SlideShare uma empresa Scribd logo

Introduction to MITRE ATT&CK

A
Arpan Raval

Presentation talks about introduction to MITRE ATT&CK Framework, different use cases, pitfalls to take care about.. Talk was delivered @Null Bangalore and @OWASP Bangalore chapter on 15th February 2019.

Dados e análise
1 de 31
Baixar para ler offline
1 MITRE ATT&CKTM FRAMEWORK Threat Intelligence Detection, Analytics & Hunting f Assessment & Engineering L Threat Emulation L G ARPAN RAVAL null Bangalore & OWASP Bangalore Meet 28th March 2020
WHOAMI ❖Arpan Raval ❖Senior Threat Analyst @Optiv Inc ❖DFIR and Threat Hunting ❖Twitter @arpanrvl ❖https://www.linkedin.com/in/arpanraval
Software p i CAR s Threat Actors Y ATT&CK MATRICES PRE ATT&CK MITRE Software observed in adversary behavior Adversaries observed in cyber Knowledgebase of developed analytics Observed TTPs
MITRE ATT&CKTM ▪MITRE •R&D focused, federally funded non-profit org ▪ATT&CK •Knowledge base of adversary’s behaviors collected based on real world observations and attacks •Describes and Categorize adversarial behavioral in different phases of attack cycle. •Common Language
CHALLENGING ANNOYING TOUGH! TRIVIAL PYRAMID OF PAIN Courtesy David J Bianco TOOLS TTP SIMPLE EASY
6 Tactical Behavioral ▪ Reactive Indicators of Compromise ▪ Doesn’t work for malware-free intrusions ▪ Point in time artifacts ▪ Proactive Indicators of Attack ▪ Defined by adversary's behavior ▪ Real time https://www.crowdstrike.com/blog/indicators-attack-vs-indicators-compromise/
Matrix Tactic Enterprise 12 Mobile 13 ICS 11 Enterprise Mobile ICS Initial Access Initial Access Collection Execution Persistence Command and Control Persistence Privilege Escalation Discovery Privilege Escalation Defense Evasion Evasion Defense Evasion Credential Access Execution Credential Access Discovery Impact Discovery Lateral Movement Impair Process Control Lateral Movement Impact Inhibit Response Function Collection Collection Initial Access Command and Control Exfiltration Lateral Movement Exfiltration Command and Control Persistence Impact Network Effects Remote Service Effects MITRE Explained: Tactic 7 ▪Answers Why? for adversary’s actions. ▪Adversary’s objective behind an action ▪Represented by Columns in MITRE ATT&CK Matrix Example An adversary want to achieve credential access.
MITRE Explained: Technique 9 ▪Answers how? for adversary’s objective achievement. ▪Adversary used a technique to achieve an objective ▪Represented by individual cell in MITRE ATT&CK Matrix Matrix Technique PRE-ATT&CK 174 Enterprise 266 Mobile 79 ICS 81 Example Example: an adversary may dump credentials to achieve credential access.
MITRE Explained: Technique-Metainfo 10 ❖Tactic: Related MITRE Tactic ❖Platform: Required platform for a technique to work in. ❖Permissions Required: Lowest permission for an adversary to implement the technique ❖Effective Permissions: Permission an adversary achieves after successful implementation of the technique ❖Data Sources: Recommended data to be collection for detection of the technique
MITRE Explained: Procedure 11 ▪Answers what? for adversary’s technique usage. ▪Actual implementation of each technique. ▪Individual technique has a page for description, examples, sources, references. Example A procedure could be an adversary using PowerShell to inject into lsass.exe to dump credentials by scraping LSASS memory on a victim.
MITRE Explained: Sub Technique 13 ▪Sub-techniques are a way to describe a specific implementation of a technique in more detail. OS Credential Dumping ▪ LSASS Memory ▪ Security Account Manager ▪ NTDS ▪ DCSync ▪ Proc File System ▪ etc/passwd
MITRE Explained: Enumeration 14 Tactic Example Technique Obtaining Persistence via Windows Service Creation Privilege Escalation via Legitimate Credentials Reuse Defense Evasion via Office-Based Malware Credential Access via Memory Credential Dumping Discovery via Built-In Windows Tools Lateral Movement via Share Service Accounts Execution via PowerShell Execution Collection via Network Share Identification Exfiltration via Plaintext Exfiltration Impact via Data Encryption
Detection and Analytics Adversary Emulation and Red Teaming Threat Intelligence Assessment and Engineering MITRE ATT&CK Use Cases . T f d
Improve Detection & Visibility Capability with MITRE ATT&CK 21
PRIORITIZED MITRE ATT&CK SUBSETS 22 Let’s create our own prioritized MITRE ATT&CK Subset based adversarial TTPs based derived from any of these: ❖ Threat Intelligence ❖ Whitepapers ❖ Data Sources ❖ Ad-Hoc Requests Note: Matrix in upcoming slides are example matrix with dummy data for which not necessarily is true or to promote any tool/technology.
MITRE DETECTION MAPPING 23 MITRE Enumeration Initial Access Persistence Privilege Escalation Defense Evasion Credential Access Discovery Lateral Movement Execution Collection Exfiltration Command and Control External Remote Services DLL Search order Hijacking WDATP Brute Force Elastic Account Discovery Elastic Windows Remote Management TBD Automated Collection UEBA Automated Exfiltration ZScaler Commonly Used Port ZScaler Valid Accounts UEBA Credential Dumping WDATP Application Window Discovery ZScaler COM and DCOM Elastic Clipboard Data WDATP Data Compressed ZScaler Communicatio n Through Removable Media Symantec DLP Spearphishing Attachment TBD Accessibility Features TBD Indicator Removal on Host WDATP Application Deployment Software Elastic Command Line WDATP Data Staged UEBA Data Encrypted Symantec DLP Spearphishing Link TBD AppInit DLLS WDATP Masquerading WDATP Credential Manipulation UEBA File and Directory Discovery UEBA Execution through API TBD Data from Local System UEBA Data Transfer Size Limits TBD Custom Command and Control Protocol Symantec DLPAppCert DLLs WDATP Decode File or Info TBD Pass the Ticket WDATP Graphic User Interface TBD Data from Network Shared Drive ZScaler Exfiltration Over Alternative Protocol ZScalerApplication Shimming TBD DLL Side- Loading WDATP Credentials in Files UEBA WDATP Process Discovery Elastic InstallUtil WDATP Custom Cryptographic Protocol ZScalerNew Service TBD Disabling Security Tools Elastic Input Capture WDATP Remote Desktop Protocol Elastic PowerShell WDATP No detection Detected, No validation Detected Key
DATA SOURCE MAPPING 24 MITRE Enumeration Data does not exist Data exists, not monitored Data exists analyzed and monitoredKey Initial Access Persistence Privilege Escalation Defense Evasion Credential Access Discovery Lateral Movement Execution Collection Exfiltration Command and Control External Remote Services DLL Search order Hijacking Brute Force Account Discovery Windows Remote Management Automated Collection Automated Exfiltration Commonly Used Port Valid Accounts Credential Dumping Application Window Discovery COM and DCOM Clipboard Data Data Compressed Communicatio n Through Removable MediaSpearphishing Accessibility Features Indicator Removal on Host Application Deployment Software Command Line Data Staged Data Encrypted Spearphishing Link AppInit DLLS Masquerading Credential Manipulation File and Directory Discovery Execution through API Data from Local System Data Transfer Size Limits Custom Command and Control ProtocolAppCert DLLs Decode File or Info Pass the Ticket Graphic User Interface Data from Network Shared Drive Exfiltration Over Alternative Protocol Application Shimming DLL Side- Loading Credentials in Files Process Discovery InstallUtil Custom Cryptographic Protocol New Service Disabling Security Tools Input Capture Remote Desktop Protocol PowerShell
25 MITRE Enumeration Key
DETECTION MATURITY HEATMAP 26 MITRE Enumeration Limited Initial Stable Current InnovativeMaturity Key Initial Access Persistence Privilege Escalation Defense Evasion Credential Access Discovery Lateral Movement Execution Collection Exfiltration Command and Control External Remote Services DLL Search order Hijacking Brute Force Account Discovery Windows Remote Management Automated Collection Automated Exfiltration Commonly Used Port Valid Accounts Credential Dumping Application Window Discovery COM and DCOM Clipboard Data Data Compressed Communicatio n Through Removable MediaSpearphishing Attachment Accessibility Features Indicator Removal on Host Application Deployment Software Command Line Data Staged Data Encrypted Spearphishing Link AppInit DLLs Masquerading Credential Manipulation File and Directory Discovery Execution through API Data from Local System Data Transfer Size Limits Custom Command and Control Protocol AppCert DLLs Decode File or Info Pass the Ticket Graphic User Interface Data from Network Shared Drive Exfiltration Over Alternative Protocol Application Shimming DLL Side- Loading Credentials in Files Process Discovery InstallUtil Custom Cryptographic Protocol New Service Disabling Security Tools Input Capture Remote Desktop Protocol PowerShell
27 If you know neither the enemy nor yourself, you will succumb in every battle. - Sun Tzu -
Don’t Do This 28 ❖ Use Matrix as a Checklist to Create Alerts for everything ▪ Specific Technique – High Fidelity Alert ▪ Less Specific Technique – Data Enrichment ❖ Believe Matrix is every possible attack behavior ▪ Adversaries probably don’t report their own TTPs to MITRE ❖ Replace fundamentals with MITRE ATT&CK ▪ Term Does not found (404): MITRE COMPLIANT ❖ Make it Green if you detect one command of Technique ▪ There can be N number of procedure to implement a technique.
https://www.slideshare.net/attackcon2018/mitre-attckcon-20-threat-informed-defense-where-do-we-go-from-here-richard-struse-mitre
https://www.slideshare.net/attackcon2018/mitre-attckcon-20-threat-informed-defense-where-do-we-go-from-here-richard-struse-mitre
https://www.slideshare.net/attackcon2018/mitre-attckcon-20-threat-informed-defense-where-do-we-go-from-here-richard-struse-mitre
https://www.slideshare.net/attackcon2018/mitre-attckcon-20-threat-informed-defense-where-do-we-go-from-here-richard-struse-mitre
https://www.slideshare.net/attackcon2018/mitre-attckcon-20-threat-informed-defense-where-do-we-go-from-here-richard-struse-mitre
Together
ATT&CK is not juts a Framework, ATT&CK is community!
References and Awesome Resources 36 ▪ Indicators of Attack vs Indicators of Compromise ▪ https://www.crowdstrike.com/blog/indicators-attack-vs-indicators-compromise ▪ Using ATT&CK for Cyber Threat Intelligence ▪ https://attack.mitre.org/resources/training/cti/ ▪ MITRE ATT&CK Getting Started ▪ https://attack.mitre.org/resources/getting-started/ ▪ ATT&CK Con Talks ▪ https://attack.mitre.org/resources/attackcon/ ▪ ATT&CK 101 ▪ https://medium.com/mitre-attack/att-ck-101-17074d3bc62 ▪ ATT&CK Sub Technique Preview ▪https://medium.com/mitre-attack/attack-sub-techniques-preview-b79ff0ba669a ▪ 2020 ATT&CK Roadmap ▪https://medium.com/mitre-attack/2020-attack-roadmap-4820d30b38ba
THANK YOU

