ATT&CK Essay Series, Part 1: Right-Brain Attack and Left-Brain Defense

Posted by deaguero at 2020-03-05

2019 has not been a peaceful year. Beyond the global trade war, the security industry has also been in turmoil. At the end of last month a company (call it A), one of the leaders in Gartner's Magic Quadrant for web application firewalls (WAF), admitted it had been hacked [1]. The company has always claimed that protecting its customers' applications and data is its core competence and mission, so the intrusion looks embarrassing. Yet in May this year mainstream foreign media reported [2] that three of the world's top security companies had all been attacked by the hacker group Fxmsp and had source code leaked. Looking further back along the timeline: Google shut down the Google+ service in 2018 because of a data leak [3], Microsoft admitted in 2017 that Windows 10 source code had leaked [4], and Kaspersky proactively disclosed in 2015 that its internal network had been compromised by Israeli hackers [5]. At this point you can stop laughing at company A. The problem is far more serious than you think, and no one can stand aside.

Given these intrusions, if a vendor claims that its product technology lets customers feel safe and secure against hacker attacks, the claim can be dismissed as a joke. Even if the vendor goes further, clarifies, and promises to keep improving its employees' security awareness and processes, that is only one more step along the baseline path and far from enough. The companies behind these events represent the upper limit of the industry's security capability. The many more companies facing hacker attacks fall into four quadrants: they have been hacked and do not know it, they have been hacked and know it, they are about to be hacked, or they are not worth hacking. Foreign peers generally say "assume breach" [6] [7]. Zhou Hongyi, CEO of 360 Group, said at the ISC conference last month that "there is no unbreakable network" and even that "the enemy is already inside". Many people are surprised by this idea, but it is a fact, and we need to face the problem more honestly and reflect on it deeply.

The Black Iron Age: Man Against Man

As I remember it, I started paying close attention to advanced threat confrontation when Google disclosed Operation Aurora [8] in 2010. It left an impression because on that day we confirmed that the SAL (Script Analyzer Lineup) we had developed could detect the attack code exploiting the zero-day vulnerability (CVE-2010-0249) with no modification or upgrade at all. The team cheered and savoured the moment. We did not expect that this was only the starting point, and that the whole industry was entering a far larger contest between attack and defense.

Calling it "magnificent" does not mean that the just side overwhelmed its opponents. On the contrary, this was the "Black Iron Age". The attackers kept getting better. At the time most security companies had long focused on viruses; they had little means of resisting intrusions that began with a vulnerability, and knew little about attack methods based on scripts and documents. At the same time, the Chinese security community started to use the phrase "without knowing the attack, how can you know the defense".

"Without knowing the attack, how can you know the defense" is an irrefutable truth, and fortunately a large number of security talks and articles in recent years still repeat it, so it has taken root. From that point of view, let us imagine: what would happen if we did know the attack? Let us start with FireEye, the famous American security company.

FireEye was founded in 2004 with early investment from the CIA, and its original security genes came from the veteran vendor McAfee. In 2013 it entered the advanced persistent threat (APT) attack-and-defense market by acquiring Mandiant and went public on NASDAQ. FireEye's zero-day research team and the Mandiant security services team hold a group of excellent white-hat hackers. In 2013 and 2014 the vast majority of global APT attacks based on zero-day vulnerabilities were discovered through the cooperation of these two teams, which also drove the market's rapid acceptance of FireEye's full range of sandbox-based products. At the time I led the advanced-threat core technology team at the company I worked for, which happened to be responsible for research and development of the products benchmarked against FireEye. Through several head-to-head contests in the field I found that FireEye's product fell far short of what its marketing claimed; even many of the zero-day exploits and APT attacks FireEye itself had discovered went undetected after a small change. In other words, detection of advanced threats depended mainly on people, and the limits of people guarantee that even the most careful plan has a gap, so the security capability could not be replicated. FireEye was a top-tier company in advanced threat attack and defense in that era, and no other security vendor had achieved a qualitative breakthrough in detecting hacker attacks. This experience convinced me that even when we know how to attack, a huge gap remains between that knowledge and defense, and that breakthrough change and innovation were urgently needed.

In fact, looking back over the security industry for all these years, we have not escaped this pattern. There are many reasons:

1) Cybercrime is hugely profitable, and state-level attackers spare no expense. If you are interested, read the moving story of the GandCrab ransomware team [9], and learn how the NSA develops nuclear-grade attack code [10].

2) White-hat hackers earn great reputation and rewards for their research and attacks, like outstanding artists. By contrast, operating security products on the customer side (Party A) and developing them on the vendor side (Party B) require comprehensive, systematic, long-term investment, and for the organization this is a cost center rather than a profit center, often squeezed by tight security budgets and business-driven organizational processes.

3) The funding problem is not insurmountable; after all, the leading customers have both the economic strength and the motivation to address security risk. The problem is that, as the old text puts it, "Yao heeded the Four Mountains and had Gun tame the floods; after nine years the waters had not subsided and the work came to nothing." For a long time the leaders of the industry's top customers could not accept the fact that even a huge security investment may be breached, and remained immersed in promises of foolproof protection that keeps the enemy outside the gates. They kept writing the same "blocking" and "eliminating" stories centred on vulnerabilities and viruses. Virus defense is the "ground": simple, but forever chasing virus variants, which bloats the signature database. Vulnerability defense is the "sky": zero-days are everywhere, and the defender faces an attack from a higher dimension.

Bronze Age: Products That Focus on Hacker Behavior

The good news is that after years of repeated hopes and disappointments, the international security industry has in recent years gradually reached a consensus on "assume breach" and has at the same time shifted its efforts toward detection based on hacker behavior. The technical term is TTP (Tactics, Techniques, Procedures).

TTP comes from military terminology [11] and has gradually been applied to network security scenarios:

1) Tactics are the attacker's technical objectives.

2) Techniques are the methods used to achieve a tactic.

3) Procedures are the specific implementations of a technique.

In the fight against hacker attacks, the shift of focus from indicators of compromise (IOC) to TTP was carried out and completed through the discussion around the Pyramid of Pain.

In 2013 David J. Bianco, a security expert at FireEye, first proposed the Pyramid of Pain [12]. There are already many introductions to the Pyramid of Pain in China, so this article does not explain it in detail. Based on the pyramid, the core viewpoints are:

1) The bottom layers of the Pyramid of Pain are the IOCs commonly used in the industry. They are the tools or by-products of a hacker's attack; the tools may have been generated for this attack alone, and the by-products may appear only in this attack.

2) Truly effective detection is based on the set of techniques the hacker uses in an attack, including how they interact with the target system. Some of these techniques are worked out by the hackers themselves and some are automated by tools. By analogy, traffic police catching violations with cameras do not rely mainly on the license plate or the vehicle model.

3) Attack techniques are hard to change, just as violating behavior is relatively fixed. IOC-based defense is a necessary basic capability, but the lower the layer, the lower the efficiency.

4) Because a defensive security device based on IOCs or similar signatures must block, it often becomes a tool hackers use to verify their probing and bypassing. At the same time, hacker attacks tend to start with zero-day exploits and social engineering and are carried out with legitimate accounts, general-purpose tools and even system tools. This means that blocking security products alone are not enough against hacker attacks; out-of-band security products that sniff, monitor, correlate, analyse and trace are needed to complement them.
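To make the pyramid's argument concrete, here is an added example in Python (not code from the original post, and not any vendor's product): an IOC rule keyed on a file hash beside a TTP rule keyed on the behaviour the essay describes, a document application launching a script interpreter, run over constructed endpoint events. The hash values, the image-name lists and the event records are all constructed for illustration; the tactic and technique names are ATT&CK's.

```python
"""IOC-style versus behaviour-style (TTP) detection over endpoint events.

Added example for this essay; not code from the original post or from any
vendor's product. Hashes, image-name lists and events are all constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcessEvent:
    parent: str   # image name of the parent process
    image: str    # image name of the newly created process
    cmdline: str  # command line of the new process
    sha256: str   # hash of the new process image (constructed placeholder)


# Bottom of the pyramid: an artefact of one past attack, here a file hash.
# Constructed placeholder, not a real sample hash.
KNOWN_BAD_HASHES = {"deadbeef" * 8}

# Higher up the pyramid: a behaviour. An Office document spawning a script
# interpreter is the "script and document" attack pattern the essay mentions.
# The image lists are an assumed illustrative rule, not a vendor signature.
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe"}


def match_ioc(ev):
    """IOC rule: fires only on the exact artefact seen before."""
    return [("IOC", "known-bad hash")] if ev.sha256 in KNOWN_BAD_HASHES else []


def match_ttp(ev):
    """TTP rule: fires on the behaviour, whatever the file looks like."""
    if ev.parent.lower() in OFFICE_APPS and ev.image.lower() in SCRIPT_HOSTS:
        return [("Execution", "Command and Scripting Interpreter")]
    return []


def detect(events):
    """Tag each event with whatever the IOC and TTP rule families produced."""
    return [{"ioc": match_ioc(e), "ttp": match_ttp(e)} for e in events]


# Constructed telemetry: the original sample, a recompiled variant with the
# same behaviour but a new hash, and a benign user launching PowerShell.
SAMPLE_EVENTS = [
    ProcessEvent("WINWORD.EXE", "powershell.exe", "powershell.exe", "deadbeef" * 8),
    ProcessEvent("WINWORD.EXE", "powershell.exe", "powershell.exe", "cafebabe" * 8),
    ProcessEvent("explorer.exe", "powershell.exe", "powershell.exe", "0123abcd" * 8),
]

if __name__ == "__main__":
    for ev, tags in zip(SAMPLE_EVENTS, detect(SAMPLE_EVENTS)):
        print(f"{ev.parent} -> {ev.image}: IOC={tags['ioc']} TTP={tags['ttp']}")
```

The second event is the essay's "small change": the hash no longer matches, so the IOC rule is silent, while the behaviour rule still tags it and maps it to a tactic and technique.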

Once this consensus was reached, each security vendor began its own effort to focus on hacker behavior (TTP) to improve detection. For example CrowdStrike, which went public this year, proposed IOA [13] in 2014, and the company I worked for at the time proposed EIOC as an extension of IOC. Each took a batch of home-grown empirical rules for detecting malicious behavior, described them in the form of IOA (or another form, such as EIOC), and tried to implement them in its own security products. Hindsight gives us a god's-eye view: recalling the fierce internal debates of those years, the relative merits of IOA versus EIOC, how to form rules and how to verify them, the conclusions are now self-evident. These attempts ran into major bottlenecks in practice over the following years, and either struggled or stagnated.

The root of the bottleneck is that all these efforts lacked an important foundation: a language and vocabulary for describing hacker behavior (TTP). This is determined by the peculiarities of advanced threat attacks:

1) Advanced threat attacks have been publicly disclosed since 2013. In that year only a few security companies, including FireEye, Trend Micro and Kaspersky, could see them. With public attention and investment from the leading international security companies, more companies began publishing reports. However, because the incidents are highly sensitive, the threat information could not be exchanged, and many security companies faced the hacker groups like the blind men with the elephant.

2) Even within a security company, because there was no good description language and vocabulary, even the best security staff could not describe a hacker's technique completely and intuitively when they found an APT event and then hand it to core technology and product R&D for systematic implementation. As a result the final product was still based on IOC detection, and even the IOA descriptions designed for behavior detection ended up degenerating into yet another kind of threat signature.

3) Hacker behavior and normal user behavior are hard to delineate and overlap heavily. Security products lacked the ability to record neutral behaviors, which made hackers hard to discover. This is the direct reason the security companies representing the industry's upper limit all lost.

Silver Age: A Unified Language and Marching into Battle

The good news is that in 2013, in the Fort Meade Experiment (FMX) research project led by MITRE, the ATT&CK (Adversarial Tactics, Techniques & Common Knowledge) model was first proposed, and it quickly became the standard that solved the above bottleneck. MITRE is a non-profit organization that provides systems engineering, research and development, and information technology support to governments and industry. MITRE officially released ATT&CK in 2015, bringing together adversary tactics and techniques drawn from real-world history and contributed by the global security community, forming a common language for describing hacker behavior and an abstract knowledge-base framework for hacker attacks.

As can be seen from the figure above, after about five years of development ATT&CK began to receive explosive attention in 2018. All the leading international security vendors rapidly increased support for ATT&CK in their products, and continue to contribute the hacking techniques and attacks they observe to the ATT&CK knowledge base. In the past two years a large number of vendors and researchers have exchanged ATT&CK-based experience at front-line security conferences such as RSA, SANS, Black Hat and DEF CON, and shared their tools and practices on GitHub.

At this point a basic framework and language for information exchange has finally been established for hacker attack and defense. Much as the Qin Dynasty's unification of script, currency and measures brought breakthrough growth in productivity and fighting power, ATT&CK builds a bridge from "knowing how to attack" to "knowing how to defend", giving the defense the chance to absorb attack knowledge systematically and turn it into targeted counter-measures.

In the security industry, the path described in this article runs from white-hat hackers who know the attack in order to know the defense, to products that know the attack and focus on detecting hacker behavior, and finally to a consensus built on the ATT&CK knowledge base for jointly improving product knowledge and defensive capability. The long-lagging defense has finally seen the dawn of meeting the attack on equal terms.

Marching into the Golden Age: The Right Brain Knows Attack, the Left Brain Knows Defense

Back to the title of the article. Attack is an art that needs imagination; defense is a systematic engineering effort that relies on reason and logic. If we liken a security vendor's (Party B's) core capability, or a customer's (Party A's) security operations center, to a security brain, then a "right brain that knows attack and a left brain that knows defense" is the strongest brain for dealing with hacker attacks.

A typical scenario: based on newly discovered hacker attacks, white-hat researchers distil new tactics, techniques and procedures, which amounts to contributing labels; security products, driven by the latest TTPs, collect telemetry, identify attack techniques and map them to tactics, which amounts to labelling large volumes of daily data in the customer environment. This process supplies high-quality labelled data to the security brain, so that machine learning can really help improve detection and make it possible to systematically discover and respond to APT attacks.

This is the first part of this ATT&CK essay series. Next I will introduce my understanding of and thinking about the MITRE ATT&CK knowledge base, the evolution and recent progress of security product capability evaluation, and best practices based on MITRE ATT&CK. Stay tuned!

About the Author

Yu Kai

Vice President, Hansi Technology

Yu Kai is vice president of Hansi Technology, with nearly 20 years of experience in security technology, products and marketing, and holds three US patents. He is committed to bringing world-class attack and defense practice and technological innovation to Hansi to upgrade its core technology to an international level. He previously led the advanced threat attack-and-defense core technology team at Trend Micro, the world's largest independent security software vendor, responsible for R&D of several core technology products including zero-day vulnerability research, attack detection sandboxes, and vulnerability detection and filter engines. He won the company's Most Valuable Employee (2012) and Leader (2015) trophies, and in 2015 the Team of the Year trophy co-signed by the CEO and CIO.


[1] Cybersecurity Firm Imperva Discloses Breach

[2] Anti-virus vendors named in Fxmsp’s alleged source code breach respond

[3] Google+ shutting down after data leak affecting 500,000 users

[4] Microsoft confirms some Windows 10 source code has leaked

[5] The Mystery of Duqu 2.0: a sophisticated cyberespionage actor returns

[6] Defensible Security Architecture


[8] More Details on "Operation Aurora"

[9] GandCrab Ransomware Shutting Down After Claiming to Earn $2 Billion

[10] PLANS TO INFECT 'MILLIONS' OF COMPUTERS WITH MALWARE

[11] What's in a name? TTPs in Info Sec

[12] The Pyramid of Pain

[13] IOC Security: Indicators of Attack vs. Indicators of Compromise