MITRE ATT&CKcon 2.0: ATT&CK Updates - PRE-ATT&CK Integration; Adam Pennington, MITRE

•

2 likes•2,414 views

This document discusses the integration of the PRE-ATT&CK framework with the existing ATT&CK framework. It outlines how PRE-ATT&CK covers adversary activities in the pre-compromise phases of reconnaissance and resource development. Draft tactics and techniques are provided for these phases, including gathering victim information through searches, scans, and spearphishing as well as developing capabilities through acquiring or creating infrastructure, accounts, and tools. The goal is to expand ATT&CK to cover a wider range of the adversary lifecycle.

©2019 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for public release. Distribution unlimited 19-01075-
MITRE
| 1 |
PRE-ATT&CK Integration
Adam Pennington
@_whatshisface
©2019 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for public release. Distribution unlimited 19-01075-13.
@MITREattack
#ATTACKcon

©2019 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for public release. Distribution unlimited 19-01075-13.
PRE-ATT&CK
Recon
Weaponize
Deliver
Exploit
Control
Execute
Maintain
Enterprise ATT&CKPRE-ATT&CK
| 2 |

©2019 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for public release. Distribution unlimited 19-01075-13.
Launch/Compromise -> Initial Access
| 3 |
2018

©2019 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for public release. Distribution unlimited 19-01075-13.
| 4 |
Enterprise ATT&CK
PRE-ATT&CK
It’s just

©2019 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for public release. Distribution unlimited 19-01075-13.
PRE’s Place in the Adversary Lifecycle
Recon
Weaponize
Deliver
Exploit
Control
Execute
Maintain
Enterprise ATT&CKPRE-ATT&CK
| 5 |

©2019 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for public release. Distribution unlimited 19-01075-13.
How do we scope techniques?
| 7 |
Technical
Visible to some defenders
Evidence of adversary use

©2019 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for public release. Distribution unlimited 19-01075-13.
| 8 |

©2019 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for public release. Distribution unlimited 19-01075-13.
| 9 |
Intelligence
Planning
(Out of
scope)
Reconnaissance
Resource
Development

©2019 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for public release. Distribution unlimited 19-01075-13.
<DRAFT>Reconnaissance</DRAFT>
• Gather victim identity information
• Credentials
• Email addresses
• Employee names
• Gather victim network information
• Domain properties
• DNS
• Network trust dependencies
• Network topology
• IP addresses
• Firewall
• NIDS
• Gather victim host information
• Hardware
• Software
• Firmware
• Client configurations
• Search open websites/domains
• Social media
• Search engines
• Search victim-owned websites
• Active Scanning
• Scanning IP blocks
• Vulnerability scanning
• Search open technical databases
• Whois
• DNS/passive DNS
• TLS certs
• CDNs
• Scans databases
• Search closed databases
• Threat intel vendors
• Paid versions of open databases
• Spearphishing for Information
• Service
• Attachment
• Link
| 10 |
Tactic and Technique names/list are draft and subject to change

©2019 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for public release. Distribution unlimited 19-01075-13.
<DRAFT>Resource Development</DRAFT>
• Buy/Acquire Infrastructure
• Domains
• DNS
• VPS/Cloud VM
• Server
• Botnet
• Web services
• Compromise Infrastructure
• Domains
• DNS
• VPS/Cloud VMs
• Server
• Botnet
• Web services
• Create Accounts
• Social Media
• Email accounts
• Compromise Accounts
• Social Media
• Email accounts
• Develop Capabilities (Build)
• Malware
• Software
• SSL certs
• Vulnerabilities
• Exploits
• Acquire Capabilities (Buy or steal)
• Malware
• Software
• SSL certs
• Software certs
• Vulnerabilities
• Exploits
| 11 |
Tactic and Technique names/list are draft and subject to change

©2019 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for public release. Distribution unlimited 19-01075-13.
| 12 |
attack@mitre.org
@MITREattack
#ATTACKcon
Adam Pennington
@_whatshisface

From ATT&CKcon 3.0 By Ismael Valenzuela and Jose Luis Sanchez Martinez, Trellix The Trellix team believes that creating and sharing compelling stories about cyber threats -with ATT&CK- is a powerful way for raising awareness and enabling actionability against cyber threats. In this talk the team will share their experiences leveraging ATT&CK to disseminate Threat knowledge to different audiences (Software Development teams, Managers, Threat detection engineers, Threat hunters, Cyber Threat Analysts, Support Engineers, upper management, etc.). They will show concrete examples and representations created with ATT&CK to describe the threats at different levels, including: 1) an Attack Path graph that shows the overall flow of the attack; 2) Tactic-specific TTP summary tables and graphs; 3) very detailed, step-by-step description of the attacker's behaviors.

MITRE ATT&CKcon 2.0: ATT&CK Updates - Cyber Analytics Repository (CAR); Ivan ...

MITRE - ATT&CKcon

ATT&CKing the Red/Blue Divide

MITRE ATT&CK

From ATT&CKcon 3.0 By Fred Frey and Jonathan Mulholland, SnapAttack Atomic Red Team and Sigma are the largest open-source attack simulation and analytic projects. Many organizations utilize one or both internally for security controls validation or supplementing their detections and alerts. Building on the work from these two great communities, we smashed (scientific-term) the attacks and analytics together and applied data science to analyze the results. We'll describe our methodology and testing framework, show the real-world MITRE ATT&CK coverage and gaps, discuss our algorithms for calculating analytic similarity, identifying log sources for a technique, and determining the best analytics to deploy that maximizes ATT&CK coverage. This project aims to: - Bring a measurable testing rigor to community analytics to improve adoption - Test every analytic against every attack, validating the true positive detection - Understand the log sources required to detect specific attack techniques - Apply data science to identify analytic similarity (reduce community duplication) - Identify gaps between the projects' analytics without attack simulations; attack simulations without detections; missing or incorrect MITRE ATT&CK labels, etc - Automate the process so insights can stay up to date with new attack/analytic contributions over time - Share our analysis back to the community to improve these projects

MITRE ATT&CKcon 2018: Hunters ATT&CKing with the Data, Roberto Rodriguez, Spe...

