Mapping ATT&CK Techniques to ENGAGE Activities
- 2. Copyright © 2022 CounterCraft, Inc. All rights reserved.
David Barroso @lostinsecurity
Before starting
Please check out the excellent MITRE Engage resources.
https://engage.mitre.org/
Kudos to the MITRE Engage team!
- 3. Cyber Denial is the ability to prevent or otherwise impair the adversary’s ability to conduct their operations. This disruption may limit their movements, collection efforts, or effectiveness of their capabilities.
Cyber Deception intentionally reveals deceptive facts and fictions to mislead the adversary. In addition, it conceals critical facts and fictions to prevent the adversary from forming correct estimations or taking appropriate actions.
When cyber denial and deception are used together, within the context of strategic planning and analysis, they provide the foundation of Adversary Engagement.
Source: https://engage.mitre.org/
- 4. Source: https://engage.mitre.org/
- 5. Engage Key Terms
• Actions: two categories of actions: Strategic and Engagement.
• Goals: the high-level outcomes you would like your operation to accomplish: Prepare, Expose, Affect, Elicit, Understand.
• Approaches: let you make progress towards your selected goal (tactics in ATT&CK): Plan, Collect, Detect, Prevent, Direct, Disrupt, Reassure, Motivate, Analyze.
• Activities: concrete techniques you use in your approach (techniques in ATT&CK).
- 6. Source: https://engage.mitre.org/
- 7. Source: https://engage.mitre.org/
- 8. Mapping Engage and ATT&CK
For each ATT&CK technique, we can examine the weaknesses revealed and identify an engagement activity or activities to exploit this weakness.
Lures (ID: EAC0005)
Source: https://engage.mitre.org/
- 9. Example: TeamTNT and their Docker escape method
We want to test the following hypothesis:
A specific threat actor (TeamTNT) is targeting companies in our sector. One of their preferred methods is to compromise container servers and use them as a way to propagate their payload.
- 10. Example: TeamTNT and their Docker escape method
Steps | ATT&CK Technique
TeamTNT scans your attack surface looking for unprotected Docker daemons | T1133 – External Remote Services
They create a new container with privileged mode, mapping the host’s root filesystem into the new container | T1610 – Deploy Container
Then they add a new SSH public key to the root user authorized keys | T1098.004 – Account Manipulation: SSH Authorized Keys
They can now SSH into the host (ssh root@127.0.0.1) | T1611 – Escape to Host
More information: https://www.countercraftsec.com/blog/post/escaping-docker-privileged-containers-for-mining-crypto-currencies/
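As an added example (not code from the deck or from CounterCraft), the table above turned into detection logic for a decoy host that exposes an unauthenticated Docker daemon: constructed audit events (the field names are assumptions, not Docker's own schema) are classified into the four ATT&CK IDs from the table, and the full TeamTNT chain is flagged only when all four steps appear in order.

```python
import json
from typing import Iterable, List, Optional

# ATT&CK IDs from the TeamTNT table, in the order the steps occur.
TEAMTNT_CHAIN = ["T1133", "T1610", "T1098.004", "T1611"]

# Constructed audit events from a hypothetical decoy host running an
# unauthenticated Docker daemon. Field names are assumptions for this example.
SAMPLE_EVENTS = [
    '{"kind": "api_request", "path": "/containers/json", "tls_client_cert": false, "src": "203.0.113.7"}',
    '{"kind": "container_create", "host_config": {"Privileged": true, "Binds": ["/:/host"]}}',
    '{"kind": "file_write", "path": "/root/.ssh/authorized_keys", "by": "containerd-shim"}',
    '{"kind": "ssh_login", "user": "root", "src": "127.0.0.1", "method": "publickey"}',
]


def classify(event: dict) -> Optional[str]:
    """Map one decoy-host event to the ATT&CK technique from the table, or None."""
    kind = event.get("kind")
    if kind == "api_request" and not event.get("tls_client_cert", True):
        return "T1133"  # remote use of a daemon exposed with no client authentication
    if kind == "container_create":
        cfg = event.get("host_config", {})
        host_root_mapped = any(b.startswith("/:") for b in cfg.get("Binds", []))
        if cfg.get("Privileged") and host_root_mapped:
            return "T1610"  # privileged container with the host's / bind-mounted
    if kind == "file_write" and event.get("path", "").endswith("root/.ssh/authorized_keys"):
        return "T1098.004"  # SSH public key added for root
    if kind == "ssh_login" and event.get("user") == "root" and event.get("src") == "127.0.0.1":
        return "T1611"  # loopback SSH from the container into the host
    return None


def observed_techniques(lines: Iterable[str]) -> List[str]:
    """Return the distinct technique IDs seen, in first-observed order."""
    seen: List[str] = []
    for line in lines:
        technique = classify(json.loads(line))
        if technique and technique not in seen:
            seen.append(technique)
    return seen


def matches_teamtnt_chain(lines: Iterable[str]) -> bool:
    """True when all four steps of the table appear, in the order of the table."""
    relevant = [t for t in observed_techniques(lines) if t in TEAMTNT_CHAIN]
    return relevant == TEAMTNT_CHAIN


if __name__ == "__main__":
    print(observed_techniques(SAMPLE_EVENTS), matches_teamtnt_chain(SAMPLE_EVENTS))
```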
- 11. Example: TeamTNT and their Docker escape method
- 12. Example: Apache log4j vulnerability CVE-2021-44228
We want to test the following hypothesis:
We have a massive number of Java applications exposed to the Internet, and many of them can’t be patched immediately.
- 13. Example: Apache log4j vulnerability CVE-2021-44228
Steps | ATT&CK Technique
A threat actor scans your attack surface looking for vulnerable Java applications. | T1133 – External Remote Services
They use the log4j exploit to execute a command | T1190 – Exploit Public-Facing Application
A PowerShell script is executed | T1059.001 – Command and Scripting: PowerShell
The PowerShell script downloads and executes a binary | T1204.002 – User Execution: Malicious file
The binary tries to achieve persistence by adding registry keys | T1547.001 – Boot or Logon Autostart: Registry Run Keys
The binary installs a crypto-miner (XMRig) | T1496 – Resource Hijacking
More information: https://blog.checkpoint.com/2021/12/14/a-deep-dive-into-a-real-life-log4j-exploitation/
- 14. Example: Apache log4j vulnerability CVE-2021-44228
- 15. Adversary Engagement tips
Deflect the adversary to our deception assets
• Services that are attractive and discoverable: Active Directory with a trust relationship with a production AD, vulnerable software versions (Apache, Confluence, Windows Server, …), poorly secured software installations (SQL Server with weak passwords, unauthenticated Docker daemons, SSH/RDP with weak passwords, etc.) or just normal software that can be accessed using the credentials stored in breadcrumbs.
• Breadcrumbs that point to the above services. Example: private keys, credentials in files (PowerShell script, Excel, bash, source code repositories, configuration files, etc.), shared folders, source code repositories, emails, TLS certificates, etc.
• Physical breadcrumbs: QR codes posted on the walls of restricted areas, printed configuration files / credentials in trash bins or on the desktop, post-it notes pointing to the deception assets, etc.
• Traffic generation from attractive assets: CDP pointing to Cisco devices, multicast traffic from vulnerable devices, etc.
- 16. Adversary Engagement tips
Bait and switch
Depending on how we are engaging with the adversaries, we can dynamically change the environment:
• Keep attackers engaged for as long as possible with our scenario
• Create chaos and confusion amongst them
• Collect information about them (IOCs, TTPs)
• Gain and/or increase situational awareness
Examples:
• Let them compromise malfunctioning hosts (random reboots, password changes, corrupted files, etc.)
• Block access to their C2. Example: blocking HTTP requests from Cobalt Strike beacons back to their C2.
• Add random delays (contacting servers, API operations, etc.). Example: Tularosa (Ferguson-Walter et al., 2019)
• Drop files and folders in real time containing relevant documentation based on the attacker profile
• Hide and seek vulnerable assets
• Drop IOCs that belong to similar groups (APT28 vs APT29)
• Send Detection Warnings using popups or shell messages