Security teams have more detection tools at their disposal than ever before, yet most are still struggling to find even the most basic malicious activity occurring in their environments. Building effective detection analytics requires realistic data and the ability to iterate quickly in a rapid analytic development cycle.
This talk introduces a full lifecycle attack simulation and analytics development environment featuring the MITRE ATT&CK framework and the Atomic Red Team project using Splunk and Splunk Phantom mapped to an imaginary APT group, Taedonggang.
It focuses on how security teams can use such a system to rapidly develop and share new detection analytics. Links to all components referenced in the talk are provided, including a cloud-based dataset that can act as a playground for users who want to see the results of the activity.
MITRE ATT&CKcon 2018: Playing Devil’s Advocate to Security Initiatives with A...MITRE - ATT&CKcon
This talk presents a case study which demonstrates that we should consider the knowledge and wisdom contained within ATT&CK in all organizational security initiatives to make sure by fixing one thing we have not just created an opportunity.
The presentation shows how to leverage the analysis and classification of APT tactics and procedures (TTP) to guide research into new and novel techniques, specifically focusing on exfiltration and command and control.
DNS over HTTPS (DoH) aims to increase user privacy and security by preventing eavesdropping and manipulation of DNS data by man-in-the-middle attacks. Major web browsers such as Firefox are considering its implementation by default. But what could this possibly mean for exfiltration and command and control?
This session provides an end-to-end demo that shows DoH being implemented to provide full command and control in a popular attack simulation framework and discusses associated mitigations.
Presentation slides presented by Cody Thomas and Christopher Korban at x33fcon 2018 about how to jumpstart your purple teaming with the MITRE ATT&CK framework, and accompanying Adversary Emulation Plans
From Theory to Practice: How My ATTACK Perspectives Have ChangedMITRE - ATT&CKcon
From MITRE ATT&CKcon Power Hour December 2020
By Katie Nickels, Director of Intelligence, Red Canary
Good analysts (and good human beings) change their minds based on new information. In this presentation, Katie will share how her perspectives on ATT&CK have changed since moving from ATT&CK team member to ATT&CK end-user. She will discuss how her ideas about coverage, procedures, and detection creation have evolved and why those perspectives matter. Katie will also share practical examples from observed threats to help explain the nuances of her perspectives. Attendees should expect to leave this presentation with a better understanding of how to handle challenges they’re likely to face when navigating their own ATT&CK journey.
MITRE ATT&CKcon 2018: Summiting the Pyramid of Pain: Operationalizing ATT&CK,...MITRE - ATT&CKcon
Operationalizing the ATT&CK framework has enabled GE to deploy custom detection to evolving threat actor behaviors. By leveraging an in-house developed tool called TIAMAT (Tactical Intelligence Adversary Mapping and Analysis Tool) the ATT&CK framework is
incorporated into an end-to-end operational process from intelligence collection to customized detection deployment.
The designing of this new operational process is examined, and a use case presented of how examining a historical incident led to a new method of deploying detection based on ATT&CK and the detection of previously undiscovered activity. There is also a demo that walks the audience through the end-to-end process and explains TIAMATs capabilities.
FIRST CTI Symposium: Turning intelligence into action with MITRE ATT&CK™Katie Nickels
Katie Nickels and Adam Pennington presented "Turning intelligence into action with MITRE ATT&CK™" at the FIRST CTI Symposium in London on 20 March 2019.
Offensive security and Ethical Hacking is about providing business value. One of the most efficient and effective ways to improve security is through Adversary Emulation Purple Team Exercises. Adversary Emulation is a type of ethical hacking engagement where the Red Team emulates how an adversary operates, leveraging the same tactics, techniques, and procedures (TTPs), against a target organization. The goal of these engagements is to train and improve people, process, and technology. This is in contrast to a penetration test that focuses on testing technology and preventive controls. Adversary emulations are performed using a structured approach following industry methodologies and frameworks (such as MITRE ATT&CK) and leverage Cyber Threat Intelligence to emulate a malicious actor that has the opportunity, intent, and capability to attack the target organization. Adversary Emulations may be performed in a blind manner (Red Team Engagement) or non-blind (Purple Team) with the Blue Team having full knowledge of the engagement. In this talk, we will cover how to run a high-value adversary emulation through a Purple Team Exercise.
https://www.scythe.io/library/threatthursday-apt33
MITRE ATT&CKcon 2018: Playing Devil’s Advocate to Security Initiatives with A...MITRE - ATT&CKcon
This talk presents a case study which demonstrates that we should consider the knowledge and wisdom contained within ATT&CK in all organizational security initiatives to make sure by fixing one thing we have not just created an opportunity.
The presentation shows how to leverage the analysis and classification of APT tactics and procedures (TTP) to guide research into new and novel techniques, specifically focusing on exfiltration and command and control.
DNS over HTTPS (DoH) aims to increase user privacy and security by preventing eavesdropping and manipulation of DNS data by man-in-the-middle attacks. Major web browsers such as Firefox are considering its implementation by default. But what could this possibly mean for exfiltration and command and control?
This session provides an end-to-end demo that shows DoH being implemented to provide full command and control in a popular attack simulation framework and discusses associated mitigations.
Presentation slides presented by Cody Thomas and Christopher Korban at x33fcon 2018 about how to jumpstart your purple teaming with the MITRE ATT&CK framework, and accompanying Adversary Emulation Plans
From Theory to Practice: How My ATTACK Perspectives Have ChangedMITRE - ATT&CKcon
From MITRE ATT&CKcon Power Hour December 2020
By Katie Nickels, Director of Intelligence, Red Canary
Good analysts (and good human beings) change their minds based on new information. In this presentation, Katie will share how her perspectives on ATT&CK have changed since moving from ATT&CK team member to ATT&CK end-user. She will discuss how her ideas about coverage, procedures, and detection creation have evolved and why those perspectives matter. Katie will also share practical examples from observed threats to help explain the nuances of her perspectives. Attendees should expect to leave this presentation with a better understanding of how to handle challenges they’re likely to face when navigating their own ATT&CK journey.
MITRE ATT&CKcon 2018: Summiting the Pyramid of Pain: Operationalizing ATT&CK,...MITRE - ATT&CKcon
Operationalizing the ATT&CK framework has enabled GE to deploy custom detection to evolving threat actor behaviors. By leveraging an in-house developed tool called TIAMAT (Tactical Intelligence Adversary Mapping and Analysis Tool) the ATT&CK framework is
incorporated into an end-to-end operational process from intelligence collection to customized detection deployment.
The designing of this new operational process is examined, and a use case presented of how examining a historical incident led to a new method of deploying detection based on ATT&CK and the detection of previously undiscovered activity. There is also a demo that walks the audience through the end-to-end process and explains TIAMATs capabilities.
FIRST CTI Symposium: Turning intelligence into action with MITRE ATT&CK™Katie Nickels
Katie Nickels and Adam Pennington presented "Turning intelligence into action with MITRE ATT&CK™" at the FIRST CTI Symposium in London on 20 March 2019.
Offensive security and Ethical Hacking is about providing business value. One of the most efficient and effective ways to improve security is through Adversary Emulation Purple Team Exercises. Adversary Emulation is a type of ethical hacking engagement where the Red Team emulates how an adversary operates, leveraging the same tactics, techniques, and procedures (TTPs), against a target organization. The goal of these engagements is to train and improve people, process, and technology. This is in contrast to a penetration test that focuses on testing technology and preventive controls. Adversary emulations are performed using a structured approach following industry methodologies and frameworks (such as MITRE ATT&CK) and leverage Cyber Threat Intelligence to emulate a malicious actor that has the opportunity, intent, and capability to attack the target organization. Adversary Emulations may be performed in a blind manner (Red Team Engagement) or non-blind (Purple Team) with the Blue Team having full knowledge of the engagement. In this talk, we will cover how to run a high-value adversary emulation through a Purple Team Exercise.
https://www.scythe.io/library/threatthursday-apt33
8.8 Las Vegas - Adversary Emulation con C2 MatrixJorge Orchilles
Keynote de 8.8 Las Vegas 2020: https://www.8dot8.org/8-8-las-vegas/
La presentacion es una combinacion de mis presentaciones de Blackhat 2020 Arsenal - C2 Matrix y DEF CON Red Team Village de Adversary Emulation.
https://twitter.com/jorgeorchilles
MITRE ATT&CKcon 2018: ATT&CK: All the Things, Neelsen Cyrus and David Thompso...MITRE - ATT&CKcon
USAA has utilized the MITRE ATT&CK framework as a unique means to map their current detection infrastructure and assess their ability to defend against the most relevant threats to their network. In this presentation they share some lessons learned during their journey with ATT&CK leading to identified best practices for workflow integration through team composition and custom tool development.
