3. Mapping the EventBot Mobile Banking Trojan with MITRE ATT&CK for Mobile
Allie Mellen, Security Strategist, Office of the CSO
Confidential
4. WHO AM I?
Allie Mellen
Security Strategist, Office of the CSO, Cybereason
5. AGENDA
• Why MITRE ATT&CK?
• Cybereason Nocturnus Mobile Malware Research
• Aligning to MITRE ATT&CK for Mobile
• How This Drives Future Alignment
6. WHY MAP TO MITRE ATT&CK?
• Classification
• Purple Teaming
• Knowledge Sharing
  • Community
  • Internally
  • Partners
  • Customers
  • Business
7. WHY MAP TO MITRE ATT&CK FOR MOBILE?
• Innovative Approach
• Important Target
• Clarity
• Communicate Value
10. MITRE ATT&CK FOR MOBILE TECHNIQUES
Tactic columns: Initial Access | Persistence | Defense Evasion | Credential Access | Discovery | Collection | Exfiltration | C2
Techniques shown on the matrix:
T1476: Deliver Malicious App via Other Means
T1402: App Auto-Start at Device Boot
T1444: Masquerade as Legitimate Application
T1412: Capture SMS Messages
T1418: Application Discovery
T1056: Input Capture
T1532: Data Encrypted
T1521: Standard Cryptographic Protocol
T1461: Lockscreen Bypass
T1508: Suppress Application Icon
T1417: Input Capture
T1426: System Information Discovery
T1413: Access Sensitive Data in Device Logs
T1437: Standard Application Layer Protocol
T1407: Download New Code at Runtime
T1409: Access Stored Application Data
T1516: Input Injection
11. NOCTURNUS RESEARCH: EVENTBOT
INITIAL ACCESS: Unsuspecting user downloads an application masquerading as legitimate.
CONTROL: Gets control of accessibility features and begins to run in the background.
DISCOVERY: Collects reconnaissance information like device info and the names of Android packages.
COLLECTION: Tracks the device PIN and collects financial information, personal data, keystrokes, and passwords.
EXFILTRATION: Exfiltrates collected data to its C2 server.
BYPASS: Steals SMS messages to bypass 2FA.
33. What’s a MITRE With Your Security?
VMware’s Use of MITRE ATT&CK
Matt Snyder
November 2020
34. Speaker Introduction
Matt Snyder, Sr. Threat Analytics Engineer
• 15+ years in IT/Security.
• In 2013, I was on the Incident Response team during one of the 1st major credit card breaches.
• I’ve built many SecOps programs over the last 10 years.
• I’ve been at VMware for 3+ years, and it’s a great place to work!
35. Agenda
Leveraging MITRE ATT&CK
• What logs do you need for security monitoring?
• How do you build balanced alerting?
• Evaluating new security tools
37. Fundamental Flaw in Operationalizing Security
Stuck in survivor-bias mode…
o Most companies’ security planning is done around breaches/incidents they or their peers in the industry have had.
o This leads to target fixation and wasting resources.
o Prevents proactive detection of new threats.
42. Now You Are Logging with Focus…
By mapping our logging requirements to MITRE and CIS, we can articulate what we need, why we need it, and how to enable the proper level of logging.
- Reduce the guesswork
- Minimize the impact on the service owners: no more back and forth or asking for more logs
- Reduce gaps in logs that would allow an incident to go undetected
- Help educate service owners about the threats out there
45. Alerts with Meaning
Allows you to see a clearer picture of what’s happening in your environment.
- Which tactics and techniques are being discovered
- Better understand your risk profile and where compensating controls are needed
- Test areas where no detections are being found
- Gives you the freedom to do things like risk-based alerting, where you can take lower-fidelity events and chain them together to see a much clearer picture of an attack.
46. Tracking Maturity and Growth
Starting Out
- Aligning with ATT&CK gives us targets to track against
- Helps us set what is a priority and ensure that those priorities make sense
- Allows you to see in one place where gaps exist.
47. Tracking Maturity and Growth
Future Check-In
- Over time, you can see your growth and evaluate how that matches your needs.
- Helps reduce scope creep in your alerting (ATT&CK techniques are things that exist in the wild, not hypotheticals)
- Helps track the work being done and ensure you aren’t stacking alerts in certain areas
48. Evaluating New Security Tools
As seen on TV…
- With ATT&CK, we can focus on specific deliverables that are measurable and based on real-world attacks
- Helps to identify those one-hit-wonder vendors that don’t offer a well-rounded portfolio