Exploring Att&ck Matrix: Engage Ludicrous Speed
Dive into the world of the Mitre Att&ck Matrix, where crazy ampersands and Trebuchet Font cues you in on how to engage Ludicrous Speed and understand the basics of attacker/adversary tactics, techniques, and common use cases. Explore matrices, prevent attacks, and work programmatically with Att&ck using STIX/TAXII references.
Download Presentation
Please find below an Image/Link to download the presentation.
The content on the website is provided AS IS for your information and personal use only. It may not be sold, licensed, or shared on other websites without obtaining consent from the author. Download presentation by click this link. If you encounter any issues during the download, it is possible that the publisher has removed the file from their server.
E N D
Presentation Transcript
Mitre Att&ck Matrix RA PS...Trebuchet Font makes crazy ampersands but I was to lazy to change it
Docket More background at Lightning McSpeed ... or not... More specifically: Use today Moving forward Avoiding Pitfalls Other (maybe?) interesting stuff
Engage Ludicrous Speed...Att&ck Background Not the Cyber Kill Chain (but you already knew this) https://www.lockheedmartin.com/en-us/capabilities/cyber/cyber-kill-chain.html Not CAR (Cyber Analytics Repository) {but CAR looks pretty cool} https://mitre-attack.github.io/caret/#/ Not CAPEC (Common Attack Pattern Enumeration and Classification) {probably also cool & they are in the same github repo} https://capec.mitre.org/ Not CALDERA (An automated adversary emulation system) https://github.com/mitre/caldera https://github.com/mitre/brawl-public-game-001 Not CASCADE (An automated investigation engine) https://github.com/mitre/cascade-server Not Some other C name
Engage Ludicrous Speed...Att&ck Background Basics: Perspective of the Attacker/Adversary Series of tactics, that the attacker wants to achieve Series of techniques per tactic Common Use Cases: Detections & Analytics TI Threat emulation / Red Teaming Assessment/Engineering
Engage Ludicrous Speed...Att&ck Background Matrix or Matrices? PRE-ATT&CK Prevent an attack before the adversary has a chance to get in Enterprise All Platforms Linux macOS Windows Mobile Broken into 2 sub matrices: Device Access Network Effects
Working w/ Att&ck Programmatically reference w/ STIX/TAXII ATT&CK Navigator
STIX / TAXII Haven t treaded here in practice, but here s some more: Intro: https://attack.mitre.org/resources/working-with-attack/ Usage https://github.com/mitre/cti/blob/master/USAGE.md All the raw JSON: https://raw.githubusercontent.com/mitre/cti/master/enterprise- attack/enterprise-attack.json Recommend Python Repo: (pip install stix2) https://github.com/oasis-open/cti-python-stix2 Cyber Threat Intelligence Repository or ATT&CK and CAPEC in STIX 2.0 JSON https://github.com/mitre/cti
Att&ck Navigator Help Explore Att&ck knowledge base Multiple Layers Multi-Select tool Assign Color or Score (and Ranges) Can create layers from existing layers https://mitre-attack.github.io/attack- navigator/enterprise/#
How big is Att&ck? The have a blog https://medium.com/mitre-attack They can be found on the twitters https://twitter.com/mitreattack They have brainwashed enough to make money on their own con: https://attack.mitre.org/resources/attackcon/ They want You! ...or at least your input: https://attack.mitre.org/resources/contribute/
Use Today SOC Essentially no current use Blue/IR Team Essentially no current use Threat Intel Essentially no current use Engineering Essentially no current use Red Team Raising the bar again..... Just above no current use ;)
Notes Nested inside Notebook is another tools section built out by technology / other themes
Moving Forward Resource for Red Team Simulation Vulnerability mapped to Att&ck Tactics Not for customers but for Red Team tracking of coverage/systemic areas of weakness Documentation for Pentest progression for specific application More utilization by other InfoSec areas/teams
Avoiding Pitfalls - Dont Stay in the Matrix https://redcanary.com/blog/avoiding-common-attack-pitfalls/ #1 Don t Assume All Techniques Are Equal ATT&CK techniques are specific and others are generic, so focus on what s specific first, then increase your scope from there. #2 Don t Try Building Alerts for Every Technique You don t need to alert on every technique in the matrix, so focus on those techniques that are more readily detectable before moving on to the more complex ones. #3 Don t Misunderstand Your Coverage Each technique contains boundless possibilities, so measure the efficacy of the techniques you can detect, not the unknown. #4 Don t Stay in the Matrix Adversaries move faster than models, so you have to be proactive about finding ways to detect emerging threats. #5 Don t Forget the Fundamentals ATT&CK is a great repository for adversarial behaviors, but you have to be careful not to lose track of fundamental security concepts like security awareness training, vulnerability management, and the principle of least privilege.
Other Stuff: Atomic Red Team https://github.com/redcanaryco/atomic-red-team https://atomicredteam.io/testing https://cyberwardog.blogspot.com/2017/07/how-hot- is-your-hunt-team.html Perhaps combining w/ Detection Lab for comparing/contrasting: https://github.com/clong/DetectionLab
Other Stuff: CAR / CARET https://github.com/mitre-attack/car https://mitre-attack.github.io/caret/#/ CAR is a good starting point for many organizations and can be a great platform for open analytic collaboration- but it isn t the be-all/end-all for defending against the threats described by ATT&CK.
References Att&ck Overview https://attack.mitre.org/resources/getting-started/ https://www.youtube.com/watch?v=EsvUUCrbhIE Att&ck-Navigator Example https://www.youtube.com/watch?v=78RIsFqo9pM Source References: https://github.com/mitre/cti Attack Dudes Presentations and Stuff: https://www.slideshare.net/DanielWeiss24/one-technique-two-techniques-red- technique-blue-technique Avoiding Pitfalls Other References: See throughout the presentation
