SlideShare a Scribd company logo

Introduction to MITRE ATT&CK

Presentation talks about introduction to MITRE ATT&CK Framework, different use cases, pitfalls to take care about.. Talk was delivered @Null Bangalore and @OWASP Bangalore chapter on 15th February 2019.

1 of 31
Download to read offline
1
MITRE ATT&CKTM
FRAMEWORK
Threat
Intelligence
Detection, Analytics
& Hunting
f
Assessment
& Engineering
L
Threat
Emulation
L
G
ARPAN RAVAL
null Bangalore & OWASP Bangalore Meet
28th March 2020
WHOAMI
❖Arpan Raval
❖Senior Threat Analyst @Optiv Inc
❖DFIR and Threat Hunting
❖Twitter @arpanrvl
❖https://www.linkedin.com/in/arpanraval
Software
p
i
CAR
s
Threat
Actors
Y
ATT&CK
MATRICES
PRE
ATT&CK
MITRE
Software
observed in
adversary
behavior
Adversaries
observed in
cyber
Knowledgebase
of developed
analytics
Observed
TTPs
MITRE ATT&CKTM
▪MITRE
•R&D focused, federally funded non-profit org
▪ATT&CK
•Knowledge base of adversary’s behaviors collected based on real
world observations and attacks
•Describes and Categorize adversarial behavioral in different phases
of attack cycle.
•Common Language
CHALLENGING
ANNOYING
TOUGH!
TRIVIAL
PYRAMID OF PAIN
Courtesy David J Bianco
TOOLS
TTP
SIMPLE
EASY
6
Tactical
Behavioral
▪ Reactive Indicators of
Compromise
▪ Doesn’t work for
malware-free
intrusions
▪ Point in time artifacts
▪ Proactive Indicators of
Attack
▪ Defined by adversary's
behavior
▪ Real time
https://www.crowdstrike.com/blog/indicators-attack-vs-indicators-compromise/
Ad

Recommended

How MITRE ATT&CK helps security operations
How MITRE ATT&CK helps security operationsHow MITRE ATT&CK helps security operations
How MITRE ATT&CK helps security operationsSergey Soldatov
 
MITRE ATT&CK framework
MITRE ATT&CK frameworkMITRE ATT&CK framework
MITRE ATT&CK frameworkBhushan Gurav
 
Mapping to MITRE ATT&CK: Enhancing Operations Through the Tracking of Interac...
Mapping to MITRE ATT&CK: Enhancing Operations Through the Tracking of Interac...Mapping to MITRE ATT&CK: Enhancing Operations Through the Tracking of Interac...
Mapping to MITRE ATT&CK: Enhancing Operations Through the Tracking of Interac...MITRE ATT&CK
 
When Insiders ATT&CK!
When Insiders ATT&CK!When Insiders ATT&CK!
When Insiders ATT&CK!MITRE ATT&CK
 
Mapping ATT&CK Techniques to ENGAGE Activities
Mapping ATT&CK Techniques to ENGAGE ActivitiesMapping ATT&CK Techniques to ENGAGE Activities
Mapping ATT&CK Techniques to ENGAGE ActivitiesMITRE ATT&CK
 
Cyber Threat hunting workshop
Cyber Threat hunting workshopCyber Threat hunting workshop
Cyber Threat hunting workshopArpan Raval
 

More Related Content

What's hot

No Easy Breach DerbyCon 2016
No Easy Breach DerbyCon 2016No Easy Breach DerbyCon 2016
No Easy Breach DerbyCon 2016Matthew Dunwoody
 
Cyber Threat Intelligence
Cyber Threat IntelligenceCyber Threat Intelligence
Cyber Threat IntelligenceMarlabs
 
ATT&CK Updates- Defensive ATT&CK
ATT&CK Updates- Defensive ATT&CKATT&CK Updates- Defensive ATT&CK
ATT&CK Updates- Defensive ATT&CKMITRE ATT&CK
 
Putting MITRE ATT&CK into Action with What You Have, Where You Are
Putting MITRE ATT&CK into Action with What You Have, Where You ArePutting MITRE ATT&CK into Action with What You Have, Where You Are
Putting MITRE ATT&CK into Action with What You Have, Where You AreKatie Nickels
 
ATT&CK Updates- ATT&CK for ICS
ATT&CK Updates- ATT&CK for ICSATT&CK Updates- ATT&CK for ICS
ATT&CK Updates- ATT&CK for ICSMITRE ATT&CK
 
Leveraging MITRE ATT&CK - Speaking the Common Language
Leveraging MITRE ATT&CK - Speaking the Common LanguageLeveraging MITRE ATT&CK - Speaking the Common Language
Leveraging MITRE ATT&CK - Speaking the Common LanguageErik Van Buggenhout
 
It's just a jump to the left (of boom): Prioritizing detection implementation...
It's just a jump to the left (of boom): Prioritizing detection implementation...It's just a jump to the left (of boom): Prioritizing detection implementation...
It's just a jump to the left (of boom): Prioritizing detection implementation...MITRE ATT&CK
 
Cyber Threat Intelligence
Cyber Threat IntelligenceCyber Threat Intelligence
Cyber Threat Intelligencemohamed nasri
 
