Recon and weaponization
The attacker conducts research on a target. The attacker identifies targets (both systems and people) and determines his attack methodology. The attacker may look for Internet-facing services or individuals to exploit.Platforms like Shodan hunt for internet facing devices to perform scanning and enumeration. Vulnerability scanning
A vulnerability scan detects and classifies system weaknesses in computers, networks and communications equipment and predicts the effectiveness of countermeasures.
Lateral movement
The attacker uses his access to move from system to system within the compromised environment. Common lateral movement methods include accessing network shares, using the Windows Task Scheduler to execute programs, using remote access tools such as PsExec, or using remote desktop clients such as Remote Desktop Protocol (RDP), DameWare, or Virtual Network Computing (VNC) to interact with target systems using a graphical user interface.Windows management instrumentation (WMI) is a tool that is implemented as a service to locally and remotely manages data, operations and configuring settings on windows operating systems. WinRM
Windows Remote Management (WinRM) is the name of both a Windows service and a protocol that allows a user to interact with a remote system (e.g., run an executable, modify the Registry, modify services). SSH HiJacking
In order to move laterally from a compromised host, adversaries may take advantage of trust relationships established with other systems via public key authentication in active SSH sessions by hijacking an existing connection to another system. SMB
Using the victim credentials the attacker authenticates to the victim machine on port 445 and try to gain access to the `Admin$ shares: (C$, IPC$, or ADMIN$)`. Access to `Admin$` allows for remote code execution including arbitrary code. Remote Desktop
Attackers will use valid credentials to move laterally in the environment by utilizing remote desktop. Exploit
An attacker can scan for vulnerable hosts that can be attacked by an exploit. For example, `MS08-67` is an exploit that can be used to create a reverse shell on a remote Windows machine.
Internal recon
The attacker explores the victim’s environment to gain a better understanding of the environment, the roles and responsibilities of key individuals, and to determine where an organization stores information of interest.Network enumeration is a process that involves gathering information about a network such as the hosts, network services, connected devices along with usernames, group information, and related data. Port scanning
A port scanner refers to a software application program that scans a server for open ports. It enables auditors and network administrators to examine network security while attackers and hackers use it to identify open ports for exploiting and/or running malicious services on a host computer or server. Network sniffing
Network Sniffing involves capturing, decoding, inspecting and interpreting the information inside a network packet on a TCP/IP network. The purpose is to steal information, usually user IDs, passwords, network details, credit card numbers, etc.
Initial compromise
The attacker successfully executes malicious code on one or more systems. This most likely occurs through social engineering (most often spear phishing), by exploiting a vulnerability on an Internet-facing system, or by any other means necessary.A stager is a small payload instructing the computer to pull down the next phase of malicious code. SQL Injection
SQL stands for structured query language; it’s a programming language used to communicate with databases. Many of the servers that store critical data for websites and services use SQL to manage the data in their databases. A SQL injection attack specifically targets this kind of server, using malicious code to get the server to divulge information it normally wouldn’t. This is especially problematic if the server stores private customer information from the website, such as credit card numbers, usernames and passwords (credentials), or other personally identifiable information, which are tempting and lucrative targets for an attacker. Exploit
An exploit is a piece of software, a chunk of data, or a sequence of commands that takes advantage of a bug or vulnerability to cause unintended or unanticipated behavior to occur on computer software, hardware, or something electronic (usually computerized).
Impersonation
Impersonation is a disguise. In terms of communications security issues, an impersonation is a type of attack where the attacker pretends to be an authorized user of a system in order to gain access to it or to gain greater privileges than they are authorized for.An adversary can reduce their footprint by using credentials to directly connect to the network as a legitimate user, instead of relying on the RAT. Trusted third party
Attackers may compromise a subsidiary organization before moving into the parent organization. Reverse RDP tunnel
Reverse RDP tunneling is when an attacker initiates a connection outbound to a server. The attacker can use this server to perform actions on this host. Certificate impersonation
In order to avoid detection, attackers may generate a self-signed SSL/TLS certificate that impersonates an entity. Domain spoofing
Domain Spoofing is a form of phishing, that occurs when an attacker appears to use a company’s domain to impersonate a company or one of its employees. ARP spoofing
ARP spoofing is a type of attack in which a malicious actor sends falsified ARP (Address Resolution Protocol) messages over a local area network. This results in the linking of an attacker’s MAC address with the IP address of a legitimate computer or server on the network.
Evasion
Evasion is bypassing an information security device in order to deliver an exploit, attack, or other forms of malware to a target network or system, without detection. Evasions are typically used to counter network-based intrusion detection and prevention systems (IPS, IDS) but can also be used to bypass firewalls and defeat malware analysis. A further target of evasions can be to crash a network security device, rendering it in-effective to subsequent targeted attacks.Anonymous services like TOR can be used to mask the attacker's identity and location. Public services
The malware may communicate with public services such as Google or Dropbox. These services can be used for the staging of malware or C2 communication. Encryption
Threat actors may utilize encryption to thwart security controls from reading/interpreting the data in transit. Encoding
Encoding is the process of putting a sequence of characters (letters, numbers, punctuation, and certain symbols) into a specialized format for efficient transmission or storage. Custom protocol
Threat actors may create custom protocols to thwart security controls from reading/interpreting the data in transit. Custom obfuscation
Threat actors may create custom obfuscation(encryption, encoding, and hashing) mechanisms to thwart defenders. Compression
Compression is the act of reducing the number of bits needed to represent data.
