ATT&CKcon 3.0
Exploring How Students Map Social Engineering Techniques to the ATT&CK Framework During a Real-Time Cybersecurity Exercise
The CARE Lab
@TU_CARE
care@temple.edu
https://sites.temple.edu/care/
About the CARE Lab team
Aunshul Rege (@prof_rege), Rachel Bleiman (@rab1928), Katorah Williams (@KatorahW)
• Human, socio-behavioral focus
• Critical infrastructure, ransomware, social engineering, privacy, surveillance, mis/disinformation, cybersecurity education
• Supported by NSF
Social engineering (SE)
• Any act that influences a person to take an action that may or may not be in his or her best interests
• ~70% of US organizations experienced SE attacks in 2017 [1]
  • Cost: ~$2.76 million
  • Resolve: ~20 days per incident
• Financial loss from business email compromise, phishing, and confidence fraud/romance scams in 2019 [2]
  • More than $2.23 billion
[1] Ponemon Institute. (2017). 2017 Cost of Cybercrime Study. Retrieved July 29, 2019. Online at https://www.accenture.com/t20170926t072837z_w_/us-en/_acnmedia/pdf-61/accenture-2017-costcybercrimestudy.pdf
[2] Federal Bureau of Investigation. (2019). 2019 Internet Crime Report. Retrieved February 2, 2021. Online at https://pdf.ic3.gov/2019_IC3Report.pdf
Social engineering education & ATT&CK
• The human factor is often leveraged via SE
• Cybersecurity is more than a technical problem
• Global workforce shortage
  • Companies could use 2.7 million additional workers [1]
• The CARE Lab teaches SE
  • Case studies & competitions
  • Mapping to the ATT&CK framework
[1] (ISC)² Cybersecurity Workforce Study, 2021
SE case study & ATT&CK mapping
• Description/objective of course project
  • Map a SE case study onto the ATT&CK framework
• Mapping requirements
  • Identify tactics/techniques; provide excerpt evidence
  • Identify proportions of tactics that map
SE case study & ATT&CK mapping
• Examples of student work
  • Excerpt evidence for the 'Gather Victim Identity Information' technique:
    "Tim went full-bore, collecting information such as the e-mail layout scheme, open requests for quotes, all employee names he could find, plus any social media sites they belong to, papers they wrote and published, clubs they were part of, as well as service providers they used"
SE case study & ATT&CK mapping
• Proportions of mapping between the 3 groups
• Most popular tactics

Tactic                 Group A (F20)  Group B (5)  Group C (6)
Reconnaissance         5/10           5/10         8/10
Resource Development   2/6            0/6          3/6
Initial Access         2/9            4/9          3/9
Execution              1/10           0/10         1/10
Persistence            1/18           1/18         2/18
Privilege Escalation   1/12           0/12         1/12
Defense Evasion        2/37           0/37         0/37
Credential Access      1/14           1/14         3/14
Discovery              1/25           0/25         3/25
Lateral Movement       2/9            1/9          2/9
Collection             11/17          1/17         5/17
Command and Control    6/16           0/16         2/16
Exfiltration           7/9            2/9          0/9
Impact                 2/13           1/13         0/13
Total                  44/205         16/205       33/205
Lessons learned
• For the case study
  • No 'wrong' way to map
  • Tactics/techniques interpreted to fit SE
    • Trusted Relationship: "At this point a little friendly chitchat ensued and before you know it they were laughing and exchanging pleasantries"
• SE is relevant in ATT&CK and cybersecurity
2021 SE competition & ATT&CK mapping
• The CARE Lab hires teams of "pen testers" to do a SE pen test
  • 1 high school, 9 undergrads, 6 grads
  • 2 international teams

Flag #  Flag description
1       Get the CARE Lab's Twitter account to Like a tweet posted by a competing team
2       Get the CARE Lab's Twitter account to Retweet a tweet posted by a competing team
3       Get the CARE Lab to disclose its office location and/or phone number
4       Get the CARE Lab to disclose its mail client
5       Get the CARE Lab to disclose its browser information
6       Get the CARE Lab to share its critical infrastructure ransomware incident dataset
7       Get the CARE Lab to share its publications
8       Get the CARE Lab to share its conference powerpoints
9       Convince the CARE Lab to hire the team to host the CARE Pod
10      Convince the CARE Lab to update the lab website
11      Convince the CARE Lab to update a rival team's page on the lab website
12      Collaborate with the CARE Lab to develop education projects
13      Collaborate with the CARE Lab to be a guest on the CARE Pod
2021 SE competition & ATT&CK mapping
• Flag: Get the CARE Lab to disclose its office location and/or phone number
• Example playbook
2021 SE competition & ATT&CK mapping
• Flag: Get the CARE Lab to disclose its office location and/or phone number
• Overall tactics and techniques used

Technique ID                             Tactic ID                      Total  Teams (G1 G2 UG2 UG3 HS)
T1036: Masquerading                      TA0005: Defense Evasion        4      X X X X
T1113: Screen Capture                    TA0009: Collection             1      X
T1199: Trusted Relationship              TA0001: Initial Access         1      X
T1585: Establish Accounts                TA0042: Resource Development   1      X
T1589: Gather Victim Information         TA0043: Reconnaissance         1      X
T1591: Gather Victim Org Information     TA0043: Reconnaissance         2      X X
T1591.001: Determine Physical Location   TA0043: Reconnaissance         1      X
T1593: Search Open Websites/Domains      TA0043: Reconnaissance         2      X X
T1593.001: Social Media                  TA0043: Reconnaissance         1      X
T1594: Search Victim Owned Websites      TA0043: Reconnaissance         1      X
T1598: Phishing for Information          TA0043: Reconnaissance         2      X X
N/A                                      TA0003: Persistence            1      X
2021 SE competition & ATT&CK mapping
• 7 popular tactics for the competition overall

Flag  Description                                      TA0043  TA0005  TA0003  TA0042  TA0001  TA0009  TA0040
1     Like a tweet posted by a competing team          3       3       1       3       2       0       0
2     Retweet a tweet posted by a competing team       5       4       1       1       2       0       0
3     Disclose its office location and/or phone number 10      4       1       1       1       0       0
4     Disclose its mail client                         6       2       1       2       1       0       0
5     Disclose its browser information                 5       2       1       2       1       0       0
6     Share ransomware incident dataset                6       4       2       0       0       1       0
7     Share publications                               6       1       1       0       0       0       0
8     Share conference powerpoints                     2       0       1       0       0       0       0
9     Hire to host the CARE Pod                        7       4       3       2       1       0       0
10    Update the lab website                           7       3       2       0       1       1       1
11    Update a rival team's page on the lab website    7       4       3       1       1       0       0
12    Collaborate to develop education projects        4       2       1       0       0       0       0
13    Collaborate to be a guest on the CARE Pod        2       2       1       1       1       0       0
      Totals                                           70      35      19      13      11      2       1
TA0043: Reconnaissance | TA0005: Defense Evasion | TA0003: Persistence | TA0042: Resource Development | TA0001: Initial Access | TA0009: Collection | TA0040: Impact
2021 SE competition & ATT&CK mapping
• 9 most popular techniques for the competition

Technique columns: T1036 T1593 T1598 T1589 T1199 T1585 T1583 T1591 T1594
Flag  Description                                      Counts per technique (as extracted)
1     Like a tweet posted by a competing team          3 1 1 1 2 1
2     Retweet a tweet posted by a competing team       4 2 3 1
3     Disclose its office location and/or phone number 4 2 2 1 1 1 2 1
4     Disclose its mail client                         2 2 2 1 1 1 1 1
5     Disclose its browser information                 2 1 2 1 1 1 1 1
6     Share ransomware incident dataset                4 4 1 1
7     Share publications                               1 2 2 1 1
8     Share conference powerpoints                     1 1
9     Hire to host the CARE Pod                        4 4 1 1 1 1 1
10    Update the lab website                           3 2 2 1 1
11    Update a rival team's page on the lab website    4 4 1 1 1 1
12    Collaborate to develop education projects        2 2 1 1
13    Collaborate to be a guest on the CARE Pod        2 2 1 1
      Totals                                           35 28 16 11 8 6 5 5 5
T1036: Masquerading | T1593: Search Open Websites/Domains | T1598: Phishing for Information | T1589: Gather Victim Information | T1199: Trusted Relationship | T1585: Establish Accounts | T1583: Acquire Infrastructure | T1591: Gather Victim Org Information | T1594: Search Victim Owned Websites
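Slides 5-7 set the mapping requirements (tactics/techniques with excerpt evidence, plus the proportion of each tactic that maps) and slides 11-13 tally the competition mappings per team, flag and tactic. The following Python is an added example, not the CARE Lab's code or tooling: it validates constructed mapping records, rolls sub-techniques up to their parent, and produces the three tallies. The per-tactic denominators are taken from the slide 7 table and assumed here to be the number of techniques each tactic held in the ATT&CK version the students used.

```python
"""Tally student ATT&CK mappings the way the slide 7 and slide 11-13 tables do.
Added example; the records below are constructed and the tactic sizes are the
denominators shown on slide 7 (assumed: techniques per tactic)."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple

# Denominators from the slide 7 table (assumed: techniques per tactic).
TACTIC_SIZE: Dict[str, Tuple[str, int]] = {
    "TA0043": ("Reconnaissance", 10),
    "TA0042": ("Resource Development", 6),
    "TA0001": ("Initial Access", 9),
    "TA0003": ("Persistence", 18),
    "TA0005": ("Defense Evasion", 37),
    "TA0009": ("Collection", 17),
    "TA0040": ("Impact", 13),
}


@dataclass(frozen=True)
class Mapping:
    """One row a student team submits: an action mapped to ATT&CK."""
    team: str        # team label, e.g. "UG2" (constructed)
    flag: int        # flag number from the competition table
    technique: str   # technique or sub-technique id, or "N/A" if only a tactic fits
    tactic: str      # tactic id the technique was mapped under
    evidence: str    # playbook excerpt that justifies the mapping


def parent_technique(tid: str) -> str:
    """Roll a sub-technique up to its parent: T1591.001 -> T1591."""
    return tid.split(".", 1)[0]


def validate(records: Iterable[Mapping]) -> List[str]:
    """One problem string per record that fails the slide 5 requirements:
    excerpt evidence is mandatory and the tactic must be a known one."""
    problems = []
    for r in records:
        if not r.evidence.strip():
            problems.append(f"{r.team} flag {r.flag} {r.technique}: no excerpt evidence")
        if r.tactic not in TACTIC_SIZE:
            problems.append(f"{r.team} flag {r.flag}: unknown tactic {r.tactic}")
    return problems


def technique_presence(records: Iterable[Mapping]) -> Dict[Tuple[str, str], List[str]]:
    """Slide 11 layout: for each (technique, tactic) pair, the teams that used
    it; len(value) is the 'Total' column."""
    table: Dict[Tuple[str, str], set] = defaultdict(set)
    for r in records:
        table[(r.technique, r.tactic)].add(r.team)
    return {key: sorted(teams) for key, teams in table.items()}


def flag_tactic_matrix(records: Iterable[Mapping]) -> Dict[int, Dict[str, int]]:
    """Slide 12 layout: per flag, how many mapping entries fell under each tactic."""
    matrix: Dict[int, Dict[str, int]] = defaultdict(lambda: defaultdict(int))
    for r in records:
        matrix[r.flag][r.tactic] += 1
    return {flag: dict(cols) for flag, cols in matrix.items()}


def tactic_coverage(records: Iterable[Mapping]) -> Dict[str, Tuple[int, int]]:
    """Slide 7 layout: distinct techniques touched per tactic over the tactic's
    size. Sub-techniques roll up to their parent, so T1591 and T1591.001 count
    once; 'N/A' rows name a tactic but touch no technique."""
    touched: Dict[str, set] = defaultdict(set)
    for r in records:
        if r.technique != "N/A":
            touched[r.tactic].add(parent_technique(r.technique))
    return {tid: (len(touched[tid]), size) for tid, (_, size) in TACTIC_SIZE.items()}


# Constructed sample: entries from five teams for flag 3 and one for flag 6.
SAMPLE = [
    Mapping("G1", 3, "T1036", "TA0005", "constructed excerpt: persona introduction"),
    Mapping("G2", 3, "T1036", "TA0005", "constructed excerpt: persona introduction"),
    Mapping("UG2", 3, "T1591.001", "TA0043", "constructed excerpt: campus map lookup"),
    Mapping("G2", 3, "T1591", "TA0043", "constructed excerpt: lab About page"),
    Mapping("HS", 3, "T1598", "TA0043", "constructed excerpt: visit request email"),
    Mapping("G1", 3, "N/A", "TA0003", "constructed excerpt: follow-up over days"),
    Mapping("UG3", 6, "T1113", "TA0009", "constructed excerpt: dataset page screenshot"),
]

if __name__ == "__main__":
    for problem in validate(SAMPLE):
        print("invalid:", problem)
    for (tech, tactic), teams in sorted(technique_presence(SAMPLE).items()):
        print(f"{tech:10} {tactic}  total={len(teams)}  teams={' '.join(teams)}")
    for tid, (n, size) in tactic_coverage(SAMPLE).items():
        print(f"{TACTIC_SIZE[tid][0]:22} {n}/{size}")
```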
2021 SE competition & ATT&CK mapping: Lessons learned
1. Converged several techniques that may have an overlapping meaning
  • Creating personas: T1036: Masquerading, T1585: Establish Accounts, T1136: Create Accounts
2. Some tactics were mapped with no specific technique
  • TA0003: Persistence
3. The majority of tactics & techniques are part of the preparation work
  • Competition theme and human-social-behavioral aspects
4. Some tactics & techniques were minimally used
  • TA0009: Collection (T1005: Data from Local System and T1113: Screen Capture)
  • TA0040: Impact (T1565: Data Manipulation)
Closing thoughts: Technique-specific mitigations
• T1593: Search Open Websites/Domains technique
  • Control information exposure through social media privacy settings (e.g., public, private, friends only) and webpage settings (e.g., password protected)
• T1036: Masquerading technique
  • Assign an authentication code or number to the legitimate task, service, or persona (e.g., social security number)
• T1598.003: Spearphishing Link (sub-)technique
  • Anti-spoofing, email authentication, and cyber threat intelligence (CTI) mechanisms
• T1585: Establish Accounts technique
  • Threat intelligence on whether these accounts are potentially linked to bad actors
Closing thoughts
• Students can use ATT&CK as an aid
  • Understand where they are in the intrusion chain
  • How their techniques help them move (or not) from one tactic to another → objectives
• Not all risks/threats are captured in ATT&CK
  • Insider threats
    • Use the Insider Threat TTP Knowledge Base [1]
  • Reputation damage
• Useful to other educators
[1] https://ctid.mitre-engenuity.org/our-work/insider-ttp-kb/
