Thank you to everyone who attended and spoke as ATT&CKcon went virtual in 2020. Broken into a series of four 1.5 hour virtual sessions, ATT&CKcon Power Hour talks have been viewed over 12,000 times. ATT&CKcon Power Hour brought us talks on areas of ATT&CK we haven't heard about before such as Cloud and Mobile as well as insights on how organizations are adapting to features such as sub-techniques. Please continue to watch and share these talks!
Presentations
1. Starting Over with Sub-Techniques: Lessons Learned Remapping Detection Analytics (Brian Donohue, Red Canary)
In early 2018, Red Canary adopted MITRE ATT&CK as the common language that they would use to categorize threats, measure detection coverage, and communicate about malicious behaviors. In the intervening years, they’ve relied on the framework to develop open source tools like Atomic Red Team and help security teams prioritize their defensive efforts with blogs and our annual Threat Detection Report.
In early 2020, MITRE announced that ATT&CK would be expanding its original taxonomy of tactics and techniques to include sub-techniques. In the months that followed MITRE's announcement, Red Canary’s research, intelligence, and detection engineering teams painstakingly remapped their library of thousands of behavioral analytics to sub-techniques. In doing so, they improved their correlational logic, experimented with the idea of conditional technique mapping, and, unfortunately, rendered the 2020 Threat Detection Report out-of-date.
In this talk from the MITRE ATT&CKcon Power Hour session on October 9, 2020, Brian discusses how refactoring for sub-techniques offered us the opportunity to apply all the lessons learned in more than two years of operationalizing ATT&CK. He also explores how Red Canary has remodeled its ATT&CK mapping to allow for added flexibility and human input and shows what happens when the Red Canary applied their new sub-technique mappings to the 2020 Threat Detection Report.
video2. Using MITRE PRE-ATT&CK and ATT&CK In Cybercrime Education and Research (Aunshul Rege and Rachel Bleiman, Temple University)
This presentation from the MITRE ATT&CKcon Power Hour session on October 9, 2020, explores the application of the MITRE ATT&CK and PRE-ATT&CK matrices in cybercrime education and research. Specifically, Rege and Bleiman demonstrate the mapping of the PRE-ATT&CK matrix to social engineering case studies as an experiential learning project in an upper-level cybercrime liberal arts course. It thus allows students to understand the alignment process of threat intelligence to the PRE-ATT&CK framework and also learn about its usefulness/limitations. The talk also discusses the mapping of the ATT&CK matrix, tactics, techniques, software, and groups for two cybercrime datasets created by collating publicly disclosed incidents: (i) critical infrastructure ransomware (CIRW) incidents, and (ii) social engineering (SE) incidents. For the CIRW dataset, 39% of the strains mapped onto the ATT&CK software. For the SE dataset, 49% of the groups and 65% of the techniques map on to the MITRE framework. This helps the researchers identify the framework's usefulness/limitations and also helps our datasets connect to richer information that may not otherwise be available in the publicly disclosed incidents.
video3. Without Attacking: Transforming Adversary Emulations Into A Data Analysis Question (Matan Hart, Cymptom)
Adversary emulation is commonly used to validate security controls and is considered one of the most popular use-cases for the ATT&CK framework. However, emulating adversary TTPs on production environments is often very limited in testing scope and frequency, and such practice may cause unwanted business disruption. In this talk from the MITRE ATT&CKcon Power Hour session on October 9, 2020, Hart presents a different approach to testing controls against ATT&CK. He demonstrates how it is possible to provide data-based methods to evaluate the exploitability of ATT&CK techniques by gathering information from the network, endpoint, and services; this unique approach does not emulate any sort of malicious action, thus reducing the potential of causing business disruption to the minimum. Hart also outlines a new open-source guideline based on ATT&CK mitigations, that security teams can use to assess their security posture non-intrusively and at scale.
video4. Detecting ATT&CK's With Dynamic Thresholds Using Tukey’s Test and Azure Sentinel (Jair Santanna, Northwave)
How do you detect abnormal activities based on frequency, for example, a suspicious number of sign-ins (leading to a brute force attack), suspicious amount of data transfer (leading to a data exfiltration), and malicious scanning or discovering activities? Usually, you would count the frequency of the activity and if this number exceeds a pre-defined threshold then you would consider it abnormal/attack. The problem here is the definition of this threshold (and the reduction of false positives and negatives). Some practitioners set this threshold to 5, others to 10, and in some situations, to 30 or even higher. The remaining question is how to obtain a statistically sounding threshold? In this talk from the MITRE ATT&CKcon Power Hour session on October 9, 2020, Jair Santanna answers this question by using a half-century-old statistical method to define such a dynamic threshold (John Tukey’s "honestly significant difference"-HSD). Northwave has implemented this method in a production environment over several ATT&CK techniques using the Security Information and Event Management (SIEM) from Microsoft, Azure Sentinel. Northwave’s scripts are publicly available. In this presentation, Santanna sheds light on dynamic thresholds for security monitoring and discuss how to move forward with this challenging old problem.
video5. Ta505 - A Study of High End Big Game Hunting In 2020 (Brandon Levene, Google)
Opportunistically targeted ransomware deployments, aka Big Game Hunting (BGH), have caused a distinct disruption in the mechanics of monetizing crimeware compromises. This strategy has become the “end game” for the majority of organized cybercrime organizations, and one effect of this shift is the increased emphasis on enterprise-level targets. In this talk from the MITRE ATT&CKCon Power Hour session on October 9, 2020, Levene walks us through research about how a specific BGH threat actor pursues entry points, gains its foothold, pivots, and deploys payloads to maximize their financial gains with minimal effort - and infrastructure! You’ll walk away with an understanding of the latest BGH TTPs seen in enterprise environments, and how they map to the ATT&CK framework so you can build this research into your threat detection strategy and enhance your defenses.
