SlideShare a Scribd company logo

MITRE ATT&CKcon 2018: Hunters ATT&CKing with the Data, Roberto Rodriguez, SpecterOps and Jose Luis Rodriguez, Student

With the development of the MITRE ATT&CK framework and its categorization of adversary activity during the attack cycle, understanding what to hunt for has become easier and more efficient than ever. However, organizations are still struggling to understand how they can prioritize the development of hunt hypothesis, assess their current security posture, and develop the right analytics with the help of ATT&CK. Even though there are several ways to utilize ATT&CK to accomplish those goals, there are only a few that are focusing primarily on the data that is currently being collected to drive the success of a hunt program. This presentation shows how organizations can benefit from mapping their current visibility from a data perspective to the ATT&CK framework. It focuses on how to identify, document, standardize and model current available data to enhance a hunt program. It presents an updated ThreatHunter-Playbook, a Kibana ATT&CK dashboard, a new project named Open Source Security Events Metadata known as OSSEM and expands on the “data sources” section already provided by ATT&CK on most of the documented adversarial techniques.

1 of 123
Download to read offline
Hunters ATT&CKing
With The Right Data
1
@Cyb3rWard0g
● Adversary Detection Analyst @SpecterOps
● Author:
○ ThreatHunter-Playbook
○ Hunting ELK (HELK)
○ ATTACK-Python-Client
○ OSSEM (Open Source Security Event
Metadata)
● Form er:
Capital One - USA, Senior Threat Hunter
2https://github.com/Cyb3rWard0g
@Cyb3rPandaH
● Cyber Security Student @NOVAcommcollege
● Author:
○ Tableau-ATTCK
● Contributor:
○ ThreatHunter-Playbook, HELK, OSSEM
● Form er:
UNACEM- Peru, Senior Business Intelligence Analyst
3https://github.com/Cyb3rPanda
Agenda
● Current Threat Hunting & Data Overview
● Threat Hunting & ATT&CK
● What else do I need to know about ATT&CK data sources?
● Defining a data mapping methodology
● ATT&CKing with the right data!
○ Data mapping examples
4
Threat Hunting & Data
LOG IT ALL-> HUNT-> FIND EVIL- REPEAT … Right?,
Maybe?
5
Threat Hunting
What can be
automated?
- Not everything can be
automated
- Enhance SOC
operations
Lessons Learned
- Metrics
- Report Findings
- Transition to IR?
- What didn’t work?
Hunt
- Data Analytics
> Behavioral
> Anomalies/Outliers
- Validate Detection
Pre-Hunt
- Define Hunt Model
- Set Scope
- Define Team Roles
- Identify Adversarial
Technique
- Develop HypothesisThreat
Hunting
6
Ad

Recommended

How MITRE ATT&CK helps security operations
How MITRE ATT&CK helps security operationsHow MITRE ATT&CK helps security operations
How MITRE ATT&CK helps security operationsSergey Soldatov
 
MITRE ATT&CKcon 2.0: Using Threat Intelligence to Focus ATT&CK Activities; Da...
MITRE ATT&CKcon 2.0: Using Threat Intelligence to Focus ATT&CK Activities; Da...MITRE ATT&CKcon 2.0: Using Threat Intelligence to Focus ATT&CK Activities; Da...
MITRE ATT&CKcon 2.0: Using Threat Intelligence to Focus ATT&CK Activities; Da...MITRE - ATT&CKcon
 
FIRST CTI Symposium: Turning intelligence into action with MITRE ATT&CK™
FIRST CTI Symposium: Turning intelligence into action with MITRE ATT&CK™FIRST CTI Symposium: Turning intelligence into action with MITRE ATT&CK™
FIRST CTI Symposium: Turning intelligence into action with MITRE ATT&CK™Katie Nickels
 
Mapping to MITRE ATT&CK: Enhancing Operations Through the Tracking of Interac...
Mapping to MITRE ATT&CK: Enhancing Operations Through the Tracking of Interac...Mapping to MITRE ATT&CK: Enhancing Operations Through the Tracking of Interac...
Mapping to MITRE ATT&CK: Enhancing Operations Through the Tracking of Interac...MITRE ATT&CK
 
Adversary Emulation and Red Team Exercises - EDUCAUSE
Adversary Emulation and Red Team Exercises - EDUCAUSEAdversary Emulation and Red Team Exercises - EDUCAUSE
Adversary Emulation and Red Team Exercises - EDUCAUSEJorge Orchilles
 
MITRE ATT&CK framework
MITRE ATT&CK frameworkMITRE ATT&CK framework
MITRE ATT&CK frameworkBhushan Gurav
 
ATTACKers Think in Graphs: Building Graphs for Threat Intelligence
ATTACKers Think in Graphs: Building Graphs for Threat IntelligenceATTACKers Think in Graphs: Building Graphs for Threat Intelligence
ATTACKers Think in Graphs: Building Graphs for Threat IntelligenceMITRE - ATT&CKcon
 
Sharpening your Threat-Hunting Program with ATTACK Framework
Sharpening your Threat-Hunting Program with ATTACK FrameworkSharpening your Threat-Hunting Program with ATTACK Framework
Sharpening your Threat-Hunting Program with ATTACK FrameworkMITRE - ATT&CKcon
 

More Related Content

What's hot

Threat-Based Adversary Emulation with MITRE ATT&CK
Threat-Based Adversary Emulation with MITRE ATT&CKThreat-Based Adversary Emulation with MITRE ATT&CK
Threat-Based Adversary Emulation with MITRE ATT&CKKatie Nickels
 
Knowledge for the masses: Storytelling with ATT&CK
Knowledge for the masses: Storytelling with ATT&CKKnowledge for the masses: Storytelling with ATT&CK
Knowledge for the masses: Storytelling with ATT&CKMITRE ATT&CK
 
Purple Team Exercise Framework Workshop #PTEF
Purple Team Exercise Framework Workshop #PTEFPurple Team Exercise Framework Workshop #PTEF
Purple Team Exercise Framework Workshop #PTEFJorge Orchilles
 
MITRE ATT&CKcon 2.0: Lessons in Purple Team Testing with MITRE ATT&CK; Daniel...
MITRE ATT&CKcon 2.0: Lessons in Purple Team Testing with MITRE ATT&CK; Daniel...MITRE ATT&CKcon 2.0: Lessons in Purple Team Testing with MITRE ATT&CK; Daniel...
MITRE ATT&CKcon 2.0: Lessons in Purple Team Testing with MITRE ATT&CK; Daniel...MITRE - ATT&CKcon
 
State of the ATT&CK
State of the ATT&CKState of the ATT&CK
State of the ATT&CKMITRE ATT&CK
 
What is ATT&CK coverage, anyway? Breadth and depth analysis with Atomic Red Team
What is ATT&CK coverage, anyway? Breadth and depth analysis with Atomic Red TeamWhat is ATT&CK coverage, anyway? Breadth and depth analysis with Atomic Red Team
What is ATT&CK coverage, anyway? Breadth and depth analysis with Atomic Red TeamMITRE ATT&CK
 
ATT&CKing the Red/Blue Divide
ATT&CKing the Red/Blue DivideATT&CKing the Red/Blue Divide
ATT&CKing the Red/Blue DivideMITRE ATT&CK
 
MITRE ATT&CKcon 2018: Helping Your Non-Security Executives Understand ATT&CK ...
MITRE ATT&CKcon 2018: Helping Your Non-Security Executives Understand ATT&CK ...MITRE ATT&CKcon 2018: Helping Your Non-Security Executives Understand ATT&CK ...
MITRE ATT&CKcon 2018: Helping Your Non-Security Executives Understand ATT&CK ...MITRE - ATT&CKcon
 
Putting MITRE ATT&CK into Action with What You Have, Where You Are
Putting MITRE ATT&CK into Action with What You Have, Where You ArePutting MITRE ATT&CK into Action with What You Have, Where You Are
Putting MITRE ATT&CK into Action with What You Have, Where You AreKatie Nickels
 
Detection Rules Coverage
Detection Rules CoverageDetection Rules Coverage
Detection Rules CoverageSunny Neo
 
Cyber Threat hunting workshop
Cyber Threat hunting workshopCyber Threat hunting workshop
Cyber Threat hunting workshopArpan Raval
 
Adversary Emulation using CALDERA
Adversary Emulation using CALDERAAdversary Emulation using CALDERA
Adversary Emulation using CALDERAErik Van Buggenhout
 
Bsides 2019 - Intelligent Threat Hunting
Bsides 2019 - Intelligent Threat HuntingBsides 2019 - Intelligent Threat Hunting
Bsides 2019 - Intelligent Threat HuntingDhruv Majumdar
 
Introduction to MITRE ATT&CK
Introduction to MITRE ATT&CKIntroduction to MITRE ATT&CK
Introduction to MITRE ATT&CKArpan Raval
 
MITRE ATT&CKcon 2.0: Prioritizing Data Sources for Minimum Viable Detection; ...
MITRE ATT&CKcon 2.0: Prioritizing Data Sources for Minimum Viable Detection; ...MITRE ATT&CKcon 2.0: Prioritizing Data Sources for Minimum Viable Detection; ...
MITRE ATT&CKcon 2.0: Prioritizing Data Sources for Minimum Viable Detection; ...MITRE - ATT&CKcon
 