State of the ATT&CK
State of the ATT&CKState of the ATT&CK
State of the ATT&CKMITRE ATT&CK
 
Threat Hunting
Threat HuntingThreat Hunting
Threat HuntingSplunk
 
MITRE ATT&CKcon 2018: Hunters ATT&CKing with the Data, Roberto Rodriguez, Spe...
MITRE ATT&CKcon 2018: Hunters ATT&CKing with the Data, Roberto Rodriguez, Spe...MITRE ATT&CKcon 2018: Hunters ATT&CKing with the Data, Roberto Rodriguez, Spe...
MITRE ATT&CKcon 2018: Hunters ATT&CKing with the Data, Roberto Rodriguez, Spe...MITRE - ATT&CKcon
 
MITRE AttACK framework it is time you took notice_v1.0
MITRE AttACK framework it is time you took notice_v1.0MITRE AttACK framework it is time you took notice_v1.0
MITRE AttACK framework it is time you took notice_v1.0Michael Gough
 
Threat Hunting Procedures and Measurement Matrice
Threat Hunting Procedures and Measurement MatriceThreat Hunting Procedures and Measurement Matrice
Threat Hunting Procedures and Measurement MatriceVishal Kumar
 
Security Information and Event Management (SIEM)
Security Information and Event Management (SIEM)Security Information and Event Management (SIEM)
Security Information and Event Management (SIEM)k33a
 
Intelligence Failures of Lincolns Top Spies: What CTI Analysts Can Learn Fro...
 Intelligence Failures of Lincolns Top Spies: What CTI Analysts Can Learn Fro... Intelligence Failures of Lincolns Top Spies: What CTI Analysts Can Learn Fro...
Intelligence Failures of Lincolns Top Spies: What CTI Analysts Can Learn Fro...MITRE ATT&CK
 
The Next Generation of Security Operations Centre (SOC)
The Next Generation of Security Operations Centre (SOC)The Next Generation of Security Operations Centre (SOC)
The Next Generation of Security Operations Centre (SOC)PECB
 
ATT&CKing the Red/Blue Divide
ATT&CKing the Red/Blue DivideATT&CKing the Red/Blue Divide
ATT&CKing the Red/Blue DivideMITRE ATT&CK
 

What's hot (20)

No Easy Breach DerbyCon 2016
No Easy Breach DerbyCon 2016No Easy Breach DerbyCon 2016
No Easy Breach DerbyCon 2016
 
Breach and attack simulation tools
Breach and attack simulation toolsBreach and attack simulation tools
Breach and attack simulation tools
 
Cyber Threat Intelligence
Cyber Threat IntelligenceCyber Threat Intelligence
Cyber Threat Intelligence
 
ATT&CK Updates- Defensive ATT&CK
ATT&CK Updates- Defensive ATT&CKATT&CK Updates- Defensive ATT&CK
ATT&CK Updates- Defensive ATT&CK
 
Putting MITRE ATT&CK into Action with What You Have, Where You Are
Putting MITRE ATT&CK into Action with What You Have, Where You ArePutting MITRE ATT&CK into Action with What You Have, Where You Are
Putting MITRE ATT&CK into Action with What You Have, Where You Are
 
ATT&CK Updates- ATT&CK for ICS
ATT&CK Updates- ATT&CK for ICSATT&CK Updates- ATT&CK for ICS
ATT&CK Updates- ATT&CK for ICS
 
Leveraging MITRE ATT&CK - Speaking the Common Language
Leveraging MITRE ATT&CK - Speaking the Common LanguageLeveraging MITRE ATT&CK - Speaking the Common Language
Leveraging MITRE ATT&CK - Speaking the Common Language
 
It's just a jump to the left (of boom): Prioritizing detection implementation...
It's just a jump to the left (of boom): Prioritizing detection implementation...It's just a jump to the left (of boom): Prioritizing detection implementation...
It's just a jump to the left (of boom): Prioritizing detection implementation...
 
Cyber Threat Intelligence
Cyber Threat IntelligenceCyber Threat Intelligence
Cyber Threat Intelligence
 
Threat Intelligence
Threat IntelligenceThreat Intelligence
Threat Intelligence
 
State of the ATT&CK
State of the ATT&CKState of the ATT&CK
State of the ATT&CK
 
Threat Hunting
Threat HuntingThreat Hunting
Threat Hunting
 
MITRE ATT&CKcon 2018: Hunters ATT&CKing with the Data, Roberto Rodriguez, Spe...
MITRE ATT&CKcon 2018: Hunters ATT&CKing with the Data, Roberto Rodriguez, Spe...MITRE ATT&CKcon 2018: Hunters ATT&CKing with the Data, Roberto Rodriguez, Spe...
MITRE ATT&CKcon 2018: Hunters ATT&CKing with the Data, Roberto Rodriguez, Spe...
 
