MITRE ATT&CK® Updates:
State of the ATT&CK
Adam Pennington, ATT&CK Lead, MITRE
@_whatshisface
© 2023 THE MITRE CORPORATION. ALL RIGHTS RESERVED. APPROVED FOR PUBLIC RELEASE. DISTRIBUTION UNLIMITED 23-00696-12.
Celebrating ATT&CK’s 10th Anniversary (2013-2023)
TTP Chart Early Progress
Persistence: New service; Modify existing service; DLL Proxying; Hypervisor Rootkit; Winlogon Helper dll; Path Interception; Registry run keys / Startup folder addition; Modification of shortcuts; MBR / BIOS rootkit; Editing of default handlers; AT / Schtasks / Cron
Lateral Movement: (empty on this slide)
Persistence: New service; Modify existing service; DLL Proxying; Hypervisor Rootkit; Winlogon Helper dll; Path Interception; Registry run keys / Startup folder addition; Modification of shortcuts; MBR / BIOS rootkit; Editing of default handlers; AT / Schtasks / Cron
Lateral Movement: RDP; Windows admin shares (C$, ADMIN$); Windows shared webroot; Remote Windows / Accessible Application vulnerability; Logon scripts; Use application deployment software; Taint shared content; Access to remote services with valid credentials; Obtaining credentials from weaknesses in OS or software; Obtaining credentials from user
Persistence: New service; Modify existing service; DLL Proxying; Hypervisor Rootkit; Winlogon Helper dll; Path Interception; Registry run keys / Startup folder addition; Modification of shortcuts; MBR / BIOS rootkit; Editing of default handlers; AT / Schtasks / Cron
Lateral Movement: RDP; Windows admin shares (C$, ADMIN$); Windows shared webroot; Remote Windows / Accessible Application vulnerability; Logon scripts; Use application deployment software; Taint shared content; Access to remote services with valid credentials; Obtaining credentials from weaknesses in OS or software; Obtaining credentials from user
Credential Access: Administrator privileges; Administrator privileges (API hooking); Ability to capture network traffic; Access to files
Privilege Escalation: Exploitation of vulnerability; Service file permissions weakness; Service registry permissions weakness; DLL path hijacking; Path interception; Modification of shortcuts; Editing of default handlers; AT / Schtasks / Cron
Defense Evasion: (empty on this slide)
Command and Control: (empty on this slide)
Exfiltration: (empty on this slide)
Host Enumeration: Process enumeration; Service enumeration; Local networking enumeration; Local network connection enumeration; Window enumeration; Account enumeration; Group enumeration; Owner/user enumeration; Operating system enumeration; Security software enumeration; File system enumeration
A.T.T.A.C.K. (Adversarial Tactics, Techniques, And Common Knowledge)
§ 10th Anniversary Panel tomorrow at 9:05am with ATT&CK’s original creators – Moderated by Katie Nickels
§ Blake Strom
§ Jen Miller Osborn
§ Brad Crawford
§ Eric Sheesley
Persistence: New service; Modify existing service; DLL Proxying; Hypervisor Rootkit; Winlogon Helper dll; Path Interception; Registry run keys / Startup folder addition; Modification of shortcuts; MBR / BIOS rootkit; Editing of default handlers; AT / Schtasks / Cron
Lateral Movement: RDP; Windows admin shares (C$, ADMIN$); Windows shared webroot; Remote Windows / Accessible Application vulnerability; Logon scripts; Use application deployment software; Taint shared content; Access to remote services with valid credentials; Obtaining credentials from weaknesses in OS or software; Obtaining credentials from user
Credential Access: Administrator privileges; Administrator privileges (API hooking); Ability to capture network traffic; Access to files
Privilege Escalation: Exploitation of vulnerability; Service file permissions weakness; Service registry permissions weakness; DLL path hijacking; Path interception; Modification of shortcuts; Editing of default handlers; AT / Schtasks / Cron
Defense Evasion: Software packing; Masquerading; DLL Injection; DLL loading; Standard protocols; Obfuscated payload; Indicator removal; Indicator blocking
Command and Control: Commonly used protocol / Follows protocol standards; Commonly used protocol / Does not follow protocol standards; Commonly used protocol on non-standard port; Communications encrypted beyond any protocol encryption; Communications are obfuscated; Distributed communications; Multiple protocols combined
Exfiltration: Normal C&C channel; Alternate data channel; Exfiltration over other network medium; Exfiltration over physical medium; Encrypted separately; Compressed separately; Data staged; Automated or scripted data exfiltration; Size limits; Scheduled transfer
Host Enumeration: Process enumeration; Service enumeration; Local networking enumeration; Local network connection enumeration; Window enumeration; Account enumeration; Group enumeration; Owner/user enumeration; Operating system enumeration; Security software enumeration; File system enumeration
System Owner/User Discovery (T1033)
adamp$ whoami
§ He/him/his
§ Lead of MITRE ATT&CK
§ 15 years with MITRE
§ Focused on threat intel and deception
§ Past defender and CTI analyst
§ Involved with ATT&CK since it was a spreadsheet with no &
§ SCUBA diver certified for decompression and rebreather diving
©2022 THE MITRE CORPORATION. ALL RIGHTS RESERVED. APPROVED FOR PUBLIC RELEASE. DISTRIBUTION UNLIMITED 21-00706-27.
MITRE ATT&CK Remains Strong
§Backed by 40+ MITRE staff and a growing community
Enterprise: Jamie Williams
Mac/Linux: Cat Self
Cloud: Casey Knerr
ICS: Jake Steele
Mobile: Jason Ajmo
Defenses: Lex Crumpton
Development: Jared Ondricek
Outreach: Amy Robertson
Threat Intel: Mike Hartley (acting)
Since we last met…
ATT&CKcon 3.0 (3/22)
ATT&CK v11 (4/22)
ATT&CK v12 (10/22)
ATT&CK v13 (4/23)
ATT&CKcon 4.0 (You are here)
ATT&CK v14 (10/31/23)
ATT&CK – By the Numbers (Since ATT&CKcon 3.0)
New: 111 techniques/sub-techniques, 18 groups, 22 campaigns, 100 software
Updated: 525 techniques/sub-techniques, 83 groups, 3 campaigns, 218 software
ATT&CKcon 4.0 – By the Numbers
§CFP open from May 17th to June 27th, 2023
§79 submissions
§66% in the final week
§47% in the final day
§13% in the final hour
§22% acceptance rate – judged blind by a 6-person PC
Enterprise Structured Detections
ATT&CK for ICS Joined the attack.mitre.org Party
§ Integrated into main STIX and https://attack.mitre.org
§ Formerly our last remaining MediaWiki matrix
§ ICS’s Groups and Software added in addition to Techniques
§ Continued movement towards feature parity with Enterprise
§ Data sources and structured detections
Mobile
§ Continuing to add Enterprise features
§ Sub-techniques added Summer 2022
§ Just ICS left now!
§ Data sources added in v13 (April 2023)
Campaigns
§ Introduced in ATT&CK v12 (October 2022)
§ Allow us to
§ Break down groups
§ Handle unclustered reporting
§ Represent “it’s complicated” activity like RaaS
§ Work ongoing – new Campaigns each release
ATT&CK’s Contributors
@ionstorm
Aagam Shah, @neutrinoguy, ABB
Aaron Jornet
Abel Morales, Exabeam
Abhijit Mohanta, @abhijit_mohanta, Uptycs
Achute Sharma, Keysight
Adam Lichters
Adam Mashinchi
Adrien Bataille
Ai Kimura, NEC Corporation
Akiko To, NEC Corporation
Akshat Pradhan, Qualys
Alain Homewood
Alain Homewood, Insomnia Security
Alan Neville, @abnev
Alex Hinchliffe, Palo Alto Networks
Alex Parsons, Crowdstrike
Alex Soler, AttackIQ
Alex Spivakovsky, Pentera
Alexandros Pappas
Alfredo Abarca
Alfredo Oliveira, Trend Micro
Allen DeRyke, ICE
