MITRE ATT&CK 108: My favourite talks from MITRE’s ATT&CKCON 3.0


In this post I end the tutorial series with some real-world examples of how ATT&CK is being used, taken from the most recent ATT&CKcon. Note: this tutorial is written for MITRE ATT&CK version 11.0 (published on 2022-04-24). Some of the concepts discussed are not correct for other versions of ATT&CK.

MITRE’s ATT&CKcon (v3.0) returned to an in-person event at their headquarters in McLean, Virginia, a little over a month ago (March 29 and 30), and was in part the inspiration for my last two posts: MITRE ATT&CK 101 and MITRE ATT&CK 102.

It is also a celebration of the recent release of version 11 of ATT&CK.

There was a great list of speakers, including many old colleagues, talking about a range of topics centered on how the ATT&CK framework is leveraged.

You can watch all the talks on-demand here (sign up required). Here are four of my favourites.

Knowledge for the Masses: Storytelling with ATT&CK!

By Ismael Valenzuela and Jose Luis Sanchez Martinez

Creating and sharing compelling stories about cyber threats (with the help of ATT&CK) is a powerful way to raise awareness and enable action against those threats.

In this talk Ismael and Jose share their experiences leveraging ATT&CK to disseminate threat knowledge to different audiences (software development teams, managers, threat detection engineers, etc.) by captivating them with a story.

Watch on-demand.

Mapping to MITRE ATT&CK: Enhancing Operations Through the Tracking of Interactive Intrusion Campaigns

By Jason Wood and Justin Swisher

Security teams need tools and processes that allow the mapping of hands-on adversary tradecraft.

Jason and Justin show how their threat hunting team uses MITRE ATT&CK to understand and categorise adversary activity over time.

Watch on-demand.

It’s Just a Jump to the Left (of Boom): Prioritizing Detection Implementation with Intelligence and ATT&CK

By Lindsay Kaye and Scott Small

A wealth of open-sourced, ATT&CK-mapped detections and intelligence now exists for security teams.

Lindsay and Scott show how real-world defensive strategies can be strengthened by encompassing a full-spectrum view of this data to ensure that detection efforts are prioritised and focused effectively (with the help of ATT&CK).

Watch on-demand.

Threat Modelling: It’s Not Just for Developers

By Tim Wadhwa-Brown

Most intel teams take public information about threat actors, vulnerabilities, and incidents and use it to build better defences.

Tim takes the audience through three real-world examples where he leveraged such data, and shows how he used ATT&CK information (particularly data sources) to achieve a successful outcome.

Watch on-demand.

CONGRATULATIONS!

You have made it to the end of this short course.

Whilst there is a little more to ATT&CK than covered in these posts, you now have enough to start putting the framework to work, whether you are a red, blue, or purple teamer.

Here are some useful links to bookmark following this course, some I have covered, some I have not, that I find useful when working with MITRE ATT&CK:

  • The MITRE ATT&CK website is very useful for looking up Objects in the framework
  • MITRE recently released a new Chrome browser extension, ATT&CK Powered Suit, for Object lookups, which saves you jumping between tabs
  • The Navigator is great for modelling ATT&CK Tactics and Techniques
  • TRAM for automating the assignment of ATT&CK Techniques to raw intelligence
  • And the Workbench for extending ATT&CK
  • A lesser-known product from MITRE is ATT&CK Flow, designed to help defenders easily understand how attackers compose and execute ATT&CK Techniques
  • MITRE are also running a pilot of a new initiative called ATT&CK Sightings. ATT&CK Sightings aims to be a central collection of reported sightings of Techniques from the ATT&CK community

If you have any questions about the content in this tutorial, please do not hesitate to drop us a message on Discord.

ATT&CK Certification (Virtual and In Person)

The content used in this post is a small subset of our full training material used in our ATT&CK training.

If you want to join a select group of certified ATT&CK professionals, subscribe to our newsletter below to be notified of new course dates.

Originally published at https://www.signalscorps.com on July 24, 2022.

I help early stage cyber-security companies to build products that make users go; “Wow! That’s what I need!”. https://www.himynamesdave.com/

David G