Using Threat Intelligence to
Focus ATT&CK Activities
October 29, 2019
INFORMATION RISK MANAGEMENT
The Nationwide MITRE ATT&CK Team
• Andy Kettell
– 20+ years IT security experience
– 4+ years at Nationwide in Cyber Security Operations Center
– CISSP, CCSP
• David Westin
– 20+ years of Intelligence in U.S. Marine Corps
– 4 years at U.S. Cyber Command
– 1 year at Nationwide
Others:
• Risk Leaders
• Business Area Leaders
• Infrastructure Personnel
• Columbus Collaboratory
In the beginning…
This ATT&CK thing is cool! I want it!
Okay…how do we do this?
Our First Attempt (February 2017): “Project Squishee…”
• What we did
– Tried to analyze 240+ techniques, one technique at a time
– Techniques chosen based on group consensus
• Six months to get three mitigations
• No real movement towards operationalizing the framework within the company
Our First Attempt (February 2017): Why it didn’t work
– Tried to do everything (no focus)
– Unfocused choice of techniques for deep-dive analysis (whatever seemed cool…)
– Tried to take each technique from analysis all the way through to completed remediation
– Bogged down in minutiae (took too long…)
– No differentiation between basic and advanced techniques
– No idea what we would get out of it
– Participation fatigue
– No Intel personnel
Bright Idea: Focus on the Threat!!
Who is targeting us?
What techniques do they use?
Nationwide MITRE ATT&CK Process Was Born
Threat Intel Phase → Testing Phase → Assessment Phase → Implementation Phase → Leadership Phase
Threat Intel provided the compass and map…
Should I Care About Everything? Prioritize…
• Started with the threat-actor Excel spreadsheet created by Florian Roth (@cyb3rops)
• Added capability/intent scoring; simplified based on Nationwide needs
• Used simple aging-out criteria: actors with no recent reporting drop off the list
Put It In a Pretty Chart
[Chart: Adversaries to the Financial Sector, plotted by Capability/Maturity against Interest in Financial Sector]
Focus on What Matters
[Chart: Adversaries to the Financial Sector, plotted by Capability/Maturity against Interest in Financial Sector]
• 100+ threat actors down to 27
• Focus is on those threat actors with capability and intent to go after the finance/insurance industry
I Know ‘Who’, But Not ‘What’…
Researching Threat Actor Techniques: Collect All The Things…
• Intelligence collection tool of choice
• MITRE ATT&CK Site (of course…)
• ISAC/ISAO
• Security Researchers
• Twitter
• Top Techniques Reported
• Many others…
Tying Research to ATT&CK Matrix
• If a technique is used by a prioritized threat actor, add it to the chart
• More red = more threat actors using that technique
• Simple Excel spreadsheet math…
Still Messy…
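The spreadsheet logic behind the two slides above (score each actor on capability and intent toward the sector, age out actors with no recent reporting, then count how many of the remaining actors use each technique to get the "more red" value), as an added Python example. This is not Nationwide's spreadsheet or Florian Roth's; the actor names, scores, dates and technique attributions are constructed for the example and are not real assessments, and the thresholds and the 730-day aging window are assumptions.

```python
"""Intel-phase prioritization: actor shortlist, then technique heat.

Added example, not the presenters' spreadsheet.  Step 1 keeps actors that
have recent reporting and score above thresholds on capability and intent.
Step 2 counts, over the surviving actors, how many use each ATT&CK technique;
that count is the heat value the slides colour red.
"""
from collections import Counter
from dataclasses import dataclass
from datetime import date
from typing import FrozenSet, List, Tuple


@dataclass(frozen=True)
class Actor:
    name: str
    capability: int              # analyst judgement, 1 (low) .. 5 (high)
    intent: int                  # interest in finance/insurance targets, 1 .. 5
    last_reported: date          # date of the most recent public reporting
    techniques: FrozenSet[str]   # ATT&CK technique names attributed to the actor


AS_OF = date(2019, 10, 29)       # "today" for the aging-out check (assumed)

# Constructed sample data: names, scores and attributions are invented.
SAMPLE_ACTORS: List[Actor] = [
    Actor("actor-01", 5, 5, date(2019, 9, 12),
          frozenset({"Spearphishing Attachment", "PowerShell",
                     "Credential Dumping", "Valid Accounts", "Scheduled Task"})),
    Actor("actor-02", 4, 5, date(2019, 6, 30),
          frozenset({"Spearphishing Link", "PowerShell", "Command-Line Interface",
                     "Credential Dumping", "Data Compressed"})),
    # capable but no interest in the sector
    Actor("actor-03", 5, 1, date(2019, 8, 1),
          frozenset({"Drive-by Compromise", "Process Injection", "Web Shell"})),
    # interested but low capability
    Actor("actor-04", 2, 5, date(2019, 10, 1),
          frozenset({"Spearphishing Attachment", "User Execution", "Masquerading"})),
    # capable and interested, but no reporting for years: ages out
    Actor("actor-05", 5, 5, date(2016, 3, 4),
          frozenset({"PowerShell", "Credential Dumping", "Pass the Hash"})),
]


def shortlist(actors: List[Actor], today: date, max_age_days: int = 730,
              min_capability: int = 3, min_intent: int = 3) -> List[Actor]:
    """Actors with recent reporting and both capability and intent at or above threshold."""
    keep = []
    for a in actors:
        if (today - a.last_reported).days > max_age_days:
            continue                      # aged out: no recent reporting
        if a.capability < min_capability or a.intent < min_intent:
            continue                      # missing capability or interest in the sector
        keep.append(a)
    # highest combined score first; the chart's top-right quadrant leads
    keep.sort(key=lambda a: (-(a.capability * a.intent), a.name))
    return keep


def technique_heat(actors: List[Actor]) -> Counter:
    """Number of the given actors attributed to each technique."""
    counts: Counter = Counter()
    for a in actors:
        counts.update(a.techniques)
    return counts


def ranked_techniques(actors: List[Actor]) -> List[Tuple[str, int]]:
    """(technique, actor count) pairs, most-used first, ties alphabetical."""
    return sorted(technique_heat(actors).items(), key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    focus = shortlist(SAMPLE_ACTORS, today=AS_OF)
    print("Focus set:", [a.name for a in focus])
    for tech, n in ranked_techniques(focus):
        print(f"{n}  {tech}")
```

With the sample data only actor-01 and actor-02 survive, so PowerShell and Credential Dumping come out at heat 2 and everything else at 1; actor-05's Pass the Hash never reaches the matrix because the actor aged out, which is exactly the trade-off the aging rule makes: stale reporting is discarded even for a capable, interested actor, so the window should be revisited as part of the "constantly evolving" step rather than set once.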
Focusing Only On Identified Techniques… Manageable Project…
Techniques attributed to the prioritized threat actors, by ATT&CK tactic (a technique that maps to more than one tactic, such as Valid Accounts or Scheduled Task, is listed under each):
• Initial Access (5): Drive-by Compromise; Spearphishing Attachment; Spearphishing Link; Trusted Relationship; Valid Accounts
• Execution (9): Command-Line Interface; Mshta; PowerShell; Regsvr32; Rundll32; Scheduled Task; Scripting; User Execution; Windows Management Instrumentation
• Persistence (10): Accessibility Features; Application Shimming; Create Account; DLL Search Order Hijacking; Hidden Files and Directories; New Service; Registry Run Keys / Start Folder; Scheduled Task; Shortcut Modification; Web Shell
• Privilege Escalation (9): Access Token Manipulation; Accessibility Features; Application Shimming; DLL Search Order Hijacking; Exploitation for Privilege Escalation; New Service; Process Injection; Scheduled Task; Valid Accounts
• Defense Evasion (15): Code Signing; Disabling Security Tools; File Deletion; Hidden Files and Directories; Indicator Removal from Tools; Indicator Removal on Host; Masquerading; Mshta; Obfuscated Files or Information; Process Injection; Regsvr32; Rundll32; Software Packing; Timestomp; Valid Accounts
• Credential Access (5): Account Manipulation; Brute Force; Credential Dumping; Credentials in Files; Input Capture
• Discovery (12): Account Discovery; Application Window Discovery; File and Directory Discovery; Network Service Scanning; Permission Groups Discovery; Process Discovery; Query Registry; Remote System Discovery; System Information Discovery; System Network Configuration Discovery; System Network Connections Discovery; System Owner/User Discovery
• Lateral Movement (7): Application Deployment Software; Exploitation of Remote Services; Pass the Hash; Remote Desktop Protocol; Remote File Copy; Remote Services; Windows Admin Shares
• Collection (4): Data Staged; Data from Local System; Data from Network Shared Drive; Email Collection
• Exfiltration (4): Data Compressed; Data Encrypted; Exfiltration Over Alternative Protocol; Exfiltration Over Command and Control Channel
• Command and Control (11): Commonly Used Port; Connection Proxy; Data Encoding; Data Obfuscation; Fallback Channels; Multi-Stage Channels; Standard Application Layer Protocol; Standard Cryptographic Protocol; Standard Non-Application Protocol; Uncommonly Used Port; Web Service
• 91 techniques across 11 tactics (counting a technique once under each tactic it maps to)
• Initial data necessary for prioritization
Winning Quotes
“Knowing Is Half The Battle” - G.I. Joe
“Victorious warriors win first and then go to war, while defeated warriors go to war first and then seek to win” - Sun Tzu
Intel Driving Operations: Everyone Involved…
Teams Involved: Threat Intelligence, Attack & Penetration, Infrastructure Operations, Security Tool administrators, Incident Response, Security Architecture, 2nd Line of Defense consultants, executive leadership
• Threat Intel Phase – Objective: Focus project on most likely adversary techniques
• Testing Phase – Objective: Determine susceptibility to prioritized techniques
• Assessment Phase – Objective: Determine recommended detection & mitigation strategies
• Implementation Phase – Objective: Develop & implement detection and mitigation actions
• Leadership Phase – Objective: Determine risk associated with non-implemented strategies
Where Did We End Up?
• Reduced tested techniques from 240+ to 91
• Clear understanding of our security posture related to MITRE ATT&CK techniques associated with threat actors targeting the finance/insurance industry
• Security focused recommendations vs. IT audit driven
• Enabled MITRE ATT&CK to gain a foothold in the organization
• Framework built to enable follow-on actions
Keep The Momentum Going
Are we done yet?
What’s next?
Constantly Evolving
[Chart: Adversaries to the Financial Sector, plotted by Capability/Maturity against Interest in Financial Sector, revisited as reporting changes]
Intelligence Led Prioritization
• Prioritization of techniques
– Third party research (Red Canary’s analysis of top techniques)
– Attack & Penetration test results
– Security expert input (FS-ISAC, Columbus Collaboratory, etc…)
– Analysis of recent breach reports (Ryuk, Emotet, Qakbot, Fin7, etc…)
– Analysis of Nationwide existing controls and effectiveness
Priority | Tactic | Technique
1 | Execution | PowerShell
2 | Credential Access | Credential Dumping
3 | Execution | Command-Line Interface
4 | Defense Evasion, Persistence, Privilege Escalation, Initial Access | Valid Accounts
5 | Initial Access | Spearphishing Attachment
6 | Initial Access | Spearphishing Link
7 | Exfiltration | Data Compressed
8 | Execution, Persistence, Privilege Escalation | Scheduled Task
9 | Defense Evasion | Masquerading
10 | Defense Evasion | Obfuscated Files or Information
*Not real results
Intelligence Driving Security
• “Anatomy of ATT&CK” documents
• Use security research and recent external events
• Break down the scenario by technique
• Used to confirm security controls are in place
Key Takeaways
• Intel driven operations ensure clear focus and prioritization
• Focus on threat actors in your sector and the techniques they use
• Don’t try to do it all…smaller chunks enable clearer understanding of final objectives
• Constantly evolve and iterate to increase coverage
Questions?
Contact us at: sccthreatintel@nationwide.com
Andy Kettell
David Westin

MITRE ATT&CKcon 2.0: Using Threat Intelligence to Focus ATT&CK Activities; David Westin and Andy Kettell, Nationwide
