MITRE ATT&CKcon 2018: From Automation to Analytics: Simulating the Adversary to Create Better Detections, David Herrald and Ryan Kovar, Splunk
8 likes3,026 views
The presentation discusses adversary simulation for enhancing detection capabilities using tools like Splunk and Phantom. It emphasizes the importance of simulating realistic threats, developing new detection analytics, and leveraging existing frameworks such as the MITRE ATT&CK. Key takeaways include the availability of tools for adversary simulation and the potential for improved security through collaborative purple team efforts.
MITRE ATT&CKcon 2018: From Automation to Analytics: Simulating the Adversary to Create Better Detections, David Herrald and Ryan Kovar, Splunk
- 1. From Automation to Analytics Simulating the Adversary to Create Better Detections MITRE ATT&CKcon 23-24OCT18 Dave Herrald and Ryan Kovar @Splunk Dave Ryan
- 2. Disclaimer During the course of this presentation, we may make forward looking statements regarding future events or the expected performance of the company. I often lie. Maybe this is a lie. Wik Alsø wik Alsø alsø wik Wi nøt trei a høliday in Sweden this yër? See the løveli lakes The wøndërful telephøne system And mäni interesting furry animals The characters and incidents portrayed and the names used in this Presentation are fictitious and any similarity to the names, characters, or history of any person is entirely accidental and unintentional. Signed RICHARD M. NIXON Including the majestik møøse A Møøse once bit my Marcus... No realli! He was Karving his initials on the møøse with the sharpened end of an interspace tøøthbrush given him by Svenge – his brother-in-law – a Canadian dentist and star of many Norwegian møvies: "The Høt Hands of an Canadian Dentist", "Fillings of Passion", "The Huge Mølars of Horst Nordfink"... In addition, any information about our roadmap outlines our general product direction and is subject to change at any time without notice. Splunk undertakës no øbligation either to develøp the features or functionality described or to include any such feature or functionality in a future release.
- 3. - 25+ years IT and security - Information security officer, security architect, pen tester, consultant, SE, system/network engineer - Former SANS Mentor - Co-creator of Splunk Boss of the SOC Staff Security Strategist @daveherrald # whoami > Dave Herrald CISSP, GIAC G*, GSE #79
- 4. • 19 years of cyber security experience • Worked in US/UK Public Sector and DOD most recently in nation state hunting roles • Enjoys clicking too fast, long walks in the woods, and data visualization • Current role on Security Practice team focuses on incident/breach response, threat intelligence, and research • Currently interested in automating methods to triage data collection for IR analyst review. • Also investigating why printers are so insubordinate ಠ_ಠ • Co-creator of Splunk Boss of the SOC 4 Principal Security Strategist Minster of the OODAloopers @meansec # whoami > Ryan Kovar CISSP, MSc(Dist)
- 5. We use Splunk (and Phantom) But you don’t have to!
- 6. Agenda •Faking it till you make it (APT Style) •A brief review of some new simulation tooling •Simulating a realistic adversary with automation •Developing New Detection Analytics •Free stuff
- 9. If you’ve never been a red teamer… … Sit Down
- 10. If you’ve never automated your red teaming… … Sit Down
- 11. If you’ve never been a fake nationstate APT group… … Sit Down
- 13. I should build a fake APT… but I should keep it real.
- 14. Place Holder PowerSploit Capabilities 14
- 15. Place Holder PowerSploit Capabilities 15
- 16. 16
- 17. 17 Not just a ”Flag” but personas and infrastructure
- 19. • Nation state sponsored adversary • Located (+8.0 time zone) • Uses Korean encoded language • Uses Hancom Thinkfree Office • European VPS servers • Western innovative Brewers and Home Brewing companies • PowerShell Empire • Spear phishing • Seeking to obtain high end Western Beers for production in their breweries • Documents with .hwp suffix • PS exec lateral movement • YMLP • Self signed SSL/TLS certificates • +8.0 hour time zone • Korean fonts for English • Korean text google translated to English • Naenara user agent string A special thanks to TAEDONGGANG STOUT
- 24. The Tools
- 25. Tool makers Kyle Champlain Product Manager Splunk @Dishwishy Tim Frazier Senior Sales Engineer Splunk Phantom @timfrazier1
- 26. Builders… Kyle Champlain Product Manager Splunk @Dishwishy Tim Frazier Senior Sales Engineer Splunk Phantom @timfrazier1
- 27. Builders… Kyle Champlain Product Manager Splunk @Dishwishy Tim Frazier Senior Sales Engineer Splunk Phantom @timfrazier1 Slides and Video https://conf.splunk.com/conf-online.html?search=1244#/
- 28. TL;DR Splunk Simulation Runner Phantom Adversary Simulation Playbook Executes Atomic Red Team detection tests Windows OSX Linux Splunk UF Splunk UF Splunk UF ATT&CK Navigator Splunk Security Analytics Atomic Red Team App Implements ATR in Phantom ES CONTENT UPDATE
- 29. TL;DR Splunk Simulation Runner Phantom Adversary Simulation Playbook Executes Atomic Red Team detection tests Windows OSX Linux Splunk UF Splunk UF Splunk UF ATT&CK Navigator Splunk Security Analytics Atomic Red Team App Implements ATR in Phantom ES CONTENT UPDATE
- 30. Use this Tooling to Develop New Detections Splunk Simulation Runner Phantom Adversary Simulation Playbook Executes Atomic Red Team detection tests Windows OSX Linux Splunk UF Splunk UF Splunk UF ATT&CK Navigator Atomic Red Team App Implements ATR in Phantom Analytic Development
- 31. Thank You to Atomic Red Team https://www.redcanary.com/atomic-red-team Casey Smith @subTee
- 32. ATT&CK Navigator in Splunk
- 33. Kick off a simulation Kick off simulation.
- 34. Start and End Events
- 35. Signs of Test Execution
- 36. Finally Write the Analytic
- 45. • Nation-state sponsored adversary • Located (+8.0 timezone) • Compromised AWS EC2 instances • Compromised Chinese hosts • Western innovative Brewers and Home Brewing companies • Vulnerability scanning • Amplification DoS attacks • Crypto-coin mining • Fondness for causing chaos and disruption. • Generates revenue via coin mining on compromised hosts • Aliases: • 6HOUL@G3R • CRYP70KOL5CH • Known public Coinhive site key: • swUaVm1xhugv49RmyEMucajPO8VPAUlS A special thanks to TAEDONGGANG LAGER
- 47. Takeaways •Adversary simulation is helpful for security analytic development •Tooling is increasingly available •Purple Team can be realized •We still haven’t solved cyber •Cloud :’(
- 48. Free Tools Splunk Simulation Runner Phantom Adversary Simulation Playbook Executes Atomic Red Team detection tests Windows OSX Linux Splunk UF Splunk UF Splunk UF ATT&CK Navigator Splunk Security Analytics Atomic Red Team App Implements ATR in Phantom ES CONTENT UPDATE ▶ MITRE ATT&CK Navigator in a Splunk Dashboard https://github.com/daveherrald/SA-attck_nav ▶ Simulation Runner App for Splunk https://github.com/daveherrald/SA-advsim ▶ Adversary Simulation Playbook for Phantom https://github.com/daveherrald/AdvSim ▶ Atomic Red Team App for Phantom https://github.com/daveherrald/ART_Phantom https://conf.splunk.com/conf-online.html?search=1244#/