MA
Uploaded byMITRE ATT&CK
PDF, PPTX898 views

Mapping ATT&CK Techniques to ENGAGE Activities

The document discusses the concepts of cyber denial and deception, highlighting their role in impairing adversary operations through strategic planning and analysis. It provides examples of threat actor techniques, particularly focusing on TeamTNT's docker escape method and the Apache Log4j vulnerability, illustrating the steps involved in exploitation and techniques used. Additionally, it offers adversary engagement tips, including methods to deflect adversaries and dynamically alter the engagement environment.

Embed presentation

Download as PDF, PPTX
ATT&CKcon 3.0 McLean, VA Copyright © 2022 CounterCraft, Inc.. All rights reserved. David Barroso @lostinsecurity Mapping ATT&CK techniques to Engage activities
Copyright © 2022 CounterCraft, Inc.. All rights reserved. David Barroso @lostinsecurity Before starting Please check out the excellent MITRE engage resources. https://engage.mitre.org/ Kudos to the MITRE Engage team!
Cyber Denial is the ability to prevent or otherwise impair the adversary’s ability to conduct their operations. This disruption may limit their movements, collection efforts, or effectiveness of their capabilities. Cyber Deception intentionally reveals deceptive facts and fictions to mislead the adversary. In addition, it conceals critical facts and fictions to prevent the adversary from forming correct estimations or taking appropriate actions. When cyber denial and deception are used together, within the context of strategic planning and analysis, they provide the foundation of Adversary Engagement. Source: https://engage.mitre.org/
Copyright © 2022 CounterCraft, Inc.. All rights reserved. David Barroso @lostinsecurity Source: https://engage.mitre.org/
Copyright © 2022 CounterCraft, Inc.. All rights reserved. David Barroso @lostinsecurity Engage Key Terms • Actions: two categories of actions: Strategic and Engagement. • Goals: are the high-level outcomes you would like your operation to accomplish: Prepare, Expose, Affect, Elicit, Understand. • Approaches: let you make progress towards your selected goal (tactics in ATT&CK): Plan, Collect, Detect, Prevent, Direct, Disrupt, Reassure, Motivate, Analyze. • Activities: concrete techniques you use in your approach (techniques in ATT&CK)
Copyright © 2022 CounterCraft, Inc.. All rights reserved. David Barroso @lostinsecurity Source: https://engage.mitre.org/
Copyright © 2022 CounterCraft, Inc.. All rights reserved. David Barroso @lostinsecurity Source: https://engage.mitre.org/
Copyright © 2022 CounterCraft, Inc.. All rights reserved. David Barroso @lostinsecurity Mapping Engage and ATT&CK For each ATT&CK technique, we can examine the weaknesses revealed and identify an engagement activity or activities to exploit this weakness. Lures ID: EAC0005 Source: https://engage.mitre.org/
Copyright © 2022 CounterCraft, Inc.. All rights reserved. David Barroso @lostinsecurity Example: TeamTNT and their Docker escape method We want to to test the following hypothesis: An specific threat actor (TeamTNT) is targeting companies in our sector. One of their preferred methods is to compromise container servers and use them as a way to propagate their payload.
Copyright © 2022 CounterCraft, Inc.. All rights reserved. David Barroso @lostinsecurity Example: TeamTNT and their Docker escape method Steps ATT&CK Technique TeamTNT scans your attack surface looking for unprotected Docker daemons T1133 – External Remote Services They create a new container with privileged mode, mapping the host’s root filesystem into the new container T1610 – Deploy Container Then they add a new SSH public key to the root user authorized keys T1098-004 Account Manipulation: SSH Authorized Keys They can now SSH into the host (ssh root@127.0.0.1) T1611 – Escape to Host More information: https://www.countercraftsec.com/blog/post/escaping-docker-privileged-containers-for-mining-crypto-currencies/
Copyright © 2022 CounterCraft, Inc.. All rights reserved. David Barroso @lostinsecurity Example: TeamTNT and their Docker escape method
