{"id":6856,"date":"2019-10-24T22:45:07","date_gmt":"2019-10-24T22:45:07","guid":{"rendered":"http:\/\/www.hexacorn.com\/blog\/?p=6856"},"modified":"2019-10-24T23:16:01","modified_gmt":"2019-10-24T23:16:01","slug":"attck-updates","status":"publish","type":"post","link":"https:\/\/www.hexacorn.com\/blog\/2019\/10\/24\/attck-updates\/","title":{"rendered":"Att&#038;ck updates&#8230;"},"content":{"rendered":"\n<p>I like the recent update to <a href=\"https:\/\/twitter.com\/MITREattack\/status\/1187366974529126401?s=20\">Mitre Att&amp;ck<\/a>. For many reasons:<\/p>\n\n\n\n<ul><li>It finally covers the cloud as a separate entity!<\/li><li>It introduces cloud-specific techniques<\/li><li>and most importantly &#8211; it breaks many assumptions<\/li><\/ul>\n\n\n\n<p>Many of us took Att&amp;ck for granted. It is already there, it&#8217;s pretty established, and it doesn&#8217;t change much. New tactics and techniques are introduced on a regular basis, but in fairness &#8212; changes were very manageable.<\/p>\n\n\n\n<p>This is why the recent update is so important. 
It emphasizes the volatile state of the framework that is still closer to <em><a href=\"https:\/\/en.wikipedia.org\/wiki\/Nascent_state_(disambiguation)\">in statu nascendi<\/a><\/em> than a fully formalized and complete framework.<\/p>\n\n\n\n<p>Proof?<\/p>\n\n\n\n<p>We are so used to OS platforms being Windows, Linux and OS X that we may find it surprising that now it&#8217;s a completely different game &#8211; the update includes the following platforms:<\/p>\n\n\n\n<ul><li>Linux<\/li><li>macOS<\/li><li>Windows<\/li><li>Office 365<\/li><li>Azure AD<\/li><li>Azure<\/li><li>GCP<\/li><li>AWS<\/li><li>SaaS<\/li><\/ul>\n\n\n\n<p>In terms of log sources, we now have:<\/p>\n\n\n\n<ul><li>File monitoring<\/li><li>Process monitoring<\/li><li>Process command-line parameters<\/li><li>Process use of network<\/li><li>API monitoring<\/li><li>Access tokens<\/li><li>Windows Registry<\/li><li>Windows event logs<\/li><li>Azure activity logs<\/li><li>Office 365 account logs<\/li><li>Authentication logs<\/li><li>Packet capture<\/li><li>Loaded DLLs<\/li><li>System calls<\/li><li>OAuth audit logs<\/li><li>DLL monitoring<\/li><li>Data loss prevention<\/li><li>Binary file metadata<\/li><li>Malware reverse engineering<\/li><li>MBR<\/li><li>VBR<\/li><li>Network protocol analysis<\/li><li>Browser extensions<\/li><li>AWS CloudTrail logs<\/li><li>Office 365 audit logs<\/li><li>Stackdriver logs<\/li><li>Netflow\/Enclave netflow<\/li><li>Disk forensics<\/li><li>Component firmware<\/li><li>PowerShell logs<\/li><li>Host network interface<\/li><li>Network intrusion detection system<\/li><li>Kernel drivers<\/li><li>Application logs<\/li><li>Third-party application logs<\/li><li>Web application firewall logs<\/li><li>Web logs<\/li><li>Services<\/li><li>Anti-virus<\/li><li>SSL\/TLS inspection<\/li><li>Network device logs<\/li><li>DNS records<\/li><li>Web proxy<\/li><li>Office 365 trace logs<\/li><li>Mail server<\/li><li>Email gateway<\/li><li>User interface<\/li><li>Windows Error 
Reporting<\/li><li>BIOS<\/li><li>Environment variable<\/li><li>Asset management<\/li><li>Sensor health and status<\/li><li>Digital certificate logs<\/li><li>Named Pipes<\/li><li>Azure OS logs<\/li><li>AWS OS logs<\/li><li>Detonation chamber<\/li><li>EFI<\/li><li>WMI Objects<\/li><\/ul>\n\n\n\n<p>These logs are very wide in scope and many of them now directly reference cloud-specific sources.<\/p>\n\n\n\n<p>I would still like them broken down into even more granular pieces though, for instance: the Windows event logs. If you think of them as a single item you will fail to observe the following:<\/p>\n\n\n\n<ul><li>Not all Event Logs come enabled by default and need specific audits to be enabled<\/li><li>Event Logs come from various buckets: system, security, application are the most popular, but there are more: powershell, BITS, WMI, Sysmon, etc. (you should follow <a href=\"https:\/\/twitter.com\/SBousseaden\">@SBousseaden<\/a> for more ideas) &#8212; in my opinion every combo Log Event Source\/Event ID needs to be called out as a separate log source entry. It has to be configured, tested, and then used &amp; monitored&#8230;<\/li><li>The metrics are as good as your input data; if you fly high, you miss the subtleties&#8230; and in the Blue Team game subtleties matter a lot; you do want to know how many systems are covered by each security control (whether provided by a vendor, or developed in-house)<\/li><\/ul>\n\n\n\n<p>Also&#8230;<\/p>\n\n\n\n<ul><li>Some of these logs do seem a bit redundant e.g. 
<em>Loaded DLLs<\/em> vs DLL <em>monitoring<\/em><\/li><li><em>Windows Event Logs<\/em> do cover <em>PowerShell<\/em> logs and these are listed separately<\/li><li><em>Named Pipes<\/em> sounds like a weird log source &#8212; is it a subset of <em>API Monitoring<\/em>(?)<\/li><li><em>API Monitoring<\/em> and <em>System calls<\/em> are hard to obtain; we have auditd on Linux, which helps, but full-blown API monitoring on Windows is hard to implement (performance hit)<\/li><li>I personally don&#8217;t like the term <em>Detonation chamber<\/em> &#8211; it suggests a sandbox processing of some sort, but kinda misses the point of dynamic metadata extraction&#8230; while saying so, I can&#8217;t propose a better term, so I guess it&#8217;s probably the most accurate&#8230;<\/li><li>Some are not granular enough: Anti-virus logs require a dedicated book where every popular security solution is inspected for the crazy number of events they provide and in what form, let alone their fidelity (distinction between various <a href=\"https:\/\/www.hexacorn.com\/blog\/2018\/12\/05\/get-your-logging-act-together-loggers\/\">types of logs<\/a> would help too)<\/li><\/ul>\n\n\n\n<p>In any case&#8230; it&#8217;s a great update and a very exciting one. We have got 266 unique techniques defined as of today. It&#8217;s time to catch up!<\/p>\n\n\n\n<p>Really great work from the Mitre Att&amp;ck team &#8211; imho it&#8217;s a defining milestone for our industry.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>I like the recent update to Mitre Att&amp;ck. For many reasons: It finally covers the cloud as a separate entity! It introduces cloud-specific techniques and most importantly &#8211; it breaks many assumptions Many of us took Att&amp;ck for granted. 
It &hellip; <a href=\"https:\/\/www.hexacorn.com\/blog\/2019\/10\/24\/attck-updates\/\">Continue reading <span class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":[],"categories":[74],"tags":[],"_links":{"self":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/6856"}],"collection":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/comments?post=6856"}],"version-history":[{"count":3,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/6856\/revisions"}],"predecessor-version":[{"id":6859,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/6856\/revisions\/6859"}],"wp:attachment":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/media?parent=6856"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/categories?post=6856"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/tags?post=6856"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}