12/18/2018

Building MITRE ATT&CK Technique Detection into Your Security Monitoring Environment

© 2018 Monterey Technology Group Inc.

Preview of key points

• MITRE ATT&CK
  • Tactics
  • Techniques
  • Examples
• Using ATT&CK
  • Assess
  • Enhance
  • Test

ATT&CK

• A normalized, structured approach for classifying and describing attack methods
• From the high-level down to the technical and specific
• Many uses

ATT&CK (diagram): Tactic "Persistence" → Techniques "Registry Run Keys", "New Service", "AppInit DLLs" → Procedures / Examples "APT19", "BADNEWS", "Briba", alongside Mitigation and Detection.

Tactics

• Initial Access: gain an initial foothold within a network
• Execution: execution of adversary-controlled code
• Persistence: maintain access to the target through interruptions
• Privilege Escalation: obtain a higher level of permissions
• Defense Evasion: evade detection or avoid other defenses
• Credential Access: gain control of accounts
• Discovery: gain knowledge about the system or network
• Lateral Movement: access additional systems on the target network
• Collection: gather information prior to exfiltration
• Exfiltration: remove information from the target
• Command and Control: communicate with systems under control

Drilldown

• Tactic: Persistence
  https://attack.mitre.org/tactics/TA0003/
• Technique: Registry Run Keys / Startup Folder
  https://attack.mitre.org/techniques/T1060/

ATT&CK Navigator

• https://mitre.github.io/attack-navigator/enterprise/

How can we use ATT&CK?

• Adversary Emulation
• Red Teaming
• Behavior Analytics Documentation
• Defensive Gap Assessment
• SOC Maturity Assessment
• Cyber Threat Intelligence Enrichment

Let's zero in on how to use ATT&CK for designing, enhancing and assessing your security monitoring effort, and for keeping it up to date.

Security  Gap analysis


Monitoring  Enhancements
 Testing

 Classify what you are currently doing


 Map dashboards, alert rules, SAO, etc. to tactics and techniques
Security  Include anything that alerts you
Monitoring:  Antivirus
 EDR
Gap analysis  SIEM
 UEBA
 Which tactics are your efforts light on?
 Which techniques are you missing?
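
The gap analysis above as code, added here as an example and not part of the slides: a constructed inventory of "anything that alerts you" is tagged with the technique IDs it detects, the light tactics and missing techniques are reported, and an ATT&CK Navigator layer is produced for visual review. T1060 and T1035 are the IDs the deck uses; the other IDs and names are from the 2018 (pre-sub-technique) matrix, and the Navigator layer field names are assumed from memory rather than taken from the page.

```python
from collections import Counter

# Constructed subset of the 2018 (pre-sub-technique) matrix: ID -> (name, tactics).
TECHNIQUES = {
    "T1060": ("Registry Run Keys / Startup Folder", ["Persistence"]),
    "T1050": ("New Service", ["Persistence", "Privilege Escalation"]),
    "T1103": ("AppInit DLLs", ["Persistence", "Privilege Escalation"]),
    "T1035": ("Service Execution", ["Execution"]),
    "T1003": ("Credential Dumping", ["Credential Access"]),
    "T1083": ("File and Directory Discovery", ["Discovery"]),
}

# Constructed inventory of "anything that alerts you", tagged with the techniques
# each item actually detects; signature AV alerts but maps to no technique.
DETECTION_CONTENT = [
    {"source": "SIEM", "name": "Detect Registry Add", "techniques": ["T1060"]},
    {"source": "SIEM", "name": "Detect Software Installed", "techniques": ["T1035", "T1050"]},
    {"source": "EDR", "name": "LSASS memory read", "techniques": ["T1003"]},
    {"source": "Antivirus", "name": "Signature match", "techniques": []},
]

def coverage_by_tactic(content=DETECTION_CONTENT, matrix=TECHNIQUES):
    """Tactic -> set of technique IDs that at least one detection covers."""
    covered = {t: set() for _, tactics in matrix.values() for t in tactics}
    for item in content:
        for tid in item["techniques"]:
            for tactic in matrix[tid][1]:
                covered[tactic].add(tid)
    return covered

def uncovered_techniques(content=DETECTION_CONTENT, matrix=TECHNIQUES):
    """Technique IDs in the matrix that no detection content maps to."""
    hit = {tid for item in content for tid in item["techniques"]}
    return sorted(set(matrix) - hit)

def light_tactics(content=DETECTION_CONTENT, matrix=TECHNIQUES, min_ratio=0.5):
    """Tactics where less than min_ratio of their techniques have any detection."""
    total = Counter(t for _, tactics in matrix.values() for t in tactics)
    covered = coverage_by_tactic(content, matrix)
    return sorted(t for t, n in total.items() if len(covered[t]) / n < min_ratio)

def navigator_layer(name="Detection coverage", content=DETECTION_CONTENT, matrix=TECHNIQUES):
    """ATT&CK Navigator layer (score = detections per technique). The field names
    name/domain/techniques[].techniqueID,score,comment are assumed, not taken from the page."""
    hits = {tid: [] for tid in matrix}
    for item in content:
        for tid in item["techniques"]:
            hits[tid].append(f'{item["source"]}: {item["name"]}')
    return {"name": name, "domain": "mitre-enterprise",
            "techniques": [{"techniqueID": tid, "score": len(h), "comment": "; ".join(h)}
                           for tid, h in hits.items()]}
```

Write `json.dumps(navigator_layer())` to a file and open it in the Navigator to see the coverage heat map; `light_tactics()` and `uncovered_techniques()` answer the two questions on the slide directly.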


Security  Prioritize techniques identified in gap analysis

Monitoring:  Examine the detection content


 Are we currently capturing that information?
Enhancements  Where can we implement the detection logic?
 Implement
 Test

Security
Monitoring:  How do you know if your security monitoring environment really
works – if it will really alert you if you are attacked?
Testing
 https://www.redcanary.com/blog/atomic-red-team-testing/

7
12/18/2018

Bottom line

• MITRE ATT&CK is cool
• A systematic way to classify, document and respond to attacker techniques
• Use it to
  • Assess your security monitoring
  • Keep your security monitoring up to date
  • Test your security monitoring

Let's see ATT&CK being implemented in the real world

Brian Coulson, from LogRhythm Labs, is leading an outstanding project at LogRhythm Labs in which he will show you how they're aligning the ATT&CK matrix with log sources, including Windows event logs (XML - Security, XML - Sysmon 8.0 and XML - System). While the matrix is widespread in what it monitors, there are effective ways to filter around common and relevant detection techniques and logs.

He will be demonstrating a gap analysis around MITRE ATT&CK techniques and a SIEM (LogRhythm). While existing compliance and threat module rules are likely to detect the MITRE-defined techniques, Brian is going to take it a step further and walk through a MITRE ATT&CK process from inception to finalization, focusing on rule development and alignment in LogRhythm.

Building MITRE ATT&CK Technique Detection into Your Security Monitoring Environment

Brian Coulson
Threat Research, Senior Engineer
Dec 2018

Agenda

• Gap Analysis
  • via SCRUM and Documentation
• Preparing a Test Lab
• Microsoft Sysmon and Advanced Auditing
• LogRhythm Sysmon Agent
• Importance of Tuning
• Testing MITRE Techniques
• LogRhythm Detection of Techniques

COMPANY CONFIDENTIAL
SCRUM and Documentation

SCRUM: Gap Analysis

Confluence

Preparing a Test Lab

SwiftOnSecurity: Sysmon Config

SwiftOnSecurity + LogRhythm: Sysmon Config

Microsoft: Advanced security audit policy settings

LogRhythm Sysmon Agent: Log Source Types

LogRhythm Registry Integrity Monitoring Policies

Importance of Tuning Log Sources

Microsoft Sysmon: Event ID 10

Microsoft Sysmon: Event ID 10 Post Tuning

Testing MITRE Techniques

Red Canary: Atomic Red Team

Atomic Red Team: T1035 - Service Execution: Atomic Test #1

Atomic Red Team: T1035: Execution of Test

LogRhythm Detection of Techniques

MITRE: Service Execution: Detection Guidance

• Detection: Changes to service Registry entries and command-line invocation of tools capable of modifying services that do not correlate with known software, patch cycles, etc., may be suspicious. If a service is used only to execute a binary or script and not to persist, then it will likely be changed back to its original form shortly after the service is restarted so the service is not left broken, as is the case with the common administrator tool PsExec.
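
Both halves of that guidance as detection logic, added here as an example in Python and not taken from the deck or from LogRhythm's rules: service installs whose binary does not correlate with known software, and a service ImagePath set to an unknown binary and then restored shortly afterwards. It runs over constructed, SIEM-normalized events of the kinds the later slides show (Security 4697, Sysmon 13); the allowlist, hosts, service names and paths are constructed.

```python
import re
from collections import defaultdict

# Constructed allowlist of service binaries that correlate with known software
# (in practice built from software inventory and patch cycles). Lower-cased paths.
KNOWN_SERVICE_BINARIES = {
    r"c:\program files\vendorbackup\backupagent.exe",
    r"c:\program files\acme\updater.exe",
}
SERVICES_IMAGEPATH = re.compile(
    r"^HKLM\\System\\CurrentControlSet\\Services\\([^\\]+)\\ImagePath$", re.IGNORECASE)
REVERT_WINDOW_S = 120  # "changed back ... shortly after": tune to your environment

# Constructed sample events, normalized the way a SIEM presents them:
# Security 4697 = a service was installed; Sysmon 13 = registry value set.
EVENTS = [
    {"t": 0, "id": 4697, "host": "SRV01", "service": "BackupAgent",
     "image": r"C:\Program Files\VendorBackup\BackupAgent.exe"},
    {"t": 60, "id": 4697, "host": "WS07", "service": "PSEXESVC",
     "image": r"C:\Windows\PSEXESVC.exe"},
    {"t": 300, "id": 13, "host": "WS07", "details": r"C:\Users\Public\stage.exe",
     "target": r"HKLM\System\CurrentControlSet\Services\AcmeUpdater\ImagePath"},
    {"t": 345, "id": 13, "host": "WS07", "details": r"C:\Program Files\Acme\Updater.exe",
     "target": r"HKLM\System\CurrentControlSet\Services\AcmeUpdater\ImagePath"},
]

def unknown_service_installs(events, known=KNOWN_SERVICE_BINARIES):
    """4697 events whose service binary does not correlate with known software."""
    return [e for e in events if e["id"] == 4697 and e["image"].lower() not in known]

def transient_imagepath_changes(events, known=KNOWN_SERVICE_BINARIES, window=REVERT_WINDOW_S):
    """Sysmon 13 pairs on one Services\\<svc>\\ImagePath: set to an unknown binary, then
    set back to a known one within `window` seconds (used to run, not to persist)."""
    per_key = defaultdict(list)
    for e in events:
        m = SERVICES_IMAGEPATH.match(e.get("target", "")) if e["id"] == 13 else None
        if m:
            per_key[(e["host"], m.group(1))].append(e)
    findings = []
    for (host, svc), changes in per_key.items():
        changes.sort(key=lambda e: e["t"])
        for first, second in zip(changes, changes[1:]):
            if (first["details"].lower() not in known
                    and second["details"].lower() in known
                    and second["t"] - first["t"] <= window):
                findings.append({"host": host, "service": svc, "ran": first["details"],
                                 "restored": second["details"],
                                 "seconds": second["t"] - first["t"]})
    return findings
```

The PSEXESVC install is reported for triage because it is not on the allowlist, which is the "correlate with known software" judgement the guidance leaves to you; adding it to the allowlist after review is the tuning step the later slides discuss.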


LogRhythm: Registry Logs

LogRhythm: Registry Logs: Security: Event ID 4663

LogRhythm: Registry Logs: MS Sysmon: Event ID 12

LogRhythm: Registry Logs: MS Sysmon: Event ID 13

LogRhythm: Registry Logs: LogRhythm Sysmon: Add

LogRhythm: MS System and Security Logs

LogRhythm: MS Security Logs: Event ID 4697

LogRhythm: Identifying Logs by Command

LogRhythm: Filtered by Command: Dashboard

Security Event ID: 4688

Microsoft Sysmon: Event ID 1

LogRhythm Echo: Building the use case

LogRhythm Echo: Logs

LogRhythm AIE Rule: Detect Software Installed

LogRhythm AIE Rule: Detect Registry Add

LogRhythm AIE Rule: Information about the rule

LogRhythm Echo: Run Use Case

LogRhythm Alarm Card

End and Q&A

• Thank you!