© 2018 The MITRE Corporation. All rights reserved.
| 1 |
Christopher Korban
Cody Thomas
HOPE - July 2018
ATT&CKing with Threat Intelligence
Approved for public release. Distribution unlimited 18-0944-10
| 2 |
ATT&CK T1033 – User Discovery
• Christopher Korban
  – Lead Cyber Security Engineer
  – ATT&CKing for the past 5+ years
  – Creates Adversary Emulation Plans
  – @ckorban
• Cody Thomas
  – Senior Cyber Security Engineer
  – Created Mac/Linux ATT&CK
  – Red Teamer and Tool Developer
  – @its_a_feature_
| 3 |
Traditional Offensive Testing Workflow
Red: Intel Gathering → Vulnerability Assessment → Target Acquisition → Exploitation → Privilege Escalation → Lateral Movement → Persistence → Exfiltration → Report Findings
Blue: Collect → Protect → Detect → Triage → Investigate → Coordinate → Remediate
• Typical Red vs Blue event flow
| 4 |
Traditional Outcomes
• Red
  – Creates report of offensive techniques and IoCs for what they did
  – Wants to make sure they ‘win’ again next time
  – Leaves for a year
• Blue
  – Deciphers Red’s report
  – Continues to deal with daily incident reports
  – Creates static detections for Red’s tools and IoCs
  – Might try to characterize malicious behavior
    • Typically has small sample size
    • No good way to keep testing
| 5 |
How do these outcomes progress?
• Blue signatures Red tool (MD5=4de587ac29…)
  – Red changes tool slightly (new hash)
• Blue signatures Red tool (string=“mimikatz”)
  – Red changes tool slightly (string=“mimidogz”)
• Blue stops single red instantiation (psexec)
  – Red modifies implementation (psexec manually)
• …
• This isn’t really helping blue or red
| 6 |
Change the game, even for Red
David Bianco’s Pyramid of Pain
| 7 |
Need Common Language for TTPs
• What do we need from this common language?
  – Communicate and articulate what happened in a test, and results
  – Do so at a level that’s specific enough that it’s repeatable
  – Enable us to create metrics that make sense
• What do we use for this?
  – MITRE’s Adversarial Tactics, Techniques, and Common Knowledge
| 8 |
ATT&CK™ is increasingly being used by the community as a common way to describe adversary behavior.
ATT&CK™ is a globally-accessible knowledge base of adversary tactics and techniques, developed by MITRE based on real-world observations of adversaries’ operations.
attack.mitre.org
| 9 |
ATT&CK Matrix Format
Tactic: Adversary’s technical goal, the “Why”
Technique: Adversary’s action to achieve the goal, the “What”
| 10 |
Example of Technique: New Service
• Description: When operating systems boot up, they can start programs or applications called services that perform background system functions. … Adversaries may install a new service which will be executed at startup by directly modifying the registry or by using tools.
• Platform: Windows
• Permissions required: Administrator, SYSTEM
• Effective permissions: SYSTEM
• Detection:
  – Monitor service creation through changes in the Registry and common utilities using command-line invocation
  – Tools such as Sysinternals Autoruns may be used to detect system changes that could be attempts at persistence
  – Monitor processes and command-line arguments for actions that could create services
• Mitigation:
  – Limit privileges of user accounts and remediate Privilege Escalation vectors
  – Identify and block unnecessary system utilities or potentially malicious software that may be used to create services
• Data Sources: Windows Registry, process monitoring, command-line parameters
• Examples: Carbanak, Lazarus Group, TinyZBot, Duqu, CozyCar, CosmicDuke, hcdLoader, …
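The three detection bullets above are easiest to reason about as rules over the named data sources. What follows is an added example, not from the slides or from ATT&CK itself: a small Python rule set run over constructed Sysmon-style events (the field names are an assumption) that flags a new service whichever way it is created, via sc.exe, via PowerShell New-Service, or by a direct ImagePath write in the registry. T1050 is the ATT&CK ID this technique carried at the time of the talk.

```python
import re

# Constructed Sysmon-style events (not real telemetry). Event ID 1 is a
# process creation, Event ID 13 is a registry value set; field names are an
# assumption and only the fields the rules need are kept.
EVENTS = [
    {"id": 1, "image": r"C:\Windows\System32\sc.exe",
     "cmdline": r'sc.exe create updsvc binPath= "C:\Users\Public\u.exe" start= auto'},
    {"id": 1, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell -c New-Service -Name updsvc -BinaryPathName C:\Users\Public\u.exe"},
    {"id": 13, "image": r"C:\Windows\System32\reg.exe",
     "target": r"HKLM\System\CurrentControlSet\Services\updsvc\ImagePath",
     "details": r"C:\Users\Public\u.exe"},
    {"id": 13, "image": r"C:\Windows\System32\services.exe",
     "target": r"HKLM\System\CurrentControlSet\Services\updsvc\ImagePath",
     "details": r"C:\Users\Public\u.exe"},
    # Benign: querying a service, and the SCM registering a normal system service.
    {"id": 1, "image": r"C:\Windows\System32\sc.exe", "cmdline": "sc.exe query wuauserv"},
    {"id": 13, "image": r"C:\Windows\System32\services.exe",
     "target": r"HKLM\System\CurrentControlSet\Services\wuauserv\ImagePath",
     "details": r"C:\Windows\System32\svchost.exe -k netsvcs"},
]

TECHNIQUE = "T1050"  # ATT&CK ID for New Service at the time of the talk

# Service creation on the command line, whichever utility performs it.
SERVICE_CREATE_CMD = re.compile(
    r"\bsc(\.exe)?\s+(\\\\\S+\s+)?create\b|\bNew-Service\b", re.IGNORECASE)
# The registry value that decides what runs when the service starts.
SERVICES_IMAGEPATH = re.compile(r"\\Services\\([^\\]+)\\ImagePath$", re.IGNORECASE)
# Directories a legitimate service binary rarely lives in.
SUSPICIOUS_PATH = re.compile(r"\\Users\\|\\Temp\\|\\ProgramData\\|\\AppData\\", re.IGNORECASE)


def detect_new_service(events):
    """Return (rule, technique, detail) tuples for events that match the
    detection guidance: command-line service creation, direct modification
    of a service's ImagePath in the registry, and ImagePath values that
    point into user-writable locations."""
    alerts = []
    for ev in events:
        if ev["id"] == 1 and SERVICE_CREATE_CMD.search(ev["cmdline"]):
            alerts.append(("service_create_cmdline", TECHNIQUE, ev["cmdline"]))
        elif ev["id"] == 13:
            m = SERVICES_IMAGEPATH.search(ev["target"])
            if not m:
                continue
            svc = m.group(1)
            # The SCM (services.exe) writes ImagePath on behalf of sc.exe and
            # New-Service; any other writer changed the registry directly.
            if not ev["image"].lower().endswith(r"\services.exe"):
                alerts.append(("imagepath_direct_registry_write", TECHNIQUE,
                               f"{svc} written by {ev['image']}"))
            if SUSPICIOUS_PATH.search(ev["details"]):
                alerts.append(("imagepath_suspicious_location", TECHNIQUE,
                               f"{svc} -> {ev['details']}"))
    return alerts


if __name__ == "__main__":
    for rule, tid, detail in detect_new_service(EVENTS):
        print(f"[{tid}] {rule}: {detail}")
```

Each of the four malicious events fires at least one rule and the two benign ones fire none; the reg.exe event fires twice because it is both a direct registry write and a suspicious path.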
| 11 |
ATT&CK Spans Multiple Tech Domains
• PRE-ATT&CK: left of exploit behaviors
• Enterprise: Windows, Linux, Mac
• Mobile: Android, iOS
| 12 |
Key ATT&CK use cases:
• Guide threat hunting campaigns
• Leverage threat intelligence to prioritize technique detection
• Remediate gaps by mapping solutions back to ATT&CK techniques
• Emulate adversaries to measure defenses against relevant threats
| 13 |
Adversary Emulation
• AKA: Threat-based Red Teaming
• Adversary Emulation
  – Emulate the techniques of an adversary that’s most likely to target your environment
  – Focus on the behaviors of those techniques instead of specific implementations
| 14 |
Adversary Emulation with ATT&CK
Prototype APT3 emulation plan on attack.mitre.org
| 15 |
How to start doing adversary emulation?
• Identify an adversary you want to emulate
  – Consider the target you’re going up against
    • Defense Contractor
    • Financial Sector
    • Health Care
    • E-Commerce
    • Etc.
  – Adversaries change accordingly
    • Country Specific (APT3, APT28, APT29, APT34, ….)
    • Financially Motivated (FIN6, FIN7, …)
| 16 |
How to start doing adversary emulation?
1. Threat Intelligence Acquisition
  – Analyze Reporting:
    • Adversary Reports (APTX)
    • Reports on Adversary’s toolsets (APTX uses A,B,C)
    • Aliases (APTX i.e. ThreatGroup ###, adjective-animal)
    • Toolset aliases (A i.e. Trojan.malwareName)
    • Associated Campaigns (OperationZ)
    • Keep time of reports in mind
[Diagram: Threat Intelligence Acquisition → Extract Actionable Techniques and Analyze M.O. → Develop Tools → Set up Infrastructure → Emulate Adversary]
| 17 |
Threat Intel - Follow the Leads
https://www.symantec.com/connect/blogs/buckeye-cyberespionage-group-shifts-gaze-us-hong-kong
Aliases, Aliases, Aliases everywhere!
| 18 |
How to start doing adversary emulation?
2. Extract Actionable Techniques and M.O.
  – Look for adversary behaviors
  – Look for tool functionality
  – Establish the adversary’s goal
  – Think about the what, why, and how
    • In ATT&CK - Technique, Tactic, Procedure
| 19 |
Threat Intel - What does it really say?
https://www.fireeye.com/blog/threat-research/2014/11/operation_doubletap.html
T1068 - Exploitation for Privilege Escalation
T1059 - Command-Line Interface
T1033 - System Owner/User Discovery
T1053 - Scheduled Task
T1065 - Uncommonly Used Port
T1094 - Custom Command and Control Protocol
| 20 |
Threat Intel - Into the Binary Strings
https://recon.cx/2017/montreal/resources/slides/RECON-MTL-2017-evolution_of_pirpi.pdf
T1069 - Permission Groups Discovery
T1049 - System Network Connections Discovery
T1059 - Command-Line Interface
T1018 - Remote System Discovery
T1107 - File Deletion
T1057 - Process Discovery
T1034 - Path Interception?
| 21 |
Threat Intel - Into the Binaries
T1056 - Input Capture
T1027 - Obfuscated Files or Information
T1016 - System Network Configuration Discovery
T1077 - Windows Admin Shares
T1035 - Service Execution
T1003 - Credential Dumping
T1055 - Process Injection
https://www.symantec.com/connect/blogs/buckeye-cyberespionage-group-shifts-gaze-us-hong-kong
| 22 |
Threat Intel - Adversary M.O.
https://www.symantec.com/connect/blogs/buckeye-cyberespionage-group-shifts-gaze-us-hong-kong
“Buckeye seems to target file and print servers, which makes it likely the group is looking to steal documents”
https://www.fireeye.com/blog/threat-research/2014/04/new-zero-day-exploit-targeting-internet-explorer-versions-9-through-11-identified-in-targeted-attacks.html
“They are extremely proficient at lateral movement … and typically do not reuse command and control infrastructure”
https://www.lastline.com/labsblog/an-analysis-of-plugx-malware/
“The rarsfx archive is created 5-6 months before this attack … used the same rarsfx archive with other payloads before this attack.”
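Slides 19 to 22 tag reporting with technique IDs and stress keeping the date of each report in mind. What follows is an added example, not from the slides: Python that pulls the T-IDs out of constructed report excerpts (source names and dates are made up), counts how many reports cite each technique and how stale the latest citation is, orders them for detection work, and writes the result as an ATT&CK Navigator layer. The layer fields emitted (name, domain, and a techniques list with techniqueID, score and comment) are assumed to be the minimal set the Navigator accepts.

```python
import json
import re
from collections import defaultdict
from datetime import date

# Constructed report excerpts with made-up source names and dates (not the
# articles cited on the slides). Technique IDs are tagged inline the way an
# analyst would annotate a report while reading it.
REPORTS = [
    {"source": "report_A", "date": date(2014, 11, 1),
     "text": "Escalated with a local exploit (T1068), ran commands via cmd.exe (T1059), "
             "checked the logged-on user (T1033), persisted with a scheduled task (T1053); "
             "C2 used a custom protocol (T1094) over an uncommon port (T1065)."},
    {"source": "report_B", "date": date(2017, 1, 1),
     "text": "Binary strings show group enumeration (T1069), connection listing (T1049), "
             "cmd.exe use (T1059), remote host discovery (T1018), file deletion (T1107) "
             "and process listing (T1057)."},
    {"source": "report_C", "date": date(2016, 9, 1),
     "text": "Tooling includes a keylogger (T1056), obfuscated loaders (T1027), network "
             "configuration discovery (T1016), admin shares (T1077), service execution "
             "(T1035), credential dumping (T1003) and process injection (T1055)."},
]

AS_OF = date(2018, 7, 20)  # constructed "today" for the example

TECHNIQUE_ID = re.compile(r"\bT\d{4}\b")


def tally_techniques(reports, as_of):
    """Map each technique ID to how many reports cite it and how many days
    old the most recent citation is, relative to `as_of`."""
    seen = defaultdict(lambda: {"reports": 0, "latest": None})
    for r in reports:
        for tid in set(TECHNIQUE_ID.findall(r["text"])):  # one vote per report
            entry = seen[tid]
            entry["reports"] += 1
            if entry["latest"] is None or r["date"] > entry["latest"]:
                entry["latest"] = r["date"]
    return {tid: {"reports": e["reports"], "age_days": (as_of - e["latest"]).days}
            for tid, e in seen.items()}


def prioritize(tally):
    """Order techniques for detection work: most-cited first, then the most
    recently reported, then by ID so the order is stable."""
    return sorted(tally, key=lambda t: (-tally[t]["reports"], tally[t]["age_days"], t))


def navigator_layer(tally, name):
    """Serialise the tally as an ATT&CK Navigator layer so it can be viewed
    on the matrix. Only a minimal, assumed set of layer fields is emitted."""
    techniques = [{"techniqueID": tid, "score": v["reports"],
                   "comment": f"latest citation {v['age_days']} days ago"}
                  for tid, v in sorted(tally.items())]
    return json.dumps({"name": name, "domain": "enterprise-attack",
                       "techniques": techniques}, indent=2)


if __name__ == "__main__":
    tally = tally_techniques(REPORTS, AS_OF)
    for tid in prioritize(tally):
        print(tid, tally[tid])
    print(navigator_layer(tally, "APTX from open reporting"))
```

T1059 comes out first because two reports cite it; among the single-citation techniques the 2017 report's entries rank above the older ones.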
| 23 |
Developing an Emulation Plan
• This is the hardest part of the puzzle
• No plan will be perfect, so approximate where needed
• This isn’t a replay of an incident - variation is OK
| 24 |
Developing an Emulation Plan
3. Develop Tools if needed to emulate behaviors
  – What are the COTS / Open Source tools available?
  – Can you exhibit the right behaviors with these tools?
    • Can you extend them?
    • Can you modify them?
  – Do you need to develop something specific?
    • Delivery mechanisms
    • Command and Control
    • Capabilities
| 25 |
What is behavior emulation for TTPs?
• Performing adversary techniques with variations
  – Adversary created “C:\aos.exe” for Priv Esc via path interception
    • You intercept any service path that runs under higher privileges
  – Adversary used “PSExec” for Lateral Movement
    • You do it manually with “sc.exe” or via PowerShell
  – Adversary runs “whoami” for Discovery
    • You do it with environment variables “%USERDOMAIN%\%USERNAME%”
• Thinking about what you’re trying to accomplish
  – Technique in ATT&CK
  – And Why you’re trying to accomplish it
    • Tactic in ATT&CK
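The hash → string → behavior progression from slide 5 and the variations above can be checked mechanically. What follows is an added example, not from the slides: three rule tiers in Python run over constructed process events (field names are an assumption), one original/variant pair per tier. Only the behavior tier, keyed on T1033 User Discovery however the identity is asked for, still fires on the variant; its patterns go beyond the slide's whoami/environment-variable pair to cover the PowerShell and query forms as well.

```python
import hashlib
import re

# Constructed process-creation events (not real telemetry; field names are an
# assumption). "file" stands in for the executable's bytes so a hash can be
# computed. Events come in original/variant pairs from the slides, followed
# by one benign event.
EVENTS = [
    # Pair 1: the same tool rebuilt once, so the hash changes
    {"image": "redtool.exe", "file": b"redtool build 1", "cmdline": "redtool.exe"},
    {"image": "redtool.exe", "file": b"redtool build 2", "cmdline": "redtool.exe"},
    # Pair 2: the tool renamed so the signatured string no longer appears
    {"image": "mimikatz.exe", "file": b"mk build", "cmdline": "mimikatz.exe"},
    {"image": "mimidogz.exe", "file": b"mk build", "cmdline": "mimidogz.exe"},
    # Pair 3: the same technique (T1033) with a different implementation
    {"image": "whoami.exe", "file": b"whoami", "cmdline": "whoami"},
    {"image": "cmd.exe", "file": b"cmd", "cmdline": r"cmd.exe /c echo %USERDOMAIN%\%USERNAME%"},
    # Benign
    {"image": "cmd.exe", "file": b"cmd", "cmdline": r"cmd.exe /c dir C:\Users"},
]

KNOWN_BAD_MD5 = {hashlib.md5(b"redtool build 1").hexdigest()}
KNOWN_BAD_STRINGS = {"mimikatz"}
# Behavior tier: the logged-on user's identity is queried, however it is asked
# for. Broad patterns like %USERNAME% also match benign admin scripts, so in
# production this tier is tuned with parent-process and frequency context.
T1033_PATTERNS = [re.compile(p, re.IGNORECASE) for p in (
    r"^(.*\\)?whoami(\.exe)?\b", r"%USERNAME%", r"\$env:USERNAME\b",
    r"\[Environment\]::UserName", r"\bquery\s+user\b")]


def hash_rule(ev):
    return hashlib.md5(ev["file"]).hexdigest() in KNOWN_BAD_MD5


def string_rule(ev):
    return any(s in ev["image"].lower() for s in KNOWN_BAD_STRINGS)


def behavior_rule(ev):
    return any(p.search(ev["cmdline"]) for p in T1033_PATTERNS)


RULES = {"hash": hash_rule, "string": string_rule, "behavior": behavior_rule}


def coverage(events, rules=RULES):
    """For each tier, the indexes of the events it fires on."""
    return {name: [i for i, ev in enumerate(events) if fn(ev)]
            for name, fn in rules.items()}


def survives_variation(events, rules=RULES):
    """Per tier, one flag per (original, variant) pair: does the rule still
    fire on the variant after firing on the original? The trailing benign
    event is not part of a pair and is ignored."""
    pairs = [(events[i], events[i + 1]) for i in range(0, len(events) - 1, 2)]
    return {name: [fn(a) and fn(b) for a, b in pairs] for name, fn in rules.items()}


if __name__ == "__main__":
    print(coverage(EVENTS))
    print(survives_variation(EVENTS))
```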
| 26 |
Defining Your Toolset
• Don’t limit yourself to a single environment or tool
  – Python, PowerShell, Command-Line, Custom Binary, etc
• Do stay within the behavior boundaries
| 27 |
Create an Adversary Emulation Field Manual
Tactic    | Technique                           | Example implementations
Discovery | T1069 - Permission Groups Discovery | net localgroup; net group /domain; dsquery group
Discovery | T1087 - Account Discovery           | net user /domain; wmic user; dsquery user
• Provides multiple implementations across toolsets
• Provides offensive command-line examples
• Create this as you go, and use for reference later
| 28 |
Developing an Emulation Plan
4. Set up offensive infrastructure
  – Set up Command and Control server(s) and redirector(s), buy domains, test techniques, install offensive frameworks
  – Create Payloads “inspired by” the adversary’s tradecraft
    • Modify IoCs and behaviors if possible
    • Obfuscate with purpose, NOT all the things
      – Over obfuscation is itself suspicious
| 29 |
Developing an Emulation Plan
5. Emulate the Adversary
  – Follow the M.O. of your target adversary
  – “Domain Admin” most likely isn’t your goal
  – Keep the ‘speed of the adversary’ in mind
    • Low and slow vs smash and grab
[Image: Automated Adversary Emulation System - CALDERA]
| 30 |
Providing a Starting Point for Red/Blue
• To kickstart the process for Red/Blue teams everywhere, MITRE is providing two prototypes
• APT3 and APT29
  – All based on open-source intelligence
  – Breakdowns of APT tools and capabilities mapped to ATT&CK
  – Descriptions of how these techniques are implemented
  – Potential operator flows during emulations
  – Cheat Sheets of commands across
    • Live off the Land binaries/scripts
    • Open source tools
    • Commercial toolkits
• APT3 is on attack.mitre.org now
• APT29 is Coming Soon™
| 31 |
Contact Us
• Chris - @ckorban, ckorban@mitre.org
• Cody - @its_a_feature_, cbthomas@mitre.org
• ATT&CK
  – https://attack.mitre.org
  – @MITREattack
• ATT&CK Navigator
  – https://github.com/mitre/attack-navigator
  – https://mitre.github.io/attack-navigator/enterprise/
• Adversary Emulation Plans
  – https://attack.mitre.org/wiki/Adversary_Emulation_Plans
• CALDERA: Automated Adversary Emulation
  – https://github.com/mitre/caldera
| 32 |
MITRE is a not-for-profit organization whose sole focus is to operate federally funded research and development centers, or FFRDCs. Independent and objective, we take on some of our nation's—and the world’s—most critical challenges and provide innovative, practical solutions.
Learn and share more about MITRE, FFRDCs, and our unique value at www.mitre.org
Pennington - Defending Against Targeted Ransomware with MITRE ATT&CK
 
Application Asset Management with ThreadFix
 Application Asset Management with ThreadFix Application Asset Management with ThreadFix
Application Asset Management with ThreadFix
 

Recently uploaded

UiPath Test Automation using UiPath Test Suite series, part 2
UiPath Test Automation using UiPath Test Suite series, part 2UiPath Test Automation using UiPath Test Suite series, part 2
UiPath Test Automation using UiPath Test Suite series, part 2DianaGray10
 
What's New in Teams Calling, Meetings and Devices April 2024
What's New in Teams Calling, Meetings and Devices April 2024What's New in Teams Calling, Meetings and Devices April 2024
What's New in Teams Calling, Meetings and Devices April 2024Stephanie Beckett
 
SOQL 201 for Admins & Developers: Slice & Dice Your Org’s Data With Aggregate...
SOQL 201 for Admins & Developers: Slice & Dice Your Org’s Data With Aggregate...SOQL 201 for Admins & Developers: Slice & Dice Your Org’s Data With Aggregate...
SOQL 201 for Admins & Developers: Slice & Dice Your Org’s Data With Aggregate...CzechDreamin
 
Custom Approval Process: A New Perspective, Pavel Hrbacek & Anindya Halder
Custom Approval Process: A New Perspective, Pavel Hrbacek & Anindya HalderCustom Approval Process: A New Perspective, Pavel Hrbacek & Anindya Halder
Custom Approval Process: A New Perspective, Pavel Hrbacek & Anindya HalderCzechDreamin
 
Speed Wins: From Kafka to APIs in Minutes
Speed Wins: From Kafka to APIs in MinutesSpeed Wins: From Kafka to APIs in Minutes
Speed Wins: From Kafka to APIs in Minutesconfluent
 
Structuring Teams and Portfolios for Success
Structuring Teams and Portfolios for SuccessStructuring Teams and Portfolios for Success
Structuring Teams and Portfolios for SuccessUXDXConf
 
JMeter webinar - integration with InfluxDB and Grafana
JMeter webinar - integration with InfluxDB and GrafanaJMeter webinar - integration with InfluxDB and Grafana
JMeter webinar - integration with InfluxDB and GrafanaRTTS
 
Future Visions: Predictions to Guide and Time Tech Innovation, Peter Udo Diehl
Future Visions: Predictions to Guide and Time Tech Innovation, Peter Udo DiehlFuture Visions: Predictions to Guide and Time Tech Innovation, Peter Udo Diehl
Future Visions: Predictions to Guide and Time Tech Innovation, Peter Udo DiehlPeter Udo Diehl
 
IOS-PENTESTING-BEGINNERS-PRACTICAL-GUIDE-.pptx
IOS-PENTESTING-BEGINNERS-PRACTICAL-GUIDE-.pptxIOS-PENTESTING-BEGINNERS-PRACTICAL-GUIDE-.pptx
IOS-PENTESTING-BEGINNERS-PRACTICAL-GUIDE-.pptxAbida Shariff
 
UiPath Test Automation using UiPath Test Suite series, part 1
UiPath Test Automation using UiPath Test Suite series, part 1UiPath Test Automation using UiPath Test Suite series, part 1
UiPath Test Automation using UiPath Test Suite series, part 1DianaGray10
 
IESVE for Early Stage Design and Planning
IESVE for Early Stage Design and PlanningIESVE for Early Stage Design and Planning
IESVE for Early Stage Design and PlanningIES VE
 
Knowledge engineering: from people to machines and back
Knowledge engineering: from people to machines and backKnowledge engineering: from people to machines and back
Knowledge engineering: from people to machines and backElena Simperl
 
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered QualitySoftware Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered QualityInflectra
 
ODC, Data Fabric and Architecture User Group
ODC, Data Fabric and Architecture User GroupODC, Data Fabric and Architecture User Group
ODC, Data Fabric and Architecture User GroupCatarinaPereira64715
 
AI presentation and introduction - Retrieval Augmented Generation RAG 101
AI presentation and introduction - Retrieval Augmented Generation RAG 101AI presentation and introduction - Retrieval Augmented Generation RAG 101
AI presentation and introduction - Retrieval Augmented Generation RAG 101vincent683379
 
Measures in SQL (a talk at SF Distributed Systems meetup, 2024-05-22)
Measures in SQL (a talk at SF Distributed Systems meetup, 2024-05-22)Measures in SQL (a talk at SF Distributed Systems meetup, 2024-05-22)
Measures in SQL (a talk at SF Distributed Systems meetup, 2024-05-22)Julian Hyde
 
Enterprise Security Monitoring, And Log Management.
Enterprise Security Monitoring, And Log Management.Enterprise Security Monitoring, And Log Management.
Enterprise Security Monitoring, And Log Management.Boni Yeamin
 
ECS 2024 Teams Premium - Pretty Secure
ECS 2024   Teams Premium - Pretty SecureECS 2024   Teams Premium - Pretty Secure
ECS 2024 Teams Premium - Pretty SecureFemke de Vroome
 
A Business-Centric Approach to Design System Strategy
A Business-Centric Approach to Design System StrategyA Business-Centric Approach to Design System Strategy
A Business-Centric Approach to Design System StrategyUXDXConf
 
Unpacking Value Delivery - Agile Oxford Meetup - May 2024.pptx
Unpacking Value Delivery - Agile Oxford Meetup - May 2024.pptxUnpacking Value Delivery - Agile Oxford Meetup - May 2024.pptx
Unpacking Value Delivery - Agile Oxford Meetup - May 2024.pptxDavid Michel
 

Recently uploaded (20)

UiPath Test Automation using UiPath Test Suite series, part 2
UiPath Test Automation using UiPath Test Suite series, part 2UiPath Test Automation using UiPath Test Suite series, part 2
UiPath Test Automation using UiPath Test Suite series, part 2
 
What's New in Teams Calling, Meetings and Devices April 2024
What's New in Teams Calling, Meetings and Devices April 2024What's New in Teams Calling, Meetings and Devices April 2024
What's New in Teams Calling, Meetings and Devices April 2024
 
SOQL 201 for Admins & Developers: Slice & Dice Your Org’s Data With Aggregate...
SOQL 201 for Admins & Developers: Slice & Dice Your Org’s Data With Aggregate...SOQL 201 for Admins & Developers: Slice & Dice Your Org’s Data With Aggregate...
SOQL 201 for Admins & Developers: Slice & Dice Your Org’s Data With Aggregate...
 
Custom Approval Process: A New Perspective, Pavel Hrbacek & Anindya Halder
Custom Approval Process: A New Perspective, Pavel Hrbacek & Anindya HalderCustom Approval Process: A New Perspective, Pavel Hrbacek & Anindya Halder
Custom Approval Process: A New Perspective, Pavel Hrbacek & Anindya Halder
 
Speed Wins: From Kafka to APIs in Minutes
Speed Wins: From Kafka to APIs in MinutesSpeed Wins: From Kafka to APIs in Minutes
Speed Wins: From Kafka to APIs in Minutes
 
Structuring Teams and Portfolios for Success
Structuring Teams and Portfolios for SuccessStructuring Teams and Portfolios for Success
Structuring Teams and Portfolios for Success
 
JMeter webinar - integration with InfluxDB and Grafana
JMeter webinar - integration with InfluxDB and GrafanaJMeter webinar - integration with InfluxDB and Grafana
JMeter webinar - integration with InfluxDB and Grafana
 
Future Visions: Predictions to Guide and Time Tech Innovation, Peter Udo Diehl
Future Visions: Predictions to Guide and Time Tech Innovation, Peter Udo DiehlFuture Visions: Predictions to Guide and Time Tech Innovation, Peter Udo Diehl
Future Visions: Predictions to Guide and Time Tech Innovation, Peter Udo Diehl
 
IOS-PENTESTING-BEGINNERS-PRACTICAL-GUIDE-.pptx
IOS-PENTESTING-BEGINNERS-PRACTICAL-GUIDE-.pptxIOS-PENTESTING-BEGINNERS-PRACTICAL-GUIDE-.pptx
IOS-PENTESTING-BEGINNERS-PRACTICAL-GUIDE-.pptx
 
UiPath Test Automation using UiPath Test Suite series, part 1
UiPath Test Automation using UiPath Test Suite series, part 1UiPath Test Automation using UiPath Test Suite series, part 1
UiPath Test Automation using UiPath Test Suite series, part 1
 
IESVE for Early Stage Design and Planning
IESVE for Early Stage Design and PlanningIESVE for Early Stage Design and Planning
IESVE for Early Stage Design and Planning
 
Knowledge engineering: from people to machines and back
Knowledge engineering: from people to machines and backKnowledge engineering: from people to machines and back
Knowledge engineering: from people to machines and back
 
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered QualitySoftware Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
 
ODC, Data Fabric and Architecture User Group
ODC, Data Fabric and Architecture User GroupODC, Data Fabric and Architecture User Group
ODC, Data Fabric and Architecture User Group
 
AI presentation and introduction - Retrieval Augmented Generation RAG 101
AI presentation and introduction - Retrieval Augmented Generation RAG 101AI presentation and introduction - Retrieval Augmented Generation RAG 101
AI presentation and introduction - Retrieval Augmented Generation RAG 101
 
Measures in SQL (a talk at SF Distributed Systems meetup, 2024-05-22)
Measures in SQL (a talk at SF Distributed Systems meetup, 2024-05-22)Measures in SQL (a talk at SF Distributed Systems meetup, 2024-05-22)
Measures in SQL (a talk at SF Distributed Systems meetup, 2024-05-22)
 
Enterprise Security Monitoring, And Log Management.
Enterprise Security Monitoring, And Log Management.Enterprise Security Monitoring, And Log Management.
Enterprise Security Monitoring, And Log Management.
 
ECS 2024 Teams Premium - Pretty Secure
ECS 2024   Teams Premium - Pretty SecureECS 2024   Teams Premium - Pretty Secure
ECS 2024 Teams Premium - Pretty Secure
 
A Business-Centric Approach to Design System Strategy
A Business-Centric Approach to Design System StrategyA Business-Centric Approach to Design System Strategy
A Business-Centric Approach to Design System Strategy
 
Unpacking Value Delivery - Agile Oxford Meetup - May 2024.pptx
Unpacking Value Delivery - Agile Oxford Meetup - May 2024.pptxUnpacking Value Delivery - Agile Oxford Meetup - May 2024.pptx
Unpacking Value Delivery - Agile Oxford Meetup - May 2024.pptx
 

ATT&CKing with Threat Intelligence

1. ATT&CKing with Threat Intelligence
© 2018 The MITRE Corporation. All rights reserved.
Christopher Korban
Cody Thomas
HOPE - July 2018
Approved for public release. Distribution unlimited 18-0944-10

2. ATT&CK T1033 – User Discovery
 Christopher Korban
– Lead Cyber Security Engineer
– ATT&CKing for the past 5+ years
– Creates Adversary Emulation Plans
– @ckorban
 Cody Thomas
– Senior Cyber Security Engineer
– Created Mac/Linux ATT&CK
– Red Teamer and Tool Developer
– @its_a_feature_

3. Traditional Offensive Testing Workflow
[Figure: Red flow – Intel Gathering, Vulnerability Assessment, Target Acquisition, Exploitation, Privilege Escalation, Lateral Movement, Persistence, Exfiltration, Report Findings; Blue flow – Collect, Protect, Detect, Triage, Investigate, Coordinate, Remediate]
 Typical Red vs Blue event flow

4. Traditional Outcomes
 Red
– Creates report of offensive techniques and IoCs for what they did
– Wants to make sure they ‘win’ again next time
– Leaves for a year
 Blue
– Deciphers Red’s report
– Continues to deal with daily incident reports
– Creates static detections for Red’s tools and IoCs
– Might try to characterize malicious behavior
   Typically has small sample size
   No good way to keep testing
Image: https://aconsciouslifenow.com/wp-content/uploads/2017/07/Health-Wealth-Purpose-and-Love-thru-Releasing-the-Adversary.jpg

5. How do these outcomes progress?
 Blue signatures Red tool (MD5=4de587ac29…)
– Red changes tool slightly (new hash)
 Blue signatures Red tool (string=“mimikatz”)
– Red changes tool slightly (string=“mimidogz”)
 Blue stops single red instantiation (psexec)
– Red modifies implementation (psexec manually)
 …
 This isn’t really helping blue or red
6. Change the game, even for Red
[Figure: David Bianco’s Pyramid of Pain]

7. Need Common Language for TTPs
 What do we need from this common language?
– Communicate and articulate what happened in a test, and results
– Do so at a level that’s specific enough that it’s repeatable
– Enable us to create metrics that make sense
 What do we use for this?
– MITRE’s Adversarial Tactics, Techniques, and Common Knowledge

8. ATT&CK™ is increasingly being used by the community as a common way to describe adversary behavior.
ATT&CK™ is a globally-accessible knowledge base of adversary tactics and techniques, developed by MITRE based on real-world observations of adversaries’ operations.
attack.mitre.org

9. ATT&CK Matrix Format
Tactic: Adversary’s technical goal, the “Why”
Technique: Adversary’s action to achieve the goal, the “What”
10. Example of Technique: New Service
 Description: When operating systems boot up, they can start programs or applications called services that perform background system functions. … Adversaries may install a new service which will be executed at startup by directly modifying the registry or by using tools.
 Platform: Windows
 Permissions required: Administrator, SYSTEM
 Effective permissions: SYSTEM
 Detection:
– Monitor service creation through changes in the Registry and common utilities using command-line invocation
– Tools such as Sysinternals Autoruns may be used to detect system changes that could be attempts at persistence
– Monitor processes and command-line arguments for actions that could create services
 Mitigation:
– Limit privileges of user accounts and remediate Privilege Escalation vectors
– Identify and block unnecessary system utilities or potentially malicious software that may be used to create services
 Data Sources: Windows Registry, process monitoring, command-line parameters
 Examples: Carbanak, Lazarus Group, TinyZBot, Duqu, CozyCar, CosmicDuke, hcdLoader, …

11. ATT&CK Spans Multiple Tech Domains
PRE-ATT&CK: left of exploit behaviors
Enterprise: Windows, Linux, Mac
Mobile: Android, iOS

12. Key ATT&CK use cases:
 Guide threat hunting campaigns
 Leverage threat intelligence to prioritize technique detection
 Remediate gaps by mapping solutions back to ATT&CK techniques
 Emulate adversaries to measure defenses against relevant threats
13. Adversary Emulation
 AKA: Threat-based Red Teaming
 Adversary Emulation
– Emulate the techniques of an adversary that’s most likely to target your environment
– Focus on the behaviors of those techniques instead of specific implementations
Images: https://giphy.com/explore/hackerman, https://tenor.com/view/hackerman-transformation-kung-fury-kung-fury-gif-7263543

14. Adversary Emulation with ATT&CK
Prototype APT3 emulation plan on attack.mitre.org

15. How to start doing adversary emulation?
 Identify an adversary you want to emulate
– Consider the target you’re going up against
   Defense Contractor
   Financial Sector
   Health Care
   E-Commerce
   Etc.
– Adversaries change accordingly
   Country Specific (APT3, APT28, APT29, APT34, ….)
   Financially Motivated (FIN6, FIN7, …)

16. How to start doing adversary emulation?
[Process flow: Threat Intelligence Acquisition → Extract Actionable Techniques and Analyze M.O. → Develop Tools → Set up Infrastructure → Emulate Adversary]
1. Threat Intelligence Acquisition
– Analyze Reporting:
   Adversary Reports (APTX)
   Reports on Adversary’s toolsets (APTX uses A,B,C)
   Aliases (APTX i.e. ThreatGroup ###, adjective-animal)
   Toolset aliases (A i.e. Trojan.malwareName)
   Associated Campaigns (OperationZ)
   Keep time of reports in mind

17. Threat Intel - Follow the Leads
https://www.symantec.com/connect/blogs/buckeye-cyberespionage-group-shifts-gaze-us-hong-kong
Aliases, Aliases, Aliases everywhere!

18. How to start doing adversary emulation?
2. Extract Actionable Techniques and M.O.
– Look for adversary behaviors
– Look for tool functionality
– Establish the adversary’s goal
– Think about the what, why, and how
   In ATT&CK - Technique, Tactic, Procedure
19. Threat Intel - What does it really say?
https://www.fireeye.com/blog/threat-research/2014/11/operation_doubletap.html
T1068 - Exploitation for Privilege Escalation
T1059 - Command-Line Interface
T1033 - System Owner/User Discovery
T1053 - Scheduled Task
T1065 - Uncommonly Used Port
T1094 - Custom Command and Control Protocol

20. Threat Intel - Into the Binary Strings
https://recon.cx/2017/montreal/resources/slides/RECON-MTL-2017-evolution_of_pirpi.pdf
T1069 - Permission Groups Discovery
T1049 - System Network Connections Discovery
T1059 - Command-Line Interface
T1018 - Remote System Discovery
T1107 - File Deletion
T1057 - Process Discovery
T1034 - Path Interception?

21. Threat Intel - Into the Binaries
T1056 - Input Capture
T1027 - Obfuscated Files or Information
T1016 - System Network Configuration Discovery
T1077 - Windows Admin Shares
T1035 - Service Execution
T1003 - Credential Dumping
T1055 - Process Injection
https://www.symantec.com/connect/blogs/buckeye-cyberespionage-group-shifts-gaze-us-hong-kong

22. Threat Intel - Adversary M.O.
https://www.symantec.com/connect/blogs/buckeye-cyberespionage-group-shifts-gaze-us-hong-kong
“Buckeye seems to target file and print servers, which makes it likely the group is looking to steal documents”
https://www.fireeye.com/blog/threat-research/2014/04/new-zero-day-exploit-targeting-internet-explorer-versions-9-through-11-identified-in-targeted-attacks.html
“They are extremely proficient at lateral movement … and typically do not reuse command and control infrastructure”
https://www.lastline.com/labsblog/an-analysis-of-plugx-malware/
“The rarsfx archive is created 5-6 months before this attack … used the same rarsfx archive with other payloads before this attack.”
23. Developing an Emulation Plan
 This is the hardest part of the puzzle
 No plan will be perfect, so approximate where needed
 This isn’t a replay of an incident - variation is OK

24. Developing an Emulation Plan
3. Develop Tools if needed to emulate behaviors
– What are the COTS / Open Source tools available?
– Can you exhibit the right behaviors with these tools?
   Can you extend them?
   Can you modify them?
– Do you need to develop something specific?
   Delivery mechanisms
   Command and Control
   Capabilities

25. What is behavior emulation for TTPs?
 Performing adversary techniques with variations
– Adversary created “C:\aos.exe” for Priv Esc via path interception
   You intercept any service path that runs under higher privileges
– Adversary used “PSExec” for Lateral Movement
   You do it manually with “sc.exe” or via PowerShell
– Adversary runs “whoami” for Discovery
   You do it with environment variables “%USERDOMAIN%\%USERNAME%”
 Thinking about what you’re trying to accomplish
– Technique in ATT&CK
– And Why you’re trying to accomplish it
   Tactic in ATT&CK

26. Defining Your Toolset
 Don’t limit yourself to a single environment or tool
– Python, PowerShell, Command-Line, Custom Binary, etc
 Do stay within the behavior boundaries

27. Create an Adversary Emulation Field Manual
Discovery
– T1069 - Permission Groups Discovery: net localgroup; net group /domain; dsquery group
– T1087 - Account Discovery: net user /domain; wmic user; dsquery user
 Provides multiple implementations across toolsets
 Provides offensive command-line examples
 Create this as you go, and use for reference later
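The behaviour-level mapping that slides 5, 25 and 27 argue for, as an added example that is not code from the talk or from MITRE: constructed process-creation events are credited to an ATT&CK technique by the behaviour they show, so every implementation variant in the field manual (whoami or an environment-variable echo, PsExec or a manual sc create) lands on the same technique, which a tool-name indicator cannot do. The events, regex rules and rule-to-technique assignments are assumptions for illustration; technique IDs follow the 2018 matrix on the slides, and `wmic useraccount` stands in for the slide's `wmic user`.

```python
"""Map process-creation telemetry to ATT&CK techniques by behaviour, not by tool.

Added example (not MITRE's code). The events, the rule patterns and the
rule-to-technique assignments below are constructed for illustration.
"""
import re
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    technique: str       # ATT&CK technique ID as named on the slides
    name: str
    pattern: re.Pattern  # searched against "<image path> <command line>"


# One rule per technique, each covering several implementation variants from
# the field manual (slide 27) and the variation list (slide 25).
RULES = [
    Rule("T1033", "System Owner/User Discovery",
         re.compile(r"\bwhoami\b|%USERNAME%", re.I)),
    Rule("T1069", "Permission Groups Discovery",
         re.compile(r"\bnet1?(\.exe)?\s+(localgroup|group)\b"
                    r"|\bdsquery(\.exe)?\s+group\b", re.I)),
    Rule("T1087", "Account Discovery",
         re.compile(r"\bnet1?(\.exe)?\s+user\b"
                    r"|\bwmic(\.exe)?\s+useraccount\b"
                    r"|\bdsquery(\.exe)?\s+user\b", re.I)),
    Rule("T1035", "Service Execution",
         re.compile(r"\bpsexec|\bsc(\.exe)?\s+(\\\\\S+\s+)?(create|start)\b", re.I)),
]

# Constructed process-creation events standing in for Sysmon/EDR telemetry.
EVENTS = [
    {"host": "ws01", "image": r"C:\Windows\System32\whoami.exe", "cmdline": "whoami"},
    {"host": "ws01", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd /c echo %USERDOMAIN%\%USERNAME%"},
    {"host": "ws02", "image": r"C:\Windows\System32\net.exe", "cmdline": "net group /domain"},
    {"host": "ws02", "image": r"C:\Windows\System32\dsquery.exe", "cmdline": "dsquery group"},
    {"host": "ws03", "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "cmdline": "wmic useraccount get name"},
    {"host": "ws03", "image": r"C:\Windows\System32\net1.exe", "cmdline": "net1 user /domain"},
    {"host": "ws04", "image": r"C:\Tools\PsExec.exe", "cmdline": r"PsExec.exe \\fs01 cmd.exe"},
    {"host": "ws04", "image": r"C:\Windows\System32\sc.exe",
     "cmdline": r"sc \\fs01 create svc binPath= C:\temp\s.exe"},
    {"host": "ws05", "image": r"C:\Windows\System32\notepad.exe", "cmdline": "notepad.exe report.txt"},
]


def map_event(event):
    """Return the technique IDs whose behaviour pattern this event exhibits."""
    text = f"{event['image']} {event['cmdline']}"
    return [rule.technique for rule in RULES if rule.pattern.search(text)]


def technique_coverage(events):
    """Events per technique: a repeatable metric for comparing test runs (slide 7)."""
    counts = Counter()
    for event in events:
        for technique in map_event(event):
            counts[technique] += 1
    return dict(counts)


def tool_name_hits(events, tool_name="psexec"):
    """Indicator-style detection keyed on one tool's file name (the slide 5 anti-pattern).

    It sees the PsExec run but not the manual sc create that does the same thing.
    """
    return sum(1 for e in events
               if tool_name in e["image"].rsplit("\\", 1)[-1].lower())


if __name__ == "__main__":
    for event in EVENTS:
        print(f"{event['host']:5} {map_event(event) or ['-']} {event['cmdline']}")
    print("coverage by technique:", technique_coverage(EVENTS))
    print("indicator hits on 'psexec':", tool_name_hits(EVENTS),
          "| behaviour hits on T1035:", technique_coverage(EVENTS).get("T1035", 0))
```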
28. Developing an Emulation Plan
4. Set up offensive infrastructure
– Set up Command and Control server(s) and redirector(s), buy domains, test techniques, install offensive frameworks
– Create Payloads ”inspired by” the adversary’s tradecraft
   Modify IoCs and behaviors if possible
   Obfuscate with purpose, NOT all the things
– Over obfuscation is itself suspicious

29. Developing an Emulation Plan
5. Emulate the Adversary
– Follow the M.O. of your target adversary
– “Domain Admin” most likely isn’t your goal
– Keep the ‘speed of the adversary’ in mind
   Low and slow vs smash and grab
Image: https://d21ic6tdqjqnyw.cloudfront.net/wp-content/uploads/2017/12/03221736/Automated-Adversary-Emulation-System-CALDERA.jpg

30. Providing a Starting Point for Red/Blue
 To kickstart the process for Red/Blue teams everywhere, MITRE is providing two prototypes
 APT3 and APT29
– All based on open-source intelligence
– Breakdowns of APT tools and capabilities mapped to ATT&CK
– Descriptions of how these techniques are implemented
– Potential operator flows during emulations
– Cheat Sheets of commands across
   Live off the Land binaries/scripts
   Open source tools
   Commercial toolkits
 APT3 is on attack.mitre.org now
 APT29 is Coming Soon™

31. Contact Us
 Chris - @ckorban, ckorban@mitre.org
 Cody - @its_a_feature_, cbthomas@mitre.org
 ATT&CK
– https://attack.mitre.org
– @MITREattack
 ATT&CK Navigator
– https://github.com/mitre/attack-navigator
– https://mitre.github.io/attack-navigator/enterprise/
 Adversary Emulation Plans
– https://attack.mitre.org/wiki/Adversary_Emulation_Plans
 CALDERA: Automated Adversary Emulation
– https://github.com/mitre/caldera

32. MITRE is a not-for-profit organization whose sole focus is to operate federally funded research and development centers, or FFRDCs. Independent and objective, we take on some of our nation's—and the world’s—most critical challenges and provide innovative, practical solutions. Learn and share more about MITRE, FFRDCs, and our unique value at www.mitre.org

Editor's Notes

  1. *
  2. Person 1
  3. Person 1
  4. This slide comes up a lot for defenders to change how they’re approaching the problem of identifying the adversary. This is helpful to change the red teamer’s frame of mind as well. As a red teamer, you need to be thinking, refining, expanding your TTPs and Tools rather than simply thinking about domain names, hash values, binary strings, etc. These are important to consider when creating payloads and planning operations, but they should be second nature by now to randomize them all the time.
  5. Person 1. What is needed for this kind of language to work well for purple teaming? It means that red and blue need to be able to communicate effectively to articulate what happened in a test and the results. It means that there needs to be a way to talk about what was done during a test so that it’s repeatable. And it means that the language needs some way to measure improvement between tests.
  6. We like to use ATT&CK for purple teaming. ATT&CK is Adversary Tactics, Techniques, and Common Knowledge We have a small sample of it here. There are currently 11 Tactics across the top - each one refers to a ‘goal’ of the attacker. This equates to the reason why an attacker is doing any given technique. Down each column are different techniques that achieve that tactic. These techniques equate to what the adversary is doing (creating services, using WMI for persistence, dumping credentials, etc). If you just glance across the different techniques we have listed, you’ll notice something start to jump out - these are descriptions of adversary behaviors, not indicators of compromise. The same holds true for the information we capture about different threat groups on ATT&CK - we tie everything back to behaviors. We focus on adversary TTPs and behaviors because that’s the hardest thing for an adversary to change.
  7. *Person 2 Ok, so we talked about a common language to use, but ATT&CK is getting pretty big! We’ve scoped the realm of the possible down to the realm of the probable, but can we start to prioritize a bit more from there? We sure can! This is where we start doing Adversary Emulation, or sometimes called Threat-based Red Teaming. In our case, we don’t want to just look like advanced adversaries, we want to look like a very specific adversary. We want to look like the adversary you’re most likely going to face (based on your industry, your company, your past incidents, etc) so that we can prioritize working on defenses for those techniques first. Remember, this is a prioritization mechanism to help frame where you should start working on defenses and forcing your offense and defense to work together to build stronger behavior-based defensive measures. Ok, this is cool, but how can I do this adversary emulation thing you describe?
  8. Person 2 We like ATT&CK, so we do this adversary emulation thing with ATT&CK (and we already have one example here for you). More emulation plans to come, and we welcome all community additions or edits to the emulation plans (email attack@mitre.org)
  9. We break it down into 5 steps for doing adversary emulation. For this first step, Threat intel acquisition, consider the following: Start by simply googling the name, but then start following the leads. You should also gather info on the tools that adversary uses. Aliases are a really hot topic in the threat intel community right now, and I'm not going to throw that into the mix of what we're covering today, but just keep that in mind as you start searching for reporting. Threat intel is also binned into broad categories like campaigns, so be sure to look into those as well. Lastly, keep in mind when these reports are released. Reports about an adversary 5 years ago shouldn't carry as much weight as a report released yesterday. Let's take a few examples to see how this looks in practice.
  10. Here's a report on APT3, and you'll see right here at the beginning it refers to them as Buckeye. Lots of times these aliases are indicated front and center in reporting. Remember when I said to not forget campaigns? Operation Double Tap and Operation Clandestine Fox are both attributed to APT3, or UPS. Sometimes these aliases start to get a little conflated though, so you need to be careful. Here we see the APT3 group referred to as 'Pirpi', which is actually the name of one of their tools. Because of this, it's sometimes hard to differentiate between what the behavior of the group is vs the behavior of a tool.
  11. So, we've gathered a bunch of threat intel. Cool. Now what? In step 2, we need to actually go through that threat intel to figure out what the behaviors are, determine capabilities, and establish motives. There are a few things to keep in mind as we go through this next piece: the what, the why, and the how. This is one reason why it's nice to use ATT&CK, because it captures a lot of this information already in its TTP format.
  12. There are three main kinds of reporting I see with information needed for Adversary Emulation: prose writing in paragraphs (like you see here); in-depth analysis of specific malware samples (which you'll see next); prose writing of specific malware samples (somewhere between the two, and that's our last example). So, how do you approach something like this, and what is interesting for you as a red teamer wanting to do adversary emulation?
  13. Person 2