MITRE - ATT&CKcon

With the development of the MITRE ATT&CK framework and its categorization of adversary activity during the attack cycle, understanding what to hunt for has become easier and more efficient than ever. However, organizations are still struggling to understand how they can prioritize the development of hunt hypothesis, assess their current security posture, and develop the right analytics with the help of ATT&CK. Even though there are several ways to utilize ATT&CK to accomplish those goals, there are only a few that are focusing primarily on the data that is currently being collected to drive the success of a hunt program. This presentation shows how organizations can benefit from mapping their current visibility from a data perspective to the ATT&CK framework. It focuses on how to identify, document, standardize and model current available data to enhance a hunt program. It presents an updated ThreatHunter-Playbook, a Kibana ATT&CK dashboard, a new project named Open Source Security Events Metadata known as OSSEM and expands on the “data sources” section already provided by ATT&CK on most of the documented adversarial techniques.

Threat hunting 101 by Sandeep Singh

OWASP Delhi

Cyber Threat hunting workshop

Arpan Raval

MITRE ATT&CKcon 2018: ATT&CK as a Teacher, Travis Smith, Tripwire

MITRE - ATT&CKcon

ATT&CK is valuable for those of us who are heads down in security day in and day out. But what about using ATT&CK to each college interns about security? This presentation details how Tripwire used ATT&CK to build- out a new training regimen for summer interns. By going through and finding quick wins, Tripwire’s interns were actively engaged in learning about security. The detailed break downs of ATT&CK were greatly beneficial in helping teach security concepts to those who were not yet familiar with them. This session shows the program details and how you might be able to adapt it to your requirements.

Putting MITRE ATT&CK into Action with What You Have, Where You Are

Katie Nickels

Presentation at DEF CON Red Team Village - Mayhem Virtual Summit 2020 Adversary Emulation - Red Team emulating APT19 with Empire3 and Starkiller Connect: https://twitter.com/jorgeorchilles https://twitter.com/c2_matrix References: https://mitre-attack.github.io/attack-navigator/enterprise/ https://attack.mitre.org/groups/G0073/ https://www.thec2matrix.com/ https://howto.thec2matrix.com/slingshot-c2-matrix-edition https://howto.thec2matrix.com/c2/empire#red-team-village-mayhem-demo-of-apt19 https://vectr.io/ https://www.scythe.io/

OSINT with Practical: Real Life Examples

SyedAmoz

Threat Hunting Workshop

Splunk

FIRST CTI Symposium: Turning intelligence into action with MITRE ATT&CK™

Katie Nickels

MITRE ATT&CK Framework

n|u - The Open Security Community

MITRE ATT&CK framework

Bhushan Gurav

Introduction to MITRE ATT&CK

Arpan Raval

When Insiders ATT&CK!

MITRE ATT&CK

From ATT&CKcon 3.0 By Matt Snyder, VMWare Insider threats are some of the most treacherous and every organization is susceptible: it's estimated that theft of Intellectual Property alone exceeds $600 billion a year. Armed with intimate knowledge of your organization and masked as legitimate business, often these attacks go unnoticed until it's too late and the damage is done. To make matters worse, threat actors are now trying to lure employees with the promise of large paydays to help carry out attacks. These advanced attacks require advanced solutions, and we are going to demonstrate how we are using the MITRE ATT&CK framework to proactively combat these threats. Armed with these tactics and techniques, we show you how to build intelligent detections to help secure even the toughest of environments.

How MITRE ATT&CK helps security operations

Sergey Soldatov

MITRE ATT&CKcon 2.0: Lessons in Purple Team Testing with MITRE ATT&CK; Daniel...

MITRE - ATT&CKcon

MITRE ATT&CKcon 2.0: Prioritizing Data Sources for Minimum Viable Detection; ...

MITRE - ATT&CKcon

Would you Rather Have Telemetry into 2 Attacks or 20? An Insight Into Highly ...

MITRE ATT&CK

From ATT&CKcon 3.0 By Jonny Johnson, Red Canary and Olaf Hartong, FalconForce As defenders, we often find ourselves wanting "more" data. But why? Will this new data provide a lot of value or is it for a very niche circumstance? How many attacks does it apply to? Are we leveraging previous data sources to their full capability? Within this talk, Olaf and Jonny will walk through different data sources they leverage more than most when analyzing data within environments, why they do, and what these data sources do and can provide in terms of value to a defender.

BSidesLV 2018 - Katie Nickels and John Wunder - ATT&CKing the Status Quo

Katie Nickels

Threat hunting for Beginners

SKMohamedKasim

MITRE ATT&CKcon 2018: Summiting the Pyramid of Pain: Operationalizing ATT&CK,...

MITRE - ATT&CKcon

Operationalizing the ATT&CK framework has enabled GE to deploy custom detection to evolving threat actor behaviors. By leveraging an in-house developed tool called TIAMAT (Tactical Intelligence Adversary Mapping and Analysis Tool) the ATT&CK framework is incorporated into an end-to-end operational process from intelligence collection to customized detection deployment. The designing of this new operational process is examined, and a use case presented of how examining a historical incident led to a new method of deploying detection based on ATT&CK and the detection of previously undiscovered activity. There is also a demo that walks the audience through the end-to-end process and explains TIAMATs capabilities.

Using IOCs to Design and Control Threat Activities During a Red Team Engagement

Joe Vest

The term Red Team or Red Teaming has become more prevalent in the security industry. Both commercial and government organizations conduct "Red Team Exercises". What does this mean? What is a Red Team engagement? How is it different that other security tests? Isn't current penetration and vulnerability security testing enough? Red Teaming share many of the fundamentals of other security testing types, yet focuses on specific scenarios and goals that are used to evaluate and measure an organization's overall security defense posture. Organizations spend a great deal of time and money on the security of their systems. Red Teams have a unique goal of testing an organization's ability to detect, respond to, and recover from an attack. When properly conducted, Red Team activities can significantly contribute to the improvement an organization's security controls, help hone defensive capabilities, and measure the effectiveness of security operations. This presentation introduces the Red Teaming concept of IOC management, how a Red Team operator can use specific IOCs to blend in to a target, and how to design specific scenarios to test a Blue Team's defensive posture.

Adversary Emulation using CALDERA

Erik Van Buggenhout

From OSINT to Phishing presentation

Jesse Ratcliffe, OSCP

Emulating an Adversary with Imperfect Intelligence

Adam Pennington

ATT&CKing Your Adversaries - Operationalizing cyber intelligence in your own ...

