Welcome
Follow the conversation on #slack
@MITREattack
attack.mitre.org
Brian Donohue
Security Evangelist
Red Canary
Starting over with sub-techniques
Lessons learned re-mapping detection analytics
Presenter: Brian Donohue, Pontificator, Red Canary (@thebriandonohue)
▪ I publish things, support open source tools
▪ Former journalist and CTI analyst
▪ I lied in an interview in 2010 and here I am!
Agenda
1. Who am I?
2. Background
3. Seven lessons learned
4. Questions and answers
ATT&CK mapping options (Red Canary MDR)
Detector-level (analytics)
▪ Highly scalable
▪ Bad at nuance
Detection-level (human)
▪ Difficult at scale
▪ Good at nuance
Why not both?!
Red Canary MDR: What this looks like in practice
LESSON ONE: Figure out where you're using ATT&CK
The things Red Canary maps to ATT&CK:
▪ Behavioral analytics for detection
▪ Atomic Red Team tests
▪ Research and educational content
Other things you might map to ATT&CK:
▪ Threat intelligence and other reports
▪ Charts and tables for tracking detection and detection coverage
▪ Various different kinds of security controls
▪ Signatures, rules, IOCs, alerts, etc.
What do you need to remap?
LESSON TWO: Let the code do the work for you!
JSON crosswalk script
MITRE created a nifty JSON crosswalk script to help ease the sub-technique transition.
LESSON THREE: Divide and conquer… or don't
Team vs. individual
Dividing and conquering:
▪ Gets done faster
▪ Less consistency
Assigning to an individual or small team:
▪ Takes longer
▪ More consistency
BY THE NUMBERS
▪ 1000s of active analytics
▪ 500+ Atomic Red Team tests
▪ ~200 parent/sub-techniques
Our remap team
▪ Intelligence
▪ Research
▪ Detection engineering
▪ Importantly, not me
LESSON FOUR: ATT&CK mapping is an art, not a science
Create a mapping style guide
▪ People interpret techniques in different ways
▪ A style guide will help enforce consistency
▪ Learn on the fly
Review, review, review
▪ A small subset of re-mappers can review
▪ This will help catch errors and increase consistency
It's an art, not a science
LESSON FIVE: Find and fix your legacy mapping issues
A tale of two analytics
WIN-SUSPECT-SVCHOST-EXECUTED: This detector identifies untrusted binaries spawning suspicious Windows Service Host `svchost.exe` processes.
WIN-SVCHOST-SUSPECT-PARENT: This detector identifies `svchost.exe` executing with a suspect parent process.
Top analytics for Masquerading
Technique            | Behavioral Analytics                                         | Threats
T1036: MASQUERADING  | WIN-SUSPECT-SVCHOST-EXECUTED                                 | 2626
T1036: MASQUERADING  | WIN-SUSPECT-SVCHOST-EXECUTED, WIN-SVCHOST-SUSPECT-PARENT     | 1088
T1036: MASQUERADING  | WIN-SVCHOST-SUSPECT-PARENT                                   | 570
LESSON SIX: Considering all of the alternatives
Conditional mapping
Mapping at the detection level
▪ Most accurate
Mapping at the analytic level
▪ Fastest
Conditional mapping
▪ Identify ambiguous analytics and require human reviews
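A worked example of lessons two and six together, added here and not Red Canary's or MITRE's code: it applies a crosswalk to a set of analytic-to-technique mappings and queues the ambiguous results (an old ID that split into several sub-techniques, or an ID the crosswalk does not know) for human review. The crosswalk record format and the analytics below are constructed for illustration, not the real crosswalk's schema.

```python
"""Remap analytic-to-technique mappings across the sub-technique transition.

Added example (not Red Canary's or MITRE's code). It assumes a simplified
crosswalk format modelled on the idea of MITRE's JSON crosswalk: one record
per pre-transition technique ID saying whether the ID stayed a technique,
became a sub-technique, or was split into several IDs. The field names and
the records below are constructed sample data, not the real schema.
"""
import json
from dataclasses import dataclass, field

# Constructed sample crosswalk (field names are an assumption, not MITRE's).
SAMPLE_CROSSWALK_JSON = json.dumps([
    {"id": "T1036", "name": "Masquerading", "change-type": "Remains Technique",
     "replaced-by": ["T1036"]},
    {"id": "T1193", "name": "Spearphishing Attachment",
     "change-type": "Became a Sub-Technique", "replaced-by": ["T1566.001"]},
    {"id": "T1064", "name": "Scripting",
     "change-type": "Became Multiple Sub-Techniques",
     "replaced-by": ["T1059.001", "T1059.003", "T1059.005"]},
    {"id": "T1086", "name": "PowerShell",
     "change-type": "Became a Sub-Technique", "replaced-by": ["T1059.001"]},
])

# Constructed analytics in the style of the slide's WIN-* detector names.
SAMPLE_ANALYTICS = {
    "WIN-SUSPECT-SVCHOST-EXECUTED": ["T1036"],
    "WIN-SVCHOST-SUSPECT-PARENT": ["T1036"],
    "WIN-OFFICE-SPAWNS-SCRIPT-HOST": ["T1193", "T1064"],
    "WIN-ENCODED-POWERSHELL": ["T1086"],
}


@dataclass
class RemapResult:
    analytic: str
    techniques: list                                   # new IDs, stable order
    needs_review: list = field(default_factory=list)   # (old_id, reason)


def load_crosswalk(text):
    """Index crosswalk records by their pre-transition technique ID."""
    return {rec["id"]: rec for rec in json.loads(text)}


def remap_analytic(name, old_ids, crosswalk):
    """Apply the crosswalk; flag one-to-many and unknown IDs for a human.

    Conditional mapping (lesson six): a one-to-one change is applied
    automatically; a split (one old ID -> several new IDs) keeps every
    candidate and is queued for review; an unknown ID is kept and queued too.
    """
    new_ids, review = [], []
    for old in old_ids:
        rec = crosswalk.get(old)
        if rec is None:
            new_ids.append(old)
            review.append((old, "not in crosswalk"))
            continue
        targets = rec["replaced-by"]
        if len(targets) != 1:
            review.append((old, f"{rec['change-type']}: {len(targets)} candidates"))
        for target in targets:
            if target not in new_ids:
                new_ids.append(target)
    return RemapResult(name, new_ids, review)


def remap_all(analytics, crosswalk_text):
    """Remap every analytic; returns {analytic name: RemapResult}."""
    crosswalk = load_crosswalk(crosswalk_text)
    return {n: remap_analytic(n, ids, crosswalk) for n, ids in analytics.items()}


def review_queue(results):
    """Names of analytics a re-mapper must look at by hand."""
    return sorted(n for n, r in results.items() if r.needs_review)


if __name__ == "__main__":
    results = remap_all(SAMPLE_ANALYTICS, SAMPLE_CROSSWALK_JSON)
    for name, r in results.items():
        flag = "  <- REVIEW " + "; ".join(f"{o}: {why}" for o, why in r.needs_review) if r.needs_review else ""
        print(f"{name}: {r.techniques}{flag}")
```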
LESSON SEVEN: Have fun!
Just kidding…
LESSON SEVEN: Give back to the ATT&CK community
Ways to give back
▪ Contribute techniques
▪ Offer feedback on what works/doesn't
▪ Suggest improvements
▪ Write blogs; give talks
redcanary.com/blog/mitre-sub-techniques
FEEDBACK
Q&A
Jamie Williams
Lead Cyber Adversarial Engineer
MITRE
Aunshul Rege
Associate Professor
Temple University
Rachel Bleiman
PhD Student/NSF Graduate Research Assistant
Temple University
Using MITRE PRE-ATT&CK and ATT&CK in Cybercrime Education and Research
2020 ATT&CKcon Power Hour
Aunshul Rege & Rachel Bleiman
CAREER Award # 1453040
SaTC EDU Award # 2032292
Agenda
• MITRE PRE-ATT&CK and cybercrime/security education
• MITRE ATT&CK and research datasets
• Summary
MITRE PRE-ATT&CK & cybercrime/security education
• Cybercrime course
  • Human aspects of cyberattacks/security via social engineering (SE)
  • Multidisciplinary composition (8 groups)
• Objectives
  • Applications of PRE-ATT&CK to SE
  • Conduct threat intelligence
  • Understand limitations
• 6 SE case studies with rich details
  • Overall mapping to the PRE-ATT&CK matrix
  • Specific expansion on tactics and techniques
  • Identify PRE-ATT&CK mitigation strategies
• First attempt at this project (Fall 2020)
Overall mapping to the PRE-ATT&CK matrix
• What is the mapping %?
• What does this mean for:
  • Case study?
  • PRE-ATT&CK matrix?
https://attack.mitre.org/versions/v7/matrices/pre/
Specific expansion on tactics and techniques
Identify PRE-ATT&CK mitigation strategies
If none exist, students recommend mitigations
Cybersecurity in Action, Research and Education
• Offer FREE downloadable course projects and datasets
• Sites.temple.edu/care
• Social Engineering (SE) incidents
• Version 5; N=623; 2011 - August 2020
• Critical Infrastructure Ransomware (CIRW) incidents
• Version 10.4; N=747; November 2013 - September 2020
• Both datasets based on publicly disclosed incidents
• Feedback to map CIRW dataset to ATT&CK
• Why not for SE dataset too?
Mapping SE dataset to ATT&CK framework
• 50% (461/925) of the tactics mapped onto the ATT&CK technique or software
  • T1566: Phishing
    • T1566.001
    • T1566.002
• 23% (23/100) of the attackers mapped onto the ATT&CK group-attacker
  • G0032
  • G0059
  • G0092
  • G0094
Variables: General Start Date; General End Date; Target; Location; Social Engineering Tactic; MITRE ATT&CK Technique or Software; Monetary Cost; Attacker; MITRE ATT&CK Group - Attacker; Attacker posing as; Ploy; Source
Mapping CIRW dataset to ATT&CK framework
Variables: Year; General Date; Organization Name; Location; CIS Targeted; Strain; MITRE ATT&CK Software ID [if exists]; Duration; Duration Rank; Ransom Amount; Local Currency; Ransom Amount Rank; Paid Status; Pay Method; Amount Paid; Source
• V9 → V10
  • NotPetya cases removed – ATT&CK defined it as wiperware
• 56% of the strains mapped onto the ATT&CK software
  • S0366
  • S0370
  • S0372
  • S0400
  • S0446
  • S0449
  • S0457
  • S0481
Mapping limitations/challenges
• Many of the SE techniques do not currently exist (ex: whaling, vishing, etc.).
• Bulk of our data is phishing/spear phishing, which skews mapping results
• Major strains missing (could only map 56%)
  • REvil
  • RansomEXX
  • DoppelPaymer
Summary: PRE-ATT&CK and ATT&CK uses
• Education: PRE-ATT&CK benefits
  • Develop ability to map and understand threat intelligence
  • Develop ability to understand challenges/limitations
  • Map SE cases (not typically done)
  • All disciplines can engage
• Research datasets: ATT&CK links
  • Educators: Class projects, research, publications
  • Students: Course projects, dissertation/thesis
  • Government: ICS training classes, raising awareness, assessing internal responses to CIRW attacks
  • Industry: Trends & patterns in TTPs across RW strains, comparing the data to their own internal datasets, threat modeling, awareness & training, risk & statistical analysis
Summary/future directions
• Merging PRE-ATT&CK and ATT&CK
• Data repository
• Indictments
• SE case studies
• Focus groups/interviews
• Weaving it into Collegiate SE CTF
• Seeking collaboration!
[Diagram: the overlap of PRE-ATT&CK/ATT&CK, Social Science, and Education & Research]
rege@temple.edu; rachel.bleiman@temple.edu
@prof_rege; @rab1928
Q&A
Feedback?
Visit sites.temple.edu/care to download the CIRW dataset and the SE dataset - we welcome feedback and would love to engage with the community!
Matan Hart
Co-Founder & CEO
Cymptom
Transforming Adversary Emulation Into a Data Analysis Question
matan@cymptom.com; @machosec; matanhart
Who Am I
● Co-Founder, CEO @ Cymptom
● Security Researcher
● Speaker - Black Hat, BSides, etc.
● Content inspired by true events...
During COVID...
Source: https://www.mitre.org/sites/default/files/publications/mitre-getting-started-with-attack-october-2019.pdf
Adversary Emulation: Tests how defenses fare against a specific threat
Atomic testing cycle with ATT&CK
Adversary Emulation Does Not Scale
Nor was it intended to...
Determining Exploitability By Detection Mitigation Capabilities
1. Select ATT&CK technique and list mitigations
2. Analyze applicability of each mitigation
3. Validate effectiveness of each mitigation
4. Conclude technique exploitability
The Methodology: Unbiased, Adversary-driven Prioritization
Based on the no. of attack paths and the no. of attack techniques (steps) involved
Test Case: Pass The Hash (T1550.002)
Analyzing Exposure By Mitigation
Mitigation                    | What                                   | Where                        | Effectiveness
Privileged Account Management | Credentials overlap                    | SAM, LAPS, PAM solutions     | Mitigates all PtH scenarios
Update Software               | KB2871997 patch existence              | Endpoint, WSUS, VM solutions | Mitigates local non-administrative accounts PtH
User Account Control          | Domain user is admin on both computers | GPO, AD                      | Mitigates domain user PtH
User Account Management       | PtH UAC restrictions enabled           | Registry, GPO                | Mitigates local PtH except built-in Administrator (RID 500)
Great read: https://www.harmj0y.net/blog/redteaming/pass-the-hash-is-dead-long-live-localaccounttokenfilterpolicy/
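The Select/Analyze/Validate/Conclude loop run over the mitigation table above, as an added example (not Cymptom's or the talk's code): it takes a constructed two-host inventory, checks each mitigation's applicability and effectiveness for a src -> dst pass-the-hash path, and counts the paths nothing mitigates. The Host field names and values are assumptions; LocalAccountTokenFilterPolicy is the UAC remote-restriction registry value the linked post discusses.

```python
"""Assess pass-the-hash (T1550.002) exposure from mitigation state.

Added example, not Cymptom's or the talk's code. It encodes the slide's
mitigation table as data and runs the Select/Analyze/Validate/Conclude loop
over a constructed two-host inventory. Host field names and the sample
values are assumptions made for illustration.
"""
from dataclasses import dataclass, field

BUILTIN_ADMIN_RID = 500


@dataclass
class Host:
    name: str
    # local username -> (RID, hash identifier); equal tuples on two hosts =
    # credential overlap, the thing LAPS/PAM is meant to remove
    local_accounts: dict
    kb2871997_installed: bool
    # HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\
    # LocalAccountTokenFilterPolicy: 0 (or absent) = UAC remote restriction on
    local_account_token_filter_policy: int
    # domain users holding local admin on this host (assumed inventory field)
    domain_local_admins: set = field(default_factory=set)


@dataclass
class Path:
    scenario: str
    mitigated_by: list

    @property
    def exploitable(self):
        return not self.mitigated_by


def credential_overlap(src, dst):
    """Local accounts sharing RID and hash on both hosts."""
    return sorted(u for u, v in src.local_accounts.items()
                  if dst.local_accounts.get(u) == v)


def assess_pth(src, dst):
    """Analyze applicability and validate effectiveness of each mitigation for
    lateral movement src -> dst; returns one Path per candidate scenario."""
    paths = []
    # Local accounts: Privileged Account Management holds only when there is
    # no overlap, so each overlapping account is checked against the remaining
    # controls on the destination host. Per the table, the patch and the UAC
    # restriction do not cover the built-in Administrator (RID 500).
    for user in credential_overlap(src, dst):
        rid, _ = src.local_accounts[user]
        mitigations = []
        if rid != BUILTIN_ADMIN_RID:
            if dst.kb2871997_installed:
                mitigations.append("Update Software (KB2871997)")
            if dst.local_account_token_filter_policy == 0:
                mitigations.append("User Account Management (UAC PtH restriction)")
        paths.append(Path(f"local account {user} (RID {rid})", mitigations))
    # Domain users: UAC mitigates domain-user PtH unless the user is an admin
    # on both computers, in which case nothing in the table applies.
    for user in sorted(src.domain_local_admins & dst.domain_local_admins):
        paths.append(Path(f"domain user {user} admin on both hosts", []))
    return paths


def conclude(paths):
    """Conclude: exploitability score = number of unmitigated attack paths."""
    return sum(1 for p in paths if p.exploitable)


# Constructed inventory: two workstations built from the same image.
WS01 = Host("WS01",
            {"Administrator": (500, "h-admin"), "helpdesk": (1001, "h-help")},
            kb2871997_installed=True, local_account_token_filter_policy=0,
            domain_local_admins={"CORP\\alice"})
WS02 = Host("WS02",
            {"Administrator": (500, "h-admin"), "helpdesk": (1001, "h-help"),
             "svc_backup": (1002, "h-bkp")},
            kb2871997_installed=True, local_account_token_filter_policy=1,
            domain_local_admins={"CORP\\alice", "CORP\\bob"})

if __name__ == "__main__":
    found = assess_pth(WS01, WS02)
    for p in found:
        state = "EXPLOITABLE" if p.exploitable else "mitigated by " + ", ".join(p.mitigated_by)
        print(f"{WS01.name} -> {WS02.name}: {p.scenario}: {state}")
    print("unmitigated paths:", conclude(found))
```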
Defensive Gap Analysis Using ATT&CK Matrix
Pros and Cons
Adversary Emulation
✓ The real thing
✓ Test people & processes
x Business disruption
x Resource intensive
Data Analytics
✓ Coverage
✓ Safety
x Miss detective controls
x Miss processes
Takeaways
Adversary Emulation is essential but should be practiced cautiously
Data Analytics is better for assessing defensive coverage
Defensive Coverage can be assessed using ATT&CK mitigations
Let's Talk!
matanhart; @machosec; matan@cymptom.com
Brandon Levene
Head of Applied Intelligence
Google
TA505: A Study of High End Big Game Hunting in 2020
Brandon Levene
ATT&CKCON
October 9th, 2020
Proprietary + Confidential
Opportunistically targeted ransomware deployments, aka Big Game Hunting (BGH), have caused a distinct disruption in the mechanics of monetizing crimeware compromises.
Agenda
01 Context and background
02 Threat actor process
03 Operational details
04 Lessons learned
Who is TA505?
Customer of Dridex banking Trojan as well as Locky and Jaff ransomware families from 2014-2017
NOT the developers of the tools above (that would be 'EvilCorp')
Shift to backdoors in 2018 which coincides with a decrease in bespoke banking trojans and non-targeted ransomware
Rapidly shifted through initial loaders and secondary payloads throughout 2018 and 2019, slowly shifted towards "in house" tooling
Users* of CLOP ransomware (first seen in Feb 2019) as primary monetization mechanism
* There do not appear to be any other users, so this is likely another in-house tool
Context and background
TA505 activity since 2018 has led to...
NETZSCH GROUP BASED IN GERMANY ALLEGEDLY BREACHED BY COP RANSOMWARE OPERATORS
Hackers publish ExecuPharm internal data after ransomware attack
CL0P Ransomware Breached UK's Largest Privately-Owned Logistics Company--EV Cargo Logistics
Ransomware Hits maastricht University, all Systems Taken Down
Indiabulls Group hit by CLOP Ransomware, gets 24h leak deadline
Source: ANSSI https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-009.pdf
Threat actor process: Overview
[Diagram: TA505 sends a malicious email containing HTML + JavaScript; a legitimate compromised domain hosts a redirecting URL that redirects to a phishing page hosted on a malicious domain; the victim opens the malicious Office document, downloads and activates the macros, and the document drops and executes malware.]
Operational details
Initial Access: Spear Phishing - T1192 + Spear Phishing Attachment - T1193
Execution: User Execution - T1204 [.002]
Command and control: Ingress Tool Transfer - T1055
Defense Evasion and Priv Esc: Process Injection - T1055
Command and control: Application Layer Protocol - T1071
Persistence: Event Triggered Execution - T1546 (image file execution injections, sub .012)
Discovery: Permission Groups Discovery - T1069
Defense Evasion: Subvert Trust Controls - T1553
Impact: Data Encrypted for Impact - T1486
Impact: Data Leak - Unmapped
Lessons learned
Complement defense in depth with detection in depth
Study TTPs to seize interdiction opportunities
Detecting the ransomware itself is too late
Attackers use a blend of tools and techniques to get the job done: don't overlook open source tools as too "amateur"
Visibility is key
Jen Burns
Lead Cybersecurity Engineer
MITRE
©2020 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for public release. Distribution unlimited 20-00841-13
What’s New with ATT&CK® for Cloud?
Jen Burns
@snarejen
@MITREattack
ATT&CK for Cloud
Credit to Dave Herrald and Ryan Kovar
ATT&CK for Cloud Beginnings
• Initial Release October 2019
• Part of Enterprise ATT&CK
• Almost 100% community-contributed techniques!
• Input from:
  • A cloud service provider
  • Threat analysts
  • Detection analysts
  • Red teams
ATT&CK for Cloud Today
ATT&CK for Cloud Scope
Add techniques generally visible via Cloud data sources
• AWS CloudTrail Logs
• Azure Activity Logs
• Office365 Audit Logs
• etc…
Minimize duplication across Windows/Linux/macOS
• Cloud is meant to add an additional layer to ATT&CK
• Example: An adversary may abuse Cron (T1053.003) on a Linux EC2 instance. That's already covered by the Linux matrix, so we don't add it to AWS.
Future of Cloud Platforms
[Diagram: Current vs. Future cloud platforms: SaaS, IaaS, and additional SaaS platforms…]
Why generalize to IaaS?
• Current IaaS platforms share most techniques
• Differences between Cloud Service Providers (CSPs) can be documented within the technique
• All CSPs can be represented
• Community feedback favors a single platform
Cloud Data Sources Today
• AWS CloudTrail logs
• Azure activity logs
• GCP audit logs
• Oauth audit logs
• Office 365 trace logs…
Future of Cloud Data Sources
• Data Source
  • One or more Data Components
    • Mapping(s) to Relevant Azure Operation Name(s)
    • Mapping(s) to Relevant AWS CloudTrail Event Name(s)
    • Mapping(s) to Relevant GCP REST API Method(s)
    • Mapping(s) to Other CSPs or SaaS Events
Example IaaS Data Source: Instance
Data Source: Instance
Data Components: Instance Creation; Instance Modification; Instance Deletion; Instance Metadata; Instance Enumeration; Instance Start; Instance Stop
Events (API): AWS: ListInstances; AWS: ModifyInstanceAttribute; AWS: TerminateInstances; AWS: DescribeInstances; AWS: RunInstances; AWS: StartInstances; AWS: StopInstances
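The Instance data source applied to raw telemetry, as an added example that is not MITRE's code: it classifies CloudTrail records by eventName into the data components listed above and keeps denied calls visible separately. Which event belongs to which component is my reading of the slide's two lists, so treat the pairing as an assumption; the records are constructed and carry only the CloudTrail fields the classifier needs.

```python
"""Classify CloudTrail records into the Instance data source's components.

Added example, not MITRE's code. The eventName -> component pairing is an
assumption based on the slide's lists; the records are constructed sample
data (the account id is AWS's documentation example account).
"""
import json
from collections import Counter

DATA_SOURCE = "Instance"
EC2_SOURCE = "ec2.amazonaws.com"

# eventName -> data component(s). DescribeInstances yields both the instance
# list and per-instance details, so it maps to two components. ListInstances
# is kept because the slide lists it, though EC2 names the call DescribeInstances.
EVENT_TO_COMPONENTS = {
    "RunInstances": ["Instance Creation"],
    "ModifyInstanceAttribute": ["Instance Modification"],
    "TerminateInstances": ["Instance Deletion"],
    "DescribeInstances": ["Instance Enumeration", "Instance Metadata"],
    "ListInstances": ["Instance Enumeration"],
    "StartInstances": ["Instance Start"],
    "StopInstances": ["Instance Stop"],
}

# Constructed CloudTrail export; one failed call and one non-EC2 record.
SAMPLE_CLOUDTRAIL = json.dumps({"Records": [
    {"eventSource": EC2_SOURCE, "eventName": "DescribeInstances",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/analyst"}},
    {"eventSource": EC2_SOURCE, "eventName": "RunInstances",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/ci-deploy"}},
    {"eventSource": EC2_SOURCE, "eventName": "StopInstances",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/ci-deploy"}},
    {"eventSource": EC2_SOURCE, "eventName": "TerminateInstances",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/analyst"},
     "errorCode": "Client.UnauthorizedOperation"},
    {"eventSource": "iam.amazonaws.com", "eventName": "CreateUser",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/admin"}},
]})


def components_for(record):
    """Data components a single CloudTrail record is evidence for."""
    if record.get("eventSource") != EC2_SOURCE:
        return []
    return list(EVENT_TO_COMPONENTS.get(record.get("eventName"), []))


def summarize(cloudtrail_json):
    """Count records per component, succeeded and failed separately.

    A denied TerminateInstances never deleted anything, but it is still
    Instance Deletion activity a detection should see, so it is not dropped.
    """
    succeeded, failed = Counter(), Counter()
    for rec in json.loads(cloudtrail_json)["Records"]:
        bucket = failed if "errorCode" in rec else succeeded
        for comp in components_for(rec):
            bucket[comp] += 1
    return succeeded, failed


def actors_by_component(cloudtrail_json):
    """Component -> sorted principal ARNs: the pivot an analyst wants when a
    component such as Instance Deletion lights up."""
    out = {}
    for rec in json.loads(cloudtrail_json)["Records"]:
        for comp in components_for(rec):
            out.setdefault(comp, set()).add(rec["userIdentity"]["arn"])
    return {comp: sorted(arns) for comp, arns in out.items()}


if __name__ == "__main__":
    ok, denied = summarize(SAMPLE_CLOUDTRAIL)
    for comp in sorted(set(ok) | set(denied)):
        print(f"{DATA_SOURCE} / {comp}: {ok[comp]} succeeded, {denied[comp]} failed")
    print(actors_by_component(SAMPLE_CLOUDTRAIL))
```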
Why the change?
• Ensure approach is consistent with the rest of Enterprise
  • Suggest reading blog from Jose Luis Rodriguez: https://medium.com/mitre-attack/defining-attack-data-sources-part-i-4c39e581454f
• Create more meaningful data sources for Cloud
  • Move away from the "everything is logs" approach
  • Refactor to align to events and API calls within these logs instead
• Align to future Cloud platform updates
We need your help!
Do you have…
• thoughts on how can we improve ATT&CK for Cloud?
• “in the wild” visibility into adversaries in the Cloud?
• opinions on our platform or data source plans?
attack@mitre.org
@MITREattack
Jen Burns
@snarejen
Join our next session
on November 12
Register now!
https://na.eventscloud.com/ATTACKcon-november

Big Bang Theory: The Evolution of Pentesting High Security Environments
 
Security Operation Centre Specialist Course Content
Security Operation Centre Specialist Course ContentSecurity Operation Centre Specialist Course Content
Security Operation Centre Specialist Course Content
 
Security operations center_Specialist_training_course_content
Security operations center_Specialist_training_course_contentSecurity operations center_Specialist_training_course_content
Security operations center_Specialist_training_course_content
 
BSidesLV -The SOC Counter ATT&CK
BSidesLV -The SOC Counter ATT&CKBSidesLV -The SOC Counter ATT&CK
BSidesLV -The SOC Counter ATT&CK
 
Dealing With ATT&CK's Different Levels Of Detail
Dealing With ATT&CK's Different Levels Of DetailDealing With ATT&CK's Different Levels Of Detail
Dealing With ATT&CK's Different Levels Of Detail
 
Detecting advanced and evasive threats on the network
Detecting advanced and evasive threats on the networkDetecting advanced and evasive threats on the network
Detecting advanced and evasive threats on the network
 
CyberOps.pptx
CyberOps.pptxCyberOps.pptx
CyberOps.pptx
 
Building a Next-Generation Security Operations Center (SOC)
Building a Next-Generation Security Operations Center (SOC)Building a Next-Generation Security Operations Center (SOC)
Building a Next-Generation Security Operations Center (SOC)
 
Splunk September 2023 User Group PDX.pdf
Splunk September 2023 User Group PDX.pdfSplunk September 2023 User Group PDX.pdf
Splunk September 2023 User Group PDX.pdf
 
Collective intelligence: Crowdsourcing Cyber Threat Intel Successes, Challeng...
Collective intelligence: Crowdsourcing Cyber Threat Intel Successes, Challeng...Collective intelligence: Crowdsourcing Cyber Threat Intel Successes, Challeng...
Collective intelligence: Crowdsourcing Cyber Threat Intel Successes, Challeng...
 
Tampa BSides - The No BS SOC (slides from April 6, 2024 talk)
Tampa BSides - The No BS SOC (slides from April 6, 2024 talk)Tampa BSides - The No BS SOC (slides from April 6, 2024 talk)
Tampa BSides - The No BS SOC (slides from April 6, 2024 talk)
 
OSINT Basics for Threat Hunters and Practitioners
OSINT Basics for Threat Hunters and PractitionersOSINT Basics for Threat Hunters and Practitioners
OSINT Basics for Threat Hunters and Practitioners
 
Using Chaos to Disentangle an ISIS-Related Twitter Network
Using Chaos to Disentangle an ISIS-Related Twitter NetworkUsing Chaos to Disentangle an ISIS-Related Twitter Network
Using Chaos to Disentangle an ISIS-Related Twitter Network
 
Threat Modeling Lessons from Star Wars
Threat Modeling Lessons from Star WarsThreat Modeling Lessons from Star Wars
Threat Modeling Lessons from Star Wars
 

Mehr von MITRE - ATT&CKcon

ATTACK-Onomics: Attacking the Economics Behind Techniques Used by Adversaries
ATTACK-Onomics: Attacking the Economics Behind Techniques Used by AdversariesATTACK-Onomics: Attacking the Economics Behind Techniques Used by Adversaries
ATTACK-Onomics: Attacking the Economics Behind Techniques Used by AdversariesMITRE - ATT&CKcon
 
Using ATTACK to Create Cyber DBTS for Nuclear Power Plants
Using ATTACK to Create Cyber DBTS for Nuclear Power PlantsUsing ATTACK to Create Cyber DBTS for Nuclear Power Plants
Using ATTACK to Create Cyber DBTS for Nuclear Power PlantsMITRE - ATT&CKcon
 
Sharpening your Threat-Hunting Program with ATTACK Framework
Sharpening your Threat-Hunting Program with ATTACK FrameworkSharpening your Threat-Hunting Program with ATTACK Framework
Sharpening your Threat-Hunting Program with ATTACK FrameworkMITRE - ATT&CKcon
 
What's New with ATTACK for ICS?
What's New with ATTACK for ICS?What's New with ATTACK for ICS?
What's New with ATTACK for ICS?MITRE - ATT&CKcon
 
ATTACKing the Cloud: Hopping Between the Matrices
ATTACKing the Cloud: Hopping Between the MatricesATTACKing the Cloud: Hopping Between the Matrices
ATTACKing the Cloud: Hopping Between the MatricesMITRE - ATT&CKcon
 
Mapping the EventBot Mobile Banking Trojan with MITRE ATTACK for Mobile
Mapping the EventBot Mobile Banking Trojan with MITRE ATTACK for MobileMapping the EventBot Mobile Banking Trojan with MITRE ATTACK for Mobile
Mapping the EventBot Mobile Banking Trojan with MITRE ATTACK for MobileMITRE - ATT&CKcon
 
Transforming Adversary Emulation Into a Data Analysis Question
Transforming Adversary Emulation Into a Data Analysis QuestionTransforming Adversary Emulation Into a Data Analysis Question
Transforming Adversary Emulation Into a Data Analysis QuestionMITRE - ATT&CKcon
 
TA505: A Study of High End Big Game Hunting in 2020
TA505: A Study of High End Big Game Hunting in 2020TA505: A Study of High End Big Game Hunting in 2020
TA505: A Study of High End Big Game Hunting in 2020MITRE - ATT&CKcon
 
What's New with ATTACK for Cloud?
What's New with ATTACK for Cloud?What's New with ATTACK for Cloud?
What's New with ATTACK for Cloud?MITRE - ATT&CKcon
 
Starting Over with Sub-Techniques
Starting Over with Sub-TechniquesStarting Over with Sub-Techniques
Starting Over with Sub-TechniquesMITRE - ATT&CKcon
 
MITRE ATT&CKcon 2.0: Keynote Address - The Friends We Made Along the Way; Ton...
MITRE ATT&CKcon 2.0: Keynote Address - The Friends We Made Along the Way; Ton...MITRE ATT&CKcon 2.0: Keynote Address - The Friends We Made Along the Way; Ton...
MITRE ATT&CKcon 2.0: Keynote Address - The Friends We Made Along the Way; Ton...MITRE - ATT&CKcon
 
MITRE ATT&CKcon 2.0: Using Threat Intelligence to Focus ATT&CK Activities; Da...
MITRE ATT&CKcon 2.0: Using Threat Intelligence to Focus ATT&CK Activities; Da...MITRE ATT&CKcon 2.0: Using Threat Intelligence to Focus ATT&CK Activities; Da...
MITRE ATT&CKcon 2.0: Using Threat Intelligence to Focus ATT&CK Activities; Da...MITRE - ATT&CKcon
 
MITRE ATT&CKcon 2.0: Alertable Techniques for Linux Using ATT&CK; Tony Lamber...
MITRE ATT&CKcon 2.0: Alertable Techniques for Linux Using ATT&CK; Tony Lamber...MITRE ATT&CKcon 2.0: Alertable Techniques for Linux Using ATT&CK; Tony Lamber...
MITRE ATT&CKcon 2.0: Alertable Techniques for Linux Using ATT&CK; Tony Lamber...MITRE - ATT&CKcon
 
MITRE ATT&CKcon 2.0: ATT&CK Coverage Assessment from a Data Perspective; Olaf...
MITRE ATT&CKcon 2.0: ATT&CK Coverage Assessment from a Data Perspective; Olaf...MITRE ATT&CKcon 2.0: ATT&CK Coverage Assessment from a Data Perspective; Olaf...
MITRE ATT&CKcon 2.0: ATT&CK Coverage Assessment from a Data Perspective; Olaf...MITRE - ATT&CKcon
 
MITRE ATT&CKcon 2.0: From Susceptible to ATT&CK - A Threat Hunting Story; Chr...
MITRE ATT&CKcon 2.0: From Susceptible to ATT&CK - A Threat Hunting Story; Chr...MITRE ATT&CKcon 2.0: From Susceptible to ATT&CK - A Threat Hunting Story; Chr...
MITRE ATT&CKcon 2.0: From Susceptible to ATT&CK - A Threat Hunting Story; Chr...MITRE - ATT&CKcon
 

Mehr von MITRE - ATT&CKcon (17)

State of the ATTACK
State of the ATTACKState of the ATTACK
State of the ATTACK
 
ATTACK-Onomics: Attacking the Economics Behind Techniques Used by Adversaries
ATTACK-Onomics: Attacking the Economics Behind Techniques Used by AdversariesATTACK-Onomics: Attacking the Economics Behind Techniques Used by Adversaries
ATTACK-Onomics: Attacking the Economics Behind Techniques Used by Adversaries
 
Using ATTACK to Create Cyber DBTS for Nuclear Power Plants
Using ATTACK to Create Cyber DBTS for Nuclear Power PlantsUsing ATTACK to Create Cyber DBTS for Nuclear Power Plants
Using ATTACK to Create Cyber DBTS for Nuclear Power Plants
 
Sharpening your Threat-Hunting Program with ATTACK Framework
Sharpening your Threat-Hunting Program with ATTACK FrameworkSharpening your Threat-Hunting Program with ATTACK Framework
Sharpening your Threat-Hunting Program with ATTACK Framework
 
What's New with ATTACK for ICS?
What's New with ATTACK for ICS?What's New with ATTACK for ICS?
What's New with ATTACK for ICS?
 
Putting the PRE into ATTACK
Putting the PRE into ATTACKPutting the PRE into ATTACK
Putting the PRE into ATTACK
 
ATTACKing the Cloud: Hopping Between the Matrices
ATTACKing the Cloud: Hopping Between the MatricesATTACKing the Cloud: Hopping Between the Matrices
ATTACKing the Cloud: Hopping Between the Matrices
 
Mapping the EventBot Mobile Banking Trojan with MITRE ATTACK for Mobile
Mapping the EventBot Mobile Banking Trojan with MITRE ATTACK for MobileMapping the EventBot Mobile Banking Trojan with MITRE ATTACK for Mobile
Mapping the EventBot Mobile Banking Trojan with MITRE ATTACK for Mobile
 
Transforming Adversary Emulation Into a Data Analysis Question
Transforming Adversary Emulation Into a Data Analysis QuestionTransforming Adversary Emulation Into a Data Analysis Question
Transforming Adversary Emulation Into a Data Analysis Question
 
TA505: A Study of High End Big Game Hunting in 2020
TA505: A Study of High End Big Game Hunting in 2020TA505: A Study of High End Big Game Hunting in 2020
TA505: A Study of High End Big Game Hunting in 2020
 
What's New with ATTACK for Cloud?
What's New with ATTACK for Cloud?What's New with ATTACK for Cloud?
What's New with ATTACK for Cloud?
 
Starting Over with Sub-Techniques
Starting Over with Sub-TechniquesStarting Over with Sub-Techniques
Starting Over with Sub-Techniques
 
MITRE ATT&CKcon 2.0: Keynote Address - The Friends We Made Along the Way; Ton...
MITRE ATT&CKcon 2.0: Keynote Address - The Friends We Made Along the Way; Ton...MITRE ATT&CKcon 2.0: Keynote Address - The Friends We Made Along the Way; Ton...
MITRE ATT&CKcon 2.0: Keynote Address - The Friends We Made Along the Way; Ton...
 
MITRE ATT&CKcon 2.0: Using Threat Intelligence to Focus ATT&CK Activities; Da...
MITRE ATT&CKcon 2.0: Using Threat Intelligence to Focus ATT&CK Activities; Da...MITRE ATT&CKcon 2.0: Using Threat Intelligence to Focus ATT&CK Activities; Da...
MITRE ATT&CKcon 2.0: Using Threat Intelligence to Focus ATT&CK Activities; Da...
 
MITRE ATT&CKcon 2.0: Alertable Techniques for Linux Using ATT&CK; Tony Lamber...
MITRE ATT&CKcon 2.0: Alertable Techniques for Linux Using ATT&CK; Tony Lamber...MITRE ATT&CKcon 2.0: Alertable Techniques for Linux Using ATT&CK; Tony Lamber...
MITRE ATT&CKcon 2.0: Alertable Techniques for Linux Using ATT&CK; Tony Lamber...
 
MITRE ATT&CKcon 2.0: ATT&CK Coverage Assessment from a Data Perspective; Olaf...
MITRE ATT&CKcon 2.0: ATT&CK Coverage Assessment from a Data Perspective; Olaf...MITRE ATT&CKcon 2.0: ATT&CK Coverage Assessment from a Data Perspective; Olaf...
MITRE ATT&CKcon 2.0: ATT&CK Coverage Assessment from a Data Perspective; Olaf...
 
MITRE ATT&CKcon 2.0: From Susceptible to ATT&CK - A Threat Hunting Story; Chr...
MITRE ATT&CKcon 2.0: From Susceptible to ATT&CK - A Threat Hunting Story; Chr...MITRE ATT&CKcon 2.0: From Susceptible to ATT&CK - A Threat Hunting Story; Chr...
MITRE ATT&CKcon 2.0: From Susceptible to ATT&CK - A Threat Hunting Story; Chr...
 

Kürzlich hochgeladen

Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Scott Keck-Warren
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Mattias Andersson
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsPixlogix Infotech
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):comworks
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Mark Simos
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.Curtis Poe
 
DSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningDSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningLars Bell
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfAddepto
 
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdfHyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdfPrecisely
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brandgvaughan
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLScyllaDB
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyAlfredo García Lavilla
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Enterprise Knowledge
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii SoldatenkoFwdays
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024Lorenzo Miniero
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Commit University
 
Vertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsVertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsMiki Katsuragi
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 3652toLead Limited
 

Kürzlich hochgeladen (20)

Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and Cons
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.
 
DSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningDSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine Tuning
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdf
 
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdfHyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brand
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQL
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easy
 
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptxE-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!
 
Vertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsVertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering Tips
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365
 

MITRE ATTACKcon Power Hour - October

  • 19. LESSON FOUR
    Create a mapping style guide
    ▪ People interpret techniques in different ways
    ▪ A style guide will help enforce consistency
    ▪ Learn on the fly
    Review, review, review
    ▪ A small subset of re-mappers can review
    ▪ This will help catch errors and increase consistency
    It’s an art, not a science
  • 20. LESSON FIVE
    Find and fix your legacy mapping issues
  • 21. A tale of two analytics
    WIN-SUSPECT-SVCHOST-EXECUTED: This detector identifies untrusted binaries spawning suspicious Windows Service Host `svchost.exe` processes.
    WIN-SVCHOST-SUSPECT-PARENT: This detector identifies `svchost.exe` executing with a suspect parent process.
  • 22. Top analytics for Masquerading
    Technique | Behavioral Analytics | Threats
    T1036: MASQUERADING | WIN-SUSPECT-SVCHOST-EXECUTED | 2626
    T1036: MASQUERADING | WIN-SUSPECT-SVCHOST-EXECUTED, WIN-SVCHOST-SUSPECT-PARENT | 1088
    T1036: MASQUERADING | WIN-SVCHOST-SUSPECT-PARENT | 570
  • 23.
  • 24.
  • 25. LESSON SIX
    Considering all of the alternatives
  • 26. LESSON SIX
    Conditional mapping
    Mapping at the detection level
    ▪ Most accurate
    Mapping at the analytic level
    ▪ Fastest
    Conditional mapping
    ▪ Identify ambiguous analytics and require human reviews
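Lessons two, five and six together describe one workflow: push every legacy technique ID through the crosswalk, auto-remap the unambiguous cases, list analytics whose mappings overlap so the team can look at them, and route everything ambiguous to a human. The script below is an added example of that workflow; it is not Red Canary's tooling and not MITRE's crosswalk script. The crosswalk dictionary layout, the override table and the two non-svchost analytic names are constructed for the example; T1192 to T1566.001 and T1193 to T1566.002 are the real sub-technique changes for the spearphishing techniques.

```python
"""Crosswalk-driven remap of detection analytics with conditional human review.

Added example (not Red Canary's or MITRE's code). The crosswalk dict layout below
is an assumption; MITRE's real crosswalk JSON has its own schema, so adapt a loader.
"""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Constructed crosswalk: legacy technique ID -> what the sub-technique release did to it.
# T1192/T1193 -> T1566.001/.002 are the real changes; the dict layout is an assumption.
CROSSWALK: Dict[str, dict] = {
    "T1192": {"change": "Became a Sub-Technique", "new_ids": ["T1566.001"]},
    "T1193": {"change": "Became a Sub-Technique", "new_ids": ["T1566.002"]},
    # Parents that survived but gained sub-techniques: the old mapping may now be too coarse.
    "T1036": {"change": "Remains Technique", "new_ids": ["T1036"], "gained_subs": True},
    "T1204": {"change": "Remains Technique", "new_ids": ["T1204"], "gained_subs": True},
}

# Constructed analytic inventory. The two svchost detectors are named on the slides;
# the other two names are invented for the example.
ANALYTICS: List[dict] = [
    {"name": "WIN-SUSPECT-SVCHOST-EXECUTED", "techniques": ["T1036"]},
    {"name": "WIN-SVCHOST-SUSPECT-PARENT", "techniques": ["T1036"]},
    {"name": "WIN-OFFICE-SPAWNS-SCRIPT-HOST", "techniques": ["T1193", "T1204"]},
    {"name": "WIN-BROWSER-WRITES-LNK", "techniques": ["T1192"]},
]

# Style-guide decisions already made by a human reviewer (constructed):
# (analytic, legacy id) -> chosen sub-technique.
OVERRIDES: Dict[Tuple[str, str], str] = {
    ("WIN-OFFICE-SPAWNS-SCRIPT-HOST", "T1204"): "T1204.002",
}


@dataclass
class RemapResult:
    analytic: str
    old_id: str
    new_ids: List[str]
    needs_review: bool
    reason: str


def remap_technique(analytic: str, old_id: str,
                    crosswalk: Dict[str, dict] = CROSSWALK,
                    overrides: Dict[Tuple[str, str], str] = OVERRIDES) -> RemapResult:
    """Decide one (analytic, technique) pair: auto-remap or queue it for a human."""
    if (analytic, old_id) in overrides:
        return RemapResult(analytic, old_id, [overrides[(analytic, old_id)]], False,
                           "style-guide override")
    entry = crosswalk.get(old_id)
    if entry is None:
        return RemapResult(analytic, old_id, [], True, "ID missing from crosswalk")
    new_ids = list(entry["new_ids"])
    if entry["change"] == "Became a Sub-Technique" and len(new_ids) == 1:
        return RemapResult(analytic, old_id, new_ids, False, "one-to-one crosswalk entry")
    if entry["change"] == "Remains Technique" and not entry.get("gained_subs"):
        return RemapResult(analytic, old_id, new_ids, False, "technique unchanged")
    # Parent gained sub-techniques, or the crosswalk fans out to several IDs:
    # keep the coarse mapping for now and require a human decision (Lesson Six).
    return RemapResult(analytic, old_id, new_ids, True,
                       f"{entry['change']}: ambiguous, needs human review")


def remap_all(analytics: List[dict] = ANALYTICS) -> List[RemapResult]:
    return [remap_technique(a["name"], t) for a in analytics for t in a["techniques"]]


def shared_mappings(results: List[RemapResult]) -> Dict[str, List[str]]:
    """Techniques claimed by more than one analytic after the remap (Lesson Five review list)."""
    by_tech: Dict[str, Set[str]] = {}
    for r in results:
        for nid in r.new_ids:
            by_tech.setdefault(nid, set()).add(r.analytic)
    return {t: sorted(a) for t, a in by_tech.items() if len(a) > 1}


if __name__ == "__main__":
    results = remap_all()
    for r in results:
        flag = "REVIEW" if r.needs_review else "auto"
        print(f"{flag:6} {r.analytic:32} {r.old_id} -> {r.new_ids} ({r.reason})")
    print("shared:", shared_mappings(results))
```

Running it leaves both svchost analytics in the review queue (their parent, T1036, gained sub-techniques, so the old mapping may now be too coarse) and auto-remaps the phishing analytics; the shared-mapping report is the starting point for the "tale of two analytics" kind of review from slide 21.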
  • 29. LESSON SEVEN
    Give back to the ATT&CK community
  • 30. Ways to give back
    ▪ Contribute techniques
    ▪ Offer feedback on what works/doesn’t
    ▪ Suggest improvements
    ▪ Write blogs; give talks
  • 33. Q&A
    Jamie Williams, Lead Cyber Adversarial Engineer, MITRE
  • 34. Aunshul Rege, Associate Professor, Temple University
    Rachel Bleiman, PhD Student/NSF Graduate Research Assistant, Temple University
  • 35. Using MITRE PRE-ATT&CK and ATT&CK in Cybercrime Education and Research
    2020 ATT&CKcon Power Hour
    Aunshul Rege & Rachel Bleiman
    CAREER Award # 1453040; SaTC EDU Award # 2032292
  • 36. Agenda
    • MITRE PRE-ATT&CK and cybercrime/security education
    • MITRE ATT&CK and research datasets
    • Summary
  • 37. MITRE PRE-ATT&CK & cybercrime/security education
    • Cybercrime course
      • Human aspects of cyberattacks/security via social engineering (SE)
      • Multidisciplinary composition (8 groups)
    • Objectives
      • Applications of PRE-ATT&CK to SE
      • Conduct threat intelligence
      • Understand limitations
    • 6 SE case studies with rich details
      • Overall mapping to the PRE-ATT&CK matrix
      • Specific expansion on tactics and techniques
      • Identify PRE-ATT&CK mitigation strategies
    • First attempt at this project (Fall 2020)
  • 38. Overall mapping to the PRE-ATT&CK matrix
    • What is the mapping %?
    • What does this mean for:
      • Case study?
      • PRE-ATT&CK matrix?
    https://attack.mitre.org/versions/v7/matrices/pre/
  • 39. Specific expansion on tactics and techniques
  • 40. Identify PRE-ATT&CK mitigation strategies
    If none exist, students recommend mitigations
  • 41. Agenda
    • MITRE PRE-ATT&CK and cybercrime/security education
    • MITRE ATT&CK and research datasets
    • Summary
  • 42. Cybersecurity in Action, Research and Education
    • Offer FREE downloadable course projects and datasets
      • Sites.temple.edu/care
    • Social Engineering (SE) incidents
      • Version 5; N=623; 2011 - August 2020
    • Critical Infrastructure Ransomware (CIRW) incidents
      • Version 10.4; N=747; November 2013 - September 2020
    • Both datasets based on publicly disclosed incidents
    • Feedback to map CIRW dataset to ATT&CK
      • Why not for SE dataset too?
  • 43. Mapping SE dataset to ATT&CK framework
    • 50% (461/925) of the tactics mapped onto the ATT&CK technique or software
      • T1566: Phishing
        • T1566.001
        • T1566.002
    • 23% (23/100) of the attackers mapped onto the ATT&CK group-attacker
      • G0032
      • G0059
      • G0092
      • G0094
    Variables: General Start Date; General End Date; Target; Location; Social Engineering Tactic; MITRE ATT&CK Technique or Software; Monetary Cost; Attacker; MITRE ATT&CK Group - Attacker; Attacker posing as; Ploy; Source
  • 44. Mapping CIRW dataset to ATT&CK framework
    Variables: Year; General Date; Organization Name; Location; CIS Targeted; Strain; MITRE ATT&CK Software ID [if exists]; Duration; Duration Rank; Ransom Amount; Local Currency; Ransom Amount Rank; Paid Status; Pay Method; Amount Paid; Source
    • V9 → V10
      • NotPetya cases removed – ATT&CK defined it as wiperware
    • 56% of the strains mapped onto the ATT&CK software
      • S0366
      • S0370
      • S0372
      • S0400
      • S0446
      • S0449
      • S0457
      • S0481
  • 45. Mapping limitations/challenges
    • Many of the SE techniques do not currently exist (e.g. whaling, vishing, etc.)
    • Bulk of our data is phishing/spear phishing, which skews mapping results
    • Major strains missing (could only map 56%)
      • REvil
      • RansomEXX
      • DoppelPaymer
  • 46. Agenda
    • MITRE PRE-ATT&CK and cybercrime/security education
    • MITRE ATT&CK and research datasets
    • Summary
  • 47. Summary: PRE-ATT&CK and ATT&CK uses
    • Education: PRE-ATT&CK benefits
      • Develop ability to map and understand threat intelligence
      • Develop ability to understand challenges/limitations
      • Map SE cases (not typically done)
      • All disciplines can engage
    • Research datasets: ATT&CK links
      • Educators: Class projects, research, publications
      • Students: Course projects, dissertation/thesis
      • Government: ICS training classes, raising awareness, assessing internal responses to CIRW attacks
      • Industry: Trends & patterns in TTPs across RW strains, comparing the data to their own internal datasets, threat modeling, awareness & training, risk & statistical analysis
  • 48.
  • 49. Summary/future directions
    • Merging PRE-ATT&CK and ATT&CK
    • Data repository
      • Indictments
      • SE case studies
      • Focus groups/interviews
    • Weaving it into Collegiate SE CTF
    • Seeking collaboration!
    (Diagram: PRE-ATT&CK/ATT&CK, Social Science, Education & Research)
  • 50. Using MITRE PRE-ATT&CK and ATT&CK in Cybercrime Education and Research
    2020 ATT&CKcon Power Hour
    Aunshul Rege & Rachel Bleiman
    rege@temple.edu; rachel.bleiman@temple.edu
    @prof_rege; @rab1928
    Q&A
    Feedback? Visit sites.temple.edu/care to download the CIRW dataset and the SE dataset; we welcome feedback and would love to engage with the community!
  • 51. Matan Hart, Co-Founder & CEO, Cymptom
  • 52. Transforming Adversary Emulation Into a Data Analysis Question
    matan@cymptom.com; @machosec; matanhart
  • 53. Who Am I
    ● Co-Founder, CEO @ Cymptom
    ● Security Researcher
    ● Speaker - Black Hat, BSides, etc.
    ● Content inspired by true events... During COVID...
  • 55. Adversary Emulation Does Not Scale
    Nor was it intended to...
  • 56.
  • 57. Determining Exploitability By Detection Mitigation Capabilities
  • 58. The Methodology
    Select: ATT&CK technique and list mitigations
    Analyze: applicability of each mitigation
    Validate: effectiveness of each mitigation
    Conclude: technique exploitability
  • 59. Unbiased, Adversary-driven Prioritization
    Based on the no. of attack paths and the no. of attack techniques (steps) involved
    Test Case: Pass The Hash (T1550.002)
  • 61. Analyzing Exposure By Mitigation
    Mitigation | What | Where | Effectiveness
    Privileged Account Management | Credentials overlap | SAM, LAPS, PAM solutions | Mitigates all PtH scenarios
    Update Software | KB2871997 patch existence | Endpoint, WSUS, VM solutions | Mitigates local non-administrative accounts PtH
    User Account Control | Domain user is admin on both computers | GPO, AD | Mitigates domain user PtH
    User Account Management | PtH UAC restrictions enabled | Registry, GPO | Mitigates local PtH except the built-in Administrator (RID 500)
    Great read: https://www.harmj0y.net/blog/redteaming/pass-the-hash-is-dead-long-live-localaccounttokenfilterpolicy/
  • 62.
  • 63. Defensive Gap Analysis Using ATT&CK Matrix
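The methodology on slide 58 and the Pass the Hash table on slide 61 reduce to a coverage calculation: each mitigation, once validated as in place, closes some set of PtH scenarios, and whatever no validated mitigation closes is the residual exposure that a data-driven gap analysis reports instead of emulating the technique. The Python below is an added example of that calculation, not Cymptom's product or code. The four scenario labels are an assumption derived from the table's "Effectiveness" column, and the per-mitigation coverage sets restate that column.

```python
"""Gap analysis for one technique from validated ATT&CK mitigations.

Added example, not Cymptom's code. Scenario labels are assumptions derived from the
'Effectiveness' column of the Pass the Hash (T1550.002) mitigation table on the slides.
"""
from typing import Dict, Iterable, List, Set

# Pass-the-Hash scenarios that the slide table distinguishes (assumed labels).
SCENARIOS: List[str] = [
    "domain-user-admin-on-both",      # domain account that is admin on source and target
    "local-non-admin-account",        # local account without admin rights
    "local-admin-account",            # local admin account other than RID 500
    "built-in-administrator-rid500",  # the built-in Administrator account
]

# Mitigations as listed on slide 61: what to check, where, and which scenarios it closes.
MITIGATIONS: Dict[str, dict] = {
    "Privileged Account Management": {
        "what": "Credentials overlap", "where": "SAM, LAPS, PAM solutions",
        "covers": set(SCENARIOS)},                       # mitigates all PtH scenarios
    "Update Software": {
        "what": "KB2871997 patch existence", "where": "Endpoint, WSUS, VM solutions",
        "covers": {"local-non-admin-account"}},
    "User Account Control": {
        "what": "Domain user is admin on both computers", "where": "GPO, AD",
        "covers": {"domain-user-admin-on-both"}},
    "User Account Management": {
        "what": "PtH UAC restrictions enabled", "where": "Registry, GPO",
        "covers": {"local-non-admin-account", "local-admin-account"}},  # all local except RID 500
}


def exploitable_scenarios(validated: Iterable[str],
                          mitigations: Dict[str, dict] = MITIGATIONS) -> List[str]:
    """Scenarios not closed by any mitigation that has been validated as in place."""
    covered: Set[str] = set()
    for name in validated:
        if name not in mitigations:
            raise KeyError(f"unknown mitigation: {name}")
        covered |= mitigations[name]["covers"]
    return sorted(s for s in SCENARIOS if s not in covered)


def gap_report(validated: Iterable[str],
               mitigations: Dict[str, dict] = MITIGATIONS) -> Dict[str, object]:
    """Select -> Analyze -> Validate -> Conclude, as one record for the technique."""
    validated = set(validated)
    residual = exploitable_scenarios(validated, mitigations)
    return {
        "technique": "T1550.002",
        "mitigations": {
            name: {"what": m["what"], "where": m["where"],
                   "validated": name in validated,
                   "closes": sorted(m["covers"])}
            for name, m in mitigations.items()},
        "residual_exposure": residual,
        "exploitable": bool(residual),
    }


if __name__ == "__main__":
    import json
    # Constructed state: the patch and the PtH UAC restrictions are validated, the rest not.
    print(json.dumps(gap_report({"Update Software", "User Account Management"}), indent=2))
```

With only the patch and the UAC restrictions validated, the report still lists the domain-user and RID 500 scenarios as exposed, which is the same conclusion the table supports; a validated credential-overlap control (Privileged Account Management) empties the residual list on its own.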
  • 64. Pros and Cons: Adversary Emulation vs. Data Analytics
    ✓ Coverage
    ✓ Safety
    ✓ The real thing
    ✓ Test people & processes
    x Business disruption
    x Resource intensive
    x Miss detective controls
    x Miss processes
  • 65. Takeaways
    Adversary Emulation is essential but should be practiced cautiously
    Data Analytics is better for assessing defensive coverage
    Defensive Coverage can be assessed using ATT&CK mitigations
  • 66. Let's Talk!
    matanhart; @machosec; matan@cymptom.com
  • 67. Brandon Levene Head of Applied Intelligence Google
  • 68. TA505 A Study of High End Big Game Hunting in 2020 Brandon Levene ATT&CKCON October 9th, 2020
  • 69. Proprietary + Confidential Opportunistically targeted ransomware deployments, aka Big Game Hunting (BGH), have caused a distinct disruption in the mechanics of monetizing crimeware compromises.
  • 70. Agenda
    01 Context and background
    02 Threat actor process
    03 Operational details
    04 Lessons learned
  • 71. 01 Context and background
  • 72. Who is TA505?
    ▪ Customer of Dridex banking Trojan as well as Locky and Jaff Ransomware families from 2014-2017
    ▪ NOT the developers of the tools above (that would be ‘EvilCorp’)
    ▪ Shift to backdoors in 2018, which coincides with a decrease in bespoke banking trojans and non-targeted ransomware
    ▪ Rapidly shifted through initial loaders and secondary payloads throughout 2018 and 2019; slowly shifted towards “in house” tooling
    ▪ Users* of CLOP ransomware (first seen in Feb 2019) as primary monetization mechanism
    ▪ There do not appear to be any other users, so this is likely another in-house tool
  • 73. TA505 activity since 2018 has led to...
  • 74. Headlines:
    ▪ NETZSCH GROUP BASED IN GERMANY ALLEGEDLY BREACHED BY COP RANSOMWARE OPERATORS
    ▪ Hackers publish ExecuPharm internal data after ransomware attack
    ▪ CL0P Ransomware Breached UK’s Largest Privately-Owned Logistics Company--EV Cargo Logistics
    ▪ Ransomware Hits Maastricht University, all Systems Taken Down
    ▪ Indiabulls Group hit by CLOP Ransomware, gets 24h leak deadline
  • 75. 02 Threat actor process
  • 76. Threat actor process: Overview (Source: ANSSI https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-009.pdf)
    [Diagram: TA505 sends (1) a malicious email that contains HTML + JavaScript; the victim opens it and is redirected via a redirecting URL hosted on a legitimate compromised domain to a phishing page hosted on a malicious domain; the victim downloads the malicious Office document hosted there and activates the macros; the document drops and executes (6) the malware.]
  • 77. 03 Operational details
  • 78. Operational details - Initial Access: Spear Phishing - T1192 + Spear Phishing Attachment - T1193
  • 79. Operational details - Execution: User Execution - T1204 [.002]
  • 80. Operational details - Command and control: Ingress Tool Transfer - T1055
  • 81. Operational details - Defense Evasion and Priv Esc: Process Injection - T1055; Command and control: Application Layer Protocol - T1071
  • 82. Operational details - Persistence: Event Triggered Execution - T1546 (image file execution injections, sub .012)
  • 83. Operational details - Discovery: Permission Groups Discovery - T1069; Defense Evasion: Subvert Trust Controls - T1553
  • 84. Operational details - Impact: Data Encrypted for Impact - T1486
  • 85. Operational details - Impact: Data Leak - Unmapped
  • 86. 04 Lessons learned
  • 87. Lessons learned
    ▪ Complement defense in depth with detection in depth
    ▪ Study TTPs to seize interdiction opportunities
    ▪ Detecting the ransomware itself is too late
    ▪ Attackers use a blend of tools and techniques to get the job done: don’t overlook open source tools as too “amateur”
    ▪ Visibility is key
  • 89. ©2020 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for public release. Distribution unlimited 20-00841-13 What’s New with ATT&CK® for Cloud? Jen Burns @snarejen @MITREattack
  • 90. ATT&CK for Cloud: Credit to Dave Herrald and Ryan Kovar
  • 91. ATT&CK for Cloud Beginnings
    ▪ Initial Release October 2019
    ▪ Part of Enterprise ATT&CK
    ▪ Almost 100% community-contributed techniques!
    ▪ Input from: a cloud service provider, threat analysts, detection analysts, red teams
  • 92. ATT&CK for Cloud Today
  • 93. ATT&CK for Cloud Scope
    ▪ Add techniques generally visible via Cloud data sources: AWS CloudTrail Logs, Azure Activity Logs, Office365 Audit Logs, etc…
    ▪ Minimize duplication across Windows/Linux/macOS
    ▪ Cloud is meant to add an additional layer to ATT&CK
    ▪ Example: An adversary may abuse Cron (T1053.003) on a Linux EC2 instance. That’s already covered by the Linux matrix, so we don’t add it to AWS.
  • 94. Future of Cloud Platforms
    Current: SaaS (alongside the individual cloud platforms)
    Future: IaaS, SaaS, additional SaaS platforms….
  • 95. Why generalize to IaaS?
    ▪ Current IaaS platforms share most techniques
    ▪ Differences between Cloud Service Providers (CSPs) can be documented within the technique
    ▪ All CSPs can be represented
    ▪ Community feedback favors a single platform
  • 96. Cloud Data Sources Today
    ▪ AWS CloudTrail logs
    ▪ Azure activity logs
    ▪ GCP audit logs
    ▪ OAuth audit logs
    ▪ Office 365 trace logs…
  • 97. Future of Cloud Data Sources
    ▪ Data Source
    ▪ One or more Data Components
    ▪ Mapping(s) to Relevant Azure Operation Name(s)
    ▪ Mapping(s) to Relevant AWS CloudTrail Event Name(s)
    ▪ Mapping(s) to Relevant GCP REST API Method(s)
    ▪ Mapping(s) to Other CSPs or SaaS Events
  • 98. Example IaaS Data Source
    Data Source: Instance
    Data Components: Instance Creation, Instance Modification, Instance Deletion, Instance Metadata, Instance Enumeration, Instance Start, Instance Stop
    Events (API): AWS: ListInstances, ModifyInstanceAttribute, TerminateInstances, DescribeInstances, RunInstances, StartInstances, StopInstances
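    The data source / data component / API event layering above, shown as an added Python example that is not MITRE's code: CloudTrail records (constructed samples, not real logs) are classified into the slide's "Instance" data components. The slide lists components and AWS event names side by side without drawing the lines, so the eventName-to-component pairing in the code is this example's own assumption.

```python
from collections import Counter

# Assumed pairing of CloudTrail eventName -> ATT&CK data component.
# Both columns come from the slide; the pairing is this example's assumption.
INSTANCE_COMPONENTS = {
    "RunInstances": "Instance Creation",
    "ModifyInstanceAttribute": "Instance Modification",
    "TerminateInstances": "Instance Deletion",
    "DescribeInstances": "Instance Metadata",
    "ListInstances": "Instance Enumeration",  # event name as given on the slide
    "StartInstances": "Instance Start",
    "StopInstances": "Instance Stop",
}

def classify(record):
    """Return (data source, data component) for one CloudTrail record,
    or None when the event is not part of the Instance data source.
    A production rule would also key on eventSource, not only eventName."""
    component = INSTANCE_COMPONENTS.get(record.get("eventName"))
    if component is None:
        return None
    return ("Instance", component)

def summarize(records):
    """Count observed data components per calling identity, so a reviewer
    sees who enumerated, created or terminated instances in the sample."""
    counts = Counter()
    for rec in records:
        hit = classify(rec)
        if hit:
            who = rec.get("userIdentity", {}).get("arn", "unknown")
            counts[(who, hit[1])] += 1
    return counts

# Constructed sample CloudTrail records (minimal fields only; not real logs).
SAMPLE = [
    {"eventName": "DescribeInstances", "eventSource": "ec2.amazonaws.com",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:user/alice"}},
    {"eventName": "RunInstances", "eventSource": "ec2.amazonaws.com",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:user/alice"}},
    {"eventName": "TerminateInstances", "eventSource": "ec2.amazonaws.com",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:role/ci"}},
    {"eventName": "GetCallerIdentity", "eventSource": "sts.amazonaws.com",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:user/alice"}},
]

if __name__ == "__main__":
    for (identity, component), n in sorted(summarize(SAMPLE).items()):
        print(f"{identity}: {component} x{n}")
```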
  • 99. Why the change?
    ▪ Ensure approach is consistent with the rest of Enterprise
    ▪ Suggest reading blog from Jose Luis Rodriguez: https://medium.com/mitre-attack/defining-attack-data-sources-part-i-4c39e581454f
    ▪ Create more meaningful data sources for Cloud
    ▪ Move away from the “everything is logs” approach
    ▪ Refactor to align to events and API calls within these logs instead
    ▪ Align to future Cloud platform updates
  • 100. We need your help! Do you have…
    ▪ thoughts on how we can improve ATT&CK for Cloud?
    ▪ “in the wild” visibility into adversaries in the Cloud?
    ▪ opinions on our platform or data source plans?
  • 101. attack@mitre.org @MITREattack Jen Burns @snarejen
  • 102. Join our next session on November 12 Register now! https://na.eventscloud.com/ATTACKcon-november