MITRE ATT&CKcon 2018: Summiting the Pyramid of Pain: Operationalizing ATT&CK, Emma MacMullan and Justin Sherenco, General Electric
This talk covers operationalizing the ATT&CK framework to improve detection and response through closer collaboration between the threat intelligence (Intel) and incident response (CIRT) teams and through automation. Key points: breaking down the silos between Intel and CIRT, moving from indicator-based to behavior-based detection, and using alert metadata (tactic, technique, campaign, fidelity) to drive better analytics. The reported outcome is a substantial increase in alert accuracy: ATT&CK-based alerts had a 124% higher true positive rate.
1. Summiting the Pyramid of Pain: Operationalizing ATT&CK
Confidential. Not to be copied, distributed, or reproduced without prior approval.
2. Bios

Justin Sherenco, Senior Staff Incident Responder, General Electric
About me:
• 8 years at GE. Working in IT for 18 years, 13 years in direct security and DFIR responsibilities
• In the summer you'll find me and the family at state parks

Emma MacMullan, Staff Cyber Intelligence Analyst, General Electric
About me:
• 2 years at GE. Specializing in Chinese actor intellectual property theft; PO for TIAMAT
• Training to run my 3rd half marathon, lover of kayaking and international travel
4. The Pyramid of Pain
(levels from top to bottom)
TTP: Behavioral based detection
Tools
Network/Host Artifacts
Domain Names
IP Addresses
Hash Values: Automation of traditional indicators
Source: http://detect-respond.blogspot.com/2013/03/the-pyramid-of-pain.html
5. Intelligence Driven Defense (IDD) and ATT&CK

Key Takeaways
1. Intel and CIRT need to break out of siloed operations
   → An automated platform can ensure continuity among teams throughout the wing-to-wing process
2. ATT&CK
   → An ATT&CK operational workflow serves as a common language between CIRT and Intel and drives better detection

Intel: OSINT collection; actor tracking and malware analysis; IOC processing
CIRT: detection creation; incident/alert response
Hand-off between Intel and CIRT today: ad hoc
16. The Pyramid of Pain: Content development
(levels from top to bottom)
TTP: Behavioral based detection
Tools
Network/Host Artifacts
Domain Names
IP Addresses
Hash Values: Automation of traditional indicators
Source: http://detect-respond.blogspot.com/2013/03/the-pyramid-of-pain.html
17. Signature vs. Behaviors

Signature-based
• Alert: Critical / High / Medium / Low

Behavior-based
• Meta: Tactic, Technique, Campaign, Fidelity
• Analytics: Temporal, Cluster, Other
• Alert: Critical / High / Medium / Low
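The slide contrasts a signature alert, which carries only a severity, with a behavioral alert that also carries ATT&CK metadata and an analytic type. The following is an added example, not code from the talk or from GE's platform, showing one way those fields can be used: a temporal analytic groups a host's behavioral alerts into time windows, combines their fidelity scores, and escalates the severity when several tactics appear together. It also computes the relative true-positive-rate uplift reported at the end of the deck. All class names, thresholds, the 30-minute window, the escalation rule and the sample alerts are constructed assumptions.

```python
"""Added example: behavioral alerts with ATT&CK metadata and a temporal analytic.

Everything here (field names, window size, escalation rule, sample data) is a
constructed assumption for illustration, not the talk's own implementation.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class SignatureAlert:
    """A traditional indicator match: a severity and nothing else to reason with."""
    host: str
    time: datetime
    severity: str  # Low / Medium / High / Critical


@dataclass(frozen=True)
class BehaviorAlert:
    """A behavior-based alert carrying the metadata shown on the slide."""
    host: str
    time: datetime
    severity: str
    tactic: str            # ATT&CK tactic
    technique: str         # ATT&CK technique id
    campaign: Optional[str]
    fidelity: float        # analyst-assigned confidence in (0, 1] that the behavior is malicious
    analytic: str          # temporal / cluster / other


SEVERITY = ["Low", "Medium", "High", "Critical"]


def temporal_clusters(alerts: List[BehaviorAlert], window=timedelta(minutes=30)):
    """Group each host's alerts into clusters whose members all fall within
    `window` of the cluster's earliest alert (alerts sorted by time)."""
    by_host = defaultdict(list)
    for a in alerts:
        by_host[a.host].append(a)
    clusters = []
    for items in by_host.values():
        items.sort(key=lambda a: a.time)
        current = [items[0]]
        for a in items[1:]:
            if a.time - current[0].time <= window:
                current.append(a)
            else:
                clusters.append(current)
                current = [a]
        clusters.append(current)
    return clusters


def combined_fidelity(cluster: List[BehaviorAlert]) -> float:
    """Treat each alert's fidelity as an independent estimate: the cluster is
    benign only if every member is benign, so confidence = 1 - prod(1 - f_i)."""
    p_all_benign = 1.0
    for a in cluster:
        p_all_benign *= 1.0 - a.fidelity
    return 1.0 - p_all_benign


def escalate(cluster: List[BehaviorAlert], min_tactics=2, threshold=0.9) -> Tuple[str, List[str]]:
    """Return (severity, tactics). A cluster spanning >= min_tactics distinct
    tactics with combined fidelity >= threshold is raised one severity step
    above its highest member (capped at Critical)."""
    tactics = sorted({a.tactic for a in cluster})
    top = max(SEVERITY.index(a.severity) for a in cluster)
    if len(tactics) >= min_tactics and combined_fidelity(cluster) >= threshold:
        top = min(top + 1, len(SEVERITY) - 1)
    return SEVERITY[top], tactics


def summarize(alerts: List[BehaviorAlert], window=timedelta(minutes=30)):
    """One (host, severity, tactics) row per temporal cluster."""
    return [(c[0].host, *escalate(c)) for c in temporal_clusters(alerts, window)]


def tp_rate_uplift(outcomes: List[Tuple[str, bool]]) -> float:
    """outcomes: (kind, was_true_positive) per closed alert, kind in
    {'signature', 'behavior'}. Returns the relative uplift of the behavior TP
    rate over the signature TP rate as a fraction (1.24 means 124% higher)."""
    totals = {"signature": [0, 0], "behavior": [0, 0]}
    for kind, tp in outcomes:
        totals[kind][0] += 1
        totals[kind][1] += int(tp)
    sig_rate = totals["signature"][1] / totals["signature"][0]
    beh_rate = totals["behavior"][1] / totals["behavior"][0]
    return beh_rate / sig_rate - 1.0


# Constructed sample: three behaviors on host-a within 12 minutes, two isolated
# low-fidelity behaviors on host-b three hours apart.
T0 = datetime(2018, 10, 23, 9, 0)
SAMPLE_BEHAVIORS = [
    BehaviorAlert("host-a", T0, "Low", "Execution", "T1059", None, 0.4, "other"),
    BehaviorAlert("host-a", T0 + timedelta(minutes=5), "Medium", "Discovery", "T1087", None, 0.5, "other"),
    BehaviorAlert("host-a", T0 + timedelta(minutes=12), "Medium", "Credential Access", "T1003", "CAMPAIGN-EXAMPLE", 0.7, "other"),
    BehaviorAlert("host-b", T0 + timedelta(minutes=2), "Low", "Execution", "T1059", None, 0.4, "other"),
    BehaviorAlert("host-b", T0 + timedelta(hours=3), "Low", "Execution", "T1059", None, 0.4, "other"),
]
# Constructed closed-alert outcomes: 2/10 signature alerts and 5/10 behavior alerts were true positives.
SAMPLE_OUTCOMES = [("signature", True)] * 2 + [("signature", False)] * 8 \
    + [("behavior", True)] * 5 + [("behavior", False)] * 5

if __name__ == "__main__":
    for row in summarize(SAMPLE_BEHAVIORS):
        print(row)
    print(f"behavior TP-rate uplift: {tp_rate_uplift(SAMPLE_OUTCOMES):.0%}")
```

The escalation rule is the point: a signature alert can only ever be the severity its indicator was given, whereas a behavioral alert's tactic and fidelity fields let an analytic reason across alerts, so three individually unremarkable events on one host become a High.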
26. What can the metadata tell us about our tools?
Confidence profiles: determine tools' abilities to detect on MITRE data sources (e.g. Vendor X)
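A confidence profile of the kind this slide describes can be derived from the data-source metadata alone: each ATT&CK technique lists the data sources it can be detected from, and each tool collects some subset of those sources. The following added example (not the talk's or GE's tooling) scores each tool per technique by the share of that technique's data sources it collects, summarizes that into a coverage figure, and lists techniques no tool reaches. The technique-to-data-source catalog, the tool names and their data sources are constructed sample values, not a faithful copy of the ATT&CK knowledge base.

```python
"""Added example: per-tool confidence profiles from ATT&CK data-source metadata.

The catalog and tool mappings below are constructed for illustration; a real
profile would be generated from the ATT&CK knowledge base and the organisation's
own sensor inventory.
"""
from typing import Dict, Optional, Set

# Constructed sample: which data sources each technique can be observed through.
TECHNIQUE_DATA_SOURCES: Dict[str, Set[str]] = {
    "T1059": {"Process monitoring", "Process command-line parameters"},
    "T1003": {"API monitoring", "Process monitoring"},
    "T1071": {"Network traffic", "Packet capture"},
    "T1053": {"Process monitoring", "Process command-line parameters", "Windows event logs"},
    "T1078": {"Authentication logs"},
}

# Constructed sample: which data sources each deployed tool actually collects.
TOOL_DATA_SOURCES: Dict[str, Set[str]] = {
    "Vendor X EDR": {"Process monitoring", "Process command-line parameters", "File monitoring"},
    "Vendor Y NetFlow": {"Network traffic"},
}


def technique_confidence(tool_sources: Set[str], required: Set[str]) -> float:
    """Fraction of a technique's data sources that the tool collects (0..1)."""
    return len(tool_sources & required) / len(required)


def confidence_profile(tool_sources: Set[str], catalog=TECHNIQUE_DATA_SOURCES, min_conf=0.5):
    """Per-technique confidence plus the share of techniques at or above min_conf."""
    per_technique = {tech: technique_confidence(tool_sources, srcs) for tech, srcs in catalog.items()}
    covered = sum(1 for c in per_technique.values() if c >= min_conf)
    return {"techniques": per_technique, "coverage": covered / len(catalog)}


def best_tool(technique: str, tools=TOOL_DATA_SOURCES, catalog=TECHNIQUE_DATA_SOURCES) -> Optional[str]:
    """Tool with the highest confidence for a technique, or None if no tool sees it."""
    scores = {name: technique_confidence(srcs, catalog[technique]) for name, srcs in tools.items()}
    name, score = max(scores.items(), key=lambda kv: kv[1])
    return name if score > 0 else None


def fleet_coverage(tools=TOOL_DATA_SOURCES, catalog=TECHNIQUE_DATA_SOURCES, min_conf=0.5) -> float:
    """Share of techniques for which at least one tool reaches min_conf."""
    covered = 0
    for tech, required in catalog.items():
        if max(technique_confidence(srcs, required) for srcs in tools.values()) >= min_conf:
            covered += 1
    return covered / len(catalog)


def coverage_gaps(tools=TOOL_DATA_SOURCES, catalog=TECHNIQUE_DATA_SOURCES):
    """Techniques that no deployed tool can observe at all."""
    return sorted(t for t in catalog if best_tool(t, tools, catalog) is None)


if __name__ == "__main__":
    for name, srcs in TOOL_DATA_SOURCES.items():
        prof = confidence_profile(srcs)
        print(name, f"coverage={prof['coverage']:.0%}", prof["techniques"])
    print("fleet coverage:", f"{fleet_coverage():.0%}")
    print("gaps:", coverage_gaps())
```

The profile makes the slide's question answerable per vendor: a tool that collects process telemetry scores well on execution and persistence techniques and zero on network ones, and the gap list is the input to the next purchase or sensor-deployment conversation rather than a guess.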
27. There's always value in the metadata…

Key Takeaways
1. Operationalization
   → Integrated cross-team operations break down silos and enable better communication, leading to higher-fidelity alerts and better detection
2. Intelligence driven defense
   → Intelligence can drive and support the creation of detection tailored to behavioral trends observed in the wild
3. Value in the metadata
   → Hosting cross-team operations in a single tool allows for more complex analysis and a better understanding of behavioral coverage and threat trends
What can the operationalization of ATT&CK enable?
• Behavioral coverage and capabilities analytics
• ATT&CK alerts have a 124% higher true positive rate
• In progress: actor tracking and prioritization