Cyber Threat Hunting Workshop
Cyber Threat Hunting WorkshopCyber Threat Hunting Workshop
Cyber Threat Hunting WorkshopDigit Oktavianto
 
ATT&CKing Your Adversaries - Operationalizing cyber intelligence in your own ...
ATT&CKing Your Adversaries - Operationalizing cyber intelligence in your own ...ATT&CKing Your Adversaries - Operationalizing cyber intelligence in your own ...
ATT&CKing Your Adversaries - Operationalizing cyber intelligence in your own ...JamieWilliams130
 
ATT&CKing with Threat Intelligence
ATT&CKing with Threat IntelligenceATT&CKing with Threat Intelligence
ATT&CKing with Threat IntelligenceChristopher Korban
 
Effective Threat Hunting with Tactical Threat Intelligence
Effective Threat Hunting with Tactical Threat IntelligenceEffective Threat Hunting with Tactical Threat Intelligence
Effective Threat Hunting with Tactical Threat IntelligenceDhruv Majumdar
 

What's hot (20)

Threat-Based Adversary Emulation with MITRE ATT&CK
Threat-Based Adversary Emulation with MITRE ATT&CKThreat-Based Adversary Emulation with MITRE ATT&CK
Threat-Based Adversary Emulation with MITRE ATT&CK
 
Knowledge for the masses: Storytelling with ATT&CK
Knowledge for the masses: Storytelling with ATT&CKKnowledge for the masses: Storytelling with ATT&CK
Knowledge for the masses: Storytelling with ATT&CK
 
Purple Team Exercise Framework Workshop #PTEF
Purple Team Exercise Framework Workshop #PTEFPurple Team Exercise Framework Workshop #PTEF
Purple Team Exercise Framework Workshop #PTEF
 
MITRE ATT&CKcon 2.0: Lessons in Purple Team Testing with MITRE ATT&CK; Daniel...
MITRE ATT&CKcon 2.0: Lessons in Purple Team Testing with MITRE ATT&CK; Daniel...MITRE ATT&CKcon 2.0: Lessons in Purple Team Testing with MITRE ATT&CK; Daniel...
MITRE ATT&CKcon 2.0: Lessons in Purple Team Testing with MITRE ATT&CK; Daniel...
 
State of the ATT&CK
State of the ATT&CKState of the ATT&CK
State of the ATT&CK
 
What is ATT&CK coverage, anyway? Breadth and depth analysis with Atomic Red Team
What is ATT&CK coverage, anyway? Breadth and depth analysis with Atomic Red TeamWhat is ATT&CK coverage, anyway? Breadth and depth analysis with Atomic Red Team
What is ATT&CK coverage, anyway? Breadth and depth analysis with Atomic Red Team
 
ATT&CKing the Red/Blue Divide
ATT&CKing the Red/Blue DivideATT&CKing the Red/Blue Divide
ATT&CKing the Red/Blue Divide
 
MITRE ATT&CKcon 2018: Helping Your Non-Security Executives Understand ATT&CK ...
MITRE ATT&CKcon 2018: Helping Your Non-Security Executives Understand ATT&CK ...MITRE ATT&CKcon 2018: Helping Your Non-Security Executives Understand ATT&CK ...
MITRE ATT&CKcon 2018: Helping Your Non-Security Executives Understand ATT&CK ...
 
Putting MITRE ATT&CK into Action with What You Have, Where You Are
Putting MITRE ATT&CK into Action with What You Have, Where You ArePutting MITRE ATT&CK into Action with What You Have, Where You Are
Putting MITRE ATT&CK into Action with What You Have, Where You Are
 
Detection Rules Coverage
Detection Rules CoverageDetection Rules Coverage
Detection Rules Coverage
 
ATT&CKcon Intro
ATT&CKcon IntroATT&CKcon Intro
ATT&CKcon Intro
 
Cyber Threat hunting workshop
Cyber Threat hunting workshopCyber Threat hunting workshop
Cyber Threat hunting workshop
 
Adversary Emulation using CALDERA
Adversary Emulation using CALDERAAdversary Emulation using CALDERA
Adversary Emulation using CALDERA
 
Bsides 2019 - Intelligent Threat Hunting
Bsides 2019 - Intelligent Threat HuntingBsides 2019 - Intelligent Threat Hunting
Bsides 2019 - Intelligent Threat Hunting
 
Introduction to MITRE ATT&CK
Introduction to MITRE ATT&CKIntroduction to MITRE ATT&CK
Introduction to MITRE ATT&CK
 
MITRE ATT&CKcon 2.0: Prioritizing Data Sources for Minimum Viable Detection; ...
MITRE ATT&CKcon 2.0: Prioritizing Data Sources for Minimum Viable Detection; ...MITRE ATT&CKcon 2.0: Prioritizing Data Sources for Minimum Viable Detection; ...
MITRE ATT&CKcon 2.0: Prioritizing Data Sources for Minimum Viable Detection; ...
 
Cyber Threat Hunting Workshop
Cyber Threat Hunting WorkshopCyber Threat Hunting Workshop
Cyber Threat Hunting Workshop
 
ATT&CKing Your Adversaries - Operationalizing cyber intelligence in your own ...
ATT&CKing Your Adversaries - Operationalizing cyber intelligence in your own ...ATT&CKing Your Adversaries - Operationalizing cyber intelligence in your own ...
ATT&CKing Your Adversaries - Operationalizing cyber intelligence in your own ...
 
ATT&CKing with Threat Intelligence
ATT&CKing with Threat IntelligenceATT&CKing with Threat Intelligence
ATT&CKing with Threat Intelligence
 
Effective Threat Hunting with Tactical Threat Intelligence
Effective Threat Hunting with Tactical Threat IntelligenceEffective Threat Hunting with Tactical Threat Intelligence
Effective Threat Hunting with Tactical Threat Intelligence
 

Similar to MITRE ATT&CKcon 2018: Hunters ATT&CKing with the Data, Roberto Rodriguez, SpecterOps and Jose Luis Rodriguez, Student

Threat Hunting with Elastic at SpectorOps: Welcome to HELK
Threat Hunting with Elastic at SpectorOps: Welcome to HELKThreat Hunting with Elastic at SpectorOps: Welcome to HELK
Threat Hunting with Elastic at SpectorOps: Welcome to HELKElasticsearch
 
Virtual Splunk User Group - Phantom Workbook Automation & Threat Hunting with...
Virtual Splunk User Group - Phantom Workbook Automation & Threat Hunting with...Virtual Splunk User Group - Phantom Workbook Automation & Threat Hunting with...
Virtual Splunk User Group - Phantom Workbook Automation & Threat Hunting with...Harry McLaren
 
Secure 2019 - APT for Everyone - Adversary Simulations based on ATT&CK Framework
Secure 2019 - APT for Everyone - Adversary Simulations based on ATT&CK FrameworkSecure 2019 - APT for Everyone - Adversary Simulations based on ATT&CK Framework
Secure 2019 - APT for Everyone - Adversary Simulations based on ATT&CK FrameworkLeszek Mi?
 
MITRE ATTACKCon Power Hour - December
MITRE ATTACKCon Power Hour - DecemberMITRE ATTACKCon Power Hour - December
MITRE ATTACKCon Power Hour - DecemberMITRE - ATT&CKcon
 
MITRE AttACK framework it is time you took notice_v1.0
MITRE AttACK framework it is time you took notice_v1.0MITRE AttACK framework it is time you took notice_v1.0
MITRE AttACK framework it is time you took notice_v1.0Michael Gough
 
MITRE ATT&CKcon 2.0: Ready to ATT&CK? Bring Your Own Data (BYOD) and Validate...
MITRE ATT&CKcon 2.0: Ready to ATT&CK? Bring Your Own Data (BYOD) and Validate...MITRE ATT&CKcon 2.0: Ready to ATT&CK? Bring Your Own Data (BYOD) and Validate...
MITRE ATT&CKcon 2.0: Ready to ATT&CK? Bring Your Own Data (BYOD) and Validate...MITRE - ATT&CKcon
 
Machine Learning for (DF)IR with Velociraptor: From Setting Expectations to a...
Machine Learning for (DF)IR with Velociraptor: From Setting Expectations to a...Machine Learning for (DF)IR with Velociraptor: From Setting Expectations to a...
Machine Learning for (DF)IR with Velociraptor: From Setting Expectations to a...Chris Hammerschmidt
 
Amundsen: From discovering to security data
Amundsen: From discovering to security dataAmundsen: From discovering to security data
Amundsen: From discovering to security datamarkgrover
 
Monitoring Big Data Systems - "The Simple Way"
Monitoring Big Data Systems - "The Simple Way"Monitoring Big Data Systems - "The Simple Way"
Monitoring Big Data Systems - "The Simple Way"Demi Ben-Ari
 
The Heatmap
 - Why is Security Visualization so Hard?
The Heatmap
 - Why is Security Visualization so Hard?The Heatmap
 - Why is Security Visualization so Hard?
The Heatmap
 - Why is Security Visualization so Hard?Raffael Marty
 
