The document discusses the detection philosophy and evolution of threat detection catalog management within the context of the ATT&CK framework. It emphasizes the importance of maintaining a catalog for knowledge transfer and historical record, and outlines strategies for detecting suspicious network activity, specifically SMB worm behavior. Key lessons learned include the significance of nomenclature and proper documentation in enhancing operational effectiveness.

1. Detection Philosophy,
Evolution & ATT&CK
A BRIEF DISCUSSION AROUND HOW WE ARE MANAGING OUR
‘DETECTION CATALOG’ AND HOW IT MAPS TO AND IS ENHANCED BY
THE ATT&CK FRAMEWORK
Fred Stankowski & Travis McWaters

2. 2
Who are you?
Cyber Threat
Intelligence (CTI)
Threat Detection
Operations (TDO)
Incident
Response (IR)
Attack Surface
Management (ASM)
Enterprise Incident
Mgmt (EIM)
Threat Detection
Operations (TDO)

3. 3
Detection Philosophy
Why you need a catalog
• Historical Record
• Knowledge Transfer
• Work Management

4. 4
Evolution – V0

5. 5
Evolution V1

6. 6
Evolution V1

7. 7
Evolution V2

8. 8
Example ADS entry
Network - Suspicious Network Activity - SMB
Worm Behavior
Goal
Detect SMB Worms by the firewall deny messages they generate
Categorization
These attempts are categorized as Scanning / Network Service
Scanning (T1046)
Strategy Abstract
The strategy will function as follows:
•Look for traffic blocked by the firewalls bound for destination port 445
•Count the number of destination hosts a source tried to reach
•Validate the source is a Company asset, not external
•Alert if the number of targets exceeds NNN in under MMM minutes
Technical Context
<...>
• Blind Spots and Assumptions
• False Positives
• Validation
• Priority
• Response

9. 9
Lessons Learned
Nomenclature
Matters
Use a code repo
sooner
Good docs
mitigate attrition
pains