Driving Intelligence with MITRE ATT&CK: Leveraging Limited Resources to Build an Evolving Threat Repository

•

0 likes•93 views

From ATT&CKcon 4.0 By Scott Roberts, Interpres Security "Building threat intelligence is challenging, even under the most ideal circumstances. But what if you are even more limited in your resources? You are part of a small (but skilled) team, with high expectations, and people are relying on you to make business-critical decisions…all the time! What do you do in that situation? Turn a Toyota Tercel into a tank, of course. The Interpres Security threat intelligence team found itself in that exact situation. Wanting to leverage the MITRE ATT&CK catalog in creating a comprehensive and timely threat intelligence repository, the Interpres team built a series of tools, processes, and paradigms that we call Intelligence Engineering. In this talk, we’ll examine how we combined ATT&CK, STIX2, the Vertex Project’s open-source intelligence platform, Synapse, and custom code to deliver meaningful, rapid, verifiable intelligence to our customers. We’ll share lessons learned on automation, how to run multiple ATT&CK libraries side-by-side, and making programmatic intelligence delivery scalable and effective – just like building a tank out of an imported sedan."

Technology

Scott J Roberts
Head of Threat Research
2023-10-25
Leveraging Limited Resources to Build an
Evolving Threat Repository
Driving Intelligence with
MITRE ATT&CK

Scott J Roberts
Head of Threat
Research at Interpres

What Interpres Does
Defense
Readiness
01
Defense
Surface
Optimization
02
Prioritize
Vulnerabilities
03
Stack &
Product
Rationalization
04

MITRE ATT&CK for Internal Customers
Interpres is Intel driven from the core.
Built originally on public threat intelligence data
straight from mitre/cti.
Needed custom threat data to keep up.

Metrics for Threat Research at Interpres
Depth Breadth Speed Accuracy

Goals
• Code First: git push or bust
• Depth: Collection Requirements
• Breadth: Collection Requirements
• Speed: Automation
• Accuracy: Automation & Manual
Review
• Compatibility: Output to STIX2

We want MITRE
Intelligence & Interpres
Intelligence… with as little
duplication as possible!

STIX2 != ATT&CK && ATT&CK != STIX2
ATT&CK Tactics Techniques Groups Software Campaigns
STIX2 Attack-
Pattern
Attack-
Pattern
Intrusion-Set Malware
(Usually…)
Campaigns
ATT&CK to STIX2

We want MITRE Intelligence & Interpres Intelligence…
with as little duplication as possible!
• Wherever possible we use MITRE ATT&CK Content
- Exclusively using MITRE ATT&CK Techniques
- Leverage MITRE ATT&CK Groups, Malware, Campaigns, & Relationships
• Build custom Groups, Malware, Campaigns & Relationships
- Based on internal research, RFIs, etc
- More on that a bit later
• Relationships are intelligently divided between MITRE/CTI & Intrepres/CTI
• DANGER (But Available): All lookups prioritize Interpres/CTI

Tooling is Limited
• All content is code (STIX2) and created with code
- Automated: Custom Automapper (Let computer do what computers are good at)
- By Hand Creation & Curation: Jupyter Notebooks + STIX2 Library
• Actively working on STIX2 Helper Library
- Merging, Bulk Actions, etc
- Testing Mapping Scenarios
• Git is workflow management
• Yes, we looked at Decider, TRAM, & ATT&CK Workbench

Advantages of Intelligence As Code: CI Error

Advantages of Intelligence As Code: Solutions as Code

The Future
There are
limitations of STIX2
Library & Jupyter
Notebooks
Synapse is code for
Intelligence &
Easier to Extend
Continue
leveraging STIX2
for Compatibility &
Tooling

Salvador Dali
“Have no fear of perfection –
you’ll never reach it.”

From ATT&CKcon 4.0 By Olaf Harton, FalconForce "Modern security teams have been engineering solid detections for a while now. All this great output also needs to be managed well. * How can we make sure that the detections we have spent a lot of time developing are deployed and are running in production in the same way as they were designed? * How can we assure our detection and prevention controls are still working and are detecting the attacks they have been designed to cover? We will show how we have built a robust and flexible development and deployment process using cloud technnologies. This process allows us to quickly and easily implement new detection controls, test them across multiple environments, and deploy them in a controlled and consistent manner. We will discuss how security teams can reap the benefits of using detection-as-code, and how this can help achieving a single source of truth for their detection logic. Adopting this approach enables teams to use automation and unit testing to manage and validate their detection controls across multiple environments and ensure proper documentation. By adopting a detection-as-code approach, teams can gain the confidence that comes from knowing that their detections and mitigations work as intended."

MITRE ATT&CK based Threat Analysis for Electronic Flight Bag

MITRE ATT&CK

From ATT&CKcon 4.0 By Ozan Olali, IBM Security The Electronic Flight Bag (EFB) has become an indispensable tool in modern aviation, providing pilots with digital resources and critical flight information. However, the increased reliance on EFB systems running on operating systems, introduces various security challenges. In this session, a technical assessment approach with MITRE ATT&CK framework to perform a comprehensive threat analysis of an EFB solution, will be presented. The potential attack vectors and relation with the risks for business/ flight operations will be demonstrated.

.LNK Tears of the Kingdom

MITRE ATT&CK

From ATT&CKcon 4.0 By Andrew Northern, Proofpoint and Michael August Raggi, Google "Join us for an enthralling exploration of Defense Evasion (TA0005) within the captivating realm of Hyrule. Prepare to immerse yourself in the intriguing history of shortcut (.lnk) abuse and its associated procedures, as we unveil and demonstrate an innovative and previously undisclosed sub-technique (proposed) of T1027 (Obfuscated Files or Information). During this talk, we will go beyond theory and share real-world insights. Discover firsthand how publicly attributed APT actors have leveraged this new sub-technique in their attacks against government entities. Through captivating stories and in-depth observations, we will shed light on the techniques and procedures employed by these adversaries. Levity and entertainment will be courtesy of timely and relevant bespoke Legend of Zelda memes playing upon the concept of the ""master hand ability"" gluing together bizarre elements to create surprisingly effective weapons, a concept that runs parallel to the discussion of abusing known Windows file types in unconventional ways. Join us as we embark on this fascinating journey filled with knowledge, entertainment, and a touch of Legend of Zelda magic!"

