Detection Engineering with MITRE Top Techniques & Atomic Red Team

Written by Swapnil
Co-founder @ FourCore
Detection Engineering with MITRE Top Techniques & Atomic Red Team

Detection Engineering is the process of identifying threats that can impact your organisation. We talked about threat hunting in our previous blog, and continuing the theme, we will talk about the methodology and existing tools that can aid and build detection engineering capabilities in this blog.

Methodology for Detection Engineering

Since threat actors continuously evolve their attacks and techniques, security teams must also develop their detection capabilities to keep up with the current threat landscape. Detection Engineering is a lifecycle that requires a continuous effort to improve a threat's mean detection and response time. Every organisation is different; hence Detection Engineering is very specific to the organisation and its methodologies.

The first and foremost goal is to capture all types of events. We need to start with a generic logging mechanism that captures as many logs as possible from multiple sources, such as File events, Process events, Network logs etc. Once we have the events, the next step is to write detection logic to identify malicious activities.

Since all the alerts need to be reviewed by an analyst, finding a spot which is a good measure of specific and generalized behaviour is essential. A proper balance of false and true positives must be maintained because an exercise like this will potentially cause analyst fatigue. The key idea is to cover classes of threats and not just singular techniques. The events captured might need to be correlated across multiple sources. Some standard criteria are Parent-Child process relationships, command line, network connections and other attributes.

Once we apply a detection logic, we need to monitor for false positives in the environment and tune our rules accordingly. We also need to track metrics regarding how the detection performs and how many events are suspicious. This will help identify points of improvement for a more accurate rule.

Challenges in Detection Engineering

An organisation's security controls involve multiple complex pieces that connect with the procedures used by the analysts. Therefore, during a Detection Engineering exercise, it is vital to ensure that the security control at the test level works as intended and does not generate too many false results.

Since the detection pipeline has multiple moving pieces, things can go wrong at various levels. You can ask the following questions to get an idea.

  • Are the correct logs generated?
  • Are they being delivered promptly?
  • Are the proper detection rules set up to detect malicious activity?
  • Are there any documented false positives for such action?
  • Are the alerts being resolved promptly?
  • Have there been recent modifications which may change the behaviour of a rule? Is it documented?

To achieve the right balance between security and acceptable risk, you need to have a lifecycle which offers you confidence in your ability to detect and stop threats promptly. First, you need the latest threat intelligence that filters according to the threat model. Then, you need to perform gap analysis and deploy new detection strategies in your organisation. You can start by asking some of the following essential questions.

  • What is my threat model?
  • Which threat actors have been operating in my industry?
  • What are their tool/techniques and their relevance in my organisation?
  • What log sources can I use to detect such TTPs?
  • Are these log sources configured correctly?
  • Do the alerts have the proper severity assigned for the analyst to prioritise?

Top Threats in your Organisation

The MITRE Centre for Threat-Informed Defence and other industry leaders have collaborated on the Top ATT&CK Techniques project that created a methodology to help defenders focus on critical techniques relevant to their organisation's needs. The Top ATT&CK Techniques project is a customisable calculator that defenders can use to prioritise threats to their organisation. The project establishes the top techniques by considering their prevalence, actionability, and detection opportunities. The provided list can be further configured by the detection components, operating systems, detection analytics, and various applicable frameworks, such as CIS and NIST.

In the example below, after choosing Linux OS and a few more filters, we see that we are left with five techniques relevant to our organisation.

Mitre Top Ten Techniques project

If you are building a detection engineering capability, this calculator can be used as one of the first steps to starting your journey. For an experienced defender, combined with the right intelligence, this calculator can be used to prioritise techniques according to the organisation's needs.

Once you have the techniques you deem essential, the next step is to run tests to trigger detections. You can use some open source threat emulation platforms or write your tools to perform this activity. In this blog, we are going to use Atomic Red Team to simulate the threats.

Detection Engineering with Atomic Red Team

Atomic Red Team is a library of tests mapped to the MITRE ATT&CK framework that security teams can use to quickly, portably and reproducibly test their environments. Each test comes with a detailed description and commands. You can execute tests directly from the command line, use an execution framework like Invoke-Atomic, or build something of your own.

Atomic Red Team has more than 1070 procedures spanning cloud, containers, and native operating systems, constantly growing with community support. In addition, it covers 12 out of 14 MITRE ATT&CK tactics, barring only Recconaisance and Resource Development. Finally, with the Top ATT&CK Techniques project, defenders can use these tests as a practical testing ground for their security controls and detection capabilities.

