19 January 2019

MITRE ATT&CK for planning the technical controls of corporate information security

Sergey Soldatov
The previous post looked at ways a security operations center can use ATT&CK. Its value for planning and developing corporate security controls should not be underestimated either.
The set of information security measures should match the current adversary model, but the CISO's perennial question, how much security is enough, is still open: alongside underinvestment, overkill is just as possible. Where is the golden mean?
If we assume that MITRE's collection of tactics and techniques is a compilation of the current threat landscape (the one known today; defending against the unknown is impossible and only leads to unjustified security spending), then one possible way to build a corporate ISMS is as a set of measures that counter the threats in this knowledge base. Fortunately, the whole knowledge base is available in a machine-readable format, which makes it convenient to analyze. At the end of this post I include tables from a Jupyter notebook, available here, as an example of such an analysis for Windows (I apologize in advance to Python fans for what is probably not the prettiest code: being a hardened Perl programmer I still have not got used to many of this language's quirks, although writing it in C++ appeals to me considerably less). The table "APT actors use Techniques" lists the techniques ordered by the number of groups (intrusion-set) that use them. The malware (malware) associated with each technique is also given, as are the other tools that are not malware in the strict sense (tool). The column of most interest for planning and developing corporate defensive technology is the required telemetry (data_sources). The structure of ATT&CK is described here, in diagram 2 on p. 12, but I would rather depict the layout of the machine-readable (hereafter MR) JSON as in the table "Number of objects of different type".

From the table "APT actors use Techniques" one can infer which techniques are used most often by the groups publicly known today and, with a known degree of approximation, plan the priority and phasing of the corporate attack detection and prevention systems accordingly.
The last column, data_sources, matters a great deal: it shows, in effect, which logs are needed to detect the use of each technique.
The last table in the Appendices, "Telemetry required for Techniques", shows how many techniques can be detected given a particular kind of telemetry. Note that a technique is counted under every data source it lists, so the counts overlap and add up to far more than the number of techniques; collecting a source is also only a prerequisite for a detection, not the detection itself. An important observation follows from that table, which we will touch on in the next post.
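The three appendix tables are plain aggregations over the STIX 2.0 bundle. The script below is an added example, not the author's notebook, that reproduces those aggregations over a constructed miniature bundle laid out like enterprise-attack.json from the MITRE cti repository (object `type`/`id`, `relationship_type` with `source_ref`/`target_ref`, `x_mitre_platforms`, `x_mitre_data_sources`, `external_references`). The object IDs, names and relationships in the sample are made up for the demonstration; only the field names are the real ones from the 2019-era bundles. Skipping objects marked `revoked` or `x_mitre_deprecated` is an addition the post does not mention. Pass the path of a real bundle as the first argument to run the same code over real data.

```python
"""Aggregate a MITRE ATT&CK STIX 2.0 bundle into the three tables used in the post."""
import json
import sys
from collections import Counter, defaultdict


def _rel(src, rel_type, dst):
    return {"type": "relationship", "relationship_type": rel_type,
            "source_ref": src, "target_ref": dst}


def _technique(uid, ext_id, name, platforms, data_sources, **extra):
    obj = {"type": "attack-pattern", "id": f"attack-pattern--{uid}", "name": name,
           "x_mitre_platforms": platforms, "x_mitre_data_sources": data_sources,
           "external_references": [{"source_name": "mitre-attack", "external_id": ext_id}]}
    obj.update(extra)
    return obj


# Constructed miniature bundle in the layout of enterprise-attack.json. IDs, names
# and relationships are made up for this example; only the field names are real.
SAMPLE_BUNDLE = {"type": "bundle", "objects": [
    _technique("ps", "T1086", "PowerShell", ["Windows"],
               ["Windows Registry", "File monitoring", "Process monitoring",
                "Process command-line parameters"]),
    _technique("cred", "T1003", "Credential Dumping", ["Windows"],
               ["API monitoring", "Process monitoring", "PowerShell logs",
                "Process command-line parameters"]),
    _technique("bash", "T1139", "Bash History", ["Linux", "macOS"], ["File monitoring"]),
    # Revoked entry (placeholder ID, not a real ATT&CK technique) that must be skipped.
    _technique("old", "T0000", "Revoked Example", ["Windows"], ["Process monitoring"],
               revoked=True),
    {"type": "intrusion-set", "id": "intrusion-set--g1", "name": "Group One"},
    {"type": "intrusion-set", "id": "intrusion-set--g2", "name": "Group Two"},
    {"type": "malware", "id": "malware--m1", "name": "Malware One"},
    {"type": "tool", "id": "tool--t1", "name": "Tool One"},
    {"type": "course-of-action", "id": "course-of-action--c1", "name": "Restrict PowerShell"},
    _rel("intrusion-set--g1", "uses", "attack-pattern--ps"),
    _rel("intrusion-set--g2", "uses", "attack-pattern--ps"),
    _rel("intrusion-set--g1", "uses", "attack-pattern--cred"),
    _rel("intrusion-set--g1", "uses", "attack-pattern--bash"),
    _rel("intrusion-set--g1", "uses", "attack-pattern--old"),
    _rel("malware--m1", "uses", "attack-pattern--ps"),
    _rel("malware--m1", "uses", "attack-pattern--cred"),
    _rel("tool--t1", "uses", "attack-pattern--cred"),
    _rel("intrusion-set--g1", "uses", "malware--m1"),
    _rel("intrusion-set--g2", "uses", "tool--t1"),
    _rel("course-of-action--c1", "mitigates", "attack-pattern--ps"),
    _rel("attack-pattern--old", "revoked-by", "attack-pattern--ps"),
]}


def load_bundle(path):
    """Read a STIX 2.0 bundle such as enterprise-attack.json and return its objects."""
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)["objects"]


def stix_type(ref):
    """STIX ids are '<type>--<uuid>', so the object type is recoverable without a lookup."""
    return ref.split("--", 1)[0]


def is_active(obj):
    return not obj.get("revoked", False) and not obj.get("x_mitre_deprecated", False)


def attack_id(technique):
    """Return the Txxxx id from the mitre-attack external reference."""
    for ref in technique.get("external_references", []):
        if ref.get("source_name") == "mitre-attack":
            return ref.get("external_id")
    return None


def object_type_counts(objects):
    """Table 1: count objects by type; relationships keyed as source->type->target."""
    counts = Counter()
    for o in objects:
        if o["type"] == "relationship":
            key = (f"relationship:{stix_type(o['source_ref'])}->"
                   f"{o['relationship_type']}->{stix_type(o['target_ref'])}")
        else:
            key = o["type"]
        counts[key] += 1
    return counts


def _platform_techniques(objects, platform):
    return {o["id"]: o for o in objects
            if o["type"] == "attack-pattern" and is_active(o)
            and platform in o.get("x_mitre_platforms", [])}


def technique_usage(objects, platform="Windows"):
    """Table 2: per technique, how many intrusion-sets / malware / tools use it."""
    techniques = _platform_techniques(objects, platform)
    users = defaultdict(Counter)  # technique id -> Counter of user object types
    for o in objects:
        if (o["type"] == "relationship" and o["relationship_type"] == "uses"
                and is_active(o) and o["target_ref"] in techniques):
            users[o["target_ref"]][stix_type(o["source_ref"])] += 1
    rows = [{"technique": f"{attack_id(t)}: {t['name']}",
             "intrusion-set": users[tid]["intrusion-set"],
             "malware": users[tid]["malware"],
             "tool": users[tid]["tool"],
             "data_sources": list(t.get("x_mitre_data_sources", []))}
            for tid, t in techniques.items()]
    rows.sort(key=lambda r: (-r["intrusion-set"], r["technique"]))
    return rows


def telemetry_coverage(objects, platform="Windows"):
    """Table 3: for each data source, the number of techniques that list it."""
    cov = Counter()
    for t in _platform_techniques(objects, platform).values():
        for ds in set(t.get("x_mitre_data_sources", [])):
            cov[ds] += 1
    return cov


if __name__ == "__main__":
    objects = load_bundle(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_BUNDLE["objects"]
    platform = sys.argv[2] if len(sys.argv) > 2 else "Windows"
    for key, n in object_type_counts(objects).most_common():
        print(f"{n:5d}  {key}")
    for r in technique_usage(objects, platform):
        print(f"{r['technique']:<45} {r['intrusion-set']:3d} {r['malware']:3d} "
              f"{r['tool']:3d}  " + "; ".join(r["data_sources"]))
    for ds, n in telemetry_coverage(objects, platform).most_common():
        print(f"{n:4d}  {ds}")
```

Relationships are typed from the `--` prefix of their refs rather than by looking the referenced object up, which is what makes the first table cheap to build; the per-platform filter and the revoked/deprecated filter are applied once, in `_platform_techniques`, so the second and third tables always describe the same set of techniques.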

To summarize briefly: MITRE ATT&CK can well serve as a quasi-scientific justification for deploying the corresponding security systems in a company (that is, the systems that supply the corresponding telemetry), and as a basis for defining the phases and priorities of such projects.
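Once the rows of "APT actors use Techniques" are in hand, the phasing question above (which telemetry to onboard first) can be answered mechanically. The block below is an added example, not part of the post, that runs a greedy set-cover over a handful of rows copied from the table in the Appendices. It assumes a technique counts as detectable as soon as any one of its listed data sources is collected (ATT&CK does not say whether the listed sources are alternatives or all required, so this is the optimistic reading), weights each technique by its intrusion-set count, and breaks ties in favour of the data source that appears in more techniques overall; all three of those choices are this example's, not the author's.

```python
"""Greedy phasing of telemetry onboarding from ATT&CK technique/data-source rows."""
from collections import Counter

# Rows copied from the "APT actors use Techniques" table in this post:
# (technique, number of intrusion-sets using it, data sources listed by ATT&CK).
# A subset is enough to show the method; the full table plugs in the same way.
ROWS = [
    ("T1064: Scripting", 31,
     ["Process monitoring", "File monitoring", "Process command-line parameters"]),
    ("T1086: PowerShell", 28,
     ["Windows Registry", "File monitoring", "Process monitoring",
      "Process command-line parameters"]),
    ("T1003: Credential Dumping", 27,
     ["API monitoring", "Process monitoring", "PowerShell logs",
      "Process command-line parameters"]),
    ("T1204: User Execution", 26,
     ["Anti-virus", "Process command-line parameters", "Process monitoring"]),
    ("T1193: Spearphishing Attachment", 23,
     ["File monitoring", "Packet capture", "Network intrusion detection system",
      "Detonation chamber", "Email gateway", "Mail server"]),
    ("T1078: Valid Accounts", 18, ["Authentication logs", "Process monitoring"]),
    ("T1110: Brute Force", 6, ["Authentication logs"]),
    ("T1133: External Remote Services", 6, ["Authentication logs"]),
    ("T1075: Pass the Hash", 3, ["Authentication logs"]),
]


def detectable(rows, available):
    """Techniques with at least one listed data source in `available` (optimistic reading)."""
    return [name for name, _, srcs in rows if set(srcs) & set(available)]


def weighted_coverage(rows, available):
    """Sum of intrusion-set counts of the techniques `available` makes detectable."""
    return sum(w for _, w, srcs in rows if set(srcs) & set(available))


def plan_phases(rows, already=(), weight=True):
    """Greedy set-cover: each phase adds the data source that newly covers the most
    intrusion-set-weighted (or, with weight=False, plain) techniques.
    `already` lists telemetry that is collected before phase 1.
    Returns [(data_source, gain, cumulative_coverage), ...]."""
    available = set(already)
    # Tie-break: prefer the source that appears in more techniques overall.
    overall = Counter(s for _, _, srcs in rows for s in set(srcs))
    score = (lambda w: w) if weight else (lambda w: 1)
    cumulative = sum(score(w) for _, w, srcs in rows if set(srcs) & available)
    phases = []
    while True:
        remaining = [r for r in rows if not set(r[2]) & available]
        gain = Counter()
        for _, w, srcs in remaining:
            for s in set(srcs):
                gain[s] += score(w)
        if not gain:  # nothing left, or only techniques with no data source at all
            break
        # sorted() first so that equal (gain, overall) resolves to the alphabetically first name
        best = max(sorted(gain), key=lambda s: (gain[s], overall[s]))
        available.add(best)
        cumulative += gain[best]
        phases.append((best, gain[best], cumulative))
    return phases


if __name__ == "__main__":
    total = sum(w for _, w, _ in ROWS)
    print("Phase  Data source                     gain  cumulative  (of", total, ")")
    for i, (src, gain, cum) in enumerate(plan_phases(ROWS), 1):
        print(f"{i:5d}  {src:<30} {gain:5d}  {cum:10d}")
    print("Already have authentication logs:",
          [src for src, _, _ in plan_phases(ROWS, already={"Authentication logs"})])
```

The `gain` check is what keeps the loop safe on the full table: T1120 (Peripheral Device Discovery) lists no data source at all, so without it the planner would spin forever trying to cover a technique that no telemetry covers. Running the plain, unweighted variant side by side with the weighted one is a quick way to see how much the intrusion-set counts actually change the order.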

Appendices

Number of objects of different type

Object | Count
attack-pattern | 223
relationship:course-of-action->mitigates->attack-pattern | 222
relationship:intrusion-set->uses->attack-pattern | 884
relationship:intrusion-set->uses->malware | 199
relationship:intrusion-set->uses->tool | 144
relationship:malware->uses->attack-pattern | 2065
relationship:tool->uses->attack-pattern | 208
relationship:intrusion-set->revoked-by->intrusion-set | 2
relationship:malware->revoked-by->malware | 1
course-of-action | 222
identity | 1
intrusion-set | 80
malware | 237
tool | 47
x-mitre-matrix | 1
x-mitre-tactic | 11
marking-definition | 1

APT actors use Techniques

technique | intrusion-set | malware | tool | data_sources
T1064: Scripting | 31 | 19 | 3 | Process monitoring; File monitoring; Process command-line parameters
T1086: PowerShell | 28 | 15 | 3 | Windows Registry; File monitoring; Process monitoring; Process command-line parameters
T1003: Credential Dumping | 27 | 21 | 13 | API monitoring; Process monitoring; PowerShell logs; Process command-line parameters
T1204: User Execution | 26 | 1 | 0 | Anti-virus; Process command-line parameters; Process monitoring
T1027: Obfuscated Files or Information | 24 | 62 | 2 | Network protocol analysis; Process use of network; File monitoring; Malware reverse engineering; Binary file metadata; Process command-line parameters; Environment variable; Process monitoring; Windows event logs; Network intrusion detection system; Email gateway; SSL/TLS inspection
T1059: Command-Line Interface | 23 | 85 | 4 | Process monitoring; Process command-line parameters
T1060: Registry Run Keys / Startup Folder | 23 | 68 | 2 | Windows Registry; File monitoring
T1105: Remote File Copy | 23 | 97 | 6 | File monitoring; Packet capture; Process use of network; Netflow/Enclave netflow; Network protocol analysis; Process monitoring
T1193: Spearphishing Attachment | 23 | 0 | 0 | File monitoring; Packet capture; Network intrusion detection system; Detonation chamber; Email gateway; Mail server
T1071: Standard Application Layer Protocol | 21 | 104 | 2 | Packet capture; Netflow/Enclave netflow; Process use of network; Malware reverse engineering; Process monitoring
T1107: File Deletion | 18 | 64 | 2 | File monitoring; Process command-line parameters; Binary file metadata
T1078: Valid Accounts | 18 | 4 | 1 | Authentication logs; Process monitoring
T1053: Scheduled Task | 17 | 22 | 4 | File monitoring; Process monitoring; Process command-line parameters; Windows event logs
T1002: Data Compressed | 15 | 14 | 1 | Binary file metadata; File monitoring; Process command-line parameters; Process monitoring
T1083: File and Directory Discovery | 15 | 81 | 3 | File monitoring; Process monitoring; Process command-line parameters
T1082: System Information Discovery | 15 | 99 | 4 | Process monitoring; Process command-line parameters
T1005: Data from Local System | 14 | 20 | 4 | File monitoring; Process monitoring; Process command-line parameters
T1057: Process Discovery | 14 | 66 | 4 | Process monitoring; Process command-line parameters
T1016: System Network Configuration Discovery | 13 | 57 | 7 | Process monitoring; Process command-line parameters
T1074: Data Staged | 12 | 22 | 0 | File monitoring; Process monitoring; Process command-line parameters
T1189: Drive-by Compromise | 12 | 2 | 0 | Packet capture; Network device logs; Process use of network; Web proxy; Network intrusion detection system; SSL/TLS inspection
T1076: Remote Desktop Protocol | 12 | 1 | 4 | Authentication logs; Netflow/Enclave netflow; Process monitoring
T1018: Remote System Discovery | 12 | 10 | 3 | Network protocol analysis; Process monitoring; Process use of network; Process command-line parameters
T1192: Spearphishing Link | 12 | 0 | 0 | Packet capture; Web proxy; Email gateway; Detonation chamber; SSL/TLS inspection; DNS records; Mail server
T1033: System Owner/User Discovery | 12 | 45 | 2 | File monitoring; Process monitoring; Process command-line parameters
T1056: Input Capture | 11 | 44 | 4 | Windows Registry; Kernel drivers; Process monitoring; API monitoring
T1036: Masquerading | 11 | 33 | 1 | File monitoring; Process monitoring; Binary file metadata
T1087: Account Discovery | 10 | 19 | 4 | API monitoring; Process monitoring; Process command-line parameters
T1140: Deobfuscate/Decode Files or Information | 10 | 20 | 1 | File monitoring; Process monitoring; Process command-line parameters
T1116: Code Signing | 9 | 11 | 2 | Binary file metadata
T1043: Commonly Used Port | 9 | 40 | 2 | Packet capture; Netflow/Enclave netflow; Process use of network; Process monitoring
T1203: Exploitation for Client Execution | 9 | 2 | 0 | Anti-virus; System calls; Process monitoring
T1055: Process Injection | 9 | 28 | 4 | API monitoring; Windows Registry; File monitoring; DLL monitoring; Process monitoring; Named Pipes
T1102: Web Service | 9 | 20 | 0 | Host network interface; Netflow/Enclave netflow; Network protocol analysis; Packet capture; SSL/TLS inspection
T1047: Windows Management Instrumentation | 9 | 12 | 3 | Authentication logs; Netflow/Enclave netflow; Process monitoring; Process command-line parameters
T1022: Data Encrypted | 8 | 18 | 0 | File monitoring; Process monitoring; Process command-line parameters; Binary file metadata
T1050: New Service | 8 | 36 | 1 | Windows Registry; Process monitoring; Process command-line parameters; Windows event logs
T1113: Screen Capture | 8 | 50 | 3 | API monitoring; Process monitoring; File monitoring
T1032: Standard Cryptographic Protocol | 8 | 37 | 3 | Packet capture; Netflow/Enclave netflow; Malware reverse engineering; Process use of network; Process monitoring; SSL/TLS inspection
T1049: System Network Connections Discovery | 8 | 13 | 4 | Process monitoring; Process command-line parameters
T1077: Windows Admin Shares | 8 | 6 | 3 | Process use of network; Authentication logs; Process monitoring; Process command-line parameters
T1068: Exploitation for Privilege Escalation | 7 | 4 | 1 | Windows Error Reporting; Process monitoring; Application logs
T1112: Modify Registry | 7 | 26 | 2 | Windows Registry; File monitoring; Process monitoring; Process command-line parameters; Windows event logs
T1046: Network Service Scanning | 7 | 5 | 3 | Netflow/Enclave netflow; Network protocol analysis; Packet capture; Process command-line parameters; Process use of network
T1045: Software Packing | 7 | 11 | 0 | Binary file metadata
T1119: Automated Collection | 6 | 11 | 0 | File monitoring; Data loss prevention; Process command-line parameters
T1110: Brute Force | 6 | 2 | 0 | Authentication logs
T1088: Bypass User Account Control | 6 | 11 | 4 | System calls; Process monitoring; Authentication logs; Process command-line parameters
T1073: DLL Side-Loading | 6 | 11 | 0 | Process use of network; Process monitoring; Loaded DLLs
T1089: Disabling Security Tools | 6 | 20 | 1 | API monitoring; File monitoring; Services; Windows Registry; Process command-line parameters; Anti-virus
T1114: Email Collection | 6 | 6 | 1 | Authentication logs; File monitoring; Process monitoring; Process use of network
T1133: External Remote Services | 6 | 0 | 0 | Authentication logs
T1070: Indicator Removal on Host | 6 | 12 | 1 | File monitoring; Process monitoring; Process command-line parameters; API monitoring; Windows event logs
T1012: Query Registry | 6 | 27 | 2 | Windows Registry; Process monitoring; Process command-line parameters
T1108: Redundant Access | 6 | 1 | 0 | Process monitoring; Process use of network; Packet capture; Network protocol analysis; File monitoring; Authentication logs; Binary file metadata
T1009: Binary Padding | 5 | 8 | 0 | Binary file metadata; File monitoring; Malware reverse engineering
T1090: Connection Proxy | 5 | 15 | 4 | Process use of network; Process monitoring; Netflow/Enclave netflow; Packet capture
T1173: Dynamic Data Exchange | 5 | 2 | 0 | API monitoring; DLL monitoring; Process monitoring; Windows Registry; Windows event logs
T1041: Exfiltration Over Command and Control Channel | 5 | 11 | 1 | User interface; Process monitoring
T1066: Indicator Removal from Tools | 5 | 2 | 2 | Process use of network; Process monitoring; Process command-line parameters; Anti-virus; Binary file metadata
T1069: Permission Groups Discovery | 5 | 9 | 2 | API monitoring; Process monitoring; Process command-line parameters
T1117: Regsvr32 | 5 | 3 | 1 | Loaded DLLs; Process monitoring; Windows Registry; Process command-line parameters
T1085: Rundll32 | 5 | 24 | 1 | File monitoring; Process monitoring; Process command-line parameters; Binary file metadata
T1023: Shortcut Modification | 5 | 15 | 0 | File monitoring; Process monitoring; Process command-line parameters
T1007: System Service Discovery | 5 | 18 | 2 | Process monitoring; Process command-line parameters
T1065: Uncommonly Used Port | 5 | 11 | 0 | Netflow/Enclave netflow; Process use of network; Process monitoring
T1015: Accessibility Features | 4 | 0 | 0 | Windows Registry; File monitoring; Process monitoring
T1094: Custom Command and Control Protocol | 4 | 26 | 1 | Packet capture; Netflow/Enclave netflow; Process use of network; Process monitoring; Host network interface; Network intrusion detection system; Network protocol analysis
T1132: Data Encoding | 4 | 22 | 0 | Packet capture; Process use of network; Process monitoring; Network protocol analysis
T1048: Exfiltration Over Alternative Protocol | 4 | 5 | 2 | User interface; Process monitoring; Process use of network; Packet capture; Netflow/Enclave netflow; Network protocol analysis
T1100: Web Shell | 4 | 4 | 0 | Anti-virus; Authentication logs; File monitoring; Netflow/Enclave netflow; Process monitoring
T1098: Account Manipulation | 3 | 2 | 1 | Authentication logs; API monitoring; Windows event logs; Packet capture
T1223: Compiled HTML File | 3 | 0 | 0 | File monitoring; Process monitoring; Process command-line parameters
T1136: Create Account | 3 | 5 | 2 | Process monitoring; Process command-line parameters; Authentication logs; Windows event logs
T1039: Data from Network Shared Drive | 3 | 2 | 0 | File monitoring; Process monitoring; Process command-line parameters
T1075: Pass the Hash | 3 | 0 | 3 | Authentication logs
T1120: Peripheral Device Discovery | 3 | 9 | 0 | (none listed)
T1093: Process Hollowing | 3 | 7 | 1 | Process monitoring; API monitoring
T1219: Remote Access Tools | 3 | 1 | 0 | Network intrusion detection system; Network protocol analysis; Process use of network; Process monitoring
T1021: Remote Services | 3 | 1 | 1 | Authentication logs
T1063: Security Software Discovery | 3 | 28 | 2 | File monitoring; Process monitoring; Process command-line parameters
T1124: System Time Discovery | 3 | 10 | 1 | Process monitoring; Process command-line parameters; API monitoring
T1099: Timestomp | 3 | 14 | 1 | File monitoring; Process monitoring; Process command-line parameters
T1134: Access Token Manipulation | 2 | 5 | 3 | API monitoring; Access tokens; Process monitoring; Process command-line parameters
T1067: Bootkit | 2 | 3 | 0 | API monitoring; MBR; VBR
T1191: CMSTP | 2 | 0 | 0 | Process monitoring; Process command-line parameters; Process use of network; Windows event logs
T1024: Custom Cryptographic Protocol | 2 | 32 | 0 | Packet capture; Netflow/Enclave netflow; Process use of network; Malware reverse engineering; Process monitoring
T1038: DLL Search Order Hijacking | 2 | 8 | 1 | File monitoring; DLL monitoring; Process monitoring; Process command-line parameters
T1001: Data Obfuscation | 2 | 15 | 0 | Packet capture; Process use of network; Process monitoring; Network protocol analysis
T1213: Data from Information Repositories | 2 | 0 | 1 | Application logs; Authentication logs; Data loss prevention; Third-party application logs
T1025: Data from Removable Media | 2 | 9 | 0 | File monitoring; Process monitoring; Process command-line parameters
T1106: Execution through API | 2 | 10 | 1 | API monitoring; Process monitoring
T1008: Fallback Channels | 2 | 17 | 0 | Malware reverse engineering; Netflow/Enclave netflow; Packet capture; Process monitoring; Process use of network
T1187: Forced Authentication | 2 | 0 | 0 | File monitoring; Network protocol analysis; Network device logs; Process use of network
T1158: Hidden Files and Directories | 2 | 5 | 0 | File monitoring; Process monitoring; Process command-line parameters
T1031: Modify Existing Service | 2 | 5 | 1 | Windows Registry; File monitoring; Process monitoring; Process command-line parameters
T1170: Mshta | 2 | 2 | 1 | Process monitoring; Process command-line parameters
T1135: Network Share Discovery | 2 | 4 | 4 | Process monitoring; Process command-line parameters; Network protocol analysis; Process use of network
T1097: Pass the Ticket | 2 | 1 | 1 | Authentication logs
T1091: Replication Through Removable Media | 2 | 8 | 0 | File monitoring; Data loss prevention
T1035: Service Execution | 2 | 7 | 7 | Windows Registry; Process monitoring; Process command-line parameters
T1194: Spearphishing via Service | 2 | 0 | 0 | SSL/TLS inspection; Anti-virus; Web proxy
T1095: Standard Non-Application Layer Protocol | 2 | 13 | 0 | Host network interface; Netflow/Enclave netflow; Network intrusion detection system; Network protocol analysis; Packet capture; Process use of network
T1221: Template Injection | 2 | 0 | 0 | Anti-virus; Email gateway; Network intrusion detection system; Web logs
T1199: Trusted Relationship | 2 | 0 | 0 | Application logs; Authentication logs; Third-party application logs
T1084: Windows Management Instrumentation Event Subscription | 2 | 3 | 0 | WMI Objects
T1182: AppCert DLLs | 1 | 1 | 0 | Loaded DLLs; Process monitoring; Windows Registry
T1017: Application Deployment Software | 1 | 0 | 0 | File monitoring; Process use of network; Process monitoring
T1138: Application Shimming | 1 | 0 | 0 | Loaded DLLs; System calls; Windows Registry; Process monitoring; Process command-line parameters
T1010: Application Window Discovery | 1 | 8 | 0 | API monitoring; Process monitoring; Process command-line parameters
T1123: Audio Capture | 1 | 9 | 2 | API monitoring; Process monitoring; File monitoring
T1020: Automated Exfiltration | 1 | 4 | 0 | File monitoring; Process monitoring; Process use of network
T1197: BITS Jobs | 1 | 1 | 1 | API monitoring; Packet capture; Windows event logs
T1092: Communication Through Removable Media | 1 | 2 | 0 | File monitoring; Data loss prevention
T1109: Component Firmware | 1 | 0 | 0 | Disk forensics; API monitoring; Process monitoring; Component firmware
T1122: Component Object Model Hijacking | 1 | 5 | 0 | Windows Registry; DLL monitoring; Loaded DLLs
T1081: Credentials in Files | 1 | 7 | 2 | File monitoring; Process command-line parameters
T1030: Data Transfer Size Limits | 1 | 4 | 0 | Packet capture; Netflow/Enclave netflow; Process use of network; Process monitoring
T1172: Domain Fronting | 1 | 0 | 1 | SSL/TLS inspection; Packet capture
T1190: Exploit Public-Facing Application | 1 | 0 | 2 | Packet capture; Web logs; Web application firewall logs; Application logs
T1211: Exploitation for Defense Evasion | 1 | 0 | 0 | Windows Error Reporting; Process monitoring; File monitoring
T1210: Exploitation of Remote Services | 1 | 1 | 0 | Windows Error Reporting; Process monitoring; File monitoring
T1061: Graphical User Interface | 1 | 0 | 0 | File monitoring; Process monitoring; Process command-line parameters; Binary file metadata
T1179: Hooking | 1 | 1 | 0 | API monitoring; Binary file metadata; DLL monitoring; Loaded DLLs; Process monitoring; Windows event logs
T1037: Logon Scripts | 1 | 1 | 0 | File monitoring; Process monitoring
T1104: Multi-Stage Channels | 1 | 3 | 0 | Netflow/Enclave netflow; Network device logs; Network protocol analysis; Packet capture; Process use of network
T1188: Multi-hop Proxy | 1 | 3 | 1 | Network protocol analysis; Netflow/Enclave netflow
T1026: Multiband Communication | 1 | 1 | 1 | Packet capture; Netflow/Enclave netflow; Process use of network; Malware reverse engineering; Process monitoring
T1126: Network Share Connection Removal | 1 | 0 | 1 | Process monitoring; Process command-line parameters; Packet capture; Authentication logs
T1040: Network Sniffing | 1 | 1 | 1 | Network device logs; Host network interface; Netflow/Enclave netflow; Process monitoring
T1137: Office Application Startup | 1 | 0 | 0 | Process monitoring; Process command-line parameters; Windows Registry; File monitoring
T1201: Password Policy Discovery | 1 | 1 | 1 | Process command-line parameters; Process monitoring
T1014: Rootkit | 1 | 6 | 0 | BIOS; MBR; System calls
T1216: Signed Script Proxy Execution | 1 | 0 | 0 | Process monitoring; Process command-line parameters
T1195: Supply Chain Compromise | 1 | 2 | 0 | Web proxy; File monitoring
T1080: Taint Shared Content | 1 | 2 | 0 | File monitoring; Process monitoring
T1072: Third-party Software | 1 | 1 | 0 | File monitoring; Third-party application logs; Windows Registry; Process monitoring; Process use of network; Binary file metadata
T1125: Video Capture | 1 | 7 | 2 | Process monitoring; File monitoring; API monitoring
T1028: Windows Remote Management | 1 | 0 | 1 | File monitoring; Authentication logs; Netflow/Enclave netflow; Process monitoring; Process command-line parameters
T1004: Winlogon Helper DLL | 1 | 2 | 0 | Windows Registry; File monitoring; Process monitoring
T1220: XSL Script Processing | 1 | 0 | 0 | Process monitoring; Process command-line parameters; Process use of network; DLL monitoring
T1103: AppInit DLLs | 0 | 2 | 0 | Loaded DLLs; Process monitoring; Windows Registry
T1131: Authentication Package | 0 | 1 | 0 | DLL monitoring; Windows Registry; Loaded DLLs
T1217: Browser Bookmark Discovery | 0 | 2 | 0 | API monitoring; File monitoring; Process command-line parameters; Process monitoring
T1176: Browser Extensions | 0 | 0 | 0 | Network protocol analysis; Packet capture; System calls; Process use of network; Process monitoring; Browser extensions
T1042: Change Default File Association | 0 | 0 | 0 | Windows Registry; Process monitoring; Process command-line parameters
T1115: Clipboard Data | 0 | 9 | 1 | API monitoring
T1196: Control Panel Items | 0 | 1 | 0 | API monitoring; Binary file metadata; DLL monitoring; Windows Registry; Windows event logs; Process command-line parameters; Process monitoring
T1214: Credentials in Registry | 0 | 0 | 2 | Windows Registry; Process command-line parameters; Process monitoring
T1207: DCShadow | 0 | 0 | 1 | API monitoring; Authentication logs; Network protocol analysis; Packet capture
T1175: Distributed Component Object Model | 0 | 1 | 1 | API monitoring; Authentication logs; DLL monitoring; Packet capture; Process monitoring; Windows Registry; Windows event logs
T1129: Execution through Module Load | 0 | 2 | 0 | API monitoring; DLL monitoring; File monitoring; Process monitoring
T1011: Exfiltration Over Other Network Medium | 0 | 1 | 0 | User interface; Process monitoring
T1052: Exfiltration Over Physical Medium | 0 | 4 | 0 | Data loss prevention; File monitoring
T1212: Exploitation for Credential Access | 0 | 0 | 0 | Authentication logs; Windows Error Reporting; Process monitoring
T1181: Extra Window Memory Injection | 0 | 1 | 0 | API monitoring; Process monitoring
T1222: File Permissions Modification | 0 | 1 | 0 | File monitoring; Process monitoring; Process command-line parameters; Windows event logs
T1006: File System Logical Offsets | 0 | 0 | 0 | API monitoring
T1044: File System Permissions Weakness | 0 | 1 | 0 | File monitoring; Services; Process command-line parameters
T1200: Hardware Additions | 0 | 0 | 0 | Asset management; Data loss prevention
T1062: Hypervisor | 0 | 0 | 0 | System calls
T1183: Image File Execution Options Injection | 0 | 0 | 0 | Process monitoring; Windows Registry; Windows event logs
T1054: Indicator Blocking | 0 | 0 | 0 | Sensor health and status; Process command-line parameters; Process monitoring
T1202: Indirect Command Execution | 0 | 0 | 1 | Process monitoring; Process command-line parameters; Windows event logs
T1130: Install Root Certificate | 0 | 2 | 1 | SSL/TLS inspection; Digital certificate logs
T1118: InstallUtil | 0 | 0 | 0 | Process monitoring; Process command-line parameters
T1208: Kerberoasting | 0 | 0 | 1 | Windows event logs
T1171: LLMNR/NBT-NS Poisoning | 0 | 0 | 2 | Windows Registry; Packet capture; Netflow/Enclave netflow
T1177: LSASS Driver | 0 | 2 | 0 | API monitoring; DLL monitoring; File monitoring; Kernel drivers; Loaded DLLs; Process monitoring
T1185: Man in the Browser | 0 | 1 | 1 | Authentication logs; Packet capture; Process monitoring; API monitoring
T1079: Multilayer Encryption | 0 | 2 | 2 | Packet capture; Process use of network; Malware reverse engineering; Process monitoring
T1096: NTFS File Attributes | 0 | 5 | 0 | File monitoring; Kernel drivers; API monitoring; Process command-line parameters
T1128: Netsh Helper DLL | 0 | 0 | 1 | DLL monitoring; Windows Registry; Process monitoring
T1174: Password Filter DLL | 0 | 1 | 0 | DLL monitoring; Process monitoring; Windows Registry
T1034: Path Interception | 0 | 0 | 1 | File monitoring; Process monitoring
T1013: Port Monitors | 0 | 0 | 0 | File monitoring; API monitoring; DLL monitoring; Windows Registry; Process monitoring
T1145: Private Keys | 0 | 0 | 1 | File monitoring
T1186: Process Doppelgänging | 0 | 1 | 0 | API monitoring; Process monitoring
T1121: Regsvcs/Regasm | 0 | 0 | 0 | Process monitoring; Process command-line parameters
T1178: SID-History Injection | 0 | 0 | 1 | API monitoring; Authentication logs; Windows event logs
T1198: SIP and Trust Provider Hijacking | 0 | 0 | 0 | API monitoring; Application logs; DLL monitoring; Loaded DLLs; Process monitoring; Windows Registry; Windows event logs
T1029: Scheduled Transfer | 0 | 5 | 1 | Netflow/Enclave netflow; Process use of network; Process monitoring
T1180: Screensaver | 0 | 1 | 0 | Process monitoring; Process command-line parameters; Windows Registry; File monitoring
T1101: Security Support Provider | 0 | 0 | 2 | DLL monitoring; Windows Registry; Loaded DLLs
T1058: Service Registry Permissions Weakness | 0 | 0 | 0 | Process command-line parameters; Services; Windows Registry
T1051: Shared Webroot | 0 | 0 | 0 | File monitoring; Process monitoring
T1218: Signed Binary Proxy Execution | 0 | 0 | 0 | Process monitoring; Process command-line parameters
T1019: System Firmware | 0 | 2 | 0 | API monitoring; BIOS; EFI
T1209: Time Providers | 0 | 0 | 0 | API monitoring; Binary file metadata; DLL monitoring; File monitoring; Loaded DLLs; Process monitoring
T1127: Trusted Developer Utilities | 0 | 1 | 0 | Process monitoring
T1111: Two-Factor Authentication Interception | 0 | 1 | 0 | API monitoring; Process monitoring; Kernel drivers

Telemetry required for Techniques

data_sources | attack-pattern
Process monitoring | 136
Process command-line parameters | 76
File monitoring | 68
API monitoring | 39
Process use of network | 36
Windows Registry | 34
Packet capture | 32
Authentication logs | 24
Netflow/Enclave netflow | 24
Windows event logs | 19
Network protocol analysis | 18
DLL monitoring | 17
Binary file metadata | 16
Loaded DLLs | 12
Malware reverse engineering | 8
SSL/TLS inspection | 8
Network intrusion detection system | 7
Anti-virus | 7
System calls | 6
Data loss prevention | 6
Application logs | 5
Host network interface | 4
Network device logs | 4
Web proxy | 4
Windows Error Reporting | 4
Kernel drivers | 4
Email gateway | 4
Third-party application logs | 3
Services | 3
User interface | 3
MBR | 2
Web logs | 2
BIOS | 2
Detonation chamber | 2
Mail server | 2
Access tokens | 1
VBR | 1
Browser extensions | 1
Disk forensics | 1
Component firmware | 1
PowerShell logs | 1
Web application firewall logs | 1
Asset management | 1
Sensor health and status | 1
Digital certificate logs | 1
Environment variable | 1
Named Pipes | 1
DNS records | 1
EFI | 1
WMI Objects | 1