Hunting for Cyber Threats Using Threat Modeling & Frameworks

Editor's Notes

• #3: This was a twitter debate that happened last week, and i think it is a great pivot point here to get a poll from the audience. There are controls, which we will discuss in a minute, which state that basic controls are going to prevent up to 96% of attacks. Meanwhile, who’s to say that the attacks on paper would have been prevented, but a dedicated attacker would have then just changed their tactics. I will be going over some “basic cyber hygiene” today, so keep this thought in the back of your mind as a frame of reference for this session.
• #4: This is a great image from Gartner which describes the overall workflow of what security professionals are going to need to do in order to harden or secure their systems. It’s not just a one time job of installing a perimeter firewall and next-gen AV. That’s something you going have gotten away with at the first RMISC, not the one here in 2018. From a prediction standpoint, there is one word in that quadrant that stands out more than any other. Baseline. When you are talking about detecting attacks and threat hunting, having a baseline about what is normal is critical. Imagine getting handed a hard drive with a note that says, tell me what’s wrong with this computer. Where do you start? The same goes when scaling up to an environment with 10k machines. Even a baseline of a golden image will speed up threat hunting and incident response in later sections. However, ideally this section is about anticipating what an attacker is going to do and feed that information into your prevention strategy. For prevention, hardening is key here. Reducing the attack surface is what you’re after. I don’t think I’m preaching anything novel here when I say that securing a server and disabling unnecessary services is going to improve security. However, prediction is going to feed prevention, even more so in mature and complex environments. It is also going to identify how to detect, since you’re now limiting what the attack surface needs to be monitored. Knowing the attack surface can help limit what needs to be monitored, which will improve the detection rates. Even better, this carousel keeps on going and what gets detected is then fed into how you respond to an event. From a response perspective, eliminating the threat on the detected machines is the first step, usually. There’s always going to be cases where you’ll need to actually skip steps here and make changes to the environment to monitor a threat actor, or change mitigation strategies before completely eliminating the threat. However, going from a high level perspective, you’ll eventually remediate the threat and feed that retrospective analysis into the prediction machine on the top left here and start the process all over to make sure that type of attack doesn’t happen again. I start with this image because it’s the most high level and abstract of what I’ll be discussing today. It’s also a great way to visualize what security organizations need to accomplish. It’s not a one time expense, there is no silver bullet. It’s a continual process which feeds into itself until the end of time.
• #5: In a similar manner to the gartner adaptive security architecture, Robert Lee from SANS has released a great reference model he calls the Sliding Scale of Cyber Security. This roughly defines where an organization fits at a high level in terms of their security maturity. The previous slide talks about what we’re doing, this slide talks about where we are. The return on investment on the lower end (Architecture) will be much higher than the upper end (Offense). Similarly, the pyramid builds upon each other, you will get a higher ROI on passive defense when you have a solid foundation of architecture to build upon. You will have a higher ROI on active defense when you build that on top of a solid foundation of Passive Defense (which relies on a solid Archtecture). If your organization hasn’t build or maintained architecture or passive defense, you will find diminishing returns on Active Defense and should not attempt to get into Intelligence of Offense until those foundations are built. If you aren’t familiar with the sliding scale of cyber security, read the white paper on SANS website. It’s only about 10 pages and is quite entertaining, so it’s a quick read for those of you who’s brain just shut off when I said white paper.
• #6: The goal of the architecture phase is to establish a base for which other security components can be built upon later. It’s not just the planning and establishing that are important, it must also incorporate the general upkeep, including installing latest patches and reviewing the network to make sure there are no systems creeping into areas they should not be. If a network is left wide open and riddled with known vulnerabilities, it will make the defender’s job much harder than it would have been if proper segmentation, hardening, and patching was done on a routine basis. As I mentioned before, we want to increase that cost of pwnership. All too often we read about security breaches where proper network segmentation, hardened systems, or even just installing patches within 6, 12, even 18 months could have prevented the attack. Architecture is what everything is built upon later. Without a proper foundation, any additional security controls will fail.
• #7: Passive defense is adding security components to the systems. In the last section we would have hardened Windows by enabling security built-in security features and reducing the attack surgace by disabling unnecessary services. In this section, these systems should add protection, eliminate security gaps left over from the architecture phase, reduce the probably of a threat, give insight into the the threat’s behavior. (List off examples) When combined with a proper architecture, these two components will hopefully slow down an attacker to the point that they give up or can be detected by the logs being collected. Time is the one resource you can deplete from an attacker. I hate to relate to an actual kinetic conflict, but when you’re compare up against a kinetic attack, you can eventually deplete the resources of the adversary. They only have so many bullets and bombs they can throw at you. Eventually the barrage will end. A digital attack never runs out of bullets and bombs, they can continually fire those at you. Time is the only thing you can take away from the attacker. Hardening systems and installing passive defense tools in a defense in depth layered solution will increase the amount of resources required for them to achieve their objective. However, make sure that defense in depth is layered in a manner in which the same techniques cannot be used to bypass each layer. This would completely eliminate any ROI from investing in multiple security technologies. If you have a million dollars worth of network intrusion detection and prevention tools, next-gen firewalls, and deep packet-analysis protecting a kiosk running windows XP with all of the USB ports enabled, you’re going to have a bad time.
• #8: If a system is turned on, it has the possibility of being breached, regardless of how well the architecture and passive defense was implemented. A determined and well funded adversary will have the ability to bypass most security protections. However a determined and well funded defender can counter any of these adversaries. First step, gather your logs. This is mission critical! If it isn’t step one, it should be step 1.5. These logs will enable your organization to actually detect events happening on the network. When one is found, the organization will neutralize the threats by eliminating it from the environment, determining the infection vector, and close the gap where the attacker was able to get in. There are a lot of different maturity models in this phase. At the beginning, you may detect a piece of malware on an endpoint and wipe the machine or delete the piece of malware with the endpoint security tool. More mature organizations will also hunt out for the existence of that piece of malware elsewhere on their network. At the pinnacle of mature, you may want to actually leave the piece of malware in place and monitor what it is trying to do. Is it a RAT, is it stealing sensitive information from a database, is it communicating with other machines on the network, or communicating with hosts on the Internet? Answering these questions in a meaningful amount of time can help detect the scope of the breach and prevent you from playing a game of whack-a-mole while the attacker is getting in elsewhere in the network. An active defense means you may want to direct the attacker to a specific area of the network. Prevent them from utilizing part of their exploit kit and force them out of their comfort zone. An attacker is used to using the same set of TTPs, they are engrained in their psyche. If they are coming in via Tor and you block Tor, they may use another less anonymous VPN service. If you block their user account control bypass, they may try and use other exploits further shedding light on their activities. Active defense can be a very powerful tool in the defender’s arsenal. However, this is where many organizations will stop.
• #9: Most organizations will not reach this phase. This requires a well funded and mature organization. This is not about consuming threat intelligence into security tools, this is more about generating the intelligence to share internally or externally. The goal of this phase is to collect information about an adversary, their TTPs, or their tools. Then analyze that information into a piece of intelligence that can be shared internally or externally. As I stated in the active defense stage, it takes a high level of maturity to actually force an attacker to change their tactics and force them to move elsewhere n the environment. If you are able to do that, then this stage should be attainable. If you’re at this level, threat intel is going to be your friend. Find an ISAC to your geographic region or market vertical. But be sure to share your findings as well as consuming the findings of everyone else.
• #10: The offense is what we would call, hacking back. Raise you’re hand if you have reached this level in your organization. OK, put your hand down because there may be law enforecement here. Unless you are a government entity, you will not be (legally) reaching this phase. This phase is where actions are taken against the adversary outside of friendly networks. Active defense would be eliminating a piece of malware from your environment and blocking the C2 server at perimeter firewalls. Offense would be attacking the C2 server to take it offline. Because attribution is incredibly hard, it is unwise for organizations to attempt to reach this phase. It will take considerable resources to understand where an attacker is coming from and if they actually own the hardware from which the attack is coming. Imagine an attacker breached a public entity (bank, public utility, etc.), then launched their campaign from that infected network. Would it be wise to take action against another victim?
• #11: I promised I would tie all of these together instead of just preaching what you can find online. Hang with me, because I’m going to be hunting for Pepe Silvia while connecting all these frameworks together.