Test your Detection Controls with Atomic Red Team

Let's take the example of Windows Management Instrumentation(T1047). WMI is an administration feature which provides a uniform environment across Windows systems, and adversaries abuse this feature to execute malicious commands and payloads. Adversaries use WMI to execute commands locally and remotely, gather information, and for Lateral Movement. Mitre Top Ten Techniques puts WMI very close to the top as it has a high prevalence and usage by attackers. WMI can also be detected using various data sources such as Command Execution, File Access and Network Traffic.

WMI Rweconnaissance Users

Since many legitimate applications also use WMI for administration, it is crucial to write rules so that there are as few false positives as possible. We will use Sysmon to see how we can detect WMI activity and build our detections around it. Atomic Red Team provides commands which you can run on your own or use the Invoke-Atomic Powershell cmdlet to run these commands.

Invoke-Atomic with WMI(T1047)

Our target system has Sysmon installed with Olaf Hartong's configuration. We will quickly install the local version of Atomic Red Team to simplify running our test.

Installing Atomic Red Team is a 2 step process, as mentioned on their Github. First, you can run the below command to install Atomic Red Team on your machine.

IEX (IWR 'https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/install-atomicredteam.ps1' -UseBasicParsing); Install-AtomicRedTeam

1PS C:\Users\Swapnil> IEX (IWR 'https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/install-atomicredteam.ps1' -UseBasicParsing);
2PS C:\Users\Swapnil> Install-AtomicRedTeam
3
4NuGet provider is required to continue
5PowerShellGet requires NuGet provider version '2.8.5.201' or newer to interact with NuGet-based repositories. The NuGet
6 provider must be available in 'C:\Program Files\PackageManagement\ProviderAssemblies' or
7'C:\Users\Swapnil\AppData\Local\PackageManagement\ProviderAssemblies'. You can also install the NuGet provider by
8running 'Install-PackageProvider -Name NuGet -MinimumVersion 2.8.5.201 -Force'. Do you want PowerShellGet to install
9and import the NuGet provider now?
10[Y] Yes  [N] No  [S] Suspend  [?] Help (default is "Y"): Y
11Installation of Invoke-AtomicRedTeam is complete. You can now use the Invoke-AtomicTest function
12See Wiki at https://github.com/redcanaryco/invoke-atomicredteam/wiki for complete details

Once we have Atomic Red Team installed, we then need to install the local tests using

Install-AtomicRedTeam -getAtomics -Force

1PS C:\Users\Swapnil> Install-AtomicRedTeam -getAtomics -Force
2Installation of Invoke-AtomicRedTeam is complete. You can now use the Invoke-AtomicTest function
3See Wiki at https://github.com/redcanaryco/invoke-atomicredteam/wiki for complete details

After installing the test, we can verify the installation using

Invoke-AtomicTest T1047 -ShowDetails

The command will display the available tests for WMI and the commands to run the test manually.

1PS C:\Users\Swapnil> Invoke-AtomicTest T1047 -ShowDetails
2PathToAtomicsFolder = C:\AtomicRedTeam\atomics
3
4[********BEGIN TEST*******]
5Technique: Windows Management Instrumentation T1047
6Atomic Test Name: WMI Reconnaissance Users
7Atomic Test Number: 1
8Atomic Test GUID: c107778c-dcf5-47c5-af2e-1d058a3df3ea
9Description: An adversary might use WMI to list all local User Accounts.  When the test completes , there should be local user accounts information displayed on the command line.
10
11Attack Commands:
12Executor: command_prompt
13ElevationRequired: False
14Command:
15wmic useraccount get /ALL /format:csv
16[!!!!!!!!END TEST!!!!!!!]
17
18[********BEGIN TEST*******]
19Technique: Windows Management Instrumentation T1047
20Atomic Test Name: WMI Reconnaissance Processes
21Atomic Test Number: 2
22<snip>

Finally, we can execute the test using the following command.

Invoke-AtomicTest T1047 -TestNumbers 1.

The command will run the WMI Reconnaissance Users test and display the output on your terminal.

