Keeping CTI on Track: An Easier Way to Map to MITRE ATT&CK

Presented at BSidesDC 2019, Oct. 27, 2019, 10:30 a.m. (50 minutes)

Organizations across the globe are looking for ways to use MITRE ATT&CK TM in their environment, but are unsure how or where to start. Our team is constantly receiving requests to teach their analysts how to relate reports to ATT&CK; it's a time-consuming process with a steep learning curve. We get it, reading reports line-by-line to search for adversarial tactics, techniques, and procedures (TTPs) and then verifying if those behaviors align to documented TTPs in ATT&CK is challenging. As ATT&CK team members who do this daily, we thought that there has to be a better way. Using our ATT&CK experience, Python, Natural Language Processing (NLP), and some WebDev, we created the Threat Report ATT&CK Mapping (TRAM) tool to automatically extract TTPs from a prose report. So why should you care? Not only will this tool help the ATT&CK team keep our public repository of Groups and Software updated with the latest cyber trends and attacker methodologies, but it can help your internal organizations too. TRAM can analyze multiple reports, map them to ATT&CK, and provide insight to your overall threat landscape and security posture. This enables defenders to test whether current tools and procedures are effectively defending against their most common threats, while also allowing red teams to develop prioritized adversary emulation plans with these TTPs in mind. This talk will review our methodology, discuss our challenges, and demonstrate how you can use the tool for your own organization. With the open-source release of this tool, anyone can go from an ATT&CK zero to hero in no time!

Presenters:

• Sarah Yoder - Cyber Security Engineer at The MITRE Corporation
  Sarah Yoder is a Cyber Security Engineer for the MITRE Corporation. She enjoys furthering her red team skills and applying cyber threat intelligence to ATT&CK. Prior to joining MITRE, Sarah worked as an Exploit Analyst with the Department of Defense. Sarah received her M.P.A. in Public Administration and B.S. in Cybersecurity from California State University, San Bernardino (CSUSB).
• Jackie Lasky - Cyber Security Engineer at The MITRE Corporation
  Jackie Lasky is a Cyber Security Engineer at MITRE. She is a member of MITRE's ATT&CK team where she focuses on cyber threat intelligence. Prior to joining MITRE, she interned with the Department of Defense where she gained experience with malware analysis, data analytics, and machine learning. Jackie holds a B.S. in Computer Science from George Mason University.

Links:

• https://bsidesdc2019.busyconf.com/schedule#activity_5d16723cf9331b411a00010a

Similar Presentations:

• CHCon '20 (2020) / ATT&CK'ing it wrong - how to use ATT&CK effectively at an NZ scale
• BSidesLV 2019 / The SOC Counter ATT&CK
• Black Hat USA 2019 / MITRE ATT&CK: The Play at Home Edition