ATT&CK is the Best Defense - Emulating Sophisticated Adversary Malware to Bolster Defenses
From ATT&CKcon 4.0 By Sajal Thomas and Vishnu Raju, Crowdstrike
1.
ATT&CK is the Best Defense: Emulating Sophisticated Adversary Malware to Bolster Defenses
Sajal Thomas, Vishnu Raju
2.
Introductions
Sajal Thomas
▪ Adversary Tradecraft Research @ CrowdStrike
▪ Former red team operator turned researcher
▪ Connoisseur of the finest adversary tradecraft
Vishnu Raju
▪ Adversary Emulation @ CrowdStrike
▪ Ex-red team operator, ex-threat hunter
▪ Living the security spectrum: Red, Blue, Purple
©2023 CROWDSTRIKE, INC. ALL RIGHTS RESERVED.
3.
What is Adversary Emulation?
Adversary Emulation is an intelligence-driven approach to research and execute tactics, techniques and procedures (TTPs) used by a real-world adversary known to target an organization.
▪ Kill chains contain very specific tradecraft
▪ No hypothetical scenario, unlike Adversary Simulation
▪ Validates defences against a specific adversary
4.
Venomous Bear aka Turla
▪ Assessed with high confidence to be attributable to the Federal Security Service (FSB) of the Russian Federation
▪ Operating for nearly 2 decades
▪ Targets government institutes that handle diplomatic efforts, interior, foreign services, etc.
▪ Novel and sophisticated tradecraft
5.
LightNeuron/BLUEPRINT
▪ LightNeuron is a backdoor installed on Exchange Servers
▪ Supports command-and-control entirely via incoming and outgoing emails
▪ Can intercept, block or modify emails going through the infected Exchange Server
▪ Can execute commands sent by emails in attachments that use steganography
▪ Difficult to remediate and remove
6.
Our Approach to Emulation
1. Gather intelligence (research phase)
2. Extract techniques (research phase)
3. Analyze & organize (research phase)
4. Develop tooling
5. Emulate (the fun part!)
6. Improve Falcon: address gaps
7.
Tradecraft
Components:
▪ PowerShell script for installation
▪ Mail Transport Agent (DLL written in .NET)
▪ Companion DLL (DLL written in C++)
▪ Encrypted config file (masquerading)
▪ Rules file in XML
Source: https://web-assets.esetstatic.com/wls/2019/05/ESET-LightNeuron.pdf
8.
Tradecraft: PowerShell script for installation (figure from the ESET LightNeuron report above)
9.
Tradecraft: Mail Transport Agent (figure from the ESET LightNeuron report above)
10.
Tradecraft: Companion DLL (figure)
11.
Tradecraft: Config file (figure from the ESET LightNeuron report above)
12.
Tradecraft: Rules file in XML (figure from the ESET LightNeuron report above)
13.
ATT&CK Techniques Based on Public & Private Reports (figure)
14.
MITRE's ATT&CK Techniques (figure)
15.
Enter: Micro Emulation Plans
16.
Emulation
Installation:
▪ Exchange Management Shell
▪ Add-PSSnapin Microsoft.Exchange.Management.PowerShell.SnapIn
▪ Exchange Server PowerShell through WinRM
▪ Manually modifying agents.config
17.
Emulation (figure)
18.
Emulation
First generation Mail Transport Agent:
▪ read XML rules file from disk
▪ parsed the email
▪ if the subject contained "alert", the subject was changed to "external"
19.
Emulation
First generation companion DLL:
▪ used open-source AES library (crypto++)
▪ hardcoded AES key and IV
▪ accepted encrypted text as argument
▪ only performed decryption
20.
Emulation
Second generation Mail Transport Agent:
▪ referenced the companion DLL export function
▪ read plain text attachment received via email
▪ passed it on to the companion DLL
21.
Emulation
Second generation companion DLL:
▪ parsed attachment
▪ decrypted encrypted payload
▪ checked for prefix
▪ command execution via C++ "system"
▪ command execution via CreateProcess
22.
Emulation
Third generation companion DLL:
▪ zipped sensitive files
▪ added base64 encoded zip to EML
▪ staged under Pickup folder
▪ exfiltration
23.
Emulation in Action (figure)
24.
Emulation in Action (figure)
25.
Emulation in Action (figure)
26.
Detection and Response Strategy
▪ Identify modifications to the agents.config file
▪ Observe anomalous process behaviour and relationships:
  ▪ EdgeTransport.exe spawning cmd.exe/powershell.exe
▪ Automate sandbox submission for 'interesting' files dropped in 'interesting' file paths
▪ Examine all unsigned DLLs loaded by Exchange Server (EdgeTransport.exe)
▪ Supplement XDR with email logs to create a timeline of events:
  ▪ Email arrives -> EdgeTransport spawns cmd.exe -> evil happens
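The detection strategy on this slide, run over constructed telemetry as an added example (not code from the talk or from CrowdStrike): it flags agents.config writes, unsigned DLLs in EdgeTransport.exe, EdgeTransport.exe spawning a shell, and pairs each spawn with the email that arrived just before it. All event records and their field names are invented; the mapping to a real EDR/XDR or Exchange message-tracking schema is an assumption.

```python
"""Added example, not the talk's or CrowdStrike's code: the detection strategy
from the slide above run over constructed telemetry. Field names and every
event below are invented; real EDR/XDR and Exchange message-tracking schemas
differ, so the field mapping is an assumption."""
from datetime import datetime, timedelta

TRANSPORT_PROC = "edgetransport.exe"
SHELLS = {"cmd.exe", "powershell.exe"}

# Constructed process-creation events (parent -> child).
PROCESS_EVENTS = [
    {"ts": "2023-10-24T10:00:05", "host": "EXCH01", "parent": "EdgeTransport.exe",
     "image": "cmd.exe", "cmdline": "cmd.exe /c whoami"},
    {"ts": "2023-10-24T10:30:00", "host": "EXCH01", "parent": "services.exe",
     "image": "EdgeTransport.exe", "cmdline": "EdgeTransport.exe"},
    {"ts": "2023-10-24T11:02:00", "host": "EXCH01", "parent": "explorer.exe",
     "image": "cmd.exe", "cmdline": "cmd.exe"},  # benign: admin's console
]
# Constructed image-load events for the transport process.
IMAGE_LOAD_EVENTS = [
    {"ts": "2023-10-24T09:58:00", "host": "EXCH01", "process": "EdgeTransport.exe",
     "dll": r"C:\Program Files\Microsoft\Exchange Server\V15\bin\Microsoft.Exchange.Data.Transport.dll",
     "signed": True},
    {"ts": "2023-10-24T09:58:01", "host": "EXCH01", "process": "EdgeTransport.exe",
     "dll": r"C:\Windows\System32\companion_placeholder.dll", "signed": False},
]
# Constructed file-write events.
FILE_EVENTS = [
    {"ts": "2023-10-24T09:57:30", "host": "EXCH01", "process": "powershell.exe",
     "path": r"C:\Program Files\Microsoft\Exchange Server\V15\bin\agents.config"},
    {"ts": "2023-10-24T09:59:00", "host": "EXCH01", "process": "EdgeTransport.exe",
     "path": r"C:\Program Files\Microsoft\Exchange Server\V15\TransportRoles\data\Queue\mail.que"},
]
# Constructed message-tracking entries (email arrival at the server).
EMAIL_EVENTS = [
    {"ts": "2023-10-24T10:00:01", "host": "EXCH01", "sender": "ext@example.net",
     "subject": "invoice", "has_attachment": True},
    {"ts": "2023-10-24T10:45:00", "host": "EXCH01", "sender": "hr@corp.example",
     "subject": "holiday schedule", "has_attachment": False},
]


def _t(s):
    return datetime.fromisoformat(s)


def transport_spawning_shell(events):
    """EdgeTransport.exe has no business spawning cmd.exe or powershell.exe."""
    return [e for e in events
            if e["parent"].lower() == TRANSPORT_PROC and e["image"].lower() in SHELLS]


def unsigned_transport_dlls(events):
    """Every DLL loaded into the transport process is expected to be signed."""
    return [e for e in events if e["process"].lower() == TRANSPORT_PROC and not e["signed"]]


def agents_config_writes(events):
    """A new transport agent is registered by editing agents.config."""
    return [e for e in events if e["path"].lower().endswith("\\agents.config")]


def email_to_spawn_chains(emails, spawns, window_s=30):
    """Pair each shell spawn with an email that reached the same host just before
    it: the 'email arrives -> EdgeTransport spawns cmd.exe' sequence from the slide."""
    chains = []
    for s in spawns:
        for m in emails:
            delta = _t(s["ts"]) - _t(m["ts"])
            if m["host"] == s["host"] and timedelta(0) <= delta <= timedelta(seconds=window_s):
                chains.append({"email_ts": m["ts"], "subject": m["subject"],
                               "spawn_ts": s["ts"], "cmdline": s["cmdline"]})
    return chains


def timeline(process=PROCESS_EVENTS, loads=IMAGE_LOAD_EVENTS,
             files=FILE_EVENTS, emails=EMAIL_EVENTS):
    """Merge all findings into one time-ordered list of (ts, label, detail)."""
    spawns = transport_spawning_shell(process)
    rows = [(e["ts"], "agents.config modified by " + e["process"], e["path"])
            for e in agents_config_writes(files)]
    rows += [(e["ts"], "unsigned DLL in EdgeTransport", e["dll"])
             for e in unsigned_transport_dlls(loads)]
    rows += [(c["email_ts"], "email arrived", c["subject"])
             for c in email_to_spawn_chains(emails, spawns)]
    rows += [(e["ts"], "EdgeTransport spawned " + e["image"], e["cmdline"]) for e in spawns]
    return sorted(rows)
```

On the constructed events, `timeline()` returns four rows in order: the agents.config write, the unsigned DLL load, the email arrival, and the cmd.exe spawn; the admin's cmd.exe under explorer.exe and the later HR email are correctly left out.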
27.
Challenges Faced
▪ Highly sophisticated adversary
▪ Custom and complex malware toolkit
▪ Public intel reporting for Venomous Bear is malware-specific
▪ Few details on actual tradecraft used in intrusions
▪ Not easy to automate
28.
Challenges Faced (figure)
29.
Questions?
30.
Thank You