MITRE - ATT&CKcon, profile picture
Uploaded byMITRE - ATT&CKcon
PDF, PPTX961 views

MITRE ATT&CKcon Power Hour - November

1. MITRE ATT&CK provides a taxonomy of techniques used by cyber adversaries to help organizations understand the threats they face, improve detection, and increase response capabilities. 2. The presenters demonstrated how ATT&CK can be used to focus logging efforts, build a balanced security monitoring program, and evaluate new security tools based on their coverage of real-world attack techniques. 3. Tracking security program maturity against the ATT&CK framework over time can help reduce gaps, ensure priorities remain risk-based, and demonstrate progress to stakeholders.

Embed presentation

Download as PDF, PPTX
Welcome Follow the conversation on Slack @MITREattack attack.mitre.org
Allie Mellen Security Strategist, Office of the CSO Cybereason
Confidential Mapping the EventBot Mobile Banking Trojan with MITRE ATT&CK for Mobile Allie Mellen, Security Strategist, Office of the CSO
WHO AM I? ALLIE MELLEN Security Strategist Office of the CSO, Cybereason
● Why MITRE ATT&CK? ● Cybereason Nocturnus Mobile Malware Research ● Aligning to MITRE ATT&CK For Mobile ● How This Drives Future Alignment AGENDA
● Classification ● Purple Teaming ● Knowledge Sharing ○ Community ○ Internally ○ Partners ○ Customers ○ Business WHY MAP TO MITRE ATT&CK?
● Innovative Approach ● Important Target ● Clarity ● Communicate Value WHY MAP TO MITRE ATT&CK FOR MOBILE?
THREAT TYPE Banking Trojan NOCTURNUS RESEARCH: EVENTBOT TARGET INDUSTRY Financial ATTACK GOAL User Data IMPACTED GEO USA & Europe
EVENTBOT TARGETS: RECOGNIZE ANY OF THESE?
INITIAL ACCESS PERSISTENCE DEFENSE EVASION CREDENTIAL ACCESS DISCOVERY COLLECTION EXFILTRATION C2 T1476: Deliver Malicious App via Other Means T1402: App Auto- Start at Device Boot T1444: Masquerade as Legitimate Application T1412: Capture SMS Messages T1418: Application Discovery T1056: Input Capture T1532: Data Encrypted T1521: Standard Cryptographic Protocol T1461: Lockscreen Bypass T1508: Suppress Application Icon T1417: Input Capture T1426: System Information Discovery T1413: Access Sensitive Data in Device Logs T1437: Standard Application Layer Protocol T1407: Download New Code at Runtime T1409: Access Stored Application Data T1516: Input Injection MITRE ATT&CK FOR MOBILE TECHNIQUES
NOCTURNUS RESEARCH: EVENTBOT Unsuspecting User Downloads Application Masquerading as Legitimate INITIAL ACCESS CONTROL Gets Control of Accessibility Features, Begins to Run in the Background Collects Reconnaissance Information Like Device Info and the Names of Android Packages DISCOVERY COLLECTION Tracks the Device PIN and Collects Financial Information, Personal Data, Keystrokes, and Passwords Exfiltrates Collected Data to its C2 Server EXFILTRATION BYPASS Steals SMS Messages to Bypass 2FA
WHAT DOES THE FUTURE LOOK LIKE?
THANK YOU. QUESTIONS? allie@cybereason.com @hackerxbella
Q&A Jamie Williams Lead Cyber Adversarial Engineer MITRE
Anthony Randazzo Global Response Lead Expel
© 2020 Expel, Inc.© 2020 Expel, Inc. ATT&CKing the Cloud: Hopping Between the Matrices November 12, 2020 | Anthony Randazzo
© 2020 Expel, Inc. GetCallerIdentity ~ 1.5 years leading response @ Expel ▪ 12+ years of SecOps ▫ iSIGHT/FireEye ▫ Fortune 25 Detection & Response ▪ Disclaimer: not a cloud expert but frequent AWS D&R blog contributor ▪ Kids, LEGO, whiskey expel.io/blog
© 2020 Expel, Inc. Agenda ▪ ATT&CK for Cloud as we see it ▪ Defending the control plane ▪ Real world incident ▪ Other applications of ATT&CK for Cloud ▪ Takeaways
© 2020 Expel, Inc. So what exactly is ATT&CK for Cloud? Infra-as-a-Service Software-as-a-Service It’s a way to communicate how attackers are misusing or abusing cloud services!
© 2020 Expel, Inc. How is this different from Enterprise ATT&CK? Enterprise Matrices Cloud Matrices Very different attack surfaces!
© 2020 Expel, Inc. Control plane is primary attack surface...but wait there’s more! Control/Management Plane And many more...
© 2020 Expel, Inc. A shared responsibility... Source: AWS
© 2020 Expel, Inc. We have to protect this control plane, right? ▪ Informs our detection strategy for this cloud attack surface ▪ What do we detect? Where do we even start? ▪ How many AWS APIs are available in this control plane? Almost 10,000, you say?
© 2020 Expel, Inc. How'd we build detections? Using OSTs, of course! Source: Rhino Security Labs
© 2020 Expel, Inc. What did an attack look like? An unconventional coin miner...
© 2020 Expel, Inc. What did the ATT&CK look like? AWS [IaaS] Cloud
© 2020 Expel, Inc. What did the ATT&CK look like? Enterprise Linux
© 2020 Expel, Inc. More examples of hopping between matrices! ▪ AWS CLI access from multiple compromised keys > SSH access into EC2 ▪ boto3 SDK access of AWS SSM > sudo linux access (red team) ▪ SSRF exploitation > EC2 instance credential access to control plane ▪ RDS database ransom > used CloudTrail to identify when weak password change occured
© 2020 Expel, Inc. AWS mind map for investigations and incidents MITRE ATT&CK Tactics Sign up for an advanced copy of our cheat sheet and AWS mind map: http://expel.io/mindmap
© 2020 Expel, Inc. Takeaways ▪ With lots of attack surface in the cloud, understanding both cloud and enterprise ATT&CK will help. ▪ We need more information sharing! We don’t know nearly as much about attacks in the cloud than in an enterprise [Windows] environment. ▪ Cloud control planes are a target for automated attacks. This is the trend we’re observing today.
Q&A Jamie Williams Lead Cyber Adversarial Engineer MITRE
Matt Snyder Senior Threat Analytics Engineer VMWare
What’s a MITRE With Your Security? VMware’s Use of MITRE ATT&CK Matt Snyder November 2020
Sr. Threat Analytics Engineer • 15+ Years in IT/Security. • In 2013, I was on the Incident Response team during one the 1st major Credit Card breaches. • I’ve built many SecOps programs over the last 10 years. • I’ve been at VMware for 3+ years, and it’s a great place to work! Matt Snyder Speaker Introduction
Agenda Leveraging MITRE ATT&CK •What logs do you need for security monitoring? •How do you build balanced alerting? •Evaluating New Security Tools
Fundamental Flaw in Operationalizing Security Stuck in Survivor Bias mode… o Most companies’ security planning is done around breaches/incidents they or their peers in the industry have had. o This leads to target fixation and wasting resources. o Prevents proactive detection of new threats.
What logs do you need for Security Monitoring?
Log All The Things!!
Log All The Things!!
Now You Are Logging with Focus… By mapping our logging requirements with MITRE and CIS, we can articulate what we need, why we need it, and how to enable the proper level of logging. - Reduce the guess work - Minimize the impact on the service owners, no more back and forth or asking for more logs - Reduce gaps in logs that would allow and incident to go undetected - Help educate service owners to the threats out there
Typical Security Monitoring…
Building a Balanced Portfolio
Alerts with Meaning Allows you to see a clearer picture of what’s happening in your environment. - What tactics and techniques are being discovered - Able to better understand your risk profile and where compensating controls are needed - Test areas that no detections are being found - Gives you the freedom to do things like risk- based alerting, where you can take lower fidelity events and chain them together to see a much clearer picture of an attack.
Tracking Maturity and Growth Starting Out - Aligning with ATT&CK gives us targets to track against - Helps us set what is a priority and ensure that those priorities make sense - Allows you to see in one place where gaps exist.
Tracking Maturity and Growth Future Check-In - Over time, you can see your growth and evaluate how that matches your needs. - Help reduce scope creep in your alerting (ATT&CK are things that exist in the wild and not hypothetical) - Help track the work being done and ensure you aren’t stacking alerts in certain areas
Evaluating New SecurityTools As seen on tv…. - With ATT&CK, we can focus on specific deliverables that are measurable and based on real world attacks - Helps to identify those 1 hit wonder vendors that don’t offer a well-rounded portfolio