Recomendados

MITRE ATT&CK Framework
MITRE ATT&CK FrameworkMITRE ATT&CK Framework
MITRE ATT&CK Frameworkn|u - The Open Security Community
 
MITRE ATT&CK framework
MITRE ATT&CK frameworkMITRE ATT&CK framework
MITRE ATT&CK frameworkBhushan Gurav
 
Cyber Threat hunting workshop
Cyber Threat hunting workshopCyber Threat hunting workshop
Cyber Threat hunting workshopArpan Raval
 
Leveraging MITRE ATT&CK - Speaking the Common Language
Leveraging MITRE ATT&CK - Speaking the Common LanguageLeveraging MITRE ATT&CK - Speaking the Common Language
Leveraging MITRE ATT&CK - Speaking the Common LanguageErik Van Buggenhout
 
Managing & Showing Value during Red Team Engagements & Purple Team Exercises ...
Managing & Showing Value during Red Team Engagements & Purple Team Exercises ...Managing & Showing Value during Red Team Engagements & Purple Team Exercises ...
Managing & Showing Value during Red Team Engagements & Purple Team Exercises ...Jorge Orchilles
 
ATT&CKcon Intro
ATT&CKcon IntroATT&CKcon Intro
ATT&CKcon IntroMITRE ATT&CK
 
What is ATT&CK coverage, anyway? Breadth and depth analysis with Atomic Red Team
What is ATT&CK coverage, anyway? Breadth and depth analysis with Atomic Red TeamWhat is ATT&CK coverage, anyway? Breadth and depth analysis with Atomic Red Team
What is ATT&CK coverage, anyway? Breadth and depth analysis with Atomic Red TeamMITRE ATT&CK
 
Sharpening your Threat-Hunting Program with ATTACK Framework
Sharpening your Threat-Hunting Program with ATTACK FrameworkSharpening your Threat-Hunting Program with ATTACK Framework
Sharpening your Threat-Hunting Program with ATTACK FrameworkMITRE - ATT&CKcon
 

Recomendados

MITRE ATT&CK Framework
MITRE ATT&CK FrameworkMITRE ATT&CK Framework
MITRE ATT&CK Frameworkn|u - The Open Security Community
 
MITRE ATT&CK framework
MITRE ATT&CK frameworkMITRE ATT&CK framework
MITRE ATT&CK frameworkBhushan Gurav
 
Cyber Threat hunting workshop
Cyber Threat hunting workshopCyber Threat hunting workshop
Cyber Threat hunting workshopArpan Raval
 
Leveraging MITRE ATT&CK - Speaking the Common Language
Leveraging MITRE ATT&CK - Speaking the Common LanguageLeveraging MITRE ATT&CK - Speaking the Common Language
Leveraging MITRE ATT&CK - Speaking the Common LanguageErik Van Buggenhout
 
Managing & Showing Value during Red Team Engagements & Purple Team Exercises ...
Managing & Showing Value during Red Team Engagements & Purple Team Exercises ...Managing & Showing Value during Red Team Engagements & Purple Team Exercises ...
Managing & Showing Value during Red Team Engagements & Purple Team Exercises ...Jorge Orchilles
 
ATT&CKcon Intro
ATT&CKcon IntroATT&CKcon Intro
ATT&CKcon IntroMITRE ATT&CK
 
What is ATT&CK coverage, anyway? Breadth and depth analysis with Atomic Red Team
What is ATT&CK coverage, anyway? Breadth and depth analysis with Atomic Red TeamWhat is ATT&CK coverage, anyway? Breadth and depth analysis with Atomic Red Team
What is ATT&CK coverage, anyway? Breadth and depth analysis with Atomic Red TeamMITRE ATT&CK
 
Sharpening your Threat-Hunting Program with ATTACK Framework
Sharpening your Threat-Hunting Program with ATTACK FrameworkSharpening your Threat-Hunting Program with ATTACK Framework
Sharpening your Threat-Hunting Program with ATTACK FrameworkMITRE - ATT&CKcon
 
MITRE ATT&CKcon 2.0: State of the ATT&CK; Blake Strom, MITRE
MITRE ATT&CKcon 2.0: State of the ATT&CK; Blake Strom, MITREMITRE ATT&CKcon 2.0: State of the ATT&CK; Blake Strom, MITRE
MITRE ATT&CKcon 2.0: State of the ATT&CK; Blake Strom, MITREMITRE - ATT&CKcon
 
Red Team Framework
Red Team FrameworkRed Team Framework
Red Team Framework👀 Joe Gray
 
Cyber threat intelligence ppt
Cyber threat intelligence pptCyber threat intelligence ppt
Cyber threat intelligence pptKumar Gaurav
 
Threat Intelligence
Threat IntelligenceThreat Intelligence
Threat IntelligenceDeepak Kumar (D3)
 
MITRE ATT&CKcon 2.0: Using Threat Intelligence to Focus ATT&CK Activities; Da...
MITRE ATT&CKcon 2.0: Using Threat Intelligence to Focus ATT&CK Activities; Da...MITRE ATT&CKcon 2.0: Using Threat Intelligence to Focus ATT&CK Activities; Da...
MITRE ATT&CKcon 2.0: Using Threat Intelligence to Focus ATT&CK Activities; Da...MITRE - ATT&CKcon
 
Defend Your Data Now with the MITRE ATT&CK Framework
Defend Your Data Now with the MITRE ATT&CK FrameworkDefend Your Data Now with the MITRE ATT&CK Framework
Defend Your Data Now with the MITRE ATT&CK FrameworkTripwire
 
Measure What Matters: How to Use MITRE ATTACK to do the Right Things in the R...
Measure What Matters: How to Use MITRE ATTACK to do the Right Things in the R...Measure What Matters: How to Use MITRE ATTACK to do the Right Things in the R...
Measure What Matters: How to Use MITRE ATTACK to do the Right Things in the R...MITRE - ATT&CKcon
 
Purple Teaming the Cyber Kill Chain: Practical Exercises for Everyone Sector...
Purple Teaming the Cyber Kill Chain: Practical Exercises for Everyone Sector...Purple Teaming the Cyber Kill Chain: Practical Exercises for Everyone Sector...
Purple Teaming the Cyber Kill Chain: Practical Exercises for Everyone Sector...Chris Gates
 
How MITRE ATT&CK helps security operations
How MITRE ATT&CK helps security operationsHow MITRE ATT&CK helps security operations
How MITRE ATT&CK helps security operationsSergey Soldatov
 
Projects to Impact- Operationalizing Work from the Center
Projects to Impact- Operationalizing Work from the CenterProjects to Impact- Operationalizing Work from the Center
Projects to Impact- Operationalizing Work from the CenterMITRE ATT&CK
 
Application Security
Application SecurityApplication Security
Application SecurityReggie Niccolo Santos
 
Penetration Testing Tutorial | Penetration Testing Tools | Cyber Security Tra...
Penetration Testing Tutorial | Penetration Testing Tools | Cyber Security Tra...Penetration Testing Tutorial | Penetration Testing Tools | Cyber Security Tra...
Penetration Testing Tutorial | Penetration Testing Tools | Cyber Security Tra...Edureka!
 
Threat-Based Adversary Emulation with MITRE ATT&CK
Threat-Based Adversary Emulation with MITRE ATT&CKThreat-Based Adversary Emulation with MITRE ATT&CK
Threat-Based Adversary Emulation with MITRE ATT&CKKatie Nickels
 
ATT&CKing the Red/Blue Divide
ATT&CKing the Red/Blue DivideATT&CKing the Red/Blue Divide
ATT&CKing the Red/Blue DivideMITRE ATT&CK
 
Cyber Threat Intelligence
Cyber Threat IntelligenceCyber Threat Intelligence
Cyber Threat IntelligenceZaiffiEhsan
 
Using MITRE PRE-ATTACK and ATTACK in Cybercrime Education and Research
Using MITRE PRE-ATTACK and ATTACK in Cybercrime Education and ResearchUsing MITRE PRE-ATTACK and ATTACK in Cybercrime Education and Research
Using MITRE PRE-ATTACK and ATTACK in Cybercrime Education and ResearchMITRE - ATT&CKcon
 
MITRE ATT&CKcon 2.0: Prioritizing ATT&CK Informed Defenses the CIS Way; Phili...
MITRE ATT&CKcon 2.0: Prioritizing ATT&CK Informed Defenses the CIS Way; Phili...MITRE ATT&CKcon 2.0: Prioritizing ATT&CK Informed Defenses the CIS Way; Phili...
MITRE ATT&CKcon 2.0: Prioritizing ATT&CK Informed Defenses the CIS Way; Phili...MITRE - ATT&CKcon
 
Overview of the Cyber Kill Chain [TM]
Overview of the Cyber Kill Chain [TM]Overview of the Cyber Kill Chain [TM]
Overview of the Cyber Kill Chain [TM]David Sweigert
 
ATT&CK Updates- Defensive ATT&CK
ATT&CK Updates- Defensive ATT&CKATT&CK Updates- Defensive ATT&CK
ATT&CK Updates- Defensive ATT&CKMITRE ATT&CK
 
Mapping to MITRE ATT&CK: Enhancing Operations Through the Tracking of Interac...
Mapping to MITRE ATT&CK: Enhancing Operations Through the Tracking of Interac...Mapping to MITRE ATT&CK: Enhancing Operations Through the Tracking of Interac...
Mapping to MITRE ATT&CK: Enhancing Operations Through the Tracking of Interac...MITRE ATT&CK
 
(SACON) Wasim Halani & Arpan Raval - Practical Threat Hunting - Developing an...
(SACON) Wasim Halani & Arpan Raval - Practical Threat Hunting - Developing an...(SACON) Wasim Halani & Arpan Raval - Practical Threat Hunting - Developing an...
(SACON) Wasim Halani & Arpan Raval - Practical Threat Hunting - Developing an...Priyanka Aash
 
Anomali Detect 19 - Nickels & Pennington - Turning Intelligence into Action w...
Anomali Detect 19 - Nickels & Pennington - Turning Intelligence into Action w...Anomali Detect 19 - Nickels & Pennington - Turning Intelligence into Action w...
Anomali Detect 19 - Nickels & Pennington - Turning Intelligence into Action w...Adam Pennington
 

Mais conteúdo relacionado

Mais procurados

MITRE ATT&CKcon 2.0: State of the ATT&CK; Blake Strom, MITRE
MITRE ATT&CKcon 2.0: State of the ATT&CK; Blake Strom, MITREMITRE ATT&CKcon 2.0: State of the ATT&CK; Blake Strom, MITRE
MITRE ATT&CKcon 2.0: State of the ATT&CK; Blake Strom, MITREMITRE - ATT&CKcon
 
Cyber threat intelligence ppt
Cyber threat intelligence pptCyber threat intelligence ppt
Cyber threat intelligence pptKumar Gaurav
 
MITRE ATT&CKcon 2.0: Using Threat Intelligence to Focus ATT&CK Activities; Da...
MITRE ATT&CKcon 2.0: Using Threat Intelligence to Focus ATT&CK Activities; Da...MITRE ATT&CKcon 2.0: Using Threat Intelligence to Focus ATT&CK Activities; Da...
MITRE ATT&CKcon 2.0: Using Threat Intelligence to Focus ATT&CK Activities; Da...MITRE - ATT&CKcon
 
Defend Your Data Now with the MITRE ATT&CK Framework
Defend Your Data Now with the MITRE ATT&CK FrameworkDefend Your Data Now with the MITRE ATT&CK Framework
Defend Your Data Now with the MITRE ATT&CK FrameworkTripwire
 
Measure What Matters: How to Use MITRE ATTACK to do the Right Things in the R...
Measure What Matters: How to Use MITRE ATTACK to do the Right Things in the R...Measure What Matters: How to Use MITRE ATTACK to do the Right Things in the R...
Measure What Matters: How to Use MITRE ATTACK to do the Right Things in the R...MITRE - ATT&CKcon
 
Purple Teaming the Cyber Kill Chain: Practical Exercises for Everyone Sector...
Purple Teaming the Cyber Kill Chain: Practical Exercises for Everyone Sector...Purple Teaming the Cyber Kill Chain: Practical Exercises for Everyone Sector...
Purple Teaming the Cyber Kill Chain: Practical Exercises for Everyone Sector...Chris Gates
 
How MITRE ATT&CK helps security operations
How MITRE ATT&CK helps security operationsHow MITRE ATT&CK helps security operations
How MITRE ATT&CK helps security operationsSergey Soldatov
 
Projects to Impact- Operationalizing Work from the Center
Projects to Impact- Operationalizing Work from the CenterProjects to Impact- Operationalizing Work from the Center
Projects to Impact- Operationalizing Work from the CenterMITRE ATT&CK
 
Penetration Testing Tutorial | Penetration Testing Tools | Cyber Security Tra...
Penetration Testing Tutorial | Penetration Testing Tools | Cyber Security Tra...Penetration Testing Tutorial | Penetration Testing Tools | Cyber Security Tra...
Penetration Testing Tutorial | Penetration Testing Tools | Cyber Security Tra...Edureka!
 
