Currently viewing ATT&CK v7.2 which was live between July 8, 2020 and October 26, 2020. Learn more about the versioning system or see the live site.

Presentations

ATT&CK Threat Intelligence Lead Katie Nickels welcomes attendees and introduces the members of the ATT&CK team.

video External site (no slides)

In the keynote from ATT&CKcon 2.0, Toni Gidwani from Google’s Threat Analysis Group presents "The Friends We Made Along the Way." The talk focuses on the purpose of intelligence, to create a decision advantage, and the partnerships that are necessary to achieve that purpose.

video External site slides External site

MITRE ATT&CK Lead Blake Strom updates the community on what’s new in ATT&CK since ATT&CKcon 2018 and some of what to expect in the coming year. This talk includes details on ATT&CK for Cloud, the new Impact Tactic, structured mitigations, and the upcoming shift to sub-techniques.

video External site slides External site

In October 2018, Nationwide began its MITRE ATT&CK journey. Nationwide looked at a number of different approaches to getting started, but it wasn’t until they prioritized efforts based on threat actors likely to target the finance/insurance industry that things started to click. Ultimately, Nationwide focused on 27 high concern threat actors targeting their industry, reducing the overall number of techniques from 240+ to 91. With this manageable chunk of techniques, Nationwide was able to test, analyze, and provide recommendations for improving its detection and mitigation capabilities. Nationwide is continuing to keep threat actor focus at the heart of its ATT&CK efforts, leading to prioritization of remediation actions, integration into penetration testing, and selection of security tools.

video External site slides External site

In a world of limited resources, organizations have to be strategic and meticulous in their planning and selection of security controls, and the MITRE ATT&CK model has become an important piece for categorizing and understanding adversary techniques and contextualizing our own defenses. However, a difficult question still remains: where should organizations start, and how should they prioritize their cybersecurity efforts? Join CIS as we explore our attempt to tackle this problem through the use of our community, content and real-world threat data collected as part of the Multi-State Information Sharing and Analysis Center (MS-ISAC). Participants should look forward to learning how to prioritize their security efforts and leverage the process for their own data and threats.

video External site slides External site

Community members continually ask, should I have detection capabilities across every technique in ATT&CK? This question inevitably leads to the same conclusion that not every technique is alertable and not all of them provide the same value for immediate detection. In this session we’ll discuss the concept of alertable detections using Linux ATT&CK techniques as a case study. We’ll introduce decision criteria we’ve learned through experience to illustrate the challenges, and we’ll recommend specific techniques that work well with an alert-driven workflow.

video External site slides External site

Updates from the ATT&CK Team's very own Jackie Lasky and Sarah Yoder covering Threat Report ATT&CK Mapping (TRAM).

video External site slides External site

It's the year 2019 and the internet has been around long enough to be filled with what seems to be "ancient" data. Digging through, classifying and analyzing everything sometimes makes you feel a lot like Indiana Jones searching for the right clues in a moving puzzle. But how could you move through the caves without getting buried under piles of data rubble? How might anyone revisit and study the data from the past to transform it into actionable information for the present? In this talk we are going to show you how a threat intel Indiana Jones analyst should tackle these issues in order to find the treasure of the Threat Library. We will show you how we used the MITRE ATT&CK Framework as our book of secrets for turning dusty old Internet artifacts into a library of actionable Threat Intelligence.

video External site slides External site

CrowdStrike’s OverWatch threat hunting team has continued to mature in its use of the ATT&CK framework to categorize and track targeted adversary behavior. This presentation will build on our talk from last year’s ATT&CKcon, where we shared tactic/technique trends and unique examples observed in the wild. Since that time, we have taken a number of steps to enhance our usage of ATT&CK, including:

  • Mapping of hunting leads to ATT&CK techniques
  • Based on that mapping, auto-tagging techniques used in any given intrusion observed in our data set
  • For that intrusion, automatically extracting process data to easily create tables of TTP details (“ATT&CK Sightings”)
  • Supplementing automated ATT&CK technique tagging by human analyst reviews
  • Leveraging MISP’s API to build ATT&CK heat maps with an array of filters on demand

By using practices like those outlined above, we have been able to continue building what is likely the most comprehensive and detailed library of targeted intrusion data from the wild that is mapped to ATT&CK. As such, the presentation will also share significant trends and techniques from the intrusions we’ve analyzed over the past year.

video External site (no slides)

The story of one man's crusade to convince the senior management of a Fortune 500 company that security resources were needed beyond the perimeter, and the role ATT&CK played in those decisions. This talk documents the creation and persuasion required to create a successful threat hunting program at an enterprise level, and how the MITRE ATT&CK framework made it possible for one investigator, in his spare time, to prove the program's worth to senior management within one year of its creation.

video External site slides External site

Updates from the ATT&CK Team's very own John Wunder covering ATT&CK Sightings.

video External site slides External site

Today many organizations are using Bro (newly named Zeek) for network security monitoring, as it provides a powerful network analysis framework. This presentation will describe how to leverage Zeek to report on ATT&CK TTPs, raw events and other detectable activities. Key takeaways include how to report on sightings and occurrences of ATT&CK TTPs and events, providing both metrics and gap analysis to inform security operations teams on where their defenses may require improvement.

video External site slides External site

The ATT&CK framework provides a standardized way for organizations to record and share attacker techniques used at each stage in attacker campaigns. Having and sharing this discrete, normalized attacker behavior is great, but these normalized bundles of incident events can also be used to identify areas of improvement in both incident response teams as well as by vendors who provide tools/solutions to triage and manage incidents.

This talk will introduce {attckr}: an R package and application that provides programmatic, command-line, and interactive tools to analyze and visualize incident ATT&CK metrics. Attendees will see real-life (i.e. using real, anonymized incident data) examples of how to look across an ATT&CK incident corpus to identify trends (or outliers), support the development of ATT&CK incident baseline metrics, and develop reports and visualizations to assist in communicating operational performance, threat event frequency & type distributions for risk analysis, and identification of strengths and weaknesses in detection capability.

video External site slides External site

MITRE ATT&CK has quickly become the industry standard for referencing techniques. Although the framework is a great and valuable asset, it is still lacking actionable detail on many levels for most people. I've bridged that gap by building a relatively simple assessment toolkit to visualize your potential coverage from the data already present in your environment, your mitigative measures and your detection content. The toolkit will help you focus your efforts based on your data and your goal.

video External site slides External site

Richard Struse explores the concept of a threat-informed defense and talks about ways of moving the cyber security community forward.

video External site slides External site

State actors, private influence operators and grassroots groups are exploiting the openness and reach of the Internet to manipulate populations at a distance. They are extending a decades-long struggle for “hearts and minds” via propaganda, influence operations and information warfare, often in the form of coordinated incidents that are part of longer-timescale narrative-based campaigns.

The Credibility Coalition is an interdisciplinary community committed to addressing the proliferation and amplification of misinformation online, through transparent and collaborative research. Its MisinfoSec working group develops information security-based standards to promote a more formal and rigorous treatment of 1) detecting misinformation-based attacks and 2) devising methods to protect against misinformation-based attacks. Specifically, we have adapted and extended frameworks used to describe information security incidents, for use in ISACs, ISAOs and other groups sharing misinformation threats and responses.

In this talk, we discuss misinformation and why stage-based frameworks like ATT&CK are appropriate for it. We describe the AMITT (Adversarial Misinformation and Influence Tactics and Techniques) misinformation response framework and its roots in and deliberate compatibility with ATT&CK, its creation, relationships with other models, its components (including ways, means, and ends to achieve influence goals) and potential uses.

video External site slides External site

Attackers keep innovating their TTPs to circumvent established defenses, so gaining insight into attacker innovation is fundamental. Our Twitter feeds are saturated with helpful reports daily, but how does this relate to trends and developments within the threat ecosystem as a whole? Take a step back, relax and get an ATT&CK-based overview of 15 years of TTP evolution to inform your defense.