Elasticsearch Performance Testing and Scaling @ Signal
Elasticsearch Performance Testing and Scaling @ SignalElasticsearch Performance Testing and Scaling @ Signal
Elasticsearch Performance Testing and Scaling @ SignalJoachim Draeger
 
Empowering red and blue teams with osint c0c0n 2017
Empowering red and blue teams with osint   c0c0n 2017Empowering red and blue teams with osint   c0c0n 2017
Empowering red and blue teams with osint c0c0n 2017reconvillage
 
Hunting: Defense Against The Dark Arts v2
Hunting: Defense Against The Dark Arts v2Hunting: Defense Against The Dark Arts v2
Hunting: Defense Against The Dark Arts v2Spyglass Security
 
Concepts, use cases and principles to build big data systems (1)
Concepts, use cases and principles to build big data systems (1)Concepts, use cases and principles to build big data systems (1)
Concepts, use cases and principles to build big data systems (1)Trieu Nguyen
 
Automatic Detection of Web Trackers by Vasia Kalavri
Automatic Detection of Web Trackers by Vasia KalavriAutomatic Detection of Web Trackers by Vasia Kalavri
Automatic Detection of Web Trackers by Vasia KalavriFlink Forward
 
Data Discovery and Metadata
Data Discovery and MetadataData Discovery and Metadata
Data Discovery and Metadatamarkgrover
 
[HITCON 2020 CTI Village] Threat Hunting and Campaign Tracking Workshop.pptx
[HITCON 2020 CTI Village] Threat Hunting and Campaign Tracking Workshop.pptx[HITCON 2020 CTI Village] Threat Hunting and Campaign Tracking Workshop.pptx
[HITCON 2020 CTI Village] Threat Hunting and Campaign Tracking Workshop.pptxChi En (Ashley) Shen
 
AI on Spark for Malware Analysis and Anomalous Threat Detection
AI on Spark for Malware Analysis and Anomalous Threat DetectionAI on Spark for Malware Analysis and Anomalous Threat Detection
AI on Spark for Malware Analysis and Anomalous Threat DetectionDatabricks
 

Similar to MITRE ATT&CKcon 2018: Hunters ATT&CKing with the Data, Roberto Rodriguez, SpecterOps and Jose Luis Rodriguez, Student (20)

Threat Hunting with Elastic at SpectorOps: Welcome to HELK
Threat Hunting with Elastic at SpectorOps: Welcome to HELKThreat Hunting with Elastic at SpectorOps: Welcome to HELK
Threat Hunting with Elastic at SpectorOps: Welcome to HELK
 
Virtual Splunk User Group - Phantom Workbook Automation & Threat Hunting with...
Virtual Splunk User Group - Phantom Workbook Automation & Threat Hunting with...Virtual Splunk User Group - Phantom Workbook Automation & Threat Hunting with...
Virtual Splunk User Group - Phantom Workbook Automation & Threat Hunting with...
 
Secure 2019 - APT for Everyone - Adversary Simulations based on ATT&CK Framework
Secure 2019 - APT for Everyone - Adversary Simulations based on ATT&CK FrameworkSecure 2019 - APT for Everyone - Adversary Simulations based on ATT&CK Framework
Secure 2019 - APT for Everyone - Adversary Simulations based on ATT&CK Framework
 
MITRE ATTACKCon Power Hour - December
MITRE ATTACKCon Power Hour - DecemberMITRE ATTACKCon Power Hour - December
MITRE ATTACKCon Power Hour - December
 
MITRE AttACK framework it is time you took notice_v1.0
MITRE AttACK framework it is time you took notice_v1.0MITRE AttACK framework it is time you took notice_v1.0
MITRE AttACK framework it is time you took notice_v1.0
 
MITRE ATT&CKcon 2.0: Ready to ATT&CK? Bring Your Own Data (BYOD) and Validate...
MITRE ATT&CKcon 2.0: Ready to ATT&CK? Bring Your Own Data (BYOD) and Validate...MITRE ATT&CKcon 2.0: Ready to ATT&CK? Bring Your Own Data (BYOD) and Validate...
MITRE ATT&CKcon 2.0: Ready to ATT&CK? Bring Your Own Data (BYOD) and Validate...
 
900 keynote abbott
900 keynote abbott900 keynote abbott
900 keynote abbott
 
Machine Learning for (DF)IR with Velociraptor: From Setting Expectations to a...
Machine Learning for (DF)IR with Velociraptor: From Setting Expectations to a...Machine Learning for (DF)IR with Velociraptor: From Setting Expectations to a...
Machine Learning for (DF)IR with Velociraptor: From Setting Expectations to a...
 
Amundsen: From discovering to security data
Amundsen: From discovering to security dataAmundsen: From discovering to security data
Amundsen: From discovering to security data
 
Monitoring Big Data Systems - "The Simple Way"
Monitoring Big Data Systems - "The Simple Way"Monitoring Big Data Systems - "The Simple Way"
Monitoring Big Data Systems - "The Simple Way"
 
The Heatmap
 - Why is Security Visualization so Hard?
The Heatmap
 - Why is Security Visualization so Hard?The Heatmap
 - Why is Security Visualization so Hard?
The Heatmap
 - Why is Security Visualization so Hard?
 
Elasticsearch Performance Testing and Scaling @ Signal
Elasticsearch Performance Testing and Scaling @ SignalElasticsearch Performance Testing and Scaling @ Signal
Elasticsearch Performance Testing and Scaling @ Signal
 
Analyzing social media with Python and other tools (1/4)
Analyzing social media with Python and other tools (1/4)Analyzing social media with Python and other tools (1/4)
Analyzing social media with Python and other tools (1/4)
 
Empowering red and blue teams with osint c0c0n 2017
Empowering red and blue teams with osint   c0c0n 2017Empowering red and blue teams with osint   c0c0n 2017
Empowering red and blue teams with osint c0c0n 2017
 
Hunting: Defense Against The Dark Arts v2
Hunting: Defense Against The Dark Arts v2Hunting: Defense Against The Dark Arts v2
Hunting: Defense Against The Dark Arts v2
 
Concepts, use cases and principles to build big data systems (1)
Concepts, use cases and principles to build big data systems (1)Concepts, use cases and principles to build big data systems (1)
Concepts, use cases and principles to build big data systems (1)
 
Automatic Detection of Web Trackers by Vasia Kalavri
Automatic Detection of Web Trackers by Vasia KalavriAutomatic Detection of Web Trackers by Vasia Kalavri
Automatic Detection of Web Trackers by Vasia Kalavri
 
Data Discovery and Metadata
Data Discovery and MetadataData Discovery and Metadata
Data Discovery and Metadata
 
[HITCON 2020 CTI Village] Threat Hunting and Campaign Tracking Workshop.pptx
[HITCON 2020 CTI Village] Threat Hunting and Campaign Tracking Workshop.pptx[HITCON 2020 CTI Village] Threat Hunting and Campaign Tracking Workshop.pptx
[HITCON 2020 CTI Village] Threat Hunting and Campaign Tracking Workshop.pptx
 
AI on Spark for Malware Analysis and Anomalous Threat Detection
AI on Spark for Malware Analysis and Anomalous Threat DetectionAI on Spark for Malware Analysis and Anomalous Threat Detection
AI on Spark for Malware Analysis and Anomalous Threat Detection
 

More from MITRE - ATT&CKcon

ATTACK-Onomics: Attacking the Economics Behind Techniques Used by Adversaries
ATTACK-Onomics: Attacking the Economics Behind Techniques Used by AdversariesATTACK-Onomics: Attacking the Economics Behind Techniques Used by Adversaries
ATTACK-Onomics: Attacking the Economics Behind Techniques Used by AdversariesMITRE - ATT&CKcon
 
Measure What Matters: How to Use MITRE ATTACK to do the Right Things in the R...
Measure What Matters: How to Use MITRE ATTACK to do the Right Things in the R...Measure What Matters: How to Use MITRE ATTACK to do the Right Things in the R...
Measure What Matters: How to Use MITRE ATTACK to do the Right Things in the R...MITRE - ATT&CKcon
 
MITRE ATTACKcon Power Hour - January
MITRE ATTACKcon Power Hour - JanuaryMITRE ATTACKcon Power Hour - January
MITRE ATTACKcon Power Hour - JanuaryMITRE - ATT&CKcon
 
Using ATTACK to Create Cyber DBTS for Nuclear Power Plants
Using ATTACK to Create Cyber DBTS for Nuclear Power PlantsUsing ATTACK to Create Cyber DBTS for Nuclear Power Plants
Using ATTACK to Create Cyber DBTS for Nuclear Power PlantsMITRE - ATT&CKcon
 
Helping Small Companies Leverage CTI with an Open Source Threat Mapping
Helping Small Companies Leverage CTI with an Open Source Threat MappingHelping Small Companies Leverage CTI with an Open Source Threat Mapping
Helping Small Companies Leverage CTI with an Open Source Threat MappingMITRE - ATT&CKcon
 
What's New with ATTACK for ICS?
What's New with ATTACK for ICS?What's New with ATTACK for ICS?
What's New with ATTACK for ICS?MITRE - ATT&CKcon
 