video6. What’s New with ATT&CK for Cloud? (Jen Burns, MITRE)
Jen Burns is a Lead Cybersecurity Engineer at MITRE and the Lead for MITRE ATT&CK for Cloud. She’s also a red team developer and lead for ATT&CK Evaluations, using her skills in software engineering and adversary emulation. Previously, she was a tech lead at HubSpot on the Infrastructure Security team where she focused on red teaming and building detections in the cloud environment. This presentation is from the MITRE ATT&Ckcon Power Hour session held on October 9, 2020.
video7. Mapping The Eventbot Mobile Banking Trojan With MITRE ATT&CK For Mobile (Allie Mellen, Cybereason)
In this presentation from the MITRE ATT&CKcon Power Hour session on November 12, Allie discusses how the Cybereason research team uses both MITRE ATT&CK and MITRE ATT&CK for Mobile to map and communicate new malware to the larger security community. Teams use the MITRE ATT&CK framework to share techniques, tactics, and procedures with their team and the community at large. This knowledge base has been incredibly beneficial for the development of specific threat models and methodologies in the private sector, in government, and in the cybersecurity product and service community. Many of these uses have centered around traditional endpoints like laptops and workstations. However, the MITRE ATT&CK team has also created a cutting-edge portion of their framework: MITRE ATT&CK for Mobile.
One of the most recent pieces of malware they have found is EventBot, a mobile banking trojan that targets Android devices and the financial services applications on them, including popular apps like Paypal Business, Revolut, Barclays, UniCredit, CapitalOne UK, HSBC UK, Santander UK, TransferWise, Coinbase, paysafecard, and many more. In this talk, learn about this specific attack, intended targets, a timeline of the attack, and the MITRE ATT&CK for Mobile mapping. Learn why the Cybereason team map to MITRE ATT&CK and MITRE ATT&CK for Mobile and what benefits it has given them and their interactions with the community.
video8. ATT&CKing The Cloud: Hopping Between The Matrices (Anthony Randazzo, Expel)
The team at Expel has been migrating to the cloud for the last 10 years, but as usual, security has lagged behind. Which means we don't have a comprehensive detection and response framework for cloud like we do with the Enterprise ATT&CK matrix. Cloud has evolved into a complex beast as technologies and concepts - like Infrastructure As Code, Containers, Kubernetes and so forth - have emerged. These new attack surfaces have been added that introduce additional challenges to detection and response in our cloud environments. We don't know what we don't know about attack life cycles in the cloud. In this presentation from the MITRE ATT&CKcon Power Hour session on November 12, 2020, Anthony shares some interesting lessons learned so far when it comes to finding bad guys in the cloud.
video9. Building Detections For Cloud With KQL and ATT&CK (Nitya Garg, LinkedIn)
Writing and deploying custom detections with high efficacy is one of the most important goals of any SIRT team. It involves multiple stages, starting from developing a detection hypothesis, to writing the detection query, and validating it against a simulated true positive scenario. With ever-changing threat landscape and hybrid cloud environments, the process can be intensive and overwhelming. In this presentation from the MITRE ATT&CKcon Power Hour session on November 12, 2020, Nitya talks about how we can leverage MITRE ATT&CK to not only simplify detection engineering but make it more efficient. The presentation will also include a demo on how to build a detection query, written in KQL(Kusto Query Languauge), for an ATT&CK technique from MITRE Cloud Matrix.
video10. What’s a MITRE with Your Security? (Matt Snyder, VMWare)
The market for Security products is flooded with vendors offering all sorts of solutions, and organizations are spending a record amount of money defending their environments. Nevertheless, an increasing number of breaches are reported each year, resulting in organizations spending millions of dollars to remediate them. The Security industry responds with more products, all offering to stop the next breach, and the cycle continues. In this presentation from the MITRE ATT&CKcon Power Hour session on November 12, 2020, Matt discusses what VMware is doing internally to address this fundamental flaw in the Security industry and how they are leveraging the MITRE ATT&CK framework to reshape how we think about security.
video11. Putting the PRE into ATT&CK (Jamie Williams and Mike Hartley, MITRE)
12. Helping Small Companies Leverage CTI with an Open Source Threat Mapping (Valentina Palacín, Senior Cyber Threat Intelligence Analyst)
No one can deny the tremendous impact that ATT&CK had on the cybersecurity industry, nor the usefulness of having a good Threat Library at your disposal. But the question Valentina gets asked over and over by people from small companies is always the same: “How could I leverage threat intelligence using ATT&CK with limited time and resources?” And so far, there hasn't been a good answer. That’s why she decided to come up with the Threat Mapping Catalogue (TMC), a tool that combines the power of the mappings already available in the ATT&CK website, TRAM and the ATT&CK Navigator, to better process, consume and incorporate new mappings while organizing them around different categories.
This talk is from the MITRE ATT&CKcon Power Hour session held on December 11, 2020.
video13. From Theory to Practice: How My ATT&CK Perspectives Have Changed (Katie Nickels, Red Canary)
Good analysts (and good human beings) change their minds based on new information. In this presentation, Katie will share how her perspectives on ATT&CK have changed since moving from ATT&CK team member to ATT&CK end-user. She will discuss how her ideas about coverage, procedures, and detection creation have evolved and why those perspectives matter. Katie will also share practical examples from observed threats to help explain the nuances of her perspectives. Attendees should expect to leave this presentation with a better understanding of how to handle challenges they’re likely to face when navigating their own ATT&CK journey.
This talk is from the MITRE ATT&CKcon Power Hour session held on December 11, 2020.
video14. Sharpening Your Threat Hunting Program with ATT&CK Framework (Hieu Tran, FPT Cybersecurity Division)
No matter how sophisticated and thorough your security precautions may be, you cannot assume your security measures are impenetrable. This is why you need a threat hunting program in place. But how can we implement a proper threat hunting program and run it efficiently? In this talk, we will uncover how to sharpen your threat hunting strategy by leveraging ATT&CK. Ultimately, we’ll be demonstrating how effectively employing the hunting methodology in the real-world battlefield, fighting against well-known cyber espionage actors who strongly focus on Southeast Asian countries like Vietnam, the Philippines, Laos, and Cambodia.
