MITRE ATT&CKcon 2.0: ATT&CK Updates - Cyber Analytics Repository (CAR); Ivan Kirillov, MITRE

•

5 likes•973 views

The document summarizes the Cyber Analytics Repository (CAR), an openly available repository of ATT&CK-driven analytics maintained by MITRE. CAR contains analytics for detecting adversary tactics and techniques, mappings of analytics to sensors, and an exploration tool. Recent work has focused on increasing quality and usability by adding new analytics, converting analytics to a machine-readable format, and supporting multiple implementations. Future goals include expanding coverage of ATT&CK techniques, updating the data model and sensor coverage, and improving the analytic exploration tool. The document encourages contributions of new analytics to CAR.

©2019 The MITRE Corporation. All rights reserved. Approved for public release. Distribution unlimited 18-03621-8.
MITRE
| 1 |
Cyber Analytics Repository
Ivan Kirillov
(too cool for Twitter)
© 2019 The MITRE Corporation. All rights reserved. Approved for public release. Distribution unlimited 18-03730-17
@MITREattack
#ATTACKcon

| 2 |
https://car.mitre.org/
© 2019 The MITRE Corporation. All rights reserved. Approved for public release. Distribution unlimited 18-03730-17

Cyber Analytics Repository (CAR)
| 3 |
▪ ATT&CK-driven, actively maintained repository of open source analytics
– Also includes a data model, mappings to sensors, and an exploration tool (CARET)
▪ Recent work has focused on increasing quality and usability
– Adding new analytics
– Converting analytics to a structured, machine-parseable format (YAML)
– Supporting multiple implementations (e.g., Splunk, Sigma) for each analytic
© 2019 The MITRE Corporation. All rights reserved. Approved for public release. Distribution unlimited 18-03730-17

CAR – But wait, there’s more!
| 4 |
▪ BZAR: Bro/Zeek ATT&CK-based Analytics and Reporting
– A set of Bro/Zeek scripts utilizing the SMB and DCE-RPC protocol analyzers to
detect several network-specific ATT&CK techniques
▪ Data model updates
– Updates to process object model to account for newer analytics/EDR tools
▪ Tweaks to ATT&CK coverage for better accuracy
© 2019 The MITRE Corporation. All rights reserved. Approved for public release. Distribution unlimited 18-03730-17

CAR – ATT&CK Coverage
| 5 |
As of October 2019
https://github.com/mitre-attack/car/blob/master/docs/car_attack/car_attack.json
© 2019 The MITRE Corporation. All rights reserved. Approved for public release. Distribution unlimited 18-03730-17

CAR – Future Goals
| 6 |
▪ New Analytics
– Better coverage of top ATT&CK
Techniques
– Analytic “Building Blocks”
▪ Data Model Updates
– More network-based modeling –
especially Layer 7
– Updates based on Sysmon and
other EDR tools
▪ Analytic “Baseball Cards”
– Summary with critical info
(description, coverage, techniques
involved, etc.)
▪ Updates to Sensor Coverage
– Site currently has Sysmon 3.2
(2016 says hi!)
– YAML for sensors
▪ CARET Refactoring
▪ ATT&CK Coverage Redux
– Per-implementation coverage &
capturing ease of evasion
© 2019 The MITRE Corporation. All rights reserved. Approved for public release. Distribution unlimited 18-03730-17

We want your analytics!
| 7 |
▪ Submit an issue on GitHub: https://github.com/mitre-attack/car/issues
▪ Out of the new analytics we’ve added this year, 50% were user-
contributed. Special thanks to:
– Meric Degirmenci // IBM
– Kaushal Parikh // Cyware Labs
– Tony Lambert // Red Canary
© 2019 The MITRE Corporation. All rights reserved. Approved for public release. Distribution unlimited 18-03730-17

CAR Resources
| 8 |
▪ CAR Resources:
– Main site: https://car.mitre.org/
– YAML-ized analytics: https://github.com/mitre-attack/car/tree/master/analytics
– BZAR: https://github.com/mitre-attack/car/tree/master/implementations/bzar
– And remember…
© 2019 The MITRE Corporation. All rights reserved. Approved for public release. Distribution unlimited 18-03730-17

| 9 |
attack@mitre.org
@MITREattack
#ATTACKcon
Ivan Kirillov
ikirillov@mitre.org
© 2019 The MITRE Corporation. All rights reserved. Approved for public release. Distribution unlimited 18-03730-17

From MITRE ATT&CKcon Power Hour December 2020 By Katie Nickels, Director of Intelligence, Red Canary Good analysts (and good human beings) change their minds based on new information. In this presentation, Katie will share how her perspectives on ATT&CK have changed since moving from ATT&CK team member to ATT&CK end-user. She will discuss how her ideas about coverage, procedures, and detection creation have evolved and why those perspectives matter. Katie will also share practical examples from observed threats to help explain the nuances of her perspectives. Attendees should expect to leave this presentation with a better understanding of how to handle challenges they’re likely to face when navigating their own ATT&CK journey.

FIRST CTI Symposium: Turning intelligence into action with MITRE ATT&CK™

Katie Nickels

MITRE ATT&CKcon 2.0: State of the ATT&CK; Blake Strom, MITRE

MITRE - ATT&CKcon

Purple Teaming with ATT&CK - x33fcon 2018

Christopher Korban

MITRE ATT&CKcon 2018: Hunters ATT&CKing with the Data, Roberto Rodriguez, Spe...

MITRE - ATT&CKcon

With the development of the MITRE ATT&CK framework and its categorization of adversary activity during the attack cycle, understanding what to hunt for has become easier and more efficient than ever. However, organizations are still struggling to understand how they can prioritize the development of hunt hypothesis, assess their current security posture, and develop the right analytics with the help of ATT&CK. Even though there are several ways to utilize ATT&CK to accomplish those goals, there are only a few that are focusing primarily on the data that is currently being collected to drive the success of a hunt program. This presentation shows how organizations can benefit from mapping their current visibility from a data perspective to the ATT&CK framework. It focuses on how to identify, document, standardize and model current available data to enhance a hunt program. It presents an updated ThreatHunter-Playbook, a Kibana ATT&CK dashboard, a new project named Open Source Security Events Metadata known as OSSEM and expands on the “data sources” section already provided by ATT&CK on most of the documented adversarial techniques.

Projects to Impact- Operationalizing Work from the Center

MITRE ATT&CK

MITRE ATT&CKcon 2.0: Prioritizing ATT&CK Informed Defenses the CIS Way; Phili...

MITRE - ATT&CKcon

MITRE ATT&CKcon 2.0: ATT&CK Updates - PRE-ATT&CK Integration; Adam Pennington...

