KN
Uploaded byKatie Nickels
PDF, PPTX9,648 views

FIRST CTI Symposium: Turning intelligence into action with MITRE ATT&CK™

MITRE ATT&CK is a knowledge base of adversary behavior derived from real-world observations, designed to facilitate a common language and community-driven defense strategies. The document discusses various tactics and techniques used by adversaries throughout the attack lifecycle, as well as the importance of understanding biases in threat intelligence reporting. It emphasizes comparing behaviors, improving communication, and enhancing defenses using ATT&CK-mapped threat intelligence.

Embed presentation

Download as PDF, PPTX
©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 18-1528-42. Turning Intelligence into Action with MITRE ATT&CK™ Katie Nickels @likethecoins Adam Pennington @_whatshisface MITRE ATT&CK @MITREattack | 1 |
What is ? A knowledge base of adversary behavior ➢ Based on real-world observations ➢ Free, open, and globally accessible ➢ A common language ➢ Community-driven ©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 18-1528-42.
The Difficult Task of Detecting TTPs Source: David Bianco, https://detect-respond.blogspot.com/2013/03/the-pyramid-of-pain.html David Bianco’s Pyramid of Pain ? + ©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 18-1528-42.
Zooming in on the Adversary Lifecycle Recon Weaponize Deliver Exploit Control Execute Maintain Enterprise ATT&CKPRE-ATT&CK Mobile ATT&CK ©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 18-1528-42.
Hardware Additions Scheduled Task Binary Padding Credentials in Registry Browser Bookmark Discovery Exploitation of Remote Services Data from Information Repositories Exfiltration Over Physical Medium Remote Access Tools Trusted Relationship LSASS Driver Extra Window Memory Injection Exploitation for Credential Access Port Knocking Supply Chain Compromise Local Job Scheduling Access Token Manipulation Network Share Discovery Distributed Component Object Model Video Capture Exfiltration Over Command and Control Channel Multi-hop Proxy Trap Bypass User Account Control Forced Authentication Audio Capture Domain Fronting Spearphishing Attachment Launchctl Process Injection Hooking Peripheral Device Discovery Remote File Copy Automated Collection Data Encoding Signed Binary Proxy Execution Image File Execution Options Injection Password Filter DLL Pass the Ticket Clipboard Data Data Encrypted Remote File Copy Exploit Public-Facing Application Plist Modification LLMNR/NBT-NS Poisoning File and Directory Discovery Replication Through Removable Media Email Collection Automated Exfiltration Multi-Stage Channels User Execution Valid Accounts Screen Capture Exfiltration Over Other Network Medium Web Service Replication Through Removable Media Exploitation for Client Execution DLL Search Order Hijacking Private Keys Permission Groups Discovery Windows Admin Shares Data Staged Standard Non-Application Layer Protocol AppCert DLLs Signed Script Proxy Execution Keychain Pass the Hash Input Capture Exfiltration Over Alternative Protocol Spearphishing via Service CMSTP Hooking Input Prompt Process Discovery Third-party Software Data from Network Shared DriveDynamic Data Exchange Startup Items DCShadow Bash History System Network Connections Discovery Shared Webroot Data Transfer Size Limits Connection Proxy Spearphishing Link Mshta Launch Daemon Port Knocking Two-Factor Authentication Interception Logon Scripts Data from Local System Multilayer Encryption Drive-by Compromise AppleScript Dylib Hijacking Indirect Command Execution System Owner/User Discovery Windows Remote Management Man in the Browser Data Compressed Standard Application Layer ProtocolValid Accounts Source Application Shimming Data from Removable Media Scheduled Transfer Space after Filename AppInit DLLs BITS Jobs Replication Through Removable Media System Network Configuration Discovery Application Deployment Software Commonly Used Port Execution through Module Load Web Shell Control Panel Items Standard Cryptographic Protocol Service Registry Permissions Weakness CMSTP Input Capture Application Window Discovery SSH Hijacking AppleScript Custom Cryptographic Protocol Regsvcs/Regasm New Service Process Doppelgänging Network Sniffing InstallUtil File System Permissions Weakness Mshta Credential Dumping Password Policy Discovery Taint Shared Content Regsvr32 Path Interception Hidden Files and Directories Kerberoasting Remote Desktop Protocol Data Obfuscation Execution through API Accessibility Features Securityd Memory System Time Discovery Custom Command and Control ProtocolPowerShell Port Monitors Space after Filename Brute Force Account Discovery Remote Services Rundll32 Kernel Modules and Extensions Sudo Caching LC_MAIN Hijacking Account Manipulation System Information Discovery Communication Through Removable Media Third-party Software SID-History Injection HISTCONTROL Credentials in Files Scripting Port Knocking Sudo Hidden Users Security Software DiscoveryGraphical User Interface SIP and Trust Provider Hijacking Setuid and Setgid Clear Command History Multiband Communication Command-Line Interface Exploitation for Privilege Escalation Gatekeeper Bypass Network Service ScanningScreensaver Hidden Window Fallback Channels Service Execution Browser Extensions Deobfuscate/Decode Files or Information Remote System Discovery Uncommonly Used Port Windows Remote Re-opened Applications Breaking Down ATT&CK | 2 | Initial Access Execution Persistence Privilege Escalation Defense Evasion Credential Access Discovery Lateral Movement Collection Exfiltration Command & Control Tactics: the adversary’s technical goals Techniques:howthegoalsare achieved Procedures: Specific technique implementation ©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 18-1528-42.
Groups and Software: Providing Technique Examples ©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 18-1528-42. | 3 | attack.mitre.org
Example Group: APT28 ©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 18-1528-42. | 4 |
ATT&CK Threat Intelligence Use Cases ▪ Structuring threat intelligence with ATT&CK allows us to do cool things… – Compare behaviors – Communicate in a common language ©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 18-1528-42. | 5 |
Initial Access E ec tion Persistence Privilege Escalation Defense Evasion Credential Access Discovery ateral Movement Collection E filtration Command And Control Compare Groups to Each Other | 6 | *from open source reporting we’ve mapped APT28* ©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 18-1528-42.
Initial Access E ec tion Persistence Privilege Escalation Defense Evasion Credential Access Discovery ateral Movement Collection E filtration Command And Control Compare Groups to Each Other | 7 | APT29 ©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 18-1528-42.
