SlideShare a Scribd company logo
© 2019 The MITRE Corporation. All rights reserved. Approved for public release. Distribution unlimited 19-01159-1.
Putting MITRE ATT&CK™ into Action
with What You Have, Where You Are
| 1 |
Katie Nickels @likethecoins
MITRE ATT&CK @MITREattack
Sp4rkCon 2019
System Owner/User Discovery (T1033)
$whoami
 ATT&CK Threat Intelligence Lead at The MITRE Corporation
 SANS Instructor for FOR578 (Cyber Threat Intelligence)
 Experienced threat intel analyst and network defender (10 years)
 Public speaker and serial con attender
 Volunteer for Cyberjutsu Girls Academy
 Baker of chocolate things
 CrossFitter
 Oxford comma believer
© 2019 The MITRE Corporation. All rights reserved. Approved for public release. Distribution unlimited 19-01159-1.
| 2 |
“Do what you can, with what you have,
where you are.”
| 3 |
-Theodore Roosevelt
© 2019 The MITRE Corporation. All rights reserved. Approved for public release. Distribution unlimited 19-01159-1.
Tough Questions for Defenders
 How effective are my defenses?
 Do I have a chance at detecting APT28?
 Is the data I’m collecting useful?
 Do I have overlapping tool coverage?
 Will this new product help my organization’s defenses?
| 4 |
© 2019 The MITRE Corporation. All rights reserved. Approved for public release. Distribution unlimited 19-01159-1.
| 5 |
What is
?
A knowledge base of
adversary behavior
 Based on real-world observations
 Free, open, and globally accessible
 A common language
 Community-driven
© 2019 The MITRE Corporation. All rights reserved. Approved for public release. Distribution unlimited 19-01159-1.
The Difficult Task of Detecting TTPs
Source: David Bianco, https://detect-respond.blogspot.com/2013/03/the-pyramid-of-pain.html
David Bianco’s Pyramid of Pain
© 2019 The MITRE Corporation. All rights reserved. Approved for public release. Distribution unlimited 19-01159-1.
| 6 |
Zooming in on the Adversary Lifecycle
Recon
Weaponize
Deliver
Exploit
Control
Execute
Maintain
Enterprise ATT&CKPRE-ATT&CK
Mobile
ATT&CK
© 2019 The MITRE Corporation. All rights reserved. Approved for public release. Distribution unlimited 19-01159-1.
| 7 |
Breaking Down ATT&CK
Tactics: the adversary’s technical goals
Techniques:howthegoalsare
achieved
Procedures: Specific technique implementation
New!
© 2019 The MITRE Corporation. All rights reserved. Approved for public release. Distribution unlimited 19-01159-1.
| 8 |
Example Technique: New Service
| 9 |
Description: When operating systems boot up, they can start programs or applications called services that
perform background system functions. […] Adversaries may install a new service which will be
executed at startup by directly modifying the registry or by using tools. 1
Platform: Windows
Permissions required: Administrator, SYSTEM
Effective permissions: SYSTEM
Detection: • Monitor service creation through changes in the Registry and common utilities using
command-line invocation
• …
Mitigation: • Limit privileges of user accounts and remediate Privilege Escalation vectors
• …
Data sources: Windows registry, process monitoring, command-line parameters
Examples: Carbanak, Lazarus Group, TinyZBot, Duqu, CozyCar, CosmicDuke, hcdLoader, …
References: 1. Microsoft. (n.d.). Services. Retrieved June 7, 2016.
© 2019 The MITRE Corporation. All rights reserved. Approved for public release. Distribution unlimited 19-01159-1.
Example Group: APT28
| 10 |
Description: APT28 is a threat group that has been attributed to the Russian government.1 2 3 4
This group reportedly compromised the Democratic National Committee in April
2016.5
Aliases: Sednit, Sofacy, Pawn Storm, Fancy Bear, STRONTIUM, Tsar Team, Threat Group-
4127, TG-4127 1 2 3 4 5 6 7
Techniques: • Data Obfuscation 1
• Connection Proxy 1 8
• Standard Application Layer Protocol 1
• Remote File Copy 8 9
• Rundll32 8 9
• Indicator Removal on Host 5
• Timestomp5
• Credential Dumping 10
• Screen Capture 10 11
• Bootkit 7 and more…
Software: CHOPSTICK, JHUHUGIT, ADVSTORESHELL, XTunnel, Mimikatz, HIDEDRV, USBStealer,
CORESHELL, OLDBAIT, XAgentOSX, Komplex, Responder, Forfiles, Winexe, certutil 1 3 6
References: 1. FireEye. (2015). APT28: A WINDOW INTO RUSSIA’S CYBER ESPIONAGE OPERATIONS?.
Retrieved August 19, 2015.
…
© 2019 The MITRE Corporation. All rights reserved. Approved for public release. Distribution unlimited 19-01159-1.
Who’s Contributing to ATT&CK?
 Alain Homewood, Insomnia Security
 Alan Neville, @abnev
 Anastasios Pingios
 Andrew Smith, @jakx_
 Barry Shteiman, Exabeam
 Bartosz Jerzman
 Bryan Lee
 Carlos Borges, CIP
 Casey Smith
 Christiaan Beek, @ChristiaanBeek
 Cody Thomas, SpecterOps
 Craig Aitchison
 Daniel Oakley
 Darren Spruell
 Dave Westgard
 David Ferguson, CyberSponse
 David Lu, Tripwire
 David Routin
 Ed Williams, Trustwave, SpiderLabs
 Edward Millington
 Elger Vinicius S. Rodrigues, @elgervinicius, CYBINT
Centre
 Elia Florio, Microsoft
 Emily Ratliff, IBM
 ENDGAME
 Eric Kuehn, Secure Ideas
 Erye Hernandez, Palo Alto Networks
 Felipe Espósito, @Pr0teus
 FS-ISAC
 Hans Christoffer Gaardløs
 Itamar Mizrahi
 Itzik Kotler, SafeBreach
 Jacob Wilkin, Trustwave, SpiderLabs
 Jan Miller, CrowdStrike
 Jared Atkinson, @jaredcatkinson
 Jeremy Galloway
 John Lambert, Microsoft Threat Intelligence Center
 John Strand
 Josh Abraham
 Justin Warner, ICEBRG
 Leo Loobeek, @leoloobeek
 Loic Jaquemet
 Marc-Etienne M.Léveillé, ESET
 Mark Wee
 Matt Graeber, @mattifestation, SpecterOps
 Matt Kelly, @breakersall
 Matthew Demaske, Adaptforward
 Matthew Molyett, @s1air
 McAfee
 Michael Cox
 Mike Kemmerer
 Milos Stojadinovic
 Mnemonic
 Nick Carr, FireEye
 Nik Seetharaman, Palantir
 Nishan Maharjan, @loki248
 Oddvar Moe, @oddvarmoe
 Omkar Gudhate
 Patrick Campbell, @pjcampbe11
 Paul Speulstra, AECOM Global Security Operations
Center
 Pedro Harrison
 Praetorian
 Rahmat Nurfauzi, @infosecn1nja, PT Xynexis
International
 Red Canary
 RedHuntLabs (@redhuntlabs)
 Ricardo Dias
 Richard Gold, Digital Shadows
 Richie Cyrus, SpecterOps
 Robby Winchester, @robwinchester3
 Robert Falcone
 Romain Dumont, ESET
 Ryan Becwar
 Ryan Benson, Exabeam
 Scott Lundgren, @5twenty9, Carbon Black
 Stefan Kanthak
 Sudhanshu Chauhan, @Sudhanshu_C
 Sunny Neo
 Sylvain Gil, Exabeam
 Teodor Cimpoesu
 Tim MalcomVetter
 Tom Ueltschi @c_APT_ure
 Tony Lambert, Red Canary
 Travis Smith, Tripwire
 Tristan Bennett, Seamless Intelligence
 Valerii Marchuk, Cybersecurity Help s.r.o.
 Veeral Patel
 Vincent Le Toux
 Walker Johnson
 Ye Yint Min Thu Htut, Offensive Security Team, DBS
Bank
 Yonatan Gotlib, Deep Instinct
| 11 |
89 individuals and orgs!
© 2019 The MITRE Corporation. All rights reserved. Approved for public release. Distribution unlimited 19-01159-1.
ATT&CK Use Cases
Threat Intelligence
processes = search Process:Create
reg = filter processes where (exe == "reg.exe" and parent_exe
== "cmd.exe")
cmd = filter processes where (exe == "cmd.exe" and
parent_exe != "explorer.exe"")
reg_and_cmd = join (reg, cmd) where (reg.ppid == cmd.pid and
reg.hostname == cmd.hostname)
output reg_and_cmd
Detection
Persistence Privilege Escalation Defense Evasion Credential Access Discovery Lateral Movement Execution Collection Exfiltration Command and Control
Accessibility Features Accessibility Features Binary Padding Brute Force Account Discovery
Application Deployment
Software
Command-Line Automated Collection Automated Exfiltration Commonly Used Port
AppInit DLLs AppInit DLLs
Bypass User Account
Control
Credential Dumping
Application Window
Discovery
Exploitation of
Vulnerability
Execution through API Clipboard Data Data Compressed
Communication Through
Removable Media
Basic Input/Output System
Bypass User Account
Control
Code Signing Credential Manipulation
File and Directory
Discovery
Logon Scripts Graphical User Interface Data Staged Data Encrypted
Custom Command and
Control Protocol
Bootkit DLL Injection Component Firmware Credentials in Files
Local Network
Configuration Discovery
Pass the Hash PowerShell Data from Local System Data Transfer Size Limits
Custom Cryptographic
Protocol
Change Default File
Handlers
DLL Search Order Hijacking DLL Injection
Exploitation of
Vulnerability
Local Network Connections
Discovery
Pass the Ticket Process Hollowing
Data from Network Shared
Drive
Exfiltration Over
Alternative Protocol
Data Obfuscation
Component Firmware
Exploitation of
Vulnerability
DLL Search Order Hijacking Input Capture Network Service Scanning Remote Desktop Protocol Rundll32
Data from Removable
Media
Exfiltration Over Command
and Control Channel
Fallback Channels
DLL Search Order Hijacking Legitimate Credentials DLL Side-Loading Network Sniffing
Peripheral Device
Discovery
Remote File Copy Scheduled Task Email Collection
Exfiltration Over Other
Network Medium
Multi-Stage Channels
Hypervisor Local Port Monitor Disabling Security Tools
Two-Factor Authentication
Interception
Permission Groups
Discovery
Remote Services Service Execution Input Capture
Exfiltration Over Physical
Medium
Multiband Communication
Legitimate Credentials New Service
Exploitation of
Vulnerability
Process Discovery
Replication Through
Removable Media
Third-party Software Screen Capture Scheduled Transfer Multilayer Encryption
Local Port Monitor Path Interception File Deletion Query Registry Shared Webroot
Windows Management
Instrumentation
Peer Connections
Logon Scripts Scheduled Task File System Logical Offsets Remote System Discovery Taint Shared Content
Windows Remote
Management
Remote File Copy
Modify Existing Service
Service File Permissions
Weakness
Indicator Blocking on Host
Security Software
Discovery
Windows Admin Shares
Standard Application Layer
Protocol
New Service
Service Registry
Permissions Weakness
Indicator Removal from
Tools
System Information
Discovery
Windows Remote
Management
Standard Cryptographic
Protocol
Path Interception Web Shell Indicator Removal on Host
System Owner/User
Discovery
Standard Non-Application
Layer Protocol
Redundant Access Legitimate Credentials System Service Discovery Uncommonly Used Port
Registry Run Keys / Start
Adversary Emulation
Assessment and Engineering
© 2019 The MITRE Corporation. All rights reserved. Approved for public release. Distribution unlimited 19-01159-1.
| 12 |
That’s Great…But How Can I Actually Use It?
 How you use ATT&CK depends on where your team is
 ATT&CK can be useful for any level of sophistication
 Let’s dive into key use cases:
– Detection
– Assessment and Engineering
– Threat Intelligence
– Adversary Emulation
| 13 |
idownloadblog.com
© 2019 The MITRE Corporation. All rights reserved. Approved for public release. Distribution unlimited 19-01159-1.
Detection – How ATT&CK Can Help
 Improve focus on post-exploit activity (in addition to perimeter defenses)
 Move toward detecting adversary TTPs in addition to indicators
 Organize detections to enable:
– Finding gaps in coverage
– Tracking improvement over time
| 14 |
© 2019 The MITRE Corporation. All rights reserved. Approved for public release. Distribution unlimited 19-01159-1.
Detection
 Look at others’ behavioral analytics and choose a few to implement
 Adapt them to your environment (tuning needed!)
 Check out these repositories to get started:
– Cyber Analytics Repository: https://car.mitre.org/
– Endgame EQL Analytics Library:
https://eqllib.readthedocs.io/en/latest/analytics.html
– Threat Hunter Playbook: https://github.com/Cyb3rWard0g/ThreatHunter-
Playbook
– Sigma: https://github.com/Neo23x0/sigma
– Atomic Threat Coverage: https://github.com/krakow2600/atomic-threat-
coverage
| 15 |
© 2019 The MITRE Corporation. All rights reserved. Approved for public release. Distribution unlimited 19-01159-1.
Detection - An Example Analytic
| 16 |
https://car.mitre.org/analytics/CAR-2013-03-001
© 2019 The MITRE Corporation. All rights reserved. Approved for public release. Distribution unlimited 19-01159-1.
Detection
 Look at what techniques you may be able to detect based on data you’re
already collecting
 Host-based data is useful, but consider network data too (e.g. Bro/Zeek)
 Example data sources associated with ATT&CK techniques:
– Windows registry
– Process monitoring
– Command-line parameters
– Network intrusion detection system
– and more…
| 17 |
© 2019 The MITRE Corporation. All rights reserved. Approved for public release. Distribution unlimited 19-01159-1.
Detection
 Choose one data source and write your own analytics
 Use our script help you pull the data sources from ATT&CK:
https://github.com/mitre-attack/attack-scripts/tree/master/scripts
| 18 |
© 2019 The MITRE Corporation. All rights reserved. Approved for public release. Distribution unlimited 19-01159-1.
Detection
 Assess your detection coverage across ATT&CK
– Consider starting with one tactic and expanding from there
– Choose a “coverage rating” that works for you:
 1-5 based on quality or number of detections
 Low, Medium, High based on confidence you would detect that behavior
 Remember you’ll never get to 100% or “perfect” coverage!
