threat modeling model att & ck

Posted by deaguero at 2020-02-27

Threat modeling model att & CK

Monday, March 11, 2019


AI / ml is a hot spot in this RSA. In fact, the current AI can be simply divided into perceptual intelligence (mainly focusing on the ability to explore pictures, videos and voice) and cognitive intelligence (involving knowledge reasoning, causal analysis, etc.). Most of the current algorithms are perceptual algorithms. How to teach AI systems to carry out cognitive intelligence is a difficult problem, and a knowledge needs to be established Database, for example, in the process of apt tracking, we hope to infer its intention through cognitive intelligence, and automatically track sample varieties. The more effective method is to use threat modeling knowledge base, among which mitre is a very typical company. At first, it mainly does threat modeling in the Department of defense, mainly in the field of intelligence analysis and counter-terrorism intelligence (originated from the US intelligence promotion act after September 11) , and then extended to the field of Cyberspace Security, its biggest feature is classified modeling. The Stix intelligence architecture is the mitre construction, and the sitx1.0 version has a strong shadow of anti-terrorism intelligence analysis. At the stage of stix2.0, it is found that it is difficult to describe network attack and malicious code in cyberspace only with TTP. Therefore, in stix2.0, two relatively independent expressions of attack and malicious code are introduced. Capec is used for attack and MEAC is used for malicious code. However, capec and MEAC are too obscure. In 2015, it released att & CK model and modeling dictionary to improve attack description. The new model is more explicit and easier to express. It combines capec and MEAC, which is easy to express and share, convenient for security automation, and easy to introduce new AI technologies such as knowledge map. The TTP examples of 79 apt attack organizations (188 aliases) are described on its official website. Green Alliance Technology also carried out similar research and constructed a larger knowledge map for automatic tracking of apt organizations.

At the RSA conference in 2019, Freddy dezeure, CEO of Freddy dezeure, and rich struse, Chief Strategic Officer of cyber Threat Intelligence of mitre, introduced in att & CK in practice a primer to improve your Cyber Defense how to use att & CK model to build and improve your defense system; Jared, senior threat researcher from carbon black Myers introduced how to use att & CK model to capture threats in "how to evolve threat hunting by using the mitre att & CK framework".

Increasingly skilled and agile competitors

Freddy starts with the blackmail software Petya, which has a huge impact. Petya is a blackmail software that is no less powerful than "wanna cry". It has been used in many countries since June. As a blackmail software, it has a very obvious intention of destruction. However, at first, it only affects and spreads through some accounting software, and then uses the leaked NSA weapon Library (Eternal Blue Hole) to spread worms. According to Freddy's reasoning, future attackers will be more flexible and changeable:

1. The attacker's infrastructure will be more adaptive and can target more different environments

2. After an attacker's invasion, it will be mixed with legitimate user behaviors, such as using legitimate infrastructure components, abusing legitimate user credentials or repeatedly executing legitimate user behaviors

3. Attackers will also quickly improve their ability to exploit new vulnerabilities and new leaked tools

In response to this situation, Freddy believes that a threat model can be established to analyze the problem. Starting from the risk-based model, the threat will use the vulnerability to invade, which will cause blackmail, data theft and other adverse effects. The level of the research problem is further improved, and the threat of the model rises to its executor, the attacker, who will use the vulnerability to perform some operations to invade the system. The key goal after the invasion is to conduct malicious operations on valuable assets.

According to this threat model, there are three steps to defense:

1. Identify your key assets, who are the attackers and why you are interested in them

2. Use threat intelligence to maximize the observation of the attacker's infrastructure, such as IOC (indicators of complexity), COA (course of action)

3. Observe the attacker's TTP (technical, tactical, and process) and apply it to the detection, defense, and response processes

Freddy focuses on the third step, which is the most critical step in the whole practice. We need to introduce the mitre att & CK model to detect, defend and respond to the attacker's TTP.

ATT&CK model

Att & CK (advanced statistics, techniques, and common knowledge) is a model and knowledge base reflecting the attack behavior in each attack life cycle. Derived from a project for enumeration and classification for Microsoft Windows Gamma The tactics, technology and process (TTP) of the system to improve the detection of malicious activities. At present, ATT & CK model is divided into three parts: pre-att & CK, ATT & CK for enterprise and att & CK for mobile. Pre-att & CK covers the first two stages of attack chain model, and att & CK for enterprise covers the last five stages of attack chain.

