1@gertjanbruggink
ATT&CK-ONOMICS
Attacking the economics behind techniques used by adversaries
Gert-Jan Bruggink | Defensive Specialist | FalconForce
ATT&CKCON Power Hour 2020-2021
TLP: White
Classification: Public
2@gertjanbruggink
Who am I?
FalconForce
Gert-Jan Bruggink
Defensive Specialist
10+ years in InfoSec
Consulted at financial services, high-tech, manufacturing and governmental organizations
• Built / led CTI capabilities
• Creation & delivery of CTI products
• Intelligence-led Red- & Purple Teaming
• Strategic change through CTI-, SOC- & Cyber transformation programs
Cynical optimist, artist, CTI, bluetivism & pioneering
Don’t like magic tricks
Father²
@gertjanbruggink
github.com/gertjanbruggink
/gertjanbrugink
gj@falconforce.nl
3@gertjanbruggink
Why am I here?
▪ The industry currently emphasizes post-compromise behavior in the criminal value chain. Detection & response is the reality, prevention is the goal.
▪ Advocate the use of ATT&CK as your security program’s evidence-based, statistical frame of reference.
▪ Inspire defensive strategies designed to impact ‘cost per intrusion’ incurred by adversaries.
4@gertjanbruggink
Understanding the cybercrime value chain
There’s more to it than just the compromise
Example: burglars vs UNC2452
Source: Keman Huang et al., https://sloanreview.mit.edu/article/casting-the-dark-web-in-a-new-light/

Value chain stages:
1. Discover vulnerabilities
2. Prepare to exploit vulnerabilities
3. Deliver exploit
4. Activate cyberattack

Supporting functions across all stages:
• Manage the attack life-cycle: organize crew; determine opportunity & select target; overcome attempts to disrupt; ROI from attack
• Marketing and Delivery: develop marketplace for trading; build reputation in community; evaluate value of trading; launder money
• HR: recruit new hackers; train new hackers
5@gertjanbruggink
Using ATT&CK to plot economic drivers
Getting rich, or arrested, or indicted, or worse, trying
Value chain stages mapped onto ATT&CK: 1. Discover vulnerabilities; 2. Prepare to exploit vulnerabilities; 3. Deliver exploit; 4. Activate cyberattack
Explored the following for each technique, from an adversary perspective:
1. Can we be detected/disrupted by our target? (yes / no / partial)
2. Is tooling currently available to execute the technique? (manual activity / custom code / scripts / tools / frameworks)
3. Level of expertise required to ‘do’ the technique? (easy / hard)
Data available at https://github.com/gertjanbruggink
6@gertjanbruggink
Detecting early has always been complicated
Exploring ‘defending to the left’ in ‘TA0043 – Reconnaissance’

Is it possible to detect these techniques?
Technique                                   No     Partial  Yes    Grand Total
Grand Total                                 67%    0%       33%    100%
T1589 Gather Victim Identity Information    100%   0%       0%     100%
T1590 Gather Victim Network Information     100%   0%       0%     100%
T1591 Gather Victim Org Information         100%   0%       0%     100%
T1593 Search Open Websites/Domains          100%   0%       0%     100%
T1594 Search Victim-Owned Websites          0%     0%       100%   100%
T1595 Active Scanning                       0%     0%       100%   100%
T1596 Search Open Technical Databases       100%   0%       0%     100%
T1597 Search Closed Sources                 100%   0%       0%     100%
T1598 Phishing for Information              0%     0%       100%   100%

Reason we can’t detect 67% of these techniques: very high occurrence & associated false positive rates. They also potentially take place outside the visibility of the target organization.
All these techniques can be executed with automated tooling & little to no expertise.
Mitigation efforts should focus on detecting related stages of the cybercrime value chain.
Start using GreyNoise (https://viz.greynoise.io/signup) to tell targeted from broad scanning.
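As an added example that is not part of the slides or of the author’s GitHub data set, the Python below takes per-technique ratings for the three questions from slide 5 and aggregates them into the per-tactic detectability split shown in the reconnaissance table above, then filters out the techniques that are cheap for the adversary and invisible to the target. The record layout and the TA0043 ratings are this example’s own assumptions, constructed from the values printed on the slide.

```python
"""Aggregate per-technique ATT&CK-onomics ratings into a per-tactic summary.

Added example: the record layout is this example's own assumption, not the
schema of the author's published data. The TA0043 ratings are constructed
from the values on the reconnaissance slide (6 of 9 techniques rated 'no',
3 rated 'yes'; all executable with automated tooling and little expertise).
"""
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Iterable, List

DETECT_LEVELS = ("no", "partial", "yes")                                     # question 1
TOOLING_LEVELS = ("manual", "custom code", "scripts", "tools", "frameworks")  # question 2
EXPERTISE_LEVELS = ("easy", "hard")                                          # question 3


@dataclass(frozen=True)
class Assessment:
    technique_id: str
    name: str
    tactic: str      # ATT&CK tactic ID, e.g. "TA0043"
    detectable: str  # one of DETECT_LEVELS
    tooling: str     # one of TOOLING_LEVELS
    expertise: str   # one of EXPERTISE_LEVELS

    def __post_init__(self) -> None:
        # Fail fast on typos in hand-entered ratings instead of skewing percentages.
        if self.detectable not in DETECT_LEVELS:
            raise ValueError(f"{self.technique_id}: bad detectable={self.detectable!r}")
        if self.tooling not in TOOLING_LEVELS:
            raise ValueError(f"{self.technique_id}: bad tooling={self.tooling!r}")
        if self.expertise not in EXPERTISE_LEVELS:
            raise ValueError(f"{self.technique_id}: bad expertise={self.expertise!r}")


# Constructed from the slide: detectability per technique in TA0043 - Reconnaissance.
RECON: List[Assessment] = [
    Assessment("T1589", "Gather Victim Identity Information", "TA0043", "no", "tools", "easy"),
    Assessment("T1590", "Gather Victim Network Information", "TA0043", "no", "tools", "easy"),
    Assessment("T1591", "Gather Victim Org Information", "TA0043", "no", "tools", "easy"),
    Assessment("T1593", "Search Open Websites/Domains", "TA0043", "no", "tools", "easy"),
    Assessment("T1594", "Search Victim-Owned Websites", "TA0043", "yes", "tools", "easy"),
    Assessment("T1595", "Active Scanning", "TA0043", "yes", "tools", "easy"),
    Assessment("T1596", "Search Open Technical Databases", "TA0043", "no", "tools", "easy"),
    Assessment("T1597", "Search Closed Sources", "TA0043", "no", "tools", "easy"),
    Assessment("T1598", "Phishing for Information", "TA0043", "yes", "tools", "easy"),
]


def detectability_split(records: Iterable[Assessment], tactic: str) -> Dict[str, int]:
    """Percentage of a tactic's techniques per detectability level, in whole percents.

    This is the 'Grand Total' row of the slide's table (TA0043 -> no 67, partial 0, yes 33).
    """
    subset = [r for r in records if r.tactic == tactic]
    if not subset:
        raise ValueError(f"no assessments for tactic {tactic}")
    counts = Counter(r.detectable for r in subset)
    return {lvl: round(100 * counts[lvl] / len(subset)) for lvl in DETECT_LEVELS}


def cheap_and_invisible(records: Iterable[Assessment]) -> List[str]:
    """Technique IDs that are cheap for the adversary and not detectable by the target.

    'Cheap' means ready-made tooling (tools/frameworks) plus easy expertise. These are
    the techniques where mitigation has to aim at adjacent stages of the cybercrime
    value chain, because the technique itself yields no useful detection.
    """
    return sorted(
        r.technique_id
        for r in records
        if r.detectable == "no" and r.tooling in ("tools", "frameworks") and r.expertise == "easy"
    )


def render_table(records: Iterable[Assessment], tactic: str) -> str:
    """Plain-text table in the slide's layout: a total row followed by one row per technique."""
    recs = [r for r in records if r.tactic == tactic]
    total = detectability_split(recs, tactic)
    lines = [f"{'Technique':45s} {'No':>8s} {'Partial':>8s} {'Yes':>8s}"]
    lines.append(f"{'Grand Total':45s} " + " ".join(f"{total[l]:>7d}%" for l in DETECT_LEVELS))
    for r in recs:
        cells = [100 if r.detectable == l else 0 for l in DETECT_LEVELS]
        lines.append(f"{r.technique_id + ' ' + r.name:45s} " + " ".join(f"{c:>7d}%" for c in cells))
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_table(RECON, "TA0043"))
    print("cheap and invisible:", ", ".join(cheap_and_invisible(RECON)))
```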
7@gertjanbruggink
Picking up & actioning their preparation phase
Things get more nuanced in ‘TA0042 – Resource Development’

Techniques: T1583 Acquire Infrastructure; T1584 Compromise Infrastructure; T1585 Establish Accounts; T1586 Compromise Accounts; T1587 Develop Capabilities; T1588 Obtain Capabilities
Can we detect these techniques? (rated Yes / No per technique)

Notes from the slide:
• Acquisition of domains can be monitored & tracked
• Sub-techniques (2) focus on establishing social media & email accounts; monitoring social media is the most effective initial mitigation
• Tracking certificate usage in sites across the internet
8@gertjanbruggink
There are only so many ways to gain ‘Initial Access’
Attacking the ‘deliver exploit’ phase

TA0001 techniques: Valid Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application; Supply Chain Compromise; Trusted Relationship; Hardware Additions; Phishing
Please note, the graph sizing is based on the number of sub-techniques per technique

• Phishing remains the go-to, low-cost, low-effort and easy-to-automate attack vector
• Exploiting external infrastructure & applications is a close second as top attack vector
• Obtained credentials from other breaches
• Honorable mention: infiltrating supply chains (hardware & software) remains high-cost & high-risk but also high-ROI
Mitigations come down to security basics & hygiene (unfortunately)
9@gertjanbruggink
Disincentivize the ‘cyberattack’
ATT&CK the rest
100% of post-‘Initial Access’ techniques have detection suggestions. (sidenote: coverage should never be the objective)
• Work with the community to identify ‘top technique’ lists and tailor defenses accordingly
• Force adversaries to spend time developing tooling
• Share actionable content, for example intel, KQL detections and response content

References on the slide:
Red Canary’s 2020 threat detection report: 1. Process injection (T1055); 2. Scheduled Task (T1053); 3. Windows Admin Shares (T1077); 4. PowerShell (T1105); 5. Remote File Copy (T1036)
Paul Litvak @ VB2020, Mapping threat actor usage of open-source offensive security tools, https://youtu.be/gkxAgaluRpM
FalconForce’s FalconFriday, https://github.com/FalconForceTeam/FalconFriday
10@gertjanbruggink
Closing thoughts on decreasing adversary ROI
[Chart: x-axis Time-to-implement (Real-time to Year), y-axis Cost-to-implement (Cheap to High); curves for Defender and Attacker; labelled points “Effective risk management” and “Initial mitigation, e.g. tool or malware release”]
Faster and smaller initial mitigations, early in the cybercrime value chain
Please note, the graph positioning is estimative and meant just to illustrate the point
11@gertjanbruggink
Let’s continue the discussion!
Gert-Jan Bruggink
gj@falconforce.nl
Shout-outs: MITRE for developing the ATT&CK-to-Excel export feature

More Related Content

What's hot

The good, the bad, and the ugly on integration ai with cybersecurity
The good, the bad, and the ugly on integration ai with cybersecurityThe good, the bad, and the ugly on integration ai with cybersecurity
The good, the bad, and the ugly on integration ai with cybersecurityMohammad Khreesha
 
Mapping the EventBot Mobile Banking Trojan with MITRE ATTACK for Mobile
Mapping the EventBot Mobile Banking Trojan with MITRE ATTACK for MobileMapping the EventBot Mobile Banking Trojan with MITRE ATTACK for Mobile
Mapping the EventBot Mobile Banking Trojan with MITRE ATTACK for MobileMITRE - ATT&CKcon
 
MITRE ATT&CKcon 2.0: AMITT - ATT&CK-based Standards for Misinformation Threat...
MITRE ATT&CKcon 2.0: AMITT - ATT&CK-based Standards for Misinformation Threat...MITRE ATT&CKcon 2.0: AMITT - ATT&CK-based Standards for Misinformation Threat...
MITRE ATT&CKcon 2.0: AMITT - ATT&CK-based Standards for Misinformation Threat...MITRE - ATT&CKcon
 
Deepfake anyone, the ai synthetic media industry enters a dangerous phase
Deepfake anyone, the ai synthetic media industry enters a dangerous phaseDeepfake anyone, the ai synthetic media industry enters a dangerous phase
Deepfake anyone, the ai synthetic media industry enters a dangerous phaseaditi agarwal
 
Challenges in Applying AI to Enterprise Cybersecurity
Challenges in Applying AI to Enterprise CybersecurityChallenges in Applying AI to Enterprise Cybersecurity
Challenges in Applying AI to Enterprise CybersecurityTahseen Shabab
 
#CyberAvengers - Artificial Intelligence in the Legal and Regulatory Realm
#CyberAvengers - Artificial Intelligence in the Legal and Regulatory Realm#CyberAvengers - Artificial Intelligence in the Legal and Regulatory Realm
#CyberAvengers - Artificial Intelligence in the Legal and Regulatory RealmShawn Tuma
 
Adversary Emulation and the C2 Matrix
Adversary Emulation and the C2 MatrixAdversary Emulation and the C2 Matrix
Adversary Emulation and the C2 MatrixJorge Orchilles
 
MITRE ATT&CKcon Power Hour - November
MITRE ATT&CKcon Power Hour - NovemberMITRE ATT&CKcon Power Hour - November
MITRE ATT&CKcon Power Hour - NovemberMITRE - ATT&CKcon
 
Cyber Threat Intelligence - It's not just about the feeds
Cyber Threat Intelligence - It's not just about the feedsCyber Threat Intelligence - It's not just about the feeds
Cyber Threat Intelligence - It's not just about the feedsIain Dickson
 
From machine learning to deepfakes - how AI is revolutionizing cybersecurity
From machine learning to deepfakes - how AI is revolutionizing cybersecurityFrom machine learning to deepfakes - how AI is revolutionizing cybersecurity
From machine learning to deepfakes - how AI is revolutionizing cybersecurityInfosec
 
Cyber Threat Intelligence - La rilevanza del dato per il business
Cyber Threat  Intelligence - La rilevanza del dato per il businessCyber Threat  Intelligence - La rilevanza del dato per il business
Cyber Threat Intelligence - La rilevanza del dato per il businessFrancesco Faenzi
 
Open Source Insight: Meltdown, Spectre Security Flaws “Impact Everything”
Open Source Insight: Meltdown, Spectre Security Flaws “Impact Everything”Open Source Insight: Meltdown, Spectre Security Flaws “Impact Everything”
Open Source Insight: Meltdown, Spectre Security Flaws “Impact Everything”Black Duck by Synopsys
 
Sans cyber-threat-intelligence-survey-2015
Sans cyber-threat-intelligence-survey-2015Sans cyber-threat-intelligence-survey-2015
Sans cyber-threat-intelligence-survey-2015Roy Ramkrishna
 
Ed McCabe - Putting the Intelligence back in Threat Intelligence
Ed McCabe - Putting the Intelligence back in Threat IntelligenceEd McCabe - Putting the Intelligence back in Threat Intelligence
Ed McCabe - Putting the Intelligence back in Threat Intelligencecentralohioissa
 
Adversary Emulation - DerpCon
Adversary Emulation - DerpConAdversary Emulation - DerpCon
Adversary Emulation - DerpConJorge Orchilles
 
Jason Samide - State of Security & 2016 Predictions
Jason Samide - State of Security & 2016 PredictionsJason Samide - State of Security & 2016 Predictions
Jason Samide - State of Security & 2016 Predictionscentralohioissa
 
[CB20] Cleaning up the mess: discovery, monitoring, analysis, and notificatio...
[CB20] Cleaning up the mess: discovery, monitoring, analysis, and notificatio...[CB20] Cleaning up the mess: discovery, monitoring, analysis, and notificatio...
[CB20] Cleaning up the mess: discovery, monitoring, analysis, and notificatio...CODE BLUE
 

What's hot (20)

The good, the bad, and the ugly on integration ai with cybersecurity
The good, the bad, and the ugly on integration ai with cybersecurityThe good, the bad, and the ugly on integration ai with cybersecurity
The good, the bad, and the ugly on integration ai with cybersecurity
 
Mapping the EventBot Mobile Banking Trojan with MITRE ATTACK for Mobile
Mapping the EventBot Mobile Banking Trojan with MITRE ATTACK for MobileMapping the EventBot Mobile Banking Trojan with MITRE ATTACK for Mobile
Mapping the EventBot Mobile Banking Trojan with MITRE ATTACK for Mobile
 
MITRE ATT&CKcon 2.0: AMITT - ATT&CK-based Standards for Misinformation Threat...
MITRE ATT&CKcon 2.0: AMITT - ATT&CK-based Standards for Misinformation Threat...MITRE ATT&CKcon 2.0: AMITT - ATT&CK-based Standards for Misinformation Threat...
MITRE ATT&CKcon 2.0: AMITT - ATT&CK-based Standards for Misinformation Threat...
 
Deepfake anyone, the ai synthetic media industry enters a dangerous phase
Deepfake anyone, the ai synthetic media industry enters a dangerous phaseDeepfake anyone, the ai synthetic media industry enters a dangerous phase
Deepfake anyone, the ai synthetic media industry enters a dangerous phase
 
Challenges in Applying AI to Enterprise Cybersecurity
Challenges in Applying AI to Enterprise CybersecurityChallenges in Applying AI to Enterprise Cybersecurity
Challenges in Applying AI to Enterprise Cybersecurity
 
#CyberAvengers - Artificial Intelligence in the Legal and Regulatory Realm
#CyberAvengers - Artificial Intelligence in the Legal and Regulatory Realm#CyberAvengers - Artificial Intelligence in the Legal and Regulatory Realm
#CyberAvengers - Artificial Intelligence in the Legal and Regulatory Realm
 
Adversary Emulation and the C2 Matrix
Adversary Emulation and the C2 MatrixAdversary Emulation and the C2 Matrix
Adversary Emulation and the C2 Matrix
 
MITRE ATT&CKcon Power Hour - November
MITRE ATT&CKcon Power Hour - NovemberMITRE ATT&CKcon Power Hour - November
MITRE ATT&CKcon Power Hour - November
 
Cyber Threat Intelligence - It's not just about the feeds
Cyber Threat Intelligence - It's not just about the feedsCyber Threat Intelligence - It's not just about the feeds
Cyber Threat Intelligence - It's not just about the feeds
 
Post naval thesis in cyber security
Post naval thesis in cyber securityPost naval thesis in cyber security
Post naval thesis in cyber security
 
From machine learning to deepfakes - how AI is revolutionizing cybersecurity
From machine learning to deepfakes - how AI is revolutionizing cybersecurityFrom machine learning to deepfakes - how AI is revolutionizing cybersecurity
From machine learning to deepfakes - how AI is revolutionizing cybersecurity
 
Global Cyber Threat Intelligence
Global Cyber Threat IntelligenceGlobal Cyber Threat Intelligence
Global Cyber Threat Intelligence
 
Cyber Threat Intelligence - La rilevanza del dato per il business
Cyber Threat  Intelligence - La rilevanza del dato per il businessCyber Threat  Intelligence - La rilevanza del dato per il business
Cyber Threat Intelligence - La rilevanza del dato per il business
 
Open Source Insight: Meltdown, Spectre Security Flaws “Impact Everything”
Open Source Insight: Meltdown, Spectre Security Flaws “Impact Everything”Open Source Insight: Meltdown, Spectre Security Flaws “Impact Everything”
Open Source Insight: Meltdown, Spectre Security Flaws “Impact Everything”
 
Sans cyber-threat-intelligence-survey-2015
Sans cyber-threat-intelligence-survey-2015Sans cyber-threat-intelligence-survey-2015
Sans cyber-threat-intelligence-survey-2015
 
Ed McCabe - Putting the Intelligence back in Threat Intelligence
Ed McCabe - Putting the Intelligence back in Threat IntelligenceEd McCabe - Putting the Intelligence back in Threat Intelligence
Ed McCabe - Putting the Intelligence back in Threat Intelligence
 
How to assign a CVE to yourself?
How to assign a CVE to yourself?How to assign a CVE to yourself?
How to assign a CVE to yourself?
 
Adversary Emulation - DerpCon
Adversary Emulation - DerpConAdversary Emulation - DerpCon
Adversary Emulation - DerpCon
 
Jason Samide - State of Security & 2016 Predictions
Jason Samide - State of Security & 2016 PredictionsJason Samide - State of Security & 2016 Predictions
Jason Samide - State of Security & 2016 Predictions
 
[CB20] Cleaning up the mess: discovery, monitoring, analysis, and notificatio...
[CB20] Cleaning up the mess: discovery, monitoring, analysis, and notificatio...[CB20] Cleaning up the mess: discovery, monitoring, analysis, and notificatio...
[CB20] Cleaning up the mess: discovery, monitoring, analysis, and notificatio...
 

Similar to ATT&CKcon Power Hour - ATT&CK-onomics - gert-jan bruggink

ATTACK-Onomics: Attacking the Economics Behind Techniques Used by Adversaries
ATTACK-Onomics: Attacking the Economics Behind Techniques Used by AdversariesATTACK-Onomics: Attacking the Economics Behind Techniques Used by Adversaries
ATTACK-Onomics: Attacking the Economics Behind Techniques Used by AdversariesMITRE - ATT&CKcon
 
EU ATT&CK community ATT&CK-onomics
EU ATT&CK community ATT&CK-onomicsEU ATT&CK community ATT&CK-onomics
EU ATT&CK community ATT&CK-onomicsGert-Jan Bruggink
 
Gartner technologies for Infosec 2014-2015
Gartner technologies for Infosec 2014-2015Gartner technologies for Infosec 2014-2015
Gartner technologies for Infosec 2014-2015Samuel Kamuli
 
GISEC 2015 Your Network in the Eyes of a Hacker - DTS Solution
GISEC 2015 Your Network in the Eyes of a Hacker - DTS SolutionGISEC 2015 Your Network in the Eyes of a Hacker - DTS Solution
GISEC 2015 Your Network in the Eyes of a Hacker - DTS SolutionShah Sheikh
 
MITRE ATT&CKcon 2018: Summiting the Pyramid of Pain: Operationalizing ATT&CK,...
MITRE ATT&CKcon 2018: Summiting the Pyramid of Pain: Operationalizing ATT&CK,...MITRE ATT&CKcon 2018: Summiting the Pyramid of Pain: Operationalizing ATT&CK,...
MITRE ATT&CKcon 2018: Summiting the Pyramid of Pain: Operationalizing ATT&CK,...MITRE - ATT&CKcon
 
GartnerComodo_AEP_Newsletter2016
GartnerComodo_AEP_Newsletter2016GartnerComodo_AEP_Newsletter2016
GartnerComodo_AEP_Newsletter2016Eric Staudinger
 
[cb22] CloudDragon’s Credential Factory is Powering Up Its Espionage Activiti...
[cb22] CloudDragon’s Credential Factory is Powering Up Its Espionage Activiti...[cb22] CloudDragon’s Credential Factory is Powering Up Its Espionage Activiti...
[cb22] CloudDragon’s Credential Factory is Powering Up Its Espionage Activiti...CODE BLUE
 
Mitre ATT&CK by Mattias Almeflo Nixu
Mitre ATT&CK by Mattias Almeflo NixuMitre ATT&CK by Mattias Almeflo Nixu
Mitre ATT&CK by Mattias Almeflo NixuNixu Corporation
 
Cybersecurity During the COVID Era
Cybersecurity During the COVID EraCybersecurity During the COVID Era
Cybersecurity During the COVID EraCitrin Cooperman
 
Cybercrime future perspectives
Cybercrime future perspectivesCybercrime future perspectives
Cybercrime future perspectivesSensePost
 
Journey to the Center of Security Operations
Journey to the Center of Security OperationsJourney to the Center of Security Operations
Journey to the Center of Security Operations♟Sergej Epp
 
Tcs cybersecurity for healthcare
Tcs cybersecurity for healthcareTcs cybersecurity for healthcare
Tcs cybersecurity for healthcareComtech TCS
 
GBS - Prevent network security fires
GBS - Prevent network security firesGBS - Prevent network security fires
GBS - Prevent network security firesKristin Helgeson
 
Key note in nyc the next breach target and how oracle can help - nyoug
Key note in nyc   the next breach target and how oracle can help - nyougKey note in nyc   the next breach target and how oracle can help - nyoug
Key note in nyc the next breach target and how oracle can help - nyougUlf Mattsson
 
Operationalizing Security Intelligence
Operationalizing Security IntelligenceOperationalizing Security Intelligence
Operationalizing Security IntelligenceSplunk
 
Module 1 (legality)
Module 1 (legality)Module 1 (legality)
Module 1 (legality)Wail Hassan
 
Certes webinar securing the frictionless enterprise
Certes webinar   securing the frictionless enterpriseCertes webinar   securing the frictionless enterprise
Certes webinar securing the frictionless enterpriseJason Bloomberg
 
2008 Trends
2008 Trends2008 Trends
2008 TrendsTBledsoe
 

Similar to ATT&CKcon Power Hour - ATT&CK-onomics - gert-jan bruggink (20)

ATTACK-Onomics: Attacking the Economics Behind Techniques Used by Adversaries
ATTACK-Onomics: Attacking the Economics Behind Techniques Used by AdversariesATTACK-Onomics: Attacking the Economics Behind Techniques Used by Adversaries
ATTACK-Onomics: Attacking the Economics Behind Techniques Used by Adversaries
 
EU ATT&CK community ATT&CK-onomics
EU ATT&CK community ATT&CK-onomicsEU ATT&CK community ATT&CK-onomics
EU ATT&CK community ATT&CK-onomics
 
Gartner technologies for Infosec 2014-2015
Gartner technologies for Infosec 2014-2015Gartner technologies for Infosec 2014-2015
Gartner technologies for Infosec 2014-2015
 
GISEC 2015 Your Network in the Eyes of a Hacker - DTS Solution
GISEC 2015 Your Network in the Eyes of a Hacker - DTS SolutionGISEC 2015 Your Network in the Eyes of a Hacker - DTS Solution
GISEC 2015 Your Network in the Eyes of a Hacker - DTS Solution
 
MITRE ATT&CKcon 2018: Summiting the Pyramid of Pain: Operationalizing ATT&CK,...
MITRE ATT&CKcon 2018: Summiting the Pyramid of Pain: Operationalizing ATT&CK,...MITRE ATT&CKcon 2018: Summiting the Pyramid of Pain: Operationalizing ATT&CK,...
MITRE ATT&CKcon 2018: Summiting the Pyramid of Pain: Operationalizing ATT&CK,...
 
GartnerComodo_AEP_Newsletter2016
GartnerComodo_AEP_Newsletter2016GartnerComodo_AEP_Newsletter2016
GartnerComodo_AEP_Newsletter2016
 
[cb22] CloudDragon’s Credential Factory is Powering Up Its Espionage Activiti...
[cb22] CloudDragon’s Credential Factory is Powering Up Its Espionage Activiti...[cb22] CloudDragon’s Credential Factory is Powering Up Its Espionage Activiti...
[cb22] CloudDragon’s Credential Factory is Powering Up Its Espionage Activiti...
 
Mitre ATT&CK by Mattias Almeflo Nixu
Mitre ATT&CK by Mattias Almeflo NixuMitre ATT&CK by Mattias Almeflo Nixu
Mitre ATT&CK by Mattias Almeflo Nixu
 
Cybersecurity During the COVID Era
Cybersecurity During the COVID EraCybersecurity During the COVID Era
Cybersecurity During the COVID Era
 
Cybercrime future perspectives
Cybercrime future perspectivesCybercrime future perspectives
Cybercrime future perspectives
 
Journey to the Center of Security Operations
Journey to the Center of Security OperationsJourney to the Center of Security Operations
Journey to the Center of Security Operations
 
Conférence ENGIE ACSS 2018
Conférence ENGIE ACSS 2018 Conférence ENGIE ACSS 2018
Conférence ENGIE ACSS 2018
 
Tcs cybersecurity for healthcare
Tcs cybersecurity for healthcareTcs cybersecurity for healthcare
Tcs cybersecurity for healthcare
 
Symantec Data Loss Prevention 9
Symantec Data Loss Prevention 9Symantec Data Loss Prevention 9
Symantec Data Loss Prevention 9
 
GBS - Prevent network security fires
GBS - Prevent network security firesGBS - Prevent network security fires
GBS - Prevent network security fires
 
Key note in nyc the next breach target and how oracle can help - nyoug
Key note in nyc   the next breach target and how oracle can help - nyougKey note in nyc   the next breach target and how oracle can help - nyoug
Key note in nyc the next breach target and how oracle can help - nyoug
 
Operationalizing Security Intelligence
Operationalizing Security IntelligenceOperationalizing Security Intelligence
Operationalizing Security Intelligence
 
Module 1 (legality)
Module 1 (legality)Module 1 (legality)
Module 1 (legality)
 
Certes webinar securing the frictionless enterprise
Certes webinar   securing the frictionless enterpriseCertes webinar   securing the frictionless enterprise
Certes webinar securing the frictionless enterprise
 
2008 Trends
2008 Trends2008 Trends
2008 Trends
 

Recently uploaded

Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationRadu Cotescu
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024The Digital Insurer
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfsudhanshuwaghmare1
 
Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...
Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...
Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...Principled Technologies
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobeapidays
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingEdi Saputra
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityPrincipled Technologies
 
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodPolkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodJuan lago vázquez
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...Martijn de Jong
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationSafe Software
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoffsammart93
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...DianaGray10
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Scriptwesley chun
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)Gabriella Davis
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProduct Anonymous
 

Recently uploaded (20)

Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...
Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...
Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...
 
ATT&CKcon Power Hour - ATT&CK-onomics - gert-jan bruggink

  • 5. Using ATT&CK to plot economic drivers
    Getting rich, or arrested, or indicted, or worse, trying
    Cybercrime value chain: 1. Discover vulnerabilities; 2. Prepare to exploit vulnerabilities; 3. Deliver exploit; 4. Activate cyberattack
    Explored the following, from an adversary perspective:
    1. Can we be detected/disrupted by our target? (yes/no/partial)
    2. Is tooling currently available to execute the technique? (manual activity/custom code/scripts/tools/frameworks)
    3. Level of expertise required to ‘do’ the technique? (easy/hard)
    Data available @ https://github.com/gertjanbruggink
  • 6. Detecting early has always been complicated
    Exploring ‘defending to the left’ in ‘TA0043 – Reconnaissance’
    Is it possible to detect these techniques?
                                                  No    Partial  Yes   Grand Total
    Grand Total                                   67%   0%       33%   100%
    T1589 Gather Victim Identity Information      100%  0%       0%    100%
    T1590 Gather Victim Network Information       100%  0%       0%    100%
    T1591 Gather Victim Org Information           100%  0%       0%    100%
    T1593 Search Open Websites/Domains            100%  0%       0%    100%
    T1594 Search Victim-Owned Websites            0%    0%       100%  100%
    T1595 Active Scanning                         0%    0%       100%  100%
    T1596 Search Open Technical Databases         100%  0%       0%    100%
    T1597 Search Closed Sources                   100%  0%       0%    100%
    T1598 Phishing for Information                0%    0%       100%  100%
    ▪ Reason we can’t detect 67% of these techniques: very high occurrence & associated false positive rates. They also potentially take place outside the visibility of the target organization.
    ▪ All these techniques can be executed with automated tooling & little to no expertise.
    ▪ Mitigation efforts should focus on detecting related stages of the cybercrime value chain.
    ▪ Start using Greynoise (https://viz.greynoise.io/signup) to distinguish targeted from broad scanning.
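The three adversary-perspective questions on slide 5 and the per-tactic detectability table on slide 6 are the same computation: score every technique on the three dimensions, then aggregate per tactic. The Python below is an added example of that aggregation and is not the talk's own code nor the data set on the author's GitHub. The detectability column for the nine TA0043 techniques is taken from the slide; the tooling and expertise values, and the ordinal "friction" weighting that combines the three dimensions, are constructed assumptions for illustration.

```python
"""Aggregate per-technique adversary-economics scores into a per-tactic
detectability table in the shape of the TA0043 table on slide 6.

Added example, not code from the talk. Only the detectability values
match the slide; tooling/expertise values and the weighting are assumed.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass

DETECTION_LEVELS = ("No", "Partial", "Yes")
# Ordinal "friction" the adversary faces per dimension (assumed weighting,
# chosen for illustration): higher = more expensive for the adversary.
DETECTION_FRICTION = {"No": 0, "Partial": 1, "Yes": 2}
TOOLING_FRICTION = {"frameworks": 0, "tools": 1, "scripts": 2, "custom code": 3, "manual": 4}
EXPERTISE_FRICTION = {"easy": 0, "hard": 1}


@dataclass(frozen=True)
class TechniqueScore:
    tactic: str
    technique_id: str
    name: str
    detectable: str   # slide 5, question 1: Yes / No / Partial
    tooling: str      # slide 5, question 2: manual ... frameworks
    expertise: str    # slide 5, question 3: easy / hard

    def friction(self) -> int:
        """Sum of the three ordinal dimensions; 0 = cheapest for the adversary."""
        return (DETECTION_FRICTION[self.detectable]
                + TOOLING_FRICTION[self.tooling]
                + EXPERTISE_FRICTION[self.expertise])


RECON = "TA0043 Reconnaissance"
# Constructed sample. Detectability per technique is taken from slide 6;
# tooling/expertise follow the slide's summary that all nine run with
# automated tooling and little expertise (the exact values are assumptions).
SAMPLE = [
    TechniqueScore(RECON, "T1589", "Gather Victim Identity Information", "No", "tools", "easy"),
    TechniqueScore(RECON, "T1590", "Gather Victim Network Information", "No", "tools", "easy"),
    TechniqueScore(RECON, "T1591", "Gather Victim Org Information", "No", "tools", "easy"),
    TechniqueScore(RECON, "T1593", "Search Open Websites/Domains", "No", "tools", "easy"),
    TechniqueScore(RECON, "T1594", "Search Victim-Owned Websites", "Yes", "scripts", "easy"),
    TechniqueScore(RECON, "T1595", "Active Scanning", "Yes", "frameworks", "easy"),
    TechniqueScore(RECON, "T1596", "Search Open Technical Databases", "No", "tools", "easy"),
    TechniqueScore(RECON, "T1597", "Search Closed Sources", "No", "tools", "easy"),
    TechniqueScore(RECON, "T1598", "Phishing for Information", "Yes", "frameworks", "easy"),
]


def detectability_by_tactic(scores):
    """Return {tactic: {"No": pct, "Partial": pct, "Yes": pct, "n": count}},
    with percentages rounded to whole numbers as on the slide."""
    per_tactic = defaultdict(Counter)
    for s in scores:
        if s.detectable not in DETECTION_LEVELS:
            raise ValueError(f"{s.technique_id}: unknown detectability {s.detectable!r}")
        per_tactic[s.tactic][s.detectable] += 1
    table = {}
    for tactic, counts in per_tactic.items():
        n = sum(counts.values())
        row = {level: round(100 * counts[level] / n) for level in DETECTION_LEVELS}
        row["n"] = n
        table[tactic] = row
    return table


def undetectable_techniques(scores, tactic):
    """Technique IDs in a tactic scored 'No' on detectability: the ones where
    the talk says to look at adjacent value-chain stages instead."""
    return [s.technique_id for s in scores if s.tactic == tactic and s.detectable == "No"]


def cheapest_techniques(scores, limit=3):
    """Techniques with the lowest adversary friction, i.e. those a cost-
    minimising adversary is most likely to use; sorted by friction, then ID."""
    ranked = sorted(scores, key=lambda s: (s.friction(), s.technique_id))
    return [s.technique_id for s in ranked[:limit]]


def render_table(table):
    """Plain-text table in the layout of slide 6."""
    lines = [f"{'Tactic':<24}{'No':>6}{'Partial':>9}{'Yes':>6}{'n':>4}"]
    for tactic, row in table.items():
        lines.append(f"{tactic:<24}{row['No']:>5}%{row['Partial']:>8}%{row['Yes']:>5}%{row['n']:>4}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_table(detectability_by_tactic(SAMPLE)))
    print("no detection opportunity:", undetectable_techniques(SAMPLE, RECON))
    print("cheapest for the adversary:", cheapest_techniques(SAMPLE))
```

Running it reproduces the 67% / 0% / 33% split for TA0043. Adding records for other tactics (the slide 7 and 8 techniques, for instance) produces one row per tactic, and `cheapest_techniques` gives the ranking the talk argues for: the techniques that cost the adversary least are where a small mitigation changes their economics most.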
  • 7. Picking up & actioning their preparation phase
    Things get more nuanced in ‘TA0042 - Resource Development’
    Can we detect these techniques? (Yes / No)
    T1583 Acquire Infrastructure
    T1584 Compromise Infrastructure
    T1585 Establish Accounts
    T1586 Compromise Accounts
    T1587 Develop Capabilities
    T1588 Obtain Capabilities
    ▪ Acquisition of domains can be monitored & tracked
    ▪ Sub techniques (2) focus on establishing Social Media & email accounts; monitoring Social Media as most effective initial mitigation
    ▪ Tracking certificate usage in sites across the internet
  • 8. There are only so many ways to gain ‘Initial Access’
    Attacking the ‘deliver exploit’ phase (TA0001)
    Techniques: Valid Accounts, Replication Through Removable Media, External Remote Services, Drive-by Compromise, Exploit Public-Facing Application, Supply Chain Compromise, Trusted Relationship, Hardware Additions, Phishing
    ▪ Phishing remains the go-to, low cost, low effort and easy-to-automate attack vector
    ▪ Exploiting external infrastructure & applications is a close second as top attack vector
    ▪ Obtained credentials from other breaches
    ▪ Honorable mention: infiltrating supply chains (hardware & software) remains high-cost & high-risk but also high-ROI
    ▪ Mitigations come down to security basics & hygiene (unfortunately)
    Please note, the graph sizing is based on # of subtechniques per technique
  • 9. Disincentivize the ‘cyberattack’: ATT&CK the rest
    ▪ 100% of post ‘Initial Access’ techniques have detection suggestions (sidenote: coverage should never be the objective)
    ▪ Work with community to identify ‘top technique’ lists and tailor defenses accordingly
    ▪ Force adversaries to spend time developing tooling
    ▪ Share actionable content, for example intel, KQL detections and response content
    Red Canary’s 2020 threat detection report:
    1. Process injection (T1055)
    2. Scheduled Task (T1053)
    3. Windows Admin Shares (T1077)
    4. PowerShell (T1105)
    5. Remote File Copy (T1036)
    Paul Litvak @ VB2020, Mapping threat actor usage of open-source offensive security tools: https://youtu.be/gkxAgaluRpM
    FalconForce’s FalconFriday: https://github.com/FalconForceTeam/FalconFriday
  • 10. Closing thoughts on decreasing adversary ROI
    [Chart: Time-to-implement (real-time to year) against Cost-to-implement (cheap to high); series: Defender, Attacker; labelled points: Effective risk management, Initial mitigation (e.g. tool or malware release)]
    Faster and smaller initial mitigations, early in the cybercrime value chain
    Please note, the graph positioning is estimative and meant just to illustrate the point
  • 11. Let’s continue the discussion!
    Gert-Jan Bruggink, gj@falconforce.nl
    Shout-outs: MITRE for developing an ATT&CK-to-excel export feature