This document discusses validating ATT&CK techniques using endpoint detection and response (EDR) telemetry. It describes how Red Canary analyzes EDR data to validate coverage of ATT&CK techniques. An automated workflow is used that involves deploying test infrastructure, running atomic red team tests, and analyzing results to identify any mismatches between expected and actual telemetry. Challenges with EDR telemetry quality and level of detail are also outlined. The key benefits of the approach are validating at scale and offloading detections from endpoints while providing behavioral context.
Detection as Code, Automation, and Testing: The Key to Unlocking the Power of...MITRE ATT&CK
From ATT&CKcon 4.0
By Olaf Harton, FalconForce
"Modern security teams have been engineering solid detections for a while now. All this great output also needs to be managed well.
* How can we make sure that the detections we have spent a lot of time developing are deployed and are running in production in the same way as they were designed?
* How can we assure our detection and prevention controls are still working and are detecting the attacks they have been designed to cover?
We will show how we have built a robust and flexible development and deployment process using cloud technnologies. This process allows us to quickly and easily implement new detection controls, test them across multiple environments, and deploy them in a controlled and consistent manner.
We will discuss how security teams can reap the benefits of using detection-as-code, and how this can help achieving a single source of truth for their detection logic. Adopting this approach enables teams to use automation and unit testing to manage and validate their detection controls across multiple environments and ensure proper documentation. By adopting a detection-as-code approach, teams can gain the confidence that comes from knowing that their detections and mitigations work as intended."
CISA usage of ATT&CK in Cybersecurity AdvisoriesMITRE ATT&CK
From ATT&CKcon 4.0
By James Stanley, CISA
"CISA's Adoption of the MITRE ATT&CK Framework
Over the past several years, CISA has worked to incorporate ATT&CK whenever applicable into our Cybersecurity Advisories and other cyber guidance. It has become the universal language for discussing how the adversary operates, and we leverage it for our stakeholders to respond to urgent events in real time, as well as detailed reports on subjects like our Red Team activities to give network defenders proactive guidance on how to harden their networks."
One Leg to Stand on: Adventures in Adversary Tracking with ATT&CKMITRE ATT&CK
From ATT&CKcon 4.0
By Nicole Hoffman and James Nutland, Cisco
How many times have you added MITRE ATT&CK techniques to the end of a report and thought you could be doing more? Even though ATT&CK has become an industry standard for cyber threat intelligence reporting, all too often, techniques are thrown at the bottoms of reports and blogs without any context never to be seen again after dissemination. This is not useful for intelligence producers or consumers. Avast ye maties! Within this presentation, we are going to show analysts how they can use ATT&CK as a guideline for creating a contextual knowledge base for adversary tracking. Gone are the days of floundering about looking for information collected about a specific adversary or behavior. Gone are the days of wondering why the rum and context are always gone. Ahoy, me hearties! Hoist up the sails and prepare your sea legs for some swashbuckling adversary tales from the high seas where we will focus on the fickle commodity loader, Qakbot.
MITRE ATT&CK based Threat Analysis for Electronic Flight BagMITRE ATT&CK
From ATT&CKcon 4.0
By Ozan Olali, IBM Security
The Electronic Flight Bag (EFB) has become an indispensable tool in modern aviation, providing pilots with digital resources and critical flight information. However, the increased reliance on EFB systems running on operating systems, introduces various security challenges. In this session, a technical assessment approach with MITRE ATT&CK framework to perform a comprehensive threat analysis of an EFB solution, will be presented. The potential attack vectors and relation with the risks for business/ flight operations will be demonstrated.
Grow Up! Evaluating and Maturing Your SOC using MITRE ATT&CKMITRE ATT&CK
From ATT&CKcon 4.0
By Lauren Brennan, GuidePoint Security
Evaluating the maturity of your security operations program can be complex and challenging. From choosing the right framework to use, to understanding all aspects of how people, processes, and technologies can cohesively operate to grow your SOC, evaluating your security operations is crucial. This presentation will discuss how to evaluate your security operations program using the MITRE ATT&CK framework and talk about best practices for evaluations. We will explore how to identify gaps in your operations and improve your overall security posture with foundational activities. Attendees can expect to learn practical tips for leveraging the MITRE framework as well as actionable takeaways for evaluating and improving their own security operations.
From ATT&CKcon 4.0
By Andrew Northern, Proofpoint and Michael August Raggi, Google
"Join us for an enthralling exploration of Defense Evasion (TA0005) within the captivating realm of Hyrule. Prepare to immerse yourself in the intriguing history of shortcut (.lnk) abuse and its associated procedures, as we unveil and demonstrate an innovative and previously undisclosed sub-technique (proposed) of T1027 (Obfuscated Files or Information).
During this talk, we will go beyond theory and share real-world insights. Discover firsthand how publicly attributed APT actors have leveraged this new sub-technique in their attacks against government entities. Through captivating stories and in-depth observations, we will shed light on the techniques and procedures employed by these adversaries.
Levity and entertainment will be courtesy of timely and relevant bespoke Legend of Zelda memes playing upon the concept of the ""master hand ability"" gluing together bizarre elements to create surprisingly effective weapons, a concept that runs parallel to the discussion of abusing known Windows file types in unconventional ways.
Join us as we embark on this fascinating journey filled with knowledge, entertainment, and a touch of Legend of Zelda magic!"
Driving Intelligence with MITRE ATT&CK: Leveraging Limited Resources to Build...MITRE ATT&CK
From ATT&CKcon 4.0
By Scott Roberts, Interpres Security
"Building threat intelligence is challenging, even under the most ideal circumstances. But what if you are even more limited in your resources? You are part of a small (but skilled) team, with high expectations, and people are relying on you to make business-critical decisions…all the time! What do you do in that situation? Turn a Toyota Tercel into a tank, of course.
The Interpres Security threat intelligence team found itself in that exact situation. Wanting to leverage the MITRE ATT&CK catalog in creating a comprehensive and timely threat intelligence repository, the Interpres team built a series of tools, processes, and paradigms that we call Intelligence Engineering. In this talk, we’ll examine how we combined ATT&CK, STIX2, the Vertex Project’s open-source intelligence platform, Synapse, and custom code to deliver meaningful, rapid, verifiable intelligence to our customers. We’ll share lessons learned on automation, how to run multiple ATT&CK libraries side-by-side, and making programmatic intelligence delivery scalable and effective – just like building a tank out of an imported sedan."
Detection as Code, Automation, and Testing: The Key to Unlocking the Power of...MITRE ATT&CK
From ATT&CKcon 4.0
By Olaf Harton, FalconForce
"Modern security teams have been engineering solid detections for a while now. All this great output also needs to be managed well.
* How can we make sure that the detections we have spent a lot of time developing are deployed and are running in production in the same way as they were designed?
* How can we assure our detection and prevention controls are still working and are detecting the attacks they have been designed to cover?
We will show how we have built a robust and flexible development and deployment process using cloud technnologies. This process allows us to quickly and easily implement new detection controls, test them across multiple environments, and deploy them in a controlled and consistent manner.
We will discuss how security teams can reap the benefits of using detection-as-code, and how this can help achieving a single source of truth for their detection logic. Adopting this approach enables teams to use automation and unit testing to manage and validate their detection controls across multiple environments and ensure proper documentation. By adopting a detection-as-code approach, teams can gain the confidence that comes from knowing that their detections and mitigations work as intended."
CISA usage of ATT&CK in Cybersecurity AdvisoriesMITRE ATT&CK
From ATT&CKcon 4.0
By James Stanley, CISA
"CISA's Adoption of the MITRE ATT&CK Framework
Over the past several years, CISA has worked to incorporate ATT&CK whenever applicable into our Cybersecurity Advisories and other cyber guidance. It has become the universal language for discussing how the adversary operates, and we leverage it for our stakeholders to respond to urgent events in real time, as well as detailed reports on subjects like our Red Team activities to give network defenders proactive guidance on how to harden their networks."
One Leg to Stand on: Adventures in Adversary Tracking with ATT&CKMITRE ATT&CK
From ATT&CKcon 4.0
By Nicole Hoffman and James Nutland, Cisco
How many times have you added MITRE ATT&CK techniques to the end of a report and thought you could be doing more? Even though ATT&CK has become an industry standard for cyber threat intelligence reporting, all too often, techniques are thrown at the bottoms of reports and blogs without any context never to be seen again after dissemination. This is not useful for intelligence producers or consumers. Avast ye maties! Within this presentation, we are going to show analysts how they can use ATT&CK as a guideline for creating a contextual knowledge base for adversary tracking. Gone are the days of floundering about looking for information collected about a specific adversary or behavior. Gone are the days of wondering why the rum and context are always gone. Ahoy, me hearties! Hoist up the sails and prepare your sea legs for some swashbuckling adversary tales from the high seas where we will focus on the fickle commodity loader, Qakbot.
MITRE ATT&CK based Threat Analysis for Electronic Flight BagMITRE ATT&CK
From ATT&CKcon 4.0
By Ozan Olali, IBM Security
The Electronic Flight Bag (EFB) has become an indispensable tool in modern aviation, providing pilots with digital resources and critical flight information. However, the increased reliance on EFB systems running on operating systems, introduces various security challenges. In this session, a technical assessment approach with MITRE ATT&CK framework to perform a comprehensive threat analysis of an EFB solution, will be presented. The potential attack vectors and relation with the risks for business/ flight operations will be demonstrated.
Grow Up! Evaluating and Maturing Your SOC using MITRE ATT&CKMITRE ATT&CK
From ATT&CKcon 4.0
By Lauren Brennan, GuidePoint Security
Evaluating the maturity of your security operations program can be complex and challenging. From choosing the right framework to use, to understanding all aspects of how people, processes, and technologies can cohesively operate to grow your SOC, evaluating your security operations is crucial. This presentation will discuss how to evaluate your security operations program using the MITRE ATT&CK framework and talk about best practices for evaluations. We will explore how to identify gaps in your operations and improve your overall security posture with foundational activities. Attendees can expect to learn practical tips for leveraging the MITRE framework as well as actionable takeaways for evaluating and improving their own security operations.
From ATT&CKcon 4.0
By Andrew Northern, Proofpoint and Michael August Raggi, Google
"Join us for an enthralling exploration of Defense Evasion (TA0005) within the captivating realm of Hyrule. Prepare to immerse yourself in the intriguing history of shortcut (.lnk) abuse and its associated procedures, as we unveil and demonstrate an innovative and previously undisclosed sub-technique (proposed) of T1027 (Obfuscated Files or Information).
During this talk, we will go beyond theory and share real-world insights. Discover firsthand how publicly attributed APT actors have leveraged this new sub-technique in their attacks against government entities. Through captivating stories and in-depth observations, we will shed light on the techniques and procedures employed by these adversaries.
Levity and entertainment will be courtesy of timely and relevant bespoke Legend of Zelda memes playing upon the concept of the ""master hand ability"" gluing together bizarre elements to create surprisingly effective weapons, a concept that runs parallel to the discussion of abusing known Windows file types in unconventional ways.
Join us as we embark on this fascinating journey filled with knowledge, entertainment, and a touch of Legend of Zelda magic!"
Driving Intelligence with MITRE ATT&CK: Leveraging Limited Resources to Build...MITRE ATT&CK
From ATT&CKcon 4.0
By Scott Roberts, Interpres Security
"Building threat intelligence is challenging, even under the most ideal circumstances. But what if you are even more limited in your resources? You are part of a small (but skilled) team, with high expectations, and people are relying on you to make business-critical decisions…all the time! What do you do in that situation? Turn a Toyota Tercel into a tank, of course.
The Interpres Security threat intelligence team found itself in that exact situation. Wanting to leverage the MITRE ATT&CK catalog in creating a comprehensive and timely threat intelligence repository, the Interpres team built a series of tools, processes, and paradigms that we call Intelligence Engineering. In this talk, we’ll examine how we combined ATT&CK, STIX2, the Vertex Project’s open-source intelligence platform, Synapse, and custom code to deliver meaningful, rapid, verifiable intelligence to our customers. We’ll share lessons learned on automation, how to run multiple ATT&CK libraries side-by-side, and making programmatic intelligence delivery scalable and effective – just like building a tank out of an imported sedan."
Evaluating and Enhancing Security Maturity through MITRE ATT&CK MappingMITRE ATT&CK
From ATT&CKcon 4.0
By Pranusha Somareddy, Lark Health
"By aligning security controls with specific adversary techniques and tactics, organizations can gain a comprehensive understanding of their defensive capabilities. This mapping exercise serves as a vital step in identifying potential gaps and weaknesses within the security architecture. The evaluation of security maturity using the MITRE ATT&CK framework provides valuable insights into the effectiveness of existing controls, shedding light on areas that require improvement or further attention.
In this presentation, we will delve into practical strategies and real-world examples that showcase how organizations can successfully leverage the MITRE ATT&CK framework to enhance their security maturity. We will also explore key topics such as:
(i)Customizing security training and awareness programs based on roles and responsibilities
(ii)Conducting thorough assessments of incident response capabilities through the framework
(iii)Integrating threat intelligence derived from ATT&CK to continuously improve the security posture"
Exploring the Labyrinth: Deep dive into the Lazarus Group's foray into macOSMITRE ATT&CK
From ATT&CKcon 4.0
By Marina Liang
"LABYRINTH CHOLLIMA is a prolific Democratic People's Republic of Korea (DPRK) nexus adversary focused on cyber espionage. They have been recently observed targeting FinTech (financial technology) companies in cryptocurrency revenue generation efforts. LABYRINTH CHOLLIMA has been associated with many high profile attacks, including the Sony Pictures Entertainment (SPE) breach, the WannaCry 2.0 global surge, and most recently, the 3CX supply chain compromise. Increasingly versed in cross-platform intrusions, LABYRINTH CHOLLIMA has been observed targeting macOS operating systems, and evolving their tactics, techniques, and tooling to keep in lockstep with the evolving security landscape.
This talk will deep dive into the interactive macOS intrusions Crowdstrike has attributed to LABYRINTH CHOLLIMA. We will delve into the adversary's macOS tradecraft, techniques to circumvent existing OS protections, and social engineering tactics, while showcasing how their mechanisms and tooling map to the MITRE ATT&CK kill chain, featuring some newly proposed MITRE techniques related to the Transparency, Consent, and Control (TCC) database."
From ATT&CKcon 4.0
By Matthew Mills, Nathaniel Beckstead, and Ryan Simon, Datadog
Cloud native computing has fundamentally changed traditional security methodologies and attack surfaces. This new architectural approach combines new operational tools and services like continuous integration, container engines, and orchestrators. Some organizations struggle to identify and respond to threats they specifically face when running cloud native workloads.
Perimeter-centric security evangelizes defense-in-depth or the onion model to implement different layers of defense. Cloud native security hyper-focuses on four unique layers: Cloud, Clusters, Containers, and Code.
Today's defenders have to look across several existing ATT&CK matrices including Linux Enterprise, Containers, Kubernetes, and IaaS to holistically evaluate and model threats or attack paths across the four distinct layers of cloud native workloads.
In conclusion, we will discuss some of the challenges facing threat modeling cloud native workloads, including showing how to leverage several different ATT&CK matrices to create a distinct Cloud Native Workload ATT&CK matrix. The creation of this matrix will help defenders take the guesswork out of identifying what tactics serve as potential threats against a cloud native workload in order to enhance their defensive baseline and detection coverage.
From ATT&CKcon 3.0
By Fred Frey and Jonathan Mulholland, SnapAttack
Atomic Red Team and Sigma are the largest open-source attack simulation and analytic projects. Many organizations utilize one or both internally for security controls validation or supplementing their detections and alerts. Building on the work from these two great communities, we smashed (scientific-term) the attacks and analytics together and applied data science to analyze the results. We'll describe our methodology and testing framework, show the real-world MITRE ATT&CK coverage and gaps, discuss our algorithms for calculating analytic similarity, identifying log sources for a technique, and determining the best analytics to deploy that maximizes ATT&CK coverage.
This project aims to:
- Bring a measurable testing rigor to community analytics to improve adoption
- Test every analytic against every attack, validating the true positive detection
- Understand the log sources required to detect specific attack techniques
- Apply data science to identify analytic similarity (reduce community duplication)
- Identify gaps between the projects' analytics without attack simulations; attack simulations without detections; missing or incorrect MITRE ATT&CK labels, etc
- Automate the process so insights can stay up to date with new attack/analytic contributions over time
- Share our analysis back to the community to improve these projects
Mapping to MITRE ATT&CK: Enhancing Operations Through the Tracking of Interac...MITRE ATT&CK
From ATT&CKcon 3.0
By Jason Wood and Justin Swisher, CrowdStrike
When it comes to understanding and tracking intrusion tradecraft, security teams must have the tools and processes that allow the mapping of hands-on adversary tradecraft. Doing this enables your team to both understand the adversaries and attacks you currently see and observe how these adversaries and attacks evolve over time. This session will explore how a threat hunting team uses MITRE ATT&CK to understand and categorize adversary activity. The team will demonstrate how threat hunters map ATT&CK TTPs by showcasing a recent interactive intrusion against a Linux endpoint and how the framework allowed for granular tracking of tradecraft and enhanced security operations. They will also take a look into the changes in the Linux activity they have observed over time, using the ATT&CK navigator to compare and contrast technique usage. This session will provide insights into how we use MITRE ATT&CK as a powerful resource to track intrusion tradecraft, identify adversary trends, and prepare for attacks of the future.
FIRST CTI Symposium: Turning intelligence into action with MITRE ATT&CK™Katie Nickels
Katie Nickels and Adam Pennington presented "Turning intelligence into action with MITRE ATT&CK™" at the FIRST CTI Symposium in London on 20 March 2019.
MITRE ATT&CKcon 2018: Hunters ATT&CKing with the Data, Roberto Rodriguez, Spe...MITRE - ATT&CKcon
With the development of the MITRE ATT&CK framework and its categorization of adversary activity during the attack cycle, understanding what to hunt for has become easier and more efficient than ever. However, organizations are still struggling to understand how they can prioritize the development of hunt hypothesis, assess their current security posture, and develop the right analytics with the help of ATT&CK. Even though there are several ways to utilize ATT&CK to accomplish those goals, there are only a few that are focusing primarily on the data that is currently being collected to drive the success of a hunt program.
This presentation shows how organizations can benefit from mapping their current visibility from a data perspective to the ATT&CK framework. It focuses on how to identify, document, standardize and model current available data to enhance a hunt program. It presents an updated ThreatHunter-Playbook, a Kibana ATT&CK dashboard, a new project named Open Source Security Events Metadata known as OSSEM and expands on the “data sources” section already provided by ATT&CK on most of the documented adversarial techniques.
Threat Modelling - It's not just for developersMITRE ATT&CK
From ATT&CKcon 3.0
By Tim Wadhwa-Brown, Cisco
The purpose of this session will be to look at how you can take public information about threat actors, vulnerabilities, and incidents and use them to build better defenses, utilizing ATT&CK along the way to align your security organization to the people and assets that matter.
Stories are critical to how humans learn, so this session will leverage a story book approach to give the audience some ideas on approaches they could use. Tim will take the audience through 3 real world examples where he has leveraged ATT&CK to drive operational improvement. The premise of each story will be real, although some of the details will be apocryphal to protect the innocent.
One story will focus on defending a network, one will look at adversary detection, while the final one will look at responding to an active attack and in each case, Tim will guide the audience to think about the kinds of data sources that ATT&CK tracks, that they might call upon to achieve a successful outcome.
It's just a jump to the left (of boom): Prioritizing detection implementation...MITRE ATT&CK
From ATT&CKcon 3.0
By Lindsay Kaye and Scott Small, Recorded Future
Many organizations ask: "Where do I start, and where do I go next" when prioritizing implementation of behavior-based detections? We often hear "use threat intelligence!" but your goals must be qualified and quantified in order to properly prioritize the most relevant TTPs. A wealth of open-sourced, ATT&CK-mapped resources now exists, giving security teams greater access to both detections and red team tests they can implement, but intelligence (also aligned with ATT&CK), is essential to provide necessary context to ensure that detection efforts are focused effectively.
This session will discuss a new approach to the prioritization challenge, starting with an analysis of the current defensive landscape, as measured by ATT&CK coverage for more than a dozen detection repositories and technologies, and guidance on sourcing TTP intelligence. The team will then show how real-world defensive strategies can be strengthened by encompassing a full-spectrum view of threat detection, including the implementation of YARA, Sigma, and Snort in security appliances. Critically, alignment of both intelligence and defenses with ATT&CK enables defenders to move the focus of detection efforts to indications of malicious behavior before the final payload is deployed, where controls are most effective at preventing serious damage to the organization.