| 19 |
Credit: Kyle Rainey and
Red Canary
https://redcanary.com/bl
og/avoiding-common-
attack-pitfalls/
© 2019 The MITRE Corporation. All rights reserved. Approved for public release. Distribution unlimited 19-01159-1.
Detection
| 20 |
ATT&CK Navigator
https://github.com/mitre-attack/attack-navigator
© 2019 The MITRE Corporation. All rights reserved. Approved for public release. Distribution unlimited 19-01159-1.
Assessment and Engineering – How ATT&CK Can Help
 Drive decisions about what you collect (and buy) based on visibility
– Where are your gaps?
– What other tools can you choose?
– Will they help you build more effective defenses?
 Help you move toward a broader view of security beyond just detection
 Increase awareness of where you may need to accept risk
– What can’t you detect or mitigate?
| 21 |
© 2019 The MITRE Corporation. All rights reserved. Approved for public release. Distribution unlimited 19-01159-1.
Assessment and Engineering
 Collect one log source that will improve your ATT&CK visibility
– Especially if you’re struggling to write many detections
 Places to start (that cost nothing but time):
– Windows Event Logs
 Malware Archaeology Cheat Sheets (including ATT&CK):
https://www.malwarearchaeology.com/cheat-sheets/
 NCSC Logging Made Easy: https://github.com/ukncsc/lme/
– Sysmon
 SwiftonSecurity sysmon-config:
https://github.com/SwiftOnSecurity/sysmon-config
| 22 |
© 2019 The MITRE Corporation. All rights reserved. Approved for public release. Distribution unlimited 19-01159-1.
Assessment and Engineering
 Assess your ATT&CK coverage map beyond just detection
 What can you mitigate?
– Can you mitigate with tools?
– Can you mitigate with policies? (People and process matter too!)
 What can’t you detect or mitigate?
– May need to accept risk
| 23 |
© 2019 The MITRE Corporation. All rights reserved. Approved for public release. Distribution unlimited 19-01159-1.
| 24 |
Assessment and Engineering
Supply Chain Compromise?
Spearphishing Attachment?
© 2019 The MITRE Corporation. All rights reserved. Approved for public release. Distribution unlimited 19-01159-1.
Assessment and Engineering
 Plan out your tool and log acquisition strategy based on coverage
 Determine what techniques your current logs and tools detect and
mitigate
– Review documentation for the tool
– Ask the vendor
– Validate tool output
 Consider what changes you could make to your environment
– Should you change configurations of an existing tool?
– Should you acquire a new tool?
– What gaps would that tool help you fill?
 Examine your security budget and plan for the best use of resources
| 25 |
© 2019 The MITRE Corporation. All rights reserved. Approved for public release. Distribution unlimited 19-01159-1.
| 26 |
Assessment and Engineering
New Windows Logs Collected
New EDR Tool: 2020
© 2019 The MITRE Corporation. All rights reserved. Approved for public release. Distribution unlimited 19-01159-1.
Threat Intelligence – How ATT&CK Can Help
 Use knowledge of adversary behaviors to help inform
defenders
 Structuring threat intelligence with ATT&CK allows us to…
– Compare behaviors
 Groups to each other
 Groups over time
 Groups to defenses
– Communicate in a common language
 Across teams in your organization
 Across organizations
| 27 |
© 2019 The MITRE Corporation. All rights reserved. Approved for public release. Distribution unlimited 19-01159-1.
Threat Intelligence
 Choose one threat group you care about
 Look at existing ATT&CK techniques the group uses
– Many threat intelligence teams and vendors map to ATT&CK
– https://attack.mitre.org/groups/
| 28 |
© 2019 The MITRE Corporation. All rights reserved. Approved for public release. Distribution unlimited 19-01159-1.
Threat Intelligence
 Make recommendations to your defenders on how to detect
and mitigate the group’s techniques
| 29 |
© 2019 The MITRE Corporation. All rights reserved. Approved for public release. Distribution unlimited 19-01159-1.
Threat Intelligence
 Map your threat intelligence to ATT&CK
– Start with one group or software sample
– Use an incident write-up or an intelligence report
 Consider how you can store the intel
– Excel, Threat Intelligence Platform, other?
 Start at the tactic level
 Use existing website examples
 Take it as a learning experience
 Work as a team
 Use it to make detection and mitigation recommendations to defenders
– Based on adversaries that have targeted you
| 30 |
© 2019 The MITRE Corporation. All rights reserved. Approved for public release. Distribution unlimited 19-01159-1.
Mapping ATT&CK Techniques
https://www.nccgroup.trust/us/about-us/newsroom-and-events/blog/2018/march/apt15-is-alive-
and-strong-an-analysis-of-royalcli-and-royaldns/
Scripting (T1064)
Registry Run Keys / Startup Folder (T1060)
Command-Line Interface (T1059)
Process Discovery (T1057)
Remote System Discovery (T1018)
System Network Connections Discovery (T1049)
System Information Discovery (T1082)
System Network Configuration Discovery (T1016)
Credential Dumping (T1003)
Pass the Ticket (T1097)Input Capture (T1056)
Email Collection (T1114)
© 2019 The MITRE Corporation. All rights reserved. Approved for public release. Distribution unlimited 19-01159-1.
| 31 |
Threat Intelligence
 Map more of your own threat intelligence to ATT&CK
– Incident response data
– Threat intel subscriptions
– Real-time alerts
– Historic reporting
 Prioritize frequently used techniques
– Remember any ATT&CK-mapped data has biases:
https://www.slideshare.net/KatieNickels/first-cti-symposium-turning-intelligence-into-action-with-mitre-attck
– You’re prioritizing known adversary behavior over the unknown
 Use and share your intel!
– Track adversary changes
– Compare groups to each other – across your org and others
| 32 |
© 2019 The MITRE Corporation. All rights reserved. Approved for public release. Distribution unlimited 19-01159-1.
APT28 Techniques*
| 33 |
*from open source
reporting we’ve mapped
Initial
Access
Execution Persistence
Privilege
Escalation
Defense
Evasion
Credential
Access
Discovery
Lateral
Movement
Collection Exfiltration
Command
and Control
© 2019 The MITRE Corporation. All rights reserved. Approved for public release. Distribution unlimited 19-01159-1.
APT29 Techniques
| 34 |
Initial
Access
Execution Persistence
Privilege
Escalation
Defense
Evasion
Credential
Access
Discovery
Lateral
Movement
Collection Exfiltration
Command
and Control
© 2019 The MITRE Corporation. All rights reserved. Approved for public release. Distribution unlimited 19-01159-1.
Comparing APT28 and APT29
| 35 |
Initial
Access
Execution Persistence
Privilege
Escalation
Defense
Evasion
Credential
Access
Discovery
Lateral
Movement
Collection Exfiltration
Command
and Control
APT28
APT29
Both groups Prioritize!
© 2019 The MITRE Corporation. All rights reserved. Approved for public release. Distribution unlimited 19-01159-1.
Comparing APT28 and APT29
| 36 |
Initial
Access
Execution Persistence
Privilege
Escalation
Defense
Evasion
Credential
Access
Discovery
Lateral
Movement
Collection Exfiltration
Command
and Control
Overlay known gaps
APT28
APT29
Both groups
© 2019 The MITRE Corporation. All rights reserved. Approved for public release. Distribution unlimited 19-01159-1.
1. Standard App Layer Protocol
2. Remote File Copy
3. System Information Discovery
4. Command-Line Interface
5. File and Directory Discovery
6. Registry Run Key/Startup Folder
7. Obfuscated Files or Information
8. File Deletion
9. Process Discovery
10.System Network Config Discovery
11.Credential Dumping
12.Screen Capture
13.Input Capture
14.System Owner/User Discovery
15.Scripting
16.Commonly Used Port
17.Standard Crypto Protocol
18.PowerShell
19.& 20 (tie!)
Masquerading and New Service
Top 20 Techniques from ATT&CK Group/Software Data
A starting point! Not representative of all adversary behavior
© 2019 The MITRE Corporation. All rights reserved. Approved for public release. Distribution unlimited 19-01159-1.
| 37 |
Adversary Emulation – How ATT&CK Can Help
 You think you know what you can detect and mitigate…
…but how can you be sure? Are there adversaries in your network?
 Enter red teamers!
 Use ATT&CK to organize your red team plans
 Move toward adversary emulation
– Subset of threat-based security testing
– Emulate the techniques of real adversaries
– Focus on the technique behaviors
| 38 |
© 2019 The MITRE Corporation. All rights reserved. Approved for public release. Distribution unlimited 19-01159-1.
Adversary Emulation
 No red team? No problem!
 Defenders can try out red teaming tools to get your feet wet
– CALDERA: https://github.com/mitre/caldera
– Red Team Automation: https://github.com/endgameinc/RTA
– Metta: https://github.com/uber-common/metta
| 39 |
© 2019 The MITRE Corporation. All rights reserved. Approved for public release. Distribution unlimited 19-01159-1.
Adversary Emulation
Red Canary’s Atomic Red Team (https://atomicredteam.io/)
| 40 |
© 2019 The MITRE Corporation. All rights reserved. Approved for public release. Distribution unlimited 19-01159-1.
Adversary Emulation
 Use ATT&CK to mature what your red team is doing
– Have your team choose a different ATT&CK technique each week
– Discuss how you’d use different procedures to perform the behavior
– Bring in your threat intel analysts to talk about how adversaries are using it
– Communicate with your blue team in a common language
 Have your red team start emulating ATT&CK techniques themselves
– APT3 Adversary Emulation Plan:
https://attack.mitre.org/resources/adversary-emulation-plans/
| 41 |
© 2019 The MITRE Corporation. All rights reserved. Approved for public release. Distribution unlimited 19-01159-1.
Adversary Emulation
APT3 Adversary Emulation Field Manual
| 42 |
Category Built-in Windows Cobalt Strike Metasploit Description
Discovery
T1082 ver shell ver Get the Windows OS version that's
T1082 set shell set get_env.rb Print all of the environment variables
T1033 whoami /all /fo list shell whoami /all /fo list getuid
Get current user information, SID,
domain, groups the user belongs to,
T1082
net config workstation
net config server
shell net config
workstation
Get computer name, username, OS
software version, domain information,
T1016 ipconfig /all shell ipconfig
ipconfig
post/windows/gather/en
Get information about the domain,
network adapters, DNS / WSUS
T1082
systeminfo [/s COMPNAME]
[/u DOMAINuser] [/p
password]
systemprofiler tool if no
access yet (victim
browses to website)
sysinfo, run winenum,
get_env.rb
Displays detailed configuration
information about a computer and its
operating system, including
T1012
reg query
"HKEY_LOCAL_MACHINESY
STEMCurrentControlSetContr
olTerminal Server" /v
fDenyTSConnections
shell reg query
"HKEY_LOCAL_MACHIN
ESYSTEMCurrentContro
lSetControlTerminal
Server" /v
reg queryval -k
"HKEY_LOCAL_MACH
INESYSTEMCurrentC
ontrolSetControlTermi
nal Server" -v
Check for the current registry value
for terminal services, if it's 0, then
terminal services are enabled. If it's
1, then they're disabled
© 2019 The MITRE Corporation. All rights reserved. Approved for public release. Distribution unlimited 19-01159-1.
Adversary Emulation
 Develop your own adversary emulation plan
 Choose an adversary that is important to you
 Use ATT&CK to communicate findings and drive defenders to improve
 More info on developing plans:
– ATT&CK Evaluations Methodology: https://attackevals.mitre.org/methodology/round1/scope.html
– Threat-based Purple Teaming with ATT&CK: https://www.youtube.com/watch?v=OYEP-
YAKIn0&index=3&list=PL7ZDZo2Xu332XUiwFHB5X-tXfqIwVkg5l&t=0s
– ATT&CKing the Status Quo: Threat-Based Adversary Emulation with MITRE ATT&CK:
https://www.sans.org/cyber-security-summit/archives/file/summit-archive-1536260992.pdf
| 43 |
Gather
threat intel
Extract
techniques
Analyze &
organize
Develop
tools
Emulate the
adversary
© 2019 The MITRE Corporation. All rights reserved. Approved for public release. Distribution unlimited 19-01159-1.
Bringing it All Together
| 44 |
*Disclaimer: will not really make you
invincible against adversaries
Threat intel: what techniques do our adversaries use?
Detection: what can we detect?
Assessment & Eng: how can we improve?
Adversary Emulation: does our security hold up?
© 2019 The MITRE Corporation. All rights reserved. Approved for public release. Distribution unlimited 19-01159-1.
pixelartmaker.com
Takeaways
 ATT&CK can help you create a threat-informed defense,
no matter if you’re or
 Do what you can, with what you have, where you are:
– Detection
– Assessment and Engineering
– Threat Intelligence
– Adversary Emulation
 Choose a starting point that works for your team
| 45 |
© 2019 The MITRE Corporation. All rights reserved. Approved for public release. Distribution unlimited 19-01159-1.
| 46 |
https://attack.mitre.org
attack@mitre.org
@MITREattack
Katie Nickels
@likethecoins
© 2019 The MITRE Corporation. All rights reserved. Approved for public release. Distribution unlimited 19-01159-1.

