More Related Content
Similar to ATT&CKing the Red/Blue Divide (20)
![[Warsaw 26.06.2018] SDL Threat Modeling principles](https://cdn.slidesharecdn.com/ss_thumbnails/warsaw26-180628121942-thumbnail.jpg?width=560&fit=bounds)
ATT&CKing the Red/Blue Divide
- 1. Attacking the Red vs Blue Divide MITRE ATT&CKcon 3.0 March 30, 2022
- 2. Copyright © 2021 Threatology, Inc #whoami Fred Frey CTO/Co-founder - SnapAttack 20+ years of red team + threat hunt [email protected] @fryguy2600 Jonathan Mulholland AI Director - SnapAttack 15 years experience in data analysis and scientific research [email protected]
- 3. Agenda Talk Topics • Our approach: red and blue • Threat & analytics library • What is measured, gets improved! • Curating analytics • Better ATT&CK coverage estimates • Analytic robustness measures • SnapAttack Community Release Goals and Motivations Support community threat research efforts by: • Combining multiple red and blue community efforts together • Measuring and identifying community detection gaps • Empower searching and filtering attacks/analytics in a purpose-built platform
- 4. Community Threat Research Security Content Analytics Sentinel Use Cases Red Team Communities Blue Team Communities … wouldn't it be cool if we could combine and independently validate these efforts? Sigma
- 5. Red ↔ Blue: Particle Collider Particle Collider Propels charged particles at high speeds that smash against other particles. By studying these collisions, physicists are able to probe the world of the infinitely small.
- 6. Red ↔ Blue: Particle Collider Atomic Red T1059 -> T1218 -> T1047 -> T1003 -> T1105 -> T1055 -> <- T1059 <- T1218 <- T1047 <- T1003 <- T1105 <- T1055 Sigma Logs EDR, syslogs, application logs, PCAP / Zeek SnapAttack Propels malicious attacks at high speeds that smash against behavioral detection analytics. By studying these collisions, threat researchers are able to probe the world of the hackers.
- 7. Empowering Threat Research What can we measure with red and blue data? False Positives – Throw out overly false positive analytics and/or improve filtering True Positives Validation – Ensure it detects what you expect it to MITRE ATT&CK Coverage – Detect across the board, validate community labels Analytic Similarities – Find duplicate analytics, pick the best 1 2 3 4
- 9. Threat and Analytic Library Video of Attack Attack Description Analytic Hit Details Analytic Timeline Memorialize attacks – share with the community
- 10. Threat and Analytic Library Validate "All the Things" CONFIDENTLY DEPLOY BLUE TEAM Creates analytics to detect RED TEAM Emulates / captures threat to validate Signature Metadata • Title / description / notes • MITRE ATT&CK mapping • Validation status • Confidence ranking • Exclusion filters • Link to true positive logs Threat Metadata • Title / description / notes • MITRE ATT&CK mapping • Security event logs • Threat intel report link • Labeled threats (ATT&CK + timestamp) ANALYTIC LIBRARY THREAT LIBRARY Undetected Attack Logs VALIDATED True Positive Untested Signatures
- 11. FALSE POSITIVE (Noise) TRUE POSITIVE (Validated hit) FALSE NEGATIVE (Undetected hit) Label Data Validation Criteria Blue and red marker must match either: • The same event log, or • +/- 5 seconds with the same ATT&CK technique or process ID Attack timeline with overlayed detection hits
- 12. Curating Analytics: False Positive Reduction
- 13. Curating Analytics ATOMIC SESSIONS • 1,840 Sigma queries • 322 distinct ATT&CK tags Sigma Community Analytics • 847 Atomic Red scripts • 379 attacks emulated in our lab • 182 distinct ATT&CK tags Atomic Red Scripts • Techniques: 188 • Sub-techniques: 379 ATT&CK Techniques Finding Quality Community Detections ATOMIC SESSIONS SIGMA QUERIES
- 14. Curating Analytics • Filter out noise • Identify the events of interest • This experiment is environment sensitive Our Particle Traces Collision! ATOMIC SESSIONS SIGMA QUERIES QUERY HIT
- 15. False Positives Removed • Analytic must have 1 - 20 connections on the graph • Analytics that miss are discarded Noise Filters • Results can't be obtained manually • Analytic that miss form a red team backlog (need to create a true positive attack example) Notes ATOMIC SESSIONS SIGMA QUERIES QUERY HIT
- 16. Reducing False Positives Example: Change Powershell Policies to an Unsecure Level • Hits every single Atomic Red session • Author's level and false positive entries are unreliable • Behavior is environment dependent, manual curation is impossible CommandLine: powershell.exe -ExecutionPolicy Bypass -File C:Program FilesAmazonEc2ConfigServiceScriptsDiscoverConsolePort.ps1 detection: option: CommandLine|contains: '-executionpolicy' level: CommandLine|contains: - 'Unrestricted' - 'bypass' - 'RemoteSigned' condition: option and level falsepositives: - Administrator script level: high Unanticipated query behavior False Positive Log Hit:
