att ck the attacker
play

ATT&CK the Attacker Assessing & Improving Detection - PowerPoint PPT Presentation

Sep 19, 2022 •357 likes •551 views

ATT&CK the Attacker Assessing & Improving Detection Capabilities # whoami Christian Kollee Studied Computer Science at University of Erlangen- Nueremberg (Diplom-Informatik) Several years at various universities and at

  1. ATT&CK™ the Attacker Assessing & Improving Detection Capabilities

  2. # whoami Christian Kollee ✗ Studied Computer Science at University of Erlangen- Nueremberg (Diplom-Informatik) ✗ Several years at various universities and at Fraunhofer ✗ IT security since 2012 ✗ Currently working as IT Security Consultant (Security Monitoring, Incident Response, Digital Forensics)

  3. Why should we care about detection?

  4. Defender’s Dilemma The intruder only needs to exploit one of the victims in order to compromise the enterprise. Intruder’s Dilemma The defender only needs to detect one of the indicators of the intruder’s presence to initiate incident response within the enterprise. Richard Bejtlich - https://taosecurity.blogspot.de/2009/05/defenders-dilemma-and-intruders-dilemma.html

  5. How can we detect these indicators?

  6. All models are wrong; some models are useful - George Box

  7. Recon Intrusion Kill Chain Weaponization Delivery Exploitation Installation / Maintain ATT&CK™ Enterprise C2 / Control Actives on Objective / Execute Intelligence-Driven Computer Network Defense Informed by Analysis of Adversary Campaigns and Intrusion Kill Chain; Hutchins, E. & Cloppert, M. & Amin, R.; 2011

  8. Ten ATT&CK™ – Tactics 188 different techniques, e.g., 60 60 60 60 60 Scheduled Task 50 50 50 50 50 40 40 40 40 40 30 30 30 30 30 Timestomp 20 20 20 20 20 10 10 10 10 10 0 0 0 0 0 Remote Desktop Protocol Scheduled Task

  9. Technique name Technique description Info box Examples Mitigation Detection References

  10. How to use ATT&CK TM from a defender perspective?

  11. 1 Asses your current detection capabilities Identify and extend your detection 2 capabilities based on your data sources Prioritize additional data sources based 3 on the threats you are facing

  12. 1 Asses your current detection capabilities Goto 3 and prioritize your data source based on your threats ➢ Use your playbooks ➢ Use adversarial emulation tools

  13. Identify and extend your detection 2 capabilities based on your data sources Access Token Anti-Virus API Monitoring Authentication Binary File BIOS Browser Logs Metadata Extensions Data Loss Digital DLL Monitoring Extensible Environment File Monitoring Host Network Prevention Certifcation Firmware Variable Interface Logs Interface (EFI) Kernel Drivers Loaded DLLs Malware Master Boot Named Pipes Netfow Network Device Reverse Record (MBR) Logs Engineering Network Packet Capture Powershell Process Process Process Use of Sensor Health Protocol Logs Command- Monitoring Network and Status Analysis Lines Parameters Services SSL/TLS System Calls Third-Party User Interface Volume Boot Windows Error Inspection Application Record (VBR) Reporting Logs Windows Windows WMI Objects Event Logs Registry

  14. Prioritize additional data sources based 3 on the threats you are facing ➢ Network Protocol Analysis (DNS) ➢ What incidents do you have? ➢ Netfows ➢ How could you detect them (earlier)? ➢ Process Monitoring ➢ What sources are required? ➢ Windows Event Logs

  15. Conclusion

  16. Intruder’s Dilemma The defender only needs to detect one of the indicators of the intruder’s presence to initiate incident response within the enterprise. 1 Asses your current detection capabilities using ATT&CK TM One approach Identify and extend your detection capabilities 2 based on your data sources Prioritize additional data sources based on the 3 threats you are facing