The Hunter Games: How to Find the Adversary with Event Query LanguageRoss Wolf
Circle City Con 2019 and BSides SATX 2019
Abstract:
How do you find malicious activity? We often resort to the cliche, you know it when you see it, but how do you even see it, without drowning in data? MITRE’s ATT&CK knowledge base organizes adversary behavior into tactics and techniques, and orients our approach to endpoint data. It suggests questions that might be worth asking, but not a way to ask them. The Event Query Language (EQL) allows a security analyst to naturally express queries for IOC search, hunting, and behavioral detections, while remaining platform and data source agnostic.
In this talk, I will demonstrate the iterative process of establishing situational awareness in your environment, creating targeted detections, and hunting for the adversary in your environment with real data, queries, and results.
Brief introduction to DTrace technologies within OpenSolaris/Solaris 10 and DTrace probes within Apache, PHP and MySQL can provide end to end dynamic tracing of your Drupal based web site..
Evaluating and Enhancing Security Maturity through MITRE ATT&CK MappingMITRE ATT&CK
From ATT&CKcon 4.0
By Pranusha Somareddy, Lark Health
"By aligning security controls with specific adversary techniques and tactics, organizations can gain a comprehensive understanding of their defensive capabilities. This mapping exercise serves as a vital step in identifying potential gaps and weaknesses within the security architecture. The evaluation of security maturity using the MITRE ATT&CK framework provides valuable insights into the effectiveness of existing controls, shedding light on areas that require improvement or further attention.
In this presentation, we will delve into practical strategies and real-world examples that showcase how organizations can successfully leverage the MITRE ATT&CK framework to enhance their security maturity. We will also explore key topics such as:
(i)Customizing security training and awareness programs based on roles and responsibilities
(ii)Conducting thorough assessments of incident response capabilities through the framework
(iii)Integrating threat intelligence derived from ATT&CK to continuously improve the security posture"
Exploring the Labyrinth: Deep dive into the Lazarus Group's foray into macOSMITRE ATT&CK
From ATT&CKcon 4.0
By Marina Liang
"LABYRINTH CHOLLIMA is a prolific Democratic People's Republic of Korea (DPRK) nexus adversary focused on cyber espionage. They have been recently observed targeting FinTech (financial technology) companies in cryptocurrency revenue generation efforts. LABYRINTH CHOLLIMA has been associated with many high profile attacks, including the Sony Pictures Entertainment (SPE) breach, the WannaCry 2.0 global surge, and most recently, the 3CX supply chain compromise. Increasingly versed in cross-platform intrusions, LABYRINTH CHOLLIMA has been observed targeting macOS operating systems, and evolving their tactics, techniques, and tooling to keep in lockstep with the evolving security landscape.
This talk will deep dive into the interactive macOS intrusions Crowdstrike has attributed to LABYRINTH CHOLLIMA. We will delve into the adversary's macOS tradecraft, techniques to circumvent existing OS protections, and social engineering tactics, while showcasing how their mechanisms and tooling map to the MITRE ATT&CK kill chain, featuring some newly proposed MITRE techniques related to the Transparency, Consent, and Control (TCC) database."
From ATT&CKcon 4.0
By Matthew Mills, Nathaniel Beckstead, and Ryan Simon, Datadog
Cloud native computing has fundamentally changed traditional security methodologies and attack surfaces. This new architectural approach combines new operational tools and services like continuous integration, container engines, and orchestrators. Some organizations struggle to identify and respond to threats they specifically face when running cloud native workloads.
Perimeter-centric security evangelizes defense-in-depth or the onion model to implement different layers of defense. Cloud native security hyper-focuses on four unique layers: Cloud, Clusters, Containers, and Code.
Today's defenders have to look across several existing ATT&CK matrices including Linux Enterprise, Containers, Kubernetes, and IaaS to holistically evaluate and model threats or attack paths across the four distinct layers of cloud native workloads.
In conclusion, we will discuss some of the challenges facing threat modeling cloud native workloads, including showing how to leverage several different ATT&CK matrices to create a distinct Cloud Native Workload ATT&CK matrix. The creation of this matrix will help defenders take the guesswork out of identifying what tactics serve as potential threats against a cloud native workload in order to enhance their defensive baseline and detection coverage.
From ATT&CKcon 3.0
By Fred Frey and Jonathan Mulholland, SnapAttack
Atomic Red Team and Sigma are the largest open-source attack simulation and analytic projects. Many organizations utilize one or both internally for security controls validation or supplementing their detections and alerts. Building on the work from these two great communities, we smashed (scientific-term) the attacks and analytics together and applied data science to analyze the results. We'll describe our methodology and testing framework, show the real-world MITRE ATT&CK coverage and gaps, discuss our algorithms for calculating analytic similarity, identifying log sources for a technique, and determining the best analytics to deploy that maximizes ATT&CK coverage.
This project aims to:
- Bring a measurable testing rigor to community analytics to improve adoption
- Test every analytic against every attack, validating the true positive detection
- Understand the log sources required to detect specific attack techniques
- Apply data science to identify analytic similarity (reduce community duplication)
- Identify gaps between the projects' analytics without attack simulations; attack simulations without detections; missing or incorrect MITRE ATT&CK labels, etc
- Automate the process so insights can stay up to date with new attack/analytic contributions over time
- Share our analysis back to the community to improve these projects
Mapping to MITRE ATT&CK: Enhancing Operations Through the Tracking of Interac...MITRE ATT&CK
From ATT&CKcon 3.0
By Jason Wood and Justin Swisher, CrowdStrike
When it comes to understanding and tracking intrusion tradecraft, security teams must have the tools and processes that allow the mapping of hands-on adversary tradecraft. Doing this enables your team to both understand the adversaries and attacks you currently see and observe how these adversaries and attacks evolve over time. This session will explore how a threat hunting team uses MITRE ATT&CK to understand and categorize adversary activity. The team will demonstrate how threat hunters map ATT&CK TTPs by showcasing a recent interactive intrusion against a Linux endpoint and how the framework allowed for granular tracking of tradecraft and enhanced security operations. They will also take a look into the changes in the Linux activity they have observed over time, using the ATT&CK navigator to compare and contrast technique usage. This session will provide insights into how we use MITRE ATT&CK as a powerful resource to track intrusion tradecraft, identify adversary trends, and prepare for attacks of the future.
FIRST CTI Symposium: Turning intelligence into action with MITRE ATT&CK™Katie Nickels
Katie Nickels and Adam Pennington presented "Turning intelligence into action with MITRE ATT&CK™" at the FIRST CTI Symposium in London on 20 March 2019.
MITRE ATT&CKcon 2018: Hunters ATT&CKing with the Data, Roberto Rodriguez, Spe...MITRE - ATT&CKcon
With the development of the MITRE ATT&CK framework and its categorization of adversary activity during the attack cycle, understanding what to hunt for has become easier and more efficient than ever. However, organizations are still struggling to understand how they can prioritize the development of hunt hypothesis, assess their current security posture, and develop the right analytics with the help of ATT&CK. Even though there are several ways to utilize ATT&CK to accomplish those goals, there are only a few that are focusing primarily on the data that is currently being collected to drive the success of a hunt program.
This presentation shows how organizations can benefit from mapping their current visibility from a data perspective to the ATT&CK framework. It focuses on how to identify, document, standardize and model current available data to enhance a hunt program. It presents an updated ThreatHunter-Playbook, a Kibana ATT&CK dashboard, a new project named Open Source Security Events Metadata known as OSSEM and expands on the “data sources” section already provided by ATT&CK on most of the documented adversarial techniques.
Threat Modelling - It's not just for developersMITRE ATT&CK
From ATT&CKcon 3.0
By Tim Wadhwa-Brown, Cisco
The purpose of this session will be to look at how you can take public information about threat actors, vulnerabilities, and incidents and use them to build better defenses, utilizing ATT&CK along the way to align your security organization to the people and assets that matter.
Stories are critical to how humans learn, so this session will leverage a story book approach to give the audience some ideas on approaches they could use. Tim will take the audience through 3 real world examples where he has leveraged ATT&CK to drive operational improvement. The premise of each story will be real, although some of the details will be apocryphal to protect the innocent.
One story will focus on defending a network, one will look at adversary detection, while the final one will look at responding to an active attack and in each case, Tim will guide the audience to think about the kinds of data sources that ATT&CK tracks, that they might call upon to achieve a successful outcome.
It's just a jump to the left (of boom): Prioritizing detection implementation...MITRE ATT&CK
From ATT&CKcon 3.0
By Lindsay Kaye and Scott Small, Recorded Future
Many organizations ask: "Where do I start, and where do I go next" when prioritizing implementation of behavior-based detections? We often hear "use threat intelligence!" but your goals must be qualified and quantified in order to properly prioritize the most relevant TTPs. A wealth of open-sourced, ATT&CK-mapped resources now exists, giving security teams greater access to both detections and red team tests they can implement, but intelligence (also aligned with ATT&CK), is essential to provide necessary context to ensure that detection efforts are focused effectively.
This session will discuss a new approach to the prioritization challenge, starting with an analysis of the current defensive landscape, as measured by ATT&CK coverage for more than a dozen detection repositories and technologies, and guidance on sourcing TTP intelligence. The team will then show how real-world defensive strategies can be strengthened by encompassing a full-spectrum view of threat detection, including the implementation of YARA, Sigma, and Snort in security appliances. Critically, alignment of both intelligence and defenses with ATT&CK enables defenders to move the focus of detection efforts to indications of malicious behavior before the final payload is deployed, where controls are most effective at preventing serious damage to the organization.
The Hunter Games: How to Find the Adversary with Event Query LanguageRoss Wolf
Circle City Con 2019 and BSides SATX 2019
Abstract:
How do you find malicious activity? We often resort to the cliche, you know it when you see it, but how do you even see it, without drowning in data? MITRE’s ATT&CK knowledge base organizes adversary behavior into tactics and techniques, and orients our approach to endpoint data. It suggests questions that might be worth asking, but not a way to ask them. The Event Query Language (EQL) allows a security analyst to naturally express queries for IOC search, hunting, and behavioral detections, while remaining platform and data source agnostic.
In this talk, I will demonstrate the iterative process of establishing situational awareness in your environment, creating targeted detections, and hunting for the adversary in your environment with real data, queries, and results.
Brief introduction to DTrace technologies within OpenSolaris/Solaris 10 and DTrace probes within Apache, PHP and MySQL can provide end to end dynamic tracing of your Drupal based web site..
HKG18-TR14 - Postmortem Debugging with CoresightLinaro
Session ID: HKG18-TR14
Session Name: HKG18-TR14 - Postmortem Debugging with Coresight
Speaker: Leo Yan
Track: Training
★ Session Summary ★
For most cases we can easily debug with kernel's oops dumping info, but sometimes we need to know more information for program execution flow before the issue happens. So we can rely on two tracing methods to reproduce the program execution flow, one method is using software tracing which is kernel's pstore method; another method is to rely on Coresight hardware tracing, this method also can avoid extra workload introduced by tracing itself. Coresight has provided two mechanisms for Postmortem debugging, one method is Coresight CPU debug module so we can extract CPU program counter info, this is quite straightforward to debug CPU lockup issue; Another is Coresight panic kdump, we connect kernel kdump mechanism to extract Coresight tracing data so we can reproduce the last execution flow before panic (even hang issue with some tweaking in kernel). This session wants to go through these topics and demonstrate the debugging tools on 96boards Hikey in 25 minutes session.
---------------------------------------------------
★ Resources ★
Event Page: http://connect.linaro.org/resource/hkg18/hkg18-tr14/
Presentation: http://connect.linaro.org.s3.amazonaws.com/hkg18/presentations/hkg18-tr14.pdf
Video: http://connect.linaro.org.s3.amazonaws.com/hkg18/videos/hkg18-tr14.mp4
---------------------------------------------------
★ Event Details ★
Linaro Connect Hong Kong 2018 (HKG18)
19-23 March 2018
Regal Airport Hotel Hong Kong
---------------------------------------------------
Keyword: Training
'http://www.linaro.org'
'http://connect.linaro.org'
---------------------------------------------------
Follow us on Social Media
https://www.facebook.com/LinaroOrg
https://www.youtube.com/user/linaroorg?sub_confirmation=1
https://www.linkedin.com/company/1026961
Monitoring as Code: Getting to Monitoring-Driven Development - DEV314 - re:In...Amazon Web Services
“Infrastructure as Code” has changed not only how we think about configuring infrastructure, but about the infrastructure itself. AWS has been at the core of this movement, enabling your infrastructure teams to benefit from software engineering best practices such as CI/CD, automated testing, and repeatable deployments. Now that you have mastered the art of managing your infrastructure as code, it’s time to leverage these same lessons for monitoring and metrics. In this session, we dive into how you can leverage tooling such as AWS, Terraform, and Datadog to programmatically define your monitoring so that you that you can scale your organizational observability along with your infrastructure, and attain consistency from local development all the way through production.
Session sponsored by Datadog, Inc.
Антон Наумович, Система автоматической крэш-аналитики своими средствамиSergey Platonov
В докладе будет рассмотрена система контроля качества с помощью снятия и анализа крэшдамп-файлов (применительно в первую очередь к системе Windows). Будет представлена архитектура и инструментарий для организации автоматического сбора и анализа крэшдамп-файлов, снимаемых в момент возникновения проблем в приложениях (падения, зависания, превышение потребления ресурсов – памяти, файловых дескрипторов и т.д.)
CONFidence 2015: DTrace + OSX = Fun - Andrzej Dyjak PROIDEA
Speaker: Andrzej Dyjak
Language: English
In recent years security industry started to grow fond of Apple’s iOS and OS X platforms. This talk will cover one of XNU's flagship debugging utilities: DTrace, a dynamic tracing framework for troubleshooting kernel and application problems on production systems in real time. It will be shown how it can be used in order to ease various tasks within the realm of dynamic binary analysis and beyond.
CONFidence: http://confidence.org.pl/
RSA 2018: Adventures in the Underland: Techniques against Hackers Evading the...Paula Januszkiewicz
Cybercrime is a very lucrative business not just because of the potential financial return, but because it’s quite easy to get away with it. Sometimes hackers get caught, but most of the time they still run free. When it comes to operating systems and after-attack traces, it is not that bad as all traces are gathered in one place—your infrastructure.
Even though hackers use techniques to remain on the loose, it is possible by using forensic techniques to gather evidence in order to demonstrate what actually happened. During this super intense session, Paula demonstrated techniques used by hackers to hide traces and forensic techniques that indicate how these activities were performed. Extremely technical session!
WMQ Toolbox: 20 Scripts, One-liners, & Utilities for UNIX & Windows T.Rob Wyatt
The pipe symbol is your command-line friend. If you string together the right combination of utility programs it is possible to automate really useful administrative tasks, and if you can do it on one line you get to wear the Wizard's hat around the office as an added bonus. So whether you want to become a scripting wizard and impress your friends, or just want to get stuff done, this session is for you.
Similar to Tidying up your Nest: Validating ATT&CK Technique Coverage using EDR Telemetry (20)
Dealing With ATT&CK's Different Levels Of DetailMITRE ATT&CK
From ATT&CKcon 4.0
By Tareq AlKhatib, Lacework, Inc
"ATT&CK serves as the central language for CTI practitioners, Detection Engineers, Red Teamers, and more. Despite the benefit of having a central language, ATT&CK offers different levels of detail that might be useful for one team but not others. This paper points out some of these differences in the level of details available in ATT&CK, especially from the point of view of Detection Engineers, and focused on detection coverage.
In summary, while ATT&CK does not define the Procedure level of the TTP trinity, it is still useful to define the “Degrees of Freedom” an attacker has within a technique. Some techniques only have a limited number of possible Procedures, some techniques might have more, and others might be so open ended that they offer an unlimited number of possible procedures per technique. We examine this concept on both the Technique and Tactic levels and make the argument that techniques that have a high number of possible Procedures cannot be covered by Detection Engineers.
At the conference, we intend to release an ATT&CK Navigator layer to help Detection Engineers quickly filter out which Tactics and Techniques they need to focus on and which ones they simply cannot cover."
Automating testing by implementing ATT&CK using the Blackboard ArchitectureMITRE ATT&CK
From ATT&CKcon 4.0
By Jeremy Straub, NDSU Cybersecurity Institute
This presentation will briefly summarize work that we've done regarding implementing the ATT&CK framework as a rule-fact-action network within a Blackboard Architecture, allowing the ATT&CK framework to enable security testing automation. The presentation will start with a quick summary of the concept behind this and then present a few implementation examples.
I can haz cake: Benefits of working with MITRE on ATT&CKMITRE ATT&CK
From ATT&CKcon 4.0
By Tim Wadhwa-Brown, Cisco
The purpose of this session will be to look at how the linux-malware repo came to take shape and how we've used it to inform our view on adversarial behaviour over the last couple of years. Since the original reason for staring this project was to look at Linux coverage in ATT&CK, we'll play back some of the interesting points and reflect on how they've affected ATT&CK itself.
ATT&CK’s Adoption in CTI: A Great Success (with Room to Grow!)MITRE ATT&CK
From ATT&CKcon 4.0
By Scott Small, Tidal Cyber
This metrics- and meme-based lightning session spotlights the success story that is the CTI industry’s impressive (and expanding) adoption of ATT&CK in their products. Using nearly 6 years’ worth of ATT&CK-mapped, public threat reports collected from government, vendor, & independent sources, we’ll show how the rate (and detail) of mapping has increased considerably, while showcasing (anonymized) examples of high-quality end-products, with the aim of inspiring further ATT&CK adoption in this important corner of the field.
Using ATT&CK to created wicked actors in real dataMITRE ATT&CK
From ATT&CKcon 4.0
By Simeon Kakpovi and Greg Schloemer, KC7 Foundation
"KC7 uses an experiential learning pedagogy to teach cybersecurity analysis to students of all levels, from elementary school all the way to industry professionals. In the KC7 experience, students analyze realistic cybersecurity data and answer a series of CTF-style questions that guide them through an investigative journey.
In order to generate authentic intrusion data, we create a fictional company that is attacked by cyber threat actors. The attributes and behaviors of these actors are defined via yaml configurations that are modeled based on MITRE ATT&CK categories and techniques. For example, we can granularly define what techniques an attacker uses for initial access or lateral movement, and how the actor explicitly uses those techniques.
Students that effectively analyze KC7 intrusion data can map the observed activity to the various stages of the MITRE ATTA&CK framework. Organizing actor definitions around the ATTA&CK framework allows KC7 to create a rich set of intrusion data in various permutations - and ensure that students are exposed to a diverse array of scenarios. A pleasant byproduct of this methodology is that students of MITRE ATT&CK can now study techniques contextually in data rather than just reading about them in reports."
Navigating the Attention Economy – Using MITRE ATT&CK to Communicate to Stake...MITRE ATT&CK
From ATT&CKcon 4.0
By Alexandrea Berninger, Accenture
We live in a world where attention is scarce. And yet we need to communicate complex information effectively to a variety of audiences. This talk will discuss how to cut through the noise of information overload by using MITRE ATT&CK to reach your audience. It will use lessons I have learned from videography, combined with Cyber Threat Intelligence (CTI) to weave a story around how to think about communicating to your audience when gaining their focus is becoming increasingly difficult. Using current research into focus and attention spans, combined with trends in how people like to obtain information, this talk will recommend paths to building compelling stories with MITRE ATT&CK so that stakeholders can immediately gain value from threat intelligence reports without having to read a full long-form report.
Discussion on Finding Relationships in Cyber DataMITRE ATT&CK
From ATT&CKcon 4.0
By Stephen Johnson and Emma MacMullan, Capital One
Capital One is currently building a Security Graph to tie together various Cyber Teams and their data -- Controls, Objectives, Tools, and Countermeasures, Threats. It is an ambitious project that will help us identify gaps and focus our controls on the most likely and persistent threats. It is a work in progress that is using MITRE ATT&CK and D3FEND as a "lingua franca" to tie together the elements of the graph, so we have a common understanding across the enterprise.
The art of communicating ATT&CK to the CFOMITRE ATT&CK
From ATT&CKcon 4.0
By Phil Davies, Distilled Security
"You have had a pen test, a red team or a threat intelligence report and drawn up a plan for remediation. You have been told you have 15 mins in front of the CFO in 48 hours! How do you show ,on one page, the connection between the techniques you are exposed and vulnerable to, the path of least resistance and the focused control changes required right now?
How will the CFO get the picture so the result is ""I get it, what do you need?""
Understanding ATT&CK as a practitioner is great with the current matrix but it is inaccessible to the CFO. But it doesn't have to be that way.
Phil will chart the journey to improved visualisation of ATT&CK techniques. He will show how the DNA of ATT&CK doesn’t just make ATT&CK accessible for all but that it can be beautiful!"
Or Lenses and Layers: Adding Business Context to Enterprise MappingsMITRE ATT&CK
From ATT&CKcon 4.0
By Andrew Malone
Many use the ATT&CK matrix to map tool coverage across the environment. This blanket coverage is a good baseline but it can miss certain aspects of the enterprise's context like risk levels, organisational priorities, and industry specific threat intelligence. I want to discuss ways to layer these lenses on top of an enterprise mapping to make ATT&CK more relevant to the specific enterprise. If done right this can lead to more actionable metrics and reporting on improvements.
From ATT&CKcon 4.0
By Benjamin Langrill, Security Optimizer
If you tell me an attacker performed OS Credential Dumping, did they dump credentials with meterpreter, recompile mimikatz, or use a custom tool? The technique reference lacks a way to categorize how they performed the action and each type requires its own mitigation. In this talk, Ben Langirll will propose formal adjectives for ATT&CK techniques that map to adversary capabilities and how we can use them to optimize defensive choices.
DevOps and Testing slides at DASA ConnectKari Kakkonen
My and Rik Marselis slides at 30.5.2024 DASA Connect conference. We discuss about what is testing, then what is agile testing and finally what is Testing in DevOps. Finally we had lovely workshop with the participants trying to find out different ways to think about quality and testing in different parts of the DevOps infinity loop.
UiPath Test Automation using UiPath Test Suite series, part 4DianaGray10
Welcome to UiPath Test Automation using UiPath Test Suite series part 4. In this session, we will cover Test Manager overview along with SAP heatmap.
The UiPath Test Manager overview with SAP heatmap webinar offers a concise yet comprehensive exploration of the role of a Test Manager within SAP environments, coupled with the utilization of heatmaps for effective testing strategies.
Participants will gain insights into the responsibilities, challenges, and best practices associated with test management in SAP projects. Additionally, the webinar delves into the significance of heatmaps as a visual aid for identifying testing priorities, areas of risk, and resource allocation within SAP landscapes. Through this session, attendees can expect to enhance their understanding of test management principles while learning practical approaches to optimize testing processes in SAP environments using heatmap visualization techniques
What will you get from this session?
1. Insights into SAP testing best practices
2. Heatmap utilization for testing
3. Optimization of testing processes
4. Demo
Topics covered:
Execution from the test manager
Orchestrator execution result
Defect reporting
SAP heatmap example with demo
Speaker:
Deepak Rai, Automation Practice Lead, Boundaryless Group and UiPath MVP
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...Jeffrey Haguewood
Sidekick Solutions uses Bonterra Impact Management (fka Social Solutions Apricot) and automation solutions to integrate data for business workflows.
We believe integration and automation are essential to user experience and the promise of efficient work through technology. Automation is the critical ingredient to realizing that full vision. We develop integration products and services for Bonterra Case Management software to support the deployment of automations for a variety of use cases.
This video focuses on the notifications, alerts, and approval requests using Slack for Bonterra Impact Management. The solutions covered in this webinar can also be deployed for Microsoft Teams.
Interested in deploying notification automations for Bonterra Impact Management? Contact us at sales@sidekicksolutionsllc.com to discuss next steps.
Search and Society: Reimagining Information Access for Radical FuturesBhaskar Mitra
The field of Information retrieval (IR) is currently undergoing a transformative shift, at least partly due to the emerging applications of generative AI to information access. In this talk, we will deliberate on the sociotechnical implications of generative AI for information access. We will argue that there is both a critical necessity and an exciting opportunity for the IR community to re-center our research agendas on societal needs while dismantling the artificial separation between the work on fairness, accountability, transparency, and ethics in IR and the rest of IR research. Instead of adopting a reactionary strategy of trying to mitigate potential social harms from emerging technologies, the community should aim to proactively set the research agenda for the kinds of systems we should build inspired by diverse explicitly stated sociotechnical imaginaries. The sociotechnical imaginaries that underpin the design and development of information access technologies needs to be explicitly articulated, and we need to develop theories of change in context of these diverse perspectives. Our guiding future imaginaries must be informed by other academic fields, such as democratic theory and critical theory, and should be co-developed with social science scholars, legal scholars, civil rights and social justice activists, and artists, among others.
"Impact of front-end architecture on development cost", Viktor TurskyiFwdays
I have heard many times that architecture is not important for the front-end. Also, many times I have seen how developers implement features on the front-end just following the standard rules for a framework and think that this is enough to successfully launch the project, and then the project fails. How to prevent this and what approach to choose? I have launched dozens of complex projects and during the talk we will analyze which approaches have worked for me and which have not.
Let's dive deeper into the world of ODC! Ricardo Alves (OutSystems) will join us to tell all about the new Data Fabric. After that, Sezen de Bruijn (OutSystems) will get into the details on how to best design a sturdy architecture within ODC.
Accelerate your Kubernetes clusters with Varnish CachingThijs Feryn
A presentation about the usage and availability of Varnish on Kubernetes. This talk explores the capabilities of Varnish caching and shows how to use the Varnish Helm chart to deploy it to Kubernetes.
This presentation was delivered at K8SUG Singapore. See https://feryn.eu/presentations/accelerate-your-kubernetes-clusters-with-varnish-caching-k8sug-singapore-28-2024 for more details.
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf91mobiles
91mobiles recently conducted a Smart TV Buyer Insights Survey in which we asked over 3,000 respondents about the TV they own, aspects they look at on a new TV, and their TV buying preferences.
Epistemic Interaction - tuning interfaces to provide information for AI supportAlan Dix
Paper presented at SYNERGY workshop at AVI 2024, Genoa, Italy. 3rd June 2024
https://alandix.com/academic/papers/synergy2024-epistemic/
As machine learning integrates deeper into human-computer interactions, the concept of epistemic interaction emerges, aiming to refine these interactions to enhance system adaptability. This approach encourages minor, intentional adjustments in user behaviour to enrich the data available for system learning. This paper introduces epistemic interaction within the context of human-system communication, illustrating how deliberate interaction design can improve system understanding and adaptation. Through concrete examples, we demonstrate the potential of epistemic interaction to significantly advance human-computer interaction by leveraging intuitive human communication strategies to inform system design and functionality, offering a novel pathway for enriching user-system engagements.
Essentials of Automations: Optimizing FME Workflows with ParametersSafe Software
Are you looking to streamline your workflows and boost your projects’ efficiency? Do you find yourself searching for ways to add flexibility and control over your FME workflows? If so, you’re in the right place.
Join us for an insightful dive into the world of FME parameters, a critical element in optimizing workflow efficiency. This webinar marks the beginning of our three-part “Essentials of Automation” series. This first webinar is designed to equip you with the knowledge and skills to utilize parameters effectively: enhancing the flexibility, maintainability, and user control of your FME projects.
Here’s what you’ll gain:
- Essentials of FME Parameters: Understand the pivotal role of parameters, including Reader/Writer, Transformer, User, and FME Flow categories. Discover how they are the key to unlocking automation and optimization within your workflows.
- Practical Applications in FME Form: Delve into key user parameter types including choice, connections, and file URLs. Allow users to control how a workflow runs, making your workflows more reusable. Learn to import values and deliver the best user experience for your workflows while enhancing accuracy.
- Optimization Strategies in FME Flow: Explore the creation and strategic deployment of parameters in FME Flow, including the use of deployment and geometry parameters, to maximize workflow efficiency.