- 17. CRITICAL HIGH MEDIUM LOW 0.0 0.2 0.4 0.6 0.8 1.0 QUALITY SCORE Criticality Level Can't Be Trusted! • Is not based on your data • Author expertise is unknown Sigma Author's Assessment Conclusion • Risk = Probability x Severity • Sigma level field does not include probability • Probability can be obtained from real data or estimated using community data DISTRIBUTION OF ANALYTIC QUALITY FOR EACH CRITICALITY LEVEL Quality Score • The fraction of hits by a Sigma query that are validated (1.0 means all hits from an analytic were validated) coin flip whether the analytic is reliable Criticality vs. Analytic Quality
- 19. Analytic Validation • False positive reduction • Analytic must have a validated hit (true positive) Analytic Filters Winners! ATOMIC SESSIONS SIGMA QUERIES QUERY HIT Validation Criteria • Analytic hit and attack marker match the exact same event log, or • Analytic hit must be near (+/- 5 seconds) an attack marker and share a MITRE ATT&CK tag or process ID
- 20. Validated Analytics Atomic Sessions Dump LSASS.exe Memory using ProcDump Dump LSASS.exe Memory using comsvcs.dll Dump LSASS.exe Memory using direct system calls and API unhooking Create Mini Dump of LSASS.exe using ProcDump Dump LSASS.exe Memory using Out-Minidump.ps1 Cred Dump Tools Dropped Files LSASS Memory Dump File Creation LSASS Memory Dumping Procdump Usage Suspicious Use of Procdump LSASS Memory Dump Suspicious Use of Procdump on LSASS Lsass Memory Dump via Comsvcs DLL Dumpert Process Dumper LSASS Process Memory Dump Files Dumpert Process Dumper Process Dump via Comsvcs DLL Credentials Dumping Tools Accessing LSASS Memory Generic Password Dumper Activity on LSASS Accessing WinAPI in PowerShell for Credentials Dumping Sigma Queries ATOMIC SESSIONS SIGMA QUERIES QUERY HIT T1003.001: OS Credential Dumping: LSASS Memory
- 22. False Positives Filter Validation Filter Unfiltered Sigma Queries: 129 Atomic Sessions: 127 Sigma Queries: 221 Atomic Sessions: 214 Sigma Queries: 1840 Atomic Sessions: 379 SIGMA 322 ATT&CK TECHNIQUES 567 Realistic ATT&CK Coverage ATT&CK TECHNIQUES 567 SIGMA 130 ATT&CK TECHNIQUES 567 SIGMA 115 Query / Session Counts ATT&CK Technique Coverage
- 24. Analytic Similarity • Nerds: Projection of the bipartite network onto a single mode using hyperbolic weighting • Everyone Else: Finding similar/duplicate analytics Analytic Similarity Applications of Similarity Calculation • Deduplication • Auto labeling • Defense-in-depth Use unvalidated data to calculate correlations Disjoint of sets of most correlated analytics Projection showing Sigma query connectivity based on similar Atomic Red hits Leveraging Graph Data
- 25. Analytic Similarity Analytic Similarity • Nearly identical analytic • ATT&CK tag error Mavinject Inject DLL Into Running Process T1055.001 Process Injection: Dynamic-link Library Execution T1056.004 Inject Capture: Credential Hooking detection: selection: CommandLine|contains|all: - ' /INJECTRUNNING' - '.dll' OriginalFileName|contains: mavinject condition: selection Mavinject Process Injection T1055.001 Process Injection: Dynamic-link Library Execution T1218. Signed Binary Process Execution detection: selection: CommandLine|contains: ' /INJECTRUNNING ' condition: selection Example #1 – Result: Merge to improve
- 26. Analytic Similarity Analytic Similarity Suspicious Rundll32 Script in CommandLine T1218.011 Signed Binary Proxy Execution: Rundll32 detection: selection_run: CommandLine|contains|all: - rundll32 - 'mshtml,RunHTMLApplication' selection_script: CommandLine|contains: - 'javascript:' - 'vbscript:' condition: all of selection_* logsource: category: process_creation product: windows Example #2 – Result: Keep Both for robustness • Similar analytic and same tag • Defense-in-depth • Process logs • Network logs • Auto-labeling potential Rundll32 Internet Connection T1218.011 Signed Binary Proxy Execution: Rundll32 detection: selection: Image|endswith: 'rundll32.exe' Initiated: 'true' filter: - DestinationIp|startswith: - '10.' - '192.168.' - '172.16.' ... filter_microsoft: DestinationIp|startswith: - '51.124.' condition: selection and not 1 of filter* logsource: category: network_connection product: windows
- 27. Research Wrap-up CONFIDENTLY DEPLOY ANALYTIC LIBRARY THREAT LIBRARY Undetected Attack Logs VALIDATED True Positive Untested Signatures Collision Experiments Results • Curated set of validated analytics • Backlog of undetected Atomic Red sessions • Realistic MITRE ATT&CK coverage • Graph theory analytic similarity Released Today in SnapAttack Community Platform ATT&CK TECHNIQUES 567 SIGMA 115
- 28. SnapAttack – Community Platform • Forever free and open to the community • Access to all community content (including all Sigma analytics and Atomic Red attacks mentioned today) • Request contributor beta access (general availability in the next ~3-4 months) • Analytic IDE for creating and testing detections • Capture and share your own attacks Register Today or Request Contributor Beta Access https://www.snapattack.com/community We are launching our community edition today