  18. Thank you! Questions?

  19. MITRE ATT&CK TM – https://attack.mitre.org MITRE ATT&CK TM MTIRE ATT&CK TM Navigator – https://mitre.github.io/attack-navigator/enterprise/ MITRE – CALDERA – https://github.com/mitre/caldera Endgame – Red Team Automation (RTA) – https://github.com/endgameinc/RTA Adversarial Uber – Metta – https://github.com/uber-common/metta Emulation Nextron Systems – APTSimulator – https://github.com/NextronSystems/APTSimulator Red Canary – Atomic Red Team – https://github.com/redcanaryco/atomic-red-team A little white mug of espresso on a wood table – Photo by Annie Spratt on Unsplash Fire, fame, danger, and van – Photo by Dawn Armfeld on Unsplash Pictures Desert – Photo by Mark Eder on Unsplash Roots – Photo by David Peters on Unsplash Fortress – Photo by dMz on Pixabay

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

The Network Network Security Secure against what/whom Security goals Attacker model Same

The Network Network Security Secure against what/whom Security goals Attacker model Same

The Network Network Security Secure against what/whom Security goals Attacker model Same hub `trusted LAN Internet Eavesdrop / block messages / insert messages / ... Typical attacker model security protocol analysis: Attacker

780 views • 63 slides
SQL Injection: Summary Target: web server that uses a back-end database Attacker goal:

SQL Injection: Summary Target: web server that uses a back-end database Attacker goal:

SQL Injection: Summary Target: web server that uses a back-end database Attacker goal: inject or modify database commands to either read or alter web-site information Attacker tools: ability to send requests to web server (e.g.,

89 views • 4 slides
Reactions and Responses 1 IP Spoofing Stimuli Why would an attacker spoof his source

Reactions and Responses 1 IP Spoofing Stimuli Why would an attacker spoof his source

Reactions and Responses 1 IP Spoofing Stimuli Why would an attacker spoof his source address? Hide the attackers activity nmap decoy option Hide the attackers identity To be able to view the responses, the attacker

548 views • 17 slides
data level parallelism / exceptions 1 1 last time (1) PRIME+PROBE attacker fjll cache set(s)

data level parallelism / exceptions 1 1 last time (1) PRIME+PROBE attacker fjll cache set(s)

data level parallelism / exceptions 1 1 last time (1) PRIME+PROBE attacker fjll cache set(s) with attacker data let victim run, use cache set(s) cache coherency solution: invalidate or update all other caches on write glossed over details:

1.7k views • 123 slides
CSE484/CSE584 BASIC WEB SECURITY MODEL Dr. Benjamin Livshits Web Security Web Attacker Sets up

CSE484/CSE584 BASIC WEB SECURITY MODEL Dr. Benjamin Livshits Web Security Web Attacker Sets up

CSE484/CSE584 BASIC WEB SECURITY MODEL Dr. Benjamin Livshits Web Security Web Attacker Sets up malicious site visited by victim; no control of network Alice Network Security Network Attacker Intercepts and controls network communication

907 views • 44 slides
Advanced Network Inference Techniques Based on Network Protocol Stack Information Leaks Roya

Advanced Network Inference Techniques Based on Network Protocol Stack Information Leaks Roya

Advanced Network Inference Techniques Based on Network Protocol Stack Information Leaks Roya Ensafi October 2013 Still A Peach Attacker Still A Peach Attacker Zombie Victim Attacker What if we could? Scan a firewall port or a hidden

651 views • 40 slides
WHY ATTACKER TOOLSETS DO WHAT THEY DO (or.. Reasons they just keep working) Matt McCormack

WHY ATTACKER TOOLSETS DO WHAT THEY DO (or.. Reasons they just keep working) Matt McCormack

WHY ATTACKER TOOLSETS DO WHAT THEY DO (or.. Reasons they just keep working) Matt McCormack OVER THE LAST YEAR 50+ engagements Good chunk of different verticals, industries, etc. Varying qualities and effectiveness of defenses Collective

725 views • 56 slides
A Practical Methodology for Measuring the Side- Channel Signal Available to the Attacker for

A Practical Methodology for Measuring the Side- Channel Signal Available to the Attacker for

