MITRE AttACK framework it is time you took notice_v1.0
The document discusses the importance of the MITRE ATT&CK framework in enhancing cybersecurity practices, emphasizing its role in identifying security gaps and improving defense mechanisms based on actual adversary behaviors. It outlines how ATT&CK acts as a baseline for security improvements, allowing organizations to map their tools and capabilities against known tactics and techniques. Additionally, resources such as cheat sheets and tools for mapping and hunting within the ATT&CK framework are provided to assist security professionals in their efforts to fortify defenses.
Mitre ATT&CK is for all of us, and it is time to pay attention to it
Michael Gough – Co-Founder
IMFSecurity.com
LOG-MD.com
Whoami
• Blue Team Defender Ninja, Incident Responder, Logaholic
• Creator of all those “Windows Logging Cheat Sheets” and the
Malware Management Framework
• Including LOG-MD and Windows Logging ATT&CK cheat sheets
• Co-Creator of “Log-MD” – The Log and Malicious Discovery Tool
• Co-Host
– “Brakeing Down Incident Response”
There is more than this talk
• But we only have 50 minutes
• Brakeing Down Incident Response Podcast
– Episode 007 BDIRPodcast.com
– https://www.imfsecurity.com/podcasts/2018/9/16/bdir-podcast-episode-007
• SANS Threat Hunting and Incident Response
Summit New Orleans 2018
– My talk and many others covered ATT&CK, find the
PDF’s and videos as SANS releases them
• MITRE ATT&CKcon is this week !!!
– I was invited, but I am here educating my peeps
Why do we care?
• People ask me all the time
• “How do you know what to look for”?
– Experience
– Because Hacker Hurricane said so ;-)
– The Malware Management Framework
• Reports that show what the bad guys actually did
• So how or what do we map our defenses to?
– PCI?
– OWASP?
– Compliance XYZ?
– Because InfoSec or WebAppSec says so?
Why do we care?
• If you can identify your gaps
• Whether a consultant or an employee
• You can define potential budget needs
• You may have to admit a tool is not mapping
well, so an opportunity to recommend a
replacement that has better coverage
• Budget re-allocation is always a bonus
• The goal is to IMPROVE your security posture
Why do we care?
• ATT&CK is your new baseline
• You heard me
• We FINALLY have a goal of what to achieve
• Map to ATT&CK and you WILL pass or exceed any and
all compliance requirements if you are doing them!
• Forget the Cyber Kill Chain
– https://www.lockheedmartin.com/en-us/capabilities/cyber/cyber-kill-chain.html
• ATT&CK is more detailed at what you should detect…
along the Cyber Kill Chain
MITRE ATT&CK
• MITRE’s Adversarial Tactics, Techniques, &
Common Knowledge (ATT&CK™) is a curated
knowledge base and model for cyber adversary
behavior, reflecting the various phases of an
adversary’s lifecycle and the platforms they are
known to target.
• ATT&CK is useful for understanding security risk
against known adversary behavior, for planning
security improvements, and verifying defenses
work as expected.
ATT&CK Tactics and Techniques
• 11 Tactics
• 283 Techniques
• Covers the following Operating Systems
– Windows
– macOS
– Linux
Why care about ATT&CK
• It is HUGE… extensive information of what the
adversaries actually do to YOUR systems
Achieve Totality
Coverage – Asset Management
• Can you see every host?
• Do you have ghost assets?
• Remote systems (Road Warriors)
• Powered down VM’s/Systems
• IP Scan all devices and identify the OS
Completeness - Deployment
• Are your agent(s) installed and running properly
Configuration – System Settings
• Are the systems configured correctly
• Enable all that you want and expect
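The three Totality checks above (Coverage, Completeness, Configuration) boil down to comparing views of the estate against each other. The following is an added Python example, not code from the original deck or from LOG-MD; the hostnames, the IP-scan result, the agent check-in list and the required audit settings are all constructed sample data. It reports ghost assets (seen by the scan but not in the asset list), assets never seen by the scan (road warriors, powered-down VMs), live hosts with no agent reporting, and hosts whose logging settings are not what you expect.

```python
# Constructed sample views of the estate (all hostnames are made up).
CMDB = {"ws-001", "ws-002", "ws-003", "srv-db01", "srv-web01", "lt-road01"}
IP_SCAN = {"ws-001", "ws-002", "srv-db01", "srv-web01", "printer-7", "ws-099"}
AGENT_CHECKIN = {"ws-001", "srv-db01", "srv-web01", "ws-099"}

# Constructed required-settings baseline and per-host audit results
# (setting names are illustrative labels, not real policy identifiers).
REQUIRED_SETTINGS = {"process_creation_4688", "cmdline_logging", "powershell_scriptblock"}
HOST_SETTINGS = {
    "ws-001": {"process_creation_4688", "cmdline_logging", "powershell_scriptblock"},
    "srv-db01": {"process_creation_4688", "cmdline_logging"},
    "srv-web01": set(),
    "ws-099": {"process_creation_4688", "cmdline_logging", "powershell_scriptblock"},
}


def coverage_gaps(cmdb, scan):
    """Coverage: can you see every host? Ghosts are on the wire but not in
    the asset list; unseen assets are listed but the scan never found them
    (remote laptops, powered-down VMs, decommissioned boxes)."""
    return {
        "ghost_assets": sorted(scan - cmdb),
        "unseen_assets": sorted(cmdb - scan),
    }


def completeness_gaps(cmdb, scan, agents):
    """Completeness: every host known from either view should have an
    agent checking in; those that don't are deployment gaps."""
    known = cmdb | scan
    return sorted(known - agents)


def configuration_gaps(host_settings, required):
    """Configuration: which required settings are missing on each host
    that does report; hosts with nothing missing are omitted."""
    return {
        host: sorted(required - enabled)
        for host, enabled in host_settings.items()
        if required - enabled
    }


def totality_report(cmdb, scan, agents, host_settings, required):
    """Bundle the three checks so the output can be fed to a ticketing
    system or simply printed for the next asset-review meeting."""
    return {
        "coverage": coverage_gaps(cmdb, scan),
        "completeness": completeness_gaps(cmdb, scan, agents),
        "configuration": configuration_gaps(host_settings, required),
    }


if __name__ == "__main__":
    for section, findings in totality_report(
        CMDB, IP_SCAN, AGENT_CHECKIN, HOST_SETTINGS, REQUIRED_SETTINGS
    ).items():
        print(f"== {section} ==")
        print(findings)
```

In practice the three input sets come from your CMDB export, your scanner's host list and your log management or agent console; the point of the script is that the same hostname must appear in all three before you can claim a technique mapped to that host's logs is actually covered.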
MalwareArchaeology.com
(Diagram: Coverage, Completeness, Configuration)
80/20 rule
• A VERY important point is we need to ignore or not worry
about the 20% that you don’t, or can’t cover.
• Don’t get hung up on the 20% or you will continue to
flounder
• Worry about the 80% you CAN or COULD do
• You have to learn to walk before you worry about trying to
be, or cover 100% (run)
• Being good at 80% should be a goal
• You will improve over time as you get better
• It’s really more 74%-26%
– You must accept more false positives to reach 80% or higher
(Devon Kerr EndGame)
Examples – More Data
• Groups that used it
• Tools or kits
• Good for background information
• Read the reports (aka Malware Management)
and on the actors campaign(s)
ATT&CK Provides Guidance
• Mitigation examples
• Detection examples
• References
• You must translate them into what Processes,
Procedures, Products you have
Map your capabilities to ATT&CK
• Map the tools you have to the ATT&CK Matrix
• This will give you a place to start and a way to
track and rate your activities
Mitre ATT&CK
• This is a good place to start and map all your detection, prevention,
and hunt activities to
• Not enough details as to how
– You will need to map them
– Or find someone that has, maybe a product(s)
• Add your Web Proxy
• Add your WAF
• Add your IPS
• Add Network tools
• Add code scanners
• Fill any other gaps
• Of course…. ADD YOUR LOGGING !!!
Mitre ATT&CK – Logging
Let’s look at Windows Logging, my personal favorite
• Most Techniques can be mapped to logging
• Add Log Management
• Add some Sysmon or WLS to the logs for more
details
• Add LOG-MD-Pro, and other tools or script(s)
• Add a solution to query the OS ( I love BigFix)
• Add Network tools
• Fill other gaps
• See the previous slide for application stuff
Map your capabilities to ATT&CK
• The Windows ATT&CK Logging Cheat Sheet
• 11 Tactics and 187 Techniques mapped to
Windows Event IDs
Map your capabilities to ATT&CK
• The Windows LOG-MD ATT&CK Cheat Sheet
• 11 Tactics and 187 Techniques mapped to
Windows Event IDs, LOG-MD, and Sysmon
Find your Gaps, and Strengths
• By filling out the ATT&CK matrix to YOUR
capabilities, you begin to understand what you
CAN and CAN NOT do against the actual tactics
and techniques the bad guys use against you
• I was shocked, I mean SHOCKED at how much I
do in Windows logging mapped to actual tactics
and techniques
• But then again I have been practicing Malware
Management since I created it over 6 years ago
SOCPrime
• TDM – Threat Detection Marketplace
• SIGMA Rules
– Generic Signature Format for SIEM Systems
• ATT&CK mappings
• Lots of log solution options
• Convert from one platform to another
• SIGMA rule convertor
• Subscription service to gain access
• Some free SIGMA based rules
API
• MITRE has an API for ATT&CK
– https://attack.mitre.org/wiki/Using_the_API
• Cyb3rWarD0g – Invoke-ATTACKAPI
– https://github.com/Cyb3rWard0g/Invoke-ATTACKAPI
• https://github.com/annamcabee/Mitre-Attack-API
Mitre Pre-ATT&CK Mappings
• https://github.com/rmusser01/Infosec_Reference/tree/master/Draft/ATT%26CK-Stuff
• Blog on Brute Force example with ATT&CK
– https://thehackerwhorolls.blogspot.com/2018/10/home-lab-att-use-case.html
HUNT !
• Some say create a hypothesis
• I say start by eliminating things you CAN hunt
for and know you do NOT have
• Then build more hypotheses
• Map your capabilities to ATT&CK
• For Windows logging and LOG-MD there are 2
Cheat Sheets mapped to ATT&CK
– MalwareArchaeology.com/cheat-sheets
Conclusion
• MITRE ATT&CK is GREAT stuff
• It gives you a way to measure what you have and can
detect, based on what your adversaries ACTUALLY do,
not what compliance, an auditor or consultant says
• You don’t have to get very detailed at first
• Use simple coloring at first
– Green (good), Yellow (needs work), Red (poor), no color
(we got nuttin)
• Expand it once you map it
• Then expand as you rate your capabilities
• But get to know this framework!
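The mapping and coloring exercise described under "Map your capabilities to ATT&CK", "Find your Gaps, and Strengths" and this conclusion (map each technique to the logs and tools you have, color it Green/Yellow/Red or leave it blank, then rate coverage per tactic and apply the 80/20 rule) is shown here as an added Python example. It is not code from the original deck or from LOG-MD; the technique IDs, technique names and capability entries are constructed placeholders, not real ATT&CK IDs, and the "tuned/deployed/planned" statuses are an assumed way of recording how far along each detection is.

```python
from collections import Counter

# Constructed sample matrix: placeholder technique IDs (NOT real ATT&CK IDs)
# grouped under a few of the tactics named in the talk.
TECHNIQUES = {
    "TEX-001": ("Script interpreter abuse", "Execution"),
    "TEX-002": ("Scheduled job", "Execution"),
    "TEX-003": ("Autostart registry entry", "Persistence"),
    "TEX-004": ("Service installation", "Persistence"),
    "TEX-005": ("Credential theft from memory", "Credential Access"),
    "TEX-006": ("Account discovery", "Discovery"),
    "TEX-007": ("Remote admin share use", "Lateral Movement"),
    "TEX-008": ("Data staged for exfiltration", "Exfiltration"),
}

# Constructed capability map: technique -> list of (data source or tool, status).
#   "tuned"    = a detection exists and has been verified against a test
#   "deployed" = the data is collected but there is no verified detection yet
#   "planned"  = known gap with a plan; a technique with no entry is a blind spot
CAPABILITIES = {
    "TEX-001": [("Windows Event ID 4688", "tuned"), ("Sysmon Event ID 1", "tuned")],
    "TEX-002": [("Windows Event ID 4698", "deployed")],
    "TEX-003": [("LOG-MD autorun report", "tuned")],
    "TEX-004": [("Windows Event ID 7045", "deployed"), ("Sysmon Event ID 13", "planned")],
    "TEX-005": [("EDR agent", "planned")],
    "TEX-007": [("Windows Event ID 5140", "deployed")],
}


def rate_technique(entries):
    """Translate one technique's capability entries into the slide's colors."""
    statuses = {status for _, status in entries}
    if "tuned" in statuses:
        return "green"    # good
    if "deployed" in statuses:
        return "yellow"   # needs work
    if statuses:
        return "red"      # poor: only planned
    return "none"         # we got nuttin


def rate_matrix(techniques, capabilities):
    """Color every technique in the matrix, blanks included."""
    return {tid: rate_technique(capabilities.get(tid, [])) for tid in techniques}


def tactic_coverage(techniques, ratings, counted=("green", "yellow")):
    """Fraction of each tactic's techniques with at least some detection."""
    covered, total = Counter(), Counter()
    for tid, (_, tactic) in techniques.items():
        total[tactic] += 1
        if ratings[tid] in counted:
            covered[tactic] += 1
    return {tactic: round(covered[tactic] / total[tactic], 2) for tactic in total}


def overall_coverage(ratings, counted=("green", "yellow")):
    """Single number for the budget conversation."""
    return round(sum(r in counted for r in ratings.values()) / len(ratings), 3)


def gaps(techniques, ratings, worst=("red", "none")):
    """Techniques with no working detection, in ID order."""
    return sorted(tid for tid in techniques if ratings[tid] in worst)


def tactics_below_target(coverage, target=0.8):
    """80/20 rule: tactics that have not reached the 80% goal yet."""
    return sorted(tactic for tactic, value in coverage.items() if value < target)


if __name__ == "__main__":
    ratings = rate_matrix(TECHNIQUES, CAPABILITIES)
    cov = tactic_coverage(TECHNIQUES, ratings)
    for tid, color in ratings.items():
        print(f"{tid}  {TECHNIQUES[tid][1]:<18} {color}")
    print("per tactic:", cov)
    print("overall:", overall_coverage(ratings))
    print("gaps:", gaps(TECHNIQUES, ratings))
    print("below 80%:", tactics_below_target(cov))
```

Start with exactly this level of detail: one status per data source per technique. Once the matrix is filled in, the rating functions can be swapped for something finer (for example, counting how many tactics a single log source covers) without changing the data you collected.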
Additional Reading
This Is the Fastest Way to Hunt Windows Endpoints
– https://www.slideshare.net/Hackerhurricane/mwarch-fastestwaytohuntonwindowsv101
– SANS will post the video at some point
SANS THIR 2018 PDF’s and videos
Most of the talks had ATT&CK involved
Quantify Your Hunt: Not Your Parents' Red Team – Devon Kerr and Roberto
– https://www.youtube.com/watch?v=w_kByDwB6J0
– https://www.sans.org/summit-archives/file/summit-archive-1536351477.pdf
Finding Related ATT&CK Techniques
– https://medium.com/mitre-attack/finding-related-att-ck-techniques-f1a4e8dfe2b6
Questions
• You can find us on the Twitters
– @HackerHurricane
• LOG-MD.com
• MalwareArchaeology.com
• Preso will be on SlideShare and linked on
MalwareArchaeology.com
• Listen to the PodCast to hear the rest of this topic
– BDIRPodcast.com