ATT&CKcon 5.0

MITRE has a long history of working and contributing in cyber, beginning in the 1970s when cybersecurity was not even a word in the dictionary. Hear from Wen Masters, vice president of cyber technologies, MITRE, on the history of cyber at MITRE, and learn how MITRE is tackling the future technologies like AI and post-quantum cryptography in the cyber threat landscape.

Keynoting at ATT&CKcon 5.0, Allie Mellen, principal analyst, Forrester Research, discusses the human aspects of security analysts, noting we're not short of people wanting to be in this field, we're short people with the right skills to stay in this field.

ATT&CK Lead Adam Pennington discusses the latest changes in MITRE ATT&CK and what's coming down the pike for the framework.

This planet is under attack, and we have brought you here to save it. Within this presentation, we will provide a brief history of Akira ransomware and an overview of the Linux ransomware landscape. Then, morph into action as we take a technical deep dive into the latest Linux variant using the ATT&CK framework to uncover its techniques, tactics, and procedures. We will equip the audience with actionable insights and tracking recommendations to proactively defend against future attacks. Join us in this epic journey to strengthen your defenses and protect your organization from the growing menace of Akira ransomware. Together, let’s harness the power of ATT&CK to defeat villains and ensure a safer world for all!

The MITRE ATT&CK Framework has significantly evolved over the last ten years and its impact on cybersecurity teams is paramount. Likewise, the cyber threat intelligence (CTI) and detection engineering (DE) domains have matured in its principles and outcomes. ATT&CK influences CTI and DE practices by allowing varied cybersecurity teams to communicate tradecraft in a singular language, track and prioritize security threat coverage, and assess threat actor capabilities. However, integrating and maximizing modern ATT&CK use cases in preexisting CTI and DE programs without many resources can be a challenging overhaul. In this presentation, we will discuss the arc of CTI's and DE's evolution due to the prevalence of ATT&CK. We will explore how it can be integrated in cybersecurity programs by providing specific use cases on gap analysis, threat actor prioritization, and blue team tools like VirusTotal and AttackIQ. Finally, we will provide recommendations on building and automating CTI and DE practices that incorporate ATT&CK regardless of resource strain. After attending this talk, attendees will understand how to identify, prioritize, and implement new opportunities to incorporate ATT&CK in CTI and DE programs, impacting the effectiveness of these practices for their respective organizations.

Marcelle Lee, principal information security engineer, Equinix, deep dives on the practical application of MITRE ATT&CK in a corporate environment -- from research to break down TTPs to better understand threats to security controls gap analysis to better identify where gaps may exist based on identified TTPs.

ATT&CK Defensive Lead Lex Crumpton discussed the latest mitigations added for defenders, the work by the Center for Threat-Informed Defense on sensor mappings to ATT&CK, and new SPL analytics to make it easier for defenders to optimize their detection engineering processes.

A core tenet of threat intelligence is the idea that different threats affect different organizations. However, an organization’s industry alone is rarely a key factor in predicting the threats they are likely to face. We know this because we used the North American Industry Classification System (NAICS) to categorize more than 1,000 organizations into sectors and analyzed the disparity in ATT&CK technique abuse and threat prevalence between them. In this talk, we will leverage hundreds of petabytes of data from realized threats to describe the nuanced differences in detection data that do exist between organizations in different industries. We will also explain why those differences likely exist, and we will explore explore the factors within organizations that are better predictors of threat exposure than industry or sector alone. By attending this talk, you will gain a better understanding of: - ATT&CK technique and threat trends across the 20 primary NAICS sectors - factors within organizations that play an important role in differentiating the threats they face - how to think about an organization’s industry or sector during the threat modeling process - the predominance of advantageous adversaries in the threat landscape

