Activity 2.1 Explore the ATT&CK Framework

In this activity I will analyze a threat using the MITRE ATT&CK framework. For this example, I will use the 2019 Capital One Data Breach.

Threat Profile

On July 29, 2019, Capital One Bank announced a data breach which affected approximately 100 million individuals in the USA and 6 million in Canada. The personal information of individuals who had applied for credit cards was exfiltrated in the breach. Capital One described the vulnerability leading to the incident as a specific configuration vulnerability in their infrastructure. This vulnerability was leveraged by an individual to extract information on March 22 to 23, 2019. Capital One was made aware of the breach by an anonymous email to their responsible disclosure program. Data was encrypted at rest; however, the perpetrator was able to decrypt some of the data. Data fields such as Social Security numbers and account numbers remained encrypted.

The threat actor was determined to be Paige Thompson, a former Amazon Web Services engineer. Thompson leveraged a misconfiguration in the bank's ModSecurity Web Application Firewall in order to execute commands on the firewall and exfiltrate the data from Capital One's Amazon S3 buckets. The misconfiguration of the WAF was key to the exfiltration of the data. Specifically, the WAF was assigned excessive permissions which allowed it to read and list the files in any S3 bucket. The type of vulnerability exploited is a "Server Side Request Forgery", or SSRF. This attack manipulates a server, in this instance the WAF, into running unintended commands. The attacker then ran an S3 sync command in order to copy the data to their own server. Logs from Capital One show Thompson connected several times from both Tor exit nodes and a VPN service in order to cover her tracks.

As for evidence, Thompson was confirmed to have a list of over 700 AWS S3 storage buckets. Logs at the bank were also able to show attempted connections from Tor exit nodes which listed bucket contents. Other commands executed on the buckets originated from a VPN service to which Thompson subscribed. After the breach, Thompson also posted to several public forums, e.g. Slack and GitHub, boasting about the breach. Thompson was arrested by the FBI. During the raid, FBI agents seized several storage devices containing copies of the breached data.

Analysis

The following is a mapping of the above threat profile to the MITRE ATT&CK framework.

Stage | Step of the attack | ATT&CK technique
Initial Access | Use the AWS command line credentials (AccessKeyID and SecretAccessKey) in order to execute commands | Valid Accounts
Initial Access | Use previous work experience building Capital One cloud infrastructure in order to plan the attack | Trusted Relationship
Execution | Execute several AWS CLI commands in order to exfiltrate data | Exploitation for Client Execution
Credential Access | Leverage the misconfiguration of the WAF to relay commands to AWS services in order to retrieve credentials | Exploitation for Credential Access
Discovery | Run CLI commands in order to list the contents of AWS storage prior to exfiltration | Cloud Infrastructure Discovery
Exfiltration | Use the sync command to copy AWS data to local storage | Exfiltration Over Alternative Protocol
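The excessive S3 permissions on the WAF role are the root cause that the Credential Access and Discovery rows above depend on. The following audit script is an added example (not part of the original writeup or of any Capital One tooling); it flags Allow statements that grant S3 list/read actions on wildcard resources, using two constructed policies, one over-broad and one scoped to a single bucket.

```python
"""Audit an IAM policy for the kind of over-broad S3 rights that let the
WAF role list and read any bucket.  Added example with constructed
policies; the bucket name 'waf-rule-config' is a hypothetical value."""
import fnmatch
import json

# The S3 actions the breach relied on: enumerate buckets, list keys, read objects.
S3_READ_ACTIONS = ("s3:ListAllMyBuckets", "s3:ListBucket", "s3:GetObject")


def _as_list(value):
    """IAM allows a single string or a list in Action/Resource fields."""
    return value if isinstance(value, list) else [value]


def overbroad_s3_grants(policy: dict) -> list:
    """Return (action, resource) pairs where an Allow statement grants an
    S3 read/list action on a wildcard resource (any bucket / any object)."""
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        for action in S3_READ_ACTIONS:
            # IAM action patterns such as "s3:*" or "s3:Get*" also match.
            if not any(fnmatch.fnmatchcase(action, a) for a in actions):
                continue
            for res in resources:
                if res == "*" or res.startswith("arn:aws:s3:::*"):
                    findings.append((action, res))
    return findings


# Constructed: a role policy a WAF host should never carry.
WEAK_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}]
}""")

# Constructed: least privilege, scoped to the one bucket the WAF needs.
SCOPED_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{"Effect": "Allow", "Action": ["s3:GetObject"],
                 "Resource": "arn:aws:s3:::waf-rule-config/*"}]
}""")

if __name__ == "__main__":
    print("weak  :", overbroad_s3_grants(WEAK_POLICY))    # three findings
    print("scoped:", overbroad_s3_grants(SCOPED_POLICY))  # []
```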

This diagram breaks down the approximate timeline the attacker followed when exfiltrating the data.

Cap One Timeline

Sources

http://web.mit.edu/smadnick/www/wp/2020-16.pdf
https://krebsonsecurity.com/2019/08/what-we-can-learn-from-the-capital-one-hack/
https://www.zdnet.com/article/100-million-americans-and-6-million-canadians-caught-up-in-capital-one-breach/
https://www.capitalone.com/about/newsroom/capital-one-announces-data-security-incident/
https://www.justice.gov/usao-wdwa/pr/seattle-tech-worker-arrested-data-theft-involving-large-financial-services-company

Activity 2.2 Set Up a STIX/TAXII Feed

In this activity I will set up Anomali STAXX in order to process STIX feeds for threat intel. Anomali STAXX allows you to connect to STIX/TAXII servers and poll threat intelligence from them. Using STAXX, you are able to run keyword searches on vulnerabilities.

  1. Installation

For this setup you will need either VMware Workstation or Oracle VirtualBox. Anomali STAXX can be downloaded from here.

Once downloaded, open the virtual appliance and be sure to assign it 4 GB of RAM and 2 CPUs. If you are using VirtualBox, check that the network adapter is set to Bridged. Start the VM.

  2. Before logging in to Anomali and gathering threat data, first I will set the timezone. Log in to the VM server with the username/password displayed at the top of the VM.

Anomali Password Change

Reset the password as prompted.

Anomali Password Change

Once logged in, use the following command to change your timezone.

sudo timedatectl set-timezone (your timezone)

Timezones can be listed with the following command:

timedatectl list-timezones

  3. The VM will then display an IP address for you to connect to locally.

Log in to the interface with a web browser using the following credentials:

Username: admin / Password: changeme

After that, set your own password and you are good to go.

  4. After logging in, agree to use the Limo service to gather data for your first threat feeds. The dashboard will then begin to populate with threat feeds!

Anomali Limo Accept
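What STAXX is doing behind the dashboard is pulling STIX objects from a TAXII server and indexing them for search. The following is an added example (not part of the original writeup or of Anomali's code) of a keyword search over a STIX 2.1 bundle, the JSON form that TAXII 2 servers such as Limo return; the bundle and all ids in it are constructed sample data, and the search follows "indicates" relationships so a hit on an indicator also surfaces the vulnerability it points at.

```python
"""Keyword search over a STIX 2.1 bundle.  Added example; the bundle
below is constructed sample data (ids and values are not from any feed)."""
import json

SAMPLE_BUNDLE = json.loads("""{
  "type": "bundle", "id": "bundle--00000000-0000-4000-8000-000000000001",
  "objects": [
    {"type": "indicator", "spec_version": "2.1",
     "id": "indicator--00000000-0000-4000-8000-000000000002",
     "name": "Tor exit node seen listing S3 bucket contents",
     "pattern_type": "stix",
     "pattern": "[ipv4-addr:value = '203.0.113.7']",
     "valid_from": "2024-01-01T00:00:00Z"},
    {"type": "vulnerability", "spec_version": "2.1",
     "id": "vulnerability--00000000-0000-4000-8000-000000000003",
     "name": "WAF misconfiguration allowing SSRF",
     "description": "Misconfigured WAF relays requests to internal services."},
    {"type": "relationship", "spec_version": "2.1",
     "id": "relationship--00000000-0000-4000-8000-000000000004",
     "relationship_type": "indicates",
     "source_ref": "indicator--00000000-0000-4000-8000-000000000002",
     "target_ref": "vulnerability--00000000-0000-4000-8000-000000000003"}
  ]
}""")

# Free-text fields worth searching; ids and timestamps are skipped.
SEARCH_FIELDS = ("name", "description", "pattern")


def keyword_search(bundle: dict, keyword: str) -> list:
    """Return sorted ids of objects whose searchable fields contain the
    keyword (case-insensitive), plus the targets of any 'indicates'
    relationship whose source is one of those hits."""
    kw = keyword.lower()
    objects = {o["id"]: o for o in bundle.get("objects", [])}
    hits = {oid for oid, o in objects.items()
            if any(kw in str(o.get(f, "")).lower() for f in SEARCH_FIELDS)}
    for o in objects.values():
        if (o.get("type") == "relationship"
                and o.get("relationship_type") == "indicates"
                and o.get("source_ref") in hits):
            hits.add(o["target_ref"])
    return sorted(hits)


if __name__ == "__main__":
    for oid in keyword_search(SAMPLE_BUNDLE, "s3"):
        print(oid)  # indicator hit, plus the vulnerability it indicates
```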

Glossary

A glossary of all the terms, acronyms and slang I run across for this chapter.

STIX | Structured Threat Information Expression -- standardized XML language for sharing threat intel
TAXII | Trusted Automated Exchange of Indicator Information -- protocol for cyber threat info to be shared at the application layer via HTTPS
OpenIOC | Open Indicators of Compromise -- standardized XML language for sharing threat intel
Threat Intelligence Cycle | Lifecycle for using threat intelligence -- Requirements Gathering > Data Collection > Analysis > Info Dissemination > Feedback
ISAC | Information Sharing and Analysis Centers -- organizations in the USA for sharing threat intel pertaining to a specific industry
Threat Actor Types | The main threat actor types: 1. Nation-state 2. Organized crime 3. Hacktivists 4. Insider threats
STRIDE | Microsoft method for classifying threats -- 1. Spoofing of user identity 2. Tampering 3. Repudiation 4. Information disclosure 5. Denial of service 6. Elevation of privilege
Threat Modeling | Activity for understanding the threats an organization faces. Requires assessing 1. Adversary capability 2. Attack surface 3. Attack vectors 4. Possible attack impact 5. Likelihood of an attack succeeding
Threat Reputation | Examining a site or IP to determine if it has a history of malicious behaviour
IOC | Indicators of Compromise -- forensic evidence and data that can help identify an attack
MITRE ATT&CK | Adversarial Tactics, Techniques and Common Knowledge attack framework
Diamond Model | Intrusion analysis model focusing on the 1. Core features (adversary + capability + infrastructure + victim) 2. Meta features 3. Confidence value, and their relationships to one another
CVSS | Common Vulnerability Scoring System
Cyber Kill Chain | Lockheed Martin's seven-step process: 1. Recon 2. Weaponization 3. Delivery 4. Exploitation 5. Installation 6. Command and control 7. Actions on objectives
Unified Kill Chain | Combination of the Lockheed Martin Cyber Kill Chain and the MITRE ATT&CK framework -- an 18-phase process