This presentation will discuss ATT&CK techniques found in 950+ unique Windows malware families as part of an academic research project. With the malware harvested from an unbiased and reputable source, a representative view on 15 years of evolution in the malware field is ensured. For each ATT&CK tactic, the talk provides insight into trends and shifts in real-world adversary behavior. It will also highlight how a malware analysis automation pipeline can introduce biases into your CTI and based on that, best practices on how ATT&CK can be used to ensure CTI accuracy. This entertaining presentation provides practical takeaways that inform and help prioritize your threat defense.

video External site slides External site

Once upon a time there was a security expert with all kinds of ATT&CK data. There were Atomic tests, breach simulations, and metrics abound! Our hero knew he could mold the data to illustrate a story of triumph. He would deliver magnificent slides and graphs with such color and shape that even the dull C-suite would know he was great. This presentation will teach the audience how to torture ATT&CK data until it confesses. Manipulation of ordinal scales, dirty data, playing into biases: nothing is off limits if it makes us look good. Follow the advice here and you will be ready to tell tall tales with ATT&CK… or, for the true hearted, tell boring realistic stories.

video External site slides External site

Updates from the ATT&CK Team's very own Otis Alexander covering ATT&CK for ICS.

video External site slides External site

"How do we collect the right data for the detection of specific adversarial techniques?" That is a very important and common question for organizations planning on leveraging ATT&CK for their defensive strategy. One approach might be reading the data source metadata available for each technique in the ATT&CK framework. That is a good first step, and it is already helping organizations to integrate the framework with their current security controls. However, as you go deeper into the specific recommended data sources per technique, it is very important to understand that not every technique variation requires the same data sources. In addition, there needs to be a way to validate whether what we are collecting aligns with the data analytics being created. In this talk, we will share our current experiences contributing to the "Data Sources" section of the ATT&CK framework and the Cyber Analytics Repository (CAR) project. We will show how to use pre-captured datasets from our open source project named Mordor to expedite simulation of adversarial techniques and validation of data analytics. In addition, we will show how we leverage Jupyter Notebooks to develop and test data analytics from projects like CAR to finish the validation process and provide recommendations.

video External site slides External site

MITRE ATT&CK® is more than a glossary of security terminology that offers us a common language to communicate about threats. While each technique includes a description, it also includes a list of the requisite data sources necessary to observe an adversary leveraging that technique—transforming ATT&CK from a nebulous collection of definitions into a practical tool for improving detection coverage. However, in the same way that you can’t simply build alerts for every technique, you can’t gain access to every data source. How do you effectively prioritize data sources so that you are getting the best returns on your visibility investments?

video External site slides External site

Updates from the ATT&CK Team's very own Mike Long covering controls mapping.

video External site slides External site

As a research-oriented cybersecurity company that regularly discloses detailed analyses of cyberattacks to clients and/or the public, the introduction of MITRE ATT&CK as a common language to describe adversary techniques and tactics was certainly welcome.

We’ll begin our presentation by introducing exactly how and why we started using ATT&CK, providing examples of mappings in our research publications, as well as the role it plays in enhancing our EDR solutions. We’ll also describe our experience with contributing to the ATT&CK knowledge base.

The main part of the talk will be example-driven. Having played a key role in analyzing some of the most significant cyberattacks in history, we’ll go over the most interesting tactics, techniques, and procedures (TTPs) of the adversaries, mapping them to ATT&CK.

Specifically, we’ll analyze the TTPs of Sednit (a.k.a. APT28), the group reportedly responsible for the Democratic National Committee hack that affected the US 2016 elections, and Telebots (a.k.a. Sandworm), the group behind the first malware-driven electricity blackouts (BlackEnergy and Industroyer) and the most damaging cyberattack ever (NotPetya).

Finally, we’ll conclude with our analysis of the current threat landscape and trends, and highlight how we anticipate it will shape ATT&CK going forward.

video External site slides External site

For the past year, Praetorian and Priceline have been working together to conduct a series of Purple Team exercises to improve Priceline’s Detection and Response. These exercises utilized tactics, techniques, and procedures (TTPs) from the MITRE ATT&CK framework to baseline Priceline’s telemetry and analysis capabilities. Praetorian leveraged their recently released Metasploit Framework fork to rapidly automate basic TTPs before working cooperatively with Priceline for more advanced tests.