Landing on Jupyter: The transformative power of data-driven storytelling for ...MITRE ATT&CK
From ATT&CKcon 3.0
By Jose Barajas and Stephan Chenette, AttackIQ
Every cybersecurity leader wants visibility into the health of their security program. Yet teams suffer with disparate data streams - CTI teams and the SOC often use separate Excel spreadsheets, an anachronistic practice - and silos constrain their ability to operate effectively. Enter the Jupyter notebook, an open-source computational notebook that researchers use to combine code, computing output, text, and media into a single interface. In this talk, we share three stories of how organizations use Jupyter notebooks to align ATT&CK-based attack flows to the security program, generating data about detection and prevention failures, defensive gaps, and longitudinal performance. By using Jupyter notebooks in this way, teams can better leverage ATT&CK for security effectiveness. It becomes less of a bingo card and more of a strategic tool for understanding the health of the program against big tactics (I.e., lateral movement), defensive gaps (I.e., micro-segmentation), and the team's performance.
What is ATT&CK coverage, anyway? Breadth and depth analysis with Atomic Red TeamMITRE ATT&CK
From ATT&CKcon 3.0
By Brian Donohue, Red Canary
This presentation will highlight the Atomic Red Team project's efforts to define and increase the test coverage of MITRE ATT&CK techniques. We'll describe the challenges we encountered in defining what "coverage" means in the context of an ATT&CK-based framework, and how to use that definition to improve an open source project that's used by a diverse audience of practitioners to satisfy an equally diverse array of needs. The audience will learn how the Atomic Red Team maintainers standardize and categorize atomic tests, perform gap analysis to achieve deep technique-level coverage and broad matrix-level coverage, and quickly fill those gaps with new tests.
Threat Modelling - It's not just for developersMITRE ATT&CK
From ATT&CKcon 3.0
By Tim Wadhwa-Brown, Cisco
The purpose of this session will be to look at how you can take public information about threat actors, vulnerabilities, and incidents and use them to build better defenses, utilizing ATT&CK along the way to align your security organization to the people and assets that matter.
Stories are critical to how humans learn, so this session will leverage a story book approach to give the audience some ideas on approaches they could use. Tim will take the audience through 3 real world examples where he has leveraged ATT&CK to drive operational improvement. The premise of each story will be real, although some of the details will be apocryphal to protect the innocent.
One story will focus on defending a network, one will look at adversary detection, while the final one will look at responding to an active attack and in each case, Tim will guide the audience to think about the kinds of data sources that ATT&CK tracks, that they might call upon to achieve a successful outcome.
MITRE ATT&CKcon 2018: ATT&CK as a Teacher, Travis Smith, TripwireMITRE - ATT&CKcon
ATT&CK is valuable for those of us who are heads down in security day in and day out. But what about using ATT&CK to each college interns about security?
This presentation details how Tripwire used ATT&CK to build- out a new training regimen for summer interns. By going through and finding quick wins, Tripwire’s interns were actively engaged in learning about security. The detailed break downs of ATT&CK were greatly beneficial in helping teach security concepts to those who were not yet familiar with them. This session shows the program details and how you might be able to adapt it to your requirements.
Sharpening your Threat-Hunting Program with ATTACK FrameworkMITRE - ATT&CKcon
From MITRE ATT&CKcon Power Hour December 2020
By Hieu Tran, Threat Detection Team Lead FPT Cybersecurity Division
No matter how sophisticated and thorough your security precautions may be, you cannot assume your security measures are impenetrable. This is why you need a threat hunting program in place. But how can we implement a proper threat hunting program and run it efficiently? In this talk, we will uncover how to sharpen your threat hunting strategy by leveraging ATT&CK. Ultimately, we’ll be demonstrating how effectively employing the hunting methodology in the real-world battlefield, fighting against well-known cyber espionage actors who strongly focus on Southeast Asian countries like Vietnam, the Philippines, Laos, and Cambodia.
It's just a jump to the left (of boom): Prioritizing detection implementation...MITRE ATT&CK
From ATT&CKcon 3.0
By Lindsay Kaye and Scott Small, Recorded Future
Many organizations ask: "Where do I start, and where do I go next" when prioritizing implementation of behavior-based detections? We often hear "use threat intelligence!" but your goals must be qualified and quantified in order to properly prioritize the most relevant TTPs. A wealth of open-sourced, ATT&CK-mapped resources now exists, giving security teams greater access to both detections and red team tests they can implement, but intelligence (also aligned with ATT&CK), is essential to provide necessary context to ensure that detection efforts are focused effectively.
This session will discuss a new approach to the prioritization challenge, starting with an analysis of the current defensive landscape, as measured by ATT&CK coverage for more than a dozen detection repositories and technologies, and guidance on sourcing TTP intelligence. The team will then show how real-world defensive strategies can be strengthened by encompassing a full-spectrum view of threat detection, including the implementation of YARA, Sigma, and Snort in security appliances. Critically, alignment of both intelligence and defenses with ATT&CK enables defenders to move the focus of detection efforts to indications of malicious behavior before the final payload is deployed, where controls are most effective at preventing serious damage to the organization.
Hunting for Evil with the Elastic StackElasticsearch
Whether you are threat hunting or responding to a signature-based alert, learn how to use Elastic tools to tell the entire story and more efficiently root out adversaries in your environment.
See the video: https://www.elastic.co/elasticon/tour/2019/washington-dc/hunting-for-evil-with-the-elastic-stack
Mapping to MITRE ATT&CK: Enhancing Operations Through the Tracking of Interac...MITRE ATT&CK
From ATT&CKcon 3.0
By Jason Wood and Justin Swisher, CrowdStrike
When it comes to understanding and tracking intrusion tradecraft, security teams must have the tools and processes that allow the mapping of hands-on adversary tradecraft. Doing this enables your team to both understand the adversaries and attacks you currently see and observe how these adversaries and attacks evolve over time. This session will explore how a threat hunting team uses MITRE ATT&CK to understand and categorize adversary activity. The team will demonstrate how threat hunters map ATT&CK TTPs by showcasing a recent interactive intrusion against a Linux endpoint and how the framework allowed for granular tracking of tradecraft and enhanced security operations. They will also take a look into the changes in the Linux activity they have observed over time, using the ATT&CK navigator to compare and contrast technique usage. This session will provide insights into how we use MITRE ATT&CK as a powerful resource to track intrusion tradecraft, identify adversary trends, and prepare for attacks of the future.
Using MITRE PRE-ATTACK and ATTACK in Cybercrime Education and ResearchMITRE - ATT&CKcon
From MITRE ATT&CKcon Power Hour October 2020
By:
Aunshul Rege, Associate Professor, Temple University, @prof_rege
Rachel Bleiman, PhD Student/NSF Graduate Research Assistant, Temple University, @rab1928
This presentation from the MITRE ATT&CKcon Power Hour session on October 9, 2020, explores the application of the MITRE ATT&CK® and PRE-ATT&CK matrices in cybercrime education and research. Specifically, Rege and Bleiman demonstrate the mapping of the PRE-ATT&CK matrix to social engineering case studies as an experiential learning project in an upper-level cybercrime liberal arts course. It thus allows students to understand the alignment process of threat intelligence to the PRE-ATT&CK framework and also learn about its usefulness/limitations. The talk also discusses the mapping of the ATT&CK matrix, tactics, techniques, software, and groups for two cybercrime datasets created by collating publicly disclosed incidents: (i) critical infrastructure ransomware (CIRW) incidents, and (ii) social engineering (SE) incidents. For the CIRW dataset, 39% of the strains mapped onto the ATT&CK software. For the SE dataset, 49% of the groups and 65% of the techniques map on to the MITRE framework. This helps the researchers identify the framework's usefulness/limitations and also helps our datasets connect to richer information that may not otherwise be available in the publicly disclosed incidents.
