Successfully reported this slideshow.
Your SlideShare is downloading. ×

MITRE ATT&CKcon 2.0: Prioritizing Data Sources for Minimum Viable Detection; Keith McCammon, Red Canary

Ad
Ad
Ad
Ad
Ad
Ad
Ad
Ad
Ad
Ad
Ad

Check these out next

1 of 38 Ad

More Related Content

Slideshows for you (20)

Similar to MITRE ATT&CKcon 2.0: Prioritizing Data Sources for Minimum Viable Detection; Keith McCammon, Red Canary (20)

Advertisement

More from MITRE - ATT&CKcon (20)

Recently uploaded (20)

Advertisement

MITRE ATT&CKcon 2.0: Prioritizing Data Sources for Minimum Viable Detection; Keith McCammon, Red Canary

  1. 1. Prioritizing Data Sources for Minimum Viable Detection
  2. 2. ▪ Mean streets of Northern Virginia ▪ “The Government” ▪ Red Canary Keith McCammon @kwm Presenter There is no photo. I’m right here :)
  3. 3. Y O U R S E C U R I T Y A L L Y Y O U R S E C U R I T Y A L L Y Y O U R S E C U R I T Y A L L Y To learn how you can prioritize collection of ATT&CK data sources, use this information to inform technology selection, and ultimately build a strong foundation for your detection engineering program. Why we’re here > > > > > > > > > > > > > > > > > > > > > > > > >
  4. 4. Detection Engineering DATA Am I collecting the right data to detect, investigate, and respond effectively to threats? ANALYTICS Am I asking the right questions of the data that I have? DETECTION Do I have the process, context, and expertise that I need to answer the questions that I’ve asked?
  5. 5. What does this have to do with ATT&CK™?
  6. 6. Detection Engineering DATA Am I collecting the right data to detect, investigate, and respond effectively to threats? ANALYTICS Am I asking the right questions of the data that I have? DETECTION Do I have the process, context, and expertise that I need to answer the questions that I’ve asked? We love to fixate on this!
  7. 7. Detection Engineering DATA Am I collecting the right data to detect, investigate, and respond effectively to threats? ANALYTICS Am I asking the right questions of the data that I have? DETECTION Do I have the process, context, and expertise that I need to answer the questions that I’ve asked? We should pay closer attention to this . . .
  8. 8. “We can’t detect what we can’t see.” ATT&CK Data Sources useful for: ● Assigning value to tools, data ● Measuring progress, coverage
  9. 9. Olaf Hartong ▪ sysmon-modular ▪ ThreatHunting Roberto & Jose Luis Rodriguez ▪ hunters-forge / ATTACK-Python Client ▪ Hunters ATT&CKing The ATT&CK Team Obligatory Nods
  10. 10. CONCEPT Minimum Viable Detection Being in a position to detect most threats, most of the time.
  11. 11. Not where you want to end up . . . . . . but a great way to think about how you start.
  12. 12. Words to Live By (At Work) MAXIMIZE COVERAGE MINIMIZE COMPLEXITY OPTIMIZE FOR ANSWERS
  13. 13. BACKGROUND Data Sources: The linchpin of ATT&CK
  14. 14. ▪ 50 data sources ▪ One or more per each of the 240 ATT&CK (Enterprise) techniques About the ATT&CK Data Sources
  15. 15. ▪ 50 59 data sources ▪ One or more per each of the 240 265 ATT&CK (Enterprise) techniques About the ATT&CK Data Sources
  16. 16. Useful for understanding how we observe a given technique
  17. 17. ▪ Do you need one or all data sources to properly observe a technique? ▪ Data sources are not clearly defined. Nits
  18. 18. PRIORITIZING DATA SOURCES Where do we start?
  19. 19. 1. Understanding prevalence 2. Focus on a class of data or product 3. Differentiate within a class of data / product 4. Coverage based on operational data, insights The stages of grief
  20. 20. PRIORITIZING DATA SOURCES Understanding prevalence
  21. 21. https://github.com/keithmccammon/python-attack-utils Step 1: ./attack.py --dump-metadata Step 2: Excel :) Alternatively: hunters-force/ATTACK-Python-Client Determining Prevalence
  22. 22. Top 10 Data Sources by Prevalence
  23. 23. PRIORITIZING DATA SOURCES Focus on a class of data or product
  24. 24. Data Source . . . Sources
  25. 25. The Top 10
  26. 26. PRIORITIZING DATA SOURCES Differentiate within a class of data / product
  27. 27. https://github.com/keithmccammon/python-attack-utils ./attack.py --match-data-source <filename> Techniques by Data Source Visibility Protection Process command-line parameters Process monitoring Binary file metadata DLL monitoring File monitoring Loaded DLLs Process use of network Process command-line parameters Process monitoring
  28. 28. . . . and then
  29. 29. PRIORITIZING DATA SOURCES Operational context Less a data source thing. Critically important.
  30. 30. Trends: Powershell
  31. 31. Trends: Windows Admin Shares
  32. 32. Trends: Remote File Copy
  33. 33. Trends: Spearphishing Attachment
  34. 34. WHAT OTHERS ARE SAYING “Everyone in this room should be sharing confirmed threat data based on ATTACK™.” ~ Me. I made this up. Still a valid point . . .
  35. 35. One more time . . . MAXIMIZE COVERAGE MINIMIZE COMPLEXITY OPTIMIZE FOR ANSWERS
  36. 36. FEEDBACK, QUESTIONS, ROTTEN TOMATOES Thank you! @kwm

×