Initial Access E ec tion Persistence Privilege Escalation Defense Evasion Credential Access Discovery ateral Movement Collection E filtration Command And Control Compare Groups to Each Other | 8 | APT28 APT29 Both groups Prioritize! ©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 18-1528-42.
Initial Access E ec tion Persistence Privilege Escalation Defense Evasion Credential Access Discovery ateral Movement Collection E filtration Command And Control Compare Groups to Defenses | 9 | Overlay known defensive gaps APT28 APT29 Both groups ©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 18-1528-42.
Initial Access E ec tion Persistence Privilege Escalation Defense Evasion Credential Access Discovery ateral Movement Collection E filtration Command And Control Compare Groups Over Time Initial Access E ec tion Persistence Privilege Escalation Defense Evasion Credential Access Discovery ateral Movement Collection E filtration Command And Control | 10 | Notional group in 2018 Same gro p in 2019…why did we not see these techniques? ©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 18-1528-42.
Communicate to Defenders | 11 | CTI Analyst Defender Registry Run Keys / Startup Folder (T1060) THIS is what the adversary is doing! The Run key is AdobeUpdater. Oh, we have Registry data, we can detect that! ©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 18-1528-42.
Communicate Across the Community ©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 18-1528-42. | 12 | CTI Consumer Registry Run Keys / Startup Folder (T1060) Oh, you mean T1060! APT1337 is using autorun FUZZYDUCK used a Run key Company A Company B
Mapping ATT&CK Techniques from a Threat Report https://www.fireeye.com/blog/threat-research/2014/11/operation_doubletap.html Exploitation for Privilege Escalation (T1068) Command-Line Interface (T1059) System Owner/User Discovery (T1033) Scheduled Task (T1053) Standard Non-Application Layer Protocol (T1095) Uncommonly Used Port (T1065) Uncommonly Used Port (T1065) Multi-Stage Channels (T1104) | 13 | ©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 18-1528-42.
Technique Mapping Work Available from ATT&CK ©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 18-1528-42. | 14 | 5 years of reviewing and mapping Technique examples for Software and Groups ~400 report sources Only freely-available public reporting
Biases in ATT&CK’s Mapped Data ▪ Important to understand and state our biases in CTI ▪ Two kinds of bias in technique examples in ATT&CK – Bias introduced by us – Bias inherent in the sources we use ▪ Understanding these is the first step in properly leveraging this data ©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 18-1528-42. | 15 |
Security Vendors 92% Press Reports 5% Publicly- available Government Reports 3% Our Biases: Sources We Select | 16 | From reports used for technique examples in ATT&CK Groups ©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 18-1528-42.
Our Biases: Availability Bias ©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 18-1528-42. | 17 | All Possible Techniques Techniques We Remember
Our Biases: Novelty Bias ©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 18-1528-42. | 18 | Yet another FUZZYDUCK using Powershell report APT1337 Using Transmitted Data Manipulation
Source Biases: Availability Bias ©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 18-1528-42. | 19 | All Possible Behaviors Familiar Behaviors
Source Biases: Novelty Bias ©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 18-1528-42. | 20 | Another APT1337 Report APT1338 Report!!!
Source Biases: Victim Bias ©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 18-1528-42. | 21 | Victim 4 Victim 5Victim 3 Victim 2 Victim 1
Source Biases: Visibility bias | 22 | Visible Disk Forensics Network Flows Process Execution Powershell Registry Monitoring Decoded C2 Not Seen ©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 18-1528-42.
Source Biases: Production Bias ©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 18-1528-42. | 23 | Operation Snakepit APT1337 Report Operation Brown Fox APT1338 Report Ducks in the Wild FUZZYDUCK Report Source 1 Source 2
How Do We Deal With These Biases? ▪ Know that they exist – Once you know them, you can better determine what is real data vs. your biases ▪ Be honest and explain them ©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 18-1528-42. | 24| Tenor.com
Hedging Our Biases ▪ Work together – Diversity of thought makes for stronger teams ▪ Adjust and calibrate your data sources ▪ Add different data sources ▪ Remember we’re prioritizing the known over the unknown – As opposed to absolute comparison ©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 18-1528-42. | 25 |
Now that yo know those biases, here’s your imperfect data! | 26 | ©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 18-1528-42.
1. Standard App Layer Protocol 2. Remote File Copy 3. System Information Discovery 4. Command-Line Interface 5. File and Directory Discovery 6. Registry Run Key/Startup Folder 7. Obfuscated Files or Information 8. File Deletion 9. Process Discovery 10.System Network Config Discovery 11.Credential Dumping 12.Screen Capture 13.Input Capture 14.System Owner/User Discovery 15.Scripting 16.Commonly Used Port 17.Standard Crypto Protocol 18.PowerShell 19.& 20 (tie!) Masquerading and New Service Top 20 Techniques from ATT&CK Group/Software Data Know and explain our bias: availability bias from analysts Hedge our bias: how could we calibrate by source? | 27 | ©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 18-1528-42.
ATT&CK Group/Software Data Across Tactics ©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 18-1528-42. | 28 | 39 47 42 35 58 31 35 33 28 20 38 19 145 145 98 193 82 173 120 96 55 194 Groups Software Know and explain our bias: why is Initial Access low? Hedge our bias: work with others
Process for Making Recommendations from Techniques | 29 | 5. Make recommendations 4. Determine what tradeoffs are for org on specific options 3. Research organizational capability/constraints 2. Research defensive options related to technique 1. Research how techniques are being used 0. Determine priority techniques ©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 18-1528-42.
Takeaways ▪ Use ATT&CK for cyber threat intelligence to help yo … – Compare behaviors – Communicate in a common language ▪ Know the biases involved with mapping CTI reporting to ATT&CK ▪ Hedge those biases and use ATT&CK-mapped CTI to improve defenses ©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 18-1528-42. | 30 |
| 31 | https://attack.mitre.org attack@mitre.org @MITREattack Adam Pennington @_whatshisface Katie Nickels @likethecoins ©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 18-1528-42.

More Related Content

PDF
ATT&CKing Your Adversaries - Operationalizing cyber intelligence in your own ...
byJamieWilliams130
 
PPTX
ATT&CKing with Threat Intelligence
byChristopher Korban
 
PDF
Threat-Based Adversary Emulation with MITRE ATT&CK
byKatie Nickels
 
PPTX
Purple Teaming with ATT&CK - x33fcon 2018
byChristopher Korban
 
PDF
MITRE ATT&CKcon 2.0: Prioritizing ATT&CK Informed Defenses the CIS Way; Phili...
byMITRE - ATT&CKcon
 
PDF
BSidesLV 2018 - Katie Nickels and John Wunder - ATT&CKing the Status Quo
byKatie Nickels
 
PPTX
Leveraging MITRE ATT&CK - Speaking the Common Language
byErik Van Buggenhout
 
PDF
MITRE ATT&CKcon 2018: Hunters ATT&CKing with the Data, Roberto Rodriguez, Spe...
byMITRE - ATT&CKcon
 
ATT&CKing Your Adversaries - Operationalizing cyber intelligence in your own ...
byJamieWilliams130
 
ATT&CKing with Threat Intelligence
byChristopher Korban
 
Threat-Based Adversary Emulation with MITRE ATT&CK
byKatie Nickels
 
Purple Teaming with ATT&CK - x33fcon 2018
byChristopher Korban
 
MITRE ATT&CKcon 2.0: Prioritizing ATT&CK Informed Defenses the CIS Way; Phili...
byMITRE - ATT&CKcon
 
BSidesLV 2018 - Katie Nickels and John Wunder - ATT&CKing the Status Quo
byKatie Nickels
 
Leveraging MITRE ATT&CK - Speaking the Common Language
byErik Van Buggenhout
 
MITRE ATT&CKcon 2018: Hunters ATT&CKing with the Data, Roberto Rodriguez, Spe...
byMITRE - ATT&CKcon
 

What's hot

PPTX
Putting MITRE ATT&CK into Action with What You Have, Where You Are
byKatie Nickels
 
PDF
How MITRE ATT&CK helps security operations
bySergey Soldatov
 
PDF
What is ATT&CK coverage, anyway? Breadth and depth analysis with Atomic Red Team
byMITRE ATT&CK
 
