SlideShare a Scribd company logo

Practical Application of MITRE ATT&CK: Real World Usage in a Corporate Environment - Marcelle Lee

M
MITRE ATT&CK

This document discusses the practical application of the MITRE ATT&CK framework in a corporate environment, specifically by Marcelle Lee at Equinix. It covers various aspects such as threat research, detection engineering, reporting, gap analysis, and the integration of ATT&CK into research tools, emphasizing a continual assessment of threats and the efficacy of security controls. The overall goal is to understand threats and improve security measures based on identified tactics, techniques, and procedures (TTPs).

Technology
Related topics:
mitre-att-ckMITRE ATT&CK Insights
1 of 11
Downloaded 40 times
1
2
3
Most read
4
5
6
Most read
7
8
9
10
11
Most read
PRACTICAL APPLICATION OF MITRE ATT&CK: REAL WORLD USAGE IN A CORPORATE ENVIRONMENT Marcelle Lee ATT&CKcon 5.0 22 October 2024
ABOUT MARCELLE • Principal InfoSec Engineer & Threat Research Lead @ Equinix • Cyberjutsu Board of Directors • Packet nerd • CTF builder and player • Career changer – a dozen or so years in cyber now • Mom of boys (grown and gone) and a couple of adoptees (grown and not gone), chickens, a dog, a cat, and some fish • @marcellelee on most socials
HOW WE USE ATT&CK AT EQUINIX • Research: breaking down TTPs to better understand the threat • Threat hunting and detection engineering: searching for TTPs in our systems • Reporting: sharing with stakeholders • Kill chain analysis: analyze breaches and attacks for lessons learned • Security controls gap analysis: identify where gaps may exist based on identified TTPs • Integration into research tools: mapping activity to the framework
RESEARCH • Research is driven by stakeholder priority intelligence requirements (mostly) • Continual cycle of identifying relevant TTPs used by threat actors and assessing corporate exposure • Source is typically OSINT, trusted third- parties, and internal telemetry • We want to know the details for each attack phase where possible
THREAT HUNTING AND DETECTION ENGINEERING • TTPs of interest are identified • Map to ATT&CK if not already done • Evaluate existing detection rules for coverage • Deploy additional rules as needed • Write customer rules to cover detection gaps
REPORTING • Analyzed TTPs are shared with stakeholders via internal intel reports
KILL CHAIN ANALYSIS • TTPs are analyzed and presented in kill chain format
SECURITY CONTROLS GAP ANALYSIS • Kill chain analysis is leveraged to assess security control coverage
INTEGRATION INTO RESEARCH TOOLS • Any.run example
INTEGRATION INTO RESEARCH TOOLS • VirusTotal example
QUESTIONS? Marcelle Lee marcelle@marcellelee.com

More Related Content

PDF
Cyber Threat Hunting Workshop.pdf
ssuser4237d4
 
PDF
BSidesLV 2018 - Katie Nickels and John Wunder - ATT&CKing the Status Quo
Katie Nickels
 
PDF
Process asset library as process improvement and knowledge sharing tool
Kobi Vider
 
PDF
Unit 6_Introduction_Phishing_Password Cracking.pdf
KanchanPatil34
 
PDF
Fish processing plant Sri Lanka
RusLanka Council
 
PDF
MITRE ATT&CKcon 2018: ATT&CK: All the Things, Neelsen Cyrus and David Thompso...
MITRE - ATT&CKcon
 
PPTX
Women in fisheries status,role and impact in future
Suchismita Prusty
 
PDF
Unit 3_Private Key Management_Protection.pdf
KanchanPatil34
 
Cyber Threat Hunting Workshop.pdf
ssuser4237d4
 
BSidesLV 2018 - Katie Nickels and John Wunder - ATT&CKing the Status Quo
Katie Nickels
 
Process asset library as process improvement and knowledge sharing tool
Kobi Vider
 
Unit 6_Introduction_Phishing_Password Cracking.pdf
KanchanPatil34
 
Fish processing plant Sri Lanka
RusLanka Council
 
MITRE ATT&CKcon 2018: ATT&CK: All the Things, Neelsen Cyrus and David Thompso...
MITRE - ATT&CKcon
 
Women in fisheries status,role and impact in future
Suchismita Prusty
 
Unit 3_Private Key Management_Protection.pdf
KanchanPatil34
 

Similar to Practical Application of MITRE ATT&CK: Real World Usage in a Corporate Environment - Marcelle Lee (20)

PDF
Birds of a Feather: The Evolution of Threat Actor Prioritization, Gap Analysi...
MITRE ATT&CK
 
PPTX
Virtual Splunk User Group - Phantom Workbook Automation & Threat Hunting with...
Harry McLaren
 
PDF
Cyber Threat Hunting Workshop.pdf
ssuser4237d4
 
PPTX
PEARC17: Workshop on Trustworthy Scientific Cyberinfrastructure. Cybersecurit...
Florence Hudson
 
PDF
Using the MITRE ATT&CK framework to analyze real-world cyberattacks
lucytyrteos
 
PPTX
Cyber Threat Hunting Workshop
Digit Oktavianto
 
PPTX
My Keynote from BSidesTampa 2015 (video in description)
Andrew Case
 
PDF
KringleCon 3 Providing Value in Offensive Security
Jorge Orchilles
 
PPTX
CyberOps.pptx
AhmedRobaid1
 
PDF
PETRAS Hub Overview
IoTUK
 
PPTX
How To Turbo-Charge Incident Response With Threat Intelligence
Resilient Systems
 
PDF
The DETER Project: Towards Structural Advances in Experimental Cybersecurity ...
DETER-Project
 
PDF
How To Turbo-Charge Incident Response With Threat Intelligence
Resilient Systems
 
PDF
Careers in Cyber Security
Deep Shankar Yadav
 
PDF
OpenText Threat Hunting Service
Marc St-Pierre
 
PDF
MITRE ATT&CKcon 2.0: Prioritizing ATT&CK Informed Defenses the CIS Way; Phili...
MITRE - ATT&CKcon
 
PPTX
Proactive Approach to OT incident response - HOUSECCON 2023
Chris Sistrunk
 
PDF
Responsible AI & Cybersecurity: A tale of two technology risks
Liming Zhu
 
PDF
The death of enterprise security as we know it - Pukhraj Singh - RootConf 2018
Pukhraj Singh
 
PPTX
Become a Leader in AI with an Artificial Intelligence Certification Course in...
atulboston17
 
Birds of a Feather: The Evolution of Threat Actor Prioritization, Gap Analysi...
MITRE ATT&CK
 
Virtual Splunk User Group - Phantom Workbook Automation & Threat Hunting with...
Harry McLaren
 
Cyber Threat Hunting Workshop.pdf
ssuser4237d4
 
PEARC17: Workshop on Trustworthy Scientific Cyberinfrastructure. Cybersecurit...
Florence Hudson
 
Using the MITRE ATT&CK framework to analyze real-world cyberattacks
lucytyrteos
 
Cyber Threat Hunting Workshop
Digit Oktavianto
 
My Keynote from BSidesTampa 2015 (video in description)
Andrew Case
 
KringleCon 3 Providing Value in Offensive Security
Jorge Orchilles
 
CyberOps.pptx
AhmedRobaid1
 
PETRAS Hub Overview
IoTUK
 
How To Turbo-Charge Incident Response With Threat Intelligence
Resilient Systems
 
The DETER Project: Towards Structural Advances in Experimental Cybersecurity ...
DETER-Project
 
How To Turbo-Charge Incident Response With Threat Intelligence
Resilient Systems
 
Careers in Cyber Security
Deep Shankar Yadav
 
OpenText Threat Hunting Service
Marc St-Pierre
 
MITRE ATT&CKcon 2.0: Prioritizing ATT&CK Informed Defenses the CIS Way; Phili...
MITRE - ATT&CKcon
 
Proactive Approach to OT incident response - HOUSECCON 2023
Chris Sistrunk
 
Responsible AI & Cybersecurity: A tale of two technology risks
Liming Zhu
 
The death of enterprise security as we know it - Pukhraj Singh - RootConf 2018
Pukhraj Singh
 
Become a Leader in AI with an Artificial Intelligence Certification Course in...
atulboston17
 
Ad

More from MITRE ATT&CK (20)

PDF
Next-Gen Threat-Informed Defense: Human-Assisted Intelligent Agents - Rajesh ...
MITRE ATT&CK
 
PDF
Using ATT&CK and MITRE CTID’s StP Frameworks to Assess Threat Detection Resil...
MITRE ATT&CK
 
PDF
Bridging the Gap: Enhancing Detection Coverage with Atomic Red Team, Sigma, a...
MITRE ATT&CK
 
PDF
SaaSy ATT&CK – Practical ATT&CK usage for SaaS-based Telemetry - Aaron Shelmire
MITRE ATT&CK
 
PDF
I'll take ATT&CK techniques that can be done for $1000, Alex. - Ben Langrill
MITRE ATT&CK
 
PDF
This is why we don’t shout “Bingo”: Analyzing ATT&CK Integration in Endpoint ...
MITRE ATT&CK
 
PDF
Every Cloud Has a Purple Lining - Arun Seelagan
MITRE ATT&CK
 
PDF
Confession: 3 Things I Wish I Knew About MITRE ATT&CK When I Was an FBI Profi...
MITRE ATT&CK
 
PDF
ATT&CKcon 5.0 Keynote - From Ticket Closers to Practitioners- How Great Secu...
MITRE ATT&CK
 
