ATT&CKing Your Adversaries - Operationalizing cyber intelligence in your own environment for better sleep and a safer tomorrow
Presented at BSides Las Vegas 2019 by Sarah Yoder and Jamie Williams
1. ATT&CKing Your Adversaries: Operationalizing cyber intelligence in your own environment for better sleep and a safer tomorrow
©2019 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for public release. Distribution unlimited 19-01075-6.

2. Introductions
▪ Jamie Williams (@jamieantisocial)
  ▪ Cyber adversarial engineer
  ▪ Adversary emulation + behavior detection research
▪ Sarah Yoder (@sarah__yoder)
  ▪ Cyber security engineer
  ▪ Cyber threat intelligence + red teaming
▪ ATT&CK & ATT&CK Evaluations (@MITREattack)

3. If You Were at 2018 BSidesLV
ATT&CKing the Status Quo: Improving Threat Intelligence and Cyber Defense with MITRE ATT&CK™
Slides available at https://www.slideshare.net/KatieNickels/bsideslv-2018-katie-nickels-and-john-wunder-attcking-the-status-quo

4. If You Were at 2018 BSidesLV

5. Agenda
Intelligence → Behaviors → Detections → Emulations

6. Intelligence to Behaviors
(section divider: Intelligence → Behaviors → Detections → Emulations)

7. What is Cyber Threat Intelligence?
"Cyber threat intelligence (CTI) is the process of analyzing information about adversaries, as well as the output of that analysis, in a way that can be applied to help network defenders and decisionmakers"
https://www.mitre.org/capabilities/cybersecurity/overview/cybersecurity-blog/using-attck-to-advance-cyber-threat

8. Where Does It Come From?
▪ Internal Reporting
▪ Open Source
▪ Finished Reporting
▪ Indicators

9. All this information can become overwhelming! But fear not! ATT&CK can help!
(image: https://www.pngkit.com/png/full/53-533742_batman-vs-superman-open-shirt-vector.png)

10. ATT&CK
▪ Knowledge base of adversary behaviors
▪ Threat-informed defense
▪ Based on real-world observations
▪ References to publicly reported intelligence
▪ Free, open, and globally accessible
▪ Community contribution driven
attack.mitre.org | attack@mitre.org | @MITREattack

11. ATT&CK Structure
▪ Tactics: the adversary's technical goals
▪ Techniques: how the goals are achieved
▪ Procedures: specific technique implementations
Tactic columns: Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Collection, Command and Control, Exfiltration, Impact

12. What is a Behavior?
▪ More than hash values, signatures, IPs, etc.
▪ Think ATT&CK structure
  ▪ Tactic (Why)
  ▪ Technique (How)
  ▪ Procedure (What)

13. Finding Behaviors in Finished Reporting
https://usa.kaspersky.com/about/press-releases/2018_synack-doppelganging

14. Finding Behaviors in Finished Reporting (continued)
https://usa.kaspersky.com/about/press-releases/2018_synack-doppelganging

15. Mapping the Behaviors to ATT&CK
1. Start with the Tactic
Tactics tagged in the SynAck report: Defense Evasion, Defense Evasion, Impact, Discovery, Discovery, Defense Evasion, Defense Evasion
https://usa.kaspersky.com/about/press-releases/2018_synack-doppelganging

16. Mapping the Behaviors to ATT&CK
2. Move onto Techniques
▪ Defense Evasion: Obfuscated Files or Information (T1027)
▪ Defense Evasion: Obfuscated Files or Information (T1027)
▪ Discovery: File and Directory Discovery (T1083)
▪ Defense Evasion: Virtualization/Sandbox Evasion (T1497)
▪ Impact: Data Encrypted for Impact (T1486)
▪ Discovery: Process Discovery (T1057)
▪ Discovery: System Service Discovery (T1007)
▪ Defense Evasion: Execution Guardrails (T1480)
https://usa.kaspersky.com/about/press-releases/2018_synack-doppelganging

17. SynAck (S0242)
https://attack.mitre.org/software/S0242/
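The tactic-then-technique mapping on slides 15 and 16 ends with a list of (tactic, technique ID) pairs; the natural next step is to turn that list into an ATT&CK Navigator layer so the coverage can be viewed on the matrix and compared with other reports. The following is an added example written for this page, not code from the deck or from MITRE. The tactic order and the SynAck technique list are taken from the slides; the layer field names follow the public Navigator layer format as I know it, and the version numbers in "versions" are placeholders that you should check against the Navigator build you use.

```python
"""Build an ATT&CK Navigator layer from behaviours mapped out of a finished report.

Added example, not code from the BSidesLV 2019 deck or from MITRE. The tactic
order and the SynAck technique list come from the slides; the layer field names
follow the public Navigator layer format, and the version numbers are
placeholders (assumption: check them against the Navigator build you use).
"""
import json
import re
from collections import OrderedDict

# Tactic columns, left to right, as on the "ATT&CK Structure" slide.
TACTIC_ORDER = [
    "Initial Access", "Execution", "Persistence", "Privilege Escalation",
    "Defense Evasion", "Credential Access", "Discovery", "Lateral Movement",
    "Collection", "Command and Control", "Exfiltration", "Impact",
]

# (tactic, technique ID, technique name) as mapped from the SynAck press release
# on the "Move onto Techniques" slide; T1027 appears twice because the report
# describes two separate obfuscation behaviours.
SYNACK_BEHAVIORS = [
    ("Defense Evasion", "T1027", "Obfuscated Files or Information"),
    ("Defense Evasion", "T1027", "Obfuscated Files or Information"),
    ("Discovery", "T1083", "File and Directory Discovery"),
    ("Defense Evasion", "T1497", "Virtualization/Sandbox Evasion"),
    ("Impact", "T1486", "Data Encrypted for Impact"),
    ("Discovery", "T1057", "Process Discovery"),
    ("Discovery", "T1007", "System Service Discovery"),
    ("Defense Evasion", "T1480", "Execution Guardrails"),
]

TECHNIQUE_ID = re.compile(r"^T\d{4}(\.\d{3})?$")  # T1234 or sub-technique T1234.001


def tactic_slug(tactic: str) -> str:
    """Navigator wants tactic names in kebab-case, e.g. 'defense-evasion'."""
    return tactic.lower().replace(" ", "-")


def group_by_tactic(behaviors):
    """Validate each mapping, count repeat sightings of a technique, and order the
    result by tactic column so the layer reads like the matrix."""
    grouped = {}
    for tactic, tid, name in behaviors:
        if tactic not in TACTIC_ORDER:
            raise ValueError(f"unknown tactic: {tactic!r}")
        if not TECHNIQUE_ID.match(tid):
            raise ValueError(f"malformed technique ID: {tid!r}")
        entry = grouped.setdefault(tactic, OrderedDict())
        if tid in entry:
            entry[tid]["count"] += 1
        else:
            entry[tid] = {"name": name, "count": 1}
    return OrderedDict((t, grouped[t]) for t in TACTIC_ORDER if t in grouped)


def build_layer(name: str, behaviors, source_url: str) -> dict:
    """Return a Navigator layer dict; score = number of sightings in the report."""
    techniques = []
    for tactic, entries in group_by_tactic(behaviors).items():
        for tid, info in entries.items():
            techniques.append({
                "techniqueID": tid,
                "tactic": tactic_slug(tactic),
                "score": info["count"],
                "comment": f"{info['name']}: {info['count']} sighting(s) in {source_url}",
                "enabled": True,
            })
    return {
        "name": name,
        "domain": "enterprise-attack",
        "description": f"Behaviours mapped from {source_url}",
        # Placeholder version numbers (assumption); adjust for your Navigator.
        "versions": {"layer": "4.4", "attack": "9", "navigator": "4.5"},
        "techniques": techniques,
    }


if __name__ == "__main__":
    layer = build_layer(
        "SynAck (S0242) from finished reporting", SYNACK_BEHAVIORS,
        "https://usa.kaspersky.com/about/press-releases/2018_synack-doppelganging")
    print(json.dumps(layer, indent=2))
```

Scoring a technique by how many times the report describes it keeps the "procedure" level of the structure visible on the matrix: two obfuscation behaviours in one report is a different signal from one. Validation rejects a tactic name that is not a column on slide 11, which catches the common mapping mistake of writing a technique name or a vendor's own category where the tactic should be.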
18. Behaviors to Detections
(section divider: Intelligence → Behaviors → Detections → Emulations)

19. Understanding the Behavior
▪ Stages of a behavior
  1. Prerequisites – What does execution require?
  2. Mechanics – What does execution involve?
  3. Artifacts – What does execution leave behind?
▪ Critical when considering detection
(figure: event types such as Driver loaded, Image loaded, Process creation, ProcessAccess, CreateRemoteThread, Network connection, FileCreate and RegistryEvent, annotated with stages 1–3)

20. Let's Pick One Behavior to Focus On
https://attack.mitre.org/software/S0242/

21. Let's Pick One Behavior to Focus On (continued)
https://attack.mitre.org/software/S0242/

22. Understanding Process Doppelgänging
▪ Originally presented at Black Hat Europe 2017
▪ Based on deprecated transactional NTFS (TxF)
▪ Load and execute arbitrary code in legitimate process
▪ Avoid typical process injection/hollowing mechanics and AV scans (disk writes)
▪ Undocumented process creation API (Zw/NtCreateProcessEx) to execute from memory section rather than disk
https://www.blackhat.com/docs/eu-17/materials/eu-17-Liberman-Lost-In-Transaction-Process-Doppelganging.pdf

23. Understanding Process Doppelgänging
Starting state: Legitimate File on disk

24. Understanding Process Doppelgänging
1 Transact – overwrite target file (Legitimate File → Malicious File, inside a transaction)

25. Understanding Process Doppelgänging
2 Load – load target file (the transacted Malicious File)

26. Understanding Process Doppelgänging
3 Rollback – undo write in step 1 (disk holds the Legitimate File again)

27. Understanding Process Doppelgänging
4 Animate – execute loaded file from step 2
Changes are only visible within transaction

28. Understanding Process Doppelgänging
▪ Monitor and analyze calls to CreateTransaction, CreateFileTransacted, RollbackTransaction, and other rarely used functions indicative of TxF activity. Process Doppelgänging also invokes an outdated and undocumented implementation of the Windows process loader via calls to NtCreateProcessEx and NtCreateThreadEx as well as API calls used to modify memory within another process, such as WriteProcessMemory.
▪ Scan file objects reported during the PsSetCreateProcessNotifyRoutine, which triggers a callback whenever a process is created or deleted, specifically looking for file objects with enabled write access. Also consider comparing file objects loaded in memory to the corresponding file on disk.
▪ Analyze process behavior to determine if a process is performing actions it usually does not, such as opening network connections, reading files, or other suspicious actions that could relate to post-compromise behavior.
https://attack.mitre.org/techniques/T1186

29. Understanding Process Doppelgänging
The same T1186 detection text as slide 28, annotated with the data source each bullet relies on: API Monitoring, Process Monitoring, File Monitoring.
https://attack.mitre.org/techniques/T1186

30. Detections to Emulations
(section divider: Intelligence → Behaviors → Detections → Emulations)

31. Emulating Process Doppelgänging
▪ PoC available from Ruben Boonen (@FuzzySec)
  ▪ github.com/FuzzySecurity/PowerShell-Suite
  ▪ Start-Eidolon.ps1
▪ Windows API (T1106) via PowerShell (T1086)
(image: https://gph.is/1XJvaI6)

32. Emulating Process Doppelgänging
Start-Eidolon -Target Calc.exe -Mimikatz -Verbose

33. Detecting Emulation – Sysmon

34. Detecting Emulation – ETW
https://www.countercept.com/blog/detecting-malicious-use-of-net-part-1
https://github.com/fireeye/pywintrace

35. Detecting Emulation – ETW (continued)

36. Detecting Emulation – ProcMon

37. Detecting Emulation – ProcMon (continued)

38. Detecting Emulation – Windows Event
▪ Security Event Log ID 4985 – The state of a transaction has changed

39. Detecting Emulation – Windows Event (continued)
▪ Security Event Log ID 4985 – The state of a transaction has changed

40. Detecting Emulation – Wrap up
Data sources used: NTFS File events (ProcMon), Process creation (Sysmon), API Calls (ETW), Windows Event log
▪ Be wary of costs and tradeoffs between data sources
▪ Capture and share analytic knowledge
  ▪ CAR, Sigma, EQL, etc.
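Slides 33 to 40 show the same emulated behaviour from four data sources and then warn about the cost of each. What a detection engineer wants next is the correlation: a process creation (Sysmon) that follows a transaction state change (Security 4985) and TxF-related API calls (ETW) from the same parent within a short window is a far stronger signal than any one of those alone, since legitimate software also uses TxF. The block below is an added example written for this page, not code from the deck, from MITRE, or from any product. The telemetry records are constructed, and the field names (ts, host, source, event_id, pid, ppid, api, image) are a hypothetical normalised schema you would populate from your own Security log, ETW and Sysmon feeds.

```python
"""Correlate the data sources from the "Detecting Emulation" slides into one alert.

Added example; not code from the BSidesLV 2019 deck, MITRE, or any product. The
records below are constructed, and the field names are a hypothetical normalised
schema (assumption) that you would fill from your own Security, ETW and Sysmon feeds.
"""
from collections import defaultdict
from typing import Dict, List

# Constructed telemetry. ts = seconds from an arbitrary epoch; pid/ppid = process IDs.
SAMPLE_EVENTS: List[Dict] = [
    # Host A: a lone Security 4985 (transaction state changed). TxF is used by
    # legitimate software too, so on its own this must not alert.
    {"ts": 100.0, "host": "A", "source": "security", "event_id": 4985, "pid": 900},
    # Host B: the sequence the deck walks through, seen from three sources.
    {"ts": 200.0, "host": "B", "source": "security", "event_id": 4985, "pid": 4242},
    {"ts": 200.4, "host": "B", "source": "etw", "event_id": 0, "pid": 4242,
     "api": "NtCreateProcessEx"},
    {"ts": 200.5, "host": "B", "source": "sysmon", "event_id": 1, "pid": 5001,
     "ppid": 4242, "image": r"C:\Windows\System32\calc.exe"},
    # Host C: process creation well after an unrelated 4985 from the same parent.
    {"ts": 300.0, "host": "C", "source": "security", "event_id": 4985, "pid": 77},
    {"ts": 400.0, "host": "C", "source": "sysmon", "event_id": 1, "pid": 78,
     "ppid": 77, "image": r"C:\Windows\System32\notepad.exe"},
]

# API names the T1186 detection text on slide 28 calls out as TxF-indicative or
# as the undocumented loader path.
TXF_APIS = {"CreateTransaction", "CreateFileTransacted", "RollbackTransaction",
            "NtCreateProcessEx", "NtCreateThreadEx"}


def corroborating_sources(process_create: Dict, prior: List[Dict], window: float) -> List[str]:
    """Names of data sources that, within `window` seconds before a Sysmon process
    creation and from the same parent process, show transaction/TxF activity."""
    parent = process_create.get("ppid")
    found = set()
    for ev in prior:
        if process_create["ts"] - ev["ts"] > window or ev.get("pid") != parent:
            continue
        if ev["source"] == "security" and ev["event_id"] == 4985:
            found.add("security:4985")
        elif ev["source"] == "etw" and ev.get("api") in TXF_APIS:
            found.add("etw:" + ev["api"])
    return sorted(found)


def correlate(events: List[Dict], window: float = 5.0) -> List[Dict]:
    """One alert per process creation that at least one other source corroborates.
    `confidence` counts distinct data sources (Sysmon itself plus each corroborating
    kind), so a hit seen in the Security log, ETW and Sysmon outranks a hit seen by
    Sysmon plus one other source."""
    by_host = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        by_host[ev["host"]].append(ev)
    alerts = []
    for host, evs in by_host.items():
        for i, ev in enumerate(evs):
            if ev["source"] != "sysmon" or ev["event_id"] != 1:
                continue
            sources = corroborating_sources(ev, evs[:i], window)
            if sources:
                kinds = {s.split(":")[0] for s in sources}
                alerts.append({"host": host, "pid": ev["pid"], "image": ev["image"],
                               "sources": sources, "confidence": 1 + len(kinds)})
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

The confidence tiering is the practical answer to the "costs and tradeoffs" bullet: Security 4985 only appears if the relevant Object Access auditing is enabled, and an ETW API trace is the most expensive of the four sources to collect and keep, so the logic still alerts from Sysmon plus one corroborating source and simply ranks the fully corroborated case higher. Tuning the window is where the tradeoff lives: too wide and routine TxF use by installers starts pairing with unrelated process creations, too narrow and a slow emulation run slips through.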
41. Expanding Emulation
https://github.com/mitre/caldera

42. CALDERA
1. Add our payload (Start-Eidolon.ps1) in payloads
2. Add a new ability
3. Add a new adversary
https://github.com/mitre/caldera

43. CALDERA (continued)
1. Add our payload (Start-Eidolon.ps1) in payloads
2. Add a new ability
3. Add a new adversary
https://github.com/mitre/caldera

44. Emulate Entire Operation
https://github.com/mitre/caldera

45. Emulate Entire Operation (continued)
https://github.com/mitre/caldera

46. Important Takeaways
▪ Understand adversary behaviors
  ▪ Where you can get this intel
  ▪ What (procedure) they do as well as why (tactic) and how (technique)
▪ Emulate adversary behaviors
  ▪ Vary procedures for different impressions
▪ Understand defenses and how they apply to your environment and organization
  ▪ Recognize additional opportunities based on specific procedures
  ▪ Be wary of building analytics vice just enabling visibility (cost)

47. Contact
attack.mitre.org | medium.com/mitre-attack | attack@mitre.org | @MITREattack | @sarah__yoder | @jamieantisocial