From Theory to Practice: How My ATTACK Perspectives Have Changed
From Theory to Practice: How My ATTACK Perspectives Have ChangedFrom Theory to Practice: How My ATTACK Perspectives Have Changed
From Theory to Practice: How My ATTACK Perspectives Have ChangedMITRE - ATT&CKcon
 
What's a MITRE with your Security?
What's a MITRE with your Security?What's a MITRE with your Security?
What's a MITRE with your Security?MITRE - ATT&CKcon
 
ATTACKing the Cloud: Hopping Between the Matrices
ATTACKing the Cloud: Hopping Between the MatricesATTACKing the Cloud: Hopping Between the Matrices
ATTACKing the Cloud: Hopping Between the MatricesMITRE - ATT&CKcon
 
Mapping the EventBot Mobile Banking Trojan with MITRE ATTACK for Mobile
Mapping the EventBot Mobile Banking Trojan with MITRE ATTACK for MobileMapping the EventBot Mobile Banking Trojan with MITRE ATTACK for Mobile
Mapping the EventBot Mobile Banking Trojan with MITRE ATTACK for MobileMITRE - ATT&CKcon
 
Transforming Adversary Emulation Into a Data Analysis Question
Transforming Adversary Emulation Into a Data Analysis QuestionTransforming Adversary Emulation Into a Data Analysis Question
Transforming Adversary Emulation Into a Data Analysis QuestionMITRE - ATT&CKcon
 
TA505: A Study of High End Big Game Hunting in 2020
TA505: A Study of High End Big Game Hunting in 2020TA505: A Study of High End Big Game Hunting in 2020
TA505: A Study of High End Big Game Hunting in 2020MITRE - ATT&CKcon
 
Using MITRE PRE-ATTACK and ATTACK in Cybercrime Education and Research
Using MITRE PRE-ATTACK and ATTACK in Cybercrime Education and ResearchUsing MITRE PRE-ATTACK and ATTACK in Cybercrime Education and Research
Using MITRE PRE-ATTACK and ATTACK in Cybercrime Education and ResearchMITRE - ATT&CKcon
 
What's New with ATTACK for Cloud?
What's New with ATTACK for Cloud?What's New with ATTACK for Cloud?
What's New with ATTACK for Cloud?MITRE - ATT&CKcon
 
Starting Over with Sub-Techniques
Starting Over with Sub-TechniquesStarting Over with Sub-Techniques
Starting Over with Sub-TechniquesMITRE - ATT&CKcon
 
MITRE ATT&CKcon Power Hour - November
MITRE ATT&CKcon Power Hour - NovemberMITRE ATT&CKcon Power Hour - November
MITRE ATT&CKcon Power Hour - NovemberMITRE - ATT&CKcon
 
MITRE ATTACKcon Power Hour - October
MITRE ATTACKcon Power Hour - OctoberMITRE ATTACKcon Power Hour - October
MITRE ATTACKcon Power Hour - OctoberMITRE - ATT&CKcon
 
MITRE ATT&CKcon 2.0: Flashback with ATT&CK: Exploring Malware History with AT...
MITRE ATT&CKcon 2.0: Flashback with ATT&CK: Exploring Malware History with AT...MITRE ATT&CKcon 2.0: Flashback with ATT&CK: Exploring Malware History with AT...
MITRE ATT&CKcon 2.0: Flashback with ATT&CK: Exploring Malware History with AT...MITRE - ATT&CKcon
 

More from MITRE - ATT&CKcon (20)

State of the ATTACK
State of the ATTACKState of the ATTACK
State of the ATTACK
 
ATTACK-Onomics: Attacking the Economics Behind Techniques Used by Adversaries
ATTACK-Onomics: Attacking the Economics Behind Techniques Used by AdversariesATTACK-Onomics: Attacking the Economics Behind Techniques Used by Adversaries
ATTACK-Onomics: Attacking the Economics Behind Techniques Used by Adversaries
 
Measure What Matters: How to Use MITRE ATTACK to do the Right Things in the R...
Measure What Matters: How to Use MITRE ATTACK to do the Right Things in the R...Measure What Matters: How to Use MITRE ATTACK to do the Right Things in the R...
Measure What Matters: How to Use MITRE ATTACK to do the Right Things in the R...
 
MITRE ATTACKcon Power Hour - January
MITRE ATTACKcon Power Hour - JanuaryMITRE ATTACKcon Power Hour - January
MITRE ATTACKcon Power Hour - January
 
Using ATTACK to Create Cyber DBTS for Nuclear Power Plants
Using ATTACK to Create Cyber DBTS for Nuclear Power PlantsUsing ATTACK to Create Cyber DBTS for Nuclear Power Plants
Using ATTACK to Create Cyber DBTS for Nuclear Power Plants
 
Helping Small Companies Leverage CTI with an Open Source Threat Mapping
Helping Small Companies Leverage CTI with an Open Source Threat MappingHelping Small Companies Leverage CTI with an Open Source Threat Mapping
Helping Small Companies Leverage CTI with an Open Source Threat Mapping
 
What's New with ATTACK for ICS?
What's New with ATTACK for ICS?What's New with ATTACK for ICS?
What's New with ATTACK for ICS?
 
From Theory to Practice: How My ATTACK Perspectives Have Changed
From Theory to Practice: How My ATTACK Perspectives Have ChangedFrom Theory to Practice: How My ATTACK Perspectives Have Changed
From Theory to Practice: How My ATTACK Perspectives Have Changed
 
Putting the PRE into ATTACK
Putting the PRE into ATTACKPutting the PRE into ATTACK
Putting the PRE into ATTACK
 
What's a MITRE with your Security?
What's a MITRE with your Security?What's a MITRE with your Security?
What's a MITRE with your Security?
 
ATTACKing the Cloud: Hopping Between the Matrices
ATTACKing the Cloud: Hopping Between the MatricesATTACKing the Cloud: Hopping Between the Matrices
ATTACKing the Cloud: Hopping Between the Matrices
 
Mapping the EventBot Mobile Banking Trojan with MITRE ATTACK for Mobile
Mapping the EventBot Mobile Banking Trojan with MITRE ATTACK for MobileMapping the EventBot Mobile Banking Trojan with MITRE ATTACK for Mobile
Mapping the EventBot Mobile Banking Trojan with MITRE ATTACK for Mobile
 
Transforming Adversary Emulation Into a Data Analysis Question
Transforming Adversary Emulation Into a Data Analysis QuestionTransforming Adversary Emulation Into a Data Analysis Question
Transforming Adversary Emulation Into a Data Analysis Question
 
TA505: A Study of High End Big Game Hunting in 2020
TA505: A Study of High End Big Game Hunting in 2020TA505: A Study of High End Big Game Hunting in 2020
TA505: A Study of High End Big Game Hunting in 2020
 
Using MITRE PRE-ATTACK and ATTACK in Cybercrime Education and Research
Using MITRE PRE-ATTACK and ATTACK in Cybercrime Education and ResearchUsing MITRE PRE-ATTACK and ATTACK in Cybercrime Education and Research
Using MITRE PRE-ATTACK and ATTACK in Cybercrime Education and Research
 
What's New with ATTACK for Cloud?
What's New with ATTACK for Cloud?What's New with ATTACK for Cloud?
What's New with ATTACK for Cloud?
 
Starting Over with Sub-Techniques
Starting Over with Sub-TechniquesStarting Over with Sub-Techniques
Starting Over with Sub-Techniques
 
MITRE ATT&CKcon Power Hour - November
MITRE ATT&CKcon Power Hour - NovemberMITRE ATT&CKcon Power Hour - November
MITRE ATT&CKcon Power Hour - November
 
MITRE ATTACKcon Power Hour - October
MITRE ATTACKcon Power Hour - OctoberMITRE ATTACKcon Power Hour - October
MITRE ATTACKcon Power Hour - October
 
MITRE ATT&CKcon 2.0: Flashback with ATT&CK: Exploring Malware History with AT...
MITRE ATT&CKcon 2.0: Flashback with ATT&CK: Exploring Malware History with AT...MITRE ATT&CKcon 2.0: Flashback with ATT&CK: Exploring Malware History with AT...
MITRE ATT&CKcon 2.0: Flashback with ATT&CK: Exploring Malware History with AT...
 

Recently uploaded

How to write an effective Cyber Incident Response Plan
How to write an effective Cyber Incident Response PlanHow to write an effective Cyber Incident Response Plan
How to write an effective Cyber Incident Response PlanDatabarracks
 
10 things that helped me advance my career - PHP UK Conference 2024
10 things that helped me advance my career - PHP UK Conference 202410 things that helped me advance my career - PHP UK Conference 2024
10 things that helped me advance my career - PHP UK Conference 2024Thijs Feryn
 
Progress Report: Ministry of IT under Dr. Umar Saif Aug 23-Feb'24
Progress Report: Ministry of IT under Dr. Umar Saif Aug 23-Feb'24Progress Report: Ministry of IT under Dr. Umar Saif Aug 23-Feb'24
Progress Report: Ministry of IT under Dr. Umar Saif Aug 23-Feb'24Umar Saif
 
"Testing of Helm Charts or There and Back Again", Yura Rochniak
"Testing of Helm Charts or There and Back Again", Yura Rochniak"Testing of Helm Charts or There and Back Again", Yura Rochniak
"Testing of Helm Charts or There and Back Again", Yura RochniakFwdays
 
My sample product research idea for you!
My sample product research idea for you!My sample product research idea for you!
My sample product research idea for you!KivenRaySarsaba
 
Dev Dives: Leverage APIs and Gen AI to power automations for RPA and software...
Dev Dives: Leverage APIs and Gen AI to power automations for RPA and software...Dev Dives: Leverage APIs and Gen AI to power automations for RPA and software...
Dev Dives: Leverage APIs and Gen AI to power automations for RPA and software...UiPathCommunity
 
Automation Ops Series: Session 1 - Introduction and setup DevOps for UiPath p...
Automation Ops Series: Session 1 - Introduction and setup DevOps for UiPath p...Automation Ops Series: Session 1 - Introduction and setup DevOps for UiPath p...
Automation Ops Series: Session 1 - Introduction and setup DevOps for UiPath p...DianaGray10
 
Apex Replay Debugger and Salesforce Platform Events.pptx
Apex Replay Debugger and Salesforce Platform Events.pptxApex Replay Debugger and Salesforce Platform Events.pptx
Apex Replay Debugger and Salesforce Platform Events.pptxmohayyudin7826
 
Enterprise Architecture As Strategy - Book Review
Enterprise Architecture As Strategy - Book ReviewEnterprise Architecture As Strategy - Book Review
Enterprise Architecture As Strategy - Book ReviewAshraf Fouad
 
LF Energy Webinar: Introduction to TROLIE
LF Energy Webinar: Introduction to TROLIELF Energy Webinar: Introduction to TROLIE
LF Energy Webinar: Introduction to TROLIEDanBrown980551
 
Introduction to Multimodal LLMs with LLaVA
Introduction to Multimodal LLMs with LLaVAIntroduction to Multimodal LLMs with LLaVA
Introduction to Multimodal LLMs with LLaVARobert McDermott
 
Imaging and Design for the Online Environment Part 1.pptx
Imaging and Design for the Online Environment Part 1.pptxImaging and Design for the Online Environment Part 1.pptx
Imaging and Design for the Online Environment Part 1.pptxPower Point
 
The Future of Product, by Founder & CEO, Product School
The Future of Product, by Founder & CEO, Product SchoolThe Future of Product, by Founder & CEO, Product School
The Future of Product, by Founder & CEO, Product SchoolProduct School
 
Avoiding Bad Stats and the Benefits of Playing Trivia with Friends: PancakesC...
Avoiding Bad Stats and the Benefits of Playing Trivia with Friends: PancakesC...Avoiding Bad Stats and the Benefits of Playing Trivia with Friends: PancakesC...
Avoiding Bad Stats and the Benefits of Playing Trivia with Friends: PancakesC...Adrian Sanabria
 
Are Human-generated Demonstrations Necessary for In-context Learning?
Are Human-generated Demonstrations Necessary for In-context Learning?Are Human-generated Demonstrations Necessary for In-context Learning?
Are Human-generated Demonstrations Necessary for In-context Learning?MENGSAYLOEM1
 
"AIRe - AI Reliability Engineering", Denys Vasyliev
"AIRe - AI Reliability Engineering", Denys Vasyliev"AIRe - AI Reliability Engineering", Denys Vasyliev
"AIRe - AI Reliability Engineering", Denys VasylievFwdays
 
My Journey towards Artificial Intelligence
My Journey towards Artificial IntelligenceMy Journey towards Artificial Intelligence
My Journey towards Artificial IntelligenceVijayananda Mohire
 
Confoo 2024 Gettings started with OpenAI and data science
Confoo 2024 Gettings started with OpenAI and data scienceConfoo 2024 Gettings started with OpenAI and data science
Confoo 2024 Gettings started with OpenAI and data scienceSusan Ibach
 
Early Tech Adoption: Foolish or Pragmatic? - 17th ISACA South Florida WOW Con...
Early Tech Adoption: Foolish or Pragmatic? - 17th ISACA South Florida WOW Con...Early Tech Adoption: Foolish or Pragmatic? - 17th ISACA South Florida WOW Con...
Early Tech Adoption: Foolish or Pragmatic? - 17th ISACA South Florida WOW Con...Adrian Sanabria
 
Leveraging SLF4j for Effective Logging in IBM App Connect Enterprise.docx
Leveraging SLF4j for Effective Logging in IBM App Connect Enterprise.docxLeveraging SLF4j for Effective Logging in IBM App Connect Enterprise.docx
Leveraging SLF4j for Effective Logging in IBM App Connect Enterprise.docxVotarikari Shravan
 

Recently uploaded (20)

How to write an effective Cyber Incident Response Plan
How to write an effective Cyber Incident Response PlanHow to write an effective Cyber Incident Response Plan
How to write an effective Cyber Incident Response Plan
 
10 things that helped me advance my career - PHP UK Conference 2024
10 things that helped me advance my career - PHP UK Conference 202410 things that helped me advance my career - PHP UK Conference 2024
10 things that helped me advance my career - PHP UK Conference 2024
 
Progress Report: Ministry of IT under Dr. Umar Saif Aug 23-Feb'24
Progress Report: Ministry of IT under Dr. Umar Saif Aug 23-Feb'24Progress Report: Ministry of IT under Dr. Umar Saif Aug 23-Feb'24
Progress Report: Ministry of IT under Dr. Umar Saif Aug 23-Feb'24
 
"Testing of Helm Charts or There and Back Again", Yura Rochniak
"Testing of Helm Charts or There and Back Again", Yura Rochniak"Testing of Helm Charts or There and Back Again", Yura Rochniak
"Testing of Helm Charts or There and Back Again", Yura Rochniak
 
My sample product research idea for you!
My sample product research idea for you!My sample product research idea for you!
My sample product research idea for you!
 
Dev Dives: Leverage APIs and Gen AI to power automations for RPA and software...
Dev Dives: Leverage APIs and Gen AI to power automations for RPA and software...Dev Dives: Leverage APIs and Gen AI to power automations for RPA and software...
Dev Dives: Leverage APIs and Gen AI to power automations for RPA and software...
 
Automation Ops Series: Session 1 - Introduction and setup DevOps for UiPath p...
Automation Ops Series: Session 1 - Introduction and setup DevOps for UiPath p...Automation Ops Series: Session 1 - Introduction and setup DevOps for UiPath p...
Automation Ops Series: Session 1 - Introduction and setup DevOps for UiPath p...
 
Apex Replay Debugger and Salesforce Platform Events.pptx
Apex Replay Debugger and Salesforce Platform Events.pptxApex Replay Debugger and Salesforce Platform Events.pptx
Apex Replay Debugger and Salesforce Platform Events.pptx
 
Enterprise Architecture As Strategy - Book Review
Enterprise Architecture As Strategy - Book ReviewEnterprise Architecture As Strategy - Book Review
Enterprise Architecture As Strategy - Book Review
 
LF Energy Webinar: Introduction to TROLIE
LF Energy Webinar: Introduction to TROLIELF Energy Webinar: Introduction to TROLIE
LF Energy Webinar: Introduction to TROLIE
 
Introduction to Multimodal LLMs with LLaVA
Introduction to Multimodal LLMs with LLaVAIntroduction to Multimodal LLMs with LLaVA
Introduction to Multimodal LLMs with LLaVA
 
Imaging and Design for the Online Environment Part 1.pptx
Imaging and Design for the Online Environment Part 1.pptxImaging and Design for the Online Environment Part 1.pptx
Imaging and Design for the Online Environment Part 1.pptx
 
The Future of Product, by Founder & CEO, Product School
The Future of Product, by Founder & CEO, Product SchoolThe Future of Product, by Founder & CEO, Product School
The Future of Product, by Founder & CEO, Product School
 
Avoiding Bad Stats and the Benefits of Playing Trivia with Friends: PancakesC...
Avoiding Bad Stats and the Benefits of Playing Trivia with Friends: PancakesC...Avoiding Bad Stats and the Benefits of Playing Trivia with Friends: PancakesC...
Avoiding Bad Stats and the Benefits of Playing Trivia with Friends: PancakesC...
 
Are Human-generated Demonstrations Necessary for In-context Learning?
Are Human-generated Demonstrations Necessary for In-context Learning?Are Human-generated Demonstrations Necessary for In-context Learning?
Are Human-generated Demonstrations Necessary for In-context Learning?
 
"AIRe - AI Reliability Engineering", Denys Vasyliev
"AIRe - AI Reliability Engineering", Denys Vasyliev"AIRe - AI Reliability Engineering", Denys Vasyliev
"AIRe - AI Reliability Engineering", Denys Vasyliev
 
My Journey towards Artificial Intelligence
My Journey towards Artificial IntelligenceMy Journey towards Artificial Intelligence
My Journey towards Artificial Intelligence
 
Confoo 2024 Gettings started with OpenAI and data science
Confoo 2024 Gettings started with OpenAI and data scienceConfoo 2024 Gettings started with OpenAI and data science
Confoo 2024 Gettings started with OpenAI and data science
 
Early Tech Adoption: Foolish or Pragmatic? - 17th ISACA South Florida WOW Con...
Early Tech Adoption: Foolish or Pragmatic? - 17th ISACA South Florida WOW Con...Early Tech Adoption: Foolish or Pragmatic? - 17th ISACA South Florida WOW Con...
Early Tech Adoption: Foolish or Pragmatic? - 17th ISACA South Florida WOW Con...
 