This talk is from the MITRE ATT&CKcon Power Hour session held on December 11, 2020.
video15. Using ATT&CK To Create Cyber DBTs For Nuclear Power Plants (Jacob Benjamin, Dragos)
Design Basis Threat (DBT) is a concept introduced by the Nuclear Regulatory Commission (NRC). It is a profile of the type, composition, and capabilities of an adversary. DBT is the key input nuclear power plants use for the design of systems against acts of radiological sabotage and theft of special nuclear material. The NRC expects its licensees, nuclear power plants, to demonstrate that they can defend against the DBT. Currently, cyber is included in DBTs simply as a prescribed list of IT centric security controls. Using MITRE’s ATT&CK framework, Cyber DBTs can be created that are specific to the facility, its material, or adversary activities.
This talk is from the MITRE ATT&CKcon Power Hour session held on December 11, 2020.
video16. What’s New with ATT&CK for ICS? (Otis Alexander, MITRE)
Otis Alexander is a Principal Cyber Security Engineer at the MITRE Corporation and has worked in the areas of security engineering and research, analytic development, and adversary modeling and emulation. Otis is a co-creator of ATT&CK for ICS and has been leading the project since its inception. He also leads an effort to bring MITRE ATT&CK Evaluations to ICS security vendors providing anomaly and threat detection solutions. He advocates for network and host visibility in operational technology environments to increase the situational awareness of defenders.
This talk is from the MITRE ATT&CKcon Power Hour session held on December 11, 2020.
video17. Measure What Matters: How to Use ATT&CK to Do the Right Things in the Right Order (Daniel Wyleczuk-Stern, Snowflake)
Cyber security is inherently a function of risk management. Risk management is the identification, evaluation, and prioritization of risks followed by the effort to reduce those risks in a coordinated and economical manner (thanks wikipedia!). In this talk, Daniel will be going over some strategies for measuring and prioritizing your cyber risks using MITRE ATT&CK . He'll discuss some lessons learned in atomic testing of techniques vs attack chaining as well as what to measure and how to make decisions with that data.
This talk is from the MITRE ATT&CKcon Power Hour session held on January 14, 2021.
video18. ATT&CKers Think in Graphs (Valentine Mairet, McAfee)
The MITRE ATT&CK framework is the industry standard to dissect cyberattacks into used techniques. At McAfee, all attack information is disseminated into different categories, including ATT&CK techniques. What results from this exercise is an extensive repository of techniques used in cyberattacks that goes back many years. Much can be learned from looking at historical attack data, but how can we piece all this information together to identify new relationships between threats and attacks? In her recent efforts, Valentine has embraced analyzing ATT&CK data in graphical representations. One lesson learned is that it is not just about merely mapping out attacks and techniques used into graphs, but the strength lies in applying different algorithms to answer specific questions. In this presentation, Valentine will showcase the results and techniques obtained from her research journey using graph and graph algorithms.
This talk is from the MITRE ATT&CKcon Power Hour session held on January 14, 2021.
video19. ATT&CK-Onomics: Exploring the Economics Behind Techniques Used By Adversaries (Gert-Jan Bruggink, FalconForce)
Adversaries are humans as well. They have objectives, deadlines and resources for programming.
In a sense, very similar to corporations grounded in the economics of effort vs time vs results. Now understanding techniques is one thing, taking it a step further and understanding what the economic impact is of using certain techniques is another. Developing tools takes time. For example, developing a custom process injection module might take days or weeks to develop, where using an open source tool could prevent extensive development costs incurred.
This talk explores the economic considerations for defending against techniques used by adversaries. It explores fundamental considerations all referenced to MITRE’s ATT&CK framework. The objective of this talk is to inspire defensive strategies designed to impact cost incurred by adversaries to perform compromises.
This talk is from the MITRE ATT&CKcon Power Hour session held on January 14, 2021.
video
Presentations
1. Welcome (Katie Nickels, MITRE)
ATT&CK Threat Intelligence Lead Katie Nickels welcomes attendees and introduces the members of the ATT&CK team.
video2. The Friends We Made Along the Way, Keynote Address (Toni Gidwani, Google)
3. State of the ATT&CK (Blake Strom, MITRE)
4. Using Threat Intelligence to Focus ATT&CK Activities (David Westin and Andy Kettell, Nationwide)
In October 2018, Nationwide began its MITRE ATT&CK journey. Nationwide looked at a number of different approaches to getting started, but it wasn’t until they prioritized efforts based on threat actors likely to target the finance/insurance industry that things started to click. Ultimately, Nationwide focused on 27 high concern threat actors targeting their industry, reducing the overall number of techniques from 240+ to 91. With this manageable chunk of techniques, Nationwide was able to test, analyze, and provide recommendations for improving its detection and mitigation capabilities. Nationwide is continuing to keep threat actor focus at the heart of its ATT&CK efforts, leading to prioritization of remediation actions, integration into penetration testing, and selection of security tools.
video5. Prioritizing ATT&CK Informed Defenses the CIS Way (Philippe Langlois, Verizon DBIR; Joshua Franklin, Center for Internet Security)
In a world of limited resources, organizations have to be strategic and meticulous in their planning and selection of security controls and the MITRE ATT&CK model has become an important piece for categorizing and understanding adversary techniques and contextualizing our own defenses. However, there still underlies a difficult question, where should organizations start and how should they prioritize their cybersecurity efforts? Join CIS as we explore our attempt to tackle this problem through the use of our community, content and real-world threat data collected as part of the Multi-State Information Sharing and Analysis Center (MS-ISAC). Participants should look forward to learning how to prioritize their security efforts and leverage the process for their own data and threats.
