Erik Schwartz

Summary of “(2018) ATT&CKing the Status Quo: Improving Threat Intel and Cyber Defense with MITRE ATT&CK”

Katie Nickels & John Wunder

video, slides

ATT&CK helps answer these common questions from SOC

How effective are my defenses
Do I have a chance of detecting APT[123] for example
is my data useful?
Do I have overlapping tool coverage
Will this shiny XYZ product improve my defenses?

The difficult task of detecting Tactics, Techniques, and Procedures (TTPs)

Pinnacle of David Biancos pyramid of pain
It’s easy for attackers to change things like Hash values, IP addresses, Domain names, etc.
Much harder for them to change their attach behavior
ATT&CK is here to help with TTPs, it’s a knowledge base of adversary behavior

ATT&CK

based on real-world observations in MITRE red/blue team experiments
A common language. When you say the attacker moved laterally, it defines what that means
Community driven

Focus on adversary lifecycles

assume they’ll break your perimeter
lifecycle
- pre-att&ck
  - Gaining network access
  - laying groundwork for spearphishing
- enterprise
  - Move laterally
  - Exfiltration

Technique example: New Service

Install program that starts on system boot
ATT&CK describes common defenses, mitigation, logs where this appears

Example software: Chopstick

How to use ATT&CK

Detect, Threat intel, Assess and Engineer, Adversary emulation
More important: how to coordinate between these 4
ATT&CK is available in STIX (Structured Threat Information eXpression) json format for communicating cyber threat intel (CTI)
ATT&CK navigator to help you focus on what’s relevant to your org

Status Quote in Threat Intel

So many reports
Not clear how to apply intel to defense
Over-reliance on indicators like IPs and domains. Because they’re quantifiable. But it’s just wack-a-mole.

How to use ATT&CK

Use ATT&CK to structure tech intel
Example from Palo Alto 42 that consumes ATT&CK data to construct TTP playbooks describing attack campaigns. Shows a given groups evolution over time.
Tailor your existing threat intel repo. Many are starting to support ATT&CK like MISP, ThreatQ, etc
Have the threat intel originator do it
Start at the tactic level
Use existing website examples
Work as a team

Detection and Analytics

Now that we get reports from ATT&CK we can prioritize defense
Once we have indicators of known malicious IPs, hashes for malware, etc
- Follow the TTP to what would be next from this indicator
How to avoid false positives? Move towards analytics
- Indicators like file hashes, IP addresses, are effectively infinite
- Analytics follow credential dumping, or process persistence which have many fewer signatures to track
Analytics
- Look at observable events and artifacts. E.g. what’s it look like RDP is used for lateral movement? Analytic: it shows up in Windows Event Log.
- Then the work is to build evidence to separate good from bad and alert on bad. Windows example: process tries to elevate priv by riding on admin process. Attacker wants to bypass system dialog popup that asks for Admin priv.
- Important to understand the attack goal. Try the attack yourself. How to pinpoint bad logs without overfitting the attack. It’s iterative. New products will create new false positives and new attack techniques will need new analyics.
- It’s hard. Each OS requires totally different expertise to monitor effectively.
- Orgs that help define detection - NH-ISAC
  - SIGMAQ
  - Cyber Analytic Repository
  - MISP
- How to deal with false positives - Look at chains of events: graphs. Neo4j
  - Machine learning for classifications
  - Tighten the feedback loop: learn from your analysts
  - Focus on issues that lead to most important biz impacts
  - Adversaries are good a hiding in noise of normal logs - Agile logging: can we collect fewer logs until we notice something bad then ramp up?
- Roadmap for getting started on your own - Detection Lab
  - Be bad: Atomic Red Team to mimic red team
  - Write some detections. Use ThreatHunter-Playbook for inspiration
  - Share what you’ve learned with community
  - Have your red team focus on techniques from you analytics: use what’s real for your org
  - Use consistent naming conventions so you can communicate with your red team

