ATT&CKcon 3.0 Presentations and Sponsors

ATT&CKcon 3.0 Keynote. Read the accompanying blog post as well.

When it comes to understanding and tracking intrusion tradecraft, security teams must have the tools and processes that allow the mapping of hands-on adversary tradecraft. Doing this enables your team to both understand the adversaries and attacks you currently see and observe how these adversaries and attacks evolve over time. This session will explore how a threat hunting team uses MITRE ATT&CK to understand and categorize adversary activity. The team will demonstrate how threat hunters map ATT&CK TTPs by showcasing a recent interactive intrusion against a Linux endpoint and how the framework allowed for granular tracking of tradecraft and enhanced security operations. They will also take a look into the changes in the Linux activity they have observed over time, using the ATT&CK navigator to compare and contrast technique usage. This session will provide insights into how we use MITRE ATT&CK as a powerful resource to track intrusion tradecraft, identify adversary trends, and prepare for attacks of the future.

The Trellix team believes that creating and sharing compelling stories about cyber threats -with ATT&CK- is a powerful way for raising awareness and enabling actionability against cyber threats.In this talk the team will share their experiences leveraging ATT&CK to disseminate Threat knowledge to different audiences (Software Development teams, Managers, Threat detection engineers, Threat hunters, Cyber Threat Analysts, Support Engineers, upper management, etc.).They will show concrete examples and representations created with ATT&CK to describe the threats at different levels, including: 1) an Attack Path graph that shows the overall flow of the attack; 2) Tactic-specific TTP summary tables and graphs; 3) very detailed, step-by-step description of the attacker's behaviors.

Having ATT&CK to identify threats, prioritize data sources, and improve security posture has been a huge step forward for our industry, but how do we actualize those insights for better detection and alerting? By shifting to observations of behavior over one-to-one direct alerts, noisy datasets become valuable treasure troves with ATT&CK metadata. Additionally, we can begin to look at detection and threat hunting on behavior instead of users or systems. In this presentation, Haylee will discuss the shift in mindset and the nuts and bolts of detections that leverage this metadata in Splunk, but the concept can be applied with custom tools to any valuable security dataset.

As defenders, we often find ourselves wanting "more" data. But why? Will this new data provide a lot of value or is it for a very niche circumstance? How many attacks does it apply to? Are we leveraging previous data sources to their full capability? Within this talk, Olaf and Jonny will walk through different data sources they leverage more than most when analyzing data within environments, why they do, and what these data sources do and can provide in terms of value to a defender.

Since it's inception in 2015, the ATT&CK framework has achieved widespread adoption, with recent studies suggesting over 80 percent of companies using the framework for cyber security. Over the last seven years, a variety of use cases has been explored with different measures of success. In this presentation, Gert-Jan will explore applying the ATT&CK framework in scenario-based defense. When adopting a scenario approach, security teams collaborate to fuse their understanding of certain situations into scenarios. For example, addressing different hypotheses that can be explained to leadership and specialist teams alike. This approach requires more than "just" breaking down everything into tactics, techniques, and procedures. Some stakeholders might not understand that. For example, some might want to tell a good story about adversaries while others want to translate their understanding of intrusions into a sequential pattern. The objective of this talk is to explore how the granularity of the framework supports creation of scenarios, the limitations in the current approach to ATT&CK when building scenarios across different stakeholders, and addressing potential areas the "language of ATT&CK" can evolve towards over the next 5 years.

Many organizations ask: "Where do I start, and where do I go next" when prioritizing implementation of behavior-based detections? We often hear "use threat intelligence!" but your goals must be qualified and quantified in order to properly prioritize the most relevant TTPs. A wealth of open-sourced, ATT&CK-mapped resources now exists, giving security teams greater access to both detections and red team tests they can implement, but intelligence (also aligned with ATT&CK), is essential to provide necessary context to ensure that detection efforts are focused effectively.
This session will discuss a new approach to the prioritization challenge, starting with an analysis of the current defensive landscape, as measured by ATT&CK coverage for more than a dozen detection repositories and technologies, and guidance on sourcing TTP intelligence. The team will then show how real-world defensive strategies can be strengthened by encompassing a full-spectrum view of threat detection, including the implementation of YARA, Sigma, and Snort in security appliances. Critically, alignment of both intelligence and defenses with ATT&CK enables defenders to move the focus of detection efforts to indications of malicious behavior before the final payload is deployed, where controls are most effective at preventing serious damage to the organization.

Every cybersecurity leader wants visibility into the health of their security program. Yet teams suffer with disparate data streams - CTI teams and the SOC often use separate Excel spreadsheets, an anachronistic practice - and silos constrain their ability to operate effectively. Enter the Jupyter notebook, an open-source computational notebook that researchers use to combine code, computing output, text, and media into a single interface. In this talk, we share three stories of how organizations use Jupyter notebooks to align ATT&CK-based attack flows to the security program, generating data about detection and prevention failures, defensive gaps, and longitudinal performance. By using Jupyter notebooks in this way, teams can better leverage ATT&CK for security effectiveness. It becomes less of a bingo card and more of a strategic tool for understanding the health of the program against big tactics (I.e., lateral movement), defensive gaps (I.e., micro-segmentation), and the team's performance.

The MITRE ATT&CK framework has improved many areas within the infosec workflow. But many of these select areas are those that are relatively isolated from the tactical operations faced every day by lower or mid-tier analysts. When faced with alert fatigue and an ever-growing number of data sources, the impact of ATT&CK can become esoteric to non-existent. In this presentation experts from Siemplify propose the problem be looked at like an orchestra with its dozens of instrument types. Without a conductor to guide each section there would only be noise, but with the conductor leading, beautiful symphonies can now be played. The Siemplify team plan to show how a SOAR platform can be that conductor using the ATT&CK framework as its sheet music, and turn the constant noise into a threat intel driven security program.

Since the release of MITRE ATT&CK, vendors and governmental bodies have begun mapping their security blogs, whitepapers, and threat intel reports to ATT&CK TTPs, which is incredible! Vendors have then begun mapping their detections to those mapped TTPs, which is even more awesome! What is not awesome is dissecting a piece of prose for all of the specific embedded ATT&CK technique IDs and then mapping them to your detections to determine coverage. Over the last year, the team at Splunk has spent more time doing this than they would like to admit, so they wrote a tool to do it for them and want to share it with the world. Join the Splunk team as they tell the world about ATT&CK Detections Collector (ADC). ADC is an open-source python tool that will allow you to extract MITRE technique IDs from a third-party URLs and output them into a file. If you use Splunk, the team even maps them to their existing (previously mapped) detection corpus. They even added the ability to export them into a navigator json for fun, profit, or (at least) better visualization!

Financially motivated cyber-attacks thrive in emerging Latin American markets. However, there's room for locally grown threat actors operating in the cyber espionage field as well. During the last decade, this includes but is not limited to Blind Eagle, Puppeteer, Machete, Poseidon, and others. We also saw foreign operations targeting specific assets in Latin America, still connected to certain regional sources.Since the threat actors' origin, culture, and language is often different, it's not uncommon for tactics, techniques, and procedures (TTPs) to present marked differences. As a result of our regional expertise and experience, we created MITRE's ATT&CK play-by-play mappings to help other analysts understand regional actors. If you are interested in threat intelligence and what's going on in Latin America, this presentation is for you. Our work is based only on real-world attackers and their operations, including those not publicly known, such as COVID-19 Machete's targeted campaign.

When an adversary engages in a specific behavior, they are vulnerable to expose an unintended weakness. By looking at each ATT&CK technique, we can examine the weaknesses revealed and identify an engagement activity or activities to exploit this weakness.During the presentation we will see some real examples of how we can use different ATT&CK techniques in order to plan different adversary engagement activities.