JamieWilliams130

What's hot

Threat-Based Adversary Emulation with MITRE ATT&CK

Katie Nickels

MITRE ATT&CKcon 2.0: Using Threat Intelligence to Focus ATT&CK Activities; Da...

MITRE - ATT&CKcon

Adversary Emulation - Red Team Village - Mayhem 2020

Jorge Orchilles

OSINT with Practical: Real Life Examples

SyedAmoz

Threat Hunting Workshop

Splunk

FIRST CTI Symposium: Turning intelligence into action with MITRE ATT&CK™

Katie Nickels

MITRE ATT&CK Framework

n|u - The Open Security Community

MITRE ATT&CK framework

Bhushan Gurav

Introduction to MITRE ATT&CK

Arpan Raval

When Insiders ATT&CK!

MITRE ATT&CK

How MITRE ATT&CK helps security operations

Sergey Soldatov

MITRE ATT&CKcon 2.0: Lessons in Purple Team Testing with MITRE ATT&CK; Daniel...

MITRE - ATT&CKcon

MITRE ATT&CKcon 2.0: Prioritizing Data Sources for Minimum Viable Detection; ...

MITRE - ATT&CKcon

Would you Rather Have Telemetry into 2 Attacks or 20? An Insight Into Highly ...

MITRE ATT&CK

BSidesLV 2018 - Katie Nickels and John Wunder - ATT&CKing the Status Quo

Katie Nickels

Threat hunting for Beginners

SKMohamedKasim

MITRE ATT&CKcon 2018: Summiting the Pyramid of Pain: Operationalizing ATT&CK,...

MITRE - ATT&CKcon

Using IOCs to Design and Control Threat Activities During a Red Team Engagement

Joe Vest

Adversary Emulation using CALDERA

Erik Van Buggenhout

From OSINT to Phishing presentation

Jesse Ratcliffe, OSCP

What's hot (20)

Threat-Based Adversary Emulation with MITRE ATT&CK

MITRE ATT&CKcon 2.0: Using Threat Intelligence to Focus ATT&CK Activities; Da...

Adversary Emulation - Red Team Village - Mayhem 2020

OSINT with Practical: Real Life Examples

Threat Hunting Workshop

FIRST CTI Symposium: Turning intelligence into action with MITRE ATT&CK™

MITRE ATT&CK Framework

MITRE ATT&CK framework

Introduction to MITRE ATT&CK

When Insiders ATT&CK!

How MITRE ATT&CK helps security operations

MITRE ATT&CKcon 2.0: Lessons in Purple Team Testing with MITRE ATT&CK; Daniel...

MITRE ATT&CKcon 2.0: Prioritizing Data Sources for Minimum Viable Detection; ...

Would you Rather Have Telemetry into 2 Attacks or 20? An Insight Into Highly ...

BSidesLV 2018 - Katie Nickels and John Wunder - ATT&CKing the Status Quo

Threat hunting for Beginners

MITRE ATT&CKcon 2018: Summiting the Pyramid of Pain: Operationalizing ATT&CK,...

Using IOCs to Design and Control Threat Activities During a Red Team Engagement

Adversary Emulation using CALDERA

From OSINT to Phishing presentation

Similar to MITRE ATT&CKcon 2.0: ATT&CK Updates - PRE-ATT&CK Integration; Adam Pennington, MITRE

Emulating an Adversary with Imperfect Intelligence

Adam Pennington

ATT&CKing Your Adversaries - Operationalizing cyber intelligence in your own ...

JamieWilliams130

MITRE ATT&CKcon 2.0: State of the ATT&CK; Blake Strom, MITRE

MITRE - ATT&CKcon

7 Things You Need to Know for Your Cloud-First Strategy

Flexera

MITRE ATT&CKcon 2.0: ATT&CK Updates - ICS; Otis Alexander, MITRE

MITRE - ATT&CKcon

RH-ISAC Summit 2019 - Adam Pennington - Leveraging MITRE ATT&CK™ for Detectio...

Adam Pennington

ATT&CKing with Threat Intelligence

Christopher Korban

MITRE’s ATT&CK is a community-driven knowledge base and model for cyber adversary behavior, reflecting the various phases of an adversary’s life cycle and the platforms they are known to target. By scoping the wide breadth of the MITRE ATT&CK matrix to focus initially on the techniques used by threat actors you specifically care about, you can help the defenders create more useful and impactful detections first. Once you start emulating the appropriate threat actors, you can practice your defenses in a scenario that’s more realistic and applicable without the need for an actual intrusion. The speakers are providing a process and a case study of APT3 - a China-based threat group - for how to go from finding threat intelligence, sifting through it for actionable techniques, creating emulation plans, discovering how to emulate different techniques... to actually operating on a network. They are also providing a beginning "cheat sheet" for this actor to give a starting point for red and blue teams to accomplish these techniques in their own environment without the need to build their own tooling.

The As, Bs, and Four Cs of Testing Cloud-Native Applications

Denim Group

Security assessments are a critical part of any security program. Being able to identify – and communicate about – vulnerabilities systems is required to get vulnerabilities prioritized for remediation. For web and mobile applications, assessment methodologies are reasonably straightforward and established. However, for cloud-native applications, the combination of new technologies and architectural elements has introduced questions about how to scope, plan, and execute security assessments. This presentation looks at how the assessment landscape has changed with the introduction of cloud-native applications and explores how threat modeling is central to testing their security. In addition, the “Four C’s” conceptual model for looking at cloud-native application security is introduced, including a discussion of how both automated and manual testing methodologies can be used to accomplish assessment goals. Finally, vulnerability contextualization and reporting are discussed, so that teams running cloud-native application assessments can properly characterize the results of their efforts to aid in the prioritization and remediation of identified issues.

NetNordic_DDoS-War-Room_25-april-2019.pptx

MansurAli32

Symantec Webinar | How to Detect Targeted Ransomware with MITRE ATT&CK

Symantec

CipherCloud Webinar - Cloud Encryption & Tokenization 101

CipherCloud

Conférence - Arbor Edge Defense, Première et dernière ligne de défense intell...

