Cyber Kill Chain and Mitre Attack

The document discusses the Cyber Kill Chain and MITRE ATT&CK frameworks, highlighting the evolution of modern cyber threats which are increasingly sophisticated and evasive. It emphasizes the need for a comprehensive defense strategy that addresses each stage of an attack, from reconnaissance to impact, and outlines specific recommendations for detection and response. The document also contrasts the Cyber Kill Chain's focus on attack stages with the ATT&CK framework's detailed tactics and techniques used by adversaries.

Uploaded by a.mgndia

UNDERSTANDING THE CYBER KILL CHAIN AND MITRE ATT&CK FRAMEWORKS


THE GROWTH OF THE UNKNOWN

[Figure: the known, signature-covered threat categories (malware, CVEs, exploits, botnets, trojans, bad URLs, viruses) set against the growing set of things we don't know.]

THERE ARE MORE AND MORE THINGS WE DON'T KNOW: ZERO DAY, APTs, UNKNOWN MALWARE

[Protected] Non-confidential content​


Modern Threats Are…

STRATEGIC TARGETED

PERSISTENT MULTI-STAGE

SOPHISTICATED EVASIVE

ATTACKS ARE MORE DANGEROUS THAN EVER


Simple protections are FAILING

Modern threats require


SOPHISTICATED DEFENSE STRATEGY
Planning and Executing A Cyber Attack

Planning the Attack (Weeks in Advance)
• Look for potential victims
• Collect relevant social data
• Build, find or buy your weapon of choice (exploit kit, malware package)
• Adapt to your specific needs
• Package for delivery

Getting In (Within Seconds)
• Bypass detection
• Convince the victim to open your crafted file
• Bypass system security control
• Install your malware

Carrying out the Attack (From Here On…)
• Wait for your malware to "call home"
• Instruct it what to do on the victim's computer
• Continuously monitor its progress

The Cyber Kill Chain
1. Reconnaissance: Identify the target and exploitable weaknesses
2. Weaponization: Create/select attack vector
3. Delivery: Deliver the malicious payload to the victim
4. Exploitation: Gain execution privileges
5. Installation: Install the malware on the infected host
6. Command & Control: Establish a channel of communication
7. Act on Objectives: Data collection or corruption, lateral movement and exfiltration

Simple Attack Timeline: Australian Ransomware

Kill-chain stages over time:
• Recon: Locate email addresses
• Weapon: Create an infected PDF
• Delivery: Send a spoofed email with PDF
• Exploit: Victim double clicks attachment
• Install: Cryptolocker installed
• C&C: Key obtained from C&C server
• Act On: Files gradually encrypted

Some kill-chain steps take hours or even weeks, while others take mere seconds.


How does one buy an attack?
Images from: www.deepdarkweb.com
Very generous indemnity program: $0

334 listings for "software & malware"
Images from: www.deepdarkweb.com
Don’t forget to read user reviews



And then there are Exploit Kit-as-a-Service (EaaS) sites



Each site leads to multiple destinations, some of them unintended



Let's say you go to your favorite site…

You're actually going to many more places



IT’S TIME TO BREAK THE CHAIN



Successful Defense Strategy

Pre-Compromise (Reconnaissance, Weaponization, Delivery), Compromise (Exploitation, Installation), Post-Compromise (Command & Control, Act on Objectives)

Apply protection for EACH of the stages
• No single step protection is enough
• Tackle attackers at each stage of their attack

Strong preventive defense BEFORE infection
• Prevention is the most cost-effective form of protection
• Protect against the devastating cost of a successful attack

Effective POST compromise defense
• Damage and cost are proportional to time
• Minimize the time it takes to detect and contain attacks
Successful Defense with Check Point

Pre-Compromise (Reconnaissance, Weaponization, Delivery), Compromise (Exploitation, Installation), Post-Compromise (Command & Control, Act on Objectives)

[Figure: Check Point controls mapped across the kill-chain stages: Threat Intelligence, IPS, Firewall, Anti-Virus, Anti-Bot, DLP, Anti-Spam, Endpoint Security, Document Security, URL Filtering, Threat Emulation, Threat Extraction, Forensics, Mobile Threat Prevention.]

INTELLIGENCE
• Extensive research
• Collaboration with industry leading services
• Sharing across users community

DETECTION
• Multi-layer architecture
• Evasion-resistant detection
• Best catch rate

PREVENTION
• Proactive practical prevention
• Effective containment
• Clear visibility and insight



RECONNAISSANCE

WEAPONIZATION

DELIVERY

EXPLOITATION

INSTALLATION

COMMAND AND CONTROL

ACTIONS ON OBJECTIVES


AGENDA

• Overview of MITRE ATT&CK
• MITRE ATT&CK Use Case in Organization
• Operationalizing MITRE ATT&CK
Introduction

• ATT&CK® stands for Adversarial Tactics, Techniques, and Common Knowledge.

• The MITRE ATT&CK framework is a curated knowledge base and model of cyber adversary behavior, reflecting the various phases of an adversary's attack lifecycle and the platforms they are known to target.

• MITRE ATT&CK was launched in 2015 as a result of work in which researchers emulated both adversary and defender behavior to improve post-compromise detection of threats through behavioral analysis.
History
ATT&CK TTPs
RECONNAISSANCE

• The adversary is trying to gather information they can use to plan future operations.

• Use case
  • IPS-In-Reconnaissance Activity Observed from External IP

• Recommendation steps:
1. Check if the IP is from a trusted vendor or Application Security/VAPT team.
2. If not, block the IP on the perimeter devices.
3. If the signature is not in block mode, change it to block mode.
RESOURCE DEVELOPMENT

• The adversary is trying to establish resources they can use to support operations.

• Use case
  • OS-MS-New Account Created by Non-Admin

• Recommendation steps:
1. Check if it is planned and approved, or otherwise genuine, activity.
2. If not, investigate the reason for the activity.
INITIAL ACCESS

• The adversary is trying to get into your network.

• Use case
  • IPS-In-Signature Observed from Blacklisted IP
  • FW-Inbound Traffic on Suspicious Ports : Allowed

• Recommendation steps:
1. Check if the IP is from a trusted vendor or Application Security/VAPT team.
2. If not, block the IP on the perimeter devices.
EXECUTION

• The adversary is trying to run malicious code.

• Use case
  • AV-SCCM-Virus Outbreak Observed

• Recommendation steps:
1. Anti-Virus
2. Patches
3. Unwanted files / software
PERSISTENCE

• The adversary is trying to maintain their foothold.

• Use case
  • OS-MS-User Account Created during Non-Business Hour

• Recommendation steps:
Validate whether the created account is legitimate.
1. If yes, check whether the account creation during non-business hours was authorized.
2. If not, audit all the activities performed from/on the newly created account.
PRIVILEGE ESCALATION

• The adversary is trying to gain higher-level permissions.

• Use case
  • ISE-Multiple Command Authorization failed

• Recommendation steps:
1. Check whether these activities are legitimate/genuine.
2. If not, investigate the reason for them.
DEFENSE EVASION

• The adversary is trying to avoid being detected.

• Use case
  • Forcepoint-Proxy Avoidance Observed-Allowed

• Recommendation steps:
1. Investigate the reason for requests towards the domain through Proxy Avoidance.
2. Check with the user the reason for accessing websites through Proxy Avoidance.
3. Block the external domain and external IP on the security devices if not associated with a business purpose.
CREDENTIAL ACCESS

• The adversary is trying to steal account names and passwords.

• Use case
  • OS-MS-Windows Multiple login failures Attempts

• Recommendation steps:
1. Unwanted files/passwords
2. Anti-Virus
3. Patches
DISCOVERY

• The adversary is trying to figure out your environment.

• Use case
  • FW-Internal to Internal Network Scan Detected

• Recommendation steps:
1. Check whether the traffic observed on the respective ports is genuine.
2. Investigate the reason for the network scan observed.
3. A misconfigured application might be connecting to an old IP configured internally; check with the asset owner for more details and update the IP address, or remove the application if it is no longer in use.
LATERAL MOVEMENT

• The adversary is trying to move through your environment.

• Use case
  • Remote Access Tools Observed-Blocked

• Recommendation steps:
1. Investigate the reason for the Remote Access Tools observed.
2. Check whether the user has the required approvals.
3. If not: a. Uninstall the application. b. Check whether the user installed the software without privileges or approval.
4. Restrict the user from accessing unauthorized applications.


COLLECTION

• The adversary is trying to gather data of interest to their goal.

• Use case
  • Mimecast-Huge amount of mail Observed from Single Mail ID – Outbound

• Recommendation steps:
1. Check whether these activities are legitimate/genuine.
2. If not, investigate the reason for them.
3. Check whether the activity was performed by an authorized user; change the password in case of an unauthorized user.
COMMAND AND CONTROL

• The adversary is trying to communicate with compromised systems to control them.

• Use case
  • FW- XFORCE Out-Connection Observed Towards Blacklisted URL
  • Traffic to Known C2 Servers

• Recommendation steps:
1. Block the malicious URL/IP on Proxy if there is no business relevance.
2. Check for Anti-Virus.
3. Check for Patches.
EXFILTRATION

• The adversary is trying to steal data.

• Use case
  • WG-Forcepoint-Traffic towards Potentially Unwanted Software or Hacking Observed – Allowed
  • Data Exfiltration Observed via FTP or SFTP

• Recommendation steps:
1. Block the Domain on the security devices
2. Unwanted files
3. Check for Anti-Virus.
4. Check for Patches.


IMPACT

• The adversary is trying to manipulate, interrupt, or destroy your systems and data.

• Use case
  • OS-MS-Windows Server Shutdown\Reboot Observed
  • FW-Palo Alto-HA status Change

• Recommendation steps:
1. Check if it is planned activity.
2. If yes, provide the CR/SR for it.
3. If not, investigate the reason for it.
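As an added example (not part of the slides or any vendor's product), two of the SIEM use cases listed above written as runnable detection rules over constructed Windows Security events: the Credential Access "Multiple login failures" rule and the Persistence "User Account Created during Non-Business Hour" rule. The event records, the 5-in-5-minutes threshold and the Mon-Fri 09:00-18:00 business window are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample Windows Security events: (timestamp, event_id, account, source_ip).
# 4625 = failed logon, 4720 = user account created. Not real telemetry.
EVENTS = [
    ("2024-03-04T02:14:05", 4625, "jsmith", "10.0.5.23"),
    ("2024-03-04T02:14:09", 4625, "jsmith", "10.0.5.23"),
    ("2024-03-04T02:14:12", 4625, "jsmith", "10.0.5.23"),
    ("2024-03-04T02:14:15", 4625, "jsmith", "10.0.5.23"),
    ("2024-03-04T02:14:20", 4625, "jsmith", "10.0.5.23"),
    ("2024-03-04T10:30:00", 4625, "amiller", "10.0.7.8"),  # single mistyped password
    ("2024-03-04T02:31:44", 4720, "svc_backup2", "10.0.5.23"),  # Monday 02:31
    ("2024-03-05T11:05:00", 4720, "newhire01", "10.0.9.1"),  # Tuesday, business hours
]

def parse(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S")

def multiple_login_failures(events, threshold=5, window=timedelta(minutes=5)):
    """Credential Access: threshold or more 4625 events for one account from
    one source inside a sliding window. Returns [(account, source_ip, count)]."""
    buckets = defaultdict(list)
    for ts, eid, account, src in events:
        if eid == 4625:
            buckets[(account, src)].append(parse(ts))
    hits = []
    for (account, src), times in buckets.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:  # slide the window forward
                start += 1
            if end - start + 1 >= threshold:
                hits.append((account, src, end - start + 1))
                break
    return hits

def off_hours_account_creation(events, start_hour=9, end_hour=18):
    """Persistence: 4720 events outside assumed business hours (Mon-Fri 09:00-18:00)."""
    hits = []
    for ts, eid, account, src in events:
        t = parse(ts)
        if eid == 4720 and (t.weekday() >= 5 or not start_hour <= t.hour < end_hour):
            hits.append((account, src, t.strftime("%a %H:%M")))
    return hits

if __name__ == "__main__":
    print("Credential Access:", multiple_login_failures(EVENTS))
    print("Persistence:", off_hours_account_creation(EVENTS))
```

Each hit is the trigger for the slide's recommendation steps (validate whether the activity is genuine, then investigate or audit); the single failed logon and the business-hours account creation are deliberately left below threshold to show what the rules do not fire on.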
Why MITRE ATT&CK?
Key Differences

1. Focus and Perspective: Cyber Kill Chain: Focuses on attack stages from the attacker's perspective, allowing defenders to interrupt the chain at any point. ATT&CK: Focuses on specific techniques used by attackers, providing a deeper understanding of tactics and procedures.

2. Order of Operations: Cyber Kill Chain: Prescribes a specific sequence of attack tactics. ATT&CK: Does not enforce a fixed order; it covers the full spectrum of techniques.

3. Complexity: Cyber Kill Chain: Simplified model, suitable for high-level analysis. ATT&CK: Detailed and comprehensive, offering depth and breadth.



Synergies and Practical Implications

1. Detection and Response: Cyber Kill Chain: Pinpoints threat identification stages. ATT&CK: Reveals specific tactics and techniques used.
2. Threat Hunting: ATT&CK: Enables proactive threat hunting by diving into granular techniques.
3. Incident Response: Combining Both: Organizations can benefit from the synergy by using the Kill Chain for high-level understanding and ATT&CK for detailed analysis.



THREAT EMULATION: Evasion-resistant sandboxing at CPU and OS level

THREAT EXTRACTION: Quick delivery of safe reconstructed content

PROTECT FROM THE UNKNOWN


[Restricted] ONLY for designated groups and individuals​
PREVENT & CONTAIN: Detect and block malicious infections and activity

RESPOND & REMEDIATE: Automated forensics analysis for effective response

ACCELERATE RESPONSE TO INFECTIONS
One Console to Manage Everything

Enterprise

ONE CONSOLE
ONE POLICY



THANK YOU

