MITRE - ATT&CKcon, profile picture
Uploaded byMITRE - ATT&CKcon
PDF, PPTX1,058 views

MITRE ATT&CKcon 2018: Decision Analysis Applications in Threat Analysis Frameworks, Emily Shawgo, PNC

The document discusses decision analysis applications within threat analysis frameworks, focusing on identifying top threats and understanding attack methods through a decision tree. It highlights the success and failure stages of various attacks including spearphishing, malware execution, and service provider attacks, while emphasizing that the framework aids in the prioritization of mitigations and personalization of corporate policy. The presentation concludes by encouraging future directions and inquiries related to the framework's implementation.

Embed presentation

Download as PDF, PPTX
DecisionAnalysis Applications inThreat Analysis Frameworks Emily Shawgo October 6, 2018
Agenda  Background  Framework  Future directions  Conclusion  Questions
Background
Framework Identify top threats Research attack methods of threats Form decision tree to understand primary and secondary attacks Synthesize with organizational weaknesses
Spearphishing SUCCESS – stage completed Process discovery SUCCESS – stage completed Malware execution and data exfiltration FAILURE – alternate method Lateral movement SUCCESS – stage completed Malware execution and data exfiltration FAILURE – alternate method Brute force SUCCESS – stage completed Process discovery SUCCESS – stage completed Malware execution and data exfiltration FAILURE – alternate method Lateral movement SUCCESS – stage completed Malware execution and data exfiltration Turla
Spearphishing SUCCESS – stage complete Backdoor execution SUCCESS – stage completed Establish C2 server comm SUCCESS – stage completed Exfiltrate data FAILURE – alternate method Service provider attack SUCCESS – stage completed Spoofed communication SUCCESS – stage completed Backdoor execution SUCCESS – stage completed Establish C2 server comm SUCCESS – stage completed Exfiltrate data FAILURE – alternate method System vulnerability exploit SUCCESS – stage completed Exfiltrate data System vulnerability exploit SUCCESS – stage completed FAILURE – alternate method Service provider attack SUCCESS – stage completed Spoofed communication SUCCESS – stage completed Backdoor execution SUCCESS – stage completed Establish C2 server comm SUCCESS – stage completed Exfiltrate data APT10
Conclusion  Framework can be used for prioritization of mitigations  It can also allow for personalization of corporate policy  It is not just for APTs!
Questions? Twitter: @EmilyShawgo LinkedIn: https://www.linkedin.com/in/emily-shawgo-00ab73100/
References  (1)Binde, B.E., McRee, R., & O’Connor, T.J. (2017). Assessing outbound traffic to uncover Advanced Persistent Threat. SANS Technology Institute. Retrieved from https://www.sans.edu/student-files/projects/JWP-Binde-McRee-OConnor- slideswnote.pdf  (2)FireEye Intelligence. (2017, April 06). APT10 (MenuPass Group): New Tools, Global Campaign Latest Manifestation of Longstanding Threat. Retrieved from https://www.fireeye.com/blog/threat- research/2017/04/apt10_menupass_grou.html  (3)ICS-CERT (n.d.). Cyber Threat Source Descriptions. Retrieved from https://ics-cert.us-cert.gov/content/cyber-threat- source-descriptions  (4)Lockheed Martin (n.d.). Gaining the advantage: Applying Cyber Kill Chain methodology to network defense. Retrieved from https://www.lockheedmartin.com/content/dam/lockheed- martin/rms/documents/cyber/Gaining_the_Advantage_Cyber_Kill_Chain.pdf  (5)MITRE. (n.d.). Group: Turla, Waterbug, WhiteBear. Retrieved from https://attack.mitre.org/wiki/Group/G0010  (6)MITRE. (n.d). Group: menuPass, Stone Panda, ... Retrieved from https://attack.mitre.org/wiki/Group/G0045  (7)MITRE. (n.d.). Introduction and Overview. Retrieved from https://attack.mitre.org/wiki/Introduction_and_Overview  (8)Neely, L. (2017). 2017 Threat Landscape Survey: Users on the Front Line. SANS Institute. Retrieved from https://www.sans.org/reading-room/whitepapers/threats/2017-threat-landscape-survey-users-front-line-37910  (9)Rapid7. (2017, December 06). Top Threat Actors and Their Tactics, Techniques, Tools, and Targets. Retrieved from https://blog.rapid7.com/2017/05/16/top-threat-actors/  (10)Rass, S., König, S., & Schauer, S. (2017). Defending Against Advanced Persistent Threats Using Game-Theory. PLoS ONE, 12(1), e0168675. http://doi.org/10.1371/journal.pone.0168675  (11)Recorded Future. (2017, February 04). Top 6 Sources for Identifying Threat Actor TTPs. Retrieved from https://www.recordedfuture.com/threat-actor-ttp-sources/

