The Discovery tactic is one which is difficult to defend against. It has a lot of similarities to the Reconnaissance stage of the Lockheed Martin Cyber Kill Chain. There are certain aspects of an organization which need to be exposed in order to operate a business.
In fact, all of the techniques at this time provide little guidance on how to mitigate this tactic. Application whitelisting is cited most often, and it is a catch-all mitigation for most malware rather than anything specific to Discovery.
Discovery: Sacrificing a Pawn in Order to Save the Queen
On a local endpoint, an attacker is going to be able to discover any locally installed software, any system or application level file, or the time of the local system. The only aspect you can control on a local system is limiting what users are exposed to. However, for power users, this level of information can still leak.
This tactic is less about how you mitigate or detect and more about how threat intelligence can be mapped into the matrix. Of all the tactics in the matrix, this is the least important to focus on. The important aspect to realize here is that sometimes you have to sacrifice a pawn in order to save the queen.
While not explicitly stated anywhere in the matrix, using honey tokens, files, or users is ideal in the Discovery tactic. Placing false information that attackers can discover allows you to detect an adversary’s activities. While there are some dedicated applications that manage honey tokens, there are also options for monitoring the file system and registry on endpoints as well.
In Windows, there are a few locations which are of interest when setting up some basic honey files. The first are Jump Lists, which track the most recently accessed files on the operating system. Located in each user’s AppData\Roaming\Microsoft\Windows\Recent directory is a set of LNK files that are shortcuts back to the most recently accessed files. By monitoring this location for a specific file name, you can track whether users are accessing documents they should not be.
Within the registry, there are a few locations that can expose what a user is viewing. The first is RecentDocs, found in the HKEY_USERS hive under \SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs. There are sub-keys that sort entries by extension, but the values in the key itself are ordered by the most recently viewed files. The MRUListEx value states the order in which the entries were opened. By decoding the binary values here, the LNK file name, which was then stored in the Recent directory mentioned above, can be extracted.
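As an added example (not from the original post), the following Python decodes a RecentDocs key the way a honey-file check would: it reads MRUListEx to get the most-recent-first order, pulls the UTF-16LE document name that starts each numbered value, and flags any name on a watchlist. The key contents and the honey file name are constructed for illustration, and the trailing shell-link bytes of each value are treated as opaque.

```python
import struct
import sys

# Assumed honey file name; pick something an intruder would want to open.
HONEY_FILES = {"Q3_Payroll_Master.xlsx"}

def encode_value(name: str) -> bytes:
    """Build a RecentDocs-style value: UTF-16LE name, null terminator, then the
    trailing shell-link data, which this example treats as opaque padding."""
    return name.encode("utf-16-le") + b"\x00\x00" + b"\x00" * 16

# Constructed sample key (not captured from a real host): three documents
# were opened, the honey file most recently.
SAMPLE_KEY = {
    "0": encode_value("budget.docx"),
    "1": encode_value("Q3_Payroll_Master.xlsx"),
    "2": encode_value("notes.txt"),
    # MRUListEx: little-endian DWORD value indices, most recent first, 0xFFFFFFFF terminator
    "MRUListEx": struct.pack("<4I", 1, 2, 0, 0xFFFFFFFF),
}

def parse_mrulistex(data: bytes) -> list[int]:
    """Return value indices in most-recent-first order, stopping at the terminator."""
    order = []
    for (idx,) in struct.iter_unpack("<I", data[: len(data) - len(data) % 4]):
        if idx == 0xFFFFFFFF:
            break
        order.append(idx)
    return order

def extract_name(value: bytes) -> str:
    """Decode the leading UTF-16LE, null-terminated document name of a value."""
    end = 0
    while end + 1 < len(value) and value[end:end + 2] != b"\x00\x00":
        end += 2  # step in whole UTF-16 code units
    return value[:end].decode("utf-16-le", errors="replace")

def recent_docs(key: dict[str, bytes]) -> list[str]:
    """Document names in MRU order; indices with no matching value are skipped."""
    return [extract_name(key[str(i)]) for i in parse_mrulistex(key["MRUListEx"]) if str(i) in key]

def honey_hits(key: dict[str, bytes], honey=HONEY_FILES) -> list[tuple[int, str]]:
    """(MRU position, name) for each honey file found; position 0 is the most recent."""
    return [(pos, n) for pos, n in enumerate(recent_docs(key)) if n in honey]

def load_live_key() -> dict[str, bytes]:
    """On Windows, read the current user's RecentDocs key via winreg."""
    import winreg
    path = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs"
    values, i = {}, 0
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, path) as k:
        while True:
            try:
                name, data, _ = winreg.EnumValue(k, i)
            except OSError:
                return values  # EnumValue raises when no values remain
            values[name] = data
            i += 1

if __name__ == "__main__":
    key = load_live_key() if sys.platform == "win32" else SAMPLE_KEY
    for pos, name in honey_hits(key):
        print(f"ALERT: honey file {name!r} opened (MRU position {pos})")
```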
There are other options for monitoring the registry to see when files are opened, as well as for viewing the history of recent Office documents. I will go through these in a later blog post diving into incident response in more detail.
Of all the tactics in ATT&CK, discovery is one which will probably provide the least value when investing security dollars into mitigation and detection. Since users are typically doing many of the actions outlined in the various techniques in their daily job, sorting out malicious activity from the noise can be incredibly difficult. Having an understanding of what is normal and baselining expected behaviors will pay dividends when trying to support this tactic.
Read more about the MITRE ATT&CK Framework here:
- The MITRE ATT&CK Framework: Initial Access
- The MITRE ATT&CK Framework: Execution
- The MITRE ATT&CK Framework: Persistence
- The MITRE ATT&CK Framework: Privilege Escalation
- The MITRE ATT&CK Framework: Defense Evasion
- The MITRE ATT&CK Framework: Credential Access
- The MITRE ATT&CK Framework: Discovery
- The MITRE ATT&CK Framework: Lateral Movement
- The MITRE ATT&CK Framework: Collection
- The MITRE ATT&CK Framework: Exfiltration
- The MITRE ATT&CK Framework: Command and Control
- The MITRE ATT&CK Framework: Impact