SlideShare a Scribd company logo

ATT&CKing Your Adversaries - Operationalizing cyber intelligence in your own environment for better sleep and a safer tomorrow

J
JamieWilliams130

Presented at BSides Las Vegas 2019 by Sarah Yoder and Jamie Williams

Technology
1 of 47
Download to read offline
©2019 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for public release. Distribution unlimited 19-01075-6. ATT&CKing Your Adversaries Operationalizing cyber intelligence in your own environment for better sleep and a safer tomorrow ©2019 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for public release. Distribution unlimited 19-01075-6.
©2019 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for public release. Distribution unlimited 19-01075-6. Introductions ▪ Jamie Williams ( @jamieantisocial) ▪ Cyber adversarial engineer ▪ Adversary emulation + behavior detection research ▪ Sarah Yoder ( @sarah__yoder) ▪ Cyber security engineer ▪ Cyber threat intelligence + red teaming ▪ ATT&CK & ATT&CK Evaluations ( @MITREattack) | 2 |
©2019 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for public release. Distribution unlimited 19-01075-6. If You Were at 2018 BSidesLV ATT&CKing the Status Quo: Improving Threat Intelligence and Cyber Defense with MITRE ATT&CK™ Slides available at https://www.slideshare.net/KatieNickels/bsideslv-2018- katie-nickels-and-john-wunder-attcking-the-status-quo Threat Intelligence
©2019 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for public release. Distribution unlimited 19-01075-6. If You Were at 2018 BSidesLV
©2019 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for public release. Distribution unlimited 19-01075-6. Agenda | 5 | Intelligence Behaviors Detections Emulations
©2019 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for public release. Distribution unlimited 19-01075-6. | 6 | Intelligence to Behaviors Intelligence Behaviors Detections Emulations
©2019 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for public release. Distribution unlimited 19-01075-6. | 7 | "Cyber threat intelligence (CTI) is the process of analyzing information about adversaries, as well as the output of that analysis, in a way that can be applied to help network defenders and decisionmakers” What is Cyber Threat Intelligence? https://www.mitre.org/capabilities/cybersecurity/overview/ cybersecurity-blog/using-attck-to-advance-cyber-threat
©2019 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for public release. Distribution unlimited 19-01075-6. Where Does It Come From? | 8 | Internal Reporting Open Source Finished Reporting Indicators
©2019 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for public release. Distribution unlimited 19-01075-6. | 9 | All this information can become overwhelming! but fear not! ATT&CK can help! https://www.pngkit.com/png/ full/53-533742_batman-vs- superman-open-shirt- vector.png ©2019 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for public release. Distribution unlimited 19-01075-6.
©2019 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for public release. Distribution unlimited 19-01075-6. | 10 | Knowledge base of adversary behaviors Threat-informed defense Based on real-world observations References to publicly reported intelligence Free, open, and globally accessible attack.mitre.org Community contribution driven attack@mitre.org @MITREattack
©2019 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for public release. Distribution unlimited 19-01075-6. | 11 | ATT&CK Structure Tactics: the adversary’s technical goals Techniques: how the goals are achieved … … Initial Access Execution Persistence Privilege Escalation Defense Evasion Credential Access Discovery Lateral Movement Collection Exfiltration Impact Procedures: specific technique implementations Command and Control
©2019 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for public release. Distribution unlimited 19-01075-6. What is a Behavior? ▪More than hash values, signatures, IPs, etc. ▪Think ATT&CK structure ▪ Tactic (Why) ▪ Technique (How) ▪ Procedure (What) | 12 |
©2019 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for public release. Distribution unlimited 19-01075-6. Finding Behaviors in Finished Reporting | 13 | https://usa.kaspersky.com/about/press-releases/2018_synack-doppelganging
©2019 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for public release. Distribution unlimited 19-01075-6. Finding Behaviors in Finished Reporting | 14 | https://usa.kaspersky.com/about/press-releases/2018_synack-doppelganging
©2019 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for public release. Distribution unlimited 19-01075-6. Mapping the Behaviors to ATT&CK | 15 | 1. Start with the Tactic Defense Evasion Defense Evasion https://usa.kaspersky.com/about/press-releases/2018_synack-doppelganging Impact Discovery Discovery Defense Evasion Defense Evasion
©2019 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for public release. Distribution unlimited 19-01075-6. Mapping the Behaviors to ATT&CK | 16 | 2. Move onto Techniques Defense Evasion Defense Evasion Discovery Discovery | Obfuscated Files or Information(T1027) | Obfuscated Files or Information(T1027) | File and Directory Discovery (T1083) | Virtualization/Sandbox Evasion (T1497) | Data Encrypted for Impact (T1486) | Process Discovery (T1057) | System Service Discovery (T1007) https://usa.kaspersky.com/about/press-releases/2018_synack-doppelganging Defense Evasion Impact Defense Evasion | Execution Guardrails (T1480)
©2019 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for public release. Distribution unlimited 19-01075-6. SynAck (S0242) | 17 | https://attack.mitre.org/software/S0242/
©2019 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for public release. Distribution unlimited 19-01075-6. | 18 | Behaviors to Detections Intelligence Behaviors Detections Emulations
©2019 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for public release. Distribution unlimited 19-01075-6. Understanding the Behavior ▪ Stages of a behavior 1. Prerequisites – What does execution require? 2. Mechanics – What does execution involve? 3. Artifacts – What does execution leave behind? ▪ Critical when considering detection | 19 | Driver loaded Image loaded Process creation ProcessAccess CreateRemoteThread Network connection FileCreate RegistryEvent 1 2 3
©2019 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for public release. Distribution unlimited 19-01075-6. Let’s Pick One Behavior to Focus On | 20 | https://attack.mitre.org/software/S0242/
©2019 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for public release. Distribution unlimited 19-01075-6. Let’s Pick One Behavior to Focus On | 21 | https://attack.mitre.org/software/S0242/
©2019 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for public release. Distribution unlimited 19-01075-6. Understanding Process Doppelgänging ▪ Originally presented at Black Hat Europe 2017 ▪ Based on deprecated transactional NTFS (TxT) ▪ Load and execute arbitrary code in legitimate process ▪ Avoid typical process injection/hollowing mechanics and AV scans (disk writes) ▪ Undocumented process creation API (Zw/NtCreateProcessEx) to execute from memory section rather than disk | 22 | https://www.blackhat.com/docs/eu-17/materials/eu-17-Liberman-Lost-In-Transaction-Process-Doppelganging.pdf
©2019 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for public release. Distribution unlimited 19-01075-6. Legitimate File | 23 | Understanding Process Doppelgänging
©2019 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for public release. Distribution unlimited 19-01075-6. Legitimate FileMalicious File | 24 | 1 Transact – overwrite target file Understanding Process Doppelgänging
©2019 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for public release. Distribution unlimited 19-01075-6. Legitimate FileMalicious File | 25 | 2 Load – load target file Understanding Process Doppelgänging
©2019 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for public release. Distribution unlimited 19-01075-6. Legitimate File | 26 | 3 Rollback – undo write in step 1 Understanding Process Doppelgänging
©2019 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for public release. Distribution unlimited 19-01075-6. Changes are only visible within transaction Legitimate File Animate – execute loaded file from step 2 | 27 | 4 Understanding Process Doppelgänging
©2019 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for public release. Distribution unlimited 19-01075-6. ▪ Monitor and analyze calls to CreateTranscation, CreateFileTransacted, RollbackTransaction, and other rarely used functions indicative of TxF activity. Process Doppelgänging also invokes an outdated and undocumented implementation of the Windows process loader via calls to NtCreateProcessEx and NtCreateThreadEx as well as API calls used to modify memory within another process, such as WriteProcessMemory. ▪ Scan file objects reported during the PsSetCreateProcessNotifyRoutine, which triggers a callback whenever a process is created or deleted, specifically looking for file objects with enabled write access. Also consider comparing file objects loaded in memory to the corresponding file on disk. ▪ Analyze process behavior to determine if a process is performing actions it usually does not, such as opening network connections, reading files, or other suspicious actions that could relate to post-compromise behavior. | 28 | https://attack.mitre.org/techniques/T1186 Understanding Process Doppelgänging
©2019 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for public release. Distribution unlimited 19-01075-6. ▪ Monitor and analyze calls to CreateTranscation, CreateFileTransacted, RollbackTransaction, and other rarely used functions indicative of TxF activity. Process Doppelgänging also invokes an outdated and undocumented implementation of the Windows process loader via calls to NtCreateProcessEx and NtCreateThreadEx as well as API calls used to modify memory within another process, such as WriteProcessMemory. ▪ Scan file objects reported during the PsSetCreateProcessNotifyRoutine, which triggers a callback whenever a process is created or deleted, specifically looking for file objects with enabled write access. Also consider comparing file objects loaded in memory to the corresponding file on disk. ▪ Analyze process behavior to determine if a process is performing actions it usually does not, such as opening network connections, reading files, or other suspicious actions that could relate to post-compromise behavior. API Monitoring Process Monitoring File Monitoring | 29 | https://attack.mitre.org/techniques/T1186 Understanding Process Doppelgänging
©2019 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for public release. Distribution unlimited 19-01075-6. | 30 | Detections to Emulations Intelligence Behaviors Detections Emulations
©2019 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for public release. Distribution unlimited 19-01075-6. Emulating Process Doppelgänging ▪ PoC available from Ruben Booen (@FuzzySec) ▪ github.com/FuzzySecurity/ PowerShell-Suite ▪ Start-Eidolon.ps1 ▪ Windows API (T1106) via PowerShell (T1086) | 31 | https://gph.is/1XJvaI6
©2019 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for public release. Distribution unlimited 19-01075-6. Start-Eidolon -Target Calc.exe -Mimikatz -Verbose Emulating Process Doppelgänging | 32 |
©2019 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for public release. Distribution unlimited 19-01075-6. Detecting Emulation - Sysmon | 33 |
©2019 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for public release. Distribution unlimited 19-01075-6. Detecting Emulation – ETW | 34 | https://www.countercept.com/blog/d etecting-malicious-use-of-net-part-1 https://github.com/fireeye/pywintrace
©2019 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for public release. Distribution unlimited 19-01075-6. Detecting Emulation – ETW | 35 | https://www.countercept.com/blog/d etecting-malicious-use-of-net-part-1 https://github.com/fireeye/pywintrace
©2019 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for public release. Distribution unlimited 19-01075-6. Detecting Emulation - ProcMon | 36 |
©2019 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for public release. Distribution unlimited 19-01075-6. Detecting Emulation - ProcMon | 37 |
©2019 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for public release. Distribution unlimited 19-01075-6. Detecting Emulation – Windows Event ▪ Security Event Log ID 4985 - The state of a transaction has changed | 38 |
©2019 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for public release. Distribution unlimited 19-01075-6. Detecting Emulation – Windows Event ▪ Security Event Log ID 4985 - The state of a transaction has changed | 39 |
©2019 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for public release. Distribution unlimited 19-01075-6. Detecting Emulation – Wrap up | 40 | NTFS File events (ProcMon) Process creation (Sysmon) API Calls (ETW) Windows Event log 1 2 3 ▪ Be wary of costs and tradeoffs between data sources ▪ Capture and share analytic knowledge ▪ CAR, Sigma, EQL, etc.
©2019 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for public release. Distribution unlimited 19-01075-6. Expanding Emulation | 41 | https://github.com/mitre/caldera
©2019 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for public release. Distribution unlimited 19-01075-6. CALDERA 1. Add our payload (Start-Eidon.ps1) in payloads 2. Add a new ability 3. Add a new adversary | 42 | https://github.com/mitre/caldera
©2019 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for public release. Distribution unlimited 19-01075-6. CALDERA 1. Add our payload (Start-Eidon.ps1) in payloads 2. Add a new ability 3. Add a new adversary | 43 | https://github.com/mitre/caldera
©2019 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for public release. Distribution unlimited 19-01075-6. Emulate Entire Operation | 44 | https://github.com/mitre/caldera
©2019 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for public release. Distribution unlimited 19-01075-6. Emulate Entire Operation | 45 | https://github.com/mitre/caldera
©2019 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for public release. Distribution unlimited 19-01075-6. Important Takeaways ▪ Understand adversary behaviors ▪ Where you can get this intel ▪ What (procedure) they do as well as why (tactic) and how (technique) ▪ Emulate adversary behaviors ▪ Vary procedures for different impressions ▪ Understand defenses and how they apply to your environment and organization ▪ Recognize additional opportunities based on specific procedures ▪ Be wary of building analytics vice just enabling visibility (cost) | 46 |
©2019 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for public release. Distribution unlimited 19-01075-6. | 47 | attack.mitre.org medium.com/mitre-attack attack@mitre.org @MITREattack @sarah__yoder @jamieantisocial

