ATT&CKcon 2.0 Presentations and Sponsors

ATT&CK Threat Intelligence Lead Katie Nickels welcomes attendees and introduces the members of the ATT&CK team.

In the keynote from ATT&CKcon 2.0, Toni Gidwani from Google’s Threat Analysis Group presents "The Friends We Made Along the Way." The talk focuses on the purpose of intelligence, to create a decision advantage, and the partnerships that are necessary to achieve that purpose.

MITRE ATT&CK Lead Blake Strom updates the community on what’s new in ATT&CK since ATT&CKcon 2018 and some of what to expect in the coming year. This talk includes details on ATT&CK for Cloud, the new Impact Tactic, structured mitigations, and the upcoming shift to sub-techniques.

In October 2018, Nationwide began its MITRE ATT&CK journey. Nationwide looked at a number of different approaches to getting started, but it wasn’t until they prioritized efforts based on threat actors likely to target the finance/insurance industry that things started to click. Ultimately, Nationwide focused on 27 high concern threat actors targeting their industry, reducing the overall number of techniques from 240+ to 91. With this manageable chunk of techniques, Nationwide was able to test, analyze, and provide recommendations for improving its detection and mitigation capabilities. Nationwide is continuing to keep threat actor focus at the heart of its ATT&CK efforts, leading to prioritization of remediation actions, integration into penetration testing, and selection of security tools.

In a world of limited resources, organizations have to be strategic and meticulous in their planning and selection of security controls and the MITRE ATT&CK model has become an important piece for categorizing and understanding adversary techniques and contextualizing our own defenses. However, there still underlies a difficult question, where should organizations start and how should they prioritize their cybersecurity efforts? Join CIS as we explore our attempt to tackle this problem through the use of our community, content and real-world threat data collected as part of the Multi-State Information Sharing and Analysis Center (MS-ISAC). Participants should look forward to learning how to prioritize their security efforts and leverage the process for their own data and threats.

Community members continually ask, should I have detection capabilities across every technique in ATT&CK? This question inevitably leads to the same conclusion that not every technique is alertable and not all of them provide the same value for immediate detection. In this session we’ll discuss the concept of alertable detections using Linux ATT&CK techniques as a case study. We’ll introduce decision criteria we’ve learned through experience to illustrate the challenges, and we’ll recommend specific techniques that work well with an alert-driven workflow.

Updates from the ATT&CK Team's very own Jackie Lasky and Sarah Yoder covering Threat Report ATT&CK Mapping (TRAM).

It's the year 2019 and the internet has been around long enough to be filled with what seems to be "ancient" data. Digging through, classifying and analyzing everything sometimes makes you feel a lot like Indiana Jones searching for the right clues in a moving puzzle. But how could you move through the caves without getting buried under piles of data rubble? How might anyone revisit and study the data from the past to transform it into actionable information for the present? In this talk we are going to show you how a threat intel Indiana Jones analyst should tackle these issues in order to find the treasure of the Threat Library. We will show you how we used the MITRE ATT&CK Framework as our book of secrets for turning dusty old Internet artifacts into a library of actionable Threat Intelligence.

CrowdStrike’s OverWatch threat hunting team has continued to mature in its use of the ATT&CK framework to categorize and track targeted adversary behavior. This presentation will build on our talk from last year’s ATT&CKcon, where we shared tactic/technique trends and unique examples observed in the wild. Since that time, we have taken a number of steps to enhance our usage of ATT&CK, including:

• Mapping of hunting leads to ATT&CK techniques
• Based on that mapping, auto-tagging techniques used in any given intrusion observed in our data set
• For that intrusion, automatically extracting process data to easily create tables of TTP details (“ATT&CK Sightings”)
• Supplementing automated ATT&CK technique tagging by human analyst reviews
• Leveraging MISP’s API to build ATT&CK heat maps with an array of filters on demand

By using practices like those outlined above, we have been able to continue building what is likely the most comprehensive and detailed library of targeted intrusion data from the wild that is mapped to ATT&CK. As such, the presentation will also share significant trends and techniques from the intrusions we’ve analyzed over the past year.

The story of one man's crusade to convince the Senior Management of a fortune 500 company that security resources were needed beyond the perimeter, and the role ATT&CK played in those decisions. This talk documents the creation and persuasion required to create a successful threat hunting program at an enterprise level, and how the Mitre ATT&CK framework made this possible for one investigator, in his spare time, to prove the program's worth to senior management within 1 year of creation.

Updates from the ATT&CK Team's very own John Wunder covering ATT&CK Sightings.

Today many organizations are using Bro (newly named Zeek) for network security monitor as it provides a powerful network analysis framework. This presentation will describe how to leverage Zeek to report on ATT&CK TTPs, raw events and other detectable activities. Key take-aways include how to report on sightings and occurrences of ATT&CK TTPs and events providing both metrics and gap analysis to inform security operations teams on where their defense may require improvement.

