MITRE ATT&CKcon 2.0: Prioritizing Data Sources for Minimum Viable Detection; Keith McCammon, Red Canary

•

8 j'aime•2,812 vues

MITRE - ATT&CKcon

Technologie

▪ Mean streets of Northern Virginia
▪ “The Government”
▪ Red Canary
Keith McCammon
@kwm
Presenter
There is no photo.
I’m right here :)

Y O U R S E C U R I T Y A L L Y
Y O U R S E C U R I T Y A L L Y
Y O U R S E C U R I T Y A L L Y
To learn how you can prioritize collection of ATT&CK data
sources, use this information to inform technology
selection, and ultimately build a strong foundation for
your detection engineering program.
Why we’re here
> > > > >
> > > > >
> > > > >
> > > > >
> > > > >

Detection Engineering
DATA
Am I collecting the
right data to detect,
investigate, and
respond effectively
to threats?
ANALYTICS
Am I asking the right
questions of the
data that I have?
DETECTION
Do I have the
process, context,
and expertise that I
need to answer the
questions that I’ve
asked?

“We can’t detect what we can’t see.”
ATT&CK Data Sources useful for:
● Assigning value to tools, data
● Measuring progress, coverage

Olaf Hartong
▪ sysmon-modular
▪ ThreatHunting
Roberto & Jose Luis Rodriguez
▪ hunters-forge / ATTACK-Python Client
▪ Hunters ATT&CKing
The ATT&CK Team
Obligatory Nods

CONCEPT
Minimum Viable Detection
Being in a position to detect most threats,
most of the time.

Not where you want to end up . . .
. . . but a great way to think about how
you start.

Words to Live By (At Work)
MAXIMIZE
COVERAGE
MINIMIZE
COMPLEXITY
OPTIMIZE
FOR
ANSWERS

BACKGROUND
Data Sources: The linchpin
of ATT&CK

▪ 50 data sources
▪ One or more per each of the 240 ATT&CK (Enterprise)
techniques
About the ATT&CK Data Sources

▪ 50 59 data sources
▪ One or more per each of the 240 265 ATT&CK (Enterprise)
techniques
About the ATT&CK Data Sources

Useful for understanding how we
observe a given technique

▪ Do you need one or all data sources to properly
observe a technique?
▪ Data sources are not clearly defined.
Nits

PRIORITIZING DATA SOURCES
Where do we start?

1. Understanding prevalence
2. Focus on a class of data or product
3. Differentiate within a class of data / product
4. Coverage based on operational data,
insights
The stages of grief

PRIORITIZING DATA SOURCES
Understanding prevalence

https://github.com/keithmccammon/python-attack-utils
Step 1: ./attack.py --dump-metadata
Step 2: Excel :)
Alternatively: hunters-force/ATTACK-Python-Client
Determining Prevalence

PRIORITIZING DATA SOURCES
Focus on a class of data or product

PRIORITIZING DATA SOURCES
Differentiate within a class of data /
product

https://github.com/keithmccammon/python-attack-utils
./attack.py --match-data-source <filename>
Techniques by Data Source
Visibility Protection
Process command-line parameters
Process monitoring
Binary file metadata
DLL monitoring
File monitoring
Loaded DLLs
Process use of network
Process command-line parameters
Process monitoring

PRIORITIZING DATA SOURCES
Operational context
Less a data source thing. Critically important.

WHAT OTHERS ARE SAYING
“Everyone in this room should be
sharing confirmed threat data based on
ATTACK™.”
~ Me. I made this up. Still a valid point . . .

One more time . . .
MAXIMIZE
COVERAGE
MINIMIZE
COMPLEXITY
OPTIMIZE
FOR
ANSWERS

FEEDBACK, QUESTIONS, ROTTEN TOMATOES
Thank you!
@kwm

Contenu connexe

Tendances

From ATT&CKcon 3.0 By Jared Stroud, Lacework Adversaries target common cloud misconfigurations in container-focused workflows for initial access. Whether this is Docker or Kubernetes environments, Lacework Labs has identified adversaries attempting to deploy malicious container images (T1610) , mine Cryptocurrency (T1496), and deploy C2 agents. Defenders new to the container space may be unaware of the built-in capabilities popular container runtime engines have that can help defend against rogue containers being deployed into their environment. Attendees will walk away with an understanding of what these attack patterns look like based on honeypot data Lacework has gathered over the past year, as well as techniques on how to defend their own container focused workloads.

ATT&CKING Containers in The Cloud

MITRE ATT&CK

Introduction to MITRE ATT&CK

Arpan Raval

From MITRE ATT&CKcon Power Hour January 2021 By Adam Pennington, ATT&CK Lead, MITRE Adam leads ATT&CK at The MITRE Corporation and collected much of the intelligence leveraged in creating ATT&CK’s initial techniques. He has spent much of his 12 years with MITRE studying and preaching the use of deception for intelligence gathering. Prior to joining MITRE, Adam was a researcher at Carnegie Mellon’s Parallel Data Lab and earned his BS and MS degrees in Computer Science and Electrical and Computer Engineering as well as the 2017 Alumni Service Award from Carnegie Mellon University. Adam has presented and published in a number of venues including FIRST CTI, USENIX Security and ACM Transactions on Information and System Security.

