Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.
©2019 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for public release. Distribution unlimited 19-01075-6.
MITRE
| ...
©2019 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for public release. Distribution unlimited 19-00696-15
| 2 |
AT...
©2019 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for public release. Distribution unlimited 19-00696-15
| 4 |
AT...
©2019 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for public release. Distribution unlimited 19-00696-15
We Didn’...
©2019 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for public release. Distribution unlimited 19-00696-15
Updates ...
©2019 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for public release. Distribution unlimited 19-01075-6.
| 7 |
AT...
©2019 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for public release. Distribution unlimited 19-00696-15
ATT&CK f...
©2019 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for public release. Distribution unlimited 19-00696-15
| 9 |
©2019 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for public release. Distribution unlimited 19-00696-15
| 10 |
I...
©2019 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for public release. Distribution unlimited 19-00696-15
| 11 |
M...
©2019 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for public release. Distribution unlimited 19-00696-15
Abstract...
©2019 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for public release. Distribution unlimited 19-00696-15
| 13 |
G...
©2019 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for public release. Distribution unlimited 19-00696-15
Sub-Tech...
©2019 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for public release. Distribution unlimited 19-00696-15
| 15 |
C...
©2019 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for public release. Distribution unlimited 19-00696-15
Sub-Tech...
©2019 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for public release. Distribution unlimited 19-00696-15
Growth o...
©2019 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for public release. Distribution unlimited 19-00696-15
| 18 |
M...
©2019 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for public release. Distribution unlimited 19-00696-15
More ATT...
©2019 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for public release. Distribution unlimited 19-00696-15
| 20 |
a...
Upcoming SlideShare
Loading in …5
×

of

MITRE ATT&CKcon 2.0: State of the ATT&CK; Blake Strom, MITRE Slide 1 MITRE ATT&CKcon 2.0: State of the ATT&CK; Blake Strom, MITRE Slide 2 MITRE ATT&CKcon 2.0: State of the ATT&CK; Blake Strom, MITRE Slide 3 MITRE ATT&CKcon 2.0: State of the ATT&CK; Blake Strom, MITRE Slide 4 MITRE ATT&CKcon 2.0: State of the ATT&CK; Blake Strom, MITRE Slide 5 MITRE ATT&CKcon 2.0: State of the ATT&CK; Blake Strom, MITRE Slide 6 MITRE ATT&CKcon 2.0: State of the ATT&CK; Blake Strom, MITRE Slide 7 MITRE ATT&CKcon 2.0: State of the ATT&CK; Blake Strom, MITRE Slide 8 MITRE ATT&CKcon 2.0: State of the ATT&CK; Blake Strom, MITRE Slide 9 MITRE ATT&CKcon 2.0: State of the ATT&CK; Blake Strom, MITRE Slide 10 MITRE ATT&CKcon 2.0: State of the ATT&CK; Blake Strom, MITRE Slide 11 MITRE ATT&CKcon 2.0: State of the ATT&CK; Blake Strom, MITRE Slide 12 MITRE ATT&CKcon 2.0: State of the ATT&CK; Blake Strom, MITRE Slide 13 MITRE ATT&CKcon 2.0: State of the ATT&CK; Blake Strom, MITRE Slide 14 MITRE ATT&CKcon 2.0: State of the ATT&CK; Blake Strom, MITRE Slide 15 MITRE ATT&CKcon 2.0: State of the ATT&CK; Blake Strom, MITRE Slide 16 MITRE ATT&CKcon 2.0: State of the ATT&CK; Blake Strom, MITRE Slide 17 MITRE ATT&CKcon 2.0: State of the ATT&CK; Blake Strom, MITRE Slide 18 MITRE ATT&CKcon 2.0: State of the ATT&CK; Blake Strom, MITRE Slide 19
Upcoming SlideShare
What to Upload to SlideShare
Next
Download to read offline and view in fullscreen.

