©2020 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for public release. Distribution unlimited 19-01075-6.
MITRE
Update from the MITRE ATT&CK Team
Adam Pennington
@_whatshisface
@MITREattack
© 2020 The MITRE Corporation. All rights reserved. Approved for public release. Distribution unlimited 20-00841-4.
System Owner/User Discovery (T1033)
adamp$ whoami
• New Lead of MITRE ATT&CK
• 12 years with MITRE
• Focused on threat intel and deception
• Past defender and CTI analyst
• Part of ATT&CK since it was a spreadsheet with no &
• 11 years at Carnegie Mellon as student and researcher
• Certified decompression and rebreather diver
• Former live sound engineer
ATTACK Circa 2014
(Matrix on the slide, listed by tactic column)
Persistence: New service; Modify existing service; DLL Proxying; Hypervisor Rootkit; Winlogon Helper DLL; Path Interception; Registry run keys / Startup folder addition; Modification of shortcuts; MBR / BIOS rootkit; Editing of default handlers; AT / Schtasks / Cron
Privilege Escalation: Exploitation of vulnerability; Service file permissions weakness; Service registry permissions weakness; DLL path hijacking; Path interception; Modification of shortcuts; Editing of default handlers; AT / Schtasks / Cron
Credential Access: OS/Software Weakness; User interaction; Network sniffing; Stored file
Host Enumeration: Process enumeration; Service enumeration; Local network config; Local network connections; Window enumeration; Account enumeration; Group enumeration; Owner/user enumeration; Operating system enumeration; Security software enumeration; File system enumeration
Defense Evasion: Software packing; Masquerading; DLL Injection; DLL loading; Standard protocols; Obfuscated payload; Indicator removal; Indicator blocking
Lateral Movement: RDP; Windows admin shares (C$, ADMIN$); Windows shared webroot; Remote vulnerability; Logon scripts; Application deployment software; Taint shared content; Access to remote services with valid credentials; Pass the hash
Command and Control: Common protocol, follows standard; Common protocol, non-standard; Commonly used protocol on non-standard port; Communications encrypted; Communications are obfuscated; Distributed communications; Multiple protocols combined
Exfiltration: Normal C&C channel; Alternate data channel; Exfiltration over other network medium; Exfiltration over physical medium; Encrypted separately; Compressed separately; Data staged; Automated or scripted data exfiltration; Size limits; Scheduled transfer
Enterprise ATT&CK as of May 2020
(Full technique matrix on the slide; tactic columns: Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Collection, Command and Control, Exfiltration, Impact)
Issues with ATT&CK in 2020
• Technique abstraction imbalance across knowledge base
  • Some techniques broad: Masquerading
  • Some techniques narrow: Rundll32
  • Most common complaint over the past couple of years
• Techniques have a lot of depth to them
  • Some don’t read beyond the name
  • An analytic per technique may not make coverage “green”
• Technique overload
  • Too many techniques!
  • The matrix is too big!
Our Solution: Sub-Techniques
• Released March 31st in beta
  • Website
  • STIX 2.0 (Not yet via TAXII)
  • ATT&CK Navigator
  • Crosswalks from pre sub-techniques to sub-techniques
  • Design & Philosophy paper
ATT&CK with Sub-Techniques Beta
What is a Sub-Technique?
• It’s a more specific technique
  • Still describes behavior, but at a lower level
  • Still intelligence driven: observed in-the-wild use
• Sub-techniques are not procedures!
  • Procedures continue to be specific adversary implementations
• Sub-technique initial coverage
  • Enterprise
  • Cloud
What Do Sub-Techniques Mean for ATT&CK?
• Large reorganization of information
  • Initial release is same data, just new structure
  • Fixes a lot of the abstraction issues
• More sustainable growth
  • Reduction by 99 techniques
  • Provides better framework for others to add to local copies
  • Easier to convey complexity of techniques for coverage
• Opportunity to trim/refine
  • Several techniques deprecated: hypervisor, etc.
  • Higher level ideas broken out: masquerading
Sub-Technique Example
Credential Access techniques: Brute Force; Forced Authentication; Input Capture; OS Credential Dumping; Unsecured Credentials; …
OS Credential Dumping sub-techniques: Security Accounts Manager; LSA Secrets; Cached Domain Credentials; Proc Filesystem; …
New Technique Page – Pre-OS Boot
New Sub-Technique – System Firmware
New Matrix Visualizations
Side Layout / Flat Layout
Things You Should Know About Subs
• ID Structure: T####.### - T[technique].[sub-technique]
  • e.g. Pre-OS Boot: T1542; System Firmware: T1542.001
• Single parent from sub-techniques to technique
• Sub-techniques may have different tactics within a technique
• Not all techniques have a sub-technique
• Procedures mapped to sub-techniques where possible
  • Ambiguous info goes to technique
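As an added example (not code from the slides or from the ATT&CK project), the ID structure above and the coverage point from the "Issues with ATT&CK in 2020" slide, in Python: parse T####.### IDs, derive the single parent technique, and roll observed behaviour and detection analytics up per technique, so that one analytic per technique does not show as "green" while observed sub-techniques have no coverage. The observed/detected sample sets are constructed; only T1542 and T1542.001 come from the slides.

```python
import re

# ID structure from the slides: T#### is a technique, T####.### is a
# sub-technique, and each sub-technique has exactly one parent technique.
ATTACK_ID_RE = re.compile(r"^T(\d{4})(?:\.(\d{3}))?$")


def parse_attack_id(attack_id):
    """Return (parent_technique_id, sub_technique_id_or_None); reject malformed IDs."""
    match = ATTACK_ID_RE.match(attack_id.strip())
    if match is None:
        raise ValueError(f"not a valid ATT&CK technique ID: {attack_id!r}")
    parent = "T" + match.group(1)
    sub = f"{parent}.{match.group(2)}" if match.group(2) else None
    return parent, sub


def coverage_report(observed, detected):
    """Roll intel observations and detection analytics up to parent techniques.

    observed: IDs seen in threat intel; a sub-technique ID where the reporting
              was specific, a bare technique ID where it was ambiguous (the
              slides' rule: ambiguous info goes to the technique).
    detected: IDs (technique or sub-technique) that an existing analytic covers.

    A technique is "green" only when every observed sub-technique has its own
    analytic and any technique-level observation is matched by a technique-level
    analytic; "partial" when something is covered but gaps remain; "red" when
    nothing observed under that technique is covered at all.
    """
    detected_set = {attack_id.strip() for attack_id in detected}
    report = {}
    for attack_id in observed:
        parent, sub = parse_attack_id(attack_id)
        entry = report.setdefault(parent, {
            "observed_subs": set(),
            "covered_subs": set(),
            "uncovered_subs": set(),
            "ambiguous_observed": False,
            "parent_covered": parent in detected_set,
        })
        if sub is None:
            entry["ambiguous_observed"] = True
        elif sub in detected_set:
            entry["observed_subs"].add(sub)
            entry["covered_subs"].add(sub)
        else:
            entry["observed_subs"].add(sub)
            entry["uncovered_subs"].add(sub)
    for entry in report.values():
        gaps = len(entry["uncovered_subs"])
        if entry["ambiguous_observed"] and not entry["parent_covered"]:
            gaps += 1
        hits = len(entry["covered_subs"]) + int(entry["parent_covered"])
        entry["status"] = "green" if gaps == 0 else ("partial" if hits else "red")
    return report


if __name__ == "__main__":
    # Constructed sample: T1542/T1542.001 are from the slides; the T1003.* and
    # T1036 entries are sample input for the roll-up, not data from the talk.
    observed = ["T1542.001", "T1003.001", "T1003.002", "T1003", "T1036"]
    detected = ["T1542.001", "T1003.001", "T1036"]
    for technique, entry in sorted(coverage_report(observed, detected).items()):
        print(technique, entry["status"], "uncovered:", sorted(entry["uncovered_subs"]))
```

A technique-level analytic alone against an observed sub-technique comes out "partial", which is the coverage gap the slides describe.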
Timeline for Sub-Techniques
• Beta of sub-techniques released March 31, 2020
• Currently in feedback/review period
• Feedback has been largely positive
• Accepting contributions for techniques/groups/software
• Will only be updating sub-technique version of ATT&CK
• On track for an early July 2020 release
Other Sub-Technique Information
Resources
• Sub-technique update log
  • https://attack.mitre.org/beta/resources/updates/updates-march-2020/index.html
• Old ATT&CK to sub-technique crosswalk files:
  • CSV: https://attack.mitre.org/docs/subtechniques/subtechniques-csv.zip
  • JSON: https://attack.mitre.org/docs/subtechniques/subtechniques-crosswalk.json
• Updated ATT&CK Design and Philosophy paper:
  • https://attack.mitre.org/docs/ATTACK_Design_and_Philosophy_March_2020.pdf
• ATT&CK mitre/cti GitHub repo for JSON STIX content:
  • https://github.com/mitre/cti/tree/subtechniques
• ATT&CK Navigator sub-technique beta
  • https://mitre-attack.github.io/attack-navigator/beta/
On Deck After Sub-Techniques
(Diagram: Mobile ATT&CK, Enterprise ATT&CK, PRE-ATT&CK)
2018: Launch/Compromise -> Initial Access
PRE’s Place in the Adversary Lifecycle
(Diagram: Recon, Weaponize, Deliver, Exploit, Control, Execute, Maintain, with the PRE-ATT&CK and Enterprise ATT&CK spans marked)
PRE’s Place in the Adversary Lifecycle
(Same lifecycle diagram, with Intel Planning added)
How do we scope techniques?
• Technical
• Visible to some defenders
• Evidence of adversary use
(Diagram of the new tactics: Intelligence Planning (out of scope), Reconnaissance, Resource Development)
Post-Merger Enterprise ATT&CK
(Diagram: Recon, Weaponize, Deliver, Exploit, Control, Execute, Maintain, all under Enterprise ATT&CK)
PRE-ATT&CK Merger Roadmap
• Reconnaissance and Resource Development tactics
  • Technique development ongoing
• Next release after sub-techniques
  • Currently slated for August 2020
• Looking at how to preserve the content of PRE-ATT&CK
  • We’ve heard from people using “intel planning” for teaching
  • Open to input
Other Upcoming ATT&CK Plans
• Revamp of ATT&CK data sources
  • Planned initial release of source definitions to GitHub
• Technique coverage of network devices such as routers
• New ATT&CK training on defense and analytics
  • Continue training series that started with CTI in January
ATT&CK Today
(Diagram: ATT&CK for ICS, ATT&CK Evaluations, Cyber Analytics Repository, ATT&CK-Based SOC Assessments, PRE-ATT&CK, Mobile ATT&CK, ATT&CK Sightings)
ATT&CK Updates this Past Year
• 1 new tactic
• 43 new techniques
• 13 new Mobile techniques
• 16 new groups
• 87 new software
• 41 new mitigations
• 87 updated techniques
• 16 updated Mobile techniques
• 67 updated groups
• 92 updated software
ATT&CK for ICS – Released in Jan
• Unique Adversary Goals
• Technology Differences
• Different Defenses
ATT&CK for Cloud
Credit to Dave Herrald and Ryan Kovar
ATT&CK for Cloud
• 36 techniques
• Part of Enterprise ATT&CK
• Almost 100% community-contributed techniques!
• Input from:
  • A cloud service provider
  • Red teams
  • Threat analysts
  • Detection analysts
Impact Tactic
• Attacks targeting availability and integrity
• Ex: Ransomware, DoS, destruction
• 16 techniques
Techniques: Data Destruction; Data Encrypted for Impact; Defacement; Disk Content Wipe; Disk Structure Wipe; Endpoint DoS; Firmware Corruption; Inhibit System Recovery; Network DoS; Resource Hijacking; Runtime Data Manipulation; Service Stop; Stored Data Manipulation; Transmitted Data Manipulation; System Shutdown/Reboot; Account Access Removal
Mitigations as an Object
Other ATT&CK Team Talks
• Today at 1830 CET/12:30 PM EDT
  • ATT&CK Navigator Layer Scripts – Caleb Little
• Today at 1845 CET/12:45 PM EDT
  • Technique Report ATT&CK Mapper: TRAM – Connor Magee
• Tomorrow at 1415 CET/8:15 AM EDT
  • Bro/Zeek ATT&CK-based Analytics and Reporting: BZAR – Mark Fernandez
Thank you to the ATT&CK Community
• Alain Homewood, Insomnia Security
• Alan Neville, @abnev
• Alex Hinchliffe, Palo Alto Networks
• Alfredo Abarca
• Allen DeRyke, ICE
• Anastasios Pingios
• Andrew Smith, @jakx_
• Avneet Singh
• Barry Shteiman, Exabeam
• Bart Parys
• Bartosz Jerzman
• Brian Prange
• Bryan Lee
• Carlos Borges, @huntingneo, CIP
• Casey Smith
• Christiaan Beek, @ChristiaanBeek
• Christoffer Strömblad
• Cody Thomas, SpecterOps
• Craig Aitchison
• CrowdStrike Falcon OverWatch
• Cybereason Nocturnus, @nocturnus
• Daniel Oakley
• Darren Spruell
• Dave Westgard
• David Ferguson, CyberSponse
• David Lu, Tripwire
• David Routin
• Drew Church, Splunk
• Ed Williams, Trustwave, SpiderLabs
• Edward Millington
• Elger Vinicius S. Rodrigues, CYBINT Centre
• Elia Florio, Microsoft
• Elly Searle, CrowdStrike
• Emily Ratliff, IBM
• ENDGAME
• Eric Kuehn, Secure Ideas
• Erika Noerenberg, @gutterchurl, Carbon Black
• Erye Hernandez, Palo Alto Networks
• ESET
• Felipe Espósito, @Pr0teus
• Filip Kafka, ESET
• FS-ISAC
• Hans Christoffer Gaardløs
• Heather Linn
• Itamar Mizrahi
• Itzik Kotler, SafeBreach
• Ivan Sinyakov
• Jacob Wilkin, Trustwave, SpiderLabs
• Jan Miller, CrowdStrike
• Jannie Li, Microsoft (MSTIC)
• Jared Atkinson, @jaredcatkinson
• Jean-Ian Boutin, ESET
• Jeff Sakowicz, Microsoft (IDPM Services)
• Jeremy Galloway
• Jimmy Astle, @AstleJimmy, Carbon Black
• Johann Rehberger
• John Lambert, Microsoft (MSTIC)
• John Strand
• Josh Abraham
• Justin Warner, ICEBRG
• Jörg Abraham, EclecticIQ
• Kaspersky
• Lab52 by S2 Grupo
• Leo Loobeek, @leoloobeek
• Loic Jaquemet
• Lucas da Silva Pereira, @vulcanunsec, CIP
• Lukáš Štefanko, ESET
• Marc-Etienne M.Léveillé, ESET
• Mark Wee
• Martin Jirkal, ESET
• Martin Smolar, ESET
• Matias Nicolas Porolli, ESET
• Matt Graeber, @mattifestation, SpecterOps
• Matt Kelly, @breakersall
• Matthew Demaske, Adaptforward
• Matthew Molyett, @s1air
• McAfee
• Michael Cox
• Michal Dida, ESET
• Microsoft Threat Intelligence Center (MSTIC)
• Mike Kemmerer
• Milos Stojadinovic
• Mnemonic
• Netskope
• Nick Carr, FireEye
• Nik Seetharaman, Palantir
• Nishan Maharjan, @loki248
• Oddvar Moe, @oddvarmoe
• Oleg Kolesnikov
• Oleg Skulkin, Group-IB
• Omkar Gudhate
• Patrick Campbell, @pjcampbe11
• Paul Speulstra, AECOM
• Pedro Harrison
• Praetorian
• Prashant Verma, Paladion
• Rahmat Nurfauzi, PT Xynexis International
• Red Canary
• RedHuntLabs, @redhuntlabs
• Ricardo Dias
• Richard Gold, Digital Shadows
• Richie Cyrus, SpecterOps
• Rob Smith
• Robby Winchester, @robwinchester3
• Robert Falcone
• Romain Dumont, ESET
• Ryan Becwar
• Ryan Benson, Exabeam
• Sahar Shukrun
• Saisha Agrawal, Microsoft (MSTIC)
• Scott Lundgren, @5twenty9, Carbon Black
• Shailesh Tiwary (Indian Army)
• Shane Tully, @securitygypsy
• Stefan Kanthak
• Sudhanshu Chauhan, @Sudhanshu_C
• Sunny Neo
• Swetha Prabakaran, Microsoft (MSTIC)
• Sylvain Gil, Exabeam
• Tatsuya Daitoku, Cyber Defense Institute, Inc.
• Teodor Cimpoesu
• Tim MalcomVetter
• Tom Ueltschi @c_APT_ure
• Tony Lambert, Red Canary
• Travis Smith, Tripwire
• Tristan Bennett, Seamless Intelligence
• Valerii Marchuk, Cybersecurity Help s.r.o.
• Veeral Patel
• Vincent Le Toux
• Walker Johnson
• Wayne Silva, Countercept
• Ye Yint Min Thu Htut, DBS Bank
• Yonatan Gotlib, Deep Instinct
Individuals + orgs contributing to ATT&CK!
125 repository results
attack@mitre.org
@MITREattack
Adam Pennington
@_whatshisface

More Related Content

PDF
RH-ISAC Summit 2019 - Adam Pennington - Leveraging MITRE ATT&CK™ for Detectio...
PDF
Pennington - Defending Against Targeted Ransomware with MITRE ATT&CK
PDF
Emulating an Adversary with Imperfect Intelligence
PDF
ATT&CK BINGO
PDF
Becoming a Yogi on Mac ATT&CK with OceanLotus Postures
PDF
Slideshare.net rh-isac summit 2019 - adam pennington - leveraging mitre at ta...
PDF
Automation: The Wonderful Wizard of CTI (or is it?)
PDF
Anomali Detect 19 - Nickels & Pennington - Turning Intelligence into Action w...
RH-ISAC Summit 2019 - Adam Pennington - Leveraging MITRE ATT&CK™ for Detectio...
Pennington - Defending Against Targeted Ransomware with MITRE ATT&CK
Emulating an Adversary with Imperfect Intelligence
ATT&CK BINGO
Becoming a Yogi on Mac ATT&CK with OceanLotus Postures
Slideshare.net rh-isac summit 2019 - adam pennington - leveraging mitre at ta...
Automation: The Wonderful Wizard of CTI (or is it?)
Anomali Detect 19 - Nickels & Pennington - Turning Intelligence into Action w...

What's hot (20)

PDF
MITRE ATT&CKcon 2018: ATT&CK as a Teacher, Travis Smith, Tripwire
PDF
Introduction to MITRE ATT&CK
PDF
Mapping to MITRE ATT&CK: Enhancing Operations Through the Tracking of Interac...
PDF
BSidesLV 2018 - Katie Nickels and John Wunder - ATT&CKing the Status Quo
PDF
State of the ATT&CK - ATT&CKcon Power Hour
PPTX
Evolution of Offensive Testing - ATT&CK-based Adversary Emulation Plans
PDF
When Insiders ATT&CK!
PDF
Threat-Based Adversary Emulation with MITRE ATT&CK
PPTX
Purple Teaming with ATT&CK - x33fcon 2018
PDF
TA505: A Study of High End Big Game Hunting in 2020
PDF
Firewall buyers-guide
PPTX
Putting MITRE ATT&CK into Action with What You Have, Where You Are
PDF
Putting the PRE into ATTACK
PPTX
Defend Your Data Now with the MITRE ATT&CK Framework
PDF
MITRE ATT&CKcon 2.0: Ready to ATT&CK? Bring Your Own Data (BYOD) and Validate...
PDF
MITRE ATT&CKcon Power Hour - November
PDF
MITRE ATT&CKcon 2018: Playing Devil’s Advocate to Security Initiatives with A...
PPTX
ATT&CKing with Threat Intelligence
PPTX
RH-ISAC Summit 2019 - Adam Pennington - Leveraging MITRE ATT&CK™ for Detectio...
MITRE ATT&CKcon 2018: ATT&CK as a Teacher, Travis Smith, Tripwire
Introduction to MITRE ATT&CK
Mapping to MITRE ATT&CK: Enhancing Operations Through the Tracking of Interac...
BSidesLV 2018 - Katie Nickels and John Wunder - ATT&CKing the Status Quo
State of the ATT&CK - ATT&CKcon Power Hour
Evolution of Offensive Testing - ATT&CK-based Adversary Emulation Plans
When Insiders ATT&CK!
Threat-Based Adversary Emulation with MITRE ATT&CK
Purple Teaming with ATT&CK - x33fcon 2018
TA505: A Study of High End Big Game Hunting in 2020
Firewall buyers-guide
Putting MITRE ATT&CK into Action with What You Have, Where You Are
Putting the PRE into ATTACK
Defend Your Data Now with the MITRE ATT&CK Framework
MITRE ATT&CKcon 2.0: Ready to ATT&CK? Bring Your Own Data (BYOD) and Validate...
MITRE ATT&CKcon Power Hour - November
MITRE ATT&CKcon 2018: Playing Devil’s Advocate to Security Initiatives with A...
ATT&CKing with Threat Intelligence
RH-ISAC Summit 2019 - Adam Pennington - Leveraging MITRE ATT&CK™ for Detectio...
Ad

Similar to Update from the MITRE ATT&CK Team (20)

PDF
State of the ATTACK
PDF
Getting Bear-y Cozy with PowerShell
PDF
State of the ATT&CK
PDF
Which Came First: The Phish or the Opportunity to Defend Against It
PPTX
Hunting for Cyber Threats Using Threat Modeling & Frameworks
PDF
MITRE_ATTACK_Enterprise_11x17.pdf
PDF
CALDERA-Automating-Adversary-Emulation.pdf
PPTX
Corporate Security Issues and countering them using Unified Threat Management...
PDF
Keynote: Which way is the SolarWind Blowing? Techniques are changing…are you ...
PDF
MITRE-Module 1 Slides.pdf
PDF
MITRE ATT&CK Framework
PDF
Cloud Security Primer - F5 Networks
PPTX
Adversary Emulation - DerpCon
PPTX
Week Topic Code Access vs Event Based.pptx
PDF
MITRE ATT&CK Updates: State of the ATT&CK (ATT&CKcon 4.0 Edition)
PDF
RAZORPOINT SECURITY GLOSSARY
PDF
TechWiseTV Workshop: Encrypted Traffic Analytics
PDF
Cisco Connect 2018 Thailand - Security automation and programmability mr. kho...
PDF
Cisco Connect 2018 Thailand - Telco service provider network analytics
PDF
Next Dimension and Cisco | Solutions for PIPEDA Compliance
State of the ATTACK
Getting Bear-y Cozy with PowerShell
State of the ATT&CK
Which Came First: The Phish or the Opportunity to Defend Against It
Hunting for Cyber Threats Using Threat Modeling & Frameworks
MITRE_ATTACK_Enterprise_11x17.pdf
CALDERA-Automating-Adversary-Emulation.pdf
Corporate Security Issues and countering them using Unified Threat Management...
Keynote: Which way is the SolarWind Blowing? Techniques are changing…are you ...
MITRE-Module 1 Slides.pdf
MITRE ATT&CK Framework
Cloud Security Primer - F5 Networks
Adversary Emulation - DerpCon
Week Topic Code Access vs Event Based.pptx
MITRE ATT&CK Updates: State of the ATT&CK (ATT&CKcon 4.0 Edition)
RAZORPOINT SECURITY GLOSSARY
TechWiseTV Workshop: Encrypted Traffic Analytics
Cisco Connect 2018 Thailand - Security automation and programmability mr. kho...
Cisco Connect 2018 Thailand - Telco service provider network analytics
Next Dimension and Cisco | Solutions for PIPEDA Compliance
Ad

Recently uploaded (20)

PPTX
1. Introduction to Computer Programming.pptx
PDF
Mushroom cultivation and it's methods.pdf
PDF
Encapsulation theory and applications.pdf
PDF
Encapsulation_ Review paper, used for researhc scholars
PDF
A comparative analysis of optical character recognition models for extracting...
PDF
7 ChatGPT Prompts to Help You Define Your Ideal Customer Profile.pdf
PPTX
Digital-Transformation-Roadmap-for-Companies.pptx
PDF
Microsoft Solutions Partner Drive Digital Transformation with D365.pdf
PDF
Accuracy of neural networks in brain wave diagnosis of schizophrenia
PPTX
Chapter 5: Probability Theory and Statistics
PDF
Web App vs Mobile App What Should You Build First.pdf
PDF
August Patch Tuesday
PDF
WOOl fibre morphology and structure.pdf for textiles
PDF
From MVP to Full-Scale Product A Startup’s Software Journey.pdf
PDF
Assigned Numbers - 2025 - Bluetooth® Document
PPTX
cloud_computing_Infrastucture_as_cloud_p
PPTX
OMC Textile Division Presentation 2021.pptx
PDF
Hindi spoken digit analysis for native and non-native speakers
PDF
Building Integrated photovoltaic BIPV_UPV.pdf
PDF
Unlocking AI with Model Context Protocol (MCP)
1. Introduction to Computer Programming.pptx
Mushroom cultivation and it's methods.pdf
Encapsulation theory and applications.pdf
Encapsulation_ Review paper, used for researhc scholars
A comparative analysis of optical character recognition models for extracting...
7 ChatGPT Prompts to Help You Define Your Ideal Customer Profile.pdf
Digital-Transformation-Roadmap-for-Companies.pptx
Microsoft Solutions Partner Drive Digital Transformation with D365.pdf
Accuracy of neural networks in brain wave diagnosis of schizophrenia
Chapter 5: Probability Theory and Statistics
Web App vs Mobile App What Should You Build First.pdf
August Patch Tuesday
WOOl fibre morphology and structure.pdf for textiles
From MVP to Full-Scale Product A Startup’s Software Journey.pdf
Assigned Numbers - 2025 - Bluetooth® Document
cloud_computing_Infrastucture_as_cloud_p
OMC Textile Division Presentation 2021.pptx
Hindi spoken digit analysis for native and non-native speakers
Building Integrated photovoltaic BIPV_UPV.pdf
Unlocking AI with Model Context Protocol (MCP)

Update from the MITRE ATT&CK Team

  • 1. ©2020 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for public release. Distribution unlimited 19-01075-6. MITRE | 1 | Update from the MITRE ATT&CK Team Adam Pennington @_whatshisface @MITREattack © 2020 The MITRE Corporation. All rights reserved. Approved for public release. Distribution unlimited 20-00841-4.
  • 2. ©2020 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for public release. Distribution unlimited 20-00841-4 | 2 | System Owner/User Discovery (T1033) adamp$ whoami • New Lead of MITRE ATT&CK • 12 years with MITRE • Focused on threat intel and deception • Past defender and CTI analyst • Part of ATT&CK since it was a spreadsheet with no & • 11 years at Carnegie Mellon as student and researcher • Certified decompression and rebreather diver • Former live sound engineer
  • 3. ©2020 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for public release. Distribution unlimited 20-00841-4 | 3 | ATTACK Circa 2014 Persistence Privilege Escalation Credential Access Host Enumeration Defense Evasion Lateral Movement Command and Control Exfiltration New service Exploitation of vulnerability OS/Software Weakness Process enumeration Software packing RDP Common protocol, follows standard Normal C&C channel Modify existing service Service file permissions weakness User interaction Service enumeration Masquerading Windows admin shares (C$, ADMIN$) Common protocol, non- standard Alternate data channel DLL Proxying Service registry permissions weakness Network sniffing Local network config DLL Injection Windows shared webroot Commonly used protocol on non- standard port Exfiltration over other network medium Hypervisor Rookit DLL path hijacking Stored file Local network connections DLL loading Remote vulnerability Communications encrypted Exfiltration over physical medium Winlogon Helper DLL Path interception Window enumeration Standard protocols Logon scripts Communications are obfuscated Encrypted separately Path Interception Modification of shortcuts Account enumeration Obfuscated payload Application deployment software Distributed communications Compressed separately Registry run keys / Startup folder addition Editing of default handlers Group enumeration Indicator removal Taint shared content Multiple protocols combined Data staged Modification of shortcuts AT / Schtasks / Cron Owner/user enumeration Indicator blocking Access to remote services with valid credentials Automated or scripted data exfiltration MBR / BIOS rootkit Operating system enumeration Pass the hash Size limits Editing of default handlers Security software enumeration Scheduled transfer AT / Schtasks / Cron File system enumeration
  • 4. Enterprise ATT&CK as of May 2020 (the full pre-sub-technique matrix; the slide rendered it as a grid, and the column boundaries were lost in extraction, so the cells are listed in the order they were extracted)
    Tactics: Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Collection, Command and Control, Exfiltration, Impact
    Technique cells: Drive-by Compromise, Scheduled Task, Binary Padding, Network Sniffing, AppleScript, Audio Capture, Commonly Used Port, Automated Exfiltration, Data Destruction, Exploit Public-Facing Application, Launchctl, Access Token Manipulation, Account Manipulation, Account Discovery, Application Deployment Software, Automated Collection, Communication Through Removable Media, Data Compressed, Data Encrypted for Impact, Local Job Scheduling, Bypass User Account Control, Bash History, Application Window Discovery, Clipboard Data, Data Encrypted, Defacement, External Remote Services, LSASS Driver, Extra Window Memory Injection, Brute Force, Distributed Component Object Model, Data from Information Repositories, Connection Proxy, Data Transfer Size Limits, Disk Content Wipe, Hardware Additions, Trap, Process Injection, Credential Dumping, Browser Bookmark Discovery, Custom Command and Control Protocol, Exfiltration Over Other Network Medium, Disk Structure Wipe, Replication Through Removable Media, AppleScript, DLL Search Order Hijacking, Credentials in Files, Exploitation of Remote Services, Data from Local System, Endpoint Denial of Service, CMSTP, Image File Execution Options Injection, Credentials in Registry, Domain Trust Discovery, Data from Network Shared Drive, Custom Cryptographic Protocol, Exfiltration Over Command and Control Channel, Firmware Corruption, Spearphishing Attachment, Command-Line Interface, Plist Modification, Exploitation for Credential Access, File and Directory Discovery, Logon Scripts, Inhibit System Recovery, Spearphishing Link, Compiled HTML File, Valid Accounts, Network Service Scanning, Pass the Hash, Data from Removable Media, Data Encoding, Exfiltration Over Alternative Protocol, Network Denial of Service, Spearphishing via Service, Control Panel Items, Accessibility Features, BITS Jobs, Forced Authentication, Network Share Discovery, Pass the Ticket, Data Staged, Data Obfuscation, Resource Hijacking, Supply Chain Compromise, Dynamic Data Exchange, AppCert DLLs, Clear Command History, Hooking, Password Policy Discovery, Remote Desktop Protocol, Email Collection, Domain Fronting, Exfiltration Over Physical Medium, Runtime Data Manipulation, Trusted Relationship, Execution through API, AppInit DLLs, CMSTP, Input Capture, Peripheral Device Discovery, Remote File Copy, Input Capture, Domain Generation Algorithms, Service Stop, Valid Accounts, Execution through Module Load, Application Shimming, Code Signing, Input Prompt, Permission Groups Discovery, Remote Services, Man in the Browser, Scheduled Transfer, Stored Data Manipulation, Dylib Hijacking, Compiled HTML File, Kerberoasting, Process Discovery, Replication Through Removable Media, Screen Capture, Fallback Channels, Transmitted Data Manipulation, Exploitation for Client Execution, File System Permissions Weakness, Component Firmware, Keychain, Query Registry, Video Capture, Multiband Communication, Hooking, Component Object Model Hijacking, LLMNR/NBT-NS Poisoning and Relay, Remote System Discovery, Shared Webroot, Multi-hop Proxy, Graphical User Interface, Launch Daemon, Security Software Discovery, SSH Hijacking, Multilayer Encryption, InstallUtil, New Service, Control Panel Items, Password Filter DLL, System Information Discovery, Taint Shared Content, Multi-Stage Channels, Mshta, Path Interception, DCShadow, Private Keys, Third-party Software, Port Knocking, PowerShell, Port Monitors, Deobfuscate/Decode Files or Information, Securityd Memory, System Network Configuration Discovery, Windows Admin Shares, Remote Access Tools, Regsvcs/Regasm, Service Registry Permissions Weakness, Two-Factor Authentication Interception, Windows Remote Management, Remote File Copy, Regsvr32, Setuid and Setgid, Disabling Security Tools, System Network Connections Discovery, Standard Application Layer Protocol, Rundll32, Startup Items, DLL Side-Loading, Scripting, Web Shell, Execution Guardrails, System Owner/User Discovery, Standard Cryptographic Protocol, Service Execution, .bash_profile and .bashrc, Exploitation for Privilege Escalation, Exploitation for Defense Evasion, Signed Binary Proxy Execution, Account Manipulation, System Service Discovery, Standard Non-Application Layer Protocol, Authentication Package, SID-History Injection, File Deletion, System Time Discovery, Signed Script Proxy Execution, BITS Jobs, Sudo, File Permissions Modification, Virtualization/Sandbox Evasion, Uncommonly Used Port, Bootkit, Sudo Caching, Web Service, Source, Browser Extensions, File System Logical Offsets, Space after Filename, Change Default File Association, Gatekeeper Bypass, Third-party Software, Group Policy Modification, Trusted Developer Utilities, Component Firmware, Hidden Files and Directories, User Execution, Component Object Model Hijacking, Hidden Users, Windows Management Instrumentation, Hidden Window, Create Account, HISTCONTROL, Windows Remote Management, External Remote Services, Indicator Blocking, Hidden Files and Directories, Indicator Removal from Tools, XSL Script Processing, Hypervisor, Kernel Modules and Extensions, Indicator Removal on Host, Indirect Command Execution, Launch Agent, Install Root Certificate, LC_LOAD_DYLIB Addition, InstallUtil, Login Item, Launchctl, Logon Scripts, LC_MAIN Hijacking, Modify Existing Service, Masquerading, Netsh Helper DLL, Modify Registry, Office Application Startup, Mshta, Port Knocking, Network Share Connection Removal, Rc.common, Redundant Access, NTFS File Attributes, Registry Run Keys / Startup Folder, Obfuscated Files or Information, Re-opened Applications, Port Knocking, Screensaver, Process Doppelgänging, Security Support Provider, Process Hollowing, Shortcut Modification, Redundant Access, SIP and Trust Provider Hijacking, Regsvcs/Regasm, Regsvr32, System Firmware, Rootkit, Systemd Service, Rundll32, Time Providers, Scripting, Windows Management Instrumentation Event Subscription, Signed Binary Proxy Execution, Signed Script Proxy Execution, Winlogon Helper DLL, SIP and Trust Provider Hijacking, Software Packing, Space after Filename, Template Injection, Timestomp, Trusted Developer Utilities, Virtualization/Sandbox Evasion, Web Service, XSL Script Processing
  • 5. Issues with ATT&CK in 2020 • Technique abstraction imbalance across the knowledge base • Some techniques broad: Masquerading • Some techniques narrow: Rundll32 • Most common complaint over the past couple of years • Techniques have a lot of depth to them • Some don’t read beyond the name • An analytic per technique may not make coverage “green” • Technique overload • Too many techniques! • The matrix is too big!
  • 6. Our Solution: Sub-Techniques • Released March 31st in beta • Website • STIX 2.0 (not yet via TAXII) • ATT&CK Navigator • Crosswalks from pre-sub-technique ATT&CK to sub-techniques • Design & Philosophy paper
  • 7. ATT&CK with Sub-Techniques Beta
  • 8. What is a Sub-Technique? • A more specific technique • Still describes behavior, but at a lower level • Still intelligence driven: observed in-the-wild use • Sub-techniques are not procedures! • Procedures continue to be the specific adversary implementation • Sub-technique initial coverage • Enterprise • Cloud
  • 9. What Do Sub-Techniques Mean for ATT&CK? • Large reorganization of information • Initial release is the same data, just a new structure • Fixes a lot of the abstraction issues • More sustainable growth • Reduction by 99 techniques • Provides a better framework for others to add to local copies • Easier to convey the complexity of techniques for coverage • Opportunity to trim/refine • Several techniques deprecated: Hypervisor, etc. • Higher-level ideas broken out: Masquerading
  • 10. Sub-Technique Example • Credential Access techniques: Brute Force, Forced Authentication, Input Capture, OS Credential Dumping, Unsecured Credentials, … • OS Credential Dumping sub-techniques: Security Accounts Manager, LSA Secrets, Cached Domain Credentials, Proc Filesystem, …
  • 11. New Technique Page – Pre-OS Boot
  • 12. New Sub-Technique – System Firmware
  • 13. New Matrix Visualizations • Side Layout • Flat Layout
  • 14. Things You Should Know About Subs • ID structure: T####.### – T[technique].[sub-technique] • e.g. Pre-OS Boot: T1542; System Firmware: T1542.001 • Single parent: each sub-technique belongs to exactly one technique • Sub-techniques may have different tactics within a technique • Not all techniques have sub-techniques • Procedures mapped to sub-techniques where possible • Ambiguous info goes to the technique
  • 15. Timeline for Sub-Techniques • Beta of sub-techniques released March 31, 2020 • Currently in feedback/review period • Feedback has been largely positive • Accepting contributions for techniques/groups/software • Will only be updating the sub-technique version of ATT&CK • On track for an early July 2020 release
  • 16. Other Sub-Technique Information Resources • Sub-technique update log: https://attack.mitre.org/beta/resources/updates/updates-march-2020/index.html • Old ATT&CK to sub-technique crosswalk files: CSV: https://attack.mitre.org/docs/subtechniques/subtechniques-csv.zip • JSON: https://attack.mitre.org/docs/subtechniques/subtechniques-crosswalk.json • Updated ATT&CK Design and Philosophy paper: https://attack.mitre.org/docs/ATTACK_Design_and_Philosophy_March_2020.pdf • ATT&CK mitre/cti GitHub repo for JSON STIX content: https://github.com/mitre/cti/tree/subtechniques • ATT&CK Navigator sub-technique beta: https://mitre-attack.github.io/attack-navigator/beta/
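Worked example, added here and not part of the deck or of MITRE's own tooling: it reads a STIX 2.0 bundle in the shape the mitre/cti repository publishes (an attack-pattern carries its ATT&CK ID in external_references under source_name mitre-attack, flags x_mitre_is_subtechnique, and a subtechnique-of relationship points from the sub-technique to its parent), enforces the rules from slide 14 (T####.### IDs, exactly one parent per sub-technique), and rolls procedure mappings up so that a sub-technique hit counts toward its parent technique while an ambiguous mapping stays at the technique level. The bundle fragment, the STIX identifiers and the procedure list are constructed for this example.

```python
"""Added example, not MITRE code: index a STIX 2.0 ATT&CK bundle, resolve
sub-technique IDs to their single parent, and roll procedure mappings up to
technique-level coverage. Bundle and procedure list are constructed here."""
import json
import re
from collections import defaultdict

# ID grammar from the slide: T####  (technique)  or  T####.###  (sub-technique)
ATTACK_ID = re.compile(r"^(T\d{4})(?:\.(\d{3}))?$")

# Constructed STIX 2.0 fragment mirroring the shape of mitre/cti objects: the
# ATT&CK ID rides in external_references, tactics in kill_chain_phases, and a
# "subtechnique-of" relationship points from the sub-technique to its parent.
SAMPLE_BUNDLE = json.loads("""{
  "type": "bundle", "spec_version": "2.0",
  "id": "bundle--9d9c1a2e-5b0b-4f3e-9c34-5f3a8c0c0001",
  "objects": [
    {"type": "attack-pattern", "id": "attack-pattern--a0000000-0000-4000-8000-000000001542",
     "name": "Pre-OS Boot", "x_mitre_is_subtechnique": false,
     "kill_chain_phases": [{"kill_chain_name": "mitre-attack", "phase_name": "persistence"},
                           {"kill_chain_name": "mitre-attack", "phase_name": "defense-evasion"}],
     "external_references": [{"source_name": "mitre-attack", "external_id": "T1542"}]},
    {"type": "attack-pattern", "id": "attack-pattern--b0000000-0000-4000-8000-000000001542",
     "name": "System Firmware", "x_mitre_is_subtechnique": true,
     "kill_chain_phases": [{"kill_chain_name": "mitre-attack", "phase_name": "persistence"},
                           {"kill_chain_name": "mitre-attack", "phase_name": "defense-evasion"}],
     "external_references": [{"source_name": "mitre-attack", "external_id": "T1542.001"}]},
    {"type": "attack-pattern", "id": "attack-pattern--c0000000-0000-4000-8000-000000001033",
     "name": "System Owner/User Discovery", "x_mitre_is_subtechnique": false,
     "kill_chain_phases": [{"kill_chain_name": "mitre-attack", "phase_name": "discovery"}],
     "external_references": [{"source_name": "mitre-attack", "external_id": "T1033"}]},
    {"type": "relationship", "id": "relationship--d0000000-0000-4000-8000-000000000001",
     "relationship_type": "subtechnique-of",
     "source_ref": "attack-pattern--b0000000-0000-4000-8000-000000001542",
     "target_ref": "attack-pattern--a0000000-0000-4000-8000-000000001542"}
  ]}""")


def split_attack_id(attack_id):
    """Return (technique_id, sub_number); sub_number is None for a plain T####."""
    m = ATTACK_ID.match(attack_id)
    if not m:
        raise ValueError("not an ATT&CK technique ID: %r" % attack_id)
    return m.group(1), m.group(2)


def attack_id_of(obj):
    """Pull the T-number out of an attack-pattern's mitre-attack external reference."""
    for ref in obj.get("external_references", []):
        if ref.get("source_name") == "mitre-attack":
            return ref["external_id"]
    raise ValueError("attack-pattern %s has no mitre-attack external_id" % obj["id"])


def index_bundle(bundle):
    """Map ATT&CK ID -> {name, tactics, parent, subs}; enforce the single-parent rule."""
    by_stix = {o["id"]: o for o in bundle["objects"] if o["type"] == "attack-pattern"}
    index = {}
    for stix_id, o in by_stix.items():
        index[attack_id_of(o)] = {
            "stix_id": stix_id, "name": o["name"],
            "tactics": sorted(p["phase_name"] for p in o.get("kill_chain_phases", [])),
            "parent": None, "subs": [],
        }
    parents = defaultdict(list)  # sub-technique ID -> parent IDs claimed by relationships
    for rel in bundle["objects"]:
        if rel["type"] == "relationship" and rel["relationship_type"] == "subtechnique-of":
            parents[attack_id_of(by_stix[rel["source_ref"]])].append(
                attack_id_of(by_stix[rel["target_ref"]]))
    for sub_id, entry in index.items():
        technique, sub_number = split_attack_id(sub_id)
        if sub_number is None:
            continue
        # Slide 14: exactly one parent per sub-technique, and it is the ID prefix.
        if parents[sub_id] != [technique]:
            raise ValueError("%s must have exactly one subtechnique-of parent %s, got %r"
                             % (sub_id, technique, parents[sub_id]))
        entry["parent"] = technique
        index[technique]["subs"].append(sub_id)
    return index


def roll_up(index, procedures):
    """Count procedures per technique: under a sub-technique where the report was
    specific, directly under the technique where the report was ambiguous."""
    coverage = defaultdict(lambda: {"direct": 0, "via_sub": defaultdict(int)})
    for _description, attack_id in procedures:
        entry = index[attack_id]  # KeyError for an ID the bundle does not define
        if entry["parent"] is None:
            coverage[attack_id]["direct"] += 1
        else:
            coverage[entry["parent"]]["via_sub"][attack_id] += 1
    return {k: {"direct": v["direct"], "via_sub": dict(v["via_sub"])}
            for k, v in coverage.items()}


# Constructed procedure mappings: one specific, one ambiguous, one unrelated.
SAMPLE_PROCEDURES = [
    ("report A: implant written into UEFI firmware", "T1542.001"),
    ("report B: 'boot-level persistence', component unspecified", "T1542"),
    ("report C: ran whoami after landing", "T1033"),
]

if __name__ == "__main__":
    idx = index_bundle(SAMPLE_BUNDLE)
    print(json.dumps(roll_up(idx, SAMPLE_PROCEDURES), indent=2))
```

Run against the real bundle from the mitre/cti branch linked above, the same index is what a Navigator layer or a coverage heat map should be built from: a detection mapped to T1542.001 lights up System Firmware and contributes to Pre-OS Boot, whereas a report that only says "boot-level persistence" stays on T1542, which is exactly the "ambiguous info goes to the technique" rule. The single-parent check is worth keeping in any import pipeline, since a locally extended copy that accidentally adds a second subtechnique-of relationship would otherwise double-count.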
  • 17. On Deck After Sub-Techniques • Diagram labels: Mobile ATT&CK, Enterprise ATT&CK, PRE-ATT&CK, “It’s just”
  • 18. 2018: Launch/Compromise -> Initial Access
  • 19. PRE’s Place in the Adversary Lifecycle • Recon, Weaponize, Deliver, Exploit, Control, Execute, Maintain • Enterprise ATT&CK / PRE-ATT&CK
  • 20. PRE’s Place in the Adversary Lifecycle • Recon, Weaponize, Deliver, Exploit, Control, Execute, Maintain • Enterprise ATT&CK / PRE-ATT&CK • Intel Planning
  • 21. How do we scope techniques? • Technical • Visible to some defenders • Evidence of adversary use
  • 22. [image-only slide]
  • 23. Intelligence Planning (out of scope) • Reconnaissance • Resource Development
  • 24. Post-Merger Enterprise ATT&CK • Recon, Weaponize, Deliver, Exploit, Control, Execute, Maintain • Enterprise ATT&CK
  • 25. PRE-ATT&CK Merger Roadmap • Reconnaissance and Resource Development tactics • Technique development ongoing • Next release after sub-techniques • Currently slated for August 2020 • Looking at how to preserve the content of PRE-ATT&CK • We’ve heard from people using “intel planning” for teaching • Open to input
  • 26. Other Upcoming ATT&CK Plans • Revamp of ATT&CK data sources • Planned initial release of data source definitions to GitHub • Technique coverage of network devices such as routers • New ATT&CK training on defense and analytics • Continues the training series that started with CTI in January
  • 27. ATT&CK Today • ATT&CK for ICS • ATT&CK Evaluations • Cyber Analytics Repository • ATT&CK-Based SOC Assessments • PRE-ATT&CK • Mobile ATT&CK • ATT&CK Sightings
  • 28. ATT&CK Updates this Past Year • 1 new tactic • 43 new techniques • 13 new mobile techniques • 16 new groups • 87 new software • 41 new mitigations • 87 updated techniques • 16 updated mobile techniques • 67 updated groups • 92 updated software
  • 29. ATT&CK for ICS – Released in January • Unique adversary goals • Technology differences • Different defenses
  • 30. ATT&CK for Cloud • Credit to Dave Herrald and Ryan Kovar
  • 31. ATT&CK for Cloud • 36 techniques • Part of Enterprise ATT&CK • Almost 100% community-contributed techniques! • Input from: a cloud service provider, red teams, threat analysts, detection analysts
  • 32. [image-only slide]
  • 33. Impact Tactic • Attacks targeting availability and integrity • Ex: ransomware, DoS, destruction • 16 techniques: Data Destruction, Data Encrypted for Impact, Defacement, Disk Content Wipe, Disk Structure Wipe, Endpoint DoS, Firmware Corruption, Inhibit System Recovery, Network DoS, Resource Hijacking, Runtime Data Manipulation, Service Stop, Stored Data Manipulation, Transmitted Data Manipulation, System Shutdown/Reboot, Account Access Removal
  • 34. Mitigations as an Object
  • 35. Other ATT&CK Team Talks • Today at 18:30 CET / 12:30 PM EDT: ATT&CK Navigator Layer Scripts – Caleb Little • Today at 18:45 CET / 12:45 PM EDT: Technique Report ATT&CK Mapper (TRAM) – Connor Magee • Tomorrow at 14:15 CET / 8:15 AM EDT: Bro/Zeek ATT&CK-based Analytics and Reporting (BZAR) – Mark Fernandez
  • 36. Thank you to the ATT&CK Community – Individuals + orgs contributing to ATT&CK! • Alain Homewood, Insomnia Security • Alan Neville, @abnev • Alex Hinchliffe, Palo Alto Networks • Alfredo Abarca • Allen DeRyke, ICE • Anastasios Pingios • Andrew Smith, @jakx_ • Avneet Singh • Barry Shteiman, Exabeam • Bart Parys • Bartosz Jerzman • Brian Prange • Bryan Lee • Carlos Borges, @huntingneo, CIP • Casey Smith • Christiaan Beek, @ChristiaanBeek • Christoffer Strömblad • Cody Thomas, SpecterOps • Craig Aitchison • CrowdStrike Falcon OverWatch • Cybereason Nocturnus, @nocturnus • Daniel Oakley • Darren Spruell • Dave Westgard • David Ferguson, CyberSponse • David Lu, Tripwire • David Routin • Drew Church, Splunk • Ed Williams, Trustwave, SpiderLabs • Edward Millington • Elger Vinicius S. Rodrigues, CYBINT Centre • Elia Florio, Microsoft • Elly Searle, CrowdStrike • Emily Ratliff, IBM • ENDGAME • Eric Kuehn, Secure Ideas • Erika Noerenberg, @gutterchurl, Carbon Black • Erye Hernandez, Palo Alto Networks • ESET • Felipe Espósito, @Pr0teus • Filip Kafka, ESET • FS-ISAC • Hans Christoffer Gaardløs • Heather Linn • Itamar Mizrahi • Itzik Kotler, SafeBreach • Ivan Sinyakov • Jacob Wilkin, Trustwave, SpiderLabs • Jan Miller, CrowdStrike • Jannie Li, Microsoft (MSTIC) • Jared Atkinson, @jaredcatkinson • Jean-Ian Boutin, ESET • Jeff Sakowicz, Microsoft (IDPM Services) • Jeremy Galloway • Jimmy Astle, @AstleJimmy, Carbon Black • Johann Rehberger • John Lambert, Microsoft (MSTIC) • John Strand • Josh Abraham • Justin Warner, ICEBRG • Jörg Abraham, EclecticIQ • Kaspersky • Lab52 by S2 Grupo • Leo Loobeek, @leoloobeek • Loic Jaquemet • Lucas da Silva Pereira, @vulcanunsec, CIP • Lukáš Štefanko, ESET • Marc-Etienne M.Léveillé, ESET • Mark Wee • Martin Jirkal, ESET • Martin Smolar, ESET • Matias Nicolas Porolli, ESET • Matt Graeber, @mattifestation, SpecterOps • Matt Kelly, @breakersall • Matthew Demaske, Adaptforward • Matthew Molyett, @s1air • McAfee • Michael Cox • Michal Dida, ESET • Microsoft Threat Intelligence Center (MSTIC) • Mike Kemmerer • Milos Stojadinovic • Mnemonic • Netskope • Nick Carr, FireEye • Nik Seetharaman, Palantir • Nishan Maharjan, @loki248 • Oddvar Moe, @oddvarmoe • Oleg Kolesnikov • Oleg Skulkin, Group-IB • Omkar Gudhate • Patrick Campbell, @pjcampbe11 • Paul Speulstra, AECOM • Pedro Harrison • Praetorian • Prashant Verma, Paladion • Rahmat Nurfauzi, PT Xynexis International • Red Canary • RedHuntLabs, @redhuntlabs • Ricardo Dias • Richard Gold, Digital Shadows • Richie Cyrus, SpecterOps • Rob Smith • Robby Winchester, @robwinchester3 • Robert Falcone • Romain Dumont, ESET • Ryan Becwar • Ryan Benson, Exabeam • Sahar Shukrun • Saisha Agrawal, Microsoft (MSTIC) • Scott Lundgren, @5twenty9, Carbon Black • Shailesh Tiwary (Indian Army) • Shane Tully, @securitygypsy • Stefan Kanthak • Sudhanshu Chauhan, @Sudhanshu_C • Sunny Neo • Swetha Prabakaran, Microsoft (MSTIC) • Sylvain Gil, Exabeam • Tatsuya Daitoku, Cyber Defense Institute, Inc. • Teodor Cimpoesu • Tim MalcomVetter • Tom Ueltschi, @c_APT_ure • Tony Lambert, Red Canary • Travis Smith, Tripwire • Tristan Bennett, Seamless Intelligence • Valerii Marchuk, Cybersecurity Help s.r.o. • Veeral Patel • Vincent Le Toux • Walker Johnson • Wayne Silva, Countercept • Ye Yint Min Thu Htut, DBS Bank • Yonatan Gotlib, Deep Instinct
  • 37. attack@mitre.org • @MITREattack • Adam Pennington, @_whatshisface