Threat-Based Adversary Emulation with MITRE ATT&CK
Threat-Based Adversary Emulation with MITRE ATT&CKThreat-Based Adversary Emulation with MITRE ATT&CK
Threat-Based Adversary Emulation with MITRE ATT&CKKatie Nickels
 
ATT&CKing the Red/Blue Divide
ATT&CKing the Red/Blue DivideATT&CKing the Red/Blue Divide
ATT&CKing the Red/Blue DivideMITRE ATT&CK
 
Cyber Threat Intelligence
Cyber Threat IntelligenceCyber Threat Intelligence
Cyber Threat IntelligenceZaiffiEhsan
 
Using MITRE PRE-ATTACK and ATTACK in Cybercrime Education and Research
Using MITRE PRE-ATTACK and ATTACK in Cybercrime Education and ResearchUsing MITRE PRE-ATTACK and ATTACK in Cybercrime Education and Research
Using MITRE PRE-ATTACK and ATTACK in Cybercrime Education and ResearchMITRE - ATT&CKcon
 
MITRE ATT&CKcon 2.0: Prioritizing ATT&CK Informed Defenses the CIS Way; Phili...
MITRE ATT&CKcon 2.0: Prioritizing ATT&CK Informed Defenses the CIS Way; Phili...MITRE ATT&CKcon 2.0: Prioritizing ATT&CK Informed Defenses the CIS Way; Phili...
MITRE ATT&CKcon 2.0: Prioritizing ATT&CK Informed Defenses the CIS Way; Phili...MITRE - ATT&CKcon
 
Overview of the Cyber Kill Chain [TM]
Overview of the Cyber Kill Chain [TM]Overview of the Cyber Kill Chain [TM]
Overview of the Cyber Kill Chain [TM]David Sweigert
 
ATT&CK Updates- Defensive ATT&CK
ATT&CK Updates- Defensive ATT&CKATT&CK Updates- Defensive ATT&CK
ATT&CK Updates- Defensive ATT&CKMITRE ATT&CK
 
Mapping to MITRE ATT&CK: Enhancing Operations Through the Tracking of Interac...
Mapping to MITRE ATT&CK: Enhancing Operations Through the Tracking of Interac...Mapping to MITRE ATT&CK: Enhancing Operations Through the Tracking of Interac...
Mapping to MITRE ATT&CK: Enhancing Operations Through the Tracking of Interac...MITRE ATT&CK
 

Mais procurados (20)

MITRE ATT&CKcon 2.0: State of the ATT&CK; Blake Strom, MITRE
MITRE ATT&CKcon 2.0: State of the ATT&CK; Blake Strom, MITREMITRE ATT&CKcon 2.0: State of the ATT&CK; Blake Strom, MITRE
MITRE ATT&CKcon 2.0: State of the ATT&CK; Blake Strom, MITRE
 
Red Team Framework
Red Team FrameworkRed Team Framework
Red Team Framework
 
Cyber threat intelligence ppt
Cyber threat intelligence pptCyber threat intelligence ppt
Cyber threat intelligence ppt
 
Threat Intelligence
Threat IntelligenceThreat Intelligence
Threat Intelligence
 
MITRE ATT&CKcon 2.0: Using Threat Intelligence to Focus ATT&CK Activities; Da...
MITRE ATT&CKcon 2.0: Using Threat Intelligence to Focus ATT&CK Activities; Da...MITRE ATT&CKcon 2.0: Using Threat Intelligence to Focus ATT&CK Activities; Da...
MITRE ATT&CKcon 2.0: Using Threat Intelligence to Focus ATT&CK Activities; Da...
 
Defend Your Data Now with the MITRE ATT&CK Framework
Defend Your Data Now with the MITRE ATT&CK FrameworkDefend Your Data Now with the MITRE ATT&CK Framework
Defend Your Data Now with the MITRE ATT&CK Framework
 
Measure What Matters: How to Use MITRE ATTACK to do the Right Things in the R...
Measure What Matters: How to Use MITRE ATTACK to do the Right Things in the R...Measure What Matters: How to Use MITRE ATTACK to do the Right Things in the R...
Measure What Matters: How to Use MITRE ATTACK to do the Right Things in the R...
 
Purple Teaming the Cyber Kill Chain: Practical Exercises for Everyone Sector...
Purple Teaming the Cyber Kill Chain: Practical Exercises for Everyone Sector...Purple Teaming the Cyber Kill Chain: Practical Exercises for Everyone Sector...
Purple Teaming the Cyber Kill Chain: Practical Exercises for Everyone Sector...
 
How MITRE ATT&CK helps security operations
How MITRE ATT&CK helps security operationsHow MITRE ATT&CK helps security operations
How MITRE ATT&CK helps security operations
 
Projects to Impact- Operationalizing Work from the Center
Projects to Impact- Operationalizing Work from the CenterProjects to Impact- Operationalizing Work from the Center
Projects to Impact- Operationalizing Work from the Center
 
Application Security
Application SecurityApplication Security
Application Security
 
Penetration Testing Tutorial | Penetration Testing Tools | Cyber Security Tra...
Penetration Testing Tutorial | Penetration Testing Tools | Cyber Security Tra...Penetration Testing Tutorial | Penetration Testing Tools | Cyber Security Tra...
Penetration Testing Tutorial | Penetration Testing Tools | Cyber Security Tra...
 
Threat-Based Adversary Emulation with MITRE ATT&CK
Threat-Based Adversary Emulation with MITRE ATT&CKThreat-Based Adversary Emulation with MITRE ATT&CK
Threat-Based Adversary Emulation with MITRE ATT&CK
 
ATT&CKing the Red/Blue Divide
ATT&CKing the Red/Blue DivideATT&CKing the Red/Blue Divide
ATT&CKing the Red/Blue Divide
 
Cyber Threat Intelligence
Cyber Threat IntelligenceCyber Threat Intelligence
Cyber Threat Intelligence
 
Using MITRE PRE-ATTACK and ATTACK in Cybercrime Education and Research
Using MITRE PRE-ATTACK and ATTACK in Cybercrime Education and ResearchUsing MITRE PRE-ATTACK and ATTACK in Cybercrime Education and Research
Using MITRE PRE-ATTACK and ATTACK in Cybercrime Education and Research
 
MITRE ATT&CKcon 2.0: Prioritizing ATT&CK Informed Defenses the CIS Way; Phili...
MITRE ATT&CKcon 2.0: Prioritizing ATT&CK Informed Defenses the CIS Way; Phili...MITRE ATT&CKcon 2.0: Prioritizing ATT&CK Informed Defenses the CIS Way; Phili...
MITRE ATT&CKcon 2.0: Prioritizing ATT&CK Informed Defenses the CIS Way; Phili...
 
Overview of the Cyber Kill Chain [TM]
Overview of the Cyber Kill Chain [TM]Overview of the Cyber Kill Chain [TM]
Overview of the Cyber Kill Chain [TM]
 
ATT&CK Updates- Defensive ATT&CK
ATT&CK Updates- Defensive ATT&CKATT&CK Updates- Defensive ATT&CK
ATT&CK Updates- Defensive ATT&CK
 
Mapping to MITRE ATT&CK: Enhancing Operations Through the Tracking of Interac...
Mapping to MITRE ATT&CK: Enhancing Operations Through the Tracking of Interac...Mapping to MITRE ATT&CK: Enhancing Operations Through the Tracking of Interac...
Mapping to MITRE ATT&CK: Enhancing Operations Through the Tracking of Interac...
 