Questions? Thank you!
Q&A Jamie Williams Lead Cyber Adversarial Engineer MITRE
Jamie Williams Mike Hartley MITRE
©2020 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for public release. Distribution unlimited 20-02605-2. Mike Hartley @thecookiewanter PUTTING THE INTO ATT&CK Jamie Williams @jamieantisocial @MITREattack
©2020 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for public release. Distribution unlimited 20-02605-2. Reconnaissance Resource Development Initial Access Execution Persistence Privilege Escalation Defense Evasion Credential Access Discovery Lateral Movement Collection Command and Control Exfiltration Impact Active Scanning Acquire Infrastructure Valid Accounts Scheduled Task/Job Modify Authentication Process System Service Discovery Remote Services Data from Local System Data Obfuscation Exfiltration Over Other Network Medium Data Destruction Gather Victim Host Information Compromise Accounts Replication Through Removable Media Windows Management Instrumentation Valid Accounts Network Sniffing Software Deployment Tools Data from Removable Media Fallback Channels Data Encrypted for Impact Gather Victim Identity Information Compromise Infrastructure Hijack Execution Flow OS Credential Dumping Application Window Discovery Application Layer Protocol Scheduled Transfer Service Stop Gather Victim Network Information Develop Capabilities Trusted Relationship Software Deployment Tools Boot or Logon Initialization Scripts Direct Volume Access Input Capture Replication Through Removable Media Input Capture Proxy Data Transfer Size Limits Inhibit System Recovery Gather Victim Org Information Establish Accounts Supply Chain Compromise Create or Modify System Process Rootkit Brute Force System Network Configuration Discovery Data Staged Communication Through Removable Media Exfiltration Over C2 Channel Defacement Phishing for Information Obtain Capabilities Hardware Additions Shared Modules Event Triggered Execution Obfuscated Files or Information Two-Factor Authentication Interception Internal Spearphishing Screen Capture Firmware Corruption Search Closed Sources Exploit Public-Facing Application User Execution Boot or Logon Autostart Execution System Owner/User Discovery Use Alternate Authentication Material Email Collection Web Service Exfiltration Over Physical Medium Resource Hijacking Search Open Technical Databases Exploitation for Client Execution Account Manipulation Process Injection Exploitation for Credential Access Clipboard Data Multi-Stage Channels Network Denial of Service Search Open Websites/Domains Phishing External Remote Services Access Token Manipulation System Network Connections Discovery Lateral Tool Transfer Automated Collection Ingress Tool Transfer Exfiltration Over Web Service Endpoint Denial of Service Search Victim-Owned Websites External Remote Services System Services Office Application Startup Group Policy Modification Steal Web Session Cookie Taint Shared Content Audio Capture Data Encoding System Shutdown/Reboot Drive-by Compromise Command and Scripting Interpreter Create Account Abuse Elevation Control Mechanism Unsecured Credentials Permission Groups Discovery Exploitation of Remote Services Video Capture Traffic Signaling Automated Exfiltration Account Access Removal Browser Extensions Exploitation for Privilege Escalation Indicator Removal on Host Credentials from Password Stores Man in the Browser Remote Access Software Exfiltration Over Alternative Protocol Disk Wipe Native API Traffic Signaling Modify Registry File and Directory Discovery Remote Service Session Hijacking Data from Information Repositories Dynamic Resolution Data Manipulation Inter-Process Communication BITS Jobs Trusted Developer Utilities Proxy Execution Steal or Forge Kerberos Tickets Non-Standard Port Transfer Data to Cloud AccountServer Software Component Peripheral Device Discovery Man-in-the-Middle Protocol Tunneling Traffic Signaling Forced Authentication Archive Collected Data Encrypted Channel Pre-OS Boot Signed Script Proxy Execution Steal Application Access Token Network Share Discovery Data from Network Shared Drive Non-Application Layer ProtocolCompromise Client Software Binary Password Policy Discovery Rogue Domain Controller Man-in-the-Middle Browser Bookmark Discovery Data from Cloud Storage ObjectImplant Container Image Indirect Command Execution Virtualization/Sandbox EvasionBITS Jobs XSL Script Processing Cloud Service Dashboard Template Injection Software Discovery File and Directory Permissions Modification Query Registry Remote System Discovery Virtualization/Sandbox Evasion Network Service Scanning Process Discovery Unused/Unsupported Cloud Regions System Information Discovery Use Alternate Authentication Material Account Discovery System Time Discovery Impair Defenses Domain Trust Discovery Hide Artifacts Cloud Service Discovery Masquerading Cloud Infrastructure Discovery Deobfuscate/Decode Files or Information Signed Binary Proxy Execution Exploitation for Defense Evasion Execution Guardrails Modify Cloud Compute Infrastructure Pre-OS Boot Subvert Trust Controls Source: http://gph.is/1cEuQWX
©2020 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for public release. Distribution unlimited 20-02605-2.
©2020 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for public release. Distribution unlimited 20-02605-2. History of PRE-ATT&CK • Initially released in 2017 • Separate matrix w/ 17 Tactics • Adversary behaviors leading to compromise • Example use cases: • Are there signs that an adversary might be targeting you? • Prioritize open-source intelligence gathering / sharing
©2020 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for public release. Distribution unlimited 20-02605-2. The Long Con • In 2018 (v2) the Launch and Compromise Tactics were refactored into Initial Access
©2020 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for public release. Distribution unlimited 20-02605-2. Final Merge • Deprecated PRE-ATT&CK matrix for PRE Enterprise platform • 2 new Tactics • Criteria for inclusion: 1. Technical 2. Visible to some defenders 3. Evidence of adversary use
©2020 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for public release. Distribution unlimited 20-02605-2. Reconnaissance • Actively or passively gathering information that can be used to support targeting. • 10 Techniques & 31 Sub-techniques • Split into what & how
©2020 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for public release. Distribution unlimited 20-02605-2. Resource Development • Building, buying, or compromising resources that can be used during targeting • Infrastructure • Accounts • Capabilities • 6 Techniques & 26 Sub-techniques
©2020 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for public release. Distribution unlimited 20-02605-2. Technique Metadata • New PRE platform • New Pre-compromise Mitigation • ex: This technique cannot be easily mitigated with preventive controls since it is based on behaviors performed outside of the scope of enterprise defenses and controls. Efforts should focus on... • Data sources and Detections relevant to potential Enterprise artifacts Source: https://i.pinimg.com/originals/71/6a/5b/716a5b5b8847470b77dde4a4b67f2a2b.gif
©2020 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for public release. Distribution unlimited 20-02605-2. Why? • Promote more adoption and contributions • More integration across spectrum of adversary behaviors Source: https://gph.is/g/Z5K7bQE
©2020 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for public release. Distribution unlimited 20-02605-2. Gone But Not Forgotten Previous versions (< v8) will retain the full matrix as well as individual techniques
©2020 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for public release. Distribution unlimited 20-02605-2. How Can You Help? • Feedback and contributions! • New techniques + scoping of existing techniques • Documentation of potential detections and mitigations • Reported instances of adversary procedure examples Source: http://gph.is/2colVQl
©2020 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for public release. Distribution unlimited 20-02605-2. Special Thanks
Join our next session on December 11 Register now! https://na.eventscloud.com/ATTACKcon-november