Priceline then did the heavy lift of ingesting that data, prioritizing shortcomings, and making strategic and tactical decisions to improve their security program. Through the use of ATT&CK, they were able to trace specific lines of effort back to various TTPs. This traceability helped provide support for various decisions as well as facilitating prioritization. ATT&CK also provided a common taxonomy when working with vendors once gaps in detection were identified. Finally, ATT&CK helped Priceline track improvements through later rounds of testing to help measure the effectiveness of various improvements.

video External site slides External site

Updates from the ATT&CK Team's very own Ivan Kirillov covering CAR and analytics.

video External site slides External site

How do you decide where to allocate your security resources and budget? Maybe you've got seasoned security professionals making decisions based on experience and intuition, maybe your decisions are driven by insurance or compliance requirements, or maybe they're completely arbitrary. Whatever the case, we can all associate ATT&CK techniques and data sources with the events we prevent, detect, or respond to. This talk will explore how security professionals can turn their internal security data into community intelligence that enumerates the threats that occur most often, enabling us all to establish data-based priorities that guide the way we spend our money and time—whether we’re buying, developing, or selling security tools.

video External site (no slides)

Vendors often showcase dashboards with 3D rotating globes, animated bar graphs, and enough colors to fill a Crayola 64 pack. In this talk, I'll show how a simple dashboard of dull, boring, non-flashy, inanimate DATATABLES can be used (along with ATT&CK and a decent intel requirements process) to help analysts stay focused.

video External site (no slides)

In this lightning talk, I'll present in-the-field observations of what elements of ATT&CK organizations can put into action at each maturity level of their security program to start or continue to incorporate and operationalize the MITRE ATT&CK framework.

video External site (no slides)

My talk will be a 5 minute introduction to the concept of applying game theory to our use of ATT&CK in predicting adversary actions. I am currently designing a poker style card game along these principles and would like to show off what I have so far.

video External site slides External site

Tracking and measuring coverage against the ATT&CK framework can be a challenging task. This lightning talk will introduce Att&ck2Jira, a tool that leverages Jira and the ATT&CK Navigator to help blue teams automate this effort. No more spreadsheets!

video External site slides External site

CTI today = static solutions of yesterday. STIX currently adequately supports today’s requirements. What if we could operationalize attacks (ATT&CK) with it?

video External site slides External site

Intel-driven Purple Teaming can enhance simulated attacks by using ATT&CK to create real-time tactical information on current threat actor behaviors, as well as validate existing detections and identify gaps in coverage. This lightning talk will be a snapshot into an ad-hoc side project that showed you don’t need a big report or a lot of man hours to ask some interesting questions; you just need a little spontaneity, a single TTP, and of course, ATT&CK.

video External site (no slides)

Providing a quick survey of execution guardrails, environmental keying, and announcing the 2019 nominees for best in-the-wild adversary use of guardrailing.

video External site (no slides)

Updates from the ATT&CK Team's very own Adam Pennington covering PRE-ATT&CK integration.

video External site slides External site

ATT&CK Threat Intelligence Lead Katie Nickels and ATT&CK Lead Blake Strom wrap up the conference and share the results of the ATT&CKcon 2.0 Birds of a Feather sessions.

video External site (no slides)

Sponsors

Thank you for all the passion and engagement that made ATT&CKcon such a success. Over 250 of you joined us in person at MITRE’s McLean campus for our first ever event that was live streamed to more than 1,000 people at its peak. Our videos have been viewed over 10,000 times already, and there’s a lot of energy around the community to keep improving the ATT&CK framework. Please continue to watch and share these presentations.

Read our blog post about ATT&CKcon 2018 (external site).

