
WHITE PAPER

Mapping BeyondTrust Solutions into the MITRE ATT&CK™ Navigator

CONTENTS

MITRE ATT&CK™
DEFINING THE TACTICS
HOW BEYONDTRUST HELPS TO MITIGATE RISKS IDENTIFIED IN MITRE ATT&CK
THE BEYONDTRUST PRIVILEGED ACCESS MANAGEMENT PLATFORM
ABOUT BEYONDTRUST

MITRE ATT&CK™

With the volume of cyberattacks growing every day, organizations are increasingly relying on third parties to help discover, prioritize, categorize, and provide guidance to remediate threats. One such third party is MITRE and its ATT&CK™ knowledge base. According to the MITRE website:

MITRE ATT&CK™ is a globally-accessible knowledge base of adversary tactics and techniques based on real-world observations. The ATT&CK knowledge base is used as a foundation for the development of specific threat models and methodologies in the private sector, in government, and in the cybersecurity product and service community.

Open and available to any person or organization for use at no charge, the goal of MITRE ATT&CK is to bring communities together to develop more effective cybersecurity.1

BeyondTrust has mapped its solutions for privileged access management, vulnerability management, and remote support into the ATT&CK framework by tactic and technique. With this mapping, organizations can better optimize their security investments, getting more value for the dollar spent.

Please see the tables below for a summary mapping of BeyondTrust capabilities into the ATT&CK framework.

1 https://attack.mitre.org/

DEFINING THE TACTICS

Before reviewing how BeyondTrust solutions map into the ATT&CK framework, let’s take a quick look at the tactics. All definitions can be found on the MITRE website. Please note that BeyondTrust has not defined each technique with each tactic.

• Initial Access: Represents the vectors adversaries use to gain an initial foothold within a network.

• Execution: Represents techniques that result in execution of adversary-controlled code on a local or remote system. This tactic is often used in conjunction with initial access as the means of executing code once access is obtained, and with lateral movement to expand access to remote systems on a network.

• Persistence: Any access, action, or configuration change to a system that gives an adversary a persistent presence on that system. Adversaries will often need to maintain access to systems through interruptions such as system restarts, loss of credentials, or other failures that would require a remote access tool to restart or an alternate backdoor for them to regain access.

• Privilege Escalation: The result of actions that allow an adversary to obtain a higher level of permissions on a system or network. Certain tools or actions require a higher level of privilege to work and are likely necessary at many points throughout an operation. Adversaries can enter a system with unprivileged access and must take advantage of a system weakness to obtain local administrator or SYSTEM/root level privileges. A user account with administrator-like access can also be used. User accounts with permissions to access specific systems or perform specific functions necessary for adversaries to achieve their objective may also be considered an escalation of privilege.

• Defense Evasion: Consists of techniques an adversary may use to evade detection or avoid other defenses. Sometimes these actions are the same as or variations of techniques in other categories that have the added benefit of subverting a particular defense or mitigation. Defense evasion may be considered a set of attributes the adversary applies to all other phases of the operation.

• Credential Access: Represents techniques resulting in access to or control over system, domain, or service credentials that are used within an enterprise environment. Adversaries will likely attempt to obtain legitimate credentials from users or administrator accounts (local system administrator or domain users with administrator access) to use within the network. This allows the adversary to assume the identity of the account, with all of that account's permissions on the system and network, and makes it harder for defenders to detect the adversary. With sufficient access within a network, an adversary can create accounts for later use within the environment.

• Discovery: Consists of techniques that allow the adversary to gain knowledge about the system and internal network. When adversaries gain access to a new system, they must orient themselves to what they now have control of and what benefits operating from that system give to their current objective or overall goals during the intrusion. The operating system provides many native tools that aid in this post-compromise information-gathering phase.

• Lateral Movement: Consists of techniques that enable an adversary to access and control remote systems on a network and could, but does not necessarily, include execution of tools on remote systems. The lateral movement techniques could allow an adversary to gather information from a system without needing additional tools, such as a remote access tool.

• Collection: Consists of techniques used to identify and gather information, such as sensitive files, from a target network prior to exfiltration. This category also covers locations on a system or network where the adversary may look for information to exfiltrate.

• Exfiltration: Refers to techniques and attributes that result in or aid the adversary in removing files and information from a target network. This category also covers locations on a system or network where the adversary may look for information to exfiltrate.

• Command and Control: Represents how adversaries communicate with systems under their control within a target network. There are many ways an adversary can establish command and control with various levels of covertness, depending on system configuration and network topology. Due to the wide degree of variation available to the adversary at the network level, only the most common factors were used to describe the differences in command and control. There are still a great many specific techniques within the documented methods, largely due to how easy it is to define new protocols and use existing, legitimate protocols and network services for communication.

HOW BEYONDTRUST HELPS TO MITIGATE RISKS IDENTIFIED IN MITRE ATT&CK

Please see the tables below for a mapping of BeyondTrust solutions into the techniques identified within the tactics categorized in MITRE ATT&CK. In each table, a technique marked NA is one to which no BeyondTrust capability is mapped; every other technique listed has a BeyondTrust capability mapped to it.

TA0001 – Initial Access

• Drive-by Compromise
• Exploit Public-Facing Application
• Hardware Additions
• Replication Through Removable Media
• Spearphishing Attachment
• Spearphishing Link
• Spearphishing via Service
• Supply Chain Compromise – NA
• Trusted Relationship
• Valid Accounts

TA0002 – Execution

• AppleScript
• CMSTP
• Command-Line Interface
• Compiled HTML File
• Control Panel Items
• Dynamic Data Exchange – NA
• Execution through API – NA
• Execution through Module Load
• Exploitation for Client Execution
• Graphical User Interface
• InstallUtil
• Launchctl
• Local Job Scheduling
• LSASS Driver
• Mshta
• PowerShell
• Regsvcs/Regasm
• Regsvr32
• Rundll32
• Scheduled Task
• Scripting
• Service Execution
• Signed Binary Proxy Execution
• Signed Script Proxy Execution
• Source – NA
• Space after Filename
• Third-party Software
• Trap
• Trusted Developer Utilities
• User Execution
• Windows Management Instrumentation
• Windows Remote Management
• XSL Script Processing

TA0003 – Persistence

• .bash_profile and .bashrc
• Accessibility Features – NA
• Account Manipulation
• AppCert DLLs
• AppInit DLLs
• Application Shimming
• Authentication Package
• BITS Jobs – NA
• Bootkit
• Browser Extensions
• Change Default File Association
• Component Firmware – NA
• Component Object Model Hijacking
• Create Account
• DLL Search Order Hijacking
• Dylib Hijacking – NA
• External Remote Services – NA
• File System Permissions Weakness
• Hidden Files and Directories
• Hooking
• Hypervisor – NA
• Image File Execution Options Injection – NA
• Kernel Modules and Extensions
• Launch Agent – NA
• Launch Daemon – NA
• Launchctl – NA
• LC_LOAD_DYLIB Addition – NA
• Local Job Scheduling
• Login Item – NA
• Logon Scripts
• LSASS Driver
• Modify Existing Service
• Netsh Helper DLL
• New Service
• Office Application Startup
• Path Interception
• Plist Modification – NA
• Port Knocking – NA
• Port Monitors – NA
• Rc.common – NA
• Re-opened Applications – NA
• Redundant Access – NA
• Registry Run Keys / Startup Folder
• Scheduled Task
• Screensaver
• Security Support Provider
• Service Registry Permissions Weakness
• Setuid and Setgid
• Shortcut Modification
• SIP and Trust Provider Hijacking
• Startup Items
• System Firmware – NA
• Time Providers
• Trap – NA
• Valid Accounts
• Web Shell – NA
• Windows Management Instrumentation Event Subscription
• Winlogon Helper DLL

TA0004 – Privilege Escalation

• Access Token Manipulation
• Accessibility Features
• AppCert DLLs
• AppInit DLLs
• Application Shimming
• Bypass User Account Control
• DLL Search Order Hijacking
• Dylib Hijacking – NA
• Exploitation for Privilege Escalation
• Extra Window Memory Injection
• File System Permissions Weakness
• Hooking
• Image File Execution Options Injection
• Launch Daemon – NA
• New Service
• Path Interception
• Plist Modification – NA
• Port Monitors – NA
• Process Injection
• Scheduled Task
• Service Registry Permissions Weakness
• Setuid and Setgid
• SID-History Injection
• Startup Items
• Sudo
• Sudo Caching
• Valid Accounts
• Web Shell – NA

TA0005 – Defense Evasion

• Access Token Manipulation
• Binary Padding
• BITS Jobs – NA
• Bypass User Account Control
• Clear Command History
• CMSTP
• Code Signing
• Compiled HTML File
• Component Firmware – NA
• Component Object Model Hijacking
• Control Panel Items
• DCShadow
• Deobfuscate/Decode Files or Information
• Disabling Security Tools
• DLL Search Order Hijacking
• DLL Side-Loading
• Exploitation for Defense Evasion
• Extra Window Memory Injection – NA
• File Deletion
• File Permissions Modification
• File System Logical Offsets – NA
• Gatekeeper Bypass – NA
• Hidden Files and Directories
• Hidden Users
• Hidden Window – NA
• HISTCONTROL
• Image File Execution Options Injection
• Indicator Blocking – NA
• Indicator Removal from Tools – NA
• Indicator Removal on Host – NA
• Indirect Command Execution
• Install Root Certificate
• InstallUtil
• Launchctl – NA
• LC_MAIN Hijacking – NA
• Masquerading
• Modify Registry
• Mshta
• Network Share Connection Removal
• NTFS File Attributes – NA
• Obfuscated Files or Information – NA
• Plist Modification – NA
• Port Knocking – NA
• Process Doppelgänging – NA
• Process Hollowing – NA
• Process Injection – NA
• Redundant Access
• Regsvcs/Regasm
• Regsvr32
• Rootkit – NA
• Rundll32
• Scripting
• Signed Binary Proxy Execution
• Signed Script Proxy Execution – NA
• SIP and Trust Provider Hijacking – NA
• Software Packing
• Space after Filename – NA
• Template Injection – NA
• Timestomp – NA
• Trusted Developer Utilities
• Valid Accounts
• Web Service – NA
• XSL Script Processing – NA

TA0006 – Credential Access

• Account Manipulation
• Bash History
• Brute Force
• Credential Dumping
• Credentials in Files
• Credentials in Registry
• Exploitation for Credential Access
• Forced Authentication
• Hooking
• Input Capture
• Input Prompt
• Kerberoasting – NA
• Keychain
• LLMNR/NBT-NS Poisoning – NA
• Network Sniffing – NA
• Password Filter DLL
• Private Keys
• Securityd Memory – NA
• Two-Factor Authentication Interception – NA

TA0007 – Discovery

• Account Discovery
• Application Window Discovery
• Browser Bookmark Discovery – NA
• File and Directory Discovery
• Network Service Scanning
• Network Share Discovery
• Network Sniffing – NA
• Password Policy Discovery
• Peripheral Device Discovery
• Permission Groups Discovery
• Process Discovery
• Query Registry
• Remote System Discovery
• Security Software Discovery
• System Information Discovery
• System Network Configuration Discovery
• System Network Connections Discovery
• System Owner/User Discovery
• System Service Discovery
• System Time Discovery

TA0008 – Lateral Movement

• AppleScript
• Application Deployment Software
• Distributed Component Object Model
• Exploitation of Remote Services
• Logon Scripts
• Pass the Hash
• Pass the Ticket
• Remote Desktop Protocol
• Remote File Copy
• Remote Services
• Replication Through Removable Media
• Shared Webroot – NA
• SSH Hijacking
• Taint Shared Content – NA
• Third-party Software
• Windows Admin Shares
• Windows Remote Management

TA0009 – Collection

• Audio Capture – NA
• Automated Collection
• Clipboard Data – NA
• Data from Information Repositories
• Data from Local System
• Data from Network Shared Drive
• Data from Removable Media
• Data Staged
• Email Collection – NA
• Input Capture
• Man in the Browser – NA
• Screen Capture
• Video Capture

TA0010 – Exfiltration

• Automated Exfiltration – NA
• Data Compressed
• Data Encrypted
• Data Transfer Size Limits – NA
• Exfiltration Over Alternative Protocol – NA
• Exfiltration Over Command and Control Channel – NA
• Exfiltration Over Other Network Medium – NA
• Exfiltration Over Physical Medium
• Scheduled Transfer – NA

TA0011 – Command and Control

• Commonly Used Port
• Communication Through Removable Media
• Connection Proxy – NA
• Custom Command and Control Protocol – NA
• Custom Cryptographic Protocol – NA
• Data Encoding – NA
• Data Obfuscation – NA
• Domain Fronting – NA
• Fallback Channels – NA
• Multi-hop Proxy – NA
• Multi-Stage Channels – NA
• Multiband Communication – NA
• Multilayer Encryption – NA
• Port Knocking – NA
• Remote Access Tools
• Remote File Copy
• Standard Application Layer Protocol
• Standard Cryptographic Protocol – NA
• Standard Non-Application Layer Protocol – NA
• Uncommonly Used Port
• Web Service – NA
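As an added example (not code from the paper or from BeyondTrust), the following Python turns a coverage mapping like the tables above into an ATT&CK Navigator layer file, using the Initial Access rows as sample data: score 1 marks a technique with a mapped capability, score 0 marks NA, so the Navigator heat map shows the gaps. The technique IDs are the enterprise ATT&CK IDs in use when this mapping was published; the layer name, description, colours and the minimal subset of layer fields used are assumptions.

```python
"""Build an ATT&CK Navigator layer from a tactic -> technique -> coverage mapping."""
import json

# Constructed sample: the paper's Initial Access rows. True = a capability is
# mapped to the technique, False = the paper marks the technique NA.
INITIAL_ACCESS = {
    "T1189": ("Drive-by Compromise", True),
    "T1190": ("Exploit Public-Facing Application", True),
    "T1200": ("Hardware Additions", True),
    "T1091": ("Replication Through Removable Media", True),
    "T1193": ("Spearphishing Attachment", True),
    "T1192": ("Spearphishing Link", True),
    "T1194": ("Spearphishing via Service", True),
    "T1195": ("Supply Chain Compromise", False),
    "T1199": ("Trusted Relationship", True),
    "T1078": ("Valid Accounts", True),
}


def coverage_entries(tactic, rows):
    """One Navigator technique entry per row; score 1 = covered, 0 = NA."""
    return [
        {
            "techniqueID": tid,
            "tactic": tactic,  # Navigator tactic slug, e.g. "initial-access"
            "score": 1 if covered else 0,
            "comment": f"{name} ({'covered' if covered else 'NA'})",
            "enabled": True,
        }
        for tid, (name, covered) in rows.items()
    ]


def build_layer(name, mapping):
    """mapping: {tactic slug: {technique id: (name, covered)}} -> layer dict.

    Only the core layer fields are emitted (assumed sufficient for import);
    the gradient colours white -> green are placeholders.
    """
    techniques = []
    for tactic, rows in mapping.items():
        techniques.extend(coverage_entries(tactic, rows))
    return {
        "name": name,
        "domain": "enterprise-attack",
        "description": "Coverage: score 1 = capability mapped, 0 = NA",
        "techniques": techniques,
        "gradient": {"colors": ["#ffffff", "#66b032"], "minValue": 0, "maxValue": 1},
    }


def coverage_summary(layer):
    """(covered, total) for a quick gap count before uploading the layer."""
    scores = [t["score"] for t in layer["techniques"]]
    return sum(scores), len(scores)


if __name__ == "__main__":
    layer = build_layer("Example coverage layer", {"initial-access": INITIAL_ACCESS})
    print(json.dumps(layer, indent=2))
```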

THE BEYONDTRUST PRIVILEGED ACCESS MANAGEMENT PLATFORM

The BeyondTrust Privileged Access Management Platform is an integrated solution to provide control and visibility over all privileged accounts, users and access. By uniting capabilities that many alternative providers offer as disjointed tools, the BeyondTrust platform simplifies deployments, reduces costs, improves system security and closes gaps to reduce privileged risks.

BeyondTrust PAM solutions enable organizations to secure their IT network assets and protect them from the risk of a breach. For more information, visit beyondtrust.com/solutions.

ABOUT BEYONDTRUST

BeyondTrust is the worldwide leader in Privileged Access Management, offering the most seamless approach to preventing data breaches related to stolen credentials, misused privileges, and compromised remote access.

Our extensible platform empowers organizations to easily scale privilege security as threats evolve across endpoint, server, cloud, DevOps, and network device environments. BeyondTrust unifies the industry’s broadest set of privileged access capabilities with centralized management, reporting, and analytics, enabling leaders to take decisive and informed actions to defeat attackers. Our holistic platform stands out for its flexible design that simplifies integrations, enhances user productivity, and maximizes IT and security investments.

BeyondTrust gives organizations the visibility and control they need to reduce risk, achieve compliance objectives, and boost operational performance. We are trusted by 20,000 customers, including half of the Fortune 500, and a global partner network.

Learn more at www.beyondtrust.com.

V2019_05_ENG