MITRE ATT&CK Fundamentals Webinar - Day 3.pptx
ssuser8b5015
1.
www.cyberranges.com Copyright © CYBER RANGES – All rights reserved. Any Reproduction is Forbidden
MITRE ATT&CK Fundamentals - 3-Day Webinar
Learn how to operationalize the MITRE ATT&CK Framework for offensive and defensive operations.
2.
Copyright © Silensec – All rights reserved. Any Reproduction is Forbidden
Agenda Day 3
• Learn how to use Sigma Rules within the MITRE ATT&CK Framework.
• Introduction to Adversary Emulation.
• Adversary Emulation with MITRE ATT&CK.
3.
Sigma Rules
• Sigma is a generic and open signature format that lets you describe relevant log events in a straightforward manner.
• The rule format is flexible, easy to write and applicable to any type of log file. The main purpose of the project is to provide a structured form in which researchers or analysts can describe the detection methods they have developed and share them with others.
• Sigma is for log files what Snort is for network traffic and YARA is for files: it lets you describe searches on log data in a generic form. These rules can be converted and applied to many log management or SIEM systems.
4.
Sigma Rules
5.
Sigma Rule Syntax
• A Sigma rule is a YAML file with the following sections:
• Metadata (ID, tags, author, title, references, level).
• Status (experimental or normal); the status is used to filter experimental rules from normal ones.
• Log source, which defines the source of the log data.
• Detection (one or more selections, an optional timeframe and a condition).
• Optional tags.
• False positives, describing scenarios that could trigger the rule, as help for the analyst.
6.
Sigma Rule Syntax
7.
Sigma & MITRE ATT&CK
• Sigma gives threat intelligence analysts an easy-to-use format for writing detection rules and signatures, which can then be shared with defenders and the SOC for implementation in a SIEM.
• Sigma is SIEM-agnostic: any Sigma rule can be converted into an alert for QRadar, Splunk, ArcSight and other platforms.
• Sigma can also convert rules into MITRE ATT&CK Navigator layers.
• This is very helpful during CTI work, as we can identify the TTPs we have rules for and can detect.
• We can use this intelligence to identify weak spots in detection capability for specific TTPs tied to a threat actor, APT group or software.
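A worked example of the rule layout described on the Sigma Rule Syntax slide and of the SIEM-agnostic conversion described here, added to this page and not part of the webinar material or of the SigmaHQ project: a constructed Sigma rule (placeholder id, constructed field values) is parsed from its YAML text and its detection block is rendered as a Splunk search. The parser handles only the YAML subset Sigma rules use, and the converter only conditions of the form `a and b` / `a and not b`; the real toolchain (sigma-cli with pySigma backends) covers the full condition grammar and maps the logsource to an index or sourcetype from its configuration.

```python
import json

# Constructed example rule in Sigma's YAML layout (placeholder id, not a published SigmaHQ rule).
EXAMPLE_RULE = r"""
title: Suspicious Encoded PowerShell Command Line
id: 00000000-0000-4000-8000-000000000001
status: experimental
description: Detects powershell.exe started with an encoded command line
author: example author
references:
  - https://attack.mitre.org/techniques/T1059/001/
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    Image|endswith: '\powershell.exe'
    CommandLine|contains:
      - '-enc'
      - '-EncodedCommand'
  filter:
    ParentImage|endswith: '\explorer.exe'
  condition: selection and not filter
falsepositives:
  - Administrative scripts that pass encoded commands
level: medium
tags:
  - attack.execution
  - attack.t1059.001
"""


def _scalar(s):
    """Unquote a YAML scalar; digit-only text becomes int, quoted text keeps its backslashes."""
    s = s.strip()
    if len(s) >= 2 and s[0] == s[-1] and s[0] in "'\"":
        return s[1:-1]
    return int(s) if s.isdigit() else s


def parse_sigma_yaml(text):
    """Parse the YAML subset Sigma rules use (nested mappings, lists of scalars).
    Written for this example so it runs without PyYAML; prefer yaml.safe_load in practice."""
    lines = [ln.rstrip() for ln in text.splitlines()
             if ln.strip() and not ln.lstrip().startswith("#")]
    pos = 0

    def indent(i):
        return len(lines[i]) - len(lines[i].lstrip())

    def block(level):
        nonlocal pos
        if lines[pos].lstrip().startswith("- "):          # list of scalars
            items = []
            while (pos < len(lines) and indent(pos) == level
                   and lines[pos].lstrip().startswith("- ")):
                items.append(_scalar(lines[pos].lstrip()[2:]))
                pos += 1
            return items
        mapping = {}                                      # key: value / key: <nested block>
        while pos < len(lines) and indent(pos) == level:
            key, _, rest = lines[pos].strip().partition(":")
            pos += 1
            mapping[key] = _scalar(rest) if rest.strip() else block(indent(pos))
        return mapping

    return block(0)


# Sigma value modifiers rendered as Splunk wildcards.
_WILDCARD = {"": "{}", "contains": "*{}*", "endswith": "*{}", "startswith": "{}*"}


def _field_query(spec, values):
    """One 'Field|modifier' entry -> Splunk comparison; list values are ORed."""
    field, _, modifier = spec.partition("|")
    values = values if isinstance(values, list) else [values]
    terms = ['%s="%s"' % (field, _WILDCARD[modifier].format(str(v).replace("\\", "\\\\")))
             for v in values]
    return terms[0] if len(terms) == 1 else "(" + " OR ".join(terms) + ")"


def sigma_to_splunk(rule):
    """Render the detection block as a Splunk search. Deliberately minimal backend:
    conditions of the form 'a and b' / 'a and not b' only, and no logsource-to-index
    mapping, which real Sigma backends take from their configuration."""
    det = rule["detection"]
    parts = []
    for term in det["condition"].split(" and "):
        negate = term.startswith("not ")
        name = term[4:] if negate else term
        selection = " AND ".join(_field_query(f, v) for f, v in det[name].items())
        parts.append(("NOT " if negate else "") + "(" + selection + ")")
    return " AND ".join(parts)


if __name__ == "__main__":
    rule = parse_sigma_yaml(EXAMPLE_RULE)
    print(json.dumps(rule["detection"], indent=2))
    print(sigma_to_splunk(rule))
```

Each selection becomes a parenthesised AND of its fields, a list value becomes an OR, the `|endswith` and `|contains` modifiers become leading or surrounding wildcards, and the `not filter` term becomes a `NOT (...)` clause; swapping `_field_query` for one that emits a different query language is all that a second SIEM target needs, which is the point of keeping the rule itself generic.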
8.
Links & Resources
• CYBER RANGES: app.cyberranges.com
• MITRE ATT&CK: attack.mitre.org
• MITRE ATT&CK Navigator: https://mitre-attack.github.io/attack-navigator/
• Sigma: https://github.com/SigmaHQ/sigma
• APT Groups & Operations: https://bit.ly/3CBQdZn
• MITRE D3FEND: https://d3fend.mitre.org/
9.
Demo
• Leveraging Sigma rules for operational threat intelligence with the MITRE ATT&CK Framework.
10.
Adversary Emulation
• Adversary emulation is the process of emulating the tactics, techniques and behavior of a specific adversary.
• The objective of adversary emulation is to assess and improve how resilient an organization is against specific adversary techniques and attacks.
• Adversary behavior is classified using Tactics, Techniques and Procedures (TTPs).
• Adversary TTPs are used to outline how a specific adversary operates.
• An adversary emulation should be based on the adversary's TTPs, so that the emulated attack faithfully reproduces how that adversary operates.
• Adversary emulation should follow a structured methodology or kill chain.
11.
Adversary Emulation Lifecycle
12.
Emulating FIN6
• Objectives and Evolution: FIN6 is thought to be a financially motivated cybercrime group. As such, they appear to take a pragmatic approach toward targeting and exploitation.
• Their strategic objective over time and across a diverse target set remains the same: monetizing compromised environments. Early on, FIN6 used social engineering to gain unauthorized access to targets that process high-volume point-of-sale (PoS) transactions.
• Target Industries: The group has aggressively targeted and compromised:
• High-volume POS systems in the hospitality and retail sectors since at least 2015.
• E-commerce sites and multinational organizations. Most of the group's targets have been located in the United States and Europe, but include companies in Australia, Canada, Spain, India, Kazakhstan, Serbia and China. Most recently, the group is reported to be deploying ransomware. Industry and geography are of little consequence for operations that leverage extortion to monetize compromised environments.
13.
Emulating FIN6
• Operations: FIN6 has been known to attain initial access to target organizations by using legitimate but compromised credentials (T1078) coupled with legitimate remote access applications (T1133), and by spearphishing (T1566.001, T1566.002, T1566.003). Most recently, FIN6 may have been purchasing access to environments previously compromised with TrickBot. Once inside the target organization, FIN6 uses a variety of open- and closed-source red team tools, custom scripts (T1059) and commodity malware in support of tactical objectives.
• FIN6's tactical objectives are to identify systems for staging, reconnoiter Active Directory environments (T1046, T1069), escalate privileges (T1068), often via credential access (T1078), and identify systems that align with operational objectives. More_eggs (S0284), a lightweight JScript implant, has been used during the initial stages of compromise to conduct host enumeration (T1018), establish command and control (C2), and download and execute additional tools (T1105). FIN6 frequently uses Metasploit or Cobalt Strike (S0154) as its primary post-exploitation C2 framework, sometimes with a degree of customization to make detection harder. To that end, FIN6 has used code-signing certificates to evade defenses (T1553.002).
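The coverage-gap use of Sigma tags described on the Sigma & MITRE ATT&CK slide, applied to the FIN6 technique IDs listed on this slide. This is an added example, not code from the webinar or from the FIN6 emulation plan: the five rules are constructed stand-ins (only their titles and `attack.*` tags matter), the matching rule (a rule counts for a technique if it tags the technique, its parent, or one of its sub-techniques) and the layer's score and gradient values are this example's own choices, and the layer file format is the ATT&CK Navigator's JSON layer.

```python
import json
import re

# FIN6 technique IDs as enumerated on the "Emulating FIN6 - Operations" slide.
FIN6_TTPS = ["T1078", "T1133", "T1566.001", "T1566.002", "T1566.003", "T1059",
             "T1046", "T1069", "T1068", "T1018", "T1105", "T1553.002"]

# Constructed stand-ins for a Sigma rule set: only title and tags are used here.
EXAMPLE_RULES = [
    {"title": "Suspicious Encoded PowerShell Command Line",
     "tags": ["attack.execution", "attack.t1059.001"]},
    {"title": "Remote System Discovery via net.exe",
     "tags": ["attack.discovery", "attack.t1018"]},
    {"title": "Office Document Spawning a Script Interpreter",
     "tags": ["attack.initial_access", "attack.t1566.001"]},
    {"title": "Remote Service Creation via PsExec",
     "tags": ["attack.lateral_movement", "attack.t1021.002"]},
    {"title": "File Download via certutil",
     "tags": ["attack.command_and_control", "attack.t1105"]},
]

TECH_TAG = re.compile(r"attack\.(t\d{4}(?:\.\d{3})?)")


def technique_ids(rule):
    """Technique IDs from a rule's tags; tactic tags such as attack.execution are skipped."""
    return {m.group(1).upper() for m in map(TECH_TAG.fullmatch, rule["tags"]) if m}


def parent(tid):
    """T1566.001 -> T1566; a parent technique is its own parent."""
    return tid.split(".")[0]


def coverage(adversary_ttps, rules):
    """Match each adversary technique against the rule set. A rule counts if it tags the
    technique itself, its parent (a parent-level rule applies to every sub-technique), or
    one of its sub-techniques (partial coverage of a parent). Returns (covered, gaps)."""
    covered = {}
    for tid in adversary_ttps:
        hits = [r["title"] for r in rules
                if any(t == tid or t == parent(tid) or parent(t) == tid
                       for t in technique_ids(r))]
        if hits:
            covered[tid] = hits
    gaps = sorted(set(adversary_ttps) - set(covered))
    return covered, gaps


def navigator_layer(adversary_ttps, covered, name="FIN6 detection coverage"):
    """ATT&CK Navigator layer: covered techniques score 2 and carry the matching rule
    titles, gaps score 0, so the red cells in the Navigator are the TTPs to write rules for."""
    return {
        "name": name,
        "domain": "enterprise-attack",
        "versions": {"layer": "4.5"},   # layer format version; match your Navigator build
        "gradient": {"colors": ["#ff6666", "#66ff66"], "minValue": 0, "maxValue": 2},
        "techniques": [
            {"techniqueID": tid,
             "score": 2 if tid in covered else 0,
             "comment": "; ".join(covered.get(tid, ["no Sigma rule"]))}
            for tid in sorted(adversary_ttps)
        ],
    }


if __name__ == "__main__":
    covered, gaps = coverage(FIN6_TTPS, EXAMPLE_RULES)
    print("covered:", sorted(covered))
    print("gaps:", gaps)
    print(json.dumps(navigator_layer(FIN6_TTPS, covered), indent=2))
```

With the constructed rule set, four of the twelve FIN6 techniques are covered and eight are gaps (among them T1078, T1133 and T1553.002, which the slide names as FIN6's initial-access and defense-evasion behaviours); loading the printed JSON into the Navigator shows the same picture as a coloured matrix. The sub-technique match is deliberately generous (one rule for T1059.001 counts toward T1059), so treat a covered parent as a prompt to check which sub-techniques the rule actually sees.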
14.
FIN6 TTPs Mapped
15.
FIN6 Software
Name | Associated Names | Software Type | Availability | Emulation Notes
Cobalt Strike (S0154) | | Threat Emulation Software | Commercial | FIN6 uses Cobalt Strike to realize tactical objectives during the initial phases of an intrusion.
Metasploit | | Penetration Testing Software | Openly Available | FIN6 has used Metasploit's Meterpreter and other tools within the framework to achieve tactical objectives.
LockerGoga (S0372) | | Ransomware | Malware-as-a-Service (MaaS) | FIN6 deploys POS/Ransomware on systems of interest in support of operational objectives.
Mimikatz (S0002) | | Windows Credential Dumper | Openly Available | FIN6 is reported to use the credential dumping capability of Mimikatz.
More_eggs (S0284) | | Remote Access Tool (RAT) | MaaS | Used to expand access and persist on a compromised network.
PsExec (S0029) | | Remote Execution | Openly Available | FIN6 appears to be using Cobalt Strike's PsExec_psh module for lateral movement.
Windows Credential Editor (S0005) | | Windows Credential Dumper | Openly Available | One of three methods FIN6 uses to compromise credentials.
FrameworkPOS | TRINITY | Point of Sale (POS) Malware | | POS malware commonly used by FIN6 to achieve operational objectives.
TerraLoader | SpiceyOmlette | Loader | MaaS | FIN6 uses TerraLoader to download and execute more_eggs and Metasploit stages.
PowerTrick | | Backdoor | MaaS | FIN6 is believed to have used PowerTrick to download TerraLoader, which subsequently installs more_eggs or Metasploit.
MAZE | | Ransomware | MaaS | The group is thought to have deployed MAZE ransomware in compromised environments.
16.
Demo
• Mapping FIN6 TTPs
• Emulating FIN6
17.
Thank You!
• Twitter: https://twitter.com/cyberranges
• LinkedIn: https://www.linkedin.com/company/cyber-ranges/
• YouTube: https://www.youtube.com/channel/UCnwJsmSkzBuLrxfUJKwnQyw
• Discord: https://discord.gg/kz99rd9TgB
• CYBER RANGES Website & Blog: https://cyberranges.com
• CYBER RANGES Platform: https://app.cyberranges.com