From MITRE ATT&CKcon Power Hour October 2020
By Jen Burns, Lead Cybersecurity Engineer, MITRE, @snarejen
Jen Burns is a Lead Cybersecurity Engineer at MITRE and the Lead for MITRE ATT&CK® for Cloud. She’s also a red team developer and lead for ATT&CK Evaluations, using her skills in software engineering and adversary emulation. Previously, she was a tech lead at HubSpot on the Infrastructure Security team where she focused on red teaming and building detections in the cloud environment. This presentation is from the MITRE ATT&CKcon Power Hour session held on October 9, 2020.
What's New with ATT&CK for Cloud?
1. ©2020 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for public release. Distribution unlimited 20-00841-13
What's New with ATT&CK for Cloud?
Jen Burns
@snarejen
@MITREattack
2.
ATT&CK for Cloud
Credit to Dave Herrald and Ryan Kovar
3.
ATT&CK for Cloud Beginnings
Initial Release October 2019
Part of Enterprise ATT&CK
Almost 100% community-contributed techniques!
Input from:
A cloud service provider
Threat analysts
Detection analysts
Red teams
4.
ATT&CK for Cloud Today
5.
ATT&CK for Cloud Scope
Add techniques generally visible via Cloud data sources:
AWS CloudTrail logs
Azure Activity logs
Office 365 audit logs
etc.
Minimize duplication across Windows/Linux/macOS
Cloud is meant to add an additional layer to ATT&CK
Example:
6.
Future of Cloud Platforms
Current          Future
SaaS             IaaS
                 Additional SaaS
                 Additional SaaS
                 Additional SaaS
                 SaaS
7.
Why generalize to IaaS?
Current IaaS platforms share most techniques
Differences between Cloud Service Providers (CSPs) can be documented within the technique
All CSPs can be represented
Community feedback favors a single platform
8.
Cloud Data Sources Today
AWS CloudTrail logs
Azure Activity logs
GCP audit logs
OAuth audit logs
9.
Future of Cloud Data Sources
Data Source
  One or more Data Components
    Mapping(s) to relevant Azure Operation Name(s)
    Mapping(s) to relevant AWS CloudTrail Event Name(s)
    Mapping(s) to relevant GCP REST API Method(s)
    Mapping(s) to other CSPs or SaaS events
10.
Example IaaS Data Source
Data Source: Instance

Data Component                              Events (API)
Instance Creation                           AWS: RunInstances
Instance Modification                       AWS: ModifyInstanceAttribute
Instance Deletion                           AWS: TerminateInstances
Instance Metadata / Instance Enumeration    AWS: DescribeInstances, ListInstances
Instance Start                              AWS: StartInstances
Instance Stop                               AWS: StopInstances
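The two slides above describe the proposed shape of a Cloud data source (a data source, its data components, and per-CSP mappings to native event names) and illustrate it with the Instance data source. The following is an added example, not code from the deck or from MITRE, showing what that model looks like once it is made machine-readable and run over audit records. It encodes the Instance data source with the AWS CloudTrail event names from the slide, extends it with Azure Activity Log operation names (the Azure names and the pairing of DescribeInstances/ListInstances with the Metadata and Enumeration components are this example's own choices, not the deck's), inverts the table into a lookup, and tags constructed sample records with the data component they evidence. It also shows two checks a practitioner needs in practice: restricting AWS matches to the EC2 event source, because other services reuse names such as ListInstances, and matching Azure operation names case-insensitively, because exports upper-case them.

```python
import json
from collections import Counter

# Data source "Instance" with each data component mapped to provider-specific
# event names. The AWS names are the ones listed on the slide; the Azure
# operation names, and the choice to pair DescribeInstances with Metadata and
# ListInstances with Enumeration, are this example's assumptions.
INSTANCE_DATA_SOURCE = {
    "Instance Creation": {
        "aws": ["RunInstances"],
        # Azure's "write" covers both create and update of a VM resource;
        # separating the two needs the request body, which is out of scope here.
        "azure": ["Microsoft.Compute/virtualMachines/write"],
    },
    "Instance Modification": {"aws": ["ModifyInstanceAttribute"], "azure": []},
    "Instance Deletion": {
        "aws": ["TerminateInstances"],
        "azure": ["Microsoft.Compute/virtualMachines/delete"],
    },
    "Instance Metadata": {
        "aws": ["DescribeInstances"],
        "azure": ["Microsoft.Compute/virtualMachines/read"],
    },
    "Instance Enumeration": {"aws": ["ListInstances"], "azure": []},
    "Instance Start": {
        "aws": ["StartInstances"],
        "azure": ["Microsoft.Compute/virtualMachines/start/action"],
    },
    "Instance Stop": {
        "aws": ["StopInstances"],
        "azure": ["Microsoft.Compute/virtualMachines/deallocate/action",
                  "Microsoft.Compute/virtualMachines/powerOff/action"],
    },
}

# Only EC2 events may satisfy the AWS mappings: other AWS services reuse
# names such as ListInstances (EMR), so eventName alone is not enough.
AWS_EVENT_SOURCE = "ec2.amazonaws.com"


def build_index(data_source):
    """Invert the table: (provider, lower-cased event name) -> data component."""
    index = {}
    for component, providers in data_source.items():
        for provider, names in providers.items():
            for name in names:
                index[(provider, name.lower())] = component
    return index


INDEX = build_index(INSTANCE_DATA_SOURCE)


def classify(record):
    """Return (identity, data component) for one audit record, or None if unmapped.

    Accepts a CloudTrail record (eventSource/eventName/userIdentity) or an
    Azure Activity Log record (operationName/caller). Lookup is
    case-insensitive because Azure exports operation names in upper case.
    """
    if "eventName" in record:                      # AWS CloudTrail shape
        if record.get("eventSource") != AWS_EVENT_SOURCE:
            return None
        key = ("aws", record["eventName"].lower())
        identity = record.get("userIdentity", {}).get("arn", "unknown")
    elif "operationName" in record:                # Azure Activity Log shape
        key = ("azure", record["operationName"].lower())
        identity = record.get("caller", "unknown")
    else:
        return None
    component = INDEX.get(key)
    return (identity, component) if component else None


def summarize(lines):
    """Count data components per identity over newline-delimited JSON records."""
    counts = Counter()
    for line in lines:
        result = classify(json.loads(line))
        if result:
            counts[result] += 1
    return counts


# Constructed sample records for the example; not real log data.
ALICE = "arn:aws:iam::111122223333:user/alice"
SAMPLE_LOG = [
    json.dumps({"eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances",
                "userIdentity": {"arn": ALICE}}),
    json.dumps({"eventSource": "ec2.amazonaws.com", "eventName": "RunInstances",
                "userIdentity": {"arn": ALICE}}),
    # Same event name, different service: must not be tagged as Instance Enumeration.
    json.dumps({"eventSource": "elasticmapreduce.amazonaws.com", "eventName": "ListInstances",
                "userIdentity": {"arn": ALICE}}),
    # EC2 event outside the Instance data source: unmapped.
    json.dumps({"eventSource": "ec2.amazonaws.com", "eventName": "DescribeSecurityGroups",
                "userIdentity": {"arn": ALICE}}),
    json.dumps({"operationName": "MICROSOFT.COMPUTE/VIRTUALMACHINES/DEALLOCATE/ACTION",
                "caller": "bob@example.com"}),
]

if __name__ == "__main__":
    for (identity, component), n in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{identity}: {component} x{n}")
```

Running the block tags alice's two EC2 calls as Instance Metadata and Instance Creation, drops the EMR ListInstances and the DescribeSecurityGroups records, and tags bob's deallocate as Instance Stop. Adding a GCP column is a matter of adding `"gcp"` lists to the table and a third record shape in `classify`; the data source and component names stay the same, which is the point of the refactor.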
11.
Why the change?
Ensure approach is consistent with the rest of Enterprise
Suggested reading: the blog post by Jose Luis Rodriguez
https://medium.com/mitre-attack/defining-attack-data-sources-part-i-4c39e581454f
Create more meaningful data sources for Cloud
Refactor to align to events and API calls within these logs instead
Align to future Cloud platform updates
12.
We need your help!
Thoughts on how we can improve ATT&CK for Cloud?
Opinions on our platform or data source plans?
13.
attack@mitre.org
@MITREattack
Jen Burns
@snarejen