Amir Gharib, Microsoft Threat Intelligence
Anastasios Pingios
Anders Vejlby
Andrea Serrano Urea, Telefónica Tech
Andrew Allen, @whitehat_zero
Andrew Northern, @ex_raritas
Andrew Smith, @jakx_
Antonio Piazza, @antman1p
Antonio Villani, @LDO_CyberSec, Leonardo's Cyber Security Division
AppOmni
Arad Inbar, Fidelis Security
Arie Olshtein, Check Point
Ariel Shuper, Cisco
Arnim Rupp, Deutsche Lufthansa AG
Assaf Morag, @MoragAssaf, Team Nautilus Aqua Security
Atul Nair, Qualys
Austin Clark, @c2defense
Austin Herrin
Aviran Hazum, Check Point
Avneet Singh
Awake Security
Ayan Saha, Keysight
Barry Shteiman, Exabeam
Bart Parys
Bartosz Jerzman
Ben Smith, @ezaspy
Bencherchali Nasreddine, @nas_bench, ELIT Security Team (DSSD)
Bernaldo Penas Antelo
Bilal Bahadır Yenici
Blake Strom, Microsoft 365 Defender
Blake Strom, Microsoft Threat Intelligence
Bobby, Filar, Elastic
Boominathan Sundaram
Brad Geesaman, @bradgeesaman
Brandon Dalton @PartyD0lphin
Brent Murphy, Elastic
Brian Donohue
Brian Wiltse @evalstrings
Bryan Campbell, @bry_campbell
Bryan Lee
Bryan Onel
Caio Silva
Carlos Borges, @huntingneo, CIP
Carrie Roberts, @OrOneEqualsOne
Casey Smith
Catherine Williams, BT Security
Center for Threat-Informed Defense (CTID)
Chen Erlich, @chen_erlich, enSilo
Chris Heald
Chris Roffe
Chris Romano, Crowdstrike
Chris Ross @xorrior
Christiaan Beek, @ChristiaanBeek
Christoffer Strömblad
Christopher Glyer, Mandiant, @cglyer
Christopher Peacock
Cian Heasley
Cisco
Clément Notin, Tenable
Cody Thomas, SpecterOps
Conrad Layne - GE Digital
Craig Aitchison
Craig Smith, BT Security
CrowdStrike
CrowdStrike Falcon OverWatch
Csaba Fitzl @theevilbit of Offensive Security
Cybereason Nocturnus, @nocturnus
Daisuke Suzuki
Dan Borges, @1njection
Dan Nutting, @KerberToast
Daniel Acevedo, @darmad0, ARMADO
Daniel Feichter, @VirtualAllocEx, Infosec Tirol
Daniel Oakley
Daniel Prizmant, Palo Alto Networks
Daniel Stepanic, Elastic
Daniil Yugoslavskiy, @yugoslavskiy, Atomic Threat Coverage project
Daniyal Naeem, BT Security
Darin Smith, Cisco
Darren Spruell
Dave Westgard
David Ferguson, CyberSponse
David Fiser, @anu4is, Trend Micro
David French, Elastic
David Hughes, BT Security
David Lu, Tripwire
David Routin
David Tayouri
Deloitte Threat Library Team
Denise Tan
Diogo Fernandes
Dongwook Kim, KISA
Dor Edry, Microsoft
Doron Karmi, @DoronKarmi
Douglas Weir
Dragos Threat Intelligence
Dragos Threat Intelligence
Dray Agha, @Purp1eW0lf, Huntress Labs
Drew Church, Splunk
Dror Alon, Palo Alto Networks
Duane Michael
Dylan Silva, AWS Security
Ed Williams, Trustwave, SpiderLabs
Edward Millington
Edward Stevens, BT Security
Elastic
Elger Vinicius S. Rodrigues, @elgervinicius, CYBINT Centre
Eli Salem, @elisalem9
Elia Florio, Microsoft
Elly Searle, CrowdStrike — contributed to tactic definitions
Elpidoforos Maragkos, @emaragkos
Elvis Veliz, Citi
Emad Al-Mousa, Saudi Aramco
Emile Kenning, Sophos
Emily Ratliff, IBM
ENDGAME
Eran Ayalon, Cybereason
Eric Kaiser @ideologysec
Eric Kuehn, Secure Ideas
Erik Schamper, @Schamperr, Fox-IT
Erika Noerenberg, @gutterchurl, Carbon Black
Erye Hernandez, Palo Alto Networks
ESET
Expel
ExtraHop
Felipe Espósito, @Pr0teus
Felix Eberstaller
Filip Kafka, ESET
FIRST.ORG's Cyber Threat Intelligence SIG
Flavio Costa, Cisco
Ford Qin, Trend Micro
Francesco Bigarella
FS-ISAC
Gaetan van Diemen, ThreatFabric
Gal Singer, @galsinger29, Team Nautilus Aqua Security
Gareth Phillips, Seek Ltd.
Gavin Knapp
George Allen, VMware Carbon Black
George Thomas
Giorgi Gurgenidze, ISAC
Goldstein Menachem
Gordon Long, Box, Inc., @ethicalhax
Gregory Lesnewich
Gunji Satoshi, NEC Corporation
Hannah Simes, BT Security
Hans Christoffer Gaardløs
Harry Hill, BT Security
Harry Kim, CODEMIZE
Harry, CODEMIZE
Harshal Tupsamudre, Qualys
Harun Kuessner
Harun Küßner
Heather Linn
Hiroki Nagahama, NEC Corporation
Hubert Mank
Ian Davila, Tidal Cyber
Ian McKay
Ibrahim Ali Khan
ICSCoE Japan
Idan Frimark, Cisco
Idan Revivo, @idanr86, Team Nautilus Aqua Security
Ilan Sokol, Cybereason
Inna Danilevich, U.S. Bank
Isif Ibrahima, Mandiant
Itamar Mizrahi, Cymptom
Itzik Kotler, SafeBreach
Ivan Sinyakov
Jack Burns, HubSpot
Jacob Wilkin, Trustwave, SpiderLabs
Jacques Pluviose, @Jacqueswildy_IT
Jai Minton
James Dunn, @jamdunnDFW, EY
James_inthe_box, Me
Jan Miller, CrowdStrike
Jan Petrov, Citi
Janantha Marasinghe
Jannie Li, Microsoft Threat Intelligence Center (MSTIC)
Jared Atkinson, @jaredcatkinson
Jared Wilson
Jaron Bradley @jbradley89
Jason Sevilla
Jay Chen, Palo Alto Networks
Jean-Ian Boutin, ESET
Jeff Felling, Red Canary
Jeff Sakowicz, Microsoft Identity Developer Platform Services (IDPM Services)
Jeffrey Barto
Jen Burns, HubSpot
Jennifer Kim Roman, CrowdStrike
Jeremy Galloway
Jeremy Kennelly
Jesse Brown, Red Canary
Jimmy Astle, @AstleJimmy, Carbon Black
Jimmy Wylie, Dragos, Inc.
Joas Antonio dos Santos, @C0d3Cr4zy
Joas Antonio dos Santos, @C0d3Cr4zy, Inmetrics
Joas Antonio dos Santos, @Cr4zyC0d3
Joe Gervais
Joe Gumke, U.S. Bank
Joe Slowik - Dragos
Joey Lei
Johann Rehberger
John Lambert, Microsoft Threat Intelligence Center
John Page (aka hyp3rlinx), ApparitionSec
John Strand
Jon Sheedy
Jon Sternstein, Stern Security
Jonathan Boucher, @crash_wave, Bank of Canada
Jonathan Shimonovich, Check Point
Jonhnathan Ribeiro, 3CORESec, @_w0rk3r
Jonny Johnson
Jorell Magtibay, National Australia Bank Limited
Jorge Orchilles, SCYTHE
Jos Wetzels - Midnight Blue
Jose Luis Sánchez Martinez
Josh Abraham
Josh Arenas, Trustwave Spiderlabs
Josh Campbell, Cyborg Security, @cyb0rgsecur1ty
Josh Day, Gigamon
Josh Liburdi, @jshlbrd
João Paulo de A. Filho, @Hug1nN__
Juan Carlos Campuzano - Mnemo-CERT
Juan Tapiador
Justin Warner, ICEBRG
Jörg Abraham, EclecticIQ
Karim Hasanen, @_karimhasanen
Kaspersky
Katie & Tony Lambert
Katie Nickels, Red Canary
Kiyohito Yamamoto, RedLark, NTT Communications
Kobi Eisenkraft, Check Point
Kobi Haimovich, CardinalOps
Krishnan Subramanian, @krish203
Kyaw Pyiyt Htet, @KyawPyiytHtet
Kyoung-ju Kwak (S2W)
Lab52 by S2 Grupo
Lacework Labs
Lee Christensen, SpecterOps
Leo Loobeek, @leoloobeek
Leo Zhang, Trend Micro
Lior Ribak, SentinelOne
Liora Itkin
Liran Ravich, CardinalOps
Loic Jaquemet
Lorin Wu, Trend Micro
Lucas da Silva Pereira, @vulcanunsec, CIP
Lucas Heiligenstein
Lukáš Štefanko, ESET
Maarten van Dantzig, @MaartenVDantzig, Fox-IT
Magno Logan, @magnologan, Trend Micro
Manikantan Srinivasan, NEC Corporation India
Marc-Etienne M.Léveillé, ESET
Marcus Weeks
Maril Vernon @shewhohacks
Marina Krotofil
Mark Wee
Martin Jirkal, ESET
Martin McCloskey, Datadog
Martin Smolár, ESET
Martin Sohn Christensen, Improsec
Massimiliano Romano, BT Security
Matan Dobrushin - Otorio
Mathieu Hinse
Mathieu Tartare, ESET
Matias Nicolas Porolli, ESET
Matt Brenton, Zurich Global Information Security
Matt Brenton, Zurich Insurance Group
Matt Burrough, @mattburrough, Microsoft
Matt Graeber, @mattifestation, SpecterOps
Matt Kelly, @breakersall
Matt Snyder, VMware
Matthew Demaske, Adaptforward
Matthew Green
Matthew Molyett, @s1air, Cisco Talos
Matthieu Faou, ESET
Mayan Arora aka Mayan Mohan
Mayuresh Dani, Qualys
McAfee
Menachem Goldstein
Menachem Shafran, XM Cyber
Michael Cox
Michael Katchinskiy, @michael64194968, Team Nautilus Aqua Security
Michael Raggi @aRtAGGI
Michal Dida, ESET
Microsoft Detection and Response Team (DART)
Microsoft Security
Microsoft Threat Intelligence Center (MSTIC)
Mike Burns, Mandiant
Mike Kemmerer
Mike Moran
Milos Stojadinovic
Mindaugas Gudzis, BT Security
Miriam Wiesner, @miriamxyra, Microsoft Security
Mnemonic
Mnemonic AS
Mohamed Kmal
Mohit Rathore
Mugdha Peter Bansode
Muhammad Moiz Arshad, @5T34L7H
Nader Zaveri
Naikordian
Nathaniel Quist, Palo Alto Networks
Naveen Devaraja, bolttech
Naveen Vijayaraghavan, Nilesh Dherange (Gurucul)
NEC
Netskope
Nichols Jasper
Nick Cairns, @grotezinfosec
Nick Carr, Mandiant
Nik Seetharaman, Palantir
Nino Verde, @LDO_CyberSec, Leonardo's Cyber Security Division
Nishan Maharjan, @loki248
Noam Lifshitz, Sygnia
NST Assure Research Team, NetSentries Technologies
Oddvar Moe, @oddvarmoe
Ofir Almkias, Cybereason
Ohad Mana, Check Point
Ohad Zaidenberg, @ohad_mz
Olaf Hartong, Falcon Force
Oleg Kolesnikov, Securonix
Oleg Skulkin, Group-IB
Oleksiy Gayda
Omkar Gudhate
Or Kliger, Palo Alto Networks
Oren Biderman, Sygnia
Oren Ofer, Cybereason
Ozan Olali
Ozer Sarilar, @ozersarilar, STM
Pallavi Sivakumaran, WithSecure
Patrick Campbell, @pjcampbe11
Patrick Sungbahadoor
Paul Speulstra, AECOM Global Security Operations Center
Pawan Kinger, @kingerpawan, Trend Micro
Pawel Partyka, Microsoft 365 Defender
Pawel Partyka, Microsoft Threat Intelligence
Pedro Harrison
Phil Stokes, SentinelOne
Philip Winther
Phill Taylor, BT Security
Phyo Paing Htun
Phyo Paing Htun (ChiLai), I-Secure Co.,Ltd
Pià Consigny, Tenable
Pooja Natarajan, NEC Corporation India
Praetorian
Prasad Somasamudram, McAfee
Prasanth Sadanala, Cigna Information Protection (CIP) - Threat Response Engineering Team
Prashant Verma, Paladion
Rahmat Nurfauzi, @infosecn1nja, PT Xynexis International
Ram Pliskin, Microsoft Azure Security Center
Raphaël Lheureux
Red Canary
RedHuntLabs, @redhuntlabs
Regina Elwell
Rex Guo, @Xiaofei_REX, Confluera
Ricardo Dias
Richard Gold, Digital Shadows
Richard Julian, Citi
Richie Cyrus, SpecterOps
Rick Cole, Mandiant
Rob Smith
Robby Winchester, @robwinchester3
Robert Falcone
Robert Simmons, @MalwareUtkonos
Robert Wilson
Rodrigo Garcia, Red Canary
Roi Kol, @roykol1, Team Nautilus Aqua Security
Romain Dumont, ESET
Rory McCune, Aqua Security
Ross Brittain
Ruben Dodge, @shotgunner101
Runa Sandvik
Ryan Becwar
Ryan Benson, Exabeam
Ryo Tamura, SecureBrain Corporation
Sahar Shukrun
Saisha Agrawal, Microsoft Threat Intelligent Center (MSTIC)
Sam Seabrook, Duke Energy
Sarathkumar Rajendran, Microsoft Defender365
SarathKumar Rajendran, Trimble Inc
Scott Cook, Capital One
Scott Dougherty
Scott Knight, @sdotknight, VMware Carbon Black
Scott Lundgren, @5twenty9, Carbon Black
Sebastian Salla, McAfee
Sebastian Showell-Westrip, BT Security
Sekhar Sarukkai, McAfee
Selena Larson, @selenalarson
Sergey Persikov, Check Point
Serhii Melnyk, Trustwave SpiderLabs
Shailesh Tiwary (Indian Army)
Shane Tully, @securitygypsy
Shanief Webb
Shankar Raman, Gen Digital and Abhinand, Amrita University
Shilpesh Trivedi, Uptycs
Shlomi Salem, SentinelOne
Shotaro Hamamoto, NEC Solution Innovators, Ltd
Shuhei Sasada, Cyber Defense Institute, Inc
Silvio La Porta, @LDO_CyberSec, Leonardo's Cyber Security Division
Simona David
Sittikorn Sangrattanapitak
SOCCRATES
Stan Hegt, Outflank
Stefan Kanthak
Steven Du, Trend Micro
Sudhanshu Chauhan, @Sudhanshu_C
Sunders Bruskin, Microsoft Threat Intelligence
Sunny Neo
Suzy Schapperle - Microsoft Azure Red Team
Swapnil Kumbhar
Swasti Bhushan Deb, IBM India Pvt. Ltd.
Swetha Prabakaran, Microsoft Threat Intelligence Center (MSTIC)
Syed Ummar Farooqh, McAfee
Sylvain Gil, Exabeam
Sébastien Ruel, CGI
Taewoo Lee, KISA
Tahseen Bin Taj
Takuma Matsumoto, LAC Co., Ltd
Tatsuya Daitoku, Cyber Defense Institute, Inc.
Ted Samuels, Rapid7
Teodor Cimpoesu
Thanabodi Phrakhun, I-SECURE
The DFIR Report, @TheDFIRReport
The Wover, @TheRealWover
Thijn Bukkems, Amazon
Thirumalai Natarajan, Mandiant
Tiago Faria, 3CORESec
Tim (Wadhwa-)Brown
Tim MalcomVetter
Tim Peck
Toby Kohlenberg
Tom Hegel
Tom Simpson, CrowdStrike Falcon OverWatch
Tom Ueltschi @c_APT_ure
Tony Lambert, Red Canary
Tony Lee
Travis Smith, Qualys
Travis Smith, Tripwire
Trend Micro Incorporated
Tristan Bennett, Seamless Intelligence
Tristan Madani (Cybereason)
TruKno
Tsubasa Matsuda, NEC Corporation
Uriel Kosayev
Vadim Khrykov
Valerii Marchuk, Cybersecurity Help s.r.o.
Varonis Threat Labs
Veeral Patel
Vijay Lalwani
Vikas Singh, Sophos
Vinay Pidathala
Vinayak Wadhwa, Lucideus
Vinayak Wadhwa, SAFE Security
Vincent Le Toux
Viren Chaudhari, Qualys
Vishwas Manral, McAfee
Walker Johnson
Wataru Takahashi, NEC Corporation
Wayne Silva, F-Secure Countercept
Wes Hurd
Wietze Beukema, @wietze
Will Jolliffe
Will Thomas, Cyjax
Will Thomas, Equinix
Will Thomas, Equinix Threat Analysis Center (ETAC)
William Cain
Wojciech Lesicki
Xavier Rousseau
Yaniv Agman, @AgmanYaniv, Team Nautilus Aqua Security
Yasuhito Kawanishi, NEC Corporation
Ye Yint Min Thu Htut, Offensive Security Team, DBS Bank
Yinon Engelsman, Talon Cyber Security
Yonatan Gotlib, Deep Instinct
Yonatan Gotlib, Talon Cyber Security
Yoshihiro Kori, NEC Corporation
Yossi Nisani, Cymptom
Yossi Weizman, Azure Defender Research Team
Yossi Weizman, Microsoft Threat Intelligence
Yusuke Kubo, RedLark, NTT Communications
Yusuke Niwa, ITOCHU Corporation
Yuval Avrahami, Palo Alto Networks
Zachary Abzug, @ZackDoesML
Zachary Stanford, @svch0st
Zaw Min Htun, @Z3TAE
Ziv Karliner, @ziv_kr, Team Nautilus Aqua Security
Ziv Kaspersky, Cymptom
Zur Ulianitzky, XM Cyber
468 orgs and individuals: 82 in 2019, 130 in 2020, 155 in 2021, 155 in 2022
(4 pt font)
Thank You!
The Future
Detection Enhancements
Notes
Analytics
Mobile
Linux
§ We’ve added to our Linux platform the past several releases
§ It’s used heavily in containers, cloud, embedded devices, network appliances, IoT, etc.
§ Linux systems are often mentioned as a part of intrusions
§ …And yet it’s still an incredibly challenging platform to gather intelligence on
§ Continues to be a focus area for us
§ Seeking better intelligence on Linux actor behaviors
§ Join us in #linux_attack on the MITRE ATT&CK Slack (same Slack as Q&A)
ATT&CK Update Presentations
ATT&CK Updates: ICS
§Today – 1:30pm
§ Jake Steele
§Adding assets to better represent the space
§ Lots of industries with many kinds of devices
§ Much broader space than Enterprise platforms
§Bringing standards into the mix
§ High adoption in the ICS community
ATT&CK Updates: Software
§Today – 3:45pm
§ Jared Ondricek
§ Improvements to ATT&CK website search!
§ ATT&CK develops several open source projects
§ Tools for managing/maintaining ATT&CK
§ Tools for working with ATT&CK
ATT&CK Updates: A Few New Ideas in Enterprise
§Tomorrow – 10:20am
§ Patrick Howell O’Neill
§There are spaces we’ve explicitly avoided in ATT&CK
§You’ve been asking about them for years
§As our adversaries evolve, we do too
ATT&CK Updates: Cloud
§Tomorrow – 12:00pm
§ Casey Knerr
§Cloud is different!
§ Complicated to defend
§ Sparse public reporting
§Is it time for some new platforms?
ATT&CK Benefactor Program
§ Opportunity for organizations to help sustain and advance ATT&CK
§ Accepting charitable donations via the Center for Threat-Informed Defense
§ Contributions leveraged directly by ATT&CK
§ Parallel programs for Engage, Caldera, and the Center for Threat-Informed Defense
§ Recognition on attack.mitre.org, CTID’s website, and our social media
§ To learn about other benefits or to contact us visit https://bit.ly/ATBenif
https://attack.mitre.org
attack@mitre.org
@mitreattack
Adam Pennington
@_whatshisface
whatshisface@infosec.exchange
Join our Slack for Q&A: https://bit.ly/ATTj
Or Join the #attackcon4 channel: https://bit.ly/ATTk
#attackcon4-qa-pennington

