MITRE ATT&CKcon 2018: Detection Philosophy, Evolution & ATT&CK, Fred Stankowski & Travis McWaters

•

1 like•1,760 views

This lightning talk is a brief discussion around how PepsiCo is managing their ‘detection catalog’ and how it maps and is enhanced by the MITRE ATT&CK framework.

Technology

Detection Philosophy,
Evolution & ATT&CK
A BRIEF DISCUSSION AROUND HOW WE ARE MANAGING OUR
‘DETECTION CATALOG’ AND HOW IT MAPS TO AND IS ENHANCED BY
THE ATT&CK FRAMEWORK
Fred Stankowski & Travis McWaters

2
Who are you?
Cyber Threat
Intelligence (CTI)
Threat Detection
Operations (TDO)
Incident
Response (IR)
Attack Surface
Management (ASM)
Enterprise Incident
Mgmt (EIM)
Threat Detection
Operations (TDO)

3
Detection Philosophy
Why you need a catalog
• Historical Record
• Knowledge Transfer
• Work Management

8
Example ADS entry
Network - Suspicious Network Activity - SMB
Worm Behavior
Goal
Detect SMB Worms by the firewall deny messages they generate
Categorization
These attempts are categorized as Scanning / Network Service
Scanning (T1046)
Strategy Abstract
The strategy will function as follows:
•Look for traffic blocked by the firewalls bound for destination port 445
•Count the number of destination hosts a source tried to reach
•Validate the source is a Company asset, not external
•Alert if the number of targets exceeds NNN in under MMM minutes
Technical Context
<...>
• Blind Spots and Assumptions
• False Positives
• Validation
• Priority
• Response

9
Lessons Learned
Nomenclature
Matters
Use a code repo
sooner
Good docs
mitigate attrition
pains

What's hot

MITRE ATT&CKcon 2.0: Prioritizing ATT&CK Informed Defenses the CIS Way; Phili...

MITRE - ATT&CKcon

From MITRE ATT&CKcon Power Hour December 2020 By Hieu Tran, Threat Detection Team Lead FPT Cybersecurity Division No matter how sophisticated and thorough your security precautions may be, you cannot assume your security measures are impenetrable. This is why you need a threat hunting program in place. But how can we implement a proper threat hunting program and run it efficiently? In this talk, we will uncover how to sharpen your threat hunting strategy by leveraging ATT&CK. Ultimately, we’ll be demonstrating how effectively employing the hunting methodology in the real-world battlefield, fighting against well-known cyber espionage actors who strongly focus on Southeast Asian countries like Vietnam, the Philippines, Laos, and Cambodia.

Sharpening your Threat-Hunting Program with ATTACK Framework

MITRE - ATT&CKcon

From MITRE ATT&CKcon Power Hour December 2020 By Valentina Palacín, Sr. Cyber Threat Intelligence Analyst No one can deny the tremendous impact that ATT&CK had on the cybersecurity industry, nor the usefulness of having a good Threat Library at your disposal. But the question Valentina gets asked over and over by people from small companies is always the same: “How could I leverage threat intelligence using ATT&CK with limited time and resources?” And so far, there hasn't been a good answer. That’s why she decided to come up with the Threat Mapping Catalogue (TMC), a tool that combines the power of the mappings already available in the ATT&CK website, TRAM and the ATT&CK Navigator, to better process, consume and incorporate new mappings while organizing them around different categories.

Helping Small Companies Leverage CTI with an Open Source Threat Mapping

MITRE - ATT&CKcon

MITRE ATT&CKcon 2.0: Using Threat Intelligence to Focus ATT&CK Activities; Da...

MITRE - ATT&CKcon

MITRE ATT&CKcon 2018: ATT&CK: All the Things, Neelsen Cyrus and David Thompso...

MITRE - ATT&CKcon

From MITRE ATT&CKcon Power Hour October 2020 By: Aunshul Rege, Associate Professor, Temple University, @prof_rege Rachel Bleiman, PhD Student/NSF Graduate Research Assistant, Temple University, @rab1928 This presentation from the MITRE ATT&CKcon Power Hour session on October 9, 2020, explores the application of the MITRE ATT&CK® and PRE-ATT&CK matrices in cybercrime education and research. Specifically, Rege and Bleiman demonstrate the mapping of the PRE-ATT&CK matrix to social engineering case studies as an experiential learning project in an upper-level cybercrime liberal arts course. It thus allows students to understand the alignment process of threat intelligence to the PRE-ATT&CK framework and also learn about its usefulness/limitations. The talk also discusses the mapping of the ATT&CK matrix, tactics, techniques, software, and groups for two cybercrime datasets created by collating publicly disclosed incidents: (i) critical infrastructure ransomware (CIRW) incidents, and (ii) social engineering (SE) incidents. For the CIRW dataset, 39% of the strains mapped onto the ATT&CK software. For the SE dataset, 49% of the groups and 65% of the techniques map on to the MITRE framework. This helps the researchers identify the framework's usefulness/limitations and also helps our datasets connect to richer information that may not otherwise be available in the publicly disclosed incidents.

Using MITRE PRE-ATTACK and ATTACK in Cybercrime Education and Research

MITRE - ATT&CKcon

MITRE ATT&CKcon Power Hour - November

MITRE - ATT&CKcon

ATT&CK is an incredibly valuable framework for describing and analyzing what’s happening in your environment. Sometimes security professionals not only need a way to understand, but also need a way to clearly articulate to non-security leadership to gain support and investment in needed resourcing. Using UX design methods, CrowdStrike came up with a mental model and more conversational terms to help anyone quickly parse the big picture.

