October 16, 2019 MITRE ATT&CK
Brian Donohue

Data sources, Linux detection, and more at ATT&CKcon 2.0

MITRE’s ATT&CK-themed conference is in its second year, will be live-streamed, and is a great resource for anyone looking to incorporate the framework into their security program.

If you’re thinking of starting a security conference, let me give you one piece of advice:

  1. Don’t do it.

There is an imaginary subset of our industry that I half-jokingly call the cybersecurity conference industrial complex, and its output includes more keynotes, briefings, and talks than there are minutes in the year.

Despite this, the MITRE Corporation decided to roll the dice on its own trade show last year, launching a conference dedicated singularly to the ATT&CK™ framework. Contrary to the cynical generalization in the opening sentence of this blog, ATT&CKcon was great last year, and it proved that you can still add value to the wildly overcrowded field of security conferences.

How ATT&CKcon got it right

This is certainly an oversimplification, but ATT&CKcon seemed to work for three basic reasons:

  1. It kept its focus narrow.
  2. It limited attendance to a few hundred people.
  3. It live-streamed the event.

You simply can’t compete with the general-interest infosec mega-cons like RSA and Black Hat. Regional conferences used to make sense, but that market is saturated in most places: here in the DC area especially, and, thanks in large part to BSides, nearly everywhere else. If you want to put on a good conference, then you have to find a niche at this point, which is exactly what MITRE is doing.

ATT&CKcon’s focus is narrow and space is limited, which fosters conversation among a relatively small number of people with similar interests. More practically, MITRE took this vast and indefinite thing—the ATT&CK framework—and created an environment where its proponents could offer very concrete advice on how to use it. While everyone seems to appreciate ATT&CK conceptually—both as a glossary of threat terminology and as a crude representation of the threat landscape—many security teams struggle with getting from the point where they think ATT&CK might be helpful to the point where it actually is. And ATT&CKcon is one of the best resources for making that jump, whether you attend it live or watch it online.

On the docket

There isn’t much information available about the talks at ATT&CKcon—other than names and titles—but we do happen to know a good deal about three of the presentations. So here’s a somewhat detailed overview of those three talks.

Prioritizing Data Sources for Minimum Viable Detection

Keith McCammon, Chief Security Officer, Red Canary

For every ATT&CK technique in the matrix, MITRE has included a list of corresponding data sources that provide the visibility necessary to observe a given technique. These data sources are probably the most important part of MITRE ATT&CK. Without them, ATT&CK is a taxonomy of threats that offers us a very useful vernacular for communicating about attacks. However, the data sources allow us to draw a clear line between the threats we face and the visibility that we need to actually observe, detect, and combat those threats. To that point, Keith is going to look at the data sources that have been most useful to Red Canary for detection and visibility. He will also enumerate the data sources that turn up most often across the entire ATT&CK matrix, offering guidance on which tools—open source and otherwise—security teams can use to gain the visibility they need.
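The data-source prioritization Keith’s talk describes can be done mechanically against MITRE’s own STIX bundle. The script below is an added example, not code from the post or from the talk: it walks the `attack-pattern` objects of an ATT&CK STIX 2.0 bundle (the `enterprise-attack.json` MITRE publishes), skips revoked and deprecated techniques, counts how many techniques cite each `x_mitre_data_sources` entry, and then greedily picks the smallest set of sources that reaches a chosen coverage target. The inline `SAMPLE_BUNDLE` is a constructed miniature with a handful of real technique IDs and made-up data-source lists, so the module runs offline; point `load_bundle` at the real file to rank the full matrix.

```python
"""Rank ATT&CK data sources by the number of techniques they give visibility into.

Added example (not Red Canary's or MITRE's code). Assumes the ATT&CK STIX 2.0
bundle layout: a top-level "objects" list whose technique entries have
type "attack-pattern", an external reference with source_name "mitre-attack"
carrying the T-number, and an "x_mitre_data_sources" list of strings.
"""
import json
import sys
from collections import Counter

# Constructed sample bundle: the technique IDs are real ATT&CK IDs, but the
# data-source lists are invented for illustration and are NOT MITRE's mappings.
SAMPLE_BUNDLE = {
    "type": "bundle",
    "objects": [
        {"type": "attack-pattern", "name": "Command-Line Interface",
         "external_references": [{"source_name": "mitre-attack", "external_id": "T1059"}],
         "x_mitre_data_sources": ["Process monitoring", "Process command-line parameters"]},
        {"type": "attack-pattern", "name": "PowerShell",
         "external_references": [{"source_name": "mitre-attack", "external_id": "T1086"}],
         "x_mitre_data_sources": ["Windows Registry", "File monitoring",
                                  "Process monitoring", "Process command-line parameters"]},
        {"type": "attack-pattern", "name": "Scheduled Task",
         "external_references": [{"source_name": "mitre-attack", "external_id": "T1053"}],
         "x_mitre_data_sources": ["File monitoring", "Process monitoring",
                                  "Process command-line parameters", "Windows event logs"]},
        {"type": "attack-pattern", "name": "Credential Dumping",
         "external_references": [{"source_name": "mitre-attack", "external_id": "T1003"}],
         "x_mitre_data_sources": ["API monitoring", "Process monitoring", "PowerShell logs"]},
        {"type": "attack-pattern", "name": "Systemd Service",
         "external_references": [{"source_name": "mitre-attack", "external_id": "T1501"}],
         "x_mitre_data_sources": ["Process monitoring", "File monitoring",
                                  "Process command-line parameters"]},
        {"type": "attack-pattern", "name": "Brute Force",
         "external_references": [{"source_name": "mitre-attack", "external_id": "T1110"}],
         "x_mitre_data_sources": ["Authentication logs", "Office 365 account logs"]},
        # Revoked entry: must be ignored so stale techniques do not inflate counts.
        {"type": "attack-pattern", "name": "Scripting", "revoked": True,
         "external_references": [{"source_name": "mitre-attack", "external_id": "T1064"}],
         "x_mitre_data_sources": ["Process monitoring"]},
        # Non-technique object, present in real bundles; must be skipped.
        {"type": "intrusion-set", "name": "Example Group"},
    ],
}


def load_bundle(path):
    """Read a STIX bundle (e.g. enterprise-attack.json) from disk."""
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


def technique_id(obj):
    """Return the T-number from an attack-pattern's mitre-attack reference, or None."""
    for ref in obj.get("external_references", []):
        if ref.get("source_name") == "mitre-attack":
            return ref.get("external_id")
    return None


def data_source_coverage(bundle):
    """Map each data source to the sorted list of live technique IDs that cite it."""
    coverage = {}
    for obj in bundle.get("objects", []):
        if obj.get("type") != "attack-pattern":
            continue
        if obj.get("revoked") or obj.get("x_mitre_deprecated"):
            continue
        tid = technique_id(obj)
        if tid is None:
            continue
        for source in obj.get("x_mitre_data_sources", []):
            coverage.setdefault(source, set()).add(tid)
    return {src: sorted(ids) for src, ids in coverage.items()}


def rank_data_sources(bundle, top=None):
    """Return (data_source, technique_count) pairs, broadest coverage first."""
    counts = Counter({src: len(ids) for src, ids in data_source_coverage(bundle).items()})
    ranked = sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))
    return ranked[:top] if top else ranked


def minimum_viable_sources(bundle, target_fraction=0.8):
    """Greedy set cover: pick data sources until target_fraction of techniques are covered.

    Returns (chosen_sources, techniques_covered, techniques_total). The total
    counts techniques that list at least one data source.
    """
    coverage = {src: set(ids) for src, ids in data_source_coverage(bundle).items()}
    all_ids = set().union(*coverage.values()) if coverage else set()
    needed = len(all_ids) * target_fraction
    chosen, covered = [], set()
    while len(covered) < needed and coverage:
        # Largest marginal gain wins; ties broken alphabetically for determinism.
        best = min(coverage, key=lambda s: (-len(coverage[s] - covered), s))
        gain = coverage.pop(best) - covered
        if not gain:
            break
        chosen.append(best)
        covered |= gain
    return chosen, len(covered), len(all_ids)


if __name__ == "__main__":
    bundle = load_bundle(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_BUNDLE
    for source, count in rank_data_sources(bundle, top=10):
        print(f"{count:4d}  {source}")
    chosen, covered, total = minimum_viable_sources(bundle, 0.8)
    print(f"80% coverage ({covered}/{total} techniques) from: {', '.join(chosen)}")
```

Run it as `python rank_sources.py enterprise-attack.json` to rank the real matrix. The greedy pass is a heuristic, not an optimal set cover, which is fine here: the goal is a defensible ordering of what to collect first, not a proof of minimality. In ATT&CK releases newer than the 2019 bundle the strings take the form "Data Source: Data Component", and the counting works per string unchanged.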

Alertable Techniques for Linux Using ATT&CK

Tony Lambert, Detection Engineer/Intelligence, Red Canary

Tony plans to discuss the ATT&CK techniques that security teams should focus on when they are building detection capabilities for Linux systems. Getting down to a more practical level, he’ll also examine very specific queries that you can run against your Linux fleet, some that provide pretty reliable alerting out of the gate, others that can work as alerts with a bit of tuning and care, and a few that might provide useful context but are horrible as alerts. Overall, Tony plans to make the case for how security teams can establish good detection coverage on Linux, while performing manual investigations and hunting to root out any additional threats.

A Love Song for Heat Maps

Brian Donohue, Research Production Manager, Red Canary

I’ll be giving a short lightning talk on how security teams can take their internal security data and turn it into external resources, so that everyone can make better decisions about the tools they build, buy, and sell.

The rest of the talks

In the spirit of doing this the easy way, I’ve copied a couple tables from the ATT&CKcon page, so you can see the entire agenda.

Tuesday

Wednesday

Lightning talks

The event also includes a handful of five-minute-or-so lightning talks from Dan Cole of ThreatConnect, Stephan Chenette of AttackIQ, Bryson Bort of Scythe.io, Nick Carr of FireEye, Emma Macmullan of the Federal Reserve, Ivan Ninichuck, and Mauricio Velazco.

Can’t attend? No big deal

As is noted above, MITRE will be live streaming ATT&CKcon again this year, which is good because passes have long since sold out. You can pre-register for access to the live-stream here. MITRE is also hopeful that people will get together for their own ATT&CKcon watch parties, so if you can get a group together to watch, then consider letting MITRE know about it.

One last thing…

If you’re looking for additional ATT&CK-related resources, then you’ve come to the right place, because we’ve got a bevy of them.

Consider subscribing to our blog and following us on Twitter as well, because we’ll be live-tweeting from ATT&CKcon. We’ll probably write at least one article about the event afterward. If you’re going to be at the event in person, then definitely come by our booth and say hello.

Finally, if you want to get an idea of what ATT&CKcon is all about straight from the source, then check out last year’s talks in this YouTube playlist that MITRE put together.