Purple Team Exercise Framework Workshop #PTEFJorge Orchilles
Purple Team exercises are an efficient and effective method of adversary emulation leading to the training and improvement of people, process, and technology. Red Teams and Blue Teams work together in a live production environment, emulating a selected adversary that has the capability, intent, and opportunity to attack the target organization provided by Cyber Threat Intelligence. Purple Team exercises are ‘hands on keyboard’ exercises where Red and Blue teams work together with an open discussion about each attack procedure and how to detect and alert against it.
Purple Team Exercise Framework #PTEF: https://www.scythe.io/ptef
Ethical Hacking Maturity Model: https://www.scythe.io/library/scythes-ethical-hacking-maturity-model
Definitions: https://medium.com/@jorgeorchilles/ethical-hacking-definitions-9b9a6dad4988
#ThreatThursday: https://www.scythe.io/threatthursday
#C2Matrix: https://thec2matrix.com/
Atomic Purple Team: https://github.com/DefensiveOrigins/AtomicPurpleTeam
SCYTHE Playbooks: https://github.com/scythe-io/community-threats
#ThreatHunting Playbooks: https://threathunterplaybook.com/introduction.html
VECTR: https://vectr.io/
Unicon: https://www.scythe.io/unicon2020
Purple Team - Work it out: Organizing Effective Adversary Emulation ExercisesJorge Orchilles
Presented at the inaugural SANS Purple Team Summit & Training event, this presentation covers performing a high value adversary emulation exercise in a purple team fashion (red and blue team sitting together throughout the entire engagement).
From ATT&CKcon 3.0
By Fred Frey and Jonathan Mulholland, SnapAttack
Atomic Red Team and Sigma are the largest open-source attack simulation and analytic projects. Many organizations utilize one or both internally for security controls validation or supplementing their detections and alerts. Building on the work from these two great communities, we smashed (scientific-term) the attacks and analytics together and applied data science to analyze the results. We'll describe our methodology and testing framework, show the real-world MITRE ATT&CK coverage and gaps, discuss our algorithms for calculating analytic similarity, identifying log sources for a technique, and determining the best analytics to deploy that maximizes ATT&CK coverage.
This project aims to:
- Bring a measurable testing rigor to community analytics to improve adoption
- Test every analytic against every attack, validating the true positive detection
- Understand the log sources required to detect specific attack techniques
- Apply data science to identify analytic similarity (reduce community duplication)
- Identify gaps between the projects' analytics without attack simulations; attack simulations without detections; missing or incorrect MITRE ATT&CK labels, etc
- Automate the process so insights can stay up to date with new attack/analytic contributions over time
- Share our analysis back to the community to improve these projects
Knowledge for the masses: Storytelling with ATT&CKMITRE ATT&CK
From ATT&CKcon 3.0
By Ismael Valenzuela and Jose Luis Sanchez Martinez, Trellix
The Trellix team believes that creating and sharing compelling stories about cyber threats -with ATT&CK- is a powerful way for raising awareness and enabling actionability against cyber threats.
In this talk the team will share their experiences leveraging ATT&CK to disseminate Threat knowledge to different audiences (Software Development teams, Managers, Threat detection engineers, Threat hunters, Cyber Threat Analysts, Support Engineers, upper management, etc.).
They will show concrete examples and representations created with ATT&CK to describe the threats at different levels, including: 1) an Attack Path graph that shows the overall flow of the attack; 2) Tactic-specific TTP summary tables and graphs; 3) very detailed, step-by-step description of the attacker's behaviors.
Effective Threat Hunting with Tactical Threat IntelligenceDhruv Majumdar
How to set up a Threat Hunting Team for Active Defense utilizing Cyber Threat Intelligence and how CTI can help a company grow and improve its security posture.
10(?) holiday gifts for the SOC who has everythingRyan Kovar
Automating your organization’s security operations is no longer optional. It’s essential. Increasing analyst productivity and decreasing response time can mean the difference between successfully containing an attack, and suffering a devastating breach. This talk will focus on
ten practical automation techniques—each implemented in either Python or PowerShell—
that extend the functionality of a popular commercial SIEM. Each technique will demonstrate how to automatically gather additional context on an alert, make configuration changes in an operational environment, or retrieve and analyze forensic evidence. Proof of concept code samples and live/recorded demonstrations will be provided.
8.8 Las Vegas - Adversary Emulation con C2 MatrixJorge Orchilles
Keynote de 8.8 Las Vegas 2020: https://www.8dot8.org/8-8-las-vegas/
La presentacion es una combinacion de mis presentaciones de Blackhat 2020 Arsenal - C2 Matrix y DEF CON Red Team Village de Adversary Emulation.
https://twitter.com/jorgeorchilles
MITRE ATT&CKcon 2018: ATT&CK: All the Things, Neelsen Cyrus and David Thompso...MITRE - ATT&CKcon
USAA has utilized the MITRE ATT&CK framework as a unique means to map their current detection infrastructure and assess their ability to defend against the most relevant threats to their network. In this presentation they share some lessons learned during their journey with ATT&CK leading to identified best practices for workflow integration through team composition and custom tool development.
Landing on Jupyter: The transformative power of data-driven storytelling for ...MITRE ATT&CK
From ATT&CKcon 3.0
By Jose Barajas and Stephan Chenette, AttackIQ
Every cybersecurity leader wants visibility into the health of their security program. Yet teams suffer with disparate data streams - CTI teams and the SOC often use separate Excel spreadsheets, an anachronistic practice - and silos constrain their ability to operate effectively. Enter the Jupyter notebook, an open-source computational notebook that researchers use to combine code, computing output, text, and media into a single interface. In this talk, we share three stories of how organizations use Jupyter notebooks to align ATT&CK-based attack flows to the security program, generating data about detection and prevention failures, defensive gaps, and longitudinal performance. By using Jupyter notebooks in this way, teams can better leverage ATT&CK for security effectiveness. It becomes less of a bingo card and more of a strategic tool for understanding the health of the program against big tactics (I.e., lateral movement), defensive gaps (I.e., micro-segmentation), and the team's performance.
What is ATT&CK coverage, anyway? Breadth and depth analysis with Atomic Red TeamMITRE ATT&CK
From ATT&CKcon 3.0
By Brian Donohue, Red Canary
This presentation will highlight the Atomic Red Team project's efforts to define and increase the test coverage of MITRE ATT&CK techniques. We'll describe the challenges we encountered in defining what "coverage" means in the context of an ATT&CK-based framework, and how to use that definition to improve an open source project that's used by a diverse audience of practitioners to satisfy an equally diverse array of needs. The audience will learn how the Atomic Red Team maintainers standardize and categorize atomic tests, perform gap analysis to achieve deep technique-level coverage and broad matrix-level coverage, and quickly fill those gaps with new tests.
Threat Modelling - It's not just for developersMITRE ATT&CK
From ATT&CKcon 3.0
By Tim Wadhwa-Brown, Cisco
The purpose of this session will be to look at how you can take public information about threat actors, vulnerabilities, and incidents and use them to build better defenses, utilizing ATT&CK along the way to align your security organization to the people and assets that matter.
Stories are critical to how humans learn, so this session will leverage a story book approach to give the audience some ideas on approaches they could use. Tim will take the audience through 3 real world examples where he has leveraged ATT&CK to drive operational improvement. The premise of each story will be real, although some of the details will be apocryphal to protect the innocent.
One story will focus on defending a network, one will look at adversary detection, while the final one will look at responding to an active attack and in each case, Tim will guide the audience to think about the kinds of data sources that ATT&CK tracks, that they might call upon to achieve a successful outcome.
MITRE ATT&CKcon 2018: ATT&CK as a Teacher, Travis Smith, TripwireMITRE - ATT&CKcon
ATT&CK is valuable for those of us who are heads down in security day in and day out. But what about using ATT&CK to each college interns about security?
This presentation details how Tripwire used ATT&CK to build- out a new training regimen for summer interns. By going through and finding quick wins, Tripwire’s interns were actively engaged in learning about security. The detailed break downs of ATT&CK were greatly beneficial in helping teach security concepts to those who were not yet familiar with them. This session shows the program details and how you might be able to adapt it to your requirements.