The ATT&CK framework provides a standardized way for organizations to record and share attacker techniques used at each stage in attacker campaigns. Having and sharing this discrete, normalized attacker behavior is great, but these normalized bundles of incident events can also be used to identify areas of improvement in both incident response teams as well as by vendors who provide tools/solutions to triage and manage incidents.

This talk will introduce {attckr}: an R package and application that provides programmatic, command-line, and interactive tools to analyze and visualize incident ATT&CK metrics. Attendees will see real-life (i.e. using real, anonymized incident data) examples of how to look across an ATT&CK incident corpus to identify trends (or outliers), support the development of ATT&CK incident baseline metrics, and develop reports and visualizations to assist in communicating operational performance, threat event frequency & type distributions for risk analysis, and identification of strengths and weaknesses in detection capability.

MITRE ATT&CK has quickly become the industry standard for referencing techniques. All though the framework is a great and valuable asset it is still lacking actionable detail on may levels to most people. I've bridged that gap by building a relatively simple assessment toolkit to visualize your potential coverage from the data already present in your environment, your mitigative measures and your detection content. The toolkit will help you focus your efforts based on your data and your goal.

Richard Struse explores the concept of a threat-informed defense and talks about ways of moving the cyber security community forward.

State actors, private influence operators and grassroots groups are exploiting the openness and reach of the Internet to manipulate populations at a distance. They are extending a decades-long struggle for “hearts and minds” via propaganda, influence operations and information warfare, often in the form of coordinated incidents that are part of longer-timescale narrative-based campaigns.

The Credibility Coalition is an interdisciplinary community committed to addressing the proliferation and amplification of misinformation online, through transparent and collaborative research. Its MisinfoSec working group develops information security-based standards to promote a more formal and rigorous treatment of 1) detecting misinformation-based attacks and 2) devising methods to protect against misinformation-based attacks. Specifically, we have adapted and extended frameworks used to describe information security incidents, for use in ISACs, ISAOs and other groups sharing misinformation threats and responses.

In this talk, we discuss misinformation and why stage-based frameworks like ATT&CK are appropriate for it. We describe the AMITT (Adversarial Misinformation and Influence Tactics and Techniques) misinformation response framework and its roots in and deliberate compatibility with ATT&CK, its creation, relationships with other models, its components (including ways, means, and ends to achieve influence goals) and potential uses.

Attackers keep innovating their TTPs to circumvent established defenses, so gaining insight into attacker innovation is fundamental. Our Twitter feeds are saturated with helpful reports daily, but how does this relate to trends and developments within the threat ecosystem as a whole? Take a step back, relax and get an ATT&CK-based overview of 15 years TTP evolution to inform your defense.

This presentation will discuss ATT&CK techniques found in 950+ unique Windows malware families as part of an academic research project. With the malware harvested from an unbiased and reputable source, a representative view on 15 years of evolution in the malware field is ensured. For each ATT&CK tactic, the talk provides insight into trends and shifts in real-world adversary behavior. It will also highlight how a malware analysis automation pipeline can introduce biases into your CTI and based on that, best practices on how ATT&CK can be used to ensure CTI accuracy. This entertaining presentation provides practical takeaways that inform and help prioritize your threat defense.

Once upon a time there was a security expert with all kinds of ATT&CK data. There were Atomic tests, breach simulations, and metrics abound! Our hero knew he could mold the data to illustrate a story of triumph. He would deliver magnificent slides and graphs with color and shape that, even the dull c-suite would know he was great. This presentation will teach the audience how to torture ATT&CK data until it confesses. Manipulation of ordinal scales, dirty data, playing into biases, nothing is off limits if it makes us look good. Follow the advice here and you will be ready to tell tall tales with ATT&CK… or for the true hearted tell boring realistic stories.

Updates from the ATT&CK Team's very own Otis Alexander covering ATT&CK for ICS.

"How do we collect the right data for the detection of specific adversarial techniques?" That is a very important and common question for organizations planning on leveraging ATT&CK for their defensive strategy. One approach might be reading the data sources metadata available per each technique in the ATT&CK framework. That is a good first step, and it is already helping organizations to integrate the framework with their current security controls. However, as you go deeper into the specific recommended data sources per technique, it is very important to understand that not every technique variation requires the same data sources. In addition, there needs to be a way to validate if what we are collecting aligns with the data analytics being created. In this talk, we will share our current experiences contributing to the "Data Sources" section of ATT&CK framework and the Cyber Analytics Repository (CAR) project. We will show how to use pre-captured datasets from our open source project named Mordor to expedite simulation of adversarial techniques and validation of data analytics. In addition, we will show how we leverage Jupyter Notebooks to develop and test data analytics from projects like CAR to finish the validation process and provide recommendations.