African Cyber Security Summit

Les équipes de sécurité ont besoin de solutions de cyber sécurité de pointe (Arbor Edge Defense) , capables de détecter et d’arrêter tous les types de menaces cybernétiques - qu’elles soient des menaces entrantes (DDOS & Advanced Threat) ou des communications malveillantes sortantes à partir de périphériques internes compromis. De manière aussi importante, ces solutions doivent également pouvoir s'intégrer dans la pile de sécurité existante d'une organisation et / ou consolider des fonctionnalités afin de réduire les coûts, la complexité et les risques. La conférence a pour objectif de montrer l’évolution des menaces DDOS et Advanced threat sur le volet de la complexité et aussi la volumétrie. Cette évolution a un impact directe sur les solutions à mettre en place pour faire face à ce changement. NETSCOUT AED (Arbor Edge Defence) est une telle solution pour répondre efficacement à cette problématique. La position unique d'AED sur le bord du réseau (c'est-à-dire entre le routeur et le pare-feu), son moteur de traitement de paquets sans état et les informations de menace basées sur la réputation qu'elle reçoit du flux ATLAS Threat Intelligence de NETSCOUT lui permettent de détecter et d'arrêter automatiquement les menaces entrantes et les communications sortantes. des hôtes internes compromis - agissant essentiellement en tant que première et dernière ligne de défense pour les organisations. Moncef ZID - Arbor Networks Sales Manager France and North Africa - Netscout

From Mirai to Monero – One Year’s Worth of Honeypot Data

DefCamp

Kondo-ing API Authorization

Nordic APIs

RH-ISAC Summit 2019 - Adam Pennington - Leveraging MITRE ATT&CK™ for Detectio...

Adam Pennington

apidays LIVE New York 2021 - Simplify Open Policy Agent with Styra DAS by Tim...

apidays

MITRE ATT&CKcon 2.0: ATT&CK Updates - Controls Mapping; Mike Long, MITRE

MITRE - ATT&CKcon

CSPA Keynote: BLOCKCHAIN for Enterprise

David Haimes

Slideshare.net rh-isac summit 2019 - adam pennington - leveraging mitre at ta...

Robert Brandel

MITRE ATT&CKcon 2.0: ATT&CK Updates - Sightings; John Wunder, MITRE

MITRE - ATT&CKcon

Similar to MITRE ATT&CKcon 2.0: ATT&CK Updates - PRE-ATT&CK Integration; Adam Pennington, MITRE (20)

Emulating an Adversary with Imperfect Intelligence

ATT&CKing Your Adversaries - Operationalizing cyber intelligence in your own ...

MITRE ATT&CKcon 2.0: State of the ATT&CK; Blake Strom, MITRE

7 Things You Need to Know for Your Cloud-First Strategy

MITRE ATT&CKcon 2.0: ATT&CK Updates - ICS; Otis Alexander, MITRE

RH-ISAC Summit 2019 - Adam Pennington - Leveraging MITRE ATT&CK™ for Detectio...

ATT&CKing with Threat Intelligence

The As, Bs, and Four Cs of Testing Cloud-Native Applications

NetNordic_DDoS-War-Room_25-april-2019.pptx

Symantec Webinar | How to Detect Targeted Ransomware with MITRE ATT&CK

CipherCloud Webinar - Cloud Encryption & Tokenization 101

Conférence - Arbor Edge Defense, Première et dernière ligne de défense intell...

From Mirai to Monero – One Year’s Worth of Honeypot Data

Kondo-ing API Authorization

RH-ISAC Summit 2019 - Adam Pennington - Leveraging MITRE ATT&CK™ for Detectio...

apidays LIVE New York 2021 - Simplify Open Policy Agent with Styra DAS by Tim...

MITRE ATT&CKcon 2.0: ATT&CK Updates - Controls Mapping; Mike Long, MITRE

CSPA Keynote: BLOCKCHAIN for Enterprise

Slideshare.net rh-isac summit 2019 - adam pennington - leveraging mitre at ta...

MITRE ATT&CKcon 2.0: ATT&CK Updates - Sightings; John Wunder, MITRE

More from MITRE - ATT&CKcon

ATTACKers Think in Graphs: Building Graphs for Threat Intelligence

MITRE - ATT&CKcon

From MITRE ATT&CKcon Power Hour January 2021 By Valentine Mairet, Security Researcher, McAfee The MITRE ATT&CK framework is the industry standard to dissect cyberattacks into used techniques. At McAfee, all attack information is disseminated into different categories, including ATT&CK techniques. What results from this exercise is an extensive repository of techniques used in cyberattacks that goes back many years. Much can be learned from looking at historical attack data, but how can we piece all this information together to identify new relationships between threats and attacks? In her recent efforts, Valentine has embraced analyzing ATT&CK data in graphical representations. One lesson learned is that it is not just about merely mapping out attacks and techniques used into graphs, but the strength lies in applying different algorithms to answer specific questions. In this presentation, Valentine will showcase the results and techniques obtained from her research journey using graph and graph algorithms.

State of the ATTACK

MITRE - ATT&CKcon

From MITRE ATT&CKcon Power Hour January 2021 By Adam Pennington, ATT&CK Lead, MITRE Adam leads ATT&CK at The MITRE Corporation and collected much of the intelligence leveraged in creating ATT&CK’s initial techniques. He has spent much of his 12 years with MITRE studying and preaching the use of deception for intelligence gathering. Prior to joining MITRE, Adam was a researcher at Carnegie Mellon’s Parallel Data Lab and earned his BS and MS degrees in Computer Science and Electrical and Computer Engineering as well as the 2017 Alumni Service Award from Carnegie Mellon University. Adam has presented and published in a number of venues including FIRST CTI, USENIX Security and ACM Transactions on Information and System Security.

ATTACK-Onomics: Attacking the Economics Behind Techniques Used by Adversaries

MITRE - ATT&CKcon

From MITRE ATT&CKcon Power Hour January 2021 By Gert-Jan Bruggink, Defensive Specialist, FalconForce Adversaries are humans as well. They have objectives, deadlines and resources for programming. In a sense, very similar to corporations grounded in the economics of effort vs time vs results. Now understanding techniques is one thing, taking it a step further and understanding what the economic impact is of using certain techniques is another. Developing tools takes time. For example, developing a custom process injection module might take days or weeks to develop, where using an open source tool could prevent extensive development costs incurred. This talk explores the economic considerations for defending against techniques used by adversaries. It explores fundamental considerations all referenced to MITRE’s ATT&CK framework. The objective of this talk is to inspire defensive strategies designed to impact cost incurred by adversaries to perform compromises.

Measure What Matters: How to Use MITRE ATTACK to do the Right Things in the R...