Leveraging SLF4j for Effective Logging in IBM App Connect Enterprise.docx
Leveraging SLF4j for Effective Logging in IBM App Connect Enterprise.docxLeveraging SLF4j for Effective Logging in IBM App Connect Enterprise.docx
Leveraging SLF4j for Effective Logging in IBM App Connect Enterprise.docx
 

MITRE ATT&CKcon 2018: Hunters ATT&CKing with the Data, Roberto Rodriguez, SpecterOps and Jose Luis Rodriguez, Student

  • 2. @Cyb3rWard0g ● Adversary Detection Analyst @SpecterOps ● Author: ○ ThreatHunter-Playbook ○ Hunting ELK (HELK) ○ ATTACK-Python-Client ○ OSSEM (Open Source Security Event Metadata) ● Form er: Capital One - USA, Senior Threat Hunter 2https://github.com/Cyb3rWard0g
  • 3. @Cyb3rPandaH ● Cyber Security Student @NOVAcommcollege ● Author: ○ Tableau-ATTCK ● Contributor: ○ ThreatHunter-Playbook, HELK, OSSEM ● Form er: UNACEM- Peru, Senior Business Intelligence Analyst 3https://github.com/Cyb3rPanda
  • 4. Agenda ● Current Threat Hunting & Data Overview ● Threat Hunting & ATT&CK ● What else do I need to know about ATT&CK data sources? ● Defining a data mapping methodology ● ATT&CKing with the right data! ○ Data mapping examples 4
  • 5. Threat Hunting & Data LOG IT ALL-> HUNT-> FIND EVIL- REPEAT … Right?, Maybe? 5
  • 6. Threat Hunting What can be automated? - Not everything can be automated - Enhance SOC operations Lessons Learned - Metrics - Report Findings - Transition to IR? - What didn’t work? Hunt - Data Analytics > Behavioral > Anomalies/Outliers - Validate Detection Pre-Hunt - Define Hunt Model - Set Scope - Define Team Roles - Identify Adversarial Technique - Develop HypothesisThreat Hunting 6
  • 7. Threat Hunting What can be automated? - Not everything can be automated - Enhance SOC operations Lessons Learned - Metrics - Report Findings - Transition to IR? - What didn’t work? Hunt - Data Analytics > Behavioral > Anomalies/Outliers - Validate Detection Threat Hunting 7 Pre-Hunt - Define Hunt Model - Set Scope - Define Team Roles - Identify Adversarial Technique - Develop Hypothesis
  • 8. Threat Hunting What can be automated? - Not everything can be automated - Enhance SOC operations Lessons Learned - Metrics - Report Findings - Transition to IR? - What didn’t work? Hunt - Data Analytics > Behavioral > Anomalies/Outliers - Validate Detection Threat Hunting 8 Pre-Hunt - Define Hunt Model - Set Scope - Define Team Roles - Identify Adversarial Technique - Develop Hypothesis
  • 9. What can be automated? - Not everything can be automated - Enhance SOC operations Lessons Learned - Metrics - Report Findings - Transition to IR? - What didn’t work? Hunt - Data Analytics > Behavioral > Anomalies/Outliers - Validate Detection Threat Hunting 9 Threat Hunting Pre-Hunt - Define Hunt Model - Set Scope - Define Team Roles - Identify Adversarial Technique - Develop Hypothesis
  • 10. What can be automated? - Not everything can be automated - Enhance SOC operations Lessons Learned - Metrics - Report Findings - Transition to IR? - What didn’t work? Hunt - Data Analytics > Behavioral > Anomalies/Outliers - Validate Detection Threat Hunting 10 Threat Hunting Pre-Hunt - Define Hunt Model - Set Scope - Define Team Roles - Identify Adversarial Technique - Develop Hypothesis
  • 11. Data Swamps & Threat Hunting (Reality) 11
  • 12. More data = More problems? ● This benefits security analysts from a data availability perspective! ● How do you prioritize collection of event logs? ● Do you know what you are collecting? ● Do you know the data you are collecting? ● Again, do you know the data you are collecting? 12
  • 13. Yeah, do you know your data? But, do you know your logs? 13
  • 14. Threat Hunting & ATT&C How are you doing it? 14
  • 15. Threat Hunting & ATT&CK https://www.mitre.org/sites/default/files/publications/pr-18-0944-11-mitre-attack-design-and-philosophy.pdf 15 Threat Hunting Identify adversarial technique Develop a hypothesis
  • 16. Threat Hunting & ATT&CK: Create Account 16https://www.mitre.org/sites/default/files/publications/pr-18-0944-11-mitre-attack-design-and-philosophy.pdf
  • 17. What is a data source? “Source of information collected by a sensor or logging system that may be used to collect information relevant to identifying the action being performed, sequence of actions , or the results of those actions by an adversary .” https://www.mitre.org/sites/default/files/publications/pr-18-0944-11-mitre-attack-design-and-philosophy.pdf 17
  • 18. Threat Hunting & ATT&CK Data SourcesHelp detect 18https://www.mitre.org/sites/default/files/publications/pr-18-0944-11-mitre-attack-design-and-philosophy.pdf
  • 19. Threat Hunting & ATT&CK https://www.mitre.org/sites/default/files/publications/pr-18-0944-11-mitre-attack-design-and-philosophy.pdf Data SourcesHelp detect 19
  • 20. What else do I need to kn about that? 20
  • 21. Main Goals ● Expand on the current ATT&CK data sources (Extra Context) ● Help to prioritize the collection of event logs ● Define a methodology to map event logs to ATT&CK data sources ● Allow blue teamers to understand what they could use to validate the detection of specific adversarial techniques ● Allow red teamers to understand what they might look like in the environment while using specific adversarial techniques ● Learn more about event logs and ATT&CK data sources 21
  • 22. Defining a data mapping methodology What worked for us! 22
  • 23. Our Methodology ● Explore ATT&CK data sources ● Document event logs related to ATT&Ck data sources ● Develop a data model ● Map event logs to ATT&CK data sources ● Validate data mappings 23
  • 24. Explore ATT&CK Data So What can we do with ATT&CK data sources? 24
  • 25. How do I access ATT&CK Metadata? 25
  • 26. ATTACK-Python-Client Github Project ● A Python module to access up to date ATT&CK content available in STIX via public TAXII server. It leverages cti -python -stix2 and cti - taxii -client python libraries developed by MITRE. ● Goals ○ Allow the integration of ATT&CK content with other platform s ○ Allow security analysts to quickly explore ATT&CK content and apply it in their daily operations ○ Explore all available ATT&CK m etadata at once ○ Learn STIX2 and TAXII Client Python libraries https://github.com/Cyb3rWard0g/ATTACK-Python-Client 26
  • 27. ATTACK-Python-Client Installation ● Via PIP: pip install attackcti ● Or Straight from Source ○ git clone https://github.com/Cyb3rWard0g /ATTACK-Python-Client ○ cd ATTACK-Python-Client ○ pip install . ● Jupyter Notebooks Available ○ pip install -r requirements.txt ○ cd notebooks ○ jupyter lab https://github.com/Cyb3rWard0g/ATTACK-Python-Client 27
  • 28. ATT&CK Metadata- Jupyter Notebook https://github.com/Cyb3rWard0g/ATTACK-Python-Client/tree/master/notebooks 28
  • 29. ATT&CK Techniques (478) and Data Sourc ● Almost 46% of techniques have data sources defined ● Around 54% of techniques do NOT have data sources defined ● Pre-ATT&CKdata sources m aybe? ● Opportunities to collaborate and define those without data sources? https://github.com/Cyb3rWard0g/ATTACK-Python-Client/tree/master/notebooks 29
  • 30. ATT&CK Techniques (478) and Data Sourc https://github.com/Cyb3rWard0g/ATTACK-Python-Client/tree/master/notebooks 30
  • 31. Looking for anything to do this weekend? https://github.com/Cyb3rWard0g/ATTACK-Python-Client/tree/master/notebooks 31
  • 32. ATT&CK Techniques with Data Sources (21 https://github.com/Cyb3rWard0g/ATTACK-Python-Client/tree/master/notebooks 32 Process Monitoring: 157 TechniquesFile Monitoring: 90 Techniques Process Command Line: 87 Techniques
  • 33. ATT&CK Techniques with Data Sources (21 https://github.com/Cyb3rWard0g/ATTACK-Python-Client/tree/master/notebooks 33 Process Monitoring: 157 TechniquesFile Monitoring: 90 Techniques Process Command Line: 87 Techniques
  • 34. ATT&CK Windows Data Sources & Platform 34https://github.com/Cyb3rWard0g/ATTACK-Python-Client/tree/master/notebooks
  • 35. ATT&CK Techniques with Data Sources (21 https://github.com/Cyb3rWard0g/ATTACK-Python-Client/tree/master/notebooks 35 Process Monitoring: 157 TechniquesFile Monitoring: 90 Techniques Process Command Line: 87 Techniques
  • 36. Prioritization of ATT&CK Data Sources 36 Only 19 (9%) techniques require 1 data source. 200 techniques require at least 2 data sources to analyze them … MORE CONTEXT https://github.com/Cyb3rWard0g/ATTACK-Python-Client/tree/master/notebooks
  • 37. Prioritization of ATT&CK Data Sources (Top 37https://github.com/Cyb3rWard0g/ATTACK-Python-Client/tree/master/notebooks