Copyright © 2022 CounterCraft, Inc.. All rights reserved. David Barroso @lostinsecurity Example: Apache log4j vulnerability CVE-2021-44228 We want to to test the following hypothesis: We have a massive number of Java applications exposed to the Internet, and many of them can’t be patched inmediately.
Copyright © 2022 CounterCraft, Inc.. All rights reserved. David Barroso @lostinsecurity Example: Apache log4j vulnerability CVE-2021-44228 Steps ATT&CK Technique A threat actor scans your attack surface looking for vulnerable Java applications. T1133 – External Remote Services They use the log4j exploit to execute a command T1190 – Exploit Public-Facing Application A PowerShell script is executed T1059:001 – Command and Scripting: PowerShell The PowerShell script downloads and executes a binary T1204:002 – User Execution: Malicious file The binary tries to achieve persistence adding registry keys T1547:001 – Boot or Logon Autostart: Registry Run Keys The binary installs a crypto-miner (XMRig) T1496 – Resource Hijacking More information: https://blog.checkpoint.com/2021/12/14/a-deep-dive-into-a-real-life-log4j-exploitation/
Copyright © 2022 CounterCraft, Inc.. All rights reserved. David Barroso @lostinsecurity Example: Apache log4j vulnerability CVE-2021-44228
Copyright © 2022 CounterCraft, Inc.. All rights reserved. David Barroso @lostinsecurity Adversary Engagement tips Deflect the adversary to our deception assets • Services that are attractive and discoverable: Active Directory with a trust relationship with a production AD, vulnerable software versions (Apache, Confluence, Windows Server, …), poorly secured software installations (SQL Server with weak passwords, unauthenticated Docker daemons, SSH/RDP with weak passwords, etc.) or just normal software that can be accessed using the credentials stored in breadcrumbs. • Breadcrumbs that point to the above services. Example: private keys, credentials in files (PowerShell script, Excel, bash, source code repositories, configuration files, etc.), shared folders, source code repositories, emails, TLS certificates, etc. • Physical breadcrumbs. QR codes posted in restricted areas walls, printed configuration files / credentials in trash bins or on the desktop, post-it notes pointing to the deception assets, etc. • Traffic generation from attractive assets: CDP pointing to Cisco devices, multicast traffic from vulnerable devices, etc.
Copyright © 2022 CounterCraft, Inc.. All rights reserved. David Barroso @lostinsecurity Adversary Engagement tips Bait and switch Depending on how we are engaging with the adversaries, we can dynamically change the environment: • Keep attackers engaged for as long as possible with our scenario • Create chaos and confusion amongst them • Collect information about them (IOCs, TTPs) • Gain and/or increase situational awareness Examples: • Let them compromise malfunctioning hosts (random reboots, password changes, corrupted files, etc.) • Block access to their C2. Example: blocking HTTP requests from Cobalt Strike beacons back to their C2. • Add random delays (contacting servers, API operations, etc.). Example: Tularosa (Ferguson-Walter et al., 2019) • Drop files and folders in real time containing relevant documentation based on the attacker profile • Hide and seek vulnerable assets • Drop IOCs that belong to similar groups (APT28 vs APT29) • Send Detection Warnings using popups or shell messages
ATT&CKcon 3.0 McLean, VA Copyright © 2022 CounterCraft, Inc.. All rights reserved. David Barroso @lostinsecurity Questions?
The content of this document is confidential and intended for the recipient and purpose of the related communication to which it’s attached only. It is strictly forbidden to share any part of this document with any third party, without a written consent of CounterCraft. Should you receive this document by mistake, we also ask that you delete it, and do not forward it or any part of it to anyone else. Thank you for your cooperation and understanding. craft@countercraftsec.com www.countercraftsec.com