State of the ATTACK

MITRE - ATT&CKcon

From ATT&CKcon 3.0 By Fred Frey and Jonathan Mulholland, SnapAttack Atomic Red Team and Sigma are the largest open-source attack simulation and analytic projects. Many organizations utilize one or both internally for security controls validation or supplementing their detections and alerts. Building on the work from these two great communities, we smashed (scientific-term) the attacks and analytics together and applied data science to analyze the results. We'll describe our methodology and testing framework, show the real-world MITRE ATT&CK coverage and gaps, discuss our algorithms for calculating analytic similarity, identifying log sources for a technique, and determining the best analytics to deploy that maximizes ATT&CK coverage. This project aims to: - Bring a measurable testing rigor to community analytics to improve adoption - Test every analytic against every attack, validating the true positive detection - Understand the log sources required to detect specific attack techniques - Apply data science to identify analytic similarity (reduce community duplication) - Identify gaps between the projects' analytics without attack simulations; attack simulations without detections; missing or incorrect MITRE ATT&CK labels, etc - Automate the process so insights can stay up to date with new attack/analytic contributions over time - Share our analysis back to the community to improve these projects

ATT&CKing the Red/Blue Divide

MITRE ATT&CK

Putting MITRE ATT&CK into Action with What You Have, Where You Are

Katie Nickels

From ATT&CKcon 3.0 By Jason Wood and Justin Swisher, CrowdStrike When it comes to understanding and tracking intrusion tradecraft, security teams must have the tools and processes that allow the mapping of hands-on adversary tradecraft. Doing this enables your team to both understand the adversaries and attacks you currently see and observe how these adversaries and attacks evolve over time. This session will explore how a threat hunting team uses MITRE ATT&CK to understand and categorize adversary activity. The team will demonstrate how threat hunters map ATT&CK TTPs by showcasing a recent interactive intrusion against a Linux endpoint and how the framework allowed for granular tracking of tradecraft and enhanced security operations. They will also take a look into the changes in the Linux activity they have observed over time, using the ATT&CK navigator to compare and contrast technique usage. This session will provide insights into how we use MITRE ATT&CK as a powerful resource to track intrusion tradecraft, identify adversary trends, and prepare for attacks of the future.

Mapping to MITRE ATT&CK: Enhancing Operations Through the Tracking of Interac...

MITRE ATT&CK

From ATT&CKcon 3.0 By Santiago Pontiroli and Dmitry Bestuzhev, Kaspersky Financially motivated cyber-attacks thrive in emerging Latin American markets. However, there's room for locally grown threat actors operating in the cyber espionage field as well. During the last decade, this includes but is not limited to Blind Eagle, Puppeteer, Machete, Poseidon, and others. We also saw foreign operations targeting specific assets in Latin America, still connected to certain regional sources. Since the threat actors' origin, culture, and language is often different, it's not uncommon for tactics, techniques, and procedures (TTPs) to present marked differences. As a result of our regional expertise and experience, we created MITRE's ATT&CK play-by-play mappings to help other analysts understand regional actors. If you are interested in threat intelligence and what's going on in Latin America, this presentation is for you. Our work is based only on real-world attackers and their operations, including those not publicly known, such as COVID-19 Machete's targeted campaign.

The ATT&CK Latin American APT Playbook

MITRE ATT&CK

Many organizations and managed security providers are starting to move from SIEM, Security Information and Event Management, to EDR, Endpoint Detection and Response. The problem is this may not be the best decision for your organization. These technologies are similar but fundamentally different. This presentation also shares innovating ways to use your SIEM to catch the bad guys as well as learn some simple tricks for easing the burden of SIEM management.

EDR vs SIEM - The fight is on

Justin Henderson

Cyber Threat Hunting Workshop

Digit Oktavianto

Role of Forensic Triage In Cyber Security Trends 2021

Amrit Chhetri

From MITRE ATT&CKcon Power Hour - October By Brian Donohue, Security Evangelist, Red Canary, @thebriandonohue In early 2018, Red Canary adopted MITRE ATT&CK as the common language that they would use to categorize threats, measure detection coverage, and communicate about malicious behaviors. In the intervening years, they’ve relied on the framework to develop open source tools like Atomic Red Team and help security teams prioritize their defensive efforts with blogs and our annual Threat Detection Report. In early 2020, MITRE announced that ATT&CK would be expanding its original taxonomy of tactics and techniques to include sub-techniques. In the months that followed MITRE's announcement, Red Canary’s research, intelligence, and detection engineering teams painstakingly remapped their library of thousands of behavioral analytics to sub-techniques. In doing so, they improved their correlational logic, experimented with the idea of conditional technique mapping, and, unfortunately, rendered the 2020 Threat Detection Report out-of-date. In this talk from the MITRE ATT&CKcon Power Hour session on October 9, 2020, Brian discusses how refactoring for sub-techniques offered us the opportunity to apply all the lessons learned in more than two years of operationalizing ATT&CK. He also explores how Red Canary has remodeled its ATT&CK mapping to allow for added flexibility and human input and shows what happens when the Red Canary applied their new sub-technique mappings to the 2020 Threat Detection Report.

Starting Over with Sub-Techniques

MITRE - ATT&CKcon

Purple Teaming with ATT&CK - x33fcon 2018

Christopher Korban

From MITRE ATT&CKcon Power Hour December 2020 By Hieu Tran, Threat Detection Team Lead FPT Cybersecurity Division No matter how sophisticated and thorough your security precautions may be, you cannot assume your security measures are impenetrable. This is why you need a threat hunting program in place. But how can we implement a proper threat hunting program and run it efficiently? In this talk, we will uncover how to sharpen your threat hunting strategy by leveraging ATT&CK. Ultimately, we’ll be demonstrating how effectively employing the hunting methodology in the real-world battlefield, fighting against well-known cyber espionage actors who strongly focus on Southeast Asian countries like Vietnam, the Philippines, Laos, and Cambodia.