In spite of early and frequent warnings not to shout “Bingo,” ATT&CK technique coverage continues to be touted by security products and is used by organizations and purchasers as the basis for evaluating security posture. In coverage-based assessments, having at least one detection rule for as many techniques as possible is prioritized over the depth or quality of detections. But why is this such a bad idea? To understand the implications of coverage-based assessments, we examine the ATT&CK technique annotations in four major endpoint detection rulesets: Carbon Black, Splunk, Elastic, and Sigma. We find that large regions of the Enterprise ATT&CK Matrix are unimplemented in all rulesets (53 Techniques), in part due to the fact that many techniques are unrealizable as endpoint detection rules. We go on to consider how consistently different rulesets apply technique annotations – even when attempting to detect the same malicious entity, products completely disagree about the appropriate ATT&CK technique annotations 51% of the time, while fully agreeing just 2.7% of the time. Put another way, “covering” one technique may not even suggest protection from the same threat across different products. These findings underscore the dangers of coverage-based ATT&CK assessments.

This presentation is a confession of a former FBI profiler who never used MITRE ATT&CK when applying cyber behavioral analysis to design approaches to behaviorally exploit attackers. This cyber deception practitioner’s presentation will share three lessons learned about designing behaviorally based cyber deception and influence campaigns against attackers and attack groups, demonstrating how MITRE ATT&CK could have guided the design of deception and influence campaigns to make them more plausible and more effective at driving attacker behaviors online. This presentation will reference ATT&CK’s historical archive on Volatile Cedar as an example. These confessional lessons learned suggests that MITRE ATT&CK can provide an instrumental design step in conceptualizing and materializing behaviorally based cyber deception and influence campaigns.

ATT&CK CTI Lead Joe Slowik, discusses the latest ATT&CK improvements to hit its cyber threat intelligence goals: capture the relevant threat landscape in a timely fashion, enhance coverage on additional geographics and e-crime actors, and leverage campaign objects for more accurate representation of how activity changes over time.

Before ATT&CK, defenders and intelligence analysts couldn't meaningfully compare notes, since different terms were used for different things, and there was no central repository of definitions to rely on. By providing a common taxonomy of TTPs, MITRE ATT&CK has allowed for the type of coordination, comparison, and collaboration that over the last decade has made defenders meaningfully better at tracking and stopping adversaries. In the world of cyber insurance, we face a similar problem. We lack common definitions and frameworks. When insurers wish to share data analysis or trends, the signals get confused. What is the difference between a ransomware claim, a phishing claim, and a malware claim? When does BEC involve a compromise versus simple impersonation fraud? These definitions matter when we use this data to inform risk profiles, control investments, insurance pricing, and business decisions. Property insurance doesn't confuse hurricanes and tornadoes, and neither should cyber insurance. In this talk we will outline the framework we've developed at Marsh McLennan to tackle this issue, and how we connect to and integrate MITRE ATT&CK. We hope to illuminate some issues, and provide a path forward to clarify the confusion.

Using ATT&CK and MITRE CTID’s StP Frameworks to Assess Threat Detection Resilience - A Guide to Evaluating Threat Detection Coverage. In today's evolving cybersecurity landscape, enhancing threat detection capabilities is crucial. This presentation introduces the practical application of MITRE CTID’s new Summitting the Pyramid (StP) framework to evaluate and improve threat detection resilience using the ATT&CK framework. The StP framework offers a robust methodology to enhance threat detection analytics by evaluating them against the adversary’s cost to evade. It addresses the common issue where many analytics depend heavily on specific tools or artifacts, making them susceptible to low-cost evasion techniques by adversaries. Our journey with StP will uncover its evolution and key concepts such as core ATT&CK techniques, core procedures, preexisting and TA-brought tools, and ephemeral IOCs. We will engage the audience in a poll on real-world threat detection rule bypass strategies. Applying the StP framework to ATT&CK, we'll demonstrate how to evaluate and improve threat detection rule resilience through case studies from real-world assessments. The session will illustrate how integrating the ATT&CK and StP frameworks creates a comprehensive threat risk map, enhancing the qualitative depth of ATT&CK coverage. Attendees will leave with practical knowledge on applying the StP framework, understanding its value, and integrating it with the ATT&CK framework for a robust threat detection strategy.

Detection Coverage is a metric that evaluates how effectively an organization's detection capabilities align with threat actors' techniques, tactics, and procedures (TTPs). Manually assessing detection coverage against the MITRE ATT&CK matrix is time-consuming for organizations, especially considering the many security measures in use, such as SIEM, EDR, and more. Even if organizations attempt complex automation to generate detection coverage from all security products, the detections are not guaranteed to be accurate and up-to-date. This session addresses the issues mentioned above and presents how to perform continuous execution and validation with a minimal infrastructure via GitHub Actions and Docker containers to create a replicated lab environment where we execute atomic tests using Atomic Red Team, generate and send logs to a centralized logging infrastructure, and continuously validate them against Sigma detections. It also demonstrates the immense value of mapping attacks and detections against the MITRE ATT&CK Matrix and visualizes the results using the ATT&CK Navigator. These visualizations offer valuable insights into the organization's security posture, highlighting any missing detections. Furthermore, this talk will provide insights into the hurdles of utilizing Github Actions and Docker containers for threat hunting.

MITRE's Amy Roberston and Joe Slowik close out Day 1 of ATT&CKcon 5.0 and how best to use ATT&CK to better understand the adversary.

Mark Singer, CISA Threat Branch Chief, discusses how cyber is a team sport and dives into a few successful cases studies such as defending Ukraine from Russia.

Malware detectors analyzing the power side-channel have been demonstrated as an effective out-of-band defense for high-assurance embedded systems. Prior work has mainly targeted simple single-core systems focusing on the noisy exploit stages of an attack lifecycle. Such approaches do not scale to modern embedded multi-core platforms running parallel workloads. Detection performance is further exacerbated against inherently stealthy or deliberately evasive attack lifecycles. In this talk, we propose a novel lifecycle-aware power-based malware detector to defend complex multi-core embedded systems against evasive and non-evasive attack lifecycles. We briefly describe an ensemble of state-specific one-class detectors that are trained on different benign operating states and then combined to scale to complex benign scenarios. Next, we introduce the key realization that real-world attacks require a lifecycle of multiple stages to prime the attack, execute it, and perform post-exploit actions. By augmenting the ensemble detector with a lifecycle-aware hidden Markov model that captures general attack lifecycles, we greatly improve detection performance. We test our detector against attack lifecycles formed according to the MITRE ATT&CK matrix using various microarchitecture, software, and network actions and show our lifecycle-aware detector’s strong performance against attack lifecycles that have evaded traditional detectors.

AttackIQ's Rajesh Sharma and Shravan Ravi discuss how human-assisted intelligence agents can help in threat-informed defense.

Casey Knerr, ATT&CK Enterpise Lead, discusses the changes to ATT&CK based on indentity-as-a-service platforms.

We propose a framework where a set of entities (nodes) and the interactions between them (edges) is defined to form an Ontology. Once defined, we attempt to derive many of the concepts defined in ATT&CK, including Data Sources as edges between nodes; Techniques as one or more interactions between entities with some properties specified for the interactions or the entities; and Detections being similar to techniques with possibly different properties. We will also briefly give examples of how this system can be used to judge the strength of a detection rule in a manner similar to MITRE Engenuity’s “Submitting The Pyramid”. We will finally end the presentation with examples of how this framework can be used for Threat Modeling, especially with broader Techniques. At the conference, we intend to release a mapping of as many Techniques as we can to this Ontology framework as well as a list of “Environment-dependent Entities” for use in Threat Modeling.

Pop quiz: do you know what’s at the bottom of the page for every ATT&CK technique, group, software, and mitigation? (No cheating!) It’s a list of references: the cyber threat intelligence that underpins ATT&CK and provides valuable information about adversary tactics and techniques. Peel back that layer, though, and you’ll discover the history of ATT&CK and the broader cybersecurity landscape. In this talk, learn how to work programmatically with the data in ATT&CK, explore the references in ATT&CK through visualizations and analysis, and give back to the ATT&CK community through recommendations and calls-for-action.

Jared Ondricek is a Principal DevOps Engineer in the Software Engineering Innovation Center at MITRE. He manages the ATT&CK website, Navigator, Workbench, mitreattack-python package, public facing TAXII server, and other infrastructure in support of the MITRE ATT&CK team. The TAXI 2.0 server is retiring on Dec. 18, 2024, and users should move to TAXI 2.1. Jared also goes over the latest ATT&CK Navigator updates.

The ATT&CK Matrices have proven invaluable for Endpoint, Network, IoT and Cloud detection and threat research. As organizations adopt more SaaS software, and organizations gain visibility into their SaaS-estates, how can we apply ATT&CK to SaaS? In this talk we’ll share how the Abstract Security team has used ATT&CK to help drive threat research into SaaS attacks, and used ATT&CK to assist detection engineering of SaaS telemetry.

This talk presents how ATT&CK was used to fill gaps in cloud technique coverage during a recent purple team exercise. By emulating threat actor tactics in a simulated hybrid cloud environment, a joint team of incident responders and data scientists was able to discern strengths and deficiencies in cloud data sources and formulate detection logic for malicious behaviors. These outcomes were achieved by systematically mapping red team activities to ATT&CK and tracking blue team coverage using a purple team campaign management capability. As a result, cloud visibility gaps are being closed and ATT&CK-annotated detection rules operationalized to accelerate threat detection on critical networks.

Databases are ubiquitous, so much so there appears to be insufficient emphasis by the MITRE ATT&CK Framework on the Collection tactic regarding access of data from a database. The specific technique for “Collection” is “Data from an information repository”. Since databases are one of the two primary methods of storing data (in a database or a file), this tactic/technique should be considered more closely. Data does not exist in a vacuum. It is accessed/managed by applications in order to be useful. A key target of a hacker who wants to steal data is a database. There are many ways to collect such data – eavesdropping/man in the middle attacks of data in transit, capturing data at the point of collection (such as point of sale devices), exfiltrating files which contain sensitive data, etc. But the mother lode is the database. By watching how and what data is accessed from a database (as an “authorized” user) it is possible to determine whether such access constitutes an attempted data theft. This is the equivalent of catching a bank robber in the vault.

How "hard" is it to do a given ATT&CK technique? Are they all the same? Clearly Phishing is a lot easier than Hardware additions for initial access. How many ATT&CK techniques can be done within a budget of say $1000? Answering these questions is a powerful step towards knowing what kinds of threats you will face. Building on the ATTCKCon 4.0 Lightning Talk "Adjectives for ATT&CK", this presentation continues the work of organizing offensive techniques into levels of effort. This enables better training, prediction of adversary capabilities and imposing the maximum cost on threat actors.

Jon Baker of MITRE's Center for Threat-Informed Defense celebrates the Center's 5th anniversary, detailing what they've done, but also what new research is coming out to help cyber defenders.

Join Cat Self from the ATT&CK team as she interviews ATT&CKcon presenters to get a behind-the-scenes look into their backgrounds and key insights from their talks.

1. Recording - Adam Pennington, MITRE
2. Recording - Alexandrea Berninger and Brian Donohue, Red Canary
3. Recording - Apurva Virkud, Illinois Urbana-Champaign
4. Recording - Nicole Hoffman and James Nutland, Cisco Talos
5. Recording - Alex Cathis, The University of Texas at Austin
6. Recording - Ben Langrill, Optimizer
7. Recording - Jon Baker, MITRE
8. Recording - Rich Johnson, Thales TCT/Imperva
9. Recording - Robert Funches, CACI International
10. Recording - Rajesh Sharma and Shravan Ravi, AttackIQ
11. Recording - Tareq Alkhatib, Lacework

Amy Robertson and Joe Slowick of MITRE ATT&CK close out ATT&CKcon 5.0 with a thank you to the ATT&CK community for building up ATT&CK and helping them bring the latest threat-informed defense resources to countries that have the least amount of cyber resources and training.