More Related Content

PDF
MITRE ATT&CKcon 2.0: Prioritizing ATT&CK Informed Defenses the CIS Way; Phili...
byMITRE - ATT&CKcon
 
PDF
MITRE ATT&CKcon 2018: Summiting the Pyramid of Pain: Operationalizing ATT&CK,...
byMITRE - ATT&CKcon
 
PDF
Tracking Noisy Behavior and Risk-Based Alerting with ATT&CK
byMITRE ATT&CK
 
PDF
MITRE ATT&CKcon 2018: ATT&CK: All the Things, Neelsen Cyrus and David Thompso...
byMITRE - ATT&CKcon
 
PDF
ATTACKers Think in Graphs: Building Graphs for Threat Intelligence
byMITRE - ATT&CKcon
 
PDF
Transforming Adversary Emulation Into a Data Analysis Question
byMITRE - ATT&CKcon
 
PDF
MITRE ATTACKcon Power Hour - October
byMITRE - ATT&CKcon
 
PDF
ATT&CKcon Power Hour - ATT&CK-onomics - gert-jan bruggink
byGert-Jan Bruggink
 
MITRE ATT&CKcon 2.0: Prioritizing ATT&CK Informed Defenses the CIS Way; Phili...
byMITRE - ATT&CKcon
 
MITRE ATT&CKcon 2018: Summiting the Pyramid of Pain: Operationalizing ATT&CK,...
byMITRE - ATT&CKcon
 
Tracking Noisy Behavior and Risk-Based Alerting with ATT&CK
byMITRE ATT&CK
 
MITRE ATT&CKcon 2018: ATT&CK: All the Things, Neelsen Cyrus and David Thompso...
byMITRE - ATT&CKcon
 
ATTACKers Think in Graphs: Building Graphs for Threat Intelligence
byMITRE - ATT&CKcon
 
Transforming Adversary Emulation Into a Data Analysis Question
byMITRE - ATT&CKcon
 
MITRE ATTACKcon Power Hour - October
byMITRE - ATT&CKcon
 
ATT&CKcon Power Hour - ATT&CK-onomics - gert-jan bruggink
byGert-Jan Bruggink
 

What's hot

PPTX
Leveraging MITRE ATT&CK - Speaking the Common Language
byErik Van Buggenhout
 
PDF
MITRE ATT&CKcon 2.0: Using Threat Intelligence to Focus ATT&CK Activities; Da...
byMITRE - ATT&CKcon
 
PPTX
Putting MITRE ATT&CK into Action with What You Have, Where You Are
byKatie Nickels
 
PDF
Mitre getting-started-with-attack-october-2019
byThang Nguyen
 
PDF
MITRE ATT&CKcon 2018: Hunters ATT&CKing with the Data, Roberto Rodriguez, Spe...
byMITRE - ATT&CKcon
 
PDF
How MITRE ATT&CK helps security operations
bySergey Soldatov
 
PDF
MITRE ATT&CKcon 2018: Sofacy 2018 and the Adversary Playbook, Robert Falcone,...
byMITRE - ATT&CKcon
 
PDF
Threat Intelligence in Cyber Risk Programs
byRahul Neel Mani
 
PDF
MITRE ATTACKcon Power Hour - January
byMITRE - ATT&CKcon
 
PDF
MITRE ATT&CKcon Power Hour - November
byMITRE - ATT&CKcon
 
PDF
Dreaming of IoCs Adding Time Context to Threat Intelligence
byPriyanka Aash
 
PDF
MITRE ATT&CKcon 2018: Helping Your Non-Security Executives Understand ATT&CK ...
byMITRE - ATT&CKcon
 
