FOR508


Indicators (TTPs)

1. Atomic. 2. Computed. 3. Behavioral.
Remediation - Critical Event Steps

1. Disconnect environment from network. 2. Implement strict network segmentation not allowing specific subnets to communicate w/each other. 3. Block IP addresses & domain names for known C2 channels. 4. Remove all infected systems that maintained active or previously active malware on host. 5. If needed, remove all systems id'd as compromised but that do not show signs of infection via malware. 6. Restrict access to known compromised accts. 7. Restrict access to domain admin accts. 8. Validate everything above done properly.

Threat Hunting Team - Operational Tempo

IR initiated by reactive response usually sprint w/long days, 7 days/week, until incident remediated. Hunt teams will constantly find new breaches if good. If every breach treated like emergency, hunt team soon be exhausted. Forcing IR team to take time off is a must.

Hierarchy of Needs - IR

Inventory (Can name assets defending?). Telemetry (Have visibility across assets?). Detection (Can detect unauthorized activity?). Triage (Can accurately classify detection results?). Threats (Who are adversaries? Their capabilities?). Behaviors (Can detect adversary activity w/in environment?). Hunt (Can detect adversary already embedded?). Track (During intrusion, Can observe adversary activity in real-time?). Act (Can deploy proven countermeasures to evict & recover?). Can collaborate w/trusted partners to disrupt adversary campaigns?

Persistence

Maintaining a presence on your network, as well as repeatedly attempting to gain entry to areas where presence is not established.

Asset Access & Data Exfiltration - Step 4 of Attack Lifecycle

Many footprints left as attackers search for/collect data. Once assets id'd, attacker must find way to exfil it. Common for attackers to utilize "staging system". Alternative to data exfil is destruction (like ransomware).

Eradication w/o Proper Scoping/Containment

Many orgs begin eradication too quickly. Stop gap measures (pulling plug, blocking IP addresses, rebuilding systems, disabling compromised accts) unlikely to lead to full eradication. "whack-a-mole" when move too fast to eradication.

Threat Hunting Team - Management Support

Mgmt buy-in a must. In many cases, mgmt thinks wants to know about breaches, but found many orgs far more concerned about what happens when breaches found rather than whether exist in 1st place.

Weaponization - Step 2 of Kill Chain

Might or might not happen after reconnaissance. The one phase victim doesn't see happen but can very much detect. Act of placing malicious payload into delivery vehicle. Technique used to obfuscate shellcode, way executable packed into trojaned document, etc.

ATT&CK (MITRE) - Adversarial Tactics, Techniques, & Common Knowledge

Model & framework describing actions adversary may take while operating w/in enterprise network. Currently most detailed resource available on universe of attacker techniques & guidance on how to hunt for evidence of them. Twelve tactic categories derived from later stages (control, maintain, execute) of Kill Chain.
Kill Chain - Lockheed Martin

Model used in threat intel. Categorizes sequence of actions occurring in most attacks, provides framework for organizing detection indicators. Step 1: Reconnaissance. Step 2: Weaponization. Step 3: Delivery. Step 4: Exploitation. Step 5: Installation. Step 6: Command & Control. Step 7: Actions on Objective.

Recovery - Step 5 of IR Process

Leads enterprise back to day-to-day business. Goal is to improve overall security of network & detect/prevent reinfection. Ex. changes: Improve Enterprise Authentication Model; Enhanced Network Visibility; Establish Comprehensive Patch Mgmt Program; Centralized Logging (SIEM/SIM); Enhance Password Portal; Establish Security Awareness Training Program; Network Redesign.

Containment/Intel Development - Step 3 of IR Process

Goal to rapidly understand adversary & begin crafting containment strategy. Identify initial exploit, how attackers maintaining persistence & laterally moving, how C2 being accomplished. Implement changes to increase host/network visibility. Threat intel key part of phase.

Threat Hunting Team - Right Mindset

Hunt teams require manual & automated methods of collecting/searching data across network. Single member should be able to scale up searching thousands of hosts for single artifact. Challenge is knowing when analysis complete. Always feel like missed something. Must know difference between normal/abnormal.

ATT&CK Categories

1. Initial Access - trying to get in your network. 2. Execution - trying to run malicious code. 3. Persistence - trying to maintain foothold. 4. Privilege Escalation - trying to gain higher-level permissions. 5. Defense Evasion - Trying to avoid detection. 6. Credential Access - trying to steal account names/passwords. 7. Discovery - Trying to figure out your environment. 8. Lateral Movement - trying to move through environment. 9. Collection - trying to gather data of interest. 10. C2 - trying to communicate w/compromised systems to control them. 11. Exfiltration - trying to steal data. 12. Impact - trying to manipulate, interrupt, or destroy systems/data.

Attack Lifecycle

1. Initial Compromise. 2. Low privileges lateral movement cycle. 3. High privileges lateral movement cycle. 4. Asset access & data exfiltration.

Incident Response Process (Six Steps)

1. Preparation. 2. Identification/Scoping. 3. Containment/Intelligence Development. 4. Eradication/Remediation. 5. Recovery. 6. Lessons Learned/Threat Intel Consumption.

Exploitation - Step 4 of Kill Chain

AKA Compromise Phase. Possibly have elements of software vulnerability, human vulnerability (social engineering), or hardware vulnerability (rare). Single Phase Exploit: Compromised host behaves according to attacker's wishes directly as result of successful execution of delivered payload. Multiphase exploit: delivery of shellcode whose sole function is to pull down & execute more capable code. This is pivotal phase of the attack.

Installation - Step 5 of Kill Chain

Achieve repeatable access via persistent techniques or tools.