  • 38. Document Event Logs What event logs are related to ATT&CK data sources 38
  • 39. Windows Technique: Credential In Registry T1214 Windows Registry Process Monitoring Process Command-Line Parameters 39
  • 40. Windows Security 4688- Process Creation T1214 Windows Registry Process Monitoring Process Command-Line Parameters 40 Windows Security
  • 41. Windows Security 4689- Process Termination T1214 Windows Registry Process Monitoring Process Command-Line Parameters 41 Windows Security
  • 42. Windows Sysmon 1- Process Create T1214 Windows Registry Process Monitoring Process Command-Line Parameters 42 Windows Sysmon
  • 43. Windows Sysmon 10- Process Accessed T1214 Windows Registry Process Monitoring Process Command-Line Parameters 43 Windows Sysmon
  • 45. Another reason why I should document my https://github.com/mattifestation/BHUSA2018_Sysmon/blob/master/Whitepaper_Subverting_Sysmon.pdf 45
  • 46. Develop A Data Model 46 Defining data objects and their relationships
  • 47. What is a data model? ● A data model basically determines the structure of data and the relationships identified among each other. ● MITRE Data Model: ○ Strongly inspired by CybOX, is an organization of the objects that m ay be m onitored from a host-based or network-based perspective. https://car.m itre.org/wiki/Data_Model ● STIX™ Version 2.0. Part 4: Cyber Observable Objects ○ http://docs.oasis-open.org/cti/stix/v2.0/stix-v2.0-part4-cyber- observable-objects.htm l 47
  • 48. Data Model Levels https://www.1keydata.com/datawarehousing/data-modeling-levels.html 48 Conceptual Model Design Logical Model Design Physical Model Design
  • 49. Data Modeling & Cyber Threat Intelligence https://oasis-open.github.io/cti-stix-visualization/?url=https://raw.githubusercontent.com/oasis-open/cti- documentation/master/examples/example_json/threat-actor-leveraging-attack-patterns-and-malware.json 49
  • 50. Data Modeling & Cyber Threat Intelligence https://oasis-open.github.io/cti-documentation/examples/threat-actor-leveraging-attack-patterns-and-malware 50
  • 51. What about data modeling and security eve 51 Process IPFile
  • 52. What about data modeling and security eve 52 Process IPconnected_toFile created
  • 53. What about data modeling and security eve 53 Process IPconnected_toFile created process_name process_command_line process_guid file_name file_directory process_guid dst_ip src_ip process_guid
  • 54. What about data modeling and security eve 54 Process IPconnected_toFile created process_name process_command_line process_guid file_name file_directory process_guid dst_ip src_ip process_guid
  • 55. Sysmon Data Model After Documentation 55https://github.com/Cyb3rWard0g/presentations/blob/master/SANS_THIR_2018.pdf
  • 56. Windows Technique: Credential In Registry T1214 Windows Registry Process Monitoring Process Command-Line Parameters 56
  • 57. Windows Technique: Credential In Registry T1214 Windows Registry Process Monitoring Process Command-Line Parameters 57 Process Creation Process Termination Process Write To Process Process Access
  • 58. ATT&CK Data Sources & Data Modeling T1214 Windows Registry Process Monitoring Process Command-Line Parameters 58 Process Creation Process Termination Process Write To Process Process Access Process Processcreated
  • 59. ATT&CK Data Sources & Data Modeling T1214 Windows Registry Process Monitoring Process Command-Line Parameters 59 Process Creation Process Termination Process Write To Process Process Access Process User Processcreated terminated Process
  • 60. ATT&CK Data Sources & Data Modeling T1214 Windows Registry Process Monitoring Process Command-Line Parameters 60 Process Creation Process Termination Process Write To Process Process Access Process Process Process Process created wrote_to User terminated Process
  • 61. ATT&CK Data Sources & Data Modeling T1214 Windows Registry Process Monitoring Process Command-Line Parameters 61 Process Creation Process Termination Process Write To Process Process Access Process Process Process Process Process Process created wrote_to accessed User terminated Process
  • 62. ATT&CK Data Sources & Data Modeling T1214 Windows Registry Process Monitoring Process Command-Line Parameters 62 Registry Creation Registry Deletion Registry Modification Registry Access Process Registrycreated
  • 63. ATT&CK Data Sources & Data Modeling T1214 Windows Registry Process Monitoring Process Command-Line Parameters 63 Registry Creation Registry Deletion Registry Modification Registry Access Process Process Registrycreated deleted Registry
  • 64. ATT&CK Data Sources & Data Modeling T1214 Windows Registry Process Monitoring Process Command-Line Parameters 64 Registry Creation Registry Deletion Registry Modification Registry Access Process Process Process Registrycreated modified deleted Registry Registry
  • 65. ATT&CK Data Sources & Data Modeling T1214 Windows Registry Process Monitoring Process Command-Line Parameters 65 Registry Creation Registry Deletion Registry Modification Registry Access Process Process Process Process Registrycreated modified accessed deleted Registry Registry Registry
  • 66. ATT&CK Data Sources & Data Modeling T1214 Windows Registry Process Monitoring Process Command-Line Parameters 66 Registry Creation Registry Deletion Registry Modification Registry Access Process User User User Registrycreated modified accessed deleted Registry Registry Registry
  • 67. Map Event Logs To ATT&CK Data Sources Blue Teamer: What you have VS what you need! Red Teamer: What you might look like! 67
  • 68. ATT&CK Data Sources & Data Modeling T1214 Windows Registry Process Monitoring Process Command-Line Parameters 68
  • 69. ATT&CK Data Sources & Data Modeling T1214 Windows Registry Process Monitoring Process Command-Line Parameters 69 Process Creation Process created Process Process Write To Process Process wrote_to Process Process Access Process accessed Process Process Termination user terminated Process
  • 70. ATT&CK Data Sources & Event Logs T1214 Windows Registry Process Monitoring Process Command-Line Parameters 70 Process Creation Process created Process Process Termination user terminated Process Write To Process Process Process Process Access Process Process Security 4688 Sysmon 1 Process wrote_to accessed
  • 71. ATT&CK Data Sources & Event Logs T1214 Windows Registry Process Monitoring Process Command-Line Parameters 71 Process Creation Process created Process Process Write To Process Process Process Process Access Process Process Security 4688 Sysmon 1 Security 4689 Sysmon 5 Process Termination user terminated Process wrote_to accessed
  • 72. ATT&CK Data Sources & Event Logs T1214 Windows Registry Process Monitoring Process Command-Line Parameters 72 Process Creation Process created Process Process Write To Process Process Process Process Access Process Process Security 4688 Sysmon 1 Security 4689 Sysmon 5 Sysmon 8 Process Termination user terminated Process wrote_to accessed
  • 73. ATT&CK Data Sources & Event Logs T1214 Windows Registry Process Monitoring Process Command-Line Parameters 73 Process Creation Process created Process Process Write To Process Process Process Process Access Process Process Security 4688 Sysmon 1 Security 4689 Sysmon 5 Sysmon 8 Sysmon 10 Process Termination user terminated Process wrote_to accessed
  • 74. Prioritization of ATT&CK Data Sources (Top 74https://github.com/Cyb3rWard0g/ATTACK-Python-Client/tree/master/notebooks
  • 75. File& Process Monitoring (66 Techniques) 68 Process Monitoring File Monitoring 75 Process Creation Security 4688 Sysmon 1 Process Termination Process Write To Process Process Access File Creation File Access Request File Deletion Request File Access File Deletion Security 4689 Sysmon 5 Sysmon 8 Sysmon 10 Sysmon 11 Security 4656 Security 4663
  • 76. File& Process Monitoring (Technique variat 68 Process Monitoring File Monitoring 76 Process Creation Security 4688 Sysmon 1 Process Termination Process Write To Process Process Access File Creation File Access Request File Deletion Request File Access File Deletion Security 4689 Sysmon 5 Sysmon 8 Sysmon 10 Sysmon 11 Security 4656 Security 4663
  • 77. From an ATT&CK Data Sources to Event Lo 77
  • 78. Where do I get this information? 78 ● Data Dictionaries ○ Windows (Security, Sysmon, etc) ○ Carbon Black Logs ● Data Models ○ Relationships ● ATT&CK Data Sources ○ Definitions & Data Mapping ● Common Information Model https://github.com/Cyb3rWard0g/OSSEM
  • 79. Hunters ATT&CKing with the right data! Threat Hunting Operations 79
  • 80. Threat Hunting Approach 80 Identify technique(s) Define Technique Variation Generate Hypothesis Simulate Technique Variation Identify Recommended Data Sources Define Data Analytics Validate Detection Perform Data Quality Assessment Execute Hunt Hunter Notes / Report
  • 81. Threat Hunting & Data 81 Identify technique(s) Define Technique Variation Generate Hypothesis Simulate Technique Variation Identify Recommended Data Sources Define Data Analytics Validate Detection Perform Data Quality Assessment Execute Hunt Hunter Notes / Report
  • 82. Hunters ATT&CKing with the right data! Detecting potential “overpass-the-hash” techniques 82
  • 83. Identify Technique: Pass the Hash “Pass the hash (PtH) is a method of authenticating as a user without having access to the user's cleartext password.” https://attack.mitre.org/wiki/Technique/T1075 83
  • 84. Define Technique Variation: Overpass-The-Hash https://www.blackhat.com/docs/us-14/materials/us-14-Duckwall-Abusing-Microsoft-Kerberos-Sorry-You-Guys-Don't-Get-It-wp.pdf 84 ● Authentication via Kerberos ○ Authentication Protocol based on keys and tickets ● “Upgrading a NT hash into a full Kerberos ticket” ● It requires elevated privileges (privilege::debug or SYSTEM account) ○ (Depends on how this attack is perform ed. You m ight not need)
  • 85. Technical Details: Normal kerberos Authent https://www.slideshare.net/gentilkiwi/abusing-microsoft-kerberos-sorry-you-guys-dont-get-it 85
  • 87. Technical Details: Mimikatz- Overpass-The-Hash https://github.com/gentilkiwi/mimikatz/wiki/module-~-sekurlsa#pth 87 ● mimikatz can perform the well -known operation 'Pass -The-Hash' to run a process under another credentials with NTLM (or AES128/156_HMAC) hash of the user’s password, instead of its real password. ● For this, it starts a process with a fake identity, then replaces fake information (NTLM hash of the fake password) with real information (NTLM hash of the real password). ● DEMO
  • 88. Technical Details: Mimikatz- Overpass-The-Hash https://github.com/gentilkiwi/mimikatz/wiki/module-~-sekurlsa#pth 88
  • 89. Mimikatz- pth: Security Event 4673 (Client Si 89 Field Values process_name mimikatz.exe service_name Security service_privilege SeTcbPrivilege user_name cbrown Sensitive Privileged Service Operation Process called service
  • 90. Mimikatz- pth: Security Event 4673 (Client Si 90 Field Values process_name lsass.exe service_name LsaRegisterLogonProcess() service_privilege SeTcbPrivilege user_name cbrown Sensitive Privileged Service Operation Process called service
  • 91. Mimikatz- pth: Security Event 4624 (Client Si 91 Field Values logon_type 9 user_name cbrown user_network_account_name pedro User Account Successful Authentication User Authenticated Host
  • 92. Mimikatz- pth: Security Event 4656 (Client Si 92 Field Values process_name mimikatz.exe process_granted_access 0x1010 target_process_name lsass.exe Process Access Process Accessed Process
  • 93. Mimikatz- pth: Security Event 4656 (Client Si 93 Field Values process_name mimikatz.exe process_granted_access 0x1038 target_process_name lsass.exe Process Access Process Accessed Process
  • 94. Mimikatz- pth: Security Event 5158 (Client Si 94 Field Values process_name lsass.exe src_ip 0.0.0.0 src_port 50066 Process Network Local Port Bind Allow Process bound_to Port
  • 95. Mimikatz- pth: Security Event 5156 (Client Si 95 Field Values process_name lsass.exe dst_ip 192.168.64.147 dst_port 88 Process Network Connection Allow Process connected_to Ip
  • 96. Mimikatz- pth: Sysmon Event 3 (Client Side) 96 Field Values process_name lsass.exe dst_ip 192.168.64.147 dst_port 88 user_name SYSTEM dst_host DC-WD-001 Process Network Connection Allow Process connected_to Ip
  • 97. Mimikatz- pth: Security Event 4648 (Client Si 97 Field Values user_name cbrown target_user_name pedro target_host_name DC-WD-001 user account authentication with explicit credential User authenticated host
  • 98. Mimikatz- pth: Security Event 4768 (Server S 98 Field Values user_name pedro ticket_encryption_type 0x17 src_ip 192.168.64.137 Kerberos TGT Request User requested Ticket
  • 99. Mimikatz- pth: Security Event 4769 (Server S 99 Field Values user_name pedro ticket_encryption_type 0x12 src_ip 192.168.64.137 service_name krbtgt Kerberos Service Ticket Request User requested Ticket
  • 100. Mimikatz- pth: Security Event 4769 (Server S 100 Field Values user_name pedro ticket_encryption_type 0x12 src_ip 192.168.64.137 service_name DC-WD-001$ Kerberos Service Ticket Request User requested Ticket
  • 101. Mimikatz- pth: Security Event 4624 (Server S 101 Field Values user_name pedro logon_type 3 src_ip 192.168.64.137 service_name DC-WD-001$ logon_process kerberos User Account Successful Authentication User authenticated Host
  • 102. Mimikatz- pth: Security Event 5140 (Server S 102 Field Values user_name pedro share_name *C$ src_ip 192.168.64.137 Network Share Access User accessed Network share
  • 103. Technical Details: Rubeus- Overpass-the-hash https://github.com/GhostPack/Rubeus 103 ● Rubeus is a C# re-implementation of some of the functionality from Benjamin Delpy’s Kekeo project ○ Kerberos structures built by hand… ○ Rubeus works nicely with execute -assembly ○ So why not use Kekeo? Because ASN.1! ■ Requires a commercial ASN.1 library to customize/rebuild the Kekeo codebase ● Author: Will Schroeder @harmj0y @SpecterOps ● DEMO
  • 104. Technical Details: Rubeus- Overpass-the-hash https://github.com/GhostPack/Rubeus 104
  • 105. Rubeus- ptt: Security Event 4673 (Client Side 105 Field Values process_name rubeus.exe service_privilege SeCreateGlobalPrivilege user_name cbrown Sensitive Privileged Service Operation Process called service
  • 106. Rubeus- ptt: Security Event 5158 (Client Side 106 Field Values process_name rubeus.exe src_ip 0.0.0.0 src_port 50209 Process Network Local Port Bind Allow Process bound_to port
  • 107. Rubeus- ptt: Security Event 5156 (Client Side 107 Field Values process_name rubeus.exe dst_ip 192.168.64.147 dst_port 88 Process Network Connection Allow Process connected_to Ip
  • 108. Rubeus- ptt: Sysmon 3 (Client Side) 108 Field Values process_name rubeus.exe dst_ip 192.168.64.147 dst_port 88 user_name cbrown dst_host DC-WD-001 Process Network Connection Allow Process connected_to Ip
  • 109. Rubeus- ptt: Security Event 4768 (Server Sid 109 Field Values user_name pedro ticket_encryption_type 0x17 service_name krbtgt src_ip 192.168.64.137 Kerberos TGT Request User requested Ticket
  • 110. Rubeus- ptt: Security Event 4769 (Server Sid 110 Field Values user_name pedro ticket_encryption_type 0x12 service_name DC-WD-001$ src_ip 192.168.64.137 Kerberos Service Ticket Request User requested Ticket
  • 111. Rubeus- ptt: Security Event 4624 (Server Sid 111 Field Values user_name pedro logon_type 3 logon_process Kerberos src_ip 192.168.64.137 User Account Successful Authentication User authenticated Host
  • 112. Rubeus- ptt: Security Event 5140 (Server Sid 112 Field Values user_name pedro share_name *C$ src_ip 192.168.64.137 Network Share Access User accessed Network share
  • 113. Mimikatz vs Rubeus- Kerberos Authentication 113
  • 114. Mimikatz vs Rubeus- Kerberos Authentication 114
  • 115. Mmmm… Who else connects to the DC via 115
  • 116. Mmmm… Who else connects to the DC via 116
  • 117. Mmmm… Who else connects to the DC via 117
  • 119. Mimikatz Data Mapping- Pass The Hash- T1075 119 T1075 Authentication Logs Process Monitoring User Account Successful Authentication Security 4624 User Account Authentication With Explicit Credentials Process Access Process Network Local Port Bind Allow Process Network Connection Allow Security 4648 Sysmon 10 Security 4656 Process Use of Network Security 5158 Security 5156 Sysmon 3 Kerberos TGT Request Kerberos Service Ticket Request Security 4768 Security 4769 Sensitive Privileged Service Operation Security 4673
  • 120. Rubeus Data Mapping- Pass The Hash- T1075 120 T1075 Authentication Logs Process Monitoring User Account Successful Authentication Security 4624 User Account Authentication With Explicit Credentials Process Access Process Network Local Port Bind Allow Process Network Connection Allow Security 4648 Sysmon 10 Security 4656 Process Use of Network Security 5158 Security 5156 Sysmon 3 Kerberos TGT Request Kerberos Service Ticket Request Security 4768 Security 4769 Sensitive Privileged Service Operation Security 4673
  • 121. Thank You! Muchas Grac 121
  • 123. THREAT HUNTING SLACK CHANNEL 123