Presentations

In this presentation at MITRE ATT&CKcon, John Lambert, Distinguished Engineer and General Manager of the Threat Intelligence Center at Microsoft, presents “Advancing InfoSec: Towards an Open, Shareable, Contributor-Friendly Model of Speeding InfoSec Learning.” The talk details a model where infosec know-how is more organized, community sourced, vendor neutral, and shareable by all defenders. It includes a call for the community to publish mappings of ATT&CK techniques used by groups.

video External site slides External site

Richard Struse, MITRE’s Principal Strategist for Cyber Threat Intelligence, interviews Blake Strom, MITRE’s principal ATT&CK engineer, on how MITRE ATT&CK was developed, its current state, and future direction.

video External site (no slides)

How do you turn a theoretical framework into something useful? ATT&CK provides a common language while allowing for the development of sophisticated defenses.

video External site slides External site

Operationalizing the ATT&CK framework has enabled GE to deploy custom detection for evolving threat actor behaviors. By leveraging an in-house developed tool called TIAMAT (Tactical Intelligence Adversary Mapping and Analysis Tool), the ATT&CK framework is incorporated into an end-to-end operational process from intelligence collection to customized detection deployment. The design of this new operational process is examined, and a use case is presented of how examining a historical incident led to a new method of deploying detection based on ATT&CK and to the detection of previously undiscovered activity. There is also a demo that walks the audience through the end-to-end process and explains TIAMAT's capabilities.

video External site slides External site

USAA has utilized the ATT&CK framework as a unique means to map their current detection infrastructure and assess their ability to defend against the most relevant threats to their network. In this presentation they share some lessons learned during their journey with ATT&CK leading to identified best practices for workflow integration through team composition and custom tool development.

video External site slides External site

Organizations implementing SOC/IR with limited resources confront two issues: prioritization and measurement. Any successful SOC/IR implementation must have a robust way to prioritize content development and technology investment, and measurements that reflect the effectiveness of the investments to drive the next round of prioritization. Organizations can maximize their return on investment by using MITRE ATT&CK to focus resources on repeatable behaviors and provide a simple structure to reporting how well the organization can detect, block, or respond to those behaviors. During this talk security testing and operations experts Matt Stiak and Jason Sinchak share their thoughts on how to operationalize a continuous improvement and measurement framework based on MITRE ATT&CK, as well as some early results from their implementation of that framework.

video External site slides External site

Panelists:

  • Devon Kerr, Endgame
  • Jen Miller-Osborn, Unit 42 at Palo Alto Networks
  • Ross Rustici, Cybereason
  • Carl Wright, ATTACKIQ

Ed Amoroso moderates a panel that discusses:

  • The role of a threat taxonomy in the design of a commercial solution
  • How commercial providers keep up with a changing threat landscape
  • Stories around the most intriguing threat scenarios or methods seen
  • Requirements from commercial clients regarding threat frameworks

video External site (no slides)

The Vocabulary for Event Recording and Incident Sharing (VERIS) is a set of metrics designed to provide a common language for describing security incidents in a structured and repeatable manner. VERIS has been the base analysis framework for supporting the Verizon Data Breach Investigations Report (DBIR) since its inception. However, as organizations work to interpret the richness of information present on the DBIR to a more tactical level, the Threat Action Varieties available on VERIS fail to capture the detail present on the incidents recorded. This talk presents the Verizon Common Attack Framework (VCAF), an effort from the Security Data Science team and the DBIR team in Verizon to expand and map the ATT&CK framework in alignment with the DBIR Threat Action Varieties to provide this much-sought level of granularity in recording and analyzing recorded breaches. Additionally, this talk describes possible outcomes when this data is available and organized as such. Examples include applying DBIR-inspired attack vector analytics upon ATT&CK layer information, effectively identifying optimal control choke points on the attack graphs according to specific industries covered by the DBIR.

video External site slides External site

This talk presents a case study which demonstrates that we should consider the knowledge and wisdom contained within ATT&CK in all organizational security initiatives, to make sure that by fixing one thing we have not just created an opportunity. The presentation shows how to leverage the analysis and classification of APT tactics, techniques, and procedures (TTPs) to guide research into new and novel techniques, specifically focusing on exfiltration and command and control. DNS over HTTPS (DoH) aims to increase user privacy and security by preventing eavesdropping and manipulation of DNS data by man-in-the-middle attacks. Major web browsers such as Firefox are considering its implementation by default. But what could this possibly mean for exfiltration and command and control? This session provides an end-to-end demo that shows DoH being implemented to provide full command and control in a popular attack simulation framework and discusses associated mitigations.