More Related Content

What's hot

Threat-Based Adversary Emulation with MITRE ATT&CK
Threat-Based Adversary Emulation with MITRE ATT&CKThreat-Based Adversary Emulation with MITRE ATT&CK
Threat-Based Adversary Emulation with MITRE ATT&CK
Katie Nickels
 
Mapping ATT&CK Techniques to ENGAGE Activities
Mapping ATT&CK Techniques to ENGAGE ActivitiesMapping ATT&CK Techniques to ENGAGE Activities
Mapping ATT&CK Techniques to ENGAGE Activities
MITRE ATT&CK
 
Purple Team Exercise Framework Workshop #PTEF
Purple Team Exercise Framework Workshop #PTEFPurple Team Exercise Framework Workshop #PTEF
Purple Team Exercise Framework Workshop #PTEF
Jorge Orchilles
 
It's just a jump to the left (of boom): Prioritizing detection implementation...
It's just a jump to the left (of boom): Prioritizing detection implementation...It's just a jump to the left (of boom): Prioritizing detection implementation...
It's just a jump to the left (of boom): Prioritizing detection implementation...
MITRE ATT&CK
 
Purple Teaming with ATT&CK - x33fcon 2018
Purple Teaming with ATT&CK - x33fcon 2018Purple Teaming with ATT&CK - x33fcon 2018
Purple Teaming with ATT&CK - x33fcon 2018
Christopher Korban
 
The ATT&CK Latin American APT Playbook
The ATT&CK Latin American APT PlaybookThe ATT&CK Latin American APT Playbook
The ATT&CK Latin American APT Playbook
MITRE ATT&CK
 
Threat Hunting with Splunk Hands-on
Threat Hunting with Splunk Hands-onThreat Hunting with Splunk Hands-on
Threat Hunting with Splunk Hands-on
Splunk
 
Managing & Showing Value during Red Team Engagements & Purple Team Exercises ...
Managing & Showing Value during Red Team Engagements & Purple Team Exercises ...Managing & Showing Value during Red Team Engagements & Purple Team Exercises ...
Managing & Showing Value during Red Team Engagements & Purple Team Exercises ...
Jorge Orchilles
 
Threat Hunting
Threat HuntingThreat Hunting
Threat Hunting
Splunk
 
Threat Intelligence Workshop
Threat Intelligence WorkshopThreat Intelligence Workshop
Threat Intelligence Workshop
Priyanka Aash
 
When Insiders ATT&CK!
When Insiders ATT&CK!When Insiders ATT&CK!
When Insiders ATT&CK!
MITRE ATT&CK
 
ATT&CK Metaverse - Exploring the Limitations of Applying ATT&CK
ATT&CK Metaverse - Exploring the Limitations of Applying ATT&CKATT&CK Metaverse - Exploring the Limitations of Applying ATT&CK
ATT&CK Metaverse - Exploring the Limitations of Applying ATT&CK
MITRE ATT&CK
 
MITRE ATT&CKcon 2018: Hunters ATT&CKing with the Data, Roberto Rodriguez, Spe...
MITRE ATT&CKcon 2018: Hunters ATT&CKing with the Data, Roberto Rodriguez, Spe...MITRE ATT&CKcon 2018: Hunters ATT&CKing with the Data, Roberto Rodriguez, Spe...
MITRE ATT&CKcon 2018: Hunters ATT&CKing with the Data, Roberto Rodriguez, Spe...
MITRE - ATT&CKcon
 
BSidesLV 2018 - Katie Nickels and John Wunder - ATT&CKing the Status Quo
BSidesLV 2018 - Katie Nickels and John Wunder - ATT&CKing the Status QuoBSidesLV 2018 - Katie Nickels and John Wunder - ATT&CKing the Status Quo
BSidesLV 2018 - Katie Nickels and John Wunder - ATT&CKing the Status Quo
Katie Nickels
 
ATT&CKing Your Adversaries - Operationalizing cyber intelligence in your own ...
ATT&CKing Your Adversaries - Operationalizing cyber intelligence in your own ...ATT&CKing Your Adversaries - Operationalizing cyber intelligence in your own ...
ATT&CKing Your Adversaries - Operationalizing cyber intelligence in your own ...
JamieWilliams130
 
MITRE ATT&CK framework
MITRE ATT&CK frameworkMITRE ATT&CK framework
MITRE ATT&CK framework
Bhushan Gurav
 
Purple Team Exercises - GRIMMCon
Purple Team Exercises - GRIMMConPurple Team Exercises - GRIMMCon
Purple Team Exercises - GRIMMCon
Jorge Orchilles
 