CISA usage of ATT&CK in Cybersecurity Advisories

MITRE ATT&CK

From ATT&CKcon 4.0 By James Stanley, CISA "CISA's Adoption of the MITRE ATT&CK Framework Over the past several years, CISA has worked to incorporate ATT&CK whenever applicable into our Cybersecurity Advisories and other cyber guidance. It has become the universal language for discussing how the adversary operates, and we leverage it for our stakeholders to respond to urgent events in real time, as well as detailed reports on subjects like our Red Team activities to give network defenders proactive guidance on how to harden their networks."

Updates from the Center for Threat-Informed Defense

MITRE ATT&CK

Cloud Native Workload ATT&CK Matrix

MITRE ATT&CK

From ATT&CKcon 4.0 By Matthew Mills, Nathaniel Beckstead, and Ryan Simon, Datadog Cloud native computing has fundamentally changed traditional security methodologies and attack surfaces. This new architectural approach combines new operational tools and services like continuous integration, container engines, and orchestrators. Some organizations struggle to identify and respond to threats they specifically face when running cloud native workloads. Perimeter-centric security evangelizes defense-in-depth or the onion model to implement different layers of defense. Cloud native security hyper-focuses on four unique layers: Cloud, Clusters, Containers, and Code. Today's defenders have to look across several existing ATT&CK matrices including Linux Enterprise, Containers, Kubernetes, and IaaS to holistically evaluate and model threats or attack paths across the four distinct layers of cloud native workloads. In conclusion, we will discuss some of the challenges facing threat modeling cloud native workloads, including showing how to leverage several different ATT&CK matrices to create a distinct Cloud Native Workload ATT&CK matrix. The creation of this matrix will help defenders take the guesswork out of identifying what tactics serve as potential threats against a cloud native workload in order to enhance their defensive baseline and detection coverage.

One Leg to Stand on: Adventures in Adversary Tracking with ATT&CK

MITRE ATT&CK

From ATT&CKcon 4.0 By Nicole Hoffman and James Nutland, Cisco How many times have you added MITRE ATT&CK techniques to the end of a report and thought you could be doing more? Even though ATT&CK has become an industry standard for cyber threat intelligence reporting, all too often, techniques are thrown at the bottoms of reports and blogs without any context never to be seen again after dissemination. This is not useful for intelligence producers or consumers. Avast ye maties! Within this presentation, we are going to show analysts how they can use ATT&CK as a guideline for creating a contextual knowledge base for adversary tracking. Gone are the days of floundering about looking for information collected about a specific adversary or behavior. Gone are the days of wondering why the rum and context are always gone. Ahoy, me hearties! Hoist up the sails and prepare your sea legs for some swashbuckling adversary tales from the high seas where we will focus on the fickle commodity loader, Qakbot.

Tidying up your Nest: Validating ATT&CK Technique Coverage using EDR Telemetry

MITRE ATT&CK

From ATT&CKcon 4.0 By Adam Ostrich and Jesse Brown, Red Canary "Endpoint Detection & Response (EDR) telemetry offers defenders a powerful tool for catching threats. However, understanding how to validate ATT&CK technique coverage using EDR telemetry can be a challenge. As Detection Validation Engineers at a Managed Detection & Response (MDR) provider that ingests nearly a petabyte of endpoint telemetry every day, we’re in the unique and necessary position to analyze this telemetry at scale and validate its efficacy against common adversary tradecraft. After providing a brief introduction to EDR telemetry, we’ll discuss how to break ATT&CK techniques down to individual data components, perform functional tests, analyze the ways that specific actions translate to telemetry records, and compare this analysis across different EDR sensors. We’ll discuss the tooling we’ve built to assist us in running these tests and analyzing the resulting telemetry, and we’ll explain how security teams can improve their own functional testing efforts by creating an automated validation workflow. Finally, we’ll describe how this approach has enabled us to more effectively understand and use EDR telemetry, highlighting where this telemetry excels and fails at detecting ATT&CK techniques."

From ATT&CKcon 4.0 By Lauren Brennan, GuidePoint Security Evaluating the maturity of your security operations program can be complex and challenging. From choosing the right framework to use, to understanding all aspects of how people, processes, and technologies can cohesively operate to grow your SOC, evaluating your security operations is crucial. This presentation will discuss how to evaluate your security operations program using the MITRE ATT&CK framework and talk about best practices for evaluations. We will explore how to identify gaps in your operations and improve your overall security posture with foundational activities. Attendees can expect to learn practical tips for leveraging the MITRE framework as well as actionable takeaways for evaluating and improving their own security operations.

Civil Society, Pegasus, and Predator: What Sophisticated Spyware Means For Us...

MITRE ATT&CK

Evaluating and Enhancing Security Maturity through MITRE ATT&CK Mapping

MITRE ATT&CK

From ATT&CKcon 4.0 By Pranusha Somareddy, Lark Health "By aligning security controls with specific adversary techniques and tactics, organizations can gain a comprehensive understanding of their defensive capabilities. This mapping exercise serves as a vital step in identifying potential gaps and weaknesses within the security architecture. The evaluation of security maturity using the MITRE ATT&CK framework provides valuable insights into the effectiveness of existing controls, shedding light on areas that require improvement or further attention. In this presentation, we will delve into practical strategies and real-world examples that showcase how organizations can successfully leverage the MITRE ATT&CK framework to enhance their security maturity. We will also explore key topics such as: (i)Customizing security training and awareness programs based on roles and responsibilities (ii)Conducting thorough assessments of incident response capabilities through the framework (iii)Integrating threat intelligence derived from ATT&CK to continuously improve the security posture"

MITRE ATT&CK Updates: State of the ATT&CK (ATT&CKcon 4.0 Edition)

MITRE ATT&CK

Exploring the Labyrinth: Deep dive into the Lazarus Group's foray into macOS

MITRE ATT&CK

From ATT&CKcon 4.0 By Marina Liang "LABYRINTH CHOLLIMA is a prolific Democratic People's Republic of Korea (DPRK) nexus adversary focused on cyber espionage. They have been recently observed targeting FinTech (financial technology) companies in cryptocurrency revenue generation efforts. LABYRINTH CHOLLIMA has been associated with many high profile attacks, including the Sony Pictures Entertainment (SPE) breach, the WannaCry 2.0 global surge, and most recently, the 3CX supply chain compromise. Increasingly versed in cross-platform intrusions, LABYRINTH CHOLLIMA has been observed targeting macOS operating systems, and evolving their tactics, techniques, and tooling to keep in lockstep with the evolving security landscape. This talk will deep dive into the interactive macOS intrusions Crowdstrike has attributed to LABYRINTH CHOLLIMA. We will delve into the adversary's macOS tradecraft, techniques to circumvent existing OS protections, and social engineering tactics, while showcasing how their mechanisms and tooling map to the MITRE ATT&CK kill chain, featuring some newly proposed MITRE techniques related to the Transparency, Consent, and Control (TCC) database."

