5/15/2018 12:10 PM BRK2059 Your attacker thinks like my attacker: a common threat model to create better defense Elia Florio Jessica Payne Research.


1 5/15/2018 12:10 PM BRK2059 Your attacker thinks like my attacker: a common threat model to create better defense
Elia Florio, Research Lead, WDATP
Jessica Payne, Security Person, @jepayneMSFT
© Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

3 Trends and techniques in modern attacks

4 Old Malware vs Modern Malware
Old malware: Initial Dropper -> Install EXE/DLL file -> Change Autoruns or Registry -> Malware Process running
Modern malware: REGSVR32 installation, POWERSHELL execution, MSBUILD injection, WMI persistence, DNS C2 networking
Tech Ready 15, 5/15/2018. © 2012 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

5 What’s changing?
Monolithic malware is disappearing; modern malware is a patchwork of multiple attacker techniques
Malware is becoming a direct expression of pentester/red team research
Code signing, reputation and Device Guard force malware to re-use trusted components available in the OS to execute untrusted actions
File-less attacks are the norm; memory is the new battleground

6 Case studies

7 Attacker groups The APT The Wildcard The Ransomware

8 The APT
Targets software companies and game studios
UAC bypass via Event Viewer
Utilized PSAttack to do PowerShell downgrades to evade logging, generating an Event ID 400 in the process
Mimikatz
Clears event logs, generating an Event ID 1102
Will use psexec to move laterally on the network

9 The Wildcard (misfox)
Went unnoticed for years because it was “commodity”
Cyberextortion and data sales on the black market
Persistence via PowerShell Empire, utilizing scheduled tasks and services
Does PowerShell downgrades to evade detections
Utilized regsvr32 to load scripts (squiblydoo)
Uses Mimikatz to steal credentials
Clears event logs, generating an Event ID 1102

11 The ransomware

12 The Ransomware
Came via supply chain compromise
Moves laterally using psexec, WMI, or EternalBlue
Steals credentials using createproc or Mimikatz
Clears the event logs (Event ID 1102)
Registers a new scheduled task to initiate the wiping/ransomware

13 Attacker groups The APT The Wildcard The Ransomware

14 TTPs: Tools, Techniques, and Procedures
Lateral movement
Persistence
Anti-forensics

15 Behavioral overlap: where to focus (The APT, The Wildcard, The Ransomware)
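The overlap the three case studies share is the best place to start a detection: every group clears the event logs (Event ID 1102) and two of them downgrade PowerShell to the 2.0 engine (Event ID 400). The script below is an added example, not code from the presentation; the event records it scans are constructed in the Windows event XML shape, and the host name and account name in them are made up.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample records in Windows event XML shape; not real captures.
SAMPLE_EVENTS = [
    # Benign: a PowerShell 5.1 host starts the 5.1 engine.
    """<Event><System><EventID>400</EventID><Channel>Windows PowerShell</Channel>
    <Computer>ws01.example.test</Computer></System><EventData><Data>Available</Data>
    <Data>NewEngineState=Available
    HostVersion=5.1.17134.1
    EngineVersion=5.1.17134.1</Data></EventData></Event>""",
    # Suspicious: a 5.1 host started the 2.0 engine, which has no script block logging.
    """<Event><System><EventID>400</EventID><Channel>Windows PowerShell</Channel>
    <Computer>ws01.example.test</Computer></System><EventData><Data>Available</Data>
    <Data>NewEngineState=Available
    HostVersion=5.1.17134.1
    EngineVersion=2.0</Data></EventData></Event>""",
    # Anti-forensics: the Security log was cleared.
    """<Event><System><EventID>1102</EventID><Channel>Security</Channel>
    <Computer>ws01.example.test</Computer></System><UserData><LogFileCleared>
    <SubjectUserName>svc_backup</SubjectUserName></LogFileCleared></UserData></Event>""",
]

def _first_text(root, local_name):
    """Text of the first element with this local tag name (namespace-agnostic)."""
    for el in root.iter():
        if el.tag.rsplit("}", 1)[-1] == local_name:
            return (el.text or "").strip()
    return ""

def _engine_version(root):
    """Event 400 stores key=value lines inside a <Data> element; pull EngineVersion."""
    for el in root.iter():
        if el.tag.rsplit("}", 1)[-1] == "Data" and "EngineVersion=" in (el.text or ""):
            m = re.search(r"EngineVersion=([\d.]+)", el.text)
            return m.group(1) if m else ""
    return ""

def classify_event(xml_text):
    """Return a finding string for a shared-TTP event, or None if benign."""
    root = ET.fromstring(xml_text)
    event_id = _first_text(root, "EventID")
    computer = _first_text(root, "Computer")
    if event_id == "1102":
        who = _first_text(root, "SubjectUserName") or "unknown"
        return f"{computer}: {_first_text(root, 'Channel')} log cleared by {who} (Event ID 1102)"
    if event_id == "400" and _engine_version(root).startswith("2."):
        return f"{computer}: PowerShell engine downgrade to v{_engine_version(root)} (Event ID 400)"
    return None

def scan(events):
    return [f for f in map(classify_event, events) if f]
```

Exported events from a real host carry an xmlns on the Event element; the local-name matching above handles that without changes.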

16 Learn how attackers think

17 Measure and classify attacker techniques

18 Evolving from indicators
Classifying generic attacker techniques is more durable than classifying indicators (IOCs)
Can discover invariant points for detection, which is great for securing networks and devices
Less accurate for attribution and actor mapping
Problem: will an attacker technique become prevalent? Are all attacker techniques useful for attackers?

19 Windows Defender ATP model
(Diagram; the recoverable nodes and the weights printed beside each column are listed here.)
Sources: REDTEAM, STRONTIUM, Mimikatz (weights shown: 50, 10, 100)
Attack Techniques: CreateRemoteThread Injection, Set Thread Context, Dump Credentials from lsass process (weights shown: 60, 10, 100)
Detections: Remote Injection IOA, Access of lsass (weights shown: 70, 100, +X)
Event Data Need: Memory Allocations, Injection Functions, Open Process (weights shown: 70, 170, 100)

20 Windows Defender ATP detection dictionary
Kill chain stages: Delivery/Exploit, Installation, C&C, Persistence, Exploration, Lateral Movement, Exfiltration
Indicators of exploitation: child process/process chain anomalies from frequently exploited apps; memory anomalies from frequently exploited apps; social engineering waterhole; generalized behavioral anomalies (file, etc.); static CVE detection; kernel exploit detection; +more
Privilege Escalation detection: generic UAC or elevation detection; +more
Persistence: ASEP and service persistence; DLL side-loading persistence; sticky keys; overwritten binary; scheduled task installation; +more
General attacker tool and command detection; abnormal packing tool; +more
Installation: file clustering; suspected backdoor (ML); PowerShell suspect cmdline; uncommon file/folder; suspicious behavior of process tree (ML); social engineered file; stolen code signing; process migration and detection; suspicious root certificate installation; +more
C&C: domain anomaly detection; shellcode callback; anomalous port/protocol communication; communication to uncommon IP; +more
Lateral Movement / Exploration: LSASS credential theft; generic hacking tool detection; abnormal remote execution; anomalous user behavior; U<->P anomaly (user process runs as system); remote service anomalies; +more

21 Attack Technique example: UAC bypass

22 Attack Technique example: Kernel exploit (EoP)
EPROCESS/TOKEN MANIPULATION: AT#3351, AT#3352, AT#3355, AT#3357

23 …and resulting detection

24 Attack Technique Trends
Source new techniques and detect them before they reach customers
Identify growth trends in attacks
Data-driven sensor investments
Identify investment across the kill chain

25 Attack Technique Trends

26 Translate gaps into detections

27 MITRE ATT&CK https://attack.mitre.org/
“a threat modeling methodology and suite of models for the various phases of an adversary's lifecycle and platforms that are known to be targeted by cyber threats. ATT&CK models are useful for understanding security risk against known adversary behavior, for planning security improvements, and verifying defenses work as expected.” [MITRE]

28 MITRE ATT&CK

29 MITRE ATT&CK

30 Build the attacker’s playground

31 Bugs are not the main issue in most breaches, operational issues and technical debt are.

32 Network Design Goal: a “flat” network does little to hinder the attacker discovering and reaching its goal

33 Network Design Goal: monitoring opportunities

34 You can’t just buy this, you have to build it.

35 Components of a Holistic Security Strategy
Credential Hygiene
Network Segmentation
Least Privilege
Targeted Monitoring

36 https://aka.ms/buildtheplayground

37 Please evaluate this session
PC or tablet: visit MyIgnite
Phone: download and use the Microsoft Ignite mobile app
Your input is important!