• #12: First I took the Garter Adaptive Security Architecture and used that as my basis for mapping things together. This will be the basis for the X axis. I like this because everything we do in the security world comes down to preventing an attack, detecting an attack, or responding to an attack. I just combined the respond/remediate since these are more similar when looking at how they map to everything else out there. Then I stole the ROI portion from the sliding scale of cyber security to map things on the Y axis. From here, I am attempting to map their ROI from highest on top to lowest on bottom. (Describe why the items are where they are)
• #13: While the ASA and Sliding Scale are great abstract concept to think about, most of us at the tactical level need guidance on how to implement them. The best place to start when trying to secure an enterprise for the first time are the CIS Critical Security Controls (formerly known as the SANS Top 20). These do a great job of prioritizing what an organization should do to get a first level of coverage in securing their assets. What’s nice is that they break them down into basic (1-6), foundational(7-16), and organizational (17-20) controls, so they can be leveraged by organizations both large and small. However, while they do provide more guidance than say the SANS Sliding Scale Architecture phase, it still leaves implementation details up to the local organization. The downside, is that this looks like it can be a lot to take on for an infosec department which is already understaffed and over worked. While there are twenty of these controls listed, there are dozens of sub items for each control. Then these controls are fairly high level, leaving the interpretation of how to implement them, or what tools to use up to you.
• #14: Pareto Principle 80% of effects come from 20% of the causes Taking a small portion of all security actions you can take yields a large percentage of benefit. The first twenty-ish percent of CIS controls can block 80-ish percent of attacks. This is why CIS easily provides the first five CSC’s on their website. The effort to protection ratio is tremendous for these five, while the additional fifteen controls only produce another 12% of protection. Remember that twitter quote from before. If I told you that you’re headed into a war zone to fix the wifi, just pretend with me, we’ve all had someone call us with wifi problems right? So you’re preparing to go in, and they tell you that “ignore that there basic bullet proof vest, there’s a guy out there who knows kung fu and the vest won’t help at all”. But what about the other 500 folks with guns? Don’t ignore cyber hyegene Full disclaimer, these are based off of the previous version of the contols. I take no responsibility for what has changed in the latest version 7 which was released a few months back.
• #15: Now, we can add in the CIS controls here to the matrix. Instead of splitting them by individual control (which would be more accurate), I instead split them up by their high level grouping (basic, foundational, and organizational). Here we can see that the basic controls are most closely aligned with the architecture phase, where doing the basis is necessary to enable the later controls. The foundational controls are a bit more advanced and would be evenly split between passive and active defense. However, when averaged out they fall somewhere in the middle. Finally, I put the organizational controls near the bottom as it takes a mature security organization to effectively implement these along the same lines of effective organizations needing to implement intelligence.
• #16: Chances are, your organization has to follow some type of compliance framework to do business in your industry. These are much more prescriptive when it comes to what needs to be done at a tactical level. The problem is that they are much more reactive to today’s threats. That being said, they are still valuable in providing the foundations of a good security architecture. If you recall, when we were talking about applying a solid Architecture, implementing compliance frameworks was on the list for establishing that initial baseline.
• #17: This is a poster which is available from CIS based on the previous set of controls. Some things have changed, but overall it still fits to the latest release from last month. Here’s how the widely adopted 20 top critical security controls map to various popular compliance frameworks, such as NIST SP800-53, PCI, HIPAA, and NERC CIP. Overlaying how these then map to Gartner’s Adaptive Security Architecture, you can see which one is a focus
• #18: Simply put, compliance is primarily focused on prevention. There are some controls to enable logging, however the vast majority of controls in the frameworks work on locking down the assets. Compliance is very reactionary, as such it will focus on preventing known attacks, not preventing or detecting unknown ones.
• #19: While the CSC’s are great at defining high level objectives on where to focus security operation goals, hardening guides are where you will want to start when hardening critical assets. For most private organizations, the CIS hardening guides are what you will want to reference. Meanwhile government entities will use the DISA STIGS. For all of the critical assets in you environment from the endpoints, servers, supporting networking equipment, critical applications, and even cloud providers. All of our Tripwire content is based off of these guides and then migrated down to less prescriptive standards such as PCI or NIST.
• #20: Most compliance frameworks will draw inspiration from hardening benchmarks. Thus, if you implement the hardening benchmarks first you are already going to have the coverage you need for the compliance framework your organization needs to address. I slid everything down a bit and put the hardening right above compliance and architecture. In reality, hardening should be part of the architecture phase. It’s much easier to bake security into the organization from the beginning than it will be to try and cherry pick the controls in a DISA STIG to make sure they don’t have a negative impact on mission critical systems.
