Knowing Your Battle Space - Part 4
Part 3 Review
As a refresher we covered the following topics in our third post:
- Automated Adversary Testing
- Repeatable and objective scoring across all tactics
- Quick adoption of new tactics
- Automated scoring of Tactics in DarkFalcon
This post in the series starts looking at an extended view of the rich data you have available in DarkFalcon. We are constantly finding new ways of interacting with the ATT&CK tactics and their ratings in our environment. What we cover in this article is just a beginning of what is possible, and we are excited to hear from others about what they are doing. As always, this code is in the DarkFalcon GitHub repo, https://github.com/security-storm/DarkFalcon
Today we will cover:
- Overlaying the Kill Chain
- Internal Kill Chain vs External Kill Chain
- Attack Profiling
Overlaying the Kill Chain
After watching the great talks by people like Chris Gates and Chris Nickerson, and reading the tweets and documentation from MITRE ATT&CK, we really wanted to try combining the ATT&CK framework with the notion of the kill chain to see if we could anticipate how an adversary would successfully attack our environment.
From an ATT&CK perspective, we already have the tactics scored and they are tagged with categories that align with common kill chain language.
For the kill chain, we looked at the commonly referenced Lockheed Martin "Cyber Kill Chain." This process models a linear attack divided into 8 distinct parts.
With the two foundation pieces in place we started overlaying real malware, penetration tests and incidents onto the model. Knowing what the attack process and methods were, as well as where we were strong and weak, we could see how well the model works. Quickly it fell apart :( The main reason we found was that the attacks we modeled appeared to skip around on the very linear Cyber Kill Chain. We did notice from the results, though, that there were clusters of activities performed in specific phases. We then created a Phased Kill Chain approach based on those clusters:
Phase 1 – Execute: The goal of this phase is to get code to execute in the environment, form a connection and allow additional attacks or code to execute
Phase 2 – Persist: The goal of this phase is to create a stronger connection in the environment and elevate access to reach as many systems and as much data as possible
Phase 3 – Exfil: The goal of this phase is to capture and move sensitive or helpful data out of the environment. This may include data, company plans, webcam pictures, email and even phone recordings
We re-aligned the ATT&CK categories into these phases, then produced a model with our tactic scoring. The phases are based not only on timing but also on usefulness for the next phase. As we walked the real attacks across this model we saw a much tighter fit between the model and the real results.
Now that we have a model that works for us we can do some Splunk magic, all documented in GitHub, and produce a likely successful attack path. At a high level, it groups the tactic scores for the categories in each phase, sorts them from lowest to highest maturity (0-100%), and looks only at tactics scored 0-30%.
As you review the results it starts to become clear, and almost lets your mind slip into, just what a successful attack would look like. With this clarity you can start prioritizing the tactics you need to implement controls for.
Internal Kill Chain vs External Kill Chain
While looking at the phasing of a kill chain it occurred to us that buried in it is an assumption that it begins from an external attacker's view. If we were to take the same categories of tactics and rearrange them into phases from an internal attacker's view, how would it look different?
Phase 1 – Collect: The goal of this phase is to discover and move readily available data outside the environment
Phase 2 – Escalate: The goal of this phase is to create a stronger connection in the environment and elevate access to reach as many systems and as much data as possible
Phase 3 – Execute: The goal of this phase is to get code to execute in the environment to form a connection and allow additional attacks or code to execute, furthering the attack and its impact
We do see the phases shift, and they are almost an inverse of the external kill chain phases. We find this very interesting as it may help explain why you can be mature in blocking external attacks but have little to no insight into or protection against internal threats.
Again, this groups the tactic scores for the categories in each phase, sorts them from lowest to highest maturity (0-100%), and looks only at tactics scored 0-30%.
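The attack path step described for both the external and the internal kill chain, as an added example in Python rather than DarkFalcon's own Splunk searches: the category-to-phase mapping, the tactic names, their categories and the scores are all constructed sample data, not values from the project.

```python
# Added example (not DarkFalcon's Splunk code): build a likely attack path
# from per-tactic maturity scores by phase, as the post describes.
# Phase mappings, tactic names, categories and scores are constructed.

EXTERNAL_PHASES = {
    "Execute": ["initial-access", "execution"],
    "Persist": ["persistence", "privilege-escalation", "lateral-movement"],
    "Exfil": ["collection", "exfiltration"],
}

# The internal view re-orders the same categories into the post's internal phases.
INTERNAL_PHASES = {
    "Collect": ["collection", "exfiltration"],
    "Escalate": ["persistence", "privilege-escalation", "lateral-movement"],
    "Execute": ["initial-access", "execution"],
}

# Constructed scores: tactic -> (ATT&CK category, maturity 0-100%).
SAMPLE_SCORES = {
    "Spearphishing Attachment": ("initial-access", 85),
    "PowerShell": ("execution", 20),
    "Scheduled Task": ("persistence", 10),
    "Bypass UAC": ("privilege-escalation", 45),
    "Pass the Hash": ("lateral-movement", 25),
    "Audio Capture": ("collection", 5),
    "Exfiltration Over C2": ("exfiltration", 30),
}

def attack_path(scores, phases, max_score=30):
    """Group tactics into phases, keep those scored 0..max_score, sort ascending."""
    path = {}
    for phase, categories in phases.items():
        weak = [(name, score) for name, (cat, score) in scores.items()
                if cat in categories and 0 <= score <= max_score]
        path[phase] = sorted(weak, key=lambda t: (t[1], t[0]))
    return path

def main():
    for label, phases in (("External", EXTERNAL_PHASES), ("Internal", INTERNAL_PHASES)):
        print(f"{label} kill chain, likely attack path:")
        for phase, tactics in attack_path(SAMPLE_SCORES, phases).items():
            names = ", ".join(f"{n} ({s}%)" for n, s in tactics) or "none below threshold"
            print(f"  {phase}: {names}")

if __name__ == "__main__":
    main()
```

The phases print in kill chain order, so the lowest-scored tactics in each phase read as the path an attack would most likely take given the current controls.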
What we have so far is a nice overlay of the attack path with the maturity of each of our ATT&CK tactics, great. What if we had the ability to look at the tactics used in an attack, or model an attack, and see how well we were protected? We wanted that too, so we crafted Attack Profiling.
To add a new one, you multi-select the tactics used, name it and pick an origin. It then runs against the tactic scores to show your overall maturity to withstand it. These profiled attacks also show up in the visuals of the Security Posture dashboard.
We also added a feature where the tactics found in profiled attacks are weighted in your overall maturity ratings. For example, as a base all tactics have a weight of 1, say PowerShell and hot mic-ing. As PowerShell shows up in the profiled attacks its score, good or bad, is multiplied to increase its significance, while hot mic-ing remains at the single value if it is not profiled in attacks. This places greater value on defense against current threats and ages tactics out or in based on what is being seen in attacks, like the resurgence of VBScript.
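Attack profiling and the profile-driven weighting, as an added Python example (not the project's Splunk implementation). Assumptions not stated in the post: a profile's maturity is the mean score of its tactics, each profile a tactic appears in adds 1 to its base weight of 1, and the overall rating is the weight-multiplied average; the scores and profiles are constructed.

```python
# Added example (not DarkFalcon's Splunk code): attack profiles and
# profile-driven weighting of the overall maturity rating, as the post describes.
# Scores, profiles, the mean and the +1-per-profile weight are assumptions.

# tactic -> maturity score 0-100% (constructed)
SAMPLE_SCORES = {
    "PowerShell": 20,
    "Scheduled Task": 10,
    "Audio Capture": 60,   # "hot mic-ing" in the post
    "Pass the Hash": 25,
    "Spearphishing Attachment": 85,
}

# profile name -> (origin, tactics multi-selected for it) (constructed)
SAMPLE_PROFILES = {
    "Phishing campaign": ("external", ["Spearphishing Attachment", "PowerShell", "Scheduled Task"]),
    "Rogue admin": ("internal", ["PowerShell", "Pass the Hash"]),
}

def profile_maturity(scores, tactics):
    """Maturity to withstand one profiled attack: mean score of its tactics.
    A tactic with no score yet counts as 0% so a gap is never hidden."""
    if not tactics:
        raise ValueError("a profile needs at least one tactic")
    return sum(scores.get(t, 0) for t in tactics) / len(tactics)

def tactic_weights(scores, profiles):
    """Base weight 1 for every tactic, plus 1 for each profile it appears in."""
    weights = {t: 1 for t in scores}
    for _origin, tactics in profiles.values():
        for t in set(tactics):
            weights[t] = weights.get(t, 1) + 1
    return weights

def weighted_maturity(scores, profiles):
    """Overall rating where tactics seen in profiled attacks count more."""
    weights = tactic_weights(scores, profiles)
    total = sum(weights[t] for t in scores)
    return sum(scores[t] * weights[t] for t in scores) / total

def main():
    for name, (origin, tactics) in SAMPLE_PROFILES.items():
        print(f"{name} ({origin}): {profile_maturity(SAMPLE_SCORES, tactics):.1f}% maturity")
    plain = sum(SAMPLE_SCORES.values()) / len(SAMPLE_SCORES)
    print(f"overall unweighted {plain:.1f}%, weighted {weighted_maturity(SAMPLE_SCORES, SAMPLE_PROFILES):.1f}%")

if __name__ == "__main__":
    main()
```

With the sample data the weighted overall rating drops below the plain average because the poorly scored PowerShell and Scheduled Task tactics appear in profiles while the well-scored hot mic-ing does not.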
We have been very excited about all of the uses for the MITRE ATT&CK tactic rating and enjoy sharing them to help other organizations think critically about finding blind spots and prioritizing defense against attacker tactics. By no means are these definitive approaches but rather adaptations we have found useful in driving our situational awareness and security program. This code is in the DarkFalcon GitHub repo, https://github.com/security-storm/DarkFalcon
Part 5 - Remaining Bits
In the next part of the series we will cover some of the remaining bits we have created that really extend the data and platform of DarkFalcon:
- Proof of Concept Modeling - the ability to model control changes and view the change in security posture
- Tomorrow modeling - the ability to look for under-utilized controls and unaddressed tactics for business planning