More Related Content

What's hot

Would you Rather Have Telemetry into 2 Attacks or 20? An Insight Into Highly ...
Would you Rather Have Telemetry into 2 Attacks or 20? An Insight Into Highly ...Would you Rather Have Telemetry into 2 Attacks or 20? An Insight Into Highly ...
Would you Rather Have Telemetry into 2 Attacks or 20? An Insight Into Highly ...MITRE ATT&CK
 
ATT&CK is the Best Defense - Emulating Sophisticated Adversary Malware to Bol...
ATT&CK is the Best Defense - Emulating Sophisticated Adversary Malware to Bol...ATT&CK is the Best Defense - Emulating Sophisticated Adversary Malware to Bol...
ATT&CK is the Best Defense - Emulating Sophisticated Adversary Malware to Bol...MITRE ATT&CK
 
ATT&CKing the Red/Blue Divide
ATT&CKing the Red/Blue DivideATT&CKing the Red/Blue Divide
ATT&CKing the Red/Blue DivideMITRE ATT&CK
 
Landing on Jupyter: The transformative power of data-driven storytelling for ...
Landing on Jupyter: The transformative power of data-driven storytelling for ...Landing on Jupyter: The transformative power of data-driven storytelling for ...
Landing on Jupyter: The transformative power of data-driven storytelling for ...MITRE ATT&CK
 
State of the ATT&CK
State of the ATT&CKState of the ATT&CK
State of the ATT&CKMITRE ATT&CK
 
Leveraging MITRE ATT&CK - Speaking the Common Language
Leveraging MITRE ATT&CK - Speaking the Common LanguageLeveraging MITRE ATT&CK - Speaking the Common Language
Leveraging MITRE ATT&CK - Speaking the Common LanguageErik Van Buggenhout
 
.LNK Tears of the Kingdom
.LNK Tears of the Kingdom.LNK Tears of the Kingdom
.LNK Tears of the KingdomMITRE ATT&CK
 
What is ATT&CK coverage, anyway? Breadth and depth analysis with Atomic Red Team
What is ATT&CK coverage, anyway? Breadth and depth analysis with Atomic Red TeamWhat is ATT&CK coverage, anyway? Breadth and depth analysis with Atomic Red Team
What is ATT&CK coverage, anyway? Breadth and depth analysis with Atomic Red TeamMITRE ATT&CK
 
ATT&CKING Containers in The Cloud
ATT&CKING Containers in The CloudATT&CKING Containers in The Cloud
ATT&CKING Containers in The CloudMITRE ATT&CK
 
MITRE ATT&CKcon 2.0: Lessons in Purple Team Testing with MITRE ATT&CK; Daniel...
MITRE ATT&CKcon 2.0: Lessons in Purple Team Testing with MITRE ATT&CK; Daniel...MITRE ATT&CKcon 2.0: Lessons in Purple Team Testing with MITRE ATT&CK; Daniel...
MITRE ATT&CKcon 2.0: Lessons in Purple Team Testing with MITRE ATT&CK; Daniel...MITRE - ATT&CKcon
 
When Insiders ATT&CK!
When Insiders ATT&CK!When Insiders ATT&CK!
When Insiders ATT&CK!MITRE ATT&CK
 
ATT&CK Updates- Defensive ATT&CK
ATT&CK Updates- Defensive ATT&CKATT&CK Updates- Defensive ATT&CK
ATT&CK Updates- Defensive ATT&CKMITRE ATT&CK
 
ATT&CK Updates- Campaigns
ATT&CK Updates- CampaignsATT&CK Updates- Campaigns
ATT&CK Updates- CampaignsMITRE ATT&CK
 
ATT&CK Updates- ATT&CK for ICS
ATT&CK Updates- ATT&CK for ICSATT&CK Updates- ATT&CK for ICS
ATT&CK Updates- ATT&CK for ICSMITRE ATT&CK
 
Tidying up your Nest: Validating ATT&CK Technique Coverage using EDR Telemetry
Tidying up your Nest: Validating ATT&CK Technique Coverage using EDR TelemetryTidying up your Nest: Validating ATT&CK Technique Coverage using EDR Telemetry
Tidying up your Nest: Validating ATT&CK Technique Coverage using EDR TelemetryMITRE ATT&CK
 
One Leg to Stand on: Adventures in Adversary Tracking with ATT&CK
One Leg to Stand on: Adventures in Adversary Tracking with ATT&CKOne Leg to Stand on: Adventures in Adversary Tracking with ATT&CK
One Leg to Stand on: Adventures in Adversary Tracking with ATT&CKMITRE ATT&CK
 
ATT&CK Metaverse - Exploring the Limitations of Applying ATT&CK
ATT&CK Metaverse - Exploring the Limitations of Applying ATT&CKATT&CK Metaverse - Exploring the Limitations of Applying ATT&CK
ATT&CK Metaverse - Exploring the Limitations of Applying ATT&CKMITRE ATT&CK
 
Mapping ATT&CK Techniques to ENGAGE Activities
Mapping ATT&CK Techniques to ENGAGE ActivitiesMapping ATT&CK Techniques to ENGAGE Activities
Mapping ATT&CK Techniques to ENGAGE ActivitiesMITRE ATT&CK
 
Tracking Noisy Behavior and Risk-Based Alerting with ATT&CK
Tracking Noisy Behavior and Risk-Based Alerting with ATT&CKTracking Noisy Behavior and Risk-Based Alerting with ATT&CK
Tracking Noisy Behavior and Risk-Based Alerting with ATT&CKMITRE ATT&CK
 

What's hot (20)

Would you Rather Have Telemetry into 2 Attacks or 20? An Insight Into Highly ...
Would you Rather Have Telemetry into 2 Attacks or 20? An Insight Into Highly ...Would you Rather Have Telemetry into 2 Attacks or 20? An Insight Into Highly ...
Would you Rather Have Telemetry into 2 Attacks or 20? An Insight Into Highly ...
 