DOS
A denial-of-service (DoS) is any type of attack where the attackers (hackers) attempt to prevent legitimate users from accessing the service.A UDP Flood is a type of denial-of-service attack in which a large number of User Datagram Protocol (UDP) packets are sent to a targeted server with the aim of overwhelming that device’s ability to process and respond. TCP Flood
A TCP SYN flood is a form of denial-of-service attack in which an attacker sends a succession of SYN requests to a target's system in an attempt to consume enough server resources to make the system unresponsive to legitimate traffic. HTTP Flood
An HTTP flood attack is a type of volumetric distributed denial-of-service (DDoS) attack designed to overwhelm a targeted server with HTTP requests. Once the target has been saturated with requests and is unable to respond to normal traffic, denial-of-service will occur for additional requests from actual users.
Delivery
A network mechanism used to distribute the malicious code to the target.A watering hole attack is a security exploit in which the attacker seeks to compromise a specific group of end users by infecting websites that members of the group are known to visit. The goal is to infect a targeted user's computer and gain access to the network at the target's place of employment. Poisoned torrents
The technique of threat actors deploying torrent files onto torrent sites that are pre-infected with malware has not been widely seen before, especially with respect to BitTorrent-types of attack. Phishing
Phishing is the practice of sending fraudulent communications that appear to come from a reputable source. It is usually done through email. The goal is to steal sensitive data like credit card and login information or to install malware on the victim’s machine.
Command and control
A command and control (C&C) Server is a computer controlled by an attacker or cybercriminal which is used to send commands to systems compromised by malware and receive stolen data from a target network.The peer-to-peer(P2P) protocol provides a decentralized command and control technique. A decentralized network allows botnet clients to relay commands to other bots and removes the need of a master server. IRC
Using internet relay chat(IRC) as a C2 channel. ICMP
Using ICMP requests and replies as a C2 channel. DNS
Using DNS queries and responses as a C2 channel. Webshell
A web shell is a script that can be uploaded to a web server to enable remote administration of the machine. Remote Admin Tools
Remote Administration tools like TeamViewer can be used to control a machine remotely. Tools like TeamViewer are legitimate applications that are signed and may be trusted by security controls. Listening Service
HTTP
Command and control server uses a full web backend that lets the attacker directly control the victims via a web browser. These HTTP channels may be plain-text or encrypted with SSL.
Matrix in construction
The current state of this matrix is the "sum of its parts", meaning, the researchers of this project acknowledge the matrix requires community input to foster adoption, development, and completion. We are looking too the Infosec community to contribute to the matrix and to provide feedback. If you would like to provide feedback, please fill out this survey.
The Whole is Greater than the Sum of its Parts.
- Aristotle
About this project
Adversaries are constantly coming up with new methods to thwart the effectiveness of security controls. Threat hunting provides a proactive solution to find adversaries before they complete their mission. This matrix presents adversarial behavior and is a mechanism to classify the actions of Advanced Persistent Threats (APTs) on the network.
Threat hunting is the "process of actively looking for signs of malicious activity within enterprise networks, without prior knowledge of those signs." (Kerr, Ewing 2018). Our matrix classifies network-based threat hunting into a variety of attack themes (column headings), each of these themes contains a grouping of adversarial techniques, and these techniques have been aggregated on our matrix to determine the likelihood of an APT acting within the network.
Thesis Defense
Our matrix and the MITRE ATT&CK
At the current time of this project, MITRE ATT&CK matrix is targeted at host-based detection and mitigation. The deliverable for this project is a MITRE ATT&CK like matrix for network-based threat hunting. In the current landscape of security, we need to monitor endpoints and network traffic. I am challenging that APT detection is not limited to endpoint monitoring and that detection can be performed from the network as well. This research will generate a MITRE ATT&CK style-like matrix to describe APT techniques from a network perspective that can be used for network-based threat hunting.
Attack themes
The attack themes are a combination of the Bryant Kill Chain (Bryant, Blake & Saiedian, Hossein. 2017) and themes that have emerged from a literature review. The Lockheed Martin Cyber Kill Chain and the Mandiant Attack Life Cycle were not chosen as attack models because they contain phases that happen on the host. For this reason, the Bryant Kill Chain was selected because it is an evolution of the Lockheed Martin Cyber Kill Chain and the Mandiant Attack Life cycle, but strictly from a network perspective.
Bryant Kill Chain phases
Lit review themes
Aggregating techniques
Each technique represented on our matrix exists because an APT report has referenced it. The APT reports were gathered from public Github repositories to create an archive.
Definitions
- Attack themes - Contains a grouping of adversary techniques to describe attacker activity on a network.
- Techniques - Method of achieving a result during an attack.
- APT(Advanced persistent threat) - An adversary targeting a network with the capability and resources to develop advanced tools used to thwart security controls and the time, money, and personnel to maintain a presence on the network.