1 Like

Share

Download to read offline

MITRE ATT&CKcon 2.0: State of the ATT&CK; Blake Strom, MITRE

Download to read offline

MITRE ATT&CKcon 2.0: State of the ATT&CK; Blake Strom, MITRE

Related Books

Free with a 30 day trial from Scribd

See all

Related Audiobooks

Free with a 30 day trial from Scribd

See all

MITRE ATT&CKcon 2.0: State of the ATT&CK; Blake Strom, MITRE

  1. 1. ©2019 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for public release. Distribution unlimited 19-01075-6. MITRE | 1 | State of the ATT&CK Blake Strom @stromcoffee @MITREattack #ATTACKcon ©2019 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for public release. Distribution unlimited 19-00696-15
  2. 2. ©2019 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for public release. Distribution unlimited 19-00696-15 | 2 | ATT&CK Circa 2014 Persistence Privilege Escalation Credential Access Host Enumeration Defense Evasion Lateral Movement Command and Control Exfiltration New service Exploitation of vulnerability OS/Software Weakness Process enumeration Software packing RDP Common protocol, follows standard Normal C&C channel Modify existing service Service file permissions weakness User interaction Service enumeration Masquerading Windows admin shares (C$, ADMIN$) Common protocol, non- standard Alternate data channel DLL Proxying Service registry permissions weakness Network sniffing Local network config DLL Injection Windows shared webroot Commonly used protocol on non- standard port Exfiltration over other network medium Hypervisor Rookit DLL path hijacking Stored file Local network connections DLL loading Remote vulnerability Communications encrypted Exfiltration over physical medium Winlogon Helper DLL Path interception Window enumeration Standard protocols Logon scripts Communications are obfuscated Encrypted separately Path Interception Modification of shortcuts Account enumeration Obfuscated payload Application deployment software Distributed communications Compressed separately Registry run keys / Startup folder addition Editing of default handlers Group enumeration Indicator removal Taint shared content Multiple protocols combined Data staged Modification of shortcuts AT / Schtasks / Cron Owner/user enumeration Indicator blocking Access to remote services with valid credentials Automated or scripted data exfiltration MBR / BIOS rootkit Operating system enumeration Pass the hash Size limits Editing of default handlers Security software enumeration Scheduled transfer AT / Schtasks / Cron File system enumeration Detect Partially Detect No Detect No Usage
  3. 3. ©2019 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for public release. Distribution unlimited 19-00696-15 | 4 | ATT&CK Today ATT&CK for ICS ATT&CK Evaluations Cyber Analytics Repository ATT&CK-Based SOC Assessments PRE-ATT&CK Mobile ATT&CK ATT&CK TodayATT&CK Sightings
  4. 4. ©2019 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for public release. Distribution unlimited 19-00696-15 We Didn’t Get Here By Accident | 5 |
  5. 5. ©2019 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for public release. Distribution unlimited 19-00696-15 Updates this Year – By the Numbers | 6 | 1 43 13 16 87 NEW TACTIC NEW TECHNIQUES NEW MOBILE TECHNIQUES NEW GROUPS NEW SOFTWARE 41 87 16 67 92 NEW MITIGATIONS UPDATED TECHNIQUES UPDATED MOB TECHNIQUES UPDATED GROUPS UPDATED SOFTWARE
  6. 6. ©2019 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for public release. Distribution unlimited 19-01075-6. | 7 | ATT&CK for Cloud for Cloud Credit to Dave Herrald and Ryan Kovar