Pre-att & CK includes the following tactics: priority definition, target selection, information collection, vulnerability detection, aggressive use of development platform, establishment and maintenance of infrastructure, personnel development, establishment capability, testing capability and segmentation capability.

Att & CK for enterprise includes access initialization, execution, residency, right withdrawal, defense evasion, access credentials, discovery, horizontal movement, collection, data acquisition, command and control.

One of the technologies will be used to implement multiple tactics, and the process is the specific implementation of the technology in the actual attack. For example, the technology of "planned mission" (T1053) will be used in the three tactics of execution, residency and empowerment. For example, apt3 uses schtasks / create / TN "MYSC" / TR C: userspublic est.exe / SC onlogon / Ru "system" command to create a scheduled task. A specific technology will also contain other information, such as the platform (windows, Linux, Mac OS), permissions required for execution, detection means and mitigation means.

After enumeration and classification of these technologies, mitre att & CK can be used for subsequent "understanding" of the attacker's behavior, such as identifying the critical assets of the attacker's concern, tracking the technologies that the attacker will use and continuously observing the attacker with threat intelligence. Mitre att & CK also collated the apt organization and described the TTP (technology, tactics and process) they used.

Freddy thinks that compared with other models, the key value of ATT & CK is that it provides a general classification, can implement and cover specific technologies according to the needs, does not need to implement the entire technology matrix listed in the model, and gives priority to the actual prevention, detection and response. In addition, ATT & CK uses general language to describe TTP, and also provides basic knowledge that can be used for TTP observation, and will continue to update the model, independent of a manufacturer, which is widely adopted by the open source community.


Improve defense ability

How to apply att & CK to the actual defense system, Freddy thinks that we need to understand the controllable part of the defense first. Attackers usually use vulnerabilities to invade the system. If they operate on critical assets, some actions involve critical control. Then adjust and verify the behavior of key control to capture the malicious behavior of the attacker.

To verify the behavior of key controls, you need to check your detection ability first:

1. Identify attack behavior from collected logs

2. Design analysis system, start from the attacker's relevant knowledge, or refer to the open source community

3. Deploy analyzers for detection, capture, and capability improvement

Then we analyze the technologies covered by the known attack organizations, and study which technologies will have a serious impact on the key assets.

Then check whether the detection ability can cover the key technologies, such as whether the technical range that can be covered by using agent, terminal anti-virus software and system monitor logs can meet their own needs.

Finally, establish the analysis procedures for yourself:

1. Study the "technology" you are concerned about and read the relevant documents. Refer to the existing analysis or the source code of the open source community to distinguish the possible legal behaviors from malicious behaviors.

2. Use the concerned technology to simulate the attack drill and check the corresponding log record

3. Write your own query statements to search the log for events, test and iterate continuously, and use related technologies to launch multiple simulation attacks to reduce false positives

In terms of log event search, Freddy introduces the open source project sigma. At present, IOC and Yara rules play an important role in detecting malicious network connections and malicious files. However, there is a lack of a general detection method that can describe specific events from log events. People need to read a lot of data before building their own search methods and rules to collect log data for analysis. Without a standardized format, people cannot share their work with others.

Sigma is a general and open signature format, which allows the description of related log events in a direct way. Its rule format is flexible, easy to write and applicable to any type of log file. The main purpose of the project is to provide a structured form in which researchers or analysts can describe the detection methods they have developed and share them with others. Using Sigma for rule writing and searching can also avoid over dependence on specific vendors. At present, log rules for apt, application, Linux, windows, network, agent, web and other related aspects have been provided in sigma project.

In the aspect of simulated attack drill, Freddy introduces four attack testing tools based on att & CK model:

1. Mitre caldera: an automatic attack simulation system, which can perform malicious actions in Windows enterprise network.

2. Endgame RTA: a python script framework for windows, which is used by the blue team to test their ability to detect malicious technologies based on att & CK model. Endgame RTA can generate more than 50 different att & CK tactics, including a binary application that can perform the required activities.

3. Red Canary atomic red team: a small, highly portable, open source test collection that maps to the corresponding technologies in the mitre ATT and CK frameworks. These tests can be used to validate detection and response techniques and processes.

4. Uber metta: a tool for basic adversary simulation, which parses the multi-step attacker's behavior into yaml file, and uses celery to queue and automate the operation.

The actions performed by mitre caldera are generated by the planning system in combination with the pre configured att & CK model. The advantage of this is that it can simulate the attacker's operation more flexibly, rather than following the specified work sequence. Automatically simulate the attacker to conduct attack drill, safely reproduce the attack behavior, do not damage the assets, and can repeat the execution to test and verify the defense ability and detection ability.

Through continuous attack drill test, we can improve the detection ability of the analysis program, expand the technical coverage, and narrow the gap with the attacker.

Threat capture

Att & CK model can also be applied to threat capture. Jared Myers, a senior threat researcher from carbon black company, introduced how to use the battle att & CK framework to capture threats.

Jared said that many enterprises realize that whether their assets will be broken is no longer a problem, and more attention should be paid to when. Therefore, many enterprises need tools not only to detect and respond to threats, but also to search and capture threats to quickly identify potential hazards.

On the basis of defense, threat capture puts forward higher requirements for the whole analysis system:

1. Be able to use tools to detect high-quality alarms for previously covered technologies

2. Analytical thinking focuses on areas that are not easy to detect

3. Expand the scope of the analysis, for example, the general sample method may be used for different purposes, or other tactics or techniques may be used to achieve specific purposes

In the actual practice of threat capture, it also needs continuous testing and iteration to improve the detection ability of unknown threats

Jared takes t1191 cmstp as an example, and can get the technical details of cmstp from mitre wiki before starting the research.

Jared shared the research idea of threat capture for cmstp technology, suggesting that attackers may use less known technology for information transmission, so we can check whether there are key malicious behavior indicators first, such as

1. Whether to establish a network connection

2. Whether to create subprocesses in temporary directory for command interaction, etc

3. Is the subprocess created from the dllhost cmstp COM object

Then, research from the ideas of "what" and "how to do", such as:

1. Binary signature or not

2. Is the binary applicable to all versions of windows

3. Can the binary execute remote commands

4. Whether the binary automatically raises the right when the process is running

It can also be analyzed from the execution frequency of the binary

You can also analyze the frequency of cmstp calls from the parent process

You can also use the atomic red team attack drill tool to conduct unit tests internally

From the perspective of modeling level, the modeling of ATT & CK mainly focuses on behavior level, while the alarm of traditional protective equipment belongs to indicator level. Indicator layer can detect known malicious data, driven by human characteristics, with less false alarms and small granularity, so the number of corresponding alarms is huge. The analysis of behavior layer detects suspicious events, which are driven by behaviors, with relatively more false positives, large granularity, so the number of events is small and the life cycle is longer. Att & CK model in the behavior layer, on the one hand, it can make full use of TTP of threat intelligence to share knowledge, on the other hand, it can portray the attacker in a more macro level, and it can be freed from the specific technical means and indicator rules.

In terms of threat modeling, Lvmeng technology also focuses on abstract modeling at the behavioral level. For a large number of alarms generated by protective equipment, green alliance technology uses the understanding engine to understand the massive alarms as the corresponding attack behavior, corresponding to the threat subject of the risk model using the target vulnerability to attack. Using inference engine to infer the harm caused by attack, corresponding to the impact of the vulnerability of the risk model, and combining with the attack chain model to study and judge the attack.

In view of the complexity of the actual network environment, it is not enough to analyze the problem only by modeling the attack behavior. Therefore, based on the knowledge map, Lvmeng technology has designed multiple ontologies to model and analyze the whole network threat, and is compatible with the access and use of the models such as capec, MAEC and att & CK organized by mitre. It can extract key information from multi-party Threat Intelligence and expand the knowledge map as knowledge.

In terms of capability improvement, Lvmeng technology also uses the methods of restoring real attack scenarios and simulating actual attack and defense drills to test its products, and organizes internal red blue confrontation for many times to test its own defense capability.

Freddy and rich in att & CK in practice a primer to improve your cyber Defense focuses on the practical application of ATT & CK model. It starts from threat modeling to analyze problems. It first clarifies the attackers to be resisted and the key assets to be protected, then introduces the specific steps of using att & CK model to establish its own analysis defense system, and then the methods to improve its own defense capability. It also introduces many useful tools and resources. Jared's share of how to evolve thread tracing by using the mitre att & CK framework focuses on using att & CK model to capture threats, introduces how to mine unknown threats after establishing a defense system, and shares many specific research ideas. Through research and comparison, Lvmeng technology is basically on the same level as att & CK in terms of modeling idea, and the idea of capability improvement is also the same. The functions realized are different due to different support businesses, but its research idea still has high reference value.



Mitre Caldera:

Endgame Red Team Automation:

Redcanary Atomic Red Team:

Uber Metta: