01:22 Presenter Introduction
02:47 What is ATT&CK?
04:22 “How do we describe what an adversary is doing in a way that we can communicate among all of these different teams?” -John
04:30 ATT&CK’s Core Philosophy
04:52 “One important aspect of this is that it is based on real world observation.” -John
06:46 “A lot of the content in ATT&CK actually comes from you all, it comes from the community.” -John
07:20 The ATT&CK Matrix
07:31 “Tactics are the core technical objectives. They are the things adversaries want to achieve when they attack us.” -John
08:24 How to use ATT&CK
08:30 Threat Intelligence
08:32 “We are already seeing organizations describing their threat intelligence in the context of ATT&CK.” -John
10:22 “One problem we have in cybersecurity is not knowing how durable our defenses are or how well protected we are.” -John
10:32 Adversary Emulation
10:38 “If you think you’re defended against credential dumping, why don’t we try it? Red Canary actually has a great framework for this that was open-sourced, called Atomic Red Team.” -John
12:48 Assessments & Engineering
12:58 “All the time I see people posting these ATT&CK heat maps of different things. That is a really great way of giving you a score card of how well you are doing.” -John
14:36 Detection & Hunting
14:38 “This is a huge part of what ATT&CK is being used for right now.” -John
14:55 Audience Question 1: How is this intended to be used?
15:10 “If we are speaking the same language, we can obviously work together a lot better as well.” -Phil
15:17 Audience Question 2: How does this differ from the Cyber Kill Chain framework?
15:36 “One of the things that ATT&CK tries to do is take the Cyber Kill Chain and the great work that has gone into that and take it down a level.” -John
17:15 Typical SOC Workflow
17:40 “One of the big challenges we’ve always had is that this technology is really loud. There are so many different detections you are going to have and so many alerts to handle.” -Phil
20:00 Focusing on High Level Indicators
21:23 “You have to know what is normal in the environment before you can start specifying the anomalies.” -Phil
22:35 Focusing on Interesting Behaviors
23:02 “We’re not just describing the technical details of this, we’re actually putting in here what this detector does, and we are also including that ATT&CK category.” -Phil
23:23 “This is going to be a much more rich means of identifying that suspicious behavior.” -Phil
26:28 Threat Hunting Maturity Model
26:42 “You’ll see at each different stage of developing a hunting program, we’ve got two different things that we are doing. We have a level of automation and optimization. You’ll also see the second row at the bottom talks about how much data is collected on an ongoing basis.” -Phil
28:28 Maturity Over Time
28:34 “Almost any maturity model can be summed up as crawl, walk, run.” -Phil
28:46 Data Analysis Process
30:39 “A lot of the different threat intelligence that we link to from ATT&CK—and a lot of the threat intelligence that is out there—can really tell you a lot about what those hypotheses should be, and then frame them in a way you can execute on.” -John
32:17 Build on What You Have Seen
33:50 “I like the idea of chaining detections together to understand that this isn’t only downloading something from a URL, it’s also invoking Mimikatz and all these other things.” -John
34:02 “Not every bad thing you see in the environment is the same degree of bad.” -John
36:08 Close The Loop: Tune As You Go
37:17 “You can’t get to speed and efficiency without doing a fantastic job at suppression.” -Rick
39:02 Measure Operational Impact
39:30 “One of the things that we have found with ATT&CK is that it does give you that scorecard in a way that is communicable to senior leadership and to others on your team.” -John
43:02 Questions and Answers
43:30 Question 1: Can you comment on how to deal with obfuscation of the command line?
44:33 “You’re going to need granularity on your suppression of those so you can actually find the evil when it pops up.” -Rick
46:03 Question 2: What is the best way to deal with attackers who use legitimate operating system binaries?
46:11 “In conjunction with other behaviors, things look bad. We don’t always want to use a single detector. We want to get as many of those together as we possibly can.” -Phil
46:28 Question 3: How important is it for companies to understand their threat maturity model? What is the best way to get started to understand where you are today?
47:00 “The question is always ‘where am I now?’ But more importantly, it is ‘where can I be tomorrow with X level of investment and time?’” -John
48:35 Question 4: What are the best ways to identify lateral movement? Do you think blocking PowerShell and WMI solves your lateral movement problem?
48:48 “There are dozens of ways to move laterally and there is not going to be any one method that I think is going to be more or less effective across the board. It is going to be how comprehensive are your set of mechanisms for detecting lateral movement.” -Phil
49:28 “Blocking anything, regardless of what the individual binaries or capabilities might be, isn’t necessarily going to be enough because attackers are creative.” -Phil
51:32 Question 5: What is a good place to start with ATT&CK?
52:09 “When you’re looking to demonstrate value with ATT&CK, I think the best thing to do is use a heat map.” -John
55:09 Question 6: What is the best way to get informed for when ATT&CK updates are made?
55:19 “Twitter is the best way.” -John
56:20 Question 7: What are recommendations for recording history to be able to look back?
57:10 “For the advanced attackers you should really just consider it disposable, but that’s going to change minute to minute sometimes.” -Rick