Sharpening your Threat-Hunting Program with ATTACK Framework

MITRE - ATT&CKcon

Offensive security and Ethical Hacking is about providing business value. One of the most efficient and effective ways to improve security is through Adversary Emulation Purple Team Exercises. Adversary Emulation is a type of ethical hacking engagement where the Red Team emulates how an adversary operates, leveraging the same tactics, techniques, and procedures (TTPs), against a target organization. The goal of these engagements is to train and improve people, process, and technology. This is in contrast to a penetration test that focuses on testing technology and preventive controls. Adversary emulations are performed using a structured approach following industry methodologies and frameworks (such as MITRE ATT&CK) and leverage Cyber Threat Intelligence to emulate a malicious actor that has the opportunity, intent, and capability to attack the target organization. Adversary Emulations may be performed in a blind manner (Red Team Engagement) or non-blind (Purple Team) with the Blue Team having full knowledge of the engagement. In this talk, we will cover how to run a high-value adversary emulation through a Purple Team Exercise. https://www.scythe.io/library/threatthursday-apt33

Purple Team Exercises - GRIMMCon

Jorge Orchilles

PowerShell for Practical Purple Teaming

Nikhil Mittal

PHDays 2018 Threat Hunting Hands-On Lab

Teymur Kheirkhabarov

Threat Hunting with Splunk Hands-on

Splunk

Automation: The Wonderful Wizard of CTI (or is it?)

MITRE ATT&CK

How MITRE ATT&CK helps security operations

Sergey Soldatov

Introduction to red team operations

Sunny Neo

Tendances (20)

ATT&CKING Containers in The Cloud

Introduction to MITRE ATT&CK

State of the ATTACK

ATT&CKing the Red/Blue Divide

Putting MITRE ATT&CK into Action with What You Have, Where You Are

Mapping to MITRE ATT&CK: Enhancing Operations Through the Tracking of Interac...

The ATT&CK Latin American APT Playbook

EDR vs SIEM - The fight is on

Cyber Threat Hunting Workshop

Role of Forensic Triage In Cyber Security Trends 2021

Starting Over with Sub-Techniques

Purple Teaming with ATT&CK - x33fcon 2018

Sharpening your Threat-Hunting Program with ATTACK Framework

Purple Team Exercises - GRIMMCon

PowerShell for Practical Purple Teaming

PHDays 2018 Threat Hunting Hands-On Lab

Threat Hunting with Splunk Hands-on

Automation: The Wonderful Wizard of CTI (or is it?)

How MITRE ATT&CK helps security operations

Introduction to red team operations

Similaire à MITRE ATT&CKcon 2.0: Prioritizing Data Sources for Minimum Viable Detection; Keith McCammon, Red Canary

MITRE ATTACKcon Power Hour - October

MITRE - ATT&CKcon

Embracing Threat Intelligence and Finding ROI in Your Decision

Cylance

We’ll be exploring some of the more advanced capabilities of Phantom and also discussing the security framework from MITRE “ATT&CK” and it’s valued use when integrating it with Splunk Enterprise! We’ll also have two SplunkTrust members available for some general Q&A in our own ‘Meet the Experts’. - Splunk Phantom Workbook Automation - SOAR (Security Orchestration, Automation & Response) -- Tom Wise (Phantom Security Solutions Engineer & Trainer) - Threat Hunting, Or: How I Learned to Stop Worrying & Love ATT&CK -- Cian Heasley / Fraser Dumayne (Security Engineers) - Meet the Experts with SplunkTrust -- Harry McLaren (Senior Splunk Consultant) -- Tom Wise (Splunk Consultant, Phantom Security Solutions Engineer & Trainer)

Virtual Splunk User Group - Phantom Workbook Automation & Threat Hunting with...

Harry McLaren

Top 25 location R&D Hardware

CEB TalentNeuron

Putting the Human Back in the Loop for Analysis

Andy Piazza

Are you maximizing your Service Manager and Cireson investment? Customer success is a core value at Cireson and we pride ourselves on providing an outstanding customer experience. This starts with the way both Service Manager and Cireson should be designed, implemented and used to meet your IT & business objectives. Join your System Center experts where they will present the benefits of a Health Check as tackling some of the biggest questions in Service Manager.

Service Manager and Cireson Health Check

Cireson

This is a presentation I delivered to the Irish Computer Society Data Protection Conference in February 2011 and again on a webinar for dataqualitypro.com in March 2011. It looks (for what I believe was the first time) at the relationship between Information Quality and Data Governance principles and practices and the objectives of Data Protection/Privacy compliance. it includes my first version of the mapping of the 8 Data Protection principles to the POSMAD Information Life Cycle referred to by McGilvray and others in the IQ/DQ fields.

From Asset to Impact - Presentation to ICS Data Protection Conference 2011

Castlebridge Associates

MITRE ATTACKcon Power Hour - January

MITRE - ATT&CKcon

Improving Findability through Site Search Analytics

Louis Rosenfeld

Data quality and data profiling

Shailja Khurana

Recruiting is arguably the HR function with highest visibility across every organization. Talent acquisition remains an ever-present concern for business leaders who risk declines in productivity if they can't fill their talent pipeline. To ensure success, HR teams need be vigilant about measuring the effectiveness of the hiring process. But that's easier said than done. While plenty of applicant tracking systems and other recruiting tools are set up to report on hiring activities, rates, and costs, they typically stop tracking applicants as soon as they're hired. Because of that crucial limitation—and because data about the long-term performance of the workforce inevitably lives in a vast array of disconnected systems—measuring the lasting impact of the recruiting process becomes a daunting, insurmountable task. Join workforce expert Ian Cook or this one-hour session to learn how talent acquisition teams can get past those hurdles to uncover insights from beyond their ATS that will help them: Discover which hiring activities improve quality of hire across the full employee lifecycle Optimize the recruiting process to target and hire candidates proven to have the best business impact over the long term Create more accurate hiring plans that draw on historical rates for turnover and hiring success Choose the right mix of FTE, agency, and RPO recruiting by comparing costs over time for each option

Recruiting Analytics: What Your ATS Won't Tell You

Human Capital Media

Root cause analysis

Krishnan Lakshmi Narayanan

What Managers Need to Know about Data Science

Annie Flippo

Why are Command and Control (C&C) communications so significant to detecting advanced threats and how should you go about detecting them? We’ll discuss the various pitfalls of the traditional methods of detecting C&C and specifically those currently based on machine learning. Machine Learning must be structured, designed and delivered in exactly the right way to deliver impact for detection of advanced threats. The session will introduce our approach, which has significantly improved both detection rates and efficiency. We’ll discuss several test cases and the lessons we’ve learned over time. Learning Outcomes: Learn why Command and Control monitoring is the key to detecting advanced threats Uncover pitfalls of the current approaches to C&C detection Understand Machine Learning and it's role in detecting malicious activity Understand the potential dangers of the wrong machine learning approach Learn about the impact a new supervised learning approach can have – in both theory and practice

InfoSecurity Europe 2017 - On The Hunt for Advanced Attacks? C&C Channels are...

