BSidesLV 2018 - Katie Nickels and John Wunder - ATT&CKing the Status Quo

©2018 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 18-1528-15.
ATT&CKing the Status Quo:
Improving Threat Intelligence and
Cyber Defense with MITRE ATT&CK™
Katie Nickels
John Wunder
August 7, 2018
| 1 |

The Plan for Today
▪ Define the challenges we’re facing
▪ Explain what ATT&CK is
▪ Show how to use it for:
– Threat intelligence
– Detection and analytics
▪ Tell you what’s next for ATT&CK
▪ Chat as a community
| 2 |

Tough Questions for Defenders
▪ How effective are my defenses?
▪ Do I have a chance at detecting APT28?
▪ Is the data I’m collecting useful?
▪ Do I have overlapping tool coverage?
▪ Will this *shiny new* product from vendor XYZ help my
organization’s defenses?
| 3 |

The Difficult Task of Detecting TTPs
Source: David Bianco, https://detect-respond.blogspot.com/2013/03/the-pyramid-of-pain.html
David Bianco’s Pyramid of Pain
| 4 |

| 5 |
What is
?
A knowledge base of
adversary behavior
➢ Based on real-world observations
➢ Free, open, and globally accessible
➢ A common language
➢ Community-driven

Zooming in on the Adversary Lifecycle
| 6 |
Initial Access
Execution
Persistence
Privilege Escalation
Defense Evasion
Credential Access
Discovery
Lateral Movement
Collection
Exfiltration
Command and Control
Recon
Weaponize
Deliver
Exploit
Control
Execute
Maintain
Priority Definition
• Planning, Direction
Target Selection
Information Gathering
• Technical, People, Organizational
Weakness Identification
• Technical, People, Organizational
Adversary OpSec
Establish & Maintain Infrastructure
Persona Development
Build Capabilities
Test Capabilities
Stage Capabilities
Enterprise

Spanning Multiple Technology Domains
| 7 |
Enterprise:
Windows, Linux, macOS
Mobile:
Android, iOS