MITRE - ATT&CKcon

From ATT&CKcon 3.0 By Brian Donohue, Red Canary This presentation will highlight the Atomic Red Team project's efforts to define and increase the test coverage of MITRE ATT&CK techniques. We'll describe the challenges we encountered in defining what "coverage" means in the context of an ATT&CK-based framework, and how to use that definition to improve an open source project that's used by a diverse audience of practitioners to satisfy an equally diverse array of needs. The audience will learn how the Atomic Red Team maintainers standardize and categorize atomic tests, perform gap analysis to achieve deep technique-level coverage and broad matrix-level coverage, and quickly fill those gaps with new tests.

State of the ATTACK

MITRE - ATT&CKcon

From MITRE ATT&CKcon Power Hour January 2021 By Adam Pennington, ATT&CK Lead, MITRE Adam leads ATT&CK at The MITRE Corporation and collected much of the intelligence leveraged in creating ATT&CK’s initial techniques. He has spent much of his 12 years with MITRE studying and preaching the use of deception for intelligence gathering. Prior to joining MITRE, Adam was a researcher at Carnegie Mellon’s Parallel Data Lab and earned his BS and MS degrees in Computer Science and Electrical and Computer Engineering as well as the 2017 Alumni Service Award from Carnegie Mellon University. Adam has presented and published in a number of venues including FIRST CTI, USENIX Security and ACM Transactions on Information and System Security.

Global Cyber Threat Intelligence

NTT Innovation Institute Inc.

Recently, NTT published the Global Threat Intelligence Report 2016 (GTIR). This year’s report focused both on the changes in threat trends and on how security organizations around the world can use the kill chain to help defend the enterprise. Turning threat intelligence data from multiple sources into actionable, contextual information is a challenge faced by many organizations today. The Global Threat Intelligence Platform provides increased efficiency, reduces risks and focuses on global coverage with accurate and up-to-date threat intelligence. This presentation was given at Carnegie Mellon University by Kenji Takahashi, VP of Product Management, Security at NTT Innovation Institute.

ATT&CK Updates- Campaigns

MITRE ATT&CK

ATT&CKing the Red/Blue Divide

MITRE ATT&CK

From ATT&CKcon 3.0 By Fred Frey and Jonathan Mulholland, SnapAttack Atomic Red Team and Sigma are the largest open-source attack simulation and analytic projects. Many organizations utilize one or both internally for security controls validation or supplementing their detections and alerts. Building on the work from these two great communities, we smashed (scientific-term) the attacks and analytics together and applied data science to analyze the results. We'll describe our methodology and testing framework, show the real-world MITRE ATT&CK coverage and gaps, discuss our algorithms for calculating analytic similarity, identifying log sources for a technique, and determining the best analytics to deploy that maximizes ATT&CK coverage. This project aims to: - Bring a measurable testing rigor to community analytics to improve adoption - Test every analytic against every attack, validating the true positive detection - Understand the log sources required to detect specific attack techniques - Apply data science to identify analytic similarity (reduce community duplication) - Identify gaps between the projects' analytics without attack simulations; attack simulations without detections; missing or incorrect MITRE ATT&CK labels, etc - Automate the process so insights can stay up to date with new attack/analytic contributions over time - Share our analysis back to the community to improve these projects

Knowledge for the masses: Storytelling with ATT&CK

MITRE ATT&CK

From ATT&CKcon 3.0 By Ismael Valenzuela and Jose Luis Sanchez Martinez, Trellix The Trellix team believes that creating and sharing compelling stories about cyber threats -with ATT&CK- is a powerful way for raising awareness and enabling actionability against cyber threats. In this talk the team will share their experiences leveraging ATT&CK to disseminate Threat knowledge to different audiences (Software Development teams, Managers, Threat detection engineers, Threat hunters, Cyber Threat Analysts, Support Engineers, upper management, etc.). They will show concrete examples and representations created with ATT&CK to describe the threats at different levels, including: 1) an Attack Path graph that shows the overall flow of the attack; 2) Tactic-specific TTP summary tables and graphs; 3) very detailed, step-by-step description of the attacker's behaviors.

It's just a jump to the left (of boom): Prioritizing detection implementation...

MITRE ATT&CK

From ATT&CKcon 3.0 By Lindsay Kaye and Scott Small, Recorded Future Many organizations ask: "Where do I start, and where do I go next" when prioritizing implementation of behavior-based detections? We often hear "use threat intelligence!" but your goals must be qualified and quantified in order to properly prioritize the most relevant TTPs. A wealth of open-sourced, ATT&CK-mapped resources now exists, giving security teams greater access to both detections and red team tests they can implement, but intelligence (also aligned with ATT&CK), is essential to provide necessary context to ensure that detection efforts are focused effectively. This session will discuss a new approach to the prioritization challenge, starting with an analysis of the current defensive landscape, as measured by ATT&CK coverage for more than a dozen detection repositories and technologies, and guidance on sourcing TTP intelligence. The team will then show how real-world defensive strategies can be strengthened by encompassing a full-spectrum view of threat detection, including the implementation of YARA, Sigma, and Snort in security appliances. Critically, alignment of both intelligence and defenses with ATT&CK enables defenders to move the focus of detection efforts to indications of malicious behavior before the final payload is deployed, where controls are most effective at preventing serious damage to the organization.

Landing on Jupyter: The transformative power of data-driven storytelling for ...

MITRE ATT&CK

From ATT&CKcon 3.0 By Jose Barajas and Stephan Chenette, AttackIQ Every cybersecurity leader wants visibility into the health of their security program. Yet teams suffer with disparate data streams - CTI teams and the SOC often use separate Excel spreadsheets, an anachronistic practice - and silos constrain their ability to operate effectively. Enter the Jupyter notebook, an open-source computational notebook that researchers use to combine code, computing output, text, and media into a single interface. In this talk, we share three stories of how organizations use Jupyter notebooks to align ATT&CK-based attack flows to the security program, generating data about detection and prevention failures, defensive gaps, and longitudinal performance. By using Jupyter notebooks in this way, teams can better leverage ATT&CK for security effectiveness. It becomes less of a bingo card and more of a strategic tool for understanding the health of the program against big tactics (I.e., lateral movement), defensive gaps (I.e., micro-segmentation), and the team's performance.

Putting MITRE ATT&CK into Action with What You Have, Where You Are

Katie Nickels

Cyber Threat Intelligence

mohamed nasri

MITRE ATT&CKcon 2.0: ATT&CK Updates - TRAM; Jackie Lasky and Sarah Yoder, MITRE

MITRE - ATT&CKcon

Measure What Matters: How to Use MITRE ATTACK to do the Right Things in the R...

