Aquaboutic | Focus Security Research | Vulnerability Exploit | POC


Security operations practice based on ATT&CK + SOAR

Posted by fleschner at 2020-04-03

For a long time, security teams have been worn down by adopting one new technology after another and deploying defense measures layer upon layer, all to improve their operating environment in the hope of discovering and handling threats before attackers break through. As attack techniques keep evolving, this situation has not improved noticeably, and during the time window in which assets are exposed to the attacker they remain at high risk. How to improve the efficiency of threat detection and disposal, and thereby shorten the exposure window, is a problem we have to face. ATT&CK and SOAR offer new ways to improve it.

1、 The asymmetry between attack and defense drives security operations optimization

In the face of constantly changing threats, enterprises are under great pressure to operate securely. In the attack-defense contest it usually takes an attacker only minutes to reach the target, take it over, and then destroy or steal data, whereas it often takes security operators hours, days or even months to discover the attack, locate the affected asset, and take disposal measures. The root cause is the asymmetry between attack and defense.

This asymmetry is what drives security operations to be optimized continuously. It shows up in several ways:

1. In time, the attacker moves first; the defender can only find the anomaly after the attack is launched, so there is always some lag.

2. In space, the attacker breaks through a surface at a single point: finding one vulnerability is enough to launch, and even succeed in, an attack. The defender has to harden the system to block every risk point and can do nothing about the risk points that are unknown.

3. In technique, faced with the endless stream of new attack techniques, defenders cannot prepare detection and disposal measures in advance, which further widens the window during which assets are exposed.

4. In security operations itself there are also many problems: the volume of threat intelligence and events is large, security technologies are poorly integrated, and human experience is scarce and hard to codify, all of which leave security operations facing severe challenges.

Despite this asymmetry, the top priority of enterprise security is still to take measures to optimize operations and to identify and handle threats in time.

2、 Timely detection and response to threats is what keeps a system secure

There is no absolute security. Even the world's top three security vendors were reported by mainstream foreign media in May 2019 to have been breached by the hacker group Fxmsp, with their source code leaked. So-called "security" means keeping risk within an acceptable range: finding the threat in time and taking effective measures before the attacker breaks through the system's defenses. In the time-based security model, the criterion is:

Pt > Dt + Rt

Pt is how long the security measures can hold off the attacker (protection time); Dt is the time taken to discover the threat (detection time); Rt is the time the disposal measures take (reaction time). The criterion requires that the threat be detected and handled before the system is broken, that is:

ΔT = Pt − Dt − Rt, ΔT > 0

ΔT is the time window during which the system is exposed to the threat. When ΔT > 0 the system is in a relatively safe state, so Pt should be as large as possible and Dt and Rt as small as possible. However, Pt depends heavily on the attacker: an experienced attacker can quickly break through every layer of defense and gain control of assets, while an inexperienced one takes much longer. By analogy, a vault robber with advanced weapons breaks through the defense quickly, whereas one with bare hands easily gets stuck. The system's security officer cannot control the attacker's ability, but Dt and Rt can be shortened by adopting advanced concepts and technologies, and that is where security operations can be optimized.

By taking the attacker's perspective, deepening the understanding of threats, and recording the prevention, detection, mitigation and remediation steps of security defense as one or more courses of action (COA), mean time to detect (MTTD) and mean time to respond (MTTR) can both be shortened effectively. Several new technologies now offer ideas for optimizing security operations. MITRE ATT&CK provides a large knowledge base of attack tactics, techniques and procedures that helps defenders understand attacker behavior, evaluate and improve attack-recognition capability, and raise the efficiency of threat detection. SOAR, through intelligent orchestration and automated response to security events, gives a comprehensive and efficient response to security threats.

3、 ATT&CK accelerates threat discovery

3.1 The ATT&CK threat analysis system

The ATT&CK framework is a knowledge model and framework built on the kill chain that is more detailed and closer to real-world combat. It divides threat activity into tactics and techniques and provides a benchmark model for threat analysis in network security. Its 12 tactics are: Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Collection, Command and Control, Exfiltration, and Impact. Under each tactic are many attack techniques.

3.2 Rich and comprehensive data sources

Rich and comprehensive data is the basis for detecting threats in time and accurately. Relying on network traffic alone, it is hard to find attack behavior on the host, and with the trend toward encrypted traffic, traffic-based detection will only get harder. ATT&CK points to high-value host data.

Each technique entry in ATT&CK lists the data sources needed to detect it. MITRE's CARET project gives clearer guidance for attack analysis: it establishes the relationships among attack groups, attack techniques, analytics, data models and sensors. Read left to right, it shows which techniques an attack group uses to break in; read right to left, which sensors should collect data for classification and analysis. The two meet in the "analytics" column. The figure shows the file, process, user session, network message and other log categories needed to detect APT32 attacks. Analysis of host logs yields a great deal of direct evidence and quickly pins down a confirmed attack.

3.3 Updating and optimizing detection capability

At present, detection based on attack signatures is still mainstream, and the addition of threat intelligence has made signature-based detection more powerful. But as threats diversify, how do we evaluate detection capability and close the gaps?

ATT&CK collects, under each tactic, the attack techniques seen in real attack cases, and so provides a reference standard for threat analysis capability: any of these techniques may be the one an attacker adopts. Mapping a security product's detection capability onto the framework and measuring its coverage shows which detection points are not covered, exposes the deficiencies, and lets them be improved proactively. Covering more attack types reduces false positives and the time spent on manual forensics.

3.4 Behavior correlation analysis

Signature-based detection is one-dimensional and cannot detect unknown threats. Moreover, the alerts it raises may be mixed with false alarms from normal system operation; for example, operations and maintenance staff may also run uncommon system commands, such as from the cmd command line, to troubleshoot a system. Correlating single-point behaviors is therefore very helpful for eliminating false positives, analyzing the full picture of an attack, and locating compromised assets.

During an attack, combining which security events were hit, the relationships among the attack techniques used can be outlined on the ATT&CK matrix, showing clearly how the attacker succeeded step by step. Continuous attack-tracing analysis captures attack routines and turns them into accurate detection rules. At the same time it improves the threat-analysis ability of operators, strengthens their own technique coverage, steadily narrows the gap with attackers, and raises the efficiency of threat detection.

3.5 Red-blue confrontation improves security staff's operational ability

The ATT&CK matrix gives "attack tactics" a universal language. In practice, red-team and blue-team activities from red-blue exercises are compared against the ATT&CK matrix to find out how far the attackers got, which techniques they used, and which activities were missed. This deepens security personnel's understanding of threats, helps analysts and responders understand the attacker better, familiarizes them with confrontation skills in a real environment, and strengthens their practical ability.

4、 Filling the gap between threat discovery and response

4.1 Evolution of the threat model

The most intuitive presentation of the ATT&CK model is the tactic/technique matrix, whose level of abstraction sits in the middle. High-level threat analysis models such as the Lockheed Martin Cyber Kill Chain help customers understand the overall attack process and the attacker's goal, but they fall clearly short in expressing the details of the attacker's process: how the attacker's multiple attack actions relate to each other, how the sequence of actions maps to the attacker's tactical goal, and which data sources, defense measures and configurations those actions involve.

At the middle level, the ATT&CK model makes the high-level concepts (such as tactics) more descriptive. Each technique is given its data sources, further sub-techniques and concrete implementations. This means that if an attacker uses the technique, it leaves traces in the data sources (such as process information and process command-line arguments); if that information is monitored or recorded in real time and matched by the corresponding analysis and matching mechanism, the technique can be detected or blocked. These more descriptive attack techniques bridge the low-level data-source and vulnerability information and the higher-level tactics, map the attacker's behavior onto defense more effectively, and show what kind of attack is underway, so that the defender can formulate a more targeted disposal strategy.

4.2 Bridging attack technique and defense strategy

ATT&CK maps attacker behavior onto defense more effectively and describes each attack technique in great detail; some entries even carry code fragments. When attackers use these techniques, a variety of machine-readable detection or disposal scripts can be developed from the traces they leave in the data sources, including definitions of each script's input and output interfaces and its internal execution logic. Where manual investigation and judgment are required, suitable parameter interfaces should be reserved. Across the large body of attack techniques, atomic scripts can be built in this way.

Tagging threat-analysis results with ATT&CK shows which attacks the system has suffered and which specific techniques were used. Combined with typical attack routines or correlated threat hits, people and technology are orchestrated to link attack behaviors together, automatically or manually, and call preset or dynamically generated script sequences to handle the threat. Prevention, detection, disposal and other scripts are thus chained in series or in parallel into a security-operations course of action, accelerating threat disposal and improving operational efficiency. This is the key problem that SOAR technology solves.

5、 SOAR enables agile response

5.1 About SOAR

In 2017 Gartner comprehensively upgraded the SOAR concept, defining it as Security Orchestration, Automation and Response: technologies that enable organizations to collect security threat data and alerts from different sources, use a combination of human and machine to perform event analysis and triage, help define and prioritize, and drive standardized incident-response activities according to a standard workflow. Different security tools and technologies are coordinated by integrating multiple systems and platforms; people and technology are woven into business processes, and manual and automated workflow steps are created to simplify security processes and accelerate incident response.

1. Security orchestration: people and technology are programmed into business processes, that is, the capabilities of different devices or components are organized, through APIs and manual checkpoints, into ordered blocks of execution logic according to business needs, creating manual or automated workflow steps.

2. Automation: a subset of orchestration, which lets certain security capabilities be integrated automatically under given conditions. If a step depends entirely on API implementation, it is automated.

3. Response: more effective than traditional security solutions in many respects, covering the whole incident lifecycle: alert generation, validation, automated response, policy distribution, human disposition, and reporting.

Whether automatic or manual, each step is expressed as a playbook (script). Through series and parallel relationships between playbooks, the workflow a business scenario needs is constructed. For unknown attacks that need human participation, the corresponding playbooks must provide an entry point for human investigation and judgment.

5.2 Scenario-based operation

SOAR integrates technology and people into business processes and forms one or more course-of-action playbooks from the steps of prevention, investigation, mitigation and remediation, which can cooperate automatically or manually. The repetitive, routine and well-defined parts are handed to the machine; the new, complex and uncertain parts are handed to human judgment and disposal. The tasks in the operations process are decomposed and abstracted into playbooks of different types and granularity, triggered automatically or manually.

1. Investigative playbook: allows manual or automatic discovery of threats and their context, during or after a security event. For example, when the playbook receives a suspicious alert it compares the threat artifacts by investigating their context, querying threat intelligence, and so on, to decide whether to escalate to an incident.

2. Preventive playbook: protects the system from known threats and suspicious behavior. Such playbooks block malicious IPs, domain names, files, URLs and the like by changing policies on NF, IPS, AV, gateways and similar devices. In addition, vulnerability patches related to the threat should be applied.

3. Mitigation playbook: from the asset's perspective, isolates compromised users, devices, applications and so on and blocks the threat to prevent further penetration. A blocking playbook might, for example, move a compromised host to another network segment or VLAN for further troubleshooting and return it to the production network once the threat is eliminated.

4. Remediation playbook: remediates affected assets by selectively reverting malicious actions or rolling the device back to a known-good security state. Such playbooks usually execute immediately, without notification or negotiation.

Take the disposal of malicious files as an example. The playbooks can be orchestrated as follows: when TAC detects a malicious sample, it triggers the prepared "hunt file" playbook, which gathers the range of host assets to search, looks for similar sample files, uploads them to TAC, and passes the analysis and statistics to the security operations team for review. After the operations team has investigated and judged, it calls the "delete file" playbook, which automatically issues the operation instructions and removes the malicious files.
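The "hunt file" / "delete file" sequence just described, written out as an added example (this is not code from the original post or from TAC/ISOP). A constructed endpoint file inventory stands in for real endpoint queries, and the sample bytes, hash, hostnames, paths and scope prefix are all constructed for illustration. The point it shows is the handoff: the investigative playbook only produces a review package, and the remediation playbook acts only on an approved review.

```python
"""Added example: hunt a malicious sample across hosts, hand the hits to the
operations team for review, and delete only after approval.  The inventory,
sample bytes and hostnames are constructed; TAC is referenced by name only."""
import copy
import hashlib


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed: the sample TAC flagged, and its hash as the hunt key.
MALICIOUS_SAMPLE = b"constructed malicious sample bytes"
SAMPLE_HASH = sha256_hex(MALICIOUS_SAMPLE)
BENIGN_HASH = sha256_hex(b"quarterly report")

# Constructed endpoint inventory: host -> [(path, sha256), ...]
INVENTORY = {
    "fin-01": [("C:\\Users\\a\\Downloads\\invoice.exe", SAMPLE_HASH),
               ("C:\\Users\\a\\report.docx", BENIGN_HASH)],
    "fin-02": [("C:\\Users\\b\\report.docx", BENIGN_HASH)],
    "hr-01": [("C:\\Temp\\upd.exe", SAMPLE_HASH)],
    "dmz-web": [("/var/www/index.html", sha256_hex(b"<html>"))],
}


def hunt_file(inventory, file_hash, scope=None):
    """Investigative playbook: search the in-scope hosts for files whose
    hash equals the sample hash and build the package the operations
    team reviews.  `scope` is a hostname prefix (None = all hosts)."""
    hosts = [h for h in inventory if scope is None or h.startswith(scope)]
    hits = [{"host": h, "path": path}
            for h in hosts
            for path, digest in inventory[h]
            if digest == file_hash]
    return {
        "hash": file_hash,
        "hosts_searched": len(hosts),
        "hits": hits,
        "affected_hosts": sorted({hit["host"] for hit in hits}),
        # Nothing is deleted until an analyst has looked at this package.
        "status": "pending_review" if hits else "no_hits",
    }


def delete_file(inventory, package, decision):
    """Remediation playbook: remove the hits from the (simulated) hosts,
    but only for an approved review.  Returns the updated inventory and
    a record of what was removed so the action can be audited."""
    if decision != "approve":
        return inventory, {"deleted": [], "skipped": len(package["hits"])}
    updated = copy.deepcopy(inventory)   # simulate the endpoint action
    deleted = []
    for hit in package["hits"]:
        kept = [(p, d) for p, d in updated[hit["host"]] if p != hit["path"]]
        if len(kept) < len(updated[hit["host"]]):
            deleted.append(hit)
        updated[hit["host"]] = kept
    return updated, {"deleted": deleted, "skipped": 0}


def run_file_disposal(inventory, file_hash, analyst_decision, scope=None):
    """The whole sequence: hunt -> review -> delete (or stop)."""
    package = hunt_file(inventory, file_hash, scope)
    if package["status"] == "no_hits":
        return inventory, {"package": package, "outcome": "nothing_to_do"}
    updated, result = delete_file(inventory, package, analyst_decision)
    return updated, {"package": package, "outcome": analyst_decision, **result}


if __name__ == "__main__":
    _, report = run_file_disposal(INVENTORY, SAMPLE_HASH, "approve")
    print(report["affected_hosts"] if "affected_hosts" in report else report["package"]["affected_hosts"],
          "deleted:", len(report["deleted"]))
```

The scope parameter is the "range of host assets" step: hunting only the finance prefix returns one affected host, hunting everything returns two. Because the analyst's decision is an explicit argument, the same workflow can be driven from a ticket or a chat approval without changing the playbooks.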

5.3 Example of a playbook definition

Generally speaking, a playbook has three basic aspects: trigger, conditions and actions.

1. Trigger: when the trigger condition is met, the playbook starts executing. A single playbook can have several triggers combined logically; when a trigger is satisfied, the corresponding actions are started;

2. Conditions: control the logical flow of the playbook. Usually expressed as a condition block representing a set of conditions such as risk score, IP address, hostname, platform type and so on. Only when all conditions are met is the action performed;

3. Actions: an ordered set of tasks, such as killing a process, blocking an IP, sending an email notification or other operational tasks. The task flow can be suspended by setting an approval gate, which requires human intervention before subsequent tasks run.

An instantiated playbook needs more attributes beyond these three aspects, as follows.

Through a playbook definition in JSON format like the one above, workflow objects in the operations process are converted into machine-readable playbooks. Some typical playbooks are shown below. For example, for an IP that hit threat intelligence or was judged malicious by an analyst, the block_ip playbook can be called directly to block it.

5.4 Process response

The core of SOAR is developing and orchestrating playbooks and actions and executing playbooks automatically or semi-automatically. A security event is generated when a detection-engine playbook recognizes it. For well-defined security events, such as known attack routines, the corresponding playbooks are orchestrated according to their workflow patterns, and as the workflow advances the playbook actions execute in order. For uncertain security events (such as unknown threats), manual operation and event investigation and analysis are required; based on the findings, actions can be judged and executed directly, or new response playbooks can be created and, after strict verification, solidified into the system's playbook and action set, so that the next time they are triggered the response can be automated. The figure below shows the general relationship among events, people, playbooks, actions and devices during operation.

In addition, the rich knowledge and experience of security staff is refined and abstracted into easily repeatable processes, formed into new playbooks, and solidified into the system after verification. Playbooks must provide an entry point for manual investigation and judgment, so that valuable analysis knowledge and experience is retained and passed on.

6、 Case study

A security operations platform usually ingests multi-source logs, links them to the ATT&CK knowledge base, flexibly embeds security-analysis capability components, and identifies attack events accurately. By combining prediction with investigation, clear-cut events are handled automatically and suspicious ones manually, so security events are handled quickly and comprehensively and security operations form a closed loop. The general security operations process is as follows.

6.1 Tagging threat data

In actual operation, security events tagged with ATT&CK tell us which tactics and techniques the attacker used. For example, NSFOCUS's (Lvmeng's) next-generation intelligent security operations platform, ISOP, not only rates the severity of security events at a higher level from the attack-chain perspective, but also gives detailed ATT&CK information describing the specific techniques of the attack, giving customers a comprehensive threat-analysis view that shows both the forest and the trees.

6.2 Phishing attack analysis

In a more complex case, a phishing attack for example, the attack process is as follows:

Such a complex scenario can be detected at multiple points and generates multiple events, for example: email attachment detection, Office macro invocation, scheduled task creation, PowerShell behavior, abnormal process discovery, data encryption and so on. Which ATT&CK techniques the detected security events hit, and the relationships between them, are shown in the following figure.
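The correlation step from section 3.4, applied to the phishing events above, as an added example (not code from the original post or from ISOP). Each single-point alert is tagged with an ATT&CK tactic and technique, alerts are grouped per host into time-bounded chains, and a chain is escalated only when it spans several tactics, so the lone cmd.exe use by an operations engineer does not escalate while the phishing sequence does. The alerts, hosts, technique tags and the escalation threshold are constructed; the tactic list is the ATT&CK Enterprise order the post names.

```python
"""Added example: tag alerts with ATT&CK tactic/technique and correlate them
per host into an attack chain.  Alerts, hosts and the threshold are constructed."""
from collections import defaultdict
from dataclasses import dataclass

# ATT&CK Enterprise tactics in matrix order (the twelve the post lists).
TACTIC_ORDER = [
    "initial-access", "execution", "persistence", "privilege-escalation",
    "defense-evasion", "credential-access", "discovery", "lateral-movement",
    "collection", "command-and-control", "exfiltration", "impact",
]
TACTIC_RANK = {t: i for i, t in enumerate(TACTIC_ORDER)}


@dataclass(frozen=True)
class Alert:
    ts: int          # seconds since epoch (constructed)
    host: str
    source: str      # detection point that fired
    technique: str   # ATT&CK technique ID used as the tag
    tactic: str      # ATT&CK tactic used as the tag
    detail: str


# Constructed alerts: the phishing scenario on wks-07, plus an ops engineer
# running a one-off command on ops-01 (the false-positive case).
SAMPLE_ALERTS = [
    Alert(1000, "wks-07", "mail-gw", "T1566.001", "initial-access", "attachment invoice.docm"),
    Alert(1060, "wks-07", "edr", "T1204.002", "execution", "WINWORD.EXE ran a macro"),
    Alert(1090, "wks-07", "edr", "T1059.001", "execution", "powershell.exe launched"),
    Alert(1120, "wks-07", "edr", "T1053.005", "persistence", "scheduled task created"),
    Alert(1300, "wks-07", "ndr", "T1071.001", "command-and-control", "sts.exe connected to 203.0.113.7:443"),
    Alert(1500, "wks-07", "edr", "T1486", "impact", "mass file rename to .locked"),
    Alert(2000, "ops-01", "edr", "T1059.003", "execution", "cmd.exe /c ipconfig /all"),
]


def build_chains(alerts, window=3600):
    """Group alerts by host, split a host's alerts into sessions whenever the
    gap between consecutive alerts exceeds `window` seconds, and keep each
    session in time order (the 'step by step' view of the intrusion)."""
    per_host = defaultdict(list)
    for a in sorted(alerts, key=lambda x: x.ts):
        per_host[a.host].append(a)
    chains = []
    for host, items in per_host.items():
        session = [items[0]]
        for a in items[1:]:
            if a.ts - session[-1].ts > window:
                chains.append((host, session))
                session = []
            session.append(a)
        chains.append((host, session))
    return chains


def assess_chain(host, chain, min_tactics=3):
    """Summarise one chain: distinct tactics in matrix order, the technique
    sequence, the sensors involved, and whether it spans enough tactics to
    escalate to an incident rather than stay a single suspicious event."""
    tactics = sorted({a.tactic for a in chain}, key=TACTIC_RANK.__getitem__)
    return {
        "host": host,
        "tactics": tactics,
        "techniques": [a.technique for a in chain],
        "sources": sorted({a.source for a in chain}),
        "escalate": len(tactics) >= min_tactics,
    }


def correlate(alerts, window=3600, min_tactics=3):
    """Return one assessment per chain, escalated chains first."""
    results = [assess_chain(h, c, min_tactics) for h, c in build_chains(alerts, window)]
    return sorted(results, key=lambda r: (not r["escalate"], r["host"]))


if __name__ == "__main__":
    for r in correlate(SAMPLE_ALERTS):
        print(r["host"], "ESCALATE" if r["escalate"] else "watch", " -> ".join(r["tactics"]))
```

The threshold of three tactics is a constructed starting point; in practice it would be tuned against the false-positive sources the post mentions (maintenance commands, scripted administration) and combined with the coverage mapping from section 3.3, since a tactic with no sensor coverage can never appear in a chain.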

For the suspicious process sts.exe event found there, we call the investigative_process playbook to view the context of the suspicious process and present it visually.

When the process is found connecting to an external IP, the investigative_ip playbook can be called for threat-intelligence analysis. If the IP is a known malicious one, the block_ip playbook is called to block it with one click. In fact, in this case the malicious IP can be blocked automatically by orchestrating the detect_external_connection_ip, investigative_ip and block_ip playbooks into a linear workflow.
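The linear workflow just described, expressed in the trigger / conditions / actions form of section 5.3 and executed, as an added example (not code from the original post or from ISOP). The three action names come from the post; the JSON schema, its field names, the `skip_if` attribute on the approval gate, the organization's internal address ranges, the threat-intelligence feed and the events are all constructed. The example goes slightly beyond the post in that it also shows the two non-automated outcomes: a threat-intelligence miss parks the workflow at the approval gate for an analyst, and an internal destination ends the workflow without any blocking.

```python
"""Added example: a JSON playbook (trigger, conditions, actions with an approval
gate) run as detect_external_connection_ip -> investigative_ip -> block_ip.
Schema, address ranges, TI feed and events are constructed."""
import ipaddress
import json

PLAYBOOK_JSON = """
{
  "name": "external_ip_response",
  "trigger": {"event_type": "process_network_connection"},
  "conditions": [
    {"field": "risk_score", "op": ">=", "value": 70},
    {"field": "platform", "op": "==", "value": "windows"}
  ],
  "actions": [
    {"name": "detect_external_connection_ip"},
    {"name": "investigative_ip"},
    {"name": "approval_gate",
     "skip_if": {"field": "ti_verdict", "op": "==", "value": "malicious"}},
    {"name": "block_ip"}
  ]
}
"""
PLAYBOOK = json.loads(PLAYBOOK_JSON)

# Constructed organisation address space and threat-intelligence feed.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
TI_FEED = {"203.0.113.7": "malicious"}

OPS = {">=": lambda a, b: a >= b, "==": lambda a, b: a == b, "in": lambda a, b: a in b}


def condition_holds(cond, data):
    """Evaluate one condition block entry against an event or the run context."""
    value = data.get(cond["field"])
    return value is not None and OPS[cond["op"]](value, cond["value"])


# Each action reads and writes the shared context (its input/output interface)
# and returns True to continue the workflow or False to stop it.
def detect_external_connection_ip(ctx):
    ip = ipaddress.ip_address(ctx["event"]["dst_ip"])
    if any(ip in net for net in INTERNAL_NETS):
        ctx["status"] = "no_external_ip"
        return False
    ctx["external_ip"] = str(ip)
    return True


def investigative_ip(ctx):
    ctx["ti_verdict"] = TI_FEED.get(ctx["external_ip"], "unknown")
    return True


def block_ip(ctx):
    ctx["blocked"].append(ctx["external_ip"])  # would push a firewall policy
    return True


ACTIONS = {f.__name__: f for f in (detect_external_connection_ip, investigative_ip, block_ip)}


def run_playbook(playbook, event, approvals=None):
    """Check trigger and conditions, then run the actions in order.  At an
    approval gate whose skip_if does not hold, stop with awaiting_approval
    unless `approvals` already records the analyst's decision for this IP."""
    ctx = {"event": event, "blocked": [], "log": []}
    if event.get("type") != playbook["trigger"]["event_type"] or \
            not all(condition_holds(c, event) for c in playbook["conditions"]):
        ctx["status"] = "not_triggered"
        return ctx
    for action in playbook["actions"]:
        name = action["name"]
        if name == "approval_gate":
            if condition_holds(action["skip_if"], ctx):
                ctx["log"].append("gate skipped: TI hit")
                continue
            decision = (approvals or {}).get(ctx["external_ip"])
            if decision is None:
                ctx["status"] = "awaiting_approval"
                return ctx
            if decision != "approve":
                ctx["status"] = "closed_by_analyst"
                return ctx
            ctx["log"].append("gate approved by analyst")
            continue
        ctx["log"].append(name)
        if not ACTIONS[name](ctx):
            return ctx
    ctx["status"] = "done"
    return ctx


def make_event(dst_ip, risk_score=85, platform="windows"):
    """Constructed event in the shape the detection engine would hand over."""
    return {"type": "process_network_connection", "host": "wks-07",
            "process": "sts.exe", "dst_ip": dst_ip,
            "risk_score": risk_score, "platform": platform}
```

Two design points worth noting: the gate's `skip_if` is evaluated with the same condition evaluator as the playbook's condition block, so "block automatically on a TI hit, ask a human otherwise" is data in the playbook rather than code in the engine; and the internal ranges are configured explicitly instead of relying on a library's notion of "private", because documentation and test ranges are classified differently by different libraries.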

7、 Conclusion

Under the dilemma of attack-defense asymmetry, an effective way to raise the efficiency of security operations is to find and respond to threats in time and keep the system's exposure window to a minimum. New technologies such as ATT&CK and SOAR bring fresh blood to threat detection and response and offer new ideas for optimizing security operations. Precisely because of their strong capabilities and characteristics, however, how to make good use of ATT&CK and SOAR and integrate them into products to improve product security capability is a question that needs careful thought.
