
Mitre Att&ck Matrix


scarlos

Presentation Transcript


  1. Mitre Att&ck Matrix RA PS... Trebuchet font makes crazy ampersands but I was too lazy to change it

  2. Docket
     • More background at Lightning McSpeed ... or not...
     • More specifically:
       • Use today
       • Moving forward
       • Avoiding Pitfalls
       • Other (maybe?) interesting stuff

  3. Engage Ludicrous Speed...Att&ck Background

  4. Engage Ludicrous Speed...Att&ck Background
     • Not the Cyber Kill Chain (but you already knew this)
       • https://www.lockheedmartin.com/en-us/capabilities/cyber/cyber-kill-chain.html
     • Not CAR (Cyber Analytics Repository) {but CAR looks pretty cool}
       • https://mitre-attack.github.io/caret/#/
     • Not CAPEC (Common Attack Pattern Enumeration and Classification) {probably also cool & they are in the same GitHub repo}
       • https://capec.mitre.org/
     • Not CALDERA (An automated adversary emulation system)
       • https://github.com/mitre/caldera
       • https://github.com/mitre/brawl-public-game-001
     • Not CASCADE (An automated investigation engine)
       • https://github.com/mitre/cascade-server
     • Not Some other C name

  5. Engage Ludicrous Speed...Att&ck Background
     Basics:
     • Perspective of the Attacker/Adversary
     • Series of tactics that the attacker wants to achieve
     • Series of techniques per tactic
     • Common Use Cases:
       • Detections & Analytics
       • TI (Threat Intel)
       • Threat emulation / Red Teaming
       • Assessment/Engineering

  6. Engage Ludicrous Speed...Att&ck Background
     Matrix or Matrices?
     • PRE-ATT&CK
       • Prevent an attack before the adversary has a chance to get in
     • Enterprise
       • All Platforms
       • Linux
       • macOS
       • Windows
     • Mobile
       • Broken into 2 sub-matrices:
         • Device Access
         • Network Effects

  7. Engage Ludicrous Speed...Att&ck Background

  8. Working w/ Att&ck
     • Programmatically reference w/ STIX/TAXII
     • ATT&CK Navigator

  9. STIX / TAXII
     • Haven't trodden here in practice, but here's some more:
     • Intro:
       • https://attack.mitre.org/resources/working-with-attack/
     • Usage:
       • https://github.com/mitre/cti/blob/master/USAGE.md
     • All the raw JSON:
       • https://raw.githubusercontent.com/mitre/cti/master/enterprise-attack/enterprise-attack.json
     • Recommended Python repo (pip install stix2):
       • https://github.com/oasis-open/cti-python-stix2
     • Cyber Threat Intelligence Repository: ATT&CK and CAPEC in STIX 2.0 JSON
       • https://github.com/mitre/cti

  10–14. STIX / TAXII – b/c pics are nice (image slides)

  15. Att&ck Navigator
     • Helps explore the Att&ck knowledge base
     • Multiple Layers
     • Multi-Select tool
     • Assign Color or Score (and Ranges)
     • Can create layers from existing layers
     • https://mitre-attack.github.io/attack-navigator/enterprise/#

  16. Att&ck Navigator - Example
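Added example for slides 9 and 15 (not code from the slides or from MITRE's repositories): it reads the STIX 2.0 bundle shape the slide links (attack-pattern objects with kill_chain_phases and a mitre-attack external reference, plus x-mitre-tactic objects) with the standard library instead of the stix2 package, rebuilds the tactic columns of the matrix, and writes a Navigator layer that scores the techniques a team has detections for. Assumptions: the bundle is a constructed stub, T9999 is a made-up ID, and the layer keys follow the 2.x layer-file format (check the Navigator's current layer spec before importing).

```python
# Constructed mini-bundle in the shape of mitre/cti enterprise-attack.json;
# only the fields this script reads are present.
def _ap(name, tid, *phases, **extra):
    """Build a constructed attack-pattern object in mitre/cti shape."""
    return {"type": "attack-pattern", "name": name,
            "kill_chain_phases": [{"kill_chain_name": "mitre-attack", "phase_name": p} for p in phases],
            "external_references": [{"source_name": "mitre-attack", "external_id": tid}], **extra}

SAMPLE_BUNDLE = {"type": "bundle", "spec_version": "2.0", "objects": [
    {"type": "x-mitre-tactic", "name": "Execution", "x_mitre_shortname": "execution"},
    {"type": "x-mitre-tactic", "name": "Persistence", "x_mitre_shortname": "persistence"},
    _ap("Scheduled Task", "T1053", "execution", "persistence"),
    _ap("Command-Line Interface", "T1059", "execution"),
    _ap("Retired Technique", "T9999", "persistence", revoked=True),  # T9999 is made up
]}

def attack_id(obj):
    """ATT&CK ID (e.g. T1059) from the object's mitre-attack external reference."""
    return next((r["external_id"] for r in obj.get("external_references", [])
                 if r.get("source_name") == "mitre-attack"), None)

def live_techniques(bundle):
    """Attack-patterns minus revoked/deprecated ones, which the bundle keeps so old references resolve."""
    for obj in bundle["objects"]:
        if obj["type"] == "attack-pattern" and not (obj.get("revoked") or obj.get("x_mitre_deprecated")):
            yield obj

def techniques_by_tactic(bundle):
    """Rebuild the matrix columns: tactic display name -> [(ID, technique name)]."""
    tactic_names = {o["x_mitre_shortname"]: o["name"]
                    for o in bundle["objects"] if o["type"] == "x-mitre-tactic"}
    matrix = {}
    for obj in live_techniques(bundle):
        for phase in obj.get("kill_chain_phases", []):
            if phase.get("kill_chain_name") == "mitre-attack":
                tactic = tactic_names.get(phase["phase_name"], phase["phase_name"])
                matrix.setdefault(tactic, []).append((attack_id(obj), obj["name"]))
    return matrix

def navigator_layer(bundle, detections, name="detection coverage"):
    """Navigator layer (2.x layer-file keys assumed): score 1 where a detection is mapped, else 0."""
    techniques = [{"techniqueID": attack_id(obj),
                   "score": 1 if attack_id(obj) in detections else 0,
                   "comment": detections.get(attack_id(obj), "")}
                  for obj in live_techniques(bundle)]
    return {"name": name, "version": "2.1", "domain": "mitre-enterprise",
            "techniques": techniques,
            "gradient": {"colors": ["#ffffff", "#66b1ff"], "minValue": 0, "maxValue": 1}}
```

For the real data, json.load the enterprise-attack.json file linked on slide 9 and pass it in place of SAMPLE_BUNDLE; json.dump the returned layer to a file and open it with the Navigator's layer import.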

  17. How big is Att&ck?
     • They have a blog
       • https://medium.com/mitre-attack
     • They can be found on the twitters
       • https://twitter.com/mitreattack
     • They have brainwashed enough people to make money on their own con:
       • https://attack.mitre.org/resources/attackcon/
     • They want You! ...or at least your input:
       • https://attack.mitre.org/resources/contribute/

  18. Use Today
     • SOC
       • Essentially no current use
     • Blue/IR Team
       • Essentially no current use
     • Threat Intel
       • Essentially no current use
     • Engineering
       • Essentially no current use
     • Red Team
       • Raising the bar again.....
       • Just above no current use ;)

  19. Tech Notes

  20. Notes
     • Nested inside the Notebook is another tools section, built out by technology / other themes

  21. Links / References

  22. Moving Forward
     • Resource for Red Team Simulation
     • Vulnerability mapped to Att&ck Tactics
       • Not for customers but for Red Team tracking of coverage/systemic areas of weakness
     • Documentation for Pentest progression for specific application
     • More utilization by other InfoSec areas/teams

  23. Avoiding Pitfalls - Don't Stay in the Matrix
     https://redcanary.com/blog/avoiding-common-attack-pitfalls/
     #1 Don't Assume All Techniques Are Equal
     • Some ATT&CK techniques are specific and others are generic, so focus on what's specific first, then increase your scope from there.
     #2 Don't Try Building Alerts for Every Technique
     • You don't need to alert on every technique in the matrix, so focus on those techniques that are more readily detectable before moving on to the more complex ones.
     #3 Don't Misunderstand Your Coverage
     • Each technique contains boundless possibilities, so measure the efficacy of the techniques you can detect, not the unknown.
     #4 Don't Stay in the Matrix
     • Adversaries move faster than models, so you have to be proactive about finding ways to detect emerging threats.
     #5 Don't Forget the Fundamentals
     • ATT&CK is a great repository for adversarial behaviors, but you have to be careful not to lose track of fundamental security concepts like security awareness training, vulnerability management, and the principle of least privilege.

  24. Other Stuff: Atomic Red Team
     • https://github.com/redcanaryco/atomic-red-team
     • https://atomicredteam.io/testing
     • https://cyberwardog.blogspot.com/2017/07/how-hot-is-your-hunt-team.html
     • Perhaps combining w/ Detection Lab for comparing/contrasting:
       • https://github.com/clong/DetectionLab

  25. Other Stuff: CAR / CARET
     • https://github.com/mitre-attack/car
     • https://mitre-attack.github.io/caret/#/
     • CAR is a good starting point for many organizations and can be a great platform for open analytic collaboration - but it isn't the be-all/end-all for defending against the threats described by ATT&CK.

  26. References
     • Att&ck Overview
       • https://attack.mitre.org/resources/getting-started/
       • https://www.youtube.com/watch?v=EsvUUCrbhIE
     • Att&ck-Navigator Example
       • https://www.youtube.com/watch?v=78RIsFqo9pM
     • Source References:
       • https://github.com/mitre/cti
     • Attack Dudes Presentations and Stuff:
       • https://www.slideshare.net/DanielWeiss24/one-technique-two-techniques-red-technique-blue-technique
     • Avoiding Pitfalls
     • Other References:
       • See throughout the presentation
