att cking the castle
play

ATT&CKing the Castle Chip Greene Conrad Layne Introductions - PowerPoint PPT Presentation

Feb 22, 2023 •211 likes •599 views

ATT&CKing the Castle Chip Greene Conrad Layne Introductions Chip Greene Conrad Layne Director, Cyber Security GE CIRT ICS SecOps, Operational Readiness Senior Cyber Intelligence Analyst, Veterans Network Lead ATT&CK Czar MS

  1. ATT&CKing the Castle Chip Greene Conrad Layne

  2. Introductions Chip Greene Conrad Layne Director, Cyber Security GE CIRT ICS SecOps, Operational Readiness Senior Cyber Intelligence Analyst, Veterans Network Lead ATT&CK Czar MS Disaster Science Alumni Board of Directors MS Cyber-security Intelligence BS Information Systems Cyber Security Advisory Board BS Digital Forensic Science USS Richard E. Byrd DDG-23 NAVSTA Norfolk Brig

  3. Discussion topics • Frameworks (Kill Chain, Pyramid of Pain, Mitre ATT&CK TM , TIAMAT) • Extracting ICS indicators for behavioral detection TM behaviors • Scenarios developed from ATT&CK • Detection & confidence • Q&A

  4. Frameworks

  5. Lockheed Martin Kill Chain TM KC 1 KC 2 KC 3 KC 4 KC 5 KC 6 KC 7 Reconnaissance Weaponization Delivery Exploitation Installation Command & Control Actions on Objective (Reference 1,2)

  6. SANS ICS Kill Chain TM (Reference 1,2)

  7. Kill Chain integration KC 1 KC 2 KC 3 KC 4 KC 5 KC 6 KC 7 Reconnaissance Weaponization Delivery Exploitation Installation Command & Control Actions on Objective ICS Kill Chain Develop Validate (Reference 1,2)

  8. Lockheed Martin Kill Chain TM Multi-Environment KC 1 KC 2 KC 3 KC 4 KC 5 KC 6 KC 7 Reconnaissance Weaponization Delivery Exploitation Installation Command & Control Actions on Objective KC 1 KC 2 KC 3 KC 4 KC 5 KC 6 KC 7 Reconnaissance Weaponization Delivery Exploitation Installation Command & Control Actions on Objective (Reference 1,2)

  9. Behavioral based detection The Pyramid of Pain TTP - David Bianco Tools Network/Host Artifacts Automation of traditional indicators Domain Names IP Addresses Hash Values Hash Values (Reference 5)

  10. Leveraging behaviors Meta • Tactic • Technique • Campaign Behavior • Fidelity Signature Alert • Critical • Temporal • High • Cluster • Medium • Other • • Critical Low • High Analytics • Medium • Low Alert

  11. Detection Strategies • Atomic Indicators of Compromise-based • Behavior-based • Static • Dynamic • Signatures are specific for one • Signatures are indicator independent indicator • Focuses on observable malicious • Does not apply for other samples actions across the same malware family or • Detects across multiple malware actor families, and across Cybercrime and • Quick deployment APT actors • Analyst fatigue • Fidelity over longer time • Loses fidelity over time

  12. ATT&CK Framework TM (Reference 3)

  13. Mitre ICS ATT&CK TM Persistence Privilege Escalation Defense Evasion Operator Evasion Credential Access Discovery Lateral Movement Execution Command and Control Compromise Integrity Physical Impact External Remote Services Exploitation for Privilege Escalation Alternate Modes of Operation Block Reporting Message Brute Force Control Device Discovery Default Credentials Alternate Modes of Operation Commonly Used Port Alternate Modes of Operation Block Command Message Modify Control Logic Valid Accounts Exploitation for Defense Evasion Block Serial Comm Port Credential Dumping Control Process External Remote Services Command-Line Interface Connection Proxy Block Serial Comm Port Block Reporting Message Module Firmware File Deletion Modify Control Logic Default Credentials I/O Module Enumeration Modify Control Logic Execution through API Device Shutdown DoS Service System Firmware Masquerading Modify HMI/Historian Reporting Network Sniffing Location Identification Valid Accounts Graphical User Interface DoS Service Exploitation for Denial of Service Valid Accounts Modify Event Log Modify I/O Image Network Connection Enumeration Man in the Middle Modify Control Logic Masquerading Modify System Settings Modify Parameter Network Service Scanning Modify Control Logic System Firmware Modify Command Message Rootkit Modify Physical Device Display Network Sniffing Modify System Settings Modify Control Logic Modify Reporting Message Remote System Discovery Scripting Modify Parameter Modify Reporting Settings Role Identification Modify Reporting Settings Modify Tag Serial Connection Enumeration Modify Tag Rootkit Module Firmware Operator Evasion Spoof Reporting Message Spoof Command Message How can we fool the operator into thinking everything is OK Spoof Reporting Message How can we fool the operator to take the wrong action Compromise Integrity How can we make changes to cause future physical impacts Physical Impact How can we stop/degrade the process How can we cause catastrophic failure (Reference 4)