MITRE AttACK framework it is time you took notice_v1.0
MITRE AttACK framework it is time you took notice_v1.0MITRE AttACK framework it is time you took notice_v1.0
MITRE AttACK framework it is time you took notice_v1.0
 
Threat Hunting Procedures and Measurement Matrice
Threat Hunting Procedures and Measurement MatriceThreat Hunting Procedures and Measurement Matrice
Threat Hunting Procedures and Measurement Matrice
 
Security Information and Event Management (SIEM)
Security Information and Event Management (SIEM)Security Information and Event Management (SIEM)
Security Information and Event Management (SIEM)
 
Intelligence Failures of Lincolns Top Spies: What CTI Analysts Can Learn Fro...
 Intelligence Failures of Lincolns Top Spies: What CTI Analysts Can Learn Fro... Intelligence Failures of Lincolns Top Spies: What CTI Analysts Can Learn Fro...
Intelligence Failures of Lincolns Top Spies: What CTI Analysts Can Learn Fro...
 
Global Cyber Threat Intelligence
Global Cyber Threat IntelligenceGlobal Cyber Threat Intelligence
Global Cyber Threat Intelligence
 
The Next Generation of Security Operations Centre (SOC)
The Next Generation of Security Operations Centre (SOC)The Next Generation of Security Operations Centre (SOC)
The Next Generation of Security Operations Centre (SOC)
 
ATT&CKing the Red/Blue Divide
ATT&CKing the Red/Blue DivideATT&CKing the Red/Blue Divide
ATT&CKing the Red/Blue Divide
 

Similar to Introduction to MITRE ATT&CK

(SACON) Wasim Halani & Arpan Raval - Practical Threat Hunting - Developing an...
(SACON) Wasim Halani & Arpan Raval - Practical Threat Hunting - Developing an...(SACON) Wasim Halani & Arpan Raval - Practical Threat Hunting - Developing an...
(SACON) Wasim Halani & Arpan Raval - Practical Threat Hunting - Developing an...Priyanka Aash
 
Anomali Detect 19 - Nickels & Pennington - Turning Intelligence into Action w...
Anomali Detect 19 - Nickels & Pennington - Turning Intelligence into Action w...Anomali Detect 19 - Nickels & Pennington - Turning Intelligence into Action w...
Anomali Detect 19 - Nickels & Pennington - Turning Intelligence into Action w...Adam Pennington
 
MITRE_ATTACK_Enterprise_11x17.pdf
MITRE_ATTACK_Enterprise_11x17.pdfMITRE_ATTACK_Enterprise_11x17.pdf
MITRE_ATTACK_Enterprise_11x17.pdfAisyiFree
 
Threat-Based Adversary Emulation with MITRE ATT&CK
Threat-Based Adversary Emulation with MITRE ATT&CKThreat-Based Adversary Emulation with MITRE ATT&CK
Threat-Based Adversary Emulation with MITRE ATT&CKKatie Nickels
 
Slideshare.net rh-isac summit 2019 - adam pennington - leveraging mitre at ta...
Slideshare.net rh-isac summit 2019 - adam pennington - leveraging mitre at ta...Slideshare.net rh-isac summit 2019 - adam pennington - leveraging mitre at ta...
Slideshare.net rh-isac summit 2019 - adam pennington - leveraging mitre at ta...Robert Brandel
 
Adversary Emulation and Red Team Exercises - EDUCAUSE
Adversary Emulation and Red Team Exercises - EDUCAUSEAdversary Emulation and Red Team Exercises - EDUCAUSE
Adversary Emulation and Red Team Exercises - EDUCAUSEJorge Orchilles
 
Getting Bear-y Cozy with PowerShell
Getting Bear-y Cozy with PowerShellGetting Bear-y Cozy with PowerShell
Getting Bear-y Cozy with PowerShellJamieWilliams130
 
Update from the MITRE ATT&CK Team
Update from the MITRE ATT&CK TeamUpdate from the MITRE ATT&CK Team
Update from the MITRE ATT&CK TeamAdam Pennington
 
BSidesLV 2018 - Katie Nickels and John Wunder - ATT&CKing the Status Quo
BSidesLV 2018 - Katie Nickels and John Wunder - ATT&CKing the Status QuoBSidesLV 2018 - Katie Nickels and John Wunder - ATT&CKing the Status Quo
BSidesLV 2018 - Katie Nickels and John Wunder - ATT&CKing the Status QuoKatie Nickels
 
Adversary Emulation - DerpCon
Adversary Emulation - DerpConAdversary Emulation - DerpCon
Adversary Emulation - DerpConJorge Orchilles
 
Evolution of Offensive Testing - ATT&CK-based Adversary Emulation Plans
Evolution of Offensive Testing - ATT&CK-based Adversary Emulation PlansEvolution of Offensive Testing - ATT&CK-based Adversary Emulation Plans
Evolution of Offensive Testing - ATT&CK-based Adversary Emulation PlansChristopher Korban
 
How to protect your corporate from advanced attacks
How to protect your corporate from advanced attacksHow to protect your corporate from advanced attacks
How to protect your corporate from advanced attacksMicrosoft
 
Defend Your Data Now with the MITRE ATT&CK Framework
Defend Your Data Now with the MITRE ATT&CK FrameworkDefend Your Data Now with the MITRE ATT&CK Framework
Defend Your Data Now with the MITRE ATT&CK FrameworkTripwire
 
Hunting for Cyber Threats Using Threat Modeling & Frameworks
Hunting for Cyber Threats Using Threat Modeling & Frameworks Hunting for Cyber Threats Using Threat Modeling & Frameworks
Hunting for Cyber Threats Using Threat Modeling & Frameworks Tripwire
 