More Related Content

PDF
ATT&CK Updates- Defensive ATT&CK
byMITRE ATT&CK
 
PDF
Would you Rather Have Telemetry into 2 Attacks or 20? An Insight Into Highly ...
byMITRE ATT&CK
 
PDF
ATT&CKING Containers in The Cloud
byMITRE ATT&CK
 
PDF
State of the ATT&CK
byMITRE ATT&CK
 
PDF
Threat Modelling - It's not just for developers
byMITRE ATT&CK
 
PDF
The ATT&CK Latin American APT Playbook
byMITRE ATT&CK
 
PDF
What is ATT&CK coverage, anyway? Breadth and depth analysis with Atomic Red Team
byMITRE ATT&CK
 
PDF
When Insiders ATT&CK!
byMITRE ATT&CK
 
ATT&CK Updates- Defensive ATT&CK
byMITRE ATT&CK
 
Would you Rather Have Telemetry into 2 Attacks or 20? An Insight Into Highly ...
byMITRE ATT&CK
 
ATT&CKING Containers in The Cloud
byMITRE ATT&CK
 
State of the ATT&CK
byMITRE ATT&CK
 
Threat Modelling - It's not just for developers
byMITRE ATT&CK
 
The ATT&CK Latin American APT Playbook
byMITRE ATT&CK
 
What is ATT&CK coverage, anyway? Breadth and depth analysis with Atomic Red Team
byMITRE ATT&CK
 
When Insiders ATT&CK!
byMITRE ATT&CK
 

What's hot

PDF
Exploring how Students Map Social Engineering Techniques to the ATT&CK Framew...
byMITRE ATT&CK
 
PDF
Mapping to MITRE ATT&CK: Enhancing Operations Through the Tracking of Interac...
byMITRE ATT&CK
 
PDF
It's just a jump to the left (of boom): Prioritizing detection implementation...
byMITRE ATT&CK
 
PDF
Tracking Noisy Behavior and Risk-Based Alerting with ATT&CK
byMITRE ATT&CK
 
PDF
ATT&CK Metaverse - Exploring the Limitations of Applying ATT&CK
byMITRE ATT&CK
 
PDF
ATT&CKing the Red/Blue Divide
byMITRE ATT&CK
 
PDF
ATT&CK Updates- ATT&CK's Open Source
byMITRE ATT&CK
 
PDF
ATT&CK Updates- ATT&CK for ICS
byMITRE ATT&CK
 
PPTX
Adversary Emulation using CALDERA
byErik Van Buggenhout
 
PDF
Projects to Impact- Operationalizing Work from the Center
byMITRE ATT&CK
 
PDF
How MITRE ATT&CK helps security operations
bySergey Soldatov
 
PDF
Automation: The Wonderful Wizard of CTI (or is it?)
byMITRE ATT&CK
 
PDF
The ATT&CK Philharmonic
byMITRE ATT&CK
 
PDF
Intelligence Failures of Lincolns Top Spies: What CTI Analysts Can Learn Fro...
byMITRE ATT&CK
 
PDF
Threat Intelligence
byDeepak Kumar (D3)
 
PDF
ATT&CKcon Intro
byMITRE ATT&CK
 
PDF
Evaluating and Enhancing Security Maturity through MITRE ATT&CK Mapping
byMITRE ATT&CK
 
PDF
MITRE ATT&CKcon 2018: Hunters ATT&CKing with the Data, Roberto Rodriguez, Spe...
byMITRE - ATT&CKcon
 
PPTX
Effective Threat Hunting with Tactical Threat Intelligence
byDhruv Majumdar
 
PPTX
Bsides 2019 - Intelligent Threat Hunting
byDhruv Majumdar
 
Exploring how Students Map Social Engineering Techniques to the ATT&CK Framew...
byMITRE ATT&CK
 
Mapping to MITRE ATT&CK: Enhancing Operations Through the Tracking of Interac...
byMITRE ATT&CK
 
It's just a jump to the left (of boom): Prioritizing detection implementation...
byMITRE ATT&CK
 
Tracking Noisy Behavior and Risk-Based Alerting with ATT&CK
byMITRE ATT&CK
 
ATT&CK Metaverse - Exploring the Limitations of Applying ATT&CK
byMITRE ATT&CK
 
ATT&CKing the Red/Blue Divide
byMITRE ATT&CK
 
ATT&CK Updates- ATT&CK's Open Source
byMITRE ATT&CK
 
ATT&CK Updates- ATT&CK for ICS
byMITRE ATT&CK
 
Adversary Emulation using CALDERA
byErik Van Buggenhout
 
Projects to Impact- Operationalizing Work from the Center
byMITRE ATT&CK
 
How MITRE ATT&CK helps security operations
bySergey Soldatov
 
Automation: The Wonderful Wizard of CTI (or is it?)
byMITRE ATT&CK
 
The ATT&CK Philharmonic
byMITRE ATT&CK
 
Intelligence Failures of Lincolns Top Spies: What CTI Analysts Can Learn Fro...
byMITRE ATT&CK
 
