
What's New with ATTACK for Cloud?

From MITRE ATT&CKcon Power Hour October 2020

By Jen Burns, Lead Cybersecurity Engineer, MITRE, @snarejen

Jen Burns is a Lead Cybersecurity Engineer at MITRE and the Lead for MITRE ATT&CK® for Cloud. She’s also a red team developer and lead for ATT&CK Evaluations, using her skills in software engineering and adversary emulation. Previously, she was a tech lead at HubSpot on the Infrastructure Security team where she focused on red teaming and building detections in the cloud environment. This presentation is from the MITRE ATT&CKcon Power Hour session held on October 9, 2020.



  1. ©2020 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for public release. Distribution unlimited 20-00841-13
     What's New with ATT&CK for Cloud? Jen Burns @snarejen @MITREattack
  2. ATT&CK for Cloud. Credit to Dave Herrald and Ryan Kovar
  3. ATT&CK for Cloud Beginnings
     • Initial release: October 2019
     • Part of Enterprise ATT&CK
     • Almost 100% community-contributed techniques!
     • Input from: a cloud service provider, threat analysts, detection analysts, red teams
  4. ATT&CK for Cloud Today
  5. ATT&CK for Cloud Scope
     • Add techniques generally visible via Cloud data sources (AWS CloudTrail logs, Azure Activity logs, Office 365 audit logs, etc.)
     • Minimize duplication across Windows/Linux/macOS
     • Cloud is meant to add an additional layer to ATT&CK
     • Example:
  6. Future of Cloud Platforms
     • Diagram comparing Current and Future platform sets; labels visible: SaaS, IaaS, Additional SaaS
  7. Why generalize to IaaS?
     • Current IaaS platforms share most techniques
     • Differences between Cloud Service Providers (CSPs) can be documented within the technique
     • All CSPs can be represented
     • Community feedback favors a single platform
  8. Cloud Data Sources Today
     • AWS CloudTrail logs
     • Azure activity logs
     • GCP audit logs
     • OAuth audit logs
  9. Future of Cloud Data Sources
     • Data Source: one or more Data Components
     • Mapping(s) to relevant Azure Operation Name(s)
     • Mapping(s) to relevant AWS CloudTrail Event Name(s)
     • Mapping(s) to relevant GCP REST API Method(s)
     • Mapping(s) to other CSPs or SaaS events
     • https://media.giphy.com/media/l41m6QYDHcEEwjo52/giphy.gif
  10. Example IaaS Data Source
     • Data Source: Instance
     • Data Components: Instance Creation, Instance Modification, Instance Deletion, Instance Metadata, Instance Enumeration, Instance Start, Instance Stop
     • Events (API), AWS: ListInstances, ModifyInstanceAttribute, TerminateInstances, DescribeInstances, RunInstances, StartInstances, StopInstances
  11. Why the change?
     • Ensure the approach is consistent with the rest of Enterprise; suggested reading: blog from Jose Luis Rodriguez, https://medium.com/mitre-attack/defining-attack-data-sources-part-i-4c39e581454f
     • Create more meaningful data sources for Cloud: refactor to align to events and API calls within these logs instead
     • Align to future Cloud platform updates
  12. We need your help!
     • Thoughts on how we can improve ATT&CK for Cloud?
     • Opinions on our platform or data source plans?
  13. attack@mitre.org @MITREattack Jen Burns @snarejen
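As an added illustration of the data-source model on slides 9 and 10 (this is example code, not code from the presentation or from MITRE), the following Python maps constructed CloudTrail records to the data components of the "Instance" data source. The event-to-component pairing is an assumption drawn from the event names listed on slide 10: the extracted slide text does not preserve which component each event belongs to, DescribeInstances is assumed to represent Instance Enumeration, and Instance Metadata is left unmapped. The sample log records, account id and IAM user names are constructed.

```python
import json
from collections import Counter
from typing import Dict, List, Optional, Tuple

# Assumed pairing of AWS CloudTrail eventName values to the "Instance" data
# source's data components. Slide 10 lists both sets, but the extracted text
# does not preserve row alignment, so this table is an assumption
# (DescribeInstances -> Instance Enumeration in particular). Instance Metadata
# has no obvious API event among those listed and is intentionally unmapped.
EVENT_TO_COMPONENT: Dict[str, Tuple[str, str]] = {
    "RunInstances": ("Instance", "Instance Creation"),
    "ModifyInstanceAttribute": ("Instance", "Instance Modification"),
    "TerminateInstances": ("Instance", "Instance Deletion"),
    "DescribeInstances": ("Instance", "Instance Enumeration"),
    "StartInstances": ("Instance", "Instance Start"),
    "StopInstances": ("Instance", "Instance Stop"),
}

# Constructed sample CloudTrail export (not real log data), in the
# {"Records": [...]} shape CloudTrail uses for S3 log files and Lambda events.
SAMPLE_CLOUDTRAIL = json.dumps({"Records": [
    {"eventTime": "2020-10-09T14:01:12Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "RunInstances", "awsRegion": "us-east-1",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/alice"}},
    {"eventTime": "2020-10-09T14:02:30Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances", "awsRegion": "us-east-1",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/alice"}},
    {"eventTime": "2020-10-09T14:03:05Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "StopInstances", "awsRegion": "us-east-1",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/alice"}},
    # A failed call is still recorded by CloudTrail, with an errorCode field.
    {"eventTime": "2020-10-09T14:05:40Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "TerminateInstances", "awsRegion": "us-east-1",
     "errorCode": "Client.UnauthorizedOperation",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/bob"}},
    # EC2 event that belongs to no Instance data component.
    {"eventTime": "2020-10-09T14:06:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "CreateSecurityGroup", "awsRegion": "us-east-1",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/bob"}},
    # Same event name reused by a different service; must not be mistaken for EC2.
    {"eventTime": "2020-10-09T14:07:00Z", "eventSource": "elasticmapreduce.amazonaws.com",
     "eventName": "ListInstances", "awsRegion": "us-east-1",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/bob"}},
]})


def load_records(raw: str) -> List[dict]:
    """Parse a CloudTrail export of the form {"Records": [...]}."""
    return json.loads(raw)["Records"]


def map_record(record: dict) -> Optional[Tuple[str, str]]:
    """Return the (data source, data component) a record provides, or None.

    eventSource is checked together with eventName because other AWS services
    reuse generic names such as ListInstances; matching on the name alone would
    attribute unrelated activity to the Instance data source.
    """
    if record.get("eventSource") != "ec2.amazonaws.com":
        return None
    return EVENT_TO_COMPONENT.get(record.get("eventName", ""))


def summarize(records: List[dict]) -> Tuple[Counter, List[str]]:
    """Count records per data component and list event names with no mapping,
    so that gaps in the mapping (or unexpected activity) stay visible."""
    counts: Counter = Counter()
    unmapped = set()
    for rec in records:
        component = map_record(rec)
        if component is None:
            unmapped.add(rec.get("eventName", "<missing>"))
        else:
            counts[component] += 1
    return counts, sorted(unmapped)


def describe(record: dict) -> str:
    """One-line rendering for triage; a denied call is flagged explicitly
    because CloudTrail records it and it is often the more interesting event."""
    mapped = map_record(record)
    label = "%s/%s" % mapped if mapped else "unmapped:%s" % record.get("eventName")
    actor = record.get("userIdentity", {}).get("arn", "unknown")
    line = "%s %s by %s" % (record.get("eventTime"), label, actor)
    if "errorCode" in record:
        line += " [failed: %s]" % record["errorCode"]
    return line


if __name__ == "__main__":
    recs = load_records(SAMPLE_CLOUDTRAIL)
    for r in recs:
        print(describe(r))
    per_component, unknown = summarize(recs)
    for (source, component), n in sorted(per_component.items()):
        print("%s / %s: %d" % (source, component, n))
    print("unmapped event names:", ", ".join(unknown))
```

The same structure extends to the other columns of slide 9: a second dictionary keyed on Azure operation names or GCP REST API methods feeds the same `summarize`, so one data component aggregates evidence from several CSPs while the provider-specific event names stay documented in one place.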