video6. Alertable Techniques for Linux using ATT&CK (Tony Lambert, Red Canary)
Community members continually ask, should I have detection capabilities across every technique in ATT&CK? This question inevitably leads to the same conclusion that not every technique is alertable and not all of them provide the same value for immediate detection. In this session we’ll discuss the concept of alertable detections using Linux ATT&CK techniques as a case study. We’ll introduce decision criteria we’ve learned through experience to illustrate the challenges, and we’ll recommend specific techniques that work well with an alert-driven workflow.
video7. ATT&CK Updates – TRAM (Jackie Lasky and Sarah Yoder, MITRE)
8. Raiders of the MITRE Framework: How to Build Your Own Threat Library (Valentina Palacin and Ruth Esmeralda Barbacil, Deloitte)
It's the year 2019 and the internet has been around long enough to be filled with what seems to be "ancient" data. Digging through, classifying and analyzing everything sometimes makes you feel a lot like Indiana Jones searching for the right clues in a moving puzzle. But how could you move through the caves without getting buried under piles of data rubble? How might anyone revisit and study the data from the past to transform it into actionable information for the present? In this talk we are going to show you how a threat intel Indiana Jones analyst should tackle these issues in order to find the treasure of the Threat Library. We will show you how we used the MITRE ATT&CK Framework as our book of secrets for turning dusty old Internet artifacts into a library of actionable Threat Intelligence.
video9. Climbing the ATT&CK Ladder: How a Threat Hunting Team Has Upgraded Its Use of ATT&CK (Karl Scheuerman and Piotr Wojtyla, CrowdStrike)
CrowdStrike’s OverWatch threat hunting team has continued to mature in its use of the ATT&CK framework to categorize and track targeted adversary behavior. This presentation will build on our talk from last year’s ATT&CKcon, where we shared tactic/technique trends and unique examples observed in the wild. Since that time, we have taken a number of steps to enhance our usage of ATT&CK, including:
- Mapping of hunting leads to ATT&CK techniques
- Based on that mapping, auto-tagging techniques used in any given intrusion observed in our data set
- For that intrusion, automatically extracting process data to easily create tables of TTP details (“ATT&CK Sightings”)
- Supplementing automated ATT&CK technique tagging by human analyst reviews
- Leveraging MISP’s API to build ATT&CK heat maps with an array of filters on demand
By using practices like those outlined above, we have been able to continue building what is likely the most comprehensive and detailed library of targeted intrusion data from the wild that is mapped to ATT&CK. As such, the presentation will also share significant trends and techniques from the intrusions we’ve analyzed over the past year.
video10. From Susceptible to ATT&CK: A Threat Hunting Story (Chris Thayer, Mastercard)
The story of one man's crusade to convince the Senior Management of a fortune 500 company that security resources were needed beyond the perimeter, and the role ATT&CK played in those decisions. This talk documents the creation and persuasion required to create a successful threat hunting program at an enterprise level, and how the Mitre ATT&CK framework made this possible for one investigator, in his spare time, to prove the program's worth to senior management within 1 year of creation.
video11. ATT&CK Updates – Sightings (John Wunder, MITRE)
12. Zeek-based ATT&CK Metrics & Gap Analysis (Allan Thomson, LookingGlass Cyber Solutions)
Today many organizations are using Bro (newly named Zeek) for network security monitor as it provides a powerful network analysis framework. This presentation will describe how to leverage Zeek to report on ATT&CK TTPs, raw events and other detectable activities. Key take-aways include how to report on sightings and occurrences of ATT&CK TTPs and events providing both metrics and gap analysis to inform security operations teams on where their defense may require improvement.
video13. attckr: A Toolkit for Analysis & Visualization of ATT&CK Incident Data for Service Providers & Organizations (Bob Rudis, Rapid7)
The ATT&CK framework provides a standardized way for organizations to record and share attacker techniques used at each stage in attacker campaigns. Having and sharing this discrete, normalized attacker behavior is great, but these normalized bundles of incident events can also be used to identify areas of improvement in both incident response teams as well as by vendors who provide tools/solutions to triage and manage incidents.
This talk will introduce {attckr}: an R package and application that provides programmatic, command-line, and interactive tools to analyze and visualize incident ATT&CK metrics. Attendees will see real-life (i.e. using real, anonymized incident data) examples of how to look across an ATT&CK incident corpus to identify trends (or outliers), support the development of ATT&CK incident baseline metrics, and develop reports and visualizations to assist in communicating operational performance, threat event frequency & type distributions for risk analysis, and identification of strengths and weaknesses in detection capability.
video14. MITRE ATT&CK Assessment from a Data Perspective (Olaf Hartong, Deloitte)
MITRE ATT&CK has quickly become the industry standard for referencing techniques. All though the framework is a great and valuable asset it is still lacking actionable detail on may levels to most people. I've bridged that gap by building a relatively simple assessment toolkit to visualize your potential coverage from the data already present in your environment, your mitigative measures and your detection content. The toolkit will help you focus your efforts based on your data and your goal.
video15. Threat-Informed Defense: Where do we go from here? (Richard Struse, MITRE)
16. AMITT: ATT&CK-based Standards for Misinformation Threat Sharing (Sara-Jayne Terp and John Gray, Credibility Coalition MisinfoSec Working Group)
State actors, private influence operators and grassroots groups are exploiting the openness and reach of the Internet to manipulate populations at a distance. They are extending a decades-long struggle for “hearts and minds” via propaganda, influence operations and information warfare, often in the form of coordinated incidents that are part of longer-timescale narrative-based campaigns.
The Credibility Coalition is an interdisciplinary community committed to addressing the proliferation and amplification of misinformation online, through transparent and collaborative research. Its MisinfoSec working group develops information security-based standards to promote a more formal and rigorous treatment of 1) detecting misinformation-based attacks and 2) devising methods to protect against misinformation-based attacks. Specifically, we have adapted and extended frameworks used to describe information security incidents, for use in ISACs, ISAOs and other groups sharing misinformation threats and responses.