Other tools

Caldera: an automated adversary emulation system

2018 Keynote talk: advancing infosec

By John Lambert, Microsoft

Traditional versus advanced defense concepts

Conventional Wisdom in Defense

Ideas

Reverse mentorship, where less experienced person explains concept to more experienced
How to increse rate of learning
- Promote community
- Organized knowledge
- Executeable Know-how
- Repeatable Analysis
“Githubification” of Infosec: important for community to share vendor-neutral learnings that any tool can pull in. So that we can all benefit for any other team’s incident response, just just our own. Multiply our power.

Selected tools mentioned

Mimikatz tool to explore windows security
Virustotal to analyze files and URLs for maliciousness
Yara database of metadata to identify malware samples
snort analyze packets; intrusion detection
Atomic Red Team test cases that simulate attacks to verify Blue Team alerts
Jupyter notebooks hyper popular datascience toolset in python. Great way to share infosec analysis. E.g. visualize netblocks that a machine connects to.
Papermill parameterize and run jupyter notebooks in automated fashion
Binder platform as a service that quickly hosts a jupyter GitHub repo so you can interact with it in your browser.

Trajedy of systemd talk

Summary

Linux started simple, initd started a few daemons and mounted filesystems
- Unfortunately it conflates system config (filesystems) with service bootstrap
- This gets in way of automated service management. - along comes upstart and systemd to handle things that need more active mgmt
The web made things complicated
- We can’t fork processes to handle each connection anymore
- We manage complicated databases that have all sorts of persistant processes
Along came services which are superset of daemons
- init.d is not great at keeping services running once they start
Comparative systems
- Windows NT: actually has great service model despite security weaknesses
- MacOS: has great service delegation that receives well defined mgmt calls
  - launchd took over for init.d, cron, etc
  - can start service daeomons as needed by listening on TCP ports, unix sockets. Means they don’t have to start at boot. They can be run and managed ad hoc.
  - this is super important for complicated systems like desktop envs
systemd is based on launchd
- Inventor (Lennart Poettering) didn’t think upstart had enough mechanisms for dependency ordering
- wanted boot to start less and more in parallel
- wanted an init system to listen for hardware/software changes like launchd does
- you start thinking more in terms of handling events rather than system boot
- Between 2011-2015 systemd was adopted across majority of linux distros
Systems are much more dynamic than they once were - We need unified layer between kernal and userspace: kernal | system | userspace
- this avoids cobbling together 15 different systems to manage system functions
Issues with systemd - “violates Unix philosphy”
- “bloated and monolithic”
- “it’s buggy!”
- “I don’t like the inventor”
- “It’s not portable” it’s agressively linux-specific like cgroups - UNIX is dead. You have Linux and rounding errors like FreeBSD
  - Went from pathological diversity to pathological monolithism
  - cgroups are even better than jails - E.g. you can run user-level daemons
systemd is change, super disruptive
- We love change when we’re doing it
- We don’t like outside systemd person forcing us to abandon our RC shell scripts we’ve run for 20 years
- Contempt is not cool. We shouldn’t send threats to systemd people. We should see it’s utility. Adopt it or grow our own (speaker is from BSD)
The promise of systemd - Message Transport: Dbus e.g.
- You need an RPC framework so you don’t worry if your API call talks to kernal or user-space: e.g. “network interface, take this IP address”
- Service lifecycle
- Automation via API
- Containers and their encapsulation
- Consistent device naming
- Good logging: append only
Catharsis
- Cleansing. Let’s get with it
- Challenge: look at systemd and find one thing you like
Questions
- Q: Are containers DLL hell? A: DLL hell is 5 diff libraries and your app chooses wrong one

I needed to experiment with 301 redirect behavior for a site under SSL.