Semelhante a Introduction to MITRE ATT&CK

(SACON) Wasim Halani & Arpan Raval - Practical Threat Hunting - Developing an...
(SACON) Wasim Halani & Arpan Raval - Practical Threat Hunting - Developing an...(SACON) Wasim Halani & Arpan Raval - Practical Threat Hunting - Developing an...
(SACON) Wasim Halani & Arpan Raval - Practical Threat Hunting - Developing an...Priyanka Aash
 
Anomali Detect 19 - Nickels & Pennington - Turning Intelligence into Action w...
Anomali Detect 19 - Nickels & Pennington - Turning Intelligence into Action w...Anomali Detect 19 - Nickels & Pennington - Turning Intelligence into Action w...
Anomali Detect 19 - Nickels & Pennington - Turning Intelligence into Action w...Adam Pennington
 
MITRE_ATTACK_Enterprise_11x17.pdf
MITRE_ATTACK_Enterprise_11x17.pdfMITRE_ATTACK_Enterprise_11x17.pdf
MITRE_ATTACK_Enterprise_11x17.pdfAisyiFree
 
Slideshare.net rh-isac summit 2019 - adam pennington - leveraging mitre at ta...
Slideshare.net rh-isac summit 2019 - adam pennington - leveraging mitre at ta...Slideshare.net rh-isac summit 2019 - adam pennington - leveraging mitre at ta...
Slideshare.net rh-isac summit 2019 - adam pennington - leveraging mitre at ta...Robert Brandel
 
Adversary Emulation and Red Team Exercises - EDUCAUSE
Adversary Emulation and Red Team Exercises - EDUCAUSEAdversary Emulation and Red Team Exercises - EDUCAUSE
Adversary Emulation and Red Team Exercises - EDUCAUSEJorge Orchilles
 
Getting Bear-y Cozy with PowerShell
Getting Bear-y Cozy with PowerShellGetting Bear-y Cozy with PowerShell
Getting Bear-y Cozy with PowerShellJamieWilliams130
 
Update from the MITRE ATT&CK Team
Update from the MITRE ATT&CK TeamUpdate from the MITRE ATT&CK Team
Update from the MITRE ATT&CK TeamAdam Pennington
 
BSidesLV 2018 - Katie Nickels and John Wunder - ATT&CKing the Status Quo
BSidesLV 2018 - Katie Nickels and John Wunder - ATT&CKing the Status QuoBSidesLV 2018 - Katie Nickels and John Wunder - ATT&CKing the Status Quo
BSidesLV 2018 - Katie Nickels and John Wunder - ATT&CKing the Status QuoKatie Nickels
 
Adversary Emulation - DerpCon
Adversary Emulation - DerpConAdversary Emulation - DerpCon
Adversary Emulation - DerpConJorge Orchilles
 
Evolution of Offensive Testing - ATT&CK-based Adversary Emulation Plans
Evolution of Offensive Testing - ATT&CK-based Adversary Emulation PlansEvolution of Offensive Testing - ATT&CK-based Adversary Emulation Plans
Evolution of Offensive Testing - ATT&CK-based Adversary Emulation PlansChristopher Korban
 
How to protect your corporate from advanced attacks
How to protect your corporate from advanced attacksHow to protect your corporate from advanced attacks
How to protect your corporate from advanced attacksMicrosoft
 
Hunting for Cyber Threats Using Threat Modeling & Frameworks
Hunting for Cyber Threats Using Threat Modeling & Frameworks Hunting for Cyber Threats Using Threat Modeling & Frameworks
Hunting for Cyber Threats Using Threat Modeling & Frameworks Tripwire
 
CSF18 - Incident Response in the Cloud - Yuri Diogenes
CSF18 - Incident Response in the Cloud - Yuri DiogenesCSF18 - Incident Response in the Cloud - Yuri Diogenes
CSF18 - Incident Response in the Cloud - Yuri DiogenesNCCOMMS
 
Achieving Defendable Architectures Via Threat Driven Methodologies
Achieving Defendable Architectures Via Threat Driven MethodologiesAchieving Defendable Architectures Via Threat Driven Methodologies
Achieving Defendable Architectures Via Threat Driven MethodologiesPriyanka Aash
 
Which Came First: The Phish or the Opportunity to Defend Against It
Which Came First: The Phish or the Opportunity to Defend Against ItWhich Came First: The Phish or the Opportunity to Defend Against It
Which Came First: The Phish or the Opportunity to Defend Against ItJamieWilliams130
 
RH-ISAC Summit 2019 - Adam Pennington - Leveraging MITRE ATT&CK™ for Detectio...
RH-ISAC Summit 2019 - Adam Pennington - Leveraging MITRE ATT&CK™ for Detectio...RH-ISAC Summit 2019 - Adam Pennington - Leveraging MITRE ATT&CK™ for Detectio...
RH-ISAC Summit 2019 - Adam Pennington - Leveraging MITRE ATT&CK™ for Detectio...Adam Pennington
 
Pennington - Defending Against Targeted Ransomware with MITRE ATT&CK
Pennington - Defending Against Targeted Ransomware with MITRE ATT&CKPennington - Defending Against Targeted Ransomware with MITRE ATT&CK
Pennington - Defending Against Targeted Ransomware with MITRE ATT&CKAdam Pennington
 
Understanding Application Threat Modelling & Architecture
Understanding Application Threat Modelling & Architecture Understanding Application Threat Modelling & Architecture
Understanding Application Threat Modelling & ArchitecturePriyanka Aash
 
Application of Machine Learning in Cybersecurity
Application of Machine Learning in CybersecurityApplication of Machine Learning in Cybersecurity
Application of Machine Learning in CybersecurityPratap Dangeti
 
BlueHat v18 || Tales from the soc - real-world attacks seen through azure atp...
BlueHat v18 || Tales from the soc - real-world attacks seen through azure atp...BlueHat v18 || Tales from the soc - real-world attacks seen through azure atp...
BlueHat v18 || Tales from the soc - real-world attacks seen through azure atp...BlueHat Security Conference
 

Semelhante a Introduction to MITRE ATT&CK (20)

(SACON) Wasim Halani & Arpan Raval - Practical Threat Hunting - Developing an...
(SACON) Wasim Halani & Arpan Raval - Practical Threat Hunting - Developing an...(SACON) Wasim Halani & Arpan Raval - Practical Threat Hunting - Developing an...
(SACON) Wasim Halani & Arpan Raval - Practical Threat Hunting - Developing an...
 
Anomali Detect 19 - Nickels & Pennington - Turning Intelligence into Action w...
Anomali Detect 19 - Nickels & Pennington - Turning Intelligence into Action w...Anomali Detect 19 - Nickels & Pennington - Turning Intelligence into Action w...
Anomali Detect 19 - Nickels & Pennington - Turning Intelligence into Action w...
 
MITRE_ATTACK_Enterprise_11x17.pdf
MITRE_ATTACK_Enterprise_11x17.pdfMITRE_ATTACK_Enterprise_11x17.pdf
MITRE_ATTACK_Enterprise_11x17.pdf
 
Slideshare.net rh-isac summit 2019 - adam pennington - leveraging mitre at ta...
Slideshare.net rh-isac summit 2019 - adam pennington - leveraging mitre at ta...Slideshare.net rh-isac summit 2019 - adam pennington - leveraging mitre at ta...
Slideshare.net rh-isac summit 2019 - adam pennington - leveraging mitre at ta...
 
Adversary Emulation and Red Team Exercises - EDUCAUSE
Adversary Emulation and Red Team Exercises - EDUCAUSEAdversary Emulation and Red Team Exercises - EDUCAUSE
Adversary Emulation and Red Team Exercises - EDUCAUSE
 
Getting Bear-y Cozy with PowerShell
Getting Bear-y Cozy with PowerShellGetting Bear-y Cozy with PowerShell
Getting Bear-y Cozy with PowerShell
 
Update from the MITRE ATT&CK Team
Update from the MITRE ATT&CK TeamUpdate from the MITRE ATT&CK Team
Update from the MITRE ATT&CK Team
 
BSidesLV 2018 - Katie Nickels and John Wunder - ATT&CKing the Status Quo
BSidesLV 2018 - Katie Nickels and John Wunder - ATT&CKing the Status QuoBSidesLV 2018 - Katie Nickels and John Wunder - ATT&CKing the Status Quo
BSidesLV 2018 - Katie Nickels and John Wunder - ATT&CKing the Status Quo
 
Adversary Emulation - DerpCon
Adversary Emulation - DerpConAdversary Emulation - DerpCon
Adversary Emulation - DerpCon
 
Evolution of Offensive Testing - ATT&CK-based Adversary Emulation Plans
Evolution of Offensive Testing - ATT&CK-based Adversary Emulation PlansEvolution of Offensive Testing - ATT&CK-based Adversary Emulation Plans
Evolution of Offensive Testing - ATT&CK-based Adversary Emulation Plans
 
How to protect your corporate from advanced attacks
How to protect your corporate from advanced attacksHow to protect your corporate from advanced attacks
How to protect your corporate from advanced attacks
 
Hunting for Cyber Threats Using Threat Modeling & Frameworks
Hunting for Cyber Threats Using Threat Modeling & Frameworks Hunting for Cyber Threats Using Threat Modeling & Frameworks
Hunting for Cyber Threats Using Threat Modeling & Frameworks
 
CSF18 - Incident Response in the Cloud - Yuri Diogenes
CSF18 - Incident Response in the Cloud - Yuri DiogenesCSF18 - Incident Response in the Cloud - Yuri Diogenes
CSF18 - Incident Response in the Cloud - Yuri Diogenes
 
Achieving Defendable Architectures Via Threat Driven Methodologies
Achieving Defendable Architectures Via Threat Driven MethodologiesAchieving Defendable Architectures Via Threat Driven Methodologies
Achieving Defendable Architectures Via Threat Driven Methodologies
 
Which Came First: The Phish or the Opportunity to Defend Against It
Which Came First: The Phish or the Opportunity to Defend Against ItWhich Came First: The Phish or the Opportunity to Defend Against It
Which Came First: The Phish or the Opportunity to Defend Against It
 
RH-ISAC Summit 2019 - Adam Pennington - Leveraging MITRE ATT&CK™ for Detectio...
RH-ISAC Summit 2019 - Adam Pennington - Leveraging MITRE ATT&CK™ for Detectio...RH-ISAC Summit 2019 - Adam Pennington - Leveraging MITRE ATT&CK™ for Detectio...
RH-ISAC Summit 2019 - Adam Pennington - Leveraging MITRE ATT&CK™ for Detectio...
 
Pennington - Defending Against Targeted Ransomware with MITRE ATT&CK
Pennington - Defending Against Targeted Ransomware with MITRE ATT&CKPennington - Defending Against Targeted Ransomware with MITRE ATT&CK
Pennington - Defending Against Targeted Ransomware with MITRE ATT&CK
 
Understanding Application Threat Modelling & Architecture
Understanding Application Threat Modelling & Architecture Understanding Application Threat Modelling & Architecture
Understanding Application Threat Modelling & Architecture
 
Application of Machine Learning in Cybersecurity
Application of Machine Learning in CybersecurityApplication of Machine Learning in Cybersecurity
Application of Machine Learning in Cybersecurity
 
BlueHat v18 || Tales from the soc - real-world attacks seen through azure atp...
BlueHat v18 || Tales from the soc - real-world attacks seen through azure atp...BlueHat v18 || Tales from the soc - real-world attacks seen through azure atp...
BlueHat v18 || Tales from the soc - real-world attacks seen through azure atp...
 

Último

April 2024 - Crypto Market Report's Analysis
April 2024 - Crypto Market Report's AnalysisApril 2024 - Crypto Market Report's Analysis
April 2024 - Crypto Market Report's Analysismanisha194592
 
Generative AI on Enterprise Cloud with NiFi and Milvus
Generative AI on Enterprise Cloud with NiFi and MilvusGenerative AI on Enterprise Cloud with NiFi and Milvus
Generative AI on Enterprise Cloud with NiFi and MilvusTimothy Spann
 
Best VIP Call Girls Noida Sector 22 Call Me: 8448380779
Best VIP Call Girls Noida Sector 22 Call Me: 8448380779Best VIP Call Girls Noida Sector 22 Call Me: 8448380779
Best VIP Call Girls Noida Sector 22 Call Me: 8448380779Delhi Call girls
 
Vip Model Call Girls (Delhi) Karol Bagh 9711199171✔️Body to body massage wit...
Vip Model Call Girls (Delhi) Karol Bagh 9711199171✔️Body to body massage wit...Vip Model Call Girls (Delhi) Karol Bagh 9711199171✔️Body to body massage wit...
Vip Model Call Girls (Delhi) Karol Bagh 9711199171✔️Body to body massage wit...shivangimorya083
 
Best VIP Call Girls Noida Sector 39 Call Me: 8448380779
Best VIP Call Girls Noida Sector 39 Call Me: 8448380779Best VIP Call Girls Noida Sector 39 Call Me: 8448380779
Best VIP Call Girls Noida Sector 39 Call Me: 8448380779Delhi Call girls
 
Delhi Call Girls Punjabi Bagh 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip Call
Delhi Call Girls Punjabi Bagh 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip CallDelhi Call Girls Punjabi Bagh 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip Call
Delhi Call Girls Punjabi Bagh 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip Callshivangimorya083
 
Market Analysis in the 5 Largest Economic Countries in Southeast Asia.pdf
Market Analysis in the 5 Largest Economic Countries in Southeast Asia.pdfMarket Analysis in the 5 Largest Economic Countries in Southeast Asia.pdf
Market Analysis in the 5 Largest Economic Countries in Southeast Asia.pdfRachmat Ramadhan H
 
BigBuy dropshipping via API with DroFx.pptx
BigBuy dropshipping via API with DroFx.pptxBigBuy dropshipping via API with DroFx.pptx
BigBuy dropshipping via API with DroFx.pptxolyaivanovalion
 
Log Analysis using OSSEC sasoasasasas.pptx
Log Analysis using OSSEC sasoasasasas.pptxLog Analysis using OSSEC sasoasasasas.pptx
Log Analysis using OSSEC sasoasasasas.pptxJohnnyPlasten
 
100-Concepts-of-AI by Anupama Kate .pptx
100-Concepts-of-AI by Anupama Kate .pptx100-Concepts-of-AI by Anupama Kate .pptx
100-Concepts-of-AI by Anupama Kate .pptxAnupama Kate
 
Discover Why Less is More in B2B Research
Discover Why Less is More in B2B ResearchDiscover Why Less is More in B2B Research
Discover Why Less is More in B2B Researchmichael115558
 
Introduction-to-Machine-Learning (1).pptx
Introduction-to-Machine-Learning (1).pptxIntroduction-to-Machine-Learning (1).pptx
Introduction-to-Machine-Learning (1).pptxfirstjob4
 
Call me @ 9892124323 Cheap Rate Call Girls in Vashi with Real Photo 100% Secure
Call me @ 9892124323 Cheap Rate Call Girls in Vashi with Real Photo 100% SecureCall me @ 9892124323 Cheap Rate Call Girls in Vashi with Real Photo 100% Secure
Call me @ 9892124323 Cheap Rate Call Girls in Vashi with Real Photo 100% SecurePooja Nehwal
 
Data-Analysis for Chicago Crime Data 2023
Data-Analysis for Chicago Crime Data 2023Data-Analysis for Chicago Crime Data 2023
Data-Analysis for Chicago Crime Data 2023ymrp368
 
Ravak dropshipping via API with DroFx.pptx
Ravak dropshipping via API with DroFx.pptxRavak dropshipping via API with DroFx.pptx
Ravak dropshipping via API with DroFx.pptxolyaivanovalion
 
Edukaciniai dropshipping via API with DroFx
Edukaciniai dropshipping via API with DroFxEdukaciniai dropshipping via API with DroFx
Edukaciniai dropshipping via API with DroFxolyaivanovalion
 
Delhi Call Girls CP 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip Call
Delhi Call Girls CP 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip CallDelhi Call Girls CP 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip Call
Delhi Call Girls CP 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip Callshivangimorya083
 
Mature dropshipping via API with DroFx.pptx
Mature dropshipping via API with DroFx.pptxMature dropshipping via API with DroFx.pptx
Mature dropshipping via API with DroFx.pptxolyaivanovalion
 
BDSM⚡Call Girls in Mandawali Delhi >༒8448380779 Escort Service
BDSM⚡Call Girls in Mandawali Delhi >༒8448380779 Escort ServiceBDSM⚡Call Girls in Mandawali Delhi >༒8448380779 Escort Service
BDSM⚡Call Girls in Mandawali Delhi >༒8448380779 Escort ServiceDelhi Call girls
 

Último (20)

April 2024 - Crypto Market Report's Analysis
April 2024 - Crypto Market Report's AnalysisApril 2024 - Crypto Market Report's Analysis
April 2024 - Crypto Market Report's Analysis
 
Generative AI on Enterprise Cloud with NiFi and Milvus
Generative AI on Enterprise Cloud with NiFi and MilvusGenerative AI on Enterprise Cloud with NiFi and Milvus
Generative AI on Enterprise Cloud with NiFi and Milvus
 
Best VIP Call Girls Noida Sector 22 Call Me: 8448380779
Best VIP Call Girls Noida Sector 22 Call Me: 8448380779Best VIP Call Girls Noida Sector 22 Call Me: 8448380779
Best VIP Call Girls Noida Sector 22 Call Me: 8448380779
 
Vip Model Call Girls (Delhi) Karol Bagh 9711199171✔️Body to body massage wit...
Vip Model Call Girls (Delhi) Karol Bagh 9711199171✔️Body to body massage wit...Vip Model Call Girls (Delhi) Karol Bagh 9711199171✔️Body to body massage wit...
Vip Model Call Girls (Delhi) Karol Bagh 9711199171✔️Body to body massage wit...
 
Best VIP Call Girls Noida Sector 39 Call Me: 8448380779
Best VIP Call Girls Noida Sector 39 Call Me: 8448380779Best VIP Call Girls Noida Sector 39 Call Me: 8448380779
Best VIP Call Girls Noida Sector 39 Call Me: 8448380779
 
Delhi Call Girls Punjabi Bagh 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip Call
Delhi Call Girls Punjabi Bagh 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip CallDelhi Call Girls Punjabi Bagh 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip Call
Delhi Call Girls Punjabi Bagh 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip Call
 
Market Analysis in the 5 Largest Economic Countries in Southeast Asia.pdf
Market Analysis in the 5 Largest Economic Countries in Southeast Asia.pdfMarket Analysis in the 5 Largest Economic Countries in Southeast Asia.pdf
Market Analysis in the 5 Largest Economic Countries in Southeast Asia.pdf
 
BigBuy dropshipping via API with DroFx.pptx
BigBuy dropshipping via API with DroFx.pptxBigBuy dropshipping via API with DroFx.pptx
BigBuy dropshipping via API with DroFx.pptx
 
Log Analysis using OSSEC sasoasasasas.pptx
Log Analysis using OSSEC sasoasasasas.pptxLog Analysis using OSSEC sasoasasasas.pptx
Log Analysis using OSSEC sasoasasasas.pptx
 
100-Concepts-of-AI by Anupama Kate .pptx
100-Concepts-of-AI by Anupama Kate .pptx100-Concepts-of-AI by Anupama Kate .pptx
100-Concepts-of-AI by Anupama Kate .pptx
 
Delhi 99530 vip 56974 Genuine Escort Service Call Girls in Kishangarh
Delhi 99530 vip 56974 Genuine Escort Service Call Girls in KishangarhDelhi 99530 vip 56974 Genuine Escort Service Call Girls in Kishangarh
Delhi 99530 vip 56974 Genuine Escort Service Call Girls in Kishangarh
 
Discover Why Less is More in B2B Research
Discover Why Less is More in B2B ResearchDiscover Why Less is More in B2B Research
Discover Why Less is More in B2B Research
 
Introduction-to-Machine-Learning (1).pptx
Introduction-to-Machine-Learning (1).pptxIntroduction-to-Machine-Learning (1).pptx
Introduction-to-Machine-Learning (1).pptx
 
Call me @ 9892124323 Cheap Rate Call Girls in Vashi with Real Photo 100% Secure
Call me @ 9892124323 Cheap Rate Call Girls in Vashi with Real Photo 100% SecureCall me @ 9892124323 Cheap Rate Call Girls in Vashi with Real Photo 100% Secure
Call me @ 9892124323 Cheap Rate Call Girls in Vashi with Real Photo 100% Secure
 
Data-Analysis for Chicago Crime Data 2023
Data-Analysis for Chicago Crime Data 2023Data-Analysis for Chicago Crime Data 2023
Data-Analysis for Chicago Crime Data 2023
 
Ravak dropshipping via API with DroFx.pptx
Ravak dropshipping via API with DroFx.pptxRavak dropshipping via API with DroFx.pptx
Ravak dropshipping via API with DroFx.pptx
 
Edukaciniai dropshipping via API with DroFx
Edukaciniai dropshipping via API with DroFxEdukaciniai dropshipping via API with DroFx
Edukaciniai dropshipping via API with DroFx
 
Delhi Call Girls CP 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip Call
Delhi Call Girls CP 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip CallDelhi Call Girls CP 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip Call
Delhi Call Girls CP 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip Call
 
Mature dropshipping via API with DroFx.pptx
Mature dropshipping via API with DroFx.pptxMature dropshipping via API with DroFx.pptx
Mature dropshipping via API with DroFx.pptx
 
BDSM⚡Call Girls in Mandawali Delhi >༒8448380779 Escort Service
BDSM⚡Call Girls in Mandawali Delhi >༒8448380779 Escort ServiceBDSM⚡Call Girls in Mandawali Delhi >༒8448380779 Escort Service
BDSM⚡Call Girls in Mandawali Delhi >༒8448380779 Escort Service
 

Introduction to MITRE ATT&CK

  • 1. 1 MITRE ATT&CKTM FRAMEWORK Threat Intelligence Detection, Analytics & Hunting f Assessment & Engineering L Threat Emulation L G ARPAN RAVAL null Bangalore & OWASP Bangalore Meet 28th March 2020
  • 2. WHOAMI ❖Arpan Raval ❖Senior Threat Analyst @Optiv Inc ❖DFIR and Threat Hunting ❖Twitter @arpanrvl ❖https://www.linkedin.com/in/arpanraval
  • 4. MITRE ATT&CKTM ▪MITRE •R&D focused, federally funded non-profit org ▪ATT&CK •Knowledge base of adversary’s behaviors collected based on real world observations and attacks •Describes and Categorize adversarial behavioral in different phases of attack cycle. •Common Language
  • 6. 6 Tactical Behavioral ▪ Reactive Indicators of Compromise ▪ Doesn’t work for malware-free intrusions ▪ Point in time artifacts ▪ Proactive Indicators of Attack ▪ Defined by adversary's behavior ▪ Real time https://www.crowdstrike.com/blog/indicators-attack-vs-indicators-compromise/
  • 7. Matrix Tactic Enterprise 12 Mobile 13 ICS 11 Enterprise Mobile ICS Initial Access Initial Access Collection Execution Persistence Command and Control Persistence Privilege Escalation Discovery Privilege Escalation Defense Evasion Evasion Defense Evasion Credential Access Execution Credential Access Discovery Impact Discovery Lateral Movement Impair Process Control Lateral Movement Impact Inhibit Response Function Collection Collection Initial Access Command and Control Exfiltration Lateral Movement Exfiltration Command and Control Persistence Impact Network Effects Remote Service Effects MITRE Explained: Tactic 7 ▪Answers Why? for adversary’s actions. ▪Adversary’s objective behind an action ▪Represented by Columns in MITRE ATT&CK Matrix Example An adversary want to achieve credential access.
  • 8. MITRE Explained: Technique 9 ▪Answers how? for adversary’s objective achievement. ▪Adversary used a technique to achieve an objective ▪Represented by individual cell in MITRE ATT&CK Matrix Matrix Technique PRE-ATT&CK 174 Enterprise 266 Mobile 79 ICS 81 Example Example: an adversary may dump credentials to achieve credential access.
  • 9. MITRE Explained: Technique-Metainfo 10 ❖Tactic: Related MITRE Tactic ❖Platform: Required platform for a technique to work in. ❖Permissions Required: Lowest permission for an adversary to implement the technique ❖Effective Permissions: Permission an adversary achieves after successful implementation of the technique ❖Data Sources: Recommended data to be collection for detection of the technique
  • 10. MITRE Explained: Procedure 11 ▪Answers what? for adversary’s technique usage. ▪Actual implementation of each technique. ▪Individual technique has a page for description, examples, sources, references. Example A procedure could be an adversary using PowerShell to inject into lsass.exe to dump credentials by scraping LSASS memory on a victim.
  • 11.
  • 12. MITRE Explained: Sub Technique 13 ▪Sub-techniques are a way to describe a specific implementation of a technique in more detail. OS Credential Dumping ▪ LSASS Memory ▪ Security Account Manager ▪ NTDS ▪ DCSync ▪ Proc File System ▪ etc/passwd
  • 13. MITRE Explained: Enumeration 14 Tactic Example Technique Obtaining Persistence via Windows Service Creation Privilege Escalation via Legitimate Credentials Reuse Defense Evasion via Office-Based Malware Credential Access via Memory Credential Dumping Discovery via Built-In Windows Tools Lateral Movement via Share Service Accounts Execution via PowerShell Execution Collection via Network Share Identification Exfiltration via Plaintext Exfiltration Impact via Data Encryption
  • 14. Detection and Analytics Adversary Emulation and Red Teaming Threat Intelligence Assessment and Engineering MITRE ATT&CK Use Cases . T f d
  • 15. Improve Detection & Visibility Capability with MITRE ATT&CK 21
  • 16. PRIORITIZED MITRE ATT&CK SUBSETS 22 Let’s create our own prioritized MITRE ATT&CK Subset based adversarial TTPs based derived from any of these: ❖ Threat Intelligence ❖ Whitepapers ❖ Data Sources ❖ Ad-Hoc Requests Note: Matrix in upcoming slides are example matrix with dummy data for which not necessarily is true or to promote any tool/technology.
  • 17. MITRE DETECTION MAPPING 23 MITRE Enumeration Initial Access Persistence Privilege Escalation Defense Evasion Credential Access Discovery Lateral Movement Execution Collection Exfiltration Command and Control External Remote Services DLL Search order Hijacking WDATP Brute Force Elastic Account Discovery Elastic Windows Remote Management TBD Automated Collection UEBA Automated Exfiltration ZScaler Commonly Used Port ZScaler Valid Accounts UEBA Credential Dumping WDATP Application Window Discovery ZScaler COM and DCOM Elastic Clipboard Data WDATP Data Compressed ZScaler Communicatio n Through Removable Media Symantec DLP Spearphishing Attachment TBD Accessibility Features TBD Indicator Removal on Host WDATP Application Deployment Software Elastic Command Line WDATP Data Staged UEBA Data Encrypted Symantec DLP Spearphishing Link TBD AppInit DLLS WDATP Masquerading WDATP Credential Manipulation UEBA File and Directory Discovery UEBA Execution through API TBD Data from Local System UEBA Data Transfer Size Limits TBD Custom Command and Control Protocol Symantec DLPAppCert DLLs WDATP Decode File or Info TBD Pass the Ticket WDATP Graphic User Interface TBD Data from Network Shared Drive ZScaler Exfiltration Over Alternative Protocol ZScalerApplication Shimming TBD DLL Side- Loading WDATP Credentials in Files UEBA WDATP Process Discovery Elastic InstallUtil WDATP Custom Cryptographic Protocol ZScalerNew Service TBD Disabling Security Tools Elastic Input Capture WDATP Remote Desktop Protocol Elastic PowerShell WDATP No detection Detected, No validation Detected Key
  • 18. DATA SOURCE MAPPING 24 MITRE Enumeration Data does not exist Data exists, not monitored Data exists analyzed and monitoredKey Initial Access Persistence Privilege Escalation Defense Evasion Credential Access Discovery Lateral Movement Execution Collection Exfiltration Command and Control External Remote Services DLL Search order Hijacking Brute Force Account Discovery Windows Remote Management Automated Collection Automated Exfiltration Commonly Used Port Valid Accounts Credential Dumping Application Window Discovery COM and DCOM Clipboard Data Data Compressed Communicatio n Through Removable MediaSpearphishing Accessibility Features Indicator Removal on Host Application Deployment Software Command Line Data Staged Data Encrypted Spearphishing Link AppInit DLLS Masquerading Credential Manipulation File and Directory Discovery Execution through API Data from Local System Data Transfer Size Limits Custom Command and Control ProtocolAppCert DLLs Decode File or Info Pass the Ticket Graphic User Interface Data from Network Shared Drive Exfiltration Over Alternative Protocol Application Shimming DLL Side- Loading Credentials in Files Process Discovery InstallUtil Custom Cryptographic Protocol New Service Disabling Security Tools Input Capture Remote Desktop Protocol PowerShell
  • 20. DETECTION MATURITY HEATMAP 26 MITRE Enumeration Limited Initial Stable Current InnovativeMaturity Key Initial Access Persistence Privilege Escalation Defense Evasion Credential Access Discovery Lateral Movement Execution Collection Exfiltration Command and Control External Remote Services DLL Search order Hijacking Brute Force Account Discovery Windows Remote Management Automated Collection Automated Exfiltration Commonly Used Port Valid Accounts Credential Dumping Application Window Discovery COM and DCOM Clipboard Data Data Compressed Communicatio n Through Removable MediaSpearphishing Attachment Accessibility Features Indicator Removal on Host Application Deployment Software Command Line Data Staged Data Encrypted Spearphishing Link AppInit DLLs Masquerading Credential Manipulation File and Directory Discovery Execution through API Data from Local System Data Transfer Size Limits Custom Command and Control Protocol AppCert DLLs Decode File or Info Pass the Ticket Graphic User Interface Data from Network Shared Drive Exfiltration Over Alternative Protocol Application Shimming DLL Side- Loading Credentials in Files Process Discovery InstallUtil Custom Cryptographic Protocol New Service Disabling Security Tools Input Capture Remote Desktop Protocol PowerShell
  • 21. 27 If you know neither the enemy nor yourself, you will succumb in every battle. - Sun Tzu -
  • 22. Don’t Do This 28 ❖ Use Matrix as a Checklist to Create Alerts for everything ▪ Specific Technique – High Fidelity Alert ▪ Less Specific Technique – Data Enrichment ❖ Believe Matrix is every possible attack behavior ▪ Adversaries probably don’t report their own TTPs to MITRE ❖ Replace fundamentals with MITRE ATT&CK ▪ Term Does not found (404): MITRE COMPLIANT ❖ Make it Green if you detect one command of Technique ▪ There can be N number of procedure to implement a technique.
  • 29. ATT&CK is not juts a Framework, ATT&CK is community!
  • 30. References and Awesome Resources 36 ▪ Indicators of Attack vs Indicators of Compromise ▪ https://www.crowdstrike.com/blog/indicators-attack-vs-indicators-compromise ▪ Using ATT&CK for Cyber Threat Intelligence ▪ https://attack.mitre.org/resources/training/cti/ ▪ MITRE ATT&CK Getting Started ▪ https://attack.mitre.org/resources/getting-started/ ▪ ATT&CK Con Talks ▪ https://attack.mitre.org/resources/attackcon/ ▪ ATT&CK 101 ▪ https://medium.com/mitre-attack/att-ck-101-17074d3bc62 ▪ ATT&CK Sub Technique Preview ▪https://medium.com/mitre-attack/attack-sub-techniques-preview-b79ff0ba669a ▪ 2020 ATT&CK Roadmap ▪https://medium.com/mitre-attack/2020-attack-roadmap-4820d30b38ba