MITRE ATT&CKcon 2018: Helping Your Non-Security Executives Understand ATT&CK ...

MITRE - ATT&CKcon

MITRE ATT&CKcon 2.0: The World's Most Dangerous ATT&CKers; Robert Lipovsky, ESET

MITRE - ATT&CKcon

From MITRE ATT&CKcon Power Hour November 2020 By Matt Snyder, Senior Threat Analytics Engineer, VMware The market for Security products is flooded with vendors offering all sorts of solutions, and organizations are spending a record amount of money defending their environments. Nevertheless, an increasing number of breaches are reported each year, resulting in organizations spending millions of dollars to remediate them. The Security industry responds with more products, all offering to stop the next breach, and the cycle continues. In this presentation from the MITRE ATT&CKcon Power Hour session on November 12, 2020, Matt discusses what VMware is doing internally to address this fundamental flaw in the Security industry and how they are leveraging the MITRE ATT&CK framework to reshape how we think about security.

What's a MITRE with your Security?

MITRE - ATT&CKcon

Dreaming of IoCs Adding Time Context to Threat Intelligence

Priyanka Aash

CTI ANT: Hunting for Chinese Threat Intelligence

JacklynTsai

From ATT&CKcon 3.0 By Haylee Mills, Splunk Having ATT&CK to identify threats, prioritize data sources, and improve security posture has been a huge step forward for our industry, but how do we actualize those insights for better detection and alerting? By shifting to observations of behavior over one-to-one direct alerts, noisy datasets become valuable treasure troves with ATT&CK metadata. Additionally, we can begin to look at detection and threat hunting on behavior instead of users or systems. In this presentation, Haylee will discuss the shift in mindset and the nuts and bolts of detections that leverage this metadata in Splunk, but the concept can be applied with custom tools to any valuable security dataset.

Tracking Noisy Behavior and Risk-Based Alerting with ATT&CK

MITRE ATT&CK

From ATT&CKcon 3.0 By Matt Snyder, VMWare Insider threats are some of the most treacherous and every organization is susceptible: it's estimated that theft of Intellectual Property alone exceeds $600 billion a year. Armed with intimate knowledge of your organization and masked as legitimate business, often these attacks go unnoticed until it's too late and the damage is done. To make matters worse, threat actors are now trying to lure employees with the promise of large paydays to help carry out attacks. These advanced attacks require advanced solutions, and we are going to demonstrate how we are using the MITRE ATT&CK framework to proactively combat these threats. Armed with these tactics and techniques, we show you how to build intelligent detections to help secure even the toughest of environments.

When Insiders ATT&CK!

MITRE ATT&CK

Threat-Based Adversary Emulation with MITRE ATT&CK

Katie Nickels

From MITRE ATT&CKcon Power Hour October 2020 By Brandon Levene, Head of Applied Intelligence Google, @seraphimdomain Opportunistically targeted ransomware deployments, aka Big Game Hunting (BGH), have caused a distinct disruption in the mechanics of monetizing crimeware compromises. This strategy has become the “end game” for the majority of organized cybercrime organizations, and one effect of this shift is the increased emphasis on enterprise-level targets. In this talk from the MITRE ATT&CKCon Power Hour session on October 9, 2020, Levene walks us through research about how a specific BGH threat actor pursues entry points, gains its foothold, pivots, and deploys payloads to maximize their financial gains with minimal effort - and infrastructure! You’ll walk away with an understanding of the latest BGH TTPs seen in enterprise environments, and how they map to the ATT&CK framework so you can build this research into your threat detection strategy and enhance your defenses.

TA505: A Study of High End Big Game Hunting in 2020

MITRE - ATT&CKcon

Anomali Detect 19 - Nickels & Pennington - Turning Intelligence into Action w...

Adam Pennington

Bsides 2019 - Intelligent Threat Hunting

Dhruv Majumdar

Cyberthreats are assymetric risks: corporate defenders must secure and detect everything, but the attacker needs to exploit only once. As petabytes of data traverse the ecosystem, legacy data protection methods leave many gaps. By looking through the adversary’s eyes, you can create subterfuges, delay attack progress or reduce the value of any data ultimately accessed—and shift the risk equation. (Source : RSA Conference USA 2017)

Confusion and deception new tools for data protection

Priyanka Aash

MITRE ATT&CK is quickly gaining traction and is becoming an important standard to use to assess the overall cyber security posture of an organization. Tools like ATT&CK Navigator facilitate corporate adoption and allow for a holistic overview on attack techniques and how the organization is preventing and detecting them. Furthermore, many vendors, technologies and open-source initiatives are aligning with ATT&CK. Join Erik Van Buggenhout in this presentation, where he will discuss how MITRE ATT&CK can be leveraged in the organization as part of your overall cyber security program, with a focus on adversary emulation. Erik Van Buggenhout is the lead author of SANS SEC599 - Defeating Advanced Adversaries - Purple Team Tactics & Kill Chain Defenses. Next to his activities at SANS, Erik is also a co-founder of NVISO, a European cyber security firm with offices in Brussels, Frankfurt and Munich.