Recommended

BSidesLV 2018 - Katie Nickels and John Wunder - ATT&CKing the Status Quo
BSidesLV 2018 - Katie Nickels and John Wunder - ATT&CKing the Status QuoBSidesLV 2018 - Katie Nickels and John Wunder - ATT&CKing the Status Quo
BSidesLV 2018 - Katie Nickels and John Wunder - ATT&CKing the Status QuoKatie Nickels
 
ATT&CKing with Threat Intelligence
ATT&CKing with Threat IntelligenceATT&CKing with Threat Intelligence
ATT&CKing with Threat IntelligenceChristopher Korban
 
Purple Teaming with ATT&CK - x33fcon 2018
Purple Teaming with ATT&CK - x33fcon 2018Purple Teaming with ATT&CK - x33fcon 2018
Purple Teaming with ATT&CK - x33fcon 2018Christopher Korban
 
Threat Modelling - It's not just for developers
Threat Modelling - It's not just for developersThreat Modelling - It's not just for developers
Threat Modelling - It's not just for developersMITRE ATT&CK
 
Automating the mundanity of technique IDs with ATT&CK Detections Collector
Automating the mundanity of technique IDs with ATT&CK Detections CollectorAutomating the mundanity of technique IDs with ATT&CK Detections Collector
Automating the mundanity of technique IDs with ATT&CK Detections CollectorMITRE ATT&CK
 
It's just a jump to the left (of boom): Prioritizing detection implementation...
It's just a jump to the left (of boom): Prioritizing detection implementation...It's just a jump to the left (of boom): Prioritizing detection implementation...
It's just a jump to the left (of boom): Prioritizing detection implementation...MITRE ATT&CK
 
ATT&CK Updates- Defensive ATT&CK
ATT&CK Updates- Defensive ATT&CKATT&CK Updates- Defensive ATT&CK
ATT&CK Updates- Defensive ATT&CKMITRE ATT&CK
 
FIRST CTI Symposium: Turning intelligence into action with MITRE ATT&CK™
FIRST CTI Symposium: Turning intelligence into action with MITRE ATT&CK™FIRST CTI Symposium: Turning intelligence into action with MITRE ATT&CK™
FIRST CTI Symposium: Turning intelligence into action with MITRE ATT&CK™Katie Nickels
 

Recommended

BSidesLV 2018 - Katie Nickels and John Wunder - ATT&CKing the Status Quo
BSidesLV 2018 - Katie Nickels and John Wunder - ATT&CKing the Status QuoBSidesLV 2018 - Katie Nickels and John Wunder - ATT&CKing the Status Quo
BSidesLV 2018 - Katie Nickels and John Wunder - ATT&CKing the Status QuoKatie Nickels
 
ATT&CKing with Threat Intelligence
ATT&CKing with Threat IntelligenceATT&CKing with Threat Intelligence
ATT&CKing with Threat IntelligenceChristopher Korban
 
Purple Teaming with ATT&CK - x33fcon 2018
Purple Teaming with ATT&CK - x33fcon 2018Purple Teaming with ATT&CK - x33fcon 2018
Purple Teaming with ATT&CK - x33fcon 2018Christopher Korban
 
