CSO Online discusses Mitre’s five-year-old ATT&CK framework and how it is an effective tool for organizations that want to build red teams to perform penetration testing and vulnerability assessments:

As adversaries get more skilled, defenders have to up their game too. By classifying attacks into discrete units, it’s easier for researchers to see common patterns, figure out who authored different campaigns, and track how a piece of malware has evolved over the years as the author added new features and attack methods.

While other tools can identify malware hashes and behaviors, ATT&CK is one of the more comprehensive methods that can look at the actual malware components and lay them out in detail. Most modern malware uses a combination of techniques to hide its operation, stage its exploits, evade detection, and leverage network weaknesses. Finding these various building blocks is a key part of defending against their perfidy.

The first matrix is a “pre-attack” collection of 17 different categories that help to prevent an attack before the adversary has a chance to get inside your network — when an attacker is reconnoitering your domain, for example. Three matrices, each with a collection for Windows, Mac or Linux endpoints, cover a total of 169 different techniques. Finally, a fifth collection offers additional categories for mobile-based attacks.

Each cell of these matrices contains a single tactic, such as forced authentication using Server Message Block (SMB) protocols and how a malware author can use this to gain entry to your network. The framework also contains information on recent malware that uses this technique (in this case, Dragonfly), the way you can detect it (monitor SMB traffic on the appropriate ports), and how you can mitigate its abuse (using egress filters to block SMB traffic).

I am heretofore completely unfamiliar with ATT&CK but it sounds like a unique and highly useful tool for organizations with the right amount of expertise. This is not something to be used by a small organization with little to no resources or capabilities, but mature ones with credentialed cyber professionals.

The basic goal of ATT&CK is quite solid, but what makes it genius is its ability to be extended. There are a number of free and open source projects that add functionality to ATT&CK, such as scripts covering several dozen ATT&CK techniques that can be used to test endpoint detection tools.

Just like the malware it is designed to investigate, ATT&CK is constantly being updated and modified to stay ahead of the power curve. If you are interested in the white hat side of malware, ATT&CK is a strong project worth checking out.

I had never heard of Mimikatz until one week ago when Tim Medin from SANS came to Tokyo and gave a demonstration of how easy it is to pull plaintext passwords from RAM on a Windows box:

The Mimikatz kerberos command set enables modification of Kerberos tickets and interacts with the official Microsoft Kerberos API. This is the command that creates Golden Tickets. Pass the ticket is also possible with this command since it can inject Kerberos ticket(s) (TGT or TGS) into the current session. External Kerberos tools may be used for session injection, but they must follow the Kerberos credential format (KRB_CRED). Mimikatz kerberos also enables the creation of Silver Tickets which are Kerberos tickets (TGT or TGS) with arbitrary data enabling AD user/ group

Crypto enables export of certificates on the system that are not marked exportable since it bypasses the standard export process.

Vault enables dumping data from the Windows vault.

Lsadump enables dumping credential data from the Security Account Manager (SAM) database which contains the NTLM (sometimes LM hash) and supports online and offline mode as well as dumping credential data from the LSASS process in memory. Lsadump can also be used to dump cached credentials. In a Windows domain, credentials are cached (up to 10) in case a Domain Controller is unavailable for authentication. However, these credentials are stored on the computer.

This is a really powerful tool for demonstrating to prospective clients the importance of having a nuanced cyber security strategy.

If you are a penetration tester or just interested in the tools attackers use then chances are you are more than familiar with Kali Linux. The distro was recently updated to Kali Linux 2.0, and here are the top ten post-install tips designed to maximize your experience with this outstanding OS:

There are several ways you can use Kali – either as a “throw away pentesting machine” or as a “long term use OS”. The “throw away” method entails setting up Kali for a one-off engagement or short term use, and then killing off the OS when done (this usually happens in virtual environments). The “long term use” use case describes people who want to use Kali on an ongoing basis for day-to-day use. Both methods are perfectly valid, but require different treatment. If you plan to use Kali on a day-to-day basis, you should avoid manual installs of programs in FHS-defined directories, as this would conflict with the existing apt package manager.

After a lengthy quiet period, the team responsible for Kali Linux took to their blog today to offer a teaser about the upcoming release day for Kali Linux 2.0:

We’ve been awfully quiet lately, which usually means something is brewing below the surface. In the past few months we’ve been working feverishly on our next generation of Kali Linux and we’re really happy with how it’s looking so far. There are a lot of new features and interesting new aspects to this updated version, however we’ll keep our mouths shut until we’re done with the release. We won’t leave you completely hanging though… here’s a small teaser of things to come!

If you are unfamiliar with Kali Linux, it is the best penetration testing and white-hat hacking Linux distribution available. It comes built with Metasploit and tons of other tools to help make ethical hacking a lot easier and more productive.