MITRE - ATT&CKcon

From MITRE ATT&CKcon Power Hour January 2021 By Daniel Wyleczuk-Stern, Senior Security Engineer, Snowflake Cyber security is inherently a function of risk management. Risk management is the identification, evaluation, and prioritization of risks followed by the effort to reduce those risks in a coordinated and economical manner (thanks wikipedia!). In this talk, Daniel will be going over some strategies for measuring and prioritizing your cyber risks using MITRE ATT&CK. He'll discuss some lessons learned in atomic testing of techniques vs attack chaining as well as what to measure and how to make decisions with that data.

Mapping ATT&CK Techniques to ENGAGE Activities

MITRE ATT&CK

From ATT&CKcon 3.0 By David Barroso, CounterCraft When an adversary engages in a specific behavior, they are vulnerable to expose an unintended weakness. By looking at each ATT&CK technique, we can examine the weaknesses revealed and identify an engagement activity or activities to exploit this weakness. During the presentation we will see some real examples of how we can use different ATT&CK techniques in order to plan different adversary engagement activities.

Cyber Threat Intelligence

Prachi Mishra

The ATT&CK Latin American APT Playbook

MITRE ATT&CK

From ATT&CKcon 3.0 By Santiago Pontiroli and Dmitry Bestuzhev, Kaspersky Financially motivated cyber-attacks thrive in emerging Latin American markets. However, there's room for locally grown threat actors operating in the cyber espionage field as well. During the last decade, this includes but is not limited to Blind Eagle, Puppeteer, Machete, Poseidon, and others. We also saw foreign operations targeting specific assets in Latin America, still connected to certain regional sources. Since the threat actors' origin, culture, and language is often different, it's not uncommon for tactics, techniques, and procedures (TTPs) to present marked differences. As a result of our regional expertise and experience, we created MITRE's ATT&CK play-by-play mappings to help other analysts understand regional actors. If you are interested in threat intelligence and what's going on in Latin America, this presentation is for you. Our work is based only on real-world attackers and their operations, including those not publicly known, such as COVID-19 Machete's targeted campaign.

Cyber threat Intelligence and Incident Response by:-Sandeep Singh

OWASP Delhi

Cyber Threat hunting workshop

Arpan Raval

Adversary Emulation - Red Team Village - Mayhem 2020

Jorge Orchilles

Presentation at DEF CON Red Team Village - Mayhem Virtual Summit 2020 Adversary Emulation - Red Team emulating APT19 with Empire3 and Starkiller Connect: https://twitter.com/jorgeorchilles https://twitter.com/c2_matrix References: https://mitre-attack.github.io/attack-navigator/enterprise/ https://attack.mitre.org/groups/G0073/ https://www.thec2matrix.com/ https://howto.thec2matrix.com/slingshot-c2-matrix-edition https://howto.thec2matrix.com/c2/empire#red-team-village-mayhem-demo-of-apt19 https://vectr.io/ https://www.scythe.io/

State of the ATT&CK

MITRE ATT&CK

Evolution of Offensive Testing - ATT&CK-based Adversary Emulation Plans

Christopher Korban

MITRE ATT&CKcon 2.0: ATT&CK Updates - Controls Mapping; Mike Long, MITRE

MITRE - ATT&CKcon

Cosmi cjuin sig2018

Charles Symons

What's hot

What is ATT&CK coverage, anyway? Breadth and depth analysis with Atomic Red Team

MITRE ATT&CK

State of the ATTACK

MITRE - ATT&CKcon

Global Cyber Threat Intelligence

NTT Innovation Institute Inc.

ATT&CK Updates- Campaigns

MITRE ATT&CK

ATT&CKing the Red/Blue Divide

MITRE ATT&CK

Knowledge for the masses: Storytelling with ATT&CK

MITRE ATT&CK

It's just a jump to the left (of boom): Prioritizing detection implementation...

MITRE ATT&CK

Landing on Jupyter: The transformative power of data-driven storytelling for ...

MITRE ATT&CK

Putting MITRE ATT&CK into Action with What You Have, Where You Are

Katie Nickels

Cyber Threat Intelligence

mohamed nasri

MITRE ATT&CKcon 2.0: ATT&CK Updates - TRAM; Jackie Lasky and Sarah Yoder, MITRE

MITRE - ATT&CKcon

Measure What Matters: How to Use MITRE ATTACK to do the Right Things in the R...

MITRE - ATT&CKcon

Mapping ATT&CK Techniques to ENGAGE Activities

MITRE ATT&CK

Cyber Threat Intelligence

Prachi Mishra

The ATT&CK Latin American APT Playbook

MITRE ATT&CK

Cyber threat Intelligence and Incident Response by:-Sandeep Singh

OWASP Delhi

Cyber Threat hunting workshop

Arpan Raval

Adversary Emulation - Red Team Village - Mayhem 2020

Jorge Orchilles

State of the ATT&CK

MITRE ATT&CK

Evolution of Offensive Testing - ATT&CK-based Adversary Emulation Plans

Christopher Korban

What's hot (20)

What is ATT&CK coverage, anyway? Breadth and depth analysis with Atomic Red Team

State of the ATTACK

Global Cyber Threat Intelligence

ATT&CK Updates- Campaigns

ATT&CKing the Red/Blue Divide

Knowledge for the masses: Storytelling with ATT&CK

It's just a jump to the left (of boom): Prioritizing detection implementation...

Landing on Jupyter: The transformative power of data-driven storytelling for ...

Putting MITRE ATT&CK into Action with What You Have, Where You Are

Cyber Threat Intelligence

MITRE ATT&CKcon 2.0: ATT&CK Updates - TRAM; Jackie Lasky and Sarah Yoder, MITRE

Measure What Matters: How to Use MITRE ATTACK to do the Right Things in the R...

Mapping ATT&CK Techniques to ENGAGE Activities

Cyber Threat Intelligence

The ATT&CK Latin American APT Playbook

Cyber threat Intelligence and Incident Response by:-Sandeep Singh

Cyber Threat hunting workshop

Adversary Emulation - Red Team Village - Mayhem 2020

State of the ATT&CK

Evolution of Offensive Testing - ATT&CK-based Adversary Emulation Plans

Similar to MITRE ATT&CKcon 2.0: ATT&CK Updates - Cyber Analytics Repository (CAR); Ivan Kirillov, MITRE

MITRE ATT&CKcon 2.0: ATT&CK Updates - Controls Mapping; Mike Long, MITRE

MITRE - ATT&CKcon

Cosmi cjuin sig2018

Charles Symons

How to build containerized architectures for deep learning - Data Festival 20...

Antje Barth

When it comes to AI data scientists/engineers tend to focus on tools. Though the data platform that enables these tools is equally important, it’s often overlooked. In fact, 90% of the effort required for success in ML is not the algorithm – it’s the data logistics. In this workshop we will talk about common architecture blueprints to integrate AI in your data centers and how the right data platform choice can make all the difference in launching your AI use case into production! Presented at Data Festival Munich, 2019.