Insider threats are some of the most treacherous and every organization is susceptible: it's estimated that theft of Intellectual Property alone exceeds $600 billion a year. Armed with intimate knowledge of your organization and masked as legitimate business, often these attacks go unnoticed until it's too late and the damage is done. To make matters worse, threat actors are now trying to lure employees with the promise of large paydays to help carry out attacks. These advanced attacks require advanced solutions, and we are going to demonstrate how we are using the MITRE ATT&CK framework to proactively combat these threats. Armed with these tactics and techniques, we show you how to build intelligent detections to help secure even the toughest of environments.

Social engineering (SE) is a technique used by cybercriminals to psychologically manipulate individuals into disclosing sensitive information and providing unauthorized access. Penetration testers are tasked with simulating targeted attacks on a company's system to determine any weaknesses in their environment. The 2021 Summer SE Pen Test Competition allowed students to experience SE pen testing in a safe and ethical way. Student teams were "hired" to conduct a SE pen test on the CARE Lab (run by the authors) and their employees (the authors themselves)! Teams had to use OSINT, phishing, and vishing in real-time to target the lab, develop attack playbooks, and map the techniques to the ATT&CK framework. This talk shares the application of ATT&CK in cybersecurity education. Specifically, it (i) focuses on how students map their SE attack playbooks to the ATT&CK framework, (ii) compares/contrasts SE techniques across various student groups: 6 graduate teams, 9 undergraduate teams, and 1 high school team, and (iii) how ATT&CK can be used for SE.

Atomic Red Team and Sigma are the largest open-source attack simulation and analytic projects. Many organizations utilize one or both internally for security controls validation or supplementing their detections and alerts. Building on the work from these two great communities, we smashed (scientific-term) the attacks and analytics together and applied data science to analyze the results. We'll describe our methodology and testing framework, show the real-world MITRE ATT&CK coverage and gaps, discuss our algorithms for calculating analytic similarity, identifying log sources for a technique, and determining the best analytics to deploy that maximizes ATT&CK coverage. This project aims to:
- Bring a measurable testing rigor to community analytics to improve adoption
- Test every analytic against every attack, validating the true positive detection
- Understand the log sources required to detect specific attack techniques
- Apply data science to identify analytic similarity (reduce community duplication)
- Identify gaps between the projects' analytics without attack simulations; attack simulations without detections; missing or incorrect MITRE ATT&CK labels, etc
- Automate the process so insights can stay up to date with new attack/analytic contributions over time
- Share our analysis back to the community to improve these projects

This presentation will highlight the Atomic Red Team project's efforts to define and increase the test coverage of MITRE ATT&CK techniques. We'll describe the challenges we encountered in defining what "coverage" means in the context of an ATT&CK-based framework, and how to use that definition to improve an open source project that's used by a diverse audience of practitioners to satisfy an equally diverse array of needs. The audience will learn how the Atomic Red Team maintainers standardize and categorize atomic tests, perform gap analysis to achieve deep technique-level coverage and broad matrix-level coverage, and quickly fill those gaps with new tests.

Adversaries target common cloud misconfigurations in container-focused workflows for initial access. Whether this is Docker or Kubernetes environments, Lacework Labs has identified adversaries attempting to deploy malicious container images (T1610) , mine Cryptocurrency (T1496), and deploy C2 agents. Defenders new to the container space may be unaware of the built-in capabilities popular container runtime engines have that can help defend against rogue containers being deployed into their environment. Attendees will walk away with an understanding of what these attack patterns look like based on honeypot data Lacework has gathered over the past year, as well as techniques on how to defend their own container focused workloads.

The purpose of this session will be to look at how you can take public information about threat actors, vulnerabilities, and incidents and use them to build better defenses, utilizing ATT&CK along the way to align your security organization to the people and assets that matter.Stories are critical to how humans learn, so this session will leverage a story book approach to give the audience some ideas on approaches they could use. Tim will take the audience through 3 real world examples where he has leveraged ATT&CK to drive operational improvement. The premise of each story will be real, although some of the details will be apocryphal to protect the innocent.One story will focus on defending a network, one will look at adversary detection, while the final one will look at responding to an active attack and in each case, Tim will guide the audience to think about the kinds of data sources that ATT&CK tracks, that they might call upon to achieve a successful outcome.