It’s Just a Jump To The Left (of Boom)
Prioritizing Detection Implementation With Intelligence and ATT&CK
Introduction
Lindsay Kaye, Director, Operational Outcomes, Insikt Group, Recorded Future (@TheQueenofELF)
Scott Small, Threat Intelligence Consultant, Recorded Future (@IntelScott)
Nearly 600 techniques & sub-techniques
9,000+ detection rules, 2,100+ tests
Background
For defenders, deciding where to start when implementing behavioral detections can be daunting.
Ideally, a “best practice” approach involves closing the gap between existing controls and relevant threats - but this is easier said than done.
Intelligence as a Bridge
(Diagram labels: Threat; Security Controls; Assets, IP, PII; Technology, Processes)
Bridge between External & Internal
Bridge between Offense & Defense (Threats & Controls)
Bridge between Strategic & Tactical
Outcome: Intelligence-Informed Control Validation
Sourcing TTP-Focused Intelligence
Different sources provide different operational value; the aim is coverage across the entire attack chain. Use the ATT&CK hierarchy to layer behavior groupings and identify overlap.
Source categories, ordered from more proactive to more reactive:
Emerging Tools & TTPs: open-sourced tools are routinely used by bad actors; validate controls against these TTPs for a proactive posture
Closed Sources: high-tier criminal & special access forums; TTPs used to gain illicit network access; internal telemetry, alerts, hunting, sandbox, proprietary sourcing
Open Sources: government & vendor reporting, social media (researchers), publicly reported events & incident analyses
Technical Sourcing: publicly accessible malware sandbox results; behavioral analysis
Case Study: Anatomy of a Ransomware Attack
Initial Access: Phishing; Exploits (VPN appliances); Stolen Credentials; Other Purchased Accesses
Domain Access: Cobalt Strike; Active Directory Enumeration; Credential Harvesting; Living off the Land; Kerberoasting
(Lateral Movement, Discovery, Privilege Escalation, Persistence, Reconnaissance ← lots of opportunity for detections here)
Exfiltrate Data: RClone; 7Zip; MEGA.nz; WinSCP
Drop Ransomware
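As an added example (not from the deck and not Recorded Future code), here is what one of the "domain access" detection opportunities above looks like in working form: a minimal Kerberoasting detector run over constructed Windows Security 4769 (service ticket request) records. Field names follow the 4769 event; the sample events, the threshold and the window are assumptions made for this example, and the technique ID is ATT&CK T1558.003.

```python
from collections import defaultdict
from datetime import datetime, timedelta

KERBEROASTING = "T1558.003"  # ATT&CK sub-technique: Steal or Forge Kerberos Tickets: Kerberoasting


def ev(ts, user, service, enc="0x17", ip="10.0.0.25"):
    """Build one constructed 4769 record; field names follow the Windows event."""
    return {"EventID": 4769, "TimeCreated": ts, "TargetUserName": user,
            "ServiceName": service, "TicketEncryptionType": enc, "IpAddress": ip}


# Constructed sample (not real telemetry): one account requests RC4 service
# tickets for many SPNs within seconds; the rest is ordinary Kerberos noise.
SAMPLE_EVENTS = [
    ev("2022-03-01T10:00:01", "jdoe@CORP.LOCAL", "svc_sql"),
    ev("2022-03-01T10:00:02", "jdoe@CORP.LOCAL", "svc_web"),
    ev("2022-03-01T10:00:02", "jdoe@CORP.LOCAL", "svc_backup"),
    ev("2022-03-01T10:00:03", "jdoe@CORP.LOCAL", "svc_sql"),        # repeat SPN, counted once
    ev("2022-03-01T10:00:04", "jdoe@CORP.LOCAL", "svc_exchange"),
    ev("2022-03-01T10:00:05", "jdoe@CORP.LOCAL", "svc_sccm"),
    ev("2022-03-01T10:00:06", "jdoe@CORP.LOCAL", "krbtgt"),          # TGT traffic, excluded
    ev("2022-03-01T10:00:07", "jdoe@CORP.LOCAL", "WS07$"),           # computer SPN, excluded
    ev("2022-03-01T10:00:09", "jdoe@CORP.LOCAL", "svc_jenkins"),
    ev("2022-03-01T10:01:00", "alice@CORP.LOCAL", "svc_web", enc="0x12", ip="10.0.0.31"),  # AES, normal
    ev("2022-03-01T10:01:05", "WS01$@CORP.LOCAL", "svc_sql", ip="10.0.0.40"),  # machine account, excluded
    ev("2022-03-01T11:00:00", "bob@CORP.LOCAL", "svc_sql", ip="10.0.0.52"),    # legacy RC4 app, below threshold
    ev("2022-03-01T11:20:00", "bob@CORP.LOCAL", "svc_web", ip="10.0.0.52"),
]


def is_roast_candidate(e):
    """True for a 4769 that could be an offline-crackable ticket request.

    RC4-HMAC (0x17) is what roasting tools request by default because RC4
    tickets are keyed from the account's NT hash and crack fastest. krbtgt,
    computer-account requesters and machine SPNs are excluded: they are not
    roastable targets and only add noise.
    """
    user = e.get("TargetUserName", "")
    spn = e.get("ServiceName", "")
    return (e.get("EventID") == 4769
            and e.get("TicketEncryptionType", "").lower() == "0x17"
            and spn.lower() != "krbtgt"
            and not spn.endswith("$")
            and not user.split("@")[0].endswith("$"))


def detect_kerberoasting(events, threshold=5, window_minutes=5):
    """Alert when one account/source IP requests RC4 tickets for >= threshold
    distinct SPNs inside a sliding window. Returns one alert per account/IP."""
    window = timedelta(minutes=window_minutes)
    by_source = defaultdict(list)
    for e in events:
        if is_roast_candidate(e):
            by_source[(e["TargetUserName"], e["IpAddress"])].append(
                (datetime.fromisoformat(e["TimeCreated"]), e["ServiceName"].lower()))
    alerts = []
    for (account, ip), reqs in sorted(by_source.items()):
        reqs.sort()
        for i, (start, _) in enumerate(reqs):
            in_window = {spn for t, spn in reqs[i:] if t - start <= window}
            if len(in_window) >= threshold:
                alerts.append({"technique": KERBEROASTING, "account": account,
                               "source_ip": ip, "distinct_services": len(in_window),
                               "window_start": start.isoformat(),
                               "services": sorted(in_window)})
                break  # one alert per account/IP is enough for triage
    return alerts


if __name__ == "__main__":
    for alert in detect_kerberoasting(SAMPLE_EVENTS):
        print(alert)
```

Two caveats a practitioner should carry into production: 4769 must actually be collected from every domain controller (Audit Kerberos Service Ticket Operations), which is exactly the "visibility" factor the risk-profiling discussion later in this deck calls out; and the RC4 filter is a precision trade, since an attacker can still roast AES-only service accounts and legacy applications generate legitimate RC4 requests, so the threshold and an exclusion list need tuning against your own baseline.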
ATT&CK serves as a common language between highly technical concepts or reports and defenders’/operators’ needs.
Intel driving rule development (Insikt’s process):
Open Source Data, Closed Source Data, Technical Sources → Insikt Group’s Tools and TTPs Team → “TTP Note” → Insikt Validated TTP (aligned to ATT&CK!)
Case Study: Intelligence Driving Rule Development
We saw a threat actor “release” Jester Stealer on the dark web in August 2021 and produced a “note”.
Then, in January 2022, we saw a user on social media share a sample of Jester Stealer on MalwareBazaar.
Now that Jester Stealer was openly in use, an Insikt Validated TTP was created to provide a Sigma rule to our clients, to help detect the malware.
One month later, other vendors identified Jester Stealer as a priority threat.
Intelligence-Informed Detection Development
Top Techniques in Threat Intel & Our Rules (* indicates technique is present in both sets)

Top Techniques in Emerging Tools & TTP Reports:
1. T1562.001: Disable or Modify Tools *
2. T1518.001: Security Software Discovery *
3. T1547.001: Registry Run Keys / Startup Folder *
4. T1555.003: Credentials from Web Browsers *
5. T1070.004: File Deletion *
6. T1059.001: PowerShell *
7. T1548.002: Bypass User Account Control
8. T1056.001: Keylogging
9. T1037.005: Startup Items
10. T1027.002: Software Packing
11. T1574.002: DLL Side-Loading
12. T1059.003: Windows Command Shell *
13. T1204.002: Malicious File *
14. T1552.001: Credentials In Files
15. T1564.001: Hidden Files and Directories

Top Techniques in Insikt Sigma Rules:
1. T1059.003: Windows Command Shell *
2. T1562.001: Disable or Modify Tools *
3. T1543.003: Windows Service
4. T1070.004: File Deletion *
5. T1547.001: Registry Run Keys / Startup Folder *
6. T1518.001: Security Software Discovery *
7. T1204.002: Malicious File *
8. T1059.001: PowerShell *
9. T1555.003: Credentials from Web Browsers *
10. T1555.001: Keychain
11. T1552.004: Private Keys
12. T1003.008: /etc/passwd and /etc/shadow
13. T1003.007: Proc Filesystem
14. T1003.005: Cached Domain Credentials
15. T1003.004: LSA Secrets
Emerging Tools & TTPs: Intelligence Summary
Top 15 Techniques: (chart not reproduced)
Malware & Actor Clustering: (chart not reproduced)
Other Top Malware Categories: Loaders, Worms, Keyloggers, Cryptominers, Spyware, Rootkits, Packers, Exploit & DDOS Kits, Adware
Threat Actor Categories: Advanced Cybercriminal (24%), Ransomware (18%), Russia APT (12%), China APT (6%), Iran APT (6%), APT - Unknown affiliation (6%), Hacktivist (3%)
Prioritizing Detections: Risk Profiling
Factors (diagram):
Threat Profile / Model
Visibility (Data Sources)
Actual Control Coverage
Resources, Maturity, & Bandwidth (affects validation frequency)
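As an added example (not from the deck, and not Control Compass or Recorded Future code), the following joins the two top-15 lists from the "Top Techniques in Threat Intel & Our Rules" slide with the risk-profiling factors on this slide: threat profile (the intel ranking), actual control coverage (the rule list), visibility (data sources) and bandwidth (a per-cycle capacity). The technique lists are the ones on the page. The collected-telemetry set, the technique-to-data-source map and the capacity value are constructed assumptions for the example; the data-source names are abridged from ATT&CK's naming, but the mapping is illustrative and must be replaced with your own inventory.

```python
# Ranked lists as they appear on the slide (rank 1 first).
INTEL_TOP = [
    ("T1562.001", "Disable or Modify Tools"), ("T1518.001", "Security Software Discovery"),
    ("T1547.001", "Registry Run Keys / Startup Folder"), ("T1555.003", "Credentials from Web Browsers"),
    ("T1070.004", "File Deletion"), ("T1059.001", "PowerShell"),
    ("T1548.002", "Bypass User Account Control"), ("T1056.001", "Keylogging"),
    ("T1037.005", "Startup Items"), ("T1027.002", "Software Packing"),
    ("T1574.002", "DLL Side-Loading"), ("T1059.003", "Windows Command Shell"),
    ("T1204.002", "Malicious File"), ("T1552.001", "Credentials In Files"),
    ("T1564.001", "Hidden Files and Directories"),
]
RULE_TOP = [
    ("T1059.003", "Windows Command Shell"), ("T1562.001", "Disable or Modify Tools"),
    ("T1543.003", "Windows Service"), ("T1070.004", "File Deletion"),
    ("T1547.001", "Registry Run Keys / Startup Folder"), ("T1518.001", "Security Software Discovery"),
    ("T1204.002", "Malicious File"), ("T1059.001", "PowerShell"),
    ("T1555.003", "Credentials from Web Browsers"), ("T1555.001", "Keychain"),
    ("T1552.004", "Private Keys"), ("T1003.008", "/etc/passwd and /etc/shadow"),
    ("T1003.007", "Proc Filesystem"), ("T1003.005", "Cached Domain Credentials"),
    ("T1003.004", "LSA Secrets"),
]

# ASSUMPTION (constructed, illustrative): one data source this example org would
# need for each intel technique that has no rule yet. Real ATT&CK technique pages
# list several sources per technique; build this map from your own inventory.
NEEDED_SOURCE = {
    "T1548.002": "Process: Process Creation",
    "T1056.001": "Driver: Driver Load",
    "T1037.005": "File: File Creation",
    "T1027.002": "File: File Metadata",
    "T1574.002": "Module: Module Load",
    "T1552.001": "Command: Command Execution",
    "T1564.001": "Command: Command Execution",
}

# ASSUMPTION (constructed): telemetry this example org actually collects today.
COLLECTED = {"Process: Process Creation", "Command: Command Execution",
             "Windows Registry: Windows Registry Key Modification", "File: File Deletion"}


def shared_techniques(intel, rules):
    """Techniques present in both ranked lists (the slide's overlap marker)."""
    return {t for t, _ in intel} & {t for t, _ in rules}


def threat_weight(rank, n):
    """Rank 1 -> 1.0, rank n -> 1/n. Stands in for report frequency, which the
    slide ranks but does not quantify; swap in real counts when you have them."""
    return round((n - rank + 1) / n, 3)


def prioritize(intel, rules, collected, needed, capacity=3):
    """Bucket intel-ranked techniques by control coverage and visibility.

    validate        : a rule exists -> confirm it fires (control validation)
    build_now       : no rule, telemetry present -> write it, up to `capacity`
    backlog         : buildable, but beyond this cycle's bandwidth
    needs_telemetry : no rule and no data source -> onboarding comes first
    rules_only      : rules with no intel signal -> check they still earn their keep
    """
    covered = {t for t, _ in rules}
    n = len(intel)
    out = {"validate": [], "needs_telemetry": []}
    buildable = []
    for rank, (tech, name) in enumerate(intel, start=1):
        item = (tech, name, threat_weight(rank, n))
        if tech in covered:
            out["validate"].append(item)
        elif needed.get(tech) in collected:
            buildable.append(item)
        else:
            out["needs_telemetry"].append(item)
    buildable.sort(key=lambda x: -x[2])  # highest threat weight first
    out["build_now"], out["backlog"] = buildable[:capacity], buildable[capacity:]
    intel_ids = {t for t, _ in intel}
    out["rules_only"] = [(t, name) for t, name in rules if t not in intel_ids]
    return out


if __name__ == "__main__":
    for bucket, items in prioritize(INTEL_TOP, RULE_TOP, COLLECTED, NEEDED_SOURCE).items():
        print(bucket)
        for item in items:
            print("   ", *item)
```

With the assumed telemetry, the highest-weighted uncovered technique (T1548.002, Bypass User Account Control) lands in build_now because process creation is collected, while T1056.001 Keylogging lands in needs_telemetry because nothing collects driver loads: the ordering tells you whether the next unit of effort is a rule or a log source, which is the decision the risk-profiling factors are meant to drive.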
Prioritizing Detections: A Compass to Guide You
controlcompass.github.io
Open source tool pointing cybersecurity teams to 9,000+ publicly-accessible detection rules and 2,100+ offensive security tests, aligned with over 500 ATT&CK (sub)techniques
Th&nk You!