FIRST CTI Symposium: Turning intelligence into action with MITRE ATT&CK™

Katie Nickels

ATT&CK Updates- ATT&CK for ICS

MITRE ATT&CK

ATT&CK Updates- ATT&CK's Open Source

MITRE ATT&CK

It's just a jump to the left (of boom): Prioritizing detection implementation...

MITRE ATT&CK

From ATT&CKcon 3.0 By Lindsay Kaye and Scott Small, Recorded Future Many organizations ask: "Where do I start, and where do I go next" when prioritizing implementation of behavior-based detections? We often hear "use threat intelligence!" but your goals must be qualified and quantified in order to properly prioritize the most relevant TTPs. A wealth of open-sourced, ATT&CK-mapped resources now exists, giving security teams greater access to both detections and red team tests they can implement, but intelligence (also aligned with ATT&CK), is essential to provide necessary context to ensure that detection efforts are focused effectively. This session will discuss a new approach to the prioritization challenge, starting with an analysis of the current defensive landscape, as measured by ATT&CK coverage for more than a dozen detection repositories and technologies, and guidance on sourcing TTP intelligence. The team will then show how real-world defensive strategies can be strengthened by encompassing a full-spectrum view of threat detection, including the implementation of YARA, Sigma, and Snort in security appliances. Critically, alignment of both intelligence and defenses with ATT&CK enables defenders to move the focus of detection efforts to indications of malicious behavior before the final payload is deployed, where controls are most effective at preventing serious damage to the organization.

ATT&CKcon Intro

MITRE ATT&CK

Mapping ATT&CK Techniques to ENGAGE Activities

MITRE ATT&CK

From ATT&CKcon 3.0 By David Barroso, CounterCraft When an adversary engages in a specific behavior, they are vulnerable to expose an unintended weakness. By looking at each ATT&CK technique, we can examine the weaknesses revealed and identify an engagement activity or activities to exploit this weakness. During the presentation we will see some real examples of how we can use different ATT&CK techniques in order to plan different adversary engagement activities.

Threat Modelling - It's not just for developers

MITRE ATT&CK

From ATT&CKcon 3.0 By Tim Wadhwa-Brown, Cisco The purpose of this session will be to look at how you can take public information about threat actors, vulnerabilities, and incidents and use them to build better defenses, utilizing ATT&CK along the way to align your security organization to the people and assets that matter. Stories are critical to how humans learn, so this session will leverage a story book approach to give the audience some ideas on approaches they could use. Tim will take the audience through 3 real world examples where he has leveraged ATT&CK to drive operational improvement. The premise of each story will be real, although some of the details will be apocryphal to protect the innocent. One story will focus on defending a network, one will look at adversary detection, while the final one will look at responding to an active attack and in each case, Tim will guide the audience to think about the kinds of data sources that ATT&CK tracks, that they might call upon to achieve a successful outcome.

Intelligence Failures of Lincolns Top Spies: What CTI Analysts Can Learn Fro...

MITRE ATT&CK

Mapping to MITRE ATT&CK: Enhancing Operations Through the Tracking of Interac...

MITRE ATT&CK

From ATT&CKcon 3.0 By Jason Wood and Justin Swisher, CrowdStrike When it comes to understanding and tracking intrusion tradecraft, security teams must have the tools and processes that allow the mapping of hands-on adversary tradecraft. Doing this enables your team to both understand the adversaries and attacks you currently see and observe how these adversaries and attacks evolve over time. This session will explore how a threat hunting team uses MITRE ATT&CK to understand and categorize adversary activity. The team will demonstrate how threat hunters map ATT&CK TTPs by showcasing a recent interactive intrusion against a Linux endpoint and how the framework allowed for granular tracking of tradecraft and enhanced security operations. They will also take a look into the changes in the Linux activity they have observed over time, using the ATT&CK navigator to compare and contrast technique usage. This session will provide insights into how we use MITRE ATT&CK as a powerful resource to track intrusion tradecraft, identify adversary trends, and prepare for attacks of the future.

Landing on Jupyter: The transformative power of data-driven storytelling for ...

MITRE ATT&CK

From ATT&CKcon 3.0 By Jose Barajas and Stephan Chenette, AttackIQ Every cybersecurity leader wants visibility into the health of their security program. Yet teams suffer with disparate data streams - CTI teams and the SOC often use separate Excel spreadsheets, an anachronistic practice - and silos constrain their ability to operate effectively. Enter the Jupyter notebook, an open-source computational notebook that researchers use to combine code, computing output, text, and media into a single interface. In this talk, we share three stories of how organizations use Jupyter notebooks to align ATT&CK-based attack flows to the security program, generating data about detection and prevention failures, defensive gaps, and longitudinal performance. By using Jupyter notebooks in this way, teams can better leverage ATT&CK for security effectiveness. It becomes less of a bingo card and more of a strategic tool for understanding the health of the program against big tactics (I.e., lateral movement), defensive gaps (I.e., micro-segmentation), and the team's performance.

MITRE ATT&CKcon 2.0: Lessons in Purple Team Testing with MITRE ATT&CK; Daniel...

MITRE - ATT&CKcon

ATT&CKING Containers in The Cloud

MITRE ATT&CK

From ATT&CKcon 3.0 By Jared Stroud, Lacework Adversaries target common cloud misconfigurations in container-focused workflows for initial access. Whether this is Docker or Kubernetes environments, Lacework Labs has identified adversaries attempting to deploy malicious container images (T1610) , mine Cryptocurrency (T1496), and deploy C2 agents. Defenders new to the container space may be unaware of the built-in capabilities popular container runtime engines have that can help defend against rogue containers being deployed into their environment. Attendees will walk away with an understanding of what these attack patterns look like based on honeypot data Lacework has gathered over the past year, as well as techniques on how to defend their own container focused workloads.

ATT&CK Updates- Campaigns

MITRE ATT&CK

AI Cybersecurity: Pros & Cons. AI is reshaping cybersecurity

Tasnim Alasali

Why defensive research is sexy too.. … and a real sign of skill

Ollie Whitehouse

What's hot

ATT&CK is the Best Defense - Emulating Sophisticated Adversary Malware to Bol...

