Download presentation
Presentation is loading. Please wait.
Published byAmos Wilkerson Modified over 5 years ago
1
Mitre Att&ck Matrix RA PS...Trebuchet Font makes crazy ampersands but I was to lazy to change it
2
Docket More background at Lightning McSpeed ... or not...
More specifically: Use today Moving forward Avoiding Pitfalls Other (maybe?) interesting stuff
3
Engage Ludicrous Speed...Att&ck Background
4
Engage Ludicrous Speed...Att&ck Background
Not the Cyber Kill Chain (but you already knew this) Not CAR (Cyber Analytics Repository) {but CAR looks pretty cool} Not CAPEC (Common Attack Pattern Enumeration and Classification) {probably also cool & they are in the same github repo} Not CALDERA (An automated adversary emulation system) Not CASCADE (An automated investigation engine) Not Some other C name
5
Engage Ludicrous Speed...Att&ck Background
Basics: Perspective of the Attacker/Adversary Series of tactics, that the attacker wants to achieve Series of techniques per tactic Common Use Cases: Detections & Analytics TI Threat emulation / Red Teaming Assessment/Engineering
6
Engage Ludicrous Speed...Att&ck Background
Matrix or Matrices? PRE-ATT&CK Prevent an attack before the adversary has a chance to get in Enterprise All Platforms Linux macOS Windows Mobile Broken into 2 sub matrices: Device Access Network Effects
7
Engage Ludicrous Speed...Att&ck Background
8
Working w/ Att&ck Programmatically reference w/ STIX/TAXII
ATT&CK Navigator
9
STIX / TAXII Haven’t treaded here in practice, but here’s some more:
Intro: Usage All the raw JSON: attack/enterprise-attack.json Recommend Python Repo: (pip install stix2) Cyber Threat Intelligence Repository or ATT&CK and CAPEC in STIX 2.0 JSON
10
STIX / TAXII – b/c pics are nice
11
STIX / TAXII – b/c pics are nice
12
STIX / TAXII – b/c pics are nice
13
STIX / TAXII – b/c pics are nice
14
STIX / TAXII – b/c pics are nice
15
Att&ck Navigator Help Explore Att&ck knowledge base Multiple Layers
Multi-Select tool Assign Color or Score (and Ranges) Can create layers from existing layers navigator/enterprise/#
16
Att&ck Navigator - Example
17
How big is Att&ck? The have a blog They can be found on the twitters
They can be found on the twitters They have brainwashed enough to make money on their own con: They want You! ...or at least your input:
18
Use Today SOC Blue/IR Team Threat Intel Engineering Red Team
Essentially no current use Blue/IR Team Threat Intel Engineering Red Team Raising the bar again..... Just above no current use ;)
19
Tech Notes
20
Notes Nested inside Notebook is another tools section built out by technology / other themes
21
Links / References
22
Moving Forward Resource for Red Team Simulation
Vulnerability mapped to Att&ck Tactics Not for customers but for Red Team tracking of coverage/systemic areas of weakness Documentation for Pentest progression for specific application More utilization by other InfoSec areas/teams
23
Avoiding Pitfalls - Don’t Stay in the Matrix
#1 Don’t Assume All Techniques Are Equal ATT&CK techniques are specific and others are generic, so focus on what’s specific first, then increase your scope from there. #2 Don’t Try Building Alerts for Every Technique You don’t need to alert on every technique in the matrix, so focus on those techniques that are more readily detectable before moving on to the more complex ones. #3 Don’t Misunderstand Your Coverage Each technique contains boundless possibilities, so measure the efficacy of the techniques you can detect, not the unknown. #4 Don’t Stay in the Matrix Adversaries move faster than models, so you have to be proactive about finding ways to detect emerging threats. #5 Don’t Forget the Fundamentals ATT&CK is a great repository for adversarial behaviors, but you have to be careful not to lose track of fundamental security concepts like security awareness training, vulnerability management, and the principle of least privilege.
24
Other Stuff: Atomic Red Team
is-your-hunt-team.html Perhaps combining w/ Detection Lab for comparing/contrasting:
25
Other Stuff: CAR / CARET
CAR is a good starting point for many organizations and can be a great platform for open analytic collaboration - but it isn’t the be-all/end-all for defending against the threats described by ATT&CK.
26
References Att&ck Overview Att&ck-Navigator Example Source References:
Att&ck-Navigator Example Source References: Attack Dudes Presentations and Stuff: technique-blue-technique Avoiding Pitfalls Other References: See throughout the presentation
Similar presentations
© 2025 SlidePlayer.com. Inc.
All rights reserved.