Electric motor optimization

Scilab

"Automotive Vision Systems— Seeing the Way Forward," a Presentation from Stra...

Edge AI and Vision Alliance

For the full video of this presentation, please visit: https://www.embedded-vision.com/platinum-members/embedded-vision-alliance/embedded-vision-training/videos/pages/may-2019-embedded-vision-summit-riches For more information about embedded vision, please visit: http://www.embedded-vision.com Ian Riches, Executive Director for Global Automotive Practice at Strategy Analytics, presents the "Automotive Vision Systems— Seeing the Way Forward" tutorial at the May 2019 Embedded Vision Summit. It was not long ago that cameras were a rarity on all but luxury cars. In 2018, as many automotive cameras were shipped as were vehicles! Riches' presentation quantifies the likely future growth, and explores the applications and industry forces that are driving camera fitment. The automotive industry is also undergoing unprecedented change, with longstanding vehicle architectures and business models under threat. Riches' presentation therefore also looks at the wider automotive landscape as it impacts the embedded vision community, examining topics such as centralized vs. decentralized architectures and the impact of automated driving on the value chain.

An emulation framework for IoT, Fog, and Edge Applications

MoysisSymeonides

In this talk, we presented an emulation framework that eases the modeling, deployment, and large-scale experimentation of fog and 5G testbeds. The framework provides a toolset to (i) model complex fog topologies comprised of heterogeneous resources, network capabilities, and QoS criteria; (ii) abstractions for physical 5G infrastructure concepts such as radio units, edge servers, mobile nodes, user equipment, and node trajectories; (iii) deploy the modeled configuration and services using popular containerised descriptions to a cloud or local environment; (iv) experiment, measure and evaluate the deployment by injecting faults, adapting the configuration at runtime, real-time updates of the radio network (i.e., signal strength) and respective network QoS to test different “what-if” scenarios that reveal the limitations of service before introduced to the public. The framework has been used for studying the performance of Intelligent transportation services, Industrial IoT micro-service applications, geo-distributed deployments of big data engines, and many more. The presentation took place at Athens Demokritos Research Center organised by SKEL | The AI Lab video: https://www.youtube.com/watch?v=z37I1QVFabg

Cisco Connect Toronto 2018 network-slicing

Cisco Canada

ATT&CKing with Threat Intelligence

Christopher Korban

MITRE’s ATT&CK is a community-driven knowledge base and model for cyber adversary behavior, reflecting the various phases of an adversary’s life cycle and the platforms they are known to target. By scoping the wide breadth of the MITRE ATT&CK matrix to focus initially on the techniques used by threat actors you specifically care about, you can help the defenders create more useful and impactful detections first. Once you start emulating the appropriate threat actors, you can practice your defenses in a scenario that’s more realistic and applicable without the need for an actual intrusion. The speakers are providing a process and a case study of APT3 - a China-based threat group - for how to go from finding threat intelligence, sifting through it for actionable techniques, creating emulation plans, discovering how to emulate different techniques... to actually operating on a network. They are also providing a beginning "cheat sheet" for this actor to give a starting point for red and blue teams to accomplish these techniques in their own environment without the need to build their own tooling.

IBM Power Systems Outlook and Roadmap

David Spurway

Is Linux ready for safety related applications?

Alexander Much

MITRE ATT&CKcon 2.0: ATT&CK Updates - Sightings; John Wunder, MITRE

MITRE - ATT&CKcon

Sensor Data Management & Analytics: Advanced Process Control

TIBCO_Software

Artificial Intelligence in Design Automation

s.rohit

Motivation behind this talk is to throw some light on use of machine intelligence in design automation; a topic that is largely absent from the media and academia. Machine Intelligence is advancing at a rapid pace and claim to this fame is that it is bound to enable an unprecedent degree of automation in every walk of life. Design automation, a field that has been automating semiconductor design for decades, continues to struggle successful applications of Machine Learning.

EB corbos and the L4Re microhypervisor: Open-source automotive safety

Alexander Much

Global ai conference nyc - oct 23 - 24 2017

Economic Strategy Institute

Meetup Spark UDF performance

Guilherme Braccialli

Haystack 2019 Lightning Talk - State of Apache Tika - Tim Allison

OpenSource Connections

Cisco Connect 2018 Indonesia - Delivering intent for data center networking

NetworkCollaborators

Diagnostic in Adaptive AUTOSAR

Bernhard Wagner

ApI first Microservices meetup

Oracle Developers

Similar to MITRE ATT&CKcon 2.0: ATT&CK Updates - Cyber Analytics Repository (CAR); Ivan Kirillov, MITRE (20)

MITRE ATT&CKcon 2.0: ATT&CK Updates - Controls Mapping; Mike Long, MITRE

Cosmi cjuin sig2018

How to build containerized architectures for deep learning - Data Festival 20...

Electric motor optimization

"Automotive Vision Systems— Seeing the Way Forward," a Presentation from Stra...

An emulation framework for IoT, Fog, and Edge Applications

Cisco Connect Toronto 2018 network-slicing

ATT&CKing with Threat Intelligence

IBM Power Systems Outlook and Roadmap

Is Linux ready for safety related applications?

MITRE ATT&CKcon 2.0: ATT&CK Updates - Sightings; John Wunder, MITRE

Sensor Data Management & Analytics: Advanced Process Control

Artificial Intelligence in Design Automation

EB corbos and the L4Re microhypervisor: Open-source automotive safety

Global ai conference nyc - oct 23 - 24 2017

Meetup Spark UDF performance

Haystack 2019 Lightning Talk - State of Apache Tika - Tim Allison

Cisco Connect 2018 Indonesia - Delivering intent for data center networking

Diagnostic in Adaptive AUTOSAR

ApI first Microservices meetup

More from MITRE - ATT&CKcon

ATTACKers Think in Graphs: Building Graphs for Threat Intelligence

MITRE - ATT&CKcon

From MITRE ATT&CKcon Power Hour January 2021 By Valentine Mairet, Security Researcher, McAfee The MITRE ATT&CK framework is the industry standard to dissect cyberattacks into used techniques. At McAfee, all attack information is disseminated into different categories, including ATT&CK techniques. What results from this exercise is an extensive repository of techniques used in cyberattacks that goes back many years. Much can be learned from looking at historical attack data, but how can we piece all this information together to identify new relationships between threats and attacks? In her recent efforts, Valentine has embraced analyzing ATT&CK data in graphical representations. One lesson learned is that it is not just about merely mapping out attacks and techniques used into graphs, but the strength lies in applying different algorithms to answer specific questions. In this presentation, Valentine will showcase the results and techniques obtained from her research journey using graph and graph algorithms.

ATTACK-Onomics: Attacking the Economics Behind Techniques Used by Adversaries

MITRE - ATT&CKcon

From MITRE ATT&CKcon Power Hour January 2021 By Gert-Jan Bruggink, Defensive Specialist, FalconForce Adversaries are humans as well. They have objectives, deadlines and resources for programming. In a sense, very similar to corporations grounded in the economics of effort vs time vs results. Now understanding techniques is one thing, taking it a step further and understanding what the economic impact is of using certain techniques is another. Developing tools takes time. For example, developing a custom process injection module might take days or weeks to develop, where using an open source tool could prevent extensive development costs incurred. This talk explores the economic considerations for defending against techniques used by adversaries. It explores fundamental considerations all referenced to MITRE’s ATT&CK framework. The objective of this talk is to inspire defensive strategies designed to impact cost incurred by adversaries to perform compromises.

MITRE ATTACKcon Power Hour - January

MITRE - ATT&CKcon

Using ATTACK to Create Cyber DBTS for Nuclear Power Plants

MITRE - ATT&CKcon

From MITRE ATT&CKcon Power Hour December 2020 By Jacob Benjamin, Principal Industrial Consultant Dragos, INL, & University of Idaho Design Basis Threat (DBT) is concept introduced by the Nuclear Regulatory Commission (NRC). It is a profile of the type, composition, and capabilities of an adversary. DBT is the key input nuclear power plants use for the design of systems against acts of radiological sabotage and theft of special nuclear material. The NRC expects its licensees, nuclear power plants, to demonstrate that they can defend against the DBT. Currently, cyber is included in DBTs simply as a prescribed list of IT centric security controls. Using MITRE’s ATT&CK framework, Cyber DBTs can be created that are specific to the facility, its material, or adversary activities.

Sharpening your Threat-Hunting Program with ATTACK Framework

MITRE - ATT&CKcon

From MITRE ATT&CKcon Power Hour December 2020 By Hieu Tran, Threat Detection Team Lead FPT Cybersecurity Division No matter how sophisticated and thorough your security precautions may be, you cannot assume your security measures are impenetrable. This is why you need a threat hunting program in place. But how can we implement a proper threat hunting program and run it efficiently? In this talk, we will uncover how to sharpen your threat hunting strategy by leveraging ATT&CK. Ultimately, we’ll be demonstrating how effectively employing the hunting methodology in the real-world battlefield, fighting against well-known cyber espionage actors who strongly focus on Southeast Asian countries like Vietnam, the Philippines, Laos, and Cambodia.

Helping Small Companies Leverage CTI with an Open Source Threat Mapping

MITRE - ATT&CKcon

From MITRE ATT&CKcon Power Hour December 2020 By Valentina Palacín, Sr. Cyber Threat Intelligence Analyst No one can deny the tremendous impact that ATT&CK had on the cybersecurity industry, nor the usefulness of having a good Threat Library at your disposal. But the question Valentina gets asked over and over by people from small companies is always the same: “How could I leverage threat intelligence using ATT&CK with limited time and resources?” And so far, there hasn't been a good answer. That’s why she decided to come up with the Threat Mapping Catalogue (TMC), a tool that combines the power of the mappings already available in the ATT&CK website, TRAM and the ATT&CK Navigator, to better process, consume and incorporate new mappings while organizing them around different categories.

What's New with ATTACK for ICS?

MITRE - ATT&CKcon

From MITRE ATT&CKcon Power Hour December 2020 By Otis Alexander, Principal Cybersecurity Engineer, MITRE Otis Alexander is a Principal Cyber Security Engineer at the MITRE Corporation and has worked in the areas of security engineering and research, analytic development, and adversary modeling and emulation. Otis is a co-creator of ATT&CK for ICS and has been leading the project since its inception. He also leads an effort to bring MITRE ATT&CK Evaluations to ICS security vendors providing anomaly and threat detection solutions. He advocates for network and host visibility in operational technology environments to increase the situational awareness of defenders.

Putting the PRE into ATTACK

MITRE - ATT&CKcon

From MITRE ATT&CKcon Power Hour November 2020 By: Jamie Williams, Lead Cyber Adversarial Engineer, MITRE Mike Hartley, Lead Cybersecurity Engineer, MITRE In this presentation from the MITRE ATT&CKcon Power Hour session on November 12, 2020 Jamie Williams and Mike Hartley from MITRE discuss the process for merging PRE-ATT&CK and adding two new tactics to Enterprise ATT&CK – Reconnaissance and Resource Development.

What's a MITRE with your Security?

MITRE - ATT&CKcon

From MITRE ATT&CKcon Power Hour November 2020 By Matt Snyder, Senior Threat Analytics Engineer, VMware The market for Security products is flooded with vendors offering all sorts of solutions, and organizations are spending a record amount of money defending their environments. Nevertheless, an increasing number of breaches are reported each year, resulting in organizations spending millions of dollars to remediate them. The Security industry responds with more products, all offering to stop the next breach, and the cycle continues. In this presentation from the MITRE ATT&CKcon Power Hour session on November 12, 2020, Matt discusses what VMware is doing internally to address this fundamental flaw in the Security industry and how they are leveraging the MITRE ATT&CK framework to reshape how we think about security.

ATTACKing the Cloud: Hopping Between the Matrices

MITRE - ATT&CKcon

From MITRE ATT&CKcon Power Hour November 2020 By Anthony Randazzo, Global Response Lead, Expel The team at Expel has been migrating to the cloud for the last 10 years, but as usual, security has lagged behind. Which means we don't have a comprehensive detection and response framework for cloud like we do with the Enterprise ATT&CK matrix. Cloud has evolved into a complex beast as technologies and concepts – like Infrastructure As Code, Containers, Kubernetes and so forth – have emerged. These new attack surfaces have been added that introduce additional challenges to detection and response in our cloud environments. We don't know what we don't know about attack life cycles in the cloud. In this presentation from the MITRE ATT&CKcon Power Hour session on November 12, 2020, Anthony shares some interesting lessons learned so far when it comes to finding bad guys in the cloud.

Mapping the EventBot Mobile Banking Trojan with MITRE ATTACK for Mobile

MITRE - ATT&CKcon

From MITRE ATT&CKcon Power Hour November 2020 By Allie Mellen, Security Strategist, Office of the CSO, Cybereason In this presentation from the MITRE ATT&CKcon Power Hour session on November 12, Allie discusses how the Cybereason research team uses both MITRE ATT&CK and MITRE ATT&CK for Mobile to map and communicate new malware to the larger security community. Teams use the MITRE ATT&CK framework to share techniques, tactics, and procedures with their team and the community at large. This knowledge base has been incredibly beneficial for the development of specific threat models and methodologies in the private sector, in government, and in the cybersecurity product and service community. Many of these uses have centered around traditional endpoints like laptops and workstations. However, the MITRE ATT&CK team has also created a cutting-edge portion of their framework: MITRE ATT&CK for Mobile. One of the most recent pieces of malware they have found is EventBot, a mobile banking trojan that targets Android devices and the financial services applications on them, including popular apps like Paypal Business, Revolut, Barclays, UniCredit, CapitalOne UK, HSBC UK, Santander UK, TransferWise, Coinbase, paysafecard, and many more. In this talk, learn about this specific attack, intended targets, a timeline of the attack, and the MITRE ATT&CK for Mobile mapping. Learn why the Cybereason team map to MITRE ATT&CK and MITRE ATT&CK for Mobile and what benefits it has given them and their interactions with the community.