Threat Intelligence
byDeepak Kumar (D3)
 
ATT&CKcon Intro
byMITRE ATT&CK
 
Evaluating and Enhancing Security Maturity through MITRE ATT&CK Mapping
byMITRE ATT&CK
 
MITRE ATT&CKcon 2018: Hunters ATT&CKing with the Data, Roberto Rodriguez, Spe...
byMITRE - ATT&CKcon
 
Effective Threat Hunting with Tactical Threat Intelligence
byDhruv Majumdar
 
Bsides 2019 - Intelligent Threat Hunting
byDhruv Majumdar
 

Similar to Mapping ATT&CK Techniques to ENGAGE Activities

PPTX
ATT&CKing with Threat Intelligence
byChristopher Korban
 
PPTX
Putting MITRE ATT&CK into Action with What You Have, Where You Are
byKatie Nickels
 
PDF
Threat-Based Adversary Emulation with MITRE ATT&CK
byKatie Nickels
 
PPTX
MITRE ATT&CK framework
byBhushan Gurav
 
PDF
MITRE-Module 2 Slides.pdf
byReZa AdineH
 
PDF
Breach and attack simulation tools
byBangladesh Network Operators Group
 
PPTX
RH-ISAC Summit 2019 - Adam Pennington - Leveraging MITRE ATT&CK™ for Detectio...
byAdam Pennington
 
PPTX
Crack the Code
byInnoTech
 
PDF
Best practices fore MITRE EMERSON EDUARDO RODRIGUES
byEMERSON EDUARDO RODRIGUES
 
PDF
MITRE-Module 1 Slides.pdf
byReZa AdineH
 
PPTX
Virtual Splunk User Group - Phantom Workbook Automation & Threat Hunting with...
byHarry McLaren
 
PDF
Slideshare.net rh-isac summit 2019 - adam pennington - leveraging mitre at ta...
byRobert Brandel
 
PDF
RH-ISAC Summit 2019 - Adam Pennington - Leveraging MITRE ATT&CK™ for Detectio...
byAdam Pennington
 
PPTX
Evaluating container security with ATT&CK Framework
bySandeep Jayashankar
 
PDF
Becoming a Yogi on Mac ATT&CK with OceanLotus Postures
byAdam Pennington
 
PDF
Using the MITRE ATT&CK framework to analyze real-world cyberattacks
bylucytyrteos
 
PDF
State of ATT&CK
byAdam Pennington
 
PDF
One Technique, Two Techniques, Red Technique, Blue Technique
byDaniel Weiss
 
PDF
Red Team: Emulating Advanced Adversaries in Cyberspace
byDon Anto
 
PDF
Secure 2019 - APT for Everyone - Adversary Simulations based on ATT&CK Framework
byLeszek Mi?
 
ATT&CKing with Threat Intelligence
byChristopher Korban
 
Putting MITRE ATT&CK into Action with What You Have, Where You Are
byKatie Nickels
 
Threat-Based Adversary Emulation with MITRE ATT&CK
byKatie Nickels
 
MITRE ATT&CK framework
byBhushan Gurav
 
MITRE-Module 2 Slides.pdf
byReZa AdineH
 
Breach and attack simulation tools
byBangladesh Network Operators Group
 
RH-ISAC Summit 2019 - Adam Pennington - Leveraging MITRE ATT&CK™ for Detectio...
byAdam Pennington
 
Crack the Code
byInnoTech
 
Best practices fore MITRE EMERSON EDUARDO RODRIGUES
byEMERSON EDUARDO RODRIGUES
 
MITRE-Module 1 Slides.pdf
byReZa AdineH
 
Virtual Splunk User Group - Phantom Workbook Automation & Threat Hunting with...
byHarry McLaren
 
Slideshare.net rh-isac summit 2019 - adam pennington - leveraging mitre at ta...
byRobert Brandel
 
RH-ISAC Summit 2019 - Adam Pennington - Leveraging MITRE ATT&CK™ for Detectio...
byAdam Pennington
 
Evaluating container security with ATT&CK Framework
bySandeep Jayashankar
 
Becoming a Yogi on Mac ATT&CK with OceanLotus Postures
byAdam Pennington
 
Using the MITRE ATT&CK framework to analyze real-world cyberattacks
bylucytyrteos
 
State of ATT&CK
byAdam Pennington
 
One Technique, Two Techniques, Red Technique, Blue Technique
byDaniel Weiss
 
Red Team: Emulating Advanced Adversaries in Cyberspace
byDon Anto
 
Secure 2019 - APT for Everyone - Adversary Simulations based on ATT&CK Framework
byLeszek Mi?
 

