1
@gertjanbruggink
ATT&CK-ONOMICS
Attacking the economics behind techniques used by adversaries
Gert-Jan Bruggink | Defensive Specialist | FalconForce
ATT&CKCON Power Hour 2020-2021
TLP: White
Classification: Public
2
Who am I?
FalconForce
Gert-Jan Bruggink
Defensive Specialist
10+ years in InfoSec
Consulted at financial services, high tech, manufacturing and governmental organizations
• Built / led CTI capabilities
• Creation & delivery of CTI products
• Intelligence-led Red- & Purple Teaming
• Strategic change through CTI-, SOC- & Cyber transformation programs
Cynical optimist, artist, CTI, bluetivism & pioneering
Don’t like magic tricks
Father²
@gertjanbruggink
github.com/gertjanbruggink
/gertjanbrugink
gj@falconforce.nl
3
Why am I here?
▪ The industry currently emphasizes post-compromise behavior in the criminal value chain. Detection & response is the reality, prevention is the goal.
▪ Advocate the use of ATT&CK as your security program’s evidence-based, statistical frame of reference.
▪ Inspire defensive strategies designed to impact ‘cost per intrusion’ incurred by adversaries.
4
Example: burglars vs UNC2452
Understanding the cybercrime value chain
There’s more to it than just the compromise
Keman Huang et al.; https://sloanreview.mit.edu/article/casting-the-dark-web-in-a-new-light/

Stages:
1. Discover vulnerabilities
2. Prepare to exploit vulnerabilities
3. Deliver exploit
4. Activate cyberattack

Supporting activities:
• Manage the attack life-cycle: organize crew; determine opportunity & select target; overcome attempts to disrupt; ROI from attack
• Marketing and Delivery: develop marketplace for trading; build reputation in community; evaluate value of trading; launder money
• HR: recruit new hackers; train new hackers
5
Using ATT&CK to plot economic drivers
Getting rich, or arrested, or indicted, or worse, trying
Value chain stages:
1. Discover vulnerabilities
2. Prepare to exploit vulnerabilities
3. Deliver exploit
4. Activate cyberattack
Explored the following, from an adversary perspective, for each technique:
1. Can we be detected/disrupted by our target? (yes / no / partial)
2. Is tooling currently available to execute the technique? (manual activity / custom code / scripts / tools / frameworks)
3. Level of expertise required to ‘do’ the technique? (easy / hard)
Data available @ https://github.com/gertjanbruggink
6
Detecting early has always been complicated
Exploring ‘defending to the left’ in ‘TA0043 – Reconnaissance’
Is it possible to detect these techniques?

Technique                                  No     Partial  Yes    Grand Total
Grand Total                                67%    0%       33%    100%
T1589 Gather Victim Identity Information   100%   0%       0%     100%
T1590 Gather Victim Network Information    100%   0%       0%     100%
T1591 Gather Victim Org Information        100%   0%       0%     100%
T1593 Search Open Websites/Domains         100%   0%       0%     100%
T1594 Search Victim-Owned Websites         0%     0%       100%   100%
T1595 Active Scanning                      0%     0%       100%   100%
T1596 Search Open Technical Databases      100%   0%       0%     100%
T1597 Search Closed Sources                100%   0%       0%     100%
T1598 Phishing for Information             0%     0%       100%   100%

Reason we can’t detect 67% of these techniques: very high occurrence and the associated false-positive rates. They also potentially take place outside the visibility of the target organization.
All these techniques can be executed with automated tooling and little to no expertise.
Mitigation efforts should focus on detecting related stages of the cybercrime value chain.
Start using GreyNoise (https://viz.greynoise.io/signup) to distinguish targeted from broad scanning.
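The deck scores every technique on three questions (detectable by the target, tooling available, expertise needed) and then aggregates the answers per tactic, which is how the Reconnaissance table above was produced. The following is an added example written for this page, not the author's published data set or tooling: it encodes the nine TA0043 rows from the table as constructed records (the detectability answers are the slide's; the tooling and expertise values are assumed from the slide's remark that all nine can be run with automated tooling and little expertise), reproduces the Grand Total row, and adds a hypothetical cost-to-adversary index whose weights are a choice made here, not the deck's method.

```python
"""Score ATT&CK techniques on the deck's three adversary-economics questions
and aggregate the answers per tactic, as the TA0043 detection table does.

Added example, not the deck's data set. Records are constructed from the
slide's Reconnaissance table; tooling/expertise values and the cost weights
are assumptions made here for illustration.
"""
from collections import Counter
from dataclasses import dataclass

# Answer scales for the three questions on the "economic drivers" slide.
DETECTABLE = ("No", "Partial", "Yes")
TOOLING = ("Manual activity", "Custom code", "Scripts", "Tools", "Frameworks")
EXPERTISE = ("Easy", "Hard")


@dataclass(frozen=True)
class TechniqueScore:
    tactic: str
    technique_id: str
    name: str
    detectable: str  # can the target detect/disrupt it? (one of DETECTABLE)
    tooling: str     # what is available to execute it? (one of TOOLING)
    expertise: str   # skill needed to do it (one of EXPERTISE)

    def __post_init__(self) -> None:
        # Reject labels outside the scales so the aggregates stay consistent.
        for value, scale in ((self.detectable, DETECTABLE),
                             (self.tooling, TOOLING),
                             (self.expertise, EXPERTISE)):
            if value not in scale:
                raise ValueError(f"{self.technique_id}: {value!r} not in {scale}")


# Constructed sample: the TA0043 rows from the slide. Detectability is as
# shown on the slide; tooling and expertise are assumed values.
RECON = [
    TechniqueScore("TA0043", "T1589", "Gather Victim Identity Information", "No", "Frameworks", "Easy"),
    TechniqueScore("TA0043", "T1590", "Gather Victim Network Information", "No", "Frameworks", "Easy"),
    TechniqueScore("TA0043", "T1591", "Gather Victim Org Information", "No", "Frameworks", "Easy"),
    TechniqueScore("TA0043", "T1593", "Search Open Websites/Domains", "No", "Frameworks", "Easy"),
    TechniqueScore("TA0043", "T1594", "Search Victim-Owned Websites", "Yes", "Frameworks", "Easy"),
    TechniqueScore("TA0043", "T1595", "Active Scanning", "Yes", "Tools", "Easy"),
    TechniqueScore("TA0043", "T1596", "Search Open Technical Databases", "No", "Frameworks", "Easy"),
    TechniqueScore("TA0043", "T1597", "Search Closed Sources", "No", "Frameworks", "Easy"),
    TechniqueScore("TA0043", "T1598", "Phishing for Information", "Yes", "Scripts", "Easy"),
]


def summarize_detectability(records, tactic):
    """Percentage of a tactic's techniques per detectability answer, i.e. the
    slide's 'Grand Total' row, as rounded integer percentages."""
    subset = [r for r in records if r.tactic == tactic]
    if not subset:
        raise ValueError(f"no records for tactic {tactic}")
    counts = Counter(r.detectable for r in subset)
    return {label: round(100 * counts[label] / len(subset)) for label in DETECTABLE}


def adversary_cost(rec):
    """Hypothetical cost-to-adversary index (higher = more expensive or risky
    to execute). Detection risk and required expertise weigh 2 per step; each
    step away from ready-made frameworks toward manual activity adds 1."""
    detection = DETECTABLE.index(rec.detectable) * 2
    tooling_gap = (len(TOOLING) - 1) - TOOLING.index(rec.tooling)
    skill = EXPERTISE.index(rec.expertise) * 2
    return detection + tooling_gap + skill


def cheapest_first(records):
    """Techniques ordered from cheapest to costliest for the adversary; the
    cheap end is where a mitigation raises 'cost per intrusion' the most."""
    return sorted(records, key=lambda r: (adversary_cost(r), r.technique_id))


def render_table(records, tactic):
    """Plain-text version of the slide's per-technique detectability table."""
    subset = [r for r in records if r.tactic == tactic]
    totals = summarize_detectability(records, tactic)
    rows = [("Grand Total", *(f"{totals[l]}%" for l in DETECTABLE))]
    for r in subset:
        rows.append((f"{r.technique_id} {r.name}",
                     *("100%" if r.detectable == l else "0%" for l in DETECTABLE)))
    width = max(len(row[0]) for row in rows)
    lines = [f"{'Technique':<{width}}  " + "  ".join(f"{l:>7}" for l in DETECTABLE)]
    lines += [f"{row[0]:<{width}}  " + "  ".join(f"{c:>7}" for c in row[1:]) for row in rows]
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_table(RECON, "TA0043"))
    for r in cheapest_first(RECON):
        print(f"{r.technique_id}: adversary cost {adversary_cost(r)}")
```

Running the script prints the same 67% / 0% / 33% totals as the slide, and `cheapest_first` puts the six undetectable, framework-driven techniques at the top of the list, which is the deck's point: those are the stages where mitigation has to come from elsewhere in the value chain rather than from the target's own telemetry.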
7
Picking up & actioning their preparation phase
Things get more nuanced in ‘TA0042 - Resource Development’
Techniques: T1583 Acquire Infrastructure, T1584 Compromise Infrastructure, T1585 Establish Accounts, T1586 Compromise Accounts, T1587 Develop Capabilities, T1588 Obtain Capabilities
Can we detect these techniques? (Yes / No)
Detection notes:
• Acquisition of domains can be monitored & tracked
• Sub-techniques (2) focus on establishing social media & email accounts; monitoring social media is the most effective initial mitigation
• Tracking certificate usage in sites across the internet
8
There are only so many ways to gain ‘Initial Access’
Attacking the ‘deliver exploit’ phase (TA0001)
Techniques: Valid Accounts, Replication Through Removable Media, External Remote Services, Drive-by Compromise, Exploit Public-Facing Application, Supply Chain Compromise, Trusted Relationship, Hardware Additions, Phishing
Please note, the graph sizing is based on # of sub-techniques per technique
• Phishing remains the go-to, low-cost, low-effort and easy-to-automate attack vector
• Exploiting external infrastructure & applications is a close second as top attack vector
• Valid Accounts: credentials obtained from other breaches
• Honorable mention: infiltrating supply chains (hardware & software) remains high-cost & high-risk but also high-ROI
• Mitigations come down to security basics & hygiene (unfortunately)
9
Disincentivize the ‘cyberattack’
ATT&CK the rest
100% of post-‘Initial Access’ techniques have detection suggestions (sidenote: coverage should never be the objective).
• Work with the community to identify ‘top technique’ lists and tailor defenses accordingly
  Red Canary’s 2020 threat detection report:
  1. Process injection (T1055)
  2. Scheduled Task (T1053)
  3. Windows Admin Shares (T1077)
  4. PowerShell (T1105)
  5. Remote File Copy (T1036)
• Force adversaries to spend time developing tooling
  Paul Litvak @ VB2020, Mapping threat actor usage of open-source offensive security tools: https://youtu.be/gkxAgaluRpM
• Share actionable content, for example intel, KQL detections and response content
  FalconForce’s FalconFriday: https://github.com/FalconForceTeam/FalconFriday
10
Closing thoughts on decreasing adversary ROI
[Chart: cost-to-implement (cheap to high) against time-to-implement (real-time to a year), comparing the defender and attacker curves; labelled points: ‘initial mitigation’, ‘effective risk management’ and ‘e.g. tool or malware release’]
Faster and smaller initial mitigations, early in the cybercrime value chain.
Please note, the graph positioning is an estimate and meant just to illustrate the point.
11
Let’s continue the discussion!
Gert-Jan Bruggink
gj@falconforce.nl
Shout-outs
MITRE for developing an ATT&CK-to-Excel export feature