<h1>Threat Frameworks &#8211; some quick thoughts</h1>
<p>Posted 2018-03-12, last modified 2018-03-14. Source: <a href="https://www.hexacorn.com/blog/2018/03/12/threat-frameworks-some-quick-thoughts/">hexacorn.com</a></p>

<p><strong>Update</strong></p>
<p>Added some more ideas.</p>

<p><strong>Old Post</strong></p>
<p>We have reached the stage where there are a number of threat frameworks on 'the market'. They all look at the threat taxonomy from different angles; they overlap, they compete, and sometimes they go in weird directions. I have been thinking about the usefulness and completeness of these frameworks for a while and eventually decided to post some quick thoughts. What actually inspired this post is a <a href="https://twitter.com/rickhholland/status/971490683176542209">tweet</a> by Rick Holland, where he said:</p>
<p><a href="https://www.hexacorn.com/blog/wp-content/uploads/2018/03/twit1.png"><img class="aligncenter size-full wp-image-4671" src="https://www.hexacorn.com/blog/wp-content/uploads/2018/03/twit1.png" alt="Tweet by Rick Holland on threat frameworks" width="516" height="96" /></a></p>
<p>I was happy to see that I am not the only one who sees it as a new buzzword, a fad really.</p>
<p>BUT</p>
<p>Having said that, I do believe there is a real need to pick _some_ threat framework and model your defensive strategy around it.</p>
<p>And I actually like <a href="https://attack.mitre.org/wiki/Main_Page">Att&amp;ck</a> more and more.</p>
<p>Where the Kill Chain was very high-level, Att&amp;ck attempts to itemize every single tactic and technique that affects Confidentiality, Integrity and Availability. This is a great approach, because it can directly drive anomaly hunting, detection use cases, the choice of additional controls, etc. Being in a position to say that your defenses cover this or that percentage of the Att&amp;ck matrix is good quantitative data that can be presented to senior management, and maybe even to auditors.</p>
<p>Before you use Att&amp;ck in its current form, be aware that it is a work in progress and it will certainly change in the future.</p>
<p>Why?</p>
<p>Because it is far from complete.</p>
<p>For instance, looking at the techniques, there are a lot of tricks that are not there yet, and items whose description could be amended:</p>
<ul>
<li>alternate data streams on NTFS</li>
<li>extended attributes on NTFS</li>
<li>many persistence tricks</li>
<li>cases where malware is found dormant in archives (e.g. mailboxes, backups, or remnants of very old infections) or on removable devices; this is not even an active attack, but it does affect the integrity of the system</li>
<li>cases where artifacts downgrade the security posture of the system (e.g. disabling UAC, changing IE zone settings, etc.)</li>
<li>cases where malware belongs to old-school OSs, e.g. Win95/DOS (the risk is minimal, but a threat taxonomy should include them)</li>
<li>EICAR</li>
<li>remnants of internal pentesting (sometimes detected long after the actual test)</li>
<li>viral infection, including unusual infection methods like EPO (Entry Point Obscuring)</li>
<li>I could not find 'worm'</li>
<li>trojanized applications (e.g. web shells, but also fake applications on torrent sites)</li>
<li>adware, PUA/PUP (is it considered an attack if legitimate software is bundled with adware?)</li>
<li>tracking cookies (not sure if it fits)</li>
<li>AtomBombing and PROPagate code injection tricks</li>
<li>enabling DEBUG/VERBOSE flags of applications (e.g. so that logs include track data that the bad guys can then collect)</li>
<li>hooking is a very loaded technique; it is really a class of techniques. The current description talks mainly about Windows but misses EAT hooking, COM hooking and SSDT hooking, and there is also hooking on the web side (e.g. hooking of the functions that manage PHP output buffers, or adding JavaScript callbacks). There are also cases where hooking is implemented via a subtle, small patch inside a native OS binary that makes it load a malicious DLL, and plenty of other tricks like this (I once saw a vendor DLL replaced with a malicious one that inserted itself as a man-in-the-middle, observing all transmitted buffers in plain text)</li>
<li>'Modify Registry' is such a loaded technique too; I am not sure it should be listed as a separate technique, since it is really a class of techniques... on the other hand, I don't know where else it could be placed</li>
<li>accidental data leakage (e.g. GitHub, Wikipedia, translation services)</li>
<li>LSASS Driver: the word 'driver' may be a bit misleading, as it is usually reserved for kernel-mode drivers</li>
<li>etc.</li>
</ul>
<p>There is also additional complexity from the fact that the framework tries to cover the Windows, OS X and Linux platforms in one table (correction: there are various views available, which helps a lot). Obviously, digging into each item will give you lots of information and references.</p>
<p>Now, it is easy to sit down and criticize.</p>
<p>I have tried to build a taxonomy myself in the past, and building such a multidimensional database is an extremely daunting task. Att&amp;ck already contains lots of very useful information, and we really need to applaud the efforts of the Mitre team!</p>
<p>Fad or not, we are slowly moving from a technology- or control-oriented approach to security to a more measurable and reliable, risk-management-driven approach.</p>
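<p>The "percentage of the Att&amp;ck matrix covered" figure discussed above can be computed from MITRE's published data rather than by hand. The script below is an added example and is not code from this post or from MITRE: it reads a bundle in the STIX 2.0 shape Att&amp;ck is distributed in (<code>attack-pattern</code> objects carrying <code>kill_chain_phases</code> and an <code>external_references</code> entry with the T-number), here replaced by a constructed, heavily reduced bundle that uses the 2018-era IDs of techniques named in the post, and maps an invented set of detection use cases onto it. It reports coverage per tactic, flags mappings to IDs that do not exist in the matrix, and lists the uncovered techniques as a hunting backlog.</p>

```python
"""Measure how much of an Att&ck-style matrix a set of detection use cases covers.

Added example, not code from the post or from MITRE. The bundle below is a
constructed, heavily reduced stand-in for the real STIX 2.0 data; only the
field names (attack-pattern, kill_chain_phases, external_references) and the
2018-era technique IDs are real.
"""
import json
from collections import defaultdict


def _ap(tid, name, *tactics):
    """Build one attack-pattern object in the shape Att&ck publishes."""
    return {"type": "attack-pattern", "name": name,
            "external_references": [{"source_name": "mitre-attack", "external_id": tid}],
            "kill_chain_phases": [{"kill_chain_name": "mitre-attack", "phase_name": t}
                                  for t in tactics]}


# Constructed sample bundle (five techniques instead of ~200).
SAMPLE_BUNDLE = json.dumps({"type": "bundle", "objects": [
    _ap("T1179", "Hooking", "persistence", "privilege-escalation", "credential-access"),
    _ap("T1112", "Modify Registry", "defense-evasion"),
    _ap("T1177", "LSASS Driver", "execution", "persistence"),
    _ap("T1003", "Credential Dumping", "credential-access"),
    _ap("T1055", "Process Injection", "defense-evasion", "privilege-escalation"),
    {"type": "relationship", "relationship_type": "uses"},  # real bundles mix these in
]})

# Invented detection use cases -> technique IDs they are believed to address.
USE_CASES = {
    "Sysmon 13: value set under sensitive registry keys": ["T1112"],
    "Sysmon 8: CreateRemoteThread into another process": ["T1055"],
    "Sysmon 10: lsass.exe opened with read access by a user process": ["T1003"],
    "Legacy rule with a stale mapping": ["T9999"],  # points at nothing in the matrix
}


def load_matrix(bundle_json):
    """Return {tactic: {technique_id: name}}; skips non-technique STIX objects."""
    matrix = defaultdict(dict)
    for obj in json.loads(bundle_json)["objects"]:
        if obj.get("type") != "attack-pattern":
            continue
        tid = next(r["external_id"] for r in obj["external_references"]
                   if r.get("source_name") == "mitre-attack")
        for phase in obj.get("kill_chain_phases", []):
            if phase["kill_chain_name"] == "mitre-attack":
                matrix[phase["phase_name"]][tid] = obj["name"]
    return dict(matrix)


def _claimed(use_cases):
    """Every technique ID any use case claims to cover."""
    return {tid for tids in use_cases.values() for tid in tids}


def coverage(matrix, use_cases):
    """Per-tactic (covered, total) plus any mapped IDs that are not in the matrix."""
    known = {tid for techs in matrix.values() for tid in techs}
    claimed = _claimed(use_cases)
    per_tactic = {tactic: (len(claimed & set(techs)), len(techs))
                  for tactic, techs in matrix.items()}
    return per_tactic, sorted(claimed - known)


def overall(matrix, use_cases):
    """Two different '% of the matrix': unique techniques vs tactic x technique cells.
    A multi-tactic technique counts once in the first and once per column in the
    second, so the two numbers differ; decide which one you report."""
    per_tactic, _ = coverage(matrix, use_cases)
    known = {tid for techs in matrix.values() for tid in techs}
    covered = _claimed(use_cases) & known
    cells_covered = sum(c for c, _ in per_tactic.values())
    cells_total = sum(t for _, t in per_tactic.values())
    return (round(100 * len(covered) / len(known), 1),
            round(100 * cells_covered / cells_total, 1))


def uncovered(matrix, use_cases):
    """(id, name) of every technique no use case addresses: the hunting backlog."""
    claimed = _claimed(use_cases)
    return sorted({(tid, name) for techs in matrix.values()
                   for tid, name in techs.items() if tid not in claimed})


if __name__ == "__main__":
    m = load_matrix(SAMPLE_BUNDLE)
    per_tactic, unknown = coverage(m, USE_CASES)
    for tactic, (c, t) in sorted(per_tactic.items()):
        print(f"{tactic:<22} {c}/{t}")
    print("technique %, cell %:", overall(m, USE_CASES))
    print("uncovered:", uncovered(m, USE_CASES))
    print("mapped to unknown IDs:", unknown)
```

<p>On the sample data, 60% of the techniques are covered but only 44% of the tactic-by-technique cells, because a multi-tactic technique such as Hooking occupies three columns at once; say which of the two figures you are reporting before it reaches management. "Covered" here means only that some use case is mapped to the technique, not that the detection is reliable, and the stale <code>T9999</code> mapping is surfaced rather than silently counted. Replace <code>SAMPLE_BUNDLE</code> with the real Att&amp;ck STIX bundle to run it against the full matrix.</p>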