A Practical Methodology for Measuring the Side- Channel Signal Available to the Attacker for Instruction- Level Events Robert Callan, Alenka Zajic, and Milos Prvulovic @ MICRO14 (Paper #48) EECS 573 Sung Kim and Siying Feng 6/7/2017 1 1

350 views • 19 slides
Track 17: The New Attacker Model Dr. Ghassan Karame NEC Laboratories Europe Heidelberg, Germany

Track 17: The New Attacker Model Dr. Ghassan Karame NEC Laboratories Europe Heidelberg, Germany

Track 17: The New Attacker Model Dr. Ghassan Karame NEC Laboratories Europe Heidelberg, Germany ghassan@karame.org www.ghassankarame.com The Surge of a New Attacker Model Image Source: pcworld.com Image Source: TheLaw.tv Dr. Ghassan Karame

256 views • 6 slides
Inside a BBB Malware Scheme: Mapping and Dissecting Attacker Infrastructure Prepared for FIRST

Inside a BBB Malware Scheme: Mapping and Dissecting Attacker Infrastructure Prepared for FIRST

Inside a BBB Malware Scheme: Mapping and Dissecting Attacker Infrastructure Prepared for FIRST 2008 Michael La Pilla VeriSign iDefense Malicious Code Operations Team June 26, 2008 Why Should Incident Responders Care? + US Commercial Accounts

458 views • 19 slides
Memory Categorization Separating Attacker-Controlled Data Matthias Neugschwandtner Alessandro

Memory Categorization Separating Attacker-Controlled Data Matthias Neugschwandtner Alessandro

Memory Categorization Separating Attacker-Controlled Data Matthias Neugschwandtner Alessandro Sorniotti Anil Kurmus IBM Research - Zurich 16th Conference on Detection of Intrusions and Malware & Vulnerability Assessment; Gothenburg, June

537 views • 24 slides
VIDEN VIDEN At Attacker Identification on In-Vehicle Networks Kyong-Tak Cho and Kang G. Shin

VIDEN VIDEN At Attacker Identification on In-Vehicle Networks Kyong-Tak Cho and Kang G. Shin

VIDEN VIDEN At Attacker Identification on In-Vehicle Networks Kyong-Tak Cho and Kang G. Shin Presented by Alokparna Bandyopadhyay Fall 2018, Wayne State University Overview Introduction CAN Message Transmission System and Threat

849 views • 31 slides
Stepping back What do these attacks have in common? ! 1. The attacker is able to control some data

Stepping back What do these attacks have in common? ! 1. The attacker is able to control some data

Stepping back What do these attacks have in common? ! 1. The attacker is able to control some data that is used by the program 2. The use of that data permits unintentional access to some memory area in the program past a buffer to

453 views • 33 slides
Attacker Independent Stability Guarantees for Peer-2-Peer-Live-Streaming Topologies Andreas

Attacker Independent Stability Guarantees for Peer-2-Peer-Live-Streaming Topologies Andreas

Attacker Independent Stability Guarantees for Peer-2-Peer-Live-Streaming Topologies Andreas Brieg, Michael Brinkmeier, Sascha Grau, Mathias Fischer, Guenter Schaefer This work was in part supported by the Deutsche Forschungsgemeinschaft under

858 views • 41 slides
CSCI E-170 Lecture 09: Attacker Motivations, Computer Crime and Secure Coding Simson L. Garfinkel

CSCI E-170 Lecture 09: Attacker Motivations, Computer Crime and Secure Coding Simson L. Garfinkel

CSCI E-170 Lecture 09: Attacker Motivations, Computer Crime and Secure Coding Simson L. Garfinkel Center for Research on Computation and Society Harvard University November 21, 2005 1 Todays Agenda 1. Administrivia 2. Missing Readings

1.29k views • 108 slides
CSE 127: Introduction to Security Lecture 15: TLS Nadia Heninger and Deian Stefan UCSD Fall

CSE 127: Introduction to Security Lecture 15: TLS Nadia Heninger and Deian Stefan UCSD Fall