More from MITRE ATT&CK

PDF
Birds of a Feather: The Evolution of Threat Actor Prioritization, Gap Analysi...
byMITRE ATT&CK
 
PDF
Using ATT&CK and MITRE CTID’s StP Frameworks to Assess Threat Detection Resil...
byMITRE ATT&CK
 
PDF
MITRE ATT&CK Updates: Enterprise - Casey Knerr
byMITRE ATT&CK
 
PDF
MITRE ATT&CK Updates: Defensive ATT&CK - Lex Crumpton
byMITRE ATT&CK
 
PDF
MITRE ATT&CK Updates: CTI - Path Forward - Joe Slowik
byMITRE ATT&CK
 
PDF
Practical Application of MITRE ATT&CK: Real World Usage in a Corporate Enviro...
byMITRE ATT&CK
 
PDF
Updates from The Center for Threat Informed Defense - Jon Baker
byMITRE ATT&CK
 
PDF
MITRE ATT&CK Updates: Software - Jared Ondricek
byMITRE ATT&CK
 
PDF
ATT&CKcon 5.0 Lightning Talks - Various Speakers
byMITRE ATT&CK
 
PDF
SaaSy ATT&CK – Practical ATT&CK usage for SaaS-based Telemetry - Aaron Shelmire
byMITRE ATT&CK
 
PDF
State of the ATT&CK 2024 - Adam Pennington
byMITRE ATT&CK
 
PDF
Next-Gen Threat-Informed Defense: Human-Assisted Intelligent Agents - Rajesh ...
byMITRE ATT&CK
 
PDF
Sources of ATT&CK: A Bibliographic Journey through Enterprise ATT&CK - Robert...
byMITRE ATT&CK
 
PDF
ATT&CKcon 5.0 Keynote - From Ticket Closers to Practitioners- How Great Secu...
byMITRE ATT&CK
 
PDF
This is why we don’t shout “Bingo”: Analyzing ATT&CK Integration in Endpoint ...
byMITRE ATT&CK
 
PDF
Every Cloud Has a Purple Lining - Arun Seelagan
byMITRE ATT&CK
 
PDF
Confession: 3 Things I Wish I Knew About MITRE ATT&CK When I Was an FBI Profi...
byMITRE ATT&CK
 
PDF
Go Go Ransom Rangers: Diving into Akira’s Linux Variant with ATT&CK - Nicole ...
byMITRE ATT&CK
 
PDF
I'll take ATT&CK techniques that can be done for $1000, Alex. - Ben Langrill
byMITRE ATT&CK
 
PDF
Bridging the Gap: Enhancing Detection Coverage with Atomic Red Team, Sigma, a...
byMITRE ATT&CK
 
Birds of a Feather: The Evolution of Threat Actor Prioritization, Gap Analysi...
byMITRE ATT&CK
 
Using ATT&CK and MITRE CTID’s StP Frameworks to Assess Threat Detection Resil...
byMITRE ATT&CK
 
MITRE ATT&CK Updates: Enterprise - Casey Knerr
byMITRE ATT&CK
 
MITRE ATT&CK Updates: Defensive ATT&CK - Lex Crumpton
byMITRE ATT&CK
 
MITRE ATT&CK Updates: CTI - Path Forward - Joe Slowik
byMITRE ATT&CK
 
Practical Application of MITRE ATT&CK: Real World Usage in a Corporate Enviro...
byMITRE ATT&CK
 
Updates from The Center for Threat Informed Defense - Jon Baker
byMITRE ATT&CK
 
MITRE ATT&CK Updates: Software - Jared Ondricek
byMITRE ATT&CK
 
ATT&CKcon 5.0 Lightning Talks - Various Speakers
byMITRE ATT&CK
 
SaaSy ATT&CK – Practical ATT&CK usage for SaaS-based Telemetry - Aaron Shelmire
byMITRE ATT&CK
 