  15. TIAMAT Supremely strong and powerful 5-headed draconic goddess A goddess in ancient Mesopotamian mythology. Queen and mother of evil dragons Named as one of the greatest villains in D&D history in Dragon #359, the magazine's final print issue. (Reference 6)

  16. Intel CIRT Content Dev TIAMAT OSINT Add Submit TIAMAT Approved Query TTPs Behavior Report To QA TTPs Add Hypothesis created Internal Incident Metadata CIRT ID Operational Integration between CIRT and Intel Detection Detection developed deployed

  17. Intel CIRT Content Dev TIAMAT OSINT Add Submit Approved Query TTPs Behavior Report To QA TTPs Add Hypothesis created Internal Incident Metadata CIRT ID Operational Integration between CIRT and Intel Detection Detection developed deployed

  18. Multi-Stage Kill Chain Corporate Internet We must focus on the behaviors in the environment

  19. Indicators & Scenarios

  20. Extracting ICS indicators Behavioral detection from internal incidents • Establish a timeline of events with brief narrative • Perform root cause analysis • Align significant events to the Lockheed martin cyber kill chain • Map the events to the appropriate tactic and technique • Document the kill chain levels, tactics and techniques • Evaluate detection opportunities

  21. Extracting ICS indicators key events

  22. Mapping key events to the ATT&CK Framework Initial Connection Cyber Kill Chain Level ICS-ATT&CK Tactic ICS-ATT&CK Technique KC6 Discovery Control Device Discovery KC6 Credential Access Default Credentials Cyber Kill Chain Level Enterprise-ATT&CK Tactic Enterprise-ATT&CK Technique KC3 Initial Access Trusted Relationship Actor: Unknown Tools: N/A Execution Notes: IPv4: XXX.XXX.XXX.XXX Patterns & Trends: Public facing modem with VNC connection required no username and 'password’

  23. Mapping key events to the ATT&CK Framework File Execution Cyber Kill Chain Level Enterprise-ATT&CK Tactic Enterprise-ATT&CK Technique KC5 Execution Scripting Actor: Unknown Tools: lsasso.exe, malicious WordPad.exe Execution Notes: Documents and Settings\auduser\Application Data\lsasso.exe Documents and Settings\auduser\Start Menu\Programs\Startup\WordPad.exe Patterns & Trends: lsasso.exe & a malicious version of WordPad.exe launched via script

  24. Mapping key events to the ATT&CK Framework Establish Persistence Cyber Kill Chain Level Enterprise-ATT&CK Tactic Enterprise-ATT&CK Technique KC5 Persistence Registry Run Keys / Startup Folder KC5 Execution Scripting Actor: Unknown Tools: lsasso.exe, malicious WordPad.exe Execution Notes: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run for "lsasso" Logon,38062JEN\auduser "Logon",38062JEN\auduser,documents and settings\auduser\application data\ lsasso.exe” "E: \Documents and Settings\auduser\Application Data\ lsasso.exe” Patterns & Trends: Autoruns created and persistence established

  25. Mapping key events to the ATT&CK Framework .NET Framework version checking Cyber Kill Chain Level Enterprise-ATT&CK Tactic Enterprise-ATT&CK Technique KC6 Discovery System Information Discovery Actor: Unknown Tools: N/A Execution Notes: N/A Patterns & Trends: video shows attacker checking the .NET Framework version through the control panel

  26. Mapping key events to the ATT&CK Framework Hands on Keyboard Cyber Kill Chain Level Enterprise-ATT&CK Tactic Enterprise-ATT&CK Technique KC6 Discovery System Owner/User Discovery KC6 Discovery Network Share Discovery Cyber Kill Chain Level ICS-ATT&CK Tactic ICS-ATT&CK Technique KC5 Execution Command-line Interface Actor: Unknown Tools: N/A Execution Notes: Net User Net View Patterns & Trends: video shows attacker running ‘Net’ commands via windows cmd.exe