MITRE - ATT&CKcon

From MITRE ATT&CKcon Power Hour January 2021 By Daniel Wyleczuk-Stern, Senior Security Engineer, Snowflake Cyber security is inherently a function of risk management. Risk management is the identification, evaluation, and prioritization of risks followed by the effort to reduce those risks in a coordinated and economical manner (thanks wikipedia!). In this talk, Daniel will be going over some strategies for measuring and prioritizing your cyber risks using MITRE ATT&CK. He'll discuss some lessons learned in atomic testing of techniques vs attack chaining as well as what to measure and how to make decisions with that data.

MITRE ATTACKcon Power Hour - January

MITRE - ATT&CKcon

Using ATTACK to Create Cyber DBTS for Nuclear Power Plants

MITRE - ATT&CKcon

From MITRE ATT&CKcon Power Hour December 2020 By Jacob Benjamin, Principal Industrial Consultant Dragos, INL, & University of Idaho Design Basis Threat (DBT) is concept introduced by the Nuclear Regulatory Commission (NRC). It is a profile of the type, composition, and capabilities of an adversary. DBT is the key input nuclear power plants use for the design of systems against acts of radiological sabotage and theft of special nuclear material. The NRC expects its licensees, nuclear power plants, to demonstrate that they can defend against the DBT. Currently, cyber is included in DBTs simply as a prescribed list of IT centric security controls. Using MITRE’s ATT&CK framework, Cyber DBTs can be created that are specific to the facility, its material, or adversary activities.

Sharpening your Threat-Hunting Program with ATTACK Framework

MITRE - ATT&CKcon

From MITRE ATT&CKcon Power Hour December 2020 By Hieu Tran, Threat Detection Team Lead FPT Cybersecurity Division No matter how sophisticated and thorough your security precautions may be, you cannot assume your security measures are impenetrable. This is why you need a threat hunting program in place. But how can we implement a proper threat hunting program and run it efficiently? In this talk, we will uncover how to sharpen your threat hunting strategy by leveraging ATT&CK. Ultimately, we’ll be demonstrating how effectively employing the hunting methodology in the real-world battlefield, fighting against well-known cyber espionage actors who strongly focus on Southeast Asian countries like Vietnam, the Philippines, Laos, and Cambodia.

Helping Small Companies Leverage CTI with an Open Source Threat Mapping

MITRE - ATT&CKcon

From MITRE ATT&CKcon Power Hour December 2020 By Valentina Palacín, Sr. Cyber Threat Intelligence Analyst No one can deny the tremendous impact that ATT&CK had on the cybersecurity industry, nor the usefulness of having a good Threat Library at your disposal. But the question Valentina gets asked over and over by people from small companies is always the same: “How could I leverage threat intelligence using ATT&CK with limited time and resources?” And so far, there hasn't been a good answer. That’s why she decided to come up with the Threat Mapping Catalogue (TMC), a tool that combines the power of the mappings already available in the ATT&CK website, TRAM and the ATT&CK Navigator, to better process, consume and incorporate new mappings while organizing them around different categories.

What's New with ATTACK for ICS?

MITRE - ATT&CKcon

From MITRE ATT&CKcon Power Hour December 2020 By Otis Alexander, Principal Cybersecurity Engineer, MITRE Otis Alexander is a Principal Cyber Security Engineer at the MITRE Corporation and has worked in the areas of security engineering and research, analytic development, and adversary modeling and emulation. Otis is a co-creator of ATT&CK for ICS and has been leading the project since its inception. He also leads an effort to bring MITRE ATT&CK Evaluations to ICS security vendors providing anomaly and threat detection solutions. He advocates for network and host visibility in operational technology environments to increase the situational awareness of defenders.

From Theory to Practice: How My ATTACK Perspectives Have Changed

MITRE - ATT&CKcon

From MITRE ATT&CKcon Power Hour December 2020 By Katie Nickels, Director of Intelligence, Red Canary Good analysts (and good human beings) change their minds based on new information. In this presentation, Katie will share how her perspectives on ATT&CK have changed since moving from ATT&CK team member to ATT&CK end-user. She will discuss how her ideas about coverage, procedures, and detection creation have evolved and why those perspectives matter. Katie will also share practical examples from observed threats to help explain the nuances of her perspectives. Attendees should expect to leave this presentation with a better understanding of how to handle challenges they’re likely to face when navigating their own ATT&CK journey.

Putting the PRE into ATTACK

MITRE - ATT&CKcon

From MITRE ATT&CKcon Power Hour November 2020 By: Jamie Williams, Lead Cyber Adversarial Engineer, MITRE Mike Hartley, Lead Cybersecurity Engineer, MITRE In this presentation from the MITRE ATT&CKcon Power Hour session on November 12, 2020 Jamie Williams and Mike Hartley from MITRE discuss the process for merging PRE-ATT&CK and adding two new tactics to Enterprise ATT&CK – Reconnaissance and Resource Development.

What's a MITRE with your Security?

MITRE - ATT&CKcon

From MITRE ATT&CKcon Power Hour November 2020 By Matt Snyder, Senior Threat Analytics Engineer, VMware The market for Security products is flooded with vendors offering all sorts of solutions, and organizations are spending a record amount of money defending their environments. Nevertheless, an increasing number of breaches are reported each year, resulting in organizations spending millions of dollars to remediate them. The Security industry responds with more products, all offering to stop the next breach, and the cycle continues. In this presentation from the MITRE ATT&CKcon Power Hour session on November 12, 2020, Matt discusses what VMware is doing internally to address this fundamental flaw in the Security industry and how they are leveraging the MITRE ATT&CK framework to reshape how we think about security.

ATTACKing the Cloud: Hopping Between the Matrices

MITRE - ATT&CKcon

From MITRE ATT&CKcon Power Hour November 2020 By Anthony Randazzo, Global Response Lead, Expel The team at Expel has been migrating to the cloud for the last 10 years, but as usual, security has lagged behind. Which means we don't have a comprehensive detection and response framework for cloud like we do with the Enterprise ATT&CK matrix. Cloud has evolved into a complex beast as technologies and concepts – like Infrastructure As Code, Containers, Kubernetes and so forth – have emerged. These new attack surfaces have been added that introduce additional challenges to detection and response in our cloud environments. We don't know what we don't know about attack life cycles in the cloud. In this presentation from the MITRE ATT&CKcon Power Hour session on November 12, 2020, Anthony shares some interesting lessons learned so far when it comes to finding bad guys in the cloud.