CSF18 - Incident Response in the Cloud - Yuri Diogenes
CSF18 - Incident Response in the Cloud - Yuri DiogenesCSF18 - Incident Response in the Cloud - Yuri Diogenes
CSF18 - Incident Response in the Cloud - Yuri DiogenesNCCOMMS
 
Achieving Defendable Architectures Via Threat Driven Methodologies
Achieving Defendable Architectures Via Threat Driven MethodologiesAchieving Defendable Architectures Via Threat Driven Methodologies
Achieving Defendable Architectures Via Threat Driven MethodologiesPriyanka Aash
 
Which Came First: The Phish or the Opportunity to Defend Against It
Which Came First: The Phish or the Opportunity to Defend Against ItWhich Came First: The Phish or the Opportunity to Defend Against It
Which Came First: The Phish or the Opportunity to Defend Against ItJamieWilliams130
 
RH-ISAC Summit 2019 - Adam Pennington - Leveraging MITRE ATT&CK™ for Detectio...
RH-ISAC Summit 2019 - Adam Pennington - Leveraging MITRE ATT&CK™ for Detectio...RH-ISAC Summit 2019 - Adam Pennington - Leveraging MITRE ATT&CK™ for Detectio...
RH-ISAC Summit 2019 - Adam Pennington - Leveraging MITRE ATT&CK™ for Detectio...Adam Pennington
 
Pennington - Defending Against Targeted Ransomware with MITRE ATT&CK
Pennington - Defending Against Targeted Ransomware with MITRE ATT&CKPennington - Defending Against Targeted Ransomware with MITRE ATT&CK
Pennington - Defending Against Targeted Ransomware with MITRE ATT&CKAdam Pennington
 
Understanding Application Threat Modelling & Architecture
 Understanding Application Threat Modelling & Architecture Understanding Application Threat Modelling & Architecture
Understanding Application Threat Modelling & ArchitecturePriyanka Aash
 

Similar to Introduction to MITRE ATT&CK (20)

(SACON) Wasim Halani & Arpan Raval - Practical Threat Hunting - Developing an...
(SACON) Wasim Halani & Arpan Raval - Practical Threat Hunting - Developing an...(SACON) Wasim Halani & Arpan Raval - Practical Threat Hunting - Developing an...
(SACON) Wasim Halani & Arpan Raval - Practical Threat Hunting - Developing an...
 
Anomali Detect 19 - Nickels & Pennington - Turning Intelligence into Action w...
Anomali Detect 19 - Nickels & Pennington - Turning Intelligence into Action w...Anomali Detect 19 - Nickels & Pennington - Turning Intelligence into Action w...
Anomali Detect 19 - Nickels & Pennington - Turning Intelligence into Action w...
 
MITRE_ATTACK_Enterprise_11x17.pdf
MITRE_ATTACK_Enterprise_11x17.pdfMITRE_ATTACK_Enterprise_11x17.pdf
MITRE_ATTACK_Enterprise_11x17.pdf
 
Threat-Based Adversary Emulation with MITRE ATT&CK
Threat-Based Adversary Emulation with MITRE ATT&CKThreat-Based Adversary Emulation with MITRE ATT&CK
Threat-Based Adversary Emulation with MITRE ATT&CK
 
Slideshare.net rh-isac summit 2019 - adam pennington - leveraging mitre at ta...
Slideshare.net rh-isac summit 2019 - adam pennington - leveraging mitre at ta...Slideshare.net rh-isac summit 2019 - adam pennington - leveraging mitre at ta...
Slideshare.net rh-isac summit 2019 - adam pennington - leveraging mitre at ta...
 
Adversary Emulation and Red Team Exercises - EDUCAUSE
Adversary Emulation and Red Team Exercises - EDUCAUSEAdversary Emulation and Red Team Exercises - EDUCAUSE
Adversary Emulation and Red Team Exercises - EDUCAUSE
 
Getting Bear-y Cozy with PowerShell
Getting Bear-y Cozy with PowerShellGetting Bear-y Cozy with PowerShell
Getting Bear-y Cozy with PowerShell
 
Update from the MITRE ATT&CK Team
Update from the MITRE ATT&CK TeamUpdate from the MITRE ATT&CK Team
Update from the MITRE ATT&CK Team
 
BSidesLV 2018 - Katie Nickels and John Wunder - ATT&CKing the Status Quo
BSidesLV 2018 - Katie Nickels and John Wunder - ATT&CKing the Status QuoBSidesLV 2018 - Katie Nickels and John Wunder - ATT&CKing the Status Quo
BSidesLV 2018 - Katie Nickels and John Wunder - ATT&CKing the Status Quo
 
Adversary Emulation - DerpCon
Adversary Emulation - DerpConAdversary Emulation - DerpCon
Adversary Emulation - DerpCon
 
Evolution of Offensive Testing - ATT&CK-based Adversary Emulation Plans
Evolution of Offensive Testing - ATT&CK-based Adversary Emulation PlansEvolution of Offensive Testing - ATT&CK-based Adversary Emulation Plans
Evolution of Offensive Testing - ATT&CK-based Adversary Emulation Plans
 