Leveraging MITRE ATT&CK - Speaking the Common Language

Erik Van Buggenhout

What's hot (20)

MITRE ATT&CKcon 2.0: Prioritizing ATT&CK Informed Defenses the CIS Way; Phili...

Sharpening your Threat-Hunting Program with ATTACK Framework

Helping Small Companies Leverage CTI with an Open Source Threat Mapping

MITRE ATT&CKcon 2.0: Using Threat Intelligence to Focus ATT&CK Activities; Da...

MITRE ATT&CKcon 2018: ATT&CK: All the Things, Neelsen Cyrus and David Thompso...

Using MITRE PRE-ATTACK and ATTACK in Cybercrime Education and Research

MITRE ATT&CKcon Power Hour - November

MITRE ATT&CKcon 2018: Helping Your Non-Security Executives Understand ATT&CK ...

MITRE ATT&CKcon 2.0: The World's Most Dangerous ATT&CKers; Robert Lipovsky, ESET

What's a MITRE with your Security?

Dreaming of IoCs Adding Time Context to Threat Intelligence

CTI ANT: Hunting for Chinese Threat Intelligence

Tracking Noisy Behavior and Risk-Based Alerting with ATT&CK

When Insiders ATT&CK!

Threat-Based Adversary Emulation with MITRE ATT&CK

TA505: A Study of High End Big Game Hunting in 2020

Anomali Detect 19 - Nickels & Pennington - Turning Intelligence into Action w...

Bsides 2019 - Intelligent Threat Hunting

Confusion and deception new tools for data protection

Leveraging MITRE ATT&CK - Speaking the Common Language

Similar to MITRE ATT&CKcon 2018: Detection Philosophy, Evolution & ATT&CK, Fred Stankowski & Travis McWaters

SecurityOperations

Antonio (Tony) Robinson

From ATT&CKcon 4.0 By Tareq AlKhatib, Lacework, Inc "ATT&CK serves as the central language for CTI practitioners, Detection Engineers, Red Teamers, and more. Despite the benefit of having a central language, ATT&CK offers different levels of detail that might be useful for one team but not others. This paper points out some of these differences in the level of details available in ATT&CK, especially from the point of view of Detection Engineers, and focused on detection coverage. In summary, while ATT&CK does not define the Procedure level of the TTP trinity, it is still useful to define the “Degrees of Freedom” an attacker has within a technique. Some techniques only have a limited number of possible Procedures, some techniques might have more, and others might be so open ended that they offer an unlimited number of possible procedures per technique. We examine this concept on both the Technique and Tactic levels and make the argument that techniques that have a high number of possible Procedures cannot be covered by Detection Engineers. At the conference, we intend to release an ATT&CK Navigator layer to help Detection Engineers quickly filter out which Tactics and Techniques they need to focus on and which ones they simply cannot cover."

Dealing With ATT&CK's Different Levels Of Detail

MITRE ATT&CK

DTS Solution - Building a SOC (Security Operations Center)

Shah Sheikh

Modern Security Operations & Common Roles/Competencies

Harry McLaren

A presentation given in April 2019 in London during ICS Cyber Security Conference. I discuss an anonymized investigation conducted by our team to identify a real malware infection on a production network, the tools and techniques used to contain this threat and how to use threat intelligence and visibility to stay ahead of cyber adversaries. Asset visibility and network baselining Continuous network monitoring Threat intelligence ingestion Thorough incident response plans

Lessons Learned Fighting Modern Cyberthreats in Critical ICS Networks

Angeloluca Barba

An introduction to SOC (Security Operation Center)

Ahmad Haghighi

How to Respond to Industrial Intrusions

Dragos, Inc.

Cloud Security @ TIM - Current Practises and Future Challanges

Michele Vecchione

You own a SIEM, but to be secure, you need a Security Operations Center! How do you cross the chasm? Do you hire staff or outsource? And what skills are needed? Mike Ostrowski, a cybersecurity industry veteran, will review common pitfalls experienced through the journey from SIEM to SOC, the pros and cons of an all in-house SOC vs. outsourcing, and the benefits of a hybrid SOC model. Learning Objectives: 1: You own a SIEM, but to be secure, you need a SOC. How do you cross the chasm? 2: What are the pros and cons of in-house, fully managed and hybrid security? 3: What considerations go into deciding whether to employ a hybrid strategy? (Source: RSA Conference USA 2018)

From SIEM to SOC: Crossing the Cybersecurity Chasm

Priyanka Aash

The SOC analyst training program is meticulously designed by the subject matter experts at Infosec Train. The training program offers a deep insight into the SOC operations and workflows. It is an excellent opportunity for aspiring and current SOC analysts (L1/L2/L3) to level up their skills to mitigate business risks by effectively handling and responding to security threats. https://www.infosectrain.com/courses/soc-analyst-expert-training/

Soc analyst course content v3

ShivamSharma909

Soc analyst course content

ShivamSharma909

Our Technical Coordinator Dr. Nicholas Kolokotronis from UOP, was the keynote speaker at the 13th Meeting of the Community of Users on Secure, Safe, Resilient Societies”, which is an annual event is co-organised by DG HOME and DG CONNECT of the European Commission. CYBER-TRUST project participated in the “13th Meeting of the Community of Users on Secure, Safe, Resilient Societies”, which is an annual event is co-organised by DG HOME and DG CONNECT of the European Commission (www.securityresearch-cou.eu/node/9200). A presentation was given in the area of cybersecurity intelligence and the thematic group on cyber-crime and security. The talk was entitled “Mining for cyber-threat intelligence to improve cyber-security risk mitigation”. Many interesting discussions with other projects’ representatives were made in areas of CYBER-TRUST's interest.

