Technique Inference Engine, Top 10 Ransomware Calculator and Stop Ransomware Advisory CISA

Rapid Incident Response with the help of prioritization & prediction — another great tool developed by the CTID Mitre Engenuity

SIMKRA · CyberScribers · Sep 10, 2024

Technique Inference Engine

The Center for Threat-Informed Defense (CTID) develops free solutions for industries worldwide. Although these solutions are developed by the brightest minds, they are still very little used. To change that, I have been publishing articles about these tools since December 2022 to encourage the community to use them and to collaborate with the CTID on improving them. These free tools are available to everyone, including smaller companies, which very often need a starting point or a helping hand in measuring, maximizing and maturing their defenses in a threat-informed way.

Prediction vs. Reaction — Proactive Countermeasure

The TIE is a newly developed tool of the Center for Threat-Informed Defense and was published officially today. You can find a short description of the tool on the project website, as well as in the Medium blog post written by Mike Cunningham.

What is the next step an adversary could take?

With the TIE, you can get the top 20 prioritized and predicted techniques based on an observed MITRE ATT&CK technique you choose, for example to derive top threat hunting TTPs or to use them for triage during incident response analysis. Other examples are given, such as cyber assurance or as an aid to emulation plans. I also see a great advantage in working with TIE through prediction and prioritization of use cases in detection engineering. It is a machine learning model trained on CTI: over 6,200 reports were generated, covering 96% of the techniques in ATT&CK.

The Technique Inference Engine (TIE) uses a machine learning model trained on cyber threat intelligence to recommend likely TTPs based on a known input TTP. TIE will help analysts quickly understand what is likely to have happened next based on a broad corpus of threat intelligence.

Having the right dataset is critical to the predictive nature of the model. We identified four key attributes of our dataset to assure our model delivers relevant results.

The data is based on real-world observations of adversary activity.

The data represents sets of techniques that have occurred as part of the same activity.

The data contains multiple implementations covered by each technique. The model has sufficiently many TTP examples to discover trends in activity and avoid bias towards predicting the most common or popular techniques.

We exclude contrived or speculative data. For our purposes, we did not augment the data set with artificial data to prevent introducing non-existent associations between techniques.

Cyber threat intelligence (CTI) reports meet all the above criteria as they are crafted through expert analysis of cyber intrusions and observed adversary activity. By combining data used in previous Center research projects, CTI repositories, and contributions from our research partners, we generated over 6,200 reports, covering 96% of the techniques in ATT&CK.

Use of the Technique Inference Engine

You can sort the predicted techniques in ascending or descending order, and also by tactic if you want. The ranked TTPs for all techniques the model covers can be downloaded as .csv, or you can download the JSON Navigator layer.

Observed Technique — Initial Access T1190

What is the goal?

There are several goals you can achieve with this, for example closing the gaps as quickly as possible while at the same time avoiding analytical errors such as overlooking techniques that the attacker uses. By proactively analyzing the techniques and hardening the environment accordingly, you make it more difficult for the attacker to get into the systems: adversaries have to expand their skills and thus need more resources, or our detections catch them earlier because they have to use techniques that make them “louder” or noisier.

To test the newly developed TIE, I took the latest CISA #StopRansomware: RansomHub advisory and compared its techniques with those of the TIE when the Initial Access technique is T1190 Exploit Public-Facing Application.

Assumption Ransomware Attack

Let’s assume that a company has been attacked, there has been a ransomware incident, and so far we only know that the attacker gained access via a vulnerability such as one in Microsoft Exchange Server or in SharePoint, etc. We assume that we know it is RansomHub and decide to use the CISA report as well as the TTPs from ransomware[.]live.

If you now take the results of the TIE with the following 20 techniques and compare them with the TTPs of RansomHub from the CISA report, you get a result of 70% accuracy, which is quite decent. It means that 14 out of 20 TTPs fit.

Initial List of 20 Techniques:

  1. T1110 — Brute Force
  2. T1059 — Command and Scripting Interpreter
  3. T1486 — Data Encrypted for Impact
  4. T1068 — Exploitation for Privilege Escalation
  5. T1190 — Exploit Public-Facing Application
  6. T1133 — External Remote Services
  7. T1070 — Indicator Removal
  8. T1003.001 — LSASS Memory
  9. T1036 — Masquerading
  10. T1046 — Network Service Discovery
  11. T1003 — OS Credential Dumping
  12. T1566 — Phishing
  13. T1059.001 — PowerShell
  14. T1090 — Proxy
  15. T1021.001 — Remote Desktop Protocol
  16. T1021 — Remote Services
  17. T1018 — Remote System Discovery
  18. T1053 — Scheduled Task/Job
  19. T1078 — Valid Accounts
  20. T1047 — Windows Management Instrumentation

Techniques from CISA Report:

  1. T1588.005 — Buy/Steal/Download Exploits
  2. T1566 — Phishing
  3. T1190 — Exploit Public-Facing Application
  4. T1059.001 — Command and Scripting Interpreter
  5. T1047 — Windows Management Instrumentation
  6. T1136 — Create Account
  7. T1098 — Account Manipulation
  8. T1021.001 — Remote Desktop Protocol
  9. T1036 — Masquerading
  10. T1070 — Indicator Removal on Host
  11. T1562.001 — Disable or Modify Tools
  12. T1003 — OS Credential Dumping
  13. T1110.003 — Brute Force: Password Spraying
  14. T1018 — Remote System Discovery
  15. T1046 — Network Service Discovery
  16. T1210 — Exploitation of Remote Services
  17. T1219 — Remote Access Software
  18. T1048.002 — Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
  19. T1537 — Transfer Data to Cloud Account
  20. T1048.003 — Exfiltration Over Asymmetric Unencrypted Non-C2 Protocol
  21. T1486 — Data Encrypted for Impact
  22. T1490 — Inhibit System Recovery

TTPs that match between the TIE and the CISA Ransomware reports:

  • T1059 — Command and Scripting Interpreter
  • T1486 — Data Encrypted for Impact
  • T1190 — Exploit Public-Facing Application
  • T1133 — External Remote Services
  • T1070 — Indicator Removal
  • T1003.001 — LSASS Memory (variant of OS Credential Dumping)
  • T1003 — OS Credential Dumping
  • T1566 — Phishing
  • T1059.001 — PowerShell
  • T1021 — Remote Services (includes RDP, SSH, etc.)
  • T1018 — Remote System Discovery
  • T1053 — Scheduled Task/Job
  • T1078 — Valid Accounts
  • T1047 — Windows Management Instrumentation

Techniques from CISA Report Not in the Initial List:

  1. T1588.005 — Buy/Steal/Download Exploits
  2. T1136 — Create Account
  3. T1098 — Account Manipulation
  4. T1562.001 — Disable or Modify Tools
  5. T1210 — Exploitation of Remote Services
  6. T1219 — Remote Access Software
  7. T1048.002 — Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
  8. T1537 — Transfer Data to Cloud Account
  9. T1048.003 — Exfiltration Over Asymmetric Unencrypted Non-C2 Protocol
  10. T1490 — Inhibit System Recovery

If we count the variants of T1003 OS Credential Dumping and T1021 Remote Services as matches, we get 14 out of 20 techniques that match our TIE prediction.

Accuracy Calculation:

If we now add the Ransomware Calculator that I’ve described in this article, with its default top 10 techniques, we get another 4 important techniques that are relevant and that we should triage or search for: T1083 File and Directory Discovery, T1105 Ingress Tool Transfer, T1490 Inhibit System Recovery and T1489 Service Stop.

Default Top 10 Ransomware Techniques
Top TIE Techniques with the Top 10 Ransomware Calculator TTPs -Default

In the next step, I took the Ransomware Calculator and chose to tick the checkboxes for the NIST and CIS controls on T1190 to get more MITRE ATT&CK techniques for prioritization.

NIST 800-53 Controls related to T1190 — Exploit Public-Facing Application and available in the Calculator:

RA-5: Vulnerability Monitoring and Scanning

SI-2: Flaw Remediation

CM-2: Baseline Configuration

CM-6: Configuration Settings

SA-11: Developer Security Testing and Evaluation

AC-17: Remote Access

SI-10: Information Input Validation

SC-7: Boundary Protection

CIS Controls related to T1190 — Exploit Public-Facing Application and available in the Calculator:

CIS Control 02: Inventory and Control of Software Assets

CIS Control 04: Secure Configuration of Enterprise Assets and Software

CIS Control 05: Account Management

CIS Control 06: Access Control Management

CIS Control 07: Continuous Vulnerability Management

CIS Control 08: Audit Log Management

CIS Control 09: Email and Web Browser Protections

CIS Control 11: Secure Configuration for Network Devices

CIS Control 13: Data Protection

CIS Control 14: Security Awareness and Skills Training

NIST 800-53 Controls and CIS Security Controls
Tidal Cyber Enterprise Edition — Mapping the Top 10 Ransomware Techniques focus T1190

In the last step, the techniques of the ransomware itself were added from the website ransomware[.]live, and in a relatively short time you have a holistic picture of the techniques used by the specific ransomware group and of which techniques in particular to investigate.

RansomHub Ransomware Execution TTPs

Additionally, we get the following information relevant for our threat hunting, triage or detection engineering:

Windows Management Instrumentation (T1047)
The ransomware deletes shadow copies using the WMIC.exe utility.

Command and Scripting Interpreter: Windows Command Shell (T1059.003)
The ransomware utilizes cmd.exe to execute various Windows utilities to implement various other techniques.

Indicator Removal: Clear Windows Event Logs (T1070.001)
The ransomware clears the victim machine’s application, system, and security event logs using the wevtutil.exe utility.

Impair Defenses: Disable or Modify Tools (T1562)
Threat actors use files such as STONESTOP and POORTRY to load drivers for the purpose of disabling and deleting AV files.

Lateral Tool Transfer (T1570)
Affiliates were identified using psexec.exe, PsExec.exe, and smbexec.exe for lateral movement.

Service Stop (T1489)
The Windows IIS service stop command is executed using iisreset.exe. This allows encryption of web applications hosted on IIS servers, as files linked to these applications are typically locked while IIS is running.

Inhibit System Recovery (T1490)
The ransomware deletes system shadow copies to inhibit system recovery.

Data Encrypted for Impact (T1486)
Files are encrypted using the file replacement method.

All TTPs together with the CISA Report

In the last step we now get the holistic overview, including the TIE TTPs, the calculator TTPs, the ransomware execution TTPs and the CISA report.
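A worked version of the TIE-versus-CISA comparison above and of this merged "all TTPs" view, as an added example that is not part of the original article or of the CTID tools. The matching rule is my assumption: a sub-technique counts as a hit for its parent technique and vice versa. The lists are constructed from the article's own IDs; the script reports which CISA techniques TIE did not predict and ranks the union of the four sources by how many of them name each technique family, which is one way to order the triage.

```python
import re

# Constructed from the article's lists (technique IDs only; names omitted).
TIE_TOP20 = ["T1110", "T1059", "T1486", "T1068", "T1190", "T1133", "T1070",
             "T1003.001", "T1036", "T1046", "T1003", "T1566", "T1059.001",
             "T1090", "T1021.001", "T1021", "T1018", "T1053", "T1078", "T1047"]
CISA_RANSOMHUB = ["T1588.005", "T1566", "T1190", "T1059.001", "T1047", "T1136",
                  "T1098", "T1021.001", "T1036", "T1070", "T1562.001", "T1003",
                  "T1110.003", "T1018", "T1046", "T1210", "T1219", "T1048.002",
                  "T1537", "T1048.003", "T1486", "T1490"]
CALCULATOR_EXTRA = ["T1083", "T1105", "T1490", "T1489"]  # the four the article adds
EXECUTION_TTPS = ["T1047", "T1059.003", "T1070.001", "T1562", "T1570",
                  "T1489", "T1490", "T1486"]              # ransomware[.]live entries


def parent(tid):
    """Map a sub-technique to its parent: T1003.001 -> T1003; T1003 -> T1003."""
    m = re.fullmatch(r"(T\d{4})(?:\.\d{3})?", tid)
    if not m:
        raise ValueError(f"not an ATT&CK technique id: {tid!r}")
    return m.group(1)


def unpredicted(observed, predicted):
    """Observed techniques whose family (assumed matching rule) was not predicted."""
    families = {parent(t) for t in predicted}
    return [t for t in observed if parent(t) not in families]


def prioritize(sources):
    """Merge {source_name: [ids]}; rank families by how many sources name them.

    Returns (family, source_count, sorted source names), most-cited first,
    ties broken by technique id so the order is stable.
    """
    hits = {}
    for name, techniques in sources.items():
        for t in techniques:
            hits.setdefault(parent(t), set()).add(name)
    ranked = sorted(hits.items(), key=lambda kv: (-len(kv[1]), kv[0]))
    return [(fam, len(srcs), sorted(srcs)) for fam, srcs in ranked]


if __name__ == "__main__":
    print("CISA techniques TIE did not predict:", unpredicted(CISA_RANSOMHUB, TIE_TOP20))
    for fam, n, srcs in prioritize({"tie": TIE_TOP20, "cisa": CISA_RANSOMHUB,
                                    "calculator": CALCULATOR_EXTRA,
                                    "execution": EXECUTION_TTPS}):
        print(f"{fam}  sources={n}  {','.join(srcs)}")
```

The unpredicted list reproduces the ten "not in the initial list" techniques above, and the families named by three of the four sources (T1047, T1059, T1070, T1486, T1490) come out on top of the ranking.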

All TTPs rapid Prioritization

Conclusion and Caveat

My conclusion is that the TIE, in combination with current CTI and the Ransomware Calculator, offers a very fast way to prioritize and predict TTPs. After that, you can relatively quickly start to build an attack flow, search for possible intrusion vectors with threat hunting, and harden the security controls to set early choke points. It is a rapid and measurable improvement. It helps companies not only to measure, but also to maximize and mature with the help of threat-informed defense. Gaining the full picture of the adversary makes it more difficult for them to get into the systems. The better we understand the relevant threat actors, the better we also understand our own environment and reduce risks.

My “test” of the tool covers only one ransomware group, but the whole approach could be extended to the top 10 ransomware groups, for example. The tool is published today, and I’m sure there will be many great ways to use it.

Also, only one technique was taken as initial access. Various initial access vectors could be added, such as phishing, external remote services or valid accounts. After that, the top 20 techniques could be correlated, and the most prevalent techniques could then be prioritized in the context of the attack surface. Depending on the goal, another mapping could also help to identify the relevant Windows Events, or where to find procedures with the help of Sysmon telemetry. For emulation, TIE could be taken as a starting point with Atomic Red Team to emulate ransomware groups.

LockBit Emulation with Atomic Red Team and Caldera

An open repository of KQL, Sigma or YARA rules is a great starting point after prioritization. Even writing your own Sigma rules with the help of prioritization makes us better and faster in the detection engineering process.

One thing I noticed, however: the exfiltration techniques are not prioritized in either of the CTID tools. In addition to the encryption and destruction of data, exfiltration is certainly one of the worst impacts a company can suffer.

Therefore, it is always advisable to adapt the prioritization to your individual assessment and threat modeling, even if a technique is less prevalent. It depends on your own environment, your own crown jewels, the sector in which your company operates and what the latest threats are…