State of the ATT&CK 2024 - Adam Pennington
byMITRE ATT&CK
 
Next-Gen Threat-Informed Defense: Human-Assisted Intelligent Agents - Rajesh ...
byMITRE ATT&CK
 
Sources of ATT&CK: A Bibliographic Journey through Enterprise ATT&CK - Robert...
byMITRE ATT&CK
 
ATT&CKcon 5.0 Keynote - From Ticket Closers to Practitioners- How Great Secu...
byMITRE ATT&CK
 
This is why we don’t shout “Bingo”: Analyzing ATT&CK Integration in Endpoint ...
byMITRE ATT&CK
 
Every Cloud Has a Purple Lining - Arun Seelagan
byMITRE ATT&CK
 
Confession: 3 Things I Wish I Knew About MITRE ATT&CK When I Was an FBI Profi...
byMITRE ATT&CK
 
Go Go Ransom Rangers: Diving into Akira’s Linux Variant with ATT&CK - Nicole ...
byMITRE ATT&CK
 
I'll take ATT&CK techniques that can be done for $1000, Alex. - Ben Langrill
byMITRE ATT&CK
 
Bridging the Gap: Enhancing Detection Coverage with Atomic Red Team, Sigma, a...
byMITRE ATT&CK
 

Recently uploaded

PDF
MathML Core in WebKit
byIgalia
 
PDF
Revolutionizing SQL Database Design for the Modern Era.pdf
bySQL DBM
 
PDF
Q3'25 Financial Results and Earnings Presentation
byDropbox
 
PPTX
Career Blueprint - Future Career Vision & Success Stories - 2025 - Part 1
byDianaGray10
 
PDF
UiPath Veterans Day Acknowledgement and Benefits
byDianaGray10
 
PDF
#MakeAIMatter for HR Professionals | AI Transformation Workshop by Tekdi Tech...
byParth Lawate
 
PDF
Wrapping up unowned UTF8 C strings: CStringView
byIgalia
 
PDF
How to not make bugs (in JSC), and the future of 32-bits
byIgalia
 
PDF
Private Governance: How Decentralized Mechanisms Can Regulate the Crypto Economy
byFederico Ast
 
PDF
Writing GPU-Ready AI Models in Pure Java with Babylon
byAna-Maria Mihalceanu
 
PDF
WebXR in Android and Linux with OpenXR
byIgalia
 
PDF
Career Blueprint: Mentor Tracks & Career Clinic - Part 2
byDianaGray10
 
PDF
Dr. Robert Krug - Specializes In Predictive Modeling
byDr. Robert Krug
 
PDF
Manage Networking in RHEL - RHCSA (RH124).pdf
byLinuxCert Guru
 
PDF
Getting started with Agent Framework.pdf
byNilesh Gule
 
PPTX
Sephora UAE API Service Real-Time Product & Price Data Access.pptx
bycreativeclicks1733
 
PDF
Analyze and Store Logs - RHCSA (RH124).pdf
byLinuxCert Guru
 
PDF
From Pixels to Insights: Getting Started with Imagery in FME
bySafe Software
 
PDF
Do more with the HP Z2 Mini G1a
byPrincipled Technologies
 
PDF
Access Linux File System in RHEL - RHCSA (RH124).pdf
byLinuxCert Guru
 
MathML Core in WebKit
byIgalia
 
Revolutionizing SQL Database Design for the Modern Era.pdf
bySQL DBM
 
Q3'25 Financial Results and Earnings Presentation
byDropbox
 
Career Blueprint - Future Career Vision & Success Stories - 2025 - Part 1
byDianaGray10
 
UiPath Veterans Day Acknowledgement and Benefits
byDianaGray10
 
#MakeAIMatter for HR Professionals | AI Transformation Workshop by Tekdi Tech...
byParth Lawate
 
Wrapping up unowned UTF8 C strings: CStringView
byIgalia
 
How to not make bugs (in JSC), and the future of 32-bits
byIgalia
 
Private Governance: How Decentralized Mechanisms Can Regulate the Crypto Economy
byFederico Ast
 