PDF
ATT&CKcon 5.0 Lightning Talks - Various Speakers
MITRE ATT&CK
 
PDF
MITRE ATT&CK Updates: Defensive ATT&CK - Lex Crumpton
MITRE ATT&CK
 
PDF
MITRE ATT&CK Updates: Enterprise - Casey Knerr
MITRE ATT&CK
 
PDF
MITRE ATT&CK Updates: CTI - Path Forward - Joe Slowik
MITRE ATT&CK
 
PDF
MITRE ATT&CK Updates: Software - Jared Ondricek
MITRE ATT&CK
 
PDF
State of the ATT&CK 2024 - Adam Pennington
MITRE ATT&CK
 
PDF
Sources of ATT&CK: A Bibliographic Journey through Enterprise ATT&CK - Robert...
MITRE ATT&CK
 
PDF
Updates from The Center for Threat Informed Defense - Jon Baker
MITRE ATT&CK
 
PDF
Go Go Ransom Rangers: Diving into Akira’s Linux Variant with ATT&CK - Nicole ...
MITRE ATT&CK
 
PDF
ATT&CK From Basic Principles - Tareq AlKhatib
MITRE ATT&CK
 
PDF
Lifecycle-Aware Power Side-Channel Malware Detection - Alexander Cathis
MITRE ATT&CK
 
Next-Gen Threat-Informed Defense: Human-Assisted Intelligent Agents - Rajesh ...
MITRE ATT&CK
 
Using ATT&CK and MITRE CTID’s StP Frameworks to Assess Threat Detection Resil...
MITRE ATT&CK
 
Bridging the Gap: Enhancing Detection Coverage with Atomic Red Team, Sigma, a...
MITRE ATT&CK
 
SaaSy ATT&CK – Practical ATT&CK usage for SaaS-based Telemetry - Aaron Shelmire
MITRE ATT&CK
 
I'll take ATT&CK techniques that can be done for $1000, Alex. - Ben Langrill
MITRE ATT&CK
 
This is why we don’t shout “Bingo”: Analyzing ATT&CK Integration in Endpoint ...
MITRE ATT&CK
 
Every Cloud Has a Purple Lining - Arun Seelagan
MITRE ATT&CK
 
Confession: 3 Things I Wish I Knew About MITRE ATT&CK When I Was an FBI Profi...
MITRE ATT&CK
 
ATT&CKcon 5.0 Keynote - From Ticket Closers to Practitioners- How Great Secu...
MITRE ATT&CK
 
ATT&CKcon 5.0 Lightning Talks - Various Speakers
MITRE ATT&CK
 
MITRE ATT&CK Updates: Defensive ATT&CK - Lex Crumpton
MITRE ATT&CK
 
MITRE ATT&CK Updates: Enterprise - Casey Knerr
MITRE ATT&CK
 
MITRE ATT&CK Updates: CTI - Path Forward - Joe Slowik
MITRE ATT&CK
 
MITRE ATT&CK Updates: Software - Jared Ondricek
MITRE ATT&CK
 
State of the ATT&CK 2024 - Adam Pennington
MITRE ATT&CK
 
Sources of ATT&CK: A Bibliographic Journey through Enterprise ATT&CK - Robert...
MITRE ATT&CK
 
Updates from The Center for Threat Informed Defense - Jon Baker
MITRE ATT&CK
 
Go Go Ransom Rangers: Diving into Akira’s Linux Variant with ATT&CK - Nicole ...
MITRE ATT&CK
 
ATT&CK From Basic Principles - Tareq AlKhatib
MITRE ATT&CK
 
Lifecycle-Aware Power Side-Channel Malware Detection - Alexander Cathis
MITRE ATT&CK
 
Ad

Recently uploaded (20)

PDF
A novel scalable deep ensemble learning framework for big data classification...
IAESIJAI
 
PDF
Profit Center Accounting in SAP S/4HANA, S4F28 Col11
Libreria ERP
 
PDF
Univ-Connecticut-ChatGPT-Presentaion.pdf
ry7r52mzb4
 
PDF
Web App vs Mobile App What Should You Build First.pdf
KodekX
 
PPTX
MicrosoftCybserSecurityReferenceArchitecture-April-2025.pptx
SilvioHayashi
 
PDF
project resource management chapter-09.pdf
ssuser00e6e21
 
PDF
A contest of sentiment analysis: k-nearest neighbor versus neural network
IAESIJAI
 
PDF
A comparative study of natural language inference in Swahili using monolingua...
IAESIJAI
 
PPT
What is a Computer? Input Devices /output devices
GulJan8
 
PPTX
TLE Review Electricity (Electricity).pptx
JayPolicarpio2
 
PDF
WOOl fibre morphology and structure.pdf for textiles
Rajendrakumar868651
 
PPTX
observCloud-Native Containerability and monitoring.pptx
anupsingh76937
 
PDF
Developing a website for English-speaking practice to English as a foreign la...
IAESIJAI
 