Threat Modelling - It's not just for developers
Threat Modelling - It's not just for developersThreat Modelling - It's not just for developers
Threat Modelling - It's not just for developersMITRE ATT&CK
 
Automating the mundanity of technique IDs with ATT&CK Detections Collector
Automating the mundanity of technique IDs with ATT&CK Detections CollectorAutomating the mundanity of technique IDs with ATT&CK Detections Collector
Automating the mundanity of technique IDs with ATT&CK Detections CollectorMITRE ATT&CK
 
It's just a jump to the left (of boom): Prioritizing detection implementation...
It's just a jump to the left (of boom): Prioritizing detection implementation...It's just a jump to the left (of boom): Prioritizing detection implementation...
It's just a jump to the left (of boom): Prioritizing detection implementation...MITRE ATT&CK
 
ATT&CK Updates- Defensive ATT&CK
ATT&CK Updates- Defensive ATT&CKATT&CK Updates- Defensive ATT&CK
ATT&CK Updates- Defensive ATT&CKMITRE ATT&CK
 
FIRST CTI Symposium: Turning intelligence into action with MITRE ATT&CK™
FIRST CTI Symposium: Turning intelligence into action with MITRE ATT&CK™FIRST CTI Symposium: Turning intelligence into action with MITRE ATT&CK™
FIRST CTI Symposium: Turning intelligence into action with MITRE ATT&CK™Katie Nickels
 
MITRE ATT&CKcon 2.0: Using Threat Intelligence to Focus ATT&CK Activities; Da...
MITRE ATT&CKcon 2.0: Using Threat Intelligence to Focus ATT&CK Activities; Da...MITRE ATT&CKcon 2.0: Using Threat Intelligence to Focus ATT&CK Activities; Da...
MITRE ATT&CKcon 2.0: Using Threat Intelligence to Focus ATT&CK Activities; Da...MITRE - ATT&CKcon
 
State of the ATT&CK
State of the ATT&CKState of the ATT&CK
State of the ATT&CKMITRE ATT&CK
 
The ATT&CK Latin American APT Playbook
The ATT&CK Latin American APT PlaybookThe ATT&CK Latin American APT Playbook
The ATT&CK Latin American APT PlaybookMITRE ATT&CK
 
ATT&CKcon Intro
ATT&CKcon IntroATT&CKcon Intro
ATT&CKcon IntroMITRE ATT&CK
 
MITRE ATT&CKcon 2018: Hunters ATT&CKing with the Data, Roberto Rodriguez, Spe...
MITRE ATT&CKcon 2018: Hunters ATT&CKing with the Data, Roberto Rodriguez, Spe...MITRE ATT&CKcon 2018: Hunters ATT&CKing with the Data, Roberto Rodriguez, Spe...
MITRE ATT&CKcon 2018: Hunters ATT&CKing with the Data, Roberto Rodriguez, Spe...MITRE - ATT&CKcon
 
State of the ATTACK
State of the ATTACKState of the ATTACK
State of the ATTACKMITRE - ATT&CKcon
 
Mapping to MITRE ATT&CK: Enhancing Operations Through the Tracking of Interac...
Mapping to MITRE ATT&CK: Enhancing Operations Through the Tracking of Interac...Mapping to MITRE ATT&CK: Enhancing Operations Through the Tracking of Interac...
Mapping to MITRE ATT&CK: Enhancing Operations Through the Tracking of Interac...MITRE ATT&CK
 
MITRE ATT&CKcon 2.0: Lessons in Purple Team Testing with MITRE ATT&CK; Daniel...
MITRE ATT&CKcon 2.0: Lessons in Purple Team Testing with MITRE ATT&CK; Daniel...MITRE ATT&CKcon 2.0: Lessons in Purple Team Testing with MITRE ATT&CK; Daniel...
MITRE ATT&CKcon 2.0: Lessons in Purple Team Testing with MITRE ATT&CK; Daniel...MITRE - ATT&CKcon
 
From Theory to Practice: How My ATTACK Perspectives Have Changed
From Theory to Practice: How My ATTACK Perspectives Have ChangedFrom Theory to Practice: How My ATTACK Perspectives Have Changed
From Theory to Practice: How My ATTACK Perspectives Have ChangedMITRE - ATT&CKcon
 
ATT&CK Updates- ATT&CK for ICS
ATT&CK Updates- ATT&CK for ICSATT&CK Updates- ATT&CK for ICS
ATT&CK Updates- ATT&CK for ICSMITRE ATT&CK
 
Intelligence Failures of Lincolns Top Spies: What CTI Analysts Can Learn Fro...
Intelligence Failures of Lincolns Top Spies: What CTI Analysts Can Learn Fro... Intelligence Failures of Lincolns Top Spies: What CTI Analysts Can Learn Fro...
Intelligence Failures of Lincolns Top Spies: What CTI Analysts Can Learn Fro...MITRE ATT&CK
 
Leveraging MITRE ATT&CK - Speaking the Common Language
Leveraging MITRE ATT&CK - Speaking the Common LanguageLeveraging MITRE ATT&CK - Speaking the Common Language
Leveraging MITRE ATT&CK - Speaking the Common LanguageErik Van Buggenhout
 
Adversary Emulation using CALDERA
Adversary Emulation using CALDERAAdversary Emulation using CALDERA
Adversary Emulation using CALDERAErik Van Buggenhout
 
When Insiders ATT&CK!
When Insiders ATT&CK!When Insiders ATT&CK!
When Insiders ATT&CK!MITRE ATT&CK
 
ATT&CK Updates- ATT&CK's Open Source
ATT&CK Updates- ATT&CK's Open SourceATT&CK Updates- ATT&CK's Open Source
ATT&CK Updates- ATT&CK's Open SourceMITRE ATT&CK
 
ATT&CKING Containers in The Cloud
ATT&CKING Containers in The CloudATT&CKING Containers in The Cloud
ATT&CKING Containers in The CloudMITRE ATT&CK
 
ATT&CK Updates- Campaigns
ATT&CK Updates- CampaignsATT&CK Updates- Campaigns
ATT&CK Updates- CampaignsMITRE ATT&CK
 
ATT&CKing the Red/Blue Divide
ATT&CKing the Red/Blue DivideATT&CKing the Red/Blue Divide
ATT&CKing the Red/Blue DivideMITRE ATT&CK
 
Putting MITRE ATT&CK into Action with What You Have, Where You Are
Putting MITRE ATT&CK into Action with What You Have, Where You ArePutting MITRE ATT&CK into Action with What You Have, Where You Are
Putting MITRE ATT&CK into Action with What You Have, Where You AreKatie Nickels
 
Landing on Jupyter: The transformative power of data-driven storytelling for ...
Landing on Jupyter: The transformative power of data-driven storytelling for ...Landing on Jupyter: The transformative power of data-driven storytelling for ...
Landing on Jupyter: The transformative power of data-driven storytelling for ...MITRE ATT&CK
 
MongoDB World 2019: Turkeys vs. Swans: Building Antifragile IT Systems for Di...
MongoDB World 2019: Turkeys vs. Swans: Building Antifragile IT Systems for Di...MongoDB World 2019: Turkeys vs. Swans: Building Antifragile IT Systems for Di...
MongoDB World 2019: Turkeys vs. Swans: Building Antifragile IT Systems for Di...MongoDB
 
MITRE-Module 2 Slides.pdf
MITRE-Module 2 Slides.pdfMITRE-Module 2 Slides.pdf
MITRE-Module 2 Slides.pdfReZa AdineH
 

More Related Content

What's hot

MITRE ATT&CKcon 2.0: Using Threat Intelligence to Focus ATT&CK Activities; Da...
MITRE ATT&CKcon 2.0: Using Threat Intelligence to Focus ATT&CK Activities; Da...MITRE ATT&CKcon 2.0: Using Threat Intelligence to Focus ATT&CK Activities; Da...
MITRE ATT&CKcon 2.0: Using Threat Intelligence to Focus ATT&CK Activities; Da...MITRE - ATT&CKcon
 
