RSA NetWitness Platform Blog, author: Prakhar Pandey

Introduction to MITRE’s ATT&CK™

Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK™) for Enterprise is a framework that describes adversarial actions, or tactics, from Initial Access (Exploit) to Command & Control (Maintain). ATT&CK™ Enterprise classifies post-compromise adversarial tactics and techniques against Windows™, Linux™ and macOS™.

This community-enriched model adds techniques used to realize each tactic. These techniques are not exhaustive, and the community adds them as they are observed and verified.

To read more about how ATT&CK™ helps in resolving challenges and validating our defenses, please see this article.

Introduction to MITRE’s ATT&CK™ Navigator

ATT&CK™ Navigator is a tool openly available through GitHub which uses STIX 2.0 content to provide a layered visualization of the ATT&CK™ model.

ATT&CK™ Navigator stores information in JSON files; each JSON file is a layer containing multiple techniques and can be opened in the Navigator web interface. The JSON contains content in STIX 2.0 format, which can be fetched from a TAXII 2.0 server of your own choice. For example, we can fetch ATT&CK™ content from MITRE's TAXII 2.0 server through its API.

The techniques in this visualization can be:

  • Highlighted with color coding.
  • Given a numerical score to signal the severity/frequency of the technique.
  • Annotated with a comment describing that occurrence of the technique or any other meaningful information.

These layers can be exported in SVG and Excel format.

How to View a JSON in ATT&CK™ Navigator?

  1. Open MITRE’s ATT&CK™ Navigator web application (https://mitre-attack.github.io/attack-navigator/enterprise/).
  2. In Navigator, open a new tab by clicking the '+' button.

    Navigator_Image
  3. Click 'Open Existing Layer' and then 'Upload from Local', which lets you choose a JSON file from your local machine (or the one attached later in this blog).

    Navigator_Image

  4. After uploading the JSON file, the layer opens in Navigator and looks like this:

    Navigator_Image

This visualization highlights the techniques covered in the JSON file with color and comments.

 

RSA NetWitness Endpoint Application Rules

The Rule Library contains all the Endpoint Application Rules, and we can map these rules, i.e. our detection capabilities, to the tactics/techniques of the ATT&CK™ matrix. The mapping shows how many tactics/techniques are detected by RSA NetWitness Endpoint Application Rules.

We have created a layer as a JSON file in which all the NetWitness Endpoint Application Rules are mapped to techniques, and then imported that layer into ATT&CK™ Navigator to show the overlap. In the following image, all the techniques detected by NetWitness Endpoint Application Rules are highlighted:

endpoint_coverage_of_attack

The JSON for Endpoint Application Rules is attached with this blog and can be downloaded.

 

Hovering the mouse over each colored technique shows three things:

  1. Technique ID: the unique ID of the technique as defined in the ATT&CK™ framework.
  2. Score: the threat score given to the technique.
  3. Comment: free text that puts the entry in perspective. In this case, the comment holds the pipe ('|') delimited names of the application rules that cover that technique.

Hover_Over_navigator
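As an added example (not the layer attached to this post, nor NetWitness code), here is how such a layer can be generated programmatically: a constructed rule-to-technique mapping is inverted into Navigator technique entries whose score is the number of rules and whose comment is the pipe-delimited list of rule names, as described above. The rule names are made up; the technique IDs are ATT&CK Enterprise IDs as they were at the time of this post, and the layer format version is an assumption.

```python
import json
from collections import defaultdict

# Constructed sample mapping: rule name -> ATT&CK technique IDs it detects.
# The rule names are invented for illustration; they are not the NetWitness
# Endpoint Application Rules attached to the post.
RULE_TO_TECHNIQUES = {
    "Example: powershell downloads file": ["T1086", "T1105"],
    "Example: scheduled task created": ["T1053"],
    "Example: registry run key modified": ["T1060"],
    "Example: encoded powershell command": ["T1086", "T1027"],
}


def build_layer(rule_map, name="Example coverage layer"):
    """Invert a rule->technique mapping into an ATT&CK Navigator layer dict.

    Each technique entry gets a score equal to the number of rules that
    detect it and a pipe-delimited comment listing those rules.
    """
    rules_per_technique = defaultdict(list)
    for rule, technique_ids in rule_map.items():
        for tid in technique_ids:
            rules_per_technique[tid].append(rule)

    techniques = [
        {
            "techniqueID": tid,
            "score": len(rules),
            "comment": "|".join(sorted(rules)),   # pipe-delimited rule names
            "color": "#fd8d3c",
            "enabled": True,
        }
        for tid, rules in sorted(rules_per_technique.items())
    ]
    max_score = max((t["score"] for t in techniques), default=1)
    return {
        "name": name,
        "version": "2.1",                 # layer format version (assumption)
        "domain": "mitre-enterprise",
        "description": "Techniques covered by detection rules",
        "techniques": techniques,
        # Navigator shades each technique from white to red by score.
        "gradient": {"colors": ["#ffffff", "#ff6666"],
                     "minValue": 0, "maxValue": max_score},
    }


if __name__ == "__main__":
    # Write the layer; upload it via 'Open Existing Layer' > 'Upload from Local'.
    with open("example_layer.json", "w") as fh:
        json.dump(build_layer(RULE_TO_TECHNIQUES), fh, indent=2)
```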

To quantify how far the RSA NetWitness Endpoint Application Rules spread across the matrix, refer to the following plot:

Analysis_Plot

We have already mapped RSA ESA Rules to the ATT&CK™ framework, as described in this article. Updating this ATT&CK™ coverage periodically gives us a consolidated picture of our complete defense system, so we can quantify and monitor the evolution of our detection capabilities.


Introduction to MITRE’s ATT&CK™

Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK™) for Enterprise is a framework that describes adversarial actions, or tactics, from Initial Access (Exploit) to Command & Control (Maintain). ATT&CK™ Enterprise classifies post-compromise adversarial tactics and techniques against Windows™, Linux™ and macOS™.

Two other frameworks have also been developed, namely PRE-ATT&CK™ and the ATT&CK™ Mobile Profile. PRE-ATT&CK™ categorizes pre-compromise tactics, techniques and procedures (TTPs) independent of platform/OS: the adversary's planning, information gathering, reconnaissance and setup before the victim is compromised.

The ATT&CK™ Mobile Profile is specific to Android and iOS mobile environments and has three matrices that classify tactics and techniques. It covers not just post-compromise tactics and techniques but also pre-compromise TTPs in mobile environments.

This community-enriched model adds techniques used to realize each tactic. These techniques are not exhaustive, and the community adds them as they are observed and verified.

This matrix helps validate the defenses already in place and design new security measures. It can be used in the following ways to improve and validate defenses:

  1. The framework can be used to create adversary emulation plans, which hunters and defenders use to test and verify their defenses. These plans also ensure you are testing against an ever-evolving industry-standard framework.
  2. Adversary behavior can be mapped onto the ATT&CK™ matrix and used for analytics to improve your Indicators of Compromise (IOCs) or Behaviors of Compromise (BOCs). This enhances your detection capabilities with greater insight into threat-actor-specific information.
  3. Mapping your existing defenses to the matrix visualizes which tactics and techniques are detected, which presents an opportunity to assess gaps and prioritize your efforts to build new defenses.
  4. The ATT&CK™ framework helps build threat intelligence from the perspective not just of TTPs but of the threat groups and software in use. Detection then depends not only on TTPs but on their relationships with the threat groups and software in play.

Figure 1: Relationships between Threat-Group, Software, Tactics and Techniques

This framework resolves the following problems:

  1. Existing Kill Chain concepts were too abstract to relate new techniques to new types of detection capabilities and defenses. ATT&CK™ can be called a Kill Chain on steroids.
  2. Techniques added or considered should be observed in a real environment, not taken only from theoretical concepts. Having the community add techniques ensures that they have been seen in the wild and are thus suitable for people using this model in real environments.
  3. The model gives a common language and terminology across different environments and threat actors, which is important in making it an industry standard.
  4. Granular indicators like domain names, hashes and protocols do not provide enough information to see the bigger picture of how the threat actor is exploiting the system and its relationship with the various sub-systems and tools the adversary uses. This model gives a good understanding of the tactics and techniques used and the relationships between them, which can then be used to drill down into only the important granular details.
  5. The model provides a common repository from which this information can be consumed via APIs and programs. It is available from a public TAXII 2.0 server that serves STIX 2.0 content.

ATT&CK Navigator

ATT&CK Navigator is a tool openly available through GitHub which uses STIX 2.0 content to provide a layered visualization of the ATT&CK model.

Figure 2: ATT&CK Navigator

By default, Navigator uses MITRE’s TAXII server, but it can be pointed at any TAXII server of choice. Navigator represents layers as JSON files, which can be created programmatically to generate layers.

RSA NetWitness Event Stream Analysis (ESA)

ESA is one of the defense systems used to generate alerts. ESA Rules provide real-time, complex event processing of log, packet, and endpoint meta across sessions. ESA Rules can identify threats and risks by recognizing adversarial Tactics, Techniques and Procedures (TTPs).

The ESA components are:

  1. Alert - Output from a rule that matches data in the environment.
  2. Template - Converts the rule syntax into code (Esper) that ESA understands.
  3. Constituent Events - All of the events involved in an alert, including the trigger event.
  4. Rule Library - A list of all the ESA Rules that have been created.
  5. Deployments - A list of the ESA Rules that have been deployed to an ESA device.

The Rule Library contains all the ESA Rules, and we can map these rules, i.e. our detection capabilities, to the tactics/techniques of the ATT&CK matrix. The mapping shows how many tactics/techniques are detected by ESA. Attached to this blog post is the Excel workbook of the mapping between ESA Rules and ATT&CK Tactics/Techniques.

In other words, the overlap between ESA Rules and the ATT&CK matrix not only shows how far our detection capabilities reach across the matrix but also quantifies the evolution of the product. We can measure how much we are improving and in which directions.

We have created a layer as a JSON file in which all the ESA Rules are mapped to techniques, and then imported that layer into ATT&CK Navigator to show the overlap. In the following image, all the techniques detected by ESA Rules are highlighted:

Figure 3: ATT&CK Navigator Mapping to ESA Rules

To quantify how far ESA Rules spread across the matrix, refer to the following plot:

Figure 4: Plot for ATT&CK Matrix Mapping to ESA Rules

 
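The numbers behind a plot like Figure 4 can be computed directly from a layer file. The following is an added example (not the ESA layer or workbook attached to this post): it reads a constructed Navigator layer whose entries carry a tactic and the pipe-delimited rule names in the comment, and reports, per tactic, how many techniques and distinct rules cover it and what share of that tactic's techniques is covered. The per-tactic technique totals are constructed stand-ins for the counts you would take from the matrix version in use.

```python
import json
from collections import defaultdict

# Constructed sample layer in ATT&CK Navigator layer format (not the layer
# attached to the post). "tactic" is the Navigator short name of the tactic;
# "comment" holds the pipe-delimited names of the rules covering the technique.
SAMPLE_LAYER = json.dumps({
    "name": "Example ESA coverage", "version": "2.1", "domain": "mitre-enterprise",
    "techniques": [
        {"techniqueID": "T1086", "tactic": "execution", "score": 3, "comment": "r1|r2|r3"},
        {"techniqueID": "T1053", "tactic": "execution", "score": 1, "comment": "r4"},
        {"techniqueID": "T1053", "tactic": "persistence", "score": 1, "comment": "r4"},
        {"techniqueID": "T1060", "tactic": "persistence", "score": 2, "comment": "r5|r6"},
        {"techniqueID": "T1027", "tactic": "defense-evasion", "score": 1, "comment": "r7"},
    ],
})

# Constructed technique totals per tactic (assumed values, not real matrix counts);
# in practice derive them from the STIX bundle of the ATT&CK version in use.
TECHNIQUES_PER_TACTIC = {"execution": 33, "persistence": 59,
                         "defense-evasion": 67, "credential-access": 20}


def coverage_by_tactic(layer_json, totals):
    """Per tactic: distinct techniques covered, distinct rules, and percent of the matrix."""
    layer = json.loads(layer_json)
    techniques = defaultdict(set)   # tactic -> technique IDs with at least one rule
    rules = defaultdict(set)        # tactic -> distinct rule names
    for entry in layer["techniques"]:
        tactic = entry["tactic"]
        techniques[tactic].add(entry["techniqueID"])
        rules[tactic].update(r for r in entry.get("comment", "").split("|") if r)
    report = {}
    for tactic, total in totals.items():
        covered = len(techniques[tactic])
        report[tactic] = {"covered": covered, "total": total,
                          "percent": round(100.0 * covered / total, 1),
                          "rules": len(rules[tactic])}
    return report


def uncovered_tactics(report):
    """Tactics with no detected technique at all: the first gaps to prioritize."""
    return sorted(t for t, r in report.items() if r["covered"] == 0)


if __name__ == "__main__":
    report = coverage_by_tactic(SAMPLE_LAYER, TECHNIQUES_PER_TACTIC)
    for tactic, r in sorted(report.items(), key=lambda kv: -kv[1]["percent"]):
        print(f"{tactic:18} {r['covered']:3}/{r['total']:<3} {r['percent']:5.1f}%"
              f"  rules={r['rules']}  {'#' * r['covered']}")
    print("uncovered:", uncovered_tactics(report))
```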

Moving forward, we can map our other detection capabilities to the ATT&CK matrix. This will give us a consolidated picture of our complete defense system, so we can quantify and monitor the evolution of our detection capabilities.


Thanks to Michael Sconzo and Raymond Carney for their valuable suggestions.

In the first week of August 2017, malspam activity was observed delivering the Trickbot banking trojan, which has been heavily active this summer and has now evolved once again.

Beginning in 2011, Trickbot actors targeted banks in countries such as the UK and India, but the trojan has since expanded its range of countries and victims to include PayPal and Customer Relationship Management (CRM) providers. Trickbot has also evolved consistently, recently adding new evasion techniques, browser manipulation tools, modules targeting Microsoft Outlook data, and now worm functionality.

Primary delivery of the malware has been attributed to the Necurs botnet and sometimes to the RIG exploit kit. In this most recent delivery, malspam delivered an MS Word document (file name: SecureMessage.doc) containing embedded, obfuscated VBA macros along with a Santander bank decoy.

This document contains malicious VBA code, and What's This File gives it the maximum threat score. The VBA code analysis shows the main indicators as “VBA Code Contains Reference to Code Execution” and “VBA Code Contains Auto-Launch Scripts”.

As visible below, the cleansed VBA code contained within the document uses Shell to launch an executable.

 

 

 

Use of Chr in the VBA code suggests obfuscation of specific strings:

Upon opening, the attachment attempts to download a PNG file (file name: nologo.png) that is actually an executable, the Trickbot payload. The first attempt to download the PNG from lexpertpret[.]com failed, but a second attempt out to hvsglobal[.]co[.]uk succeeded, and the file was saved to 'C:\Users\student\AppData\Local\Temp\ywbltmn.exe'.

NetWitness provides visibility into this activity and characterizes it as malicious through some of the more obvious meta tags, such as session.analysis = “first carve not dns”, service.analysis = “http no referer”, and file.analysis = “exe filetype but not exe extension”.

 

 

 
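The “exe filetype but not exe extension” meta above is the kind of check that catches this download: the content is a PE even though the name says PNG. The following is an added example (not NetWitness code) of a simplified version of that check, run over constructed byte samples under the file names from this post; the minimal PE header is built inline and is not the real payload.

```python
import struct

EXECUTABLE_EXTENSIONS = {"exe", "dll", "sys", "scr", "com"}


def is_pe(data: bytes) -> bool:
    """True if data has a DOS 'MZ' header whose e_lfanew points at a 'PE\\0\\0' signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]   # offset of the PE header
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def exe_filetype_but_not_exe_extension(filename: str, data: bytes) -> bool:
    """Mirror of the file.analysis meta: content is PE, but the name does not say so."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    return is_pe(data) and ext not in EXECUTABLE_EXTENSIONS


# Constructed samples (not the real files): a minimal PE-shaped blob with
# e_lfanew = 0x40 and the PE signature at that offset, and a real PNG magic.
FAKE_PE = b"MZ" + b"\x00" * 0x3A + struct.pack("<I", 0x40) + b"PE\x00\x00" + b"\x00" * 16
REAL_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16

SAMPLES = {
    "nologo.png": FAKE_PE,     # the download described above: PE under a .png name
    "logo.png": REAL_PNG,      # genuine image, must not be flagged
    "ywbltmn.exe": FAKE_PE,    # PE with an executable extension, not a mismatch
}


def flagged(samples):
    """Names of samples whose content type contradicts their extension."""
    return sorted(name for name, data in samples.items()
                  if exe_filetype_but_not_exe_extension(name, data))


if __name__ == "__main__":
    print("flagged:", flagged(SAMPLES))
```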

NetWitness Endpoint (aka ECAT) also easily detects this shady behavior.  For more details, please refer to FirstWatch's July 2017 work against Trickbot.

  

The malware’s configuration file carries Command and Control (C2) information as well as other module-related settings. In this case, the version is 1000030, the group tag is ser801, and systeminfo and injectDll are the two modules the executable will attempt to download from any of the listed C2 servers.

Most of these C2 IPs are known to be associated with devices such as routers and IP cameras [3]. For example, 84[.]238[.]198[.]166 from our config file appears to be a router.

 

 

This version (1000029) of Trickbot also debuts worm-like capabilities to spread infections via the EternalBlue exploit for CVE-2017-0144 in the Server Message Block (SMB) protocol. To do so, the malware enumerates servers using the NetServerEnum Windows API and then queries LDAP to identify computers that are not domain controllers [1]. These capabilities are believed to be in a testing phase and not yet fully implemented.

Image Source: https://www.flashpoint-intel.com/wp-content/uploads/2017/07/image3.png

 

With regard to evasion, this new Trickbot codebase also demonstrates new capabilities [4]. Recent Trickbot versions contain blacklist checks for a variety of defense- and research-oriented DLLs, processes, filenames, usernames and window names, and also check whether a debugger is present. On any positive hit, Trickbot exits and uninstalls itself.

Image Source: https://www.cyphort.com/wp-content/uploads/2016/07/payload_anti.png

 

Version 1000030 is also known to have two extra modules compared with previous versions of Trickbot [2]:

1. module.dll – written in C++, it steals information from browsers

2. outlook.dll – written in Delphi, it steals Microsoft Outlook data

The presence of Delphi can be inferred by analyzing the dropped EXE file in Hybrid Analysis:

Post infection, Trickbot uses both “Static Injection” (replacing real bank login pages with rogue ones) and “Dynamic Injection” (redirecting browsers to C2) to steal victim credentials. Below is an example of a legitimate (left) and rogue page (right), where a Chrome icon indicates that some elements in the page are not from secure sources [5]:

Trickbot banking trojan and the group responsible need to be studied with some periodicity, because this successor of Dyre has proven to be capable and ever evolving.  All relevant IOCs have been added to the FirstWatch C2 Domains and IPs feeds as available in RSA Live.

 

Thanks to Kevin Stear and Erik Heuser for their contribution.

References:

[1] https://www.flashpoint-intel.com/blog/new-version-trickbot-adds-worm-propagation-module/

[2] https://blog.malwarebytes.com/threat-analysis/2017/08/trickbot-comes-with-new-tricks-attacking-outlook-and-browsing-data/

[3] https://www.securityartwork.es/wp-content/uploads/2017/07/Trickbot-report-S2-Grupo.pdf

[4] https://www.cyphort.com/trik-bot-lots-tricks-sleeve/

[5] https://labsblog.f-secure.com/2017/06/13/trickbot-goes-nordic-once-in-a-while/