PDF
Mapping ATT&CK Techniques to ENGAGE Activities
byMITRE ATT&CK
 
PDF
State of the ATT&CK
byMITRE ATT&CK
 
PDF
ATT&CK Updates- Defensive ATT&CK
byMITRE ATT&CK
 
PDF
Intelligence Failures of Lincolns Top Spies: What CTI Analysts Can Learn Fro...
byMITRE ATT&CK
 
PDF
Automation: The Wonderful Wizard of CTI (or is it?)
byMITRE ATT&CK
 
PDF
ATT&CKing the Red/Blue Divide
byMITRE ATT&CK
 
PDF
MITRE ATT&CKcon 2.0: Using Threat Intelligence to Focus ATT&CK Activities; Da...
byMITRE - ATT&CKcon
 
PPTX
MITRE ATT&CK framework
byBhushan Gurav
 
PPTX
Cyber Threat Hunting Workshop
byDigit Oktavianto
 
PDF
It's just a jump to the left (of boom): Prioritizing detection implementation...
byMITRE ATT&CK
 
PDF
Threat Modelling - It's not just for developers
byMITRE ATT&CK
 
PDF
Would you Rather Have Telemetry into 2 Attacks or 20? An Insight Into Highly ...
byMITRE ATT&CK
 
PPTX
Security Operations, MITRE ATT&CK, SOC Roles / Competencies
byHarry McLaren
 
PDF
ATT&CK Updates- ATT&CK's Open Source
byMITRE ATT&CK
 
PPTX
WTF is Penetration Testing v.2
byScott Sutherland
 
PPTX
Adversary Emulation using CALDERA
byErik Van Buggenhout
 
PDF
Mapping to MITRE ATT&CK: Enhancing Operations Through the Tracking of Interac...
byMITRE ATT&CK
 
Putting MITRE ATT&CK into Action with What You Have, Where You Are
byKatie Nickels
 
How MITRE ATT&CK helps security operations
bySergey Soldatov
 
What is ATT&CK coverage, anyway? Breadth and depth analysis with Atomic Red Team
byMITRE ATT&CK
 
Mapping ATT&CK Techniques to ENGAGE Activities
byMITRE ATT&CK
 
State of the ATT&CK
byMITRE ATT&CK
 
ATT&CK Updates- Defensive ATT&CK
byMITRE ATT&CK
 
Intelligence Failures of Lincolns Top Spies: What CTI Analysts Can Learn Fro...
byMITRE ATT&CK
 
Automation: The Wonderful Wizard of CTI (or is it?)
byMITRE ATT&CK
 
ATT&CKing the Red/Blue Divide
byMITRE ATT&CK
 
MITRE ATT&CKcon 2.0: Using Threat Intelligence to Focus ATT&CK Activities; Da...
byMITRE - ATT&CKcon
 
MITRE ATT&CK framework
byBhushan Gurav
 
Cyber Threat Hunting Workshop
byDigit Oktavianto
 
It's just a jump to the left (of boom): Prioritizing detection implementation...
byMITRE ATT&CK
 
Threat Modelling - It's not just for developers
byMITRE ATT&CK
 
Would you Rather Have Telemetry into 2 Attacks or 20? An Insight Into Highly ...
byMITRE ATT&CK
 
Security Operations, MITRE ATT&CK, SOC Roles / Competencies
byHarry McLaren
 
ATT&CK Updates- ATT&CK's Open Source
byMITRE ATT&CK
 
WTF is Penetration Testing v.2
byScott Sutherland
 
Adversary Emulation using CALDERA
byErik Van Buggenhout
 
Mapping to MITRE ATT&CK: Enhancing Operations Through the Tracking of Interac...
byMITRE ATT&CK
 

Similar to FIRST CTI Symposium: Turning intelligence into action with MITRE ATT&CK™

PDF
MITRE-Module 1 Slides.pdf
byReZa AdineH
 
PDF
Slideshare.net rh-isac summit 2019 - adam pennington - leveraging mitre at ta...
byRobert Brandel
 
PDF
RH-ISAC Summit 2019 - Adam Pennington - Leveraging MITRE ATT&CK™ for Detectio...
byAdam Pennington
 
PPTX
RH-ISAC Summit 2019 - Adam Pennington - Leveraging MITRE ATT&CK™ for Detectio...
byAdam Pennington
 
PDF
Anomali Detect 19 - Nickels & Pennington - Turning Intelligence into Action w...
byAdam Pennington
 
PDF
MITRE_ATTACK_Enterprise_11x17.pdf
byAisyiFree
 
PDF
Introduction to MITRE ATT&CK
byArpan Raval
 
PDF
MITRE ATT&CK Framework
byn|u - The Open Security Community
 
PDF
Update from the MITRE ATT&CK Team
byAdam Pennington
 
PDF
MITRE-Module 4 Slides.pdf
byReZa AdineH
 
PDF
State of the ATT&CK - ATT&CKcon Power Hour
byAdam Pennington
 
PDF
State of the ATTACK
byMITRE - ATT&CKcon
 
PDF
Cyber Threat hunting workshop
byArpan Raval
 
PDF
Pennington - Defending Against Targeted Ransomware with MITRE ATT&CK
byAdam Pennington
 