State of the ATT&CK
State of the ATT&CKState of the ATT&CK
State of the ATT&CKMITRE ATT&CK
 
The ATT&CK Latin American APT Playbook
The ATT&CK Latin American APT PlaybookThe ATT&CK Latin American APT Playbook
The ATT&CK Latin American APT PlaybookMITRE ATT&CK
 
MITRE ATT&CKcon 2018: Hunters ATT&CKing with the Data, Roberto Rodriguez, Spe...
MITRE ATT&CKcon 2018: Hunters ATT&CKing with the Data, Roberto Rodriguez, Spe...MITRE ATT&CKcon 2018: Hunters ATT&CKing with the Data, Roberto Rodriguez, Spe...
MITRE ATT&CKcon 2018: Hunters ATT&CKing with the Data, Roberto Rodriguez, Spe...MITRE - ATT&CKcon
 
Mapping to MITRE ATT&CK: Enhancing Operations Through the Tracking of Interac...
Mapping to MITRE ATT&CK: Enhancing Operations Through the Tracking of Interac...Mapping to MITRE ATT&CK: Enhancing Operations Through the Tracking of Interac...
Mapping to MITRE ATT&CK: Enhancing Operations Through the Tracking of Interac...MITRE ATT&CK
 
MITRE ATT&CKcon 2.0: Lessons in Purple Team Testing with MITRE ATT&CK; Daniel...
MITRE ATT&CKcon 2.0: Lessons in Purple Team Testing with MITRE ATT&CK; Daniel...MITRE ATT&CKcon 2.0: Lessons in Purple Team Testing with MITRE ATT&CK; Daniel...
MITRE ATT&CKcon 2.0: Lessons in Purple Team Testing with MITRE ATT&CK; Daniel...MITRE - ATT&CKcon
 
From Theory to Practice: How My ATTACK Perspectives Have Changed
From Theory to Practice: How My ATTACK Perspectives Have ChangedFrom Theory to Practice: How My ATTACK Perspectives Have Changed
From Theory to Practice: How My ATTACK Perspectives Have ChangedMITRE - ATT&CKcon
 
ATT&CK Updates- ATT&CK for ICS
ATT&CK Updates- ATT&CK for ICSATT&CK Updates- ATT&CK for ICS
ATT&CK Updates- ATT&CK for ICSMITRE ATT&CK
 
Intelligence Failures of Lincolns Top Spies: What CTI Analysts Can Learn Fro...
Intelligence Failures of Lincolns Top Spies: What CTI Analysts Can Learn Fro... Intelligence Failures of Lincolns Top Spies: What CTI Analysts Can Learn Fro...
Intelligence Failures of Lincolns Top Spies: What CTI Analysts Can Learn Fro...MITRE ATT&CK
 
Leveraging MITRE ATT&CK - Speaking the Common Language
Leveraging MITRE ATT&CK - Speaking the Common LanguageLeveraging MITRE ATT&CK - Speaking the Common Language
Leveraging MITRE ATT&CK - Speaking the Common LanguageErik Van Buggenhout
 
Adversary Emulation using CALDERA
Adversary Emulation using CALDERAAdversary Emulation using CALDERA
Adversary Emulation using CALDERAErik Van Buggenhout
 
When Insiders ATT&CK!
When Insiders ATT&CK!When Insiders ATT&CK!
When Insiders ATT&CK!MITRE ATT&CK
 
ATT&CK Updates- ATT&CK's Open Source
ATT&CK Updates- ATT&CK's Open SourceATT&CK Updates- ATT&CK's Open Source
ATT&CK Updates- ATT&CK's Open SourceMITRE ATT&CK
 
ATT&CKING Containers in The Cloud
ATT&CKING Containers in The CloudATT&CKING Containers in The Cloud
ATT&CKING Containers in The CloudMITRE ATT&CK
 
ATT&CK Updates- Campaigns
ATT&CK Updates- CampaignsATT&CK Updates- Campaigns
ATT&CK Updates- CampaignsMITRE ATT&CK
 
ATT&CKing the Red/Blue Divide
ATT&CKing the Red/Blue DivideATT&CKing the Red/Blue Divide
ATT&CKing the Red/Blue DivideMITRE ATT&CK
 
Putting MITRE ATT&CK into Action with What You Have, Where You Are
Putting MITRE ATT&CK into Action with What You Have, Where You ArePutting MITRE ATT&CK into Action with What You Have, Where You Are
Putting MITRE ATT&CK into Action with What You Have, Where You AreKatie Nickels
 
Landing on Jupyter: The transformative power of data-driven storytelling for ...
Landing on Jupyter: The transformative power of data-driven storytelling for ...Landing on Jupyter: The transformative power of data-driven storytelling for ...
Landing on Jupyter: The transformative power of data-driven storytelling for ...MITRE ATT&CK
 

What's hot (20)

MITRE ATT&CKcon 2.0: Using Threat Intelligence to Focus ATT&CK Activities; Da...
MITRE ATT&CKcon 2.0: Using Threat Intelligence to Focus ATT&CK Activities; Da...MITRE ATT&CKcon 2.0: Using Threat Intelligence to Focus ATT&CK Activities; Da...
MITRE ATT&CKcon 2.0: Using Threat Intelligence to Focus ATT&CK Activities; Da...
 
State of the ATT&CK
State of the ATT&CKState of the ATT&CK
State of the ATT&CK
 
The ATT&CK Latin American APT Playbook
The ATT&CK Latin American APT PlaybookThe ATT&CK Latin American APT Playbook
The ATT&CK Latin American APT Playbook
 
ATT&CKcon Intro
ATT&CKcon IntroATT&CKcon Intro
ATT&CKcon Intro
 
MITRE ATT&CKcon 2018: Hunters ATT&CKing with the Data, Roberto Rodriguez, Spe...
MITRE ATT&CKcon 2018: Hunters ATT&CKing with the Data, Roberto Rodriguez, Spe...MITRE ATT&CKcon 2018: Hunters ATT&CKing with the Data, Roberto Rodriguez, Spe...
MITRE ATT&CKcon 2018: Hunters ATT&CKing with the Data, Roberto Rodriguez, Spe...
 
State of the ATTACK
State of the ATTACKState of the ATTACK
State of the ATTACK
 
Mapping to MITRE ATT&CK: Enhancing Operations Through the Tracking of Interac...
Mapping to MITRE ATT&CK: Enhancing Operations Through the Tracking of Interac...Mapping to MITRE ATT&CK: Enhancing Operations Through the Tracking of Interac...
Mapping to MITRE ATT&CK: Enhancing Operations Through the Tracking of Interac...
 
MITRE ATT&CKcon 2.0: Lessons in Purple Team Testing with MITRE ATT&CK; Daniel...
MITRE ATT&CKcon 2.0: Lessons in Purple Team Testing with MITRE ATT&CK; Daniel...MITRE ATT&CKcon 2.0: Lessons in Purple Team Testing with MITRE ATT&CK; Daniel...
MITRE ATT&CKcon 2.0: Lessons in Purple Team Testing with MITRE ATT&CK; Daniel...
 
From Theory to Practice: How My ATTACK Perspectives Have Changed
From Theory to Practice: How My ATTACK Perspectives Have ChangedFrom Theory to Practice: How My ATTACK Perspectives Have Changed
From Theory to Practice: How My ATTACK Perspectives Have Changed
 
ATT&CK Updates- ATT&CK for ICS
ATT&CK Updates- ATT&CK for ICSATT&CK Updates- ATT&CK for ICS
ATT&CK Updates- ATT&CK for ICS
 
Intelligence Failures of Lincolns Top Spies: What CTI Analysts Can Learn Fro...
Intelligence Failures of Lincolns Top Spies: What CTI Analysts Can Learn Fro... Intelligence Failures of Lincolns Top Spies: What CTI Analysts Can Learn Fro...
Intelligence Failures of Lincolns Top Spies: What CTI Analysts Can Learn Fro...
 