How to protect your corporate from advanced attacks
How to protect your corporate from advanced attacksHow to protect your corporate from advanced attacks
How to protect your corporate from advanced attacks
 
Defend Your Data Now with the MITRE ATT&CK Framework
Defend Your Data Now with the MITRE ATT&CK FrameworkDefend Your Data Now with the MITRE ATT&CK Framework
Defend Your Data Now with the MITRE ATT&CK Framework
 
Hunting for Cyber Threats Using Threat Modeling & Frameworks
Hunting for Cyber Threats Using Threat Modeling & Frameworks Hunting for Cyber Threats Using Threat Modeling & Frameworks
Hunting for Cyber Threats Using Threat Modeling & Frameworks
 
CSF18 - Incident Response in the Cloud - Yuri Diogenes
CSF18 - Incident Response in the Cloud - Yuri DiogenesCSF18 - Incident Response in the Cloud - Yuri Diogenes
CSF18 - Incident Response in the Cloud - Yuri Diogenes
 
Achieving Defendable Architectures Via Threat Driven Methodologies
Achieving Defendable Architectures Via Threat Driven MethodologiesAchieving Defendable Architectures Via Threat Driven Methodologies
Achieving Defendable Architectures Via Threat Driven Methodologies
 
Which Came First: The Phish or the Opportunity to Defend Against It
Which Came First: The Phish or the Opportunity to Defend Against ItWhich Came First: The Phish or the Opportunity to Defend Against It
Which Came First: The Phish or the Opportunity to Defend Against It
 
RH-ISAC Summit 2019 - Adam Pennington - Leveraging MITRE ATT&CK™ for Detectio...
RH-ISAC Summit 2019 - Adam Pennington - Leveraging MITRE ATT&CK™ for Detectio...RH-ISAC Summit 2019 - Adam Pennington - Leveraging MITRE ATT&CK™ for Detectio...
RH-ISAC Summit 2019 - Adam Pennington - Leveraging MITRE ATT&CK™ for Detectio...
 
Pennington - Defending Against Targeted Ransomware with MITRE ATT&CK
Pennington - Defending Against Targeted Ransomware with MITRE ATT&CKPennington - Defending Against Targeted Ransomware with MITRE ATT&CK
Pennington - Defending Against Targeted Ransomware with MITRE ATT&CK
 
Understanding Application Threat Modelling & Architecture
 Understanding Application Threat Modelling & Architecture Understanding Application Threat Modelling & Architecture
Understanding Application Threat Modelling & Architecture
 

Recently uploaded

SABARI PRIYAN's self introduction as reference
SABARI PRIYAN's self introduction as referenceSABARI PRIYAN's self introduction as reference
SABARI PRIYAN's self introduction as referencepriyansabari355
 
Soil Health Policy Map Years 2020 to 2023
Soil Health Policy Map Years 2020 to 2023Soil Health Policy Map Years 2020 to 2023
Soil Health Policy Map Years 2020 to 2023stephizcoolio
 
IIBA Adl - Being Effective on Day 1 - Slide Deck.pdf
IIBA Adl - Being Effective on Day 1 - Slide Deck.pdfIIBA Adl - Being Effective on Day 1 - Slide Deck.pdf
IIBA Adl - Being Effective on Day 1 - Slide Deck.pdfAustraliaChapterIIBA
 
data analytics and tools from in2inglobal.pdf
data analytics  and tools from in2inglobal.pdfdata analytics  and tools from in2inglobal.pdf
data analytics and tools from in2inglobal.pdfdigimartfamily
 
Big Data - large Scale data (Amazon, FB)
Big Data - large Scale data (Amazon, FB)Big Data - large Scale data (Amazon, FB)
Big Data - large Scale data (Amazon, FB)CUO VEERANAN VEERANAN
 
AWS Identity and access management for users
AWS Identity and access management for usersAWS Identity and access management for users
AWS Identity and access management for usersStephenEfange3
 
Artificial Intelligence and its Impact on Society.pptx
Artificial Intelligence and its Impact on Society.pptxArtificial Intelligence and its Impact on Society.pptx
Artificial Intelligence and its Impact on Society.pptxVighnesh Shashtri
 
SABARI PRIYAN's self introduction as a reference
SABARI PRIYAN's self introduction as a referenceSABARI PRIYAN's self introduction as a reference
SABARI PRIYAN's self introduction as a referencepriyansabari355
 
Operations Data On Mobile - inSis Mobile App - Sample Screens
Operations Data On Mobile - inSis Mobile App - Sample ScreensOperations Data On Mobile - inSis Mobile App - Sample Screens
Operations Data On Mobile - inSis Mobile App - Sample ScreensKondapi V Siva Rama Brahmam
 
Industry 4.0 in IoT Transforming the Future.pptx
Industry 4.0 in IoT Transforming the Future.pptxIndustry 4.0 in IoT Transforming the Future.pptx
Industry 4.0 in IoT Transforming the Future.pptxMdRafiqulIslam403212
 
Web 3.0 in Data Privacy and Security | Data Privacy |Blockchain Security| Cyb...
Web 3.0 in Data Privacy and Security | Data Privacy |Blockchain Security| Cyb...Web 3.0 in Data Privacy and Security | Data Privacy |Blockchain Security| Cyb...
Web 3.0 in Data Privacy and Security | Data Privacy |Blockchain Security| Cyb...Cyber Security Experts
 
