ATT&CKing with Threat Intelligence

Presented at The Circle Of HOPE (2018), July 20, 2018, 10 a.m. (60 minutes).

MITRE's ATT&CK is a community-driven knowledge base and model for cyber adversary behavior, reflecting the various phases of an adversary's life cycle and the platforms they are known to target. By scoping the wide breadth of the MITRE ATT&CK matrix to focus initially on the techniques used by threat actors you specifically care about, you can help the defenders create more useful and impactful detections first. Once you start emulating the appropriate threat actors, you can practice your defenses in a scenario that's more realistic and applicable without the need for an actual intrusion. The speakers are providing a process and a case study of APT3 - a China-based threat group - for how to go from finding threat intelligence, sifting through it for actionable techniques, creating emulation plans, discovering how to emulate different techniques... to actually operating on a network. They are also providing a beginning "cheat sheet" for this actor to give a starting point for red and blue teams to accomplish these techniques in their own environment without the need to build their own tooling.

Presenters:

  • Christopher Korban
    **Christopher Korban** (@ckorban) is a security engineer at MITRE and, over the past four years, has been working alongside the MITRE ATT&CK frameworks in many different ways. Having started his career at MITRE writing red and blue team tools, he currently leads the operational threat emulation effort within MITRE. Academically, Chris earned his M.S. in information security from Carnegie Mellon University and his B.S. in electrical engineering from the University of Texas at Austin.
  • Cody Thomas
    **Cody Thomas** (@its_a_feature_) works on the MITRE ATT&CK (Adversarial Tactics, Techniques, and Common Knowledge) framework where he published the Mac and Linux techniques. He also performs threat-based adversary emulation operations to help blue teams create analytics for detecting malicious behaviors. Cody also develops red-team oriented security tools to help with adversary emulation. Before joining MITRE, Cody received his M.S. in information security from Carnegie Mellon University and his B.S. in electrical/computer engineering from the University of Texas at Austin.

Links:

Similar Presentations: