Trellix | Always Learning. Always Adapting.

Slide 1: Knowledge for the Masses: Storytelling with ATT&CK!
ATT&CKCON 3.0

Slide 2: Speakers
Ismael Valenzuela: Head of AC3 Team; SANS Author & Senior Instructor; Espeto master. @aboutsecurity, https://www.linkedin.com/in/ivalenzuela/
Jose Luis Sánchez (Joseliyo): Security Researcher, AC3 Team; Member, ENISA Cyber Threat Landscape Working Group; Salmorejo master. @Joseliyo_Jstnk, https://www.linkedin.com/in/joseluissm/
Alejandro Houspanossian: Asado master. @lekz86, https://www.linkedin.com/in/ahouspan/

Slide 4: The Power of Storytelling
Full meaning + Context + Expressiveness + Common ground
fMRI shows similar brain activity in two people listening to the same real-life story.
https://blog.ted.com/what-happens-in-the-brain-when-we-hear-stories-uri-hasson-at-ted2016/
Understanding + Sync'd brain waves + New ideas, beliefs, motivation and actions

Slide 5: The Lack of Storytelling
Partial meaning + Mostly IOCs + Expressionless + Different audiences using different 'languages'
Limited distribution + Partial understanding + Limited defensive actionability

Slide 6: AC3 Threat Sightings Recap
https://www..com/video/event/urn:li:ugcPost:6847197567567060993/
AC3 Threat Sightings is a 1-year-old initiative whose goal is to increase the UNDERSTANDING of cyber threats. To achieve this goal, we defined a work methodology and a data schema.

Slide 7: Words Are Not Enough To Learn. We Need a Full Story
You/your org might have a MISP (or other TIP). Questions to ask: Who has access to your TIP? Is it well structured and labelled? Does storage increase understanding? What type of data do we store?
AC3 Threat Sightings are heavily focused on documenting threat actor TTPs with full details of observables and context. The objective is to learn about TTPs and tools (vs. file hashes and IPs)!

Slide 8: AC3 Threat Sightings Methodology & Schema
https://raw.githubusercontent.com/mcafee-enterprise/ac3-threat-sightings/main/sightings/Sightings_Guildma_RAT.yml
(Figure axis labels: Information; -- Meaning; ++ Understanding)

Slide 9: First Level of Abstraction: High Level View
*Generated automatically out of the AC3 Threat Sighting for DarkSide.
This is the first step: some quick notes following a structured schema in MITRE ATT&CK format: Threat Actor -> verb -> Technique -> Tactic

Slide 10: Second Level of Abstraction: Medium Level View
*Generated automatically out of the AC3 Threat Sighting for DarkSide.
This is a typical TTP view.

Slide 11: Third Level of Abstraction: Low Level View
*Generated automatically out of the AC3 Threat Sighting for DarkSide.
Useful for Red/Purple emulation planning & detection engineering.

Slide 12
"I sit down and watch videos. I take notes. That's when that inspiration comes - the moment that makes sense of my profession. That instant I know, for sure, that I've got it. I know how to win. It's the moment that my job becomes truly meaningful."
Pep Guardiola, Professional Football Manager

Slide 13: Studying the Opponent (video)
https://gource.io/
Video produced with 'gource' with real ransomware attack data.

Slide 14: Sometimes, we get creative
AC3 Threat Sighting: Attack Flow
*Generated automatically with Mermaid out of the AC3 Threat Sighting for DarkS
https://mermaid-js.github.io/docs/mermaid-live-editor-beta

Slide 15: Storytelling With Tooling

Slide 16: Choose Your Appropriate Story
Are video games made for all the audiences? Are cybersecurity reports made for all the audiences?
AC3 TACTICAL (T) / AC3 OPERATIONAL (O) / AC3 STRATEGIC (S)

Slide 17: Choose Your Appropriate Story
Tactical: SOC Analysts, Incident Responders, Threat Hunters, Content Development/QA Engineers
• SIGMA
• IOCs
• Behaviors
Operational: SOC Managers, Cyber Threat Intelligence Analysts, Threat Detection Engineers
• Context
• Malware, tools, industry, etc.
• Behaviors
• MITRE ATT&CK
Strategic: Head of Cybersecurity, Security Strategists, CISO
• Trends
• Coverage to prioritize security efforts

Slide 18: Stories In Different Languages
There may be audiences and analysts who do not speak the same language. For this reason, we've created tools to translate our threat sightings to other languages!

Slide 19: Stories In Different Languages
"Sorry, but in our CTI team we only speak MITRE!"

Slide 20: Stories In Different Languages
"Our SOC has been working with STIX for the last 4 years."
AC3 Threat Sighting for Ryuk in STIX format. Two types of visualizations:
• High Level: Actor, weapon, technique and tactic
• Low Level: Actor, weapon and IOCs

Slide 21: Stories In Different Languages
"We better understand research with Maltego visualizations."
Two types of visualizations:
• High Level: Actor, behavior, weapon, technique and tactic
• Low Level: Actor, behavior, weapon and IOCs

Slide 22: Stories In Different Languages
"We share IOCs with different CERTs using OpenIOC."

Slide 23: Improve Your Storytelling and Understanding
• Convert your threat sightings to MISP events automatically to:
  • Improve your storytelling
  • Improve your understanding
  • Get correlations
Lead: "I need to know all the threat sightings we have where OpenSCManager API calls are made."
Team: "Sure boss!"
Team: "Threat Sightings are YAML files... How can we correlate this information?!?!?!"

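The following is an added example, not code from the AC3 Threat Sightings project or from the talk. It shows, over one in-memory sighting model, the three abstraction views from slides 9 to 11 (Actor -> verb -> Technique -> Tactic; techniques grouped by tactic; techniques with observables), a Mermaid attack flow like the one on slide 14, the lead's correlation question on this slide (every sighting containing an OpenSCManager API call), and an ATT&CK Navigator layer of the kind listed among the integrations on slide 28. The field names (actor, ttps, verb, technique, technique_name, tactic, observables, api_calls) are an assumed, simplified schema modelled on the talk's description, not the real YAML schema, and the two sightings are constructed sample data with hypothetical actors, not real AC3 content.

```python
"""Added example, not AC3 project code: three abstraction views, Mermaid attack
flow, API-call correlation and an ATT&CK Navigator layer over threat sightings.

ASSUMPTION: the field names below are a simplified schema modelled on the talk's
'Threat Actor -> verb -> Technique -> Tactic' description, not the real AC3 YAML
schema. Real sightings would be loaded with yaml.safe_load() from the repository
files; here the data is constructed inline so the script runs offline.
"""
from collections import defaultdict

# Constructed sample data: hypothetical actors and observables, not real AC3 content.
SIGHTINGS = [
    {
        "actor": "ExampleActor-1",
        "ttps": [
            {"verb": "executes", "technique": "T1059.001", "technique_name": "PowerShell",
             "tactic": "Execution",
             "observables": {"process": "powershell.exe", "api_calls": []}},
            {"verb": "creates", "technique": "T1543.003", "technique_name": "Windows Service",
             "tactic": "Persistence",
             "observables": {"process": "services.exe",
                             "api_calls": ["OpenSCManagerA", "CreateServiceA"]}},
            {"verb": "encrypts", "technique": "T1486", "technique_name": "Data Encrypted for Impact",
             "tactic": "Impact",
             "observables": {"file_extension": ".locked", "api_calls": []}},
        ],
    },
    {
        "actor": "ExampleActor-2",
        "ttps": [
            {"verb": "enumerates", "technique": "T1082", "technique_name": "System Information Discovery",
             "tactic": "Discovery",
             "observables": {"process": "systeminfo.exe", "api_calls": []}},
            {"verb": "stops", "technique": "T1489", "technique_name": "Service Stop",
             "tactic": "Impact",
             "observables": {"process": "net.exe",
                             "api_calls": ["OpenSCManagerW", "ControlService"]}},
        ],
    },
]


def high_level_view(sighting):
    """First level: one line per TTP in the 'Actor -> verb -> Technique -> Tactic' form."""
    return [f"{sighting['actor']} -> {t['verb']} -> {t['technique_name']} "
            f"({t['technique']}) -> {t['tactic']}" for t in sighting["ttps"]]


def medium_level_view(sighting):
    """Second level: the typical TTP view, technique IDs grouped by tactic."""
    by_tactic = defaultdict(list)
    for t in sighting["ttps"]:
        by_tactic[t["tactic"]].append(t["technique"])
    return dict(by_tactic)


def low_level_view(sighting):
    """Third level: each technique with its observables (emulation planning, detection engineering)."""
    return [(t["technique"], t["observables"]) for t in sighting["ttps"]]


def mermaid_attack_flow(sighting):
    """Attack flow as Mermaid 'flowchart LR' text, one node per TTP in sighting order."""
    nodes = [f'n{i}["{t["tactic"]}: {t["technique_name"]} ({t["technique"]})"]'
             for i, t in enumerate(sighting["ttps"])]
    lines = ["flowchart LR", f'actor["{sighting["actor"]}"] --> {nodes[0]}']
    lines += [f"{a} --> {b}" for a, b in zip(nodes, nodes[1:])]
    return "\n".join(lines)


def sightings_with_api_call(sightings, api_prefix):
    """The lead's question on the slide: which (actor, technique) pairs carry a given
    API call? Prefix match so 'OpenSCManager' finds both the A and W variants."""
    hits = []
    for s in sightings:
        for t in s["ttps"]:
            if any(c.startswith(api_prefix) for c in t["observables"].get("api_calls", [])):
                hits.append((s["actor"], t["technique"]))
    return hits


def navigator_layer(sightings, name="AC3 sightings coverage"):
    """ATT&CK Navigator layer (the Navigator's JSON layer format) scoring each
    technique by the number of sightings it appears in, to prioritise detection work."""
    counts = defaultdict(int)
    for s in sightings:
        for tid in {t["technique"] for t in s["ttps"]}:
            counts[tid] += 1
    return {"name": name, "versions": {"layer": "4.4"}, "domain": "enterprise-attack",
            "techniques": [{"techniqueID": tid, "score": n} for tid, n in sorted(counts.items())]}


if __name__ == "__main__":
    for s in SIGHTINGS:
        print("\n".join(high_level_view(s)))
        print(medium_level_view(s))
        print(low_level_view(s))
    print(mermaid_attack_flow(SIGHTINGS[0]))
    print(sightings_with_api_call(SIGHTINGS, "OpenSCManager"))
    print(navigator_layer(SIGHTINGS))
```

The correlation function answers the slide's question by searching the observables of every loaded sighting rather than one file at a time, which is the same benefit the MISP conversion gives: once the YAML content lives in a queryable store, "all sightings where OpenSCManager is called" becomes one lookup. The Navigator layer turns the same data into the coverage view the strategic audience asks for on slide 17.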
Slide 24: Our Approach
(Figure labels: OpenIOC; AC3 THREAT SIGHTINGS)

Slide 25
"Tactics are so important because everybody has to know WHAT they have to do on the pitch and WHEN to do it."
Pep Guardiola, Professional Football Manager

Slide 26: Continuous Understanding: Adaptive Defensive Model
(Figure label: Threat Sightings)

Slide 27: Next Steps: Defensive Playbooks
• A defensive playbook (DP) is a set of tactics and methods that model defenders' behaviors before, during, and after an attack.
• Defensive playbooks include effective countermeasures that defenders can apply in anticipation of an attack:
  • The ability to identify and reduce exposure before an attack
  • The ability to protect assets at risk during an attack
  • The ability to have visibility of an attack
  • The ability to hunt for an attack
  • The ability to detect an attack
  • The ability to investigate an attack
  • The ability to respond to an attack
• Some implementations:
  • MITRE D3FEND (https://d3fend.mitre.org/)
  • OASIS CACAO (https://www.oasis-open.org/committees/cacao/)
  • Trellix Defensive Playbooks*
(Figure labels: Defensive Playbooks; Countermeasures)

Slide 28: Summary & Key Takeaways
• AC3 Threat Sightings provide understanding; they 'tell a story'
• 7 Sightings, 77 TTPs (+Observables)
• The better we explain things, the more we learn, and the more defenders we'll enable
• Web site/Wiki with multiple views: TTPs, TTPs with Observables, Attack Flow, Weapon inventory, Techniques, etc.
• They integrate with your existing technologies (they don't replace what you have, they enhance it)
• Integrations with multiple tools/formats: Maltego, MISP, OpenIOC, STIX, ATT&CK Navigator, etc.
https://github.com/mcafee-enterprise/ac3-threat-sightings
https://github.com/mcafee-enterprise/ac3-threat-sightings/tree/main/tools
https://mcafee-enterprise.github.io/ac3-threat-sightings/docs/Welcome/

Slide 29: Thank you! Gracias!
@aboutsecurity https://www.linkedin.com/in/ivalenzuela/
@Joseliyo_Jstnk https://www.linkedin.com/in/joseluissm/