Writing GPU-Ready AI Models in Pure Java with Babylon
byAna-Maria Mihalceanu
 
WebXR in Android and Linux with OpenXR
byIgalia
 
Career Blueprint: Mentor Tracks & Career Clinic - Part 2
byDianaGray10
 
Dr. Robert Krug - Specializes In Predictive Modeling
byDr. Robert Krug
 
Manage Networking in RHEL - RHCSA (RH124).pdf
byLinuxCert Guru
 
Getting started with Agent Framework.pdf
byNilesh Gule
 
Sephora UAE API Service Real-Time Product & Price Data Access.pptx
bycreativeclicks1733
 
Analyze and Store Logs - RHCSA (RH124).pdf
byLinuxCert Guru
 
From Pixels to Insights: Getting Started with Imagery in FME
bySafe Software
 
Do more with the HP Z2 Mini G1a
byPrincipled Technologies
 
Access Linux File System in RHEL - RHCSA (RH124).pdf
byLinuxCert Guru
 

Mapping ATT&CK Techniques to ENGAGE Activities

  • 1.
    ATT&CKcon 3.0 McLean, VA Copyright© 2022 CounterCraft, Inc.. All rights reserved. David Barroso @lostinsecurity Mapping ATT&CK techniques to Engage activities
  • 2.
    Copyright © 2022CounterCraft, Inc.. All rights reserved. David Barroso @lostinsecurity Before starting Please check out the excellent MITRE engage resources. https://engage.mitre.org/ Kudos to the MITRE Engage team!
  • 3.
    Cyber Denial isthe ability to prevent or otherwise impair the adversary’s ability to conduct their operations. This disruption may limit their movements, collection efforts, or effectiveness of their capabilities. Cyber Deception intentionally reveals deceptive facts and fictions to mislead the adversary. In addition, it conceals critical facts and fictions to prevent the adversary from forming correct estimations or taking appropriate actions. When cyber denial and deception are used together, within the context of strategic planning and analysis, they provide the foundation of Adversary Engagement. Source: https://engage.mitre.org/
  • 4.
    Copyright © 2022CounterCraft, Inc.. All rights reserved. David Barroso @lostinsecurity Source: https://engage.mitre.org/
  • 5.
    Copyright © 2022CounterCraft, Inc.. All rights reserved. David Barroso @lostinsecurity Engage Key Terms • Actions: two categories of actions: Strategic and Engagement. • Goals: are the high-level outcomes you would like your operation to accomplish: Prepare, Expose, Affect, Elicit, Understand. • Approaches: let you make progress towards your selected goal (tactics in ATT&CK): Plan, Collect, Detect, Prevent, Direct, Disrupt, Reassure, Motivate, Analyze. • Activities: concrete techniques you use in your approach (techniques in ATT&CK)
  • 6.
    Copyright © 2022CounterCraft, Inc.. All rights reserved. David Barroso @lostinsecurity Source: https://engage.mitre.org/
  • 7.
    Copyright © 2022CounterCraft, Inc.. All rights reserved. David Barroso @lostinsecurity Source: https://engage.mitre.org/
  • 8.
    Copyright © 2022CounterCraft, Inc.. All rights reserved. David Barroso @lostinsecurity Mapping Engage and ATT&CK For each ATT&CK technique, we can examine the weaknesses revealed and identify an engagement activity or activities to exploit this weakness. Lures ID: EAC0005 Source: https://engage.mitre.org/
  • 9.
    Copyright © 2022CounterCraft, Inc.. All rights reserved. David Barroso @lostinsecurity Example: TeamTNT and their Docker escape method We want to to test the following hypothesis: An specific threat actor (TeamTNT) is targeting companies in our sector. One of their preferred methods is to compromise container servers and use them as a way to propagate their payload.
  • 10.
    Copyright © 2022CounterCraft, Inc.. All rights reserved. David Barroso @lostinsecurity Example: TeamTNT and their Docker escape method Steps ATT&CK Technique TeamTNT scans your attack surface looking for unprotected Docker daemons T1133 – External Remote Services They create a new container with privileged mode, mapping the host’s root filesystem into the new container T1610 – Deploy Container Then they add a new SSH public key to the root user authorized keys T1098-004 Account Manipulation: SSH Authorized Keys They can now SSH into the host (ssh [email protected]) T1611 – Escape to Host More information: https://www.countercraftsec.com/blog/post/escaping-docker-privileged-containers-for-mining-crypto-currencies/
  • 11.