ATT&CK is the Best Defense - Emulating Sophisticated Adversary Malware to Bol...
ATT&CK is the Best Defense - Emulating Sophisticated Adversary Malware to Bol...ATT&CK is the Best Defense - Emulating Sophisticated Adversary Malware to Bol...
ATT&CK is the Best Defense - Emulating Sophisticated Adversary Malware to Bol...
 
ATT&CKing the Red/Blue Divide
ATT&CKing the Red/Blue DivideATT&CKing the Red/Blue Divide
ATT&CKing the Red/Blue Divide
 
Landing on Jupyter: The transformative power of data-driven storytelling for ...



MITRE ATT&CK Updates: State of the ATT&CK (ATT&CKcon 4.0 Edition)

  • 1. MITRE ATT&CK® Updates: State of the ATT&CK Adam Pennington, ATT&CK Lead, MITRE @_whatshisface © 2023 THE MITRE CORPORATION. ALL RIGHTS RESERVED. APPROVED FOR PUBLIC RELEASE. DISTRIBUTION UNLIMITED 23-00696-12.
  • 2. Celebrating ATT&CK’s 10th Anniversary (2013-2023) © 2023 THE MITRE CORPORATION. ALL RIGHTS RESERVED. APPROVED FOR PUBLIC RELEASE. DISTRIBUTION UNLIMITED 23-00696-12.
  • 3. TTP Chart Early Progress © 2023 THE MITRE CORPORATION. ALL RIGHTS RESERVED. APPROVED FOR PUBLIC RELEASE. DISTRIBUTION UNLIMITED 23-00696-12. Persistence Lateral Movement New service Modify existing service DLL Proxying Hypervisor Rookit Winlogon Helper dll Path Interception Registry run keys / Startup folder addition Modification of shortcuts MBR / BIOS rootkit Editing of default handlers AT / Schtasks / Cron Persistence Lateral Movement New service RDP Modify existing service Windows admin shares (C$, ADMIN$) DLL Proxying Windows shared webroot Hypervisor Rookit Remote Windows / Accessible Application vulnerability Winlogon Helper dll Logon scripts Path Interception Use application deployment software Registry run keys / Startup folder addition Taint shared content Modification of shortcuts Access to remote services with valid credentials MBR / BIOS rootkit Obtaining credentials from weaknesses in OS or software Editing of default handlers Obtaining credentials from user AT / Schtasks / Cron Persistence Lateral Movement Credential Access Privilege Escalation Defense Evasion Command and Control Exfiltration Host Enumeration New service RDP Administrator privileges Exploitation of vulnerability Process enumeration Modify existing service Windows admin shares (C$, ADMIN$) Administrator privileges (API hooking) Service file permissions weakness Service enumeration DLL Proxying Windows shared webroot Ability to capture network traffic Service registry permissions weakness Local networking enumeration Hypervisor Rookit Remote Windows / Accessible Application vulnerability Access to files DLL path hijacking Local network connection enumeration Winlogon Helper dll Logon scripts Path interception Window enumeration Path Interception Use application deployment software Modification of shortcuts Account enumeration Registry run keys / Startup folder addition Taint shared content Editing of default handlers Group enumeration Modification of shortcuts Access to remote 
services with valid credentials AT / Schtasks / Cron Owner/user enumeration MBR / BIOS rootkit Obtaining credentials from weaknesses in OS or software Operating system enumeration Editing of default handlers Obtaining credentials from user Security software enumeration AT / Schtasks / Cron File system enumeration
  • 4. A.T.T.A.C.K. (Adversarial Tactics, Techniques, And Common Knowledge) § 10th Anniversary Panel tomorrow at 9:05am with ATT&CK’s original creators – Moderated by Katie Nickels § Blake Strom § Jen Miller Osborn § Brad Crawford § Eric Sheesley © 2023 THE MITRE CORPORATION. ALL RIGHTS RESERVED. APPROVED FOR PUBLIC RELEASE. DISTRIBUTION UNLIMITED 23-00696-12.