2019 cou kolokotronis_nicholas - nicholas kolokotronis

Liza Charalambous

Understanding Cyber Kill Chain and OODA loop

David Sweigert

Security Strategy and Tactic with Cyber Threat Intelligence (CTI)

Priyanka Aash

Tenable Solutions for Enterprise Cloud Security

MarketingArrowECS_CZ

Dragos S4x20: How to Build an OT Security Operations Center

Dragos, Inc.

Ecommerce Security

Rebecca Jones

1. Network Security Monitoring Rationale

Sam Bowne

This presentation from Cal Net Tech Talk’s Vulnerability Management 101 Webinar -: 10 Essential Rules to Help Prevent Cyberattacks covers 10 Golden rules that every business must consider in order to protect data assets, employees and brand from cybercriminals. Learn about current trends and the critical considerations to make when investing in your cybersecurity strategy. Cal Net Technology Group will highlight proven methodologies to help you detect, prevent and respond to cybersecurity events, in this must see presentation.

Cal Net TechTalk Webinar - Vulnerability Management 101-10 Essential Rules to...

Cal Net Technology Group

Cybercriminals - One of the fastest growing threats for your business, they are well funded, organized and adapting quickly in effective and targeted attacks on small and med-sized businesses. This presentation from Cal Net Tech Talk’s Vulnerability Management 101 Webinar -: 10 Essential Rules to Help Prevent Cyberattacks covers 10 Golden rules that every business must consider in order to protect data assets, employees and brand from cybercriminals.

Cal Net Tech Talk Webinar Vulnerability Management 101-10 Essential Rules to ...

Laryssa Mereszczak

Similar to MITRE ATT&CKcon 2018: Detection Philosophy, Evolution & ATT&CK, Fred Stankowski & Travis McWaters (20)

SecurityOperations

Dealing With ATT&CK's Different Levels Of Detail

DTS Solution - Building a SOC (Security Operations Center)

Modern Security Operations & Common Roles/Competencies

Lessons Learned Fighting Modern Cyberthreats in Critical ICS Networks

An introduction to SOC (Security Operation Center)

How to Respond to Industrial Intrusions

Cloud Security @ TIM - Current Practises and Future Challanges

From SIEM to SOC: Crossing the Cybersecurity Chasm

Soc analyst course content v3

Soc analyst course content

2019 cou kolokotronis_nicholas - nicholas kolokotronis

Understanding Cyber Kill Chain and OODA loop

Security Strategy and Tactic with Cyber Threat Intelligence (CTI)

Tenable Solutions for Enterprise Cloud Security

Dragos S4x20: How to Build an OT Security Operations Center

Ecommerce Security

1. Network Security Monitoring Rationale

Cal Net TechTalk Webinar - Vulnerability Management 101-10 Essential Rules to...

Cal Net Tech Talk Webinar Vulnerability Management 101-10 Essential Rules to ...

More from MITRE - ATT&CKcon

From MITRE ATT&CKcon Power Hour January 2021 By Valentine Mairet, Security Researcher, McAfee The MITRE ATT&CK framework is the industry standard to dissect cyberattacks into used techniques. At McAfee, all attack information is disseminated into different categories, including ATT&CK techniques. What results from this exercise is an extensive repository of techniques used in cyberattacks that goes back many years. Much can be learned from looking at historical attack data, but how can we piece all this information together to identify new relationships between threats and attacks? In her recent efforts, Valentine has embraced analyzing ATT&CK data in graphical representations. One lesson learned is that it is not just about merely mapping out attacks and techniques used into graphs, but the strength lies in applying different algorithms to answer specific questions. In this presentation, Valentine will showcase the results and techniques obtained from her research journey using graph and graph algorithms.

ATTACKers Think in Graphs: Building Graphs for Threat Intelligence

MITRE - ATT&CKcon

From MITRE ATT&CKcon Power Hour January 2021 By Adam Pennington, ATT&CK Lead, MITRE Adam leads ATT&CK at The MITRE Corporation and collected much of the intelligence leveraged in creating ATT&CK’s initial techniques. He has spent much of his 12 years with MITRE studying and preaching the use of deception for intelligence gathering. Prior to joining MITRE, Adam was a researcher at Carnegie Mellon’s Parallel Data Lab and earned his BS and MS degrees in Computer Science and Electrical and Computer Engineering as well as the 2017 Alumni Service Award from Carnegie Mellon University. Adam has presented and published in a number of venues including FIRST CTI, USENIX Security and ACM Transactions on Information and System Security.

State of the ATTACK

MITRE - ATT&CKcon

From MITRE ATT&CKcon Power Hour January 2021 By Gert-Jan Bruggink, Defensive Specialist, FalconForce Adversaries are humans as well. They have objectives, deadlines and resources for programming. In a sense, very similar to corporations grounded in the economics of effort vs time vs results. Now understanding techniques is one thing, taking it a step further and understanding what the economic impact is of using certain techniques is another. Developing tools takes time. For example, developing a custom process injection module might take days or weeks to develop, where using an open source tool could prevent extensive development costs incurred. This talk explores the economic considerations for defending against techniques used by adversaries. It explores fundamental considerations all referenced to MITRE’s ATT&CK framework. The objective of this talk is to inspire defensive strategies designed to impact cost incurred by adversaries to perform compromises.