Projects to Impact- Operationalizing Work from the Center
Projects to Impact- Operationalizing Work from the CenterProjects to Impact- Operationalizing Work from the Center
Projects to Impact- Operationalizing Work from the Center
MITRE ATT&CK
 
Automation: The Wonderful Wizard of CTI (or is it?)
Automation: The Wonderful Wizard of CTI (or is it?) Automation: The Wonderful Wizard of CTI (or is it?)
Automation: The Wonderful Wizard of CTI (or is it?)
MITRE ATT&CK
 
Effective Threat Hunting with Tactical Threat Intelligence
Effective Threat Hunting with Tactical Threat IntelligenceEffective Threat Hunting with Tactical Threat Intelligence
Effective Threat Hunting with Tactical Threat Intelligence
Dhruv Majumdar
 

What's hot (20)

Threat-Based Adversary Emulation with MITRE ATT&CK
Threat-Based Adversary Emulation with MITRE ATT&CKThreat-Based Adversary Emulation with MITRE ATT&CK
Threat-Based Adversary Emulation with MITRE ATT&CK
 
Mapping ATT&CK Techniques to ENGAGE Activities
Mapping ATT&CK Techniques to ENGAGE ActivitiesMapping ATT&CK Techniques to ENGAGE Activities
Mapping ATT&CK Techniques to ENGAGE Activities
 
Purple Team Exercise Framework Workshop #PTEF
Purple Team Exercise Framework Workshop #PTEFPurple Team Exercise Framework Workshop #PTEF
Purple Team Exercise Framework Workshop #PTEF
 
It's just a jump to the left (of boom): Prioritizing detection implementation...
It's just a jump to the left (of boom): Prioritizing detection implementation...It's just a jump to the left (of boom): Prioritizing detection implementation...
It's just a jump to the left (of boom): Prioritizing detection implementation...
 
Purple Teaming with ATT&CK - x33fcon 2018
Purple Teaming with ATT&CK - x33fcon 2018Purple Teaming with ATT&CK - x33fcon 2018
Purple Teaming with ATT&CK - x33fcon 2018
 
The ATT&CK Latin American APT Playbook
The ATT&CK Latin American APT PlaybookThe ATT&CK Latin American APT Playbook
The ATT&CK Latin American APT Playbook
 
Threat Hunting with Splunk Hands-on
Threat Hunting with Splunk Hands-onThreat Hunting with Splunk Hands-on
Threat Hunting with Splunk Hands-on
 
Managing & Showing Value during Red Team Engagements & Purple Team Exercises ...
Managing & Showing Value during Red Team Engagements & Purple Team Exercises ...Managing & Showing Value during Red Team Engagements & Purple Team Exercises ...
Managing & Showing Value during Red Team Engagements & Purple Team Exercises ...
 
Threat Hunting
Threat HuntingThreat Hunting
Threat Hunting
 
Threat Intelligence Workshop
Threat Intelligence WorkshopThreat Intelligence Workshop
Threat Intelligence Workshop
 
When Insiders ATT&CK!
When Insiders ATT&CK!When Insiders ATT&CK!
When Insiders ATT&CK!
 
ATT&CK Metaverse - Exploring the Limitations of Applying ATT&CK
ATT&CK Metaverse - Exploring the Limitations of Applying ATT&CKATT&CK Metaverse - Exploring the Limitations of Applying ATT&CK
ATT&CK Metaverse - Exploring the Limitations of Applying ATT&CK
 
MITRE ATT&CKcon 2018: Hunters ATT&CKing with the Data, Roberto Rodriguez, Spe...
MITRE ATT&CKcon 2018: Hunters ATT&CKing with the Data, Roberto Rodriguez, Spe...MITRE ATT&CKcon 2018: Hunters ATT&CKing with the Data, Roberto Rodriguez, Spe...
MITRE ATT&CKcon 2018: Hunters ATT&CKing with the Data, Roberto Rodriguez, Spe...
 
BSidesLV 2018 - Katie Nickels and John Wunder - ATT&CKing the Status Quo
BSidesLV 2018 - Katie Nickels and John Wunder - ATT&CKing the Status QuoBSidesLV 2018 - Katie Nickels and John Wunder - ATT&CKing the Status Quo
BSidesLV 2018 - Katie Nickels and John Wunder - ATT&CKing the Status Quo
 
ATT&CKing Your Adversaries - Operationalizing cyber intelligence in your own ...
ATT&CKing Your Adversaries - Operationalizing cyber intelligence in your own ...ATT&CKing Your Adversaries - Operationalizing cyber intelligence in your own ...
ATT&CKing Your Adversaries - Operationalizing cyber intelligence in your own ...
 
MITRE ATT&CK framework
MITRE ATT&CK frameworkMITRE ATT&CK framework
MITRE ATT&CK framework
 
Purple Team Exercises - GRIMMCon
Purple Team Exercises - GRIMMConPurple Team Exercises - GRIMMCon
Purple Team Exercises - GRIMMCon
 
Projects to Impact- Operationalizing Work from the Center
Projects to Impact- Operationalizing Work from the CenterProjects to Impact- Operationalizing Work from the Center
Projects to Impact- Operationalizing Work from the Center
 
Automation: The Wonderful Wizard of CTI (or is it?)
Automation: The Wonderful Wizard of CTI (or is it?) Automation: The Wonderful Wizard of CTI (or is it?)
Automation: The Wonderful Wizard of CTI (or is it?)
 
Effective Threat Hunting with Tactical Threat Intelligence
Effective Threat Hunting with Tactical Threat IntelligenceEffective Threat Hunting with Tactical Threat Intelligence
Effective Threat Hunting with Tactical Threat Intelligence
 

Similar to Putting MITRE ATT&CK into Action with What You Have, Where You Are

MITRE-Module 1 Slides.pdf
MITRE-Module 1 Slides.pdfMITRE-Module 1 Slides.pdf
MITRE-Module 1 Slides.pdf
ReZa AdineH
 
RH-ISAC Summit 2019 - Adam Pennington - Leveraging MITRE ATT&CK™ for Detectio...
RH-ISAC Summit 2019 - Adam Pennington - Leveraging MITRE ATT&CK™ for Detectio...RH-ISAC Summit 2019 - Adam Pennington - Leveraging MITRE ATT&CK™ for Detectio...
RH-ISAC Summit 2019 - Adam Pennington - Leveraging MITRE ATT&CK™ for Detectio...
Adam Pennington
 
Anomali Detect 19 - Nickels & Pennington - Turning Intelligence into Action w...
Anomali Detect 19 - Nickels & Pennington - Turning Intelligence into Action w...Anomali Detect 19 - Nickels & Pennington - Turning Intelligence into Action w...
Anomali Detect 19 - Nickels & Pennington - Turning Intelligence into Action w...
Adam Pennington
 
RH-ISAC Summit 2019 - Adam Pennington - Leveraging MITRE ATT&CK™ for Detectio...
RH-ISAC Summit 2019 - Adam Pennington - Leveraging MITRE ATT&CK™ for Detectio...RH-ISAC Summit 2019 - Adam Pennington - Leveraging MITRE ATT&CK™ for Detectio...
RH-ISAC Summit 2019 - Adam Pennington - Leveraging MITRE ATT&CK™ for Detectio...
Adam Pennington
 
Slideshare.net rh-isac summit 2019 - adam pennington - leveraging mitre at ta...
Slideshare.net rh-isac summit 2019 - adam pennington - leveraging mitre at ta...Slideshare.net rh-isac summit 2019 - adam pennington - leveraging mitre at ta...
Slideshare.net rh-isac summit 2019 - adam pennington - leveraging mitre at ta...
Robert Brandel
 
MITRE ATT&CKcon 2.0: State of the ATT&CK; Blake Strom, MITRE
MITRE ATT&CKcon 2.0: State of the ATT&CK; Blake Strom, MITREMITRE ATT&CKcon 2.0: State of the ATT&CK; Blake Strom, MITRE
MITRE ATT&CKcon 2.0: State of the ATT&CK; Blake Strom, MITRE
MITRE - ATT&CKcon
 
Adversary Emulation and Red Team Exercises - EDUCAUSE
Adversary Emulation and Red Team Exercises - EDUCAUSEAdversary Emulation and Red Team Exercises - EDUCAUSE
Adversary Emulation and Red Team Exercises - EDUCAUSE
Jorge Orchilles
 
Pennington - Defending Against Targeted Ransomware with MITRE ATT&CK
Pennington - Defending Against Targeted Ransomware with MITRE ATT&CKPennington - Defending Against Targeted Ransomware with MITRE ATT&CK
Pennington - Defending Against Targeted Ransomware with MITRE ATT&CK
Adam Pennington
 
Cyber security event
Cyber security eventCyber security event
Cyber security event
Tryzens
 
Emulating an Adversary with Imperfect Intelligence
Emulating an Adversary with Imperfect IntelligenceEmulating an Adversary with Imperfect Intelligence
Emulating an Adversary with Imperfect Intelligence
Adam Pennington
 
Extending Network Visibility: Down to the Endpoint
Extending Network Visibility: Down to the EndpointExtending Network Visibility: Down to the Endpoint
Extending Network Visibility: Down to the Endpoint
Lancope, Inc.
 
