From ATT&CKcon 3.0
By Jose Barajas and Stephan Chenette, AttackIQ
Every cybersecurity leader wants visibility into the health of their security program. Yet teams suffer from disparate data streams - CTI teams and the SOC often use separate Excel spreadsheets, an anachronistic practice - and silos constrain their ability to operate effectively. Enter the Jupyter notebook, an open-source computational notebook that researchers use to combine code, computing output, text, and media in a single interface. In this talk, we share three stories of how organizations use Jupyter notebooks to align ATT&CK-based attack flows with the security program, generating data about detection and prevention failures, defensive gaps, and longitudinal performance. By using Jupyter notebooks in this way, teams can better leverage ATT&CK for security effectiveness. It becomes less of a bingo card and more of a strategic tool for understanding the health of the program against big tactics (e.g., lateral movement), defensive gaps (e.g., micro-segmentation), and the team's performance.
Landing on Jupyter: The transformative power of data-driven storytelling for security operations
1. Landing on Jupyter
Stephan Chenette & Jose Barajas
MITRE ATT&CKcon 3.0, March 2022
The Transformative Power of Data-Driven Storytelling for Security Operations
7. Attack Flows and Technology Investment Gaps
Presenter: CISO / Security Team
Audience: Technical Management (e.g. CISO, CIO, CRO, etc.)
Question: How can I demonstrate our current security posture against relevant threat actor campaigns to the management team, and show where we have gaps and where we are focused on improving?
Desired reaction: I want the management team to see the results and support our budget and prioritization of security and risk projects.
Narrative: As the presenter, you should be able to confidently present the organizational security posture, as well as how the above threat actor campaigns were emulated and why they are relevant. You can then discuss which behaviors have coverage and where gaps exist. For any cells that are red, you can discuss what projects or actions are in progress, what further tools/resources are needed to close the gap, and how investing in those tools or resources will close it.
9. Attack Flows Detection Coverage and Discrepancies
Presenter: CISO / Security Team
Audience: Technical Operations
Question: How can I provide my technical operations team with all the details of our existing detection rules and enabled capabilities, mapped to the threat emulation results we executed, so that they have everything they need to improve our security posture?
Desired reaction: I want my technical operations team to investigate and take action on remediation and/or mitigation strategies that improve the security controls and the overall security posture of the organization.
Narrative: As the presenter, you are able to preempt any questions and provide all the necessary details so that the individuals on the technical operations team can investigate the scenarios and the endpoint control policy to see what can be configured to improve prevention and detection coverage. If nothing can be done natively, these details allow a discussion with the endpoint control vendor so that the vendor can improve its capabilities. Ultimately, once mitigation or remediation has happened, the technical operations team can re-test directly or collaborate with the security testing team to re-test and verify that the changes do, in fact, improve coverage.
Presenter: CISO / Security Team
Audience: Technical Management
Question: How can I provide my technical management team with the details of the threat emulation exercises we executed, so they can see at the MITRE ATT&CK tactic level what gaps we have across the attack lifecycle, and whether those gaps sit at the beginning, the middle, or the end of it, or all of the above?
Desired reaction: I want my technical management team to support our investigation, remediation and/or mitigation efforts so we can improve the security controls and the overall security posture of the organization.
Narrative: For the presenter, mapping to a framework like MITRE ATT&CK and using its tactics to describe where in the attack lifecycle the gaps exist is crucial to gaining support and being empowered to prioritize resources appropriately to improve security operations and response.
11. Historical Performance
Presenter: CISO / Security Team
Audience: Technical Operations
Question: How can we demonstrate and prove improvement over time in our investments, controls and detection logic rules, while also showing the gaps that remain?
Desired reaction: I want the technical operations team to see, with evidence and details, that the improvements they made had an effect and improved our security posture, while also seeing that gaps still exist and that there is either room for improvement or a need to justify not making changes, so that they can take action.
Narrative: As the presenter, it is important to provide a historical view of progress and either demonstrate that progress or convey a sense of urgency if no progress is being made. Demonstrating improvement builds momentum to keep improving and to take any remaining gaps more seriously, so that resources are allocated appropriately. It is important to note that attack flows can be updated or new ones added, so this process never ends.
Presenter: CISO / Security Team
Audience: Technical Management
Question: How can I provide both a high-level picture and technical details to show our management team that we are improving over time and that resources are being spent effectively, but that there is more to be done?
Desired reaction: I want my technical management team to support our efforts after seeing credible proof of both improvement and existing gaps.
Narrative: As the presenter, it is important to abstract detail away so that the picture of historical performance is crystal clear, while also providing accompanying technical details as a source of credibility: the issues are known, some have been fixed, more work is ahead, and it is being prioritized efficiently.
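The three views above (the per-technique attack-flow table with red cells for management, the detection-rule detail for technical operations, the tactic-level picture of where gaps sit in the lifecycle, and the historical comparison between runs) can all be computed from one set of emulation results inside a notebook cell. The following Python is an added example written for this page, not AttackIQ's code or anything from the talk: the two runs of the attack flow, their outcomes and the detection rule names are constructed sample data (the technique IDs are real ATT&CK IDs, the results are invented), and the function names are assumptions.

```python
"""Attack-flow coverage, tactic-level gaps and run-over-run comparison.

Added example for the "Landing on Jupyter" slides; not the talk's own code.
All emulation results below are constructed sample data.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional

# Status ranking used for the historical comparison: higher is better.
RANK = {"gap": 0, "detected": 1, "prevented": 2}


@dataclass(frozen=True)
class StepResult:
    """One step of an emulated attack flow and what the controls did with it."""
    technique: str                         # ATT&CK technique ID the step exercised
    tactic: str                            # ATT&CK tactic, i.e. the lifecycle stage
    prevented: bool                        # a control blocked the step
    detected: bool                         # a detection rule / alert fired
    detection_rule: Optional[str] = None   # name of the rule that fired, if any


# Constructed sample data: the same attack flow executed in two quarters.
# Outcomes and rule names are invented for illustration.
RUN_Q1: List[StepResult] = [
    StepResult("T1566.001", "Initial Access", False, True, "Phishing attachment alert"),
    StepResult("T1059.001", "Execution", False, False),
    StepResult("T1003.001", "Credential Access", True, True, "LSASS access blocked"),
    StepResult("T1021.001", "Lateral Movement", False, False),
    StepResult("T1021.002", "Lateral Movement", False, False),
    StepResult("T1048.003", "Exfiltration", False, False),
]
RUN_Q2: List[StepResult] = [
    StepResult("T1566.001", "Initial Access", True, True, "Phishing attachment alert"),
    StepResult("T1059.001", "Execution", False, True, "Suspicious PowerShell"),
    StepResult("T1003.001", "Credential Access", True, True, "LSASS access blocked"),
    StepResult("T1021.001", "Lateral Movement", False, True, "RDP from workstation"),
    StepResult("T1021.002", "Lateral Movement", False, False),
    StepResult("T1048.003", "Exfiltration", False, False),
]


def step_status(r: StepResult) -> str:
    """Collapse the prevented/detected flags into a single status per step."""
    if r.prevented:
        return "prevented"
    if r.detected:
        return "detected"
    return "gap"


def gaps(results: List[StepResult]) -> List[str]:
    """Techniques with neither prevention nor detection: the red cells."""
    return [r.technique for r in results if step_status(r) == "gap"]


def tactic_coverage(results: List[StepResult]) -> Dict[str, float]:
    """Fraction of steps per tactic that were prevented or detected.

    Dict order follows first appearance, i.e. attack-lifecycle order, so the
    reader sees whether gaps sit at the beginning, middle or end of the flow.
    """
    covered: Dict[str, int] = defaultdict(int)
    total: Dict[str, int] = defaultdict(int)
    for r in results:
        total[r.tactic] += 1
        if step_status(r) != "gap":
            covered[r.tactic] += 1
    return {t: round(covered[t] / total[t], 2) for t in total}


def compare_runs(before: List[StepResult], after: List[StepResult]) -> Dict[str, List[str]]:
    """Technique-level status changes between two runs of the same flow."""
    b = {r.technique: step_status(r) for r in before}
    a = {r.technique: step_status(r) for r in after}
    common = sorted(set(a) & set(b))
    return {
        "improved": [t for t in common if RANK[a[t]] > RANK[b[t]]],
        "regressed": [t for t in common if RANK[a[t]] < RANK[b[t]]],
        "still_gaps": [t for t in common if a[t] == b[t] == "gap"],
    }


def to_markdown(results: List[StepResult]) -> str:
    """Markdown table for a notebook cell; the rule column is the detail ops needs."""
    rows = ["| Tactic | Technique | Status | Detection rule |", "|---|---|---|---|"]
    for r in results:
        rows.append(f"| {r.tactic} | {r.technique} | {step_status(r)} | {r.detection_rule or '-'} |")
    return "\n".join(rows)


if __name__ == "__main__":
    print(to_markdown(RUN_Q2))
    print("Red cells in Q2:", gaps(RUN_Q2))
    print("Tactic coverage Q2:", tactic_coverage(RUN_Q2))
    print("Q1 -> Q2:", compare_runs(RUN_Q1, RUN_Q2))
```

In a notebook, `to_markdown(...)` would be passed to `IPython.display.Markdown` so the table renders in the cell below the narrative text; `tactic_coverage` gives the tactic-level view for management, and `compare_runs` is the historical-performance cell, listing what improved, what regressed and which red cells are unchanged between runs.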
12. The Transformative Storytelling
Power of the Jupyter Notebook:
Unlike static PowerPoints, from which data was extracted once and quickly goes out of date, Jupyter Notebooks let users tell a real-time, data-driven story.
Unlike a customized dashboard, where data may be extracted in real time, Jupyter Notebooks allow a sequential storytelling element.
Build a Jupyter Notebook for your audience that:
• Provides visual data insights
• Anticipates top-level questions
• Provokes emotion
• Enables data-driven decision making
Conclusion: