The document discusses the integration of the ATT&CK framework in enhancing cybersecurity data management, likening security data sources to an orchestra that needs a conductor for effective collaboration. It emphasizes the importance of automation in utilizing ATT&CK matrices to streamline incident response and reduce complexity, ultimately saving time during incidents. Additionally, it introduces tools like the ATT&CK workbench for managing and customizing ATT&CK data and highlights potential future developments in threat detection and management.

1. The ATT&CK Philharmonic

2. Disclaimer: All opinions expressed are those solely of the authors and do not
represent the official views or opinions of Google Cloud & Siemplify.

3. Ivan Ninichuck
Freelancer , Tech Writer,
ATT&CK and Elastic things.
Siemplify and Science
Fiction.
Andy Shepherd
SOC, MSSP,
PreSales, GCIH, used
SOAR to get married,
and other stuff
ATT&CK Task Force Presenters

4. The ATT&CK Task Force
Andrea Jendriskova
Arnaud Loos
Tal Reznikov
Raja Ali
Special thanks to all colleagues who also contributed ideas through various fun conversations!

5. What do you imagine when you think of all your
security data sources?

7. How security feels without
ATT&CK!

8. ● ATT&CK brings guidance, clarity and
direction. The Framework is the sheet
music that orchestra plays.
● TTPs, mitigations, groups, software and
data components provide order to the
chaos of information.

9. ● Like an orchestra security data
sources represent dozens of different
groups
● Even if they all play the same song,
does not mean they do it together
● An Orchestra still needs a Conductor

10. Users, Analysts and Management
SOAR
NSM
EDR/XDR
Email
SIEM
Authentication
Cloud
CTI
Mobile
IOT

11. How can the use of ATT&CK be automated?

12. Data Components: Pieces of the Rosetta Stone
Rosetta Stone from Egypt
Rice University
ATT&CK Matrices
Security Events
Data Components
Detections
● Relationships in the ATT&CK
Matrices can be used to automate
investigation
● Data components make it possible
to point automated queries directly
at the data needed by analysts
● Time is the ultimate calculation of
utility. By expanding known
relationships in ATT&CK we can
decrease the complexity of
automation. During an incident
complexity costs time more than
any other factor.

13. ATT&CK Workbench: A Ready Made Workshop
● CTID Project: https://github.com/center-for-threat-informed-defense/attack-workbench-
frontend
● Provides ability to manage, customize and share ATT&CK Stix Collections
● Perfect location to store additional data linked to our new Rosetta Stone
● Automation through built in REST API

14. How can we discover new ATT&CK relationships?

15. SOAR and ATT&CK: What is SOAR
Ingest
Playbook
Case View

16. SOAR and ATT&CK: Alert enrichment
Simple case level enrichment
Woop?

17. SOAR and ATT&CK: Case Grouping

18. SOAR and ATT&CK: Map case to ATT&CK
Auto grouped mapping to Mitre
Woop!

19. SOAR and ATT&CK: Case Grouping ATT&CK
Where is this
Tenant strong?

20. SOAR and ATT&CK: Case Grouping ATT&CK

21. SOAR and ATT&CK: Case Grouping ATT&CK
Exploring concept

22. SOAR and ATT&CK: Future?
Exploring concept

23. ATT&CK Sightings: Relationships to Build
● Multi-chained technique sightings
● Begin predicting what techniques are missing during cases
● Evaluate risk to observed technique chains
● Reduce the complexity for analysts to find where key data and management
to make key decisions

24. Alert -> Cases -> Sightings -> Action : Straw Poll
With Sightings results, should SOAR….?
● Give a % against each technique
● Recap mitigations
● Give simple example search syntax to get started hunting
● Tell you what logs to look for (but then why wasn’t that alert found)