If you’re thinking of starting a security conference, let me give you one piece of advice:
- Don’t do it.
There is an imaginary subset of our industry that I half-jokingly call the cybersecurity conference industrial complex, and its output includes more keynotes, briefings, and talks than there are minutes in the year.
Despite this, the MITRE Corporation decided to roll the dice on its own trade show last year, launching a conference dedicated singularly to the ATT&CK™ framework. Contrary to the cynical generalization in the opening sentence of this blog, ATT&CKcon was great last year, and it proved that you can still add value to the wildly overcrowded field of security conferences.
How ATT&CKcon got it right
This is certainly an oversimplification, but ATT&CKcon seemed to work for three basic reasons:
- It kept its focus narrow.
- It limited attendance to a few hundred people.
- It live-streamed the event.
You simply can’t compete with the general-interest infosec mega-cons like RSA and Black Hat. Regional conferences used to make sense, but that market is saturated in most places: here in the DC area especially, and, thanks in large part to BSides, nearly everywhere else. If you want to put on a good conference, then you have to find a niche at this point, which is exactly what MITRE is doing.
ATT&CKcon’s focus is narrow and space is limited, which fosters conversation among a relatively small number of people with similar interests. More practically, MITRE took this vast and indefinite thing—the ATT&CK framework—and created an environment where its proponents could offer very concrete advice on how to use it. While everyone seems to appreciate ATT&CK conceptually—both as a glossary of threat terminology and as a crude representation of the threat landscape—many security teams struggle with getting from the point where they think ATT&CK might be helpful to the point where it actually is. And ATT&CKcon is one of the best resources for making that jump, whether you attend it live or watch it online.
On the docket
There isn’t much information available about the talks at ATT&CKcon—other than names and titles—but we do happen to know a good deal about three of the presentations. So here’s a somewhat detailed overview of those three talks.
Prioritizing Data Sources for Minimum Viable Detection
For every ATT&CK technique in the matrix, MITRE has included a list of corresponding data sources that provide the visibility necessary to observe a given technique. These data sources are probably the most important part of MITRE ATT&CK. Without them, ATT&CK is a taxonomy of threats that offers us a very useful vernacular for communicating about attacks. However, the data sources allow us to draw a clear line between the threats we face and the visibility that we need to actually observe, detect, and combat those threats. To that point, Keith is going to look at the data sources that have been most useful to Red Canary for detection and visibility. He will also enumerate the data sources that turn up most often across the entire ATT&CK matrix, offering guidance on which tools—open source and otherwise—security teams can use to gain the visibility they need.
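As an added example (not code from the post or from the talk), here are the two ways of "prioritizing" data sources that the abstract above hints at: ranking them by how often they turn up across techniques, versus a greedy set-cover pass that picks whichever source adds visibility into the most techniques you still can't observe. The technique-to-data-source mapping is a constructed, simplified sample built for illustration, not an extract of the ATT&CK matrix.

```python
from collections import Counter

# Constructed sample: the IDs are real ATT&CK technique IDs, but the data-source
# mapping is simplified for illustration and is NOT the ATT&CK matrix itself.
TECHNIQUES = {
    "T1059 Command-Line Interface": {"Process monitoring", "Process command-line parameters"},
    "T1086 PowerShell": {"PowerShell logs", "Process monitoring", "Process command-line parameters"},
    "T1053 Scheduled Task": {"File monitoring", "Process monitoring",
                             "Process command-line parameters", "Windows event logs"},
    "T1003 Credential Dumping": {"API monitoring", "Process monitoring",
                                 "PowerShell logs", "Process command-line parameters"},
    "T1078 Valid Accounts": {"Authentication logs", "Process monitoring"},
    "T1105 Remote File Copy": {"File monitoring", "Packet capture", "Netflow/Enclave netflow"},
    "T1021 Remote Services": {"Authentication logs", "Netflow/Enclave netflow"},
}


def data_source_frequency(techniques):
    """Rank data sources by how many techniques cite them (the 'turns up most
    often across the matrix' view). Ties are broken alphabetically."""
    counts = Counter(src for sources in techniques.values() for src in sources)
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


def prioritize_data_sources(techniques, budget=None):
    """Greedy set cover: at each step pick the data source that gives visibility
    into the most techniques that are still unobservable with what was chosen
    so far. Returns [(data_source, techniques_covered_so_far), ...]."""
    uncovered = set(techniques)
    chosen = []
    while uncovered and (budget is None or len(chosen) < budget):
        candidates = {s for t in uncovered for s in techniques[t]}
        gain = lambda s: sum(1 for t in uncovered if s in techniques[t])
        best = min(candidates, key=lambda s: (-gain(s), s))  # deterministic tie-break
        uncovered -= {t for t in uncovered if best in techniques[t]}
        chosen.append((best, len(techniques) - len(uncovered)))
    return chosen


def uncovered_techniques(techniques, have):
    """Blind spots: techniques none of the data sources you already collect can see."""
    return sorted(t for t, srcs in techniques.items() if not srcs & set(have))


if __name__ == "__main__":
    print("Most-cited data sources:", data_source_frequency(TECHNIQUES)[:3])
    print("Greedy priority order:", prioritize_data_sources(TECHNIQUES))
    print("Blind spots with only process monitoring:",
          uncovered_techniques(TECHNIQUES, {"Process monitoring"}))
```

In this sample the frequency view ranks command-line parameters second, while the set-cover view shows they add no technique that process monitoring didn't already reach, and that netflow is what closes the remaining gap; the two rankings answer different questions, and "minimum viable detection" is closer to the second.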
Alertable Techniques for Linux Using ATT&CK
Tony plans to discuss the ATT&CK techniques that security teams should focus on when they are building detection capabilities for Linux systems. Getting down to a more practical level, he’ll also examine very specific queries that you can run against your Linux fleet, some that provide pretty reliable alerting out of the gate, others that can work as alerts with a bit of tuning and care, and a few that might provide useful context but are horrible as alerts. Overall, Tony plans to make the case for how security teams can establish good detection coverage on Linux, while performing manual investigations and hunting to root out any additional threats.
A Love Song for Heat Maps
I’ll be giving a short lightning talk on how security teams can take their internal security data and turn it into external resources, so that everyone can make better decisions about the tools they build, buy, and sell.
The rest of the talks
In the spirit of doing this the easy way, I’ve copied a couple of tables from the ATT&CKcon page, so you can see the entire agenda.