PPTX
Cyber threat intelligence: maturity and metrics
byMark Arena
 
PDF
Outpost24 webinar - Mapping Vulnerabilities with the MITRE ATT&CK Framework
byOutpost24
 
PDF
MITRE ATT&CKcon 2.0: Prioritizing Data Sources for Minimum Viable Detection; ...
byMITRE - ATT&CKcon
 
PDF
MITRE ATT&CKcon 2.0: The World's Most Dangerous ATT&CKers; Robert Lipovsky, ESET
byMITRE - ATT&CKcon
 
PDF
Measure What Matters: How to Use MITRE ATTACK to do the Right Things in the R...
byMITRE - ATT&CKcon
 
PDF
MITRE ATT&CKcon 2.0: AMITT - ATT&CK-based Standards for Misinformation Threat...
byMITRE - ATT&CKcon
 
PDF
What's a MITRE with your Security?
byMITRE - ATT&CKcon
 
PDF
Mapping the EventBot Mobile Banking Trojan with MITRE ATTACK for Mobile
byMITRE - ATT&CKcon
 
Leveraging MITRE ATT&CK - Speaking the Common Language
byErik Van Buggenhout
 
MITRE ATT&CKcon 2.0: Using Threat Intelligence to Focus ATT&CK Activities; Da...
byMITRE - ATT&CKcon
 
Putting MITRE ATT&CK into Action with What You Have, Where You Are
byKatie Nickels
 
Mitre getting-started-with-attack-october-2019
byThang Nguyen
 
MITRE ATT&CKcon 2018: Hunters ATT&CKing with the Data, Roberto Rodriguez, Spe...
byMITRE - ATT&CKcon
 
How MITRE ATT&CK helps security operations
bySergey Soldatov
 
MITRE ATT&CKcon 2018: Sofacy 2018 and the Adversary Playbook, Robert Falcone,...
byMITRE - ATT&CKcon
 
Threat Intelligence in Cyber Risk Programs
byRahul Neel Mani
 
MITRE ATTACKcon Power Hour - January
byMITRE - ATT&CKcon
 
MITRE ATT&CKcon Power Hour - November
byMITRE - ATT&CKcon
 
Dreaming of IoCs Adding Time Context to Threat Intelligence
byPriyanka Aash
 
MITRE ATT&CKcon 2018: Helping Your Non-Security Executives Understand ATT&CK ...
byMITRE - ATT&CKcon
 
Cyber threat intelligence: maturity and metrics
byMark Arena
 
Outpost24 webinar - Mapping Vulnerabilities with the MITRE ATT&CK Framework
byOutpost24
 
MITRE ATT&CKcon 2.0: Prioritizing Data Sources for Minimum Viable Detection; ...
byMITRE - ATT&CKcon
 
MITRE ATT&CKcon 2.0: The World's Most Dangerous ATT&CKers; Robert Lipovsky, ESET
byMITRE - ATT&CKcon
 
Measure What Matters: How to Use MITRE ATTACK to do the Right Things in the R...
byMITRE - ATT&CKcon
 
MITRE ATT&CKcon 2.0: AMITT - ATT&CK-based Standards for Misinformation Threat...
byMITRE - ATT&CKcon
 
What's a MITRE with your Security?
byMITRE - ATT&CKcon
 
Mapping the EventBot Mobile Banking Trojan with MITRE ATTACK for Mobile
byMITRE - ATT&CKcon
 

Similar to MITRE ATT&CKcon 2018: Decision Analysis Applications in Threat Analysis Frameworks, Emily Shawgo, PNC

PPTX
Operational Security Intelligence
bySplunk
 
PPT
NetWitness
byTechBiz Forense Digital
 
PDF
Cyber Defense - How to be prepared to APT
bySimone Onofri
 
PDF
Top Threat Hunting Interview Questions.pdf
byinfosec train
 
PDF
Top Threat Hunting Interview Questions download white paper!
bypriyanshamadhwal2
 
PDF
Top Threat Hunting Interview Questions.pdf
byinfosecTrain
 
PDF
𝐓𝐨𝐩 𝐓𝐡𝐫𝐞𝐚𝐭 𝐇𝐮𝐧𝐭𝐢𝐧𝐠 𝐈𝐧𝐭𝐞𝐫𝐯𝐢𝐞𝐰 𝐐𝐮𝐞𝐬𝐭𝐢𝐨𝐧𝐬: 𝐃𝐨𝐰𝐧𝐥𝐨𝐚𝐝 𝐎𝐮𝐫 𝐖𝐡𝐢𝐭𝐞 𝐏𝐚𝐩𝐞𝐫!
byMansi Kandari
 
PPTX
Detection Rules Coverage
bySunny Neo
 
PPTX
PowerPoint on advanced network threats.pptx
byAngieloBecenia1
 
PPTX
Mapping the Enterprise Threat, Risk, and Security Control Landscape with Splunk
byAndrew Gerber
 
PDF
distinguishing-threat-actors-vectors-and-intelligence-sources-slides.pdf
byDoctorGarcia1
 
PDF
Leveraging Campaigns to Untangle the Threat Group Ship of Theseus
byAdam Pennington
 
PDF
MITRE-Module 5 Slides.pdf
byReZa AdineH
 
PDF
Welcome to the world of Cyber Threat Intelligence
byAndreas Sfakianakis
 
PDF
Cognitive Security - Anatomy of Advanced Persistent Threats ('12)
byGabriel Dusil
 
PDF
Pitfalls of Cyber Data
byPhil Huggins FBCS CITP
 
PDF
Global Cyber Threat Intelligence
byNTT Innovation Institute Inc.
 
PDF
[Bucharest] Attack is easy, let's talk defence
byOWASP EEE
 
PDF
Secure Decisions - Cyber Security Sensemaking
byAnita D'Amico
 
PDF
What Happens Before the Kill Chain
byOpenDNS
 
Operational Security Intelligence
bySplunk
 
NetWitness
byTechBiz Forense Digital
 
Cyber Defense - How to be prepared to APT
bySimone Onofri
 
Top Threat Hunting Interview Questions.pdf
byinfosec train
 
Top Threat Hunting Interview Questions download white paper!
bypriyanshamadhwal2
 
Top Threat Hunting Interview Questions.pdf
byinfosecTrain
 
𝐓𝐨𝐩 𝐓𝐡𝐫𝐞𝐚𝐭 𝐇𝐮𝐧𝐭𝐢𝐧𝐠 𝐈𝐧𝐭𝐞𝐫𝐯𝐢𝐞𝐰 𝐐𝐮𝐞𝐬𝐭𝐢𝐨𝐧𝐬: 𝐃𝐨𝐰𝐧𝐥𝐨𝐚𝐝 𝐎𝐮𝐫 𝐖𝐡𝐢𝐭𝐞 𝐏𝐚𝐩𝐞𝐫!
byMansi Kandari
 
Detection Rules Coverage
bySunny Neo
 
PowerPoint on advanced network threats.pptx
byAngieloBecenia1
 
Mapping the Enterprise Threat, Risk, and Security Control Landscape with Splunk
byAndrew Gerber
 
distinguishing-threat-actors-vectors-and-intelligence-sources-slides.pdf
byDoctorGarcia1
 
Leveraging Campaigns to Untangle the Threat Group Ship of Theseus
byAdam Pennington
 
MITRE-Module 5 Slides.pdf
byReZa AdineH
 
Welcome to the world of Cyber Threat Intelligence
byAndreas Sfakianakis
 
Cognitive Security - Anatomy of Advanced Persistent Threats ('12)
byGabriel Dusil
 
Pitfalls of Cyber Data
byPhil Huggins FBCS CITP
 
Global Cyber Threat Intelligence
byNTT Innovation Institute Inc.
 
[Bucharest] Attack is easy, let's talk defence
byOWASP EEE
 
Secure Decisions - Cyber Security Sensemaking
byAnita D'Amico
 
What Happens Before the Kill Chain
byOpenDNS
 

More from MITRE - ATT&CKcon

PDF
MITRE ATTACKCon Power Hour - December
byMITRE - ATT&CKcon
 
PDF
MITRE ATT&CKcon 2.0: Flashback with ATT&CK: Exploring Malware History with AT...
byMITRE - ATT&CKcon
 
PDF
Sharpening your Threat-Hunting Program with ATTACK Framework
byMITRE - ATT&CKcon
 