| Persistence | Lateral Movement | Credential Access | Privilege Escalation | Defense Evasion | Command and Control | Exfiltration | Host Enumeration |
|---|---|---|---|---|---|---|---|
| New service | RDP | Administrator privileges | Exploitation of vulnerability | Software packing | Commonly used protocol / Follows protocol standards | Normal C&C channel | Process enumeration |
| Modify existing service | Windows admin shares (C$, ADMIN$) | Administrator privileges (API hooking) | Service file permissions weakness | Masquerading | Commonly used protocol / Does not follow protocol standards | Alternate data channel | Service enumeration |
| DLL Proxying | Windows shared webroot | Ability to capture network traffic | Service registry permissions weakness | DLL Injection | Commonly used protocol on non-standard port | Exfiltration over other network medium | Local networking enumeration |
| Hypervisor Rootkit | Remote Windows / Accessible Application vulnerability | Access to files | DLL path hijacking | DLL loading | Communications encrypted beyond any protocol encryption | Exfiltration over physical medium | Local network connection enumeration |
| Winlogon Helper dll | Logon scripts | | Path interception | Standard protocols | Communications are obfuscated | Encrypted separately | Window enumeration |
| Path Interception | Use application deployment software | | Modification of shortcuts | Obfuscated payload | Distributed communications | Compressed separately | Account enumeration |
| Registry run keys / Startup folder addition | Taint shared content | | Editing of default handlers | Indicator removal | Multiple protocols combined | Data staged | Group enumeration |
| Modification of shortcuts | Access to remote services with valid credentials | | AT / Schtasks / Cron | Indicator blocking | | Automated or scripted data exfiltration | Owner/user enumeration |
| MBR / BIOS rootkit | Obtaining credentials from weaknesses in OS or software | | | | | Size limits | Operating system enumeration |
| Editing of default handlers | Obtaining credentials from user | | | | | Scheduled transfer | Security software enumeration |
| AT / Schtasks / Cron | | | | | | | File system enumeration |
  • 5. System Owner/User Discovery (T1033) adamp$ whoami § He/him/his § Lead of MITRE ATT&CK § 15 years with MITRE § Focused on threat intel and deception § Past defender and CTI analyst § Involved with ATT&CK since it was a spreadsheet with no & § SCUBA diver certified for decompression and rebreather diving ©2022 THE MITRE CORPORATION. ALL RIGHTS RESERVED. APPROVED FOR PUBLIC RELEASE. DISTRIBUTION UNLIMITED 21-00706-27.
  • 6. MITRE ATT&CK Remains Strong § Backed by 40+ MITRE staff and a growing community ©2022 THE MITRE CORPORATION. ALL RIGHTS RESERVED. APPROVED FOR PUBLIC RELEASE. DISTRIBUTION UNLIMITED 21-00706-27. Enterprise: Jamie Williams; Mac/Linux: Cat Self; Cloud: Casey Knerr; ICS: Jake Steele; Mobile: Jason Ajmo; Defenses: Lex Crumpton; Development: Jared Ondricek; Outreach: Amy Robertson; Threat Intel: Mike Hartley (acting)
  • 7. Since we last met… © 2023 THE MITRE CORPORATION. ALL RIGHTS RESERVED. APPROVED FOR PUBLIC RELEASE. DISTRIBUTION UNLIMITED 23-00696-12.
  • 8. ATT&CKcon 3.0 (3/22) ATT&CK v11 (4/22) ATT&CK v12 (10/22) ATT&CK v13 (4/23) ATT&CKcon 4.0 (You are here) ATT&CK v14 (10/31/23) © 2023 THE MITRE CORPORATION. ALL RIGHTS RESERVED. APPROVED FOR PUBLIC RELEASE. DISTRIBUTION UNLIMITED 23-00696-12.
  • 9. ATT&CK – By the Numbers (Since ATT&CKcon 3.0) © 2023 THE MITRE CORPORATION. ALL RIGHTS RESERVED. APPROVED FOR PUBLIC RELEASE. DISTRIBUTION UNLIMITED 23-00696-12. New: 111 techniques/sub-techniques, 18 groups, 22 campaigns, 100 software. Updated: 525 techniques/sub-techniques, 83 groups, 3 campaigns, 218 software.
  • 10. ATT&CKcon 4.0 – By the Numbers § CFP open from May 17th to June 27th, 2023 § 79 submissions § 66% in the final week § 47% in the final day § 13% in the final hour § 22% acceptance rate – judged blind by a 6-person program committee © 2023 THE MITRE CORPORATION. ALL RIGHTS RESERVED. APPROVED FOR PUBLIC RELEASE. DISTRIBUTION UNLIMITED 23-00696-12.
  • 11. Enterprise Structured Detections © 2023 THE MITRE CORPORATION. ALL RIGHTS RESERVED. APPROVED FOR PUBLIC RELEASE. DISTRIBUTION UNLIMITED 23-00696-12.
  • 12. ATT&CK for ICS Joined the attack.mitre.org Party § Integrated into main STIX and https://attack.mitre.org § Formerly our last remaining MediaWiki matrix § ICS’s Groups and Software added in addition to Techniques § Continued movement towards feature parity with Enterprise § Data sources and structured detections © 2023 THE MITRE CORPORATION. ALL RIGHTS RESERVED. APPROVED FOR PUBLIC RELEASE. DISTRIBUTION UNLIMITED 23-00696-12.
  • 13. Mobile § Continuing to add Enterprise features § Sub-techniques added Summer 2022 § Just ICS left now! § Data sources added in v13 (April 2023) © 2023 THE MITRE CORPORATION. ALL RIGHTS RESERVED. APPROVED FOR PUBLIC RELEASE. DISTRIBUTION UNLIMITED 23-00696-12.
  • 14. Campaigns § Introduced in ATT&CK v12 (October 2022) § Allow us to § Break down groups § Handle unclustered reporting § Represent “it’s complicated” activity like RaaS § Work ongoing – new Campaigns each release © 2023 THE MITRE CORPORATION. ALL RIGHTS RESERVED. APPROVED FOR PUBLIC RELEASE. DISTRIBUTION UNLIMITED 23-00696-12.
  • 15. ATT&CK’s Contributors @ionstorm Aagam Shah, @neutrinoguy, ABB Aaron Jornet Abel Morales, Exabeam Abhijit Mohanta, @abhijit_mohanta, Uptycs Achute Sharma, Keysight Adam Lichters Adam Mashinchi Adrien Bataille Ai Kimura, NEC Corporation Akiko To, NEC Corporation Akshat Pradhan, Qualys Alain Homewood Alain Homewood, Insomnia Security Alan Neville, @abnev Alex Hinchliffe, Palo Alto Networks Alex Parsons, Crowdstrike Alex Soler, AttackIQ Alex Spivakovsky, Pentera Alexandros Pappas Alfredo Abarca Alfredo Oliveira, Trend Micro Allen DeRyke, ICE Amir Gharib, Microsoft Threat Intelligence Anastasios Pingios Anders Vejlby Andrea Serrano Urea, Telefónica Tech Andrew Allen, @whitehat_zero Andrew Northern, @ex_raritas Andrew Smith, @jakx_ Antonio Piazza, @antman1p Antonio Villani, @LDO_CyberSec, Leonardo's Cyber Security Division AppOmni Arad Inbar, Fidelis Security Arie Olshtein, Check Point Ariel Shuper, Cisco Arnim Rupp, Deutsche Lufthansa AG Assaf Morag, @MoragAssaf, Team Nautilus Aqua Security Atul Nair, Qualys Austin Clark, @c2defense Austin Herrin Aviran Hazum, Check Point Avneet Singh Awake Security Ayan Saha, Keysight Barry Shteiman, Exabeam Bart Parys Bartosz Jerzman Ben Smith, @ezaspy Bencherchali Nasreddine, @nas_bench, ELIT Security Team (DSSD) Bernaldo Penas Antelo Bilal Bahadır Yenici Blake Strom, Microsoft 365 Defender Blake Strom, Microsoft Threat Intelligence Bobby, Filar, Elastic Boominathan Sundaram Brad Geesaman, @bradgeesaman Brandon Dalton @PartyD0lphin Brent Murphy, Elastic Brian Donohue Brian Wiltse @evalstrings Bryan Campbell, @bry_campbell Bryan Lee Bryan Onel Caio Silva Carlos Borges, @huntingneo, CIP Carrie Roberts, @OrOneEqualsOne Casey Smith Catherine Williams, BT Security Center for Threat-Informed Defense (CTID) Chen Erlich, @chen_erlich, enSilo Chris Heald Chris Roffe Chris Romano, Crowdstrike Chris Ross @xorrior Christiaan Beek, @ChristiaanBeek Christoffer Strömblad Christopher Glyer, Mandiant, @cglyer Christopher Peacock Cian Heasley 
