Att&ck Matrix: Engage Ludicrous Speed

 
Mitre Att&ck Matrix
 
RA
 
PS...Trebuchet Font makes crazy ampersands but I was too lazy to change it
 
Docket
 
More background at Lightning McSpeed ... or not...
More specifically:
Use today
Moving forward
Avoiding Pitfalls
Other (maybe?) interesting stuff
 
Engage Ludicrous Speed...Att&ck Background
 
Not the Cyber Kill Chain (but you already knew this)
https://www.lockheedmartin.com/en-us/capabilities/cyber/cyber-kill-chain.html
Not CAR (Cyber Analytics Repository) {but CAR looks pretty cool}
https://mitre-attack.github.io/caret/#/
Not CAPEC (Common Attack Pattern Enumeration and Classification)
{probably also cool & they are in the same github repo}
https://capec.mitre.org/
Not CALDERA (An automated adversary emulation system)
https://github.com/mitre/caldera
https://github.com/mitre/brawl-public-game-001
Not CASCADE (An automated investigation engine)
https://github.com/mitre/cascade-server
Not Some other C name
 
Engage Ludicrous Speed...Att&ck Background
 
Basics:
Perspective of the Attacker/Adversary
Series of tactics, that the attacker wants to achieve
Series of techniques per tactic
 
Common Use Cases:
Detections & Analytics
TI
Threat emulation / Red Teaming
Assessment/Engineering
 
Engage Ludicrous Speed...Att&ck Background
 
Matrix or Matrices?
PRE-ATT&CK
Prevent an attack before the adversary has a chance to get in
Enterprise
All Platforms
Linux
macOS
Windows
Mobile
Broken into 2 sub matrices:
Device Access
Network Effects
 
Working w/ Att&ck
 
Programmatically reference w/ STIX/TAXII
ATT&CK Navigator
 
STIX / TAXII
 
Haven’t trodden here in practice, but here’s some more:
Intro:
https://attack.mitre.org/resources/working-with-attack/
Usage
https://github.com/mitre/cti/blob/master/USAGE.md
All the raw JSON:
https://raw.githubusercontent.com/mitre/cti/master/enterprise-attack/enterprise-attack.json
Recommend Python Repo:  (pip install stix2)
https://github.com/oasis-open/cti-python-stix2
Cyber Threat Intelligence Repository of ATT&CK and CAPEC in STIX 2.0 JSON
https://github.com/mitre/cti
 
STIX / TAXII – b/c pics are nice
 
(image slides: screenshots of the STIX 2.0 JSON objects)
 
Att&ck Navigator
 
Help Explore Att&ck knowledge base
Multiple Layers
Multi-Select tool
Assign Color or Score (and Ranges)
Can create layers from existing layers
 
https://mitre-attack.github.io/attack-navigator/enterprise/#
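The two slides above (referencing ATT&CK programmatically through the STIX 2.0 JSON in mitre/cti, and building Navigator layers, including layers derived from other layers) in working code. This is an added example, not code from the deck or from MITRE; it uses only the Python standard library rather than the stix2 package recommended on the STIX / TAXII slide, so it runs offline against the small constructed bundle embedded in it. The real enterprise-attack.json has the same object shapes (attack-pattern with kill_chain_phases, intrusion-set, relationship of type uses) and can be fed to the same functions. Assumptions: the STIX UUIDs, "Example Group"/G0000 and the revoked T0000 entry are placeholders; T1003 and T1078 are real technique IDs but the bundle is hand-trimmed; the Navigator layer fields (version "2.2", domain "mitre-enterprise") are what the Navigator of the deck's era accepted and should be checked against the Navigator version you run (newer releases use domain "enterprise-attack" and a 4.x layer format).

```python
import json
from collections import defaultdict

# Constructed, hand-trimmed bundle in the shape of mitre/cti enterprise-attack.json. The STIX
# UUIDs, "Example Group"/G0000 and the revoked T0000 entry are placeholders, not ATT&CK data.
BUNDLE_JSON = r'''{"type": "bundle", "spec_version": "2.0", "objects": [
 {"type": "attack-pattern", "id": "attack-pattern--00000000-0000-4000-8000-0000000000a1",
  "name": "Credential Dumping",
  "external_references": [{"source_name": "mitre-attack", "external_id": "T1003"}],
  "kill_chain_phases": [{"kill_chain_name": "mitre-attack", "phase_name": "credential-access"}]},
 {"type": "attack-pattern", "id": "attack-pattern--00000000-0000-4000-8000-0000000000a2",
  "name": "Valid Accounts",
  "external_references": [{"source_name": "mitre-attack", "external_id": "T1078"}],
  "kill_chain_phases": [{"kill_chain_name": "mitre-attack", "phase_name": "persistence"},
                        {"kill_chain_name": "mitre-attack", "phase_name": "privilege-escalation"},
                        {"kill_chain_name": "mitre-attack", "phase_name": "defense-evasion"},
                        {"kill_chain_name": "mitre-attack", "phase_name": "initial-access"}]},
 {"type": "attack-pattern", "id": "attack-pattern--00000000-0000-4000-8000-0000000000a3",
  "name": "Placeholder revoked technique", "revoked": true,
  "external_references": [{"source_name": "mitre-attack", "external_id": "T0000"}],
  "kill_chain_phases": [{"kill_chain_name": "mitre-attack", "phase_name": "execution"}]},
 {"type": "intrusion-set", "id": "intrusion-set--00000000-0000-4000-8000-0000000000b1",
  "name": "Example Group",
  "external_references": [{"source_name": "mitre-attack", "external_id": "G0000"}]},
 {"type": "relationship", "relationship_type": "uses",
  "source_ref": "intrusion-set--00000000-0000-4000-8000-0000000000b1",
  "target_ref": "attack-pattern--00000000-0000-4000-8000-0000000000a1"},
 {"type": "relationship", "relationship_type": "uses",
  "source_ref": "intrusion-set--00000000-0000-4000-8000-0000000000b1",
  "target_ref": "attack-pattern--00000000-0000-4000-8000-0000000000a3"}]}'''

def load_bundle(text=BUNDLE_JSON):
    """Parse a STIX bundle; pass the contents of enterprise-attack.json for the real thing."""
    return json.loads(text)

def attack_id(obj):
    """ATT&CK external ID (T####, G####, ...) of a STIX object, or None if it has none."""
    for ref in obj.get("external_references", []):
        if ref.get("source_name") == "mitre-attack":
            return ref.get("external_id")
    return None

def is_live(obj):
    """The bundle keeps revoked/deprecated objects for history; skip them when indexing."""
    return not obj.get("revoked", False) and not obj.get("x_mitre_deprecated", False)

def build_index(bundle):
    """Techniques by STIX id, technique IDs per tactic, groups, and group->technique 'uses' edges."""
    techniques, groups, by_tactic, uses = {}, {}, defaultdict(set), defaultdict(set)
    for obj in bundle["objects"]:
        if obj["type"] == "attack-pattern" and is_live(obj):
            tactics = [p["phase_name"] for p in obj.get("kill_chain_phases", [])
                       if p.get("kill_chain_name") == "mitre-attack"]
            techniques[obj["id"]] = {"id": attack_id(obj), "name": obj["name"], "tactics": tactics}
            for tactic in tactics:
                by_tactic[tactic].add(attack_id(obj))
        elif obj["type"] == "intrusion-set" and is_live(obj):
            groups[obj["id"]] = {"id": attack_id(obj), "name": obj["name"]}
        elif obj["type"] == "relationship" and obj.get("relationship_type") == "uses":
            uses[obj["source_ref"]].add(obj["target_ref"])
    return {"techniques": techniques, "by_tactic": dict(by_tactic),
            "groups": groups, "uses": dict(uses)}

def techniques_for_group(index, group_id):
    """Technique IDs a group is documented to use; edges to revoked techniques are dropped."""
    for stix_id, group in index["groups"].items():
        if group["id"] == group_id:
            return sorted(index["techniques"][t]["id"]
                          for t in index["uses"].get(stix_id, ()) if t in index["techniques"])
    raise KeyError(group_id)

def navigator_layer(name, scores, description=""):
    """Navigator layer dict. version/domain are assumed for the Navigator of the deck's era
    (newer releases use domain 'enterprise-attack' and a 4.x layer format); an entry without
    a 'tactic' key colours every cell in which that technique appears."""
    return {"name": name, "version": "2.2", "domain": "mitre-enterprise",
            "description": description,
            "techniques": [{"techniqueID": tid, "score": score}
                           for tid, score in sorted(scores.items())],
            "gradient": {"colors": ["#ffffff", "#66b1ff"], "minValue": 0,
                         "maxValue": max(scores.values(), default=1)}}

def coverage_layer(index, detected):
    """Score 1 where you have a detection, 0 elsewhere: measures what you can detect, not the unknown."""
    return navigator_layer("detection coverage",
                           {t["id"]: int(t["id"] in detected) for t in index["techniques"].values()})

def merge_layers(name, *layers):
    """Derive a layer from existing layers by summing scores per technique (Navigator's 'a+b')."""
    totals = defaultdict(int)
    for layer in layers:
        for entry in layer["techniques"]:
            totals[entry["techniqueID"]] += entry.get("score", 0)
    return navigator_layer(name, dict(totals))

if __name__ == "__main__":
    idx = build_index(load_bundle())
    group = navigator_layer("Example Group", {t: 1 for t in techniques_for_group(idx, "G0000")})
    print(json.dumps(merge_layers("group vs. coverage", group, coverage_layer(idx, {"T1078"})), indent=1))
```

Running the script prints a merged layer in which a technique scores 2 if the group uses it and you detect it, 1 if only one of those holds, and 0 otherwise; the JSON can be loaded into the Navigator as an existing layer. The revoked placeholder technique is filtered out by `is_live` even though the group has a `uses` edge to it, which is the check you want when scoring coverage off a bundle that carries historical objects.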
 
Att&ck Navigator
 
- Example
 
How big is Att&ck?
 
They have a blog
https://medium.com/mitre-attack
They can be found on the twitters
https://twitter.com/mitreattack
They have brainwashed enough to make money on their own con:
https://attack.mitre.org/resources/attackcon/
They want You! ...or at least your input:
https://attack.mitre.org/resources/contribute/
 
Use Today
 
SOC
Essentially no current use
Blue/IR Team
Essentially no current use
Threat Intel
Essentially no current use
Engineering
Essentially no current use
Red Team
Raising the bar again.....
Just above no current use ;)
 
Tech Notes
 
 
Notes
 
Nested inside Notebook is another tools section built out by
technology / other themes
 
Links / References
 
Moving Forward
 
Resource for Red Team Simulation
Vulnerability mapped to Att&ck Tactics
Not for customers but for Red Team tracking of coverage/systemic areas of weakness
 
Documentation for Pentest progression for specific application
More utilization by other InfoSec areas/teams
 
 
Avoiding Pitfalls - Don’t Stay in the Matrix
 
#1 
Don’t Assume All Techniques Are Equal
Some ATT&CK techniques are specific and others are generic, so focus on what’s specific first,
then increase your scope from there.
#2 
Don’t Try Building Alerts for Every Technique
You don’t need to alert on every technique in the matrix, so focus on those techniques
that are more readily detectable before moving on to the more complex ones.
#3 
Don’t Misunderstand Your Coverage
Each technique contains boundless possibilities, so measure the efficacy of the
techniques you can detect, not the unknown.
#4 
Don’t Stay in the Matrix
Adversaries move faster than models, so you have to be proactive about finding ways to
detect emerging threats.
#5 
Don’t Forget the Fundamentals
ATT&CK is a great repository for adversarial behaviors, but you have to be careful not to
lose track of fundamental security concepts like security awareness training,
vulnerability management, and the principle of least privilege.
 
https://redcanary.com/blog/avoiding-common-attack-pitfalls/
 
Other Stuff:
Atomic Red Team
 
 
https://github.com/redcanaryco/atomic-red-team
https://atomicredteam.io/testing
https://cyberwardog.blogspot.com/2017/07/how-hot-is-your-hunt-team.html
 
Perhaps combining w/ Detection Lab for
comparing/contrasting:
https://github.com/clong/DetectionLab
 
Other Stuff:
CAR / CARET
 
https://github.com/mitre-attack/car
https://mitre-attack.github.io/caret/#/
CAR is a good starting point for many organizations and can be a great platform for open analytic collaboration - but it isn’t the be-all/end-all for defending against the threats described by ATT&CK.
 
References
 
Att&ck Overview
https://attack.mitre.org/resources/getting-started/
https://www.youtube.com/watch?v=EsvUUCrbhIE
Att&ck-Navigator Example
https://www.youtube.com/watch?v=78RIsFqo9pM
Source References:
https://github.com/mitre/cti
Attack Dudes Presentations and Stuff:
https://www.slideshare.net/DanielWeiss24/one-technique-two-techniques-red-technique-blue-technique
Avoiding Pitfalls
Other References:
See throughout the presentation
Uploaded on Jul 30, 2024 | 0 Views