ATTACK-Onomics: Attacking the Economics Behind Techniques Used by Adversaries

MITRE - ATT&CKcon

From MITRE ATT&CKcon Power Hour January 2021 By Daniel Wyleczuk-Stern, Senior Security Engineer, Snowflake Cyber security is inherently a function of risk management. Risk management is the identification, evaluation, and prioritization of risks followed by the effort to reduce those risks in a coordinated and economical manner (thanks wikipedia!). In this talk, Daniel will be going over some strategies for measuring and prioritizing your cyber risks using MITRE ATT&CK. He'll discuss some lessons learned in atomic testing of techniques vs attack chaining as well as what to measure and how to make decisions with that data.

Measure What Matters: How to Use MITRE ATTACK to do the Right Things in the R...

MITRE - ATT&CKcon

MITRE ATTACKcon Power Hour - January

MITRE - ATT&CKcon

From MITRE ATT&CKcon Power Hour December 2020 By Jacob Benjamin, Principal Industrial Consultant Dragos, INL, & University of Idaho Design Basis Threat (DBT) is concept introduced by the Nuclear Regulatory Commission (NRC). It is a profile of the type, composition, and capabilities of an adversary. DBT is the key input nuclear power plants use for the design of systems against acts of radiological sabotage and theft of special nuclear material. The NRC expects its licensees, nuclear power plants, to demonstrate that they can defend against the DBT. Currently, cyber is included in DBTs simply as a prescribed list of IT centric security controls. Using MITRE’s ATT&CK framework, Cyber DBTs can be created that are specific to the facility, its material, or adversary activities.

Using ATTACK to Create Cyber DBTS for Nuclear Power Plants

MITRE - ATT&CKcon

From MITRE ATT&CKcon Power Hour December 2020 By Otis Alexander, Principal Cybersecurity Engineer, MITRE Otis Alexander is a Principal Cyber Security Engineer at the MITRE Corporation and has worked in the areas of security engineering and research, analytic development, and adversary modeling and emulation. Otis is a co-creator of ATT&CK for ICS and has been leading the project since its inception. He also leads an effort to bring MITRE ATT&CK Evaluations to ICS security vendors providing anomaly and threat detection solutions. He advocates for network and host visibility in operational technology environments to increase the situational awareness of defenders.

What's New with ATTACK for ICS?

MITRE - ATT&CKcon

From MITRE ATT&CKcon Power Hour December 2020 By Katie Nickels, Director of Intelligence, Red Canary Good analysts (and good human beings) change their minds based on new information. In this presentation, Katie will share how her perspectives on ATT&CK have changed since moving from ATT&CK team member to ATT&CK end-user. She will discuss how her ideas about coverage, procedures, and detection creation have evolved and why those perspectives matter. Katie will also share practical examples from observed threats to help explain the nuances of her perspectives. Attendees should expect to leave this presentation with a better understanding of how to handle challenges they’re likely to face when navigating their own ATT&CK journey.

From Theory to Practice: How My ATTACK Perspectives Have Changed

MITRE - ATT&CKcon

From MITRE ATT&CKcon Power Hour November 2020 By: Jamie Williams, Lead Cyber Adversarial Engineer, MITRE Mike Hartley, Lead Cybersecurity Engineer, MITRE In this presentation from the MITRE ATT&CKcon Power Hour session on November 12, 2020 Jamie Williams and Mike Hartley from MITRE discuss the process for merging PRE-ATT&CK and adding two new tactics to Enterprise ATT&CK – Reconnaissance and Resource Development.

Putting the PRE into ATTACK

MITRE - ATT&CKcon

From MITRE ATT&CKcon Power Hour November 2020 By Anthony Randazzo, Global Response Lead, Expel The team at Expel has been migrating to the cloud for the last 10 years, but as usual, security has lagged behind. Which means we don't have a comprehensive detection and response framework for cloud like we do with the Enterprise ATT&CK matrix. Cloud has evolved into a complex beast as technologies and concepts – like Infrastructure As Code, Containers, Kubernetes and so forth – have emerged. These new attack surfaces have been added that introduce additional challenges to detection and response in our cloud environments. We don't know what we don't know about attack life cycles in the cloud. In this presentation from the MITRE ATT&CKcon Power Hour session on November 12, 2020, Anthony shares some interesting lessons learned so far when it comes to finding bad guys in the cloud.

ATTACKing the Cloud: Hopping Between the Matrices

MITRE - ATT&CKcon

From MITRE ATT&CKcon Power Hour November 2020 By Allie Mellen, Security Strategist, Office of the CSO, Cybereason In this presentation from the MITRE ATT&CKcon Power Hour session on November 12, Allie discusses how the Cybereason research team uses both MITRE ATT&CK and MITRE ATT&CK for Mobile to map and communicate new malware to the larger security community. Teams use the MITRE ATT&CK framework to share techniques, tactics, and procedures with their team and the community at large. This knowledge base has been incredibly beneficial for the development of specific threat models and methodologies in the private sector, in government, and in the cybersecurity product and service community. Many of these uses have centered around traditional endpoints like laptops and workstations. However, the MITRE ATT&CK team has also created a cutting-edge portion of their framework: MITRE ATT&CK for Mobile. One of the most recent pieces of malware they have found is EventBot, a mobile banking trojan that targets Android devices and the financial services applications on them, including popular apps like Paypal Business, Revolut, Barclays, UniCredit, CapitalOne UK, HSBC UK, Santander UK, TransferWise, Coinbase, paysafecard, and many more. In this talk, learn about this specific attack, intended targets, a timeline of the attack, and the MITRE ATT&CK for Mobile mapping. Learn why the Cybereason team map to MITRE ATT&CK and MITRE ATT&CK for Mobile and what benefits it has given them and their interactions with the community.