PDF
State of the ATT&CK May 2023
byAdam Pennington
 
PDF
MITRE ATT&CKcon 2.0: State of the ATT&CK; Blake Strom, MITRE
byMITRE - ATT&CKcon
 
PDF
Getting Bear-y Cozy with PowerShell
byJamieWilliams130
 
PDF
MITRE-Module 2 Slides.pdf
byReZa AdineH
 
PDF
Putting the PRE into ATTACK
byMITRE - ATT&CKcon
 
PDF
(SACON) Wasim Halani & Arpan Raval - Practical Threat Hunting - Developing an...
byPriyanka Aash
 
MITRE-Module 1 Slides.pdf
byReZa AdineH
 
Slideshare.net rh-isac summit 2019 - adam pennington - leveraging mitre at ta...
byRobert Brandel
 
RH-ISAC Summit 2019 - Adam Pennington - Leveraging MITRE ATT&CK™ for Detectio...
byAdam Pennington
 
RH-ISAC Summit 2019 - Adam Pennington - Leveraging MITRE ATT&CK™ for Detectio...
byAdam Pennington
 
Anomali Detect 19 - Nickels & Pennington - Turning Intelligence into Action w...
byAdam Pennington
 
MITRE_ATTACK_Enterprise_11x17.pdf
byAisyiFree
 
Introduction to MITRE ATT&CK
byArpan Raval
 
MITRE ATT&CK Framework
byn|u - The Open Security Community
 
Update from the MITRE ATT&CK Team
byAdam Pennington
 
MITRE-Module 4 Slides.pdf
byReZa AdineH
 
State of the ATT&CK - ATT&CKcon Power Hour
byAdam Pennington
 
State of the ATTACK
byMITRE - ATT&CKcon
 
Cyber Threat hunting workshop
byArpan Raval
 
Pennington - Defending Against Targeted Ransomware with MITRE ATT&CK
byAdam Pennington
 
State of the ATT&CK May 2023
byAdam Pennington
 
MITRE ATT&CKcon 2.0: State of the ATT&CK; Blake Strom, MITRE
byMITRE - ATT&CKcon
 
Getting Bear-y Cozy with PowerShell
byJamieWilliams130
 
MITRE-Module 2 Slides.pdf
byReZa AdineH
 
Putting the PRE into ATTACK
byMITRE - ATT&CKcon
 
(SACON) Wasim Halani & Arpan Raval - Practical Threat Hunting - Developing an...
byPriyanka Aash
 

Recently uploaded

PPTX
Automation Without Apprentices: How AI Challenges the Open Source Way
byIcinga
 
PDF
AI and Zero Trust: What it takes to do it right
byMark Simos
 
PDF
Supercharge Your Copilot-Driven Collaboration with Microsoft 365 Agents SDK
byAntti Koskela
 
PPTX
TechSprint Inauguration at SJB Institute of Technology held on 18 December 2025
bysuhasspgdg
 
PDF
The Enterprise Web3 Landscape - a view from Kaleido based on the past 10 year...
byPeter Broadhurst
 
PDF
Advanced SELinux Management - RHCSA (RH134).pdf
byLinuxCert Guru
 
PPTX
WEEK 1-introduction of industrial arts grade 7.pptx
byrosierufinomaliongan
 
PDF
Poročilo odbora CIS (CH08873) za leto 2025 na letni skupščini IEEE Slovenija ...
byUniversity of Maribor
 
PDF
GenerationAI Paris 2025 | City of Light (COL)
byapidays
 
PPTX
Computer architecture, Computer architecture ,Computer architecture
bywaheedqazi123
 
PPTX
Introduction to Artificial Intelligence (AI).pptx
byammar414783
 
PDF
NTG -Company Profile_Software_Vendor_Company_in_MENA
byMustafa Kuğu
 
PDF
UiPath Automation Developer Associate Training Series 2026 - Session 2
byDianaGray10
 
PPTX
TechSprint (SJBIT) 2025-26 Hackathon Winners & Awards Ceremony
bysuhasspgdg
 
PPTX
Working Session — Build a Document Understanding Automation Using an OOTB ML ...
byDianaGray10
 
PDF
Designing a Blog Using Wordpress
bymarkzubi50
 
PDF
Analyze and Preserve Logs - RHCSA (RH134).pdf
byLinuxCert Guru
 
PDF
Mesh WiFi Router: The Smart Solution for Fast, Seamless, Whole-Home Internet
byAeroMesh Systems
 
