基于Att&ck模型的整体威胁框架方法论

概要(Abstract)

使用Att&ck的方法框架，基于行为的威胁检测模型，期间需要模拟攻击者进行测试，为了改进基于行为的分析检测能力，这台方法论可以用于加强企业整体的网络安全

介绍(Introduction)

基于主机和网络行为来检测后渗透阶段的攻击行为是保证企业安全的重要部分，这具体检测方式就是基于Att&ck模型,总体来讲，本章节介绍基于APT攻击威胁的检测方法论的探讨

mitre

引用参考APT例子(Frame of Reference)

列举了一个APT攻击事件的例子，描绘了整个APT的攻击过程，其他指出了ATT&Ck模型中用到的技术点

例子中Att&ck技术点

1 ATT&CK: T1104 – Command and Control/Multi-Stage Channels
2 ATT&CK: T1102 – Command and Control/Web Service
3 ATT&CK: T1050 – Persistence/New Service
4 ATT&CK: T1036 – Defense Evasion/Masquerading
5 ATT&CK: T1066 – Indicator Removal from Tools
6 ATT&CK: T1059 – Execution/Command-Line Interface
7 ATT&CK: T1087 – Discovery/Account Discovery
8 ATT&CK: T1069 – Discovery/Permission Groups Discovery
9 ATT&CK: T1057 – Discovery/Process Discovery
10 ATT&CK: T1007 – Discovery/System Service Discovery
11 ATT&CK: T1016 – Discovery/Local Network Configuration Discovery
12 ATT&CK: T1049 – Discovery/Local Network Connections Discovery
13 ATT&CK: T1018 – Discovery/Remote System Discovery
14 ATT&CK: T1003 – Credential Access/Credential Dumping
15 ATT&CK: T1064 – Defense Evasion/Scripting
16 ATT&CK: T1086 – Execution/PowerShell
17 ATT&CK: T1077 – Lateral Movement/Windows Admin Shares
18 ATT&CK: T1105 – Lateral Movement/Remote File Copy
19 ATT&CK: T1053 – Execution/Scheduled Task
20 ATT&CK: T1083 – Discovery/File and Directory Discovery
21 ATT&CK: T1005 – Collection/Data from Local System
22 ATT&CK: T1025 – Collection/Data from Removable Media
23 ATT&CK: T1039 – Collection/Data from Network Shared Drive
24 ATT&CK: T1074 – Collection/Data Staged
25 ATT&CK: T1002 – Exfiltration/Data Compressed
26 ATT&CK: T1022 – Exfiltration/Data Encrypted
27 ATT&CK: T1071 – Command and Control/Standard Application Layer Protocol
28 ATT&CK: T1032 – Command and Control/Standard Cryptographic Protocol

现有检测方法的短板(Shortcomings of Contemporary Approaches for Detection)

• 现有的检测手段是基于防病毒软件来检测，但是攻击者会在实现先进行各种测试免杀处理，导致实际攻击使用的过程无法被检测或难以发现
• 当今的检测手段还包括威胁情报的订阅和共享，但是这种误报太多，而且变化太快
• 典型的网络流量检测也没有用，因为APT流量是通过SSL进行加密，并且混合在正常流量中，也没有已知的特征，所以想检测这种级别的恶意流量实在太难，这是当前检测的方法的短板；
• 基于上面的短板，Mitre推出了Att&ck威胁模型来进行检测

基于威胁的安全方法论(Threat-Based Security Approach)

有5项原则是基于本章讲到的APT攻击的威胁检测方法论
1.后渗透阶段的攻击行为依然保持检测
2.基于行为去检测，当今的检测方式是基于特征签名和威胁情报的等方式进行检测，但是当特征与不断变化的威胁相关联的时候，那么依赖已知的特征就变的不可靠，在此种复杂的情况下需要检测后渗透阶段的各种攻击行为，也就是上面说的Att&ck模型去检测
3.使用一个威胁模型来检测
4.随着时间的推移，技术在发展，所以需要不断的设计和迭代安全对抗技术，安全模型，技术，工具都是需要不断测试，验证，演练和改进
5.在真实环境下进行开发和测试，不能纸上谈兵，要接近真实网络环境和条件进行测试，必要的时候可以模拟攻击者的行为进行测试和检测

原因解释

原则1：检测包含后渗透攻击的行为(Principle 1: Include Post-Compromise Detection)
目前是无法有效的防御0day攻击，也无法保证企业的所有相关的软件补丁都及时打上，无法保证每个人都不泄露自己的密码或者常用密码或者弱口令等，同样无法保证每个类似供应链源头都是安全的，所以基于以上情形，是非常有必要检测后渗透攻击的行为

原则2：关注行为的检测(Principle 2: Focus on Behavior)
当前的威胁情报和特征库仍然容易被绕过，而且有误报的情景，攻击者会使用各种手段进行绕过

原则3：使用威胁模型(Principle 3: Use a Threat-based Model)
使用整体的一套安全威胁检测模型，包括上面的原则1和2，也包括了Att&ck模型中的各个阶段

1.Persistence
2.Privilege Escalation
3.Defense Evasion
4.Credential Access
5.Discovery
6.Lateral Movement
7.Execution
8.Collection
9.Exfitration
10.Command and Control

原则4：设计和迭代(Principle 4: Iterate by Design)
针对真实网络环境进行模拟APT攻击来迭代改进现有的威胁防御模型，同样还需要跟进近期新的APT攻击案例

原则5：在现实环境中开发和测试(Principle 5: Develop and Test in a Realistic Environment)
重点来说就是要不断的通过真实环境来进行测试是否能够检测到真实环境中的APT攻击行为

Att&ck战术类别

• Persistence – Any access, action, or configuration change to a system that gives an adversary a persistent presence on that system. Adversaries will often need to maintain access to systems through interruptions such as system restarts, loss of credentials, or other failures.
  持久性访问，保证系统重启了，权限丢失了，还能再进来
• Privilege Escalation – The result of techniques that cause an adversary to obtain a higher
  level of permissions on a system or network. Certain tools or actions require a higher level of privilege to work and are likely necessary at many points throughout a remote operation.
  权限提升-提权
• Defense Evasion – Techniques an adversary may use for the purpose of evading detection or avoiding other defenses.
  防御逃逸-免杀
• Credential Access – Techniques resulting in the access of, or control over, system, domain,
  or service credentials that are used within an enterprise environment.
  凭据访问-各种方式读取或窃取账户密码信息
• Discovery – Techniques that allow an adversary to gain knowledge about a system and its
  internal network.
  发现-后期的信息搜集，扩大战果，发现更多攻击面
• Lateral Movement – Techniques that enable an adversary to access and control remote
  systems on a network. Often the next step for lateral movement is remote execution of tools introduced by an adversary.
  横向移动-后渗透阶段移动到其他内网位置
• Execution – Techniques that result in execution of adversary-controlled code on a local or
  remote system.
  执行攻击者的恶意代码或脚本达到某种目的
• Collection – Techniques used to identify and gather information, such as sensitive files, from a target network prior to exfiltration.
  信息搜集，搜集后渗透阶段中所有内网可以被利用的有价值的信息
• Exfiltration – Techniques and attributes that result or aid in an adversary removing files and information from a target network. This category also covers locations on a system or
  network where an adversary may look for information to exfiltrate.
  事情干完了，删除操作的各种记录
• Command and Control – Techniques and attributes of how adversaries communicate with
  systems under their control within a target network. Examples include using legitimate
  protocols such as HTTP to carry C2 information.
  在拿到的权限中执行命令和控制操作

基于Att&ck攻击模型建立开发防御的威胁场景

主要分3个队伍

• 白队：就是开发人员构建开发防御的威胁场景
• 红队：就是我们说的攻击者，攻击队伍
• 蓝队：就是我们说的防御防守方

分7个步骤

1. 识别行为-从威胁模型中识别攻击者的行为并确认能够检测
2. 获取数据-确认并收集攻击者在攻击的过程中所产生的数据
3. 根据收集到的数据让白队开发构建能够分析并检测识别行为的工程，同时确保其误报率在可接受范围内
4. 由白队基于Att&ck开发攻击者场景，技术细节由红队指导
5. 红队模拟实施攻击行为用以验证白队基于Att&ck开发的威胁模型，看是否能够被检测和识别
6. 调查攻击-蓝队试图在攻击者攻击的过程中去分析检测
7. 评估总结-通过评估总结白队，红队，蓝队的上述过程，进行循环往复的上述步骤来打磨威胁防御模型

英文原版-7个步骤

1. Identify Behaviors – Identify and prioritize adversary behaviors from the threat model to
   detect.
2. Acquire Data – Identify the data that is necessary to detect a desired adversary behavior.
   If the capability to acquire the data does not exist, a sensor must be created to collect this
   data.
3. Develop Analytics – Create analytics from collected data to detect identified behaviors. It
   is also important to ensure that analytics do not have an unacceptable false positive rate
   on benign environmental events.
4. Develop an Adversary Emulation Scenario – The White Team develops an adversary
   emulation scenario, based on ATT&CK, that includes behaviors identified in Step 1 (Identify Behaviors). The scenario includes specific techniques that should be used by the
   Red Team.
5. Emulate Threat – The Red Team attempts to achieve the objectives outlined by the
   White Team by exercising behaviors and techniques described in the ATT&CK model.
6. Investigate Attack – The Blue Team attempts to recreate the timeline of Red Team
   activity using analytics and data developed in Step 3 (Develop Analytics).
7. Evaluate Performance – White, Red, and Blue Teams review the engagement to evaluate
   to what extent the Blue Team was able to use the analytics and sensor data to successfully
   detect the simulated APT behaviors. After this evaluation, the cycle repeats and returns to
   Step 1.

红蓝对抗评估重点

基于打磨产品的目的，在实施红蓝对抗的期间，蓝队必须重点侧重于检测，让产品能够准确快速的检测，而不是发现了恶意行为及时阻止

详细介绍每个步骤

识别行为-(Step 1: Identify Behaviors)

1.确定哪些是常见的优先要处理的攻击行为
2.确定哪些行为的负面影响是最大的
3.确认哪些行为数据容易获取且很容易开发构建
4.确定哪些明显行为是最有可能存在恶意操作

获取数据-(Step 2: Acquire Data)

收集可靠的数据，然后进行端点感知分析

开发分析-(Step 3: Develop Analytics)

1.行为检测
2.整体态势感知
3.异常可以行为分析检测
4.调查取证
实际情况是安全运营工程师在态势感知收到警报之后进行验证确认

开发场景-(Step 4: Develop Scenario)

1.根据红队攻击测试的过程中返回给开发者对开发的模拟场景进行打磨提炼
2.首先开发一套攻击场景，这套场景不需要让红队和蓝队知道具体细节，然后让红对和蓝队来进行攻击和防御检测，最终让他们给出有哪些差距结果
3.类似基于下面两个场景进行开发构建

场景1

场景2

模拟威胁-(Step 5:Emulate Threat)

这个就是让红队进行攻击验证测试上面开发构建出来的威胁模型

调查攻击-(Step 6:Investigate Attack)

评估总结-(Step 7:Evaluate Performance)