Sharpening your Threat-Hunting Program with ATTACK FrameworkMITRE - ATT&CKcon
From MITRE ATT&CKcon Power Hour December 2020
By Hieu Tran, Threat Detection Team Lead FPT Cybersecurity Division
No matter how sophisticated and thorough your security precautions may be, you cannot assume your security measures are impenetrable. This is why you need a threat hunting program in place. But how can we implement a proper threat hunting program and run it efficiently? In this talk, we will uncover how to sharpen your threat hunting strategy by leveraging ATT&CK. Ultimately, we’ll be demonstrating how effectively employing the hunting methodology in the real-world battlefield, fighting against well-known cyber espionage actors who strongly focus on Southeast Asian countries like Vietnam, the Philippines, Laos, and Cambodia.
It's just a jump to the left (of boom): Prioritizing detection implementation...MITRE ATT&CK
From ATT&CKcon 3.0
By Lindsay Kaye and Scott Small, Recorded Future
Many organizations ask: "Where do I start, and where do I go next" when prioritizing implementation of behavior-based detections? We often hear "use threat intelligence!" but your goals must be qualified and quantified in order to properly prioritize the most relevant TTPs. A wealth of open-sourced, ATT&CK-mapped resources now exists, giving security teams greater access to both detections and red team tests they can implement, but intelligence (also aligned with ATT&CK), is essential to provide necessary context to ensure that detection efforts are focused effectively.
This session will discuss a new approach to the prioritization challenge, starting with an analysis of the current defensive landscape, as measured by ATT&CK coverage for more than a dozen detection repositories and technologies, and guidance on sourcing TTP intelligence. The team will then show how real-world defensive strategies can be strengthened by encompassing a full-spectrum view of threat detection, including the implementation of YARA, Sigma, and Snort in security appliances. Critically, alignment of both intelligence and defenses with ATT&CK enables defenders to move the focus of detection efforts to indications of malicious behavior before the final payload is deployed, where controls are most effective at preventing serious damage to the organization.
Hunting for Evil with the Elastic StackElasticsearch
Whether you are threat hunting or responding to a signature-based alert, learn how to use Elastic tools to tell the entire story and more efficiently root out adversaries in your environment.
See the video: https://www.elastic.co/elasticon/tour/2019/washington-dc/hunting-for-evil-with-the-elastic-stack
Mapping to MITRE ATT&CK: Enhancing Operations Through the Tracking of Interac...MITRE ATT&CK
From ATT&CKcon 3.0
By Jason Wood and Justin Swisher, CrowdStrike
When it comes to understanding and tracking intrusion tradecraft, security teams must have the tools and processes that allow the mapping of hands-on adversary tradecraft. Doing this enables your team to both understand the adversaries and attacks you currently see and observe how these adversaries and attacks evolve over time. This session will explore how a threat hunting team uses MITRE ATT&CK to understand and categorize adversary activity. The team will demonstrate how threat hunters map ATT&CK TTPs by showcasing a recent interactive intrusion against a Linux endpoint and how the framework allowed for granular tracking of tradecraft and enhanced security operations. They will also take a look into the changes in the Linux activity they have observed over time, using the ATT&CK navigator to compare and contrast technique usage. This session will provide insights into how we use MITRE ATT&CK as a powerful resource to track intrusion tradecraft, identify adversary trends, and prepare for attacks of the future.
Using MITRE PRE-ATTACK and ATTACK in Cybercrime Education and ResearchMITRE - ATT&CKcon
From MITRE ATT&CKcon Power Hour October 2020
By:
Aunshul Rege, Associate Professor, Temple University, @prof_rege
Rachel Bleiman, PhD Student/NSF Graduate Research Assistant, Temple University, @rab1928
This presentation from the MITRE ATT&CKcon Power Hour session on October 9, 2020, explores the application of the MITRE ATT&CK® and PRE-ATT&CK matrices in cybercrime education and research. Specifically, Rege and Bleiman demonstrate the mapping of the PRE-ATT&CK matrix to social engineering case studies as an experiential learning project in an upper-level cybercrime liberal arts course. It thus allows students to understand the alignment process of threat intelligence to the PRE-ATT&CK framework and also learn about its usefulness/limitations. The talk also discusses the mapping of the ATT&CK matrix, tactics, techniques, software, and groups for two cybercrime datasets created by collating publicly disclosed incidents: (i) critical infrastructure ransomware (CIRW) incidents, and (ii) social engineering (SE) incidents. For the CIRW dataset, 39% of the strains mapped onto the ATT&CK software. For the SE dataset, 49% of the groups and 65% of the techniques map on to the MITRE framework. This helps the researchers identify the framework's usefulness/limitations and also helps our datasets connect to richer information that may not otherwise be available in the publicly disclosed incidents.
Purple Team Exercise Framework Workshop #PTEFJorge Orchilles
Purple Team exercises are an efficient and effective method of adversary emulation leading to the training and improvement of people, process, and technology. Red Teams and Blue Teams work together in a live production environment, emulating a selected adversary that has the capability, intent, and opportunity to attack the target organization provided by Cyber Threat Intelligence. Purple Team exercises are ‘hands on keyboard’ exercises where Red and Blue teams work together with an open discussion about each attack procedure and how to detect and alert against it.
Purple Team Exercise Framework #PTEF: https://www.scythe.io/ptef
Ethical Hacking Maturity Model: https://www.scythe.io/library/scythes-ethical-hacking-maturity-model
Definitions: https://medium.com/@jorgeorchilles/ethical-hacking-definitions-9b9a6dad4988
#ThreatThursday: https://www.scythe.io/threatthursday
#C2Matrix: https://thec2matrix.com/
Atomic Purple Team: https://github.com/DefensiveOrigins/AtomicPurpleTeam
SCYTHE Playbooks: https://github.com/scythe-io/community-threats
#ThreatHunting Playbooks: https://threathunterplaybook.com/introduction.html
VECTR: https://vectr.io/
Unicon: https://www.scythe.io/unicon2020
Purple Team - Work it out: Organizing Effective Adversary Emulation ExercisesJorge Orchilles
Presented at the inaugural SANS Purple Team Summit & Training event, this presentation covers performing a high value adversary emulation exercise in a purple team fashion (red and blue team sitting together throughout the entire engagement).
From ATT&CKcon 3.0
By Fred Frey and Jonathan Mulholland, SnapAttack
Atomic Red Team and Sigma are the largest open-source attack simulation and analytic projects. Many organizations utilize one or both internally for security controls validation or supplementing their detections and alerts. Building on the work from these two great communities, we smashed (scientific-term) the attacks and analytics together and applied data science to analyze the results. We'll describe our methodology and testing framework, show the real-world MITRE ATT&CK coverage and gaps, discuss our algorithms for calculating analytic similarity, identifying log sources for a technique, and determining the best analytics to deploy that maximizes ATT&CK coverage.
This project aims to:
- Bring a measurable testing rigor to community analytics to improve adoption
- Test every analytic against every attack, validating the true positive detection
- Understand the log sources required to detect specific attack techniques
- Apply data science to identify analytic similarity (reduce community duplication)
- Identify gaps between the projects' analytics without attack simulations; attack simulations without detections; missing or incorrect MITRE ATT&CK labels, etc
- Automate the process so insights can stay up to date with new attack/analytic contributions over time
- Share our analysis back to the community to improve these projects
Knowledge for the masses: Storytelling with ATT&CKMITRE ATT&CK
From ATT&CKcon 3.0
By Ismael Valenzuela and Jose Luis Sanchez Martinez, Trellix
The Trellix team believes that creating and sharing compelling stories about cyber threats -with ATT&CK- is a powerful way for raising awareness and enabling actionability against cyber threats.
In this talk the team will share their experiences leveraging ATT&CK to disseminate Threat knowledge to different audiences (Software Development teams, Managers, Threat detection engineers, Threat hunters, Cyber Threat Analysts, Support Engineers, upper management, etc.).
They will show concrete examples and representations created with ATT&CK to describe the threats at different levels, including: 1) an Attack Path graph that shows the overall flow of the attack; 2) Tactic-specific TTP summary tables and graphs; 3) very detailed, step-by-step description of the attacker's behaviors.
Effective Threat Hunting with Tactical Threat IntelligenceDhruv Majumdar
How to set up a Threat Hunting Team for Active Defense utilizing Cyber Threat Intelligence and how CTI can help a company grow and improve its security posture.