IoT_and_the_Impact_on_Security_Brian_Knopf_ISSA-OC_July-2014
IoT_and_the_Impact_on_Security_Brian_Knopf_ISSA-OC_July-2014IoT_and_the_Impact_on_Security_Brian_Knopf_ISSA-OC_July-2014
IoT_and_the_Impact_on_Security_Brian_Knopf_ISSA-OC_July-2014
Brian Knopf
 
Adversary Emulation - Red Team Village - Mayhem 2020
Adversary Emulation - Red Team Village - Mayhem 2020Adversary Emulation - Red Team Village - Mayhem 2020
Adversary Emulation - Red Team Village - Mayhem 2020
Jorge Orchilles
 
FIDO AUTHENTICATIONDEFINITION· Acronym FIDO stands for Fast I
FIDO AUTHENTICATIONDEFINITION· Acronym FIDO stands for Fast IFIDO AUTHENTICATIONDEFINITION· Acronym FIDO stands for Fast I
FIDO AUTHENTICATIONDEFINITION· Acronym FIDO stands for Fast I
ChereCheek752
 
MITRE_ATTACK_Enterprise_11x17.pdf
MITRE_ATTACK_Enterprise_11x17.pdfMITRE_ATTACK_Enterprise_11x17.pdf
MITRE_ATTACK_Enterprise_11x17.pdf
AisyiFree
 
Certes webinar securing the frictionless enterprise
Certes webinar   securing the frictionless enterpriseCertes webinar   securing the frictionless enterprise
Certes webinar securing the frictionless enterprise
Jason Bloomberg
 
Update from the MITRE ATT&CK Team
Update from the MITRE ATT&CK TeamUpdate from the MITRE ATT&CK Team
Update from the MITRE ATT&CK Team
Adam Pennington
 
CrowdCasts Monthly: Going Beyond the Indicator
CrowdCasts Monthly: Going Beyond the IndicatorCrowdCasts Monthly: Going Beyond the Indicator
CrowdCasts Monthly: Going Beyond the Indicator
CrowdStrike
 
Security Operation Center Fundamental
Security Operation Center FundamentalSecurity Operation Center Fundamental
Security Operation Center Fundamental
Amir Hossein Zargaran
 
FIRST CTI Symposium: Turning intelligence into action with MITRE ATT&CK™
FIRST CTI Symposium: Turning intelligence into action with MITRE ATT&CK™FIRST CTI Symposium: Turning intelligence into action with MITRE ATT&CK™
FIRST CTI Symposium: Turning intelligence into action with MITRE ATT&CK™
Katie Nickels
 

Similar to Putting MITRE ATT&CK into Action with What You Have, Where You Are (20)

MITRE-Module 1 Slides.pdf
MITRE-Module 1 Slides.pdfMITRE-Module 1 Slides.pdf
MITRE-Module 1 Slides.pdf
 
RH-ISAC Summit 2019 - Adam Pennington - Leveraging MITRE ATT&CK™ for Detectio...
RH-ISAC Summit 2019 - Adam Pennington - Leveraging MITRE ATT&CK™ for Detectio...RH-ISAC Summit 2019 - Adam Pennington - Leveraging MITRE ATT&CK™ for Detectio...
RH-ISAC Summit 2019 - Adam Pennington - Leveraging MITRE ATT&CK™ for Detectio...
 
Anomali Detect 19 - Nickels & Pennington - Turning Intelligence into Action w...
Anomali Detect 19 - Nickels & Pennington - Turning Intelligence into Action w...Anomali Detect 19 - Nickels & Pennington - Turning Intelligence into Action w...
Anomali Detect 19 - Nickels & Pennington - Turning Intelligence into Action w...
 
RH-ISAC Summit 2019 - Adam Pennington - Leveraging MITRE ATT&CK™ for Detectio...
RH-ISAC Summit 2019 - Adam Pennington - Leveraging MITRE ATT&CK™ for Detectio...RH-ISAC Summit 2019 - Adam Pennington - Leveraging MITRE ATT&CK™ for Detectio...
RH-ISAC Summit 2019 - Adam Pennington - Leveraging MITRE ATT&CK™ for Detectio...
 
Slideshare.net rh-isac summit 2019 - adam pennington - leveraging mitre at ta...
Slideshare.net rh-isac summit 2019 - adam pennington - leveraging mitre at ta...Slideshare.net rh-isac summit 2019 - adam pennington - leveraging mitre at ta...
Slideshare.net rh-isac summit 2019 - adam pennington - leveraging mitre at ta...
 
MITRE ATT&CKcon 2.0: State of the ATT&CK; Blake Strom, MITRE
MITRE ATT&CKcon 2.0: State of the ATT&CK; Blake Strom, MITREMITRE ATT&CKcon 2.0: State of the ATT&CK; Blake Strom, MITRE
MITRE ATT&CKcon 2.0: State of the ATT&CK; Blake Strom, MITRE
 
Adversary Emulation and Red Team Exercises - EDUCAUSE
Adversary Emulation and Red Team Exercises - EDUCAUSEAdversary Emulation and Red Team Exercises - EDUCAUSE
Adversary Emulation and Red Team Exercises - EDUCAUSE
 
Pennington - Defending Against Targeted Ransomware with MITRE ATT&CK
Pennington - Defending Against Targeted Ransomware with MITRE ATT&CKPennington - Defending Against Targeted Ransomware with MITRE ATT&CK
Pennington - Defending Against Targeted Ransomware with MITRE ATT&CK
 
Cyber security event
Cyber security eventCyber security event
Cyber security event
 
Emulating an Adversary with Imperfect Intelligence
Emulating an Adversary with Imperfect IntelligenceEmulating an Adversary with Imperfect Intelligence
Emulating an Adversary with Imperfect Intelligence
 
Extending Network Visibility: Down to the Endpoint
Extending Network Visibility: Down to the EndpointExtending Network Visibility: Down to the Endpoint
Extending Network Visibility: Down to the Endpoint
 
IoT_and_the_Impact_on_Security_Brian_Knopf_ISSA-OC_July-2014
IoT_and_the_Impact_on_Security_Brian_Knopf_ISSA-OC_July-2014IoT_and_the_Impact_on_Security_Brian_Knopf_ISSA-OC_July-2014
IoT_and_the_Impact_on_Security_Brian_Knopf_ISSA-OC_July-2014
 
Adversary Emulation - Red Team Village - Mayhem 2020
Adversary Emulation - Red Team Village - Mayhem 2020Adversary Emulation - Red Team Village - Mayhem 2020
Adversary Emulation - Red Team Village - Mayhem 2020
 
FIDO AUTHENTICATIONDEFINITION· Acronym FIDO stands for Fast I
FIDO AUTHENTICATIONDEFINITION· Acronym FIDO stands for Fast IFIDO AUTHENTICATIONDEFINITION· Acronym FIDO stands for Fast I
FIDO AUTHENTICATIONDEFINITION· Acronym FIDO stands for Fast I
 
MITRE_ATTACK_Enterprise_11x17.pdf
MITRE_ATTACK_Enterprise_11x17.pdfMITRE_ATTACK_Enterprise_11x17.pdf
MITRE_ATTACK_Enterprise_11x17.pdf
 
Certes webinar securing the frictionless enterprise
Certes webinar   securing the frictionless enterpriseCertes webinar   securing the frictionless enterprise
Certes webinar securing the frictionless enterprise
 
Update from the MITRE ATT&CK Team
Update from the MITRE ATT&CK TeamUpdate from the MITRE ATT&CK Team
Update from the MITRE ATT&CK Team
 
CrowdCasts Monthly: Going Beyond the Indicator
CrowdCasts Monthly: Going Beyond the IndicatorCrowdCasts Monthly: Going Beyond the Indicator
CrowdCasts Monthly: Going Beyond the Indicator
 
Security Operation Center Fundamental
Security Operation Center FundamentalSecurity Operation Center Fundamental
Security Operation Center Fundamental
 
FIRST CTI Symposium: Turning intelligence into action with MITRE ATT&CK™
FIRST CTI Symposium: Turning intelligence into action with MITRE ATT&CK™FIRST CTI Symposium: Turning intelligence into action with MITRE ATT&CK™
FIRST CTI Symposium: Turning intelligence into action with MITRE ATT&CK™
 

Recently uploaded

HCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAU
HCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAUHCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAU
HCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAU
panagenda
 
Operating System Used by Users in day-to-day life.pptx
Operating System Used by Users in day-to-day life.pptxOperating System Used by Users in day-to-day life.pptx
Operating System Used by Users in day-to-day life.pptx
Pravash Chandra Das
 
5th LF Energy Power Grid Model Meet-up Slides
5th LF Energy Power Grid Model Meet-up Slides5th LF Energy Power Grid Model Meet-up Slides
5th LF Energy Power Grid Model Meet-up Slides
DanBrown980551
 
Overcoming the PLG Trap: Lessons from Canva's Head of Sales & Head of EMEA Da...
Overcoming the PLG Trap: Lessons from Canva's Head of Sales & Head of EMEA Da...Overcoming the PLG Trap: Lessons from Canva's Head of Sales & Head of EMEA Da...
Overcoming the PLG Trap: Lessons from Canva's Head of Sales & Head of EMEA Da...
saastr
 
Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slack
Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with SlackLet's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slack
Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slack
shyamraj55
 
GraphRAG for Life Science to increase LLM accuracy
GraphRAG for Life Science to increase LLM accuracyGraphRAG for Life Science to increase LLM accuracy
GraphRAG for Life Science to increase LLM accuracy
Tomaz Bratanic
 
Unlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdf
Unlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdfUnlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdf
Unlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdf
Malak Abu Hammad
 
Artificial Intelligence for XMLDevelopment
Artificial Intelligence for XMLDevelopmentArtificial Intelligence for XMLDevelopment
Artificial Intelligence for XMLDevelopment
Octavian Nadolu
 
Programming Foundation Models with DSPy - Meetup Slides
Programming Foundation Models with DSPy - Meetup SlidesProgramming Foundation Models with DSPy - Meetup Slides
Programming Foundation Models with DSPy - Meetup Slides
Zilliz
 
Azure API Management to expose backend services securely
Azure API Management to expose backend services securelyAzure API Management to expose backend services securely
Azure API Management to expose backend services securely
Dinusha Kumarasiri
 
Nordic Marketo Engage User Group_June 13_ 2024.pptx
Nordic Marketo Engage User Group_June 13_ 2024.pptxNordic Marketo Engage User Group_June 13_ 2024.pptx
Nordic Marketo Engage User Group_June 13_ 2024.pptx
MichaelKnudsen27
 
Ocean lotus Threat actors project by John Sitima 2024 (1).pptx
Ocean lotus Threat actors project by John Sitima 2024 (1).pptxOcean lotus Threat actors project by John Sitima 2024 (1).pptx
Ocean lotus Threat actors project by John Sitima 2024 (1).pptx
SitimaJohn
 
Columbus Data & Analytics Wednesdays - June 2024
Columbus Data & Analytics Wednesdays - June 2024Columbus Data & Analytics Wednesdays - June 2024
Columbus Data & Analytics Wednesdays - June 2024
Jason Packer
 
Salesforce Integration for Bonterra Impact Management (fka Social Solutions A...
Salesforce Integration for Bonterra Impact Management (fka Social Solutions A...Salesforce Integration for Bonterra Impact Management (fka Social Solutions A...
Salesforce Integration for Bonterra Impact Management (fka Social Solutions A...
Jeffrey Haguewood
 
Driving Business Innovation: Latest Generative AI Advancements & Success Story
Driving Business Innovation: Latest Generative AI Advancements & Success StoryDriving Business Innovation: Latest Generative AI Advancements & Success Story
Driving Business Innovation: Latest Generative AI Advancements & Success Story
Safe Software
 
TrustArc Webinar - 2024 Global Privacy Survey
TrustArc Webinar - 2024 Global Privacy SurveyTrustArc Webinar - 2024 Global Privacy Survey
TrustArc Webinar - 2024 Global Privacy Survey
TrustArc
 
Skybuffer AI: Advanced Conversational and Generative AI Solution on SAP Busin...
Skybuffer AI: Advanced Conversational and Generative AI Solution on SAP Busin...Skybuffer AI: Advanced Conversational and Generative AI Solution on SAP Busin...
Skybuffer AI: Advanced Conversational and Generative AI Solution on SAP Busin...
Tatiana Kojar
 
