Trellix | Always Learning. Always Adapting.
Knowledge for the Masses: Storytelling with ATT&CK!
ATT&CKCON 3.0
Ismael Valenzuela
Head of AC3 Team
SANS Author & Senior Instructor
Espeto master
@aboutsecurity
https://www.linkedin.com/in/ivalenzuela/

Jose Luis Sánchez (Joseliyo)
Security Researcher, AC3 Team
Member, ENISA Cyber Threat Landscape Working Group
Salmorejo master
@Joseliyo_Jstnk
https://www.linkedin.com/in/joseluissm/

Alejandro Houspanossian
Asado master
@lekz86
https://www.linkedin.com/in/ahouspan/
The Power of Storytelling

Full meaning + Context + Expressiveness + Common ground

fMRI shows similar brain activity in two people listening to the same real-life story.
https://blog.ted.com/what-happens-in-the-brain-when-we-hear-stories-uri-hasson-at-ted2016/

Understanding + Sync’d brain waves + New ideas, beliefs, motivation and actions
The Lack of Storytelling

Partial meaning + Mostly IOCs + Expressionless + Different audiences using different ‘languages’

Limited distribution + Partial understanding + Limited defensive actionability
AC3 Threat Sightings Recap
https://www..com/video/event/urn:li:ugcPost:6847197567567060993/

AC3 Threat Sightings is a one-year-old initiative whose goal is to increase the UNDERSTANDING of cyber threats. To achieve this goal, we defined a work methodology and a data schema.
Words Are Not Enough To Learn. We Need a Full Story

AC3 Threat Sightings are heavily focused on documenting threat actor TTPs with full details of observables and context. The objective is to learn about TTPs and tools (vs file hashes and IPs).

You/your org might have a MISP (or other TIP):
• Who has access to your TIP?
• Is it well structured and labelled?
• Does storage increase understanding?
• What type of data do we store?
AC3 Threat Sightings Methodology & Schema
https://raw.githubusercontent.com/mcafee-enterprise/ac3-threat-sightings/main/sightings/Sightings_Guildma_RAT.yml
(Figure: the sighting schema placed on an axis from Information to Understanding, labelled “-- Meaning ++”.)
First Level of Abstraction: High Level View
*Generated automatically out of the AC3 Threat Sighting for DarkSide.

This is the first step. Some quick notes following a structured schema in MITRE ATT&CK format:
Threat Actor -> verb -> Technique -> Tactic
Second Level of Abstraction: Medium Level View
*Generated automatically out of the AC3 Threat Sighting for DarkSide.

This is a typical TTP view.
Third Level of Abstraction: Low Level View
*Generated automatically out of the AC3 Threat Sighting for DarkSide.

Useful for Red/Purple emulation planning & detection engineering.
“I sit down and watch videos. I take notes. That's when that inspiration comes - the moment that makes sense of my profession. That instant I know, for sure, that I've got it. I know how to win. It's the moment that my job becomes truly meaningful.”
Pep Guardiola
Professional Football Manager
Studying the Opponent (video)
https://gource.io/
Video produced with ‘gource’ with real ransomware attack data.
Sometimes, we get creative
AC3 Threat Sighting: Attack Flow
*Generated automatically with Mermaid out of the AC3 Threat Sighting for DarkSide.
https://mermaid-js.github.io/docs/mermaid-live-editor-beta
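As an added worked example (not code from these slides or from the ac3-threat-sightings project), the script below takes one sighting and produces the three abstraction levels of slides 9 to 11 (high: Threat Actor -> verb -> Technique -> Tactic; medium: technique IDs grouped by tactic; low: weapon, procedure and observables) plus a Mermaid attack flow like the one on this slide. The SIGHTING document, its field names (threatActor, behaviors, verb, weapon, tactic, technique, procedure, observables) and the behaviours in it are constructed assumptions standing in for a loaded sighting YAML, not the AC3 schema and not a record of any real intrusion.

```python
"""Render one threat sighting at three abstraction levels and as a Mermaid
attack flow. Added example: not code from the slides or the
ac3-threat-sightings project. SIGHTING is a constructed stand-in for a
loaded sighting YAML (yaml.safe_load in practice); its field names and
behaviours are assumptions, not the AC3 schema or a real intrusion."""
from collections import OrderedDict

SIGHTING = {  # constructed sample; hypothetical actor and procedures
    "threatActor": "ExampleCrew",
    "behaviors": [
        {
            "verb": "executed",
            "weapon": "cmd.exe",
            "tactic": "Execution",
            "technique": {"id": "T1059.003", "name": "Windows Command Shell"},
            "procedure": "cmd.exe /c net view",
            "observables": {"process": ["cmd.exe", "net.exe"], "api": []},
        },
        {
            "verb": "created",
            "weapon": "sc.exe",
            "tactic": "Execution",
            "technique": {"id": "T1569.002", "name": "Service Execution"},
            "procedure": "sc.exe create updsvc binPath= C:\\ProgramData\\upd.exe",
            "observables": {"process": ["sc.exe"],
                            "api": ["OpenSCManagerW", "CreateServiceW"]},
        },
        {
            "verb": "encrypted",
            "weapon": "locker.exe",
            "tactic": "Impact",
            "technique": {"id": "T1486", "name": "Data Encrypted for Impact"},
            "procedure": "locker.exe -path C:\\ -ext .locked",
            "observables": {"process": ["locker.exe"], "api": ["CryptEncrypt"]},
        },
    ],
}


def high_level(sighting):
    """Level 1: one line per behaviour, Threat Actor -> verb -> Technique -> Tactic."""
    actor = sighting["threatActor"]
    return [
        f"{actor} -> {b['verb']} -> {b['technique']['name']} "
        f"[{b['technique']['id']}] -> {b['tactic']}"
        for b in sighting["behaviors"]
    ]


def medium_level(sighting):
    """Level 2: the TTP view, unique technique IDs under their tactic, in sighting order."""
    by_tactic = OrderedDict()
    for b in sighting["behaviors"]:
        ids = by_tactic.setdefault(b["tactic"], [])
        if b["technique"]["id"] not in ids:
            ids.append(b["technique"]["id"])
    return by_tactic


def low_level(sighting):
    """Level 3: technique with weapon, procedure and observables, the input
    for emulation planning and detection engineering."""
    return [
        {
            "technique": b["technique"]["id"],
            "weapon": b["weapon"],
            "procedure": b["procedure"],
            "observables": sorted(set(b["observables"]["process"])
                                  | set(b["observables"]["api"])),
        }
        for b in sighting["behaviors"]
    ]


def mermaid_attack_flow(sighting):
    """Behaviours in observed order as a Mermaid 'flowchart TD' definition."""
    steps = sighting["behaviors"]
    lines = ["flowchart TD"]
    for i, b in enumerate(steps):
        t = b["technique"]
        # quoted label keeps ':' and '.' safe; <br/> is Mermaid's in-label line break
        label = f"{b['tactic']}: {t['id']} {t['name']}<br/>{b['weapon']}"
        lines.append(f'    s{i}["{label}"]')
    lines += [f"    s{i} --> s{i + 1}" for i in range(len(steps) - 1)]
    return "\n".join(lines)


if __name__ == "__main__":
    print("\n".join(high_level(SIGHTING)))
    for tactic, ids in medium_level(SIGHTING).items():
        print(f"{tactic}: {', '.join(ids)}")
    for row in low_level(SIGHTING):
        print(row)
    print(mermaid_attack_flow(SIGHTING))
```

Paste the printed flowchart into the Mermaid live editor linked above to render it. In a real pipeline the dict comes from yaml.safe_load over the sighting file and the key names have to be adapted to the project's actual schema; the three functions stay the same because each level is just a different projection of the same behaviour list.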
Storytelling With Tooling
Choose Your Appropriate Story

Are video games made for all audiences?
Are cybersecurity reports made for all audiences?

AC3 T (Tactical) | AC3 O (Operational) | AC3 S (Strategic)
Choose Your Appropriate Story

Strategic: Head of Cybersecurity, Security Strategists, CISO
• Trends
• Coverage to prioritize security efforts

Operational: SOC Managers, Cyber Threat Intelligence Analysts, Threat Detection Engineers
• Behaviors
• MITRE ATT&CK
• Malware, tools, industry, etc.

Tactical: SOC Analysts, Incident Responders, Threat Hunters, Content Development/QA Engineers
• SIGMA
• IOCs
• Behaviors
• Context
Stories In Different Languages

There may be audiences and analysts who do not speak the same language. For this reason, we’ve created tools to translate our threat sightings to other languages!
Stories In Different Languages

“Sorry, but in our CTI team we only speak MITRE!”
Stories In Different Languages

AC3 Threat Sighting for Ryuk in STIX format
“Our SOC has been working with STIX for the last 4 years.”

Two types of visualizations:
• High Level: Actor, weapon, technique and tactic
• Low Level: Actor, weapon and IOCs
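Added example of the STIX translation (hand-built STIX 2.1 JSON; not the project's converter and not the python-stix2 library): it emits a bundle at the two levels of detail listed on this slide. The SIGHTING dict, its field names and the weapon/technique pairings are constructed assumptions; the SHA-256 value is the hash of an empty input, used only as a placeholder IOC.

```python
"""Translate a threat sighting into a STIX 2.1 bundle at the two levels on
this slide. Added example: hand-built STIX JSON, not the ac3-threat-sightings
converter and not the python-stix2 library. SIGHTING and its field names
are constructed assumptions; the SHA-256 is the hash of empty input."""
import json
import uuid
from datetime import datetime, timezone

SIGHTING = {  # constructed sample, hypothetical actor and weapons
    "threatActor": "ExampleCrew",
    "behaviors": [
        {"weapon": {"name": "sc.exe", "kind": "tool"}, "tactic": "execution",
         "technique": {"id": "T1569.002", "name": "Service Execution"}, "iocs": []},
        {"weapon": {"name": "locker.exe", "kind": "malware"}, "tactic": "impact",
         "technique": {"id": "T1486", "name": "Data Encrypted for Impact"},
         "iocs": [{"type": "sha256", "value":
                   "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"}]},
    ],
}


def _timestamp():
    # STIX 2.1 timestamp: RFC 3339 in UTC with millisecond precision
    return datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.%f")[:-3] + "Z"


def _object(obj_type, **props):
    # common properties of every STIX Domain Object and Relationship Object
    ts = _timestamp()
    return {"type": obj_type, "spec_version": "2.1",
            "id": f"{obj_type}--{uuid.uuid4()}", "created": ts, "modified": ts, **props}


def _relationship(src, rel_type, dst):
    return _object("relationship", relationship_type=rel_type,
                   source_ref=src["id"], target_ref=dst["id"])


def attack_url(tid):
    base, _, sub = tid.partition(".")  # T1569.002 -> techniques/T1569/002
    return f"https://attack.mitre.org/techniques/{base}" + (f"/{sub}" if sub else "")


def stix_pattern(ioc):
    # STIX pattern for the IOC types this example understands
    value = ioc["value"]
    return {"sha256": f"[file:hashes.'SHA-256' = '{value}']",
            "ipv4": f"[ipv4-addr:value = '{value}']",
            "domain": f"[domain-name:value = '{value}']"}[ioc["type"]]


def sighting_to_stix(sighting, level="high"):
    """level='high': actor, weapon, technique and tactic.
    level='low': the same plus an indicator per IOC, linked to its weapon."""
    actor = _object("intrusion-set", name=sighting["threatActor"])
    objects = [actor]
    weapons, techniques = {}, {}
    for b in sighting["behaviors"]:
        tid = b["technique"]["id"]
        if tid not in techniques:  # one attack-pattern per technique, tied to ATT&CK by external_id
            techniques[tid] = _object(
                "attack-pattern", name=b["technique"]["name"],
                external_references=[{"source_name": "mitre-attack",
                                      "external_id": tid, "url": attack_url(tid)}],
                kill_chain_phases=[{"kill_chain_name": "mitre-attack",
                                    "phase_name": b["tactic"]}])
            objects += [techniques[tid], _relationship(actor, "uses", techniques[tid])]
        wname, kind = b["weapon"]["name"], b["weapon"]["kind"]
        if wname not in weapons:
            extra = {"is_family": False} if kind == "malware" else {}  # required on malware
            weapons[wname] = _object(kind, name=wname, **extra)
            objects += [weapons[wname], _relationship(actor, "uses", weapons[wname])]
        objects.append(_relationship(weapons[wname], "uses", techniques[tid]))
        if level == "low":
            for ioc in b["iocs"]:
                ind = _object("indicator", name=f"{wname} {ioc['type']}",
                              pattern_type="stix", pattern=stix_pattern(ioc),
                              valid_from=_timestamp())
                objects += [ind, _relationship(ind, "indicates", weapons[wname])]
    return {"type": "bundle", "id": f"bundle--{uuid.uuid4()}", "objects": objects}


def count_types(bundle):
    counts = {}
    for o in bundle["objects"]:
        counts[o["type"]] = counts.get(o["type"], 0) + 1
    return counts


def references_resolve(bundle):
    """Every relationship must point at objects inside the bundle; a dangling
    source_ref/target_ref is what breaks a TIP import."""
    ids = {o["id"] for o in bundle["objects"]}
    return all(o["source_ref"] in ids and o["target_ref"] in ids
               for o in bundle["objects"] if o["type"] == "relationship")


if __name__ == "__main__":
    bundle = sighting_to_stix(SIGHTING, level="low")
    print(json.dumps(bundle, indent=2))
    print(count_types(bundle), references_resolve(bundle))
```

The high-level bundle carries the actor, the weapons and the ATT&CK techniques joined by "uses" relationships, with external_references pointing at attack.mitre.org so a TIP can match them against the official ATT&CK STIX collection; the low-level bundle adds indicator objects whose STIX patterns carry the IOCs. references_resolve() is the check worth running before an import: a relationship whose source_ref or target_ref is missing from the bundle cannot be linked by the importer.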
Stories In Different Languages

“We better understand research with Maltego visualizations.”

Two types of visualizations:
• High Level: Actor, behavior, weapon, technique and tactic
• Low Level: Actor, behavior, weapon and IOCs
Stories In Different Languages

“We share IOCs with different CERTs using OpenIOC.”
Improve Your Storytelling and Understanding

• Convert your threat sightings to MISP events automatically to:
  • Improve your storytelling
  • Improve your understanding
  • Get correlations

Lead: “I need to know all the threat sightings we have where OpenSCManager API calls are made.”
Team: “Sure boss!”
Team: “Threat Sightings are YAML files… How can we correlate this information ?!?!?!”
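Added example of answering the lead's question above directly over the YAML corpus, without a MISP instance (this is not the project's MISP converter): a small inverted index over a set of sighting documents, queried by regex so one query covers API name variants. SIGHTINGS is a constructed corpus with assumed field names; the API names, processes and technique IDs in it are illustrative.

```python
"""Answer "which sightings contain X?" across a corpus of threat sighting
documents with an inverted index. Added example: not the AC3 tooling and
not MISP's correlation engine. SIGHTINGS is a constructed corpus with
assumed field names; in practice each entry is one yaml.safe_load'ed file."""
import re
from collections import defaultdict

SIGHTINGS = [  # constructed, illustrative only
    {"id": "sighting-ransomware-a", "threatActor": "ActorA", "behaviors": [
        {"technique": "T1569.002",
         "observables": {"api": ["OpenSCManagerW", "CreateServiceW"], "process": ["sc.exe"]}},
        {"technique": "T1486",
         "observables": {"api": ["CryptEncrypt"], "process": ["locker.exe"]}},
    ]},
    {"id": "sighting-rat-b", "threatActor": "ActorB", "behaviors": [
        {"technique": "T1543.003",
         "observables": {"api": ["OpenSCManagerA", "CreateServiceA", "StartServiceA"], "process": []}},
        {"technique": "T1071.001",
         "observables": {"api": ["InternetOpenA"], "process": []}},
    ]},
    {"id": "sighting-loader-c", "threatActor": "ActorA", "behaviors": [
        {"technique": "T1059.001",
         "observables": {"api": [], "process": ["powershell.exe"]}},
    ]},
]


def build_index(sightings):
    """Map (kind, lower-cased value) -> set of sighting ids.
    kind is one of 'api', 'process', 'technique', 'actor'."""
    index = defaultdict(set)
    for s in sightings:
        index[("actor", s["threatActor"].lower())].add(s["id"])
        for b in s["behaviors"]:
            index[("technique", b["technique"].lower())].add(s["id"])
            for kind, values in b["observables"].items():
                for v in values:
                    index[(kind, v.lower())].add(s["id"])
    return index


def find(index, kind, pattern):
    """Sightings whose `kind` values fully match `pattern` (case-insensitive
    regex), so one query covers ANSI/Unicode API pairs like OpenSCManagerA/W."""
    rx = re.compile(pattern, re.IGNORECASE)
    hits = set()
    for (k, value), ids in index.items():
        if k == kind and rx.fullmatch(value):
            hits |= ids
    return sorted(hits)


def techniques_in(sightings, ids):
    """Pivot: the ATT&CK techniques used across a set of matched sightings."""
    wanted = set(ids)
    return sorted({b["technique"] for s in sightings if s["id"] in wanted
                   for b in s["behaviors"]})


if __name__ == "__main__":
    idx = build_index(SIGHTINGS)
    hits = find(idx, "api", r"OpenSCManager[AW]?")
    print("Sightings calling OpenSCManager:", hits)
    print("Techniques seen alongside:", techniques_in(SIGHTINGS, hits))
```

The regex query matters because Windows exports most of these APIs twice (OpenSCManagerA and OpenSCManagerW), and a plain string lookup on one name silently misses half the sightings. techniques_in() is the pivot the lead will ask for next: from the sightings that touch the Service Control Manager to the techniques they share. Importing the sightings into MISP gives you this correlation for free across a much larger corpus, which is the point of the bullets above.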
Our Approach
(Figure: AC3 THREAT SIGHTINGS as the source, with OpenIOC among the output formats.)
“Tactics are so important because everybody has to know WHAT they have to do on the pitch and WHEN to do it.”
Pep Guardiola
Professional Football Manager
Continuous Understanding: Adaptive Defensive Model
(Figure; visible label: Threat Sightings.)
Next Steps: Defensive Playbooks

• A defensive playbook (DP) is a set of tactics and methods that model defenders’ behaviors before, during, and after an attack.
• They include effective countermeasures that defenders can apply in anticipation of an attack:
  • The ability to identify and reduce exposure before an attack
  • The ability to protect assets at risk during an attack
  • The ability to have visibility of an attack
  • The ability to hunt for an attack
  • The ability to detect an attack
  • The ability to investigate an attack
  • The ability to respond to an attack
• Some implementations:
  • MITRE D3FEND (https://d3fend.mitre.org/)
  • OASIS CACAO (https://www.oasis-open.org/committees/cacao/)
  • Trellix Defensive Playbooks*

(Figure; visible labels: Defensive Playbooks, Countermeasures.)
Summary & Key Takeaways

• AC3 Threat Sightings provide understanding, they ’tell a story’
  • 7 Sightings, 77 TTPs (+Observables)
• The better we explain things, the more we learn, and the more defenders we’ll enable
  • Web site/Wiki with multiple views: TTPs, TTPs with Observables, Attack Flow, Weapon inventory, Techniques, etc.
• They integrate with your existing technologies (doesn’t replace what you have, it enhances it)
  • Integrations with multiple tools/formats: Maltego, MISP, OpenIOC, STIX, ATT&CK Navigator, etc.

https://github.com/mcafee-enterprise/ac3-threat-sightings
https://github.com/mcafee-enterprise/ac3-threat-sightings/tree/main/tools
https://mcafee-enterprise.github.io/ac3-threat-sightings/docs/Welcome/
Thank you! Gracias!
@aboutsecurity
https://www.linkedin.com/in/ivalenzuela/
@Joseliyo_Jstnk
https://www.linkedin.com/in/joseluissm/

Using ATT&CK to created wicked actors in real data
 
MITRE ATT&CK Updates: New Ideas in Enterprise - Pushing the boundaries of ATT...
MITRE ATT&CK Updates: New Ideas in Enterprise - Pushing the boundaries of ATT...MITRE ATT&CK Updates: New Ideas in Enterprise - Pushing the boundaries of ATT...
MITRE ATT&CK Updates: New Ideas in Enterprise - Pushing the boundaries of ATT...
 
Detection as Code, Automation, and Testing: The Key to Unlocking the Power of...
Detection as Code, Automation, and Testing: The Key to Unlocking the Power of...Detection as Code, Automation, and Testing: The Key to Unlocking the Power of...
Detection as Code, Automation, and Testing: The Key to Unlocking the Power of...
 
Navigating the Attention Economy – Using MITRE ATT&CK to Communicate to Stake...
Navigating the Attention Economy – Using MITRE ATT&CK to Communicate to Stake...Navigating the Attention Economy – Using MITRE ATT&CK to Communicate to Stake...
Navigating the Attention Economy – Using MITRE ATT&CK to Communicate to Stake...
 
ATT&CK is the Best Defense - Emulating Sophisticated Adversary Malware to Bol...
ATT&CK is the Best Defense - Emulating Sophisticated Adversary Malware to Bol...ATT&CK is the Best Defense - Emulating Sophisticated Adversary Malware to Bol...
ATT&CK is the Best Defense - Emulating Sophisticated Adversary Malware to Bol...
 
Driving Intelligence with MITRE ATT&CK: Leveraging Limited Resources to Build...
Driving Intelligence with MITRE ATT&CK: Leveraging Limited Resources to Build...Driving Intelligence with MITRE ATT&CK: Leveraging Limited Resources to Build...
Driving Intelligence with MITRE ATT&CK: Leveraging Limited Resources to Build...
 
MITRE ATT&CK Updates: ICS
MITRE ATT&CK Updates: ICSMITRE ATT&CK Updates: ICS
MITRE ATT&CK Updates: ICS
 
The case for quishing
The case for quishingThe case for quishing
The case for quishing
 

Recently uploaded

Securing your Kubernetes cluster_ a step-by-step guide to success !
Securing your Kubernetes cluster_ a step-by-step guide to success !Securing your Kubernetes cluster_ a step-by-step guide to success !
Securing your Kubernetes cluster_ a step-by-step guide to success !
KatiaHIMEUR1
 
FIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance Osaka Seminar: Overview.pdfFIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance
 
Key Trends Shaping the Future of Infrastructure.pdf
Key Trends Shaping the Future of Infrastructure.pdfKey Trends Shaping the Future of Infrastructure.pdf
Key Trends Shaping the Future of Infrastructure.pdf
Cheryl Hung
 
Leading Change strategies and insights for effective change management pdf 1.pdf
Leading Change strategies and insights for effective change management pdf 1.pdfLeading Change strategies and insights for effective change management pdf 1.pdf
Leading Change strategies and insights for effective change management pdf 1.pdf
OnBoard
 
The Art of the Pitch: WordPress Relationships and Sales
The Art of the Pitch: WordPress Relationships and SalesThe Art of the Pitch: WordPress Relationships and Sales
The Art of the Pitch: WordPress Relationships and Sales
Laura Byrne
 
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024
Tobias Schneck
 
Generating a custom Ruby SDK for your web service or Rails API using Smithy
Generating a custom Ruby SDK for your web service or Rails API using SmithyGenerating a custom Ruby SDK for your web service or Rails API using Smithy
Generating a custom Ruby SDK for your web service or Rails API using Smithy
g2nightmarescribd
 
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
UiPathCommunity
 
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdfFIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
FIDO Alliance
 
JMeter webinar - integration with InfluxDB and Grafana
JMeter webinar - integration with InfluxDB and GrafanaJMeter webinar - integration with InfluxDB and Grafana
JMeter webinar - integration with InfluxDB and Grafana
RTTS
 
When stars align: studies in data quality, knowledge graphs, and machine lear...
When stars align: studies in data quality, knowledge graphs, and machine lear...When stars align: studies in data quality, knowledge graphs, and machine lear...
When stars align: studies in data quality, knowledge graphs, and machine lear...
Elena Simperl
 
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
DanBrown980551
 
UiPath Test Automation using UiPath Test Suite series, part 3
UiPath Test Automation using UiPath Test Suite series, part 3UiPath Test Automation using UiPath Test Suite series, part 3
UiPath Test Automation using UiPath Test Suite series, part 3
DianaGray10
 
Bits & Pixels using AI for Good.........
Bits & Pixels using AI for Good.........Bits & Pixels using AI for Good.........
Bits & Pixels using AI for Good.........
Alison B. Lowndes
 
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
Jeffrey Haguewood
 
Transcript: Selling digital books in 2024: Insights from industry leaders - T...
Transcript: Selling digital books in 2024: Insights from industry leaders - T...Transcript: Selling digital books in 2024: Insights from industry leaders - T...
Transcript: Selling digital books in 2024: Insights from industry leaders - T...
BookNet Canada
 
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdfFIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance
 
Accelerate your Kubernetes clusters with Varnish Caching
Accelerate your Kubernetes clusters with Varnish CachingAccelerate your Kubernetes clusters with Varnish Caching
Accelerate your Kubernetes clusters with Varnish Caching
Thijs Feryn
 
The Future of Platform Engineering
The Future of Platform EngineeringThe Future of Platform Engineering
The Future of Platform Engineering
Jemma Hussein Allen
 
Epistemic Interaction - tuning interfaces to provide information for AI support
Epistemic Interaction - tuning interfaces to provide information for AI supportEpistemic Interaction - tuning interfaces to provide information for AI support
Epistemic Interaction - tuning interfaces to provide information for AI support
Alan Dix
 

Recently uploaded (20)

Securing your Kubernetes cluster_ a step-by-step guide to success !
Securing your Kubernetes cluster_ a step-by-step guide to success !Securing your Kubernetes cluster_ a step-by-step guide to success !
Securing your Kubernetes cluster_ a step-by-step guide to success !
 
FIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance Osaka Seminar: Overview.pdfFIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance Osaka Seminar: Overview.pdf
 
Key Trends Shaping the Future of Infrastructure.pdf
Key Trends Shaping the Future of Infrastructure.pdfKey Trends Shaping the Future of Infrastructure.pdf
Key Trends Shaping the Future of Infrastructure.pdf
 
Leading Change strategies and insights for effective change management pdf 1.pdf
Leading Change strategies and insights for effective change management pdf 1.pdfLeading Change strategies and insights for effective change management pdf 1.pdf
Leading Change strategies and insights for effective change management pdf 1.pdf
 
The Art of the Pitch: WordPress Relationships and Sales
The Art of the Pitch: WordPress Relationships and SalesThe Art of the Pitch: WordPress Relationships and Sales
The Art of the Pitch: WordPress Relationships and Sales
 
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024
 
Generating a custom Ruby SDK for your web service or Rails API using Smithy
Generating a custom Ruby SDK for your web service or Rails API using SmithyGenerating a custom Ruby SDK for your web service or Rails API using Smithy
Generating a custom Ruby SDK for your web service or Rails API using Smithy
 
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
 
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdfFIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
 
JMeter webinar - integration with InfluxDB and Grafana
JMeter webinar - integration with InfluxDB and GrafanaJMeter webinar - integration with InfluxDB and Grafana
JMeter webinar - integration with InfluxDB and Grafana
 
When stars align: studies in data quality, knowledge graphs, and machine lear...
When stars align: studies in data quality, knowledge graphs, and machine lear...When stars align: studies in data quality, knowledge graphs, and machine lear...
When stars align: studies in data quality, knowledge graphs, and machine lear...
 
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
 
UiPath Test Automation using UiPath Test Suite series, part 3
UiPath Test Automation using UiPath Test Suite series, part 3UiPath Test Automation using UiPath Test Suite series, part 3
UiPath Test Automation using UiPath Test Suite series, part 3
 
Bits & Pixels using AI for Good.........
Bits & Pixels using AI for Good.........Bits & Pixels using AI for Good.........
Bits & Pixels using AI for Good.........
 
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
 
Transcript: Selling digital books in 2024: Insights from industry leaders - T...
Transcript: Selling digital books in 2024: Insights from industry leaders - T...Transcript: Selling digital books in 2024: Insights from industry leaders - T...
Transcript: Selling digital books in 2024: Insights from industry leaders - T...
 
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdfFIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
 
Accelerate your Kubernetes clusters with Varnish Caching
Accelerate your Kubernetes clusters with Varnish CachingAccelerate your Kubernetes clusters with Varnish Caching
Accelerate your Kubernetes clusters with Varnish Caching
 
The Future of Platform Engineering
The Future of Platform EngineeringThe Future of Platform Engineering
The Future of Platform Engineering
 
Epistemic Interaction - tuning interfaces to provide information for AI support
Epistemic Interaction - tuning interfaces to provide information for AI supportEpistemic Interaction - tuning interfaces to provide information for AI support
Epistemic Interaction - tuning interfaces to provide information for AI support
 

Knowledge for the masses: Storytelling with ATT&CK

  • 1. Trellix | Always Learning. Always Adapting. Knowledge for the Masses: Storytelling with ATT&CK! ATT&CKCON 3.0
  • 2. Ismael Valenzuela, Head of AC3 Team, SANS Author & Senior Instructor, Espeto master (@aboutsecurity, https://www.linkedin.com/in/ivalenzuela/). Jose Luis Sánchez (Joseliyo), Security Researcher AC3 Team, Member ENISA Cyber Threat Landscape Working Group, Salmorejo master (@Joseliyo_Jstnk, https://www.linkedin.com/in/joseluissm/). Alejandro Houspanossian, Asado master (@lekz86, https://www.linkedin.com/in/ahouspan/)
  • 4. The Power of Storytelling: Full meaning + Context + Expressiveness + Common ground. fMRI shows similar brain activity in two people listening to the same real-life story (https://blog.ted.com/what-happens-in-the-brain-when-we-hear-stories-uri-hasson-at-ted2016/). Understanding + Sync’d brain waves + New ideas, beliefs, motivation and actions
  • 5. The Lack of Storytelling: Partial meaning + Mostly IOCs + Expressionless + Different audiences using different ‘languages’. Limited distribution + Partial understanding + Limited defensive actionability
  • 6. AC3 Threat Sightings Recap (https://www..com/video/event/urn:li:ugcPost:6847197567567060993/). AC3 Threat Sightings is a 1-year-old initiative whose goal is to increase the UNDERSTANDING of cyber threats. To achieve this goal, we defined a work methodology and a data schema.
  • 7. Words Are Not Enough To Learn. We Need a Full Story. You/Your Org might have a MISP (or other TIP): Who has access to your TIP? Is it well structured and labelled? Does storage increase understanding? What type of data do we store? AC3 Threat Sightings are heavily focused on documenting threat actor TTPs with full details of observables and context. The objective is to learn about TTPs and Tools! (vs file hashes and IPs)
  • 8. AC3 Threat Sightings Methodology & Schema (https://raw.githubusercontent.com/mcafee-enterprise/ac3-threat-sightings/main/sightings/Sightings_Guildma_RAT.yml). Diagram: Information, -- Meaning, ++ Understanding
  • 9. First Level of Abstraction: High Level View. This is the first step: some quick notes following a structured schema in MITRE ATT&CK format: Threat Actor -> verb -> Technique -> Tactic. *Generated automatically out of the AC3 Threat Sighting for DarkSide.
  • 10. Second Level of Abstraction: Medium Level View. This is a typical TTP view. *Generated automatically out of the AC3 Threat Sighting for DarkSide.
  • 11. Third Level of Abstraction: Low Level View. Useful for Red/Purple Emulation planning & Detection Engineering. *Generated automatically out of the AC3 Threat Sighting for DarkSide.
  • 12. “I sit down and watch videos. I take notes. That's when that inspiration comes - the moment that makes sense of my profession. That instant I know, for sure, that I've got it. I know how to win. It's the moment that my job becomes truly meaningful.” Pep Guardiola, Professional Football Manager
  • 13. Studying the Opponent (video). Video produced with ‘gource’ (https://gource.io/) with real ransomware attack data
  • 14. Sometimes, we get creative. AC3 Threat Sighting: Attack Flow (https://mermaid-js.github.io/docs/mermaid-live-editor-beta). *Generated automatically with Mermaid out of the AC3 Threat Sighting for DarkS
  • 16. Choose Your Appropriate Story. Are video games made for all the audiences? Are cybersecurity reports made for all the audiences? AC3 Tactical (T), AC3 Operational (O), AC3 Strategical (S)
  • 17. Choose Your Appropriate Story. Strategical: Head of Cybersecurity, Security Strategists, CISO (Trends; Coverage to prioritize security efforts). Operational: SOC Managers, Cyber Threat Intelligence Analysts, Threat Detection Engineers (Behaviors; MITRE ATT&CK; Context; Malware, tools, industry, etc.). Tactical: SOC Analysts, Incident Responders, Threat Hunters, Content Development/QA Engineers (SIGMA; IOCs; Behaviors)
  • 18. Stories In Different Languages. There may be audiences and analysts who do not speak the same language. For this reason, we’ve created tools to translate our threat sightings to other languages!
  • 19. Stories In Different Languages. “Sorry, but in our CTI team we only speak MITRE!”
  • 20. Stories In Different Languages. AC3 Threat Sighting for Ryuk in STIX format. “Our SOC has been working with STIX for the last 4 years.” Two types of visualizations. High Level: Actor, weapon, technique and tactic. Low Level: Actor, weapon and IOCs
  • 21. Stories In Different Languages. “We better understand research with Maltego visualizations.” Two types of visualizations. High Level: Actor, behavior, weapon, technique and tactic. Low Level: Actor, behavior, weapon and IOCs
  • 22. Stories In Different Languages. “We share IOCs with different CERTs using OpenIOC.”
  • 23. Improve Your Storytelling and Understanding. Convert your threat sightings to MISP events automatically to: improve your storytelling; improve your understanding; get correlations. Lead: “I need to know all the threat sightings we have where OpenSCManager API calls are made.” Team: “Sure boss! Threat Sightings are YAML files… How can we correlate this information?!?!?!”
  • 24. Our Approach: AC3 Threat Sightings -> OpenIOC
  • 25. ”Tactics are so important because everybody has to know WHAT they have to do on the pitch and WHEN to do it.” Pep Guardiola, Professional Football Manager
  • 26. Continuous Understanding: Adaptive Defensive Model. Threat Sightings
  • 27. Next Steps: Defensive Playbooks. A defensive playbook (DP) is a set of tactics and methods that model defenders’ behaviors before, during, and after an attack. They include effective countermeasures that defenders can apply in anticipation of an attack: the ability to identify and reduce exposure before an attack; the ability to protect assets at risk during an attack; the ability to have visibility of an attack; the ability to hunt for an attack; the ability to detect an attack; the ability to investigate an attack; the ability to respond to an attack. Some implementations: MITRE D3FEND (https://d3fend.mitre.org/); OASIS CACAO (https://www.oasis-open.org/committees/cacao/); Trellix Defensive Playbooks*. Defensive Playbooks, Countermeasures
  • 28. Summary & Key Takeaways. AC3 Threat Sightings provide understanding, they ‘tell a story’. 7 Sightings, 77 TTPs (+Observables). The better we explain things, the more we learn, and the more defenders we’ll enable. Web site/Wiki with multiple views: TTPs, TTPs with Observables, Attack Flow, Weapon inventory, Techniques, etc. They integrate with your existing technologies (they don’t replace what you have, they enhance it). Integrations with multiple tools/formats: Maltego, MISP, OpenIOC, STIX, ATT&CK Navigator, etc. https://github.com/mcafee-enterprise/ac3-threat-sightings https://github.com/mcafee-enterprise/ac3-threat-sightings/tree/main/tools https://mcafee-enterprise.github.io/ac3-threat-sightings/docs/Welcome/
  • 29. Thank you! Gracias! @aboutsecurity https://www.linkedin.com/in/ivalenzuela/ @Joseliyo_Jstnk https://www.linkedin.com/in/joseluissm/
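The three levels of abstraction (slides 9 to 11), the ATT&CK Navigator integration (slide 28) and the "which sightings show OpenSCManager calls" correlation (slide 23) can all be derived from the same structured record. The Python below is an added example, not the deck's or the AC3 project's code; its record schema is a simplified, hypothetical stand-in for the AC3 YAML schema, and the sightings, verbs, processes and API names are constructed (only the technique IDs are real ATT&CK IDs).

```python
"""Three views, a Navigator layer and a correlation query over threat-sighting
records. Added example, not AC3 project code; the record schema is a simplified,
hypothetical stand-in for the AC3 YAML schema shown in the deck."""
from collections import defaultdict

# Constructed sample sightings (not real case data). Technique IDs are real
# ATT&CK IDs; actors, verbs, processes and API names are illustrative.
SIGHTINGS = [
    {"sighting": "DarkSide-sample", "actor": "DarkSide", "behaviors": [
        {"verb": "executes", "technique": "T1059.001", "name": "PowerShell",
         "tactic": "Execution",
         "observables": {"process": "powershell.exe", "api": []}},
        {"verb": "creates", "technique": "T1569.002", "name": "Service Execution",
         "tactic": "Execution",
         "observables": {"process": "psexesvc.exe",
                         "api": ["OpenSCManagerW", "CreateServiceW"]}},
        {"verb": "encrypts", "technique": "T1486", "name": "Data Encrypted for Impact",
         "tactic": "Impact",
         "observables": {"process": "darkside.exe", "api": []}}]},
    {"sighting": "Ryuk-sample", "actor": "Ryuk", "behaviors": [
        {"verb": "moves laterally via", "technique": "T1021.002",
         "name": "SMB/Windows Admin Shares", "tactic": "Lateral Movement",
         "observables": {"process": "cmd.exe", "api": []}},
        {"verb": "encrypts", "technique": "T1486", "name": "Data Encrypted for Impact",
         "tactic": "Impact",
         "observables": {"process": "ryuk.exe", "api": []}}]},
]


def high_level_view(s):
    """Level 1 (slide 9): 'Threat Actor -> verb -> Technique -> Tactic' notes."""
    return [f"{s['actor']} -> {b['verb']} -> {b['technique']} {b['name']} -> {b['tactic']}"
            for b in s["behaviors"]]


def medium_level_view(s):
    """Level 2 (slide 10): the TTP view, technique IDs grouped per tactic."""
    view = defaultdict(list)
    for b in s["behaviors"]:
        view[b["tactic"]].append(b["technique"])
    return dict(view)


def low_level_view(s):
    """Level 3 (slide 11): observables per technique, the input for emulation
    planning and detection engineering."""
    return {b["technique"]: b["observables"] for b in s["behaviors"]}


def navigator_layer(sightings, name="AC3 Threat Sightings"):
    """ATT&CK Navigator layer; score = number of sightings showing a technique.
    Only the core layer keys are used (the layer format version is assumed)."""
    counts, actors = defaultdict(int), defaultdict(set)
    for s in sightings:
        for t in {b["technique"] for b in s["behaviors"]}:
            counts[t] += 1
            actors[t].add(s["actor"])
    return {"name": name, "domain": "enterprise-attack",
            "versions": {"layer": "4.4"},
            "techniques": [{"techniqueID": t, "score": counts[t],
                            "comment": ", ".join(sorted(actors[t]))}
                           for t in sorted(counts)]}


def sightings_with_api(sightings, api_prefix):
    """Slide 23's question: which sightings (and techniques) observe a given
    API call? Prefix match so 'OpenSCManager' covers the A/W variants."""
    return [(s["sighting"], b["technique"]) for s in sightings
            for b in s["behaviors"]
            if any(a.lower().startswith(api_prefix.lower())
                   for a in b["observables"]["api"])]
```

The same records feed all four outputs, which is the point of slides 9 to 11: one well-labelled sighting yields the manager's one-liner, the analyst's TTP matrix and the detection engineer's observables without re-writing the story for each audience.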