Effective Threat Hunting with Tactical Threat Intelligence
Similar to MITRE ATT&CKcon 2018: From Automation to Analytics: Simulating the Adversary to Create Better Detections, David Herrald and Ryan Kovar, Splunk
10(?) holiday gifts for the SOC who has everythingRyan Kovar
Automating your organization’s security operations is no longer optional. It’s essential. Increasing analyst productivity and decreasing response time can mean the difference between successfully containing an attack, and suffering a devastating breach. This talk will focus on
ten practical automation techniques—each implemented in either Python or PowerShell—
that extend the functionality of a popular commercial SIEM. Each technique will demonstrate how to automatically gather additional context on an alert, make configuration changes in an operational environment, or retrieve and analyze forensic evidence. Proof of concept code samples and live/recorded demonstrations will be provided.
In this talk we will discuss key traits of some of the largest and most successful security operations centers we’ve visited over the last two years. From automating tier-1 to integrating investigations into Slack channels, from curating toolchains to cutting out threat feeds, we’ll cover what’s working well and what challenges remain. Many industry verticals will be represented including financial services, multi-national conglomerates, entertainment, healthcare, energy, defense, technology, and dynamic internet startups.
The landscape of "threat hunting" has drastically changed due to the increase in TLS encrypted Internet traffic. The days of adversaries registering domains with their given names are gone and malicious actors increasingly use malware that takes advantage of TLS encryption to hide their tracks. Yet, even in this brave new world of altered TTPs, the adversaries leave clues that can expose their infrastructure. To find these clues, however, blue teams need to learn some new tricks.
Our talk focuses on expanding upon techniques that have been researched and presented on at various conferences by Mark Parsons, specifically, his methods for using TLS certificates to find malicious malware infrastructure. We will build upon Parsons' corpus of work and show how his approach to malware certificate hunting can be expanded upon to detect instances of PowerShell Empire servers that have self-generated SSL certs on port 443 and 8080. These certificates have a unique finger print that can be detected by leveraging tools like zmap/zgrep, python, and statistics/machine learning. The results of this research will show how network defenders can find previously unknown instances of malicious infrastructure communicating with their network and prevent them in the future. Finally, we will discuss our hypotheses creation, our code and techniques, methods of validation for verification, and release our tools and methodology for use by the community to explore other "hidden empires" of malware that may exist.
Smart Data Webinar: Advances in Natural Language ProcessingDATAVERSITY
Natural language processing (NLP) - once on the frontier of AI as a research topic with maddeningly low accuracy - is rapidly becoming a requirement for mainstream consumer and enterprise applications. Today, one can build a system that allows natural language text or speech input without knowing much more than a few API specs.
In this webinar we will cover the basics of speech recognition, semantic analysis for text analysis, and recent advances in natural language generation. Participants will learn how modern approaches have gone beyond counting words with statistical models to predicting speech the way people fill in sentences with context while listening. We will also present examples of commercially available NLP APIs to help participants experiment with NLP in their own applications.
The Hidden Empires of Malware with TLS Certified Hypotheses and Machine LearningRyan Kovar
The “threat hunting” landscape has drastically changed due to the increase in encrypted transport layer security (TLS) Internet traffic. The days of adversaries registering domains with their given names are gone, and malicious actors increasingly use malware that takes advantage of TLS encryption to hide their tracks. Yet, even in this brave new world of altered tactics, techniques, and procedures, adversaries leave clues that can expose their infrastructure. To find these clues, however, blue teams need to learn some new tricks. This talk focuses on expanding on techniques that have been researched and presented at various conferences by Mark Parsons, and specifically on his methods for using TLS certificates to find malicious malware infrastructure. We will build on Parsons’ body of work and show how his approach to malware certificate hunting can be expanded to detect instances of PowerShell Empire servers that have self-generated SSL certifications on port 443 and 8080. These certificates have a unique fingerprint that can be detected by leveraging tools like zmap/zgrep, python, and statistics/machine learning. The results of this research will show how network defenders can find previously unknown instances of malicious infrastructure communicating with their network and prevent them in the future. Finally, we will discuss our creation of hypotheses, codes and techniques, and methods of validation for verification. We’ll then release our tools and methodology for use by the community to explore other potential “hidden empires” of malware
Your adversaries continue to attack and get into companies. You can no longer rely solely on alerts from point solutions to secure your network. To identify and mitigate these advanced threats, analysts must become proactive in identifying not just indicators, but attack patterns and behavior. In this workshop we will walk through a hands-on exercise with a real world attack scenario. The workshop will illustrate how advanced correlations from multiple data sources and machine learning can enhance security analysts capability to detect and quickly mitigate advanced attacks.
Leveraging Open Source Automated Data Science ToolsDomino Data Lab
The data science process seeks to transform and empower organizations by finding and exploiting market inefficiencies and potentially hidden opportunities, but this is often an expensive, tedious process. However, many steps can be automated to provide a streamlined experience for data scientists. Eduardo Arino de la Rubia explores the tools being created by the open source community to free data scientists from tedium, enabling them to work on the high-value aspects of insight creation and impact validation.
The promise of the automated statistician is almost as old as statistics itself. From the creations of vast tables, which saved the labor of calculation, to modern tools which automatically mine datasets for correlations, there has been a considerable amount of advancement in this field. Eduardo compares and contrasts a number of open source tools, including TPOT and auto-sklearn for automated model generation and scikit-feature for feature generation and other aspects of the data science workflow, evaluates their results, and discusses their place in the modern data science workflow.
Along the way, Eduardo outlines the pitfalls of automated data science and applications of the “no free lunch” theorem and dives into alternate approaches, such as end-to-end deep learning, which seek to leverage massive-scale computing and architectures to handle automatic generation of features and advanced models.
There are all these great blog posts about Deep Learning describing all that awesome stuff. - Is it all that easy? Let's check! This is part 2 of on ongoing series of adventures in Deep Learning for fun, research and business.
Alexander' professional career was always about digitalisation: starting from vinyl records in the nineties to to advanced data analytics nowadays. He's program chair of Europe's main Python conference EuroPython, one of the 25 mongoDB masters, organiser of PyConDE and a regular contributor to the tech community. He has spoken at many international conferences in Silicon Valley, New York, London, Florence or Paris. He's a partner at Königsweg (http://koenigsweg.com) consultancy for digitalisation, high-tech and data science where he consults enterprises on data matters and trains individuals in Python and AI.
This talk covers style transfer (making a picture look like painting), speech generation (like Siri or Alexa) and text generation (writing a story). In this talk describes the whole journey: A fun ride from the idea to the very end including all the struggles, failures and successes.
Steps covered:
- The data challenge: get the data ready
- Have it run on your Mac with PyTorch and an eGPU
- Creating a character-level language models with an Recurrent Neural Network
- Creating a text generator
- Creating artwork
- Data challenges and solutions in the non English NLP space
Intuition & Use-Cases of Embeddings in NLP & beyondC4Media
Video and slides synchronized, mp3 and slide download available at URL http://bit.ly/2LZgiKO.
Jay Alammar talks about the concept of word embeddings, how they're created, and looks at examples of how these concepts can be carried over to solve problems like content discovery and search ranking in marketplaces and media-consumption services (e.g. movie/music recommendations). Filmed at qconlondon.com.
Jay Alammar is VC and ML Explainer at STVcapital. He has helped tens of thousands of people wrap their heads around complex ML topics. He harnesses a visual, highly-intuitive presentation style to communicate concepts ranging from the most basic intros to data analysis, interactive intros to neural networks, to dissections of state-of-the-art models in Natural Language Processing.
Presentation from the North Texas ISSA July 2015 Lunch and Learn meeting: Advanced Threat Hunting
Similar to MITRE ATT&CKcon 2018: From Automation to Analytics: Simulating the Adversary to Create Better Detections, David Herrald and Ryan Kovar, Splunk (20)
ATTACKers Think in Graphs: Building Graphs for Threat IntelligenceMITRE - ATT&CKcon
From MITRE ATT&CKcon Power Hour January 2021
By Valentine Mairet, Security Researcher, McAfee
The MITRE ATT&CK framework is the industry standard to dissect cyberattacks into used techniques. At McAfee, all attack information is disseminated into different categories, including ATT&CK techniques. What results from this exercise is an extensive repository of techniques used in cyberattacks that goes back many years. Much can be learned from looking at historical attack data, but how can we piece all this information together to identify new relationships between threats and attacks? In her recent efforts, Valentine has embraced analyzing ATT&CK data in graphical representations. One lesson learned is that it is not just about merely mapping out attacks and techniques used into graphs, but the strength lies in applying different algorithms to answer specific questions. In this presentation, Valentine will showcase the results and techniques obtained from her research journey using graph and graph algorithms.
From MITRE ATT&CKcon Power Hour January 2021
By Adam Pennington, ATT&CK Lead, MITRE
Adam leads ATT&CK at The MITRE Corporation and collected much of the intelligence leveraged in creating ATT&CK’s initial techniques. He has spent much of his 12 years with MITRE studying and preaching the use of deception for intelligence gathering. Prior to joining MITRE, Adam was a researcher at Carnegie Mellon’s Parallel Data Lab and earned his BS and MS degrees in Computer Science and Electrical and Computer Engineering as well as the 2017 Alumni Service Award from Carnegie Mellon University. Adam has presented and published in a number of venues including FIRST CTI, USENIX Security and ACM Transactions on Information and System Security.
ATTACK-Onomics: Attacking the Economics Behind Techniques Used by AdversariesMITRE - ATT&CKcon
From MITRE ATT&CKcon Power Hour January 2021
By Gert-Jan Bruggink, Defensive Specialist, FalconForce
Adversaries are humans as well. They have objectives, deadlines and resources for programming.
In a sense, very similar to corporations grounded in the economics of effort vs time vs results. Now understanding techniques is one thing, taking it a step further and understanding what the economic impact is of using certain techniques is another. Developing tools takes time. For example, developing a custom process injection module might take days or weeks to develop, where using an open source tool could prevent extensive development costs incurred.
This talk explores the economic considerations for defending against techniques used by adversaries. It explores fundamental considerations all referenced to MITRE’s ATT&CK framework. The objective of this talk is to inspire defensive strategies designed to impact cost incurred by adversaries to perform compromises.
Measure What Matters: How to Use MITRE ATTACK to do the Right Things in the R...MITRE - ATT&CKcon
From MITRE ATT&CKcon Power Hour January 2021
By Daniel Wyleczuk-Stern, Senior Security Engineer, Snowflake
Cyber security is inherently a function of risk management. Risk management is the identification, evaluation, and prioritization of risks followed by the effort to reduce those risks in a coordinated and economical manner (thanks wikipedia!). In this talk, Daniel will be going over some strategies for measuring and prioritizing your cyber risks using MITRE ATT&CK. He'll discuss some lessons learned in atomic testing of techniques vs attack chaining as well as what to measure and how to make decisions with that data.
Using ATTACK to Create Cyber DBTS for Nuclear Power PlantsMITRE - ATT&CKcon
From MITRE ATT&CKcon Power Hour December 2020
By Jacob Benjamin, Principal Industrial Consultant Dragos, INL, & University of Idaho
Design Basis Threat (DBT) is concept introduced by the Nuclear Regulatory Commission (NRC). It is a profile of the type, composition, and capabilities of an adversary. DBT is the key input nuclear power plants use for the design of systems against acts of radiological sabotage and theft of special nuclear material. The NRC expects its licensees, nuclear power plants, to demonstrate that they can defend against the DBT. Currently, cyber is included in DBTs simply as a prescribed list of IT centric security controls. Using MITRE’s ATT&CK framework, Cyber DBTs can be created that are specific to the facility, its material, or adversary activities.
Helping Small Companies Leverage CTI with an Open Source Threat MappingMITRE - ATT&CKcon
From MITRE ATT&CKcon Power Hour December 2020
By Valentina Palacín, Sr. Cyber Threat Intelligence Analyst
No one can deny the tremendous impact that ATT&CK had on the cybersecurity industry, nor the usefulness of having a good Threat Library at your disposal. But the question Valentina gets asked over and over by people from small companies is always the same: “How could I leverage threat intelligence using ATT&CK with limited time and resources?” And so far, there hasn't been a good answer. That’s why she decided to come up with the Threat Mapping Catalogue (TMC), a tool that combines the power of the mappings already available in the ATT&CK website, TRAM and the ATT&CK Navigator, to better process, consume and incorporate new mappings while organizing them around different categories.
From MITRE ATT&CKcon Power Hour December 2020
By Otis Alexander, Principal Cybersecurity Engineer, MITRE
Otis Alexander is a Principal Cyber Security Engineer at the MITRE Corporation and has worked in the areas of security engineering and research, analytic development, and adversary modeling and emulation. Otis is a co-creator of ATT&CK for ICS and has been leading the project since its inception. He also leads an effort to bring MITRE ATT&CK Evaluations to ICS security vendors providing anomaly and threat detection solutions. He advocates for network and host visibility in operational technology environments to increase the situational awareness of defenders.
From MITRE ATT&CKcon Power Hour November 2020
By:
Jamie Williams, Lead Cyber Adversarial Engineer, MITRE
Mike Hartley, Lead Cybersecurity Engineer, MITRE
In this presentation from the MITRE ATT&CKcon Power Hour session on November 12, 2020 Jamie Williams and Mike Hartley from MITRE discuss the process for merging PRE-ATT&CK and adding two new tactics to Enterprise ATT&CK – Reconnaissance and Resource Development.
From MITRE ATT&CKcon Power Hour November 2020
By Matt Snyder, Senior Threat Analytics Engineer, VMware
The market for Security products is flooded with vendors offering all sorts of solutions, and organizations are spending a record amount of money defending their environments. Nevertheless, an increasing number of breaches are reported each year, resulting in organizations spending millions of dollars to remediate them. The Security industry responds with more products, all offering to stop the next breach, and the cycle continues. In this presentation from the MITRE ATT&CKcon Power Hour session on November 12, 2020, Matt discusses what VMware is doing internally to address this fundamental flaw in the Security industry and how they are leveraging the MITRE ATT&CK framework to reshape how we think about security.
From MITRE ATT&CKcon Power Hour November 2020
By Anthony Randazzo, Global Response Lead, Expel
The team at Expel has been migrating to the cloud for the last 10 years, but as usual, security has lagged behind. Which means we don't have a comprehensive detection and response framework for cloud like we do with the Enterprise ATT&CK matrix. Cloud has evolved into a complex beast as technologies and concepts – like Infrastructure As Code, Containers, Kubernetes and so forth – have emerged. These new attack surfaces have been added that introduce additional challenges to detection and response in our cloud environments. We don't know what we don't know about attack life cycles in the cloud. In this presentation from the MITRE ATT&CKcon Power Hour session on November 12, 2020, Anthony shares some interesting lessons learned so far when it comes to finding bad guys in the cloud.
Mapping the EventBot Mobile Banking Trojan with MITRE ATTACK for MobileMITRE - ATT&CKcon
From MITRE ATT&CKcon Power Hour November 2020
By Allie Mellen, Security Strategist, Office of the CSO, Cybereason
In this presentation from the MITRE ATT&CKcon Power Hour session on November 12, Allie discusses how the Cybereason research team uses both MITRE ATT&CK and MITRE ATT&CK for Mobile to map and communicate new malware to the larger security community. Teams use the MITRE ATT&CK framework to share techniques, tactics, and procedures with their team and the community at large. This knowledge base has been incredibly beneficial for the development of specific threat models and methodologies in the private sector, in government, and in the cybersecurity product and service community. Many of these uses have centered around traditional endpoints like laptops and workstations. However, the MITRE ATT&CK team has also created a cutting-edge portion of their framework: MITRE ATT&CK for Mobile.
One of the most recent pieces of malware they have found is EventBot, a mobile banking trojan that targets Android devices and the financial services applications on them, including popular apps like Paypal Business, Revolut, Barclays, UniCredit, CapitalOne UK, HSBC UK, Santander UK, TransferWise, Coinbase, paysafecard, and many more. In this talk, learn about this specific attack, intended targets, a timeline of the attack, and the MITRE ATT&CK for Mobile mapping. Learn why the Cybereason team map to MITRE ATT&CK and MITRE ATT&CK for Mobile and what benefits it has given them and their interactions with the community.
Transforming Adversary Emulation Into a Data Analysis QuestionMITRE - ATT&CKcon
From MITRE ATT&CKcon Power Hour October 2020
By Matan Hart, Co-Founder & CEO Cymptom @machosec
Adversary emulation is commonly used to validate security controls and is considered one of the most popular use-cases for the ATT&CK framework. However, emulating adversary TTPs on production environments is often very limited in testing scope and frequency, and such practice may cause unwanted business disruption. In this talk from the MITRE ATT&CKcon Power Hour session on October 9, 2020, Hart presents a different approach to testing controls against ATT&CK. He demonstrates how it is possible to provide data-based methods to evaluate the exploitability of ATT&CK techniques by gathering information from the network, endpoint, and services; this unique approach does not emulate any sort of malicious action, thus reducing the potential of causing business disruption to the minimum. Hart also outlines a new open-source guideline based on ATT&CK mitigations, that security teams can use to assess their security posture non-intrusively and at scale.