Mapping the EventBot Mobile Banking Trojan with MITRE ATTACK for Mobile

MITRE - ATT&CKcon

From MITRE ATT&CKcon Power Hour November 2020 By Allie Mellen, Security Strategist, Office of the CSO, Cybereason In this presentation from the MITRE ATT&CKcon Power Hour session on November 12, Allie discusses how the Cybereason research team uses both MITRE ATT&CK and MITRE ATT&CK for Mobile to map and communicate new malware to the larger security community. Teams use the MITRE ATT&CK framework to share techniques, tactics, and procedures with their team and the community at large. This knowledge base has been incredibly beneficial for the development of specific threat models and methodologies in the private sector, in government, and in the cybersecurity product and service community. Many of these uses have centered around traditional endpoints like laptops and workstations. However, the MITRE ATT&CK team has also created a cutting-edge portion of their framework: MITRE ATT&CK for Mobile. One of the most recent pieces of malware they have found is EventBot, a mobile banking trojan that targets Android devices and the financial services applications on them, including popular apps like Paypal Business, Revolut, Barclays, UniCredit, CapitalOne UK, HSBC UK, Santander UK, TransferWise, Coinbase, paysafecard, and many more. In this talk, learn about this specific attack, intended targets, a timeline of the attack, and the MITRE ATT&CK for Mobile mapping. Learn why the Cybereason team map to MITRE ATT&CK and MITRE ATT&CK for Mobile and what benefits it has given them and their interactions with the community.

Transforming Adversary Emulation Into a Data Analysis Question

MITRE - ATT&CKcon

From MITRE ATT&CKcon Power Hour October 2020 By Matan Hart, Co-Founder & CEO Cymptom @machosec Adversary emulation is commonly used to validate security controls and is considered one of the most popular use-cases for the ATT&CK framework. However, emulating adversary TTPs on production environments is often very limited in testing scope and frequency, and such practice may cause unwanted business disruption. In this talk from the MITRE ATT&CKcon Power Hour session on October 9, 2020, Hart presents a different approach to testing controls against ATT&CK. He demonstrates how it is possible to provide data-based methods to evaluate the exploitability of ATT&CK techniques by gathering information from the network, endpoint, and services; this unique approach does not emulate any sort of malicious action, thus reducing the potential of causing business disruption to the minimum. Hart also outlines a new open-source guideline based on ATT&CK mitigations, that security teams can use to assess their security posture non-intrusively and at scale.

TA505: A Study of High End Big Game Hunting in 2020

MITRE - ATT&CKcon

From MITRE ATT&CKcon Power Hour October 2020 By Brandon Levene, Head of Applied Intelligence Google, @seraphimdomain Opportunistically targeted ransomware deployments, aka Big Game Hunting (BGH), have caused a distinct disruption in the mechanics of monetizing crimeware compromises. This strategy has become the “end game” for the majority of organized cybercrime organizations, and one effect of this shift is the increased emphasis on enterprise-level targets. In this talk from the MITRE ATT&CKCon Power Hour session on October 9, 2020, Levene walks us through research about how a specific BGH threat actor pursues entry points, gains its foothold, pivots, and deploys payloads to maximize their financial gains with minimal effort - and infrastructure! You’ll walk away with an understanding of the latest BGH TTPs seen in enterprise environments, and how they map to the ATT&CK framework so you can build this research into your threat detection strategy and enhance your defenses.

Using MITRE PRE-ATTACK and ATTACK in Cybercrime Education and Research

MITRE - ATT&CKcon

From MITRE ATT&CKcon Power Hour October 2020 By: Aunshul Rege, Associate Professor, Temple University, @prof_rege Rachel Bleiman, PhD Student/NSF Graduate Research Assistant, Temple University, @rab1928 This presentation from the MITRE ATT&CKcon Power Hour session on October 9, 2020, explores the application of the MITRE ATT&CK® and PRE-ATT&CK matrices in cybercrime education and research. Specifically, Rege and Bleiman demonstrate the mapping of the PRE-ATT&CK matrix to social engineering case studies as an experiential learning project in an upper-level cybercrime liberal arts course. It thus allows students to understand the alignment process of threat intelligence to the PRE-ATT&CK framework and also learn about its usefulness/limitations. The talk also discusses the mapping of the ATT&CK matrix, tactics, techniques, software, and groups for two cybercrime datasets created by collating publicly disclosed incidents: (i) critical infrastructure ransomware (CIRW) incidents, and (ii) social engineering (SE) incidents. For the CIRW dataset, 39% of the strains mapped onto the ATT&CK software. For the SE dataset, 49% of the groups and 65% of the techniques map on to the MITRE framework. This helps the researchers identify the framework's usefulness/limitations and also helps our datasets connect to richer information that may not otherwise be available in the publicly disclosed incidents.

What's New with ATTACK for Cloud?

MITRE - ATT&CKcon

From MITRE ATT&CKcon Power Hour October 2020 By Jen Burns, Lead Cybersecurity Engineer, MITRE, @snarejen Jen Burns is a Lead Cybersecurity Engineer at MITRE and the Lead for MITRE ATT&CK® for Cloud. She’s also a red team developer and lead for ATT&CK Evaluations, using her skills in software engineering and adversary emulation. Previously, she was a tech lead at HubSpot on the Infrastructure Security team where she focused on red teaming and building detections in the cloud environment. This presentation is from the MITRE ATT&CKcon Power Hour session held on October 9, 2020.

Starting Over with Sub-Techniques

MITRE - ATT&CKcon

From MITRE ATT&CKcon Power Hour - October By Brian Donohue, Security Evangelist, Red Canary, @thebriandonohue In early 2018, Red Canary adopted MITRE ATT&CK as the common language that they would use to categorize threats, measure detection coverage, and communicate about malicious behaviors. In the intervening years, they’ve relied on the framework to develop open source tools like Atomic Red Team and help security teams prioritize their defensive efforts with blogs and our annual Threat Detection Report. In early 2020, MITRE announced that ATT&CK would be expanding its original taxonomy of tactics and techniques to include sub-techniques. In the months that followed MITRE's announcement, Red Canary’s research, intelligence, and detection engineering teams painstakingly remapped their library of thousands of behavioral analytics to sub-techniques. In doing so, they improved their correlational logic, experimented with the idea of conditional technique mapping, and, unfortunately, rendered the 2020 Threat Detection Report out-of-date. In this talk from the MITRE ATT&CKcon Power Hour session on October 9, 2020, Brian discusses how refactoring for sub-techniques offered us the opportunity to apply all the lessons learned in more than two years of operationalizing ATT&CK. He also explores how Red Canary has remodeled its ATT&CK mapping to allow for added flexibility and human input and shows what happens when the Red Canary applied their new sub-technique mappings to the 2020 Threat Detection Report.