CSE 127: Introduction to Security Lecture 15: TLS Nadia Heninger and Deian Stefan UCSD Fall 2019 Some material from Dan Boneh, Stefan Savage Reminder: Network Attacker Threat Model Network Attacker: Controls infrastructure: Routers, DNS

1.36k views • 67 slides
SEE-GRID-SCI SEE-GRID Infrastructure for Regional eScience www.see-grid-sci.eu International

SEE-GRID-SCI SEE-GRID Infrastructure for Regional eScience www.see-grid-sci.eu International

SEE-GRID-SCI SEE-GRID Infrastructure for Regional eScience www.see-grid-sci.eu International Symposium on Grid Computing (ISGC) Academia Sinica, Taipei, 5-12 March 2010 Dr. Ognjen Prnjat European and Regional Grid Management GRNET The

329 views • 31 slides
iwi Final Focus : Worst-case ' or randomized expected Howtodesignlanalyze ? -

iwi Final Focus : Worst-case ' or randomized expected Howtodesignlanalyze ? -

' -- T .-nys-n- Recap / Other Better criteria ? Lots of search trees / : Different combinations Lesson : : Some keys - unbalanced BSI of rotations Expected case can : - bring given node to root more popular than others - AVL Trees -

250 views • 3 slides
1 Vocational training center for undergraduate university students and teachers in Jordan (VTC)

1 Vocational training center for undergraduate university students and teachers in Jordan (VTC)

1 Vocational training center for undergraduate university students and teachers in Jordan (VTC) (Project no.: 561708-EPP-1-2015-1-DE-EPPKA2-CBHE-JP) 2 DIGITAL PLATFORMS IN TEACHING Learning Proce cess Framework & Dig igital Resources

404 views • 13 slides
Safe Harbor & Reg. G Statement Any statements contained in this presentation that do not

Safe Harbor & Reg. G Statement Any statements contained in this presentation that do not

Bruker Corporation (NASDAQ: BRKR) Q2 2018 Earnings Presentation Frank Laukien, President & CEO Gerald Herman, Chief Financial Officer August 2, 2018 Miroslava Minkova, Director of Investor Relations & Corporate Development Innovation

430 views • 28 slides
Smart Grid Projects UK Policy and Experience Kelly Butler Deputy CEO BEAMA Limited 17 th

Smart Grid Projects UK Policy and Experience Kelly Butler Deputy CEO BEAMA Limited 17 th

Smart Grid Projects UK Policy and Experience Kelly Butler Deputy CEO BEAMA Limited 17 th March 2016 (Theme C): Smart Grid Project Outcomes About BEAMA BEAMA is the leading trade association representing manufacturers of electrical

464 views • 12 slides
Cheap and Large CAMs for High Performance Data-Intensive Networked Systems Presented By:

Cheap and Large CAMs for High Performance Data-Intensive Networked Systems Presented By:

Cheap and Large CAMs for High Performance Data-Intensive Networked Systems Presented By: Abhinav Dutta Abstract Authors build cheap and large CAMs, or CLAMs, using a combination of DRAM and flash memory. Using DRAM to maintain hash

158 views • 11 slides
TRACK vs Partran Benchmarking Version 2 (It is better to be approximately right than exactly

TRACK vs Partran Benchmarking Version 2 (It is better to be approximately right than exactly

TRACK vs Partran Benchmarking Version 2 (It is better to be approximately right than exactly wrong !) J.F Ostiguy/ APC ostiguy@fnal.gov Ostiguy - Track vs Partran Benchmarking Version 2 Issues A while ago, we performed some comparisons

489 views • 19 slides
PVMD Miro Zeman Delft University of Technology Learning objectives What does the band

PVMD Miro Zeman Delft University of Technology Learning objectives What does the band

Band Diagram of a P-N Junction PVMD Miro Zeman Delft University of Technology Learning objectives What does the band diagram of P-N junction at thermal equilibrium look like ? How thick is the depletion region? Band diagram of isolated

363 views • 14 slides

More recommend