In this talk, we discuss misinformation and why stage-based frameworks like ATT&CK are appropriate for it. We describe the AMITT (Adversarial Misinformation and Influence Tactics and Techniques) misinformation response framework and its roots in and deliberate compatibility with ATT&CK, its creation, relationships with other models, its components (including ways, means, and ends to achieve influence goals) and potential uses.
video17. Flashback with ATT&CK: Exploring Malware History with ATT&CK (2003-2018) (Kris Oosthoek, Delft University of Technology)
Attackers keep innovating their TTPs to circumvent established defenses, so gaining insight into attacker innovation is fundamental. Our Twitter feeds are saturated with helpful reports daily, but how does this relate to trends and developments within the threat ecosystem as a whole? Take a step back, relax and get an ATT&CK-based overview of 15 years TTP evolution to inform your defense.
This presentation will discuss ATT&CK techniques found in 950+ unique Windows malware families as part of an academic research project. With the malware harvested from an unbiased and reputable source, a representative view on 15 years of evolution in the malware field is ensured. For each ATT&CK tactic, the talk provides insight into trends and shifts in real-world adversary behavior. It will also highlight how a malware analysis automation pipeline can introduce biases into your CTI and based on that, best practices on how ATT&CK can be used to ensure CTI accuracy. This entertaining presentation provides practical takeaways that inform and help prioritize your threat defense.
video18. Tell Tall Tales With ATT&CK! (James Lerud, Titania Solutions Group)
Once upon a time there was a security expert with all kinds of ATT&CK data. There were Atomic tests, breach simulations, and metrics abound! Our hero knew he could mold the data to illustrate a story of triumph. He would deliver magnificent slides and graphs with color and shape that, even the dull c-suite would know he was great. This presentation will teach the audience how to torture ATT&CK data until it confesses. Manipulation of ordinal scales, dirty data, playing into biases, nothing is off limits if it makes us look good. Follow the advice here and you will be ready to tell tall tales with ATT&CK… or for the true hearted tell boring realistic stories.
video19. ATT&CK Updates – ICS (Otis Alexander, MITRE)
20. Ready to ATT&CK? Bring Your Own Data (BYOD) and Validate Your Data Analytics! (Roberto Rodriguez, Cybersecurity Specialist; Jose Luis Rodriguez, Student)
"How do we collect the right data for the detection of specific adversarial techniques?" That is a very important and common question for organizations planning on leveraging ATT&CK for their defensive strategy. One approach might be reading the data sources metadata available per each technique in the ATT&CK framework. That is a good first step, and it is already helping organizations to integrate the framework with their current security controls. However, as you go deeper into the specific recommended data sources per technique, it is very important to understand that not every technique variation requires the same data sources. In addition, there needs to be a way to validate if what we are collecting aligns with the data analytics being created. In this talk, we will share our current experiences contributing to the "Data Sources" section of ATT&CK framework and the Cyber Analytics Repository (CAR) project. We will show how to use pre-captured datasets from our open source project named Mordor to expedite simulation of adversarial techniques and validation of data analytics. In addition, we will show how we leverage Jupyter Notebooks to develop and test data analytics from projects like CAR to finish the validation process and provide recommendations.
video21. Prioritizing Data Sources for Minimum Viable Detection (Keith McCammon, Red Canary)
MITRE ATT&CK® is more than a glossary of security terminology that offers us a common language to communicate about threats. While each technique includes a description, it also includes a list of the requisite data sources necessary to observe an adversary leveraging that technique—transforming ATT&CK from a nebulous collection of definitions into a practical tool for improving detection coverage. However, in the same way that you can’t simply build alerts for every technique, you can’t gain access to every data source. How do you effectively prioritize data sources so that you are getting the best returns on your visibility investments?
video22. ATT&CK Updates – Controls Mapping (Mike Long, MITRE)
23. The World’s Most Dangerous ATT&CKers (Robert Lipovský, ESET)
As a research-oriented cybersecurity company that regularly discloses detailed analyses of cyberattacks to clients and/or the public, the introduction of MITRE ATT&CK as a common language to describe adversary techniques and tactics was certainly welcome.
We’ll begin our presentation by introducing exactly how and why we started using ATT&CK, providing examples of mappings in our research publications, as well as the role it plays in enhancing our EDR solutions. We’ll also describe our experience with contributing to the ATT&CK knowledge base.
The main part of the talk will be example-driven. Having played a key role in analyzing some of the most significant cyberattacks in history, we’ll go over the most interesting tactics, techniques, and procedures (TTPs) of the adversaries, mapping them to ATT&CK.
Specifically, we’ll analyze the TTPs of Sednit (a.k.a. APT28), the group reportedly responsible for the Democratic National Committee hack that affected the US 2016 elections, and Telebots (a.k.a. Sandworm), the group behind the first malware-driven electricity blackouts (BlackEnergy and Industroyer) and, the most damaging cyberattack ever (NotPetya).
Finally, we’ll conclude with our analysis of the current threat landscape and trends, and highlight how we anticipate it will shape ATT&CK going forward.
video24. Lessons in Purple Teaming with ATT&CK (Daniel Wyleczuk-Stern, Praetorian; Matt Southworth, Priceline, Booking Holdings)
For the past year, Praetorian and Priceline have been working together to conduct a series of Purple Team exercises to improve Priceline’s Detection and Response. These exercises utilized tactics, techniques, and procedures (TTPs) from the MITRE ATT&CK framework to baseline Priceline’s telemetry and analysis capabilities. Praetorian leveraged their recently released Metasploit Framework fork to rapidly automate basic TTPs before working cooperatively with Priceline for more advanced tests.