Transforming Adversary Emulation Into a Data Analysis Question

MITRE - ATT&CKcon

From MITRE ATT&CKcon Power Hour October 2020 By Matan Hart, Co-Founder & CEO Cymptom @machosec Adversary emulation is commonly used to validate security controls and is considered one of the most popular use-cases for the ATT&CK framework. However, emulating adversary TTPs on production environments is often very limited in testing scope and frequency, and such practice may cause unwanted business disruption. In this talk from the MITRE ATT&CKcon Power Hour session on October 9, 2020, Hart presents a different approach to testing controls against ATT&CK. He demonstrates how it is possible to provide data-based methods to evaluate the exploitability of ATT&CK techniques by gathering information from the network, endpoint, and services; this unique approach does not emulate any sort of malicious action, thus reducing the potential of causing business disruption to the minimum. Hart also outlines a new open-source guideline based on ATT&CK mitigations, that security teams can use to assess their security posture non-intrusively and at scale.

TA505: A Study of High End Big Game Hunting in 2020

MITRE - ATT&CKcon

From MITRE ATT&CKcon Power Hour October 2020 By Brandon Levene, Head of Applied Intelligence Google, @seraphimdomain Opportunistically targeted ransomware deployments, aka Big Game Hunting (BGH), have caused a distinct disruption in the mechanics of monetizing crimeware compromises. This strategy has become the “end game” for the majority of organized cybercrime organizations, and one effect of this shift is the increased emphasis on enterprise-level targets. In this talk from the MITRE ATT&CKCon Power Hour session on October 9, 2020, Levene walks us through research about how a specific BGH threat actor pursues entry points, gains its foothold, pivots, and deploys payloads to maximize their financial gains with minimal effort - and infrastructure! You’ll walk away with an understanding of the latest BGH TTPs seen in enterprise environments, and how they map to the ATT&CK framework so you can build this research into your threat detection strategy and enhance your defenses.

Using MITRE PRE-ATTACK and ATTACK in Cybercrime Education and Research

MITRE - ATT&CKcon

From MITRE ATT&CKcon Power Hour October 2020 By: Aunshul Rege, Associate Professor, Temple University, @prof_rege Rachel Bleiman, PhD Student/NSF Graduate Research Assistant, Temple University, @rab1928 This presentation from the MITRE ATT&CKcon Power Hour session on October 9, 2020, explores the application of the MITRE ATT&CK® and PRE-ATT&CK matrices in cybercrime education and research. Specifically, Rege and Bleiman demonstrate the mapping of the PRE-ATT&CK matrix to social engineering case studies as an experiential learning project in an upper-level cybercrime liberal arts course. It thus allows students to understand the alignment process of threat intelligence to the PRE-ATT&CK framework and also learn about its usefulness/limitations. The talk also discusses the mapping of the ATT&CK matrix, tactics, techniques, software, and groups for two cybercrime datasets created by collating publicly disclosed incidents: (i) critical infrastructure ransomware (CIRW) incidents, and (ii) social engineering (SE) incidents. For the CIRW dataset, 39% of the strains mapped onto the ATT&CK software. For the SE dataset, 49% of the groups and 65% of the techniques map on to the MITRE framework. This helps the researchers identify the framework's usefulness/limitations and also helps our datasets connect to richer information that may not otherwise be available in the publicly disclosed incidents.

What's New with ATTACK for Cloud?

MITRE - ATT&CKcon

From MITRE ATT&CKcon Power Hour October 2020 By Jen Burns, Lead Cybersecurity Engineer, MITRE, @snarejen Jen Burns is a Lead Cybersecurity Engineer at MITRE and the Lead for MITRE ATT&CK® for Cloud. She’s also a red team developer and lead for ATT&CK Evaluations, using her skills in software engineering and adversary emulation. Previously, she was a tech lead at HubSpot on the Infrastructure Security team where she focused on red teaming and building detections in the cloud environment. This presentation is from the MITRE ATT&CKcon Power Hour session held on October 9, 2020.

Starting Over with Sub-Techniques

MITRE - ATT&CKcon

From MITRE ATT&CKcon Power Hour - October By Brian Donohue, Security Evangelist, Red Canary, @thebriandonohue In early 2018, Red Canary adopted MITRE ATT&CK as the common language that they would use to categorize threats, measure detection coverage, and communicate about malicious behaviors. In the intervening years, they’ve relied on the framework to develop open source tools like Atomic Red Team and help security teams prioritize their defensive efforts with blogs and our annual Threat Detection Report. In early 2020, MITRE announced that ATT&CK would be expanding its original taxonomy of tactics and techniques to include sub-techniques. In the months that followed MITRE's announcement, Red Canary’s research, intelligence, and detection engineering teams painstakingly remapped their library of thousands of behavioral analytics to sub-techniques. In doing so, they improved their correlational logic, experimented with the idea of conditional technique mapping, and, unfortunately, rendered the 2020 Threat Detection Report out-of-date. In this talk from the MITRE ATT&CKcon Power Hour session on October 9, 2020, Brian discusses how refactoring for sub-techniques offered us the opportunity to apply all the lessons learned in more than two years of operationalizing ATT&CK. He also explores how Red Canary has remodeled its ATT&CK mapping to allow for added flexibility and human input and shows what happens when the Red Canary applied their new sub-technique mappings to the 2020 Threat Detection Report.

MITRE ATTACKCon Power Hour - December

MITRE - ATT&CKcon

MITRE ATT&CKcon Power Hour - November

MITRE - ATT&CKcon

MITRE ATTACKcon Power Hour - October

MITRE - ATT&CKcon

MITRE ATT&CKcon 2.0: Flashback with ATT&CK: Exploring Malware History with AT...

MITRE - ATT&CKcon

More from MITRE - ATT&CKcon (20)

ATTACKers Think in Graphs: Building Graphs for Threat Intelligence

ATTACK-Onomics: Attacking the Economics Behind Techniques Used by Adversaries

MITRE ATTACKcon Power Hour - January

Using ATTACK to Create Cyber DBTS for Nuclear Power Plants

Sharpening your Threat-Hunting Program with ATTACK Framework

Helping Small Companies Leverage CTI with an Open Source Threat Mapping

What's New with ATTACK for ICS?