Mapping the EventBot Mobile Banking Trojan with MITRE ATTACK for Mobile

MITRE - ATT&CKcon

From MITRE ATT&CKcon Power Hour October 2020 By Matan Hart, Co-Founder & CEO Cymptom @machosec Adversary emulation is commonly used to validate security controls and is considered one of the most popular use-cases for the ATT&CK framework. However, emulating adversary TTPs on production environments is often very limited in testing scope and frequency, and such practice may cause unwanted business disruption. In this talk from the MITRE ATT&CKcon Power Hour session on October 9, 2020, Hart presents a different approach to testing controls against ATT&CK. He demonstrates how it is possible to provide data-based methods to evaluate the exploitability of ATT&CK techniques by gathering information from the network, endpoint, and services; this unique approach does not emulate any sort of malicious action, thus reducing the potential of causing business disruption to the minimum. Hart also outlines a new open-source guideline based on ATT&CK mitigations, that security teams can use to assess their security posture non-intrusively and at scale.

Transforming Adversary Emulation Into a Data Analysis Question

MITRE - ATT&CKcon

From MITRE ATT&CKcon Power Hour October 2020 By Jen Burns, Lead Cybersecurity Engineer, MITRE, @snarejen Jen Burns is a Lead Cybersecurity Engineer at MITRE and the Lead for MITRE ATT&CK® for Cloud. She’s also a red team developer and lead for ATT&CK Evaluations, using her skills in software engineering and adversary emulation. Previously, she was a tech lead at HubSpot on the Infrastructure Security team where she focused on red teaming and building detections in the cloud environment. This presentation is from the MITRE ATT&CKcon Power Hour session held on October 9, 2020.

What's New with ATTACK for Cloud?

MITRE - ATT&CKcon

From MITRE ATT&CKcon Power Hour - October By Brian Donohue, Security Evangelist, Red Canary, @thebriandonohue In early 2018, Red Canary adopted MITRE ATT&CK as the common language that they would use to categorize threats, measure detection coverage, and communicate about malicious behaviors. In the intervening years, they’ve relied on the framework to develop open source tools like Atomic Red Team and help security teams prioritize their defensive efforts with blogs and our annual Threat Detection Report. In early 2020, MITRE announced that ATT&CK would be expanding its original taxonomy of tactics and techniques to include sub-techniques. In the months that followed MITRE's announcement, Red Canary’s research, intelligence, and detection engineering teams painstakingly remapped their library of thousands of behavioral analytics to sub-techniques. In doing so, they improved their correlational logic, experimented with the idea of conditional technique mapping, and, unfortunately, rendered the 2020 Threat Detection Report out-of-date. In this talk from the MITRE ATT&CKcon Power Hour session on October 9, 2020, Brian discusses how refactoring for sub-techniques offered us the opportunity to apply all the lessons learned in more than two years of operationalizing ATT&CK. He also explores how Red Canary has remodeled its ATT&CK mapping to allow for added flexibility and human input and shows what happens when the Red Canary applied their new sub-technique mappings to the 2020 Threat Detection Report.

Starting Over with Sub-Techniques

MITRE - ATT&CKcon

MITRE ATT&CKcon 2.0: Lessons in Purple Team Testing with MITRE ATT&CK; Daniel...

MITRE - ATT&CKcon

MITRE ATT&CKcon 2.0: Keynote Address - The Friends We Made Along the Way; Ton...

MITRE - ATT&CKcon

MITRE ATT&CKcon 2.0: Prioritizing Data Sources for Minimum Viable Detection; ...

MITRE - ATT&CKcon

MITRE ATT&CKcon 2.0: Alertable Techniques for Linux Using ATT&CK; Tony Lamber...

MITRE - ATT&CKcon

MITRE ATT&CKcon 2.0: ATT&CK Coverage Assessment from a Data Perspective; Olaf...

MITRE - ATT&CKcon

More from MITRE - ATT&CKcon (19)

ATTACKers Think in Graphs: Building Graphs for Threat Intelligence

State of the ATTACK

ATTACK-Onomics: Attacking the Economics Behind Techniques Used by Adversaries

Measure What Matters: How to Use MITRE ATTACK to do the Right Things in the R...

MITRE ATTACKcon Power Hour - January

Using ATTACK to Create Cyber DBTS for Nuclear Power Plants

What's New with ATTACK for ICS?

From Theory to Practice: How My ATTACK Perspectives Have Changed

Putting the PRE into ATTACK

ATTACKing the Cloud: Hopping Between the Matrices

Mapping the EventBot Mobile Banking Trojan with MITRE ATTACK for Mobile

Transforming Adversary Emulation Into a Data Analysis Question

What's New with ATTACK for Cloud?