Priceline then did the heavy lift of ingesting that data, prioritizing shortcomings, and making strategic and tactical decisions to improve their security program. Through the use of ATT&CK, they were able to trace specific lines of effort back to various TTPs. This traceability helped provide support for various decisions as well as facilitated with prioritization. ATT&CK also provided a common taxonomy when working with vendors when gaps in detection were identified. Finally, ATT&CK helped Priceline track improvements through later rounds of testing to help measure the effectiveness of various improvements.
video25. ATT&CK Updates – CAR and Analytics (Ivan Kirillov, MITRE)
26. Lightning Talk: A Love Song for Heat Maps (Brian Donohue, Red Canary)
How do you decide where to allocate your security resources and budget? Maybe you've got seasoned security professionals making decisions based on experience and intuition, maybe your decisions are driven by insurance or compliance requirements, or maybe they're completely arbitrary. Whatever the case, we can all associate ATT&CK techniques and data sources with the events we prevent, detect, or respond to. This talk will explore how security professionals can turn their internal security data into community intelligence that enumerates the threats that occur most often, enabling us all to establish data-based priorities that guide the way we spend our money and time—whether we’re buying, developing, or selling security tools.
video27. Lightning Talk: Operationalize ATT&CK with Boring Dashboards (Dan Cole, ThreatConnect Inc)
Vendors often showcase dashboards with 3D rotating globes, animated bar graphs, and enough colors to fill a Crayola 64 pack. In this talk, I'll show how a simple dashboard of dull, boring, non-flashy, inanimate DATATABLES can be used (along with ATT&CK and a decent intel requirements process) to help analysts stay focused.
video28. Lightning Talk: MITRE ATT&CK Maturity Model Mappings from In the Field Observations (Stephan Chenette, AttackIQ)
In this lightning talk, I'll present in the field observations of what elements of ATT&CK organizations can put into action at each maturity level of their security program to start or continue to incorporate and operationalize the MITRE ATT&CK framework.
video29. Lightning Talk: ATT&CK Poker (Ivan Ninichuck, Cyber Knights)
30. Lightning Talk: Tracking and measuring your ATT&CK coverage with ATT&CK2Jira (Mauricio Velazco)
31. Lightning Talk: STIX in the Mud (Bryson Bort, SCYTHE)
32. Lightning Talk: ATT&CK, Intelligence, and Micro-Purple Teaming (Emma MacMullan, Federal Reserve)
Intel-driven Purple Teaming can enhance simulated attacks by using ATT&CK to create real-time tactical information on current threat actor behaviors, as well as validate existing detections and identify gaps in coverage. This lightning talk will be a snapshot into an ad-hoc side project that showed you don’t need a big report or a lot of man hours to ask some interesting questions; you just need a little spontaneity, a single TTP, and of course, ATT&CK.
video33. Lightning Talk: #GuardrailsoftheGalaxy: The Prologue (Nick Carr, FireEye)
Providing a quick survey of execution guardrails, environmental keying, and announcing the 2019 nominees for best in-the-wild adversary use of guardrailing.
video34. ATT&CK Updates – PRE Integration (Adam Pennington, MITRE)
35. Closing Remarks (Katie Nickels and Blake Strom, MITRE)
ATT&CK Threat Intelligence Lead Katie Nickels and ATT&CK Lead Blake Strom wrap up the conference and share the results of the ATT&CKcon 2.0 Birds of a Feather sessions.
videoSponsors
Thank you for all the passion and engagement that made ATT&CKcon such a success. Over 250 of you joined us in person at MITRE’s McLean campus for our first ever event that was live streamed to more than 1,000 people at its peak. Our videos have been viewed over 10,000 times already, and there’s a lot of energy around the community to keep improving the ATT&CK framework. Please continue to watch and share these presentations.
Click here to read our blog post about ATT&CKcon 2018!
Presentations
1. Advancing Infosec, Keynote Presentation (John Lambert, Microsoft)
In this presentation at MITRE ATT&CKcon, John Lambert, Distinguished Engineer and General Manager of the Threat Intelligence Center at Microsoft, presents “Advancing InfoSec: Towards an Open, Shareable, Contributor-Friendly Model of Speeding InfoSec Learning.” The talk details a model where infosec know-how is more organized, community sourced, vendor neutral, and shareable by all defenders. It includes a call for the community to publish mappings of ATT&CK techniques used by groups.
video2. How Did We Get Here? (Blake Strom and Richard Struse, MITRE)
Richard Struse, MITRE’s Principal Strategist for Cyber Threat Intelligence, interviews Blake Strom, MITRE’s principal ATT&CK engineer, on how MITRE ATT&CK was developed, its current state, and future direction.
video3. Operationalizing ATT&CK (Bryson Bort, SCYTHE)
4. Summiting the Pyramid of Pain: Operationalizing ATT&CK (Emma MacMullan and Justin Sherenco, General Electric)
Operationalizing the ATT&CK framework has enabled GE to deploy custom detection to evolving threat actor behaviors. By leveraging an in-house developed tool called TIAMAT (Tactical Intelligence Adversary Mapping and Analysis Tool) the ATT&CK framework is incorporated into an end-to-end operational process from intelligence collection to customized detection deployment. The designing of this new operational process is examined, and a use case presented of how examining a historical incident led to a new method of deploying detection based on ATT&CK and the detection of previously undiscovered activity. There is also a demo that walks the audience through the end-to-end process and explains TIAMATs capabilities.
video5. ATT&CK: All the Things (Neelsen Cyrus and David Thompson, USAA)
USAA has utilized the ATT&CK framework as a unique means to map their current detection infrastructure and assess their ability to defend against the most relevant threats to their network. In this presentation they share some lessons learned during their journey with ATT&CK leading to identified best practices for workflow integration through team composition and custom tool development.