Moshe Zioni

Many believe that regression testing an application with minimal data is sufficient. With big data applications, the data testing methodology becomes far more complex. Testing can now be done within the data fabrication process as well as in the data delivery process. Today, comprehensive testing is often mandated by regulatory agencies—and more importantly by customers. Finding issues before deployment and saving your company’s reputation—and in some cases preventing litigation—are critical. Jason Rauen presents an overview of the architecture, processes, techniques, and lessons learned by an original big data company. Detecting defects up-front is vital. Learn how to test thousands, millions, and in some cases billions—yes, billions—of records directly, rendering sampling procedures obsolete. Save time and money for your organization with better data test coverage than ever before.

Become a Big Data Quality Hero

TechWell

ATT&CK is an incredibly valuable framework for describing and analyzing what’s happening in your environment. Sometimes security professionals not only need a way to understand, but also need a way to clearly articulate to non-security leadership to gain support and investment in needed resourcing. Using UX design methods, CrowdStrike came up with a mental model and more conversational terms to help anyone quickly parse the big picture.

MITRE ATT&CKcon 2018: Helping Your Non-Security Executives Understand ATT&CK ...

MITRE - ATT&CKcon

Ellicium Solutions - Making Data Science Work

Ellicium Solutions Inc.

From ATT&CKcon 4.0 By Lauren Brennan, GuidePoint Security Evaluating the maturity of your security operations program can be complex and challenging. From choosing the right framework to use, to understanding all aspects of how people, processes, and technologies can cohesively operate to grow your SOC, evaluating your security operations is crucial. This presentation will discuss how to evaluate your security operations program using the MITRE ATT&CK framework and talk about best practices for evaluations. We will explore how to identify gaps in your operations and improve your overall security posture with foundational activities. Attendees can expect to learn practical tips for leveraging the MITRE framework as well as actionable takeaways for evaluating and improving their own security operations.

Grow Up! Evaluating and Maturing Your SOC using MITRE ATT&CK

MITRE ATT&CK

Data loss is considered by security experts to be one of the most serious threats that businesses currently face. Maintaining the confidentiality of personal information and data is an essential factor in operating a successful business. People must be able to trust that their service provider takes the appropriate measures to implement security controls that will ultimately protect their privacy. However, some of the largest and most reputable organizations have fallen victim to data loss security breaches resulting in significant legal, financial, and reputation loss, including [1]: The Bank of America: Losing the personal employee information of over one million employees The United States Government: Losing data related to the military Heartland Payment Systems: Transferring credit card information and other personal records of over 130 million customers In 2013, it was estimated that data breaches had resulted in the exploitation of over 800 million personal records [2]. This number is also expected to rise over the next several years given the advanced tools that cybercriminals use to steal information and data. Interestingly, it is not just cybercriminals who represent a threat as: 64% of data loss is caused by well-meaning insiders. 50% of employees leave with data. $3.5 million average cost of a security breach. Considering these extensive data breaches, it is practical for organizations to understand where their critical data is located and understanding current security controls that can stop data loss. Data Loss Prevention (DLP) solutions locate critical and personal data for organizations and help prevent data loss. By having a deeper understanding of efficient DLP security controls, you will help protect the reputation of your organization. For more information contact: rkopaee@riskview.ca https://www.threatview.ca http://www.riskview.ca

Data Loss Prevention

Reza Kopaee

The data revolution is well underway. Regardless of the industry or department you manage, working with data will soon be an essential part of all of our jobs, if it isn’t already. This could take the form of basic data analytics, data science, machine learning or artificial intelligence. This can be overwhelming: what do all these terms mean and how can they be leveraged to impact your employees’ work, whether that be in finance, healthcare, tech or the public sector, among many others? This webinar will give you a primer for understanding how data can impact your employees’ work, what they need to know and how to go about educating them on it.

What your employees need to learn to work with data in the 21 st century

Human Capital Media

Similaire à MITRE ATT&CKcon 2.0: Prioritizing Data Sources for Minimum Viable Detection; Keith McCammon, Red Canary (20)

MITRE ATTACKcon Power Hour - October

Embracing Threat Intelligence and Finding ROI in Your Decision

Virtual Splunk User Group - Phantom Workbook Automation & Threat Hunting with...

Top 25 location R&D Hardware

Putting the Human Back in the Loop for Analysis

Service Manager and Cireson Health Check

From Asset to Impact - Presentation to ICS Data Protection Conference 2011

MITRE ATTACKcon Power Hour - January

Improving Findability through Site Search Analytics

Data quality and data profiling

Recruiting Analytics: What Your ATS Won't Tell You

Root cause analysis

What Managers Need to Know about Data Science

InfoSecurity Europe 2017 - On The Hunt for Advanced Attacks? C&C Channels are...

Become a Big Data Quality Hero

MITRE ATT&CKcon 2018: Helping Your Non-Security Executives Understand ATT&CK ...

Ellicium Solutions - Making Data Science Work

Grow Up! Evaluating and Maturing Your SOC using MITRE ATT&CK

Data Loss Prevention

What your employees need to learn to work with data in the 21 st century

Plus de MITRE - ATT&CKcon

From MITRE ATT&CKcon Power Hour January 2021 By Gert-Jan Bruggink, Defensive Specialist, FalconForce Adversaries are humans as well. They have objectives, deadlines and resources for programming. In a sense, very similar to corporations grounded in the economics of effort vs time vs results. Now understanding techniques is one thing, taking it a step further and understanding what the economic impact is of using certain techniques is another. Developing tools takes time. For example, developing a custom process injection module might take days or weeks to develop, where using an open source tool could prevent extensive development costs incurred. This talk explores the economic considerations for defending against techniques used by adversaries. It explores fundamental considerations all referenced to MITRE’s ATT&CK framework. The objective of this talk is to inspire defensive strategies designed to impact cost incurred by adversaries to perform compromises.

ATTACK-Onomics: Attacking the Economics Behind Techniques Used by Adversaries

MITRE - ATT&CKcon

From MITRE ATT&CKcon Power Hour January 2021 By Daniel Wyleczuk-Stern, Senior Security Engineer, Snowflake Cyber security is inherently a function of risk management. Risk management is the identification, evaluation, and prioritization of risks followed by the effort to reduce those risks in a coordinated and economical manner (thanks wikipedia!). In this talk, Daniel will be going over some strategies for measuring and prioritizing your cyber risks using MITRE ATT&CK. He'll discuss some lessons learned in atomic testing of techniques vs attack chaining as well as what to measure and how to make decisions with that data.

Measure What Matters: How to Use MITRE ATTACK to do the Right Things in the R...

MITRE - ATT&CKcon

From MITRE ATT&CKcon Power Hour December 2020 By Jacob Benjamin, Principal Industrial Consultant Dragos, INL, & University of Idaho Design Basis Threat (DBT) is concept introduced by the Nuclear Regulatory Commission (NRC). It is a profile of the type, composition, and capabilities of an adversary. DBT is the key input nuclear power plants use for the design of systems against acts of radiological sabotage and theft of special nuclear material. The NRC expects its licensees, nuclear power plants, to demonstrate that they can defend against the DBT. Currently, cyber is included in DBTs simply as a prescribed list of IT centric security controls. Using MITRE’s ATT&CK framework, Cyber DBTs can be created that are specific to the facility, its material, or adversary activities.

Using ATTACK to Create Cyber DBTS for Nuclear Power Plants

MITRE - ATT&CKcon

From MITRE ATT&CKcon Power Hour December 2020 By Valentina Palacín, Sr. Cyber Threat Intelligence Analyst No one can deny the tremendous impact that ATT&CK had on the cybersecurity industry, nor the usefulness of having a good Threat Library at your disposal. But the question Valentina gets asked over and over by people from small companies is always the same: “How could I leverage threat intelligence using ATT&CK with limited time and resources?” And so far, there hasn't been a good answer. That’s why she decided to come up with the Threat Mapping Catalogue (TMC), a tool that combines the power of the mappings already available in the ATT&CK website, TRAM and the ATT&CK Navigator, to better process, consume and incorporate new mappings while organizing them around different categories.

Helping Small Companies Leverage CTI with an Open Source Threat Mapping

MITRE - ATT&CKcon

From MITRE ATT&CKcon Power Hour December 2020 By Otis Alexander, Principal Cybersecurity Engineer, MITRE Otis Alexander is a Principal Cyber Security Engineer at the MITRE Corporation and has worked in the areas of security engineering and research, analytic development, and adversary modeling and emulation. Otis is a co-creator of ATT&CK for ICS and has been leading the project since its inception. He also leads an effort to bring MITRE ATT&CK Evaluations to ICS security vendors providing anomaly and threat detection solutions. He advocates for network and host visibility in operational technology environments to increase the situational awareness of defenders.

What's New with ATTACK for ICS?

MITRE - ATT&CKcon

From MITRE ATT&CKcon Power Hour December 2020 By Katie Nickels, Director of Intelligence, Red Canary Good analysts (and good human beings) change their minds based on new information. In this presentation, Katie will share how her perspectives on ATT&CK have changed since moving from ATT&CK team member to ATT&CK end-user. She will discuss how her ideas about coverage, procedures, and detection creation have evolved and why those perspectives matter. Katie will also share practical examples from observed threats to help explain the nuances of her perspectives. Attendees should expect to leave this presentation with a better understanding of how to handle challenges they’re likely to face when navigating their own ATT&CK journey.

From Theory to Practice: How My ATTACK Perspectives Have Changed

MITRE - ATT&CKcon

From MITRE ATT&CKcon Power Hour November 2020 By: Jamie Williams, Lead Cyber Adversarial Engineer, MITRE Mike Hartley, Lead Cybersecurity Engineer, MITRE In this presentation from the MITRE ATT&CKcon Power Hour session on November 12, 2020 Jamie Williams and Mike Hartley from MITRE discuss the process for merging PRE-ATT&CK and adding two new tactics to Enterprise ATT&CK – Reconnaissance and Resource Development.

Putting the PRE into ATTACK

MITRE - ATT&CKcon

From MITRE ATT&CKcon Power Hour November 2020 By Matt Snyder, Senior Threat Analytics Engineer, VMware The market for Security products is flooded with vendors offering all sorts of solutions, and organizations are spending a record amount of money defending their environments. Nevertheless, an increasing number of breaches are reported each year, resulting in organizations spending millions of dollars to remediate them. The Security industry responds with more products, all offering to stop the next breach, and the cycle continues. In this presentation from the MITRE ATT&CKcon Power Hour session on November 12, 2020, Matt discusses what VMware is doing internally to address this fundamental flaw in the Security industry and how they are leveraging the MITRE ATT&CK framework to reshape how we think about security.

What's a MITRE with your Security?

MITRE - ATT&CKcon

From MITRE ATT&CKcon Power Hour November 2020 By Anthony Randazzo, Global Response Lead, Expel The team at Expel has been migrating to the cloud for the last 10 years, but as usual, security has lagged behind. Which means we don't have a comprehensive detection and response framework for cloud like we do with the Enterprise ATT&CK matrix. Cloud has evolved into a complex beast as technologies and concepts – like Infrastructure As Code, Containers, Kubernetes and so forth – have emerged. These new attack surfaces have been added that introduce additional challenges to detection and response in our cloud environments. We don't know what we don't know about attack life cycles in the cloud. In this presentation from the MITRE ATT&CKcon Power Hour session on November 12, 2020, Anthony shares some interesting lessons learned so far when it comes to finding bad guys in the cloud.

