Ready to ATT&CK? Bring Your Own Data (BYOD) and Validate Your Data Analytics!

"How do we collect the right data for the detection of specific adversarial techniques?" That is a very important and common question for organizations planning to leverage ATT&CK in their defensive strategy. One approach is to read the data source metadata available for each technique in the ATT&CK framework. That is a good first step, and it is already helping organizations integrate the framework with their current security controls. However, as you go deeper into the recommended data sources per technique, it is very important to understand that not every technique variation requires the same data sources. In addition, there needs to be a way to validate whether what we are collecting aligns with the data analytics being created. In this talk, we will share our current experiences contributing to the "Data Sources" section of the ATT&CK framework and the Cyber Analytics Repository (CAR) project. We will show how to use pre-captured datasets from our open source project, Mordor, to expedite the simulation of adversarial techniques and the validation of data analytics. In addition, we will show how we leverage Jupyter Notebooks to develop and test data analytics from projects like CAR, finish the validation process and provide recommendations.

Roberto Rodriguez

October 30, 2019

Transcript

  1. @Cyb3rWard0g & @Cyb3rPandaH
     • Projects: @HunterPlaybook, @THE_HELK, ATTACK-Python-Client, @OSSEM_Project, @Mordor_Project, OpenHunt, Blacksmith & more
     • Founders: @HuntersForge
     https://github.com/hunters-forge
  2. Agenda
     • Explore ATT&CK: 2018 -> 2019
     • ATT&CK Data Sources Opportunities
     • Enter Mordor
     • Mordor & CAR
     • CAR & Threat Hunter Playbook (Notebooks)
     • Hunters Forge!
  3. ATTACK-Python-Client GitHub Project
     • A Python module to access up-to-date ATT&CK content available in STIX via the public TAXII server. It leverages the cti-python-stix2 and cti-taxii-client Python libraries developed by MITRE.
     • Goals
       ◦ Allow the integration of ATT&CK content with other platforms
       ◦ Allow security analysts to quickly explore ATT&CK content and apply it in their daily operations
       ◦ Explore all available ATT&CK metadata at once
       ◦ Learn the STIX2 and TAXII Client Python libraries
     https://github.com/hunters-forge/ATTACK-Python-Client
  4. ATTACK-Python-Client Installation
     • Via PIP: pip install attackcti
     • Or straight from source:
       ◦ git clone https://github.com/hunters-forge/ATTACK-Python-Client
       ◦ cd ATTACK-Python-Client
       ◦ pip install .
     • Jupyter Notebooks available:
       ◦ pip install -r requirements.txt
       ◦ cd notebooks
       ◦ jupyter lab
     https://github.com/hunters-forge/ATTACK-Python-Client
  7. ATT&CK Techniques (519) and Data Sources
     • Almost 51% of techniques have data sources defined
     • Around 49% of techniques do NOT have data sources defined
     • Pre-ATT&CK data sources maybe?
     • Opportunities to collaborate and define those without data sources?
     https://github.com/hunters-forge/ATTACK-Python-Client/blob/master/notebooks/ATT%26CK_DataSources.ipynb
  8. ATT&CK Techniques with Data Sources (265)
     • Process Monitoring: 178 techniques
     • File Monitoring: 107 techniques
     • Process Command Line: 103 techniques
     https://github.com/hunters-forge/ATTACK-Python-Client/blob/master/notebooks/ATT%26CK_DataSources.ipynb
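The coverage figures on slides 7 and 8 come from a notebook run over the ATT&CK STIX content. The following is an added example (not the deck's notebook and not attackcti's own code) that computes the same two statistics, the share of techniques that define data sources and a tally of the most-referenced data sources, from attack-pattern objects. It uses attackcti's `attack_client().get_enterprise_techniques()` for live data when the library and network access are available and otherwise falls back to a constructed sample, so the numbers it prints offline are not the slide's numbers.

```python
"""Data source coverage across ATT&CK techniques (the analysis behind slides 7-8).

Live data: `pip install attackcti`, then attack_client().get_enterprise_techniques()
returns STIX attack-pattern objects whose optional `x_mitre_data_sources` list
names the data sources.  The SAMPLE_TECHNIQUES below are constructed records in
the same shape so the example runs offline; their counts are not the slide's.
"""
from collections import Counter
from typing import Iterable, Mapping, Tuple

# Constructed sample: attack-pattern-like records with real STIX/ATT&CK field
# names (external_references, x_mitre_data_sources, revoked) and made-up content.
SAMPLE_TECHNIQUES = [
    {"type": "attack-pattern", "name": "Credentials in Registry",
     "external_references": [{"source_name": "mitre-attack", "external_id": "T1214"}],
     "x_mitre_data_sources": ["Windows Registry", "Process monitoring",
                              "Process command-line parameters"]},
    {"type": "attack-pattern", "name": "Process Injection",
     "external_references": [{"source_name": "mitre-attack", "external_id": "T1055"}],
     "x_mitre_data_sources": ["API monitoring", "Process monitoring", "File monitoring"]},
    {"type": "attack-pattern", "name": "Technique without data sources (constructed)",
     "external_references": [{"source_name": "mitre-attack", "external_id": "T0000"}]},
    {"type": "attack-pattern", "name": "Revoked technique (constructed)",
     "revoked": True,
     "x_mitre_data_sources": ["Process monitoring"]},
]


def technique_id(technique: Mapping) -> str:
    """Return the ATT&CK ID (e.g. T1214) from the mitre-attack external reference."""
    for ref in technique.get("external_references", []):
        if ref.get("source_name") == "mitre-attack":
            return ref.get("external_id", "")
    return ""


def active(techniques: Iterable[Mapping]) -> list:
    """Drop revoked and deprecated objects; counting them would skew the coverage figures."""
    return [t for t in techniques
            if not t.get("revoked") and not t.get("x_mitre_deprecated")]


def data_source_coverage(techniques: Iterable[Mapping]) -> Tuple[int, int, float]:
    """Return (techniques with data sources, techniques without, percent with)."""
    live = active(techniques)
    with_ds = sum(1 for t in live if t.get("x_mitre_data_sources"))
    without_ds = len(live) - with_ds
    pct = round(100.0 * with_ds / len(live), 1) if live else 0.0
    return with_ds, without_ds, pct


def data_source_counts(techniques: Iterable[Mapping]) -> Counter:
    """Tally how many techniques reference each data source (case-insensitive names)."""
    counts: Counter = Counter()
    for t in active(techniques):
        for ds in t.get("x_mitre_data_sources", []):
            counts[ds.strip().lower()] += 1
    return counts


def techniques_missing_data_sources(techniques: Iterable[Mapping]) -> list:
    """IDs of techniques with no data sources: the collaboration opportunity on slide 7."""
    return sorted(technique_id(t) for t in active(techniques)
                  if not t.get("x_mitre_data_sources"))


if __name__ == "__main__":
    try:  # live ATT&CK content via attackcti when it is installed and TAXII is reachable
        from attackcti import attack_client
        techniques = attack_client().get_enterprise_techniques()
    except Exception:  # offline: fall back to the constructed sample above
        techniques = SAMPLE_TECHNIQUES
    with_ds, without_ds, pct = data_source_coverage(techniques)
    print(f"{with_ds} with data sources, {without_ds} without ({pct}% covered)")
    for ds, n in data_source_counts(techniques).most_common(3):
        print(f"{n:4d}  {ds}")
    print("missing data sources:", techniques_missing_data_sources(techniques))
```

The stix2 objects attackcti returns behave as read-only mappings, so the same `.get()` based functions work on live data and on the constructed dictionaries alike.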
  9. Credentials in Registry -> DS -> Sub-DS -> Events
     T1214 -> data sources: Windows Registry, Process Monitoring, Process Command-Line Parameters
     Process Monitoring sub-data sources (relationship) -> events:
       ◦ Process Creation (Process created Process) -> Security 4688, Sysmon 1
       ◦ Process Termination (User terminated Process) -> Security 4689
       ◦ Process Write To Process (Process wrote_to Process) -> Sysmon 8
       ◦ Process Access (Process accessed Process) -> Sysmon 10
     https://www.youtube.com/watch?v=QCDBjFJ_C3g
  10. A few opportunities..
     • ATT&CK data sources covered by other data sources
     • Windows Event Logs data source is too broad!
     • ATT&CK data sources and the wrong platforms!
     • Validation of ATT&CK data sources recommendations
       ◦ What specific event logs per data source?
  11. A few opportunities!
     • ATT&CK data sources covered by other data sources
     • Windows Event Logs data source is too broad!
  12. Credentials in Registry - Windows Registry
     T1214 -> data sources: Windows Registry, Process Monitoring, Process Command-Line Parameters
     Windows Registry sub-data sources (relationship): Registry Creation (Process created Registry), Registry Modification (Process modified Registry), Registry Access (Process accessed Registry), Registry Deletion (Process deleted Registry)
     Events mapped on the slide: Sysmon 12, Sysmon 13, Security 4657, Security 4663
     https://www.youtube.com/watch?v=QCDBjFJ_C3g
  13. Windows Registry & Windows Security Event Logs?
     T1214 -> data sources: Windows Registry, Process Monitoring, Process Command-Line Parameters
     Windows Registry sub-data sources (relationship): Registry Creation (Process created Registry), Registry Modification (Process modified Registry), Registry Access (Process accessed Registry), Registry Deletion (Process deleted Registry)
     Events mapped on the slide: Sysmon 12, Sysmon 13, Security 4657, Security 4663
     https://www.youtube.com/watch?v=QCDBjFJ_C3g
  15. ATT&CK Techniques with Data Sources (265)
     • Process Monitoring: 178 techniques
     • File Monitoring: 107 techniques
     • Process Command Line: 103 techniques
     • Windows Event Logs
     https://github.com/hunters-forge/ATTACK-Python-Client/blob/master/notebooks/ATT%26CK_DataSources.ipynb
  16. Windows Event Logs … a Universe Behind?
     Windows Event Logs -> 4656, 4657, 4658, 4660, 4670, 4663, 4741, 4742, 4743, 4776, 4768, 4771, 4769, 4770, 5144, 5140, 5143, 5142
     https://www.youtube.com/watch?v=QCDBjFJ_C3g
  17. Windows Event Logs
     • Audit Registry
       ◦ 4656 -> Win Registry Deletion Request, Win Registry Access Request
       ◦ 4657 -> Win Registry Key Value Modification
       ◦ 4658 -> Win Registry Key Handle Closed
       ◦ 4660 -> Win Registry Key Deletion
       ◦ 4670 -> Win Registry Key Permissions Change
       ◦ 4663 -> Win Registry Key Access, Win Registry Key Deletion
     • Audit Computer Account Management
       ◦ 4741 -> Computer Account Creation
       ◦ 4742 -> Computer Account Change
       ◦ 4743 -> Computer Account Deletion
     https://www.youtube.com/watch?v=QCDBjFJ_C3g
  19. Windows Event Logs
     • Audit Registry
       ◦ 4656 -> Win Registry Deletion Request, Win Registry Access Request
       ◦ 4657 -> Win Registry Key Value Modification
       ◦ 4658 -> Win Registry Key Handle Closed
       ◦ 4660 -> Win Registry Key Deletion
       ◦ 4670 -> Win Registry Key Permissions Change
       ◦ 4663 -> Win Registry Key Access, Win Registry Key Deletion
     https://www.youtube.com/watch?v=QCDBjFJ_C3g
  20. Windows Event Log 4656: A handle to an object was requested
     • 4656 -> Windows Registry (Audit Registry): Win Registry Deletion Request, Win Registry Access Request
     • 4656 -> File Monitoring (Audit File System): File Deletion Request, File Access Request
     https://www.youtube.com/watch?v=QCDBjFJ_C3g
  21. Windows Event Log 4657: A registry value was modified
     • 4656 -> Windows Registry (Audit Registry): Win Registry Deletion Request, Win Registry Access Request
     • 4656 -> File Monitoring (Audit File System): File Deletion Request, File Access Request
     • 4657 -> Windows Registry (Audit Registry): Win Registry Key Value Modification
     https://www.youtube.com/watch?v=QCDBjFJ_C3g
  22. Windows Event Log 4658: The handle to an object was closed
     • 4656 -> Windows Registry (Audit Registry): Win Registry Deletion Request, Win Registry Access Request
     • 4656 -> File Monitoring (Audit File System): File Deletion Request, File Access Request
     • 4657 -> Windows Registry (Audit Registry): Win Registry Key Value Modification
     • 4658 -> File Monitoring (Audit File System): File Handle Closed
     https://www.youtube.com/watch?v=QCDBjFJ_C3g
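Slides 17 to 22 make the point that one Security event ID can belong to more than one ATT&CK data source. As an added example (not from the deck), the Python below resolves events to the data source and sub-data-source labels used on those slides: 4656 and 4663 carry an ObjectType field ("Key" or "File"), 4657 only ever describes a registry value, and 4658/4660 carry just a HandleId, so their object type has to be taken from the 4656 that opened the handle. The field names are the real Windows Security event data fields; the sample events are constructed, and telling a "Deletion Request" from an "Access Request" by testing the DELETE right (0x10000) in AccessMask is this example's own assumption, not something the slides state.

```python
"""Map Windows Security events to the ATT&CK data source / sub-data-source labels
of slides 17-22.  Added example: real event field names, constructed sample
events, and an assumed DELETE-bit rule for the "Deletion" labels.
"""
from collections import Counter
from typing import Dict, List, Optional, Tuple

DELETE = 0x10000  # standard DELETE access right in the AccessMask bit field
WINLOGON_KEY = r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"

# (EventID, ObjectType) -> (ATT&CK data source, audit subcategory, sub-data-source label)
LABELS: Dict[Tuple[int, str], Tuple[str, str, str]] = {
    (4656, "Key"):  ("Windows Registry", "Audit Registry", "Win Registry Access Request"),
    (4656, "File"): ("File Monitoring", "Audit File System", "File Access Request"),
    (4657, "Key"):  ("Windows Registry", "Audit Registry", "Win Registry Key Value Modification"),
    (4658, "Key"):  ("Windows Registry", "Audit Registry", "Win Registry Key Handle Closed"),
    (4658, "File"): ("File Monitoring", "Audit File System", "File Handle Closed"),
    (4660, "Key"):  ("Windows Registry", "Audit Registry", "Win Registry Key Deletion"),
    (4663, "Key"):  ("Windows Registry", "Audit Registry", "Win Registry Key Access"),
    (4670, "Key"):  ("Windows Registry", "Audit Registry", "Win Registry Key Permissions Change"),
}
# Assumption: when AccessMask carries the DELETE right, use the slides' "Deletion" labels.
DELETE_LABELS = {
    (4656, "Key"): "Win Registry Deletion Request",
    (4656, "File"): "File Deletion Request",
    (4663, "Key"): "Win Registry Key Deletion",
}

# Constructed sample: a read of the Winlogon key, a file opened for deletion, a
# registry value write, and a 4776 (listed on slide 16 but not mapped there).
SAMPLE_EVENTS: List[Dict] = [
    {"EventID": 4656, "ProcessId": "0x1f4c", "HandleId": "0x2a8", "ObjectType": "Key",
     "ObjectName": WINLOGON_KEY, "AccessMask": "0x1"},
    {"EventID": 4663, "ProcessId": "0x1f4c", "HandleId": "0x2a8", "ObjectType": "Key",
     "ObjectName": WINLOGON_KEY, "AccessMask": "0x1"},
    {"EventID": 4658, "ProcessId": "0x1f4c", "HandleId": "0x2a8"},
    {"EventID": 4656, "ProcessId": "0x0d2c", "HandleId": "0x3b0", "ObjectType": "File",
     "ObjectName": r"C:\Users\pgustavo\Documents\notes.txt", "AccessMask": "0x10000"},
    {"EventID": 4658, "ProcessId": "0x0d2c", "HandleId": "0x3b0"},
    {"EventID": 4657, "ProcessId": "0x0a10", "ObjectName": WINLOGON_KEY,
     "ObjectValueName": "AutoAdminLogon"},
    {"EventID": 4776, "TargetUserName": "pgustavo", "Workstation": "WORKSTATION5"},
]


def _access_mask(event: Dict) -> int:
    """AccessMask is logged as a hex string ("0x10000"); missing means no rights recorded."""
    return int(str(event.get("AccessMask", "0x0")), 16)


def _object_type(event: Dict, handle_types: Dict[Tuple[str, str], str]) -> Optional[str]:
    """4656/4663 carry ObjectType; 4657 always concerns a registry value; 4658/4660
    carry only HandleId, so the type is inherited from the 4656 that opened it."""
    if event["EventID"] == 4657:
        return "Key"
    if "ObjectType" in event:
        return event["ObjectType"]
    return handle_types.get((event.get("ProcessId"), event.get("HandleId")))


def label_events(events: List[Dict]) -> List[Tuple[int, Optional[str], Optional[str], Optional[str]]]:
    """Return (EventID, data source, audit subcategory, label) per event; Nones when unmapped."""
    handle_types = {(e["ProcessId"], e["HandleId"]): e["ObjectType"]
                    for e in events if e["EventID"] == 4656}
    labelled = []
    for e in events:
        eid = e["EventID"]
        otype = _object_type(e, handle_types)
        entry = LABELS.get((eid, otype))
        if entry is None:
            labelled.append((eid, None, None, None))
            continue
        source, subcategory, label = entry
        if _access_mask(e) & DELETE:
            label = DELETE_LABELS.get((eid, otype), label)
        labelled.append((eid, source, subcategory, label))
    return labelled


def count_by_data_source(events: List[Dict]) -> Counter:
    """How many events land in each ATT&CK data source ("unmapped" for the rest)."""
    return Counter(source or "unmapped" for _, source, _, _ in label_events(events))


if __name__ == "__main__":
    for row in label_events(SAMPLE_EVENTS):
        print(row)
    print(count_by_data_source(SAMPLE_EVENTS))
```

Because 4658 and 4660 cannot be classified on their own, a pipeline that drops or reorders events loses the ability to say whether a closed handle belonged to a key or a file; that is the practical cost of the "Windows Event Logs" data source being too broad.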
  23. A few opportunities!
     • Validation of ATT&CK data sources recommendations
       ◦ What specific event logs per data source?
  24. Credentials in Registry - Windows Registry
     T1214 -> data sources: Windows Registry, Process Monitoring, Process Command-Line Parameters
     Windows Registry -> events:
       ◦ Security 4656 -> Win Registry Deletion Request, Win Registry Access Request
       ◦ Security 4657 -> Win Registry Key Value Modification
       ◦ Security 4658 -> Win Registry Key Handle Closed
       ◦ Security 4660 -> Win Registry Key Deletion
       ◦ Security 4670 -> Win Registry Key Permissions Change
       ◦ Security 4663 -> Win Registry Key Access
       ◦ Sysmon 12, Sysmon 13
     https://www.youtube.com/watch?v=QCDBjFJ_C3g
  25. Data Analytics Development (Example)
     Stages shown in the diagram: Define a Research Goal, Simulate Adversary, Define Detection Model, Validate Detection Model, Document and Communicate Findings, Model Data
     https://www.youtube.com/watch?v=DuUF-zXUzPs
  28. More than just testing security controls!
     • Simulate Adversary -> Test Security Controls
       ◦ Endpoint agent detection
       ◦ Analytics platform rules
       ◦ Can I see it in my environment?
     • Simulate Adversary -> Model Adversary Behavior
       ◦ Learn adversary behavior
       ◦ Map data sources to adversary actions
       ◦ Study derived techniques
  29. What else do we need for Credentials in Registry?
     • Windows Registry?
       ◦ Enable Audit Object Access > Audit Registry
     • Process Monitoring?
       ◦ Enable Audit Detailed Tracking > Audit Process Creation
     • Process Command-line Parameters?
       ◦ Enable Administrative Templates\System\Audit Process Creation > Include command line in process creation events
  30. What else do we need for Credentials in Registry?
     • Windows Registry?
       ◦ Enable Audit Object Access > Audit Registry
       ◦ Set an audit rule (SACL) on the key to trigger the event!
     • Process Monitoring?
       ◦ Enable Audit Detailed Tracking > Audit Process Creation
     • Process Command-line Parameters?
       ◦ Enable Administrative Templates\System\Audit Process Creation > Include command line in process creation events
     https://docs.microsoft.com/en-us/windows/win32/secauthz/access-control-lists
  31. What else do we need for Credentials in Registry?
     • What are we testing?
       ◦ Available default automatic logon user settings!!
         Set-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" -Name AutoAdminLogon -Value 1
         Set-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" -Name DefaultUserName -Value pgustavo
         Set-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" -Name DefaultPassword -Value W1n1!2019
     https://github.com/hunters-forge/Blacksmith/blob/master/aws/mordor/cfn-files/scripts/default/Join-Domain.ps1#L37-L49
  32. What else do we need for Credentials in Registry?
     • Set Audit Rule! How?
       ◦ Download https://github.com/hunters-forge/Set-AuditRule
       ◦ Import-Module .\Set-AuditRule.ps1
       ◦ Set-AuditRule -RegistryPath "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" -IdentityReference Everyone -Rights QueryValues -InheritanceFlags None -PropagationFlags None -AuditFlags Success
     https://github.com/hunters-forge/Set-AuditRule/blob/master/registry/default_logon_user.md
  33. What else do we need for Credentials in Registry?
     • Testing commands?
       ◦ reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /f password /t REG_SZ /s
  34. What else do we need for Credentials in Registry?
     • Testing commands?
       ◦ reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /f password /t REG_SZ /s
       ◦ Get-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" -Name *password*
       ◦ C#, Python, etc!
  35. Execute -> Collect -> Analyze -> Repeat
     Diagram: Simulating Adversarial Technique -> Data produced -> Model Adversary Behavior, Test Security Controls
  36. Credentials in Registry Data Mapping
     Process -> Registry Key Value (queried)
     EVENT ID | TASK
       ◦ 4688 | Process Creation
       ◦ 4673 | Sensitive Privilege Use
       ◦ 4656 | Registry (Request Handle)
       ◦ 4690 | Handle Manipulation
       ◦ 4663 | Registry (Access)
       ◦ 4658 | Registry (Closing Handle)
       ◦ 4689 | Process Termination
  37. Credentials in Registry Data Mapping
     Process -> Registry Key Value (queried)
     EVENT ID | TASK | ATT&CK data source (as grouped on the slide)
       ◦ 4688 | Process Creation | Process Monitoring, Process Command-Line Parameters
       ◦ 4673 | Sensitive Privilege Use
       ◦ 4656 | Registry (Request Handle) | Windows Registry
       ◦ 4690 | Handle Manipulation
       ◦ 4663 | Registry (Access) | Windows Registry
       ◦ 4658 | Registry (Closing Handle) | Windows Registry
       ◦ 4689 | Process Termination | Process Monitoring
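The event chain in the mapping above can be correlated into one record per process. The following is an added example (not code from the deck, the Threat Hunter Playbook or Mordor): it reads a JSON-lines dump of the kind kafkacat writes, joins 4656 and 4663 on process id and handle id for the Winlogon key, enriches the hit with the 4688 command line and notes whether a 4689 termination followed. The sample lines are constructed with the real Security event field names, and, as slide 30 warns, the 4656/4663 events only exist when an audit rule (SACL) has been set on the key.

```python
"""Correlate the 4688 -> 4656 -> 4663 -> 4658 -> 4689 chain of slides 36-37 into
one record per process that read values of the Winlogon key (the T1214 test
from slides 33-34).  Added example; the JSON-lines sample is constructed with
real Windows Security event field names and made-up values.
"""
import json
from typing import Dict, Iterable, List

WINLOGON_KEY = r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
KEY_QUERY_VALUE = 0x1  # registry access right bit in AccessMask

# Constructed sample in the shape `kafkacat ... -C > file.json` leaves behind:
# one event per line.  reg.exe reads the key; svchost.exe only requests a handle.
SAMPLE_JSONL = r"""
{"EventID": 4688, "NewProcessId": "0x1f4c", "NewProcessName": "C:\\Windows\\System32\\reg.exe", "CommandLine": "reg query \"HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\" /f password /t REG_SZ /s", "SubjectUserName": "pgustavo"}
{"EventID": 4656, "ProcessId": "0x1f4c", "ProcessName": "C:\\Windows\\System32\\reg.exe", "HandleId": "0x2a8", "ObjectType": "Key", "ObjectName": "\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon", "AccessMask": "0x1"}
{"EventID": 4663, "ProcessId": "0x1f4c", "ProcessName": "C:\\Windows\\System32\\reg.exe", "HandleId": "0x2a8", "ObjectType": "Key", "ObjectName": "\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon", "AccessMask": "0x1"}
{"EventID": 4658, "ProcessId": "0x1f4c", "ProcessName": "C:\\Windows\\System32\\reg.exe", "HandleId": "0x2a8"}
{"EventID": 4689, "ProcessId": "0x1f4c", "ProcessName": "C:\\Windows\\System32\\reg.exe"}
{"EventID": 4688, "NewProcessId": "0x0a10", "NewProcessName": "C:\\Windows\\System32\\svchost.exe", "CommandLine": "C:\\Windows\\System32\\svchost.exe -k netsvcs", "SubjectUserName": "SYSTEM"}
{"EventID": 4656, "ProcessId": "0x0a10", "ProcessName": "C:\\Windows\\System32\\svchost.exe", "HandleId": "0x4c0", "ObjectType": "Key", "ObjectName": "\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon", "AccessMask": "0x1"}
{"EventID": 4658, "ProcessId": "0x0a10", "ProcessName": "C:\\Windows\\System32\\svchost.exe", "HandleId": "0x4c0"}
"""


def load_jsonl(text: str) -> List[Dict]:
    """One JSON event per line (kafkacat consumer output); blank lines are skipped."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def _pid(value) -> int:
    """Security events write process ids as hex strings ("0x1f4c"); normalise them for joins."""
    return int(str(value), 16)


def registry_value_queries(events: Iterable[Dict], key: str = WINLOGON_KEY) -> List[Dict]:
    """One record per process whose 4656 -> 4663 handle chain read values of `key`."""
    events = list(events)
    # 4688 carries the command line that 4656/4663 lack (Process Command-Line Parameters).
    creations = {_pid(e["NewProcessId"]): e for e in events if e["EventID"] == 4688}
    terminated = {_pid(e["ProcessId"]) for e in events if e["EventID"] == 4689}
    # Handles requested on the key, keyed by (pid, handle id) so 4663 can be tied back.
    opened = {(_pid(e["ProcessId"]), e["HandleId"]) for e in events
              if e["EventID"] == 4656 and e.get("ObjectName") == key}
    hits: Dict[int, Dict] = {}
    for e in events:
        if e["EventID"] != 4663 or e.get("ObjectName") != key:
            continue
        if not int(str(e["AccessMask"]), 16) & KEY_QUERY_VALUE:
            continue  # key was accessed, but not to read its values
        pid = _pid(e["ProcessId"])
        if (pid, e["HandleId"]) not in opened:
            continue  # 4663 without its 4656: incomplete chain, not reported here
        created = creations.get(pid, {})
        hit = hits.setdefault(pid, {
            "process_id": pid,
            "process_name": e["ProcessName"],
            "command_line": created.get("CommandLine"),
            "user": created.get("SubjectUserName"),
            "key": key,
            "value_reads": 0,
            "terminated": pid in terminated,
        })
        hit["value_reads"] += 1
    return list(hits.values())


if __name__ == "__main__":
    for hit in registry_value_queries(load_jsonl(SAMPLE_JSONL)):
        print(json.dumps(hit, indent=2))
```

The svchost.exe lines are there to show the negative case: a 4656 handle request alone, with no 4663 access, is not reported, which is why the access event (and the audit rule that makes it exist) is the one this mapping cannot do without.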
  40. Spending +time producing data & -time analyzing
     Diagram: Model Adversary Behavior, Test Security Controls -> Data produced. Takes time! Similar events?
  41. Same Technique + Some Variations
     Model Adversary Behavior / Test Security Controls
     EVENT ID | TASK
       ◦ 4688 | Process Creation
       ◦ 4673 | Sensitive Privilege Use
       ◦ 4656 | Registry (Request Handle)
       ◦ 4690 | Handle Manipulation
       ◦ 4663 | Registry (Access)
       ◦ 4658 | Registry (Closing Handle)
       ◦ 4689 | Process Termination
  42. Mordor Project @Mordor_Project
     • Pre-recorded security events generated by simulated adversarial techniques, in the form of JavaScript Object Notation (JSON)
     • Pre-recorded data categorized by platforms, adversary groups, tactics and techniques defined by the MITRE ATT&CK Framework
     • Data represents not only the specific known malicious events but also the additional context/events that occur around them
     https://github.com/Cyb3rWard0g/mordor
  43. Mordor Standard Environments
     • Environment designed to replicate a small research network
     • Standardized and documented setup
     • Platforms
       ◦ Windows
       ◦ Linux
     • Endpoint telemetry
       ◦ Windows Security Auditing
       ◦ Event Tracing for Windows (ETW) (NEW!!)
     • Network telemetry
       ◦ Network logs
     • Environments available: Shire and Erebor
     https://mordor.readthedocs.io/en/latest/index.html
  44. How do you collect data?
     • We use Kafkacat!
     • kafkacat is a generic non-JVM producer and consumer for Apache Kafka >=0.8; think of it as a netcat for Kafka.
     • In consumer mode
       ◦ kafkacat reads messages from a topic and prints them to standard output (stdout). You can also redirect the output to a file (e.g. a JSON file).
     • In producer mode
       ◦ kafkacat reads messages from standard input (stdin). You can also feed kafkacat the contents of a file.
     https://github.com/edenhill/kafkacat
  45. Consuming Data (Taking a snapshot of data)
     $ kafkacat -b <Kafka-IP>:9092 -t <kafka-Topic> -C -o end > file.json
     • -b : Kafka broker
     • -t : Topic to consume from
     • -C : Consumer mode
     • -o : Offset to start consuming from
     https://mordor.readthedocs.io/en/latest/export_mordor.html
  46. Producing Data (Injecting Adversary Dataset)
     $ kafkacat -b <Kafka-IP>:9092 -t <kafka-Topic> -P -l file.json
     • -b : Kafka broker
     • -t : Topic to produce to
     • -P : Producer mode
     • -l : Send messages from a file
     https://mordor.readthedocs.io/en/latest/import_mordor.html
  47. I just want to download all the datasets..
     $ git clone https://github.com/hunters-forge/mordor.git
     $ cd mordor/small_datasets/
     $ find . -type f -name "*.tar.gz" -print0 | sudo xargs -0 -I{} tar xf {} -C .
  48. CAR-2019-08-001: Credential Dumping via Windows Task Manager
     • The Windows Task Manager may be used to dump the memory space of lsass.exe to disk for processing with a credential access tool such as Mimikatz. This is performed by launching Task Manager as a privileged user, selecting lsass.exe, and clicking “Create dump file”. This saves a dump file to disk with a deterministic name that includes the name of the process being dumped.
     • This requires filesystem data to determine whether files have been created.
     • Contributors: Tony Lambert/Red Canary
     https://car.mitre.org/analytics/CAR-2019-08-001/
  49. CAR-2019-08-001: Procdump - File Create (Pseudocode)
     files = search File:Create
     lsass_dump = filter files where (
       file_name = "lsass*.dmp" and
       image_path = "C:\Windows\*\taskmgr.exe")
     output lsass_dump
     https://car.mitre.org/analytics/CAR-2019-08-001/
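The CAR pseudocode above, written out as a Python filter over file-creation events so it can be validated against a dataset. This is an added example, not code from CAR or the deck. It assumes Sysmon Event ID 11 (FileCreate) records with their real field names: `Image` is the creating process (CAR's `image_path`) and `TargetFilename` is the created file, whose basename is CAR's `file_name`. The sample events are constructed. Matching is case-insensitive, since Windows paths are, and `*` is allowed to span path separators so that `C:\Windows\*\taskmgr.exe` reads as CAR intends.

```python
"""CAR-2019-08-001 (lsass dump via Task Manager) as a runnable filter over Sysmon
Event ID 11 records.  Added example: real Sysmon field names, constructed events.
"""
import fnmatch
import ntpath
from typing import Dict, Iterable, List

# Patterns taken verbatim from the CAR pseudocode.
FILE_NAME_PATTERN = "lsass*.dmp"
IMAGE_PATH_PATTERN = r"C:\Windows\*\taskmgr.exe"

# Constructed Sysmon events (UtcTime values are made up).
SAMPLE_EVENTS: List[Dict] = [
    # Task Manager "Create dump file" on lsass.exe: this is what the analytic is for.
    {"EventID": 11, "Image": r"C:\Windows\System32\Taskmgr.exe",
     "TargetFilename": r"C:\Users\pgustavo\AppData\Local\Temp\lsass.DMP",
     "UtcTime": "2019-10-30 14:02:11.513"},
    # Task Manager dumping some other process: file name does not match.
    {"EventID": 11, "Image": r"C:\Windows\System32\Taskmgr.exe",
     "TargetFilename": r"C:\Users\pgustavo\AppData\Local\Temp\notepad.DMP",
     "UtcTime": "2019-10-30 14:03:40.002"},
    # Same file name written by a different tool: outside this analytic's scope,
    # which is exactly the kind of coverage gap validation against data exposes.
    {"EventID": 11, "Image": r"C:\Tools\procdump.exe",
     "TargetFilename": r"C:\Tools\lsass.dmp",
     "UtcTime": "2019-10-30 14:05:09.771"},
    # A process-creation event, not a file creation: filtered out by the "search".
    {"EventID": 1, "Image": r"C:\Windows\System32\Taskmgr.exe",
     "CommandLine": "taskmgr.exe", "UtcTime": "2019-10-30 14:02:05.000"},
]


def _match(value: str, pattern: str) -> bool:
    """Case-insensitive glob; fnmatchcase so the host OS does not alter the semantics,
    and '*' in fnmatch matches backslashes, so the pattern spans directories."""
    return fnmatch.fnmatchcase(value.lower(), pattern.lower())


def lsass_dump_via_taskmgr(events: Iterable[Dict]) -> List[Dict]:
    """files = search File:Create; filter on file_name and image_path; output lsass_dump."""
    files = [e for e in events if e.get("EventID") == 11]  # search File:Create
    return [e for e in files
            if _match(ntpath.basename(e["TargetFilename"]), FILE_NAME_PATTERN)  # file_name
            and _match(e["Image"], IMAGE_PATH_PATTERN)]                          # image_path


if __name__ == "__main__":
    for hit in lsass_dump_via_taskmgr(SAMPLE_EVENTS):
        print(hit["UtcTime"], hit["Image"], "->", hit["TargetFilename"])
```

`ntpath.basename` is used instead of `os.path.basename` so the Windows paths split correctly even when the analytic runs on a Linux analysis host.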
  50. What are Jupyter Notebooks?
     • Think of a notebook as a document, accessed via a web interface, that lets you save:
       ◦ Input (live code)
       ◦ Output (evaluated code output)
       ◦ Visualizations and narrative text (tell the story!)
     • Uses include:
       ◦ Data cleaning and transformation
       ◦ Statistical modeling
       ◦ Data visualization
       ◦ Machine learning, and much more
     https://jupyter.org/
  51. IPython -> Jupyter Notebook
     The Jupyter Notebook project is the evolution of the IPython Notebook library, which was developed primarily to enhance the default Python interactive console by enabling scientific operations and advanced data analytics capabilities.
     https://jupyter.org/
  52. How Do Jupyter Notebooks Work?
     • Jupyter Notebooks use what is called a two-process model based on a kernel-client infrastructure.
     • This model applies a Read-Evaluate-Print Loop (REPL):
       ◦ Takes a single user's inputs
       ◦ Evaluates them
       ◦ Returns the result to the user
     https://jupyter.org/
  53. The ThreatHunter-Playbook @HunterPlaybook
     • A threat hunter's playbook to aid the development of techniques and hypotheses for hunting campaigns by leveraging security event logs from diverse operating systems.
     • It documents detection strategies in the form of interactive notebooks to provide an easy and flexible way to visualize the expected output and to run the analytics against pre-recorded Mordor datasets.
     https://github.com/hunters-forge/ThreatHunter-Playbook
  54. OpenHunt Library
     • Via PIP: pip install openhunt
     • Or straight from source:
       ◦ git clone https://github.com/Cyb3rPanda/openhunt
       ◦ cd openhunt && pip install .
     https://github.com/hunters-forge/openhunt
  55. The Binder Project
     • The Binder Project is an open community that makes it possible to create shareable, interactive, reproducible environments.
     • The main technical product that the community creates is called BinderHub, and one deployment of a BinderHub exists at mybinder.org.
     • Who is it for?
       ◦ Researchers, educators, people analyzing data and people trying to communicate the data analysis to others!!
     https://mybinder.readthedocs.io/en/latest/introduction.html#what-is-the-binder-project
  56. BinderHub
     BinderHub connects several services together to provide on-the-fly creation and registry of Docker images. It utilizes the following tools:
     • A cloud provider such as Google Cloud, Microsoft Azure, Amazon EC2, and others
     • Kubernetes to manage resources on the cloud
     • Helm to configure and control Kubernetes
     • Docker to use containers that standardize computing environments
     • A BinderHub UI that users can access to specify Git repos they want built
     • BinderHub to generate Docker images using the URL of a Git repository
     • A Docker registry (such as gcr.io) that hosts container images
     • JupyterHub to deploy temporary containers for users
     https://binderhub.readthedocs.io/en/latest/overview.html
  57. Binder Design!
     Diagram of the BinderHub architecture: a repository URL (https://github.com/repo) is handed to a Repo2Docker pod in the Kubernetes cluster, which checks the Docker registry. Docker image exists? No -> push image. Yes -> up to date? No -> push image; Yes -> creates a Jupyter Notebook pod.
     https://binderhub.readthedocs.io/en/latest/overview.html#a-diagram-of-the-binderhub-architecture
  59. Threat Hunters Forge References
     • GitHub: https://github.com/hunters-forge
     • Python library: https://github.com/Cyb3rPanda/openhunt
     • Slack invitation: https://launchpass.com/threathunting
     • Official blog: https://medium.com/threat-hunters-forge
     • Founders: @Cyb3rWard0g & @Cyb3rPandaH
     • Official Twitter: @HuntersForge
     • @HunterPlaybook, @THE_HELK, @OSSEM_Project, @Mordor_Project & more