• #21: Lockheed Martin’s cyber threat kill chain is a great way to describe the overall process an attacker is going to go through over the course of their campaign. The other day I was describing this attack kill chain to my wife (our typical Sunday evening conversations). What I compared it to was the pain chart you see at the doctor’s office. It actually matches up really closely with the cyber kill chain. When an adversary is doing recon against you, it’s not that painful. There’s really know way you can limit that attack vector. As you move across the attack chain, it gets more and more painful. The unbearable pain is beyond the 10, it’s when you get a call from this guy. The fact to iterate here is that you want to stop an attack sooner rather than later, the same way you would prefer a doctor to discover and fix a problem when you’re smiling rather than crying. Hardening guides and compliance frameworks can do a lot to mitigate the first half of the kill chain, but lack in the later parts of the cycle. That’s why I love the MITRE ATT&CK framework.
• #22: They really nailed the acronym on this one. 11 Tactics Adversaries Commonly Use Hundreds of Sorted Techniques Used For Each Phase of the Kill Chain Methodologies to Mitigate and Detect Techniques References to published articles of real-world usage
• #23: When looking at how the ATT&CK framework maps in, it’s later in the life cycle when an attacker already has a foothold in the environment. While this may seem scary to some, as defenders we know that attackers are going to bypass our defenses. There are companies which spend millions on security and are still getting successfully attacked. It’s important to be able to know how adversaries will try and work inside our walls so we can eradicate them as soon as possible. While the cyber kill chain above can be somewhat of a linear path, the ATTACK tactics are in no specific order. An adversary may start with discovery and move on to execution while another may start with defense evasion then move on to command and control. When adopting ATT&CK, it is a great model to understand your defenses in order to plug the holes where you are exposed. Let me explain…
• #24: What you see here is a listing of the tactics and techniques from MITRE ATT&CK. These are available on their website at attack.mitre.org. The framework has the tactics an adversary will use across the top row. Each tactic then has a set of techniques in the columns underneath. Each one of these techniques defines a set of procedures that an attacker is going to use. If you look closely enough, techniques can be used across various tactics. The first three columns are a great example about how multiple techniques are listed in multiple tactics. Combined, these tactics, techniques, and procedures are the TTPs which were on the top of that pyramid of pain from a few slides ago. We can dig into one of these techniques to get an example of the type of information we can gather. One important thing to note, is that these tactive don’t map to the cyber kill chain in a chronological order. An attacker may begin gain a foothold with execution, then move to command and control, then laterally move across the environment, then maintain persistence, then exfiltrate data. So don’t think of this matrix as starting on the top left and working it’s way to the bottom right.
• #26: One might say that you are going to need to implement and pass a compliance audit before you can begin to look at ATT&CK, and I don’t disagree. However we are only looking at pure ROI for the security operations team on what they should be looking at. From a preventative measure, hardening is going to be the most important aspect in terms of architecture and benchmarks. Like compliance, ATT&CK will pull a lot of the mitigating factors from CIS style tests. However, from a detection standpoint, ATT&CK is near the top. Doing controls 1-6 are going to enable ATT&CK to detect a lot of these things, but there’s no better authoritative source than ATT&CK when trying to hunt for real threats in your environment.
• #27: If you’re familiar with ATT&CK and keep updated, this is based on the January release, the latest April release now has another column for initial access, but it’s already hard enough to fit everything on the screen here. What works well for many organizations is to start with a blank matrix such as this. There’s one of two ways to tackle this. The first is to inventory your security tools and have them identify what their coverage of the matrix is. The problem with this strategy is that a vendor may list their theoretical capabilities which may not match how you’ve deployed their tools. That being said, it’s a good idea to have your vendors fill out this matrix so you can at least get a picture of what your potential coverage may be. The option I see most often is people focusing on a single column at a time. For example focus on Privilege Escalation and work your way through the set of techniques. This is not an easy task to take on. There are a lot of techniques, some which may be more important than others. Techniques can have a vast set of guidelines for both detection and mitigation. This is where I recommend trying to follow the CIS hardening guidelines for the mitigating aspects. The guidelines provide detailed step by step instructions on how to secure an asset, rather than the high level guidance from ATT&CK of “do x to mitigate this technique”. Think of the validating the mitigation portion of this the same way you would a vulnerability scan. It will tell you where an attacker may get in, but you may still be blind if they either attempt and/or actually exploit that specific technique. The more difficult aspect will be the detection portion of the control. Ideally you can test the defenses by having a red team go through and exploit while you validate the detection. There’s a couple of great tools to help with that which I will discuss later.