Leveraging MITRE ATT&CK - Speaking the Common Language
Leveraging MITRE ATT&CK - Speaking the Common LanguageLeveraging MITRE ATT&CK - Speaking the Common Language
Leveraging MITRE ATT&CK - Speaking the Common Language
 
Adversary Emulation using CALDERA
Adversary Emulation using CALDERAAdversary Emulation using CALDERA
Adversary Emulation using CALDERA
 
When Insiders ATT&CK!
When Insiders ATT&CK!When Insiders ATT&CK!
When Insiders ATT&CK!
 
ATT&CK Updates- ATT&CK's Open Source
ATT&CK Updates- ATT&CK's Open SourceATT&CK Updates- ATT&CK's Open Source
ATT&CK Updates- ATT&CK's Open Source
 
ATT&CKING Containers in The Cloud
ATT&CKING Containers in The CloudATT&CKING Containers in The Cloud
ATT&CKING Containers in The Cloud
 
ATT&CK Updates- Campaigns
ATT&CK Updates- CampaignsATT&CK Updates- Campaigns
ATT&CK Updates- Campaigns
 
ATT&CKing the Red/Blue Divide
ATT&CKing the Red/Blue DivideATT&CKing the Red/Blue Divide
ATT&CKing the Red/Blue Divide
 
Putting MITRE ATT&CK into Action with What You Have, Where You Are
Putting MITRE ATT&CK into Action with What You Have, Where You ArePutting MITRE ATT&CK into Action with What You Have, Where You Are
Putting MITRE ATT&CK into Action with What You Have, Where You Are
 
Landing on Jupyter: The transformative power of data-driven storytelling for ...
Landing on Jupyter: The transformative power of data-driven storytelling for ...Landing on Jupyter: The transformative power of data-driven storytelling for ...
Landing on Jupyter: The transformative power of data-driven storytelling for ...
 

Similar to ATT&CKing Your Adversaries - Operationalizing cyber intelligence in your own environment for better sleep and a safer tomorrow

MongoDB World 2019: Turkeys vs. Swans: Building Antifragile IT Systems for Di...
MongoDB World 2019: Turkeys vs. Swans: Building Antifragile IT Systems for Di...MongoDB World 2019: Turkeys vs. Swans: Building Antifragile IT Systems for Di...
MongoDB World 2019: Turkeys vs. Swans: Building Antifragile IT Systems for Di...MongoDB
 
MITRE-Module 2 Slides.pdf
MITRE-Module 2 Slides.pdfMITRE-Module 2 Slides.pdf
MITRE-Module 2 Slides.pdfReZa AdineH
 
MITRE ATT&CKcon 2.0: ATT&CK Updates - ICS; Otis Alexander, MITRE
MITRE ATT&CKcon 2.0: ATT&CK Updates - ICS; Otis Alexander, MITREMITRE ATT&CKcon 2.0: ATT&CK Updates - ICS; Otis Alexander, MITRE
MITRE ATT&CKcon 2.0: ATT&CK Updates - ICS; Otis Alexander, MITREMITRE - ATT&CKcon
 
Symantec Webinar | How to Detect Targeted Ransomware with MITRE ATT&CK
Symantec Webinar | How to Detect Targeted Ransomware with MITRE ATT&CKSymantec Webinar | How to Detect Targeted Ransomware with MITRE ATT&CK
Symantec Webinar | How to Detect Targeted Ransomware with MITRE ATT&CKSymantec
 
MITRE-Module 5 Slides.pdf
MITRE-Module 5 Slides.pdfMITRE-Module 5 Slides.pdf
MITRE-Module 5 Slides.pdfReZa AdineH
 
APT ATT&CK - Threat-based Purple Teaming with ATT&CK - x33fcon 2019
APT ATT&CK - Threat-based Purple Teaming with ATT&CK - x33fcon 2019APT ATT&CK - Threat-based Purple Teaming with ATT&CK - x33fcon 2019
APT ATT&CK - Threat-based Purple Teaming with ATT&CK - x33fcon 2019Daniel Weiss
 
MITRE ATT&CKcon 2.0: ATT&CK Updates - Sightings; John Wunder, MITRE
MITRE ATT&CKcon 2.0: ATT&CK Updates - Sightings; John Wunder, MITREMITRE ATT&CKcon 2.0: ATT&CK Updates - Sightings; John Wunder, MITRE
MITRE ATT&CKcon 2.0: ATT&CK Updates - Sightings; John Wunder, MITREMITRE - ATT&CKcon
 
MITRE ATT&CKcon 2.0: State of the ATT&CK; Blake Strom, MITRE
MITRE ATT&CKcon 2.0: State of the ATT&CK; Blake Strom, MITREMITRE ATT&CKcon 2.0: State of the ATT&CK; Blake Strom, MITRE
MITRE ATT&CKcon 2.0: State of the ATT&CK; Blake Strom, MITREMITRE - ATT&CKcon
 
Scrapping for Pennies: How to implement security without a budget
Scrapping for Pennies: How to implement security without a budgetScrapping for Pennies: How to implement security without a budget
Scrapping for Pennies: How to implement security without a budgetRyan Wisniewski
 
MITRE-Module 1 Slides.pdf
MITRE-Module 1 Slides.pdfMITRE-Module 1 Slides.pdf
MITRE-Module 1 Slides.pdfReZa AdineH
 
0Day to HeroDay: Surviving an Attack and Establishing a Security Organization
0Day to HeroDay: Surviving an Attack and Establishing a Security Organization0Day to HeroDay: Surviving an Attack and Establishing a Security Organization
0Day to HeroDay: Surviving an Attack and Establishing a Security OrganizationRyan Wisniewski
 
Beyond S3 Buckets - Effective Countermeasures for Emerging Cloud Threats
Beyond S3 Buckets - Effective Countermeasures for Emerging Cloud ThreatsBeyond S3 Buckets - Effective Countermeasures for Emerging Cloud Threats
Beyond S3 Buckets - Effective Countermeasures for Emerging Cloud ThreatsSBWebinars
 
How Facility Controls Systems Present Cybersecurity Challenges - OSIsoft
How Facility Controls Systems Present Cybersecurity Challenges - OSIsoftHow Facility Controls Systems Present Cybersecurity Challenges - OSIsoft
How Facility Controls Systems Present Cybersecurity Challenges - OSIsoftOSIsoft, LLC
 
RH-ISAC Summit 2019 - Adam Pennington - Leveraging MITRE ATT&CK™ for Detectio...
RH-ISAC Summit 2019 - Adam Pennington - Leveraging MITRE ATT&CK™ for Detectio...RH-ISAC Summit 2019 - Adam Pennington - Leveraging MITRE ATT&CK™ for Detectio...
RH-ISAC Summit 2019 - Adam Pennington - Leveraging MITRE ATT&CK™ for Detectio...Adam Pennington
 
MITRE-Module 4 Slides.pdf
MITRE-Module 4 Slides.pdfMITRE-Module 4 Slides.pdf
MITRE-Module 4 Slides.pdfReZa AdineH
 
MITRE ATT&CKcon 2.0: ATT&CK Updates - Controls Mapping; Mike Long, MITRE
MITRE ATT&CKcon 2.0: ATT&CK Updates - Controls Mapping; Mike Long, MITREMITRE ATT&CKcon 2.0: ATT&CK Updates - Controls Mapping; Mike Long, MITRE
MITRE ATT&CKcon 2.0: ATT&CK Updates - Controls Mapping; Mike Long, MITREMITRE - ATT&CKcon
 
Bootstrapping UX
Bootstrapping UXBootstrapping UX
Bootstrapping UXJim Lane
 
Conférence - Arbor Edge Defense, Première et dernière ligne de défense intell...
Conférence - Arbor Edge Defense, Première et dernière ligne de défense intell...Conférence - Arbor Edge Defense, Première et dernière ligne de défense intell...
Conférence - Arbor Edge Defense, Première et dernière ligne de défense intell...African Cyber Security Summit
 