PDF
gpt5_lecture_notes_comprehensive_20250812015547.pdf
Chinchu40
 
PDF
1 - Historical Antecedents, Social Consideration.pdf
tuazon2030627
 
PPTX
TechTalks-8-2019-Service-Management-ITIL-Refresh-ITIL-4-Framework-Supports-Ou...
bonakiduza1024
 
PPTX
Programs and apps: productivity, graphics, security and other tools
4mqw9zch22
 
PDF
NewMind AI Weekly Chronicles – August ’25 Week III
NewMind AI
 
PPTX
Group 1 Presentation -Planning and Decision Making .pptx
MatthewLewis227954
 
PDF
From MVP to Full-Scale Product A Startup’s Software Journey.pdf
KodekX
 
A novel scalable deep ensemble learning framework for big data classification...
IAESIJAI
 
Profit Center Accounting in SAP S/4HANA, S4F28 Col11
Libreria ERP
 
Univ-Connecticut-ChatGPT-Presentaion.pdf
ry7r52mzb4
 
Web App vs Mobile App What Should You Build First.pdf
KodekX
 
MicrosoftCybserSecurityReferenceArchitecture-April-2025.pptx
SilvioHayashi
 
project resource management chapter-09.pdf
ssuser00e6e21
 
A contest of sentiment analysis: k-nearest neighbor versus neural network
IAESIJAI
 
A comparative study of natural language inference in Swahili using monolingua...
IAESIJAI
 
What is a Computer? Input Devices /output devices
GulJan8
 
TLE Review Electricity (Electricity).pptx
JayPolicarpio2
 
WOOl fibre morphology and structure.pdf for textiles
Rajendrakumar868651
 
observCloud-Native Containerability and monitoring.pptx
anupsingh76937
 
Developing a website for English-speaking practice to English as a foreign la...
IAESIJAI
 
gpt5_lecture_notes_comprehensive_20250812015547.pdf
Chinchu40
 
1 - Historical Antecedents, Social Consideration.pdf
tuazon2030627
 
TechTalks-8-2019-Service-Management-ITIL-Refresh-ITIL-4-Framework-Supports-Ou...
bonakiduza1024
 
Programs and apps: productivity, graphics, security and other tools
4mqw9zch22
 
NewMind AI Weekly Chronicles – August ’25 Week III
NewMind AI
 
Group 1 Presentation -Planning and Decision Making .pptx
MatthewLewis227954
 
From MVP to Full-Scale Product A Startup’s Software Journey.pdf
KodekX
 

Practical Application of MITRE ATT&CK: Real World Usage in a Corporate Environment - Marcelle Lee

  • 1. PRACTICAL APPLICATION OF MITRE ATT&CK: REAL WORLD USAGE IN A CORPORATE ENVIRONMENT Marcelle Lee ATT&CKcon 5.0 22 October 2024
  • 2. ABOUT MARCELLE • Principal InfoSec Engineer & Threat Research Lead @ Equinix • Cyberjutsu Board of Directors • Packet nerd • CTF builder and player • Career changer – a dozen or so years in cyber now • Mom of boys (grown and gone) and a couple of adoptees (grown and not gone), chickens, a dog, a cat, and some fish • @marcellelee on most socials
  • 3. HOW WE USE ATT&CK AT EQUINIX • Research: breaking down TTPs to better understand the threat • Threat hunting and detection engineering: searching for TTPs in our systems • Reporting: sharing with stakeholders • Kill chain analysis: analyze breaches and attacks for lessons learned • Security controls gap analysis: identify where gaps may exist based on identified TTPs • Integration into research tools: mapping activity to the framework
  • 4. RESEARCH • Research is driven by stakeholder priority intelligence requirements (mostly) • Continual cycle of identifying relevant TTPs used by threat actors and assessing corporate exposure • Source is typically OSINT, trusted third- parties, and internal telemetry • We want to know the details for each attack phase where possible
  • 5. THREAT HUNTING AND DETECTION ENGINEERING • TTPs of interest are identified • Map to ATT&CK if not already done • Evaluate existing detection rules for coverage • Deploy additional rules as needed • Write customer rules to cover detection gaps
  • 6. REPORTING • Analyzed TTPs are shared with stakeholders via internal intel reports
  • 7. KILL CHAIN ANALYSIS • TTPs are analyzed and presented in kill chain format
  • 8. SECURITY CONTROLS GAP ANALYSIS • Kill chain analysis is leveraged to assess security control coverage
  • 9. INTEGRATION INTO RESEARCH TOOLS • Any.run example
  • 10. INTEGRATION INTO RESEARCH TOOLS • VirusTotal example