• #28: Using ATT&CK, you can get an understanding of your enterprise network defense. By starting to model an attackers methodologies against your environment. For both a mitigating and a detecting capabilities matrix, you can define what your current coverage is, identify the most important gaps in the coverage, and then work towards filling those gaps. This is a repetitive process, not a one time project. As an example here, we can see in a sample organization that they may have gone through and assessed their coverage to identify the gaps and began to work from the left side of the matrix and move across it to address detection coverage. Working from the Gartner EDR model from the beginning of the presentation, we can adopt that same workflow of continuously feeding the predict, prevent, detect, and respond aspect of our security operations.
• #29: Historically (the past year), people would be forced to do this in excel. MITRE has released an open source tool called Navigator which allows you to interact with the cells much easier. Even better, you can export your results in JSON format and share them with your friends.
• #30: Maybe you have already completed a comprehensive endeavor of implementing CIS control 2. I have compiled a list, using the ATT&CK Navigator tool, of mapping every CIS Critical Security Control to the associated ATT&CK techniques.
• #31: ATT&CK themselves has APT emulation plans based off of real world attacks. Right now all they have is one for APT3, better known as Gothic Panda. These break down what the attack did in step by step basis mapped directly to the ATT&CK techniques. The spreadsheet they provide has a great reference of built-in command line functions as well as what Cobalt Strike and Metaploit modules can be used to achieve the goal for that technique. NexTron System has an APT Simulator which will perform a lot of the techniques found in ATT&CK. This is a spray and pray and doesn’t provide a lot of granularity as to what is tested and detected. However, great at testing your defenses and detection technology if you don’t have a dedicated red team. Red Canary released an excellent open source tool called Atomic Red Team, which has a ton of scripts and instructions on how to test a variety of the ATT&CK techniques. As I mentioned a few slides previously, when you work towards figuring out your coverage, you’ll want to assess, identify gaps, and close the gaps. This is a continuous process. This tool fits nicely in the execute test function of all of that. You can “exploit” the systems one function at a time in order to determine coverage for both detection and mitigation.
• #32: Unknown – HVAC vendor sent phishing email with Citadel malware Nov 15 – Nov 28, 2013 – Vendor credentials used to infiltrate network Nov 27 – Dec 15, 2013 – Memory scraping malware installed to POS machines Jan 22, 2014 – 475 employees laid off Feb 18, 2014 – Reported costs of cleanup at $200 million May 5, 2014 – Target CEO resigns Third Party Credentials Stolen Phishing email to vendor, used Citadel to steal Target Vendor Portal credentials Attackers used credentials to gain foothold and take over Microsoft SCCM Published bogus patch containing malware to POS machines Memory scraping malware stored credit card data to DLL files on POS machines DLL file data exfiltrated via FTP to external servers
• #34: If you’re doing this manually, it’s going to take time to get to that 80% mark. Most will get a system configured and realize it broke something, so have to roll back some changes. Even if that doesn’t happen, new benchmarks are constantly updated, allowing for gaps in coverage to expose themselves over time. Now, let’s see who’s guilty of what I call “Keep The Auditor Happy Scanning”. You configure the environment to pass all the inspections an auditor checks for. Then security begins to quickly lapse until the auditor is scheduled to show up again the next quarter/year. You re-assess the environment and reconfigure it back to their standards. Even with automated tools, it’s a laborious undertaking. The best way to do this is an automated tool which scans the environment, checks for failures against the benchmark, and can quickly remediate. There’s no need for manual intervention or mega scans. Point in time checks ensure security is constantly met and auditors are always happy.
• #35: Getting back to this quite again, I think it is important that basic hygene controls should be put into place. Even if you are able to block 96% of basic script kiddie attacks, what you are doing is raising the bar, or increasing the cost of pwnership for the attacker. Additionally, you are freeing up analyst time so they can focus on the 4% instead of the 100%. The job of the analyst is to reduce the noise to focus on the needle in the haystack. Follow the best practices of hardening and critical controls to allow your team to then focus on the real hard work of increasing the maturity of your SOC and threat hunting like a bad ass.