How BlueHat Cyber Uses SanerNow to Automate Patch Management and Beyond
How BlueHat Cyber Uses SanerNow to Automate Patch Management and BeyondHow BlueHat Cyber Uses SanerNow to Automate Patch Management and Beyond
How BlueHat Cyber Uses SanerNow to Automate Patch Management and BeyondSecPod Technologies
 
MITRE ATT&CKcon 2.0: ATT&CK Updates - TRAM; Jackie Lasky and Sarah Yoder, MITRE
MITRE ATT&CKcon 2.0: ATT&CK Updates - TRAM; Jackie Lasky and Sarah Yoder, MITREMITRE ATT&CKcon 2.0: ATT&CK Updates - TRAM; Jackie Lasky and Sarah Yoder, MITRE
MITRE ATT&CKcon 2.0: ATT&CK Updates - TRAM; Jackie Lasky and Sarah Yoder, MITREMITRE - ATT&CKcon
 

Similar to ATT&CKing Your Adversaries - Operationalizing cyber intelligence in your own environment for better sleep and a safer tomorrow (20)

MongoDB World 2019: Turkeys vs. Swans: Building Antifragile IT Systems for Di...
MongoDB World 2019: Turkeys vs. Swans: Building Antifragile IT Systems for Di...MongoDB World 2019: Turkeys vs. Swans: Building Antifragile IT Systems for Di...
MongoDB World 2019: Turkeys vs. Swans: Building Antifragile IT Systems for Di...
 
MITRE-Module 2 Slides.pdf
MITRE-Module 2 Slides.pdfMITRE-Module 2 Slides.pdf
MITRE-Module 2 Slides.pdf
 
MITRE ATT&CKcon 2.0: ATT&CK Updates - ICS; Otis Alexander, MITRE
MITRE ATT&CKcon 2.0: ATT&CK Updates - ICS; Otis Alexander, MITREMITRE ATT&CKcon 2.0: ATT&CK Updates - ICS; Otis Alexander, MITRE
MITRE ATT&CKcon 2.0: ATT&CK Updates - ICS; Otis Alexander, MITRE
 
Symantec Webinar | How to Detect Targeted Ransomware with MITRE ATT&CK
Symantec Webinar | How to Detect Targeted Ransomware with MITRE ATT&CKSymantec Webinar | How to Detect Targeted Ransomware with MITRE ATT&CK
Symantec Webinar | How to Detect Targeted Ransomware with MITRE ATT&CK
 
MITRE-Module 5 Slides.pdf
MITRE-Module 5 Slides.pdfMITRE-Module 5 Slides.pdf
MITRE-Module 5 Slides.pdf
 
APT ATT&CK - Threat-based Purple Teaming with ATT&CK - x33fcon 2019
APT ATT&CK - Threat-based Purple Teaming with ATT&CK - x33fcon 2019APT ATT&CK - Threat-based Purple Teaming with ATT&CK - x33fcon 2019
APT ATT&CK - Threat-based Purple Teaming with ATT&CK - x33fcon 2019
 
MITRE ATT&CKcon 2.0: ATT&CK Updates - Sightings; John Wunder, MITRE
MITRE ATT&CKcon 2.0: ATT&CK Updates - Sightings; John Wunder, MITREMITRE ATT&CKcon 2.0: ATT&CK Updates - Sightings; John Wunder, MITRE
MITRE ATT&CKcon 2.0: ATT&CK Updates - Sightings; John Wunder, MITRE
 
MITRE ATT&CKcon 2.0: State of the ATT&CK; Blake Strom, MITRE
MITRE ATT&CKcon 2.0: State of the ATT&CK; Blake Strom, MITREMITRE ATT&CKcon 2.0: State of the ATT&CK; Blake Strom, MITRE
MITRE ATT&CKcon 2.0: State of the ATT&CK; Blake Strom, MITRE
 
Scrapping for Pennies: How to implement security without a budget
Scrapping for Pennies: How to implement security without a budgetScrapping for Pennies: How to implement security without a budget
Scrapping for Pennies: How to implement security without a budget
 
MITRE-Module 1 Slides.pdf
MITRE-Module 1 Slides.pdfMITRE-Module 1 Slides.pdf
MITRE-Module 1 Slides.pdf
 
0Day to HeroDay: Surviving an Attack and Establishing a Security Organization
0Day to HeroDay: Surviving an Attack and Establishing a Security Organization0Day to HeroDay: Surviving an Attack and Establishing a Security Organization
0Day to HeroDay: Surviving an Attack and Establishing a Security Organization
 
Beyond S3 Buckets - Effective Countermeasures for Emerging Cloud Threats
Beyond S3 Buckets - Effective Countermeasures for Emerging Cloud ThreatsBeyond S3 Buckets - Effective Countermeasures for Emerging Cloud Threats
Beyond S3 Buckets - Effective Countermeasures for Emerging Cloud Threats
 
How Facility Controls Systems Present Cybersecurity Challenges - OSIsoft
How Facility Controls Systems Present Cybersecurity Challenges - OSIsoftHow Facility Controls Systems Present Cybersecurity Challenges - OSIsoft
How Facility Controls Systems Present Cybersecurity Challenges - OSIsoft
 
RH-ISAC Summit 2019 - Adam Pennington - Leveraging MITRE ATT&CK™ for Detectio...
RH-ISAC Summit 2019 - Adam Pennington - Leveraging MITRE ATT&CK™ for Detectio...RH-ISAC Summit 2019 - Adam Pennington - Leveraging MITRE ATT&CK™ for Detectio...
RH-ISAC Summit 2019 - Adam Pennington - Leveraging MITRE ATT&CK™ for Detectio...
 
MITRE-Module 4 Slides.pdf
MITRE-Module 4 Slides.pdfMITRE-Module 4 Slides.pdf
MITRE-Module 4 Slides.pdf
 
MITRE ATT&CKcon 2.0: ATT&CK Updates - Controls Mapping; Mike Long, MITRE
MITRE ATT&CKcon 2.0: ATT&CK Updates - Controls Mapping; Mike Long, MITREMITRE ATT&CKcon 2.0: ATT&CK Updates - Controls Mapping; Mike Long, MITRE
MITRE ATT&CKcon 2.0: ATT&CK Updates - Controls Mapping; Mike Long, MITRE
 
Bootstrapping UX
Bootstrapping UXBootstrapping UX
Bootstrapping UX
 
Conférence - Arbor Edge Defense, Première et dernière ligne de défense intell...
Conférence - Arbor Edge Defense, Première et dernière ligne de défense intell...Conférence - Arbor Edge Defense, Première et dernière ligne de défense intell...
Conférence - Arbor Edge Defense, Première et dernière ligne de défense intell...
 
How BlueHat Cyber Uses SanerNow to Automate Patch Management and Beyond
How BlueHat Cyber Uses SanerNow to Automate Patch Management and BeyondHow BlueHat Cyber Uses SanerNow to Automate Patch Management and Beyond
How BlueHat Cyber Uses SanerNow to Automate Patch Management and Beyond
 
MITRE ATT&CKcon 2.0: ATT&CK Updates - TRAM; Jackie Lasky and Sarah Yoder, MITRE
MITRE ATT&CKcon 2.0: ATT&CK Updates - TRAM; Jackie Lasky and Sarah Yoder, MITREMITRE ATT&CKcon 2.0: ATT&CK Updates - TRAM; Jackie Lasky and Sarah Yoder, MITRE
MITRE ATT&CKcon 2.0: ATT&CK Updates - TRAM; Jackie Lasky and Sarah Yoder, MITRE
 

Recently uploaded

Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Mattias Andersson
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsMemoori
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024Scott Keck-Warren
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Scott Keck-Warren
 
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024BookNet Canada
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationSlibray Presentation
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsAndrey Dotsenko
 
Science&tech:THE INFORMATION AGE STS.pdf
Science&tech:THE INFORMATION AGE STS.pdfScience&tech:THE INFORMATION AGE STS.pdf
Science&tech:THE INFORMATION AGE STS.pdfjimielynbastida
 