PDF
OpenCharacter AI Reviews: Features, Plans, and Best Alternative
byOpenCharacter AI
 
PDF
How to build hackthon projects from ZERO!
byishantyadav1111
 
Automation Without Apprentices: How AI Challenges the Open Source Way
byIcinga
 
AI and Zero Trust: What it takes to do it right
byMark Simos
 
Supercharge Your Copilot-Driven Collaboration with Microsoft 365 Agents SDK
byAntti Koskela
 
TechSprint Inauguration at SJB Institute of Technology held on 18 December 2025
bysuhasspgdg
 
The Enterprise Web3 Landscape - a view from Kaleido based on the past 10 year...
byPeter Broadhurst
 
Advanced SELinux Management - RHCSA (RH134).pdf
byLinuxCert Guru
 
WEEK 1-introduction of industrial arts grade 7.pptx
byrosierufinomaliongan
 
Poročilo odbora CIS (CH08873) za leto 2025 na letni skupščini IEEE Slovenija ...
byUniversity of Maribor
 
GenerationAI Paris 2025 | City of Light (COL)
byapidays
 
Computer architecture, Computer architecture ,Computer architecture
bywaheedqazi123
 
Introduction to Artificial Intelligence (AI).pptx
byammar414783
 
NTG -Company Profile_Software_Vendor_Company_in_MENA
byMustafa Kuğu
 
UiPath Automation Developer Associate Training Series 2026 - Session 2
byDianaGray10
 
TechSprint (SJBIT) 2025-26 Hackathon Winners & Awards Ceremony
bysuhasspgdg
 
Working Session — Build a Document Understanding Automation Using an OOTB ML ...
byDianaGray10
 
Designing a Blog Using Wordpress
bymarkzubi50
 
Analyze and Preserve Logs - RHCSA (RH134).pdf
byLinuxCert Guru
 
Mesh WiFi Router: The Smart Solution for Fast, Seamless, Whole-Home Internet
byAeroMesh Systems
 
OpenCharacter AI Reviews: Features, Plans, and Best Alternative
byOpenCharacter AI
 