MITRE ATT&CK

MITRE ATT&CK Updates: ICS

MITRE ATT&CK

Grow Up! Evaluating and Maturing Your SOC using MITRE ATT&CK

MITRE ATT&CK

Civil Society, Pegasus, and Predator: What Sophisticated Spyware Means For Us...

MITRE ATT&CK

Evaluating and Enhancing Security Maturity through MITRE ATT&CK Mapping

MITRE ATT&CK

MITRE ATT&CK Updates: State of the ATT&CK (ATT&CKcon 4.0 Edition)

MITRE ATT&CK

Exploring the Labyrinth: Deep dive into the Lazarus Group's foray into macOS

MITRE ATT&CK

FIRST CTI Symposium: Turning intelligence into action with MITRE ATT&CK™

Katie Nickels

ATT&CK Updates- ATT&CK for ICS

MITRE ATT&CK

ATT&CK Updates- ATT&CK's Open Source

MITRE ATT&CK

It's just a jump to the left (of boom): Prioritizing detection implementation...

MITRE ATT&CK

ATT&CKcon Intro

MITRE ATT&CK

Mapping ATT&CK Techniques to ENGAGE Activities

MITRE ATT&CK

Threat Modelling - It's not just for developers

MITRE ATT&CK

Intelligence Failures of Lincolns Top Spies: What CTI Analysts Can Learn Fro...

MITRE ATT&CK

Mapping to MITRE ATT&CK: Enhancing Operations Through the Tracking of Interac...

MITRE ATT&CK

Landing on Jupyter: The transformative power of data-driven storytelling for ...

MITRE ATT&CK

MITRE ATT&CKcon 2.0: Lessons in Purple Team Testing with MITRE ATT&CK; Daniel...

MITRE - ATT&CKcon

ATT&CKING Containers in The Cloud

MITRE ATT&CK

ATT&CK Updates- Campaigns

MITRE ATT&CK

What's hot (20)

ATT&CK is the Best Defense - Emulating Sophisticated Adversary Malware to Bol...

MITRE ATT&CK Updates: ICS

Grow Up! Evaluating and Maturing Your SOC using MITRE ATT&CK

Civil Society, Pegasus, and Predator: What Sophisticated Spyware Means For Us...

Evaluating and Enhancing Security Maturity through MITRE ATT&CK Mapping

MITRE ATT&CK Updates: State of the ATT&CK (ATT&CKcon 4.0 Edition)

Exploring the Labyrinth: Deep dive into the Lazarus Group's foray into macOS

FIRST CTI Symposium: Turning intelligence into action with MITRE ATT&CK™

ATT&CK Updates- ATT&CK for ICS

ATT&CK Updates- ATT&CK's Open Source

It's just a jump to the left (of boom): Prioritizing detection implementation...

ATT&CKcon Intro

Mapping ATT&CK Techniques to ENGAGE Activities

Threat Modelling - It's not just for developers

Intelligence Failures of Lincolns Top Spies: What CTI Analysts Can Learn Fro...

Mapping to MITRE ATT&CK: Enhancing Operations Through the Tracking of Interac...

Landing on Jupyter: The transformative power of data-driven storytelling for ...

MITRE ATT&CKcon 2.0: Lessons in Purple Team Testing with MITRE ATT&CK; Daniel...

ATT&CKING Containers in The Cloud

ATT&CK Updates- Campaigns

Similar to Driving Intelligence with MITRE ATT&CK: Leveraging Limited Resources to Build an Evolving Threat Repository

AI Cybersecurity: Pros & Cons. AI is reshaping cybersecurity

Tasnim Alasali

Why defensive research is sexy too.. … and a real sign of skill

Ollie Whitehouse

Upgrade Your SOC with Cortex XSOAR & Elastic SIEM

Elasticsearch

Ashrith Barthur, Security Scientist, H2o.ai, at MLconf 2017

MLconf

Machine Learning Based Attack Vector Modeling for CyberSecurity: Connections have behavioural patterns that are unique to protocols, loads, window sizes, bandwidth, and mainly the type of traffic. A CDN enterprise behaves completely differently than how a Cloud service company would behave and they both would be different from a corporation. This also means that attack vectors and attack landscapes are different in all these places. In this talk we speak about modeling different kinds of attacks and build a model that is able to identify these different kinds of attacks using ML. The method we use is to identify different profiles based on many variables that specifically but robustly identify attacks of different kinds. The variables are specific to business, network profile, traffic. The variables are also high-level i.e. aggregate, and packet-level. This way the models are specifically picking up on constant variations in traffic, and create machine learning models to identify these attacks. Using the power of H2O these analyses are not just limited to a research and analysis of the traffic and concluding with a “OH, this was what it was.” moment but to actually deploy code, besides existing IDS and IPS, or deploying highly optimized, independent programs that can handle high thruputs at the rate of 1.2 Million decisions per second making it one of the fastest implementations of ML to identify, defend and protect critical infrastructure that are potentially under threat.

AI for Manufacturing (Machine Vision, Edge AI, Federated Learning)

byteLAKE

This is the extended presentation about byteLAKE's and Lenovo's Artificial Intelligence solutions for Manufacturing. Topics covered: AI strategy for manufacturing, Edge AI, Federated Learning and Machine Vision. It's the first publication in the upcoming series: AI for Manufacturing. Highlights: AI-assisted quality monitoring automation, AI-assisted production line monitoring and issues detection, AI-assisted measurements, Intelligent Cameras and many more. Reach out to us to learn more: welcome@byteLAKE.com. Presented during the world's first Federated Learning conference (Jun'20). Recording: https://youtu.be/IMqRIi45dDA Related articles: - Revolution in factories: Industry 4.0. https://medium.com/@marcrojek/revolution-in-factories-industry-4-0-conference-made-in-wroclaw-2020-translation-ae96e5e14d55 - Cognitive Automation helps where RPAs fall short. https://medium.com/@marcrojek/cognitive-automation-helps-where-rpas-fall-short-a1c5a01a66f8 - Machine Vision, how AI brings value to industries. https://medium.com/@marcrojek/machine-vision-how-ai-brings-value-to-industries-e6a4f8e56f42 Learn more: - https://www.bytelake.com/en/cognitive-services/ - https://www.lenovo.com/ai - https://federatedlearningconference.com/

I can haz cake: Benefits of working with MITRE on ATT&CK

MITRE ATT&CK

From ATT&CKcon 4.0 By Tim Wadhwa-Brown, Cisco The purpose of this session will be to look at how the linux-malware repo came to take shape and how we've used it to inform our view on adversarial behaviour over the last couple of years. Since the original reason for staring this project was to look at Linux coverage in ATT&CK, we'll play back some of the interesting points and reflect on how they've affected ATT&CK itself.