ATTACKing the Cloud: Hopping Between the Matrices

MITRE - ATT&CKcon

From MITRE ATT&CKcon Power Hour November 2020 By Allie Mellen, Security Strategist, Office of the CSO, Cybereason In this presentation from the MITRE ATT&CKcon Power Hour session on November 12, Allie discusses how the Cybereason research team uses both MITRE ATT&CK and MITRE ATT&CK for Mobile to map and communicate new malware to the larger security community. Teams use the MITRE ATT&CK framework to share techniques, tactics, and procedures with their team and the community at large. This knowledge base has been incredibly beneficial for the development of specific threat models and methodologies in the private sector, in government, and in the cybersecurity product and service community. Many of these uses have centered around traditional endpoints like laptops and workstations. However, the MITRE ATT&CK team has also created a cutting-edge portion of their framework: MITRE ATT&CK for Mobile. One of the most recent pieces of malware they have found is EventBot, a mobile banking trojan that targets Android devices and the financial services applications on them, including popular apps like Paypal Business, Revolut, Barclays, UniCredit, CapitalOne UK, HSBC UK, Santander UK, TransferWise, Coinbase, paysafecard, and many more. In this talk, learn about this specific attack, intended targets, a timeline of the attack, and the MITRE ATT&CK for Mobile mapping. Learn why the Cybereason team map to MITRE ATT&CK and MITRE ATT&CK for Mobile and what benefits it has given them and their interactions with the community.

Mapping the EventBot Mobile Banking Trojan with MITRE ATTACK for Mobile

MITRE - ATT&CKcon

From MITRE ATT&CKcon Power Hour October 2020 By Matan Hart, Co-Founder & CEO Cymptom @machosec Adversary emulation is commonly used to validate security controls and is considered one of the most popular use-cases for the ATT&CK framework. However, emulating adversary TTPs on production environments is often very limited in testing scope and frequency, and such practice may cause unwanted business disruption. In this talk from the MITRE ATT&CKcon Power Hour session on October 9, 2020, Hart presents a different approach to testing controls against ATT&CK. He demonstrates how it is possible to provide data-based methods to evaluate the exploitability of ATT&CK techniques by gathering information from the network, endpoint, and services; this unique approach does not emulate any sort of malicious action, thus reducing the potential of causing business disruption to the minimum. Hart also outlines a new open-source guideline based on ATT&CK mitigations, that security teams can use to assess their security posture non-intrusively and at scale.

Transforming Adversary Emulation Into a Data Analysis Question

MITRE - ATT&CKcon

From MITRE ATT&CKcon Power Hour October 2020 By Brandon Levene, Head of Applied Intelligence Google, @seraphimdomain Opportunistically targeted ransomware deployments, aka Big Game Hunting (BGH), have caused a distinct disruption in the mechanics of monetizing crimeware compromises. This strategy has become the “end game” for the majority of organized cybercrime organizations, and one effect of this shift is the increased emphasis on enterprise-level targets. In this talk from the MITRE ATT&CKCon Power Hour session on October 9, 2020, Levene walks us through research about how a specific BGH threat actor pursues entry points, gains its foothold, pivots, and deploys payloads to maximize their financial gains with minimal effort - and infrastructure! You’ll walk away with an understanding of the latest BGH TTPs seen in enterprise environments, and how they map to the ATT&CK framework so you can build this research into your threat detection strategy and enhance your defenses.

TA505: A Study of High End Big Game Hunting in 2020

MITRE - ATT&CKcon

From MITRE ATT&CKcon Power Hour October 2020 By Jen Burns, Lead Cybersecurity Engineer, MITRE, @snarejen Jen Burns is a Lead Cybersecurity Engineer at MITRE and the Lead for MITRE ATT&CK® for Cloud. She’s also a red team developer and lead for ATT&CK Evaluations, using her skills in software engineering and adversary emulation. Previously, she was a tech lead at HubSpot on the Infrastructure Security team where she focused on red teaming and building detections in the cloud environment. This presentation is from the MITRE ATT&CKcon Power Hour session held on October 9, 2020.

What's New with ATTACK for Cloud?

MITRE - ATT&CKcon

MITRE ATTACKCon Power Hour - December

MITRE - ATT&CKcon

MITRE ATT&CKcon Power Hour - November

MITRE - ATT&CKcon

MITRE ATT&CKcon 2.0: Flashback with ATT&CK: Exploring Malware History with AT...

MITRE - ATT&CKcon

MITRE ATT&CKcon 2.0: Lessons in Purple Team Testing with MITRE ATT&CK; Daniel...

MITRE - ATT&CKcon

MITRE ATT&CKcon 2.0: Prioritizing ATT&CK Informed Defenses the CIS Way; Phili...

MITRE - ATT&CKcon

MITRE ATT&CKcon 2.0: Keynote Address - The Friends We Made Along the Way; Ton...

MITRE - ATT&CKcon

MITRE ATT&CKcon 2.0: Using Threat Intelligence to Focus ATT&CK Activities; Da...

MITRE - ATT&CKcon

Plus de MITRE - ATT&CKcon (20)

ATTACK-Onomics: Attacking the Economics Behind Techniques Used by Adversaries

Measure What Matters: How to Use MITRE ATTACK to do the Right Things in the R...

Using ATTACK to Create Cyber DBTS for Nuclear Power Plants

Helping Small Companies Leverage CTI with an Open Source Threat Mapping

What's New with ATTACK for ICS?

From Theory to Practice: How My ATTACK Perspectives Have Changed

Putting the PRE into ATTACK

What's a MITRE with your Security?