Cisco Clément Notin, Tenable Cody Thomas, SpecterOps Conrad Layne - GE Digital Craig Aitchison Craig Smith, BT Security CrowdStrike CrowdStrike Falcon OverWatch Csaba Fitzl @theevilbit of Offensive Security Cybereason Nocturnus, @nocturnus Daisuke Suzuki Dan Borges, @1njection Dan Nutting, @KerberToast Daniel Acevedo, @darmad0, ARMADO Daniel Feichter, @VirtualAllocEx, Infosec Tirol Daniel Oakley Daniel Prizmant, Palo Alto Networks Daniel Stepanic, Elastic Daniil Yugoslavskiy, @yugoslavskiy, Atomic Threat Coverage project Daniyal Naeem, BT Security Darin Smith, Cisco Darren Spruell Dave Westgard David Ferguson, CyberSponse David Fiser, @anu4is, Trend Micro David French, Elastic David Hughes, BT Security David Lu, Tripwire David Routin David Tayouri Deloitte Threat Library Team Denise Tan Diogo Fernandes Dongwook Kim, KISA Dor Edry, Microsoft Doron Karmi, @DoronKarmi Douglas Weir Dragos Threat Intelligence Dragos Threat Intelligence Dray Agha, @Purp1eW0lf, Huntress Labs Drew Church, Splunk Dror Alon, Palo Alto Networks Duane Michael Dylan Silva, AWS Security Ed Williams, Trustwave, SpiderLabs Edward Millington Edward Stevens, BT Security Elastic Elger Vinicius S. Rodrigues, @elgervinicius, CYBINT Centre Eli Salem, @elisalem9 Elia Florio, Microsoft Elly Searle, CrowdStrike — contributed to tactic definitions Elpidoforos Maragkos, @emaragkos Elvis Veliz, Citi Emad Al-Mousa, Saudi Aramco Emile Kenning, Sophos Emily Ratliff, IBM ENDGAME Eran Ayalon, Cybereason Eric Kaiser @ideologysec Eric Kuehn, Secure Ideas Erik Schamper, @Schamperr, Fox-IT Erika Noerenberg, @gutterchurl, Carbon Black Erye Hernandez, Palo Alto Networks ESET Expel ExtraHop Felipe Espósito, @Pr0teus Felix Eberstaller Filip Kafka, ESET FIRST.ORG's Cyber Threat Intelligence SIG Flavio Costa, Cisco Ford Qin, Trend Micro Francesco Bigarella FS-ISAC Gaetan van Diemen, ThreatFabric Gal Singer, @galsinger29, Team Nautilus Aqua Security Gareth Phillips, Seek Ltd. 
Gavin Knapp George Allen, VMware Carbon Black George Thomas Giorgi Gurgenidze, ISAC Goldstein Menachem Gordon Long, Box, Inc., @ethicalhax Gregory Lesnewich Gunji Satoshi, NEC Corporation Hannah Simes, BT Security Hans Christoffer Gaardløs Harry Hill, BT Security Harry Kim, CODEMIZE Harry, CODEMIZE Harshal Tupsamudre, Qualys Harun Kuessner Harun Küßner Heather Linn Hiroki Nagahama, NEC Corporation Hubert Mank Ian Davila, Tidal Cyber Ian McKay Ibrahim Ali Khan ICSCoE Japan Idan Frimark, Cisco Idan Revivo, @idanr86, Team Nautilus Aqua Security Ilan Sokol, Cybereason Inna Danilevich, U.S. Bank Isif Ibrahima, Mandiant Itamar Mizrahi, Cymptom Itzik Kotler, SafeBreach Ivan Sinyakov Jack Burns, HubSpot Jacob Wilkin, Trustwave, SpiderLabs Jacques Pluviose, @Jacqueswildy_IT Jai Minton James Dunn, @jamdunnDFW, EY James_inthe_box, Me Jan Miller, CrowdStrike Jan Petrov, Citi Janantha Marasinghe Jannie Li, Microsoft Threat Intelligence Center (MSTIC) Jared Atkinson, @jaredcatkinson Jared Wilson Jaron Bradley @jbradley89 Jason Sevilla Jay Chen, Palo Alto Networks Jean-Ian Boutin, ESET Jeff Felling, Red Canary Jeff Sakowicz, Microsoft Identity Developer Platform Services (IDPM Services) Jeffrey Barto Jen Burns, HubSpot Jennifer Kim Roman, CrowdStrike Jeremy Galloway Jeremy Kennelly Jesse Brown, Red Canary Jimmy Astle, @AstleJimmy, Carbon Black Jimmy Wylie, Dragos, Inc. Joas Antonio dos Santos, @C0d3Cr4zy Joas Antonio dos Santos, @C0d3Cr4zy, Inmetrics Joas Antonio dos Santos, @Cr4zyC0d3 Joe Gervais Joe Gumke, U.S. 
Bank Joe Slowik - Dragos Joey Lei Johann Rehberger John Lambert, Microsoft Threat Intelligence Center John Page (aka hyp3rlinx), ApparitionSec John Strand Jon Sheedy Jon Sternstein, Stern Security Jonathan Boucher, @crash_wave, Bank of Canada Jonathan Shimonovich, Check Point Jonhnathan Ribeiro, 3CORESec, @_w0rk3r Jonny Johnson Jorell Magtibay, National Australia Bank Limited Jorge Orchilles, SCYTHE Jos Wetzels - Midnight Blue Jose Luis Sánchez Martinez Josh Abraham Josh Arenas, Trustwave Spiderlabs Josh Campbell, Cyborg Security, @cyb0rgsecur1ty Josh Day, Gigamon Josh Liburdi, @jshlbrd João Paulo de A. Filho, @Hug1nN__ Juan Carlos Campuzano - Mnemo-CERT Juan Tapiador Justin Warner, ICEBRG Jörg Abraham, EclecticIQ Karim Hasanen, @_karimhasanen Kaspersky Katie & Tony Lambert Katie Nickels, Red Canary Kiyohito Yamamoto, RedLark, NTT Communications Kobi Eisenkraft, Check Point Kobi Haimovich, CardinalOps Krishnan Subramanian, @krish203 Kyaw Pyiyt Htet, @KyawPyiytHtet Kyoung-ju Kwak (S2W) Lab52 by S2 Grupo Lacework Labs Lee Christensen, SpecterOps Leo Loobeek, @leoloobeek Leo Zhang, Trend Micro Lior Ribak, SentinelOne Liora Itkin Liran Ravich, CardinalOps Loic Jaquemet Lorin Wu, Trend Micro Lucas da Silva Pereira, @vulcanunsec, CIP Lucas Heiligenstein Lukáš Štefanko, ESET Maarten van Dantzig, @MaartenVDantzig, Fox-IT Magno Logan, @magnologan, Trend Micro Manikantan Srinivasan, NEC Corporation India Marc-Etienne M.Léveillé, ESET Marcus Weeks Maril Vernon @shewhohacks Marina Krotofil Mark Wee Martin Jirkal, ESET Martin McCloskey, Datadog Martin Smolár, ESET Martin Sohn Christensen, Improsec Massimiliano Romano, BT Security Matan Dobrushin - Otorio Mathieu Hinse Mathieu Tartare, ESET Matias Nicolas Porolli, ESET Matt Brenton, Zurich Global Information Security Matt Brenton, Zurich Insurance Group Matt Burrough, @mattburrough, Microsoft Matt Graeber, @mattifestation, SpecterOps Matt Kelly, @breakersall Matt Snyder, VMware Matthew Demaske, Adaptforward Matthew Green Matthew 
Molyett, @s1air, Cisco Talos Matthieu Faou, ESET Mayan Arora aka Mayan Mohan Mayuresh Dani, Qualys McAfee Menachem Goldstein Menachem Shafran, XM Cyber Michael Cox Michael Katchinskiy, @michael64194968, Team Nautilus Aqua Security Michael Raggi @aRtAGGI Michal Dida, ESET Microsoft Detection and Response Team (DART) Microsoft Security Microsoft Threat Intelligence Center (MSTIC) Mike Burns, Mandiant Mike Kemmerer Mike Moran Milos Stojadinovic Mindaugas Gudzis, BT Security Miriam Wiesner, @miriamxyra, Microsoft Security Mnemonic Mnemonic AS Mohamed Kmal Mohit Rathore Mugdha Peter Bansode Muhammad Moiz Arshad, @5T34L7H Nader Zaveri Naikordian Nathaniel Quist, Palo Alto Networks Naveen Devaraja, bolttech Naveen Vijayaraghavan, Nilesh Dherange (Gurucul) NEC Netskope Nichols Jasper Nick Cairns, @grotezinfosec Nick Carr, Mandiant Nik Seetharaman, Palantir Nino Verde, @LDO_CyberSec, Leonardo's Cyber Security Division Nishan Maharjan, @loki248 Noam Lifshitz, Sygnia NST Assure Research Team, NetSentries Technologies Oddvar Moe, @oddvarmoe Ofir Almkias, Cybereason Ohad Mana, Check Point Ohad Zaidenberg, @ohad_mz Olaf Hartong, Falcon Force Oleg Kolesnikov, Securonix Oleg Skulkin, Group-IB Oleksiy Gayda Omkar Gudhate Or Kliger, Palo Alto Networks Oren Biderman, Sygnia Oren Ofer, Cybereason Ozan Olali Ozer Sarilar, @ozersarilar, STM Pallavi Sivakumaran, WithSecure Patrick Campbell, @pjcampbe11 Patrick Sungbahadoor Paul Speulstra, AECOM Global Security Operations Center Pawan Kinger, @kingerpawan, Trend Micro Pawel Partyka, Microsoft 365 Defender Pawel Partyka, Microsoft Threat Intelligence Pedro Harrison Phil Stokes, SentinelOne Philip Winther Phill Taylor, BT Security Phyo Paing Htun Phyo Paing Htun (ChiLai), I-Secure Co.,Ltd Pià Consigny, Tenable Pooja Natarajan, NEC Corporation India Praetorian Prasad Somasamudram, McAfee Prasanth Sadanala, Cigna Information Protection (CIP) - Threat Response Engineering Team Prashant Verma, Paladion Rahmat Nurfauzi, @infosecn1nja, PT Xynexis 