    Copyright © 2022CounterCraft, Inc.. All rights reserved. David Barroso @lostinsecurity Example: TeamTNT and their Docker escape method
  • 12.
    Copyright © 2022CounterCraft, Inc.. All rights reserved. David Barroso @lostinsecurity Example: Apache log4j vulnerability CVE-2021-44228 We want to to test the following hypothesis: We have a massive number of Java applications exposed to the Internet, and many of them can’t be patched inmediately.
  • 13.
    Copyright © 2022CounterCraft, Inc.. All rights reserved. David Barroso @lostinsecurity Example: Apache log4j vulnerability CVE-2021-44228 Steps ATT&CK Technique A threat actor scans your attack surface looking for vulnerable Java applications. T1133 – External Remote Services They use the log4j exploit to execute a command T1190 – Exploit Public-Facing Application A PowerShell script is executed T1059:001 – Command and Scripting: PowerShell The PowerShell script downloads and executes a binary T1204:002 – User Execution: Malicious file The binary tries to achieve persistence adding registry keys T1547:001 – Boot or Logon Autostart: Registry Run Keys The binary installs a crypto-miner (XMRig) T1496 – Resource Hijacking More information: https://blog.checkpoint.com/2021/12/14/a-deep-dive-into-a-real-life-log4j-exploitation/
  • 14.
    Copyright © 2022CounterCraft, Inc.. All rights reserved. David Barroso @lostinsecurity Example: Apache log4j vulnerability CVE-2021-44228
  • 15.
    Copyright © 2022CounterCraft, Inc.. All rights reserved. David Barroso @lostinsecurity Adversary Engagement tips Deflect the adversary to our deception assets • Services that are attractive and discoverable: Active Directory with a trust relationship with a production AD, vulnerable software versions (Apache, Confluence, Windows Server, …), poorly secured software installations (SQL Server with weak passwords, unauthenticated Docker daemons, SSH/RDP with weak passwords, etc.) or just normal software that can be accessed using the credentials stored in breadcrumbs. • Breadcrumbs that point to the above services. Example: private keys, credentials in files (PowerShell script, Excel, bash, source code repositories, configuration files, etc.), shared folders, source code repositories, emails, TLS certificates, etc. • Physical breadcrumbs. QR codes posted in restricted areas walls, printed configuration files / credentials in trash bins or on the desktop, post-it notes pointing to the deception assets, etc. • Traffic generation from attractive assets: CDP pointing to Cisco devices, multicast traffic from vulnerable devices, etc.
  • 16.
    Copyright © 2022CounterCraft, Inc.. All rights reserved. David Barroso @lostinsecurity Adversary Engagement tips Bait and switch Depending on how we are engaging with the adversaries, we can dynamically change the environment: • Keep attackers engaged for as long as possible with our scenario • Create chaos and confusion amongst them • Collect information about them (IOCs, TTPs) • Gain and/or increase situational awareness Examples: • Let them compromise malfunctioning hosts (random reboots, password changes, corrupted files, etc.) • Block access to their C2. Example: blocking HTTP requests from Cobalt Strike beacons back to their C2. • Add random delays (contacting servers, API operations, etc.). Example: Tularosa (Ferguson-Walter et al., 2019) • Drop files and folders in real time containing relevant documentation based on the attacker profile • Hide and seek vulnerable assets • Drop IOCs that belong to similar groups (APT28 vs APT29) • Send Detection Warnings using popups or shell messages
  • 17.
    ATT&CKcon 3.0 McLean, VA Copyright© 2022 CounterCraft, Inc.. All rights reserved. David Barroso @lostinsecurity Questions?
  • 18.
    The content ofthis document is confidential and intended for the recipient and purpose of the related communication to which it’s attached only. It is strictly forbidden to share any part of this document with any third party, without a written consent of CounterCraft. Should you receive this document by mistake, we also ask that you delete it, and do not forward it or any part of it to anyone else. Thank you for your cooperation and understanding. [email protected] www.countercraftsec.com