Hardware Additions Scheduled Task Binary Padding Credentials in Registry Browser Bookmark
Discovery
Exploitation of Remote
Services
Data from Information
Repositories
Exfiltration Over
Physical Medium
Remote Access Tools
Trusted Relationship LSASS Driver Extra Window Memory Injection Exploitation for
Credential Access
Port Knocking
Supply Chain Compromise
Local Job Scheduling Access Token Manipulation Network Share
Discovery
Distributed Component
Object Model
Video Capture
Exfiltration Over
Command and
Control Channel
Multi-hop Proxy
Trap Bypass User Account Control Forced Authentication Audio Capture Domain Fronting
Spearphishing Attachment
Launchctl Process Injection Hooking Peripheral Device
Discovery
Remote File Copy Automated Collection Data Encoding
Signed Binary
Proxy Execution
Image File Execution Options Injection Password Filter DLL Pass the Ticket Clipboard Data Data Encrypted Remote File Copy
Exploit Public-Facing
Application
Plist Modification LLMNR/NBT-NS
Poisoning
File and Directory
Discovery
Replication Through
Removable Media
Email Collection Automated Exfiltration Multi-Stage Channels
User Execution Valid Accounts Screen Capture Exfiltration Over Other
Network Medium
Web Service
Replication Through
Removable Media
Exploitation for
Client Execution
DLL Search Order Hijacking Private Keys Permission Groups
Discovery
Windows Admin Shares Data Staged
Standard
Non-Application
Layer Protocol
AppCert DLLs Signed Script
Proxy Execution
Keychain Pass the Hash Input Capture Exfiltration Over
Alternative Protocol
Spearphishing via
Service
CMSTP Hooking Input Prompt Process Discovery Third-party Software Data from Network
Shared DriveDynamic Data Exchange Startup Items DCShadow Bash History System Network
Connections Discovery
Shared Webroot Data Transfer
Size Limits
Connection Proxy
Spearphishing Link Mshta Launch Daemon Port Knocking
Two-Factor
Authentication
Interception
Logon Scripts Data from Local System Multilayer Encryption
Drive-by Compromise AppleScript Dylib Hijacking Indirect Command
Execution
System Owner/User
Discovery
Windows Remote
Management
Man in the Browser Data Compressed Standard Application
Layer ProtocolValid Accounts Source Application Shimming Data from Removable
Media
Scheduled Transfer
Space after Filename AppInit DLLs BITS Jobs Replication Through
Removable Media
System Network
Configuration Discovery
Application
Deployment Software
Commonly Used Port
Execution through
Module Load
Web Shell Control Panel Items Standard Cryptographic
Protocol
Service Registry Permissions Weakness CMSTP Input Capture Application Window
Discovery
SSH Hijacking
AppleScript Custom Cryptographic
Protocol
Regsvcs/Regasm New Service Process Doppelgänging Network Sniffing
InstallUtil File System Permissions Weakness Mshta Credential Dumping Password Policy
Discovery
Taint Shared Content
Regsvr32 Path Interception Hidden Files
and Directories
Kerberoasting Remote Desktop
Protocol
Data Obfuscation
Execution through API Accessibility Features Securityd Memory System Time Discovery Custom Command
and Control ProtocolPowerShell Port Monitors Space after Filename Brute Force Account Discovery Remote Services
Rundll32 Kernel Modules
and Extensions
Sudo Caching LC_MAIN Hijacking Account Manipulation System Information
Discovery
Communication
Through
Removable Media
Third-party Software SID-History Injection HISTCONTROL Credentials in Files
Scripting Port Knocking Sudo Hidden Users Security Software
DiscoveryGraphical User Interface SIP and Trust
Provider Hijacking
Setuid and Setgid Clear Command History Multiband
Communication
Command-Line
Interface
Exploitation for
Privilege Escalation
Gatekeeper Bypass Network Service
ScanningScreensaver Hidden Window Fallback Channels
Service Execution Browser Extensions Deobfuscate/Decode
Files or Information
Remote System
Discovery
Uncommonly Used Port
Windows Remote
Management
Re-opened Applications
Rc.common Trusted Developer Query Registry
| 8 |
Initial
Access
Execution Persistence
Privilege
Escalation
Defense
Evasion
Credential
Access
Discovery
Lateral
Movement
Collection Exfiltration
Command
& Control
What is ATT&CK, really?
Tactics: the adversary’s technical goals
Techniques:howthegoalsare
achieved
Procedures – Specific technique implementation

Example Technique: New Service
| 9 |
Description: When operating systems boot up, they can start programs or applications called services that
perform background system functions. […] Adversaries may install a new service which will be
executed at startup by directly modifying the registry or by using tools. 1
Platform: Windows
Permissions required: Administrator, SYSTEM
Effective permissions: SYSTEM
Detection: • Monitor service creation through changes in the Registry and common utilities using
command-line invocation
• …
Mitigation: • Limit privileges of user accounts and remediate Privilege Escalation vectors
• …
Data sources: Windows registry, process monitoring, command-line parameters
Examples: Carbanak, Lazarus Group, TinyZBot, Duqu, CozyCar, CosmicDuke, hcdLoader, …
References: 1. Microsoft. (n.d.). Services. Retrieved June 7, 2016.

Example Group: APT28
| 10 |
Description: APT28 is a threat group that has been attributed to the Russian government.1 2 3 4
This group reportedly compromised the Democratic National Committee in April
2016.5
Aliases: Sednit, Sofacy, Pawn Storm, Fancy Bear, STRONTIUM, Tsar Team, Threat Group-
4127, TG-4127 1 2 3 4 5 6 7
Techniques: • Data Obfuscation 1
• Connection Proxy 1 8
• Standard Application Layer Protocol 1
• Remote File Copy 8 9
• Rundll32 8 9
• Indicator Removal on Host 5
• Timestomp5
• Credential Dumping 10
• Screen Capture 10 11
• Bootkit 7 and more…
Software: CHOPSTICK, JHUHUGIT, ADVSTORESHELL, XTunnel, Mimikatz, HIDEDRV, USBStealer,
CORESHELL, OLDBAIT, XAgentOSX, Komplex, Responder, Forfiles, Winexe, certutil 1 3 6
References: 1. FireEye. (2015). APT28: A WINDOW INTO RUSSIA’S CYBER ESPIONAGE OPERATIONS?.
Retrieved August 19, 2015.
…

Example Software: CHOPSTICK
| 11 |
Description: CHOPSTICK is malware family of modular backdoors used by APT28. It has been used
from at least November 2012 to August 2016 and is usually dropped on victims as
second-stage malware, though it has been used as first-stage malware in several cases. 1
2 3
Aliases: CHOPSTICK, SPLM, Xagent, X-Agent, webhp
Techniques: Input Capture - CHOPSTICK is capable of performing keylogging. 5 2
Command-Line Interface - CHOPSTICK is capable of performing remote command
execution.5
Fallback Channels - CHOPSTICK can switch to a new C2 channel if the current one is
broken. 2
Connection Proxy - CHOPSTICK used a proxy server between victims and the C2 server. 2
and more…
Groups: APT28
References: 1. FireEye. (2015). APT28: A WINDOW INTO RUSSIA’S CYBER ESPIONAGE OPERATIONS?.
Retrieved August 19, 2015.
…

How can I actually *use* it?
| 12 |
Threat Intelligence
processes = search Process:Create
reg = filter processes where (exe == "reg.exe" and parent_exe
== "cmd.exe")
cmd = filter processes where (exe == "cmd.exe" and
parent_exe != "explorer.exe"")
reg_and_cmd = join (reg, cmd) where (reg.ppid == cmd.pid and
reg.hostname == cmd.hostname)
output reg_and_cmd
Detection
Persistence Privilege Escalation Defense Evasion Credential Access Discovery Lateral Movement Execution Collection Exfiltration Command and Control
Accessibility Features Accessibility Features Binary Padding Brute Force Account Discovery
Application Deployment
Software
Command-Line Automated Collection Automated Exfiltration Commonly Used Port
AppInit DLLs AppInit DLLs
Bypass User Account
Control
Credential Dumping
Application Window
Discovery
Exploitation of
Vulnerability
Execution through API Clipboard Data Data Compressed
Communication Through
Removable Media
Basic Input/Output System
Bypass User Account
Control
Code Signing Credential Manipulation
File and Directory
Discovery
Logon Scripts Graphical User Interface Data Staged Data Encrypted
Custom Command and
Control Protocol
Bootkit DLL Injection Component Firmware Credentials in Files
Local Network
Configuration Discovery
Pass the Hash PowerShell Data from Local System Data Transfer Size Limits
Custom Cryptographic
Protocol
Change Default File
Handlers
DLL Search Order Hijacking DLL Injection
Exploitation of
Vulnerability
Local Network Connections
Discovery
Pass the Ticket Process Hollowing
Data from Network Shared
Drive
Exfiltration Over
Alternative Protocol
Data Obfuscation
Component Firmware
Exploitation of
Vulnerability
DLL Search Order Hijacking Input Capture Network Service Scanning Remote Desktop Protocol Rundll32
Data from Removable
Media
Exfiltration Over Command
and Control Channel
Fallback Channels
DLL Search Order Hijacking Legitimate Credentials DLL Side-Loading Network Sniffing
Peripheral Device
Discovery
Remote File Copy Scheduled Task Email Collection
Exfiltration Over Other
Network Medium
Multi-Stage Channels
Hypervisor Local Port Monitor Disabling Security Tools
Two-Factor Authentication
Interception
Permission Groups
Discovery
Remote Services Service Execution Input Capture
Exfiltration Over Physical
Medium
Multiband Communication
Legitimate Credentials New Service
Exploitation of
Vulnerability
Process Discovery
Replication Through
Removable Media
Third-party Software Screen Capture Scheduled Transfer Multilayer Encryption
Local Port Monitor Path Interception File Deletion Query Registry Shared Webroot
Windows Management
Instrumentation
Peer Connections
Logon Scripts Scheduled Task File System Logical Offsets Remote System Discovery Taint Shared Content
Windows Remote
Management
Remote File Copy
Modify Existing Service
Service File Permissions
Weakness
Indicator Blocking on Host
Security Software
Discovery
Windows Admin Shares
Standard Application Layer
Protocol
New Service
Service Registry
Permissions Weakness
Indicator Removal from
Tools
System Information
Discovery
Windows Remote
Management
Standard Cryptographic
Protocol
Path Interception Web Shell Indicator Removal on Host
System Owner/User
Discovery
Standard Non-Application
Layer Protocol
Redundant Access Legitimate Credentials System Service Discovery Uncommonly Used Port
Registry Run Keys / Start
Adversary Emulation
Assessment and Engineering

All the ATT&CK Things!
| 13 |
Public ATT&CK
Knowledge Base
attack.mitre.org
ATT&CK Navigator
Structured Content
github.com/mitre/cti
cti-taxii.mitre.org
Adversary Emulation Plans
mitre.github.io/attack-navigator
attack.mitre.org/wiki/Adversary_Emulation_Plans
Cyber Analytic Repository
car.mitre.org

ATT&CK for Threat Intelligence
| 14 |

The Status Quo in Threat Intelligence
| 15 |
Reliance on
indicators
So.
Many.
Reports!
Tough to
apply intel to
defense

So what can we do?
Structure threat intelligence using ATT&CK!
Here’s how…
| 16 |

“Extracting” ATT&CK techniques from a threat report
| 17 |
https://www.fireeye.com/blog/threat-research/2014/11/operation_doubletap.html
T1068 - Exploitation for Privilege Escalation
T1059 - Command-Line Interface
T1033 - System Owner/User Discovery
T1053 - Scheduled Task T1065 - Uncommonly Used Port
T1095 - Standard Non-Application Layer Protocol T1104 - Multi-Stage Channels

Initial Access Execution Persistence Privilege Escalation Defense Evasion Credential Access Discovery ateral Movement Collection Exfiltration Command And Control
APT28 techniques*
| 18 |
*from open source
reporting we’ve mapped
Initial
Access
Privilege
Escalation
Defense
Evasion
Credential
Access
Discovery
Lateral
Movement
Command
and Control

APT29 techniques
| 19 |
Initial
Access
Privilege
Escalation
Defense
Evasion
Credential
Access
Discovery
Lateral
Movement
Command
and Control

Comparing APT28 and APT29
| 20 |
Initial
Access
Privilege
Escalation
Defense
Evasion
Credential
Access
Discovery
Lateral
Movement
Command
and Control
Overlay known gaps
APT28
APT29
Both groups

Example from industry – Unit 42 Adversary Playbook
https://pan-unit42.github.io/playbook_viewer/

Implementation Tips
▪ Tailor your existing threat intel repository
– Threat Intelligence Platforms are starting to support ATT&CK
(MISP, ThreatQ, others)
▪ Have the threat intel originator do it
▪ Start at the tactic level
▪ Use existing website examples
▪ Work as a team
▪ Remember it’s still human analysis

So what does this get us?
▪ Plus!
 Gives us a common language to communicate
 Allows us to compare groups
Status Quo ATT&CKing threat intel
So. Many. Reports! Structures threat intel so it’s easier to
consume a lot of it
Tough to apply intel to defenses Provides a way to directly compare
intel to defenses
Reliance on indicators Moves to TTPs and behaviors