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)Wonjun Hwang
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsMark Billinghurst
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationRidwan Fadjar
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitecturePixlogix Infotech
 
Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024BookNet Canada
 
Key Features Of Token Development (1).pptx
Key Features Of Token Development (1).pptxKey Features Of Token Development (1).pptx
Key Features Of Token Development (1).pptxLBM Solutions
 
Snow Chain-Integrated Tire for a Safe Drive on Winter Roads
Snow Chain-Integrated Tire for a Safe Drive on Winter RoadsSnow Chain-Integrated Tire for a Safe Drive on Winter Roads
Snow Chain-Integrated Tire for a Safe Drive on Winter RoadsHyundai Motor Group
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Enterprise Knowledge
 

Recently uploaded (20)

Hot Sexy call girls in Panjabi Bagh 🔝 9953056974 🔝 Delhi escort Service
Hot Sexy call girls in Panjabi Bagh 🔝 9953056974 🔝 Delhi escort ServiceHot Sexy call girls in Panjabi Bagh 🔝 9953056974 🔝 Delhi escort Service
Hot Sexy call girls in Panjabi Bagh 🔝 9953056974 🔝 Delhi escort Service
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial Buildings
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024
 
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck Presentation
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
 
Science&tech:THE INFORMATION AGE STS.pdf
Science&tech:THE INFORMATION AGE STS.pdfScience&tech:THE INFORMATION AGE STS.pdf
Science&tech:THE INFORMATION AGE STS.pdf
 
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptxE-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
 
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR Systems
 
The transition to renewables in India.pdf
The transition to renewables in India.pdfThe transition to renewables in India.pdf
The transition to renewables in India.pdf
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 Presentation
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC Architecture
 
Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
 
Key Features Of Token Development (1).pptx
Key Features Of Token Development (1).pptxKey Features Of Token Development (1).pptx
Key Features Of Token Development (1).pptx
 
Vulnerability_Management_GRC_by Sohang Sengupta.pptx
Vulnerability_Management_GRC_by Sohang Sengupta.pptxVulnerability_Management_GRC_by Sohang Sengupta.pptx
Vulnerability_Management_GRC_by Sohang Sengupta.pptx
 
Snow Chain-Integrated Tire for a Safe Drive on Winter Roads
Snow Chain-Integrated Tire for a Safe Drive on Winter RoadsSnow Chain-Integrated Tire for a Safe Drive on Winter Roads
Snow Chain-Integrated Tire for a Safe Drive on Winter Roads
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024
 

ATT&CKing Your Adversaries - Operationalizing cyber intelligence in your own environment for better sleep and a safer tomorrow

