Presentation is loading. Please wait.

Presentation is loading. Please wait.

Mitre Att&ck Matrix RA PS...Trebuchet Font makes crazy ampersands but I was to lazy to change it.

Published byAmos Wilkerson Modified over 5 years ago

Similar presentations

Presentation on theme: "Mitre Att&ck Matrix RA PS...Trebuchet Font makes crazy ampersands but I was to lazy to change it."— Presentation transcript:

1 Mitre Att&ck Matrix RA PS...Trebuchet Font makes crazy ampersands but I was to lazy to change it

2 Docket More background at Lightning McSpeed ... or not...
More specifically: Use today Moving forward Avoiding Pitfalls Other (maybe?) interesting stuff

3 Engage Ludicrous Speed...Att&ck Background

4 Engage Ludicrous Speed...Att&ck Background
Not the Cyber Kill Chain (but you already knew this) Not CAR (Cyber Analytics Repository) {but CAR looks pretty cool} Not CAPEC (Common Attack Pattern Enumeration and Classification) {probably also cool & they are in the same github repo} Not CALDERA (An automated adversary emulation system) Not CASCADE (An automated investigation engine) Not Some other C name

5 Engage Ludicrous Speed...Att&ck Background
Basics: Perspective of the Attacker/Adversary Series of tactics, that the attacker wants to achieve Series of techniques per tactic Common Use Cases: Detections & Analytics TI Threat emulation / Red Teaming Assessment/Engineering

6 Engage Ludicrous Speed...Att&ck Background
Matrix or Matrices? PRE-ATT&CK Prevent an attack before the adversary has a chance to get in Enterprise All Platforms Linux macOS Windows Mobile Broken into 2 sub matrices: Device Access Network Effects

7 Engage Ludicrous Speed...Att&ck Background

8 Working w/ Att&ck Programmatically reference w/ STIX/TAXII
ATT&CK Navigator

9 STIX / TAXII Haven’t treaded here in practice, but here’s some more:
Intro: Usage All the raw JSON: attack/enterprise-attack.json Recommend Python Repo: (pip install stix2) Cyber Threat Intelligence Repository or ATT&CK and CAPEC in STIX 2.0 JSON

10 STIX / TAXII – b/c pics are nice

11 STIX / TAXII – b/c pics are nice

12 STIX / TAXII – b/c pics are nice

13 STIX / TAXII – b/c pics are nice

14 STIX / TAXII – b/c pics are nice

15 Att&ck Navigator Help Explore Att&ck knowledge base Multiple Layers
Multi-Select tool Assign Color or Score (and Ranges) Can create layers from existing layers navigator/enterprise/#

16 Att&ck Navigator - Example

17 How big is Att&ck? The have a blog They can be found on the twitters
They can be found on the twitters They have brainwashed enough to make money on their own con: They want You! ...or at least your input:

18 Use Today SOC Blue/IR Team Threat Intel Engineering Red Team
Essentially no current use Blue/IR Team Threat Intel Engineering Red Team Raising the bar again..... Just above no current use ;)

19 Tech Notes

20 Notes Nested inside Notebook is another tools section built out by technology / other themes

21 Links / References

22 Moving Forward Resource for Red Team Simulation
Vulnerability mapped to Att&ck Tactics Not for customers but for Red Team tracking of coverage/systemic areas of weakness Documentation for Pentest progression for specific application More utilization by other InfoSec areas/teams

23 Avoiding Pitfalls - Don’t Stay in the Matrix
#1 Don’t Assume All Techniques Are Equal ATT&CK techniques are specific and others are generic, so focus on what’s specific first, then increase your scope from there. #2 Don’t Try Building Alerts for Every Technique You don’t need to alert on every technique in the matrix, so focus on those techniques that are more readily detectable before moving on to the more complex ones. #3 Don’t Misunderstand Your Coverage Each technique contains boundless possibilities, so measure the efficacy of the techniques you can detect, not the unknown. #4 Don’t Stay in the Matrix Adversaries move faster than models, so you have to be proactive about finding ways to detect emerging threats. #5 Don’t Forget the Fundamentals ATT&CK is a great repository for adversarial behaviors, but you have to be careful not to lose track of fundamental security concepts like security awareness training, vulnerability management, and the principle of least privilege.

24 Other Stuff: Atomic Red Team
is-your-hunt-team.html Perhaps combining w/ Detection Lab for comparing/contrasting:

25 Other Stuff: CAR / CARET
CAR is a good starting point for many organizations and can be a great platform for open analytic collaboration -  but it isn’t the be-all/end-all for defending against the threats described by ATT&CK.

26 References Att&ck Overview Att&ck-Navigator Example Source References:
Att&ck-Navigator Example Source References: Attack Dudes Presentations and Stuff: technique-blue-technique Avoiding Pitfalls Other References: See throughout the presentation

Download ppt "Mitre Att&ck Matrix RA PS...Trebuchet Font makes crazy ampersands but I was to lazy to change it."

Similar presentations

Threat Intelligence Use in Information Security: History, Theory and Practice Tim Gallo Cyber Security Field Engineering 1.

Threat Intelligence Use in Information Security: History, Theory and Practice Tim Gallo Cyber Security Field Engineering 1.
©2014 Bit9. All Rights Reserved Building a Continuous Response Architecture.

©2014 Bit9. All Rights Reserved Building a Continuous Response Architecture.
SEC835 Database and Web application security Information Security Architecture.

SEC835 Database and Web application security Information Security Architecture.
INTERACTIVE ANALYSIS OF COMPUTER CRIMES PRESENTED FOR CS-689 ON 10/12/2000 BY NAGAKALYANA ESKALA.

INTERACTIVE ANALYSIS OF COMPUTER CRIMES PRESENTED FOR CS-689 ON 10/12/2000 BY NAGAKALYANA ESKALA.
Security Innovation & Startup. OPEN THREAT EXCHANGE (OTX): THE HISTORY AND FUTURE OF OPEN THREAT INTELLIGENCE COMMUNITY ALIENVAULT OTX.

Security Innovation & Startup. OPEN THREAT EXCHANGE (OTX): THE HISTORY AND FUTURE OF OPEN THREAT INTELLIGENCE COMMUNITY ALIENVAULT OTX.
Ali Alhamdan, PhD National Information Center Ministry of Interior

Ali Alhamdan, PhD National Information Center Ministry of Interior
Network security Product Group 2 McAfee Network Security Platform.

Network security Product Group 2 McAfee Network Security Platform.
Consistency in Reporting Data Breaches

Consistency in Reporting Data Breaches
ARAMA TECH D A T A P R O T E C T I O N P R O F E S S I O N A L S VISION & STRATEGY.

ARAMA TECH D A T A P R O T E C T I O N P R O F E S S I O N A L S VISION & STRATEGY.
ECAT 4.1 – Rule Your Endpoints What’s New Customer Overview.

ECAT 4.1 – Rule Your Endpoints What’s New Customer Overview.
ON “SOFTWARE ENGINEERING” SUBJECT TOPIC “RISK ANALYSIS AND MANAGEMENT” MASTER OF COMPUTER APPLICATION (5th Semester) Presented by: ANOOP GANGWAR SRMSCET,

ON “SOFTWARE ENGINEERING” SUBJECT TOPIC “RISK ANALYSIS AND MANAGEMENT” MASTER OF COMPUTER APPLICATION (5th Semester) Presented by: ANOOP GANGWAR SRMSCET,
Visual Analytics for Cyber Defense Decision-Making Anita D’Amico, Ph.D. Secure Decisions division of Applied Visions, Inc.

Visual Analytics for Cyber Defense Decision-Making Anita D’Amico, Ph.D. Secure Decisions division of Applied Visions, Inc.
The value of Cyber Defense Exercises 1. Purpose and objectives The aim is to improve information assurance in critical infrastructure by :  Better understanding.

The value of Cyber Defense Exercises 1. Purpose and objectives The aim is to improve information assurance in critical infrastructure by :  Better understanding.
King William High School. Cyber Security Curriculum 4 year high school curriculum Up to 5 technology certifications upon successful completion of each.

King William High School. Cyber Security Curriculum 4 year high school curriculum Up to 5 technology certifications upon successful completion of each.
Proactive Incident Response

Proactive Incident Response
Protect your Digital Enterprise

Protect your Digital Enterprise
Explaining Bitcoins will be the easy part: Email Borne Attacks and How You Can Defend Against Them Karsten Chearis Sales Engineer.

Explaining Bitcoins will be the easy part: Borne Attacks and How You Can Defend Against Them Karsten Chearis Sales Engineer.
Abusing 3rd-Party Services For Command And Control

Abusing 3rd-Party Services For Command And Control
Deployment Planning Services

Deployment Planning Services
Cisco Defense Orchestrator

Cisco Defense Orchestrator

Similar presentations

Ads by Google