Security Operations, MITRE ATT&CK, SOC Roles / Competencies

Harry McLaren

Embeded system Basics.pptx

KundanSuman4

Virtual Splunk User Group - Phantom Workbook Automation & Threat Hunting with...

Harry McLaren

We’ll be exploring some of the more advanced capabilities of Phantom and also discussing the security framework from MITRE “ATT&CK” and it’s valued use when integrating it with Splunk Enterprise! We’ll also have two SplunkTrust members available for some general Q&A in our own ‘Meet the Experts’. - Splunk Phantom Workbook Automation - SOAR (Security Orchestration, Automation & Response) -- Tom Wise (Phantom Security Solutions Engineer & Trainer) - Threat Hunting, Or: How I Learned to Stop Worrying & Love ATT&CK -- Cian Heasley / Fraser Dumayne (Security Engineers) - Meet the Experts with SplunkTrust -- Harry McLaren (Senior Splunk Consultant) -- Tom Wise (Splunk Consultant, Phantom Security Solutions Engineer & Trainer)

Lessons Learned Fighting Modern Cyberthreats in Critical ICS Networks

Angeloluca Barba

A presentation given in April 2019 in London during ICS Cyber Security Conference. I discuss an anonymized investigation conducted by our team to identify a real malware infection on a production network, the tools and techniques used to contain this threat and how to use threat intelligence and visibility to stay ahead of cyber adversaries. Asset visibility and network baselining Continuous network monitoring Threat intelligence ingestion Thorough incident response plans

Advanced Machine Learning for Hardware Trojan Detection_v2.pdf

Chien Cheng Wu

ATT&CKing the Sentinel – deploying a threat hunting capability on Azure Senti...

CloudVillage

Speaker 1: Olaf Hartong Speaker 2: Edoardo Gerosa Azure Sentinel, Microsoft's new cloud SIEM solution, was recently released on the market. Notwithstanding its strengths Sentinel offers limited threat hunting capabilities out of the box and setting up an effective hunting solution is not straightforward. The Sentinel ATT&CK GitHub project is designed to provide guidance on setting up an ATT&CK-driven process monitoring solution within Sentinel; giving DFIR professionals a tool to effectively hunt in the Azure cloud. The project, building on previous work from the open source DFIR community, provides instructions on how to properly configure Sysmon to monitor and detect specific processes in alignment with MITRE's ATT&CK framework. Secondly it provides clarity on how to onboard Sysmon logs from Windows virtual machines, shedding light on some poorly documented areas, while also offering an open source parser to correctly ingest Sysmon data in conformity with the Open Source Security Event Metadata information model. Thirdly it offers around 120 open source Kusto Query Language alerts ready for deployment; each mapped to a unique MITRE ATT&CK technique. Fourthly it provides a dedicated threat hunting dashboard to help DFIR professionals monitor their environment and execute precise hunts. Finally, Sentinel ATT&CK provides ready-made hunting queries to be leveraged when responding to alert notifications raised by the threat hunting dashboard. This talk delivers an overview of how the Sentinel ATT&CK project can help organisations establish an effective threat hunting capability in Azure as well as an opportunity to share with the community the strengths and shortcomings of Sentinel when it comes to hunting adversaries within the Microsoft cloud.

Leveraging MITRE ATT&CK - Speaking the Common Language

Erik Van Buggenhout

MITRE ATT&CK is quickly gaining traction and is becoming an important standard to use to assess the overall cyber security posture of an organization. Tools like ATT&CK Navigator facilitate corporate adoption and allow for a holistic overview on attack techniques and how the organization is preventing and detecting them. Furthermore, many vendors, technologies and open-source initiatives are aligning with ATT&CK. Join Erik Van Buggenhout in this presentation, where he will discuss how MITRE ATT&CK can be leveraged in the organization as part of your overall cyber security program, with a focus on adversary emulation. Erik Van Buggenhout is the lead author of SANS SEC599 - Defeating Advanced Adversaries - Purple Team Tactics & Kill Chain Defenses. Next to his activities at SANS, Erik is also a co-founder of NVISO, a European cyber security firm with offices in Brussels, Frankfurt and Munich.

Hack one iot device, break them all!

Justin Black

This presentation aims to share working knowledge on how attackers are taking an advantage of connected (IOT) devices for scaling attacks. From hardware to repeatable software exploitation that scale. X-ray on the current security resilience of some of today's connected devices. Typically challenges developers are facing today and a proof of concept attack on a "secure" connected camera with critical consequences. Finally we give valuable takeaways for improving the security of your solutions and avoid these horrible mistakes.

Ncc hackers session 4

Jemma Davis

CompTIA Cyber Career Pathway: Developing skills for 2020 and beyond

Zeshan Sattar

Python-Assisted Red-Teaming Operation

Satria Ady Pradana

Careers in Cyber Security

Deep Shankar Yadav

CTFs, Bugbounty and your security career

Ibrahim El-Sayed

How to Build a Career in Cyber Security?

Intellipaat

Youtube link : https://www.youtube.com/watch?v=CPiLJflLuTE Intellipaat cyber security training : https://intellipaat.com/cyber-security-expert-master-program-training-course/ Interested to learn cyber security training and ethical hacking still more? Please check similar cyber security blogs here:- https://intellipaat.com/blog/wannacry-a-grim-reminder-of-what-can-go-wrong-in-a-digitized-world/

Similar to Driving Intelligence with MITRE ATT&CK: Leveraging Limited Resources to Build an Evolving Threat Repository (20)

AI Cybersecurity: Pros & Cons. AI is reshaping cybersecurity

Why defensive research is sexy too.. … and a real sign of skill

Upgrade Your SOC with Cortex XSOAR & Elastic SIEM

Ashrith Barthur, Security Scientist, H2o.ai, at MLconf 2017

AI for Manufacturing (Machine Vision, Edge AI, Federated Learning)

I can haz cake: Benefits of working with MITRE on ATT&CK

Security Operations, MITRE ATT&CK, SOC Roles / Competencies

Embeded system Basics.pptx

Virtual Splunk User Group - Phantom Workbook Automation & Threat Hunting with...

