MITRE ATT&CKcon 2.0: Zeek-based ATT&CK Metrics and Gap Analysis; Allan Thomson, LooklingGlass Cyber Solutions

© 2019 LookingGlass Cyber Solutions, Inc. All Rights Reserved.
Zeek ATT&CK Metrics
Allan Thomson CTO LookingGlass
Oct 29th 2019

2Public Disclosure© 2019 LookingGlass Cyber Solutions, Inc. All Rights Reserved.
Zeek Background What is it Why it matters
Data Preparation
STIX2.1
Intelligence to
ATT&CK
Mapping
Zeek Script
Programming
Data Processing
Intelligence &
ATT&CK
normalization
Zeek/Behavior
correlation
3 Things

Zeek BackgroundBasic Architecture

Zeek Background
Network Analysis Framework
Focused on Network Security Monitoring
Open Source Community
20 Years Research (www.zeek.org)

5© 2019 LookingGlass Cyber Solutions, Inc. All Rights Reserved. Public Disclosure
Zeek Ecosystem
Botnet
Scanning
Web - HTTP
Exfiltration
Email
File Sharing - SMB
Routing - RIP
Domain - DNS
Syslog
Protocol
Vulnerabilities
SSH
X509
Certificates
SSL/TLS
Certificate
Validation
Geo-location
Sandbox
Integration
Intelligence
Integration
RPC NTLM
Fast Flux
Statistics
DHCP
Connections
Blacklists
ICMP
APT
IRC
NTP
Wordpress
BittorrentSpam
IPv6
IPv4
ShellshockBitcoin
Payload
VirusTotal
Integration
MAC
Bruteforce

• Zeek monitor receives copy of all traffic
• Zeek employs an event-based programming
model
• Zeek scripts run to perform analysis on the
network traffic
• Identify stateful analysis on specific network
patterns or network behavior
• Can also identify user application behaviors
(i.e. nefarious activity)
Zeek Based Detection

• Supports Actor-Framework
(https://actor-framework.org/)
• Distributed Messaging & Processing
- Event Processing
- Cross-Event Correlation
- Behavioral Identification
- Intelligence Correlation
- ATT&CK Analysis
 Multi-node
 Multi-processing
Zeek Processing and Distribution

Applying Zeek For ATT&CK/Intelligence Correlation
SOC/NOC
Passive Zeek Monitor
Perimeter
Cloud Network
Internal Network LAN
Zeek Agent
Active Zeek Detection & Mitigation
SDN Zeek Controller
Agents (Endpoints/Servers)

Data PreparationIntelligence & Zeek Updates for AT T&CK

• How we modelled Threat Intelligence
• How we related Intelligence to ATT&CK
• How we correlated intel with activities (net, sys, user)
• How we applied action based on Intelligence/ATT&CK
• STIX2
• STIX2
• Zeek
• Zeek
Threat Intelligence & ATT&CK

• 90 different intelligence feeds
• ~1800 Unique intelligence attack-patterns, intrusion sets, actors
- Data-driven Mapping to ATT&CK
- Include ATT&CK Mapping when producing STIX2.1 Intelligence
Data Preparation: Intel to ATT&CK Mapping

• Tactics mapped using kill-chain property on Intel Feed
- Attack-Pattern SDO
- Intrusion Set SDO
- Actor SDO

• Intel Feed Attack-Patterns related to ATT&CK Attack-Patterns using SROs
Points to ATT&CK UUID

Data ProcessingCor relation, Aler ting

• Find IP ranges and CIDRs that are associated with the
NAICS Industry of ‘Carpet and Rug Mills’;
- discover all active IPs contained within these ranges,
- and
 find FQDNs associated with them where those FQDNs
have active threats
 that include
o Attack-Pattern Exploitation of Remotes Services
and
o Attack-Pattern Pass the Hash
An Intelligence Question
?

• Many different sources assert essentially the same data
- i.e. FeedA asserts that IP 10.0.0.1 has Malware A, and FeedB asserts the same
• Much of the metadata is the same across temporal series
- Repeated fact assertions and threat associations
- i.e. FeedB asserts that Actor BB, associated with Intrusion Set AA, using Attack-Pattern ZZZ Drive-by
Compromise malware YY on Infrastructure CC at time X, and again, at time Y
• Different attributes with different data representation that communicate the same
semantic information
- i.e. country_s of “United States” and “United States of America” and country_code_s of “US”, and “USA”
• Multiple different object/entity types, billions of instances that requires large-scale
join across data-sets where those data-sets are being updated in real-time
The problem answering that question?

• Entity
- Contains information about an Entity that will never change
- Metadata such as name, and IP ranges in Entities allows Facts to only contain reference
Solution: Unified Data Modelling
• Fact
• Asserts attributes on Entity
and relationships to other
Entities
• If Facts contained temporal
and source/provider
attributes, it would be
multiple Fact Record for
each
• Assertion
• Asserts one or more Facts by Source Entity and Provider Entity
• Contains all temporal attributes – Observed At, and Asserted At

Impact on Data
Bytes: ~150GB/day  ~25-30GB/day.
Records: ~150mm/day  ~19mm/day.

Zeek Intelligence Basic Lookup Pipeline
Raw Events
Zeek Intelligence
Framework Lookup
Intelligence &
ATT&CK Correlation
Intelligence Found
Event

Zeek ATT&CK Report Event Dissection
1568762713.447733 1568762713.344683 - node1 HTTP::IN_HOST_HEADER comixalex.freeiz.com Intel::DOMAIN STIX::INDICATOR
DTD All: comixalex.freeiz.com 1456283538.000000 1568776825.000000 LookingGlass Cyber Solutions :adware,:apt,:bot,:click-
fraud,:exploit-kit,:financial,:malvertising,:malware,:mobile-device,:phishing,:port-scanner,:pos-atm,:ransomware,:remote-access-
trojan,:rogue-antivirus,:rootkit,:trojan,:worm [domain-name:value = 'comixalex.freeiz.com'] C70GjJ2nFHfFRmARhg 52:54:00:06:76:f2
192.168.123.100 51072 153.92.0.100 80
Where in the network was it seen? What aspect of traffic was it detectedWhat LGC Attack Pattern ID What intel feed produced the intel?
What labels are associated?What STIXv2 Pattern was matched?What src net entity? What dst net entity?

Zeek ATT&CK Report Event Analysis
1568762713.447733 1568762713.344683 - node1 HTTP::IN_HOST_HEADER comixalex.freeiz.com Intel::DOMAIN STIX::INDICATOR
DTD All: comixalex.freeiz.com 1456283538.000000 1568776825.000000 LookingGlass Cyber Solutions :adware,:apt,:bot,:click-
fraud,:exploit-kit,:financial,:malvertising,:malware,:mobile-device,:phishing,:port-scanner,:pos-atm,:ransomware,:remote-access-
trojan,:rogue-antivirus,:rootkit,:trojan,:worm [domain-name:value = 'comixalex.freeiz.com'] C70GjJ2nFHfFRmARhg 52:54:00:06:76:f2
192.168.123.100 51072 153.92.0.100 80
Where in the network was it seen? What aspect of traffic was it detectedWhat LGC Attack Pattern ID What intel feed produced the intel?
What labels are associated?What STIXv2 Pattern was matched?What src net entity? What dst net entity?
Allows gap analysis on
coverage of networks
Allows analysis of application coverage
Allows analysis of feeds coverage/value
Allows lookup back to
ATT&CK Tactics
& Kill-Chain Phase
Allows classification analysisAllows cross correlation
with other data
Allows cross correlation
with other data
Allows pattern effectiveness
analysis

• Zeek provides effective and flexible framework for collection and correlation
• Data preparation & modelling can have big impact on analysis effectiveness
• Data correlation at scale requires end-to-end approach
Summary
Questions?

Thank You
L o o k i n g G l a s s C y b e r. c o m
/LookingGlassCyber/company/LookingGlass@LG_Cyber@LookingGlassCyber

MITRE ATT&CKcon 2.0: Zeek-based ATT&CK Metrics and Gap Analysis; Allan Thomson, LooklingGlass Cyber Solutions

More Related Content

What's hot (20)

Similar to MITRE ATT&CKcon 2.0: Zeek-based ATT&CK Metrics and Gap Analysis; Allan Thomson, LooklingGlass Cyber Solutions (20)

More from MITRE - ATT&CKcon (20)

Recently uploaded (20)

MITRE ATT&CKcon 2.0: Zeek-based ATT&CK Metrics and Gap Analysis; Allan Thomson, LooklingGlass Cyber Solutions