PDF
ATTACK-Onomics: Attacking the Economics Behind Techniques Used by Adversaries
byMITRE - ATT&CKcon
 
PDF
From Theory to Practice: How My ATTACK Perspectives Have Changed
byMITRE - ATT&CKcon
 
PDF
State of the ATTACK
byMITRE - ATT&CKcon
 
PDF
MITRE ATT&CKcon 2.0: Lessons in Purple Team Testing with MITRE ATT&CK; Daniel...
byMITRE - ATT&CKcon
 
PDF
MITRE ATT&CKcon 2.0: ATT&CK Coverage Assessment from a Data Perspective; Olaf...
byMITRE - ATT&CKcon
 
PDF
ATTACKing the Cloud: Hopping Between the Matrices
byMITRE - ATT&CKcon
 
PDF
Helping Small Companies Leverage CTI with an Open Source Threat Mapping
byMITRE - ATT&CKcon
 
PDF
What's New with ATTACK for ICS?
byMITRE - ATT&CKcon
 
PDF
Using ATTACK to Create Cyber DBTS for Nuclear Power Plants
byMITRE - ATT&CKcon
 
PDF
MITRE ATT&CKcon 2.0: Alertable Techniques for Linux Using ATT&CK; Tony Lamber...
byMITRE - ATT&CKcon
 
PDF
Using MITRE PRE-ATTACK and ATTACK in Cybercrime Education and Research
byMITRE - ATT&CKcon
 
PDF
TA505: A Study of High End Big Game Hunting in 2020
byMITRE - ATT&CKcon
 
PDF
Putting the PRE into ATTACK
byMITRE - ATT&CKcon
 
PDF
MITRE ATT&CKcon 2.0: Keynote Address - The Friends We Made Along the Way; Ton...
byMITRE - ATT&CKcon
 
PDF
What's New with ATTACK for Cloud?
byMITRE - ATT&CKcon
 
PDF
Starting Over with Sub-Techniques
byMITRE - ATT&CKcon
 
MITRE ATTACKCon Power Hour - December
byMITRE - ATT&CKcon
 
MITRE ATT&CKcon 2.0: Flashback with ATT&CK: Exploring Malware History with AT...
byMITRE - ATT&CKcon
 
Sharpening your Threat-Hunting Program with ATTACK Framework
byMITRE - ATT&CKcon
 
ATTACK-Onomics: Attacking the Economics Behind Techniques Used by Adversaries
byMITRE - ATT&CKcon
 
From Theory to Practice: How My ATTACK Perspectives Have Changed
byMITRE - ATT&CKcon
 
State of the ATTACK
byMITRE - ATT&CKcon
 
MITRE ATT&CKcon 2.0: Lessons in Purple Team Testing with MITRE ATT&CK; Daniel...
byMITRE - ATT&CKcon
 
MITRE ATT&CKcon 2.0: ATT&CK Coverage Assessment from a Data Perspective; Olaf...
byMITRE - ATT&CKcon
 
ATTACKing the Cloud: Hopping Between the Matrices
byMITRE - ATT&CKcon
 
Helping Small Companies Leverage CTI with an Open Source Threat Mapping
byMITRE - ATT&CKcon
 
What's New with ATTACK for ICS?
byMITRE - ATT&CKcon
 
Using ATTACK to Create Cyber DBTS for Nuclear Power Plants
byMITRE - ATT&CKcon
 
MITRE ATT&CKcon 2.0: Alertable Techniques for Linux Using ATT&CK; Tony Lamber...
byMITRE - ATT&CKcon
 
Using MITRE PRE-ATTACK and ATTACK in Cybercrime Education and Research
byMITRE - ATT&CKcon
 
TA505: A Study of High End Big Game Hunting in 2020
byMITRE - ATT&CKcon
 
Putting the PRE into ATTACK
byMITRE - ATT&CKcon
 
MITRE ATT&CKcon 2.0: Keynote Address - The Friends We Made Along the Way; Ton...
byMITRE - ATT&CKcon
 
What's New with ATTACK for Cloud?
byMITRE - ATT&CKcon
 
Starting Over with Sub-Techniques
byMITRE - ATT&CKcon
 

Recently uploaded

PDF
Day 2 - Network Security ~ 2nd Sight Lab ~ Cloud Security Class ~ 2020
by2nd Sight Lab
 
