
Introduction to MITRE ATT&CK™

Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK™) for enterprise is a framework which describes the adversarial actions or tactics from Initial Access (Exploit) to Command & Control (Maintain). ATT&CK™ Enterprise deals with the classification of post-compromise adversarial tactics and techniques against Windows™, Linux™ and MacOS™.

This community-enriched model adds techniques used to realize each tactic. These techniques are not exhaustive, and the community adds them as they are observed and verified.

To read more about how ATT&CK™ helps in resolving challenges and validating defenses, please check this article.

Some Techniques are mapped to multiple Tactics. There are 244 unique Techniques in total, which results in 314 non-unique Technique/Tactic pairings distributed over 12 Tactics.

 

RSA Threat Content Mapping with MITRE ATT&CK™

RSA has mainly three kinds of Threat Content: a. Application Rules, b. ESA Rules and c. LUA Parsers. These content types can be classified further by the 'Medium' of each piece of content. Medium depends upon the source of the meta that the particular content piece uses. For example, if an application rule uses meta populated from packet data, its Medium will be packet. We can search LIVE content using the Medium criterion:

 

 

We will try to measure how much of the ATT&CK™ matrix is covered by RSA Threat Content, essentially by mapping each piece of threat content to the one or more ATT&CK™ techniques it detects. This mapping needs to be saved in a file, and in the case of ATT&CK™ the file type is JSON. For example, in the case of application rules there will be a mapping JSON file for each of the following:

  • Mapping of only RSA Application Rules with Medium = log
  • Mapping of only RSA Application Rules with Medium = packet
  • Mapping of only RSA Application Rules with Medium = endpoint
  • Mapping of only RSA Application Rules with Medium = log AND packet
  • Mapping of all RSA Application Rules (Without considering Medium)

The same pattern will follow for ESA Rules and LUA Parsers depending upon Medium value.

This JSON can be viewed graphically through the ATT&CK™ Navigator web GUI tool; the tool and the process of viewing a layer in it are described later in this post.

 

a. Application Rules - The Rule Library contains all the Application Rules, and we can map these rules (detection capabilities) to the tactics/techniques of the ATT&CK™ matrix. The mapping shows how many Tactics/Techniques are detected by RSA NetWitness Application Rules. We have generated JSON files for application rules which can be viewed in Navigator; the JSON can be downloaded from the archive attached to this blog post. Following are the mappings for RSA Application Rules:

 

Content Type          | Medium                              | Location of JSON in attached archive
RSA Application Rules | log                                 | RSA_Threat_Content_ATTACK_JSON_Mapping\Application_Rules\Medium_log
RSA Application Rules | packet                              | RSA_Threat_Content_ATTACK_JSON_Mapping\Application_Rules\Medium_packet
RSA Application Rules | endpoint                            | RSA_Threat_Content_ATTACK_JSON_Mapping\Application_Rules\Medium_endpoint
RSA Application Rules | All Rules (without considering Medium) | RSA_Threat_Content_ATTACK_JSON_Mapping\Application_Rules\All_RSA_Application_Rules

 

Following is the plot which reflects number of techniques detected by all RSA Application Rules with respect to ATT&CK™:

 

b. ESA Rules - ESA is one of the defense systems that is used to generate alerts. ESA Rules provide real-time, complex event processing of log, packet, and endpoint meta across sessions. ESA Rules can identify threats and risks by recognizing adversarial Tactics, Techniques and Procedures (TTPs). We have generated JSON files for ESA rules which can be viewed in Navigator. This JSON can be downloaded from attached archive in this blog post. Following are the mappings for RSA ESA Rules:

 

Content Type  | Medium                                 | Location of JSON in attached archive
RSA ESA Rules | log                                    | RSA_Threat_Content_ATTACK_JSON_Mapping\ESA_Rules\Medium_log
RSA ESA Rules | packet                                 | RSA_Threat_Content_ATTACK_JSON_Mapping\ESA_Rules\Medium_packet
RSA ESA Rules | log AND packet                         | RSA_Threat_Content_ATTACK_JSON_Mapping\ESA_Rules\Medium_log_AND_packet
RSA ESA Rules | All Rules (without considering Medium) | RSA_Threat_Content_ATTACK_JSON_Mapping\ESA_Rules\All_RSA_ESA_Rules

 

Following is the plot which reflects number of techniques detected by all RSA ESA Rules with respect to ATT&CK™:

 

c. LUA Parsers - Packet parsers identify the application layer protocol of sessions seen by the Decoder and extract meta data from the packet payloads of the session. Every packet parser is able to extract meta from every session. LUA Parsers are one kind of packet parser and can be customized by customers. We have generated JSON files for LUA Parsers which can be viewed in Navigator; the JSON can be downloaded from the archive attached to this blog post. Following are the mappings for RSA LUA Parsers:

 

Content Type    | Medium                                       | Location of JSON in attached archive
RSA LUA Parsers | packet                                       | RSA_Threat_Content_ATTACK_JSON_Mapping\Lua_Parsers\Medium_packet
RSA LUA Parsers | All LUA Parsers (without considering Medium) | RSA_Threat_Content_ATTACK_JSON_Mapping\Lua_Parsers\All_RSA_Lua_Parsers

Note: The above two JSON files are identical, since packet is the only Medium for LUA Parsers.

 

Following is the plot which reflects number of techniques detected by all RSA LUA Parsers with respect to ATT&CK™:

 

 

d. Complete RSA Threat Content (Application Rules + ESA Rules + Lua Parsers) - We have combined all three content types into a single JSON file for ATT&CK™ Navigator, which can be downloaded from this blog post.

 

Content Type       | Medium                 | Location of JSON in attached archive
RSA Threat Content | All RSA Threat Content | RSA_Threat_Content_ATTACK_JSON_Mapping\All_RSA_Threat_Content

 

Following is the plot which reflects the number of techniques detected by all three threat content types combined, with respect to ATT&CK™ coverage:

These statistics are bound to change with time as new content is added or updated. Updating the ATT&CK™ coverage periodically gives us a consolidated picture of our complete defense system, so we can quantify and monitor the evolution of our detection capabilities.

 

In the sections above, we have talked about using the JSON files (attached to this blog post) in ATT&CK™ Navigator. In the next section, we will discuss how to load and view these JSON files.

 

Introduction to MITRE ATT&CK™ Navigator

ATT&CK™ Navigator is a tool openly available through GitHub which uses the STIX 2.0 content to provide a layered visualization of ATT&CK™ model.

ATT&CK™ Navigator stores information in JSON files and each JSON file is a layer containing multiple techniques which can be opened on Navigator web interface. The JSON contains content in STIX 2.0 format which can be fetched from a TAXII 2.0 server of your own choice. For example, we can fetch ATT&CK™ content from MITRE's TAXII 2.0 server through APIs.

The techniques in this visualization can be:

  • Highlighted with color coding.
  • Annotated with a numerical score to signal the severity/frequency of the technique.
  • Annotated with a comment describing that occurrence of the technique or any other meaningful information.

These layers can be exported in SVG and Excel format.

 

How to View a JSON in ATT&CK™ Navigator?

  1. Open MITRE’s ATT&CK™ Navigator web application (https://mitre-attack.github.io/attack-navigator/enterprise/).
  2. In Navigator, open a new tab by clicking the '+' button.

    Navigator_Image
  3. Then click on 'Open Existing Layer' and then 'Upload from Local' which will let you choose a JSON file from your local machine (or, the one attached later in this blog).

    Navigator_Image

  4. After uploading the JSON file, the layer opens in Navigator and looks like this:

    Navigator_Image

 

This visualization highlights the techniques covered in the JSON file with color and comments.

 

  5. While hovering the mouse over each colored technique you can see three things:

  • Technique ID: Unique IDs of each technique as per ATT&CK™ framework.
  • Score:  Threat score given to each technique.
  • Comment: We can write anything related in the comment to put things in perspective. In this case, the comment holds the pipe-delimited ('||') names of the content/rules/parsers which cover that technique. For example, if you have opened the application rule JSON, the comment will contain the pipe-delimited names of the application rules which detect the hovered technique.
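The post describes the layer JSON only in terms of what Navigator shows on hover (technique ID, score, '||'-delimited comment) and the per-tactic counts behind the plots. The following is an added example, not the post's own tooling or the archive's JSON: it builds such a layer from a rule-to-technique mapping, counts covered techniques per tactic, and inverts the comment convention. The rule names are hypothetical; the technique IDs and tactic short names are ATT&CK Enterprise identifiers, and the layer-format version string is an assumption that should be matched to the Navigator build in use.

```python
import json
from collections import Counter, defaultdict

# Constructed sample mapping from detection content to ATT&CK techniques.
# Rule names are hypothetical; technique IDs and tactic short names are
# ATT&CK Enterprise identifiers (one rule may map to several techniques).
RULE_TO_TECHNIQUES = {
    "Hypothetical Rule A: encoded PowerShell": [("T1086", "execution")],
    "Hypothetical Rule B: script host launch": [("T1086", "execution"),
                                                ("T1059", "execution")],
    "Hypothetical Rule C: LSASS read":         [("T1003", "credential-access")],
    "Hypothetical Rule D: HTTP beacon":        [("T1071", "command-and-control")],
}

COMMENT_DELIMITER = "||"   # the post's convention for separating rule names in a comment


def build_layer(name, rule_map, color="#fd8d3c", layer_version="2.2"):
    """Turn a rule -> [(technique, tactic)] mapping into a Navigator layer dict.

    Each technique/tactic pair becomes one layer entry; its score is the number
    of rules that cover it and its comment lists those rules, '||'-delimited.
    layer_version is an assumption: set it to the layer-format version
    expected by the Navigator build you upload to.
    """
    rules_per_technique = defaultdict(list)
    for rule_name, techniques in rule_map.items():
        for technique_id, tactic in techniques:
            rules_per_technique[(technique_id, tactic)].append(rule_name)

    techniques = []
    for (technique_id, tactic), rule_names in sorted(rules_per_technique.items()):
        techniques.append({
            "techniqueID": technique_id,
            "tactic": tactic,
            "score": len(rule_names),
            "color": color,
            "comment": COMMENT_DELIMITER.join(sorted(rule_names)),
            "enabled": True,
        })

    return {
        "name": name,
        "version": layer_version,
        "domain": "mitre-enterprise",
        "description": "Coverage of ATT&CK techniques by %s" % name,
        "techniques": techniques,
    }


def coverage_by_tactic(layer):
    """Number of distinct techniques covered under each tactic (the plot data)."""
    return dict(Counter(entry["tactic"] for entry in layer["techniques"]))


def rules_covering(layer, technique_id):
    """Invert the comment convention: which rules cover a given technique?"""
    names = set()
    for entry in layer["techniques"]:
        if entry["techniqueID"] == technique_id and entry["comment"]:
            names.update(entry["comment"].split(COMMENT_DELIMITER))
    return sorted(names)


def write_layer(layer, path):
    """Serialize the layer to a JSON file ready for 'Upload from Local'."""
    with open(path, "w") as fh:
        json.dump(layer, fh, indent=2)


if __name__ == "__main__":
    layer = build_layer("Hypothetical Application Rules", RULE_TO_TECHNIQUES)
    write_layer(layer, "hypothetical_application_rules_layer.json")
    print(json.dumps(coverage_by_tactic(layer), indent=2))
```

Keeping the score equal to the number of covering rules means the Navigator color gradient doubles as a depth-of-coverage view: a technique matched by one rule and one matched by five look different at a glance, which the plain "covered / not covered" coloring in the post does not show.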

 


Other blog posts written before regarding Threat Content coverage of ATT&CK™ can be found here and here.

Introduction to MITRE’s ATT&CK™

Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK™) for enterprise is a framework which describes the adversarial actions or tactics from Initial Access (Exploit) to Command & Control (Maintain). ATT&CK™ Enterprise deals with the classification of post-compromise adversarial tactics and techniques against Windows™, Linux™ and MacOS™.

This community-enriched model adds techniques used to realize each tactic. These techniques are not exhaustive, and the community adds them as they are observed and verified.

To read more about how ATT&CK™ helps in resolving challenges and validating defenses, please check this article.

 

Introduction to MITRE’s ATT&CK™ Navigator

ATT&CK™ Navigator is a tool openly available through GitHub which uses the STIX 2.0 content to provide a layered visualization of ATT&CK™ model.

ATT&CK™ Navigator stores information in JSON files and each JSON file is a layer containing multiple techniques which can be opened on Navigator web interface. The JSON contains content in STIX 2.0 format which can be fetched from a TAXII 2.0 server of your own choice. For example, we can fetch ATT&CK™ content from MITRE's TAXII 2.0 server through APIs.

The techniques in this visualization can be:

  • Highlighted with color coding.
  • Annotated with a numerical score to signal the severity/frequency of the technique.
  • Annotated with a comment describing that occurrence of the technique or any other meaningful information.

These layers can be exported in SVG and Excel format.

 

How to View a JSON in ATT&CK™ Navigator?

  1. Open MITRE’s ATT&CK™ Navigator web application (https://mitre-attack.github.io/attack-navigator/enterprise/).
  2. In Navigator, open a new tab by clicking the '+' button.

    Navigator_Image
  3. Then click on 'Open Existing Layer' and then 'Upload from Local' which will let you choose a JSON file from your local machine (or, the one attached later in this blog).

    Navigator_Image

  4. After uploading the JSON file, the layer opens in Navigator and looks like this:

    Navigator_Image

 

This visualization highlights the techniques covered in the JSON file with color and comments.

 

RSA NetWitness Endpoint Application Rules

The Rule Library contains all the Endpoint Application Rules and we can map these rules or detection capabilities to the tactics/techniques of ATT&CK™ matrix. The mapping shows how many tactics/techniques are detected by RSA NetWitness Endpoint Application Rules.

We have created a layer as a JSON file which has all the NetWitness Endpoint Application Rules mapped to techniques. Then we have imported that layer on ATT&CK™ Navigator matrix to show the overlap. In the following image, we can see all the techniques highlighted that are detected by NetWitness Endpoint Application Rules:

 

endpoint_coverage_of_attack

 

The JSON for Endpoint Application Rules is attached with this blog and can be downloaded.

 

While hovering the mouse over each colored technique you can see three things:

  1. Technique ID: Unique IDs of each technique as per ATT&CK™ framework.
  2. Score:  Threat score given to each technique.
  3. Comment: We can write anything related in the comment to put things in perspective. In this case, the comment holds the pipe-delimited (‘|’) names of the application rules which cover that technique.

Hover_Over_navigator

To quantify how far the RSA NetWitness Endpoint Application Rules spread across the matrix, we can refer to the following plot:

 

Analysis_Plot

 

We have already mapped RSA ESA Rules to the ATT&CK™ framework, as described in this article. Updating these ATT&CK™ coverage maps periodically gives us a consolidated picture of our complete defense system, so we can quantify and monitor the evolution of our detection capabilities.

 

References:

[1] https://www.mitre.org/sites/default/files/publications/pr-18-0944-11-mitre-attack-design-and-philosophy.pdf

[2] https://attack.mitre.org/wiki/Main_Page

[3] https://www.mitre.org/capabilities/cybersecurity/overview/cybersecurity-blog/using-attck-to-advance-cyber-threat

[4] https://www.mitre.org/capabilities/cybersecurity/overview/cybersecurity-blog/using-attck-to-advance-cyber-threat-0

[5] https://community.rsa.com/community/products/netwitness/blog/2018/08/31/introduction-to-mitre-s-attck

Introduction to MITRE’s ATT&CK™

 

Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK™) for enterprise is a framework which describes the adversarial actions or tactics from Initial Access (Exploit) to Command & Control (Maintain). ATT&CK™ Enterprise deals with the classification of post-compromise adversarial tactics and techniques against Windows™, Linux™ and MacOS™.

 

Two other frameworks have also been developed, namely PRE-ATT&CK™ and the ATT&CK™ Mobile Profile. PRE-ATT&CK™ categorizes pre-compromise tactics, techniques and procedures (TTPs) independent of platform/OS: the adversary's planning, information gathering, reconnaissance and setup before compromising the victim.

 

The ATT&CK™ Mobile Profile is specific to Android and iOS mobile environments and has three matrices that classify tactics and techniques. It covers not just post-compromise tactics and techniques but also pre-compromise TTPs in mobile environments.

 

This community-enriched model adds techniques used to realize each tactic. These techniques are not exhaustive and the community adds them as they are observed and verified.

 

This matrix is helpful for validating defenses already in place and for designing new security measures. It can be used in the following ways to improve and validate defenses:

 

  1. The framework can be used to create adversary emulation plans which hunters and defenders use to test and verify their defenses. These plans also make sure you are testing against an ever-evolving industry standard framework.
  2. Adversary behavior can be mapped onto the ATT&CK™ matrix and used for analytics to improve your Indicators of Compromise (IOCs) or Behaviors of Compromise (BOCs). This enhances your detection capabilities with greater insight into threat actor specific information.
  3. Mapping your existing defenses onto this matrix gives a visualization of the tactics and techniques detected, and thus an opportunity to assess gaps and prioritize your efforts to build new defenses.
  4. The ATT&CK™ framework can help build threat intelligence from the perspective of not just TTPs but also the threat groups and software in use. This way, detection depends not only on TTPs but on their relationship with the threat groups and software that are in play.

 

Relationships between Threat-Group, Software, Tactic and Techniques

Figure 1: Relationships between Threat-Group, Software, Tactics and Techniques

 

This framework resolves the following problems:

 

  1. Existing Kill Chain concepts were too abstract to relate new techniques to new types of detection capabilities and defenses. ATT&CK can be called a Kill Chain on steroids.
  2. Techniques added or considered should have been observed in a real environment and not derived only from theoretical concepts. Having the community add techniques ensures that they have been seen in the wild and are therefore suitable for people using this model in real environments.
  3. The model gives a common language and terminology across different environments and threat actors. This factor is important in making the model an industry standard.
  4. Granular indicators like domain names, hashes, protocols et cetera do not provide enough information to see the bigger picture of how the threat actor is exploiting the system and its relationship with the various sub-systems and tools used by the adversary. The model gives a good understanding of the tactics and techniques used and the relationships between them, which can then be used to drill down into only the important granular details.
  5. The model provides a common repository from which this information can be consumed through APIs and programming: it is available via a public TAXII 2.0 server that serves STIX 2.0 content.

 

ATT&CK Navigator

 

ATT&CK Navigator is a tool openly available through GitHub which uses the STIX 2.0 content to provide a layered visualization of ATT&CK model.

 

ATT&CK Navigator

 

Figure 2: ATT&CK Navigator

 

By default, Navigator uses MITRE’s TAXII server, but it can be changed to use any TAXII server of choice. Navigator builds layers from JSON files, and these files can be created programmatically to generate layers.

 

RSA NetWitness Event Stream Analysis (ESA)

 

ESA is one of the defense systems that is used to generate alerts. ESA Rules provide real-time, complex event processing of log, packet, and endpoint meta across sessions. ESA Rules can identify threats and risks by recognizing adversarial Tactics, Techniques and Procedures (TTPs).

 

The following are ESA Components:

 

  1. Alert - Output from a rule that matches data in the environment.
  2. Template - Converts the rule syntax into code (Esper) that ESA understands.
  3. Constituent Events - All of the events involved in an alert, including the trigger event.
  4. Rule Library - A list of all the ESA Rules that have been created.
  5. Deployments - A list of the ESA Rules that have been deployed to an ESA device.

 

The Rule Library contains all the ESA Rules, and we can map these rules (detection capabilities) to the tactics/techniques of the ATT&CK matrix. The mapping shows how many tactics/techniques are detected by ESA. The Excel workbook of the mapping between ESA Rules and ATT&CK Tactics/Techniques is attached to this blog post.

 

In other words, the overlap between ESA Rules and the ATT&CK matrix not only shows us how far our detection capabilities reach across the matrix but also quantifies the evolution of the product. We can measure how much we are improving and in which directions.

 

We have created a layer as a JSON file which has all the ESA Rules mapped to techniques. Then we have imported that layer on ATT&CK Navigator matrix to show the overlap. In the following image, we can see all the techniques highlighted that are detected by ESA Rules:

 

ATT&CK Navigator ESA Rules Mapping

 

Figure 3: ATT&CK Navigator Mapping to ESA Rules

 

To quantify how much ESA Rules spread across the matrix we can refer to the following plot:

 

ATT&CK Navigator ESA Rules Mapping Plot

 

Figure 4: Plot for ATT&CK Matrix Mapping to ESA Rules

 

Moving forward we can map our other detection capabilities with ATT&CK matrix. This will help to give us a consolidated picture of our complete defense system and thus we can quantify and monitor the evolution of our detection capabilities.

 

References:

[1] https://www.mitre.org/sites/default/files/publications/pr-18-0944-11-mitre-attack-design-and-philosophy.pdf

[2] https://attack.mitre.org/wiki/Main_Page

[3] https://attack.mitre.org/pre-attack/index.php/Main_Page

[4] https://attack.mitre.org/mobile/index.php/Main_Page

[5] https://www.mitre.org/capabilities/cybersecurity/overview/cybersecurity-blog/using-attck-to-advance-cyber-threat

[6] https://www.mitre.org/capabilities/cybersecurity/overview/cybersecurity-blog/using-attck-to-advance-cyber-threat-0

 

Thanks to Michael Sconzo and Raymond Carney for their valuable suggestions.

In the first week of August 2017, malspam activity was observed delivering the Trickbot banking trojan, which has been heavily active this summer and has now once again evolved.

  

Beginning in 2011, Trickbot actors began targeting banks in countries like the UK and India, but the malware has since expanded its range of countries and victims to include PayPal and Customer Relationship Management (CRM) providers. Trickbot has also consistently evolved, recently adding new evasion techniques, browser manipulation tools, modules targeting Microsoft Outlook data, and now worm functionality.

 

Primary delivery of the malware has been attributed to the Necurs botnet and sometimes the RIG exploit kit. In this most recent delivery, malspam delivered an MS Word document (File name: SecureMessage.doc) containing embedded and obfuscated macros written in VBA, along with a Santander bank decoy.

 

 

This document contains malicious VBA code and What's This File gives it a maximum threat score. The VBA code analysis shows main indicators as “VBA Code Contains Reference to Code Execution” and “VBA Code Contains Auto-Launch Scripts”.

 

 

 

As visible below, the cleansed VBA code contained within the document uses Shell to launch an executable.

 

 

 

Use of Chr in VBA code suggests possible obfuscation of specific strings:
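The post notes that Chr() calls in the macro suggest obfuscated strings but does not show how an analyst recovers them. As an added example, not part of the original post or of What's This File, the following decodes the common pattern of Chr()/ChrW() calls and quoted literals joined with '&', and flags assignments that use enough Chr() calls to be suspicious. The VBA sample is constructed for the example and decodes to a placeholder host, not the campaign's real download location.

```python
import re

# Constructed sample in the style the post describes: a string assembled from
# Chr() calls joined with '&'. The decoded host is a placeholder, not the
# campaign's real download location.
SAMPLE_VBA = (
    'strURL = Chr(104) & Chr(116) & Chr(116) & Chr(112) & Chr(58) & Chr(47) & Chr(47) '
    '& "example.invalid" & Chr(47) & ChrW(110) & Chr(111) & Chr(108) & Chr(111) '
    '& Chr(103) & Chr(111) & Chr(46) & Chr(112) & Chr(110) & Chr(103)\n'
    'x = 1\n'
)

# One alternation: Chr/ChrW/ChrB/Chr$ with a numeric argument, or a quoted literal.
_PIECE = re.compile(r'Chr[WB$]?\s*\(\s*(\d+)\s*\)|"([^"]*)"', re.IGNORECASE)
# A simple assignment line: name = expression (Set prefix tolerated).
_ASSIGN = re.compile(r'^\s*(?:Set\s+)?([A-Za-z_]\w*)\s*=\s*(.+?)\s*$', re.MULTILINE)


def decode_expression(expr):
    """Concatenate the decoded Chr() values and literals in left-to-right order."""
    pieces = []
    for match in _PIECE.finditer(expr):
        if match.group(1) is not None:
            pieces.append(chr(int(match.group(1))))
        else:
            pieces.append(match.group(2))
    return "".join(pieces)


def count_chr_calls(src):
    """How many Chr()-style calls appear in the source (literals not counted)."""
    return sum(1 for match in _PIECE.finditer(src) if match.group(1) is not None)


def extract_obfuscated_strings(src, min_chr_calls=3):
    """Return {variable: decoded string} for assignments built from Chr() calls.

    min_chr_calls is a hypothetical triage threshold: a single Chr(34) for a
    quote character is normal VBA, a dozen in one assignment is not.
    """
    found = {}
    for name, rhs in _ASSIGN.findall(src):
        if count_chr_calls(rhs) >= min_chr_calls:
            found[name] = decode_expression(rhs)
    return found


if __name__ == "__main__":
    for name, value in extract_obfuscated_strings(SAMPLE_VBA).items():
        print("%s -> %r" % (name, value))
```

This only handles the straight concatenation pattern; macros that compute arguments (Chr(65 + i)), reverse strings or split them across procedures need the expression evaluated rather than pattern-matched, which is where a sandbox or a dedicated VBA emulator takes over.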

 

 

Upon opening, the attachment attempts to download a PNG file (Filename: nologo.png) that is actually an executable and the TRICKBOT payload.  The first attempt to download our PNG file from lexpertpret[.]com  actually failed, but a second attempt out to hvsglobal[.]co[.]uk was successful in downloading and then saving to 'C:\Users\student\AppData\Local\Temp\ywbltmn.exe'.

 

 

NetWitness provides visibility into this activity and characterizes it as malicious through some of the more obvious meta tags, such as session.analysis = “first carve not dns”, service.analysis = “http no referer”, and file.analysis = “exe filetype but not exe extension”.
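The three meta values above are each weak on their own (plenty of benign traffic has no referer) but strong together, and the C2 addresses later in the post add an independent signal. As an added example, not NetWitness rule syntax and not part of the original post, the following scores constructed sessions shaped like NetWitness meta against those values plus a C2 feed and returns the ones worth an analyst's attention. The weights and threshold are hypothetical; the 203.0.113.0/24 addresses are documentation-range placeholders, and 84.238.198.166 is the router-hosted C2 address quoted in the post.

```python
# Constructed sample sessions shaped like NetWitness meta (key -> values).
# 203.0.113.x addresses are placeholders; 84.238.198.166 is the C2 address
# quoted later in the post.
SAMPLE_SESSIONS = [
    {"sessionid": 1, "ip.dst": "203.0.113.10", "filename": ["nologo.png"],
     "session.analysis": ["first carve not dns"],
     "service.analysis": ["http no referer"],
     "file.analysis": ["exe filetype but not exe extension"]},
    {"sessionid": 2, "ip.dst": "203.0.113.20", "filename": ["logo.png"],
     "session.analysis": [], "service.analysis": [], "file.analysis": []},
    {"sessionid": 3, "ip.dst": "84.238.198.166", "filename": [],
     "session.analysis": [], "service.analysis": ["http no referer"],
     "file.analysis": []},
]

# Weights are hypothetical; the meta keys and values are the ones the post names.
META_INDICATORS = {
    ("session.analysis", "first carve not dns"): 1,
    ("service.analysis", "http no referer"): 1,
    ("file.analysis", "exe filetype but not exe extension"): 3,
}
C2_FEED_WEIGHT = 5      # hypothetical weight for a destination on the C2 feed
ALERT_THRESHOLD = 3     # hypothetical: one strong indicator, or several weak ones


def score_session(session, c2_ips):
    """Return (score, reasons) for one session; reasons explain the score."""
    score, reasons = 0, []
    for (key, value), weight in META_INDICATORS.items():
        if value in session.get(key, []):
            score += weight
            reasons.append("%s = %r" % (key, value))
    if session.get("ip.dst") in c2_ips:
        score += C2_FEED_WEIGHT
        reasons.append("ip.dst in C2 feed")
    return score, reasons


def triage(sessions, c2_ips, threshold=ALERT_THRESHOLD):
    """Sessions whose score reaches the threshold, in input order."""
    alerts = []
    for session in sessions:
        score, reasons = score_session(session, c2_ips)
        if score >= threshold:
            alerts.append({"sessionid": session["sessionid"],
                           "score": score, "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in triage(SAMPLE_SESSIONS, {"84.238.198.166"}):
        print(alert)
```

Returning the reasons alongside the score matters more than the arithmetic: an alert that says "exe filetype but not exe extension" plus "http no referer" tells the analyst what to pivot on, whereas a bare number does not.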

 

 

 

NetWitness Endpoint (aka ECAT) also easily detects this shady behavior.  For more details, please refer to FirstWatch's July 2017 work against Trickbot.

  

The malware’s configuration file carries Command and Control (C2) information as well as other module related settings.  In this case, version is 1000030, the group tag is ser801 and systeminfo & injectDll are the two modules the executable will attempt to download from any of the listed C2. 

 

  

Most of these C2 IPs are known to be associated with devices like Routers and IP Cameras [3].  For example, 84[.]238[.]198[.]166 from our config file appears to be a Router.

 

 

This version (1000029) of Trickbot also debuts worm-like capabilities to spread infections via the EternalBlue exploit of CVE-2017-0144 in the Server Message Block (SMB) protocol. To do so, the malware attempts to enumerate servers using the NetServerEnum Windows API and then queries LDAP to identify computers that are not domain controllers [1]. It is believed that these capabilities are in a testing phase and not yet fully implemented.

 

Image Source: https://www.flashpoint-intel.com/wp-content/uploads/2017/07/image3.png

 

With regard to evasion, this new Trickbot codebase also demonstrates new capabilities [4]. Recent Trickbot versions contain blacklist checks for a variety of defense/research oriented DLLs, processes, filenames, usernames and window names, and also check whether a debugger is present. On any positive hit, Trickbot exits and uninstalls itself.

 

 

 

Image Source: https://www.cyphort.com/wp-content/uploads/2016/07/payload_anti.png

 

Version 1000030 is also known to have two extra modules compared to previous versions of Trickbot [2]:

1. module.dll – written in C++; steals information from browsers

2. outlook.dll – written in Delphi; steals Microsoft Outlook data

The presence of Delphi can be inferred by analyzing the dropped EXE file through hybrid analysis:

 

 

Post infection, Trickbot uses both “Static Injection” (replacing real bank login pages with rogue ones) and “Dynamic Injection” (redirecting browsers to C2) to steal victim credentials. Below is an example of a legitimate (left) and rogue page (right), where a Chrome icon indicates that some elements in the page are not from secure sources [5]:

 

 

Trickbot banking trojan and the group responsible need to be studied with some periodicity, because this successor of Dyre has proven to be capable and ever evolving.  All relevant IOCs have been added to the FirstWatch C2 Domains and IPs feeds as available in RSA Live.

 

Thanks to Kevin Stear and Erik Heuser for their contribution.

 

References:

[1] https://www.flashpoint-intel.com/blog/new-version-trickbot-adds-worm-propagation-module/

[2] https://blog.malwarebytes.com/threat-analysis/2017/08/trickbot-comes-with-new-tricks-attacking-outlook-and-browsing-data/

[3] https://www.securityartwork.es/wp-content/uploads/2017/07/Trickbot-report-S2-Grupo.pdf

[4] https://www.cyphort.com/trik-bot-lots-tricks-sleeve/

[5] https://labsblog.f-secure.com/2017/06/13/trickbot-goes-nordic-once-in-a-while/