Lessons Learned Fighting Modern Cyberthreats in Critical ICS Networks

Advanced Machine Learning for Hardware Trojan Detection_v2.pdf

ATT&CKing the Sentinel – deploying a threat hunting capability on Azure Senti...

Leveraging MITRE ATT&CK - Speaking the Common Language

Hack one iot device, break them all!

Ncc hackers session 4

CompTIA Cyber Career Pathway: Developing skills for 2020 and beyond

Python-Assisted Red-Teaming Operation

Careers in Cyber Security

CTFs, Bugbounty and your security career

How to Build a Career in Cyber Security?

More from MITRE ATT&CK

Dealing With ATT&CK's Different Levels Of Detail

MITRE ATT&CK

From ATT&CKcon 4.0 By Tareq AlKhatib, Lacework, Inc "ATT&CK serves as the central language for CTI practitioners, Detection Engineers, Red Teamers, and more. Despite the benefit of having a central language, ATT&CK offers different levels of detail that might be useful for one team but not others. This paper points out some of these differences in the level of details available in ATT&CK, especially from the point of view of Detection Engineers, and focused on detection coverage. In summary, while ATT&CK does not define the Procedure level of the TTP trinity, it is still useful to define the “Degrees of Freedom” an attacker has within a technique. Some techniques only have a limited number of possible Procedures, some techniques might have more, and others might be so open ended that they offer an unlimited number of possible procedures per technique. We examine this concept on both the Technique and Tactic levels and make the argument that techniques that have a high number of possible Procedures cannot be covered by Detection Engineers. At the conference, we intend to release an ATT&CK Navigator layer to help Detection Engineers quickly filter out which Tactics and Techniques they need to focus on and which ones they simply cannot cover."

Automating testing by implementing ATT&CK using the Blackboard Architecture

MITRE ATT&CK

From ATT&CKcon 4.0 By Jeremy Straub, NDSU Cybersecurity Institute This presentation will briefly summarize work that we've done regarding implementing the ATT&CK framework as a rule-fact-action network within a Blackboard Architecture, allowing the ATT&CK framework to enable security testing automation. The presentation will start with a quick summary of the concept behind this and then present a few implementation examples.

ATT&CK’s Adoption in CTI: A Great Success (with Room to Grow!)

MITRE ATT&CK

From ATT&CKcon 4.0 By Scott Small, Tidal Cyber This metrics- and meme-based lightning session spotlights the success story that is the CTI industry’s impressive (and expanding) adoption of ATT&CK in their products. Using nearly 6 years’ worth of ATT&CK-mapped, public threat reports collected from government, vendor, & independent sources, we’ll show how the rate (and detail) of mapping has increased considerably, while showcasing (anonymized) examples of high-quality end-products, with the aim of inspiring further ATT&CK adoption in this important corner of the field.

MITRE ATT&CK Updates: State of the Cloud

MITRE ATT&CK

Using ATT&CK to created wicked actors in real data

MITRE ATT&CK

From ATT&CKcon 4.0 By Simeon Kakpovi and Greg Schloemer, KC7 Foundation "KC7 uses an experiential learning pedagogy to teach cybersecurity analysis to students of all levels, from elementary school all the way to industry professionals. In the KC7 experience, students analyze realistic cybersecurity data and answer a series of CTF-style questions that guide them through an investigative journey. In order to generate authentic intrusion data, we create a fictional company that is attacked by cyber threat actors. The attributes and behaviors of these actors are defined via yaml configurations that are modeled based on MITRE ATT&CK categories and techniques. For example, we can granularly define what techniques an attacker uses for initial access or lateral movement, and how the actor explicitly uses those techniques. Students that effectively analyze KC7 intrusion data can map the observed activity to the various stages of the MITRE ATTA&CK framework. Organizing actor definitions around the ATTA&CK framework allows KC7 to create a rich set of intrusion data in various permutations - and ensure that students are exposed to a diverse array of scenarios. A pleasant byproduct of this methodology is that students of MITRE ATT&CK can now study techniques contextually in data rather than just reading about them in reports."

MITRE ATT&CK Updates: New Ideas in Enterprise - Pushing the boundaries of ATT...

MITRE ATT&CK

Navigating the Attention Economy – Using MITRE ATT&CK to Communicate to Stake...

MITRE ATT&CK

From ATT&CKcon 4.0 By Alexandrea Berninger, Accenture We live in a world where attention is scarce. And yet we need to communicate complex information effectively to a variety of audiences. This talk will discuss how to cut through the noise of information overload by using MITRE ATT&CK to reach your audience. It will use lessons I have learned from videography, combined with Cyber Threat Intelligence (CTI) to weave a story around how to think about communicating to your audience when gaining their focus is becoming increasingly difficult. Using current research into focus and attention spans, combined with trends in how people like to obtain information, this talk will recommend paths to building compelling stories with MITRE ATT&CK so that stakeholders can immediately gain value from threat intelligence reports without having to read a full long-form report.

The case for quishing

MITRE ATT&CK

Discussion on Finding Relationships in Cyber Data

MITRE ATT&CK

From ATT&CKcon 4.0 By Stephen Johnson and Emma MacMullan, Capital One Capital One is currently building a Security Graph to tie together various Cyber Teams and their data -- Controls, Objectives, Tools, and Countermeasures, Threats. It is an ambitious project that will help us identify gaps and focus our controls on the most likely and persistent threats. It is a work in progress that is using MITRE ATT&CK and D3FEND as a "lingua franca" to tie together the elements of the graph, so we have a common understanding across the enterprise.

The art of communicating ATT&CK to the CFO

MITRE ATT&CK

From ATT&CKcon 4.0 By Phil Davies, Distilled Security "You have had a pen test, a red team or a threat intelligence report and drawn up a plan for remediation. You have been told you have 15 mins in front of the CFO in 48 hours! How do you show ,on one page, the connection between the techniques you are exposed and vulnerable to, the path of least resistance and the focused control changes required right now? How will the CFO get the picture so the result is ""I get it, what do you need?"" Understanding ATT&CK as a practitioner is great with the current matrix but it is inaccessible to the CFO. But it doesn't have to be that way. Phil will chart the journey to improved visualisation of ATT&CK techniques. He will show how the DNA of ATT&CK doesn’t just make ATT&CK accessible for all but that it can be beautiful!"

