Amid the wave of large-scale digital transformation in enterprises, network intrusions of every kind are frequent, APT and criminal hacker groups are rampant, and traditional compliance-driven security construction can no longer meet the need. In recent years, with the growth of red-blue confrontation exercises at every level, enterprise security construction has been shifting toward real-world readiness, and the ATT&CK framework is an important reference that can play a guiding role in this process.
The ATT&CK framework was rated one of the top ten hot topics by F-Secure at the Gartner Security & Risk Management Summit. ATT&CK is a publicly shared knowledge base that describes attackers' tactics, techniques and procedures, and links them to known adversary groups, attack tools, detection data sources, detection approaches and mitigations. ATT&CK fully covers the kill chain proposed by Lockheed Martin and, on that basis, provides a more detailed attack technique matrix and technical details. ATT&CK is divided into three parts: PRE-ATT&CK, ATT&CK for Enterprise and ATT&CK for Mobile. PRE-ATT&CK covers tactics including priority definition, target selection, information gathering, weakness identification, adversary OpSec, establishing and maintaining infrastructure, and persona development. The tactics of ATT&CK for Enterprise are initial access, execution, persistence, privilege escalation, defense evasion, credential access, discovery, lateral movement, collection, command and control, exfiltration and impact. This detailed information, based on disclosed activity of APT organizations and hacker gangs, can effectively guide real red-blue confrontation and has been well applied in many fields.
In red-blue confrontation, the defender can act in three stages: before, during and after. Under the guidance of the ATT&CK framework, this realizes a closed loop of establishing, operating and improving the security system.
First, the preparation stage.
Attack surface evaluation
The attack surface refers to the possible initial breakthrough points or intermediate pivot points when an enterprise suffers an internal or external intrusion, including but not limited to: externally facing Web systems, mail systems and VPN systems; internally facing OA systems, operations and maintenance systems and development environments; and the various accounts and office terminals used by employees.
An enterprise's attack surface is extensive, and evaluating it internally is a process of information collection and vulnerability identification that helps the enterprise counter attackers' intrusion activity at an early stage. Mapped onto the attack chain, this process belongs to the "reconnaissance" stage.
Because of the asymmetry between attack and defense, the defender is often in a weak position in red-blue confrontation: the attacker needs only a single breakthrough, while the defender must build a defense-in-depth system covering every attack surface, which can hardly be made foolproof. Information collection, however, is one of the few stages in which the defender holds the advantage. The main reasons are:
1. Attackers can obtain only partial enterprise information through public sources on the Internet (Google, social networking sites, GitHub) or traditional social engineering, whereas defenders can obtain complete internal information, including network architecture, business systems, asset information, employee information and so on. Mastering this information not only allows the potential intrusion points and weak links in the defense to be sorted out, but also enables deception techniques (such as honeypots) to be combined with them.
2. Attack surface assessment can reduce the risk of intrusion by adopting stricter controls during a specific period (such as a key protection period), maximizing the attacker's difficulty at limited cost, which yields a high return on investment. For example, obtaining a VPN channel is equivalent to breaking through the enterprise's traditional protection boundary and directly gaining the ability to roam the intranet. In some circumstances, strengthening VPN protection can greatly reduce the likelihood of a successful intrusion. There are two main ways to break a VPN: exploiting a vulnerability in the VPN server itself, or entering through a legitimate VPN account. For the first, following VPN vendors' vulnerability advisories and managing patch upgrades well eliminates most threats; for the scenario in which a 0day vulnerability is used against the VPN to gain remote access, unknown exploitation can still be discovered in time by auditing VPN logs, specifically the creation and modification of VPN accounts and traffic initiated by the VPN server itself toward the intranet. For the second, attacks through legitimate VPN accounts, raising the password complexity requirement for VPN accounts, requiring a temporary password change, and adding two-factor verification (such as SMS verification bound to a mobile phone number) sacrifice some user experience but greatly reduce the attacker's chance of success.
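The two VPN log signals named above (account creation or modification, and connections the VPN server itself originates toward the intranet) can be audited with a small script. The following is an added example, not code from the original article or from any VPN vendor; the key=value log format, the field names and the gateway address 10.0.0.5 are assumptions, and the log lines are constructed.

```python
"""Audit VPN logs for account lifecycle events and VPN-server-initiated intranet
traffic. Added example; the log format and field names are assumptions."""
import re
from ipaddress import ip_address, ip_network

# Constructed sample log lines in a simplified key=value format (not a real
# vendor format). The sequence models an account being created and then used
# to change another user's password, and the gateway itself probing hosts.
SAMPLE_VPN_LOGS = """\
2024-05-01T08:00:01 vpn-gw event=login user=alice src=203.0.113.10 result=success
2024-05-01T08:02:11 vpn-gw event=account_create user=svc_backup actor=admin
2024-05-01T08:02:40 vpn-gw event=account_modify user=bob actor=svc_backup change=password
2024-05-01T08:03:05 vpn-gw event=connect src=10.0.0.5 dst=10.0.20.7 dport=445
2024-05-01T08:03:09 vpn-gw event=connect src=10.0.0.5 dst=10.0.20.8 dport=3389
2024-05-01T08:03:30 vpn-gw event=connect src=10.0.0.5 dst=198.51.100.40 dport=443
2024-05-01T08:05:00 vpn-gw event=login user=carol src=198.51.100.22 result=fail
"""

VPN_SERVER_IPS = {"10.0.0.5"}  # assumed address of the VPN gateway itself
INTRANET_RANGES = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
KV_PAIR = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """Split '<ts> <host> k=v k=v ...' into a dict."""
    ts, host, rest = line.split(" ", 2)
    rec = dict(KV_PAIR.findall(rest))
    rec["ts"], rec["host"] = ts, host
    return rec


def is_intranet(ip_str):
    addr = ip_address(ip_str)
    return any(addr in net for net in INTRANET_RANGES)


def audit_vpn_logs(text, vpn_server_ips=VPN_SERVER_IPS):
    """Return the two signals the text names, plus one derived finding:
    a freshly created account acting on other accounts in the same log span."""
    account_events, server_initiated, new_account_as_actor = [], [], []
    created_accounts = set()
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        event = rec.get("event")
        if event in ("account_create", "account_modify"):
            account_events.append(rec)
            if event == "account_create":
                created_accounts.add(rec["user"])
            elif rec.get("actor") in created_accounts:
                new_account_as_actor.append(rec)
        elif event == "connect" and rec.get("src") in vpn_server_ips:
            # The gateway normally terminates tunnels; it should not originate
            # SMB/RDP sessions into the intranet on its own.
            if is_intranet(rec["dst"]):
                server_initiated.append(rec)
    return {
        "account_events": account_events,
        "server_initiated": server_initiated,
        "new_account_as_actor": new_account_as_actor,
    }


if __name__ == "__main__":
    findings = audit_vpn_logs(SAMPLE_VPN_LOGS)
    for key, items in findings.items():
        print(f"{key}: {len(items)}")
        for rec in items:
            print("   ", rec["ts"], rec.get("event"), rec.get("user") or rec.get("dst"))
```

On the constructed input the audit reports two account events, two gateway-originated intranet connections (the connection to 198.51.100.40 is outside the intranet ranges and is ignored), and one chained finding: the newly created svc_backup account changing bob's password. In a real deployment the gateway address set and the intranet ranges come from the enterprise's own asset inventory.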
Every attack technique in the ATT&CK framework has a corresponding purpose, an environment and the dependencies needed to execute it. By decomposing these, the applicable targets of each technique can be extracted and, with reference to the enterprise's assets and services, the exposure and risk level of the attack surface can be evaluated, which helps formulate effective measures to reduce, eliminate or monitor it. For example, before a red-blue confrontation, the defending side needs to check whether the shared directories, file servers and BYOD devices in the enterprise meet security baseline requirements and whether they contain sensitive information, and set compliance requirements and enforcement measures for them to reduce attack surface exposure.
In summary, the ATT&CK framework helps defenders understand attack targets, refine the attack surface and formulate the means to reduce it. Through attack surface evaluation it also provides a reference standard for enhancing threat awareness, summarizing defense gaps and formulating improvement plans.
Establishment of threat awareness system
The main problem with traditional security protection and control measures is the lack of a panoramic threat awareness system, so threat events, security risks and intrusion processes cannot be monitored promptly and effectively. Establishing a threat awareness system effectively chains together isolated defense and audit capabilities, forms a complete picture of the enterprise's security posture, and gives the defender a basis for real-time threat monitoring, security analysis and response. Establishing such a system mainly involves the following preparations:
1. Data source sorting: data is the basic element of security visibility, and the lack of multi-dimensional, high-quality data severely limits monitoring coverage. At the same time, many enterprises store large volumes of device, system and business log data to satisfy laws such as the Cybersecurity Law and other security standards, so data source planning and management suffers from low relevance, low utilization and low effectiveness, problems that the maintainers need to solve.
* We cannot perceive what we can't see.
Data sources should be planned according to the enterprise's actual attack surface, threat scenarios and risk situation. For example, what data should be collected for the risk that employees' email accounts are brute-forced by attackers after being leaked into a credential dump database? First, consider the enterprise's actual mail system; with a self-built Exchange service, the data to collect includes Exchange message tracking logs, IIS middleware logs, and SMTP/POP3/IMAP and other mail protocol logs. Second, pay special attention to how the attacker reaches the mailbox: through the OWA page, through brute forcing of mail protocol authentication, or through a Webmail or client interface? Different enterprises expose mailbox access differently, so the exposed attack surfaces and attack methods also differ, and the required data sources must be sorted out according to the facts.
In data source sorting it is difficult to consider every kind of threat and attack method. The ATT&CK framework can be used to select the attack techniques relevant to the enterprise, count the types of data sources they need, and rank the priority of data source collection and access. On data source prioritization, the talk "Prioritizing data sources for minimum viable detection" given by Red Canary at MITRE ATT&CKcon 2.0 ranked the top 10 data sources by their overall frequency across the framework, as shown in the following figure:
These statistics do not consider the enterprise's actual attack surface or the difficulty of obtaining each data source, so they cannot be copied mechanically. In most cases, however, a basic collection scheme can be built around network mirror traffic, terminal behavior audit logs and key application service logs, and then enhanced and supplemented according to actual detection results.
2. Development of detection rules: big data security analytics platforms (or the modern SIEM architecture proposed by Gartner) have gradually replaced traditional SIEM products as the core brain of the enterprise threat awareness system. Traditional attack detection is mostly signature-based, implemented by matching IOCs. In actual attack-defense confrontation this suffers from excessive alert noise, serious missed detections, and external intelligence and signature databases that are not updated in time, so the defender cannot measure detection effectiveness or capability. The new detection concept must therefore start from behavior and motivation, improve the audit and monitoring of the actions an attacker may perform, and then identify attack activity through big data correlation analysis.
The ATT&CK framework plays an important reference role here. For each attack technique in the framework, the knowledge base describes the corresponding detection means and process. Take T1110 Brute Force as an example; its detection description is shown in the following figure.
Although specific detection methods and rules are not abstracted, the devices that need to be monitored and the logs from which attack traces can be extracted are. Referring to this description, the defender can efficiently develop, deploy and test detection methods and rules through data collection, internal attack technique simulation and feature extraction. In addition, Advanced Persistent Threat (APT) actors increasingly use living-off-the-land techniques that cannot be effectively distinguished from ordinary administrative work. Such attacks can still be found by developing detection rules that filter and refine the data source, tagging events with the technique involved, and then aggregating all the abnormal behaviors. Combined with traditional detection methods, this provides a more effective supplement.
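The T1110 detection description and the mail-account threat scenario above can be turned into a concrete rule: a sliding window over authentication logs that recognizes a failure burst against one account, a single source spreading guesses over many accounts, and a success that follows a burst. The following is an added example, not code from the original article or from MITRE; the log format, the protocol names and the thresholds are assumptions, and the log lines are constructed.

```python
"""Sliding-window detector for T1110 Brute Force over mail authentication logs.
Added example; the log format and thresholds are assumptions."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines: "<timestamp> <source-ip> <user> <protocol> <result>".
# Block 1: one source hammering one account, then succeeding.
# Block 2: one source trying a single guess against many accounts (spraying).
# Block 3: a user mistyping once and then logging in (benign).
SAMPLE_AUTH_LOGS = """\
2024-05-01T09:00:00 203.0.113.5 alice owa fail
2024-05-01T09:00:20 203.0.113.5 alice owa fail
2024-05-01T09:00:40 203.0.113.5 alice owa fail
2024-05-01T09:01:00 203.0.113.5 alice owa fail
2024-05-01T09:01:20 203.0.113.5 alice owa fail
2024-05-01T09:01:40 203.0.113.5 alice owa success
2024-05-01T09:10:00 198.51.100.9 bob imap fail
2024-05-01T09:10:05 198.51.100.9 carol imap fail
2024-05-01T09:10:10 198.51.100.9 dave imap fail
2024-05-01T09:10:15 198.51.100.9 erin imap fail
2024-05-01T10:30:00 192.0.2.77 frank activesync fail
2024-05-01T10:30:30 192.0.2.77 frank activesync success
"""


def detect_bruteforce(text, fail_threshold=5, window=timedelta(minutes=5), spray_users=4):
    """Emit one alert per (source, user) burst, per spraying source, and per
    success that follows a burst. Thresholds are parameters so they can be
    loosened for an exercise and tightened again for daily operation."""
    failures = defaultdict(deque)        # (src, user) -> recent failure timestamps
    users_per_src = defaultdict(dict)    # src -> {user: last failure timestamp}
    alerts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts_str, src, user, proto, result = line.split()
        ts = datetime.fromisoformat(ts_str)
        q = failures[(src, user)]
        while q and ts - q[0] > window:  # drop failures outside the window
            q.popleft()
        if result == "fail":
            q.append(ts)
            if len(q) == fail_threshold:  # fires once when the burst crosses the line
                alerts.append({"technique": "T1110.001", "src": src, "user": user,
                               "proto": proto, "ts": ts_str, "failures": len(q)})
            seen = users_per_src[src]
            seen[user] = ts
            recent_users = [u for u, t in seen.items() if ts - t <= window]
            if len(recent_users) == spray_users:
                alerts.append({"technique": "T1110.003", "src": src,
                               "users": sorted(recent_users), "proto": proto, "ts": ts_str})
        elif result == "success" and len(q) >= fail_threshold:
            # A login that succeeds right after a burst is the strongest signal.
            alerts.append({"technique": "T1110", "src": src, "user": user,
                           "proto": proto, "ts": ts_str, "note": "success after burst"})
    return alerts


if __name__ == "__main__":
    for a in detect_bruteforce(SAMPLE_AUTH_LOGS):
        print(a)
```

With the default thresholds the constructed log yields three alerts: the password-guessing burst against alice (T1110.001), the success that follows it (T1110), and the spray from 198.51.100.9 (T1110.003); frank's single typo produces nothing. Raising fail_threshold to 8 keeps only the spray alert, which is the kind of trade-off a defender tunes after measuring the rule against real traffic.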
In summary, establishing a threat awareness system requires sorting out data sources and developing detection rules; once these basic preparations are complete, the ATT&CK framework helps the defender quickly understand which data sources are needed and formulate the corresponding detection rules, so that the defender escapes the blind spots of security visibility and gains quantifiable, improvable protection capability.
Internal simulation countermeasure
To understand the current state of network security defenses and find weak points, some enterprises conduct internal red-blue confrontation simulation drills. The ATT&CK knowledge base has high reference value for simulating red team attacks and practising internal confrontation within the organization.
1. Red team technical guidance: the ATT&CK framework describes 266 attack techniques, and a simulated red team can draw on some of them for special testing or for comprehensive scenario testing of specific tactical objectives. In special testing of intranet information collection, the attack techniques under the "discovery" and "collection" tactics can be referenced and reproduced to test the attack surfaces exposed in the intranet one by one; in simulated scenario drills, different tactical objectives can be chosen to formulate a simulated attack flow, selecting the relevant techniques from the matrix. Taking the typical red team phishing scenario as an example, the attack technique chain includes: phishing -> HTA execution -> service persistence -> credential acquisition -> remote system discovery -> administrative shares, as shown by the red links below.
2. Evaluation of blue team effectiveness: internal simulated confrontation is the best way for an enterprise to check its actual threat perception capability and helps the blue team find and fill gaps. Whether attack behavior is recorded, whether detection rules are effective, whether there are bypasses or false alarms, whether the attack surface has been sorted out, whether threat scenarios have been fully considered: these and many other questions are only exposed in actual testing. At the same time, the defense can refine its mitigation plan for extreme cases through the drills, including temporarily adding defensive interception measures, raising business access control requirements, and strengthening personnel security awareness education and baseline management.
In summary, internal simulation verifies the effectiveness of the various preparations before the real red-blue confrontation. Like a mock exam before the college entrance examination, it plays a great role in finding and filling gaps and in optimizing and perfecting the defense, and at this stage the ATT&CK framework serves as a reference for simulating red team attacks and helping the blue team find problems.
Second, the development stage.
The more thorough the preparation, the easier the actual red-blue confrontation stage will be for the defender, and a mature threat awareness system plays the leading role here.
Asset risk monitoring
Beyond blocking and reporting the IP addresses of potential red team attacks, the ATT&CK framework can also effectively identify risks to assets (terminals/servers) and find suspicious intranet hosts for attackers who have broken through the border protection and entered the intranet roaming stage.
This is done by creating a separate ATT&CK host threat distribution matrix that gathers all the latest attack technique activity detected on the host, and then training an anomaly model on the distribution characteristics of the attack techniques marked on the matrix to monitor whether the host has been compromised. The anomaly model identifies attacks from the following three aspects:
1. Abnormal distribution of attack techniques: attacks under multiple tactics, multiple different attacks under one tactic, and so on.
2. Abnormal number of attack techniques: a large number of attack techniques detected on the host, deviating markedly from the baseline.
3. Specific high-confidence compromise indicator: a high-risk alert from a high-confidence rule is triggered on the host (the traditional trigger mechanism).
Take the following figure as an example. The host triggers a series of attack techniques under the "discovery" tactic within a short time, which is rare in daily operation and maintenance and deviates greatly from the baseline of the host or of hosts of the same type. A victim host, once controlled, may perform many such operations, so the machine's risk is high and it is judged a compromised/high-risk asset.
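The three signals of the anomaly model (distribution, volume against a baseline, and a high-confidence indicator) can be combined into a simple per-host score over the host threat distribution matrix. The following is an added example, not code from the original article or from any product; the detections, the per-host baselines and the cut-off values are constructed assumptions, and a rule-based score stands in for the trained model the text describes.

```python
"""Score hosts from an ATT&CK technique distribution matrix using the three
signals described above. Added example; data, baselines and cut-offs are
assumed, not taken from any product."""
from collections import defaultdict

# Constructed detections: (host, tactic, technique, confidence). "high"
# confidence stands for a high-credibility rule such as credential dumping.
SAMPLE_DETECTIONS = [
    ("host-a", "discovery", "T1087", "low"),
    ("host-a", "discovery", "T1082", "low"),
    ("host-a", "discovery", "T1016", "low"),
    ("host-a", "discovery", "T1049", "low"),
    ("host-a", "discovery", "T1018", "low"),
    ("host-a", "discovery", "T1069", "low"),
    ("host-b", "execution", "T1059", "low"),
    ("host-c", "credential-access", "T1003", "high"),
    ("host-d", "execution", "T1059", "low"),
    ("host-d", "persistence", "T1053", "low"),
    ("host-d", "defense-evasion", "T1070", "low"),
]
# Assumed per-host baseline: typical number of distinct techniques seen per day.
BASELINE = {"host-a": 1, "host-b": 2, "host-c": 1, "host-d": 2}


def build_matrix(detections):
    """host -> tactic -> set of techniques, plus the high-confidence hits."""
    matrix = defaultdict(lambda: defaultdict(set))
    high_conf = defaultdict(list)
    for host, tactic, technique, confidence in detections:
        matrix[host][tactic].add(technique)
        if confidence == "high":
            high_conf[host].append(technique)
    return matrix, high_conf


def score_hosts(detections, baseline, min_tactics=3, min_per_tactic=4, volume_factor=3):
    matrix, high_conf = build_matrix(detections)
    results = {}
    for host, tactics in matrix.items():
        techniques = {t for s in tactics.values() for t in s}
        reasons = []
        # 1. distribution anomaly: spread across tactics or clustered under one
        if len(tactics) >= min_tactics or max(len(s) for s in tactics.values()) >= min_per_tactic:
            reasons.append("distribution")
        # 2. volume anomaly relative to the host's own baseline
        if len(techniques) >= volume_factor * baseline.get(host, 1) and len(techniques) >= 3:
            reasons.append("volume")
        # 3. a high-confidence compromise indicator is decisive on its own
        if high_conf[host]:
            reasons.append("indicator")
        score = len(reasons) + (1 if "indicator" in reasons else 0)
        level = "high-risk" if score >= 2 else "suspicious" if score == 1 else "normal"
        results[host] = {"level": level, "reasons": reasons, "techniques": sorted(techniques)}
    return results


if __name__ == "__main__":
    for host, r in sorted(score_hosts(SAMPLE_DETECTIONS, BASELINE).items()):
        print(host, r["level"], r["reasons"])
```

On the constructed data host-a (six discovery techniques against a baseline of one) and host-c (a single high-confidence credential-access hit) are rated high-risk, host-d (three tactics but a volume within its baseline) is suspicious and host-b is normal. The cut-offs would be derived from the enterprise's own per-host or per-host-type baselines rather than fixed as here.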
Determination and traceability of suspicious processes
From the collected terminal behavior logs (including process, registry, file and network activity), parent and child processes can be associated through the unique process ID (GUID). When suspicious process activity is found, the process tree can be traced back to the process the system initially launched, including all child processes downward, and annotated with ATT&CK technique tags and rich information such as network requests, domain name requests and dropped files, helping the defender's security analysts judge whether a process is suspicious and take disposal measures in time.
Take the following figure as an example. After the suspicious process wscript.exe is found, its process tree is traced back; the child processes marked with an exclamation mark are those hit by ATT&CK attack technique detections, while the child processes without one also belong to the suspicious process tree and may be normal system processes used by the attacker or processes not detected because they evaded the detection rules. From the information displayed in this process tree, it is clear that the wscript process and the powershell process it spawned show many suspicious behaviors, and this process information also provides sufficient input for subsequent disposal by linked terminal protection software or manual investigation.
Emergency response docking
After a compromised asset is found and traced back to the suspicious process, information such as the process image path, process command line, files created by the process and process network connections on the process tree can be exported and submitted to the emergency response team for cleanup. With this information the emergency response team can quickly dispose of and analyze the intrusion path on the host, further investigate whether missed attacks result from missing data or rules by tracing back how the attacker implanted the Trojan, and confirm whether there are other unknown compromised assets by correlating all terminals with similar behavior.
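The GUID-based tracing of the previous two sections and the export for the emergency response team can be implemented together: link process records by parent GUID, walk up to the root and down through all descendants from the suspicious wscript.exe, attach the technique tags and side events, and flatten the subtree into the fields listed above. The following is an added example, not code from the original article or from any endpoint product; the event schema, the GUIDs, the command lines and the technique tags are constructed.

```python
"""Reconstruct a process tree from GUID-linked endpoint events, annotate it
with ATT&CK tags, and export the fields an emergency response team needs.
Added example; the event schema, GUIDs and technique tags are constructed."""
from collections import defaultdict

# Constructed endpoint events. Every process has a guid and a parent_guid;
# other event types reference the acting process by guid.
SAMPLE_EVENTS = [
    {"type": "process", "guid": "g0", "parent_guid": None, "image": "System", "cmdline": ""},
    {"type": "process", "guid": "g1", "parent_guid": "g0", "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"type": "process", "guid": "g2", "parent_guid": "g1", "image": r"C:\Program Files\Microsoft Office\outlook.exe", "cmdline": "outlook.exe"},
    {"type": "process", "guid": "g3", "parent_guid": "g2", "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'wscript.exe "C:\Users\u\AppData\Local\Temp\invoice.js"', "tags": ["T1059.007"]},
    {"type": "process", "guid": "g4", "parent_guid": "g3", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -w hidden -enc <BASE64>", "tags": ["T1059.001"]},
    {"type": "process", "guid": "g5", "parent_guid": "g4", "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe /c whoami"},
    {"type": "process", "guid": "g6", "parent_guid": "g1", "image": r"C:\Windows\notepad.exe", "cmdline": "notepad.exe"},
    {"type": "file", "guid": "g4", "path": r"C:\Users\u\AppData\Roaming\update.exe", "tags": ["T1105"]},
    {"type": "network", "guid": "g4", "dst": "198.51.100.77:443", "domain": "cdn-update.example", "tags": ["T1071.001"]},
]


def index_events(events):
    procs = {e["guid"]: e for e in events if e["type"] == "process"}
    children = defaultdict(list)
    side = defaultdict(list)  # guid -> file/network events by that process
    for e in events:
        if e["type"] == "process" and e["parent_guid"]:
            children[e["parent_guid"]].append(e["guid"])
        elif e["type"] != "process":
            side[e["guid"]].append(e)
    return procs, children, side


def trace(events, suspicious_guid):
    """Ancestors up to the root, plus the suspicious process and all descendants."""
    procs, children, side = index_events(events)
    ancestors, g = [], procs[suspicious_guid]["parent_guid"]
    while g:
        ancestors.append(g)
        g = procs[g]["parent_guid"]
    subtree, stack = [], [suspicious_guid]
    while stack:
        g = stack.pop()
        subtree.append(g)
        stack.extend(children[g])

    def annotate(g):
        p = procs[g]
        tags = sorted(set(p.get("tags", [])) | {t for e in side[g] for t in e.get("tags", [])})
        return {"guid": g, "image": p["image"], "cmdline": p["cmdline"], "tags": tags,
                "files": [e["path"] for e in side[g] if e["type"] == "file"],
                "connections": [(e["dst"], e.get("domain")) for e in side[g] if e["type"] == "network"]}

    return {"ancestors": [annotate(g) for g in reversed(ancestors)],
            "subtree": [annotate(g) for g in subtree]}


def export_for_ir(tree):
    """Flatten the subtree into the fields the text lists for the IR team."""
    nodes = tree["subtree"]
    return {"images": [n["image"] for n in nodes],
            "cmdlines": [n["cmdline"] for n in nodes],
            "files": [f for n in nodes for f in n["files"]],
            "connections": [c for n in nodes for c in n["connections"]],
            "tagged": [n["image"] for n in nodes if n["tags"]],
            "untagged": [n["image"] for n in nodes if not n["tags"]]}


if __name__ == "__main__":
    t = trace(SAMPLE_EVENTS, "g3")
    print(" -> ".join(a["image"].rsplit("\\", 1)[-1] for a in t["ancestors"]))
    for n in t["subtree"]:
        print(("!" if n["tags"] else " "), n["image"].rsplit("\\", 1)[-1], n["tags"])
    print(export_for_ir(t))
```

Tracing from g3 yields the chain System -> explorer.exe -> outlook.exe above wscript.exe, and the subtree wscript.exe -> powershell.exe -> cmd.exe below it; the sibling notepad.exe is excluded. The powershell node carries the tags of its own creation plus its file-write and network events, while cmd.exe is listed as untagged, exactly the "no exclamation mark but still part of the suspicious tree" case described above.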
The methods of asset risk monitoring and suspicious process judgment described above, built on the ATT&CK framework, can effectively find the traces of successful attacks during red-blue confrontation and provide data support for tracing and emergency response. These are inseparable from the concept of building the blue team around a threat awareness system, and the application methods adapted to the ATT&CK framework will be further enriched and strengthened in the future.
Third, the recovery stage.
Defense effect evaluation
At the end of the red-blue confrontation, evaluating the defensive effect is very important for the defender. Specifically, it includes the following:
Analysis of security device missed detections: according to the reports provided by the attackers, assign each attack type to the corresponding security detection device, check whether that device's alerts match the attack process in the report, and analyze the current detection capability of the security devices. For devices with a low detection rate, coordinate with the vendor to optimize and update rules in order to strengthen and improve them.
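The matching just described (report entry to expected device, then device alert to report entry within a time tolerance) is straightforward to automate and gives a per-device detection rate plus the list of misses to take to the vendor. The following is an added example, not code from the original article; the report entries, the technique-to-device mapping, the alerts and the time tolerance are constructed assumptions.

```python
"""Match a red team report against the alerts of the devices expected to catch
each technique, and compute per-device detection rates. Added example; the
report entries, device mapping and alerts are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed red team report: (time, technique, target). The technique IDs
# are ATT&CK IDs; the report is the shared language between both sides.
RED_TEAM_REPORT = [
    ("2024-05-02T10:00:00", "T1190", "web-01"),       # exploit public-facing app
    ("2024-05-02T10:05:00", "T1505.003", "web-01"),   # web shell
    ("2024-05-02T10:20:00", "T1110.003", "mail-01"),  # password spraying
    ("2024-05-02T11:00:00", "T1021.002", "fs-01"),    # SMB lateral movement
    ("2024-05-02T11:30:00", "T1003.001", "fs-01"),    # LSASS dump
]
# Assumed mapping from technique to the device that should detect it.
EXPECTED_DEVICE = {"T1190": "waf", "T1505.003": "waf", "T1110.003": "siem",
                   "T1021.002": "nta", "T1003.001": "edr"}
# Constructed alerts actually raised: (device, time, technique, target).
ALERTS = [
    ("waf", "2024-05-02T10:00:30", "T1190", "web-01"),
    ("siem", "2024-05-02T10:24:00", "T1110.003", "mail-01"),
    ("edr", "2024-05-02T11:31:10", "T1003.001", "fs-01"),
    ("nta", "2024-05-02T15:00:00", "T1021.002", "fs-01"),  # hours late: does not count
]


def evaluate_coverage(report, expected_device, alerts, tolerance=timedelta(minutes=15)):
    """Per device: how many report entries it was expected to catch, how many it
    did within the tolerance, the misses, and the resulting detection rate."""
    by_device = defaultdict(list)
    for device, ts, tech, target in alerts:
        by_device[device].append((datetime.fromisoformat(ts), tech, target))
    stats = defaultdict(lambda: {"expected": 0, "detected": 0, "missed": []})
    for ts, tech, target in report:
        device = expected_device[tech]
        t0 = datetime.fromisoformat(ts)
        hit = any(t == tech and tg == target and abs(at - t0) <= tolerance
                  for at, t, tg in by_device[device])
        stats[device]["expected"] += 1
        if hit:
            stats[device]["detected"] += 1
        else:
            stats[device]["missed"].append((ts, tech, target))
    for s in stats.values():
        s["rate"] = s["detected"] / s["expected"]
    return dict(stats)


if __name__ == "__main__":
    for device, s in evaluate_coverage(RED_TEAM_REPORT, EXPECTED_DEVICE, ALERTS).items():
        print(f"{device}: {s['detected']}/{s['expected']} ({s['rate']:.0%}) missed={s['missed']}")
```

On the constructed data the WAF catches the exploit but not the web shell (50%), the SIEM and EDR score 100%, and the network sensor scores 0% because its alert arrived hours after the lateral movement; widening the tolerance would count it, which is why the tolerance should reflect how quickly an alert must arrive to be actionable.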
Rule false-positive optimization: during the confrontation's development stage, to ensure comprehensive detection of the attacker's process, loosely restricted detection rules are usually adopted so that missed detections do not harm the defender. For example, in brute force scenarios the threshold of consecutive failed login requests that triggers an alert can be set lower; in Webshell implantation scenarios, all attempts to upload dynamic script files may be monitored or intercepted to prevent attackers from bypassing signature detection through encoding and obfuscation. Such loose rules reduce missed detections as far as possible during the confrontation and work well, but the alert noise caused by the lax restrictions also increases. During recovery, it is necessary to statistically analyze the false positives and their causes, improve the detection rule logic and boundary conditions, and configure appropriate whitelist filtering, so as to provide more operable and practical threat detection rules for subsequent daily operations.
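The recovery-stage analysis of a loose brute-force rule can be made systematic: from the alerts labelled true or false positive during the review, compute the false-positive rate, find sources that only ever produced false positives (whitelist candidates), and derive the smallest failure threshold that clears the remaining false positives while reporting how many true positives it would cost. The following is an added example, not code from the original article; the alert records, their labels and the reasons are constructed.

```python
"""Post-exercise tuning of a loose brute-force rule from labelled alerts:
derive a stricter threshold and whitelist entries. Added example; alert
records and labels are constructed."""
from collections import defaultdict

# Constructed alerts from the exercise-period rule (threshold of 3 failures).
# Each record: (rule, src, failures_in_window, label, reason). Labels come
# from the confrontation review: "tp" = matched the red team report.
LABELLED_ALERTS = [
    ("bruteforce", "203.0.113.5", 12, "tp", "red team burst"),
    ("bruteforce", "203.0.113.5", 9, "tp", "red team burst"),
    ("bruteforce", "10.0.5.20", 3, "fp", "monitoring probe with expired password"),
    ("bruteforce", "10.0.5.20", 4, "fp", "monitoring probe with expired password"),
    ("bruteforce", "10.0.5.20", 3, "fp", "monitoring probe with expired password"),
    ("bruteforce", "10.0.8.14", 3, "fp", "user typo after password change"),
    ("bruteforce", "10.0.9.31", 5, "fp", "mobile client with cached old password"),
    ("bruteforce", "198.51.100.9", 8, "tp", "red team spray"),
]


def analyse_false_positives(alerts, rule, whitelist_min_fp=3):
    rows = [a for a in alerts if a[0] == rule]
    fp = [a for a in rows if a[3] == "fp"]
    tp = [a for a in rows if a[3] == "tp"]
    # Sources that only ever produced false positives, repeatedly: whitelist candidates.
    per_src = defaultdict(lambda: {"tp": 0, "fp": 0})
    for _, src, _, label, _ in rows:
        per_src[src][label] += 1
    whitelist = sorted(s for s, c in per_src.items() if c["tp"] == 0 and c["fp"] >= whitelist_min_fp)
    # Smallest threshold above every false positive that survives whitelisting.
    remaining_fp = [a for a in fp if a[1] not in whitelist]
    suggested = max((a[2] for a in remaining_fp), default=0) + 1
    # If any true positive sits below the suggestion, a threshold alone cannot
    # separate the two classes and an extra condition or whitelist is needed.
    tp_lost = sum(1 for a in tp if a[2] < suggested)
    return {"fp_rate": len(fp) / len(rows) if rows else 0.0,
            "whitelist": whitelist,
            "suggested_threshold": suggested,
            "tp_lost": tp_lost,
            "fp_reasons": sorted({a[4] for a in fp})}


if __name__ == "__main__":
    print(analyse_false_positives(LABELLED_ALERTS, "bruteforce"))
```

On the constructed data the exercise-period rule had a 62.5% false-positive rate; the monitoring probe at 10.0.5.20 becomes a whitelist entry, and a threshold of 6 clears the other false positives without losing any of the three true positives. A non-zero tp_lost would be the signal that the rule needs a different boundary condition (for example per-protocol thresholds) rather than just a higher number.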
Re-evaluation of the attack surface and data visibility analysis: in the preparation and development stages, the defenders and attackers respectively evaluate the attack surface and collect target information. In the recovery stage, comparing the attack surface information and target choices held by both sides reveals whether previously missed edge assets and unknown attack surfaces exist, filling gaps from the attacker's perspective. At the same time, the data source requirements for the missed attack surface can be analyzed to supplement the missing data visibility and threat perception.
Evaluation and improvement of defensive gaps: for the weak links found in the confrontation, the defender can refine improvement targets to guide subsequent security construction. Because enterprises differ in their attack surfaces and in the core assets and targets they focus on, several key areas may be prioritized during preparation, while the other weak links found through the confrontation provide a reference for follow-up work. For example, those who focus on hardening the production environment may neglect cultivating employees' security awareness, so that attackers break in by phishing; those who focus on website security may overlook other exposed ports or services on the server, which attackers discover through scanning and control by using known vulnerabilities or 0day vulnerabilities to bypass the defenses. Combined with the ATT&CK framework, the corresponding data sources and attack technique detection means can be supplemented to quickly make up for such omissions.
Defense effect evaluation is an important summary process in the recovery stage of red-blue confrontation and provides a reference for subsequent continuous optimization and improvement. The function of the ATT&CK framework here is mainly to unify the language of both sides and split each attack event into techniques and procedures that both can understand, making it possible for red-blue confrontation to move toward red-blue cooperation.