Building a Detection Strategy Based

Abdullah AlSharif

The purpose of this article is to present a method to enhance detection capability using MITRE ATT&CK. By improving your visibility you can build a detection methodology that will help you catch the adversary. You might deploy a number of technologies to prevent an adversary, but they will find a workaround. So, having a detection capability is a genuine need.

Security Operation Center Culture
Start preparing now and make mistakes now, then fix them. Collecting events from data sources (e.g. Windows event logs, Sysmon, or PowerShell) is useful WHEN you know what type of information you get from them. Reviewing your data sources and the types of events you get helps a lot in tuning false positives (which is a tedious job) and creates some sense of what is happening in your organization. Building this culture in your Security Operation Center helps in catching the real threats.

MITRE ATT&CK is a knowledge base of adversary tactics and techniques based on real-world observations. It is known to be a valuable source for creating threat models and methodologies.

How can MITRE ATT&CK benefit us?
MITRE ATT&CK is helpful and can tell you about your visibility, which is very important to us. It provides the tactics, techniques, and procedures (TTPs) of the best-known (categorized) APTs, and we will use them to enhance our detection capability. As Anomali points out, there are several challenges when leveraging ATT&CK, such as:
  • Some techniques have many possible methods of execution
  • Some techniques are listed under multiple tactics
    • Example: DLL Search Order Hijacking (T1038)
    • Shows up under Persistence, Privilege Escalation, and Defense Evasion tactics
    • Some techniques, such as this one, can be used for multiple use cases and are useful in multiple stages of attack
However, all of these challenges can be overcome.

Building the Detection Strategy
Creating detections for the most dangerous adversaries won't be an easy task. So, this should be a long-term goal for the SOC team. Using the MITRE ATT&CK model, we will build our detection based on multiple factors.

  • Choose your threat actor
Open the MITRE ATT&CK page that categorizes the groups. Search for all the APTs that either have an interest in your business/sector or are known to be attacking your region. You can start with a small list, or just put them all on a page, and you might find a lot of intersection between them (their techniques might be completely or partially the same). Keep in mind to be specific about your interest, since MITRE provides both Enterprise and Mobile techniques.

For simplicity, we will focus on adversaries attacking the region, and only on techniques that apply to the Windows operating system.

Example of a group that is known to be targeting the Middle East
We chose the groups that are most likely targeting the Middle East.
Here is our list:
  1. APT37
  2. DarkHydrus
  3. Inception
  4. Leafminer

  • Create a roadmap
After choosing the groups, you can use a tool created by the MITRE ATT&CK team called MITRE ATT&CK Navigator.

Follow this great tutorial to include multiple groups in one layer.
Filter the results according to your organization's environment. Our focus will be on Windows workstations and the network.
Filtering out other platforms
Finally, you can render your layers as an SVG file or an Excel sheet. The colors below show which group is using which techniques. You can customize the colors as you wish. However, the red cells show the intersection between groups.
Download the file as an Excel sheet to track your activity.
  • Examine the threat
Now that we have our roadmap, we can start to learn more about the techniques. You can use the Navigator to bring up the technique for you. Check the technique page and you will find a lot of information about its definition, examples, mitigation, detection and references. Our main focus here is the detection area. For each technique, there are data sources from which it can be collected and integrated into your SIEM solution. This practice will help you know which data you need to send to your SIEM.

Simulating the Techniques
After defining our detection strategy, now it's time to imitate the adversaries.
It is much better to engage the red team in this process. However, for demonstration purposes we will be using open source tools that simulate attacks based on MITRE ATT&CK. There are a number of tools, such as Atomic Red Team, MITRE Caldera, PurpleSharp, etc.

For the ease of this blog, we will be using PurpleSharp. This tool is written in C# to execute adversary techniques within a Windows Active Directory environment, simulating adversary techniques based on the MITRE ATT&CK framework.
Some attacks can leverage different techniques. Ensure that you have visibility on all of them.
  • Executing PowerShell (T1059.001)
Let's try this technique and see if we can catch it.
Executing T1059.001 against Windows 10
As we can see in the previous PowerShell terminal, on the left side you will see the time of execution, which will help you narrow your search.
In Splunk, we will be looking for Windows event ID 4688, which indicates a new process has been created.
Splunk logs (Windows event logs)
Windows event ID 4688 needs to be enabled to log every process created on the system, using the local security policy. To include the command line, you need to enable this logging level from group policy.

To enable process creation logging:
  • Go to "Advanced Audit Policy Configuration"
  • System Audit Policies
  • Local Group Policies
  • Click on "Audit Process Creation"
  • Check "Success"
To enable the command line logging within the event ID 4688 using group policy:
  • Go to "Local Computer Policy"
  • Computer Configuration
  • Administrative Templates
  • System
  • Click on "Audit Process Creation"
  • Set Enabled for "Include command line in process creation events"
It's highly recommended to disable PowerShell v2 on all devices and use PowerShell v5.
  • Executing JavaScript/JScript T1059.007
Let's try this technique and see if we can detect it from Splunk.
Executing T1059.007 against Windows 10
While we detected the previous technique using Windows logs, for this one we will be looking for events in the Sysmon logs.
Splunk logs (Windows event logs)
From those logs, we can see that PurpleSharp dropped the simulated Firefox_installer.exe and then ran the command "wscript.exe invoice0420.js", which indicates a potentially malicious JS file.
JScript and VBScript are executed by Windows Script Host (WSH) using cscript.exe and wscript.exe.
Windows executables (PE files) that use the Windows subsystem come in two options:
1. Console executables (implemented by cscript.exe)
2. GUI executables (implemented by wscript.exe)
The JScript engine is implemented in the DLL jscript.dll. We could have stopped this attack by removing or blocking access to wscript.exe and cscript.exe using application whitelisting, disabling JScript support by de-registering its ActiveX components, or disabling WSH for users by changing the registry key
HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings
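Detection logic for the two simulated techniques above (T1059.001 from Security event 4688 and T1059.007 from Sysmon Event ID 1), as an added Python example that is not part of the original post or of PurpleSharp; the events are constructed samples and the field names are assumed to match a SIEM extraction. It also flags a 4688 record with an empty command line as the visibility gap that the group policy steps above close.

```python
import re

# Constructed sample events (not real telemetry), split into fields the way a SIEM
# extraction would; "process" holds New_Process_Name (4688) or Image (Sysmon 1).
SAMPLE_EVENTS = [
    {"event_id": 4688,
     "process": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell.exe -version 2 -Command Get-Process"},
    {"event_id": 4688,
     "process": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": ""},  # host without "Include command line" enabled
    {"event_id": 1,
     "process": r"C:\Windows\System32\wscript.exe",
     "command_line": r'"C:\Windows\System32\wscript.exe" invoice0420.js'},
]

# Script types WSH runs, and the switch that selects the PowerShell v2 engine.
SCRIPT_FILE = re.compile(r"\.(js|jse|vbs|vbe|wsf)\b", re.IGNORECASE)
PS_V2_SWITCH = re.compile(r"-v(ersion)?\s+2\b", re.IGNORECASE)

def basename(path):
    """Last component of a Windows path, lower-cased for comparison."""
    return path.rsplit("\\", 1)[-1].lower()

def detect_t1059_001(events):
    """T1059.001: powershell.exe launches in Security 4688 events."""
    hits = []
    for ev in events:
        if ev["event_id"] != 4688 or basename(ev["process"]) != "powershell.exe":
            continue
        cmd = ev["command_line"]
        if not cmd:
            # 4688 is on but command-line logging is not: a visibility gap, not an alert.
            hits.append(("visibility_gap", "4688 without command line"))
        elif PS_V2_SWITCH.search(cmd):
            hits.append(("high", "PowerShell v2 downgrade requested"))
        else:
            hits.append(("low", "powershell.exe process created"))
    return hits

def detect_t1059_007(events):
    """T1059.007: WSH executing a script file, from Sysmon Event ID 1."""
    hits = []
    for ev in events:
        if ev["event_id"] != 1 or basename(ev["process"]) not in ("wscript.exe", "cscript.exe"):
            continue
        match = SCRIPT_FILE.search(ev["command_line"])
        if match:
            hits.append(("high", f"{basename(ev['process'])} ran a {match.group(0)} script"))
    return hits
```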

Security Operation Center analysts must understand attack techniques in order to defend better, and this will only happen if management supports the SOC team with training, tools and technology. This blog explains the importance of having full visibility into enterprise data and taking advantage of it.
