SlideShare a Scribd company logo

Grow Up! Evaluating and Maturing Your SOC using MITRE ATT&CK

M
MITRE ATT&CK

From ATT&CKcon 4.0 By Lauren Brennan, GuidePoint Security Evaluating the maturity of your security operations program can be complex and challenging. From choosing the right framework to use, to understanding all aspects of how people, processes, and technologies can cohesively operate to grow your SOC, evaluating your security operations is crucial. This presentation will discuss how to evaluate your security operations program using the MITRE ATT&CK framework and talk about best practices for evaluations. We will explore how to identify gaps in your operations and improve your overall security posture with foundational activities. Attendees can expect to learn practical tips for leveraging the MITRE framework as well as actionable takeaways for evaluating and improving their own security operations.

Technology
1 of 17
Download to read offline
Grow Up! Evaluating and Maturing your SOC with MITRE ATT&CK
Copyright ©2023 | guidepointsecurity.com HI THERE! Lauren Brennan Team Lead, SOC Optimization lauren.brennan@guidepointsecurity.com • 6+ years Cyber Security Industry Experience • Worked in GRC, SOC Operations, and Risk • Cat mom, avid knitter, and book lover (350 read so far this year!) • Chat with me! @litwtch on Twitter (no I’m not calling it X), Mastodon, Threads, BlueSky, and all other social media sites
Copyright ©2023 | guidepointsecurity.com Why do you need to evaluate your SOC? q Understand where you excel currently and where you may have gaps in your technology stack and operations q Guide future planning and roadmaps q Understand your threats and how well you respond to them (before they happen!) q Align your operations across the organization and ensure all relevant business units are aware and processes work for all teams
Copyright ©2023 | guidepointsecurity.com Ø The day-to-day function of a SOC, including leadership and analyst activities and how they work in real-world situations. Operations Ø The formal guidance meant to inform and dictate a SOC analyst's behavior during real-world situation. Procedures Ø The technology and information supplied to a SOC analyst to support them during real-world situations. Tooling Ø The interactions within a SOC (analysts/tiers/leaders), the SOC and other parts of the organization (IT, Legal, PR), and the SOC with external service providers (MSP, Contractors). Collaboration The Pillars of SOC Foundations
Copyright ©2023 | guidepointsecurity.com End-to-End Use Case Review & Mapping Threat Actor Research & MITRE ATT&CK TTP Mapping SIEM Detections Coverage Mapping SOC Assessment Workflow SIEM Detections Testing 1 3 2 4
Copyright ©2023 | guidepointsecurity.com Where does MITRE ATT&CK Come into Play? ❑ Standardize threat language across all pillars and business units ❑ Visualize threats to the organization ❑ Evaluate all pillars of your SOC
Copyright ©2023 | guidepointsecurity.com Identify Threats using ATT&CK 1 Operations Pillar of the SOC q Identify key threat actors (usually 5 – 10) that you are most concerned about q Look both internally and externally when developing this list q Example: Financial Industry Organization, concerned about admin@338, Indrik Spider, Lazarus Group, APT19, APT38, in addition to Ransomware and eCrime Groups (Exotic Lily, FIN7, TA505)
Copyright ©2023 | guidepointsecurity.com Example Navigator Mapping of Threat Actors
Copyright ©2023 | guidepointsecurity.com SIEM Detections Coverage Mapping (Detect Thy Enemy) Technology Pillar of the SOC ❑ Review your data sources AND your existing detection rules – are there any that aren’t currently coming into your SIEM? ❑ Use Navigator to overlay your existing tech stack against the adversary mapped techniques ❑ Look for any immediate gaps you notice in your technology stack that could affect your detections 2 Image source: https://www.crowdstrike.com/cybersecurity-101/observability/log-file/
Copyright ©2023 | guidepointsecurity.com Example Navigator Mapping of TA Detections
Copyright ©2023 | guidepointsecurity.com Test! Test! Test! Your Detections Technology + Operations Pillars of the SOC ❑ Use open source (Caldera, Atomic Red Team) or paid tools (Mandiant, SightGain) to evaluate detection capabilities ❑ If not possible to validate via testing - deep dive into the search language used for detections + review logs ❑ Build new detections if you have detection gaps ❑ Sigma rules and opensource detection sources can help you build new detections for gaps you identify 3
Copyright ©2023 | guidepointsecurity.com Workflow Analysis (Holistic Review) Procedures + Collaborations Pillars of the SOC ❑ Review current SOC/IR workflows ❑ Map existing runbooks to enabled use cases, detections, and/or threat actor TTP’s to identify coverage and gaps in response capabilities Threat Actor TTPs Detection and Alerting Runbooks (Response) 4 ❑ Evaluate: ❑ Runbook Accessibility ❑ Naming Conventions ❑ Source Control
Copyright ©2023 | guidepointsecurity.com q Review your existing coverage and the results of your tests q Evaluate and think about the other pillars of the SOC and how MITRE ATT&CK ties into the full process q Prioritize updating your detections based on the gaps in your MITRE coverage q Use MITRE ATT&CK as a measurement of your maturity q Use the language of MITRE ATT&CK to standardize your roadmap and measure your technical maturity on a regular basis Putting it all together – How to Grow Up!
Copyright ©2023 | guidepointsecurity.com Example Assessment Score and Target
Copyright ©2023 | guidepointsecurity.com Know What You Are Protecting and Why Measure Performance to Improve Performance Give the SOC the Authority to Do Iits Job Build a SOC Structure to Match Your Organizational Needs Hire and Grow Quality Staff Select and Collect the Right Data Leverage Tools to Support Analyst Workflow Illumniate Adversaries with Cyber Threat Intel Communicate Clearly, Collaborate Often, Share Generiously Prioritize Incident Response Current 12 Months 24 Months 5 1 0 4 3 2 Legend 0 – No Capability 1 – Initiating 2 – Ad Hoc/Defined 3 – Managed 4 – Quantitatively Managed 5 – Optimizing Example SOC Maturity Roadmap
Copyright ©2023 | guidepointsecurity.com Grow Up! The Value of Using MITRE ATT&CK q Build a roadmap for future improvement and utilize MITRE ATT&CK as a measurement for measuring success q Identify gaps in your existing technology stack and processes q Validate your existing detections and SOC/IR Processes q MITRE ATT&CK provides a standardized language for thinking about security operations in your organization
Q & A Thank You!

Recommended

Cloud Native Workload ATT&CK Matrix
Cloud Native Workload ATT&CK MatrixCloud Native Workload ATT&CK Matrix
Cloud Native Workload ATT&CK MatrixMITRE ATT&CK
 
One Leg to Stand on: Adventures in Adversary Tracking with ATT&CK
One Leg to Stand on: Adventures in Adversary Tracking with ATT&CKOne Leg to Stand on: Adventures in Adversary Tracking with ATT&CK
One Leg to Stand on: Adventures in Adversary Tracking with ATT&CKMITRE ATT&CK
 
MITRE ATT&CK based Threat Analysis for Electronic Flight Bag
MITRE ATT&CK based Threat Analysis for Electronic Flight BagMITRE ATT&CK based Threat Analysis for Electronic Flight Bag
MITRE ATT&CK based Threat Analysis for Electronic Flight BagMITRE ATT&CK
 
Detection as Code, Automation, and Testing: The Key to Unlocking the Power of...
Detection as Code, Automation, and Testing: The Key to Unlocking the Power of...Detection as Code, Automation, and Testing: The Key to Unlocking the Power of...
Detection as Code, Automation, and Testing: The Key to Unlocking the Power of...MITRE ATT&CK
 
Tidying up your Nest: Validating ATT&CK Technique Coverage using EDR Telemetry
Tidying up your Nest: Validating ATT&CK Technique Coverage using EDR TelemetryTidying up your Nest: Validating ATT&CK Technique Coverage using EDR Telemetry
Tidying up your Nest: Validating ATT&CK Technique Coverage using EDR TelemetryMITRE ATT&CK
 
Evaluating and Enhancing Security Maturity through MITRE ATT&CK Mapping
Evaluating and Enhancing Security Maturity through MITRE ATT&CK MappingEvaluating and Enhancing Security Maturity through MITRE ATT&CK Mapping
Evaluating and Enhancing Security Maturity through MITRE ATT&CK MappingMITRE ATT&CK
 
When Insiders ATT&CK!
When Insiders ATT&CK!When Insiders ATT&CK!
When Insiders ATT&CK!MITRE ATT&CK
 
Civil Society, Pegasus, and Predator: What Sophisticated Spyware Means For Us...
Civil Society, Pegasus, and Predator: What Sophisticated Spyware Means For Us...Civil Society, Pegasus, and Predator: What Sophisticated Spyware Means For Us...
Civil Society, Pegasus, and Predator: What Sophisticated Spyware Means For Us...MITRE ATT&CK
 

Recommended

Cloud Native Workload ATT&CK Matrix
Cloud Native Workload ATT&CK MatrixCloud Native Workload ATT&CK Matrix
Cloud Native Workload ATT&CK MatrixMITRE ATT&CK
 
One Leg to Stand on: Adventures in Adversary Tracking with ATT&CK
One Leg to Stand on: Adventures in Adversary Tracking with ATT&CKOne Leg to Stand on: Adventures in Adversary Tracking with ATT&CK
One Leg to Stand on: Adventures in Adversary Tracking with ATT&CKMITRE ATT&CK
 
MITRE ATT&CK based Threat Analysis for Electronic Flight Bag
MITRE ATT&CK based Threat Analysis for Electronic Flight BagMITRE ATT&CK based Threat Analysis for Electronic Flight Bag
MITRE ATT&CK based Threat Analysis for Electronic Flight BagMITRE ATT&CK
 
Detection as Code, Automation, and Testing: The Key to Unlocking the Power of...
Detection as Code, Automation, and Testing: The Key to Unlocking the Power of...Detection as Code, Automation, and Testing: The Key to Unlocking the Power of...
Detection as Code, Automation, and Testing: The Key to Unlocking the Power of...MITRE ATT&CK
 
Tidying up your Nest: Validating ATT&CK Technique Coverage using EDR Telemetry
Tidying up your Nest: Validating ATT&CK Technique Coverage using EDR TelemetryTidying up your Nest: Validating ATT&CK Technique Coverage using EDR Telemetry
Tidying up your Nest: Validating ATT&CK Technique Coverage using EDR TelemetryMITRE ATT&CK
 
Evaluating and Enhancing Security Maturity through MITRE ATT&CK Mapping
Evaluating and Enhancing Security Maturity through MITRE ATT&CK MappingEvaluating and Enhancing Security Maturity through MITRE ATT&CK Mapping
Evaluating and Enhancing Security Maturity through MITRE ATT&CK MappingMITRE ATT&CK
 
When Insiders ATT&CK!
When Insiders ATT&CK!When Insiders ATT&CK!
When Insiders ATT&CK!MITRE ATT&CK
 
Civil Society, Pegasus, and Predator: What Sophisticated Spyware Means For Us...
Civil Society, Pegasus, and Predator: What Sophisticated Spyware Means For Us...Civil Society, Pegasus, and Predator: What Sophisticated Spyware Means For Us...
Civil Society, Pegasus, and Predator: What Sophisticated Spyware Means For Us...MITRE ATT&CK
 
CISA usage of ATT&CK in Cybersecurity Advisories
CISA usage of ATT&CK in Cybersecurity AdvisoriesCISA usage of ATT&CK in Cybersecurity Advisories
CISA usage of ATT&CK in Cybersecurity AdvisoriesMITRE ATT&CK
 
MITRE ATT&CK Updates: State of the ATT&CK (ATT&CKcon 4.0 Edition)
MITRE ATT&CK Updates: State of the ATT&CK (ATT&CKcon 4.0 Edition)MITRE ATT&CK Updates: State of the ATT&CK (ATT&CKcon 4.0 Edition)
MITRE ATT&CK Updates: State of the ATT&CK (ATT&CKcon 4.0 Edition)MITRE ATT&CK
 
ATT&CKing the Red/Blue Divide
ATT&CKing the Red/Blue DivideATT&CKing the Red/Blue Divide
ATT&CKing the Red/Blue DivideMITRE ATT&CK
 
ATT&CK Updates- Defensive ATT&CK
ATT&CK Updates- Defensive ATT&CKATT&CK Updates- Defensive ATT&CK
ATT&CK Updates- Defensive ATT&CKMITRE ATT&CK
 
Driving Intelligence with MITRE ATT&CK: Leveraging Limited Resources to Build...
Driving Intelligence with MITRE ATT&CK: Leveraging Limited Resources to Build...Driving Intelligence with MITRE ATT&CK: Leveraging Limited Resources to Build...
Driving Intelligence with MITRE ATT&CK: Leveraging Limited Resources to Build...MITRE ATT&CK
 
Would you Rather Have Telemetry into 2 Attacks or 20? An Insight Into Highly ...
Would you Rather Have Telemetry into 2 Attacks or 20? An Insight Into Highly ...Would you Rather Have Telemetry into 2 Attacks or 20? An Insight Into Highly ...
Would you Rather Have Telemetry into 2 Attacks or 20? An Insight Into Highly ...MITRE ATT&CK
 
Landing on Jupyter: The transformative power of data-driven storytelling for ...
Landing on Jupyter: The transformative power of data-driven storytelling for ...Landing on Jupyter: The transformative power of data-driven storytelling for ...
Landing on Jupyter: The transformative power of data-driven storytelling for ...MITRE ATT&CK
 
The ATT&CK Latin American APT Playbook
The ATT&CK Latin American APT PlaybookThe ATT&CK Latin American APT Playbook
The ATT&CK Latin American APT PlaybookMITRE ATT&CK
 
ATT&CK is the Best Defense - Emulating Sophisticated Adversary Malware to Bol...
ATT&CK is the Best Defense - Emulating Sophisticated Adversary Malware to Bol...ATT&CK is the Best Defense - Emulating Sophisticated Adversary Malware to Bol...
ATT&CK is the Best Defense - Emulating Sophisticated Adversary Malware to Bol...MITRE ATT&CK
 
Updates from the Center for Threat-Informed Defense
Updates from the Center for Threat-Informed DefenseUpdates from the Center for Threat-Informed Defense
Updates from the Center for Threat-Informed DefenseMITRE ATT&CK
 
MITRE ATT&CK Updates: ICS
MITRE ATT&CK Updates: ICSMITRE ATT&CK Updates: ICS
MITRE ATT&CK Updates: ICSMITRE ATT&CK
 
.LNK Tears of the Kingdom
.LNK Tears of the Kingdom.LNK Tears of the Kingdom
.LNK Tears of the KingdomMITRE ATT&CK
 
ATT&CK Updates- ATT&CK for ICS
ATT&CK Updates- ATT&CK for ICSATT&CK Updates- ATT&CK for ICS
ATT&CK Updates- ATT&CK for ICSMITRE ATT&CK
 
State of the ATT&CK
State of the ATT&CKState of the ATT&CK
State of the ATT&CKMITRE ATT&CK
 
ATT&CK Updates- Campaigns
ATT&CK Updates- CampaignsATT&CK Updates- Campaigns
ATT&CK Updates- CampaignsMITRE ATT&CK
 
Detection and Response Roles
Detection and Response RolesDetection and Response Roles
Detection and Response RolesFlorian Roth
 
ATT&CK Updates- ATT&CK's Open Source
ATT&CK Updates- ATT&CK's Open SourceATT&CK Updates- ATT&CK's Open Source
ATT&CK Updates- ATT&CK's Open SourceMITRE ATT&CK
 
Intelligence Failures of Lincolns Top Spies: What CTI Analysts Can Learn Fro...
Intelligence Failures of Lincolns Top Spies: What CTI Analysts Can Learn Fro... Intelligence Failures of Lincolns Top Spies: What CTI Analysts Can Learn Fro...
Intelligence Failures of Lincolns Top Spies: What CTI Analysts Can Learn Fro...MITRE ATT&CK
 
Introduction to MITRE ATT&CK
Introduction to MITRE ATT&CKIntroduction to MITRE ATT&CK
Introduction to MITRE ATT&CKArpan Raval
 
Projects to Impact- Operationalizing Work from the Center
Projects to Impact- Operationalizing Work from the CenterProjects to Impact- Operationalizing Work from the Center
Projects to Impact- Operationalizing Work from the CenterMITRE ATT&CK
 
2017 Q1 Arcticcon - Meet Up - Adventures in Adversarial Emulation
2017 Q1 Arcticcon - Meet Up - Adventures in Adversarial Emulation2017 Q1 Arcticcon - Meet Up - Adventures in Adversarial Emulation
2017 Q1 Arcticcon - Meet Up - Adventures in Adversarial EmulationScott Sutherland
 
Threat modelling(system + enterprise)
Threat modelling(system + enterprise)Threat modelling(system + enterprise)
Threat modelling(system + enterprise)abhimanyubhogwan
 

More Related Content

What's hot

CISA usage of ATT&CK in Cybersecurity Advisories
CISA usage of ATT&CK in Cybersecurity AdvisoriesCISA usage of ATT&CK in Cybersecurity Advisories
CISA usage of ATT&CK in Cybersecurity AdvisoriesMITRE ATT&CK
 
MITRE ATT&CK Updates: State of the ATT&CK (ATT&CKcon 4.0 Edition)
MITRE ATT&CK Updates: State of the ATT&CK (ATT&CKcon 4.0 Edition)MITRE ATT&CK Updates: State of the ATT&CK (ATT&CKcon 4.0 Edition)
MITRE ATT&CK Updates: State of the ATT&CK (ATT&CKcon 4.0 Edition)MITRE ATT&CK
 
ATT&CKing the Red/Blue Divide
ATT&CKing the Red/Blue DivideATT&CKing the Red/Blue Divide
ATT&CKing the Red/Blue DivideMITRE ATT&CK
 
ATT&CK Updates- Defensive ATT&CK
ATT&CK Updates- Defensive ATT&CKATT&CK Updates- Defensive ATT&CK
ATT&CK Updates- Defensive ATT&CKMITRE ATT&CK
 
Driving Intelligence with MITRE ATT&CK: Leveraging Limited Resources to Build...
Driving Intelligence with MITRE ATT&CK: Leveraging Limited Resources to Build...Driving Intelligence with MITRE ATT&CK: Leveraging Limited Resources to Build...
Driving Intelligence with MITRE ATT&CK: Leveraging Limited Resources to Build...MITRE ATT&CK
 
Would you Rather Have Telemetry into 2 Attacks or 20? An Insight Into Highly ...
Would you Rather Have Telemetry into 2 Attacks or 20? An Insight Into Highly ...Would you Rather Have Telemetry into 2 Attacks or 20? An Insight Into Highly ...
Would you Rather Have Telemetry into 2 Attacks or 20? An Insight Into Highly ...MITRE ATT&CK
 
Landing on Jupyter: The transformative power of data-driven storytelling for ...
Landing on Jupyter: The transformative power of data-driven storytelling for ...Landing on Jupyter: The transformative power of data-driven storytelling for ...
Landing on Jupyter: The transformative power of data-driven storytelling for ...MITRE ATT&CK
 
The ATT&CK Latin American APT Playbook
The ATT&CK Latin American APT PlaybookThe ATT&CK Latin American APT Playbook
The ATT&CK Latin American APT PlaybookMITRE ATT&CK
 
ATT&CK is the Best Defense - Emulating Sophisticated Adversary Malware to Bol...
ATT&CK is the Best Defense - Emulating Sophisticated Adversary Malware to Bol...ATT&CK is the Best Defense - Emulating Sophisticated Adversary Malware to Bol...
ATT&CK is the Best Defense - Emulating Sophisticated Adversary Malware to Bol...MITRE ATT&CK
 
Updates from the Center for Threat-Informed Defense
Updates from the Center for Threat-Informed DefenseUpdates from the Center for Threat-Informed Defense
Updates from the Center for Threat-Informed DefenseMITRE ATT&CK
 
MITRE ATT&CK Updates: ICS
MITRE ATT&CK Updates: ICSMITRE ATT&CK Updates: ICS
MITRE ATT&CK Updates: ICSMITRE ATT&CK
 
.LNK Tears of the Kingdom
.LNK Tears of the Kingdom.LNK Tears of the Kingdom
.LNK Tears of the KingdomMITRE ATT&CK
 
ATT&CK Updates- ATT&CK for ICS
ATT&CK Updates- ATT&CK for ICSATT&CK Updates- ATT&CK for ICS
ATT&CK Updates- ATT&CK for ICSMITRE ATT&CK
 
State of the ATT&CK
State of the ATT&CKState of the ATT&CK
State of the ATT&CKMITRE ATT&CK
 
ATT&CK Updates- Campaigns
ATT&CK Updates- CampaignsATT&CK Updates- Campaigns
ATT&CK Updates- CampaignsMITRE ATT&CK
 
Detection and Response Roles
Detection and Response RolesDetection and Response Roles
Detection and Response RolesFlorian Roth
 
ATT&CK Updates- ATT&CK's Open Source
ATT&CK Updates- ATT&CK's Open SourceATT&CK Updates- ATT&CK's Open Source
ATT&CK Updates- ATT&CK's Open SourceMITRE ATT&CK
 
Intelligence Failures of Lincolns Top Spies: What CTI Analysts Can Learn Fro...
Intelligence Failures of Lincolns Top Spies: What CTI Analysts Can Learn Fro... Intelligence Failures of Lincolns Top Spies: What CTI Analysts Can Learn Fro...
Intelligence Failures of Lincolns Top Spies: What CTI Analysts Can Learn Fro...MITRE ATT&CK
 
Introduction to MITRE ATT&CK
Introduction to MITRE ATT&CKIntroduction to MITRE ATT&CK
Introduction to MITRE ATT&CKArpan Raval
 
Projects to Impact- Operationalizing Work from the Center
Projects to Impact- Operationalizing Work from the CenterProjects to Impact- Operationalizing Work from the Center
Projects to Impact- Operationalizing Work from the CenterMITRE ATT&CK
 

What's hot (20)

CISA usage of ATT&CK in Cybersecurity Advisories
CISA usage of ATT&CK in Cybersecurity AdvisoriesCISA usage of ATT&CK in Cybersecurity Advisories
CISA usage of ATT&CK in Cybersecurity Advisories
 
MITRE ATT&CK Updates: State of the ATT&CK (ATT&CKcon 4.0 Edition)
MITRE ATT&CK Updates: State of the ATT&CK (ATT&CKcon 4.0 Edition)MITRE ATT&CK Updates: State of the ATT&CK (ATT&CKcon 4.0 Edition)
MITRE ATT&CK Updates: State of the ATT&CK (ATT&CKcon 4.0 Edition)
 
ATT&CKing the Red/Blue Divide
ATT&CKing the Red/Blue DivideATT&CKing the Red/Blue Divide
ATT&CKing the Red/Blue Divide
 
ATT&CK Updates- Defensive ATT&CK
ATT&CK Updates- Defensive ATT&CKATT&CK Updates- Defensive ATT&CK
ATT&CK Updates- Defensive ATT&CK
 
Driving Intelligence with MITRE ATT&CK: Leveraging Limited Resources to Build...
Driving Intelligence with MITRE ATT&CK: Leveraging Limited Resources to Build...Driving Intelligence with MITRE ATT&CK: Leveraging Limited Resources to Build...
Driving Intelligence with MITRE ATT&CK: Leveraging Limited Resources to Build...
 
Would you Rather Have Telemetry into 2 Attacks or 20? An Insight Into Highly ...
Would you Rather Have Telemetry into 2 Attacks or 20? An Insight Into Highly ...Would you Rather Have Telemetry into 2 Attacks or 20? An Insight Into Highly ...
Would you Rather Have Telemetry into 2 Attacks or 20? An Insight Into Highly ...
 
Landing on Jupyter: The transformative power of data-driven storytelling for ...
Landing on Jupyter: The transformative power of data-driven storytelling for ...Landing on Jupyter: The transformative power of data-driven storytelling for ...
Landing on Jupyter: The transformative power of data-driven storytelling for ...
 
The ATT&CK Latin American APT Playbook
The ATT&CK Latin American APT PlaybookThe ATT&CK Latin American APT Playbook
The ATT&CK Latin American APT Playbook
 
ATT&CK is the Best Defense - Emulating Sophisticated Adversary Malware to Bol...
ATT&CK is the Best Defense - Emulating Sophisticated Adversary Malware to Bol...ATT&CK is the Best Defense - Emulating Sophisticated Adversary Malware to Bol...
ATT&CK is the Best Defense - Emulating Sophisticated Adversary Malware to Bol...
 
Updates from the Center for Threat-Informed Defense
Updates from the Center for Threat-Informed DefenseUpdates from the Center for Threat-Informed Defense
Updates from the Center for Threat-Informed Defense
 
MITRE ATT&CK Updates: ICS
MITRE ATT&CK Updates: ICSMITRE ATT&CK Updates: ICS
MITRE ATT&CK Updates: ICS
 
.LNK Tears of the Kingdom
.LNK Tears of the Kingdom.LNK Tears of the Kingdom
.LNK Tears of the Kingdom
 
ATT&CK Updates- ATT&CK for ICS
ATT&CK Updates- ATT&CK for ICSATT&CK Updates- ATT&CK for ICS
ATT&CK Updates- ATT&CK for ICS
 
State of the ATT&CK
State of the ATT&CKState of the ATT&CK
State of the ATT&CK
 
ATT&CK Updates- Campaigns
ATT&CK Updates- CampaignsATT&CK Updates- Campaigns
ATT&CK Updates- Campaigns
 
Detection and Response Roles
Detection and Response RolesDetection and Response Roles
Detection and Response Roles
 
ATT&CK Updates- ATT&CK's Open Source
ATT&CK Updates- ATT&CK's Open SourceATT&CK Updates- ATT&CK's Open Source
ATT&CK Updates- ATT&CK's Open Source
 
Intelligence Failures of Lincolns Top Spies: What CTI Analysts Can Learn Fro...
Intelligence Failures of Lincolns Top Spies: What CTI Analysts Can Learn Fro... Intelligence Failures of Lincolns Top Spies: What CTI Analysts Can Learn Fro...
Intelligence Failures of Lincolns Top Spies: What CTI Analysts Can Learn Fro...
 
Introduction to MITRE ATT&CK
Introduction to MITRE ATT&CKIntroduction to MITRE ATT&CK
Introduction to MITRE ATT&CK
 
Projects to Impact- Operationalizing Work from the Center
Projects to Impact- Operationalizing Work from the CenterProjects to Impact- Operationalizing Work from the Center
Projects to Impact- Operationalizing Work from the Center
 

Similar to Grow Up! Evaluating and Maturing Your SOC using MITRE ATT&CK

2017 Q1 Arcticcon - Meet Up - Adventures in Adversarial Emulation
2017 Q1 Arcticcon - Meet Up - Adventures in Adversarial Emulation2017 Q1 Arcticcon - Meet Up - Adventures in Adversarial Emulation
2017 Q1 Arcticcon - Meet Up - Adventures in Adversarial EmulationScott Sutherland
 
Threat modelling(system + enterprise)
Threat modelling(system + enterprise)Threat modelling(system + enterprise)
Threat modelling(system + enterprise)abhimanyubhogwan
 
For Public_ Cybersecurity_ Frameworks, Fundamentals, and Foundations 2023.pdf
For Public_ Cybersecurity_ Frameworks, Fundamentals, and Foundations 2023.pdfFor Public_ Cybersecurity_ Frameworks, Fundamentals, and Foundations 2023.pdf
For Public_ Cybersecurity_ Frameworks, Fundamentals, and Foundations 2023.pdfJustinBrown267905
 
How to build a cyber threat intelligence program
How to build a cyber threat intelligence programHow to build a cyber threat intelligence program
How to build a cyber threat intelligence programMark Arena
 
Vendors, and Risk, and Tigers, and Bears, Oh My: How to Create a Vendor Revie...
Vendors, and Risk, and Tigers, and Bears, Oh My: How to Create a Vendor Revie...Vendors, and Risk, and Tigers, and Bears, Oh My: How to Create a Vendor Revie...
Vendors, and Risk, and Tigers, and Bears, Oh My: How to Create a Vendor Revie...Wendy Knox Everette
 
Cybersecurity Frameworks and You: The Perfect Match
Cybersecurity Frameworks and You: The Perfect MatchCybersecurity Frameworks and You: The Perfect Match
Cybersecurity Frameworks and You: The Perfect MatchMcKonly & Asbury, LLP
 
Security metrics
Security metrics Security metrics
Security metrics PRAYAGRAJ11
 
idsecconf2023 - Mangatas Tondang, Wahyu Nuryanto - Penerapan Model Detection ...
idsecconf2023 - Mangatas Tondang, Wahyu Nuryanto - Penerapan Model Detection ...idsecconf2023 - Mangatas Tondang, Wahyu Nuryanto - Penerapan Model Detection ...
idsecconf2023 - Mangatas Tondang, Wahyu Nuryanto - Penerapan Model Detection ...idsecconf
 
RED-TEAM_Conclave
RED-TEAM_ConclaveRED-TEAM_Conclave
RED-TEAM_ConclaveNSConclave
 
Cmgt 400 Entire Course NEW
Cmgt 400 Entire Course NEWCmgt 400 Entire Course NEW
Cmgt 400 Entire Course NEWshyamuop
 
CMGT 400 Entire Course NEW
CMGT 400 Entire Course NEWCMGT 400 Entire Course NEW
CMGT 400 Entire Course NEWshyamuopfive
 
Extreme risk - how bad tech mgmt destroys firms
Extreme risk - how bad tech mgmt destroys firmsExtreme risk - how bad tech mgmt destroys firms
Extreme risk - how bad tech mgmt destroys firmsEric Tachibana
 
FFIEC and NIST: What You Need to Know About Two Prevalent New IT Security Com...
FFIEC and NIST: What You Need to Know About Two Prevalent New IT Security Com...FFIEC and NIST: What You Need to Know About Two Prevalent New IT Security Com...
FFIEC and NIST: What You Need to Know About Two Prevalent New IT Security Com...West Monroe Partners
 
RMS Security Breakfast
RMS Security BreakfastRMS Security Breakfast
RMS Security BreakfastRackspace
 
Threat Modeling to Reduce Software Security Risk
Threat Modeling to Reduce Software Security RiskThreat Modeling to Reduce Software Security Risk
Threat Modeling to Reduce Software Security RiskSecurity Innovation
 
Aujas incident management webinar deck 08162016
Aujas incident management webinar deck 08162016Aujas incident management webinar deck 08162016
Aujas incident management webinar deck 08162016Karl Kispert
 

Similar to Grow Up! Evaluating and Maturing Your SOC using MITRE ATT&CK (20)

2017 Q1 Arcticcon - Meet Up - Adventures in Adversarial Emulation
2017 Q1 Arcticcon - Meet Up - Adventures in Adversarial Emulation2017 Q1 Arcticcon - Meet Up - Adventures in Adversarial Emulation
2017 Q1 Arcticcon - Meet Up - Adventures in Adversarial Emulation
 
Threat modelling(system + enterprise)
Threat modelling(system + enterprise)Threat modelling(system + enterprise)
Threat modelling(system + enterprise)
 
For Public_ Cybersecurity_ Frameworks, Fundamentals, and Foundations 2023.pdf
For Public_ Cybersecurity_ Frameworks, Fundamentals, and Foundations 2023.pdfFor Public_ Cybersecurity_ Frameworks, Fundamentals, and Foundations 2023.pdf
For Public_ Cybersecurity_ Frameworks, Fundamentals, and Foundations 2023.pdf
 
How to build a cyber threat intelligence program
How to build a cyber threat intelligence programHow to build a cyber threat intelligence program
How to build a cyber threat intelligence program
 
Vendors, and Risk, and Tigers, and Bears, Oh My: How to Create a Vendor Revie...
Vendors, and Risk, and Tigers, and Bears, Oh My: How to Create a Vendor Revie...Vendors, and Risk, and Tigers, and Bears, Oh My: How to Create a Vendor Revie...
Vendors, and Risk, and Tigers, and Bears, Oh My: How to Create a Vendor Revie...
 
Ctia course outline
Ctia course outlineCtia course outline
Ctia course outline
 
Cybersecurity Frameworks and You: The Perfect Match
Cybersecurity Frameworks and You: The Perfect MatchCybersecurity Frameworks and You: The Perfect Match
Cybersecurity Frameworks and You: The Perfect Match
 
Security metrics
Security metrics Security metrics
Security metrics
 
idsecconf2023 - Mangatas Tondang, Wahyu Nuryanto - Penerapan Model Detection ...
idsecconf2023 - Mangatas Tondang, Wahyu Nuryanto - Penerapan Model Detection ...idsecconf2023 - Mangatas Tondang, Wahyu Nuryanto - Penerapan Model Detection ...
idsecconf2023 - Mangatas Tondang, Wahyu Nuryanto - Penerapan Model Detection ...
 
CISO's first 100 days
CISO's first 100 daysCISO's first 100 days
CISO's first 100 days
 
comesa cybersecurity
comesa cybersecuritycomesa cybersecurity
comesa cybersecurity
 
RED-TEAM_Conclave
RED-TEAM_ConclaveRED-TEAM_Conclave
RED-TEAM_Conclave
 
Cmgt 400 Entire Course NEW
Cmgt 400 Entire Course NEWCmgt 400 Entire Course NEW
Cmgt 400 Entire Course NEW
 
CMGT 400 Entire Course NEW
CMGT 400 Entire Course NEWCMGT 400 Entire Course NEW
CMGT 400 Entire Course NEW
 
Cyber Security # Lec 3
Cyber Security # Lec 3 Cyber Security # Lec 3
Cyber Security # Lec 3
 
Extreme risk - how bad tech mgmt destroys firms
Extreme risk - how bad tech mgmt destroys firmsExtreme risk - how bad tech mgmt destroys firms
Extreme risk - how bad tech mgmt destroys firms
 
FFIEC and NIST: What You Need to Know About Two Prevalent New IT Security Com...
FFIEC and NIST: What You Need to Know About Two Prevalent New IT Security Com...FFIEC and NIST: What You Need to Know About Two Prevalent New IT Security Com...
FFIEC and NIST: What You Need to Know About Two Prevalent New IT Security Com...
 
RMS Security Breakfast
RMS Security BreakfastRMS Security Breakfast
RMS Security Breakfast
 
Threat Modeling to Reduce Software Security Risk
Threat Modeling to Reduce Software Security RiskThreat Modeling to Reduce Software Security Risk
Threat Modeling to Reduce Software Security Risk
 
Aujas incident management webinar deck 08162016
Aujas incident management webinar deck 08162016Aujas incident management webinar deck 08162016
Aujas incident management webinar deck 08162016
 

More from MITRE ATT&CK

Dealing With ATT&CK's Different Levels Of Detail
Dealing With ATT&CK's Different Levels Of DetailDealing With ATT&CK's Different Levels Of Detail
Dealing With ATT&CK's Different Levels Of DetailMITRE ATT&CK
 
Automating testing by implementing ATT&CK using the Blackboard Architecture
Automating testing by implementing ATT&CK using the Blackboard ArchitectureAutomating testing by implementing ATT&CK using the Blackboard Architecture
Automating testing by implementing ATT&CK using the Blackboard ArchitectureMITRE ATT&CK
 
I can haz cake: Benefits of working with MITRE on ATT&CK
I can haz cake: Benefits of working with MITRE on ATT&CKI can haz cake: Benefits of working with MITRE on ATT&CK
I can haz cake: Benefits of working with MITRE on ATT&CKMITRE ATT&CK
 
ATT&CK’s Adoption in CTI: A Great Success (with Room to Grow!)
ATT&CK’s Adoption in CTI: A Great Success (with Room to Grow!)ATT&CK’s Adoption in CTI: A Great Success (with Room to Grow!)
ATT&CK’s Adoption in CTI: A Great Success (with Room to Grow!)MITRE ATT&CK
 
Exploring the Labyrinth: Deep dive into the Lazarus Group's foray into macOS
Exploring the Labyrinth: Deep dive into the Lazarus Group's foray into macOSExploring the Labyrinth: Deep dive into the Lazarus Group's foray into macOS
Exploring the Labyrinth: Deep dive into the Lazarus Group's foray into macOSMITRE ATT&CK
 
MITRE ATT&CK Updates: State of the Cloud
MITRE ATT&CK Updates: State of the CloudMITRE ATT&CK Updates: State of the Cloud
MITRE ATT&CK Updates: State of the CloudMITRE ATT&CK
 
Using ATT&CK to created wicked actors in real data
Using ATT&CK to created wicked actors in real dataUsing ATT&CK to created wicked actors in real data
Using ATT&CK to created wicked actors in real dataMITRE ATT&CK
 
MITRE ATT&CK Updates: New Ideas in Enterprise - Pushing the boundaries of ATT...
MITRE ATT&CK Updates: New Ideas in Enterprise - Pushing the boundaries of ATT...MITRE ATT&CK Updates: New Ideas in Enterprise - Pushing the boundaries of ATT...
MITRE ATT&CK Updates: New Ideas in Enterprise - Pushing the boundaries of ATT...MITRE ATT&CK
 
Navigating the Attention Economy – Using MITRE ATT&CK to Communicate to Stake...
Navigating the Attention Economy – Using MITRE ATT&CK to Communicate to Stake...Navigating the Attention Economy – Using MITRE ATT&CK to Communicate to Stake...
Navigating the Attention Economy – Using MITRE ATT&CK to Communicate to Stake...MITRE ATT&CK
 
The case for quishing
The case for quishingThe case for quishing
The case for quishingMITRE ATT&CK
 
Discussion on Finding Relationships in Cyber Data
Discussion on Finding Relationships in Cyber DataDiscussion on Finding Relationships in Cyber Data
Discussion on Finding Relationships in Cyber DataMITRE ATT&CK
 
The art of communicating ATT&CK to the CFO
The art of communicating ATT&CK to the CFOThe art of communicating ATT&CK to the CFO
The art of communicating ATT&CK to the CFOMITRE ATT&CK
 
MITRE ATT&CK Updates: Software
MITRE ATT&CK Updates: SoftwareMITRE ATT&CK Updates: Software
MITRE ATT&CK Updates: SoftwareMITRE ATT&CK
 
Or Lenses and Layers: Adding Business Context to Enterprise Mappings
Or Lenses and Layers: Adding Business Context to Enterprise MappingsOr Lenses and Layers: Adding Business Context to Enterprise Mappings
Or Lenses and Layers: Adding Business Context to Enterprise MappingsMITRE ATT&CK
 
Adjectives for ATT&CK
Adjectives for ATT&CKAdjectives for ATT&CK
Adjectives for ATT&CKMITRE ATT&CK
 
Threat Modelling - It's not just for developers
Threat Modelling - It's not just for developersThreat Modelling - It's not just for developers
Threat Modelling - It's not just for developersMITRE ATT&CK
 

More from MITRE ATT&CK (16)

Dealing With ATT&CK's Different Levels Of Detail
Dealing With ATT&CK's Different Levels Of DetailDealing With ATT&CK's Different Levels Of Detail
Dealing With ATT&CK's Different Levels Of Detail
 
Automating testing by implementing ATT&CK using the Blackboard Architecture
Automating testing by implementing ATT&CK using the Blackboard ArchitectureAutomating testing by implementing ATT&CK using the Blackboard Architecture
Automating testing by implementing ATT&CK using the Blackboard Architecture
 
I can haz cake: Benefits of working with MITRE on ATT&CK
I can haz cake: Benefits of working with MITRE on ATT&CKI can haz cake: Benefits of working with MITRE on ATT&CK
I can haz cake: Benefits of working with MITRE on ATT&CK
 
ATT&CK’s Adoption in CTI: A Great Success (with Room to Grow!)
ATT&CK’s Adoption in CTI: A Great Success (with Room to Grow!)ATT&CK’s Adoption in CTI: A Great Success (with Room to Grow!)
ATT&CK’s Adoption in CTI: A Great Success (with Room to Grow!)
 
Exploring the Labyrinth: Deep dive into the Lazarus Group's foray into macOS
Exploring the Labyrinth: Deep dive into the Lazarus Group's foray into macOSExploring the Labyrinth: Deep dive into the Lazarus Group's foray into macOS
Exploring the Labyrinth: Deep dive into the Lazarus Group's foray into macOS
 
MITRE ATT&CK Updates: State of the Cloud
MITRE ATT&CK Updates: State of the CloudMITRE ATT&CK Updates: State of the Cloud
MITRE ATT&CK Updates: State of the Cloud
 
Using ATT&CK to created wicked actors in real data
Using ATT&CK to created wicked actors in real dataUsing ATT&CK to created wicked actors in real data
Using ATT&CK to created wicked actors in real data
 
MITRE ATT&CK Updates: New Ideas in Enterprise - Pushing the boundaries of ATT...
MITRE ATT&CK Updates: New Ideas in Enterprise - Pushing the boundaries of ATT...MITRE ATT&CK Updates: New Ideas in Enterprise - Pushing the boundaries of ATT...
MITRE ATT&CK Updates: New Ideas in Enterprise - Pushing the boundaries of ATT...
 
Navigating the Attention Economy – Using MITRE ATT&CK to Communicate to Stake...
Navigating the Attention Economy – Using MITRE ATT&CK to Communicate to Stake...Navigating the Attention Economy – Using MITRE ATT&CK to Communicate to Stake...
Navigating the Attention Economy – Using MITRE ATT&CK to Communicate to Stake...
 
The case for quishing
The case for quishingThe case for quishing
The case for quishing
 
Discussion on Finding Relationships in Cyber Data
Discussion on Finding Relationships in Cyber DataDiscussion on Finding Relationships in Cyber Data
Discussion on Finding Relationships in Cyber Data
 
The art of communicating ATT&CK to the CFO
The art of communicating ATT&CK to the CFOThe art of communicating ATT&CK to the CFO
The art of communicating ATT&CK to the CFO
 
MITRE ATT&CK Updates: Software
MITRE ATT&CK Updates: SoftwareMITRE ATT&CK Updates: Software
MITRE ATT&CK Updates: Software
 
Or Lenses and Layers: Adding Business Context to Enterprise Mappings
Or Lenses and Layers: Adding Business Context to Enterprise MappingsOr Lenses and Layers: Adding Business Context to Enterprise Mappings
Or Lenses and Layers: Adding Business Context to Enterprise Mappings
 
Adjectives for ATT&CK
Adjectives for ATT&CKAdjectives for ATT&CK
Adjectives for ATT&CK
 
Threat Modelling - It's not just for developers
Threat Modelling - It's not just for developersThreat Modelling - It's not just for developers
Threat Modelling - It's not just for developers
 

Recently uploaded

Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machinePadma Pradeep
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupFlorian Wilhelm
 
Bluetooth Controlled Car with Arduino.pdf
Bluetooth Controlled Car with Arduino.pdfBluetooth Controlled Car with Arduino.pdf
Bluetooth Controlled Car with Arduino.pdfngoud9212
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...Fwdays
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsRizwan Syed
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticscarlostorres15106
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Patryk Bandurski
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubKalema Edgar
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii SoldatenkoFwdays
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):comworks
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Mattias Andersson
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Commit University
 
Science&tech:THE INFORMATION AGE STS.pdf
Science&tech:THE INFORMATION AGE STS.pdfScience&tech:THE INFORMATION AGE STS.pdf
Science&tech:THE INFORMATION AGE STS.pdfjimielynbastida
 
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)Wonjun Hwang
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr BaganFwdays
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024Lorenzo Miniero
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsMark Billinghurst
 
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024BookNet Canada
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationSafe Software
 

Recently uploaded (20)

Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machine
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project Setup
 
Bluetooth Controlled Car with Arduino.pdf
Bluetooth Controlled Car with Arduino.pdfBluetooth Controlled Car with Arduino.pdf
Bluetooth Controlled Car with Arduino.pdf
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL Certs
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding Club
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!
 
Science&tech:THE INFORMATION AGE STS.pdf
Science&tech:THE INFORMATION AGE STS.pdfScience&tech:THE INFORMATION AGE STS.pdf
Science&tech:THE INFORMATION AGE STS.pdf
 
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR Systems
 
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptxE-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
 
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
 

Grow Up! Evaluating and Maturing Your SOC using MITRE ATT&CK

  • 1. Grow Up! Evaluating and Maturing your SOC with MITRE ATT&CK
  • 2. Copyright ©2023 | guidepointsecurity.com HI THERE! Lauren Brennan Team Lead, SOC Optimization lauren.brennan@guidepointsecurity.com • 6+ years Cyber Security Industry Experience • Worked in GRC, SOC Operations, and Risk • Cat mom, avid knitter, and book lover (350 read so far this year!) • Chat with me! @litwtch on Twitter (no I’m not calling it X), Mastodon, Threads, BlueSky, and all other social media sites
  • 3. Copyright ©2023 | guidepointsecurity.com Why do you need to evaluate your SOC? q Understand where you excel currently and where you may have gaps in your technology stack and operations q Guide future planning and roadmaps q Understand your threats and how well you respond to them (before they happen!) q Align your operations across the organization and ensure all relevant business units are aware and processes work for all teams
  • 4. Copyright ©2023 | guidepointsecurity.com Ø The day-to-day function of a SOC, including leadership and analyst activities and how they work in real-world situations. Operations Ø The formal guidance meant to inform and dictate a SOC analyst's behavior during real-world situation. Procedures Ø The technology and information supplied to a SOC analyst to support them during real-world situations. Tooling Ø The interactions within a SOC (analysts/tiers/leaders), the SOC and other parts of the organization (IT, Legal, PR), and the SOC with external service providers (MSP, Contractors). Collaboration The Pillars of SOC Foundations
  • 5. Copyright ©2023 | guidepointsecurity.com End-to-End Use Case Review & Mapping Threat Actor Research & MITRE ATT&CK TTP Mapping SIEM Detections Coverage Mapping SOC Assessment Workflow SIEM Detections Testing 1 3 2 4
  • 6. Copyright ©2023 | guidepointsecurity.com Where does MITRE ATT&CK Come into Play? ❑ Standardize threat language across all pillars and business units ❑ Visualize threats to the organization ❑ Evaluate all pillars of your SOC
  • 7. Copyright ©2023 | guidepointsecurity.com Identify Threats using ATT&CK 1 Operations Pillar of the SOC q Identify key threat actors (usually 5 – 10) that you are most concerned about q Look both internally and externally when developing this list q Example: Financial Industry Organization, concerned about admin@338, Indrik Spider, Lazarus Group, APT19, APT38, in addition to Ransomware and eCrime Groups (Exotic Lily, FIN7, TA505)
  • 8. Copyright ©2023 | guidepointsecurity.com Example Navigator Mapping of Threat Actors
  • 9. Copyright ©2023 | guidepointsecurity.com SIEM Detections Coverage Mapping (Detect Thy Enemy) Technology Pillar of the SOC ❑ Review your data sources AND your existing detection rules – are there any that aren’t currently coming into your SIEM? ❑ Use Navigator to overlay your existing tech stack against the adversary mapped techniques ❑ Look for any immediate gaps you notice in your technology stack that could affect your detections 2 Image source: https://www.crowdstrike.com/cybersecurity-101/observability/log-file/
  • 10. Copyright ©2023 | guidepointsecurity.com Example Navigator Mapping of TA Detections
  • 11. Copyright ©2023 | guidepointsecurity.com Test! Test! Test! Your Detections Technology + Operations Pillars of the SOC ❑ Use open source (Caldera, Atomic Red Team) or paid tools (Mandiant, SightGain) to evaluate detection capabilities ❑ If not possible to validate via testing - deep dive into the search language used for detections + review logs ❑ Build new detections if you have detection gaps ❑ Sigma rules and opensource detection sources can help you build new detections for gaps you identify 3
  • 12. Copyright ©2023 | guidepointsecurity.com Workflow Analysis (Holistic Review) Procedures + Collaborations Pillars of the SOC ❑ Review current SOC/IR workflows ❑ Map existing runbooks to enabled use cases, detections, and/or threat actor TTP’s to identify coverage and gaps in response capabilities Threat Actor TTPs Detection and Alerting Runbooks (Response) 4 ❑ Evaluate: ❑ Runbook Accessibility ❑ Naming Conventions ❑ Source Control
  • 13. Copyright ©2023 | guidepointsecurity.com q Review your existing coverage and the results of your tests q Evaluate and think about the other pillars of the SOC and how MITRE ATT&CK ties into the full process q Prioritize updating your detections based on the gaps in your MITRE coverage q Use MITRE ATT&CK as a measurement of your maturity q Use the language of MITRE ATT&CK to standardize your roadmap and measure your technical maturity on a regular basis Putting it all together – How to Grow Up!
  • 14. Copyright ©2023 | guidepointsecurity.com Example Assessment Score and Target
  • 15. Copyright ©2023 | guidepointsecurity.com Know What You Are Protecting and Why Measure Performance to Improve Performance Give the SOC the Authority to Do Iits Job Build a SOC Structure to Match Your Organizational Needs Hire and Grow Quality Staff Select and Collect the Right Data Leverage Tools to Support Analyst Workflow Illumniate Adversaries with Cyber Threat Intel Communicate Clearly, Collaborate Often, Share Generiously Prioritize Incident Response Current 12 Months 24 Months 5 1 0 4 3 2 Legend 0 – No Capability 1 – Initiating 2 – Ad Hoc/Defined 3 – Managed 4 – Quantitatively Managed 5 – Optimizing Example SOC Maturity Roadmap
  • 16. Copyright ©2023 | guidepointsecurity.com Grow Up! The Value of Using MITRE ATT&CK q Build a roadmap for future improvement and utilize MITRE ATT&CK as a measurement for measuring success q Identify gaps in your existing technology stack and processes q Validate your existing detections and SOC/IR Processes q MITRE ATT&CK provides a standardized language for thinking about security operations in your organization
  • 17. Q & A Thank You!