PDF
Day 1 - Cloud Security Strategy and Planning ~ 2nd Sight Lab ~ Cloud Security...
by2nd Sight Lab
 
PDF
Usage Control for Process Discovery through a Trusted Execution Environment
byValerioGoretti
 
PDF
Unlocking the Power of Salesforce Architecture: Frameworks for Effective Solu...
byvarsha30tiwari
 
PDF
Security Technologys: Access Control, Firewall, VPN
byShielaLasala
 
PPTX
Cybersecurity Best Practices - Step by Step guidelines
byYasir Naveed Riaz
 
PPTX
AI's Impact on Cybersecurity - Challenges and Opportunities
byYasir Naveed Riaz
 
PPTX
Protecting Data in an AI Driven World - Cybersecurity in 2026
byYasir Naveed Riaz
 
PDF
Accelerating Responsible AI Adoption in Public Sector and Private Organizations.
byYasir Naveed Riaz
 
PDF
December Patch Tuesday
byIvanti
 
PDF
Eredità digitale sugli smartphone: cosa resta di noi nei dispositivi mobili
bySpeck&Tech
 
PDF
Vibe Coding vs. Spec-Driven Development [Free Meetup]
byHaim Michael
 
PPTX
Data Privacy and Protection: Safeguarding Information in a Connected World
byYasir Naveed Riaz
 
PDF
Digit Expo 2025 - EICC Edinburgh 27th November
byRay Bugg
 
PDF
Dev Dives: AI that builds with you - UiPath Autopilot for effortless RPA & AP...
byUiPathCommunity
 
PDF
Energy Storage Landscape Clean Energy Ministerial
bySurajitBanerjee38
 
PPTX
cybercrime in Information security .pptx
byismaeelsahib032
 
PPTX
Unit-4-ARTIFICIAL NEURAL NETWORKS.pptx ANN ppt Artificial neural network
byssuserd4481a
 
PPTX
Kanban India 2025 | Daksh Gupta | Modeling the Models, Generative AI & Kanban
byLeanKanbanIndia
 
PPTX
Chapter 3 Introduction to number system.pptx
byGetachewAbera9
 
Day 2 - Network Security ~ 2nd Sight Lab ~ Cloud Security Class ~ 2020
by2nd Sight Lab
 
Day 1 - Cloud Security Strategy and Planning ~ 2nd Sight Lab ~ Cloud Security...
by2nd Sight Lab
 
Usage Control for Process Discovery through a Trusted Execution Environment
byValerioGoretti
 
Unlocking the Power of Salesforce Architecture: Frameworks for Effective Solu...
byvarsha30tiwari
 
Security Technologys: Access Control, Firewall, VPN
byShielaLasala
 
Cybersecurity Best Practices - Step by Step guidelines
byYasir Naveed Riaz
 
AI's Impact on Cybersecurity - Challenges and Opportunities
byYasir Naveed Riaz
 
Protecting Data in an AI Driven World - Cybersecurity in 2026
byYasir Naveed Riaz
 
Accelerating Responsible AI Adoption in Public Sector and Private Organizations.
byYasir Naveed Riaz
 
December Patch Tuesday
byIvanti
 
Eredità digitale sugli smartphone: cosa resta di noi nei dispositivi mobili
bySpeck&Tech
 
Vibe Coding vs. Spec-Driven Development [Free Meetup]
byHaim Michael
 
Data Privacy and Protection: Safeguarding Information in a Connected World
byYasir Naveed Riaz
 
Digit Expo 2025 - EICC Edinburgh 27th November
byRay Bugg
 
Dev Dives: AI that builds with you - UiPath Autopilot for effortless RPA & AP...
byUiPathCommunity
 
Energy Storage Landscape Clean Energy Ministerial
bySurajitBanerjee38
 
cybercrime in Information security .pptx
byismaeelsahib032
 
Unit-4-ARTIFICIAL NEURAL NETWORKS.pptx ANN ppt Artificial neural network
byssuserd4481a
 
Kanban India 2025 | Daksh Gupta | Modeling the Models, Generative AI & Kanban
byLeanKanbanIndia
 