ATTACKing the Cloud: Hopping Between the Matrices

Mapping the EventBot Mobile Banking Trojan with MITRE ATTACK for Mobile

Transforming Adversary Emulation Into a Data Analysis Question

TA505: A Study of High End Big Game Hunting in 2020

What's New with ATTACK for Cloud?

MITRE ATTACKCon Power Hour - December

MITRE ATT&CKcon Power Hour - November

MITRE ATT&CKcon 2.0: Flashback with ATT&CK: Exploring Malware History with AT...

MITRE ATT&CKcon 2.0: Lessons in Purple Team Testing with MITRE ATT&CK; Daniel...

MITRE ATT&CKcon 2.0: Prioritizing ATT&CK Informed Defenses the CIS Way; Phili...

MITRE ATT&CKcon 2.0: Keynote Address - The Friends We Made Along the Way; Ton...

MITRE ATT&CKcon 2.0: Using Threat Intelligence to Focus ATT&CK Activities; Da...

Dernier

Data Cloud, More than a CDP by Matt Robison

Anna Loughnan Colquhoun

Boost Fertility New Invention Ups Success Rates.pdf

sudhanshuwaghmare1

How to Troubleshoot Apps for the Modern Connected Worker

ThousandEyes

A Domino Admins Adventures (Engage 2024)

Gabriella Davis

Histor y of HAM Radio presentation slide

vu2urc

This presentations targets students or working professionals. You may know Google for search, YouTube, Android, Chrome, and Gmail, but did you know Google has many developer tools, platforms & APIs? This comprehensive yet still high-level overview outlines the most impactful tools for where to run your code, store & analyze your data. It will also inspire you as to what's possible. This talk is 50 minutes in length.

Powerful Google developer tools for immediate impact! (2023-24 C)

wesley chun

Scaling API-first – The story of a global engineering organization

Radu Cotescu

How to Troubleshoot Apps for the Modern Connected Worker

ThousandEyes

Tech Trends Report 2024 Future Today Institute.pdf

hans926745

The value of a flexible API Management solution for Open Banking Steve Melan, Manager for IT Innovation and Architecture - State's and Saving's Bank of Luxembourg Apidays New York 2024: The API Economy in the AI Era (April 30 & May 1, 2024) ------ Check out our conferences at https://www.apidays.global/ Do you want to sponsor or talk at one of our conferences? https://apidays.typeform.com/to/ILJeAaV8 Learn more on APIscene, the global media made by the community for the community: https://www.apiscene.io Explore the API ecosystem with the API Landscape: https://apilandscape.apiscene.io/

Apidays New York 2024 - The value of a flexible API Management solution for O...

apidays

🐬 The future of MySQL is Postgres 🐘

RTylerCroy

Handwritten Text Recognition for manuscripts and early printed texts

Maria Levchenko

Abhishek Deb(1), Mr Abdul Kalam(2) M. Des (UX) , School of Design, DIT University , Dehradun. This paper explores the future potential of AI-enabled smartphone processors, aiming to investigate the advancements, capabilities, and implications of integrating artificial intelligence (AI) into smartphone technology. The research study goals consist of evaluating the development of AI in mobile phone processors, analyzing the existing state as well as abilities of AI-enabled cpus determining future patterns as well as chances together with reviewing obstacles as well as factors to consider for more growth.

Exploring the Future Potential of AI-Enabled Smartphone Processors

debabhi2

Imagine a world where information flows as swiftly as thought itself, making decision-making as fluid as the data driving it. Every moment is critical, and the right tools can significantly boost your organization’s performance. The power of real-time data automation through FME can turn this vision into reality. Aimed at professionals eager to leverage real-time data for enhanced decision-making and efficiency, this webinar will cover the essentials of real-time data and its significance. We’ll explore: FME’s role in real-time event processing, from data intake and analysis to transformation and reporting An overview of leveraging streams vs. automations FME’s impact across various industries highlighted by real-life case studies Live demonstrations on setting up FME workflows for real-time data Practical advice on getting started, best practices, and tips for effective implementation Join us to enhance your skills in real-time data automation with FME, and take your operational capabilities to the next level.

From Event to Action: Accelerate Your Decision Making with Real-Time Automation

Safe Software

[2024]Digital Global Overview Report 2024 Meltwater.pdf

hans926745

Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...

Neo4j

What is a good lead in your organisation? Which leads are priority? What happens to leads? When sales and marketing give different answers to these questions, or perhaps aren't sure of the answers at all, frustrations build and opportunities are left on the table. Join us for an illuminating session with Cian McLoughlin, HubSpot Principal Customer Success Manager, as we look at that crucial piece of the customer journey in which leads are transferred from marketing to sales.

04-2024-HHUG-Sales-and-Marketing-Alignment.pptx

HampshireHUG

ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke

Product Anonymous

Strategies for Landing an Oracle DBA Job as a Fresher

Remote DBA Services

Scaling API-first – The story of a global engineering organization Ian Reasor, Senior Computer Scientist - Adobe Radu Cotescu, Senior Computer Scientist - Adobe Apidays New York 2024: The API Economy in the AI Era (April 30 & May 1, 2024) ------ Check out our conferences at https://www.apidays.global/ Do you want to sponsor or talk at one of our conferences? https://apidays.typeform.com/to/ILJeAaV8 Learn more on APIscene, the global media made by the community for the community: https://www.apiscene.io Explore the API ecosystem with the API Landscape: https://apilandscape.apiscene.io/

Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe

apidays

Dernier (20)

Data Cloud, More than a CDP by Matt Robison

Boost Fertility New Invention Ups Success Rates.pdf

How to Troubleshoot Apps for the Modern Connected Worker

A Domino Admins Adventures (Engage 2024)

Histor y of HAM Radio presentation slide

Powerful Google developer tools for immediate impact! (2023-24 C)

Scaling API-first – The story of a global engineering organization

How to Troubleshoot Apps for the Modern Connected Worker

Tech Trends Report 2024 Future Today Institute.pdf

Apidays New York 2024 - The value of a flexible API Management solution for O...

