Presentation is loading. Please wait.

Presentation is loading. Please wait.

Mitre Att&ck Matrix RA PS...Trebuchet Font makes crazy ampersands but I was to lazy to change it.

Similar presentations


Presentation on theme: "Mitre Att&ck Matrix RA PS...Trebuchet Font makes crazy ampersands but I was to lazy to change it."— Presentation transcript:

1 Mitre Att&ck Matrix RA PS...Trebuchet Font makes crazy ampersands but I was to lazy to change it

2 Docket More background at Lightning McSpeed ... or not...
More specifically: Use today Moving forward Avoiding Pitfalls Other (maybe?) interesting stuff

3 Engage Ludicrous Speed...Att&ck Background

4 Engage Ludicrous Speed...Att&ck Background
Not the Cyber Kill Chain (but you already knew this) Not CAR (Cyber Analytics Repository) {but CAR looks pretty cool} Not CAPEC (Common Attack Pattern Enumeration and Classification) {probably also cool & they are in the same github repo} Not CALDERA (An automated adversary emulation system) Not CASCADE (An automated investigation engine) Not Some other C name

5 Engage Ludicrous Speed...Att&ck Background
Basics: Perspective of the Attacker/Adversary Series of tactics, that the attacker wants to achieve Series of techniques per tactic Common Use Cases: Detections & Analytics TI Threat emulation / Red Teaming Assessment/Engineering

6 Engage Ludicrous Speed...Att&ck Background
Matrix or Matrices? PRE-ATT&CK Prevent an attack before the adversary has a chance to get in Enterprise All Platforms Linux macOS Windows Mobile Broken into 2 sub matrices: Device Access Network Effects

7 Engage Ludicrous Speed...Att&ck Background

8 Working w/ Att&ck Programmatically reference w/ STIX/TAXII
ATT&CK Navigator

9 STIX / TAXII Haven’t treaded here in practice, but here’s some more:
Intro: Usage All the raw JSON: attack/enterprise-attack.json Recommend Python Repo: (pip install stix2) Cyber Threat Intelligence Repository or ATT&CK and CAPEC in STIX 2.0 JSON

10 STIX / TAXII – b/c pics are nice

11 STIX / TAXII – b/c pics are nice

12 STIX / TAXII – b/c pics are nice

13 STIX / TAXII – b/c pics are nice

14 STIX / TAXII – b/c pics are nice

15 Att&ck Navigator Help Explore Att&ck knowledge base Multiple Layers
Multi-Select tool Assign Color or Score (and Ranges) Can create layers from existing layers navigator/enterprise/#

16 Att&ck Navigator - Example

17 How big is Att&ck? The have a blog They can be found on the twitters
They can be found on the twitters They have brainwashed enough to make money on their own con: They want You! ...or at least your input:

18 Use Today SOC Blue/IR Team Threat Intel Engineering Red Team
Essentially no current use Blue/IR Team Threat Intel Engineering Red Team Raising the bar again..... Just above no current use ;)

19 Tech Notes

20 Notes Nested inside Notebook is another tools section built out by technology / other themes

21 Links / References

22 Moving Forward Resource for Red Team Simulation
Vulnerability mapped to Att&ck Tactics Not for customers but for Red Team tracking of coverage/systemic areas of weakness Documentation for Pentest progression for specific application More utilization by other InfoSec areas/teams

23 Avoiding Pitfalls - Don’t Stay in the Matrix
#1 Don’t Assume All Techniques Are Equal ATT&CK techniques are specific and others are generic, so focus on what’s specific first, then increase your scope from there. #2 Don’t Try Building Alerts for Every Technique You don’t need to alert on every technique in the matrix, so focus on those techniques that are more readily detectable before moving on to the more complex ones. #3 Don’t Misunderstand Your Coverage Each technique contains boundless possibilities, so measure the efficacy of the techniques you can detect, not the unknown. #4 Don’t Stay in the Matrix Adversaries move faster than models, so you have to be proactive about finding ways to detect emerging threats. #5 Don’t Forget the Fundamentals ATT&CK is a great repository for adversarial behaviors, but you have to be careful not to lose track of fundamental security concepts like security awareness training, vulnerability management, and the principle of least privilege.

24 Other Stuff: Atomic Red Team
is-your-hunt-team.html Perhaps combining w/ Detection Lab for comparing/contrasting:

25 Other Stuff: CAR / CARET
CAR is a good starting point for many organizations and can be a great platform for open analytic collaboration -  but it isn’t the be-all/end-all for defending against the threats described by ATT&CK.

26 References Att&ck Overview Att&ck-Navigator Example Source References:
Att&ck-Navigator Example Source References: Attack Dudes Presentations and Stuff: technique-blue-technique Avoiding Pitfalls Other References: See throughout the presentation


Download ppt "Mitre Att&ck Matrix RA PS...Trebuchet Font makes crazy ampersands but I was to lazy to change it."

Similar presentations


Ads by Google