A Gentle Introduction to Text Analysis :)
A Gentle Introduction to Text Analysis :)A Gentle Introduction to Text Analysis :)
A Gentle Introduction to Text Analysis :)UNCResearchHub
 
Oppotus - Malaysians on Malaysia 4Q 2023.pdf
Oppotus - Malaysians on Malaysia 4Q 2023.pdfOppotus - Malaysians on Malaysia 4Q 2023.pdf
Oppotus - Malaysians on Malaysia 4Q 2023.pdfOppotus
 
Generative AI Rennes Meetup with OVHcloud - WAICF highlights & how to deploy ...
Generative AI Rennes Meetup with OVHcloud - WAICF highlights & how to deploy ...Generative AI Rennes Meetup with OVHcloud - WAICF highlights & how to deploy ...
Generative AI Rennes Meetup with OVHcloud - WAICF highlights & how to deploy ...Thibaud Le Douarin
 
Lies and Myths in InfoSec - 2023 Usenix Enigma
Lies and Myths in InfoSec - 2023 Usenix EnigmaLies and Myths in InfoSec - 2023 Usenix Enigma
Lies and Myths in InfoSec - 2023 Usenix EnigmaAdrian Sanabria
 

Recently uploaded (17)

SABARI PRIYAN's self introduction as reference
SABARI PRIYAN's self introduction as referenceSABARI PRIYAN's self introduction as reference
SABARI PRIYAN's self introduction as reference
 
Soil Health Policy Map Years 2020 to 2023
Soil Health Policy Map Years 2020 to 2023Soil Health Policy Map Years 2020 to 2023
Soil Health Policy Map Years 2020 to 2023
 
IIBA Adl - Being Effective on Day 1 - Slide Deck.pdf
IIBA Adl - Being Effective on Day 1 - Slide Deck.pdfIIBA Adl - Being Effective on Day 1 - Slide Deck.pdf
IIBA Adl - Being Effective on Day 1 - Slide Deck.pdf
 
data analytics and tools from in2inglobal.pdf
data analytics  and tools from in2inglobal.pdfdata analytics  and tools from in2inglobal.pdf
data analytics and tools from in2inglobal.pdf
 
Big Data - large Scale data (Amazon, FB)
Big Data - large Scale data (Amazon, FB)Big Data - large Scale data (Amazon, FB)
Big Data - large Scale data (Amazon, FB)
 
AWS Identity and access management for users
AWS Identity and access management for usersAWS Identity and access management for users
AWS Identity and access management for users
 
Artificial Intelligence and its Impact on Society.pptx
Artificial Intelligence and its Impact on Society.pptxArtificial Intelligence and its Impact on Society.pptx
Artificial Intelligence and its Impact on Society.pptx
 
2.pptx
2.pptx2.pptx
2.pptx
 
SABARI PRIYAN's self introduction as a reference
SABARI PRIYAN's self introduction as a referenceSABARI PRIYAN's self introduction as a reference
SABARI PRIYAN's self introduction as a reference
 
Operations Data On Mobile - inSis Mobile App - Sample Screens
Operations Data On Mobile - inSis Mobile App - Sample ScreensOperations Data On Mobile - inSis Mobile App - Sample Screens
Operations Data On Mobile - inSis Mobile App - Sample Screens
 
Industry 4.0 in IoT Transforming the Future.pptx
Industry 4.0 in IoT Transforming the Future.pptxIndustry 4.0 in IoT Transforming the Future.pptx
Industry 4.0 in IoT Transforming the Future.pptx
 
Web 3.0 in Data Privacy and Security | Data Privacy |Blockchain Security| Cyb...
Web 3.0 in Data Privacy and Security | Data Privacy |Blockchain Security| Cyb...Web 3.0 in Data Privacy and Security | Data Privacy |Blockchain Security| Cyb...
Web 3.0 in Data Privacy and Security | Data Privacy |Blockchain Security| Cyb...
 
A Gentle Introduction to Text Analysis :)
A Gentle Introduction to Text Analysis :)A Gentle Introduction to Text Analysis :)
A Gentle Introduction to Text Analysis :)
 
Oppotus - Malaysians on Malaysia 4Q 2023.pdf
Oppotus - Malaysians on Malaysia 4Q 2023.pdfOppotus - Malaysians on Malaysia 4Q 2023.pdf
Oppotus - Malaysians on Malaysia 4Q 2023.pdf
 
Generative AI Rennes Meetup with OVHcloud - WAICF highlights & how to deploy ...
Generative AI Rennes Meetup with OVHcloud - WAICF highlights & how to deploy ...Generative AI Rennes Meetup with OVHcloud - WAICF highlights & how to deploy ...
Generative AI Rennes Meetup with OVHcloud - WAICF highlights & how to deploy ...
 