video External site slides External site

This session discusses Deloitte’s purple teaming approach, which uses ATT&CK as a guiding principle to help both teams improve. This session shows how this works in a customer scenario: how to scope the scenario, how to plan it and choose the various TTPs to be covered, and how we assist the customer's blue team in understanding the TTPs and help them design detective capabilities for them. When the Blue Team is able to connect the dots between offensive activities in the network and what they see in their logs, firewalls, SIEMs, etc., they have the ability to fully understand what adversaries do and what the TTPs of attackers actually look like if they are active in their network. It’s much easier to find the needle in the haystack if you know there is a needle to find to begin with. Purple teaming provides this pointy needle, used to accelerate the Blue Team.

video External site slides External site

ATT&CK is an incredibly valuable framework for describing and analyzing what’s happening in your environment. Sometimes security professionals not only need a way to understand, but also need a way to clearly articulate to non-security leadership to gain support and investment in needed resourcing. Using UX design methods, CrowdStrike came up with a mental model and more conversational terms to help anyone quickly parse the big picture.

video External site slides External site

ATT&CK is valuable for those of us who are heads down in security day in and day out. But what about using ATT&CK to teach college interns about security? This presentation details how Tripwire used ATT&CK to build out a new training regimen for summer interns. By going through and finding quick wins, Tripwire’s interns were actively engaged in learning about security. The detailed breakdowns of ATT&CK were greatly beneficial in helping teach security concepts to those who were not yet familiar with them. This session shows the program details and how you might be able to adapt it to your requirements.

video External site slides External site

This lightning talk is a brief discussion around how PepsiCo is managing their ‘detection catalog’ and how it maps and is enhanced by the MITRE ATT&CK framework.

video External site slides External site

In the modern age, all organizations face threats from various types of cyber attacks. Although great strides have been made to consider human factors in cybersecurity and to become more proactive in threat analysis, security is still generally a reactive, technical field. The research presented in this talk seeks to develop a framework which adapts the existing MITRE ATT&CK framework to look at attacks in a less linear, more human-centered framework that focuses on the capabilities and decisions of the threat actor. The framework approaches threat analysis from a binary assessment of success vs. failure in order to see the entire attack and consider the potential for a number of methods and attempts made in a single attack. A detailed methodology and sample charts are included for a reference and a starting point in developing one’s own personalized charts, and recommendations are made for ways to integrate this methodology into the risk management process.

video External site slides External site

Red Canary’s applied research team built the Atomic Red Team project based on a simple idea: encourage security teams to test their systems. Leveraging MITRE ATT&CK, the series of small tests can be combined into chains to help teams gain insight into gaps in their security program at all levels. This talk describes how to use Atomic Red Team and how MITRE ATT&CK is leveraged to write the tests.

video External site slides External site

Over the past year there has been a significant uptick in adoption of MITRE ATT&CK. Adoption of a common language and taxonomy for adversarial tactics and techniques comes with a few unspoken traps. This talk is to bring awareness to the pitfalls of implementing and adopting any variation of MITRE ATT&CK and how you can avoid falling for them.

video External site (no slides)

MITRE ATT&CK is cool and it's open, with a heavy emphasis on how attackers behave on the endpoint. OSQuery is cool and it's open, with a heavy emphasis on endpoint visibility. This talk focuses on an open-source extension to OSQuery that provides a free, repeatable mechanism to identify and detect ATT&CK techniques.

video External site slides External site

How can you consistently categorize Techniques a given piece of malware uses? The answer to this question could be provided by sandbox vendors. CrowdStrike has embraced ATT&CK by including Technique detection in their public Hybrid-Analysis reports. This talk reviews the submission results of 100 malicious and 100 benign executables.

video External site slides External site

This session is a practical guide for a rapid prototyping of ATT&CK-based analytics – from technique to detection.