  • 1. ©2019 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for public release. Distribution unlimited 19-01075-6. ATT&CKing Your Adversaries Operationalizing cyber intelligence in your own environment for better sleep and a safer tomorrow ©2019 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for public release. Distribution unlimited 19-01075-6.
  • 2. ©2019 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for public release. Distribution unlimited 19-01075-6. Introductions ▪ Jamie Williams ( @jamieantisocial) ▪ Cyber adversarial engineer ▪ Adversary emulation + behavior detection research ▪ Sarah Yoder ( @sarah__yoder) ▪ Cyber security engineer ▪ Cyber threat intelligence + red teaming ▪ ATT&CK & ATT&CK Evaluations ( @MITREattack) | 2 |
  • 3. ©2019 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for public release. Distribution unlimited 19-01075-6. If You Were at 2018 BSidesLV ATT&CKing the Status Quo: Improving Threat Intelligence and Cyber Defense with MITRE ATT&CK™ Slides available at https://www.slideshare.net/KatieNickels/bsideslv-2018- katie-nickels-and-john-wunder-attcking-the-status-quo Threat Intelligence
  • 4. ©2019 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for public release. Distribution unlimited 19-01075-6. If You Were at 2018 BSidesLV
  • 5. ©2019 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for public release. Distribution unlimited 19-01075-6. Agenda | 5 | Intelligence Behaviors Detections Emulations
  • 6. ©2019 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for public release. Distribution unlimited 19-01075-6. | 6 | Intelligence to Behaviors Intelligence Behaviors Detections Emulations
  • 7. ©2019 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for public release. Distribution unlimited 19-01075-6. | 7 | "Cyber threat intelligence (CTI) is the process of analyzing information about adversaries, as well as the output of that analysis, in a way that can be applied to help network defenders and decisionmakers” What is Cyber Threat Intelligence? https://www.mitre.org/capabilities/cybersecurity/overview/ cybersecurity-blog/using-attck-to-advance-cyber-threat
  • 8. ©2019 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for public release. Distribution unlimited 19-01075-6. Where Does It Come From? | 8 | Internal Reporting Open Source Finished Reporting Indicators
  • 9. ©2019 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for public release. Distribution unlimited 19-01075-6. | 9 | All this information can become overwhelming! but fear not! ATT&CK can help! https://www.pngkit.com/png/ full/53-533742_batman-vs- superman-open-shirt- vector.png ©2019 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for public release. Distribution unlimited 19-01075-6.
  • 10. ©2019 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for public release. Distribution unlimited 19-01075-6. | 10 | Knowledge base of adversary behaviors Threat-informed defense Based on real-world observations References to publicly reported intelligence Free, open, and globally accessible attack.mitre.org Community contribution driven attack@mitre.org @MITREattack
  • 11. ©2019 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for public release. Distribution unlimited 19-01075-6. | 11 | ATT&CK Structure Tactics: the adversary’s technical goals Techniques: how the goals are achieved … … Initial Access Execution Persistence Privilege Escalation Defense Evasion Credential Access Discovery Lateral Movement Collection Exfiltration Impact Procedures: specific technique implementations Command and Control
  • 12. ©2019 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for public release. Distribution unlimited 19-01075-6. What is a Behavior? ▪More than hash values, signatures, IPs, etc. ▪Think ATT&CK structure ▪ Tactic (Why) ▪ Technique (How) ▪ Procedure (What) | 12 |
  • 13. ©2019 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for public release. Distribution unlimited 19-01075-6. Finding Behaviors in Finished Reporting | 13 | https://usa.kaspersky.com/about/press-releases/2018_synack-doppelganging
  • 14. ©2019 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for public release. Distribution unlimited 19-01075-6. Finding Behaviors in Finished Reporting | 14 | https://usa.kaspersky.com/about/press-releases/2018_synack-doppelganging
  • 15. ©2019 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for public release. Distribution unlimited 19-01075-6. Mapping the Behaviors to ATT&CK | 15 | 1. Start with the Tactic Defense Evasion Defense Evasion https://usa.kaspersky.com/about/press-releases/2018_synack-doppelganging Impact Discovery Discovery Defense Evasion Defense Evasion
  • 16. ©2019 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for public release. Distribution unlimited 19-01075-6. Mapping the Behaviors to ATT&CK | 16 | 2. Move onto Techniques Defense Evasion Defense Evasion Discovery Discovery | Obfuscated Files or Information(T1027) | Obfuscated Files or Information(T1027) | File and Directory Discovery (T1083) | Virtualization/Sandbox Evasion (T1497) | Data Encrypted for Impact (T1486) | Process Discovery (T1057) | System Service Discovery (T1007) https://usa.kaspersky.com/about/press-releases/2018_synack-doppelganging Defense Evasion Impact Defense Evasion | Execution Guardrails (T1480)
  • 17. ©2019 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for public release. Distribution unlimited 19-01075-6. SynAck (S0242) | 17 | https://attack.mitre.org/software/S0242/
  • 18. ©2019 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for public release. Distribution unlimited 19-01075-6. | 18 | Behaviors to Detections Intelligence Behaviors Detections Emulations
  • 19. ©2019 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for public release. Distribution unlimited 19-01075-6. Understanding the Behavior ▪ Stages of a behavior 1. Prerequisites – What does execution require? 2. Mechanics – What does execution involve? 3. Artifacts – What does execution leave behind? ▪ Critical when considering detection | 19 | Driver loaded Image loaded Process creation ProcessAccess CreateRemoteThread Network connection FileCreate RegistryEvent 1 2 3
  • 20. ©2019 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for public release. Distribution unlimited 19-01075-6. Let’s Pick One Behavior to Focus On | 20 | https://attack.mitre.org/software/S0242/
  • 21. ©2019 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for public release. Distribution unlimited 19-01075-6. Let’s Pick One Behavior to Focus On | 21 | https://attack.mitre.org/software/S0242/
  • 22. ©2019 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for public release. Distribution unlimited 19-01075-6. Understanding Process Doppelgänging ▪ Originally presented at Black Hat Europe 2017 ▪ Based on deprecated transactional NTFS (TxT) ▪ Load and execute arbitrary code in legitimate process ▪ Avoid typical process injection/hollowing mechanics and AV scans (disk writes) ▪ Undocumented process creation API (Zw/NtCreateProcessEx) to execute from memory section rather than disk | 22 | https://www.blackhat.com/docs/eu-17/materials/eu-17-Liberman-Lost-In-Transaction-Process-Doppelganging.pdf
  • 23. ©2019 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for public release. Distribution unlimited 19-01075-6. Legitimate File | 23 | Understanding Process Doppelgänging
  • 24. ©2019 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for public release. Distribution unlimited 19-01075-6. Legitimate FileMalicious File | 24 | 1 Transact – overwrite target file Understanding Process Doppelgänging
  • 25. ©2019 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for public release. Distribution unlimited 19-01075-6. Legitimate FileMalicious File | 25 | 2 Load – load target file Understanding Process Doppelgänging
  • 26. ©2019 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for public release. Distribution unlimited 19-01075-6. Legitimate File | 26 | 3 Rollback – undo write in step 1 Understanding Process Doppelgänging
  • 27. ©2019 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for public release. Distribution unlimited 19-01075-6. Changes are only visible within transaction Legitimate File Animate – execute loaded file from step 2 | 27 | 4 Understanding Process Doppelgänging
  • 28. ©2019 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for public release. Distribution unlimited 19-01075-6. ▪ Monitor and analyze calls to CreateTranscation, CreateFileTransacted, RollbackTransaction, and other rarely used functions indicative of TxF activity. Process Doppelgänging also invokes an outdated and undocumented implementation of the Windows process loader via calls to NtCreateProcessEx and NtCreateThreadEx as well as API calls used to modify memory within another process, such as WriteProcessMemory. ▪ Scan file objects reported during the PsSetCreateProcessNotifyRoutine, which triggers a callback whenever a process is created or deleted, specifically looking for file objects with enabled write access. Also consider comparing file objects loaded in memory to the corresponding file on disk. ▪ Analyze process behavior to determine if a process is performing actions it usually does not, such as opening network connections, reading files, or other suspicious actions that could relate to post-compromise behavior. | 28 | https://attack.mitre.org/techniques/T1186 Understanding Process Doppelgänging
  • 29. ©2019 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for public release. Distribution unlimited 19-01075-6. ▪ Monitor and analyze calls to CreateTranscation, CreateFileTransacted, RollbackTransaction, and other rarely used functions indicative of TxF activity. Process Doppelgänging also invokes an outdated and undocumented implementation of the Windows process loader via calls to NtCreateProcessEx and NtCreateThreadEx as well as API calls used to modify memory within another process, such as WriteProcessMemory. ▪ Scan file objects reported during the PsSetCreateProcessNotifyRoutine, which triggers a callback whenever a process is created or deleted, specifically looking for file objects with enabled write access. Also consider comparing file objects loaded in memory to the corresponding file on disk. ▪ Analyze process behavior to determine if a process is performing actions it usually does not, such as opening network connections, reading files, or other suspicious actions that could relate to post-compromise behavior. API Monitoring Process Monitoring File Monitoring | 29 | https://attack.mitre.org/techniques/T1186 Understanding Process Doppelgänging
  • 30. ©2019 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for public release. Distribution unlimited 19-01075-6. | 30 | Detections to Emulations Intelligence Behaviors Detections Emulations
  • 31. ©2019 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for public release. Distribution unlimited 19-01075-6. Emulating Process Doppelgänging ▪ PoC available from Ruben Booen (@FuzzySec) ▪ github.com/FuzzySecurity/ PowerShell-Suite ▪ Start-Eidolon.ps1 ▪ Windows API (T1106) via PowerShell (T1086) | 31 | https://gph.is/1XJvaI6
  • 32. ©2019 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for public release. Distribution unlimited 19-01075-6. Start-Eidolon -Target Calc.exe -Mimikatz -Verbose Emulating Process Doppelgänging | 32 |
  • 33. ©2019 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for public release. Distribution unlimited 19-01075-6. Detecting Emulation - Sysmon | 33 |
  • 34. ©2019 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for public release. Distribution unlimited 19-01075-6. Detecting Emulation – ETW | 34 | https://www.countercept.com/blog/d etecting-malicious-use-of-net-part-1 https://github.com/fireeye/pywintrace
  • 35. ©2019 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for public release. Distribution unlimited 19-01075-6. Detecting Emulation – ETW | 35 | https://www.countercept.com/blog/d etecting-malicious-use-of-net-part-1 https://github.com/fireeye/pywintrace
  • 36. ©2019 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for public release. Distribution unlimited 19-01075-6. Detecting Emulation - ProcMon | 36 |
  • 37. ©2019 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for public release. Distribution unlimited 19-01075-6. Detecting Emulation - ProcMon | 37 |
  • 38. ©2019 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for public release. Distribution unlimited 19-01075-6. Detecting Emulation – Windows Event ▪ Security Event Log ID 4985 - The state of a transaction has changed | 38 |
  • 39. ©2019 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for public release. Distribution unlimited 19-01075-6. Detecting Emulation – Windows Event ▪ Security Event Log ID 4985 - The state of a transaction has changed | 39 |
  • 40. ©2019 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for public release. Distribution unlimited 19-01075-6. Detecting Emulation – Wrap up | 40 | NTFS File events (ProcMon) Process creation (Sysmon) API Calls (ETW) Windows Event log 1 2 3 ▪ Be wary of costs and tradeoffs between data sources ▪ Capture and share analytic knowledge ▪ CAR, Sigma, EQL, etc.
  • 41. ©2019 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for public release. Distribution unlimited 19-01075-6. Expanding Emulation | 41 | https://github.com/mitre/caldera
  • 42. ©2019 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for public release. Distribution unlimited 19-01075-6. CALDERA 1. Add our payload (Start-Eidon.ps1) in payloads 2. Add a new ability 3. Add a new adversary | 42 | https://github.com/mitre/caldera
  • 43. ©2019 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for public release. Distribution unlimited 19-01075-6. CALDERA 1. Add our payload (Start-Eidon.ps1) in payloads 2. Add a new ability 3. Add a new adversary | 43 | https://github.com/mitre/caldera
  • 44. ©2019 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for public release. Distribution unlimited 19-01075-6. Emulate Entire Operation | 44 | https://github.com/mitre/caldera
  • 45. ©2019 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for public release. Distribution unlimited 19-01075-6. Emulate Entire Operation | 45 | https://github.com/mitre/caldera
  • 46. ©2019 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for public release. Distribution unlimited 19-01075-6. Important Takeaways ▪ Understand adversary behaviors ▪ Where you can get this intel ▪ What (procedure) they do as well as why (tactic) and how (technique) ▪ Emulate adversary behaviors ▪ Vary procedures for different impressions ▪ Understand defenses and how they apply to your environment and organization ▪ Recognize additional opportunities based on specific procedures ▪ Be wary of building analytics vice just enabling visibility (cost) | 46 |
  • 47. ©2019 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for public release. Distribution unlimited 19-01075-6. | 47 | attack.mitre.org medium.com/mitre-attack attack@mitre.org @MITREattack @sarah__yoder @jamieantisocial