- Pro Tips for Success: Gain insights on parameterizing connections and leveraging new features like Conditional Visibility for clarity and simplicity.
We’ll wrap up with a glimpse into future webinars, followed by a Q&A session to address your specific questions surrounding this topic.
Don’t miss this opportunity to elevate your FME expertise and drive your projects to new heights of efficiency.
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...DanBrown980551
Do you want to learn how to model and simulate an electrical network from scratch in under an hour?
Then welcome to this PowSyBl workshop, hosted by Rte, the French Transmission System Operator (TSO)!
During the webinar, you will discover the PowSyBl ecosystem as well as handle and study an electrical network through an interactive Python notebook.
PowSyBl is an open source project hosted by LF Energy, which offers a comprehensive set of features for electrical grid modelling and simulation. Among other advanced features, PowSyBl provides:
- A fully editable and extendable library for grid component modelling;
- Visualization tools to display your network;
- Grid simulation tools, such as power flows, security analyses (with or without remedial actions) and sensitivity analyses;
The framework is mostly written in Java, with a Python binding so that Python developers can access PowSyBl functionalities as well.
What you will learn during the webinar:
- For beginners: discover PowSyBl's functionalities through a quick general presentation and the notebook, without needing any expert coding skills;
- For advanced developers: master the skills to efficiently apply PowSyBl functionalities to your real-world scenarios.
Transcript: Selling digital books in 2024: Insights from industry leaders - T...BookNet Canada
The publishing industry has been selling digital audiobooks and ebooks for over a decade and has found its groove. What’s changed? What has stayed the same? Where do we go from here? Join a group of leading sales peers from across the industry for a conversation about the lessons learned since the popularization of digital books, best practices, digital book supply chain management, and more.
Link to video recording: https://bnctechforum.ca/sessions/selling-digital-books-in-2024-insights-from-industry-leaders/
Presented by BookNet Canada on May 28, 2024, with support from the Department of Canadian Heritage.
Tidying up your Nest: Validating ATT&CK Technique Coverage using EDR Telemetry
1. Tidying up your Nest
Validating ATT&CK Technique Coverage
Using EDR Telemetry
2. Presenters
Jesse Brown
Senior Detection Validation
Engineer
@jessecbrown
Adam Ostrich
Senior Detection Validation
Engineer
Detection Validation Team
Understand how things should work
Make sure things work like they should
Make things work better
3. Outline
What is EDR telemetry?
How Red Canary works
Validation of ATT&CK techniques
Automated validation workflow
Lessons learned
4. Outline
What is EDR telemetry?
How Red Canary works
Validation of ATT&CK techniques
Automated validation workflow
Lessons learned
5. What is EDR Telemetry?
Cost of collection
(Time, CPU/memory/bandwidth)
Depth
of
coverage
EDR
Telemetry
Forensic
Images
Good for hunting
System
Logs
19. Outline
What is EDR telemetry?
How Red Canary works
Validation of ATT&CK techniques
Automated validation workflow
Lessons learned
20. Validate coverage across ATT&CK techniques
Break techniques down to data components
Data component Detects
Process creation procdump -ma lsass.exe lsass.dmp
Command execution Invoke-Mimikatz
Process access API calls to OpenProcess/MiniDumpWriteDump
Process access Crossproc (e.g. open process handle)
File modification File lsass.dmp written to disk
OS Credential Dumping: LSASS Memory (T1003.001)
23. End-to-end functional testing!
Run functional test
Report expected results
Compare expected results to actual results
Analyze/detect changes in results
24. Outline
What is EDR telemetry?
How Red Canary works
Validation of ATT&CK techniques
Automated validation workflow
Lessons learned
25. Scaling Validation with Automation
1) Spin up infrastructure
2) Run tests
3) Analyze results
27. Coalmine
Spin up infrastructure
○ Terraform and ansible
○ Creates/configures EC2 instances
Run tests
○ Atomic Red Team
https://github.com/redcanaryco/ansible-atomic-red-team
○ Atomic Test Harnesses
https://atomicredteam.io/atomic-test-harnesses
○ Vuvuzela
32. Telemetry Validation Lambda Function
Identify relevant engine data
Telemetry Profiling
Compare expected results
to engine data
Report results to S3 Splunk
API
33. Telemetry Validation Lambda Function
Identify relevant engine data
Telemetry Profiling
Compare expected results
to engine data
Report results to S3 Splunk
API
34. Telemetry Validation Lambda Function
Identify relevant engine data
Telemetry Profiling
Compare expected results
to engine data
Report results to S3 Splunk
API
35. Telemetry Validation Lambda Function
Identify relevant engine data
Telemetry Profiling
Compare expected results
to engine data
Report results to S3 Splunk
API
36. Valid
Skipped
Invalid
Splunk dashboard example
Field name Expected Found
process_command_lin
e
procdump -ma lsass.exe lsass.dmp procdump -ma lsass.exe lsass.dmp
process_md5 f2091c44d89789f689d98bc244358878 f2091c44d89789f689d98bc244358878
process_name procdump.exe procdump.exe
Field name Expected Found
process_sha1 db1ef4ce56820c93a3b7f1fdf36d3fffc7d1ec96
process_sha256 e4ea34a7c2b51982a6c42c6367119f34bec9aeb9a60937836540035583a5b3bc
Field name Expected Found
process_path C:Sysinternalsprocdump.exe DeviceHarddiskVolume1Sysinternalsprocdump.exe
process_pid 1528 1529
38. Outline
What is EDR telemetry?
How Red Canary works
Validation of ATT&CK techniques
Automated validation workflow
Lessons learned
39. Telemetry quirks
Signal/noise ratio different for each sensor
○ Lower quality telemetry (i.e. filemods & regmods) can be highly filtered
○ Filemod filtering by process, directory, and file type
File telemetry has inconsistent meaning/terminology
○ What is a filemod?
○ Creation vs. modification
40. Challenges of using EDR telemetry
Level of detail is limited
○ Limited insight into certain types of behaviors like API calls
○ Can’t use static binary signatures outside of a hash
○ Certain telemetry types are limited because they’re noisy
Example: Credential theft
○ Dumping lsass -> good telemetry
○ Application credential theft (e.g. browsers) -> limited/no telemetry
○ EDR sensors are good at generating alerts for this activity
41. Benefits of using EDR telemetry
Offloading detections from endpoints
○ Avoids limitations of analytics on endpoints
○ Highly scalable
○ Adversary can’t see alerts
Versatile representation of behavior
○ Captures context
○ Useful for correlation
42. Key takeaways
EDR telemetry balances signal/noise
Validating ATT&CK techniques using data components scales well
End-to-end functional testing
○ Provides a clear signal when there’s a problem
○ Captures nuances of techniques
Automation allows us to scale validation
Con: EDR telemetry provides a limited level of detail
Pro: EDR telemetry offloads detections from endpoints and
provides context around an alert
43. Questions?
Team blog series: The Validated Canary
Our validation philosophy
https://redcanary.com/blog/detection-validation/
Unearthing changes in our detection engine with Coalmine
https://redcanary.com/blog/coalmine/