MITRE ATT&CK Updates: Software

MITRE ATT&CK

Or Lenses and Layers: Adding Business Context to Enterprise Mappings

MITRE ATT&CK

From ATT&CKcon 4.0 By Andrew Malone Many use the ATT&CK matrix to map tool coverage across the environment. This blanket coverage is a good baseline but it can miss certain aspects of the enterprise's context like risk levels, organisational priorities, and industry specific threat intelligence. I want to discuss ways to layer these lenses on top of an enterprise mapping to make ATT&CK more relevant to the specific enterprise. If done right this can lead to more actionable metrics and reporting on improvements.

Adjectives for ATT&CK

MITRE ATT&CK

From ATT&CKcon 4.0 By Benjamin Langrill, Security Optimizer If you tell me an attacker performed OS Credential Dumping, did they dump credentials with meterpreter, recompile mimikatz, or use a custom tool? The technique reference lacks a way to categorize how they performed the action and each type requires its own mitigation. In this talk, Ben Langirll will propose formal adjectives for ATT&CK techniques that map to adversary capabilities and how we can use them to optimize defensive choices.

More from MITRE ATT&CK (13)

Dealing With ATT&CK's Different Levels Of Detail

Automating testing by implementing ATT&CK using the Blackboard Architecture

ATT&CK’s Adoption in CTI: A Great Success (with Room to Grow!)

MITRE ATT&CK Updates: State of the Cloud

Using ATT&CK to created wicked actors in real data

MITRE ATT&CK Updates: New Ideas in Enterprise - Pushing the boundaries of ATT...

Navigating the Attention Economy – Using MITRE ATT&CK to Communicate to Stake...

The case for quishing

Discussion on Finding Relationships in Cyber Data

The art of communicating ATT&CK to the CFO

MITRE ATT&CK Updates: Software

Or Lenses and Layers: Adding Business Context to Enterprise Mappings

Adjectives for ATT&CK

Recently uploaded

Search and Society: Reimagining Information Access for Radical Futures

Bhaskar Mitra

The field of Information retrieval (IR) is currently undergoing a transformative shift, at least partly due to the emerging applications of generative AI to information access. In this talk, we will deliberate on the sociotechnical implications of generative AI for information access. We will argue that there is both a critical necessity and an exciting opportunity for the IR community to re-center our research agendas on societal needs while dismantling the artificial separation between the work on fairness, accountability, transparency, and ethics in IR and the rest of IR research. Instead of adopting a reactionary strategy of trying to mitigate potential social harms from emerging technologies, the community should aim to proactively set the research agenda for the kinds of systems we should build inspired by diverse explicitly stated sociotechnical imaginaries. The sociotechnical imaginaries that underpin the design and development of information access technologies needs to be explicitly articulated, and we need to develop theories of change in context of these diverse perspectives. Our guiding future imaginaries must be informed by other academic fields, such as democratic theory and critical theory, and should be co-developed with social science scholars, legal scholars, civil rights and social justice activists, and artists, among others.

FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf

FIDO Alliance

FIDO Alliance Osaka Seminar: Overview.pdf

FIDO Alliance

GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...

Sri Ambati

ODC, Data Fabric and Architecture User Group

CatarinaPereira64715

DevOps and Testing slides at DASA Connect

Kari Kakkonen

Bits & Pixels using AI for Good.........

Alison B. Lowndes

AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...

Product School

FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf

FIDO Alliance

Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality

Inflectra

In this insightful webinar, Inflectra explores how artificial intelligence (AI) is transforming software development and testing. Discover how AI-powered tools are revolutionizing every stage of the software development lifecycle (SDLC), from design and prototyping to testing, deployment, and monitoring. Learn about: • The Future of Testing: How AI is shifting testing towards verification, analysis, and higher-level skills, while reducing repetitive tasks. • Test Automation: How AI-powered test case generation, optimization, and self-healing tests are making testing more efficient and effective. • Visual Testing: Explore the emerging capabilities of AI in visual testing and how it's set to revolutionize UI verification. • Inflectra's AI Solutions: See demonstrations of Inflectra's cutting-edge AI tools like the ChatGPT plugin and Azure Open AI platform, designed to streamline your testing process. Whether you're a developer, tester, or QA professional, this webinar will give you valuable insights into how AI is shaping the future of software delivery.

Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...

Ramesh Iyer

In today's fast-changing business world, Companies that adapt and embrace new ideas often need help to keep up with the competition. However, fostering a culture of innovation takes much work. It takes vision, leadership and willingness to take risks in the right proportion. Sachin Dev Duggal, co-founder of Builder.ai, has perfected the art of this balance, creating a company culture where creativity and growth are nurtured at each stage.

IOS-PENTESTING-BEGINNERS-PRACTICAL-GUIDE-.pptx

Abida Shariff

Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...

UiPathCommunity

💥 Speed, accuracy, and scaling – discover the superpowers of GenAI in action with UiPath Document Understanding and Communications Mining™: See how to accelerate model training and optimize model performance with active learning Learn about the latest enhancements to out-of-the-box document processing – with little to no training required Get an exclusive demo of the new family of UiPath LLMs – GenAI models specialized for processing different types of documents and messages This is a hands-on session specifically designed for automation developers and AI enthusiasts seeking to enhance their knowledge in leveraging the latest intelligent document processing capabilities offered by UiPath. Speakers: 👨‍🏫 Andras Palfi, Senior Product Manager, UiPath 👩‍🏫 Lenka Dulovicova, Product Program Manager, UiPath

From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...

Product School

LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...

DanBrown980551

Do you want to learn how to model and simulate an electrical network from scratch in under an hour? Then welcome to this PowSyBl workshop, hosted by Rte, the French Transmission System Operator (TSO)! During the webinar, you will discover the PowSyBl ecosystem as well as handle and study an electrical network through an interactive Python notebook. PowSyBl is an open source project hosted by LF Energy, which offers a comprehensive set of features for electrical grid modelling and simulation. Among other advanced features, PowSyBl provides: - A fully editable and extendable library for grid component modelling; - Visualization tools to display your network; - Grid simulation tools, such as power flows, security analyses (with or without remedial actions) and sensitivity analyses; The framework is mostly written in Java, with a Python binding so that Python developers can access PowSyBl functionalities as well. What you will learn during the webinar: - For beginners: discover PowSyBl's functionalities through a quick general presentation and the notebook, without needing any expert coding skills; - For advanced developers: master the skills to efficiently apply PowSyBl functionalities to your real-world scenarios.

FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf

FIDO Alliance

The Art of the Pitch: WordPress Relationships and Sales

Laura Byrne

Clients don’t know what they don’t know. What web solutions are right for them? How does WordPress come into the picture? How do you make sure you understand scope and timeline? What do you do if sometime changes? All these questions and more will be explored as we talk about matching clients’ needs with what your agency offers without pulling teeth or pulling your hair out. Practical tips, and strategies for successful relationship building that leads to closing the deal.

State of ICS and IoT Cyber Threat Landscape Report 2024 preview

Prayukth K V

The IoT and OT threat landscape report has been prepared by the Threat Research Team at Sectrio using data from Sectrio, cyber threat intelligence farming facilities spread across over 85 cities around the world. In addition, Sectrio also runs AI-based advanced threat and payload engagement facilities that serve as sinks to attract and engage sophisticated threat actors, and newer malware including new variants and latent threats that are at an earlier stage of development. The latest edition of the OT/ICS and IoT security Threat Landscape Report 2024 also covers: State of global ICS asset and network exposure Sectoral targets and attacks as well as the cost of ransom Global APT activity, AI usage, actor and tactic profiles, and implications Rise in volumes of AI-powered cyberattacks Major cyber events in 2024 Malware and malicious payload trends Cyberattack types and targets Vulnerability exploit attempts on CVEs Attacks on counties – USA Expansion of bot farms – how, where, and why In-depth analysis of the cyber threat landscape across North America, South America, Europe, APAC, and the Middle East Why are attacks on smart factories rising? Cyber risk predictions Axis of attacks – Europe Systemic attacks in the Middle East Download the full report from here: https://sectrio.com/resources/ot-threat-landscape-reports/sectrio-releases-ot-ics-and-iot-security-threat-landscape-report-2024/

The Future of Platform Engineering

Jemma Hussein Allen

Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf

91mobiles

Recently uploaded (20)

Search and Society: Reimagining Information Access for Radical Futures

FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf

FIDO Alliance Osaka Seminar: Overview.pdf

GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...

ODC, Data Fabric and Architecture User Group

DevOps and Testing slides at DASA Connect

Bits & Pixels using AI for Good.........

AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...

FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf

Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality

Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...

IOS-PENTESTING-BEGINNERS-PRACTICAL-GUIDE-.pptx

Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...

From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...

LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...

FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf

The Art of the Pitch: WordPress Relationships and Sales

State of ICS and IoT Cyber Threat Landscape Report 2024 preview

The Future of Platform Engineering

Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf

Driving Intelligence with MITRE ATT&CK: Leveraging Limited Resources to Build an Evolving Threat Repository

1. Scott J Roberts Head of Threat Research 2023-10-25 Leveraging Limited Resources to Build an Evolving Threat Repository Driving Intelligence with MITRE ATT&CK

2. Scott J Roberts Head of Threat Research at Interpres

3. What Interpres Does Defense Readiness 01 Defense Surface Optimization 02 Prioritize Vulnerabilities 03 Stack & Product Rationalization 04

4. The Goal

5. MITRE ATT&CK for Internal Customers Interpres is Intel driven from the core. Built originally on public threat intelligence data straight from mitre/cti. Needed custom threat data to keep up.

6. Metrics for Threat Research at Interpres Depth Breadth Speed Accuracy

7. Goals • Code First: git push or bust • Depth: Collection Requirements • Breadth: Collection Requirements • Speed: Automation • Accuracy: Automation & Manual Review • Compatibility: Output to STIX2

8. The Problem (Well… 3!!!)

9. STIX2 != ATT&CK && ATT&CK != STIX2

10. We want MITRE Intelligence & Interpres Intelligence… with as little duplication as possible!

11. Tooling is Limited

12. The Solution

13. STIX2 != ATT&CK && ATT&CK != STIX2 ATT&CK Tactics Techniques Groups Software Campaigns STIX2 Attack- Pattern Attack- Pattern Intrusion-Set Malware (Usually…) Campaigns ATT&CK to STIX2

14. STIX2 != ATT&CK && ATT&CK != STIX2

15. We want MITRE Intelligence & Interpres Intelligence… with as little duplication as possible!

16. We want MITRE Intelligence & Interpres Intelligence… with as little duplication as possible! • Wherever possible we use MITRE ATT&CK Content - Exclusively using MITRE ATT&CK Techniques - Leverage MITRE ATT&CK Groups, Malware, Campaigns, & Relationships • Build custom Groups, Malware, Campaigns & Relationships - Based on internal research, RFIs, etc - More on that a bit later • Relationships are intelligently divided between MITRE/CTI & Intrepres/CTI • DANGER (But Available): All lookups prioritize Interpres/CTI

17. An Aside for a Good Name™

18. Tooling is Limited • All content is code (STIX2) and created with code - Automated: Custom Automapper (Let computer do what computers are good at) - By Hand Creation & Curation: Jupyter Notebooks + STIX2 Library • Actively working on STIX2 Helper Library - Merging, Bulk Actions, etc - Testing Mapping Scenarios • Git is workflow management • Yes, we looked at Decider, TRAM, & ATT&CK Workbench

19. Advantages of Intelligence As Code: CI Error

20. Advantages of Intelligence As Code: CI Error

21. Advantages of Intelligence As Code: Solutions as Code

22. Advantages of Intelligence As Code: CI

23. Advantages of Intelligence As Code: CI

24. The Future There are limitations of STIX2 Library & Jupyter Notebooks Synapse is code for Intelligence & Easier to Extend Continue leveraging STIX2 for Compatibility & Tooling

25. Salvador Dali “Have no fear of perfection – you’ll never reach it.”

26. Thank you!

27. InterpresSecurity.com

Driving Intelligence with MITRE ATT&CK: Leveraging Limited Resources to Build an Evolving Threat Repository

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Similar to Driving Intelligence with MITRE ATT&CK: Leveraging Limited Resources to Build an Evolving Threat Repository

Similar to Driving Intelligence with MITRE ATT&CK: Leveraging Limited Resources to Build an Evolving Threat Repository (20)

More from MITRE ATT&CK

More from MITRE ATT&CK (13)

Recently uploaded

Recently uploaded (20)

Driving Intelligence with MITRE ATT&CK: Leveraging Limited Resources to Build an Evolving Threat Repository