  27. Mapping key events to the ATT&CK Framework System Shutdown Cyber Kill Chain Level ICS-ATT&CK Tactic ICS-ATT&CK Technique KC7 Compromise Integrity Device Shutdown KC7 Physical Impact Denial of Service Actor: Unknown Tools: N/A Execution Notes: HKLM\SYSTEM\CurrentControlSet\Control\Windows Windows,ShutdownTime,REG_BINARY,ffffffc4fffffff6401b501effffffd201 Patterns & Trends: Shutdown of milling machine controller

  28. Extracting ICS indicators Behavioral detection from external reports – Industroyer (Reference 7)

  29. Detection & Confidence Detection & Confidence

  30. Entering ATT&CK data into TIAMAT

  31. Content Development Behavior-based signatures

  32. Visual map of behavior-based coverage (sample)

  33. Detection confidence (sample) by vendor and data source Vendor 1 Vendor 1 Vendor 1

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Castle Trust Innovative loans with no monthly payments required 1 Who are Castle Trust? Castle

Castle Trust Innovative loans with no monthly payments required 1 Who are Castle Trust? Castle

Scott Apps Business Development Manager Castle Trust Intermediary use only Castle Trust Innovative loans with no monthly payments required 1 Who are Castle Trust? Castle Trust was launched in October 2012 by an experienced team of senior

152 views • 11 slides
SECOND SHOOT PRESENTATION Edinburgh Castle EDINBURGH CASTLE, EDINBURGH I plan on visiting

SECOND SHOOT PRESENTATION Edinburgh Castle EDINBURGH CASTLE, EDINBURGH I plan on visiting

SECOND SHOOT PRESENTATION Edinburgh Castle EDINBURGH CASTLE, EDINBURGH I plan on visiting Edinburgh Castle soon in order to express one of the oldest styles of architecture in my project. Edinburgh Castle sits proudly upon an extinct volcano and

299 views • 11 slides
The CASTLE-AF trial Nassir F. Marrouche and Johannes Brachmann, on behalf the CASTLE AF

The CASTLE-AF trial Nassir F. Marrouche and Johannes Brachmann, on behalf the CASTLE AF

Catheter Ablation versus Standard conventional Treatment in patients with LEft ventricular dysfunction and Atrial Fibrillation The CASTLE-AF trial Nassir F. Marrouche and Johannes Brachmann, on behalf the CASTLE AF Investigators CASTLE-AF

357 views • 7 slides
04. 04. Web Track cking tech chnologies: Br Browser

04. 04. Web Track cking tech chnologies: Br Browser

04. 04. Web Track cking tech chnologies: Br Browser fingerprinting Nataliia Bielova @nataliabielova September 18 th , 2018 Web Privacy course University of Trento

666 views • 44 slides
EVENTS AND CELEBRATIONS THE QUEEN AND CASTLE WWW.QUEENANDCASTLEKENILWORTH.CO.UK WELCOME TO THE

EVENTS AND CELEBRATIONS THE QUEEN AND CASTLE WWW.QUEENANDCASTLEKENILWORTH.CO.UK WELCOME TO THE

EVENTS AND CELEBRATIONS THE QUEEN AND CASTLE WWW.QUEENANDCASTLEKENILWORTH.CO.UK WELCOME TO THE QUEEN AND CASTLE Located in the beautiful, historic town of Kenilwoth, Tie Queen and Castle is the ideal venue for your next event or celebration.

168 views • 6 slides
Know n & Observ ed Hea lth Im p a ct of Fra cking On In -Utero Dev elop m ent Autism Sy nd rom

Know n & Observ ed Hea lth Im p a ct of Fra cking On In -Utero Dev elop m ent Autism Sy nd rom

Know n & Observ ed Hea lth Im p a ct of Fra cking On In -Utero Dev elop m ent Autism Sy nd rom e Disord er P E N E L O P E A L L D E R D I C E P h D , M D iv . Professor Em erita Mem orial University of Newfoundland TO : T H E N L H F R P O C

278 views • 11 slides
Welcome - Open House New Castle County Flood Studies May 23, 2 2017 New C Castle, e, DE

Welcome - Open House New Castle County Flood Studies May 23, 2 2017 New C Castle, e, DE

Welcome - Open House New Castle County Flood Studies May 23, 2 2017 New C Castle, e, DE Thank you for attending This p s prese sentat atio ion l last sts a s about 4 4 minutes Aft fter w watching i it p ple lease le let s