Detection and Analytics

Analytics vs. Indicators
AnalyticsIndicators
Known malicious behavior
Fewer false positives
More atomic
Higher quantity
Suspicious behavior
More false positives
Broader
Lower quantity

How do analytics work?
▪ Analytics look for observable events and artifacts that indicate adversary
behavior
– E.g., if an adversary uses RDP, Windows Event Logs will show a Login with
type=RemoteInteractive
▪ The trick: distinguishing the good from the bad
Almost
everything
in ATT&CK
Our goal: place
event in one circle
Evidence
Good Bad Good Bad

Example: Detecting UAC Bypass
index=__your sysmon stuff__ IntegrityLevel=High |
search (
ParentImage=c:windowssystem32fodhelper.exe
OR
CommandLine="*.exe”*cleanmgr.exe /autoclean*"
OR ... |
eval PossibleTechniques=case(
like(lower(ParentImage),"c:windowssystem32fodhelper.exe"),
"UACME #33", like(lower(CommandLine),"%.exe"%cleanmgr.exe /autoclean%"),
"UACME #34",
...
)
FOR ILLUSTRATIVE PURPOSES ONLY - INCOMPLETE

Developing an Analytic
▪ Read the ATT&CK page and understand the attack
– ’
– Think from an adversary perspective
– Try to mentally separate legitimate usage from malicious usage
▪ Try it
– Carry out the attacks via your own testing or pre-written scripts
– What does it look like in the logs?
▪ Write and iterate
– Write your first search, narrow down false positives, and iterate
– Keep testing – make sure you check for a variety of ways it can be used, not just
the easiest

Measuring Defense: what can you cover?
DLL Search Order Hijacking Brute Force Account Discovery Windows Remote Management Automated Collection Automated Exfiltration Commonly Used Port
Legitimate Credentials
Credential Dumping
Application Window
Discovery
Third-party Software Clipboard Data Data Compressed Communication Through
Removable MediaAccessibility Features Binary Padding Application Deployment
Software
Command-Line Data Staged Data Encrypted
AppInit DLLs Code Signing
Credential Manipulation File and Directory Discovery
Execution through API Data from Local System Data Transfer Size Limits Custom Command and
Control ProtocolLocal Port Monitor Component Firmware
Exploitation of Vulnerability
Graphical User Interface Data from Network Shared
Drive
Exfiltration Over Alternative
ProtocolNew Service DLL Side-Loading Credentials in Files Local Network Configuration
Discovery
InstallUtil Custom Cryptographic
ProtocolPath Interception Disabling Security Tools Input Capture Logon Scripts PowerShell Data from Removable
Media Exfiltration Over Command
and Control Channel
Scheduled Task File Deletion Network Sniffing Local Network Connections
Discovery
Pass the Hash Process Hollowing Data Obfuscation
File System Permissions Weakness
File System Logical Offsets Two-Factor Authentication
Interception
Pass the Ticket Regsvcs/Regasm Email Collection Fallback Channels
Service Registry Permissions Weakness Network Service Scanning Remote Desktop Protocol Regsvr32 Input Capture Exfiltration Over Other
Network Medium
Web Shell Indicator Blocking
Peripheral Device Discovery
Remote File Copy Rundll32 Screen Capture
Exploitation of Vulnerability Remote Services Scheduled Task Audio Capture Exfiltration Over Physical
MediumBypass User Account Control Permission Groups
Discovery
Replication Through
Removable Media
Scripting Video Capture Multilayer Encryption
Bootkit DLL Injection Service Execution Scheduled Transfer Peer Connections
Change Default File
Association
Component Object Model Hijacking Process Discovery Shared Webroot Windows Management
Instrumentation
Remote File Copy
Tools
Query Registry Taint Shared Content Standard Application Layer
ProtocolComponent Firmware Remote System Discovery Windows Admin Shares MSBuild
Hypervisor
Indicator Removal on Host Security Software Discovery
Execution through Module
Load Standard Cryptographic
Protocol
Logon Scripts
Modify Existing Service InstallUtil System Information
Discovery
Layer ProtocolRedundant Access Masquerading
Folder
Modify Registry System Owner/User
Discovery
NTFS Extended Attributes Web Service
Security Support Provider Obfuscated Files or
Information
System Service Discovery Data Encoding
Shortcut Modification System Time Discovery
Windows Management
Instrumentation Event
Subscription
Process Hollowing
Redundant Access
Regsvcs/Regasm
Winlogon Helper DLL Regsvr32
Netsh Helper DLL Rootkit
Authentication Package Rundll32
External Remote Services Scripting
Software Packing
Timestomp
MSBuild
Network Share Removal
Install Root Certificate

Prioritizing techniques
DLL Search Order Hijacking Brute Force Account Discovery Windows Remote Management Automated Collection Automated Exfiltration Commonly Used Port
Legitimate Credentials
Credential Dumping
Application Window
Discovery
Third-party Software Clipboard Data Data Compressed Communication Through
Removable MediaAccessibility Features Binary Padding Application Deployment
Software
Command-Line Data Staged Data Encrypted
AppInit DLLs Code Signing
Credential Manipulation File and Directory Discovery
Execution through API Data from Local System Data Transfer Size Limits Custom Command and
Control ProtocolLocal Port Monitor Component Firmware
Exploitation of Vulnerability
Graphical User Interface Data from Network Shared
Drive
Exfiltration Over Alternative
ProtocolNew Service DLL Side-Loading Credentials in Files Local Network Configuration
Discovery
InstallUtil Custom Cryptographic
ProtocolPath Interception Disabling Security Tools Input Capture Logon Scripts PowerShell Data from Removable
Media Exfiltration Over Command
and Control Channel
Scheduled Task File Deletion Network Sniffing Local Network Connections
Discovery
Pass the Hash Process Hollowing Data Obfuscation
File System Permissions Weakness
File System Logical Offsets Two-Factor Authentication
Interception
Pass the Ticket Regsvcs/Regasm Email Collection Fallback Channels
Service Registry Permissions Weakness Network Service Scanning Remote Desktop Protocol Regsvr32 Input Capture Exfiltration Over Other
Network Medium
Web Shell Indicator Blocking
Peripheral Device Discovery
Remote File Copy Rundll32 Screen Capture
Exploitation of Vulnerability Remote Services Scheduled Task Audio Capture Exfiltration Over Physical
MediumBypass User Account Control Permission Groups
Discovery
Replication Through
Removable Media
Scripting Video Capture Multilayer Encryption
Bootkit DLL Injection Service Execution Scheduled Transfer Peer Connections
Change Default File
Association
Component Object Model Hijacking Process Discovery Shared Webroot Windows Management
Instrumentation
Remote File Copy
Tools
Query Registry Taint Shared Content Standard Application Layer
ProtocolComponent Firmware Remote System Discovery Windows Admin Shares MSBuild
Hypervisor
Indicator Removal on Host Security Software Discovery
Execution through Module
Load Standard Cryptographic
Protocol
Logon Scripts
Modify Existing Service InstallUtil System Information
Discovery
Layer ProtocolRedundant Access Masquerading
Folder
Modify Registry System Owner/User
Discovery
NTFS Extended Attributes Web Service
Security Support Provider Obfuscated Files or
Information
System Service Discovery Data Encoding
Shortcut Modification System Time Discovery
Windows Management
Instrumentation Event
Subscription
Process Hollowing
Redundant Access
Regsvcs/Regasm
Winlogon Helper DLL Regsvr32
Netsh Helper DLL Rootkit
Authentication Package Rundll32
External Remote Services Scripting
Software Packing
Timestomp
MSBuild
Network Share Removal
Install Root Certificate
Legend
Moderate Confidence of Detection
High Confidence of Detection
Low Confidence of Detection
IOC Coverage
Prioritized Adversary Techniques
Define your
threat model
Assess your
coverage
Identify
gaps
Fill gaps