Deep Dive: AI-Powered Marketing to Get More Leads and Customers with HyperGro...
Deep Dive: AI-Powered Marketing to Get More Leads and Customers with HyperGro...Deep Dive: AI-Powered Marketing to Get More Leads and Customers with HyperGro...
Deep Dive: AI-Powered Marketing to Get More Leads and Customers with HyperGro...
saastr
 
Choosing The Best AWS Service For Your Website + API.pptx
Choosing The Best AWS Service For Your Website + API.pptxChoosing The Best AWS Service For Your Website + API.pptx
Choosing The Best AWS Service For Your Website + API.pptx
Brandon Minnick, MBA
 
UI5 Controls simplified - UI5con2024 presentation
UI5 Controls simplified - UI5con2024 presentationUI5 Controls simplified - UI5con2024 presentation
UI5 Controls simplified - UI5con2024 presentation
Wouter Lemaire
 

Recently uploaded (20)

HCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAU
HCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAUHCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAU
HCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAU
 
Operating System Used by Users in day-to-day life.pptx
Operating System Used by Users in day-to-day life.pptxOperating System Used by Users in day-to-day life.pptx
Operating System Used by Users in day-to-day life.pptx
 
5th LF Energy Power Grid Model Meet-up Slides
5th LF Energy Power Grid Model Meet-up Slides5th LF Energy Power Grid Model Meet-up Slides
5th LF Energy Power Grid Model Meet-up Slides
 
Overcoming the PLG Trap: Lessons from Canva's Head of Sales & Head of EMEA Da...
Overcoming the PLG Trap: Lessons from Canva's Head of Sales & Head of EMEA Da...Overcoming the PLG Trap: Lessons from Canva's Head of Sales & Head of EMEA Da...
Overcoming the PLG Trap: Lessons from Canva's Head of Sales & Head of EMEA Da...
 
Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slack
Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with SlackLet's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slack
Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slack
 
GraphRAG for Life Science to increase LLM accuracy
GraphRAG for Life Science to increase LLM accuracyGraphRAG for Life Science to increase LLM accuracy
GraphRAG for Life Science to increase LLM accuracy
 
Unlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdf
Unlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdfUnlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdf
Unlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdf
 
Artificial Intelligence for XMLDevelopment
Artificial Intelligence for XMLDevelopmentArtificial Intelligence for XMLDevelopment
Artificial Intelligence for XMLDevelopment
 
Programming Foundation Models with DSPy - Meetup Slides
Programming Foundation Models with DSPy - Meetup SlidesProgramming Foundation Models with DSPy - Meetup Slides
Programming Foundation Models with DSPy - Meetup Slides
 
Azure API Management to expose backend services securely
Azure API Management to expose backend services securelyAzure API Management to expose backend services securely
Azure API Management to expose backend services securely
 
Nordic Marketo Engage User Group_June 13_ 2024.pptx
Nordic Marketo Engage User Group_June 13_ 2024.pptxNordic Marketo Engage User Group_June 13_ 2024.pptx
Nordic Marketo Engage User Group_June 13_ 2024.pptx
 
Ocean lotus Threat actors project by John Sitima 2024 (1).pptx
Ocean lotus Threat actors project by John Sitima 2024 (1).pptxOcean lotus Threat actors project by John Sitima 2024 (1).pptx
Ocean lotus Threat actors project by John Sitima 2024 (1).pptx
 
Columbus Data & Analytics Wednesdays - June 2024
Columbus Data & Analytics Wednesdays - June 2024Columbus Data & Analytics Wednesdays - June 2024
Columbus Data & Analytics Wednesdays - June 2024
 
Salesforce Integration for Bonterra Impact Management (fka Social Solutions A...
Salesforce Integration for Bonterra Impact Management (fka Social Solutions A...Salesforce Integration for Bonterra Impact Management (fka Social Solutions A...
Salesforce Integration for Bonterra Impact Management (fka Social Solutions A...
 
Driving Business Innovation: Latest Generative AI Advancements & Success Story
Driving Business Innovation: Latest Generative AI Advancements & Success StoryDriving Business Innovation: Latest Generative AI Advancements & Success Story
Driving Business Innovation: Latest Generative AI Advancements & Success Story
 
TrustArc Webinar - 2024 Global Privacy Survey
TrustArc Webinar - 2024 Global Privacy SurveyTrustArc Webinar - 2024 Global Privacy Survey
TrustArc Webinar - 2024 Global Privacy Survey
 
Skybuffer AI: Advanced Conversational and Generative AI Solution on SAP Busin...
Skybuffer AI: Advanced Conversational and Generative AI Solution on SAP Busin...Skybuffer AI: Advanced Conversational and Generative AI Solution on SAP Busin...
Skybuffer AI: Advanced Conversational and Generative AI Solution on SAP Busin...
 
Deep Dive: AI-Powered Marketing to Get More Leads and Customers with HyperGro...
Deep Dive: AI-Powered Marketing to Get More Leads and Customers with HyperGro...Deep Dive: AI-Powered Marketing to Get More Leads and Customers with HyperGro...
Deep Dive: AI-Powered Marketing to Get More Leads and Customers with HyperGro...
 
Choosing The Best AWS Service For Your Website + API.pptx
Choosing The Best AWS Service For Your Website + API.pptxChoosing The Best AWS Service For Your Website + API.pptx
Choosing The Best AWS Service For Your Website + API.pptx
 
UI5 Controls simplified - UI5con2024 presentation
UI5 Controls simplified - UI5con2024 presentationUI5 Controls simplified - UI5con2024 presentation
UI5 Controls simplified - UI5con2024 presentation
 

