©2019 The MITRE Corporation. ALL RIGHTS RESERVED Approved for public release. Distribution unlimited 18-1528-42.
Turning Intelligence into Action with
MITRE ATT&CK™
Katie Nickels @likethecoins
Adam Pennington @_whatshisface
MITRE ATT&CK @MITREattack
What is ATT&CK?
A knowledge base of adversary behavior
➢ Based on real-world observations
➢ Free, open, and globally accessible
➢ A common language
➢ Community-driven
The Difficult Task of Detecting TTPs
[Figure: David Bianco's Pyramid of Pain]
Source: David Bianco, https://detect-respond.blogspot.com/2013/03/the-pyramid-of-pain.html
Zooming in on the Adversary Lifecycle
Lifecycle phases: Recon, Weaponize, Deliver, Exploit, Control, Execute, Maintain
Knowledge bases shown against the lifecycle: PRE-ATT&CK, Enterprise ATT&CK, Mobile ATT&CK
Breaking Down ATT&CK
[Slide: the Enterprise ATT&CK matrix, with each technique listed under the tactic column(s) it belongs to; the per-column layout is not recoverable from the extracted text]
Tactics (matrix columns): Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Collection, Exfiltration, Command & Control
Tactics: the adversary's technical goals
Techniques: how the goals are achieved
Procedures: specific technique implementation
Groups and Software: Providing Technique Examples
attack.mitre.org
Example Group: APT28
ATT&CK Threat Intelligence Use Cases
▪ Structuring threat intelligence with ATT&CK allows us to do cool things…
– Compare behaviors
– Communicate in a common language
Compare Groups to Each Other
[ATT&CK matrix: Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command And Control]
Highlighted: APT28*
*from open source reporting we've mapped
Compare Groups to Each Other
[ATT&CK matrix: Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command And Control]
Highlighted: APT29
Compare Groups to Each Other
[ATT&CK matrix: Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command And Control]
Legend: APT28, APT29, Both groups
Prioritize!
Compare Groups to Defenses
[ATT&CK matrix: Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command And Control]
Overlay known defensive gaps
Legend: APT28, APT29, Both groups
Compare Groups Over Time
[Two ATT&CK matrices, one per year: Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command And Control]
Notional group in 2018
Same group in 2019…why did we not see these techniques?
Communicate to Defenders
CTI Analyst: "Registry Run Keys / Startup Folder (T1060). THIS is what the adversary is doing! The Run key is AdobeUpdater."
Defender: "Oh, we have Registry data, we can detect that!"
Communicate Across the Community
Company A: "APT1337 is using autorun"
Company B: "FUZZYDUCK used a Run key"
CTI Consumer: "Oh, you mean T1060!" (Registry Run Keys / Startup Folder)
Mapping ATT&CK Techniques from a Threat Report
Source report: https://www.fireeye.com/blog/threat-research/2014/11/operation_doubletap.html
Techniques mapped from the report:
– Exploitation for Privilege Escalation (T1068)
– Command-Line Interface (T1059)
– System Owner/User Discovery (T1033)
– Scheduled Task (T1053)
– Standard Non-Application Layer Protocol (T1095)
– Uncommonly Used Port (T1065)
– Multi-Stage Channels (T1104)
Technique Mapping Work Available from ATT&CK
▪ 5 years of reviewing and mapping
▪ Technique examples for Software and Groups
▪ ~400 report sources
▪ Only freely-available public reporting
Biases in ATT&CK’s Mapped Data
▪ Important to understand and state our biases in CTI
▪ Two kinds of bias in technique examples in ATT&CK
– Bias introduced by us
– Bias inherent in the sources we use
▪ Understanding these is the first step in properly leveraging this data
Our Biases: Sources We Select
From reports used for technique examples in ATT&CK Groups:
– Security Vendors: 92%
– Press Reports: 5%
– Publicly-available Government Reports: 3%
Our Biases: Availability Bias
[Diagram: "Techniques We Remember" shown as a small subset of "All Possible Techniques"]
Our Biases: Novelty Bias
[Two report callouts: "Yet another FUZZYDUCK using Powershell report" vs. "APT1337 Using Transmitted Data Manipulation"]
Source Biases: Availability Bias
[Diagram: "Familiar Behaviors" shown as a small subset of "All Possible Behaviors"]
Source Biases: Novelty Bias
[Two report callouts: "Another APT1337 Report" vs. "APT1338 Report!!!"]
Source Biases: Victim Bias
[Diagram: Victim 1 through Victim 5]
Source Biases: Visibility bias
[Diagram with labels "Visible" and "Not Seen"; data sources shown: Disk Forensics, Network Flows, Process Execution, Powershell, Registry Monitoring, Decoded C2]
Source Biases: Production Bias
[Diagram of reports by source, labels "Source 1" and "Source 2"; reports shown: Operation Snakepit (APT1337 Report), Operation Brown Fox (APT1338 Report), Ducks in the Wild (FUZZYDUCK Report)]
How Do We Deal With These Biases?
▪ Know that they exist
– Once you know them, you can better determine what is real data vs. your biases
▪ Be honest and explain them
Hedging Our Biases
▪ Work together
– Diversity of thought makes for stronger teams
▪ Adjust and calibrate your data sources
▪ Add different data sources
▪ Remember we’re prioritizing the known over the unknown
– As opposed to absolute comparison
Now that you know those biases, here's your imperfect data!
Top 20 Techniques from ATT&CK Group/Software Data
1. Standard App Layer Protocol
2. Remote File Copy
3. System Information Discovery
4. Command-Line Interface
5. File and Directory Discovery
6. Registry Run Key/Startup Folder
7. Obfuscated Files or Information
8. File Deletion
9. Process Discovery
10. System Network Config Discovery
11. Credential Dumping
12. Screen Capture
13. Input Capture
14. System Owner/User Discovery
15. Scripting
16. Commonly Used Port
17. Standard Crypto Protocol
18. PowerShell
19. & 20. (tie!) Masquerading and New Service
Know and explain our bias: availability bias from analysts
Hedge our bias: how could we calibrate by source?
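A worked example, added here and not part of the original slides: Python that performs the set comparison behind the "Compare Groups to Each Other" and "Compare Groups to Defenses" views (overlap of two groups' techniques, overlaid with known defensive gaps to produce a priority list), and the frequency count behind the "Top 20 Techniques" slide with one assumed way to calibrate by source. Group names, technique IDs (2019-era numbering), source labels and the defensive gaps are constructed sample data; the layer dict is Navigator-style but intentionally minimal.

```python
"""Compare two groups' ATT&CK technique mappings, overlay defensive gaps to
prioritize, and count technique frequency with a per-source calibration.
Added example; all data below is constructed, not real ATT&CK content."""
import json
from collections import Counter

# Constructed sample: (group, technique ID, source report the mapping came from).
MAPPINGS = [
    ("APT28", "T1059", "vendor-report-1"),   # Command-Line Interface
    ("APT28", "T1053", "vendor-report-1"),   # Scheduled Task
    ("APT28", "T1060", "vendor-report-2"),   # Registry Run Keys / Startup Folder
    ("APT28", "T1003", "vendor-report-2"),   # Credential Dumping
    ("APT29", "T1059", "vendor-report-3"),
    ("APT29", "T1060", "vendor-report-3"),
    ("APT29", "T1086", "vendor-report-3"),   # PowerShell
    ("APT29", "T1086", "press-report-1"),    # same technique, second source
    ("APT29", "T1027", "gov-report-1"),      # Obfuscated Files or Information
]

# Constructed: techniques this notional organization cannot currently detect.
DEFENSIVE_GAPS = {"T1060", "T1086"}


def techniques_for(group, mappings=MAPPINGS):
    """Set of technique IDs mapped to one group."""
    return {tech for grp, tech, _src in mappings if grp == group}


def compare_groups(a, b, mappings=MAPPINGS):
    """Split the union of two groups' techniques into the overlap and the
    techniques unique to each group (the 'Compare Groups to Each Other' view)."""
    ta, tb = techniques_for(a, mappings), techniques_for(b, mappings)
    return {"both": ta & tb, a: ta - tb, b: tb - ta}


def prioritize(a, b, gaps, mappings=MAPPINGS):
    """Rank techniques for defensive work ('Compare Groups to Defenses'):
    +2 if both groups use it, +1 if only one does, +1 more if it is a known gap.
    Returns [(technique_id, score), ...] best first, ties broken by ID."""
    parts = compare_groups(a, b, mappings)
    ranked = []
    for tech in parts["both"] | parts[a] | parts[b]:
        score = (2 if tech in parts["both"] else 1) + (1 if tech in gaps else 0)
        ranked.append((tech, score))
    return sorted(ranked, key=lambda item: (-item[1], item[0]))


def navigator_style_layer(name, ranked):
    """Build a minimal Navigator-style layer dict from a ranking so the result
    can be visualised on the matrix. Only the technique list is modelled;
    a real layer file also needs version metadata for your Navigator release
    (assumption: consult the layer format of the version you run)."""
    return {
        "name": name,
        "domain": "enterprise-attack",
        "techniques": [{"techniqueID": t, "score": s} for t, s in ranked],
    }


def technique_counts(mappings=MAPPINGS, calibrate_by_source=False):
    """Technique frequency across groups (a 'Top 20'-style count).
    Raw mode counts distinct (group, technique) pairs, so one group's repeated
    reporting of a technique counts once. Calibrated mode (an assumed hedge
    for availability bias, not the slides' own method) counts distinct sources
    per technique, so a technique seen in several independent reports rises."""
    if calibrate_by_source:
        pairs = {(src, tech) for _grp, tech, src in mappings}
    else:
        pairs = {(grp, tech) for grp, tech, _src in mappings}
    return Counter(tech for _key, tech in pairs)


if __name__ == "__main__":
    ranking = prioritize("APT28", "APT29", DEFENSIVE_GAPS)
    print(json.dumps(navigator_style_layer("APT28 vs APT29 gaps", ranking), indent=2))
    print("raw:", technique_counts().most_common())
    print("by source:", technique_counts(calibrate_by_source=True).most_common())
```

Note that T1086 counts once in raw mode but twice when calibrated by source, which is exactly the kind of reordering the "calibrate by source" question on the slide is asking about.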
ATT&CK Group/Software Data Across Tactics
[Bar chart of Group and Software technique-example data per tactic, two series: Groups and Software. Bar values as extracted, tactic order not recoverable: 39 47 42 35 58 31 35 33 28 20 38 19 145 145 98 193 82 173 120 96 55 194]
Know and explain our bias: why is Initial Access low?
Hedge our bias: work with others
Process for Making Recommendations from Techniques
0. Determine priority techniques
1. Research how techniques are being used
2. Research defensive options related to technique
3. Research organizational capability/constraints
4. Determine what tradeoffs are for org on specific options
5. Make recommendations
Takeaways
▪ Use ATT&CK for cyber threat intelligence to help you…
– Compare behaviors
– Communicate in a common language
▪ Know the biases involved with mapping CTI reporting to ATT&CK
▪ Hedge those biases and use ATT&CK-mapped CTI to improve defenses
https://attack.mitre.org
attack@mitre.org
@MITREattack
Adam Pennington
@_whatshisface
Katie Nickels
@likethecoins

PHP Frameworks: I want to break free (IPC Berlin 2024)PHP Frameworks: I want to break free (IPC Berlin 2024)
PHP Frameworks: I want to break free (IPC Berlin 2024)
Ralf Eggert
 
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdfFIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance
 
Alt. GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using ...
Alt. GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using ...Alt. GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using ...
Alt. GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using ...
James Anderson
 
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdfFIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
FIDO Alliance
 
Transcript: Selling digital books in 2024: Insights from industry leaders - T...
Transcript: Selling digital books in 2024: Insights from industry leaders - T...Transcript: Selling digital books in 2024: Insights from industry leaders - T...
Transcript: Selling digital books in 2024: Insights from industry leaders - T...
BookNet Canada
 
GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...
GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...
GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...
Neo4j
 
Free Complete Python - A step towards Data Science
Free Complete Python - A step towards Data ScienceFree Complete Python - A step towards Data Science
Free Complete Python - A step towards Data Science
RinaMondal9
 
Removing Uninteresting Bytes in Software Fuzzing
Removing Uninteresting Bytes in Software FuzzingRemoving Uninteresting Bytes in Software Fuzzing
Removing Uninteresting Bytes in Software Fuzzing
Aftab Hussain
 
Pushing the limits of ePRTC: 100ns holdover for 100 days
Pushing the limits of ePRTC: 100ns holdover for 100 daysPushing the limits of ePRTC: 100ns holdover for 100 days
Pushing the limits of ePRTC: 100ns holdover for 100 days
Adtran
 
UiPath Test Automation using UiPath Test Suite series, part 5
UiPath Test Automation using UiPath Test Suite series, part 5UiPath Test Automation using UiPath Test Suite series, part 5
UiPath Test Automation using UiPath Test Suite series, part 5
DianaGray10
 
National Security Agency - NSA mobile device best practices
National Security Agency - NSA mobile device best practicesNational Security Agency - NSA mobile device best practices
National Security Agency - NSA mobile device best practices
Quotidiano Piemontese
 
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Albert Hoitingh
 
The Future of Platform Engineering
The Future of Platform EngineeringThe Future of Platform Engineering
The Future of Platform Engineering
Jemma Hussein Allen
 
GraphRAG is All You need? LLM & Knowledge Graph
GraphRAG is All You need? LLM & Knowledge GraphGraphRAG is All You need? LLM & Knowledge Graph
GraphRAG is All You need? LLM & Knowledge Graph
Guy Korland
 
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdfObservability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf
Paige Cruz
 
Elevating Tactical DDD Patterns Through Object Calisthenics
Elevating Tactical DDD Patterns Through Object CalisthenicsElevating Tactical DDD Patterns Through Object Calisthenics
Elevating Tactical DDD Patterns Through Object Calisthenics
Dorra BARTAGUIZ
 
Uni Systems Copilot event_05062024_C.Vlachos.pdf
Uni Systems Copilot event_05062024_C.Vlachos.pdfUni Systems Copilot event_05062024_C.Vlachos.pdf
Uni Systems Copilot event_05062024_C.Vlachos.pdf
Uni Systems S.M.S.A.
 

Recently uploaded (20)

Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdfSmart TV Buyer Insights Survey 2024 by 91mobiles.pdf
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf
 
GridMate - End to end testing is a critical piece to ensure quality and avoid...
GridMate - End to end testing is a critical piece to ensure quality and avoid...GridMate - End to end testing is a critical piece to ensure quality and avoid...
GridMate - End to end testing is a critical piece to ensure quality and avoid...
 
SAP Sapphire 2024 - ASUG301 building better apps with SAP Fiori.pdf
SAP Sapphire 2024 - ASUG301 building better apps with SAP Fiori.pdfSAP Sapphire 2024 - ASUG301 building better apps with SAP Fiori.pdf
SAP Sapphire 2024 - ASUG301 building better apps with SAP Fiori.pdf
 
PHP Frameworks: I want to break free (IPC Berlin 2024)
PHP Frameworks: I want to break free (IPC Berlin 2024)PHP Frameworks: I want to break free (IPC Berlin 2024)
PHP Frameworks: I want to break free (IPC Berlin 2024)
 
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdfFIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
 
Alt. GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using ...
Alt. GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using ...Alt. GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using ...
Alt. GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using ...
 
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdfFIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
 
Transcript: Selling digital books in 2024: Insights from industry leaders - T...
Transcript: Selling digital books in 2024: Insights from industry leaders - T...Transcript: Selling digital books in 2024: Insights from industry leaders - T...
Transcript: Selling digital books in 2024: Insights from industry leaders - T...
 
GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...
GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...
GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...
 
Free Complete Python - A step towards Data Science
Free Complete Python - A step towards Data ScienceFree Complete Python - A step towards Data Science
Free Complete Python - A step towards Data Science
 
Removing Uninteresting Bytes in Software Fuzzing
Removing Uninteresting Bytes in Software FuzzingRemoving Uninteresting Bytes in Software Fuzzing
Removing Uninteresting Bytes in Software Fuzzing
 
Pushing the limits of ePRTC: 100ns holdover for 100 days
Pushing the limits of ePRTC: 100ns holdover for 100 daysPushing the limits of ePRTC: 100ns holdover for 100 days
Pushing the limits of ePRTC: 100ns holdover for 100 days
 
UiPath Test Automation using UiPath Test Suite series, part 5
UiPath Test Automation using UiPath Test Suite series, part 5UiPath Test Automation using UiPath Test Suite series, part 5
UiPath Test Automation using UiPath Test Suite series, part 5
 
National Security Agency - NSA mobile device best practices
National Security Agency - NSA mobile device best practicesNational Security Agency - NSA mobile device best practices
National Security Agency - NSA mobile device best practices
 
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
 
The Future of Platform Engineering
The Future of Platform EngineeringThe Future of Platform Engineering
The Future of Platform Engineering
 
GraphRAG is All You need? LLM & Knowledge Graph
GraphRAG is All You need? LLM & Knowledge GraphGraphRAG is All You need? LLM & Knowledge Graph
GraphRAG is All You need? LLM & Knowledge Graph
 
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdfObservability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf
 
Elevating Tactical DDD Patterns Through Object Calisthenics
Elevating Tactical DDD Patterns Through Object CalisthenicsElevating Tactical DDD Patterns Through Object Calisthenics
Elevating Tactical DDD Patterns Through Object Calisthenics
 
Uni Systems Copilot event_05062024_C.Vlachos.pdf
Uni Systems Copilot event_05062024_C.Vlachos.pdfUni Systems Copilot event_05062024_C.Vlachos.pdf
Uni Systems Copilot event_05062024_C.Vlachos.pdf
 

FIRST CTI Symposium: Turning intelligence into action with MITRE ATT&CK™

  • 1. Turning Intelligence into Action with MITRE ATT&CK™. Katie Nickels @likethecoins; Adam Pennington @_whatshisface; MITRE ATT&CK @MITREattack. ©2019 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for public release. Distribution unlimited 18-1528-42.
  • 2. What is ATT&CK? A knowledge base of adversary behavior: ➢ Based on real-world observations ➢ Free, open, and globally accessible ➢ A common language ➢ Community-driven
  • 3. The Difficult Task of Detecting TTPs. [Figure: David Bianco’s Pyramid of Pain. Source: David Bianco, https://detect-respond.blogspot.com/2013/03/the-pyramid-of-pain.html]
  • 4. Zooming in on the Adversary Lifecycle. [Diagram: lifecycle phases Recon, Weaponize, Deliver, Exploit, Control, Execute, Maintain, with the spans covered by PRE-ATT&CK, Enterprise ATT&CK and Mobile ATT&CK.]
  • 5. Breaking Down ATT&CK. [Figure: the Enterprise ATT&CK matrix, technique cells listed under each tactic column; cell text not reproduced here.] Tactic columns: Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Collection, Exfiltration, Command & Control. Tactics: the adversary’s technical goals. Techniques: how the goals are achieved. Procedures: specific technique implementation.
  • 6. Groups and Software: Providing Technique Examples (attack.mitre.org).
  • 7. Example Group: APT28.
  • 8. ATT&CK Threat Intelligence Use Cases ▪ Structuring threat intelligence with ATT&CK allows us to do cool things… – Compare behaviors – Communicate in a common language
  • 9. Compare Groups to Each Other. [Heatmap over the tactic columns Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Collection, Exfiltration, Command And Control.] *from open source reporting we’ve mapped APT28*
  • 10. Compare Groups to Each Other. [Same heatmap layout, showing APT29.]
  • 11. Compare Groups to Each Other. [Heatmap legend: APT28, APT29, Both groups.] Prioritize!
  • 12. Compare Groups to Defenses. [Same heatmap; legend: APT28, APT29, Both groups.] Overlay known defensive gaps.
  • 13. Compare Groups Over Time. [Two heatmaps over the same tactic columns.] Notional group in 2018. Same group in 2019…why did we not see these techniques?
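As an added example (not code from the deck or from MITRE), the set comparison behind slides 9 through 13 in Python: which techniques two groups share, which of those fall in known defensive gaps, and what a group stopped showing between two years. The technique IDs are ones named on the slides, but their assignment to APT28 and APT29 is constructed sample data, not ATT&CK's real mappings, and the Navigator-style layer output is an assumption about the layer file format.

```python
"""Group-to-group comparison and defensive-gap overlay over ATT&CK technique IDs.

Added example, not code from the MITRE ATT&CK deck. The technique IDs appear on
the slides, but WHICH group uses which is constructed sample data, not ATT&CK's
actual mapping for APT28 or APT29; swap in your own mapped CTI.
"""
import json

# Constructed sample data: technique sets per group (and per year for one group).
APT28_2018 = {"T1060", "T1059", "T1033", "T1053", "T1068", "T1095"}
APT28_2019 = {"T1060", "T1059", "T1053", "T1104"}
APT29 = {"T1060", "T1059", "T1053", "T1065", "T1104"}

# Constructed: techniques the notional organization cannot currently detect.
DEFENSIVE_GAPS = {"T1060", "T1065", "T1068", "T1104"}

# Priority tiers, highest first (index 0): what both groups do and we cannot see.
TIERS = [
    "both groups, no coverage",
    "one group, no coverage",
    "both groups, covered",
    "one group, covered",
]


def compare_groups(a: set, b: set) -> dict:
    """Slides 9-11: split the union into 'both', 'only_a' and 'only_b'."""
    return {"both": a & b, "only_a": a - b, "only_b": b - a}


def prioritize(a: set, b: set, gaps: set) -> list:
    """Slide 12: overlay known defensive gaps and return (technique, tier)
    pairs sorted by tier, then by technique ID so output is deterministic."""
    both = compare_groups(a, b)["both"]
    ranked = []
    for tech in a | b:
        tier = (0 if tech in both else 1) + (0 if tech in gaps else 2)
        ranked.append((tech, TIERS[tier]))
    return sorted(ranked, key=lambda pair: (TIERS.index(pair[1]), pair[0]))


def changes_over_time(old: set, new: set) -> dict:
    """Slide 13: the same group across two years. 'dropped' is the set to ask
    about: did the group stop, or did our visibility or reporting miss it?"""
    return {"dropped": old - new, "new": new - old, "persistent": old & new}


def navigator_layer(a: set, b: set, name: str = "APT28 vs APT29 (constructed)") -> dict:
    """Build a Navigator-style heatmap layer like the ones the slides show.
    Field names are this example's assumption about the layer file format;
    validate against the ATT&CK Navigator version you run."""
    colors = {"both": "#ff6666", "only_a": "#ffcc66", "only_b": "#66ccff"}
    techniques = [
        {"techniqueID": tech, "color": colors[bucket], "comment": bucket}
        for bucket, techs in compare_groups(a, b).items()
        for tech in sorted(techs)
    ]
    return {"name": name, "domain": "enterprise-attack",
            "description": "constructed example layer", "techniques": techniques}


if __name__ == "__main__":
    for tech, tier in prioritize(APT28_2018, APT29, DEFENSIVE_GAPS):
        print(f"{tech}: {tier}")
    print("APT28 2018 -> 2019:", changes_over_time(APT28_2018, APT28_2019))
    print(json.dumps(navigator_layer(APT28_2018, APT29), indent=2))
```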
  • 14. Communicate to Defenders. Registry Run Keys / Startup Folder (T1060). CTI Analyst: “THIS is what the adversary is doing! The Run key is AdobeUpdater.” Defender: “Oh, we have Registry data, we can detect that!”
  • 15. Communicate Across the Community. Registry Run Keys / Startup Folder (T1060). Company A: “APT1337 is using autorun.” Company B: “FUZZYDUCK used a Run key.” CTI Consumer: “Oh, you mean T1060!”
  • 16. Mapping ATT&CK Techniques from a Threat Report (https://www.fireeye.com/blog/threat-research/2014/11/operation_doubletap.html): Exploitation for Privilege Escalation (T1068), Command-Line Interface (T1059), System Owner/User Discovery (T1033), Scheduled Task (T1053), Standard Non-Application Layer Protocol (T1095), Uncommonly Used Port (T1065), Uncommonly Used Port (T1065), Multi-Stage Channels (T1104).
  • 17. Technique Mapping Work Available from ATT&CK: 5 years of reviewing and mapping; technique examples for Software and Groups; ~400 report sources; only freely-available public reporting.
  • 18. Biases in ATT&CK’s Mapped Data ▪ Important to understand and state our biases in CTI ▪ Two kinds of bias in technique examples in ATT&CK – Bias introduced by us – Bias inherent in the sources we use ▪ Understanding these is the first step in properly leveraging this data
  • 19. Our Biases: Sources We Select. From reports used for technique examples in ATT&CK Groups: Security Vendors 92%, Press Reports 5%, Publicly-available Government Reports 3%.
  • 20. Our Biases: Availability Bias. [Diagram: All Possible Techniques vs. Techniques We Remember.]
  • 21. Our Biases: Novelty Bias. [Illustration: “Yet another FUZZYDUCK using Powershell report” vs. “APT1337 Using Transmitted Data Manipulation”.]
  • 22. Source Biases: Availability Bias. [Diagram: All Possible Behaviors vs. Familiar Behaviors.]
  • 23. Source Biases: Novelty Bias. [Illustration: “Another APT1337 Report” vs. “APT1338 Report!!!”]
  • 24. Source Biases: Victim Bias. [Illustration: Victim 1 through Victim 5.]
  • 25. Source Biases: Visibility Bias. [Diagram: what a reporter sees (Disk Forensics, Network Flows, Process Execution, Powershell, Registry Monitoring, Decoded C2) versus what is Not Seen.]
  • 26. Source Biases: Production Bias. [Illustration: report titles Operation Snakepit (APT1337 Report), Operation Brown Fox (APT1338 Report) and Ducks in the Wild (FUZZYDUCK Report), split between Source 1 and Source 2.]
  • 27. How Do We Deal With These Biases? ▪ Know that they exist – Once you know them, you can better determine what is real data vs. your biases ▪ Be honest and explain them [Image: Tenor.com]
  • 28. Hedging Our Biases ▪ Work together – Diversity of thought makes for stronger teams ▪ Adjust and calibrate your data sources ▪ Add different data sources ▪ Remember we’re prioritizing the known over the unknown – As opposed to absolute comparison
  • 29. Now that you know those biases, here’s your imperfect data!
  • 30. Top 20 Techniques from ATT&CK Group/Software Data:
    1. Standard App Layer Protocol
    2. Remote File Copy
    3. System Information Discovery
    4. Command-Line Interface
    5. File and Directory Discovery
    6. Registry Run Key/Startup Folder
    7. Obfuscated Files or Information
    8. File Deletion
    9. Process Discovery
    10. System Network Config Discovery
    11. Credential Dumping
    12. Screen Capture
    13. Input Capture
    14. System Owner/User Discovery
    15. Scripting
    16. Commonly Used Port
    17. Standard Crypto Protocol
    18. PowerShell
    19. & 20. (tie!) Masquerading and New Service
    Know and explain our bias: availability bias from analysts. Hedge our bias: how could we calibrate by source?
  • 31. ATT&CK Group/Software Data Across Tactics. [Bar chart of Groups and Software counts per tactic; values as extracted: 39 47 42 35 58 31 35 33 28 20 38 19 145 145 98 193 82 173 120 96 55 194.] Know and explain our bias: why is Initial Access low? Hedge our bias: work with others.
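As an added example (not from the deck) of the "calibrate by source" hedge on slides 30 and 31: three ways to rank techniques over a constructed set of report observations, showing how a raw mention count is dominated by one prolific source while group- and source-calibrated counts are not. Source names, group-to-technique observations and the GovReport label are constructed; the technique names come from the Top 20 list.

```python
"""Ranking techniques with and without calibrating for who reported them.

Added example, not from the deck. Slides 30-31 rank techniques by how often
they appear in ATT&CK's Group/Software examples and ask how to calibrate by
source. The observations below are CONSTRUCTED (source, group, technique)
mentions, not ATT&CK data; technique names come from the slide's Top 20 list.
"""
from collections import Counter, defaultdict

# Constructed sample: one row per report that ties a group to a technique.
# VendorA publishes many FUZZYDUCK reports (production bias), so anything
# FUZZYDUCK does gets counted over and over.
OBSERVATIONS = [
    ("VendorA", "FUZZYDUCK", "PowerShell"),
    ("VendorA", "FUZZYDUCK", "PowerShell"),
    ("VendorA", "FUZZYDUCK", "PowerShell"),
    ("VendorA", "FUZZYDUCK", "PowerShell"),
    ("VendorA", "FUZZYDUCK", "Scripting"),
    ("VendorB", "APT1337", "Credential Dumping"),
    ("VendorB", "APT1337", "Scripting"),
    ("VendorC", "APT1338", "Credential Dumping"),
    ("GovReport", "APT1338", "Masquerading"),
]


def raw_counts(obs) -> dict:
    """Slide 30's view: every mention counts once, however it was produced."""
    return dict(Counter(tech for _, _, tech in obs))


def group_calibrated(obs) -> dict:
    """Count distinct groups per technique: ten reports on one group count once."""
    groups = defaultdict(set)
    for _, group, tech in obs:
        groups[tech].add(group)
    return {tech: len(g) for tech, g in groups.items()}


def source_calibrated(obs) -> dict:
    """Weight each mention by 1 / (mentions from that source), so a source that
    publishes five reports carries the same total weight as one that publishes one."""
    per_source = Counter(src for src, _, _ in obs)
    weights = defaultdict(float)
    for src, _, tech in obs:
        weights[tech] += 1.0 / per_source[src]
    return dict(weights)


def ranking(scores: dict) -> list:
    """Techniques ordered by score, highest first; ties broken by name."""
    return sorted(scores, key=lambda tech: (-scores[tech], tech))


if __name__ == "__main__":
    for label, fn in (("raw", raw_counts), ("by group", group_calibrated),
                      ("by source", source_calibrated)):
        print(f"{label:>10}: {ranking(fn(OBSERVATIONS))}")
```

With the constructed data, PowerShell tops the raw count only because one source keeps reporting the same group; both calibrated rankings put Credential Dumping first.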
  • 32. Process for Making Recommendations from Techniques: 0. Determine priority techniques; 1. Research how techniques are being used; 2. Research defensive options related to technique; 3. Research organizational capability/constraints; 4. Determine what tradeoffs are for org on specific options; 5. Make recommendations.
  • 33. Takeaways ▪ Use ATT&CK for cyber threat intelligence to help you… – Compare behaviors – Communicate in a common language ▪ Know the biases involved with mapping CTI reporting to ATT&CK ▪ Hedge those biases and use ATT&CK-mapped CTI to improve defenses
  • 34. https://attack.mitre.org; attack@mitre.org; @MITREattack; Adam Pennington @_whatshisface; Katie Nickels @likethecoins