More Related Content

PDF
When Insiders ATT&CK!
byMITRE ATT&CK
 
PDF
Sharpening your Threat-Hunting Program with ATTACK Framework
byMITRE - ATT&CKcon
 
PDF
MITRE ATT&CKcon 2.0: Prioritizing ATT&CK Informed Defenses the CIS Way; Phili...
byMITRE - ATT&CKcon
 
PDF
MITRE ATT&CKcon 2018: Summiting the Pyramid of Pain: Operationalizing ATT&CK,...
byMITRE - ATT&CKcon
 
PDF
Tracking Noisy Behavior and Risk-Based Alerting with ATT&CK
byMITRE ATT&CK
 
PDF
Mapping the EventBot Mobile Banking Trojan with MITRE ATTACK for Mobile
byMITRE - ATT&CKcon
 
PDF
Using MITRE PRE-ATTACK and ATTACK in Cybercrime Education and Research
byMITRE - ATT&CKcon
 
PDF
State of the ATT&CK - ATT&CKcon Power Hour
byAdam Pennington
 
When Insiders ATT&CK!
byMITRE ATT&CK
 
Sharpening your Threat-Hunting Program with ATTACK Framework
byMITRE - ATT&CKcon
 
MITRE ATT&CKcon 2.0: Prioritizing ATT&CK Informed Defenses the CIS Way; Phili...
byMITRE - ATT&CKcon
 
MITRE ATT&CKcon 2018: Summiting the Pyramid of Pain: Operationalizing ATT&CK,...
byMITRE - ATT&CKcon
 
Tracking Noisy Behavior and Risk-Based Alerting with ATT&CK
byMITRE ATT&CK
 
Mapping the EventBot Mobile Banking Trojan with MITRE ATTACK for Mobile
byMITRE - ATT&CKcon
 
Using MITRE PRE-ATTACK and ATTACK in Cybercrime Education and Research
byMITRE - ATT&CKcon
 
State of the ATT&CK - ATT&CKcon Power Hour
byAdam Pennington
 

What's hot

PDF
Anomali Detect 19 - Nickels & Pennington - Turning Intelligence into Action w...
byAdam Pennington
 
PDF
Automation: The Wonderful Wizard of CTI (or is it?)
byMITRE ATT&CK
 
PPTX
Evolution of Offensive Testing - ATT&CK-based Adversary Emulation Plans
byChristopher Korban
 
PDF
Threat-Based Adversary Emulation with MITRE ATT&CK
byKatie Nickels
 
PPTX
Putting MITRE ATT&CK into Action with What You Have, Where You Are
byKatie Nickels
 
PDF
MITRE ATT&CKcon 2.0: Using Threat Intelligence to Focus ATT&CK Activities; Da...
byMITRE - ATT&CKcon
 
PDF
MITRE ATTACKCon Power Hour - December
byMITRE - ATT&CKcon
 
PDF
How MITRE ATT&CK helps security operations
bySergey Soldatov
 
PDF
Measure What Matters: How to Use MITRE ATTACK to do the Right Things in the R...
byMITRE - ATT&CKcon
 
PDF
Mitre getting-started-with-attack-october-2019
byThang Nguyen
 
PDF
MITRE ATT&CKcon 2018: Detection Philosophy, Evolution & ATT&CK, Fred Stankows...
byMITRE - ATT&CKcon
 