Putting MITRE ATT&CK into Action with What You Have, Where You Are

  • 1. © 2019 The MITRE Corporation. All rights reserved. Approved for public release. Distribution unlimited 19-01159-1. Putting MITRE ATT&CK™ into Action with What You Have, Where You Are | 1 | Katie Nickels @likethecoins MITRE ATT&CK @MITREattack Sp4rkCon 2019
  • 2. System Owner/User Discovery (T1033) $whoami  ATT&CK Threat Intelligence Lead at The MITRE Corporation  SANS Instructor for FOR578 (Cyber Threat Intelligence)  Experienced threat intel analyst and network defender (10 years)  Public speaker and serial con attender  Volunteer for Cyberjutsu Girls Academy  Baker of chocolate things  CrossFitter  Oxford comma believer © 2019 The MITRE Corporation. All rights reserved. Approved for public release. Distribution unlimited 19-01159-1. | 2 |
  • 3. “Do what you can, with what you have, where you are.” | 3 | -Theodore Roosevelt © 2019 The MITRE Corporation. All rights reserved. Approved for public release. Distribution unlimited 19-01159-1.
  • 4. Tough Questions for Defenders  How effective are my defenses?  Do I have a chance at detecting APT28?  Is the data I’m collecting useful?  Do I have overlapping tool coverage?  Will this new product help my organization’s defenses? | 4 | © 2019 The MITRE Corporation. All rights reserved. Approved for public release. Distribution unlimited 19-01159-1.
  • 5. | 5 | What is ? A knowledge base of adversary behavior  Based on real-world observations  Free, open, and globally accessible  A common language  Community-driven © 2019 The MITRE Corporation. All rights reserved. Approved for public release. Distribution unlimited 19-01159-1.
  • 6. The Difficult Task of Detecting TTPs Source: David Bianco, https://detect-respond.blogspot.com/2013/03/the-pyramid-of-pain.html David Bianco’s Pyramid of Pain © 2019 The MITRE Corporation. All rights reserved. Approved for public release. Distribution unlimited 19-01159-1. | 6 |
  • 7. Zooming in on the Adversary Lifecycle Recon Weaponize Deliver Exploit Control Execute Maintain Enterprise ATT&CKPRE-ATT&CK Mobile ATT&CK © 2019 The MITRE Corporation. All rights reserved. Approved for public release. Distribution unlimited 19-01159-1. | 7 |
  • 8. Breaking Down ATT&CK Tactics: the adversary’s technical goals Techniques:howthegoalsare achieved Procedures: Specific technique implementation New! © 2019 The MITRE Corporation. All rights reserved. Approved for public release. Distribution unlimited 19-01159-1. | 8 |
  • 9. Example Technique: New Service | 9 | Description: When operating systems boot up, they can start programs or applications called services that perform background system functions. […] Adversaries may install a new service which will be executed at startup by directly modifying the registry or by using tools. 1 Platform: Windows Permissions required: Administrator, SYSTEM Effective permissions: SYSTEM Detection: • Monitor service creation through changes in the Registry and common utilities using command-line invocation • … Mitigation: • Limit privileges of user accounts and remediate Privilege Escalation vectors • … Data sources: Windows registry, process monitoring, command-line parameters Examples: Carbanak, Lazarus Group, TinyZBot, Duqu, CozyCar, CosmicDuke, hcdLoader, … References: 1. Microsoft. (n.d.). Services. Retrieved June 7, 2016. © 2019 The MITRE Corporation. All rights reserved. Approved for public release. Distribution unlimited 19-01159-1.
  • 10. Example Group: APT28 | 10 | Description: APT28 is a threat group that has been attributed to the Russian government.1 2 3 4 This group reportedly compromised the Democratic National Committee in April 2016.5 Aliases: Sednit, Sofacy, Pawn Storm, Fancy Bear, STRONTIUM, Tsar Team, Threat Group- 4127, TG-4127 1 2 3 4 5 6 7 Techniques: • Data Obfuscation 1 • Connection Proxy 1 8 • Standard Application Layer Protocol 1 • Remote File Copy 8 9 • Rundll32 8 9 • Indicator Removal on Host 5 • Timestomp5 • Credential Dumping 10 • Screen Capture 10 11 • Bootkit 7 and more… Software: CHOPSTICK, JHUHUGIT, ADVSTORESHELL, XTunnel, Mimikatz, HIDEDRV, USBStealer, CORESHELL, OLDBAIT, XAgentOSX, Komplex, Responder, Forfiles, Winexe, certutil 1 3 6 References: 1. FireEye. (2015). APT28: A WINDOW INTO RUSSIA’S CYBER ESPIONAGE OPERATIONS?. Retrieved August 19, 2015. … © 2019 The MITRE Corporation. All rights reserved. Approved for public release. Distribution unlimited 19-01159-1.
  • 11. Who’s Contributing to ATT&CK?  Alain Homewood, Insomnia Security  Alan Neville, @abnev  Anastasios Pingios  Andrew Smith, @jakx_  Barry Shteiman, Exabeam  Bartosz Jerzman  Bryan Lee  Carlos Borges, CIP  Casey Smith  Christiaan Beek, @ChristiaanBeek  Cody Thomas, SpecterOps  Craig Aitchison  Daniel Oakley  Darren Spruell  Dave Westgard  David Ferguson, CyberSponse  David Lu, Tripwire  David Routin  Ed Williams, Trustwave, SpiderLabs  Edward Millington  Elger Vinicius S. Rodrigues, @elgervinicius, CYBINT Centre  Elia Florio, Microsoft  Emily Ratliff, IBM  ENDGAME  Eric Kuehn, Secure Ideas  Erye Hernandez, Palo Alto Networks  Felipe Espósito, @Pr0teus  FS-ISAC  Hans Christoffer Gaardløs  Itamar Mizrahi  Itzik Kotler, SafeBreach  Jacob Wilkin, Trustwave, SpiderLabs  Jan Miller, CrowdStrike  Jared Atkinson, @jaredcatkinson  Jeremy Galloway  John Lambert, Microsoft Threat Intelligence Center  John Strand  Josh Abraham  Justin Warner, ICEBRG  Leo Loobeek, @leoloobeek  Loic Jaquemet  Marc-Etienne M.Léveillé, ESET  Mark Wee  Matt Graeber, @mattifestation, SpecterOps  Matt Kelly, @breakersall  Matthew Demaske, Adaptforward  Matthew Molyett, @s1air  McAfee  Michael Cox  Mike Kemmerer  Milos Stojadinovic  Mnemonic  Nick Carr, FireEye  Nik Seetharaman, Palantir  Nishan Maharjan, @loki248  Oddvar Moe, @oddvarmoe  Omkar Gudhate  Patrick Campbell, @pjcampbe11  Paul Speulstra, AECOM Global Security Operations Center  Pedro Harrison  Praetorian  Rahmat Nurfauzi, @infosecn1nja, PT Xynexis International  Red Canary  RedHuntLabs (@redhuntlabs)  Ricardo Dias  Richard Gold, Digital Shadows  Richie Cyrus, SpecterOps  Robby Winchester, @robwinchester3  Robert Falcone  Romain Dumont, ESET  Ryan Becwar  Ryan Benson, Exabeam  Scott Lundgren, @5twenty9, Carbon Black  Stefan Kanthak  Sudhanshu Chauhan, @Sudhanshu_C  Sunny Neo  Sylvain Gil, Exabeam  Teodor Cimpoesu  Tim MalcomVetter  Tom Ueltschi @c_APT_ure  Tony Lambert, Red Canary  Travis Smith, Tripwire  Tristan Bennett, Seamless Intelligence  Valerii Marchuk, Cybersecurity Help s.r.o.  Veeral Patel  Vincent Le Toux  Walker Johnson  Ye Yint Min Thu Htut, Offensive Security Team, DBS Bank  Yonatan Gotlib, Deep Instinct | 11 | 89 individuals and orgs! © 2019 The MITRE Corporation. All rights reserved. Approved for public release. Distribution unlimited 19-01159-1.
  • 12. ATT&CK Use Cases Threat Intelligence processes = search Process:Create reg = filter processes where (exe == "reg.exe" and parent_exe == "cmd.exe") cmd = filter processes where (exe == "cmd.exe" and parent_exe != "explorer.exe"") reg_and_cmd = join (reg, cmd) where (reg.ppid == cmd.pid and reg.hostname == cmd.hostname) output reg_and_cmd Detection Persistence Privilege Escalation Defense Evasion Credential Access Discovery Lateral Movement Execution Collection Exfiltration Command and Control Accessibility Features Accessibility Features Binary Padding Brute Force Account Discovery Application Deployment Software Command-Line Automated Collection Automated Exfiltration Commonly Used Port AppInit DLLs AppInit DLLs Bypass User Account Control Credential Dumping Application Window Discovery Exploitation of Vulnerability Execution through API Clipboard Data Data Compressed Communication Through Removable Media Basic Input/Output System Bypass User Account Control Code Signing Credential Manipulation File and Directory Discovery Logon Scripts Graphical User Interface Data Staged Data Encrypted Custom Command and Control Protocol Bootkit DLL Injection Component Firmware Credentials in Files Local Network Configuration Discovery Pass the Hash PowerShell Data from Local System Data Transfer Size Limits Custom Cryptographic Protocol Change Default File Handlers DLL Search Order Hijacking DLL Injection Exploitation of Vulnerability Local Network Connections Discovery Pass the Ticket Process Hollowing Data from Network Shared Drive Exfiltration Over Alternative Protocol Data Obfuscation Component Firmware Exploitation of Vulnerability DLL Search Order Hijacking Input Capture Network Service Scanning Remote Desktop Protocol Rundll32 Data from Removable Media Exfiltration Over Command and Control Channel Fallback Channels DLL Search Order Hijacking Legitimate Credentials DLL Side-Loading Network Sniffing Peripheral Device Discovery Remote File Copy Scheduled Task Email Collection Exfiltration Over Other Network Medium Multi-Stage Channels Hypervisor Local Port Monitor Disabling Security Tools Two-Factor Authentication Interception Permission Groups Discovery Remote Services Service Execution Input Capture Exfiltration Over Physical Medium Multiband Communication Legitimate Credentials New Service Exploitation of Vulnerability Process Discovery Replication Through Removable Media Third-party Software Screen Capture Scheduled Transfer Multilayer Encryption Local Port Monitor Path Interception File Deletion Query Registry Shared Webroot Windows Management Instrumentation Peer Connections Logon Scripts Scheduled Task File System Logical Offsets Remote System Discovery Taint Shared Content Windows Remote Management Remote File Copy Modify Existing Service Service File Permissions Weakness Indicator Blocking on Host Security Software Discovery Windows Admin Shares Standard Application Layer Protocol New Service Service Registry Permissions Weakness Indicator Removal from Tools System Information Discovery Windows Remote Management Standard Cryptographic Protocol Path Interception Web Shell Indicator Removal on Host System Owner/User Discovery Standard Non-Application Layer Protocol Redundant Access Legitimate Credentials System Service Discovery Uncommonly Used Port Registry Run Keys / Start Adversary Emulation Assessment and Engineering © 2019 The MITRE Corporation. All rights reserved. Approved for public release. Distribution unlimited 19-01159-1. | 12 |
  • 13. That’s Great…But How Can I Actually Use It?  How you use ATT&CK depends on where your team is  ATT&CK can be useful for any level of sophistication  Let’s dive into key use cases: – Detection – Assessment and Engineering – Threat Intelligence – Adversary Emulation | 13 | idownloadblog.com © 2019 The MITRE Corporation. All rights reserved. Approved for public release. Distribution unlimited 19-01159-1.
  • 14. Detection – How ATT&CK Can Help  Improve focus on post-exploit activity (in addition to perimeter defenses)  Move toward detecting adversary TTPs in addition to indicators  Organize detections to enable: – Finding gaps in coverage – Tracking improvement over time | 14 | © 2019 The MITRE Corporation. All rights reserved. Approved for public release. Distribution unlimited 19-01159-1.
  • 15. Detection  Look at others’ behavioral analytics and choose a few to implement  Adapt them to your environment (tuning needed!)  Check out these repositories to get started: – Cyber Analytics Repository: https://car.mitre.org/ – Endgame EQL Analytics Library: https://eqllib.readthedocs.io/en/latest/analytics.html – Threat Hunter Playbook: https://github.com/Cyb3rWard0g/ThreatHunter- Playbook – Sigma: https://github.com/Neo23x0/sigma – Atomic Threat Coverage: https://github.com/krakow2600/atomic-threat- coverage | 15 | © 2019 The MITRE Corporation. All rights reserved. Approved for public release. Distribution unlimited 19-01159-1.
  • 16. Detection - An Example Analytic | 16 | https://car.mitre.org/analytics/CAR-2013-03-001 © 2019 The MITRE Corporation. All rights reserved. Approved for public release. Distribution unlimited 19-01159-1.
  • 17. Detection  Look at what techniques you may be able to detect based on data you’re already collecting  Host-based data is useful, but consider network data too (e.g. Bro/Zeek)  Example data sources associated with ATT&CK techniques: – Windows registry – Process monitoring – Command-line parameters – Network intrusion detection system – and more… | 17 | © 2019 The MITRE Corporation. All rights reserved. Approved for public release. Distribution unlimited 19-01159-1.
  • 18. Detection  Choose one data source and write your own analytics  Use our script help you pull the data sources from ATT&CK: https://github.com/mitre-attack/attack-scripts/tree/master/scripts | 18 | © 2019 The MITRE Corporation. All rights reserved. Approved for public release. Distribution unlimited 19-01159-1.
  • 19. Detection  Assess your detection coverage across ATT&CK – Consider starting with one tactic and expanding from there – Choose a “coverage rating” that works for you:  1-5 based on quality or number of detections  Low, Medium, High based on confidence you would detect that behavior  Remember you’ll never get to 100% or “perfect” coverage! | 19 | Credit: Kyle Rainey and Red Canary https://redcanary.com/bl og/avoiding-common- attack-pitfalls/ © 2019 The MITRE Corporation. All rights reserved. Approved for public release. Distribution unlimited 19-01159-1.