  7. 7. ©2019 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for public release. Distribution unlimited 19-00696-15 ATT&CK for Cloud • 36 techniques • Part of Enterprise ATT&CK • Almost 100% community- contributed techniques! • Input from: • A cloud service provider • Red teams • Threat analysts • Detection analysts | 8 |
  8. 8. ©2019 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for public release. Distribution unlimited 19-00696-15 | 9 |
  9. 9. ©2019 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for public release. Distribution unlimited 19-00696-15 | 10 | Impact Tactic Data Destruction Data Encrypted for Impact DefacementDisk Content Wipe Disk Structure Wipe Endpoint DoS Firmware Corruption Inhibit System Recovery Network DoS Resource Hijacking Runtime Data Manipulation Service Stop Stored Data Manipulation Transmitted Data Manipulation System Shutdown/Reboot Account Access Removal ▪ Attacks targeting availability and integrity ▪ Ex: Ransomware, DoS, destruction ▪ 16 techniques
  10. 10. ©2019 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for public release. Distribution unlimited 19-00696-15 | 11 | Mitigations
  11. 11. ©2019 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for public release. Distribution unlimited 19-00696-15 Abstraction Issues in ATT&CK • Some broad techniques • Account Manipulation • Credential Dumping • Some narrow • Rundll32 • MSBuild • Hard to strike the right balance now | 12 |
  12. 12. ©2019 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for public release. Distribution unlimited 19-00696-15 | 13 | Groups of behaviors Use what we have Maintain an adversary mindset Platform specific techniques How Do We Scope Sub-Techniques?
  13. 13. ©2019 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for public release. Distribution unlimited 19-00696-15 Sub-Technique Implementation • Rough stats (so far) • Techniques: 266 166 • Sub-techniques: 280 • Implementing now • Pausing other updates • No groups/software! • Going into companion website for preview • Won’t be defacto ATT&CK • 3+ month feedback period | 14 |
  14. 14. ©2019 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for public release. Distribution unlimited 19-00696-15 | 15 | Credential Access Account Manipulation Bash History Brute Force Credential Dumping Credentials in Files … Credential Dumping Sub-Techniques (draft) SAM (Security Accounts Manager) Local Security Authority (LSA) Secrets NTDS from Domain Controller Cached Credentials … Sub-Technique Example
  15. 15. ©2019 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for public release. Distribution unlimited 19-00696-15 Sub-Technique Feedback • Are sub-techniques necessary and are we on the right track? • Overwhelmingly, yes! • Aren’t they procedures? • No • Visualization challenges • One-to-many issues • Mapping old to new • Data source refinement • OS agnostic techniques • Techniques should always have sub-techniques • Sub-techniques should be OS specific • Will help with false sense of security | 16 |
  16. 16. ©2019 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for public release. Distribution unlimited 19-00696-15 Growth of the ATT&CK Community | 17 | •Alain Homewood, Insomnia Security •Alan Neville, @abnev •Alex Hinchliffe, Palo Alto Networks •Alfredo Abarca •Allen DeRyke, ICE •Anastasios Pingios •Andrew Smith, @jakx_ •Avneet Singh •Barry Shteiman, Exabeam •Bart Parys •Bartosz Jerzman •Brian Prange •Bryan Lee •Carlos Borges, @huntingneo, CIP •Casey Smith •Christiaan Beek, @ChristiaanBeek •Christoffer Strömblad •Cody Thomas, SpecterOps •Craig Aitchison •CrowdStrike Falcon OverWatch •Cybereason Nocturnus, @nocturnus •Daniel Oakley •Darren Spruell •Dave Westgard •David Ferguson, CyberSponse •David Lu, Tripwire •David Routin •Drew Church, Splunk •Ed Williams, Trustwave, SpiderLabs •Edward Millington •Elger Vinicius S. Rodrigues, CYBINT Centre •Elia Florio, Microsoft •Elly Searle, CrowdStrike •Emily Ratliff, IBM •ENDGAME •Eric Kuehn, Secure Ideas •Erika Noerenberg, @gutterchurl, Carbon Black •Erye Hernandez, Palo Alto Networks •ESET •Felipe Espósito, @Pr0teus •Filip Kafka, ESET •FS-ISAC •Hans Christoffer Gaardløs •Heather Linn •Itamar Mizrahi •Itzik Kotler, SafeBreach •Ivan Sinyakov •Jacob Wilkin, Trustwave, SpiderLabs •Jan Miller, CrowdStrike •Jannie Li, Microsoft (MSTIC) •Jared Atkinson, @jaredcatkinson •Jean-Ian Boutin, ESET •Jeff Sakowicz, Microsoft (IDPM Services) •Jeremy Galloway •Jimmy Astle, @AstleJimmy, Carbon Black •Johann Rehberger •John Lambert, Microsoft (MSTIC) •John Strand •Josh Abraham •Justin Warner, ICEBRG •Jörg Abraham, EclecticIQ •Kaspersky •Lab52 by S2 Grupo •Leo Loobeek, @leoloobeek •Loic Jaquemet •Lucas da Silva Pereira, @vulcanunsec, CIP •Lukáš Štefanko, ESET •Marc-Etienne M.Léveillé, ESET •Mark Wee •Martin Jirkal, ESET •Martin Smolar, ESET •Matias Nicolas Porolli, ESET •Matt Graeber, @mattifestation, SpecterOps •Matt Kelly, @breakersall •Matthew Demaske, Adaptforward •Matthew Molyett, @s1air •McAfee •Michael Cox •Michal Dida, ESET •Microsoft Threat Intelligence Center (MSTIC) •Mike Kemmerer •Milos Stojadinovic •Mnemonic •Netskope •Nick Carr, FireEye •Nik Seetharaman, Palantir •Nishan Maharjan, @loki248 •Oddvar Moe, @oddvarmoe •Oleg Kolesnikov •Oleg Skulkin, Group-IB •Omkar Gudhate •Patrick Campbell, @pjcampbe11 •Paul Speulstra, AECOM •Pedro Harrison •Praetorian •Prashant Verma, Paladion •Rahmat Nurfauzi, PT Xynexis International •Red Canary •RedHuntLabs, @redhuntlabs •Ricardo Dias •Richard Gold, Digital Shadows •Richie Cyrus, SpecterOps •Rob Smith •Robby Winchester, @robwinchester3 •Robert Falcone •Romain Dumont, ESET •Ryan Becwar •Ryan Benson, Exabeam •Sahar Shukrun •Saisha Agrawal, Microsoft (MSTIC) •Scott Lundgren, @5twenty9, Carbon Black •Shailesh Tiwary (Indian Army) •Shane Tully, @securitygypsy •Stefan Kanthak •Sudhanshu Chauhan, @Sudhanshu_C •Sunny Neo •Swetha Prabakaran, Microsoft (MSTIC) •Sylvain Gil, Exabeam •Tatsuya Daitoku, Cyber Defense Institute, Inc. •Teodor Cimpoesu •Tim MalcomVetter •Tom Ueltschi @c_APT_ure •Tony Lambert, Red Canary •Travis Smith, Tripwire •Tristan Bennett, Seamless Intelligence •Valerii Marchuk, Cybersecurity Help s.r.o. •Veeral Patel •Vincent Le Toux •Walker Johnson •Wayne Silva, Countercept •Ye Yint Min Thu Htut, DBS Bank •Yonatan Gotlib, Deep Instinct Individuals + orgs contributing to ATT&CK!
  17. 17. ©2019 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for public release. Distribution unlimited 19-00696-15 | 18 | Mobile ATT&CK Enterprise ATT&CK PRE-ATT&CK It’s just ICS ATT&CK Mappings to Controls Frameworks Things Yet to Come
  18. 18. ©2019 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for public release. Distribution unlimited 19-00696-15 More ATT&CK Updates! Tuesday 1:30 pm TRAM 3:45 pm ATT&CK Sightings Wednesday 10:15 am ICS ATT&CK 12:00 pm Controls Mapping 2:00 pm CAR and Analytics 3:15 pm PRE Integration | 19 |
  19. 19. ©2019 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for public release. Distribution unlimited 19-00696-15 | 20 | attack@mitre.org @MITREattack #ATTACKcon Blake Strom @stromcoffee
  • JenniferJackson451663

    Dec. 5, 2021

MITRE ATT&CKcon 2.0: State of the ATT&CK; Blake Strom, MITRE

Views

Total views

1,213

On Slideshare

0

From embeds

0

Number of embeds

0

Actions

Downloads

111

Shares

0

Comments

0

Likes

1

×