Practical ATT&CK: Introduction

Posted by santillano at 2020-03-29

Preface: This article is the first in a series on ATT&CK in practice. It mainly covers the current threat situation in cyberspace security, intelligence-driven defense, and the core concepts of the ATT&CK model, and is intended to lay a solid theoretical foundation for readers who want to understand the ATT&CK model in depth.


Current threat situation of cyberspace security

Intelligence-driven defense

Core concepts of the MITRE ATT&CK model

Appendix: groups and software in the MITRE ATT&CK model


1. The current threat situation of cyberspace security

1) Background:

On the morning of Tuesday, June 27, 2017, a new piece of ransomware named NotPetya struck Ukraine, Russia, Spain, France, Britain, Denmark, India, the United States (the law firm DLA Piper) and other countries and regions. The ransomware could shut down critical infrastructure and cripple corporate and government networks. According to later reports, 10% of Ukraine's computer systems were infected, causing more than 3 billion US dollars in economic losses!

2) Attack targets:

According to public reports, the specific targets of the NotPetya attack included:

- Pavlo Rozenko, Ukraine's deputy prime minister, said the government's computer network had crashed, and facilities such as the central bank and the power distribution system were damaged.

- A.P. Moller-Maersk, the Dutch shipping giant, said its facilities, including the Los Angeles terminal, had been attacked.

- WPP, the world's largest advertising and communications group, said it was infected with the virus. One of the company's employees revealed that they were asked to turn off their computers, and then the whole building fell silent.

- A Ukrainian media company said its computer systems had been hacked and the hackers demanded a payment of $300 in the cryptocurrency bitcoin to unlock them. The hackers also left a message: "Don't waste time trying to recover files. Only we can provide the decryption service."

- Russia's central bank said its computers were infected. A consumer credit company had to suspend customer service.

- Rosneft said its computer systems had been severely affected.

3) Analysis of the attacker's tactics, techniques and procedures

After analysing NotPetya in the ATT&CK model, we find that although it is ransomware, NotPetya has an obvious destructive intent. For initial access it used phishing e-mail (the malware was delivered by e-mail as an RTF attachment exploiting CVE-2017-0199), a software supply-chain backdoor (using stolen credentials, the attackers manipulated the M.E.Doc update server) and a watering-hole attack (the website of the Ukrainian city of Bakhmut). After successfully infecting a target system, a downloader is dropped to fetch the main malware body, forming the initial spreading node; the worm then spreads through the EternalBlue (CVE-2017-0144) and EternalRomance (CVE-2017-0145) vulnerabilities, WMI, PsExec and weak system passwords. At the same time, it has anti-antivirus capabilities (against Kaspersky and Norton) and anti-forensics capabilities (clearing logs with wevtutil).

The analysis shows that advanced attackers have the following characteristics:

- The attacker's infrastructure is adaptive and can target a variety of different environments

- After an intrusion, attackers blend in with legitimate user behaviour, for example by using legitimate infrastructure components, abusing legitimate user credentials, or repeatedly performing legitimate user actions

- Attackers are able to improve themselves quickly and to exploit new vulnerabilities and newly leaked tools

Cyberspace threat actors are the source of cyberspace attack activity. They differ in purpose and motivation, and their capabilities also differ markedly in level. Based on operational motivation, attack capability, controlled resources and other aspects, cyberspace threat actors are divided into seven levels:

- Amateur hackers

- Cybercriminal gangs or hacker organizations

- Cyber terrorist organizations

- General-capability national actors

- High-capability national/regional actors

- Ultra-high-capability national/regional actors.

Among them, ultra-high-capability national/regional actors, i.e. ultra-high-capability cyberspace threat actors, have a strict organizational system and a huge supporting engineering system, control systematic attack equipment and attack resources, and can carry out the most covert and deadly network attacks.

The "Equation Group" is such an ultra-high-capability cyberspace threat actor, with a complete and strict operational framework and methodology. It has a large-scale supporting engineering system and a standardized equipment portfolio, conducts strictly organized operations, and places great weight on the concealment and anti-traceability of the operational process, so that its attacks appear "traceless": from breakthrough, presence and impact to persistence, it is difficult to detect its trajectory in the network environment or system until it has safely withdrawn.

The Equation Group's attack equipment:

(1) Exploit tools and attack platforms

The relevant exploitation equipment is mainly aimed at network devices, firewalls and other network security devices and at various endpoint systems. Its main function is to break through the perimeter, move laterally, obtain privileges on the target system, and open a channel for the subsequent implantation of persistence and control payloads.

Typical exploitation equipment includes EPICBANANA, EXTRABACON and one unknown item, all targeting firewalls. The advanced FuzzBunch exploitation platform targets Windows systems (and includes multiple 0-day vulnerabilities).

(2) Persistence / implant attack equipment

Super-capable cyberspace threat actors attach great importance to establishing persistence in the target environment and develop a large amount of equipment to achieve it. Persistence equipment is usually used after the target has been breached and mainly targets BIOS/UEFI, firmware, boot sectors, peripherals and similar links. Such deep-seated loading points are hard to find and remove, or they form a window of opportunity through which implants can be placed repeatedly.

FEEDTROUGH is persistence equipment for the firmware layer of Juniper NetScreen and other firewalls; it implants a payload into the system when the firewall starts. This follows the same persistence idea as the organization's hard-disk firmware persistence, and is a lower-level persistence technique that is harder both to detect and to develop.

(3) Control / backdoor malicious code

This kind of attack equipment is the final payload implanted into the target system during an operation and is used for persistent or non-persistent control of the target system. It covers network security devices, network devices and Linux/Windows host systems. Unlike persistence tools, which aim to establish a hidden permanent entry point, the Equation Group's control/backdoor malicious code places more emphasis on in-memory, modular loading with no file touching disk, so as to minimize the chance of being found and extracted.

DanderSpritz is one of the most typical control platforms: a modular attack platform with a strict operational process and rich evasion techniques. DanderSpritz has a remote-control interface with a complex command system and control functions, which clearly sets it apart from traditional RAT programs. Once implanted in a target system, it collects all kinds of security configuration information from the system and prompts the attacker about which configuration or information may lead to its discovery or detection. Its payloads support many connection modes, among which "trigger" mode is an activation-based connection mode: it neither listens on a port nor initiates outbound connections, but waits for the attacker's activation packet by monitoring traffic, which makes deployment of the control side flexible and hard to block.

With the support of these resources, the ultra-high-capability cyberspace threat actor represented by the "Equation Group" combines a huge attack-support engineering system, an equipment system and a large-scale operations team, and successfully carries out highly complex attack activities. If the analysis of such attack organizations stops at a single link such as a 0-day vulnerability or a piece of malicious code, it will neither support a comprehensive analysis of the whole process nor effectively guide defense work. To deal with the attack activities of high-capability cyberspace threat actors, security staff need a systematic, framework-based threat analysis model with which to analyse their behaviour in depth and systematically, understand the threat, and thereby defend more effectively. Current models of this kind include Lockheed Martin's Kill Chain and MITRE's ATT&CK.

2. Intelligence-driven defense

Intelligence-driven defense is a threat-centred risk management strategy. Its core is analysis of the adversary, including understanding the adversary's capabilities, objectives, doctrine and limitations, helping the defender obtain a resilient security posture and effectively guiding the prioritization of security investment (for example, taking measures against the risks identified in a campaign, or focusing on the security implications of a particular adversary or technique).

Intelligence-driven defense must be a continuous and iterative process: through analysis and collaborative discovery of indicators, the indicators are used to detect new attack activity, and richer indicators are obtained during the investigation. Resilience here means detecting, defending against and responding to intrusions from the perspective of the complete kill chain, so that unknown later stages of the chain can be contained through indicators already known from earlier stages. Given the repeatability of the attacker's techniques and tactics, as long as the defender can identify and exploit this repeatability faster than the adversary, the adversary's attack cost inevitably rises.

Indicators and indicators of compromise

(1) Indicators are the basic elements of "intelligence" and are used to objectively describe information about an intrusion. They fall into three categories:

Atomic: indicators that cannot be split further without losing their meaning in the context of the intrusion, such as an IP address, an e-mail address or a vulnerability number.

Computed: indicators derived from data involved in the incident. Common computed indicators include hash values and regular expressions.

Behavioral: a collection of computed and atomic indicators, usually qualified by quantities and possible combination logic. For example, it might be a description like: "the intruder initially uses a backdoor matching [regular expression] to access [IP address] at a certain [frequency], and once access is established it is replaced with another backdoor [MD5 hash value]."

(2) IOCs (indicators of compromise)

1. Generating indicators of compromise is the process of recording the characteristics and evidence of an incident in a structured way. An IOC can contain anything from the host and network perspective, not just malware: a working directory name, an output file name, a logon event, a persistence mechanism, an IP address, a domain name, or even a malware network protocol signature.

2. An IOC does not only look for specific file and system information; it also uses logical statements that describe the malicious activity in detail.

3. In the Mandiant blog post "Combat the APT by Sharing Indicators of Compromise", the author Matt Frazier introduces an XML-based IOC instantiation that can be read and created with free Mandiant tools.
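As an added illustration (not code from the original post), the following Python sketch combines the three indicator types above into one OpenIOC-style logical statement and evaluates it over constructed host and network telemetry; the IP address, hash, URI pattern, host names and field names are all assumptions of this example. It also shows why the frequency part of a behavioral indicator matters: a host that merely touches the same IP address once does not fire, while the atomic indicator alone would flag it.

```python
import re
from collections import defaultdict

# Constructed sample telemetry (not from the original post): one record per
# observation, keyed by the host it was seen on. Field names are assumptions.
EVENTS = [
    {"t": 100, "host": "ws-05", "kind": "http", "dst": "203.0.113.7", "uri": "/cgi/abc123.php"},
    {"t": 130, "host": "ws-05", "kind": "http", "dst": "203.0.113.7", "uri": "/cgi/def456.php"},
    {"t": 160, "host": "ws-05", "kind": "http", "dst": "203.0.113.7", "uri": "/cgi/ghi789.php"},
    {"t": 190, "host": "ws-05", "kind": "file", "md5": "3f786850e387550fdab836ed7e6dc881",
     "path": "C:\\Windows\\Temp\\svc.exe"},
    {"t": 200, "host": "ws-09", "kind": "http", "dst": "203.0.113.7", "uri": "/index.html"},
    {"t": 250, "host": "ws-09", "kind": "file", "md5": "3f786850e387550fdab836ed7e6dc881",
     "path": "C:\\Users\\Public\\x.exe"},
    {"t": 300, "host": "ws-11", "kind": "http", "dst": "198.51.100.2", "uri": "/cgi/zzz999.php"},
]

# Atomic indicator: cannot be split further without losing its meaning (constructed value).
C2_IP = "203.0.113.7"
# Computed indicators: derived from incident data, here a hash and a regex (constructed).
BACKDOOR_MD5 = "3f786850e387550fdab836ed7e6dc881"
BEACON_URI = re.compile(r"^/cgi/[a-z]{3}\d{3}\.php$")


def term(ev, field, op, value):
    """One IOC term: does a single event satisfy `field <op> value`?"""
    if field not in ev:
        return False
    if op == "equals":
        return ev[field] == value
    if op == "matches":
        return value.search(ev[field]) is not None
    raise ValueError(op)


def evaluate(ioc, host_events):
    """Evaluate a nested AND/OR indicator tree, OpenIOC-style, over all events
    of one host. A term is true if any event on that host satisfies it."""
    node = ioc[0]
    if node == "term":
        _, field, op, value = ioc
        return any(term(ev, field, op, value) for ev in host_events)
    results = [evaluate(child, host_events) for child in ioc[1]]
    return all(results) if node == "AND" else any(results)


# Behavioral indicator: atomic and computed indicators tied together by logic.
# In prose: "beacons matching BEACON_URI go to C2_IP, and the backdoor with
# BACKDOOR_MD5 lands on disk".
BEHAVIORAL_IOC = ("AND", [
    ("term", "dst", "equals", C2_IP),
    ("term", "uri", "matches", BEACON_URI),
    ("term", "md5", "equals", BACKDOOR_MD5),
])


def beacon_rate(host_events, min_hits=3, window=120):
    """Frequency component of the behavioral indicator: at least `min_hits`
    beacon requests to C2_IP inside some window of `window` seconds."""
    times = sorted(ev["t"] for ev in host_events
                   if ev.get("dst") == C2_IP and "uri" in ev and BEACON_URI.search(ev["uri"]))
    return any(times[i + min_hits - 1] - times[i] <= window
               for i in range(len(times) - min_hits + 1))


def hunt(events, ioc=BEHAVIORAL_IOC):
    """Return (hosts where the behavioral indicator fires,
               hosts that merely touch the atomic C2 IP indicator)."""
    by_host = defaultdict(list)
    for ev in events:
        by_host[ev["host"]].append(ev)
    behavioral = sorted(h for h, evs in by_host.items()
                        if evaluate(ioc, evs) and beacon_rate(evs))
    atomic_only = sorted(h for h, evs in by_host.items()
                         if any(ev.get("dst") == C2_IP for ev in evs))
    return behavioral, atomic_only


if __name__ == "__main__":
    print(hunt(EVENTS))  # (['ws-05'], ['ws-05', 'ws-09'])
```

The atomic indicator alone flags both ws-05 and ws-09; only ws-05 shows the full behaviour (matching beacons at the required rate plus the dropped backdoor), which is the kind of precision the richer indicator classes buy a defender.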

The Pyramid of Pain

The Pyramid of Pain is made up of IOC types; it is used to classify and organize IOCs and to describe the value of each kind of IOC in attack and defense. TTPs is the abbreviation for tactics, techniques and procedures, and refers to "how" the adversary accomplishes its mission, from reconnaissance through to data exfiltration and every step in between. TTPs sit at the top of the Pyramid of Pain. For attackers, TTPs reflect their behaviour, and adjusting TTPs costs the most time and money. On the defensive side, TTP-based detection and response causes the adversary the most pain, so TTPs are also the most valuable kind of IOC in the pyramid. On the other hand, this kind of IOC is the hardest to identify and apply: most security tools are not suited to using them, which means that collecting TTPs and applying them to network defense has the highest degree of difficulty. The ATT&CK model is a threat analysis technique that can effectively analyse adversary behaviour (i.e. TTPs).

3. Core concepts of the MITRE ATT&CK model

3.1) MITRE

MITRE initially did threat modelling mainly for the Department of Defense, mainly for intelligence analysis. It worked in the field of counter-terrorism intelligence (originating from the US intelligence reform act passed after 9/11) and later extended into cyberspace security. Its biggest characteristic is classification-based modelling. The STIX intelligence architecture is a MITRE construction, and STIX 1.0 carries a strong imprint of counter-terrorism intelligence analysis. At the STIX 2.0 stage it was found that TTP alone cannot adequately describe network attacks and malicious code in cyberspace, so STIX 2.0 introduced two relatively independent representations: CAPEC for attack patterns and MAEC for malicious code. But CAPEC and MAEC were too obscure, so in 2015 MITRE released the ATT&CK model and modelling dictionary to improve the description of attacks.

3.2) The ATT&CK model

ATT&CK (Adversarial Tactics, Techniques, and Common Knowledge) is a model and knowledge base that reflects attack behaviour across each phase of the attack life cycle.

ATT&CK enumerates and classifies the tactics and techniques used by adversaries so that they can subsequently be used to "understand" attacker behaviour, for example identifying the key assets the attacker cares about, tracking the techniques the attacker will use, and continuously observing the attacker with threat intelligence. ATT&CK also catalogues APT groups and describes the TTPs (tactics, techniques and procedures) they use.


- TTPs used by adversaries in real environments

- A common language for describing adversary behaviour

- Free, open and accessible

- Community driven

At present the ATT&CK model is divided into three parts: PRE-ATT&CK, ATT&CK Matrix for Enterprise (covering Linux, macOS and Windows) and ATT&CK Matrix for Mobile (covering iOS and Android). PRE-ATT&CK covers the first two stages of the kill chain model (reconnaissance and weaponization), ATT&CK Matrix for Enterprise covers the last five stages (delivery, exploitation, installation, command and control, actions on objectives), and ATT&CK Matrix for Mobile mainly targets mobile platforms.

PRE-ATT&CK includes the following tactics: Priority Definition, Target Selection, Information Gathering, Weakness Identification, Adversary OPSEC, Establish & Maintain Infrastructure, Persona Development, Build Capabilities, Test Capabilities and Stage Capabilities.

ATT&CK Matrix for Enterprise includes Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Collection, Command and Control, Exfiltration and Impact.

ATT&CK Matrix for Mobile mainly targets mobile platforms.

TTPs (tactics, techniques and procedures) in the ATT&CK model and their relationship.

Definition of TTP (source: NIST):

TTPs are the behaviour of the adversary. Tactics are the highest-level description of this behaviour; techniques give a more detailed description of the behaviour in the context of a tactic; and procedures are a lower-level, more detailed description in the context of a technique.

- Tactics: the adversary's technical objective (e.g., lateral movement)

- Techniques: how the objective is achieved (e.g., PsExec)

- Procedures: the specific implementation of a technique (for example, the procedure of using PsExec to achieve lateral movement)

An example:

If the computer or resource in the network that the attacker wants to reach is not where they initially landed, they need to use the "lateral movement" tactic. A popular technique is to use the Windows built-in administrative shares, C$ and ADMIN$, as writable directories on a remote computer. One procedure implementing this technique is to use the PsExec tool to create a binary, execute commands, copy it to the remote Windows administrative share, and then start a service from the share. Moreover, even if execution of the PsExec tool is blocked, the risk of the Windows administrative share technique cannot be completely eliminated, because attackers will switch to other procedures, such as PowerShell, WMI and other tools.
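To show what this means for a defender, here is an added Python example (not from the original post) that applies detection at the technique level rather than the tool level. Over constructed, simplified Windows event records (the event IDs are the real Security and System log IDs, but the flattened field names and every value are assumptions of this example) it correlates a remote write to ADMIN$ with a service installed from the file just written, which catches a renamed PsExec clone that a rule keyed on the service name PSEXESVC misses, and it adds a second rule for the WMI procedure, since a different procedure for the same tactic needs its own detection.

```python
import os
from collections import defaultdict

# Constructed, flattened Windows event records (an assumption of this example,
# not data from the original post). Real events carry these values inside XML;
# the field names are simplified: Security 4624 (logon, type 3 = network),
# 5145 (share object access), 4688 (process creation with parent) and
# System 7045 (new service installed).
EVENTS = [
    # srv-01: classic PsExec with the default service name
    {"host": "srv-01", "t": 10, "id": 4624, "logon_type": 3, "src_ip": "10.0.0.5", "user": "CORP\\jdoe"},
    {"host": "srv-01", "t": 11, "id": 5145, "share": "\\\\*\\ADMIN$", "access": "WriteData", "rel_path": "PSEXESVC.exe"},
    {"host": "srv-01", "t": 12, "id": 7045, "service": "PSEXESVC", "image": "%SystemRoot%\\PSEXESVC.exe"},
    # srv-02: same technique, but the service and its binary were renamed
    {"host": "srv-02", "t": 20, "id": 4624, "logon_type": 3, "src_ip": "10.0.0.5", "user": "CORP\\jdoe"},
    {"host": "srv-02", "t": 21, "id": 5145, "share": "\\\\*\\ADMIN$", "access": "WriteData", "rel_path": "updsvc.exe"},
    {"host": "srv-02", "t": 23, "id": 7045, "service": "updsvc", "image": "%SystemRoot%\\updsvc.exe"},
    # srv-03: a different procedure for the same tactic, remote execution over WMI
    {"host": "srv-03", "t": 30, "id": 4624, "logon_type": 3, "src_ip": "10.0.0.5", "user": "CORP\\jdoe"},
    {"host": "srv-03", "t": 31, "id": 4688, "parent": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe",
     "image": "C:\\Windows\\System32\\cmd.exe"},
    # srv-04: an administrator copying a package to ADMIN$, no service created
    {"host": "srv-04", "t": 40, "id": 4624, "logon_type": 3, "src_ip": "10.0.0.8", "user": "CORP\\admin"},
    {"host": "srv-04", "t": 41, "id": 5145, "share": "\\\\*\\ADMIN$", "access": "WriteData", "rel_path": "Temp\\patch.msi"},
]


def _by_host(events):
    by_host = defaultdict(list)
    for ev in events:
        by_host[ev["host"]].append(ev)
    return by_host


def _basename(path):
    """Case-insensitive file name of a Windows path, independent of the host OS."""
    return os.path.basename(path.replace("\\", "/")).lower()


def detect_by_tool_name(events):
    """Procedure-level rule: alert only on PsExec's default service name."""
    return sorted({ev["host"] for ev in events
                   if ev["id"] == 7045 and ev["service"].upper() == "PSEXESVC"})


def detect_admin_share_service(events, window=60):
    """Technique-level rule: a remote write to ADMIN$ followed within `window`
    seconds by installation of a service whose binary is the file just written.
    Keyed on the behaviour, so the tool's name does not matter."""
    hits = set()
    for host, evs in _by_host(events).items():
        writes = [ev for ev in evs if ev["id"] == 5145
                  and ev["share"].endswith("ADMIN$") and ev["access"] == "WriteData"]
        installs = [ev for ev in evs if ev["id"] == 7045]
        for w in writes:
            for s in installs:
                if 0 <= s["t"] - w["t"] <= window and _basename(s["image"]) == _basename(w["rel_path"]):
                    hits.add(host)
    return sorted(hits)


def detect_wmi_exec(events, window=60):
    """Technique-level rule for the WMI procedure: a network logon followed by a
    process whose parent is the WMI provider host, WmiPrvSE.exe."""
    hits = set()
    for host, evs in _by_host(events).items():
        logons = [ev["t"] for ev in evs if ev["id"] == 4624 and ev["logon_type"] == 3]
        for ev in evs:
            if (ev["id"] == 4688 and ev["parent"].lower().endswith("wmiprvse.exe")
                    and any(0 <= ev["t"] - t <= window for t in logons)):
                hits.add(host)
    return sorted(hits)


def detect_lateral_movement(events):
    """Tactic-level view: findings per host labelled with the technique that
    fired, so the analyst reasons about Lateral Movement rather than PsExec."""
    findings = defaultdict(list)
    for h in detect_admin_share_service(events):
        findings[h].append("Windows Admin Shares + remote service install")
    for h in detect_wmi_exec(events):
        findings[h].append("Windows Management Instrumentation")
    return dict(findings)


if __name__ == "__main__":
    print("by tool name:", detect_by_tool_name(EVENTS))          # ['srv-01']
    print("by technique:", detect_admin_share_service(EVENTS))  # ['srv-01', 'srv-02']
    print("lateral movement:", detect_lateral_movement(EVENTS))
```

The tool-name rule sees only srv-01; the technique rule also sees the renamed clone on srv-02 while leaving the benign ADMIN$ copy on srv-04 alone, and the WMI rule covers the procedure the attacker switches to when PsExec is blocked. That is the practical payoff of organizing detection around tactics and techniques.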

Threat-informed defense holds that the key to successful network defense is understanding the adversary's tactics, techniques and procedures. We can therefore use the ATT&CK model to detect, defend against and respond to the attacker's TTPs.

The author will discuss in detail through four articles:

4. Appendix: groups and software in the MITRE ATT&CK model

Groups are used to track known APT organizations reported by public and private organizations in their threat intelligence reports.

For example: APT3, APT29, Cobalt Group


Software refers to tools, utilities and malware used by adversaries.

Tools, for example: PsExec, Metasploit, Mimikatz

Utilities: net, netstat, tasklist

Malware: PlugX, CHOPSTICK
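To make the tactic/technique/procedure relationship concrete, and to show how the group and software entries of this appendix hang off the same structure, here is a small model of an ATT&CK-style knowledge base populated with the NotPetya analysis from section 1 and the PsExec example from section 3. It is an added example, not MITRE's data format: technique names follow ATT&CK's technique titles and IDs are omitted, the mapping of NotPetya's behaviours onto those technique names is this editor's reading of the analysis, and the detection set used for the coverage query is constructed.

```python
from collections import defaultdict

# The twelve Enterprise tactics, in the kill-chain order the post lists them.
TACTICS = ["Initial Access", "Execution", "Persistence", "Privilege Escalation",
           "Defense Evasion", "Credential Access", "Discovery", "Lateral Movement",
           "Collection", "Command and Control", "Exfiltration", "Impact"]

# Technique -> tactics it can serve. Only techniques touched by the post's
# NotPetya analysis and PsExec example are modelled (names as in ATT&CK).
TECHNIQUES = {
    "Spearphishing Attachment": ["Initial Access"],
    "Supply Chain Compromise": ["Initial Access"],
    "Drive-by Compromise": ["Initial Access"],
    "Exploitation for Client Execution": ["Execution"],
    "Windows Management Instrumentation": ["Execution"],
    "Exploitation of Remote Services": ["Lateral Movement"],
    "Windows Admin Shares": ["Lateral Movement"],
    "Indicator Removal on Host": ["Defense Evasion"],
    "Data Encrypted for Impact": ["Impact"],
}

# (software or group, technique, procedure). "NotPetya" is modelled as software
# using the behaviours described in section 1; "PsExec" as a tool. The mapping
# is this example's reading of the post, not MITRE's entries.
PROCEDURES = [
    ("NotPetya", "Spearphishing Attachment", "e-mail with an RTF attachment exploiting CVE-2017-0199"),
    ("NotPetya", "Exploitation for Client Execution", "CVE-2017-0199 triggered when the RTF is opened"),
    ("NotPetya", "Supply Chain Compromise", "malicious update from the compromised M.E.Doc update server"),
    ("NotPetya", "Drive-by Compromise", "watering hole on a Ukrainian city website"),
    ("NotPetya", "Exploitation of Remote Services", "EternalBlue (CVE-2017-0144) and EternalRomance (CVE-2017-0145)"),
    ("NotPetya", "Windows Management Instrumentation", "remote execution over WMI"),
    ("NotPetya", "Windows Admin Shares", "copy to the admin share and start as a service via PsExec"),
    ("NotPetya", "Indicator Removal on Host", "clearing event logs with wevtutil"),
    ("NotPetya", "Data Encrypted for Impact", "destructive disk encryption"),
    ("PsExec", "Windows Admin Shares", "copy a service binary to ADMIN$, create and start the service"),
]


def techniques_used(actor):
    """Techniques attributed to a group or piece of software."""
    return sorted({t for a, t, _ in PROCEDURES if a == actor})


def tactics_used(actor):
    """Tactics an actor's techniques serve (one technique may serve several)."""
    return sorted({tac for t in techniques_used(actor) for tac in TECHNIQUES[t]})


def actors_using(technique):
    """Reverse lookup: which groups or software use a technique."""
    return sorted({a for a, t, _ in PROCEDURES if t == technique})


def tactic_coverage(actor, detections):
    """Per tactic the actor uses: (techniques the defender detects, techniques
    the actor uses). `detections` is a set of technique names the defender
    can see; it is constructed here."""
    cov = defaultdict(lambda: [0, 0])
    for t in techniques_used(actor):
        for tac in TECHNIQUES[t]:
            cov[tac][1] += 1
            if t in detections:
                cov[tac][0] += 1
    return {tac: tuple(v) for tac, v in cov.items()}


def detection_gaps(actor, detections):
    """Techniques in the actor's profile without any detection, ordered by the
    kill-chain position of their tactic so the earliest gaps come first."""
    gaps = [t for t in techniques_used(actor) if t not in detections]
    return sorted(gaps, key=lambda t: (TACTICS.index(TECHNIQUES[t][0]), t))


if __name__ == "__main__":
    # Constructed detection set: what this hypothetical defender can already see.
    have = {"Windows Admin Shares", "Exploitation of Remote Services", "Indicator Removal on Host"}
    print(tactics_used("NotPetya"))
    print(tactic_coverage("NotPetya", have))
    print(detection_gaps("NotPetya", have))
```

The coverage and gap queries are the threat-informed-defense step the post calls for: instead of asking "do we block PsExec?", the defender asks which of an adversary's techniques, tactic by tactic, are still invisible and prioritizes accordingly.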


5. Thanks!

The original intention of this writing: to gather the wisdom of security experts across the industry and systematically and comprehensively introduce the following topics:

- ATT&CK

- Threat intelligence

- Threat detection and threat hunting

- Red and blue team adversary simulation

In the process of writing, I feel that it is very difficult to achieve this goal! Therefore, we should record what we have learned and what we think, and then improve it.

This writing draws on the research results of the following security teams and individuals (in no particular order):


Freddy Dezeure

Katie [email protected]

Sergio [email protected]

Xiao Yanjun @ NSFocus


Yu Kai @ Hansi Technology



Wang Liejun @ Qianxin Threat Intelligence Center / 360 Threat Intelligence Center

(Corelight Labs, Reservoir Labs, Red Canary, Endgame, FOX IT, SpecterOps team, Sqrrl, FireEye, Awake Security, Gigamon Applied Threat Research team, SANS Institute, Cisco Talos, Proofpoint, etc.)

Special note: this column is by no means the work of the author alone. Without the selfless sharing of colleagues, this column is impossible to appear!

Special thanks: it's a great honor to ask Mr. Zhou Yi @ Hansi technology, Mr. Yuan Mingkun @ Anheng information, Mr. Yang Dalu @ Tianji friendship League for advice!

Everyone's knowledge, ability and vision are limited. Please criticize and correct the elders, brothers and sisters in the security industry!

Tianyu Attack and Defense Laboratory: focusing on threat perception, threat hunting, advanced threat detection, advanced simulation, advanced detection and advanced resilience
