KillChainSlides

Report
Detection Scenarios
Recon
Weaponization
Deliver
File
File
Behavior
Behavior
File - Name
File - Path
File
Win Registry Key
URI – Domain
Name
URI – URL
HTTP - GET
HTTP – UA String
Address – e-mail
Address – ipv4addr
URI - URL
File - Path
Exploitation
File
File - Name
File - Name
URI- Domain Name
URI – Domain
Name
URI - URL
HTTP - POST
Email Header Subject
Email Header – XMailer
Hash – MD5
Act on
Objectives
Installation
C2
Code – Binary
Code
Behavior
Behavior
Win Process
Win Registry
Key
Win Process
Win Registry Key
File
Win Registry Key
File
Win Service
File
File - Path
URI – Domain
Name
File - Path
URI – URL
File - Name
URI - URL
File - Name
Hash – MD5
URI – Domain
Name
HTTP - GET
URI – Domain
Name
Hash – SHA1
Address – cidr
Address – ipv4addr
URI - URL
HTTP - GET
HTTP – UA String
Hash – SHA1
Hash – MD5
Address – e-mail
Hash – SHA1
Address – ipv4addr
Address – e-mail
Address – ipv4addr
HTTP - POST
HTTP – UA String
Hash – MD5
Hash – SHA1
Address – e-mail
Address – ipv4addr
URI – URL
Hash – MD5
Hash – SHA1
Address – ipv4addr
Platform Strengths (example IDS Solution)
Recon
Weaponization
Deliver
File
File
Behavior
Behavior
File - Name
File - Path
File
Win Registry Key
URI – Domain
Name
URI – URL
HTTP - GET
HTTP – UA String
Address – e-mail
Address – ipv4addr
URI - URL
File - Path
Exploitation
File
File - Name
File - Name
URI- Domain Name
URI – Domain
Name
URI - URL
HTTP - POST
Email Header Subject
Email Header – XMailer
Hash – MD5
Act on
Objectives
Installation
C2
Code – Binary
Code
Behavior
Behavior
Win Process
Win Registry
Key
Win Process
Win Registry Key
File
Win Registry Key
File
Win Service
File
File - Path
URI – Domain
Name
File - Path
URI – URL
File - Name
URI - URL
File - Name
Hash – MD5
URI – Domain
Name
HTTP - GET
URI – Domain
Name
Hash – SHA1
Address – cidr
Address – ipv4addr
URI - URL
HTTP - GET
HTTP – UA String
Hash – SHA1
Hash – MD5
Address – e-mail
Hash – SHA1
Address – ipv4addr
Address – e-mail
Address – ipv4addr
Notes:
Security solutions are able to investigate, analyze and monitor this indicator type
Security solutions are unable to track this indicator type. These areas represent gaps
HTTP - POST
HTTP – UA String
Hash – MD5
Hash – SHA1
Address – e-mail
Address – ipv4addr
URI – URL
Hash – MD5
Hash – SHA1
Address – ipv4addr
All Detection Platforms (aggregated view)
Recon
Weaponization
Deliver
File
File
Behavior
Behavior
File - Name
File - Path
File
Win Registry Key
URI – Domain
Name
URI – URL
HTTP - GET
HTTP – UA String
Address – e-mail
Address – ipv4addr
URI - URL
File - Path
Exploitation
File
File - Name
File - Name
URI- Domain Name
URI – Domain
Name
URI - URL
HTTP - POST
Email Header Subject
Email Header – XMailer
Hash – MD5
Act on
Objectives
Installation
C2
Code – Binary
Code
Behavior
Behavior
Win Process
Win Registry
Key
Win Process
Win Registry Key
File
Win Registry Key
File
Win Service
File
File - Path
URI – Domain
Name
File - Path
URI – URL
File - Name
URI - URL
File - Name
Hash – MD5
URI – Domain
Name
HTTP - GET
URI – Domain
Name
Hash – SHA1
Address – cidr
Address – ipv4addr
URI - URL
HTTP - GET
HTTP – UA String
Hash – SHA1
Hash – MD5
Address – e-mail
Hash – SHA1
Address – ipv4addr
Address – e-mail
Address – ipv4addr
Notes:
Security solutions are able to investigate, analyze and monitor this indicator type
Security solutions are unable to track this indicator type. These areas represent gaps
HTTP - POST
HTTP – UA String
Hash – MD5
Hash – SHA1
Address – e-mail
Address – ipv4addr
URI – URL
Hash – MD5
Hash – SHA1
Address – ipv4addr
Visibility Gaps by Threat Actor
Recon
HTTP – UA String
Weaponization
Deliver
Exploitation
Installation
C2
Act on
Objectives
File
Email Header - Subject
Hash – MD5
File - Path
Email Header – X-Mailer
Hash – SHA1
URI - URL
Post-Incident Review
(What did the a ctor do?)
(Why did it work?)
(What should we do?)
Actor Action
Used commercial web scanner
Failure Mode
Potential gaps in threat tool & scanning
capability
Mitigation Action
Establish detection
capability
SQL injection on vulnerable ASP
page to gain admin user access
Could not detect SSL traffic; vulnerable to SQL
injection
Explore Secure
Development and
Application Security
Assessments
Installation
IIS web service used to
upload web shell
Failure to restrict file upload types or configure
web server to not execute uploaded files
Comm & Control
Used web shell on initially
compromised host
Accessed “id.txt” which held
account information with admin
access
Could not detect SSL traffic
Kill Chain
Reconnaissance
W eaponization
Delivery
Exploitation
Actions on
intent
Management scripts failed to delete “id.txt”
after running
Explore Secure
Development and
Application Security
Assessments
Scripts retired and
environment scanned.

similar documents