TA505: A Study of High End Big Game Hunting in 2020MITRE - ATT&CKcon
From MITRE ATT&CKcon Power Hour October 2020
By Brandon Levene, Head of Applied Intelligence Google, @seraphimdomain
Opportunistically targeted ransomware deployments, aka Big Game Hunting (BGH), have caused a distinct disruption in the mechanics of monetizing crimeware compromises. This strategy has become the “end game” for the majority of organized cybercrime organizations, and one effect of this shift is the increased emphasis on enterprise-level targets. In this talk from the MITRE ATT&CKCon Power Hour session on October 9, 2020, Levene walks us through research about how a specific BGH threat actor pursues entry points, gains its foothold, pivots, and deploys payloads to maximize their financial gains with minimal effort - and infrastructure! You’ll walk away with an understanding of the latest BGH TTPs seen in enterprise environments, and how they map to the ATT&CK framework so you can build this research into your threat detection strategy and enhance your defenses.
From MITRE ATT&CKcon Power Hour October 2020
By Jen Burns, Lead Cybersecurity Engineer, MITRE, @snarejen
Jen Burns is a Lead Cybersecurity Engineer at MITRE and the Lead for MITRE ATT&CK® for Cloud. She’s also a red team developer and lead for ATT&CK Evaluations, using her skills in software engineering and adversary emulation. Previously, she was a tech lead at HubSpot on the Infrastructure Security team where she focused on red teaming and building detections in the cloud environment. This presentation is from the MITRE ATT&CKcon Power Hour session held on October 9, 2020.
From MITRE ATT&CKcon Power Hour - October
By Brian Donohue, Security Evangelist, Red Canary, @thebriandonohue
In early 2018, Red Canary adopted MITRE ATT&CK as the common language that they would use to categorize threats, measure detection coverage, and communicate about malicious behaviors. In the intervening years, they’ve relied on the framework to develop open source tools like Atomic Red Team and help security teams prioritize their defensive efforts with blogs and our annual Threat Detection Report.
In early 2020, MITRE announced that ATT&CK would be expanding its original taxonomy of tactics and techniques to include sub-techniques. In the months that followed MITRE's announcement, Red Canary’s research, intelligence, and detection engineering teams painstakingly remapped their library of thousands of behavioral analytics to sub-techniques. In doing so, they improved their correlational logic, experimented with the idea of conditional technique mapping, and, unfortunately, rendered the 2020 Threat Detection Report out-of-date.
In this talk from the MITRE ATT&CKcon Power Hour session on October 9, 2020, Brian discusses how refactoring for sub-techniques offered us the opportunity to apply all the lessons learned in more than two years of operationalizing ATT&CK. He also explores how Red Canary has remodeled its ATT&CK mapping to allow for added flexibility and human input and shows what happens when the Red Canary applied their new sub-technique mappings to the 2020 Threat Detection Report.
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...James Anderson
Effective Application Security in Software Delivery lifecycle using Deployment Firewall and DBOM
The modern software delivery process (or the CI/CD process) includes many tools, distributed teams, open-source code, and cloud platforms. Constant focus on speed to release software to market, along with the traditional slow and manual security checks has caused gaps in continuous security as an important piece in the software supply chain. Today organizations feel more susceptible to external and internal cyber threats due to the vast attack surface in their applications supply chain and the lack of end-to-end governance and risk management.
The software team must secure its software delivery process to avoid vulnerability and security breaches. This needs to be achieved with existing tool chains and without extensive rework of the delivery processes. This talk will present strategies and techniques for providing visibility into the true risk of the existing vulnerabilities, preventing the introduction of security issues in the software, resolving vulnerabilities in production environments quickly, and capturing the deployment bill of materials (DBOM).
Speakers:
Bob Boule
Robert Boule is a technology enthusiast with PASSION for technology and making things work along with a knack for helping others understand how things work. He comes with around 20 years of solution engineering experience in application security, software continuous delivery, and SaaS platforms. He is known for his dynamic presentations in CI/CD and application security integrated in software delivery lifecycle.
Gopinath Rebala
Gopinath Rebala is the CTO of OpsMx, where he has overall responsibility for the machine learning and data processing architectures for Secure Software Delivery. Gopi also has a strong connection with our customers, leading design and architecture for strategic implementations. Gopi is a frequent speaker and well-known leader in continuous delivery and integrating security into software delivery.
Epistemic Interaction - tuning interfaces to provide information for AI supportAlan Dix
Paper presented at SYNERGY workshop at AVI 2024, Genoa, Italy. 3rd June 2024
https://alandix.com/academic/papers/synergy2024-epistemic/
As machine learning integrates deeper into human-computer interactions, the concept of epistemic interaction emerges, aiming to refine these interactions to enhance system adaptability. This approach encourages minor, intentional adjustments in user behaviour to enrich the data available for system learning. This paper introduces epistemic interaction within the context of human-system communication, illustrating how deliberate interaction design can improve system understanding and adaptation. Through concrete examples, we demonstrate the potential of epistemic interaction to significantly advance human-computer interaction by leveraging intuitive human communication strategies to inform system design and functionality, offering a novel pathway for enriching user-system engagements.
Elevating Tactical DDD Patterns Through Object CalisthenicsDorra BARTAGUIZ
After immersing yourself in the blue book and its red counterpart, attending DDD-focused conferences, and applying tactical patterns, you're left with a crucial question: How do I ensure my design is effective? Tactical patterns within Domain-Driven Design (DDD) serve as guiding principles for creating clear and manageable domain models. However, achieving success with these patterns requires additional guidance. Interestingly, we've observed that a set of constraints initially designed for training purposes remarkably aligns with effective pattern implementation, offering a more ‘mechanical’ approach. Let's explore together how Object Calisthenics can elevate the design of your tactical DDD patterns, offering concrete help for those venturing into DDD for the first time!
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...UiPathCommunity
💥 Speed, accuracy, and scaling – discover the superpowers of GenAI in action with UiPath Document Understanding and Communications Mining™:
See how to accelerate model training and optimize model performance with active learning
Learn about the latest enhancements to out-of-the-box document processing – with little to no training required
Get an exclusive demo of the new family of UiPath LLMs – GenAI models specialized for processing different types of documents and messages
This is a hands-on session specifically designed for automation developers and AI enthusiasts seeking to enhance their knowledge in leveraging the latest intelligent document processing capabilities offered by UiPath.
Speakers:
👨🏫 Andras Palfi, Senior Product Manager, UiPath
👩🏫 Lenka Dulovicova, Product Program Manager, UiPath
GraphRAG is All You need? LLM & Knowledge GraphGuy Korland
Guy Korland, CEO and Co-founder of FalkorDB, will review two articles on the integration of language models with knowledge graphs.
1. Unifying Large Language Models and Knowledge Graphs: A Roadmap.
https://arxiv.org/abs/2306.08302
2. Microsoft Research's GraphRAG paper and a review paper on various uses of knowledge graphs:
https://www.microsoft.com/en-us/research/blog/graphrag-unlocking-llm-discovery-on-narrative-private-data/
Neuro-symbolic is not enough, we need neuro-*semantic*Frank van Harmelen
Neuro-symbolic (NeSy) AI is on the rise. However, simply machine learning on just any symbolic structure is not sufficient to really harvest the gains of NeSy. These will only be gained when the symbolic structures have an actual semantics. I give an operational definition of semantics as “predictable inference”.
All of this illustrated with link prediction over knowledge graphs, but the argument is general.
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf91mobiles
91mobiles recently conducted a Smart TV Buyer Insights Survey in which we asked over 3,000 respondents about the TV they own, aspects they look at on a new TV, and their TV buying preferences.
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered QualityInflectra
In this insightful webinar, Inflectra explores how artificial intelligence (AI) is transforming software development and testing. Discover how AI-powered tools are revolutionizing every stage of the software development lifecycle (SDLC), from design and prototyping to testing, deployment, and monitoring.