309 views • 13 slides
Tra racking Hyper Bo cking Hyper Boosted sted Top Q p Qua uarks @ 100 T rks @ 100 TeV eV

Tra racking Hyper Bo cking Hyper Boosted sted Top Q p Qua uarks @ 100 T rks @ 100 TeV eV

Tra racking Hyper Bo cking Hyper Boosted sted Top Q p Qua uarks @ 100 T rks @ 100 TeV eV Michel Mi chele Sel e Selva vaggi ggi (CP3) (CP3) An Andr drew w Lar Larko koski ski (MIT), Fabi abio Mal altoni (CP CP3) Flavo vor

623 views • 31 slides
Bi Biol ology ogy and Con and Contro trol of L l of Leaf eaf- Suck Su cking ing, , St

Bi Biol ology ogy and Con and Contro trol of L l of Leaf eaf- Suck Su cking ing, , St

Bi Biol ology ogy and Con and Contro trol of L l of Leaf eaf- Suck Su cking ing, , St Stem em-Inf Infest esting ing, and , and Ro Root ot-Fe Feedi eding Inse ng Insect ct and and Mit Mites es Pes Pests ts of of P Pec

584 views • 57 slides
The CASTLE-AF trial Nassir F. Marrouche MD on behalf the CASTLE AF Investigators Background

The CASTLE-AF trial Nassir F. Marrouche MD on behalf the CASTLE AF Investigators Background

Catheter Ablation versus Standard conventional Treatment in patients with LEft ventricular dysfunction and Atrial Fibrillation The CASTLE-AF trial Nassir F. Marrouche MD on behalf the CASTLE AF Investigators Background Atrial fibrillation

369 views • 23 slides
ITS W Webi binar o on n Track cking ng & & Traci cing App Apps ITS Cor Corporate

ITS W Webi binar o on n Track cking ng & & Traci cing App Apps ITS Cor Corporate

ITS W Webi binar o on n Track cking ng & & Traci cing App Apps ITS Cor Corporate e Mem embers Spea eaker er Prof ofiles es Masahiro Sogabe , Professor of Constitutional Law at Kyoto University Bronwyn E. Howell,

742 views • 4 slides
Castle Schools Explore Curriculum At Castle School students working at the earliest stages

Castle Schools Explore Curriculum At Castle School students working at the earliest stages

Castle Schools Explore Curriculum At Castle School students working at the earliest stages of development explore their senses through an individual programme and 1:1 support They focus on 4 key areas: Physical Cognition developmentt

205 views • 17 slides
CASTLE SILVER RESOURCES INC. REDEVELOPING THE FORMER HIGH-GRADE CASTLE AND BEAVER MINES IN THE

CASTLE SILVER RESOURCES INC. REDEVELOPING THE FORMER HIGH-GRADE CASTLE AND BEAVER MINES IN THE

CASTLE SILVER RESOURCES INC. REDEVELOPING THE FORMER HIGH-GRADE CASTLE AND BEAVER MINES IN THE HISTORIC COBALT CAMP SILVER COBALT GOLD COPPER September 11, 2017 www.CastleSilverResources.com TSX-V CSR OTC TAKRF FRANKFURT

654 views • 32 slides
APPLIC LICATION ION OF OF GIS IN IN TRACKING CKING ENVIR VIRONMEN NMENTAL AL DEGRAD

APPLIC LICATION ION OF OF GIS IN IN TRACKING CKING ENVIR VIRONMEN NMENTAL AL DEGRAD

APPLIC LICATION ION OF OF GIS IN IN TRACKING CKING ENVIR VIRONMEN NMENTAL AL DEGRAD RADATION ION IN IN SOUTHE OUTHERN RN VIHIGA HILLS LS: IMPLIC PLICATIONS IONS FOR OR ENVIR IRONMEN MENTAL AL CON ONSER SERVATION ION IN IN

458 views • 15 slides
Beyond the Castle (Lancaster City Park) What is Beyond the Castle? Lancaster Square Routes 'Three

Beyond the Castle (Lancaster City Park) What is Beyond the Castle? Lancaster Square Routes 'Three

Beyond the Castle (Lancaster City Park) What is Beyond the Castle? Lancaster Square Routes 'Three Big Ideas': Lancaster Lore and Legends, Georgian Gem and the City Park. Rejuvenate the historical city centre and destination for both visitors and

667 views • 19 slides
CASTLE In a Nutshell Cognitive Models Motor controls and Sensory inputs other actions Virtual