PDF
MITRE ATT&CKcon 2018: Sofacy 2018 and the Adversary Playbook, Robert Falcone,...
byMITRE - ATT&CKcon
 
PPTX
Purple Teaming with ATT&CK - x33fcon 2018
byChristopher Korban
 
PDF
MITRE ATT&CKcon 2018: Hunters ATT&CKing with the Data, Roberto Rodriguez, Spe...
byMITRE - ATT&CKcon
 
PDF
MITRE ATT&CKcon 2.0: The World's Most Dangerous ATT&CKers; Robert Lipovsky, ESET
byMITRE - ATT&CKcon
 
PDF
MITRE ATT&CKcon 2.0: Flashback with ATT&CK: Exploring Malware History with AT...
byMITRE - ATT&CKcon
 
PDF
What's a MITRE with your Security?
byMITRE - ATT&CKcon
 
PDF
MITRE ATTACKcon Power Hour - October
byMITRE - ATT&CKcon
 
PDF
TA505: A Study of High End Big Game Hunting in 2020
byMITRE - ATT&CKcon
 
PDF
ATT&CKcon Power Hour - ATT&CK-onomics - gert-jan bruggink
byGert-Jan Bruggink
 
Anomali Detect 19 - Nickels & Pennington - Turning Intelligence into Action w...
byAdam Pennington
 
Automation: The Wonderful Wizard of CTI (or is it?)
byMITRE ATT&CK
 
Evolution of Offensive Testing - ATT&CK-based Adversary Emulation Plans
byChristopher Korban
 
Threat-Based Adversary Emulation with MITRE ATT&CK
byKatie Nickels
 
Putting MITRE ATT&CK into Action with What You Have, Where You Are
byKatie Nickels
 
MITRE ATT&CKcon 2.0: Using Threat Intelligence to Focus ATT&CK Activities; Da...
byMITRE - ATT&CKcon
 
MITRE ATTACKCon Power Hour - December
byMITRE - ATT&CKcon
 
How MITRE ATT&CK helps security operations
bySergey Soldatov
 
Measure What Matters: How to Use MITRE ATTACK to do the Right Things in the R...
byMITRE - ATT&CKcon
 
Mitre getting-started-with-attack-october-2019
byThang Nguyen
 
MITRE ATT&CKcon 2018: Detection Philosophy, Evolution & ATT&CK, Fred Stankows...
byMITRE - ATT&CKcon
 
MITRE ATT&CKcon 2018: Sofacy 2018 and the Adversary Playbook, Robert Falcone,...
byMITRE - ATT&CKcon
 
Purple Teaming with ATT&CK - x33fcon 2018
byChristopher Korban
 
MITRE ATT&CKcon 2018: Hunters ATT&CKing with the Data, Roberto Rodriguez, Spe...
byMITRE - ATT&CKcon
 
MITRE ATT&CKcon 2.0: The World's Most Dangerous ATT&CKers; Robert Lipovsky, ESET
byMITRE - ATT&CKcon
 
MITRE ATT&CKcon 2.0: Flashback with ATT&CK: Exploring Malware History with AT...
byMITRE - ATT&CKcon
 
What's a MITRE with your Security?
byMITRE - ATT&CKcon
 
MITRE ATTACKcon Power Hour - October
byMITRE - ATT&CKcon
 
TA505: A Study of High End Big Game Hunting in 2020
byMITRE - ATT&CKcon
 
ATT&CKcon Power Hour - ATT&CK-onomics - gert-jan bruggink
byGert-Jan Bruggink
 

Similar to MITRE ATT&CKcon Power Hour - November

PDF
Cyber Threat hunting workshop
byArpan Raval
 
PDF
Mitre ATT&CK by Mattias Almeflo Nixu
byNixu Corporation
 
PDF
MITRE-Module 1 Slides.pdf
byReZa AdineH
 
PDF
FIRST CTI Symposium: Turning intelligence into action with MITRE ATT&CK™
byKatie Nickels
 
PPTX
Virtual Splunk User Group - Phantom Workbook Automation & Threat Hunting with...
byHarry McLaren
 
PDF
State of the ATT&CK May 2023
byAdam Pennington
 
PDF
Introduction to MITRE’s ATT&CK Framework.pdf
byseyohah504
 
PPTX
Leveraging MITRE ATT&CK - Speaking the Common Language
byErik Van Buggenhout
 
PDF
CTI Workshop Full Slides Workshop Full Slides.pdf
byseyohah504
 
PDF
State of the ATT&CK
byMITRE ATT&CK
 
PDF
Best practices fore MITRE EMERSON EDUARDO RODRIGUES
byEMERSON EDUARDO RODRIGUES
 
PDF
State of ATT&CK
byAdam Pennington
 
PDF
MITRE AttACK framework it is time you took notice_v1.0
byMichael Gough
 
PPTX
ATT&CKing with Threat Intelligence
byChristopher Korban
 
PPTX
Enterprise-MITRE-ATTandCK-Threat-Hunting _ Updated.pptx
byBheemeshChowdary2
 
PDF
MITRE ATT&CK framework and Managed XDR Position Paper
byMarc St-Pierre
 
PDF
MITRE ATT&CKcon 2.0: State of the ATT&CK; Blake Strom, MITRE
byMITRE - ATT&CKcon
 
PDF
MITRE_ATTACK_Enterprise_11x17.pdf
byAisyiFree
 
PPTX
MITRE ATT&CK Triage Presentation 2024 3jlxksllslsslnxud
byjimihi8398
 
PPTX
ATT&CKing Threat Management
byAndy Piazza
 
Cyber Threat hunting workshop
byArpan Raval
 
Mitre ATT&CK by Mattias Almeflo Nixu
byNixu Corporation
 
MITRE-Module 1 Slides.pdf
byReZa AdineH
 
FIRST CTI Symposium: Turning intelligence into action with MITRE ATT&CK™
byKatie Nickels
 
Virtual Splunk User Group - Phantom Workbook Automation & Threat Hunting with...
byHarry McLaren
 