The constraints

make sure redirects from https://mydomain.com aren’t spoiled by certificate errors because the certificate covers www.mydomain.com but not mydomain.com
Here’s the post that describes this problem and how to avoid it. But it’s 5 years old so I wanted to test it all out.
Use the Pantheon PaaS
Use letsencrypt to generate throw-away certificates for free

Generate a certificate

Given that I’m using a PaaS, I can’t install the lets encrypt certbot to automatically manage certificates the way others would. For my use case I just want to generate temporary certificates to test out the 301 behavior (in the long-term I’ll get a certificate from a provider with longer validity). So for now I’m ok using lets encrypt to create the cert manually.

To manually generate certificates with lets encrypt, I need a public web server that my domain resolves to so I point a throwaway domain “notabigdeal.club” at a DigitalOcean droplet ($.88 on namecheap for the domain!).

The DNS is set up like so on Namecheap:


URL redirect record	@	http://www.notabigdeal.club	Unmasked

ssh to the droplet and then:

openssl req -new -newkey rsa:2048 -nodes -out notabigdeal_club.csr -keyout notabigdeal_club.key -subj '/C=US/ST=Kentucky/L=Lexington/O=test/CN=notabigdeal.club'

certbot-auto certonly --authenticator manual --server https://acme-v01.api.letsencrypt.org/directory --text --email erik@erikschwartz.net --csr www_notabigdeal_club.csr

# Things that pantheon wants:

# The cert
cat 0000_cert.pem

# Intermediate cert
cat 0000_chain.pem

# The private key
cat www_notabigdeal_club.key

The 301 behavior

As expected, visiting ‘https://notabigdeal.club’ throws an error since the certificate is only for ‘www’

Lets try again with a Sans certificate that covers both domains

Namecheap DNS settings

record type
CNAME Record	www	my-site.pantheonsite.io.	30 min
A Record	@	104.130.89.68	30 min

Is generating a SAN CSR a pain?

According to the openssl CSR tool “Adding Subject Alternative Names to a CSR using OpenSSL is a complicated task. Our advice is to skip the hassle, use your most important server name as the Common Name, and specify the other names during the order process. Our Multi-Domain (SAN) Certificate ordering process will let you specify all the names you need without making you include them in the CSR.”

It’s not so bad to generate a SAN CSR with a good example in hand.

On the digital ocean droplet that hosts notabigdeal.club, create openssl.conf

[ req ]
default_bits        = 2048
default_keyfile     = privkey.pem
distinguished_name  = req_distinguished_name
req_extensions     = req_ext # The extentions to add to the self signed cert

[ req_distinguished_name ]
countryName           = Country Name (2 letter code)
countryName_default   = US
stateOrProvinceName   = State or Province Name (full name)
stateOrProvinceName_default = Iowa
localityName          = Locality Name (eg, city)
localityName_default  = Iowa City
organizationName          = Organization Name (eg, company)
organizationName_default  = The University of Iowa
commonName            = Common Name (eg, YOUR name)
commonName_max        = 64

[ req_ext ]
subjectAltName          = @alt_names

[alt_names]
DNS.1 = notabigdeal.club
DNS.2 = www.notabigdeal.club

Generate the CSR and the certificate:

# make sure to answer "Common Name (eg, YOUR name) []:" as notabigdeal.club
openssl req -new -newkey rsa:2048 -nodes -out notabigdeal_club.csr -keyout notabigdeal_club.key -config openssl.conf

Follow the instructions to add the files to .well-known/acme-challenge for each domain.

If it works, certbot will congratulate you and you can copy over the cert details to pantheon:

# The cert
cat 0000_cert.pem

# Intermediate cert
cat 0000_chain.pem

# The private key
cat notabigdeal_club.key

Pantheon-specific note

I had to enable both domains in Pantheon: www.notabigdeal.club and notabigdeal.club. Otherwise it gave a Pantheon boilerplate “Site not found” page.

Erik Schwartz

Explorer, weirdo, developer of wonderful things.

Stay curious.