Putting the PRE into ATTACK

What's a MITRE with your Security?

ATTACKing the Cloud: Hopping Between the Matrices

Mapping the EventBot Mobile Banking Trojan with MITRE ATTACK for Mobile

Transforming Adversary Emulation Into a Data Analysis Question

TA505: A Study of High End Big Game Hunting in 2020

Using MITRE PRE-ATTACK and ATTACK in Cybercrime Education and Research

What's New with ATTACK for Cloud?

Starting Over with Sub-Techniques

MITRE ATTACKCon Power Hour - December

MITRE ATT&CKcon Power Hour - November

MITRE ATTACKcon Power Hour - October

MITRE ATT&CKcon 2.0: Flashback with ATT&CK: Exploring Malware History with AT...

Recently uploaded

Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...

Thierry Lestable

State of ICS and IoT Cyber Threat Landscape Report 2024 preview

Prayukth K V

The IoT and OT threat landscape report has been prepared by the Threat Research Team at Sectrio using data from Sectrio, cyber threat intelligence farming facilities spread across over 85 cities around the world. In addition, Sectrio also runs AI-based advanced threat and payload engagement facilities that serve as sinks to attract and engage sophisticated threat actors, and newer malware including new variants and latent threats that are at an earlier stage of development. The latest edition of the OT/ICS and IoT security Threat Landscape Report 2024 also covers: State of global ICS asset and network exposure Sectoral targets and attacks as well as the cost of ransom Global APT activity, AI usage, actor and tactic profiles, and implications Rise in volumes of AI-powered cyberattacks Major cyber events in 2024 Malware and malicious payload trends Cyberattack types and targets Vulnerability exploit attempts on CVEs Attacks on counties – USA Expansion of bot farms – how, where, and why In-depth analysis of the cyber threat landscape across North America, South America, Europe, APAC, and the Middle East Why are attacks on smart factories rising? Cyber risk predictions Axis of attacks – Europe Systemic attacks in the Middle East Download the full report from here: https://sectrio.com/resources/ot-threat-landscape-reports/sectrio-releases-ot-ics-and-iot-security-threat-landscape-report-2024/

Key Trends Shaping the Future of Infrastructure.pdf

Cheryl Hung

Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...

Ramesh Iyer

In today's fast-changing business world, Companies that adapt and embrace new ideas often need help to keep up with the competition. However, fostering a culture of innovation takes much work. It takes vision, leadership and willingness to take risks in the right proportion. Sachin Dev Duggal, co-founder of Builder.ai, has perfected the art of this balance, creating a company culture where creativity and growth are nurtured at each stage.

Generating a custom Ruby SDK for your web service or Rails API using Smithy

g2nightmarescribd

Have you ever wanted a Ruby client API to communicate with your web service? Smithy is a protocol-agnostic language for defining services and SDKs. Smithy Ruby is an implementation of Smithy that generates a Ruby SDK using a Smithy model. In this talk, we will explore Smithy and Smithy Ruby to learn how to generate custom feature-rich SDKs that can communicate with any web service, such as a Rails JSON API.

From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...

Product School

Assuring Contact Center Experiences for Your Customers With ThousandEyes

ThousandEyes

FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf

FIDO Alliance

Encryption in Microsoft 365 - ExpertsLive Netherlands 2024

Albert Hoitingh

DevOps and Testing slides at DASA Connect

Kari Kakkonen

UiPath Test Automation using UiPath Test Suite series, part 4

DianaGray10

Welcome to UiPath Test Automation using UiPath Test Suite series part 4. In this session, we will cover Test Manager overview along with SAP heatmap. The UiPath Test Manager overview with SAP heatmap webinar offers a concise yet comprehensive exploration of the role of a Test Manager within SAP environments, coupled with the utilization of heatmaps for effective testing strategies. Participants will gain insights into the responsibilities, challenges, and best practices associated with test management in SAP projects. Additionally, the webinar delves into the significance of heatmaps as a visual aid for identifying testing priorities, areas of risk, and resource allocation within SAP landscapes. Through this session, attendees can expect to enhance their understanding of test management principles while learning practical approaches to optimize testing processes in SAP environments using heatmap visualization techniques What will you get from this session? 1. Insights into SAP testing best practices 2. Heatmap utilization for testing 3. Optimization of testing processes 4. Demo Topics covered: Execution from the test manager Orchestrator execution result Defect reporting SAP heatmap example with demo Speaker: Deepak Rai, Automation Practice Lead, Boundaryless Group and UiPath MVP

Mission to Decommission: Importance of Decommissioning Products to Increase E...

Product School

The Future of Platform Engineering

Jemma Hussein Allen

GraphRAG is All You need? LLM & Knowledge Graph

Guy Korland

Guy Korland, CEO and Co-founder of FalkorDB, will review two articles on the integration of language models with knowledge graphs. 1. Unifying Large Language Models and Knowledge Graphs: A Roadmap. https://arxiv.org/abs/2306.08302 2. Microsoft Research's GraphRAG paper and a review paper on various uses of knowledge graphs: https://www.microsoft.com/en-us/research/blog/graphrag-unlocking-llm-discovery-on-narrative-private-data/

Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024

Tobias Schneck

As AI technology is pushing into IT I was wondering myself, as an “infrastructure container kubernetes guy”, how get this fancy AI technology get managed from an infrastructure operational view? Is it possible to apply our lovely cloud native principals as well? What benefit’s both technologies could bring to each other? Let me take this questions and provide you a short journey through existing deployment models and use cases for AI software. On practical examples, we discuss what cloud/on-premise strategy we may need for applying it to our own infrastructure to get it to work from an enterprise perspective. I want to give an overview about infrastructure requirements and technologies, what could be beneficial or limiting your AI use cases in an enterprise environment. An interactive Demo will give you some insides, what approaches I got already working for real.

Elevating Tactical DDD Patterns Through Object Calisthenics

Dorra BARTAGUIZ

After immersing yourself in the blue book and its red counterpart, attending DDD-focused conferences, and applying tactical patterns, you're left with a crucial question: How do I ensure my design is effective? Tactical patterns within Domain-Driven Design (DDD) serve as guiding principles for creating clear and manageable domain models. However, achieving success with these patterns requires additional guidance. Interestingly, we've observed that a set of constraints initially designed for training purposes remarkably aligns with effective pattern implementation, offering a more ‘mechanical’ approach. Let's explore together how Object Calisthenics can elevate the design of your tactical DDD patterns, offering concrete help for those venturing into DDD for the first time!

Transcript: Selling digital books in 2024: Insights from industry leaders - T...