1PS C:\Users\Swapnil> Invoke-AtomicTest T1047 -TestNumbers 1
2PathToAtomicsFolder = C:\AtomicRedTeam\atomics
3
4Executing test: T1047-1 WMI Reconnaissance Users
5Node,AccountType,Caption,Description,Disabled,Domain,FullName,InstallDate,LocalAccount,Lockout,Name,PasswordChangeable,PasswordExpires,PasswordRequired,SID,SIDType,Status
6DESKTOP-DMNMKL9,512,DESKTOP-DMNMKL9\Administrator,Built-in account for administering the computer/domain,TRUE,DESKTOP-DMNMKL9,,,TRUE,FALSE,Administrator,TRUE,FALSE,TRUE,S-1-5-21-842570548-351139973-3147693403-500,1,Degraded
7DESKTOP-DMNMKL9,512,DESKTOP-DMNMKL9\DefaultAccount,A user account managed by the system.,TRUE,DESKTOP-DMNMKL9,,,TRUE,FALSE,DefaultAccount,TRUE,FALSE,FALSE,S-1-5-21-842570548-351139973-3147693403-503,1,Degraded
8DESKTOP-DMNMKL9,512,DESKTOP-DMNMKL9\Guest,Built-in account for guest access to the computer/domain,TRUE,DESKTOP-DMNMKL9,,,TRUE,FALSE,Guest,FALSE,FALSE,FALSE,S-1-5-21-842570548-351139973-3147693403-501,1,Degraded
9DESKTOP-DMNMKL9,512,DESKTOP-DMNMKL9\Swapnil,,FALSE,DESKTOP-DMNMKL9,,,TRUE,FALSE,Swapnil,TRUE,FALSE,FALSE,S-1-5-21-842570548-351139973-3147693403-1001,1,OK
10DESKTOP-DMNMKL9,512,DESKTOP-DMNMKL9\WDAGUtilityAccount,A user account managed and used by the system for Windows Defender Application Guard scenarios.,TRUE,DESKTOP-DMNMKL9,,,TRUE,FALSE,WDAGUtilityAccount,TRUE,TRUE,TRUE,S-1-5-21-842570548-351139973-3147693403-504,1,Degraded
11Done executing test: T1047-1 WMI Reconnaissance Users

Validating Detections

The execution would be captured by Sysmon as a Process Create event, where many details are available, such as ProcessId, ParentProcessId, ParentCommandLine, etc., which defenders can use to verify the detection on your SIEM or EDR.

Sysmon detecting wmic activity

If the log is not present, you can assess your detection controls to find and fix the misconfigurations. Next, you have to baseline your environment to reduce the false positives while still not missing out on the actual usage. Again, the goal is to reduce false positives while retaining true positives.

Running a test through an open source platform requires setting up the tool and fixing any issues you might face. Even though Atomic Red Team is easy to use, running a test has multiple steps. For example, you are using MITRE Top Ten Techniques first to identify the technique, install the technique, and validate the parameters.

During a technique run, it's not visible what commands are being run, what the parameters are etc. Finding the correct logs become a challenge as there is no indication of any PID or PPID which can be input to the SIEM.

Running WMI test with FourCore Attack

We will run the same WMI Test with the FourCore ATTACK platform to highlight the simplicity of our security control validation technology.

WMI Reconnaissance Users on FourCore ATTACK

Running the simulation requires you to select which threat you want to run and the asset you want to run the threat on.

FourCore ATTACK Asset page

The final report highlights the commands that are run, the events generated and any output.

FourCore ATTACK Asset page

The report also contains the PID, PPID, command line etc., so you can quickly verify the activity in your logs.

FourCore ATTACK Sysmon Correlation
Correlation using provided IOCs

An in-house custom solution or a paid product eases the pain points present in an open source tool by providing access to relevant information in the right place, simplifying a lot of manual labour and reducing the time required to conduct such exercises.

Conclusion

Detection Engineering is an essential capability for an organisation to interpret and deal with modern threats efficiently. The primary outcome of detection engineering is the detection rules tuned according to the organisations' needs which help reduce analyst fatigue. However, it is crucial to embrace false positives initially, so you don't miss out on true positives. MITRE Top Techniques is a project that can help analysts embark on this journey and find threats to which their organisation is most vulnerable.

Using existing threat simulation tools and platforms such as Atomic Red Team, FourCore ATTACK can further simplify the number of steps you need to perform and decrease the time required for optimization.

It is essential to track your detection metrics so that you have an efficient process of detecting new threats quickly.

Optimise your rules by simulating attackers' TTPs with FourCore ATTACK.

References