Remediation - Real-Time

Advances in network & endpoint monitoring provide some organizations ability to mitigate attacks in real-time. It requires complete enterprise visibility & mature processes.

Compromised Host

Any system the adversary has examined, utilized, or infected.

Eradication/Remediation - Step 4 of IR Process

Arguably most important phase. Aim to remove threat, restore ops to normal state. Ex. changes to environment: block malicious IP addresses; blackhole malicious domain names; rebuild compromised systems; coordinate w/cloud & service providers; enterprise-wide password changes; implementation validation.

Low Privileges Lateral Movement Cycle - Step 2 of Attack Lifecycle

Attacker must maintain persistence w/in environment & expand foothold, gaining access to addt'l systems. Placement of persistent backdoors common. Lateral movement paired w/credential dumping.

Threat Intelligence

Attempts to map attacker techniques, tactics, & procedures (TTPs) to the attack lifecycle.

Adversary Behavior - Behavioral Aspect of Indicators

Best way to behaviorally describe adversary is by how they do their job. That "job" is compromising data, so describe attacker in terms of anatomy of the attacks.

Reconnaissance - Step 1 of Kill Chain

Browsing websites, pulling down PDFs, learning internal structure of org. Activity in this phase often indistinguishable from normal activity.

Containment/Intel Development - Step 3 of IR Process

Bulk of response time often spent here. Need for threat intel collection can't be overstated. IOC development important at this phase. W/enough intel, possible to predict attacker intent/future actions. When this point reached, time to consider eradication phase.

ATT&CK Mapping & Threat Intel - "Doubletap" malware

Chart mapping "DoubleTap" malware to ATT&CK framework in book.
Behavioral Indicators

Combine other indicators (incl. other behaviors) to form profile.

Preparation - Step 1 of IR Process

Establishing a response capability & preventing incidents by ensuring systems, networks, & apps sufficiently secure.

Initial Compromise - Step 1 of Attack Lifecycle

Most initial compromises not persistent, level of access achieved at this stage very fragile. If IR team can eliminate adversary before foothold established, survivability of adversary drops to nearly zero.

High Privileges Lateral Movement Cycle - Step 3 of Attack Lifecycle

Once high-level credentials achieved, attack shifts from mass credential collection to asset collection. Since high-level credentials (sadly) often discovered early in attack, this phase can comprise longest length of time. Tracking unusual credential usage, lateral movement, abnormal system access important in this phase.

Command & Control: Maintain Presence - Step 6 of Kill Chain

Period during which adversaries leverage the exploit of a system.

Atomic Indicators

Pieces of data that are indicators of adversary activity on their own. IP addresses, email addresses, static string in Covert C2 channel, or fully qualified domain names (FQDNs). Can be problematic, b/c may or may not exclusively represent adversary activity.

Threat Hunting Process

Popular b/c it works. Hunt teams should be looking for new detection methods that can then be automated for enterprise-wide detection. Hunting is human vs human w/tech as force multiplier.

Containment

Prevent or slow addt'l access during monitoring & collection phase; Full-scale host/network monitoring; data decoy; bit mangling; traffic shaping; adversary network segmentation. AVOID PLAYING YOUR HAND.

Digital Forensics

Process used to analyze systems (host/network data) in order to identify compromised systems & provide guidance on necessary remediation steps.

Reactive Response vs Threat Hunting

Reactive org begins IR when alert/notification comes in (call from gov't agency; vendor/threat info; security appliance alert; "five-alarm fire" response). Hunting organization actively looking for incidents (known malware & variants; patterns of activity (evil vs normal); threat intel; security patrols) & reducing adversary dwell time.
Attack Progression or Kill Chain

Six sequential stages. Not a strictly linear flow (some phases might occur in parallel, & order of earlier phases can be interchanged) but rather a measure of how far adversary has progressed, corresponding damage, & investigation that must be performed.

Threat Hunting Team

Team should be made of host/network/reverse engineers working side by side. Suggested comp (1 team lead, 1-2 endpoint/host/cloud analysts, 1-2 network analysts, 1 reverse engineering malware specialist, 1 DevOps/tool development resource).

Identification/Scoping & Containment/Intel Development Loop

These 2 critical phases form mini-cycle. Intel developed used for further scoping. New systems analyzed, providing addt'l info on actions & new IOCs, which then used to find more systems.

Computed Indicators

Those that are computed. Most common are hashes of malicious files, can also include specific data in decoded custom C2 protocols. More complicated IDS (Intrusion Detection System) signatures might fall into this category.

Remediation Is Hard

Threats good at avoiding detection & ensuring survivability. Threats react to countermeasures & remediation tactics. Threats will return.

Dwell Time

Time an attacker has remained undetected in the network.

Breakout Time

Time it takes an attacker to begin moving laterally once initial foothold in network established.

Intel Development

Tools, techniques, & procedures observation; Understanding adversary intent; Malware gathering; IOC development; Campaign identification

Identification/Scoping - Step 2 of IR Process

Triggered by suspicious event. Event validation should occur, decision made as to severity (not all valid events lead to full IR response). Once IR begun, phase used to better understand findings & begin scoping network for addt'l compromise.

Follow-Up - Step 6 of IR Process

Verify incident mitigated, adversary removed, addt'l countermeasures implemented correctly. Addt'l monitoring, network sweeps looking for new breaches, auditing network (pen tests) to ensure new security functioning normally.

Actions on Objectives - Step 7 of Kill Chain

When data, which has been target all along, is taken. Also lump lateral movement w/compromised credentials, file system enumeration, & addt'l tool dropping.

Delivery - Step 3 of Kill Chain

Whether HTTP request containing SQL injection code or email w/hyperlink to compromised website, this is where payload delivered to its target.