MITRE ATT&CK^® is more than a glossary of security terminology that offers us a common language to communicate about threats. While each technique includes a description, it also includes a list of the requisite data sources necessary to observe an adversary leveraging that technique—transforming ATT&CK from a nebulous collection of definitions into a practical tool for improving detection coverage. However, in the same way that you can’t simply build alerts for every technique, you can’t gain access to every data source. How do you effectively prioritize data sources so that you are getting the best returns on your visibility investments?

Updates from the ATT&CK Team's very own Mike Long covering controls mapping.

As a research-oriented cybersecurity company that regularly discloses detailed analyses of cyberattacks to clients and/or the public, the introduction of MITRE ATT&CK as a common language to describe adversary techniques and tactics was certainly welcome.

We’ll begin our presentation by introducing exactly how and why we started using ATT&CK, providing examples of mappings in our research publications, as well as the role it plays in enhancing our EDR solutions. We’ll also describe our experience with contributing to the ATT&CK knowledge base.

The main part of the talk will be example-driven. Having played a key role in analyzing some of the most significant cyberattacks in history, we’ll go over the most interesting tactics, techniques, and procedures (TTPs) of the adversaries, mapping them to ATT&CK.

Specifically, we’ll analyze the TTPs of Sednit (a.k.a. APT28), the group reportedly responsible for the Democratic National Committee hack that affected the US 2016 elections, and Telebots (a.k.a. Sandworm), the group behind the first malware-driven electricity blackouts (BlackEnergy and Industroyer) and, the most damaging cyberattack ever (NotPetya).

Finally, we’ll conclude with our analysis of the current threat landscape and trends, and highlight how we anticipate it will shape ATT&CK going forward.

For the past year, Praetorian and Priceline have been working together to conduct a series of Purple Team exercises to improve Priceline’s Detection and Response. These exercises utilized tactics, techniques, and procedures (TTPs) from the MITRE ATT&CK framework to baseline Priceline’s telemetry and analysis capabilities. Praetorian leveraged their recently released Metasploit Framework fork to rapidly automate basic TTPs before working cooperatively with Priceline for more advanced tests.

Priceline then did the heavy lift of ingesting that data, prioritizing shortcomings, and making strategic and tactical decisions to improve their security program. Through the use of ATT&CK, they were able to trace specific lines of effort back to various TTPs. This traceability helped provide support for various decisions as well as facilitated with prioritization. ATT&CK also provided a common taxonomy when working with vendors when gaps in detection were identified. Finally, ATT&CK helped Priceline track improvements through later rounds of testing to help measure the effectiveness of various improvements.

Updates from the ATT&CK Team's very own Ivan Kirillov covering CAR and analytics.

How do you decide where to allocate your security resources and budget? Maybe you've got seasoned security professionals making decisions based on experience and intuition, maybe your decisions are driven by insurance or compliance requirements, or maybe they're completely arbitrary. Whatever the case, we can all associate ATT&CK techniques and data sources with the events we prevent, detect, or respond to. This talk will explore how security professionals can turn their internal security data into community intelligence that enumerates the threats that occur most often, enabling us all to establish data-based priorities that guide the way we spend our money and time—whether we’re buying, developing, or selling security tools.

Vendors often showcase dashboards with 3D rotating globes, animated bar graphs, and enough colors to fill a Crayola 64 pack. In this talk, I'll show how a simple dashboard of dull, boring, non-flashy, inanimate DATATABLES can be used (along with ATT&CK and a decent intel requirements process) to help analysts stay focused.

In this lightning talk, I'll present in the field observations of what elements of ATT&CK organizations can put into action at each maturity level of their security program to start or continue to incorporate and operationalize the MITRE ATT&CK framework.

My talk will be a 5 minute introduction to the concept of applying game theory to our use of Att&ck in predicting adversary actions. I am currently designing a poker style card game along these principles and would like to show off what I have so far.

Tracking and measuring coverage against the ATT&CK framework can be a challenging task. This lighting talk will introduce Att&ck2Jira, a tool that leverages Jira and the Att&ck navigator that can help blue teams automate this effort. No more spreadsheets!

CTI today = static solutions of yesterday. STIX currently adequately supports today’s requirements. What is if we could operationalize attacks (ATT&CK) with it?

Intel-driven Purple Teaming can enhance simulated attacks by using ATT&CK to create real-time tactical information on current threat actor behaviors, as well as validate existing detections and identify gaps in coverage. This lightning talk will be a snapshot into an ad-hoc side project that showed you don’t need a big report or a lot of man hours to ask some interesting questions; you just need a little spontaneity, a single TTP, and of course, ATT&CK.

Providing a quick survey of execution guardrails, environmental keying, and announcing the 2019 nominees for best in-the-wild adversary use of guardrailing.

Updates from the ATT&CK Team's very own Adam Pennington covering PRE-ATT&CK integration.

ATT&CK Threat Intelligence Lead Katie Nickels and ATT&CK Lead Blake Strom wrap up the conference and share the results of the ATT&CKcon 2.0 Birds of a Feather sessions.