BookNet Canada

The publishing industry has been selling digital audiobooks and ebooks for over a decade and has found its groove. What’s changed? What has stayed the same? Where do we go from here? Join a group of leading sales peers from across the industry for a conversation about the lessons learned since the popularization of digital books, best practices, digital book supply chain management, and more. Link to video recording: https://bnctechforum.ca/sessions/selling-digital-books-in-2024-insights-from-industry-leaders/ Presented by BookNet Canada on May 28, 2024, with support from the Department of Canadian Heritage.

Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf

91mobiles

AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...

Product School

GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...

James Anderson

Effective Application Security in Software Delivery lifecycle using Deployment Firewall and DBOM The modern software delivery process (or the CI/CD process) includes many tools, distributed teams, open-source code, and cloud platforms. Constant focus on speed to release software to market, along with the traditional slow and manual security checks has caused gaps in continuous security as an important piece in the software supply chain. Today organizations feel more susceptible to external and internal cyber threats due to the vast attack surface in their applications supply chain and the lack of end-to-end governance and risk management. The software team must secure its software delivery process to avoid vulnerability and security breaches. This needs to be achieved with existing tool chains and without extensive rework of the delivery processes. This talk will present strategies and techniques for providing visibility into the true risk of the existing vulnerabilities, preventing the introduction of security issues in the software, resolving vulnerabilities in production environments quickly, and capturing the deployment bill of materials (DBOM). Speakers: Bob Boule Robert Boule is a technology enthusiast with PASSION for technology and making things work along with a knack for helping others understand how things work. He comes with around 20 years of solution engineering experience in application security, software continuous delivery, and SaaS platforms. He is known for his dynamic presentations in CI/CD and application security integrated in software delivery lifecycle. Gopinath Rebala Gopinath Rebala is the CTO of OpsMx, where he has overall responsibility for the machine learning and data processing architectures for Secure Software Delivery. Gopi also has a strong connection with our customers, leading design and architecture for strategic implementations. Gopi is a frequent speaker and well-known leader in continuous delivery and integrating security into software delivery.

Recently uploaded (20)

Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...

State of ICS and IoT Cyber Threat Landscape Report 2024 preview

Key Trends Shaping the Future of Infrastructure.pdf

Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...

Generating a custom Ruby SDK for your web service or Rails API using Smithy

From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...

Assuring Contact Center Experiences for Your Customers With ThousandEyes

FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf

Encryption in Microsoft 365 - ExpertsLive Netherlands 2024

DevOps and Testing slides at DASA Connect

UiPath Test Automation using UiPath Test Suite series, part 4

Mission to Decommission: Importance of Decommissioning Products to Increase E...

The Future of Platform Engineering

GraphRAG is All You need? LLM & Knowledge Graph

Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024

Elevating Tactical DDD Patterns Through Object Calisthenics

Transcript: Selling digital books in 2024: Insights from industry leaders - T...

Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf

AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...

GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...

MITRE ATT&CKcon 2.0: ATT&CK Updates - Cyber Analytics Repository (CAR); Ivan Kirillov, MITRE

1. ©2019 The MITRE Corporation. All rights reserved. Approved for public release. Distribution unlimited 18-03621-8. MITRE | 1 | Cyber Analytics Repository Ivan Kirillov (too cool for Twitter) © 2019 The MITRE Corporation. All rights reserved. Approved for public release. Distribution unlimited 18-03730-17 @MITREattack #ATTACKcon

3. Cyber Analytics Repository (CAR) | 3 | ▪ ATT&CK-driven, actively maintained repository of open source analytics – Also includes a data model, mappings to sensors, and an exploration tool (CARET) ▪ Recent work has focused on increasing quality and usability – Adding new analytics – Converting analytics to a structured, machine-parseable format (YAML) – Supporting multiple implementations (e.g., Splunk, Sigma) for each analytic © 2019 The MITRE Corporation. All rights reserved. Approved for public release. Distribution unlimited 18-03730-17

4. CAR – But wait, there’s more! | 4 | ▪ BZAR: Bro/Zeek ATT&CK-based Analytics and Reporting – A set of Bro/Zeek scripts utilizing the SMB and DCE-RPC protocol analyzers to detect several network-specific ATT&CK techniques ▪ Data model updates – Updates to process object model to account for newer analytics/EDR tools ▪ Tweaks to ATT&CK coverage for better accuracy © 2019 The MITRE Corporation. All rights reserved. Approved for public release. Distribution unlimited 18-03730-17

5. CAR – ATT&CK Coverage | 5 | As of October 2019 https://github.com/mitre-attack/car/blob/master/docs/car_attack/car_attack.json © 2019 The MITRE Corporation. All rights reserved. Approved for public release. Distribution unlimited 18-03730-17

6. CAR – Future Goals | 6 | ▪ New Analytics – Better coverage of top ATT&CK Techniques – Analytic “Building Blocks” ▪ Data Model Updates – More network-based modeling – especially Layer 7 – Updates based on Sysmon and other EDR tools ▪ Analytic “Baseball Cards” – Summary with critical info (description, coverage, techniques involved, etc.) ▪ Updates to Sensor Coverage – Site currently has Sysmon 3.2 (2016 says hi!) – YAML for sensors ▪ CARET Refactoring ▪ ATT&CK Coverage Redux – Per-implementation coverage & capturing ease of evasion © 2019 The MITRE Corporation. All rights reserved. Approved for public release. Distribution unlimited 18-03730-17

7. We want your analytics! | 7 | ▪ Submit an issue on GitHub: https://github.com/mitre-attack/car/issues ▪ Out of the new analytics we’ve added this year, 50% were user- contributed. Special thanks to: – Meric Degirmenci // IBM – Kaushal Parikh // Cyware Labs – Tony Lambert // Red Canary © 2019 The MITRE Corporation. All rights reserved. Approved for public release. Distribution unlimited 18-03730-17

8. CAR Resources | 8 | ▪ CAR Resources: – Main site: https://car.mitre.org/ – YAML-ized analytics: https://github.com/mitre-attack/car/tree/master/analytics – BZAR: https://github.com/mitre-attack/car/tree/master/implementations/bzar – And remember… © 2019 The MITRE Corporation. All rights reserved. Approved for public release. Distribution unlimited 18-03730-17

MITRE ATT&CKcon 2.0: ATT&CK Updates - Cyber Analytics Repository (CAR); Ivan Kirillov, MITRE

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Similar to MITRE ATT&CKcon 2.0: ATT&CK Updates - Cyber Analytics Repository (CAR); Ivan Kirillov, MITRE

Similar to MITRE ATT&CKcon 2.0: ATT&CK Updates - Cyber Analytics Repository (CAR); Ivan Kirillov, MITRE (20)

More from MITRE - ATT&CKcon

More from MITRE - ATT&CKcon (20)

Recently uploaded

Recently uploaded (20)

MITRE ATT&CKcon 2.0: ATT&CK Updates - Cyber Analytics Repository (CAR); Ivan Kirillov, MITRE