  • 20. Detection | 20 | ATT&CK Navigator https://github.com/mitre-attack/attack-navigator © 2019 The MITRE Corporation. All rights reserved. Approved for public release. Distribution unlimited 19-01159-1.
  • 21. Assessment and Engineering – How ATT&CK Can Help  Drive decisions about what you collect (and buy) based on visibility – Where are your gaps? – What other tools can you choose? – Will they help you build more effective defenses?  Help you move toward a broader view of security beyond just detection  Increase awareness of where you may need to accept risk – What can’t you detect or mitigate? | 21 | © 2019 The MITRE Corporation. All rights reserved. Approved for public release. Distribution unlimited 19-01159-1.
  • 22. Assessment and Engineering  Collect one log source that will improve your ATT&CK visibility – Especially if you’re struggling to write many detections  Places to start (that cost nothing but time): – Windows Event Logs  Malware Archaeology Cheat Sheets (including ATT&CK): https://www.malwarearchaeology.com/cheat-sheets/  NCSC Logging Made Easy: https://github.com/ukncsc/lme/ – Sysmon  SwiftonSecurity sysmon-config: https://github.com/SwiftOnSecurity/sysmon-config | 22 | © 2019 The MITRE Corporation. All rights reserved. Approved for public release. Distribution unlimited 19-01159-1.
  • 23. Assessment and Engineering  Assess your ATT&CK coverage map beyond just detection  What can you mitigate? – Can you mitigate with tools? – Can you mitigate with policies? (People and process matter too!)  What can’t you detect or mitigate? – May need to accept risk | 23 | © 2019 The MITRE Corporation. All rights reserved. Approved for public release. Distribution unlimited 19-01159-1.
  • 24. | 24 | Assessment and Engineering Supply Chain Compromise? Spearphishing Attachment? © 2019 The MITRE Corporation. All rights reserved. Approved for public release. Distribution unlimited 19-01159-1.
  • 25. Assessment and Engineering  Plan out your tool and log acquisition strategy based on coverage  Determine what techniques your current logs and tools detect and mitigate – Review documentation for the tool – Ask the vendor – Validate tool output  Consider what changes you could make to your environment – Should you change configurations of an existing tool? – Should you acquire a new tool? – What gaps would that tool help you fill?  Examine your security budget and plan for the best use of resources | 25 | © 2019 The MITRE Corporation. All rights reserved. Approved for public release. Distribution unlimited 19-01159-1.
  • 26. | 26 | Assessment and Engineering New Windows Logs Collected New EDR Tool: 2020 © 2019 The MITRE Corporation. All rights reserved. Approved for public release. Distribution unlimited 19-01159-1.
  • 27. Threat Intelligence – How ATT&CK Can Help  Use knowledge of adversary behaviors to help inform defenders  Structuring threat intelligence with ATT&CK allows us to… – Compare behaviors  Groups to each other  Groups over time  Groups to defenses – Communicate in a common language  Across teams in your organization  Across organizations | 27 | © 2019 The MITRE Corporation. All rights reserved. Approved for public release. Distribution unlimited 19-01159-1.
  • 28. Threat Intelligence  Choose one threat group you care about  Look at existing ATT&CK techniques the group uses – Many threat intelligence teams and vendors map to ATT&CK – https://attack.mitre.org/groups/ | 28 | © 2019 The MITRE Corporation. All rights reserved. Approved for public release. Distribution unlimited 19-01159-1.
  • 29. Threat Intelligence  Make recommendations to your defenders on how to detect and mitigate the group’s techniques | 29 | © 2019 The MITRE Corporation. All rights reserved. Approved for public release. Distribution unlimited 19-01159-1.
  • 30. Threat Intelligence  Map your threat intelligence to ATT&CK – Start with one group or software sample – Use an incident write-up or an intelligence report  Consider how you can store the intel – Excel, Threat Intelligence Platform, other?  Start at the tactic level  Use existing website examples  Take it as a learning experience  Work as a team  Use it to make detection and mitigation recommendations to defenders – Based on adversaries that have targeted you | 30 | © 2019 The MITRE Corporation. All rights reserved. Approved for public release. Distribution unlimited 19-01159-1.
  • 31. Mapping ATT&CK Techniques https://www.nccgroup.trust/us/about-us/newsroom-and-events/blog/2018/march/apt15-is-alive- and-strong-an-analysis-of-royalcli-and-royaldns/ Scripting (T1064) Registry Run Keys / Startup Folder (T1060) Command-Line Interface (T1059) Process Discovery (T1057) Remote System Discovery (T1018) System Network Connections Discovery (T1049) System Information Discovery (T1082) System Network Configuration Discovery (T1016) Credential Dumping (T1003) Pass the Ticket (T1097)Input Capture (T1056) Email Collection (T1114) © 2019 The MITRE Corporation. All rights reserved. Approved for public release. Distribution unlimited 19-01159-1. | 31 |
  • 32. Threat Intelligence  Map more of your own threat intelligence to ATT&CK – Incident response data – Threat intel subscriptions – Real-time alerts – Historic reporting  Prioritize frequently used techniques – Remember any ATT&CK-mapped data has biases: https://www.slideshare.net/KatieNickels/first-cti-symposium-turning-intelligence-into-action-with-mitre-attck – You’re prioritizing known adversary behavior over the unknown  Use and share your intel! – Track adversary changes – Compare groups to each other – across your org and others | 32 | © 2019 The MITRE Corporation. All rights reserved. Approved for public release. Distribution unlimited 19-01159-1.
  • 33. APT28 Techniques* | 33 | *from open source reporting we’ve mapped Initial Access Execution Persistence Privilege Escalation Defense Evasion Credential Access Discovery Lateral Movement Collection Exfiltration Command and Control © 2019 The MITRE Corporation. All rights reserved. Approved for public release. Distribution unlimited 19-01159-1.
  • 34. APT29 Techniques | 34 | Initial Access Execution Persistence Privilege Escalation Defense Evasion Credential Access Discovery Lateral Movement Collection Exfiltration Command and Control © 2019 The MITRE Corporation. All rights reserved. Approved for public release. Distribution unlimited 19-01159-1.
  • 35. Comparing APT28 and APT29 | 35 | Initial Access Execution Persistence Privilege Escalation Defense Evasion Credential Access Discovery Lateral Movement Collection Exfiltration Command and Control APT28 APT29 Both groups Prioritize! © 2019 The MITRE Corporation. All rights reserved. Approved for public release. Distribution unlimited 19-01159-1.
  • 36. Comparing APT28 and APT29 | 36 | Initial Access Execution Persistence Privilege Escalation Defense Evasion Credential Access Discovery Lateral Movement Collection Exfiltration Command and Control Overlay known gaps APT28 APT29 Both groups © 2019 The MITRE Corporation. All rights reserved. Approved for public release. Distribution unlimited 19-01159-1.
  • 37. 1. Standard App Layer Protocol 2. Remote File Copy 3. System Information Discovery 4. Command-Line Interface 5. File and Directory Discovery 6. Registry Run Key/Startup Folder 7. Obfuscated Files or Information 8. File Deletion 9. Process Discovery 10.System Network Config Discovery 11.Credential Dumping 12.Screen Capture 13.Input Capture 14.System Owner/User Discovery 15.Scripting 16.Commonly Used Port 17.Standard Crypto Protocol 18.PowerShell 19.& 20 (tie!) Masquerading and New Service Top 20 Techniques from ATT&CK Group/Software Data A starting point! Not representative of all adversary behavior © 2019 The MITRE Corporation. All rights reserved. Approved for public release. Distribution unlimited 19-01159-1. | 37 |
  • 38. Adversary Emulation – How ATT&CK Can Help  You think you know what you can detect and mitigate… …but how can you be sure? Are there adversaries in your network?  Enter red teamers!  Use ATT&CK to organize your red team plans  Move toward adversary emulation – Subset of threat-based security testing – Emulate the techniques of real adversaries – Focus on the technique behaviors | 38 | © 2019 The MITRE Corporation. All rights reserved. Approved for public release. Distribution unlimited 19-01159-1.
  • 39. Adversary Emulation  No red team? No problem!  Defenders can try out red teaming tools to get your feet wet – CALDERA: https://github.com/mitre/caldera – Red Team Automation: https://github.com/endgameinc/RTA – Metta: https://github.com/uber-common/metta | 39 | © 2019 The MITRE Corporation. All rights reserved. Approved for public release. Distribution unlimited 19-01159-1.
  • 40. Adversary Emulation Red Canary’s Atomic Red Team (https://atomicredteam.io/) | 40 | © 2019 The MITRE Corporation. All rights reserved. Approved for public release. Distribution unlimited 19-01159-1.
  • 41. Adversary Emulation  Use ATT&CK to mature what your red team is doing – Have your team choose a different ATT&CK technique each week – Discuss how you’d use different procedures to perform the behavior – Bring in your threat intel analysts to talk about how adversaries are using it – Communicate with your blue team in a common language  Have your red team start emulating ATT&CK techniques themselves – APT3 Adversary Emulation Plan: https://attack.mitre.org/resources/adversary-emulation-plans/ | 41 | © 2019 The MITRE Corporation. All rights reserved. Approved for public release. Distribution unlimited 19-01159-1.
  • 42. Adversary Emulation APT3 Adversary Emulation Field Manual | 42 | Category Built-in Windows Cobalt Strike Metasploit Description Discovery T1082 ver shell ver Get the Windows OS version that's T1082 set shell set get_env.rb Print all of the environment variables T1033 whoami /all /fo list shell whoami /all /fo list getuid Get current user information, SID, domain, groups the user belongs to, T1082 net config workstation net config server shell net config workstation Get computer name, username, OS software version, domain information, T1016 ipconfig /all shell ipconfig ipconfig post/windows/gather/en Get information about the domain, network adapters, DNS / WSUS T1082 systeminfo [/s COMPNAME] [/u DOMAINuser] [/p password] systemprofiler tool if no access yet (victim browses to website) sysinfo, run winenum, get_env.rb Displays detailed configuration information about a computer and its operating system, including T1012 reg query "HKEY_LOCAL_MACHINESY STEMCurrentControlSetContr olTerminal Server" /v fDenyTSConnections shell reg query "HKEY_LOCAL_MACHIN ESYSTEMCurrentContro lSetControlTerminal Server" /v reg queryval -k "HKEY_LOCAL_MACH INESYSTEMCurrentC ontrolSetControlTermi nal Server" -v Check for the current registry value for terminal services, if it's 0, then terminal services are enabled. If it's 1, then they're disabled © 2019 The MITRE Corporation. All rights reserved. Approved for public release. Distribution unlimited 19-01159-1.
  • 43. Adversary Emulation  Develop your own adversary emulation plan  Choose an adversary that is important to you  Use ATT&CK to communicate findings and drive defenders to improve  More info on developing plans: – ATT&CK Evaluations Methodology: https://attackevals.mitre.org/methodology/round1/scope.html – Threat-based Purple Teaming with ATT&CK: https://www.youtube.com/watch?v=OYEP- YAKIn0&index=3&list=PL7ZDZo2Xu332XUiwFHB5X-tXfqIwVkg5l&t=0s – ATT&CKing the Status Quo: Threat-Based Adversary Emulation with MITRE ATT&CK: https://www.sans.org/cyber-security-summit/archives/file/summit-archive-1536260992.pdf | 43 | Gather threat intel Extract techniques Analyze & organize Develop tools Emulate the adversary © 2019 The MITRE Corporation. All rights reserved. Approved for public release. Distribution unlimited 19-01159-1.
  • 44. Bringing it All Together | 44 | *Disclaimer: will not really make you invincible against adversaries Threat intel: what techniques do our adversaries use? Detection: what can we detect? Assessment & Eng: how can we improve? Adversary Emulation: does our security hold up? © 2019 The MITRE Corporation. All rights reserved. Approved for public release. Distribution unlimited 19-01159-1. pixelartmaker.com
  • 45. Takeaways  ATT&CK can help you create a threat-informed defense, no matter if you’re or  Do what you can, with what you have, where you are: – Detection – Assessment and Engineering – Threat Intelligence – Adversary Emulation  Choose a starting point that works for your team | 45 | © 2019 The MITRE Corporation. All rights reserved. Approved for public release. Distribution unlimited 19-01159-1.
  • 46. | 46 | https://attack.mitre.org attack@mitre.org @MITREattack Katie Nickels @likethecoins © 2019 The MITRE Corporation. All rights reserved. Approved for public release. Distribution unlimited 19-01159-1.