🐬 The future of MySQL is Postgres 🐘

Handwritten Text Recognition for manuscripts and early printed texts

Exploring the Future Potential of AI-Enabled Smartphone Processors

From Event to Action: Accelerate Your Decision Making with Real-Time Automation

[2024]Digital Global Overview Report 2024 Meltwater.pdf

Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...

04-2024-HHUG-Sales-and-Marketing-Alignment.pptx

ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke

Strategies for Landing an Oracle DBA Job as a Fresher

Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe

MITRE ATT&CKcon 2.0: Prioritizing Data Sources for Minimum Viable Detection; Keith McCammon, Red Canary

1. Prioritizing Data Sources for Minimum Viable Detection

2. ▪ Mean streets of Northern Virginia ▪ “The Government” ▪ Red Canary Keith McCammon @kwm Presenter There is no photo. I’m right here :)

3. Y O U R S E C U R I T Y A L L Y Y O U R S E C U R I T Y A L L Y Y O U R S E C U R I T Y A L L Y To learn how you can prioritize collection of ATT&CK data sources, use this information to inform technology selection, and ultimately build a strong foundation for your detection engineering program. Why we’re here > > > > > > > > > > > > > > > > > > > > > > > > >

4. Detection Engineering DATA Am I collecting the right data to detect, investigate, and respond effectively to threats? ANALYTICS Am I asking the right questions of the data that I have? DETECTION Do I have the process, context, and expertise that I need to answer the questions that I’ve asked?

5. What does this have to do with ATT&CK™?

6. Detection Engineering DATA Am I collecting the right data to detect, investigate, and respond effectively to threats? ANALYTICS Am I asking the right questions of the data that I have? DETECTION Do I have the process, context, and expertise that I need to answer the questions that I’ve asked? We love to fixate on this!

7. Detection Engineering DATA Am I collecting the right data to detect, investigate, and respond effectively to threats? ANALYTICS Am I asking the right questions of the data that I have? DETECTION Do I have the process, context, and expertise that I need to answer the questions that I’ve asked? We should pay closer attention to this . . .

8. “We can’t detect what we can’t see.” ATT&CK Data Sources useful for: ● Assigning value to tools, data ● Measuring progress, coverage

9. Olaf Hartong ▪ sysmon-modular ▪ ThreatHunting Roberto & Jose Luis Rodriguez ▪ hunters-forge / ATTACK-Python Client ▪ Hunters ATT&CKing The ATT&CK Team Obligatory Nods

10. CONCEPT Minimum Viable Detection Being in a position to detect most threats, most of the time.

11. Not where you want to end up . . . . . . but a great way to think about how you start.

12. Words to Live By (At Work) MAXIMIZE COVERAGE MINIMIZE COMPLEXITY OPTIMIZE FOR ANSWERS

13. BACKGROUND Data Sources: The linchpin of ATT&CK

14. ▪ 50 data sources ▪ One or more per each of the 240 ATT&CK (Enterprise) techniques About the ATT&CK Data Sources

15. ▪ 50 59 data sources ▪ One or more per each of the 240 265 ATT&CK (Enterprise) techniques About the ATT&CK Data Sources

16. Useful for understanding how we observe a given technique

17. ▪ Do you need one or all data sources to properly observe a technique? ▪ Data sources are not clearly defined. Nits

18. PRIORITIZING DATA SOURCES Where do we start?

19. 1. Understanding prevalence 2. Focus on a class of data or product 3. Differentiate within a class of data / product 4. Coverage based on operational data, insights The stages of grief

20. PRIORITIZING DATA SOURCES Understanding prevalence

21. https://github.com/keithmccammon/python-attack-utils Step 1: ./attack.py --dump-metadata Step 2: Excel :) Alternatively: hunters-force/ATTACK-Python-Client Determining Prevalence

22. Top 10 Data Sources by Prevalence

23. PRIORITIZING DATA SOURCES Focus on a class of data or product

24. Data Source . . . Sources

25. The Top 10

26. PRIORITIZING DATA SOURCES Differentiate within a class of data / product

27.

28. https://github.com/keithmccammon/python-attack-utils ./attack.py --match-data-source <filename> Techniques by Data Source Visibility Protection Process command-line parameters Process monitoring Binary file metadata DLL monitoring File monitoring Loaded DLLs Process use of network Process command-line parameters Process monitoring

29. . . . and then

30. PRIORITIZING DATA SOURCES Operational context Less a data source thing. Critically important.

31.

32. Trends: Powershell

33. Trends: Windows Admin Shares

34. Trends: Remote File Copy

35. Trends: Spearphishing Attachment

36. WHAT OTHERS ARE SAYING “Everyone in this room should be sharing confirmed threat data based on ATTACK™.” ~ Me. I made this up. Still a valid point . . .

37. One more time . . . MAXIMIZE COVERAGE MINIMIZE COMPLEXITY OPTIMIZE FOR ANSWERS

38. FEEDBACK, QUESTIONS, ROTTEN TOMATOES Thank you! @kwm

MITRE ATT&CKcon 2.0: Prioritizing Data Sources for Minimum Viable Detection; Keith McCammon, Red Canary

Recommandé

Recommandé

Contenu connexe

Tendances

Tendances (20)

Similaire à MITRE ATT&CKcon 2.0: Prioritizing Data Sources for Minimum Viable Detection; Keith McCammon, Red Canary

Similaire à MITRE ATT&CKcon 2.0: Prioritizing Data Sources for Minimum Viable Detection; Keith McCammon, Red Canary (20)

Plus de MITRE - ATT&CKcon

Plus de MITRE - ATT&CKcon (20)

Dernier

Dernier (20)

MITRE ATT&CKcon 2.0: Prioritizing Data Sources for Minimum Viable Detection; Keith McCammon, Red Canary