ATT&CKing Pandas: Drawing out ATT&CK Techniques in the Wild

Presented at Objective by the Sea version 5.0 (2022), Oct. 6, 2022, 5:05 p.m. (25 minutes)

ATT&CK offers a wide range of uses and applications, but we as researchers know that not all TTPs translate verbatim from one platform to another. Using ATT&CK often requires a nuanced understanding of how technologies work under the hood, which can be especially challenging for macOS users. A common mistake is mapping based solely on the name of the technique (Apple Remote Desktop != Remote Services: Remote Desktop Protocol T1021.001 btw).

Using Chinese-based adversaries and software, we break down examples of how Apple's security mechanisms are supposed to work, walk through adversary behaviors inside the Apple ecosystem (mapping to ATT&CK), and identify the data sources to capture or hunt these behaviors. The increased macOS community participation in ATT&CK since the last OBTS (Thank you!!!) resulted in lots of updates to ATT&CK that take factors unique to macOS into account. The techniques covered highlight some of these contributions and new software additions, and call out significant data sources.

As an extra bonus, comic strips are used as a visualization aid to illustrate how the macOS ecosystem works, in order to better understand how these mechanisms are abused.

Presenters:

  • Cat Self - Lead Adversary Emulation Engineer at The MITRE Corporation
    Cat Self is an Adversary Emulation Engineer at The MITRE Corporation and works as the macOS ATT&CK Lead, researching macOS-specific malware, advanced persistent threat actors, and techniques. Cat previously worked as an internal red team operator, threat hunter, and developer at Target Corporate.

    Cat is an Airborne Military Intelligence veteran with a passion for mentorship, researching all things Apple, and hiking mountains in foreign lands.
