
Security automation with the MITRE matrix variety

11.09.2023

Security Vision


Every year, the methods of gaining unauthorised access to corporate and personal data become more sophisticated. Effective perimeter defences have pushed attackers towards more complex, multi-stage attacks, and as a result the relevance of behavioural analysis in information security has grown dramatically over the last ten years. This does not mean that signature-based detection should be written off: it remains an excellent defence against mass, indiscriminate attacks (for example, a malicious email sent to as many addresses as possible), but in today's environment it is only the first barrier an attacker meets. If criminals are motivated, persistent and resourceful enough, they will find a way into your infrastructure; even then, they can still be prevented from reaching valuable information or destroying it.


Pyramid of Pain


Let's take a look at a diagram familiar to every security analyst: the Pyramid of Pain (David Bianco's model of the attacker's pain). The idea is that the higher up the pyramid the indicator a defender detects and denies, the harder and more expensive it is for the attacker to continue the attack.


For example, the slightest modification to the malware code is enough to change its hash. Changing an IP address is not difficult either, and with a VPN it happens automatically. A domain name is a little harder to change, but registrars rarely verify who registers a domain, and there are plenty of ways to obtain one for free. Network and host artefacts are more of a problem: if the victim has identified the attack's triggers and blocked a suspicious process, command line or URL (most often automatically, based on the policy settings of the security software), the criminal cannot continue until the tools have been reconfigured. Once the victim has identified which tool the attacker is using, the tool's behaviour itself has to change for the attack to resume; for example, a tool run with default settings, whose behavioural indicators are well known, will have to be reconfigured. The most painful situation for the attacker, however, is when the defender has recognised the tactics, techniques and procedures (TTPs) of the attack.



In this case the attacker has to fundamentally change the approach. This is why behavioural analysis is the most effective means of protection, and effective analysis requires a global knowledge base built on real observations and reflecting attacker behaviour patterns at each stage of the attack life cycle. Such a base duly appeared.


MITRE ATT&CK


In 2013, MITRE started its ATT&CK (Adversarial Tactics, Techniques, and Common Knowledge) project: a structured reference of the tactics, techniques and procedures (TTPs) used by attackers. By analysing suspicious activity in different parts of the infrastructure and correlating it with entries in the MITRE ATT&CK matrix, it becomes possible not only to infer with high probability which techniques the criminals are using, but also to react to the threat as quickly as possible. In the MITRE ATT&CK matrix, techniques are grouped into tactics, and the tactics are arranged in the order in which an attack develops.



The idea of arranging an attack as a single connected chain of stages was first proposed by the American company Lockheed Martin in 2011, under the name Cyber Kill Chain. No Russian translation of the term has become established, so in the domestic security community the chain is usually referred to either in English or by the short transliteration "killchain". The Lockheed Martin chain has only seven links: reconnaissance, weaponisation, delivery, exploitation, installation, command and control, and actions on objectives.



MITRE took the idea further and doubled the number of links: the ATT&CK Enterprise matrix is a sequence of 14 tactics, each grouping from roughly seven to over forty techniques (not counting sub-techniques). A single technique can appear under more than one tactic. This approach has become the de facto "gold standard", and many vendors of TIP and SOAR (IRP) class systems integrate the MITRE ATT&CK matrix into their solutions, with good reason.


Even if an attacker uses tools that are not detected by classical protection systems (antivirus, firewalls, sandboxes), there is a good chance of detecting them through behavioural indicators in network and host telemetry. Because behavioural indicators map conveniently onto MITRE ATT&CK techniques, the detected techniques can be assembled into a kill chain.


MITRE CAR


MITRE CAR (Cyber Analytics Repository) is an analytics knowledge base built by MITRE on top of ATT&CK that describes rules for detecting behavioural indicators. CAR covers popular attack techniques observed through threat intelligence. Its behavioural indicators can be used for incident enrichment and retrospective search, and the same approach supports proactive threat hunting when no incident has yet been reported. Each CAR analytic is also supplied with implementations for specific tools (for example Splunk queries, EQL or Sigma pseudocode).


MITRE Shield


MITRE has another matrix widely known in the security world that aggregates active defence tactics and techniques: Shield. This knowledge base is about active defence, primarily deception (decoy users, processes and credentials) as well as behavioural analysis. MITRE Shield describes a number of common defensive tactics, and each tactic is mapped to the actions that can be used to carry it out. Shield also provides a mapping between ATT&CK techniques and Shield techniques, so that a defence can be built most effectively against specific adversary tactics, techniques and procedures (TTPs). MITRE's corporate security team had been accumulating real-world experience of countering cyber criminals for over a decade, and that experience formed the basis of the Shield matrix, which MITRE published in 2020. A formidable amount of work went into unifying the format, documenting methods of countering attackers, creating a streamlined structure of defensive techniques and mapping them to ATT&CK. Note that Shield has since been retired and superseded by MITRE Engage, which carries the same adversary engagement and deception concepts forward.


Combining different defences allows an organisation not only to counter current attacks, but also to learn more about the adversary and better prepare for future ones. To be fair, there are some difficulties with using this matrix in our country: since MITRE Shield was developed jointly with US security agencies, in the current political environment the knowledge base is reachable from Russia only via a VPN.


MITRE D3FEND


Another MITRE product is the D3FEND framework, a knowledge graph of classic defensive countermeasures organised into tactics such as Harden, Detect, Isolate, Deceive and Evict. There is a perception that MITRE D3FEND is a simplified version of ATT&CK, but this is not quite true, or rather not true at all. D3FEND's recommendations focus on countering the attack and mitigating the effects of the "hit", whereas the ATT&CK matrix focuses on describing the attack itself. ATT&CK techniques are mapped to D3FEND countermeasures, so the two matrices are best used together, complementing each other. In effect, MITRE D3FEND lets you apply measures that prevent an attack technique from succeeding (mitigation).


Case Study


As an example, take the common case of an infection by command-and-control (C2) malware which, during execution, uses built-in Windows utilities (rundll32.exe, regsvr32.exe) to execute code stealthily (technique T1218 - System Binary Proxy Execution, with its Rundll32 and Regsvr32 sub-techniques; T1059 - Command and Scripting Interpreter would apply if the payload were run through an interpreter such as PowerShell or cmd). After gaining control, the malware's most common task is to compromise credentials by dumping the memory of the LSASS system process (technique T1003 - OS Credential Dumping). Next, the malware performs network reconnaissance, during which it discovers resources containing sensitive information: mail servers, shared folders, databases (technique T1046 - Network Service Discovery). It then moves laterally by creating remote services (technique T1021 - Remote Services). Finally, the malware collects sensitive information (technique T1039 - Data from Network Shared Drive) and exfiltrates it (technique T1041 - Exfiltration Over C2 Channel), followed by encryption and a ransom demand (technique T1486 - Data Encrypted for Impact). Thus, by applying the MITRE ATT&CK matrix, we obtain a logically ordered kill chain.



Using one of the detected techniques (T1003 - OS Credential Dumping) as an example, let's see how the matrices described above apply.


OS Credential Dumping is used by attackers to obtain the credentials of users and system administrators. Mapped against the D3FEND matrix, the defensive measures relevant to this technique can be summarised as follows:


1. Credential protection: use strong passwords and multi-factor authentication to protect credentials. Role- and privilege-based access control is also recommended.

2. Operating system protection: ensure that the operating system and all installed applications have the latest security updates and patches. Anti-virus software and firewalls are also recommended to protect against malware.

3. Restrict access to the system: restrict access to only the users and administrators who need it. Monitoring and auditing mechanisms should be used to track user activity and detect suspicious behaviour.

4. Protect the network: use network security mechanisms such as firewalls, VPNs and traffic encryption to protect against attacks from outside the network.

5. Use secure protocols: use encrypted, authenticated protocols for remote access (SSH, or RDP only through a VPN or gateway with multi-factor authentication) instead of unencrypted legacy protocols such as Telnet.

6. User training: educate users in secure practices, such as not postponing updates and not opening suspicious email attachments.


Following these guidelines helps protect the system against OS Credential Dumping and other credential theft techniques.


In the MITRE Shield matrix, the OS Credential Dumping: LSASS Memory technique belongs to the "Credential Access" tactic and the "Memory Protection" use case. To defend against it, Shield recommends measures similar to the D3FEND recommendations, supplemented by active defence measures such as the following:


A defender can create decoy credentials for active defence purposes by planting credentials (usernames and passwords, browser tokens and other forms of authentication data) on the target system so that the adversary will find and use them. Decoy credentials can be deployed in many locations and used in a variety of ways; any attempt to use one is, by definition, a sign of hostile activity.


MITRE CAR offers detection of this technique with a Sigma-style rule built on telemetry from Microsoft's Sysmon host monitoring tool:
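The CAR analytic itself is not reproduced on this page. As an added illustration of the same detection logic (example code, not MITRE CAR's rule and not Security Vision's), the Python below runs two behavioural checks over constructed, flattened Windows event lines: a T1003.001 check over Sysmon Event ID 10 (ProcessAccess) that inspects the GrantedAccess mask for memory-read rights on lsass.exe, and a decoy-credential tripwire over Security logon events (4624/4625) of the kind the Shield paragraph above describes. The allowlisted source images, the decoy account names and the sample events are assumptions made for the example.

```python
"""Behavioural detection of T1003.001 (OS Credential Dumping: LSASS Memory) over
Sysmon Event ID 10 records, plus a decoy-credential tripwire over Windows Security
logon events. Added example: not a MITRE CAR analytic, not vendor code.
All event lines below are constructed for the example, not real telemetry."""
import re
from dataclasses import dataclass

# Win32 process access rights that allow reading or duplicating LSASS memory
# (documented mask bits). 0x1400 (query information only) is common and benign.
PROCESS_VM_OPERATION = 0x0008
PROCESS_VM_READ = 0x0010
PROCESS_VM_WRITE = 0x0020
PROCESS_DUP_HANDLE = 0x0040
DUMP_RIGHTS = PROCESS_VM_OPERATION | PROCESS_VM_READ | PROCESS_VM_WRITE | PROCESS_DUP_HANDLE

# Source images that legitimately touch LSASS memory. Assumed for the example;
# a real allowlist is tuned per estate and compares full paths, never basenames.
LSASS_ALLOWLIST = {
    r"c:\program files\windows defender\msmpeng.exe",
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
}
# Honey accounts planted for active defence (assumed names); any use is an alert.
DECOY_ACCOUNTS = {"svc_backup_old", "adm-legacy"}

# 'Key=Value Key=Value' lines; values may contain spaces, so stop at the next 'Key='.
KV_RE = re.compile(r"(\w+)=(.*?)(?=\s\w+=|$)")


def parse_event(line):
    """Flatten a key=value log line (SIEM export style) into a dict."""
    return {k: v.strip() for k, v in KV_RE.findall(line)}


@dataclass
class Alert:
    technique: str
    severity: str
    host: str
    reason: str


def detect_lsass_access(ev):
    """Flag a Sysmon ProcessAccess event targeting lsass.exe whose GrantedAccess
    includes memory-read/duplicate rights, unless the source image is allowlisted."""
    if ev.get("EventID") != "10":
        return None
    if not ev.get("TargetImage", "").lower().endswith(r"\lsass.exe"):
        return None
    granted = int(ev.get("GrantedAccess", "0"), 16)
    if not granted & DUMP_RIGHTS:
        return None
    source = ev.get("SourceImage", "").lower()
    if source in LSASS_ALLOWLIST:
        return None
    return Alert("T1003.001", "high", ev.get("Computer", "?"),
                 f"{source} opened lsass.exe with GrantedAccess=0x{granted:x}")


def detect_decoy_logon(ev):
    """Any logon attempt (4624 success or 4625 failure) with a decoy account is
    hostile by definition: nobody legitimately knows those credentials."""
    if ev.get("EventID") not in {"4624", "4625"}:
        return None
    user = ev.get("TargetUserName", "").lower()
    if user not in DECOY_ACCOUNTS:
        return None
    outcome = "succeeded" if ev["EventID"] == "4624" else "failed"
    return Alert("T1078", "critical", ev.get("Computer", "?"),
                 f"logon with decoy account {user} {outcome} from {ev.get('IpAddress', '?')}")


def run_detections(lines):
    """Apply every rule to every event; return the alerts in event order."""
    alerts = []
    for line in lines:
        ev = parse_event(line)
        for rule in (detect_lsass_access, detect_decoy_logon):
            alert = rule(ev)
            if alert:
                alerts.append(alert)
    return alerts


# Constructed sample telemetry: one benign query, one suspicious read from a temp
# directory, one allowlisted AV engine, one decoy-account logon failure, one unrelated event.
SAMPLE_EVENTS = [
    r"Computer=WS-017 EventID=10 SourceImage=C:\Windows\System32\svchost.exe TargetImage=C:\Windows\System32\lsass.exe GrantedAccess=0x1400",
    r"Computer=WS-017 EventID=10 SourceImage=C:\Users\alice\AppData\Local\Temp\update.exe TargetImage=C:\Windows\System32\lsass.exe GrantedAccess=0x1010",
    r"Computer=WS-017 EventID=10 SourceImage=C:\Program Files\Windows Defender\MsMpEng.exe TargetImage=C:\Windows\System32\lsass.exe GrantedAccess=0x1fffff",
    r"Computer=DC-01 EventID=4625 TargetUserName=svc_backup_old IpAddress=10.20.30.41 LogonType=3",
    r"Computer=WS-017 EventID=1 Image=C:\Windows\System32\notepad.exe CommandLine=notepad.exe notes.txt",
]

if __name__ == "__main__":
    for alert in run_detections(SAMPLE_EVENTS):
        print(alert)
```

The masks do the real work here: 0x1010 (PROCESS_QUERY_LIMITED_INFORMATION | PROCESS_VM_READ) and 0x1fffff (PROCESS_ALL_ACCESS) are typical of credential dumpers, while 0x1400 is what ordinary process enumeration requests, so matching on the presence of read/duplicate bits rather than on exact values catches variants without flooding the analyst. Expect to tune the allowlist against your own EDR and backup agents before letting a SOAR playbook act on these alerts automatically.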



The wonders of automation


Using the MITRE matrices, combined with a company's own accumulated experience of countering attacks, makes its information security team more effective. Previously, analysts had to spend a lot of time manually matching suspicious activity found in their infrastructure against MITRE techniques and tactics. Technology has not stood still, however, and systems have appeared on the market that not only automate individual protection processes but also orchestrate all of the security tools used in the infrastructure.


Suspicious activity recorded by a SIEM and/or TIP is grouped according to pre-configured correlation rules and passed to a SOAR/IRP class system, which registers the incident on its own, builds the attack sequence and matches it against the recommendations of the MITRE matrices. The analyst only has to assess the situation and take the necessary response actions from a single interface (for example, block an account or add an IP address to the untrusted list).



This approach raises analysts' awareness of external and internal threats many times over and significantly reduces the time needed to respond to an attack, which in turn reduces the likely damage. Another advantage is that fewer people are needed to organise an effective defence. This not only cuts the company's costs but also simplifies recruitment, and as we know, there is a shortage of security analysts on the Russian market.


Conclusion


Assessing the coverage of MITRE techniques in the SOC (Security Operations Centre) allows conclusions to be drawn about how effectively its processes are built, and helps plan further development of the SOC to close blind spots in the detection of attacker techniques. Automation shortens the time an analyst spends processing an incident and provides more detailed information, leaving more options for response, and it becomes possible to configure automated response rules. Time will work in your favour: the longer an analyst works with a SOAR/IRP class system, the more experience accumulates, and the better the automated response rules can be tailored to your enterprise's unique threat landscape.