Starting Over with Sub-Techniques

MITRE ATT&CKcon 2.0: Lessons in Purple Team Testing with MITRE ATT&CK; Daniel...

MITRE ATT&CKcon 2.0: Keynote Address - The Friends We Made Along the Way; Ton...

MITRE ATT&CKcon 2.0: Prioritizing Data Sources for Minimum Viable Detection; ...

MITRE ATT&CKcon 2.0: Alertable Techniques for Linux Using ATT&CK; Tony Lamber...

MITRE ATT&CKcon 2.0: ATT&CK Coverage Assessment from a Data Perspective; Olaf...

Recently uploaded

CNIC Information System with Pakdata Cf In Pakistan

danishmna97

How to Troubleshoot Apps for the Modern Connected Worker

ThousandEyes

Three things you will take away from the session: • How to run an effective tenant-to-tenant migration • Best practices for before, during, and after migration • Tips for using migration as a springboard to prepare for Copilot in Microsoft 365 Main ideas: Migration Overview: The presentation covers the current reality of cross-tenant migrations, the triggers, phases, best practices, and benefits of a successful tenant migration Considerations: When considering a migration, it is important to consider the migration scope, performance, customization, flexibility, user-friendly interface, automation, monitoring, support, training, scalability, data integrity, data security, cost, and licensing structure Next Wave: The next wave of change includes the launch of Copilot, which requires businesses to be prepared for upcoming changes related to Copilot and the cloud, and to consolidate data and tighten governance ShareGate: ShareGate can help with pre-migration analysis, configurable migration tool, and automated, end-user driven collaborative governance

Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff

sammart93

AWS Community Day CPH - Three problems of Terraform

Andrey Devyatkin

Architecting Cloud Native Applications

WSO2

Scaling API-first – The story of a global engineering organization Ian Reasor, Senior Computer Scientist - Adobe Radu Cotescu, Senior Computer Scientist - Adobe Apidays New York 2024: The API Economy in the AI Era (April 30 & May 1, 2024) ------ Check out our conferences at https://www.apidays.global/ Do you want to sponsor or talk at one of our conferences? https://apidays.typeform.com/to/ILJeAaV8 Learn more on APIscene, the global media made by the community for the community: https://www.apiscene.io Explore the API ecosystem with the API Landscape: https://apilandscape.apiscene.io/

Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe

apidays

ICT role in 21st century education and its challenges

rafiqahmad00786416

Effective data discovery is crucial for maintaining compliance and mitigating risks in today's rapidly evolving privacy landscape. However, traditional manual approaches often struggle to keep pace with the growing volume and complexity of data. Join us for an insightful webinar where industry leaders from TrustArc and Privya will share their expertise on leveraging AI-powered solutions to revolutionize data discovery. You'll learn how to: - Effortlessly maintain a comprehensive, up-to-date data inventory - Harness code scanning insights to gain complete visibility into data flows leveraging the advantages of code scanning over DB scanning - Simplify compliance by leveraging Privya's integration with TrustArc - Implement proven strategies to mitigate third-party risks Our panel of experts will discuss real-world case studies and share practical strategies for overcoming common data discovery challenges. They'll also explore the latest trends and innovations in AI-driven data management, and how these technologies can help organizations stay ahead of the curve in an ever-changing privacy landscape.

TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery

TrustArc

Sidekick Solutions uses Bonterra Impact Management (fka Social Solutions Apricot) and automation solutions to integrate data for business workflows. We believe integration and automation are essential to user experience and the promise of efficient work through technology. Automation is the critical ingredient to realizing that full vision. We develop integration products and services for Bonterra Case Management software to support the deployment of automations for a variety of use cases. This video focuses on the deployment of external web forms using Jotform for Bonterra Impact Management. This solution can be customized to your organization’s needs and deployed to support the common use cases below: - Intake and consent - Assessments - Surveys - Applications - Program registration Interested in deploying web form automations for Bonterra Impact Management? Contact us at sales@sidekicksolutionsllc.com to discuss next steps.

Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...

Jeffrey Haguewood

EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER

MadyBayot

Exploring Multimodal Embeddings with Milvus

Zilliz

Keynote 2: APIs in 2030: The Risk of Technological Sleepwalk Paolo Malinverno, Growth Advisor - The Business of Technology Apidays New York 2024: The API Economy in the AI Era (April 30 & May 1, 2024) ------ Check out our conferences at https://www.apidays.global/ Do you want to sponsor or talk at one of our conferences? https://apidays.typeform.com/to/ILJeAaV8 Learn more on APIscene, the global media made by the community for the community: https://www.apiscene.io Explore the API ecosystem with the API Landscape: https://apilandscape.apiscene.io/

Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...

apidays

Tracing the root cause of a performance issue requires a lot of patience, experience, and focus. It’s so hard that we sometimes attempt to guess by trying out tentative fixes, but that usually results in frustration, messy code, and a considerable waste of time and money. This talk explains how to correctly zoom in on a performance bottleneck using three levels of profiling: distributed tracing, metrics, and method profiling. After we learn to read the JVM profiler output as a flame graph, we explore a series of bottlenecks typical for backend systems, like connection/thread pool starvation, invisible aspects, blocking code, hot CPU methods, lock contention, and Virtual Thread pinning, and we learn to trace them even if they occur in library code you are not familiar with. Attend this talk and prepare for the performance issues that will eventually hit any successful system. About authorWith two decades of experience, Victor is a Java Champion working as a trainer for top companies in Europe. Five thousands developers in 120 companies attended his workshops, so he gets to debate every week the challenges that various projects struggle with. In return, Victor summarizes key points from these workshops in conference talks and online meetups for the European Software Crafters, the world’s largest developer community around architecture, refactoring, and testing. Discover how Victor can help you on victorrentea.ro : company training catalog, consultancy and YouTube playlists.