CASTLE In a Nutshell Cognitive Models Motor controls and Sensory inputs other actions Virtual

CASTLE : A Framework for Integrating Cognitive Models into Virtual Environments Dr. Art Pope, SET Corporation Dr. Pat Langley, Arizona State University Sponsored by U.S. Air Force Office of Scientific Research CASTLE In a Nutshell Cognitive

446 views • 18 slides
Network Inference Ezequiel Bianco Martinez Dr. Murilo Baptista Complex Systems Complex Systems

Network Inference Ezequiel Bianco Martinez Dr. Murilo Baptista Complex Systems Complex Systems

Network Inference Ezequiel Bianco Martinez Dr. Murilo Baptista Complex Systems Complex Systems NETWORKS Networks Robustness Prevent cascades Synchronizability Coherence Cost vs . Efficiency Improve transport

975 views • 31 slides
and Elie Bursztein with the help of Marc Stevens (CWI), Pierre Karpman (INRIA), Ange Albertini,

and Elie Bursztein with the help of Marc Stevens (CWI), Pierre Karpman (INRIA), Ange Albertini,

and Elie Bursztein with the help of Marc Stevens (CWI), Pierre Karpman (INRIA), Ange Albertini, Yarik Markov, Alex Petit-Bianco Digest uniqueness 3171 AC03 B186 File 1 One-way function 42A9 1C4E 3CBE 2 File 2 Attacking hash functions

962 views • 53 slides
Mike Bianco Projects 3-4 person groups preferred Deliverables: Poster, Report & main

Mike Bianco Projects 3-4 person groups preferred Deliverables: Poster, Report & main

Announcements Class is 170. Matlab Grader homework, 1 and 2 (of less than 9) homeworks Due 22 April tonight, Binary graded. 167, 165,164 has done the homework. ( If you have not done HW talk to me/TA! ) Homework 3 due 5 May Homework 4 (SVM +DL)

691 views • 40 slides
Entropy and gravitational interaction c 1 Milutin Blagojevi c i Branislav Cvetkovi 1 Institut

Entropy and gravitational interaction c 1 Milutin Blagojevi c i Branislav Cvetkovi 1 Institut

Introduction Black hole entropy in MB model Black hole entropy in PGT Entropy of conformally flat black holes Conclusion Entropy and gravitational interaction c 1 Milutin Blagojevi c i Branislav Cvetkovi 1 Institut za fiziku, Beograd

331 views • 31 slides
Scientific Programming Lecture A05 - Designing programs Andrea Passerini Universit degli Studi

Scientific Programming Lecture A05 - Designing programs Andrea Passerini Universit degli Studi

Scientific Programming Lecture A05 - Designing programs Andrea Passerini Universit degli Studi di Trento 2019/10/22 Acknowledgments: Alberto Montresor, Stefano Teso This work is licensed under a Creative Commons Attribution-ShareAlike 4.0

554 views • 36 slides
Scientific Programming: Part B Lecture 2 Luca Bianco - Academic Year 2019-20

Scientific Programming: Part B Lecture 2 Luca Bianco - Academic Year 2019-20

Scientific Programming: Part B Lecture 2 Luca Bianco - Academic Year 2019-20 luca.bianco@fmach.it [credits: thanks to Prof. Alberto Montresor] Introduction Complexity The complexity of an algorithm can be defined as a function mapping the

884 views • 45 slides
New opportunities in optical testing given by photochromic materials Giorgio Pariani, Martino

New opportunities in optical testing given by photochromic materials Giorgio Pariani, Martino

New opportunities in optical testing given by photochromic materials Giorgio Pariani, Martino Quintavalla, Rossella Castagna, Letizia Colella, Chiara Bertarelli, Frederic Zamkotsian, Andrea Bianco Photochromic materials F Change of: F 3 -

832 views • 17 slides
BenchCouncil AIBench --- A Datacenter AI Benchmark Suite Wanling Gao, Fei Tang, Jianfeng Zhan

BenchCouncil AIBench --- A Datacenter AI Benchmark Suite Wanling Gao, Fei Tang, Jianfeng Zhan

BenchCouncil AIBench --- A Datacenter AI Benchmark Suite Wanling Gao, Fei Tang, Jianfeng Zhan http://www.benchcouncil.org/AIBench/index.html INSTITUTE O BenchCouncil OF C Bench19, Denver, Colorado, USA COMPUTING T TECHNOLOGY Why

1k views • 61 slides

More recommend