State of the ATT&CK May 2023
byAdam Pennington
 
Introduction to MITRE’s ATT&CK Framework.pdf
byseyohah504
 
Leveraging MITRE ATT&CK - Speaking the Common Language
byErik Van Buggenhout
 
CTI Workshop Full Slides Workshop Full Slides.pdf
byseyohah504
 
State of the ATT&CK
byMITRE ATT&CK
 
Best practices fore MITRE EMERSON EDUARDO RODRIGUES
byEMERSON EDUARDO RODRIGUES
 
State of ATT&CK
byAdam Pennington
 
MITRE AttACK framework it is time you took notice_v1.0
byMichael Gough
 
ATT&CKing with Threat Intelligence
byChristopher Korban
 
Enterprise-MITRE-ATTandCK-Threat-Hunting _ Updated.pptx
byBheemeshChowdary2
 
MITRE ATT&CK framework and Managed XDR Position Paper
byMarc St-Pierre
 
MITRE ATT&CKcon 2.0: State of the ATT&CK; Blake Strom, MITRE
byMITRE - ATT&CKcon
 
MITRE_ATTACK_Enterprise_11x17.pdf
byAisyiFree
 
MITRE ATT&CK Triage Presentation 2024 3jlxksllslsslnxud
byjimihi8398
 
ATT&CKing Threat Management
byAndy Piazza
 

More from MITRE - ATT&CKcon

PDF
MITRE ATTACKcon Power Hour - January
byMITRE - ATT&CKcon
 
PDF
State of the ATTACK
byMITRE - ATT&CKcon
 
PDF
ATTACK-Onomics: Attacking the Economics Behind Techniques Used by Adversaries
byMITRE - ATT&CKcon
 
PDF
ATTACKing the Cloud: Hopping Between the Matrices
byMITRE - ATT&CKcon
 
PDF
From Theory to Practice: How My ATTACK Perspectives Have Changed
byMITRE - ATT&CKcon
 
PDF
What's New with ATTACK for ICS?
byMITRE - ATT&CKcon
 
PDF
ATTACKers Think in Graphs: Building Graphs for Threat Intelligence
byMITRE - ATT&CKcon
 
PDF
MITRE ATT&CKcon 2.0: Lessons in Purple Team Testing with MITRE ATT&CK; Daniel...
byMITRE - ATT&CKcon
 
PDF
MITRE ATT&CKcon 2.0: Prioritizing Data Sources for Minimum Viable Detection; ...
byMITRE - ATT&CKcon
 
PDF
MITRE ATT&CKcon 2.0: ATT&CK Coverage Assessment from a Data Perspective; Olaf...
byMITRE - ATT&CKcon
 
PDF
Helping Small Companies Leverage CTI with an Open Source Threat Mapping
byMITRE - ATT&CKcon
 
PDF
MITRE ATT&CKcon 2.0: Alertable Techniques for Linux Using ATT&CK; Tony Lamber...
byMITRE - ATT&CKcon
 
PDF
Using ATTACK to Create Cyber DBTS for Nuclear Power Plants
byMITRE - ATT&CKcon
 
PDF
Putting the PRE into ATTACK
byMITRE - ATT&CKcon
 
PDF
What's New with ATTACK for Cloud?
byMITRE - ATT&CKcon
 
PDF
MITRE ATT&CKcon 2.0: Keynote Address - The Friends We Made Along the Way; Ton...
byMITRE - ATT&CKcon
 
PDF
Transforming Adversary Emulation Into a Data Analysis Question
byMITRE - ATT&CKcon
 
PDF
MITRE ATT&CKcon 2.0: From Susceptible to ATT&CK - A Threat Hunting Story; Chr...
byMITRE - ATT&CKcon
 
PDF
Starting Over with Sub-Techniques
byMITRE - ATT&CKcon
 
MITRE ATTACKcon Power Hour - January
byMITRE - ATT&CKcon
 
State of the ATTACK
byMITRE - ATT&CKcon
 
ATTACK-Onomics: Attacking the Economics Behind Techniques Used by Adversaries
byMITRE - ATT&CKcon
 
ATTACKing the Cloud: Hopping Between the Matrices
byMITRE - ATT&CKcon
 
From Theory to Practice: How My ATTACK Perspectives Have Changed
byMITRE - ATT&CKcon
 
What's New with ATTACK for ICS?
byMITRE - ATT&CKcon
 
ATTACKers Think in Graphs: Building Graphs for Threat Intelligence
byMITRE - ATT&CKcon
 
MITRE ATT&CKcon 2.0: Lessons in Purple Team Testing with MITRE ATT&CK; Daniel...
byMITRE - ATT&CKcon
 
MITRE ATT&CKcon 2.0: Prioritizing Data Sources for Minimum Viable Detection; ...
byMITRE - ATT&CKcon
 
MITRE ATT&CKcon 2.0: ATT&CK Coverage Assessment from a Data Perspective; Olaf...
byMITRE - ATT&CKcon
 
Helping Small Companies Leverage CTI with an Open Source Threat Mapping
byMITRE - ATT&CKcon
 
MITRE ATT&CKcon 2.0: Alertable Techniques for Linux Using ATT&CK; Tony Lamber...
byMITRE - ATT&CKcon
 
Using ATTACK to Create Cyber DBTS for Nuclear Power Plants
byMITRE - ATT&CKcon
 
Putting the PRE into ATTACK
byMITRE - ATT&CKcon
 
What's New with ATTACK for Cloud?
byMITRE - ATT&CKcon
 
MITRE ATT&CKcon 2.0: Keynote Address - The Friends We Made Along the Way; Ton...
byMITRE - ATT&CKcon
 
Transforming Adversary Emulation Into a Data Analysis Question
byMITRE - ATT&CKcon
 
MITRE ATT&CKcon 2.0: From Susceptible to ATT&CK - A Threat Hunting Story; Chr...
byMITRE - ATT&CKcon
 
Starting Over with Sub-Techniques
byMITRE - ATT&CKcon
 

Recently uploaded

PDF
Лист Енергетичного співтовариства, December 12, 2025
byНаціональна комісія, що здійснює державне регулювання у сферах енергетики та комунальних послуг
 
PDF
Digital government and citizen engagement.pdf
byzsuzieana
 
PPTX
Tracking Progress on Monitoring, Evaluation, and Learning for National Adapta...
byNAP Global Network
 