Working together
Filling the gaps is hard,
time-consuming, and expensive.
• There are a lot of prevalent techniques
• Adversary practices are always evolving
• Techniques have a wide set of procedures
• We all have limited resources
• Requires in-depth expertise of system
internals
But you’re not alone.
• Work with your red-team
• Work with others in your
industry
• Talk on Twitter or Slack
• Contribute to open source
• Read blogs and blog yourself!

Challenge area: being realistic about coverage
▪ ATT&CK coverage heatmaps
are great
– Easy to understand
– From a defender perspective
“ ”
straightforward
▪ BUT: Understanding coverage
this way is often deceiving and
doesn’t align with how attacks
are actually detected
1. ATT&CK techniques can be executed
and detected in many ways
2. Detecting single ATT&CK techniques
is usually not the right level of
abstraction

Challenge area: handling false positives
▪ We think we need to develop comprehensive coverage, but is it realistic with
current FP rates and current approaches to detection?
– Analytics are noisy, and more coverage means more false positives
– Waste of analyst time, alert fatigue, etc.
Novel Approaches
Detecting event graphs
Machine-Learning
Tighten the feedback loop
Target detections

Challenge area: getting and searching data
▪ Analytics require increasing amounts of data
– , “ ”
markers become less useful
– Data often needs to come from endpoint + network +
infrastructure
Collection
▪ Can collection be targeted?
▪ Can collection be agile?
▪ Can collection be decentralized?
Search
▪ How can graph-based search
scale?
▪ How can you make effective use
of your resources?

Getting started on your own
▪ Take a look at Detection Lab
– https://github.com/clong/DetectionLab
– https://medium.com/@clong/introducing-detection-lab-61db34bed6ae
▪ Be bad!
– Atomic Red Team has a lot of commands to try: https://atomicredteam.io/
▪ See what bad looks like, write some detections.
– https://github.com/Cyb3rWard0g/ThreatHunter-Playbook is a good place for
inspiration
▪ Share!

Bringing it all together…

Threat-informed defense, but for real
Structured Threat Intel
An ever-improving & validated defenseIntel-Driven Adversary Emulation

What’s next for ATT&CK?
| 38 |
Create a new
website and
infrastructure that
makes ATT&CK
easier to use
Continue to expand
the ATT&CK
community
Open up the
development
and governance
of ATT&CK
Improve and
add to ATT&CK
content:
• Sub-techniques
• Impacts
• New technology
domains

et’s Chat!
▪ Any questions for us?
▪ How have you tackled the challenges we discussed?
▪ If this is new to you…
– How do you think you could use ATT&CK?
– What could we do to help you start?
▪ If you’re already familiar with ATT&CK…
– How are you using it?
– What could we do to help you do that better?
▪ What is missing from ATT&CK?
| 39 |

| 40 |
@likethecoins
attack.mitre.org
attack@mitre.org
@MITREattack
Katie Nickels John Wunder
@jwunder

BSidesLV 2018 - Katie Nickels and John Wunder - ATT&CKing the Status Quo

BSidesLV 2018 - Katie Nickels and John Wunder - ATT&CKing the Status Quo

Recommended

More Related Content

What's hot

What's hot(20)

Similar to BSidesLV 2018 - Katie Nickels and John Wunder - ATT&CKing the Status Quo

Similar to BSidesLV 2018 - Katie Nickels and John Wunder - ATT&CKing the Status Quo(20)

Recently uploaded

Recently uploaded(20)

BSidesLV 2018 - Katie Nickels and John Wunder - ATT&CKing the Status Quo