Learn about:
• The Future of Testing: How AI is shifting testing towards verification, analysis, and higher-level skills, while reducing repetitive tasks.
• Test Automation: How AI-powered test case generation, optimization, and self-healing tests are making testing more efficient and effective.
• Visual Testing: Explore the emerging capabilities of AI in visual testing and how it's set to revolutionize UI verification.
• Inflectra's AI Solutions: See demonstrations of Inflectra's cutting-edge AI tools like the ChatGPT plugin and Azure Open AI platform, designed to streamline your testing process.
Whether you're a developer, tester, or QA professional, this webinar will give you valuable insights into how AI is shaping the future of software delivery.
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...Ramesh Iyer
In today's fast-changing business world, Companies that adapt and embrace new ideas often need help to keep up with the competition. However, fostering a culture of innovation takes much work. It takes vision, leadership and willingness to take risks in the right proportion. Sachin Dev Duggal, co-founder of Builder.ai, has perfected the art of this balance, creating a company culture where creativity and growth are nurtured at each stage.
State of ICS and IoT Cyber Threat Landscape Report 2024 previewPrayukth K V
The IoT and OT threat landscape report has been prepared by the Threat Research Team at Sectrio using data from Sectrio, cyber threat intelligence farming facilities spread across over 85 cities around the world. In addition, Sectrio also runs AI-based advanced threat and payload engagement facilities that serve as sinks to attract and engage sophisticated threat actors, and newer malware including new variants and latent threats that are at an earlier stage of development.
The latest edition of the OT/ICS and IoT security Threat Landscape Report 2024 also covers:
State of global ICS asset and network exposure
Sectoral targets and attacks as well as the cost of ransom
Global APT activity, AI usage, actor and tactic profiles, and implications
Rise in volumes of AI-powered cyberattacks
Major cyber events in 2024
Malware and malicious payload trends
Cyberattack types and targets
Vulnerability exploit attempts on CVEs
Attacks on counties – USA
Expansion of bot farms – how, where, and why
In-depth analysis of the cyber threat landscape across North America, South America, Europe, APAC, and the Middle East
Why are attacks on smart factories rising?
Cyber risk predictions
Axis of attacks – Europe
Systemic attacks in the Middle East
Download the full report from here:
https://sectrio.com/resources/ot-threat-landscape-reports/sectrio-releases-ot-ics-and-iot-security-threat-landscape-report-2024/
From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...
MITRE ATT&CKcon 2018: From Automation to Analytics: Simulating the Adversary to Create Better Detections, David Herrald and Ryan Kovar, Splunk
1. From Automation to Analytics
Simulating the Adversary to Create Better Detections
MITRE ATT&CKcon
23-24OCT18
Dave Herrald and Ryan
Kovar @Splunk
Dave
Ryan
2. Disclaimer
During the course of this presentation, we may make forward looking statements
regarding future events or the expected performance of the company. I often lie.
Maybe this is a lie. Wik Alsø wik Alsø alsø wik Wi nøt trei a høliday in Sweden this
yër? See the løveli lakes The wøndërful telephøne system And mäni interesting furry
animals The characters and incidents portrayed and the names used in this
Presentation are fictitious and any similarity to the names, characters, or history of
any person is entirely accidental and unintentional. Signed RICHARD M. NIXON
Including the majestik møøse A Møøse once bit my Marcus... No realli! He was
Karving his initials on the møøse with the sharpened end of an interspace
tøøthbrush given him by Svenge – his brother-in-law – a Canadian dentist and star
of many Norwegian møvies: "The Høt Hands of an Canadian Dentist", "Fillings of
Passion", "The Huge Mølars of Horst Nordfink"... In addition, any information about
our roadmap outlines our general product direction and is subject to change at
any time without notice. Splunk undertakës no øbligation either to develøp the
features or functionality described or to include any such feature or functionality in
a future release.
3. - 25+ years IT and security
- Information security
officer, security architect,
pen tester, consultant, SE,
system/network engineer
- Former SANS Mentor
- Co-creator of Splunk Boss
of the SOC
Staff Security Strategist
@daveherrald
# whoami > Dave Herrald
CISSP, GIAC G*, GSE #79
4. • 19 years of cyber security experience
• Worked in US/UK Public Sector and DOD most recently
in nation state hunting roles
• Enjoys clicking too fast, long walks in the woods, and
data visualization
• Current role on Security Practice team focuses on
incident/breach response, threat intelligence, and
research
• Currently interested in automating methods to triage
data collection for IR analyst review.
• Also investigating why printers are so insubordinate
ಠ_ಠ
• Co-creator of Splunk Boss of the SOC
4
Principal Security Strategist
Minster of the OODAloopers
@meansec
# whoami > Ryan Kovar
CISSP, MSc(Dist)
6. Agenda
•Faking it till you make it (APT Style)
•A brief review of some new simulation tooling
•Simulating a realistic adversary with automation
•Developing New Detection Analytics
•Free stuff
17. 17
Not just a ”Flag” but personas and
infrastructure
18.
19. • Nation state sponsored adversary
• Located (+8.0 time zone)
• Uses Korean encoded language
• Uses Hancom Thinkfree Office
• European VPS servers
• Western innovative Brewers and
Home Brewing companies
• PowerShell Empire
• Spear phishing
• Seeking to obtain high end
Western Beers for production in
their breweries
• Documents with .hwp
suffix
• PS exec lateral movement
• YMLP
• Self signed
SSL/TLS certificates
• +8.0 hour time zone
• Korean fonts for English
• Korean text google
translated to English
• Naenara user agent string
A special thanks to
TAEDONGGANG STOUT
28. TL;DR
Splunk
Simulation Runner
Phantom
Adversary Simulation Playbook
Executes Atomic Red Team detection tests
Windows OSX Linux
Splunk UF Splunk UF Splunk UF
ATT&CK
Navigator
Splunk Security Analytics
Atomic Red Team App
Implements ATR in Phantom
ES CONTENT
UPDATE
29. TL;DR
Splunk
Simulation Runner
Phantom
Adversary Simulation Playbook
Executes Atomic Red Team detection tests
Windows OSX Linux
Splunk UF Splunk UF Splunk UF
ATT&CK
Navigator
Splunk Security Analytics
Atomic Red Team App
Implements ATR in Phantom
ES CONTENT
UPDATE
30. Use this Tooling to Develop New Detections
Splunk
Simulation Runner
Phantom
Adversary Simulation Playbook
Executes Atomic Red Team detection tests
Windows OSX Linux
Splunk UF Splunk UF Splunk UF
ATT&CK
Navigator
Atomic Red Team App
Implements ATR in Phantom
Analytic
Development
31. Thank You to Atomic Red Team
https://www.redcanary.com/atomic-red-team
Casey Smith
@subTee
45. • Nation-state sponsored adversary
• Located (+8.0 timezone)
• Compromised AWS EC2 instances
• Compromised Chinese hosts
• Western innovative Brewers
and Home Brewing companies
• Vulnerability scanning
• Amplification DoS attacks
• Crypto-coin mining
• Fondness for causing chaos
and disruption.
• Generates revenue via coin
mining on compromised hosts
• Aliases:
• 6HOUL@G3R
• CRYP70KOL5CH
• Known public Coinhive site key:
• swUaVm1xhugv49RmyEMucajPO8VPAUlS
A special thanks to
TAEDONGGANG LAGER
46.
47. Takeaways •Adversary simulation is
helpful for security analytic
development
•Tooling is increasingly
available
•Purple Team can be
realized
•We still haven’t solved cyber
•Cloud :’(
48. Free Tools
Splunk
Simulation Runner
Phantom
Adversary Simulation Playbook
Executes Atomic Red Team detection tests
Windows OSX Linux
Splunk UF Splunk UF Splunk UF
ATT&CK
Navigator
Splunk Security Analytics
Atomic Red Team App
Implements ATR in Phantom
ES CONTENT
UPDATE
▶ MITRE ATT&CK Navigator in a Splunk Dashboard
https://github.com/daveherrald/SA-attck_nav
▶ Simulation Runner App for Splunk
https://github.com/daveherrald/SA-advsim
▶ Adversary Simulation Playbook for Phantom
https://github.com/daveherrald/AdvSim
▶ Atomic Red Team App for Phantom
https://github.com/daveherrald/ART_Phantom
https://conf.splunk.com/conf-online.html?search=1244#/