MITRE ATTACKCon Power Hour - December

MITRE - ATT&CKcon

More from MITRE - ATT&CKcon (20)

ATTACKers Think in Graphs: Building Graphs for Threat Intelligence

State of the ATTACK

ATTACK-Onomics: Attacking the Economics Behind Techniques Used by Adversaries

Measure What Matters: How to Use MITRE ATTACK to do the Right Things in the R...

MITRE ATTACKcon Power Hour - January

Using ATTACK to Create Cyber DBTS for Nuclear Power Plants

Sharpening your Threat-Hunting Program with ATTACK Framework

Helping Small Companies Leverage CTI with an Open Source Threat Mapping

What's New with ATTACK for ICS?

From Theory to Practice: How My ATTACK Perspectives Have Changed

Putting the PRE into ATTACK

What's a MITRE with your Security?

ATTACKing the Cloud: Hopping Between the Matrices

Mapping the EventBot Mobile Banking Trojan with MITRE ATTACK for Mobile

Transforming Adversary Emulation Into a Data Analysis Question

TA505: A Study of High End Big Game Hunting in 2020

Using MITRE PRE-ATTACK and ATTACK in Cybercrime Education and Research

What's New with ATTACK for Cloud?

Starting Over with Sub-Techniques

MITRE ATTACKCon Power Hour - December

Recently uploaded

Accelerate your Kubernetes clusters with Varnish Caching

Thijs Feryn

Mission to Decommission: Importance of Decommissioning Products to Increase E...

Product School

Knowledge engineering: from people to machines and back

Elena Simperl

State of ICS and IoT Cyber Threat Landscape Report 2024 preview

Prayukth K V

The IoT and OT threat landscape report has been prepared by the Threat Research Team at Sectrio using data from Sectrio, cyber threat intelligence farming facilities spread across over 85 cities around the world. In addition, Sectrio also runs AI-based advanced threat and payload engagement facilities that serve as sinks to attract and engage sophisticated threat actors, and newer malware including new variants and latent threats that are at an earlier stage of development. The latest edition of the OT/ICS and IoT security Threat Landscape Report 2024 also covers: State of global ICS asset and network exposure Sectoral targets and attacks as well as the cost of ransom Global APT activity, AI usage, actor and tactic profiles, and implications Rise in volumes of AI-powered cyberattacks Major cyber events in 2024 Malware and malicious payload trends Cyberattack types and targets Vulnerability exploit attempts on CVEs Attacks on counties – USA Expansion of bot farms – how, where, and why In-depth analysis of the cyber threat landscape across North America, South America, Europe, APAC, and the Middle East Why are attacks on smart factories rising? Cyber risk predictions Axis of attacks – Europe Systemic attacks in the Middle East Download the full report from here: https://sectrio.com/resources/ot-threat-landscape-reports/sectrio-releases-ot-ics-and-iot-security-threat-landscape-report-2024/

Bits & Pixels using AI for Good.........

Alison B. Lowndes

Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...

Ramesh Iyer

In today's fast-changing business world, Companies that adapt and embrace new ideas often need help to keep up with the competition. However, fostering a culture of innovation takes much work. It takes vision, leadership and willingness to take risks in the right proportion. Sachin Dev Duggal, co-founder of Builder.ai, has perfected the art of this balance, creating a company culture where creativity and growth are nurtured at each stage.

Encryption in Microsoft 365 - ExpertsLive Netherlands 2024

Albert Hoitingh

To Graph or Not to Graph Knowledge Graph Architectures and LLMs

Paul Groth

FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf

FIDO Alliance

GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...

James Anderson

Effective Application Security in Software Delivery lifecycle using Deployment Firewall and DBOM The modern software delivery process (or the CI/CD process) includes many tools, distributed teams, open-source code, and cloud platforms. Constant focus on speed to release software to market, along with the traditional slow and manual security checks has caused gaps in continuous security as an important piece in the software supply chain. Today organizations feel more susceptible to external and internal cyber threats due to the vast attack surface in their applications supply chain and the lack of end-to-end governance and risk management. The software team must secure its software delivery process to avoid vulnerability and security breaches. This needs to be achieved with existing tool chains and without extensive rework of the delivery processes. This talk will present strategies and techniques for providing visibility into the true risk of the existing vulnerabilities, preventing the introduction of security issues in the software, resolving vulnerabilities in production environments quickly, and capturing the deployment bill of materials (DBOM). Speakers: Bob Boule Robert Boule is a technology enthusiast with PASSION for technology and making things work along with a knack for helping others understand how things work. He comes with around 20 years of solution engineering experience in application security, software continuous delivery, and SaaS platforms. He is known for his dynamic presentations in CI/CD and application security integrated in software delivery lifecycle. Gopinath Rebala Gopinath Rebala is the CTO of OpsMx, where he has overall responsibility for the machine learning and data processing architectures for Secure Software Delivery. Gopi also has a strong connection with our customers, leading design and architecture for strategic implementations. Gopi is a frequent speaker and well-known leader in continuous delivery and integrating security into software delivery.

Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf

91mobiles

Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...

Jeffrey Haguewood

Sidekick Solutions uses Bonterra Impact Management (fka Social Solutions Apricot) and automation solutions to integrate data for business workflows. We believe integration and automation are essential to user experience and the promise of efficient work through technology. Automation is the critical ingredient to realizing that full vision. We develop integration products and services for Bonterra Case Management software to support the deployment of automations for a variety of use cases. This video focuses on the notifications, alerts, and approval requests using Slack for Bonterra Impact Management. The solutions covered in this webinar can also be deployed for Microsoft Teams. Interested in deploying notification automations for Bonterra Impact Management? Contact us at sales@sidekicksolutionsllc.com to discuss next steps.

Key Trends Shaping the Future of Infrastructure.pdf

Cheryl Hung

Leading Change strategies and insights for effective change management pdf 1.pdf

OnBoard

When stars align: studies in data quality, knowledge graphs, and machine lear...

Elena Simperl

Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024

Tobias Schneck

As AI technology is pushing into IT I was wondering myself, as an “infrastructure container kubernetes guy”, how get this fancy AI technology get managed from an infrastructure operational view? Is it possible to apply our lovely cloud native principals as well? What benefit’s both technologies could bring to each other? Let me take this questions and provide you a short journey through existing deployment models and use cases for AI software. On practical examples, we discuss what cloud/on-premise strategy we may need for applying it to our own infrastructure to get it to work from an enterprise perspective. I want to give an overview about infrastructure requirements and technologies, what could be beneficial or limiting your AI use cases in an enterprise environment. An interactive Demo will give you some insides, what approaches I got already working for real.

Assuring Contact Center Experiences for Your Customers With ThousandEyes

ThousandEyes

How world-class product teams are winning in the AI era by CEO and Founder, P...

Product School

Epistemic Interaction - tuning interfaces to provide information for AI support

Alan Dix

Paper presented at SYNERGY workshop at AVI 2024, Genoa, Italy. 3rd June 2024 https://alandix.com/academic/papers/synergy2024-epistemic/ As machine learning integrates deeper into human-computer interactions, the concept of epistemic interaction emerges, aiming to refine these interactions to enhance system adaptability. This approach encourages minor, intentional adjustments in user behaviour to enrich the data available for system learning. This paper introduces epistemic interaction within the context of human-system communication, illustrating how deliberate interaction design can improve system understanding and adaptation. Through concrete examples, we demonstrate the potential of epistemic interaction to significantly advance human-computer interaction by leveraging intuitive human communication strategies to inform system design and functionality, offering a novel pathway for enriching user-system engagements.

DevOps and Testing slides at DASA Connect

Kari Kakkonen

Recently uploaded (20)

Accelerate your Kubernetes clusters with Varnish Caching

Mission to Decommission: Importance of Decommissioning Products to Increase E...

Knowledge engineering: from people to machines and back

State of ICS and IoT Cyber Threat Landscape Report 2024 preview

Bits & Pixels using AI for Good.........

Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...

Encryption in Microsoft 365 - ExpertsLive Netherlands 2024

To Graph or Not to Graph Knowledge Graph Architectures and LLMs

FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf

GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...

Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf

Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...

Key Trends Shaping the Future of Infrastructure.pdf

Leading Change strategies and insights for effective change management pdf 1.pdf

When stars align: studies in data quality, knowledge graphs, and machine lear...

Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024

Assuring Contact Center Experiences for Your Customers With ThousandEyes

How world-class product teams are winning in the AI era by CEO and Founder, P...

Epistemic Interaction - tuning interfaces to provide information for AI support

DevOps and Testing slides at DASA Connect

MITRE ATT&CKcon 2.0: ATT&CK Updates - PRE-ATT&CK Integration; Adam Pennington, MITRE

1. ©2019 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for public release. Distribution unlimited 19-01075- MITRE | 1 | PRE-ATT&CK Integration Adam Pennington @_whatshisface ©2019 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for public release. Distribution unlimited 19-01075-13. @MITREattack #ATTACKcon

2. ©2019 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for public release. Distribution unlimited 19-01075-13. PRE-ATT&CK Recon Weaponize Deliver Exploit Control Execute Maintain Enterprise ATT&CKPRE-ATT&CK | 2 |

5. ©2019 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for public release. Distribution unlimited 19-01075-13. PRE’s Place in the Adversary Lifecycle Recon Weaponize Deliver Exploit Control Execute Maintain Enterprise ATT&CKPRE-ATT&CK | 5 |

6. ©2019 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for public release. Distribution unlimited 19-01075-13. PRE’s Place in the Adversary Lifecycle Recon Weaponize Deliver Exploit Control Execute Maintain Enterprise ATT&CKPRE-ATT&CK | 6 | Intel Planning

7. ©2019 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for public release. Distribution unlimited 19-01075-13. How do we scope techniques? | 7 | Technical Visible to some defenders Evidence of adversary use

10. ©2019 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for public release. Distribution unlimited 19-01075-13. <DRAFT>Reconnaissance</DRAFT> • Gather victim identity information • Credentials • Email addresses • Employee names • Gather victim network information • Domain properties • DNS • Network trust dependencies • Network topology • IP addresses • Firewall • NIDS • Gather victim host information • Hardware • Software • Firmware • Client configurations • Search open websites/domains • Social media • Search engines • Search victim-owned websites • Active Scanning • Scanning IP blocks • Vulnerability scanning • Search open technical databases • Whois • DNS/passive DNS • TLS certs • CDNs • Scans databases • Search closed databases • Threat intel vendors • Paid versions of open databases • Spearphishing for Information • Service • Attachment • Link | 10 | Tactic and Technique names/list are draft and subject to change

11. ©2019 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for public release. Distribution unlimited 19-01075-13. <DRAFT>Resource Development</DRAFT> • Buy/Acquire Infrastructure • Domains • DNS • VPS/Cloud VM • Server • Botnet • Web services • Compromise Infrastructure • Domains • DNS • VPS/Cloud VMs • Server • Botnet • Web services • Create Accounts • Social Media • Email accounts • Compromise Accounts • Social Media • Email accounts • Develop Capabilities (Build) • Malware • Software • SSL certs • Vulnerabilities • Exploits • Acquire Capabilities (Buy or steal) • Malware • Software • SSL certs • Software certs • Vulnerabilities • Exploits | 11 | Tactic and Technique names/list are draft and subject to change

MITRE ATT&CKcon 2.0: ATT&CK Updates - PRE-ATT&CK Integration; Adam Pennington, MITRE

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Similar to MITRE ATT&CKcon 2.0: ATT&CK Updates - PRE-ATT&CK Integration; Adam Pennington, MITRE

Similar to MITRE ATT&CKcon 2.0: ATT&CK Updates - PRE-ATT&CK Integration; Adam Pennington, MITRE (20)

More from MITRE - ATT&CKcon

More from MITRE - ATT&CKcon (20)

Recently uploaded

Recently uploaded (20)

MITRE ATT&CKcon 2.0: ATT&CK Updates - PRE-ATT&CK Integration; Adam Pennington, MITRE