Lies and Myths in InfoSec - 2023 Usenix Enigma
Lies and Myths in InfoSec - 2023 Usenix EnigmaLies and Myths in InfoSec - 2023 Usenix Enigma
Lies and Myths in InfoSec - 2023 Usenix Enigma
 
Electricity Year 2023_updated_22022024.pptx
Electricity Year 2023_updated_22022024.pptxElectricity Year 2023_updated_22022024.pptx
Electricity Year 2023_updated_22022024.pptx
 

Introduction to MITRE ATT&CK

  • 1. 1 MITRE ATT&CKTM FRAMEWORK Threat Intelligence Detection, Analytics & Hunting f Assessment & Engineering L Threat Emulation L G ARPAN RAVAL null Bangalore & OWASP Bangalore Meet 28th March 2020
  • 2. WHOAMI ❖Arpan Raval ❖Senior Threat Analyst @Optiv Inc ❖DFIR and Threat Hunting ❖Twitter @arpanrvl ❖https://www.linkedin.com/in/arpanraval
  • 4. MITRE ATT&CKTM ▪MITRE •R&D focused, federally funded non-profit org ▪ATT&CK •Knowledge base of adversary’s behaviors collected based on real world observations and attacks •Describes and Categorize adversarial behavioral in different phases of attack cycle. •Common Language
  • 6. 6 Tactical Behavioral ▪ Reactive Indicators of Compromise ▪ Doesn’t work for malware-free intrusions ▪ Point in time artifacts ▪ Proactive Indicators of Attack ▪ Defined by adversary's behavior ▪ Real time https://www.crowdstrike.com/blog/indicators-attack-vs-indicators-compromise/
  • 7. Matrix Tactic Enterprise 12 Mobile 13 ICS 11 Enterprise Mobile ICS Initial Access Initial Access Collection Execution Persistence Command and Control Persistence Privilege Escalation Discovery Privilege Escalation Defense Evasion Evasion Defense Evasion Credential Access Execution Credential Access Discovery Impact Discovery Lateral Movement Impair Process Control Lateral Movement Impact Inhibit Response Function Collection Collection Initial Access Command and Control Exfiltration Lateral Movement Exfiltration Command and Control Persistence Impact Network Effects Remote Service Effects MITRE Explained: Tactic 7 ▪Answers Why? for adversary’s actions. ▪Adversary’s objective behind an action ▪Represented by Columns in MITRE ATT&CK Matrix Example An adversary want to achieve credential access.
  • 8. MITRE Explained: Technique 9 ▪Answers how? for adversary’s objective achievement. ▪Adversary used a technique to achieve an objective ▪Represented by individual cell in MITRE ATT&CK Matrix Matrix Technique PRE-ATT&CK 174 Enterprise 266 Mobile 79 ICS 81 Example Example: an adversary may dump credentials to achieve credential access.
  • 9. MITRE Explained: Technique-Metainfo 10 ❖Tactic: Related MITRE Tactic ❖Platform: Required platform for a technique to work in. ❖Permissions Required: Lowest permission for an adversary to implement the technique ❖Effective Permissions: Permission an adversary achieves after successful implementation of the technique ❖Data Sources: Recommended data to be collection for detection of the technique
  • 10. MITRE Explained: Procedure 11 ▪Answers what? for adversary’s technique usage. ▪Actual implementation of each technique. ▪Individual technique has a page for description, examples, sources, references. Example A procedure could be an adversary using PowerShell to inject into lsass.exe to dump credentials by scraping LSASS memory on a victim.
  • 12. MITRE Explained: Sub Technique 13 ▪Sub-techniques are a way to describe a specific implementation of a technique in more detail. OS Credential Dumping ▪ LSASS Memory ▪ Security Account Manager ▪ NTDS ▪ DCSync ▪ Proc File System ▪ etc/passwd
  • 13. MITRE Explained: Enumeration 14 Tactic Example Technique Obtaining Persistence via Windows Service Creation Privilege Escalation via Legitimate Credentials Reuse Defense Evasion via Office-Based Malware Credential Access via Memory Credential Dumping Discovery via Built-In Windows Tools Lateral Movement via Share Service Accounts Execution via PowerShell Execution Collection via Network Share Identification Exfiltration via Plaintext Exfiltration Impact via Data Encryption
  • 14. Detection and Analytics Adversary Emulation and Red Teaming Threat Intelligence Assessment and Engineering MITRE ATT&CK Use Cases . T f d
  • 15. Improve Detection & Visibility Capability with MITRE ATT&CK 21
  • 16. PRIORITIZED MITRE ATT&CK SUBSETS 22 Let’s create our own prioritized MITRE ATT&CK Subset based adversarial TTPs based derived from any of these: ❖ Threat Intelligence ❖ Whitepapers ❖ Data Sources ❖ Ad-Hoc Requests Note: Matrix in upcoming slides are example matrix with dummy data for which not necessarily is true or to promote any tool/technology.
  • 17. MITRE DETECTION MAPPING 23 MITRE Enumeration Initial Access Persistence Privilege Escalation Defense Evasion Credential Access Discovery Lateral Movement Execution Collection Exfiltration Command and Control External Remote Services DLL Search order Hijacking WDATP Brute Force Elastic Account Discovery Elastic Windows Remote Management TBD Automated Collection UEBA Automated Exfiltration ZScaler Commonly Used Port ZScaler Valid Accounts UEBA Credential Dumping WDATP Application Window Discovery ZScaler COM and DCOM Elastic Clipboard Data WDATP Data Compressed ZScaler Communicatio n Through Removable Media Symantec DLP Spearphishing Attachment TBD Accessibility Features TBD Indicator Removal on Host WDATP Application Deployment Software Elastic Command Line WDATP Data Staged UEBA Data Encrypted Symantec DLP Spearphishing Link TBD AppInit DLLS WDATP Masquerading WDATP Credential Manipulation UEBA File and Directory Discovery UEBA Execution through API TBD Data from Local System UEBA Data Transfer Size Limits TBD Custom Command and Control Protocol Symantec DLPAppCert DLLs WDATP Decode File or Info TBD Pass the Ticket WDATP Graphic User Interface TBD Data from Network Shared Drive ZScaler Exfiltration Over Alternative Protocol ZScalerApplication Shimming TBD DLL Side- Loading WDATP Credentials in Files UEBA WDATP Process Discovery Elastic InstallUtil WDATP Custom Cryptographic Protocol ZScalerNew Service TBD Disabling Security Tools Elastic Input Capture WDATP Remote Desktop Protocol Elastic PowerShell WDATP No detection Detected, No validation Detected Key
  • 18. DATA SOURCE MAPPING 24 MITRE Enumeration Data does not exist Data exists, not monitored Data exists analyzed and monitoredKey Initial Access Persistence Privilege Escalation Defense Evasion Credential Access Discovery Lateral Movement Execution Collection Exfiltration Command and Control External Remote Services DLL Search order Hijacking Brute Force Account Discovery Windows Remote Management Automated Collection Automated Exfiltration Commonly Used Port Valid Accounts Credential Dumping Application Window Discovery COM and DCOM Clipboard Data Data Compressed Communicatio n Through Removable MediaSpearphishing Accessibility Features Indicator Removal on Host Application Deployment Software Command Line Data Staged Data Encrypted Spearphishing Link AppInit DLLS Masquerading Credential Manipulation File and Directory Discovery Execution through API Data from Local System Data Transfer Size Limits Custom Command and Control ProtocolAppCert DLLs Decode File or Info Pass the Ticket Graphic User Interface Data from Network Shared Drive Exfiltration Over Alternative Protocol Application Shimming DLL Side- Loading Credentials in Files Process Discovery InstallUtil Custom Cryptographic Protocol New Service Disabling Security Tools Input Capture Remote Desktop Protocol PowerShell
  • 20. DETECTION MATURITY HEATMAP 26 MITRE Enumeration Limited Initial Stable Current InnovativeMaturity Key Initial Access Persistence Privilege Escalation Defense Evasion Credential Access Discovery Lateral Movement Execution Collection Exfiltration Command and Control External Remote Services DLL Search order Hijacking Brute Force Account Discovery Windows Remote Management Automated Collection Automated Exfiltration Commonly Used Port Valid Accounts Credential Dumping Application Window Discovery COM and DCOM Clipboard Data Data Compressed Communicatio n Through Removable MediaSpearphishing Attachment Accessibility Features Indicator Removal on Host Application Deployment Software Command Line Data Staged Data Encrypted Spearphishing Link AppInit DLLs Masquerading Credential Manipulation File and Directory Discovery Execution through API Data from Local System Data Transfer Size Limits Custom Command and Control Protocol AppCert DLLs Decode File or Info Pass the Ticket Graphic User Interface Data from Network Shared Drive Exfiltration Over Alternative Protocol Application Shimming DLL Side- Loading Credentials in Files Process Discovery InstallUtil Custom Cryptographic Protocol New Service Disabling Security Tools Input Capture Remote Desktop Protocol PowerShell
  • 21. 27 If you know neither the enemy nor yourself, you will succumb in every battle. - Sun Tzu -
  • 22. Don’t Do This 28 ❖ Use Matrix as a Checklist to Create Alerts for everything ▪ Specific Technique – High Fidelity Alert ▪ Less Specific Technique – Data Enrichment ❖ Believe Matrix is every possible attack behavior ▪ Adversaries probably don’t report their own TTPs to MITRE ❖ Replace fundamentals with MITRE ATT&CK ▪ Term Does not found (404): MITRE COMPLIANT ❖ Make it Green if you detect one command of Technique ▪ There can be N number of procedure to implement a technique.
  • 29. ATT&CK is not juts a Framework, ATT&CK is community!
  • 30. References and Awesome Resources 36 ▪ Indicators of Attack vs Indicators of Compromise ▪ https://www.crowdstrike.com/blog/indicators-attack-vs-indicators-compromise ▪ Using ATT&CK for Cyber Threat Intelligence ▪ https://attack.mitre.org/resources/training/cti/ ▪ MITRE ATT&CK Getting Started ▪ https://attack.mitre.org/resources/getting-started/ ▪ ATT&CK Con Talks ▪ https://attack.mitre.org/resources/attackcon/ ▪ ATT&CK 101 ▪ https://medium.com/mitre-attack/att-ck-101-17074d3bc62 ▪ ATT&CK Sub Technique Preview ▪https://medium.com/mitre-attack/attack-sub-techniques-preview-b79ff0ba669a ▪ 2020 ATT&CK Roadmap ▪https://medium.com/mitre-attack/2020-attack-roadmap-4820d30b38ba