Chapter 3 Introduction to number system.pptx
byGetachewAbera9
 

MITRE ATT&CKcon 2018: Decision Analysis Applications in Threat Analysis Frameworks, Emily Shawgo, PNC

  • 1.
  • 2.
    Agenda  Background  Framework Future directions  Conclusion  Questions
  • 3.
  • 4.
    Framework Identify top threats Researchattack methods of threats Form decision tree to understand primary and secondary attacks Synthesize with organizational weaknesses
  • 5.
    Spearphishing SUCCESS – stage completed Processdiscovery SUCCESS – stage completed Malware execution and data exfiltration FAILURE – alternate method Lateral movement SUCCESS – stage completed Malware execution and data exfiltration FAILURE – alternate method Brute force SUCCESS – stage completed Process discovery SUCCESS – stage completed Malware execution and data exfiltration FAILURE – alternate method Lateral movement SUCCESS – stage completed Malware execution and data exfiltration Turla
  • 6.
    Spearphishing SUCCESS – stage complete Backdoor execution SUCCESS– stage completed Establish C2 server comm SUCCESS – stage completed Exfiltrate data FAILURE – alternate method Service provider attack SUCCESS – stage completed Spoofed communication SUCCESS – stage completed Backdoor execution SUCCESS – stage completed Establish C2 server comm SUCCESS – stage completed Exfiltrate data FAILURE – alternate method System vulnerability exploit SUCCESS – stage completed Exfiltrate data System vulnerability exploit SUCCESS – stage completed FAILURE – alternate method Service provider attack SUCCESS – stage completed Spoofed communication SUCCESS – stage completed Backdoor execution SUCCESS – stage completed Establish C2 server comm SUCCESS – stage completed Exfiltrate data APT10
  • 7.
    Conclusion  Framework canbe used for prioritization of mitigations  It can also allow for personalization of corporate policy  It is not just for APTs!
  • 8.
  • 9.
    References  (1)Binde, B.E.,McRee, R., & O’Connor, T.J. (2017). Assessing outbound traffic to uncover Advanced Persistent Threat. SANS Technology Institute. Retrieved from https://www.sans.edu/student-files/projects/JWP-Binde-McRee-OConnor- slideswnote.pdf  (2)FireEye Intelligence. (2017, April 06). APT10 (MenuPass Group): New Tools, Global Campaign Latest Manifestation of Longstanding Threat. Retrieved from https://www.fireeye.com/blog/threat- research/2017/04/apt10_menupass_grou.html  (3)ICS-CERT (n.d.). Cyber Threat Source Descriptions. Retrieved from https://ics-cert.us-cert.gov/content/cyber-threat- source-descriptions  (4)Lockheed Martin (n.d.). Gaining the advantage: Applying Cyber Kill Chain methodology to network defense. Retrieved from https://www.lockheedmartin.com/content/dam/lockheed- martin/rms/documents/cyber/Gaining_the_Advantage_Cyber_Kill_Chain.pdf  (5)MITRE. (n.d.). Group: Turla, Waterbug, WhiteBear. Retrieved from https://attack.mitre.org/wiki/Group/G0010  (6)MITRE. (n.d). Group: menuPass, Stone Panda, ... Retrieved from https://attack.mitre.org/wiki/Group/G0045  (7)MITRE. (n.d.). Introduction and Overview. Retrieved from https://attack.mitre.org/wiki/Introduction_and_Overview  (8)Neely, L. (2017). 2017 Threat Landscape Survey: Users on the Front Line. SANS Institute. Retrieved from https://www.sans.org/reading-room/whitepapers/threats/2017-threat-landscape-survey-users-front-line-37910  (9)Rapid7. (2017, December 06). Top Threat Actors and Their Tactics, Techniques, Tools, and Targets. Retrieved from https://blog.rapid7.com/2017/05/16/top-threat-actors/  (10)Rass, S., König, S., & Schauer, S. (2017). Defending Against Advanced Persistent Threats Using Game-Theory. PLoS ONE, 12(1), e0168675. http://doi.org/10.1371/journal.pone.0168675  (11)Recorded Future. (2017, February 04). Top 6 Sources for Identifying Threat Actor TTPs. Retrieved from https://www.recordedfuture.com/threat-actor-ttp-sources/