video External site slides External site

With the development of the MITRE ATT&CK framework and its categorization of adversary activity during the attack cycle, understanding what to hunt for has become easier and more efficient than ever. However, organizations are still struggling to understand how they can prioritize the development of hunt hypotheses, assess their current security posture, and develop the right analytics with the help of ATT&CK. Even though there are several ways to utilize ATT&CK to accomplish those goals, there are only a few that focus primarily on the data that is currently being collected to drive the success of a hunt program. This presentation shows how organizations can benefit from mapping their current visibility, from a data perspective, to the ATT&CK framework. It focuses on how to identify, document, standardize and model currently available data to enhance a hunt program. It presents an updated ThreatHunter-Playbook, a Kibana ATT&CK dashboard, and a new project named Open Source Security Events Metadata, known as OSSEM, and expands on the “data sources” section already provided by ATT&CK for most of the documented adversarial techniques.

Video (external site), slides (external site)

The security community is quickly adopting the MITRE ATT&CK matrix as a framework for understanding and analyzing targeted intrusions. However, one of its potential limitations is a lack of detailed historical intrusion data for developing accurate and thorough ATT&CK-based threat modeling. CrowdStrike's Falcon OverWatch threat hunting team analyzes adversary behavior on a regular basis. The amount of OverWatch's malicious intrusion data is significant given the valuable telemetry delivered by Falcon's endpoint technology. As a result, CrowdStrike has amassed a rich data library of malicious activity that can be applied to the ATT&CK model. The OverWatch Strategic Counter-Adversary Research (SCAR) team has now evaluated all OverWatch intrusion data from January 1, 2018 onward through the lens of the ATT&CK framework. This presentation reports these findings and highlights cases of unique adversary TTP use. The results of this analysis provide a baseline from which CrowdStrike can better identify changes in threat actor TTP trends moving forward. In addition, the presentation discusses limitations of this type of research.

Video (external site, no slides)

Panelists:

  • Jon Bagg, Booz Allen Hamilton
  • Daniel Bernholz, JPMorgan Chase
  • Dave Westgard, Target Corporation

Katie Nickels moderates a panel that discusses:

  • What are the best practices and lessons learned for organizations who are just getting started with ATT&CK?
  • What has been the most difficult part of implementing ATT&CK? What changes could be made to ATT&CK to make it easier for others in the future?
  • Where would you like to see ATT&CK go in the future that would help make it more useful for your team?
  • What else haven’t we talked about that you think is important for someone who wants to use ATT&CK to know?

Video (external site, no slides)

Unit 42 researches threat actors and publishes detailed reports on the attack campaigns these adversaries launch. One of these adversaries, known as Sofacy, has been carrying out attack campaigns against high-profile targets for many years and has continued into 2018. To understand how to defend against these threats, an analyst has to read our reports, process them and mentally map them to their defenses. In most cases we expect readers to just "block" all of the indicators we include in the report and assume they are covered. Last year we started using ATT&CK to codify the techniques we observed, linking those techniques to indicator patterns and encoding them into STIX 2 objects, with the goal of creating something that a defender can use to answer the question: "How am I defending against this adversary?" We call these documents "Adversary Playbooks", as they contain our best approximation of how the adversary launches their attacks. This talk describes the concept of Adversary Playbooks and provides an overview of the attack campaigns Unit 42 has attributed to the Sofacy group in 2018. It uses the discussed attacks to show how these playbooks are constructed and to explain some of the challenges of incorporating ATT&CK and STIX 2 together for this purpose.

Video (external site), slides (external site)

Security teams have more detection tools at their disposal than ever before, yet most are still struggling to find even the most basic malicious activity occurring in their environments. Building effective detection analytics requires realistic data and the ability to iterate quickly in a rapid analytic development cycle. This talk introduces a full-lifecycle attack simulation and analytics development environment built on the MITRE ATT&CK framework and the Atomic Red Team project, using Splunk and Splunk Phantom, mapped to an imaginary APT group, Taedonggang. It focuses on how security teams can use such a system to rapidly develop and share new detection analytics. Links to all components referenced in the talk are provided, including a cloud-based dataset that can act as a playground for users who want to see the results of the activity.

Video (external site), slides (external site)

This presentation shows how the use of game theory with the ATT&CK framework can produce better attack and defense strategies.

Video (external site), slides (external site)

Sponsors