PDF
Tired of messy cables during video shoots?
byVideocast Technology
 
PPTX
RBIS-Presentation-2025-07-24-2025 manual.pptx
byGizelleTabilin
 
PPTX
Sashastra Seema Bal (SSB) Presentation.pptx
byDhirajKumar572762
 
PPTX
Enhanced_Future_Ready_Workforce_Viksit_Bharat_PPT.pptx
byp9745542
 
PPTX
Code on Wages 2019.pptx for all the empl
byDeepaliBhat6
 
PPTX
Code on Wages 2019.pptx for employees and
byDeepaliBhat6
 
PPTX
Chapter 1oneGlobal trend. power point presentation
bydessiea134
 
PPTX
BLOOD TRANSFUSION physiology and pathology .pptx
byggdharra
 
PDF
UNEP Global Environment Outlook_7 - Full Report
byEnergy for One World
 
PPTX
Barangay Alang sa Kalinaw ug Kaluwasan Presentation.pptx
byEphraimSaarenas1
 
PPTX
Did America’s GDP Improve After Trump Returned?
byKritika Chauhan
 
PDF
UNEP Global Environment Outlook : GEO7-Key-Messages
byEnergy for One World
 
PDF
UNDP World Inequality Report 2026 Full Report
byEnergy for One World
 
Лист Енергетичного співтовариства, December 12, 2025
byНаціональна комісія, що здійснює державне регулювання у сферах енергетики та комунальних послуг
 
Digital government and citizen engagement.pdf
byzsuzieana
 
Tracking Progress on Monitoring, Evaluation, and Learning for National Adapta...
byNAP Global Network
 
Tired of messy cables during video shoots?
byVideocast Technology
 
RBIS-Presentation-2025-07-24-2025 manual.pptx
byGizelleTabilin
 
Sashastra Seema Bal (SSB) Presentation.pptx
byDhirajKumar572762
 
Enhanced_Future_Ready_Workforce_Viksit_Bharat_PPT.pptx
byp9745542
 
Code on Wages 2019.pptx for all the empl
byDeepaliBhat6
 
Code on Wages 2019.pptx for employees and
byDeepaliBhat6
 
Chapter 1oneGlobal trend. power point presentation
bydessiea134
 
BLOOD TRANSFUSION physiology and pathology .pptx
byggdharra
 
UNEP Global Environment Outlook_7 - Full Report
byEnergy for One World
 
Barangay Alang sa Kalinaw ug Kaluwasan Presentation.pptx
byEphraimSaarenas1
 
Did America’s GDP Improve After Trump Returned?
byKritika Chauhan
 
UNEP Global Environment Outlook : GEO7-Key-Messages
byEnergy for One World
 
UNDP World Inequality Report 2026 Full Report
byEnergy for One World
 

MITRE ATT&CKcon Power Hour - November

  • 1.
    Welcome Follow the conversationon Slack @MITREattack attack.mitre.org
  • 2.
    Allie Mellen Security Strategist,Office of the CSO Cybereason
  • 3.
    Confidential Mapping the EventBotMobile Banking Trojan with MITRE ATT&CK for Mobile Allie Mellen, Security Strategist, Office of the CSO
  • 4.
    WHO AM I? ALLIEMELLEN Security Strategist Office of the CSO, Cybereason
  • 5.
    ● Why MITREATT&CK? ● Cybereason Nocturnus Mobile Malware Research ● Aligning to MITRE ATT&CK For Mobile ● How This Drives Future Alignment AGENDA
  • 6.
    ● Classification ● PurpleTeaming ● Knowledge Sharing ○ Community ○ Internally ○ Partners ○ Customers ○ Business WHY MAP TO MITRE ATT&CK?
  • 7.
    ● Innovative Approach ●Important Target ● Clarity ● Communicate Value WHY MAP TO MITRE ATT&CK FOR MOBILE?
  • 8.
    THREAT TYPE Banking Trojan NOCTURNUSRESEARCH: EVENTBOT TARGET INDUSTRY Financial ATTACK GOAL User Data IMPACTED GEO USA & Europe
  • 9.
  • 10.
    INITIAL ACCESS PERSISTENCE DEFENSE EVASION CREDENTIAL ACCESS DISCOVERYCOLLECTION EXFILTRATION C2 T1476: Deliver Malicious App via Other Means T1402: App Auto- Start at Device Boot T1444: Masquerade as Legitimate Application T1412: Capture SMS Messages T1418: Application Discovery T1056: Input Capture T1532: Data Encrypted T1521: Standard Cryptographic Protocol T1461: Lockscreen Bypass T1508: Suppress Application Icon T1417: Input Capture T1426: System Information Discovery T1413: Access Sensitive Data in Device Logs T1437: Standard Application Layer Protocol T1407: Download New Code at Runtime T1409: Access Stored Application Data T1516: Input Injection MITRE ATT&CK FOR MOBILE TECHNIQUES
  • 11.
    NOCTURNUS RESEARCH: EVENTBOT UnsuspectingUser Downloads Application Masquerading as Legitimate INITIAL ACCESS CONTROL Gets Control of Accessibility Features, Begins to Run in the Background Collects Reconnaissance Information Like Device Info and the Names of Android Packages DISCOVERY COLLECTION Tracks the Device PIN and Collects Financial Information, Personal Data, Keystrokes, and Passwords Exfiltrates Collected Data to its C2 Server EXFILTRATION BYPASS Steals SMS Messages to Bypass 2FA
  • 12.
  • 13.
  • 14.
    Q&A Jamie Williams Lead CyberAdversarial Engineer MITRE
  • 15.
  • 16.
    © 2020 Expel,Inc.© 2020 Expel, Inc. ATT&CKing the Cloud: Hopping Between the Matrices November 12, 2020 | Anthony Randazzo
  • 17.
    © 2020 Expel,Inc. GetCallerIdentity ~ 1.5 years leading response @ Expel ▪ 12+ years of SecOps ▫ iSIGHT/FireEye ▫ Fortune 25 Detection & Response ▪ Disclaimer: not a cloud expert but frequent AWS D&R blog contributor ▪ Kids, LEGO, whiskey expel.io/blog
  • 18.
    © 2020 Expel,Inc. Agenda ▪ ATT&CK for Cloud as we see it ▪ Defending the control plane ▪ Real world incident ▪ Other applications of ATT&CK for Cloud ▪ Takeaways
  • 19.
    © 2020 Expel,Inc. So what exactly is ATT&CK for Cloud? Infra-as-a-Service Software-as-a-Service It’s a way to communicate how attackers are misusing or abusing cloud services!
  • 20.
    © 2020 Expel,Inc. How is this different from Enterprise ATT&CK? Enterprise Matrices Cloud Matrices Very different attack surfaces!
  • 21.
    © 2020 Expel,Inc. Control plane is primary attack surface...but wait there’s more! Control/Management Plane And many more...
  • 22.
    © 2020 Expel,Inc. A shared responsibility... Source: AWS
  • 23.
    © 2020 Expel,Inc. We have to protect this control plane, right? ▪ Informs our detection strategy for this cloud attack surface ▪ What do we detect? Where do we even start? ▪ How many AWS APIs are available in this control plane? Almost 10,000, you say?
  • 24.
    © 2020 Expel,Inc. How'd we build detections? Using OSTs, of course! Source: Rhino Security Labs
  • 25.
    © 2020 Expel,Inc. What did an attack look like? An unconventional coin miner...
  • 26.
    © 2020 Expel,Inc. What did the ATT&CK look like? AWS [IaaS] Cloud
  • 27.
    © 2020 Expel,Inc. What did the ATT&CK look like? Enterprise Linux
  • 28.
    © 2020 Expel,Inc. More examples of hopping between matrices! ▪ AWS CLI access from multiple compromised keys > SSH access into EC2 ▪ boto3 SDK access of AWS SSM > sudo linux access (red team) ▪ SSRF exploitation > EC2 instance credential access to control plane ▪ RDS database ransom > used CloudTrail to identify when weak password change occured
  • 29.
    © 2020 Expel,Inc. AWS mind map for investigations and incidents MITRE ATT&CK Tactics Sign up for an advanced copy of our cheat sheet and AWS mind map: http://expel.io/mindmap
  • 30.
    © 2020 Expel,Inc. Takeaways ▪ With lots of attack surface in the cloud, understanding both cloud and enterprise ATT&CK will help. ▪ We need more information sharing! We don’t know nearly as much about attacks in the cloud than in an enterprise [Windows] environment. ▪ Cloud control planes are a target for automated attacks. This is the trend we’re observing today.
  • 31.
    Q&A Jamie Williams Lead CyberAdversarial Engineer MITRE
  • 32.
    Matt Snyder Senior ThreatAnalytics Engineer VMWare
  • 33.
    What’s a MITREWith Your Security? VMware’s Use of MITRE ATT&CK Matt Snyder November 2020
  • 34.
    Sr. Threat AnalyticsEngineer • 15+ Years in IT/Security. • In 2013, I was on the Incident Response team during one the 1st major Credit Card breaches. • I’ve built many SecOps programs over the last 10 years. • I’ve been at VMware for 3+ years, and it’s a great place to work! Matt Snyder Speaker Introduction
  • 35.
    Agenda Leveraging MITRE ATT&CK •Whatlogs do you need for security monitoring? •How do you build balanced alerting? •Evaluating New Security Tools
  • 37.
    Fundamental Flaw inOperationalizing Security Stuck in Survivor Bias mode… o Most companies’ security planning is done around breaches/incidents they or their peers in the industry have had. o This leads to target fixation and wasting resources. o Prevents proactive detection of new threats.
  • 38.
    What logs doyou need for Security Monitoring?
  • 39.
    Log All TheThings!!
  • 40.
    Log All TheThings!!
  • 42.
    Now You AreLogging with Focus… By mapping our logging requirements with MITRE and CIS, we can articulate what we need, why we need it, and how to enable the proper level of logging. - Reduce the guess work - Minimize the impact on the service owners, no more back and forth or asking for more logs - Reduce gaps in logs that would allow and incident to go undetected - Help educate service owners to the threats out there
  • 43.
  • 44.
  • 45.
    Alerts with Meaning Allowsyou to see a clearer picture of what’s happening in your environment. - What tactics and techniques are being discovered - Able to better understand your risk profile and where compensating controls are needed - Test areas that no detections are being found - Gives you the freedom to do things like risk- based alerting, where you can take lower fidelity events and chain them together to see a much clearer picture of an attack.
  • 46.
    Tracking Maturity andGrowth Starting Out - Aligning with ATT&CK gives us targets to track against - Helps us set what is a priority and ensure that those priorities make sense - Allows you to see in one place where gaps exist.
  • 47.
    Tracking Maturity andGrowth Future Check-In - Over time, you can see your growth and evaluate how that matches your needs. - Help reduce scope creep in your alerting (ATT&CK are things that exist in the wild and not hypothetical) - Help track the work being done and ensure you aren’t stacking alerts in certain areas
  • 48.
    Evaluating New SecurityTools Asseen on tv…. - With ATT&CK, we can focus on specific deliverables that are measurable and based on real world attacks - Helps to identify those 1 hit wonder vendors that don’t offer a well-rounded portfolio
  • 49.
  • 50.
    Q&A Jamie Williams Lead CyberAdversarial Engineer MITRE
  • 51.
  • 52.
    ©2020 The MITRECorporation. ALL RIGHTS RESERVED. Approved for public release. Distribution unlimited 20-02605-2. Mike Hartley @thecookiewanter PUTTING THE INTO ATT&CK Jamie Williams @jamieantisocial @MITREattack
  • 53.
    ©2020 The MITRECorporation. ALL RIGHTS RESERVED. Approved for public release. Distribution unlimited 20-02605-2. Reconnaissance Resource Development Initial Access Execution Persistence Privilege Escalation Defense Evasion Credential Access Discovery Lateral Movement Collection Command and Control Exfiltration Impact Active Scanning Acquire Infrastructure Valid Accounts Scheduled Task/Job Modify Authentication Process System Service Discovery Remote Services Data from Local System Data Obfuscation Exfiltration Over Other Network Medium Data Destruction Gather Victim Host Information Compromise Accounts Replication Through Removable Media Windows Management Instrumentation Valid Accounts Network Sniffing Software Deployment Tools Data from Removable Media Fallback Channels Data Encrypted for Impact Gather Victim Identity Information Compromise Infrastructure Hijack Execution Flow OS Credential Dumping Application Window Discovery Application Layer Protocol Scheduled Transfer Service Stop Gather Victim Network Information Develop Capabilities Trusted Relationship Software Deployment Tools Boot or Logon Initialization Scripts Direct Volume Access Input Capture Replication Through Removable Media Input Capture Proxy Data Transfer Size Limits Inhibit System Recovery Gather Victim Org Information Establish Accounts Supply Chain Compromise Create or Modify System Process Rootkit Brute Force System Network Configuration Discovery Data Staged Communication Through Removable Media Exfiltration Over C2 Channel Defacement Phishing for Information Obtain Capabilities Hardware Additions Shared Modules Event Triggered Execution Obfuscated Files or Information Two-Factor Authentication Interception Internal Spearphishing Screen Capture Firmware Corruption Search Closed Sources Exploit Public-Facing Application User Execution Boot or Logon Autostart Execution System Owner/User Discovery Use Alternate Authentication Material Email Collection Web Service Exfiltration Over Physical Medium Resource Hijacking Search Open Technical Databases Exploitation for Client Execution Account Manipulation Process Injection Exploitation for Credential Access Clipboard Data Multi-Stage Channels Network Denial of Service Search Open Websites/Domains Phishing External Remote Services Access Token Manipulation System Network Connections Discovery Lateral Tool Transfer Automated Collection Ingress Tool Transfer Exfiltration Over Web Service Endpoint Denial of Service Search Victim-Owned Websites External Remote Services System Services Office Application Startup Group Policy Modification Steal Web Session Cookie Taint Shared Content Audio Capture Data Encoding System Shutdown/Reboot Drive-by Compromise Command and Scripting Interpreter Create Account Abuse Elevation Control Mechanism Unsecured Credentials Permission Groups Discovery Exploitation of Remote Services Video Capture Traffic Signaling Automated Exfiltration Account Access Removal Browser Extensions Exploitation for Privilege Escalation Indicator Removal on Host Credentials from Password Stores Man in the Browser Remote Access Software Exfiltration Over Alternative Protocol Disk Wipe Native API Traffic Signaling Modify Registry File and Directory Discovery Remote Service Session Hijacking Data from Information Repositories Dynamic Resolution Data Manipulation Inter-Process Communication BITS Jobs Trusted Developer Utilities Proxy Execution Steal or Forge Kerberos Tickets Non-Standard Port Transfer Data to Cloud AccountServer Software Component Peripheral Device Discovery Man-in-the-Middle Protocol Tunneling Traffic Signaling Forced Authentication Archive Collected Data Encrypted Channel Pre-OS Boot Signed Script Proxy Execution Steal Application Access Token Network Share Discovery Data from Network Shared Drive Non-Application Layer ProtocolCompromise Client Software Binary Password Policy Discovery Rogue Domain Controller Man-in-the-Middle Browser Bookmark Discovery Data from Cloud Storage ObjectImplant Container Image Indirect Command Execution Virtualization/Sandbox EvasionBITS Jobs XSL Script Processing Cloud Service Dashboard Template Injection Software Discovery File and Directory Permissions Modification Query Registry Remote System Discovery Virtualization/Sandbox Evasion Network Service Scanning Process Discovery Unused/Unsupported Cloud Regions System Information Discovery Use Alternate Authentication Material Account Discovery System Time Discovery Impair Defenses Domain Trust Discovery Hide Artifacts Cloud Service Discovery Masquerading Cloud Infrastructure Discovery Deobfuscate/Decode Files or Information Signed Binary Proxy Execution Exploitation for Defense Evasion Execution Guardrails Modify Cloud Compute Infrastructure Pre-OS Boot Subvert Trust Controls Source: http://gph.is/1cEuQWX
  • 54.
    ©2020 The MITRECorporation. ALL RIGHTS RESERVED. Approved for public release. Distribution unlimited 20-02605-2.
  • 55.
    ©2020 The MITRECorporation. ALL RIGHTS RESERVED. Approved for public release. Distribution unlimited 20-02605-2. History of PRE-ATT&CK • Initially released in 2017 • Separate matrix w/ 17 Tactics • Adversary behaviors leading to compromise • Example use cases: • Are there signs that an adversary might be targeting you? • Prioritize open-source intelligence gathering / sharing
  • 56.
    ©2020 The MITRECorporation. ALL RIGHTS RESERVED. Approved for public release. Distribution unlimited 20-02605-2. The Long Con • In 2018 (v2) the Launch and Compromise Tactics were refactored into Initial Access
  • 57.
    ©2020 The MITRECorporation. ALL RIGHTS RESERVED. Approved for public release. Distribution unlimited 20-02605-2. Final Merge • Deprecated PRE-ATT&CK matrix for PRE Enterprise platform • 2 new Tactics • Criteria for inclusion: 1. Technical 2. Visible to some defenders 3. Evidence of adversary use
  • 58.
    ©2020 The MITRECorporation. ALL RIGHTS RESERVED. Approved for public release. Distribution unlimited 20-02605-2. Reconnaissance • Actively or passively gathering information that can be used to support targeting. • 10 Techniques & 31 Sub-techniques • Split into what & how
  • 59.
    ©2020 The MITRECorporation. ALL RIGHTS RESERVED. Approved for public release. Distribution unlimited 20-02605-2. Resource Development • Building, buying, or compromising resources that can be used during targeting • Infrastructure • Accounts • Capabilities • 6 Techniques & 26 Sub-techniques
  • 60.
    ©2020 The MITRECorporation. ALL RIGHTS RESERVED. Approved for public release. Distribution unlimited 20-02605-2. Technique Metadata • New PRE platform • New Pre-compromise Mitigation • ex: This technique cannot be easily mitigated with preventive controls since it is based on behaviors performed outside of the scope of enterprise defenses and controls. Efforts should focus on... • Data sources and Detections relevant to potential Enterprise artifacts Source: https://i.pinimg.com/originals/71/6a/5b/716a5b5b8847470b77dde4a4b67f2a2b.gif
  • 61.
    ©2020 The MITRECorporation. ALL RIGHTS RESERVED. Approved for public release. Distribution unlimited 20-02605-2. Why? • Promote more adoption and contributions • More integration across spectrum of adversary behaviors Source: https://gph.is/g/Z5K7bQE
  • 62.
    ©2020 The MITRECorporation. ALL RIGHTS RESERVED. Approved for public release. Distribution unlimited 20-02605-2. Gone But Not Forgotten Previous versions (< v8) will retain the full matrix as well as individual techniques
  • 63.
    ©2020 The MITRECorporation. ALL RIGHTS RESERVED. Approved for public release. Distribution unlimited 20-02605-2. How Can You Help? • Feedback and contributions! • New techniques + scoping of existing techniques • Documentation of potential detections and mitigations • Reported instances of adversary procedure examples Source: http://gph.is/2colVQl
  • 64.
    ©2020 The MITRECorporation. ALL RIGHTS RESERVED. Approved for public release. Distribution unlimited 20-02605-2. Special Thanks
  • 65.
    Join our nextsession on December 11 Register now! https://na.eventscloud.com/ATTACKcon-november