video6. Agile Continuous Improvement Using ATT&CK (Matthew Stiak and Jason Sinchak, Level Nine Group)
Organizations implementing SOC/IR with limited resources confront two issues: prioritization and measurement. Any successful SOC/IR implementation must have a robust way to prioritize content development and technology investment, and measurements that reflect the effectiveness of the investments to drive the next round of prioritization. Organizations can maximize their return on investment by using MITRE ATT&CK to focus resources on repeatable behaviors and provide a simple structure to reporting how well the organization can detect, block, or respond to those behaviors. During this talk security testing and operations experts Matt Stiak and Jason Sinchak share their thoughts on how to operationalize a continuous improvement and measurement framework based on MITRE ATT&CK, as well as some early results from their implementation of that framework.
video7. Vendor Panel Discussion (Moderated by Ed Amoroso, TAG Cyber)
Panelists:
- Devon Kerr, Endgame
- Jen Miller-Osborn, Unit 42 at Palo Alto Networks
- Ross Rustici, Cybereason
- Carl Wright, ATTACKIQ
Ed Amoroso moderates a panel that discusses:
- The role of a threat taxonomy in the design of a commercial solution
- How commercial providers keep up with a changing threat landscape
- Stories around the most intriguing threat scenarios or methods seen
- Requirements from commercial clients regarding threat frameworks
8. VCAF: Expanding the ATT&CK Framework to cover VERIS Threat Action Varieties (Alex Pinto, Verizon)
The Vocabulary for Event Recording and Incident Sharing (VERIS) is a set of metrics designed to provide a common language for describing security incidents in a structured and repeatable manner. VERIS has been the base analysis framework for supporting the Verizon Data Breach Investigations Report (DBIR) since its inception. However, as organizations work to interpret the richness of information present on the DBIR to a more tactical level, the Threat Action Varieties available on VERIS fail to capture the detail present on the incidents recorded. This talk presents the Verizon Common Attack Framework (VCAF), an effort from the Security Data Science team and the DBIR team in Verizon to expand and map the ATT&CK framework in alignment with the DBIR Threat Action Varieties to provide this much-sought level of granularity in recording and analyzing recorded breaches. Additionally, this talk describes possible outcomes when this data is available and organized as such. Examples include applying DBIR-inspired attack vector analytics upon ATT&CK layer information, effectively identifying optimal control choke points on the attack graphs according to specific industries covered by the DBIR.
video9. Playing Devil’s Advocate to Security Initiatives with ATT&CK (David Middlehurst, Trustwave)
This talk presents a case study which demonstrates that we should consider the knowledge and wisdom contained within ATT&CK in all organizational security initiatives to make sure by fixing one thing we have not just created an opportunity. The presentation shows how to leverage the analysis and classification of APT tactics and procedures (TTP) to guide research into new and novel techniques, specifically focusing on exfiltration and command and control. DNS over HTTPS (DoH) aims to increase user privacy and security by preventing eavesdropping and manipulation of DNS data by man-in-the-middle attacks. Major web browsers such as Firefox are considering its implementation by default. But what could this possibly mean for exfiltration and command and control? This session provides an end-to-end demo that shows DoH being implemented to provide full command and control in a popular attack simulation framework and discusses associated mitigations.
video10. From Red VS Blue to Red Loves Blue (Olaf Hartong and Vincent Van Mieghem, Deloitte)
This session discusses Deloitte’s purple teaming approach which is using ATT&CK as a guiding principle to help both teams improve. This session shows how this works in a customer scenario, how to scope that scenario, how to plan the scenario and choose the various TTPs to be covered to how we assist the customers blue team in understanding the TTPs and helping them design detective capabilities for them. When the Blue Team is able to connect the dots from offensive activities in the network and what they see in their logs, rewalls, SIEMs, etc. they have the ability to fully understand what adversaries do and what the TTP’s of attackers actually look like if they are active in their network. It’s much easier to find the needle in the haystack if you know there is a needle to find to begin with. Purple teaming is providing this pointy needle, used to accelerate the Blue Team.
video11. Helping Your Non-Security Executives Understand ATT&CK in 10 Minutes or Less (Emily Searle, CrowdStrike)
ATT&CK is an incredibly valuable framework for describing and analyzing what’s happening in your environment. Sometimes security professionals not only need a way to understand, but also need a way to clearly articulate to non-security leadership to gain support and investment in needed resourcing. Using UX design methods, CrowdStrike came up with a mental model and more conversational terms to help anyone quickly parse the big picture.
video12. ATT&CK as a Teacher (Travis Smith, Tripwire)
ATT&CK is valuable for those of us who are heads down in security day in and day out. But what about using ATT&CK to each college interns about security? This presentation details how Tripwire used ATT&CK to build- out a new training regimen for summer interns. By going through and finding quick wins, Tripwire’s interns were actively engaged in learning about security. The detailed break downs of ATT&CK were greatly beneficial in helping teach security concepts to those who were not yet familiar with them. This session shows the program details and how you might be able to adapt it to your requirements.
video13. Detection Philosophy, Evolution & ATT&CK (Fred Stankowski and Travis McWaters, Pepsico)
14. Decision Analysis Applications in Threat Analysis Frameworks (Emily Shawgo, PNC)
In the modern age, all organizations face threats from various types of cyber attacks. Although great strides have been made to consider human factors in cybersecurity and to become more proactive in threat analysis, security is still generally a reactive, technical field. The research presented in this talk seeks to develop a framework which adapts the existing MITRE ATT&CK framework to look at attacks in a less linear, more human-centered framework that focuses on the capabilities and decisions of the threat actor. The framework approaches threat analysis from a binary assessment of success vs. failure in order to see the entire attack and consider the potential for a number of methods and attempts made in a single attack. A detailed methodology and sample charts are included for a reference and a starting point in developing one’s own personalized charts, and recommendations are made for ways to integrate this methodology into the risk management process.
video15. Building an Atomic Testing Program (Brian Beyer, Red Canary)
Red Canary’s applied research team built the Atomic Red Team project based on a simple idea: encourage security teams to test their systems. Leveraging MITRE ATT&CK, the series of small tests can be combined into chains to help teams gain insight into gaps in their security program at all levels. This talk describes how to use Atomic Red Team and how MITRE ATT&CK is leveraged to write the tests.