Finding Java's Hidden Performance Traps @ DevoxxUK 2024

Victor Rentea

Corporate and higher education. Two industries that, in the past, have had a clear divide with very little crossover. The difference in goals, learning styles and objectives paved the way for differing learning technologies platforms to evolve. Now, those stark lines are blurring as both sides are discovering they have content that’s relevant to the other. Join Tammy Rutherford as she walks through the pros and cons of corporate and higher ed collaborating. And the challenges of these different technology platforms working together for a brighter future.

Corporate and higher education May webinar.pptx

Rustici Software

MS Copilot expands with MS Graph connectors

Nanddeep Nachan

Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood

Juan lago vázquez

Join our latest Connector Corner webinar to discover how UiPath Integration Service revolutionizes API-centric automation in a 'Quote to Cash' process—and how that automation empowers businesses to accelerate revenue generation. A comprehensive demo will explore connecting systems, GenAI, and people, through powerful pre-built connectors designed to speed process cycle times. Speakers: James Dickson, Senior Software Engineer Charlie Greenberg, Host, Product Marketing Manager

Connector Corner: Accelerate revenue generation using UiPath API-centric busi...

DianaGray10

Understanding the FAA Part 107 License ..

Christopher Logan Kennedy

Strategies for Landing an Oracle DBA Job as a Fresher

Remote DBA Services

Discover the innovative features and strategic vision that keep WSO2 an industry leader. Explore the exciting 2024 roadmap of WSO2 API management, showcasing innovations, unified APIM/APK control plane, natural language API interaction, and cloud native agility. Discover how open source solutions, microservices architecture, and cloud native technologies unlock seamless API management in today's dynamic landscapes. Leave with a clear blueprint to revolutionize your API journey and achieve industry success!

WSO2's API Vision: Unifying Control, Empowering Developers

WSO2

Recently uploaded (20)

CNIC Information System with Pakdata Cf In Pakistan

How to Troubleshoot Apps for the Modern Connected Worker

Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff

AWS Community Day CPH - Three problems of Terraform

Architecting Cloud Native Applications

Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe

ICT role in 21st century education and its challenges

TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery

Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...

EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER

Exploring Multimodal Embeddings with Milvus

Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...

Finding Java's Hidden Performance Traps @ DevoxxUK 2024

Corporate and higher education May webinar.pptx

MS Copilot expands with MS Graph connectors

Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood

Connector Corner: Accelerate revenue generation using UiPath API-centric busi...

Understanding the FAA Part 107 License ..

Strategies for Landing an Oracle DBA Job as a Fresher

WSO2's API Vision: Unifying Control, Empowering Developers

MITRE ATT&CKcon 2018: Detection Philosophy, Evolution & ATT&CK, Fred Stankowski & Travis McWaters

1. Detection Philosophy, Evolution & ATT&CK A BRIEF DISCUSSION AROUND HOW WE ARE MANAGING OUR ‘DETECTION CATALOG’ AND HOW IT MAPS TO AND IS ENHANCED BY THE ATT&CK FRAMEWORK Fred Stankowski & Travis McWaters

2. 2 Who are you? Cyber Threat Intelligence (CTI) Threat Detection Operations (TDO) Incident Response (IR) Attack Surface Management (ASM) Enterprise Incident Mgmt (EIM) Threat Detection Operations (TDO)

3. 3 Detection Philosophy Why you need a catalog • Historical Record • Knowledge Transfer • Work Management

8. 8 Example ADS entry Network - Suspicious Network Activity - SMB Worm Behavior Goal Detect SMB Worms by the firewall deny messages they generate Categorization These attempts are categorized as Scanning / Network Service Scanning (T1046) Strategy Abstract The strategy will function as follows: •Look for traffic blocked by the firewalls bound for destination port 445 •Count the number of destination hosts a source tried to reach •Validate the source is a Company asset, not external •Alert if the number of targets exceeds NNN in under MMM minutes Technical Context <...> • Blind Spots and Assumptions • False Positives • Validation • Priority • Response

9. 9 Lessons Learned Nomenclature Matters Use a code repo sooner Good docs mitigate attrition pains

MITRE ATT&CKcon 2018: Detection Philosophy, Evolution & ATT&CK, Fred Stankowski & Travis McWaters

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Similar to MITRE ATT&CKcon 2018: Detection Philosophy, Evolution & ATT&CK, Fred Stankowski & Travis McWaters

Similar to MITRE ATT&CKcon 2018: Detection Philosophy, Evolution & ATT&CK, Fred Stankowski & Travis McWaters (20)

More from MITRE - ATT&CKcon

More from MITRE - ATT&CKcon (19)

Recently uploaded

Recently uploaded (20)

MITRE ATT&CKcon 2018: Detection Philosophy, Evolution & ATT&CK, Fred Stankowski & Travis McWaters