Skip to main content

MITRE ATT&CK - How to use Effectively for Threat Hunting & Detection in SOC Environment.

Why do we need to use MITRE ATT&CK?

David Bianco explained very well that not all indicators of compromise are created equal. The pyramid defines the pain it will cause the adversary when you are able to deny those indicators to them.

No alt text provided for this image
Fig 1: Pyramid of Pain (Source:http://detect-respond.blogspot.com/2013/03/the-pyramid-of-pain.html)

Hash Value: Hash indicators are the most accurate type of indicator. On the other hand, any change to a malicious file results in a completely different and unrelated hash value. So, in that case it’s very easy to change the hash value and there are so many hashes around the globe in that cases it may not be quite worth monitoring all of them.

IP Address: If you deny the adversary IP then usually, they can come back quickly with different IP.

Domain Name: Tons of domain are registered using fake details and there are free DNS services available.
Udacity has special offers worldwide to help anyone learn important, higher-paying job skills during this challenging time. Click here to get your offer and start learning now!

Network/Host Artifacts: When you can detect and respond to indicators at this level, you cause the attacker to go back and reconfigure and/or recompile their tools.

Tools: So now we are good at detecting the artifacts of their tool in many ways that they gave up or either find a new way to create a tool for the similar purpose.

TTP: When you are able to detect and respond at this level, you are operating directly on adversary behaviors, not against their tools. Adversary are finally a human behavior by detecting at TTP it becomes difficult to operate anymore.

What happens when you detect adversary's different TTPs? They have two options either to give up or re-invent themselves with new behavior.

How to use MITRE ATT&CK effectively ?

Mitre att&ck framework consists of 12 tactics, from initial access, execution, lateral movement all the way through command and control, data ex filtration and Impact. Each phase of this attack life-cycle consists of a multitude of techniques that have been observed globally and used by various threat actor groups when compromising an organization’s network.

By adopting this framework, it can be extremely useful to determine an environment level of visibility against targeted attacks with the tools that have been deployed across your enterprise organization endpoints and perimeter.

No alt text provided for this image
          Fig 2: Mitre att&ck

Now to start with threat hunting you should know few things about your organization like,

  •  Enterprise knowledge: contextual knowledge and awareness of your IT environment
  • Hypothetical thinking: the ability to hypothesize threat attacks, source vectors, and organizational impact
  • Statistics: the ability to interpret significance from statistical data
  • Forensics: the ability to investigate the root cause and develop an attack timeline of events through network and endpoint forensics.

All looks good…. But how can I start now…. With all these 100+ techniques?

Let’s start looking for detection with some post-exploitation and pre-exploitation activity across the whole adversary life-cycle. Assuming that adversary has already got access to the organization system/network or trying to enter organization system/network.

  • Keep tracking changes over time, Behavior analytic there are few rules where you can use.
  • Identify your enemy, what is there aim (PII, database, email leak...etc.) and threat to your organization, High value Assets they might target.
  • Create detection rules for those techniques map those rules to Mitre Att&ck navigator and keep tracking.

https://car.mitre.org/analytics/ - Cyber Analytics Repository

https://github.com/hunters-forge/ThreatHunter-Playbook - Threat Hunter Playbook

https://eqllib.readthedocs.io/en/latest/analytics.html - End Game Analytics library.

https://github.com/Neo23x0/sigma - Sigma SIEM agnostic use case

https://github.com/BlueTeamLabs/sentinel-attack - Sentinel ATT&CK

  • Allocate severity to your detection like High, Medium and Low.
  • Provide detection rating to your rules (1-5) 100% rules coverage is difficult to achieve, so rate your detection rule accordingly.    
No alt text provided for this image
    Fig3: Mitre att&ck Data Map(Source: https://github.com/olafhartong/ATTACKdatamap)         

Start with what data/log source you have, Map those data source with techniques.                                                               

No alt text provided for this image
  Fig 4: Mitre att&ck (https://github.com/mitre-attack/attackscripts/tree/master/scripts)
No alt text provided for this image
 Fig5: Mitre att&ck (https://raw.githubusercontent.com/MalwareArchaeology/ATTACK/master/Windows_Logging_Attack_Matrix_Win_Events_Sept_2018.xlsx)

Now once you are ready with Heat Map in ATT&CK Matrix navigator. It’s time to assess your detection like what so far, we can detect and what we cannot.

  • Where are my gaps do, I need more logs/data sources ?
  • What tools should I need to deploy and detect those ?
  • Why can’t you detect maybe you need risk acceptance ?
  • Use the Mite Att&ck navigator to have understanding on all the area.                 
No alt text provided for this image
       Fig 6 (Source: https://mitre-attack.github.io/attack-navigator/enterprise/)

Green: Able to detect threat successfully.

Yellow: Still need some more logs source/some fine tuning in infrastructure.

Red: Cannot detect those attack with current environment/scenario.

White: Grey area not sure, Blind Spot.

Hopefully with following all these steps you can start having meaning full threat detection in your SOC/Organization.

Author published the article intially in Linkedin. Republishing here with permission from the Author.

Popular posts from this blog

Cisco ASA: Disable SSLv3 and configure TLSv1.2.

For configuring TLS v1.2, the ASA should run software version 9.3(2) or later. In earlier versions of ASA, TLS 1.2 is not supported.If you are running the old version, it's time to upgrade. But before that i will show you the config prior to the change. I am running ASA version 9.6.1 Now ,set the server-version to tlsv1.2, though ASA supports version tlsv1.1, its always better to configure the connection to more secure. Server here in the sense, the ASA will be act as the server and the client will connect to the ASA.     #ssl server-version tlsv1.2 set the client-version to tlsv1.2, if required.     #ssl client-version tlsv1.2 ssl cipher command in ASA offers 5 predefined security levels and an additional custom level.     #ssl cipher tlsv1.2 high we can see the setting of each cipher levels using #show ssl cipher command. Now set the DH group to 24, which is the strongest offered as of now in the ASA.     #ssl dh-group group24 An

How to Install Netmiko on Windows?

Netmiko, developed by kirk Byers is an open source python library  based on Paramiko which simplifies SSH management to network devices and is primarily used for network automation tasks. Installing Netmiko in linux is a matter o f one single command but if you need to use Netmiko in your Windows PC, follow this process. 1) Install the latest version of Python. 2) Install Anaconda, which is an opensource distribution platform that you can install in Windows and other OS's (https://www.anaconda.com/download/) 3) From the Anaconda Shell, run “ conda install paramiko ”. 4) From the Anaconda Shell, run “ pip install scp ”. 5) Now Install the Git for Windows. (https://www.git-scm.com/downloads) . Git is required for downloading and cloning all the Netmiko library files from Github. 6) From Git Bash window, Clone Netmiko using the following command git clone https://github.com/ktbyers/netmiko&#8221         7) Once the installation is completed, ch

RUST error: linker `link.exe` not found

While compiling Rust program in a windows environment, you may encounter the error : linker `link.exe` not found. This is because of the absence of the C++ build tools in your machine. For compiling Rust programs successfully, one of the prerequisites is the installation of the Build Tools for Visual Studio 2019.   Download the Visual Studio 2019 Build tools from the Microsoft website. After the download, while installing the Build tools, make sure that you install the required components (highlighted in Yellow) This will download around 1.2GB of required files. Once everything is successfully installed, reboot and re-run your rust program and it will compile successfully.   Read More on RUST Hello World Rust Program : Code explained RUST Cargo Package Manager Explained Data Representation in Rust.

What is a Gratuitous ARP? How is it used in Network attacks?

Many of us encountered the word "Gratuitous" while exploring the network topic on ARP, The Address Resolution Protocol. Before explaining Gratuitous ARP, here is a quick review on how ARP works. ARP provides IP communication within a Layer 2 broadcast domain by mapping an IP address to a MAC address.For example, Host B wants to send information to Host A but does not have the MAC address of Host A in its ARP cache. Host B shoots a broadcast message for all hosts within the broadcast domain to obtain the MAC address associated with the IP address of Host A. All hosts within the same broadcast domain receive the ARP request, and Host A responds with its MAC address. We can see the ARP entries on our computers by entering the command arp -a . So, back to the topic on what is a Gratuitous reply, here is a better explanation. Gratuitous arp is when a device will send an ARP packet that is not a response to a request. Ideally a gratuitous ARP request is an ARP request packe

Recovery Procedure: Alcatel-Lucent Omni-Switch not booting AOS: Going to Mini-boot prompt.

Problem: Switch not booting AOS; Going to Mini-boot prompt. Model: Alcatel-Lucent OS6850 [Note:The same procedure might be applicable for different models of Omni-Switches, However, for this illustration, i have used OS-6850 ] Reason: This problem may occurs due to corrupt AOS image files or misconfigured boot parameters. Hence switch cannot boot the images properly and will go to Mini-boot prompt.  Work Around: [Note: This zmodem procedure consumes a lot to time to finish the process.] 1.) Power off your OS6850 2.) When you switched it back on, stop it before the Miniboot (there is some counter counting down from 4). Press Enter to break. 3.) You will have the following prompt " => " 4.) Enter " setenv baudrate 115200 ”. Increasing baudrate helps to increase the data transfer speed using zmodem. 5.) Enter " saveenv " 6.) Enter " boot " 7.) The switch should run now in baud rate 115200 (so you have to change your clients ter