video16. 5 Ways to Screw Up Your Security Program with ATT&CK (Kyle Rainey, Red Canary)
Over the past year there has been a significant uptick in adoption of MITRE ATT&CK. Adoption of a common language and taxonomy for adversarial tactics and techniques comes with a few unspoken traps. This talk is to bring awareness to the pitfalls of implementing and adopting any variation of MITRE ATT&CK and how you can avoid falling for them.
video17. ATT&CK + OSQuery = Love (Scott Lundgren, Carbon Black)
MITRE ATT&CK is cool and it's open, with a heavy emphasis on how attackers behave on the endpoint. OSQuery is cool and it's open, with a heavy emphasis on endpoint visibility. This talk focuses on an open-source extension to OSQuery that provides a free, repeatable mechanism to identify and detect ATT&CK techniques.
video18. An ATT&CK Review of 200 Hybrid-Analysis Submissions (James Lerud, Verodin)
How can you consistently categorize Techniques a given piece of malware uses? The answer to this question could be provided by sandbox vendors. CrowdStrike has embraced ATT&CK by including Technique detection in their public Hybrid-Analysis reports. This talk reviews the submission results of 100 malicious and 100 benign executables.
video19. From Technique to Detection (Paul Ewing and Ross Wolf, Endgame)
20. Hunters ATT&CKing with the Data (Roberto Rodriguez, SpecterOps; Jose Luis Rodriguez, Student)
With the development of the MITRE ATT&CK framework and its categorization of adversary activity during the attack cycle, understanding what to hunt for has become easier and more efficient than ever. However, organizations are still struggling to understand how they can prioritize the development of hunt hypothesis, assess their current security posture, and develop the right analytics with the help of ATT&CK. Even though there are several ways to utilize ATT&CK to accomplish those goals, there are only a few that are focusing primarily on the data that is currently being collected to drive the success of a hunt program. This presentation shows how organizations can benefit from mapping their current visibility from a data perspective to the ATT&CK framework. It focuses on how to identify, document, standardize and model current available data to enhance a hunt program. It presents an updated ThreatHunter-Playbook, a Kibana ATT&CK dashboard, a new project named Open Source Security Events Metadata known as OSSEM and expands on the “data sources” section already provided by ATT&CK on most of the documented adversarial techniques.
video21. Analyzing Targeted Intrusions Through the Lens of the ATT&CK Framework (Karl Scheuerman, CrowdStrike)
The security community is quickly adopting the MITRE ATT&CK matrix as a framework for understanding and analyzing targeted intrusions. However, one of its potential limitations is a lack of detailed historical intrusion data for developing accurate and thorough ATT&CK-based threat modeling. Crowdstrike’s Falcon OverWatch threat hunting team analyzes adversary behavior on a regular basis. The amount of OverWatch's malicious intrusion data is significant given the valuable telemetry delivered by Falcon's endpoint technology. As a result, CrowdStrike has amassed a rich data library of malicious activity that can be applied to the ATT&CK model. The OverWatch Strategic Counter-Adversary Research (SCAR) team has now evaluated all OverWatch intrusion data since January 1, 2018 through the lens of the ATT&CK framework. This presentation presents these findings and highlights cases of unique adversary TTP use. The results of this analysis will provide a baseline from which CrowdStrike can better identify changes in threat actor TTP trends moving forward. In addition, the presentation discusses limitations in this type of research.
video22. End User Panel Disussion (Moderated by Katie Nickels, MITRE)
Panelists:
- Jon Bagg, Booz Allen Hamilton
- Daniel Bernholz, JPMorgan Chase
- Dave Westgard, Target Corporation
Katie Nickels moderates a panel that discusses:
- What are the best practices and lessons learned for organizations who are just getting started with ATT&CK?
- What has been the most difficult part of implementing ATT&CK? What changes could be made to ATT&CK to make it easier for others in the future?
- Where would you like to see ATT&CK go in the future that would help make it more useful for your team?
- What else haven’t we talked about that you think is important for someone who wants to use ATT&CK to know?
23. Sofacy 2018 and the Adversary Playbook (Robert Falcone, Palo Alto Networks)
Unit 42 researches threat activity and publishes detailed reports on attack campaigns launched by these adversaries. One of these adversaries, known as Sofacy, has been carrying out attack campaigns on high profile targets for many years and has continued into 2018. To understand how to defend against these threats, an analyst has to read our reports, process them and mentally map them to their defenses. In most cases we expect readers just "block" all of the indicators we include in the report and assume they are covered. Last year we started using ATT&CK to codify the techniques we observed, linking those techniques to indicator patterns and encoding them into STIX 2 objects, with the goal of creating something that a defender can use to answer the question: "How am I defending against this adversary?" We call these documents, "Adversary Playbooks" as they contain our best approximation of how the adversary launches their attacks. This talk describes the concept of Adversary Playbooks, as well as provides an overview of the attack campaigns Unit 42 has attributed to the Sofacy group in 2018. It uses the discussed attacks to show how these playbooks are constructed and explain some of the challenges of incorporating ATT&CK and STIX 2 together for this purpose.
video24. From Automation to Analytics: Simulating the Adversary to Create Better Detections (David Herrald and Ryan Kovar, Splunk)
Security teams have more detection tools at their disposal than ever before, yet most are still struggling to find even the most basic malicious activity occurring in their environments. Building effective detection analytics requires realistic data and the ability to iterate quickly in a rapid analytic development cycle. This talk introduces a full lifecycle attack simulation and analytics development environment featuring the MITRE ATT&CK framework and the Atomic Red Team project using Splunk and Splunk Phantom mapped to an imaginary APT group, Taedonggang. It focuses on how security teams can use such a system to rapidly develop and share new detection analytics. Links to all components referenced in the talk are provided, including a cloud-based dataset that can act as a playground for users who want to see the results of the activity.
video