Presentation slides from the MITRE ATT&CKcon Power Hour held on November 12, 2020.

1. Welcome
Follow the conversation on Slack
@MITREattack
attack.mitre.org

2. Allie Mellen
Security Strategist, Office of the CSO
Cybereason

3. Confidential
Mapping the EventBot Mobile
Banking Trojan with
MITRE ATT&CK for Mobile
Allie Mellen, Security Strategist, Office of the CSO

4. WHO AM I?
ALLIE MELLEN
Security Strategist
Office of the CSO, Cybereason

5. ● Why MITRE ATT&CK?
● Cybereason Nocturnus Mobile Malware Research
● Aligning to MITRE ATT&CK For Mobile
● How This Drives Future Alignment
AGENDA

6. ● Classification
● Purple Teaming
● Knowledge Sharing
○ Community
○ Internally
○ Partners
○ Customers
○ Business
WHY MAP TO MITRE ATT&CK?

7. ● Innovative Approach
● Important Target
● Clarity
● Communicate Value
WHY MAP TO
MITRE ATT&CK FOR MOBILE?

8. THREAT TYPE
Banking Trojan
NOCTURNUS RESEARCH: EVENTBOT
TARGET INDUSTRY
Financial
ATTACK GOAL
User Data
IMPACTED GEO
USA & Europe

9. EVENTBOT TARGETS:
RECOGNIZE ANY OF THESE?

10. INITIAL ACCESS PERSISTENCE
DEFENSE
EVASION
CREDENTIAL
ACCESS
DISCOVERY COLLECTION EXFILTRATION C2
T1476: Deliver
Malicious App via
Other Means
T1402: App Auto-
Start at Device
Boot
T1444: Masquerade
as Legitimate
Application
T1412: Capture
SMS Messages
T1418:
Application
Discovery
T1056: Input
Capture
T1532: Data
Encrypted
T1521: Standard
Cryptographic
Protocol
T1461: Lockscreen
Bypass
T1508: Suppress
Application Icon
T1417: Input
Capture
T1426: System
Information
Discovery
T1413: Access
Sensitive Data in
Device Logs
T1437: Standard
Application Layer
Protocol
T1407: Download
New Code at
Runtime
T1409: Access
Stored
Application Data
T1516: Input
Injection
MITRE ATT&CK FOR MOBILE TECHNIQUES

11. NOCTURNUS RESEARCH: EVENTBOT
Unsuspecting User
Downloads Application
Masquerading as Legitimate
INITIAL ACCESS
CONTROL
Gets Control of
Accessibility Features,
Begins to Run in the
Background
Collects Reconnaissance
Information Like Device
Info and the Names of
Android Packages
DISCOVERY
COLLECTION
Tracks the Device PIN
and Collects Financial
Information, Personal
Data, Keystrokes, and
Passwords
Exfiltrates Collected Data
to its C2 Server
EXFILTRATION
BYPASS
Steals SMS Messages to
Bypass 2FA

12. WHAT DOES THE
FUTURE LOOK LIKE?

13. THANK YOU. QUESTIONS?
allie@cybereason.com
@hackerxbella

14. Q&A
Jamie Williams
Lead Cyber Adversarial Engineer
MITRE

15. Anthony Randazzo
Global Response Lead
Expel

16. © 2020 Expel, Inc.© 2020 Expel, Inc.
ATT&CKing the Cloud:
Hopping Between the Matrices
November 12, 2020 | Anthony Randazzo

17. © 2020 Expel, Inc.
GetCallerIdentity
~ 1.5 years leading response @ Expel
▪ 12+ years of SecOps
▫ iSIGHT/FireEye
▫ Fortune 25 Detection & Response
▪ Disclaimer: not a cloud expert but
frequent AWS D&R blog contributor
▪ Kids, LEGO, whiskey
expel.io/blog

18. © 2020 Expel, Inc.
Agenda
▪ ATT&CK for Cloud as we see it
▪ Defending the control plane
▪ Real world incident
▪ Other applications of ATT&CK for Cloud
▪ Takeaways

19. © 2020 Expel, Inc.
So what exactly is ATT&CK for Cloud?
Infra-as-a-Service Software-as-a-Service
It’s a way to communicate how attackers are misusing or abusing cloud services!

20. © 2020 Expel, Inc.
How is this different from Enterprise ATT&CK?
Enterprise Matrices Cloud Matrices
Very different attack surfaces!

21. © 2020 Expel, Inc.
Control plane is primary attack surface...but wait there’s more!
Control/Management Plane
And many more...

22. © 2020 Expel, Inc.
A shared responsibility...
Source: AWS

23. © 2020 Expel, Inc.
We have to protect this control plane, right?
▪ Informs our detection strategy for this
cloud attack surface
▪ What do we detect? Where do we even
start?
▪ How many AWS APIs are available in
this control plane? Almost 10,000, you
say?

24. © 2020 Expel, Inc.
How'd we build detections? Using OSTs, of course!
Source: Rhino Security Labs

25. © 2020 Expel, Inc.
What did an attack look like?
An unconventional coin miner...

26. © 2020 Expel, Inc.
What did the ATT&CK look like?
AWS [IaaS] Cloud

27. © 2020 Expel, Inc.
What did the ATT&CK look like?
Enterprise Linux

28. © 2020 Expel, Inc.
More examples of hopping between matrices!
▪ AWS CLI access from multiple compromised keys > SSH access into EC2
▪ boto3 SDK access of AWS SSM > sudo linux access (red team)
▪ SSRF exploitation > EC2 instance credential access to control plane
▪ RDS database ransom > used CloudTrail to identify when weak password
change occured

29. © 2020 Expel, Inc.
AWS mind map
for investigations
and incidents
MITRE ATT&CK Tactics
Sign up for an advanced
copy of our cheat sheet and
AWS mind map:
http://expel.io/mindmap

30. © 2020 Expel, Inc.
Takeaways
▪ With lots of attack surface in the cloud, understanding both cloud and
enterprise ATT&CK will help.
▪ We need more information sharing! We don’t know nearly as much about
attacks in the cloud than in an enterprise [Windows] environment.
▪ Cloud control planes are a target for automated attacks. This is the trend
we’re observing today.

31. Q&A
Jamie Williams
Lead Cyber Adversarial Engineer
MITRE

32. Matt Snyder
Senior Threat Analytics Engineer
VMWare

33. What’s a MITRE With
Your Security?
VMware’s Use of MITRE
ATT&CK
Matt Snyder
November 2020

34. Sr. Threat Analytics Engineer
• 15+ Years in IT/Security.
• In 2013, I was on the Incident Response team
during one the 1st major Credit Card breaches.
• I’ve built many SecOps programs over the last 10
years.
• I’ve been at VMware for 3+ years, and it’s a great
place to work!
Matt Snyder
Speaker Introduction

35. Agenda
Leveraging MITRE ATT&CK
•What logs do you need for
security monitoring?
•How do you build balanced
alerting?
•Evaluating New Security Tools

37. Fundamental Flaw in Operationalizing Security
Stuck in Survivor Bias mode…
o Most companies’ security
planning is done around
breaches/incidents they or
their peers in the industry
have had.
o This leads to target fixation
and wasting resources.
o Prevents proactive
detection of new threats.

38. What logs do you need for Security Monitoring?

39. Log All The Things!!

40. Log All The Things!!

42. Now You Are Logging with Focus…
By mapping our logging requirements with
MITRE and CIS, we can articulate what we need,
why we need it, and how to enable the proper
level of logging.
- Reduce the guess work
- Minimize the impact on the service owners, no
more back and forth or asking for more logs
- Reduce gaps in logs that would allow and
incident to go undetected
- Help educate service owners to the threats out
there

43. Typical Security Monitoring…

44. Building a Balanced Portfolio

45. Alerts with Meaning
Allows you to see a clearer picture of what’s
happening in your environment.
- What tactics and techniques are being
discovered
- Able to better understand your risk profile and
where compensating controls are needed
- Test areas that no detections are being found
- Gives you the freedom to do things like risk-
based alerting, where you can take lower
fidelity events and chain them together to see
a much clearer picture of an attack.

46. Tracking Maturity and Growth
Starting Out
- Aligning with ATT&CK gives us targets
to track against
- Helps us set what is a priority and
ensure that those priorities make
sense
- Allows you to see in one place where
gaps exist.

47. Tracking Maturity and Growth
Future Check-In
- Over time, you can see your growth
and evaluate how that matches your
needs.
- Help reduce scope creep in your
alerting (ATT&CK are things that exist
in the wild and not hypothetical)
- Help track the work being done and
ensure you aren’t stacking alerts in
certain areas

48. Evaluating New SecurityTools
As seen on tv….
- With ATT&CK, we can focus on
specific deliverables that are
measurable and based on real
world attacks
- Helps to identify those 1 hit
wonder vendors that don’t offer a
well-rounded portfolio

49. Questions?
Thank you!

50. Q&A
Jamie Williams
Lead Cyber Adversarial Engineer
MITRE

51. Jamie Williams
Mike Hartley
MITRE

52. ©2020 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for public release. Distribution unlimited 20-02605-2.
Mike Hartley
@thecookiewanter
PUTTING THE INTO ATT&CK
Jamie Williams
@jamieantisocial
@MITREattack

53. ©2020 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for public release. Distribution unlimited 20-02605-2.
Reconnaissance Resource Development Initial Access Execution Persistence Privilege Escalation Defense Evasion Credential Access Discovery Lateral Movement Collection Command and Control Exfiltration Impact
Active Scanning Acquire Infrastructure Valid Accounts Scheduled Task/Job Modify Authentication Process System Service Discovery Remote Services Data from Local System Data Obfuscation Exfiltration Over Other
Network Medium
Data Destruction
Gather Victim Host Information Compromise Accounts
Replication Through
Removable Media
Windows
Management
Instrumentation
Valid Accounts Network Sniffing
Software Deployment
Tools
Data from Removable
Media
Fallback Channels Data Encrypted for Impact
Gather Victim Identity Information Compromise Infrastructure Hijack Execution Flow OS Credential Dumping Application Window
Discovery
Application Layer Protocol Scheduled Transfer Service Stop
Gather Victim Network Information Develop Capabilities Trusted Relationship Software
Deployment
Tools
Boot or Logon Initialization Scripts Direct Volume Access Input Capture
Replication Through
Removable Media
Input Capture Proxy Data Transfer Size Limits Inhibit System Recovery
Gather Victim Org Information Establish Accounts Supply Chain Compromise Create or Modify System Process Rootkit Brute Force System Network
Configuration Discovery
Data Staged Communication Through
Removable Media
Exfiltration Over
C2 Channel
Defacement
Phishing for Information Obtain Capabilities Hardware Additions Shared Modules Event Triggered Execution Obfuscated Files or
Information
Two-Factor Authentication
Interception
Internal Spearphishing Screen Capture Firmware Corruption
Search Closed Sources Exploit Public-Facing
Application
User Execution Boot or Logon Autostart Execution System Owner/User
Discovery
Use Alternate
Authentication Material
Email Collection Web Service Exfiltration Over
Physical Medium
Resource Hijacking
Search Open Technical Databases Exploitation for
Client
Execution
Account Manipulation Process Injection
Exploitation for Credential
Access
Clipboard Data Multi-Stage Channels Network Denial of Service
Search Open Websites/Domains Phishing External Remote Services Access Token Manipulation System Network
Connections Discovery
Lateral Tool Transfer Automated Collection Ingress Tool Transfer Exfiltration Over
Web Service
Endpoint Denial of Service
Search Victim-Owned Websites External Remote Services System Services Office Application Startup Group Policy Modification Steal Web Session Cookie Taint Shared Content Audio Capture Data Encoding System Shutdown/Reboot
Drive-by Compromise Command and
Scripting
Interpreter
Create Account Abuse Elevation Control Mechanism Unsecured Credentials
Permission Groups
Discovery
Exploitation of Remote
Services
Video Capture Traffic Signaling Automated Exfiltration Account Access Removal
Browser Extensions
Exploitation for
Privilege
Escalation
Indicator Removal on Host Credentials from
Password Stores
Man in the Browser Remote Access Software Exfiltration Over
Alternative Protocol
Disk Wipe
Native API Traffic Signaling Modify Registry File and Directory
Discovery
Remote Service Session
Hijacking
Data from
Information Repositories
Dynamic Resolution Data Manipulation
Inter-Process
Communication
BITS Jobs Trusted Developer Utilities
Proxy Execution
Steal or Forge Kerberos
Tickets
Non-Standard Port Transfer Data to
Cloud AccountServer Software
Component
Peripheral Device
Discovery
Man-in-the-Middle Protocol Tunneling
Traffic Signaling Forced Authentication Archive Collected Data Encrypted Channel
Pre-OS Boot Signed Script Proxy
Execution
Steal Application Access
Token
Network Share Discovery Data from
Network Shared Drive
Non-Application
Layer ProtocolCompromise Client
Software Binary
Password Policy Discovery
Rogue Domain Controller Man-in-the-Middle Browser Bookmark
Discovery
Data from
Cloud Storage ObjectImplant Container Image Indirect Command
Execution Virtualization/Sandbox
EvasionBITS Jobs
XSL Script Processing Cloud Service Dashboard
Template Injection Software Discovery
File and Directory
Permissions Modification
Query Registry
Remote System Discovery
Virtualization/Sandbox
Evasion
Network Service Scanning
Process Discovery
Unused/Unsupported
Cloud Regions
System Information
Discovery
Use Alternate
Authentication Material
Account Discovery
System Time Discovery
Impair Defenses Domain Trust Discovery
Hide Artifacts Cloud Service Discovery
Masquerading Cloud Infrastructure Discovery
Deobfuscate/Decode Files
or Information
Signed Binary Proxy
Execution
Exploitation for
Defense Evasion
Execution Guardrails
Modify Cloud Compute
Infrastructure
Pre-OS Boot
Subvert Trust Controls
Source:
http://gph.is/1cEuQWX

54. ©2020 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for public release. Distribution unlimited 20-02605-2.

55. ©2020 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for public release. Distribution unlimited 20-02605-2.
History of PRE-ATT&CK
• Initially released in 2017
• Separate matrix w/ 17 Tactics
• Adversary behaviors leading
to compromise
• Example use cases:
• Are there signs that an
adversary might be
targeting you?
• Prioritize open-source
intelligence gathering / sharing

56. ©2020 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for public release. Distribution unlimited 20-02605-2.
The Long Con
• In 2018 (v2) the Launch and Compromise Tactics were refactored
into Initial Access

57. ©2020 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for public release. Distribution unlimited 20-02605-2.
Final Merge
• Deprecated PRE-ATT&CK matrix
for PRE Enterprise platform
• 2 new Tactics
• Criteria for inclusion:
1. Technical
2. Visible to some defenders
3. Evidence of adversary use

58. ©2020 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for public release. Distribution unlimited 20-02605-2.
Reconnaissance
• Actively or passively gathering
information that can be used to
support targeting.
• 10 Techniques & 31 Sub-techniques
• Split into what & how

59. ©2020 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for public release. Distribution unlimited 20-02605-2.
Resource Development
• Building, buying, or compromising
resources that can be used during
targeting
• Infrastructure
• Accounts
• Capabilities
• 6 Techniques & 26 Sub-techniques

60. ©2020 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for public release. Distribution unlimited 20-02605-2.
Technique Metadata
• New PRE platform
• New Pre-compromise Mitigation
• ex: This technique cannot be easily
mitigated with preventive controls
since it is based on behaviors
performed outside of the scope of
enterprise defenses and controls.
Efforts should focus on...
• Data sources and Detections relevant
to potential Enterprise artifacts
Source: https://i.pinimg.com/originals/71/6a/5b/716a5b5b8847470b77dde4a4b67f2a2b.gif

61. ©2020 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for public release. Distribution unlimited 20-02605-2.
Why?
• Promote more adoption and contributions
• More integration across spectrum of adversary behaviors
Source:
https://gph.is/g/Z5K7bQE

62. ©2020 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for public release. Distribution unlimited 20-02605-2.
Gone But Not Forgotten
Previous versions (< v8) will retain the full matrix
as well as individual techniques

63. ©2020 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for public release. Distribution unlimited 20-02605-2.
How Can You Help?
• Feedback and contributions!
• New techniques + scoping of
existing techniques
• Documentation of potential
detections and mitigations
• Reported instances of adversary
procedure examples
Source:
http://gph.is/2colVQl

64. ©2020 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for public release. Distribution unlimited 20-02605-2.
Special Thanks

65. Join our next session
on December 11
Register now!
https://na.eventscloud.com/ATTACKcon-november