International Ram Pliskin, Microsoft Azure Security Center Raphaël Lheureux Red Canary RedHuntLabs, @redhuntlabs Regina Elwell Rex Guo, @Xiaofei_REX, Confluera Ricardo Dias Richard Gold, Digital Shadows Richard Julian, Citi Richie Cyrus, SpecterOps Rick Cole, Mandiant Rob Smith Robby Winchester, @robwinchester3 Robert Falcone Robert Simmons, @MalwareUtkonos Robert Wilson Rodrigo Garcia, Red Canary Roi Kol, @roykol1, Team Nautilus Aqua Security Romain Dumont, ESET Rory McCune, Aqua Security Ross Brittain Ruben Dodge, @shotgunner101 Runa Sandvik Ryan Becwar Ryan Benson, Exabeam Ryo Tamura, SecureBrain Corporation Sahar Shukrun Saisha Agrawal, Microsoft Threat Intelligent Center (MSTIC) Sam Seabrook, Duke Energy Sarathkumar Rajendran, Microsoft Defender365 SarathKumar Rajendran, Trimble Inc Scott Cook, Capital One Scott Dougherty Scott Knight, @sdotknight, VMware Carbon Black Scott Lundgren, @5twenty9, Carbon Black Sebastian Salla, McAfee Sebastian Showell-Westrip, BT Security Sekhar Sarukkai, McAfee Selena Larson, @selenalarson Sergey Persikov, Check Point Serhii Melnyk, Trustwave SpiderLabs Shailesh Tiwary (Indian Army) Shane Tully, @securitygypsy Shanief Webb Shankar Raman, Gen Digital and Abhinand, Amrita University Shilpesh Trivedi, Uptycs Shlomi Salem, SentinelOne Shotaro Hamamoto, NEC Solution Innovators, Ltd Shuhei Sasada, Cyber Defense Institute, Inc Silvio La Porta, @LDO_CyberSec, Leonardo's Cyber Security Division Simona David Sittikorn Sangrattanapitak SOCCRATES Stan Hegt, Outflank Stefan Kanthak Steven Du, Trend Micro Sudhanshu Chauhan, @Sudhanshu_C Sunders Bruskin, Microsoft Threat Intelligence Sunny Neo Suzy Schapperle - Microsoft Azure Red Team Swapnil Kumbhar Swasti Bhushan Deb, IBM India Pvt. Ltd. Swetha Prabakaran, Microsoft Threat Intelligence Center (MSTIC) Syed Ummar Farooqh, McAfee Sylvain Gil, Exabeam Sébastien Ruel, CGI Taewoo Lee, KISA Tahseen Bin Taj Takuma Matsumoto, LAC Co., Ltd Tatsuya Daitoku, Cyber Defense Institute, Inc. 
Ted Samuels, Rapid7 Teodor Cimpoesu Thanabodi Phrakhun, I-SECURE The DFIR Report, @TheDFIRReport The Wover, @TheRealWover Thijn Bukkems, Amazon Thirumalai Natarajan, Mandiant Tiago Faria, 3CORESec Tim (Wadhwa-)Brown Tim MalcomVetter Tim Peck Toby Kohlenberg Tom Hegel Tom Simpson, CrowdStrike Falcon OverWatch Tom Ueltschi @c_APT_ure Tony Lambert, Red Canary Tony Lee Travis Smith, Qualys Travis Smith, Tripwire Trend Micro Incorporated Tristan Bennett, Seamless Intelligence Tristan Madani (Cybereason) TruKno Tsubasa Matsuda, NEC Corporation Uriel Kosayev Vadim Khrykov Valerii Marchuk, Cybersecurity Help s.r.o. Varonis Threat Labs Veeral Patel Vijay Lalwani Vikas Singh, Sophos Vinay Pidathala Vinayak Wadhwa, Lucideus Vinayak Wadhwa, SAFE Security Vincent Le Toux Viren Chaudhari, Qualys Vishwas Manral, McAfee Walker Johnson Wataru Takahashi, NEC Corporation Wayne Silva, F-Secure Countercept Wes Hurd Wietze Beukema, @wietze Will Jolliffe Will Thomas, Cyjax Will Thomas, Equinix Will Thomas, Equinix Threat Analysis Center (ETAC) William Cain Wojciech Lesicki Xavier Rousseau Yaniv Agman, @AgmanYaniv, Team Nautilus Aqua Security Yasuhito Kawanishi, NEC Corporation Ye Yint Min Thu Htut, Offensive Security Team, DBS Bank Yinon Engelsman, Talon Cyber Security Yonatan Gotlib, Deep Instinct Yonatan Gotlib, Talon Cyber Security Yoshihiro Kori, NEC Corporation Yossi Nisani, Cymptom Yossi Weizman, Azure Defender Research Team Yossi Weizman, Microsoft Threat Intelligence Yusuke Kubo, RedLark, NTT Communications Yusuke Niwa, ITOCHU Corporation Yuval Avrahami, Palo Alto Networks Zachary Abzug, @ZackDoesML Zachary Stanford, @svch0st Zaw Min Htun, @Z3TAE Ziv Karliner, @ziv_kr, Team Nautilus Aqua Security Ziv Kaspersky, Cymptom Zur Ulianitzky, XM Cyber ©2022 THE MITRE CORPORATION. ALL RIGHTS RESERVED. APPROVED FOR PUBLIC RELEASE. DISTRIBUTION UNLIMITED 21-00706-27. 468 orgs and individuals 82 in 2019 130 in 2020 155 in 2021 155 in 2022 4 pt font Thank You!
  • 16. The Future © 2023 THE MITRE CORPORATION. ALL RIGHTS RESERVED. APPROVED FOR PUBLIC RELEASE. DISTRIBUTION UNLIMITED 23-00696-12.
  • 18. Mobile © 2023 THE MITRE CORPORATION. ALL RIGHTS RESERVED. APPROVED FOR PUBLIC RELEASE. DISTRIBUTION UNLIMITED 23-00696-12.
  • 19. Linux § We’ve added to our Linux platform the past several releases § It’s used heavily in containers, cloud, embedded devices, network appliances, IoT, etc. § Linux systems are often mentioned as a part of intrusions § …And yet it’s still an incredibly challenging platform to gather intelligence on § Continues to be a focus area for us § Seeking better intelligence on Linux actor behaviors § Join us in #linux_attack on the MITRE ATT&CK Slack (same Slack as Q&A) © 2023 THE MITRE CORPORATION. ALL RIGHTS RESERVED. APPROVED FOR PUBLIC RELEASE. DISTRIBUTION UNLIMITED 23-00696-12.
  • 20. ATT&CK Update Presentations © 2023 THE MITRE CORPORATION. ALL RIGHTS RESERVED. APPROVED FOR PUBLIC RELEASE. DISTRIBUTION UNLIMITED 23-00696-12.
  • 21. ATT&CK Updates: ICS §Today – 1:30pm § Jake Steele §Adding assets to better represent the space § Lots of industries with many kinds of devices § Much broader space than Enterprise platforms §Bringing standards into the mix § High adoption in the ICS community © 2023 THE MITRE CORPORATION. ALL RIGHTS RESERVED. APPROVED FOR PUBLIC RELEASE. DISTRIBUTION UNLIMITED 23-00696-12.
  • 22. ATT&CK Updates: Software §Today – 3:45pm § Jared Ondricek § Improvements to ATT&CK website search! § ATT&CK develops several open source projects § Tools for managing/maintaining ATT&CK § Tools for working with ATT&CK © 2023 THE MITRE CORPORATION. ALL RIGHTS RESERVED. APPROVED FOR PUBLIC RELEASE. DISTRIBUTION UNLIMITED 23-00696-12.
  • 23. ATT&CK Updates: A Few New Ideas in Enterprise §Tomorrow – 10:20am § Patrick Howell O’Neill §There are spaces we’ve explicitly avoided in ATT&CK §You’ve been asking about them for years §As our adversaries evolve, we do too © 2023 THE MITRE CORPORATION. ALL RIGHTS RESERVED. APPROVED FOR PUBLIC RELEASE. DISTRIBUTION UNLIMITED 23-00696-12.
  • 24. ATT&CK Updates: Cloud § Tomorrow – 12:00pm § Casey Knerr § Cloud is different! § Complicated to defend § Sparse public reporting § Is it time for some new platforms? © 2023 THE MITRE CORPORATION. ALL RIGHTS RESERVED. APPROVED FOR PUBLIC RELEASE. DISTRIBUTION UNLIMITED 23-00696-12.
  • 25. ATT&CK Benefactor Program § Opportunity for organizations to help sustain and advance ATT&CK § Accepting charitable donations via the Center for Threat-Informed Defense § Contributions leveraged directly by ATT&CK § Parallel programs for Engage, Caldera, and the Center for Threat-Informed Defense § Recognition on attack.mitre.org, CTID’s website, and our social media § To learn about other benefits or to contact us visit https://bit.ly/ATBenif © 2023 THE MITRE CORPORATION. ALL RIGHTS RESERVED. APPROVED FOR PUBLIC RELEASE. DISTRIBUTION UNLIMITED 23-00696-12.
  • 26. © 2023 THE MITRE CORPORATION. ALL RIGHTS RESERVED. APPROVED FOR PUBLIC RELEASE. DISTRIBUTION UNLIMITED 23-00696-12. https://attack.mitre.org attack@mitre.org @mitreattack Adam Pennington @_whatshisface whatshisface@infosec.exchange Join our Slack for Q&A: https://bit.ly/ATTj Or Join the #attackcon4 channel: https://bit.ly/ATTk #attackcon4-qa-pennington