Presenters: Phil Hagen, Rick McElroy, John Wunder

How to use MITRE ATT&CK to mature your threat hunting program

Mature your threat hunting program with MITRE ATT&CK.

As one of the industry’s most comprehensive knowledge bases for adversary behavior, ATT&CK provides a structure for hunters to build their hypotheses and search for threats. Join experts from Red Canary, Carbon Black, and MITRE as they walk you through how to leverage the ATT&CK framework in your threat hunting operations.

This on-demand webinar covers:

  • What ATT&CK is and where it came from
  • How threat hunting fits into a SOC workflow
  • Using ATT&CK for directing threat hunting activities
  • Refining the threat hunting process

01:22 Presenter Introduction

02:47 What is ATT&CK?

04:22 “How do we describe what an adversary is doing in a way that we can communicate among all of these different teams.” -John

04:30 ATT&CK’s Core Philosophy

04:52 “One important aspect of this is that it is based on real world observation.” -John

06:46 “A lot of the content in ATT&CK actually comes from you all, it comes from the community.” -John

07:20 The ATT&CK Matrix

07:31 “Tactics are the core technical objectives. They are the things adversaries want to achieve when they attack us.” -John

08:24 How to use ATT&CK

08:30 Threat Intelligence

08:32 “We are already seeing organizations describing their threat intelligence in the context of ATT&CK.” -John

10:22 “One problem we have in cybersecurity is not knowing how durable our defenses are or how well protected we are.” -John

10:32 Adversary Emulation

10:38 “If you think you’re defended against credential dumping, why don’t we try it? Red Canary actually has a great framework for this that was made open source, called Atomic Red Team.” -John

12:48 Assessments & Engineering

12:58 “All the time I see people posting these ATT&CK heat maps of different things. That is a really great way of giving you a scorecard of how well you are doing.” -John

14:36 Detection & Hunting

14:38 “This is a huge part of what ATT&CK is being used for right now.” -John

14:55 Audience Question 1: How is this intended to be used?

15:10 “If we are speaking the same language, we can obviously work together a lot better as well.” -Phil

15:17 Audience Question 2: How does this differ from the Cyber Kill Chain framework?

15:36 “One of the things that ATT&CK tries to do is take the Cyber Kill Chain and the great work that has gone into that and take it down a level.” -John

17:15 Typical SOC Workflow

17:40 “One of the big challenges we’ve always had is that this technology is really loud. There are so many different detections you are going to have and so many alerts to handle.” -Phil

20:00 Focusing on High Level Indicators

21:23 “You have to know what is normal in the environment before you can start specifying the anomalies.” -Phil

22:35 Focusing on Interesting Behaviors

23:02 “We’re not just describing the technical details of this, we’re actually putting in here what this detector does, and we are also including that ATT&CK category.” -Phil

23:23 “This is going to be a much more rich means of identifying that suspicious behavior.” -Phil

26:28 Threat Hunting Maturity Model

26:42 “You’ll see at each different stage of developing a hunting program, we’ve got two different things that we are doing. We have a level of automation and optimization. You’ll also see the second row at the bottom talks about how much data is collected on an ongoing basis.” -Phil

28:28 Maturity Over Time

28:34 “Almost any maturity model can be summed up as crawl, walk, run.” -Phil

28:46 Data Analysis Process

30:39 “A lot of the different threat intelligence that we link to from ATT&CK—and a lot of the threat intelligence that is out there—can really tell you a lot about what those hypotheses should be, and then frame them in a way you can execute on it.” -John

32:17 Build on What You Have Seen

33:50 “I like the idea of chaining detections together to understand that this isn’t only downloading something from a URL, it’s also invoking Mimikatz and all these other things.” -John

34:02 “Not every bad thing you see in the environment is the same degree of bad.” -John

36:08 Close The Loop: Tune As You Go

37:17 “You can’t get to speed and efficiency without doing a fantastic job at suppression.” -Rick

39:02 Measure Operational Impact

39:30 “One of the things that we have found with ATT&CK is that it does give you that scorecard in a way that is communicable to senior leadership and to others on your team.” -John

43:02 Questions and Answers

43:30 Question 1: Can you comment on how to deal with obfuscation of the command line?

44:33 “You’re going to need granularity on your suppression of those so you can actually find the evil when it pops up.” -Rick

46:03 Question 2: What is the best way to deal with attackers who use legitimate operation binaries?

46:11 “In conjunction with other behaviors, things look bad. We don’t always want to use a single detector. We want to get as many of those together as we possibly can.” -Phil

46:28 Question 3: How important is it for companies to understand their threat maturity model? What is the best way to get started to understand where you are today?

47:00 “The question is always ‘where am I now?’ But more importantly, where can I be tomorrow with X level of investment and time?” -John

48:35 Question 4: What are the best ways to identify lateral movement? Do you think blocking PowerShell and WMI solves your lateral movement problem?

48:48 “There are dozens of ways to move laterally and there is not going to be any one method that I think is going to be more or less effective across the board. It is going to be how comprehensive your set of mechanisms for detecting lateral movement is.” -Phil

49:28 “Blocking anything, regardless of what the individual binaries or capabilities might be, isn’t necessarily going to be enough because attackers are creative.” -Phil

51:32 Question 5: What is a good place to start with ATT&CK?

52:09 “When you’re looking to demonstrate value with ATT&CK, I think the best thing to do is use a heat map.” -John

55:09 Question 6: What is the best way to get informed for when ATT&CK updates are made?

55:19 “Twitter is the best way.” -John

56:20 Question 7: What are recommendations for recording history to be able to look back?

57:10 “For the advanced attackers, you should really just consider disposable, but that’s going to change minute to minute sometimes.” -Rick
