November 6, 2019 MITRE ATT&CK
Brian Donohue

Debriefing ATT&CKcon 2.0: Five great talks at MITRE's ATT&CK conference

MITRE put on its second annual ATT&CKcon last week, and, by nearly every measure (and according to everyone we’ve heard from), the ATT&CK-themed gathering was a great success.

Space is limited in the on-site auditorium in McLean where MITRE holds ATT&CKcon. Likewise, the nonprofit corporation known mostly for operating federally funded research centers can only sell so many tickets for its annual ATT&CK-themed conference. So instead of expanding into a bigger space—a move that would make the conference more accommodating but less intimate—MITRE doubled down on the live stream experience.

They brought in better cameras, which were placed upon a very impressive (and slightly intimidating) crane that allowed for more dynamic shooting. For the online audience, MITRE filled breaks between presentations with speaker interviews and other content that prevented viewers from staring at an ATT&CK logo while in-person attendees refilled on coffee, ate freshly baked cookies (the sponsored snacks were a nice touch), and talked about… well… ATT&CK.

However, beyond cosmetic and confectionary upgrades, the conference itself was, once again, great. And luckily for everyone who couldn’t attend or watch the live stream, every talk is available online.

Five Great Talks at ATT&CKcon

As with any conference, we were able to pay closer attention to some talks than others, so this list almost certainly omits some very interesting talks. If you have time, check out the streams for day one and day two in their entirety.

Keynote Address by Toni Gidwani

Toni Gidwani kicked things off with a keynote that addressed the problems ATT&CK is helping teams solve and the challenges teams face as they attempt to implement the framework. She went on to explain that one of the fundamental uses of ATT&CK is to bridge the gap between threat intelligence, which tends to be diagnostic (describing what an adversary has already done), and security operations, which seeks prognostic information (what an adversary is likely to do next, and how to detect it). In other words, ops teams want stable signals that are useful for detection, while intel teams have historically provided indicators of compromise (IoCs) that are highly tactical, very specific, and ephemeral. More recently, intel teams have been increasingly expected to provide intelligence based on tactics, techniques, and procedures (TTPs) rather than lists of IoCs. In the last two or so years, Gidwani explained, as MITRE ATT&CK’s popularity has grown, it has helped facilitate the conversion from IoC-based to TTP-based intel by normalizing the way we talk about adversary behaviors.

 

You can watch Toni’s ATT&CKcon couch interview with Jamie Williams here:

Using Threat Intelligence to Focus ATT&CK Activities by David Westin & Andy Kettell

David Westin and Andy Kettell explained how they used ATT&CK to prioritize collection and detection efforts—all part of an undertaking at Nationwide that they delightfully named “Project Squishy.” At first, they took something of an unfocused approach, testing each technique in depth before moving on to the next. However, about a year in, David, Andy, and the rest of their team started to realize that this approach wasn’t going to work. Ultimately, it was too slow, and, perhaps more importantly, it wasn’t compelling to leadership. They ended up refreshing their approach by examining a group of 27 prominent threat actors that are known to target Nationwide’s peers in the finance and insurance industry. Those threat actors, they eventually determined, are known to leverage 91 techniques. In this way, the security team at Nationwide was able to demonstrate the value of the ATT&CK framework in helping them identify the very specific threats that are most likely to affect their company.

 

You can watch David and Andy’s ATT&CKcon couch interview with Jamie Williams here:

Alertable Techniques for Linux using ATT&CK by Tony Lambert

Our very own Tony Lambert went in a completely different direction for his talk, exploring the handful of ATT&CK techniques that relate to Linux systems. Specifically, he examined the analytics that the Red Canary CIRT uses to alert on malicious behaviors across the Linux systems it monitors. Many security products in their default configuration, he said, generate a high volume of alerts that lack context—attempting to ensure that alerting won’t miss anything but also guaranteeing that analysts won’t be able to investigate everything. Good alerts, however, arise from significantly abnormal behavior and include important context that expedites investigation and informs response. More pragmatically, Tony described in detail how Red Canary is able to alert on certain adversary techniques in Linux, which analytics have yielded high-fidelity alerts, and which ones seemed like a good idea when they were implemented but merely led to false positives and wasted time.

 

You can watch Tony’s ATT&CKcon couch interview with Jamie Williams here:

Ready to ATT&CK? Bring Your Own Data (BYOD) and Validate Your Data Analytics! by Roberto Rodriguez and Jose Luis Rodriguez

Roberto Rodriguez and Jose Rodriguez (yes, they are brothers!) opened their talk with a brief demo, translating the ATT&CK framework into Spanish as a way of illustrating how you can query ATT&CK via its public TAXII server to automatically gather a wide variety of information from the framework. From there, they began analyzing the data in the framework, pointing out that Implant Container Image was (at that time) the only enterprise ATT&CK technique without a corresponding data source, and that file monitoring, process monitoring, and process command-line parameters are the most common data sources across the 266-some techniques in the matrix. It was a dense talk that’s hard to summarize, but the Rodriguez brothers detailed how they’ve broken overly broad data sources into what they call “sub data-sources” and how they’ve developed (and how you can use) a wide array of open-source tools that work with ATT&CK to test controls, model adversary behaviors, and validate analytics (to name a few things).
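The two analyses described so far, Nationwide’s “which techniques do the groups targeting my industry use?” and the Rodriguez brothers’ “which data sources cover the most techniques, and which techniques have none?”, are both simple walks over the STIX 2.0 bundle that MITRE serves from its TAXII server. The script below is an added example (it is not code from either talk or from MITRE) that performs both over a constructed, in-memory bundle; the attack-pattern, intrusion-set and relationship shapes and the 2019-era string data sources mirror what MITRE publishes, but the groups, relationships and the revoked entry are sample data. Point load_bundle() at the real enterprise-attack bundle and the same functions produce the real counts, which is also the data Keith McCammon’s data-source prioritization starts from.

```python
"""Offline analysis of an ATT&CK STIX 2.0 bundle (added example, constructed data).

  1. techniques_for_groups(): union of techniques used by a chosen set of groups.
  2. data_source_coverage(): techniques per data source, and techniques with none.
  3. data_sources_for_techniques(): which data sources cover a prioritized set.
"""
import json
from collections import Counter


def technique(stix_id, ext_id, name, data_sources):
    # Build a sample attack-pattern in the layout MITRE uses for ATT&CK objects.
    return {
        "type": "attack-pattern", "id": stix_id, "name": name,
        "external_references": [{"source_name": "mitre-attack", "external_id": ext_id}],
        "x_mitre_data_sources": data_sources,
    }


# CONSTRUCTED bundle: real technique IDs/names, sample groups and relationships.
SAMPLE_BUNDLE = json.dumps({
    "type": "bundle",
    "id": "bundle--sample",
    "objects": [
        technique("attack-pattern--t1053", "T1053", "Scheduled Task",
                  ["File monitoring", "Process monitoring", "Process command-line parameters"]),
        technique("attack-pattern--t1059", "T1059", "Command-Line Interface",
                  ["Process monitoring", "Process command-line parameters"]),
        technique("attack-pattern--t1003", "T1003", "Credential Dumping",
                  ["API monitoring", "Process monitoring"]),
        technique("attack-pattern--t1525", "T1525", "Implant Container Image", []),
        {"type": "intrusion-set", "id": "intrusion-set--a", "name": "Sample Group A"},
        {"type": "intrusion-set", "id": "intrusion-set--b", "name": "Sample Group B"},
        {"type": "intrusion-set", "id": "intrusion-set--c", "name": "Sample Group C"},
        {"type": "relationship", "id": "relationship--1", "relationship_type": "uses",
         "source_ref": "intrusion-set--a", "target_ref": "attack-pattern--t1053"},
        {"type": "relationship", "id": "relationship--2", "relationship_type": "uses",
         "source_ref": "intrusion-set--a", "target_ref": "attack-pattern--t1059"},
        {"type": "relationship", "id": "relationship--3", "relationship_type": "uses",
         "source_ref": "intrusion-set--b", "target_ref": "attack-pattern--t1059"},
        {"type": "relationship", "id": "relationship--4", "relationship_type": "uses",
         "source_ref": "intrusion-set--b", "target_ref": "attack-pattern--t1003"},
        # MITRE leaves revoked objects in the bundle; they must be filtered out.
        {"type": "relationship", "id": "relationship--5", "relationship_type": "uses",
         "source_ref": "intrusion-set--a", "target_ref": "attack-pattern--t1525", "revoked": True},
        {"type": "relationship", "id": "relationship--6", "relationship_type": "uses",
         "source_ref": "intrusion-set--c", "target_ref": "attack-pattern--t1525"},
    ],
})


def load_bundle(text):
    """Parse a STIX bundle and drop revoked or deprecated objects."""
    bundle = json.loads(text)
    return [o for o in bundle["objects"]
            if not o.get("revoked") and not o.get("x_mitre_deprecated")]


def attack_id(obj):
    """Return the Txxxx identifier from an object's mitre-attack external reference."""
    for ref in obj.get("external_references", []):
        if ref.get("source_name") == "mitre-attack":
            return ref.get("external_id")
    return None


def techniques_for_groups(objects, group_names):
    """Sorted union of technique IDs that the named intrusion sets are known to use."""
    by_id = {o["id"]: o for o in objects}
    wanted = {o["id"] for o in objects
              if o["type"] == "intrusion-set" and o["name"] in group_names}
    used = set()
    for rel in objects:
        if rel["type"] != "relationship" or rel.get("relationship_type") != "uses":
            continue
        target = by_id.get(rel["target_ref"])
        if rel["source_ref"] in wanted and target and target["type"] == "attack-pattern":
            tid = attack_id(target)
            if tid:
                used.add(tid)
    return sorted(used)


def data_source_coverage(objects):
    """Count techniques per data source; also list techniques with no data source."""
    counts, uncovered = Counter(), []
    for o in objects:
        if o["type"] != "attack-pattern":
            continue
        sources = o.get("x_mitre_data_sources") or []
        if not sources:
            uncovered.append(attack_id(o))
        counts.update(sources)
    return counts, sorted(uncovered)


def data_sources_for_techniques(objects, technique_ids):
    """Data sources ranked by how many of the given (prioritized) techniques they cover."""
    counts = Counter()
    for o in objects:
        if o["type"] == "attack-pattern" and attack_id(o) in technique_ids:
            counts.update(o.get("x_mitre_data_sources") or [])
    return counts


if __name__ == "__main__":
    objs = load_bundle(SAMPLE_BUNDLE)
    prioritized = techniques_for_groups(objs, {"Sample Group A", "Sample Group B"})
    print("techniques used by the selected groups:", prioritized)
    counts, uncovered = data_source_coverage(objs)
    print("techniques per data source:", counts.most_common())
    print("techniques with no data source:", uncovered)
    print("data sources for the prioritized set:",
          data_sources_for_techniques(objs, set(prioritized)).most_common())
```

The revoked filter matters in practice: the published bundle retains revoked and deprecated techniques and relationships so that old references still resolve, and counting them inflates both the group overlap and the data-source totals.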

 

You can watch Roberto and Jose’s ATT&CKcon couch interview with Jamie Williams here:

Prioritizing Data Sources for Minimum Viable Detection by Keith McCammon

Our CSO Keith McCammon presented directly after the Rodriguez brothers, offering what he characterized as a higher-level look at MITRE ATT&CK’s data sources. He attempted to showcase the data sources that will provide visibility into the techniques that adversaries are most likely to leverage in the wild. In essence, Keith’s talk was about using the collective body of knowledge that ATT&CK represents to make thoughtful decisions about the data you’re collecting, the questions you’re asking of that data, and the processes, context, and expertise necessary to properly answer those questions. Minimum viable detection, he explained, is about putting yourself in position to detect most of the threats most of the time.

 

You can watch Keith’s ATT&CKcon couch interview with Jamie Williams here:

What’s Ahead?

Beyond talks from the community, the ATT&CK team itself gave various short presentations as well. For the most part, these talks announced or highlighted new elements or features of the framework.

ATT&CK Sightings

MITRE’s Principal Cybersecurity Engineer John Wunder gave a brief talk on an effort that MITRE is calling “ATT&CK Sightings.” Broadly speaking, MITRE is attempting to collect security data from the community, so that it can make determinations about the prevalence of each technique within the matrix. It sounds as if the objectives of Sightings are very similar to the objectives of our Threat Detection Report, albeit on a larger scale.

ATT&CK for ICS and Cloud

While we primarily focus on the enterprise variety of ATT&CK, there’s also been a Mobile ATT&CK matrix for a while now and, more recently, the team at MITRE added ATT&CK for Cloud. In the coming months, MITRE will also be adding an ATT&CK for ICS (industrial control systems), which Otis Alexander, a lead cybersecurity engineer at MITRE, described in a brief talk.