How to build hackthon projects from ZERO!
byishantyadav1111
 

FIRST CTI Symposium: Turning intelligence into action with MITRE ATT&CK™

  • 1.
    ©2019 The MITRECorporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 18-1528-42. Turning Intelligence into Action with MITRE ATT&CK™ Katie Nickels @likethecoins Adam Pennington @_whatshisface MITRE ATT&CK @MITREattack | 1 |
  • 2.
    What is ? A knowledgebase of adversary behavior ➢ Based on real-world observations ➢ Free, open, and globally accessible ➢ A common language ➢ Community-driven ©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 18-1528-42.
  • 3.
    The Difficult Taskof Detecting TTPs Source: David Bianco, https://detect-respond.blogspot.com/2013/03/the-pyramid-of-pain.html David Bianco’s Pyramid of Pain ? + ©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 18-1528-42.
  • 4.
    Zooming in onthe Adversary Lifecycle Recon Weaponize Deliver Exploit Control Execute Maintain Enterprise ATT&CKPRE-ATT&CK Mobile ATT&CK ©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 18-1528-42.
  • 5.
    Hardware Additions ScheduledTask Binary Padding Credentials in Registry Browser Bookmark Discovery Exploitation of Remote Services Data from Information Repositories Exfiltration Over Physical Medium Remote Access Tools Trusted Relationship LSASS Driver Extra Window Memory Injection Exploitation for Credential Access Port Knocking Supply Chain Compromise Local Job Scheduling Access Token Manipulation Network Share Discovery Distributed Component Object Model Video Capture Exfiltration Over Command and Control Channel Multi-hop Proxy Trap Bypass User Account Control Forced Authentication Audio Capture Domain Fronting Spearphishing Attachment Launchctl Process Injection Hooking Peripheral Device Discovery Remote File Copy Automated Collection Data Encoding Signed Binary Proxy Execution Image File Execution Options Injection Password Filter DLL Pass the Ticket Clipboard Data Data Encrypted Remote File Copy Exploit Public-Facing Application Plist Modification LLMNR/NBT-NS Poisoning File and Directory Discovery Replication Through Removable Media Email Collection Automated Exfiltration Multi-Stage Channels User Execution Valid Accounts Screen Capture Exfiltration Over Other Network Medium Web Service Replication Through Removable Media Exploitation for Client Execution DLL Search Order Hijacking Private Keys Permission Groups Discovery Windows Admin Shares Data Staged Standard Non-Application Layer Protocol AppCert DLLs Signed Script Proxy Execution Keychain Pass the Hash Input Capture Exfiltration Over Alternative Protocol Spearphishing via Service CMSTP Hooking Input Prompt Process Discovery Third-party Software Data from Network Shared DriveDynamic Data Exchange Startup Items DCShadow Bash History System Network Connections Discovery Shared Webroot Data Transfer Size Limits Connection Proxy Spearphishing Link Mshta Launch Daemon Port Knocking Two-Factor Authentication Interception Logon Scripts Data from Local System Multilayer Encryption Drive-by Compromise AppleScript Dylib Hijacking Indirect Command Execution System Owner/User Discovery Windows Remote Management Man in the Browser Data Compressed Standard Application Layer ProtocolValid Accounts Source Application Shimming Data from Removable Media Scheduled Transfer Space after Filename AppInit DLLs BITS Jobs Replication Through Removable Media System Network Configuration Discovery Application Deployment Software Commonly Used Port Execution through Module Load Web Shell Control Panel Items Standard Cryptographic Protocol Service Registry Permissions Weakness CMSTP Input Capture Application Window Discovery SSH Hijacking AppleScript Custom Cryptographic Protocol Regsvcs/Regasm New Service Process Doppelgänging Network Sniffing InstallUtil File System Permissions Weakness Mshta Credential Dumping Password Policy Discovery Taint Shared Content Regsvr32 Path Interception Hidden Files and Directories Kerberoasting Remote Desktop Protocol Data Obfuscation Execution through API Accessibility Features Securityd Memory System Time Discovery Custom Command and Control ProtocolPowerShell Port Monitors Space after Filename Brute Force Account Discovery Remote Services Rundll32 Kernel Modules and Extensions Sudo Caching LC_MAIN Hijacking Account Manipulation System Information Discovery Communication Through Removable Media Third-party Software SID-History Injection HISTCONTROL Credentials in Files Scripting Port Knocking Sudo Hidden Users Security Software DiscoveryGraphical User Interface SIP and Trust Provider Hijacking Setuid and Setgid Clear Command History Multiband Communication Command-Line Interface Exploitation for Privilege Escalation Gatekeeper Bypass Network Service ScanningScreensaver Hidden Window Fallback Channels Service Execution Browser Extensions Deobfuscate/Decode Files or Information Remote System Discovery Uncommonly Used Port Windows Remote Re-opened Applications Breaking Down ATT&CK | 2 | Initial Access Execution Persistence Privilege Escalation Defense Evasion Credential Access Discovery Lateral Movement Collection Exfiltration Command & Control Tactics: the adversary’s technical goals Techniques:howthegoalsare achieved Procedures: Specific technique implementation ©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 18-1528-42.
  • 6.
    Groups and Software:Providing Technique Examples ©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 18-1528-42. | 3 | attack.mitre.org
  • 7.
    Example Group: APT28 ©2019The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 18-1528-42. | 4 |
  • 8.
    ATT&CK Threat IntelligenceUse Cases ▪ Structuring threat intelligence with ATT&CK allows us to do cool things… – Compare behaviors – Communicate in a common language ©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 18-1528-42. | 5 |
  • 9.
    Initial Access Eec tion Persistence Privilege Escalation Defense Evasion Credential Access Discovery ateral Movement Collection E filtration Command And Control Compare Groups to Each Other | 6 | *from open source reporting we’ve mapped APT28* ©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 18-1528-42.
  • 10.
    Initial Access Eec tion Persistence Privilege Escalation Defense Evasion Credential Access Discovery ateral Movement Collection E filtration Command And Control Compare Groups to Each Other | 7 | APT29 ©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 18-1528-42.
  • 11.
    Initial Access Eec tion Persistence Privilege Escalation Defense Evasion Credential Access Discovery ateral Movement Collection E filtration Command And Control Compare Groups to Each Other | 8 | APT28 APT29 Both groups Prioritize! ©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 18-1528-42.
  • 12.
    Initial Access Eec tion Persistence Privilege Escalation Defense Evasion Credential Access Discovery ateral Movement Collection E filtration Command And Control Compare Groups to Defenses | 9 | Overlay known defensive gaps APT28 APT29 Both groups ©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 18-1528-42.
  • 13.
    Initial Access Eec tion Persistence Privilege Escalation Defense Evasion Credential Access Discovery ateral Movement Collection E filtration Command And Control Compare Groups Over Time Initial Access E ec tion Persistence Privilege Escalation Defense Evasion Credential Access Discovery ateral Movement Collection E filtration Command And Control | 10 | Notional group in 2018 Same gro p in 2019…why did we not see these techniques? ©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 18-1528-42.
  • 14.
    Communicate to Defenders |11 | CTI Analyst Defender Registry Run Keys / Startup Folder (T1060) THIS is what the adversary is doing! The Run key is AdobeUpdater. Oh, we have Registry data, we can detect that! ©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 18-1528-42.
  • 15.
    Communicate Across theCommunity ©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 18-1528-42. | 12 | CTI Consumer Registry Run Keys / Startup Folder (T1060) Oh, you mean T1060! APT1337 is using autorun FUZZYDUCK used a Run key Company A Company B
  • 16.
    Mapping ATT&CK Techniquesfrom a Threat Report https://www.fireeye.com/blog/threat-research/2014/11/operation_doubletap.html Exploitation for Privilege Escalation (T1068) Command-Line Interface (T1059) System Owner/User Discovery (T1033) Scheduled Task (T1053) Standard Non-Application Layer Protocol (T1095) Uncommonly Used Port (T1065) Uncommonly Used Port (T1065) Multi-Stage Channels (T1104) | 13 | ©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 18-1528-42.
  • 17.
    Technique Mapping WorkAvailable from ATT&CK ©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 18-1528-42. | 14 | 5 years of reviewing and mapping Technique examples for Software and Groups ~400 report sources Only freely-available public reporting
  • 18.
    Biases in ATT&CK’sMapped Data ▪ Important to understand and state our biases in CTI ▪ Two kinds of bias in technique examples in ATT&CK – Bias introduced by us – Bias inherent in the sources we use ▪ Understanding these is the first step in properly leveraging this data ©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 18-1528-42. | 15 |
  • 19.
    Security Vendors 92% Press Reports 5% Publicly- available Government Reports 3% Our Biases: SourcesWe Select | 16 | From reports used for technique examples in ATT&CK Groups ©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 18-1528-42.
  • 20.
    Our Biases: AvailabilityBias ©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 18-1528-42. | 17 | All Possible Techniques Techniques We Remember
  • 21.
    Our Biases: NoveltyBias ©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 18-1528-42. | 18 | Yet another FUZZYDUCK using Powershell report APT1337 Using Transmitted Data Manipulation
  • 22.
    Source Biases: AvailabilityBias ©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 18-1528-42. | 19 | All Possible Behaviors Familiar Behaviors
  • 23.
    Source Biases: NoveltyBias ©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 18-1528-42. | 20 | Another APT1337 Report APT1338 Report!!!
  • 24.
    Source Biases: VictimBias ©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 18-1528-42. | 21 | Victim 4 Victim 5Victim 3 Victim 2 Victim 1
  • 25.
    Source Biases: Visibilitybias | 22 | Visible Disk Forensics Network Flows Process Execution Powershell Registry Monitoring Decoded C2 Not Seen ©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 18-1528-42.
  • 26.
    Source Biases: ProductionBias ©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 18-1528-42. | 23 | Operation Snakepit APT1337 Report Operation Brown Fox APT1338 Report Ducks in the Wild FUZZYDUCK Report Source 1 Source 2
  • 27.
    How Do WeDeal With These Biases? ▪ Know that they exist – Once you know them, you can better determine what is real data vs. your biases ▪ Be honest and explain them ©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 18-1528-42. | 24| Tenor.com
  • 28.
    Hedging Our Biases ▪Work together – Diversity of thought makes for stronger teams ▪ Adjust and calibrate your data sources ▪ Add different data sources ▪ Remember we’re prioritizing the known over the unknown – As opposed to absolute comparison ©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 18-1528-42. | 25 |
  • 29.
    Now that yoknow those biases, here’s your imperfect data! | 26 | ©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 18-1528-42.
  • 30.
    1. Standard AppLayer Protocol 2. Remote File Copy 3. System Information Discovery 4. Command-Line Interface 5. File and Directory Discovery 6. Registry Run Key/Startup Folder 7. Obfuscated Files or Information 8. File Deletion 9. Process Discovery 10.System Network Config Discovery 11.Credential Dumping 12.Screen Capture 13.Input Capture 14.System Owner/User Discovery 15.Scripting 16.Commonly Used Port 17.Standard Crypto Protocol 18.PowerShell 19.& 20 (tie!) Masquerading and New Service Top 20 Techniques from ATT&CK Group/Software Data Know and explain our bias: availability bias from analysts Hedge our bias: how could we calibrate by source? | 27 | ©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 18-1528-42.
  • 31.
    ATT&CK Group/Software DataAcross Tactics ©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 18-1528-42. | 28 | 39 47 42 35 58 31 35 33 28 20 38 19 145 145 98 193 82 173 120 96 55 194 Groups Software Know and explain our bias: why is Initial Access low? Hedge our bias: work with others
  • 32.
    Process for MakingRecommendations from Techniques | 29 | 5. Make recommendations 4. Determine what tradeoffs are for org on specific options 3. Research organizational capability/constraints 2. Research defensive options related to technique 1. Research how techniques are being used 0. Determine priority techniques ©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 18-1528-42.
  • 33.
    Takeaways ▪ Use ATT&CKfor cyber threat intelligence to help yo … – Compare behaviors – Communicate in a common language ▪ Know the biases involved with mapping CTI reporting to ATT&CK ▪ Hedge those biases and use ATT&CK-mapped CTI to improve defenses ©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 18-1528-42. | 30 |
  • 34.
    | 31 | https://attack.mitre.org attack@mitre.org @MITREattack AdamPennington @_whatshisface Katie Nickels @likethecoins ©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 18-1528-42.