
Closing the Gap vs Adversaries With Community Resources

BSides NYC · 2023 · 44:13 · 49 views · Published 2023-06
About this talk
Threat-informed defense requires understanding adversary tactics, techniques, and procedures—but teams often struggle to identify which threats matter most to their organization. This talk demonstrates how to use MITRE ATT&CK, Tidal Cyber, and other community resources to build threat profiles based on structured metadata (motivations, sectors, victim locations), then pivot to relevant defenses and tests. The speaker walks through real examples: filtering threat groups by targeting and sector, customizing ATT&CK matrices for your organization, and connecting detection capabilities to specific techniques using open-source tools like Atomic Red Team.
Original YouTube description
Identifying adversary behaviors that matter to your organization has always been a difficult task. The purpose of this talk is to help close that gap by exploring adversary behaviors communicated through MITRE ATT&CK and Tidal Cyber. Traditionally, teams have had to wade through large volumes of unstructured CTI to surface the most relevant groups, software, or campaigns, adding so much time that the exercise becomes prohibitive. We will demo and show how structured metadata around threats, such as motivations, sectors, and victim locations, unlocks achievable "threat profiling", and how pivoting to relevant techniques, procedures, defenses, and tests allows teams to take action in line with their unique profile.
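The profiling-and-gap workflow the talk walks through (filter groups by victim country, sector and motivation; union their techniques; overlay one defensive tool's coverage; extend a group into your own technique set when CTI shows a technique the knowledge base lacks), written out as an added example that is not code from the talk or from Tidal Cyber. The group records, their metadata and the coverage set are constructed samples (only the technique IDs are real ATT&CK IDs), so the output illustrates the method, not any real group.

```python
"""Threat profiling and detection-gap analysis on constructed sample data."""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Group:
    name: str
    motivation: str        # e.g. "financial", "espionage"
    attribution: str       # suspected sponsor/origin (constructed here)
    sectors: frozenset     # observed victim sectors
    countries: frozenset   # observed victim countries (ISO codes)
    techniques: frozenset  # ATT&CK technique IDs used by the group


# Constructed groups: fictional names and metadata, real ATT&CK technique IDs.
GROUPS = [
    Group("SAMPLE-SPIDER", "financial", "unknown",
          frozenset({"financial services", "healthcare"}), frozenset({"US", "GB"}),
          frozenset({"T1566.001", "T1059.001", "T1053.005", "T1486"})),
    Group("SAMPLE-CRANE", "financial", "unknown",
          frozenset({"financial services"}), frozenset({"US"}),
          frozenset({"T1566.001", "T1059.003", "T1021.001", "T1486"})),
    Group("SAMPLE-PANDA", "espionage", "state-sponsored",
          frozenset({"defense", "financial services"}), frozenset({"US"}),
          frozenset({"T1059.001", "T1218.011"})),
    Group("SAMPLE-BEAR", "financial", "unknown",
          frozenset({"manufacturing"}), frozenset({"DE"}),
          frozenset({"T1059.003", "T1053.005"})),
]

# Constructed coverage set: techniques a hypothetical Sysmon config detects.
# This is NOT the real sysmon-modular mapping; it is a stand-in for the demo.
SYSMON_COVERAGE = frozenset({"T1059.001", "T1059.003", "T1566.001", "T1218.011"})


def profile_groups(groups, country=None, sector=None, motivation=None):
    """Narrow the group list with each metadata filter, like the label bar."""
    hits = []
    for g in groups:
        if country and country not in g.countries:
            continue
        if sector and sector not in g.sectors:
            continue
        if motivation and g.motivation != motivation:
            continue
        hits.append(g)
    return hits


def technique_overlap(groups):
    """How many profiled groups use each technique (the matrix overlap colours)."""
    return Counter(t for g in groups for t in g.techniques)


def coverage_gaps(groups, coverage):
    """Techniques the profile uses that the tool has no detection for,
    most widely shared first, then by technique ID for a stable order."""
    overlap = technique_overlap(groups)
    gaps = [(t, n) for t, n in overlap.items() if t not in coverage]
    return sorted(gaps, key=lambda tn: (-tn[1], tn[0]))


def extend_technique_set(group, new_techniques):
    """Copy a group into your own technique set (the 'draft' in the talk) and
    add techniques found in CTI that the upstream knowledge base lacks."""
    return Group(group.name + " (draft)", group.motivation, group.attribution,
                 group.sectors, group.countries,
                 group.techniques | frozenset(new_techniques))


def main():
    # The talk's walk-through: US victims -> financial services -> financially motivated.
    profile = profile_groups(GROUPS, country="US",
                             sector="financial services", motivation="financial")
    print("profile:", [g.name for g in profile])
    print("overlap:", technique_overlap(profile).most_common())
    print("gaps vs Sysmon config:", coverage_gaps(profile, SYSMON_COVERAGE))
    # Knowledge-base expansion: CTI says a group also uses Rundll32 (T1218.011).
    draft = extend_technique_set(profile[0], {"T1218.011"})
    print("draft techniques:", sorted(draft.techniques))


if __name__ == "__main__":
    main()
```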
Transcript [en]

So yeah, I'm going to be talking about leveraging community resources to basically close the gap against adversaries, so we're going to dive into that. Before that I just wanted to do a quick who-am-I. When you just notice the victee code you already know I'm a MITRE ATT&CK fan, so I'm really passionate about that project. So currently I'm lead adversary emulation for Tidal Cyber; I just enjoy helping companies, you know, do threat-informed defense. And I really just had to include this because I'm super proud to be born and raised in Puerto Rico, so I just had that medication, see you again, I'll see them, Puerto Rico. This is because...

On the professional side: before coming to Tidal Cyber I was on the MITRE ATT&CK team, so I was doing all the things there, but I was mostly focused on technique research for Windows, so I was helping them lead that effort. And then on the side I was also working with the MITRE ATT&CK Evaluations team, so the infamous evals, maybe you see it around on Twitter, like you see vendors claiming 100% coverage and all that. So as part of that team I was basically implementing the code that would run against those different vendors. So yeah, that's me on the beach, so that's where I would prefer to be working from; unfortunately it's not reality, I'm currently living in the DMV area, so hopefully one day.

So I'm going to do a quick overview of this talk. The first thing we're going to do is just talk about what threat-informed defense is, then we're going to dive into how MITRE ATT&CK basically empowers defenders to do all sorts of cool things on the threat-informed defense side, and we're also going to be discussing common pitfalls, because I obviously have a lot of love for ATT&CK and I know what's good about the framework, but I also know the pitfalls that people commonly fall into, so we're going to touch on those as well. And then we're going to be basically using a community resource to leverage other community resources, so yay, community. We're going to be doing that to focus on the different threats that you might care about, and then, now that we've basically defined the threats we care about, we're going to see how we can focus on what exactly about those different threats, and again, with the common theme, we're going to be using community resources for that. And then finally we're going to show you how to expand your knowledge base; I'm going to touch on why that is important a little bit later.

So first, as I just said, we're going to be talking about threat-informed defense. Basically threat-informed defense is the ability, the way, to understand adversary tradecraft, commonly known as techniques, tactics and procedures, or tactics, techniques and procedures, to basically effectively defend against those. You might already know what TTPs are, but we'll talk a little bit more about those. The great thing about threat-informed defense, right, is there are just so many different threats; it's not like a single company can basically defend against all threats, so you need to focus your view on the threats that might impact you. I think the best use case for threat-informed defense is basically focusing on what you need to focus on, because otherwise you're just going to get overwhelmed, and then you're going to spend so much money that's not going to be valuable for your company. So really all this is, is making sure that you're valuable for your organization. The way to do that is basically by doing threat profiles, so you're basically profiling the adversary software, groups, campaigns, all the threats that are likely to target you and your organization, so we're going to do a quick dive into that.

And then the last thing here, quickly explaining: TTPs don't evolve at the same scale that CVEs and IOCs do. So for example CVEs, they're mostly used for gaining initial access, so that's literally one small part of what the MITRE ATT&CK framework is trying to communicate; that's just the initial access, but then there are a lot of other things to worry about. And then IOCs are basically signature-based detection, so you see this malware out there, then AV will scan it and say okay, this is malicious, and then if that exact same file, or some permutation of that file, gets in, your AV is going to say hey, that's bad, it's not going to run, right? So basically the TTPs are going to be focusing on the right side of that: what happens when they get in via the CVEs, so they exploit, and when the IOCs are not going to be detected by your signature. That's why we need to focus on TTPs.

And then a little bit of history. You've all probably seen this famous pyramid, the Pyramid of Pain by David Bianco; I don't think it would be a TTP talk without this, so I just had to include it. Essentially on the lowest part you'll have the hash values, so this is basically the most trivial detection point, where basically you know that a specific file is going to generate a hash, and you know that that hash is malicious, so that's super easy: okay, known malicious. And then essentially you're going up the pyramid until you get to the actual TTPs. I categorize from hash values to tools as IOCs; I know this is a huge debate, this is how I see it basically. The IOCs are the ones that are actually generating information that's going to help maybe attribute what or who is behind a specific tool, for example, or where the network infrastructure is coming from, like domain names, IP addresses, all that. But then what really is going to explain the behaviors that are actually happening on these environments, or on your hosts specifically, is what we can call indicators of attack. I don't know if CrowdStrike coined that term, but I really like it; basically the vision making this easy is: IOCs are focusing on attribution, known malicious, and then behaviors are really what is happening on the full chain. And before that I just want to say: tools are actually implementing the procedures. So the TTP, the P in that is the procedure; the tools are actually implementing the procedure, so the tools themselves are not creating the behavior, they're not generating it; the tool is actually running a specific behavior, and that is what is known as the TTP. I think it's a super clear way for me to understand this.

And then came MITRE ATT&CK. Just going back, David Bianco's pyramid was created in 2013 and I think the MITRE ATT&CK framework was also created in 2013. Look at that, it's huge; it's impossible really to communicate what really is happening. So on the top side you see the tactics, so the adversary goals, and then below that you see the techniques, which is basically how the adversaries are achieving those goals, and then if you dive into the actual technique you'll have the procedures, describing how certain software and groups are actually implementing those techniques. So a quick history: I just mentioned 2013, that was the creation of MITRE ATT&CK, because it's basically a great way to reduce the friction between teams; it's extremely powerful as a common language, a common taxi-adam, I don't know how to say the word, taxonomy, thank you, yeah, English, sorry. Basically they created a common language to get all the teams inside a security company working together and talking the same language, because then from the blue side you understand what you need to defend against, and then you know basically the specific thing, like the tactic, the technique. I probably don't need to dive too much into this because you probably mostly know it, but basically everyone wins when the team is using this framework, because it's just going to help reduce that friction, and time is really crucial when you're racing against adversaries, so you've got to use your time as efficiently as you can.

Let's go into the common pitfalls; it's really important. ATT&CK is based on real-world observations, so it's only going to be able to capture what is reported out there; it's only going to be what actual companies are reporting, or blogs, or security professionals who are actually doing the analysis, reversing all the specimens. So it all depends on the community to be really impactful and useful. It's a really important thing, because without the community we're not going to go anywhere further, because then people are just going to complain on Twitter that the techniques are not in ATT&CK, but if it can be contributed back to the knowledge base then it's going to be worth it. So again, it's not going to be a silver bullet. You can have a hundred percent coverage, and it's really not true, because there are so many procedures that it's not going to be probable for you to be detecting all the specific procedures. So it's really about, instead of thinking about coverage, thinking about it as confidence: what is my confidence level for detecting a particular technique that is implemented by group X, software C? You've really got to dive specifically into those groups and software, and that's going to help inform what your actual coverage is, because if you know what the procedures are, then it's a little bit more one-to-one. And of course when you're creating detections for those specific procedures you really want to try to be as broad as possible; obviously the goal here is to not have too many false positives. So whenever you're creating that detection you've got to think about: okay, this detection is going to detect this procedure, but is it going to detect that different procedure? If you're able to answer that question, all of a sudden that detection is going to be super important and valuable for your organization.

Let's dive into the initial part of the threat profiling here. Basically MITRE ATT&CK, as I said, provides the language to describe the techniques and procedures, but they also have the connections between groups, campaigns and software and how they relate to techniques and procedures. So what we did is basically add a bunch of metadata to help folks that are starting off with their threat profiles understand what the threats are that could be impacting me, so for example motivations, suspected attribution, observed sectors and countries; we'll dive into that a little bit later. So basically now we have a way to understand what my direct threats are. Obviously this is the best one: who's going to know who is actually targeting you? Because you have evidence in your telemetry, so that's obviously going to be your first starting point, focusing on who is targeting you. And then after that you can focus on, okay, maybe you have a subscription and then you can see what other cyber events or incidents are occurring around your industry, and then your CTI says my peers just got targeted by this specific ransomware; maybe they're going to be focusing on me because they were successful, I guess, against a peer which is basically on my same level, so then you can focus on those threats. And then the last one: unfortunately you're always going to have the opportunistic threats, which are basically the threats that are just going to find a way and just randomly get in. Maybe they just have a spam email campaign and then they hit one of your users, boom, now they have access. So that's unfortunate; you always have to think about those as well, but if you are short on resources, really you focus on literally what's closest to your radar, which is your direct threats and your industry threats as well. So yeah, that's basically threat profiling in a nutshell, and props to Scott Small for creating this. Yeah, go for it, go for it. Sorry, no, no, yeah, fine.

I've actually had this conversation with Scott. Awesome. I'm not trying to put you on the spot. Yeah, yeah, that's the same question with someone else this morning. Where did you come down on the notion that we over-fetishize the targeted actor? That most of the folks, most organizations get popped by, you know, scanning, jiggling the door, and they're ripping off whoever leaves the window open; not, you know, APT37 does not target my company, in all likelihood they could not care less about me, but if I've got a web-facing server with 3389 open I'm going to get drafted, right? Absolutely. So how do you, as someone whose company is built on the premise of threat-informed defense, where do you come down on the question of threat modeling, when many organizations outside of, say, banking or the defense industry are more likely, by the volume, to get hit by the guy on the outside? Like, how do we plan resources?

Yes, okay, so the question, let me try to summarize the question. I think I have to repeat it to the mic here. So the question was, how do companies who are probably not going to be targeted by APTs focus on their threats? Is that a good summary?

Yeah, like, if we're more likely to be hit by the opportunists, how does that change our threat model and what we apply scarce resources to?

Exactly, yeah. So, how to focus your scarce resources when you're working with the threat profile. Basically maybe you're not a big company, in that use case, because if you're a big company you're probably going to have an actual APT targeting you, but if you're a small company, you know, like I said, it depends, really, because if you're a super, super small company it might not even be worth doing threat profiling; you might not even have money to buy tools. So let's say, yeah, that happens. So let's say you have your small company, you have some tools; you'd probably just want to focus really on your attack surface, making sure that you are removing the known badness, so patching. Obviously I don't want to discourage patching; CVEs and IOCs are 100% super important to build into your pipeline, so threat-informed defense builds on top of that. It's really important to be knowledgeable of what your security holes are, of course. So really, if you're focusing on that, it's a little... patching, really, it doesn't matter what your threat profile is, you've just got to make sure that you're patched, that your CVEs are, you know, hopefully... it's not super easy, like, yeah, CVEs because you're not patched. But the email, really, you can have the best thing and then if someone clicks on an email then it really doesn't matter. But yeah, it's super important, though, to your point; you still have to worry about, I think, ransomware, that's known to be opportunistic. So I mean, if I'm a small company and I have limited resources, I'd probably focus on ransomware, I'd say, because it's going to be the most impactful to my operation.

Really? Because kind of like branding bad software...

No, not at all, unfortunately. Yeah, that's just... we can go back to the small part here; that's just one cell in this one. So yeah, I like that. It's a hard problem, that's why... Oh, that's okay. Oh, oh yeah, absolutely, yeah, I've definitely seen that.

So let's go to the Community Edition here, so that's Tidal Cyber. Basically MITRE ATT&CK has built that awesome framework that's going to help defenders and also offensive practitioners talk in the same language. So basically what we're trying to do: there are so many awesome resources out there that are using MITRE ATT&CK as a common language, and what we're doing is basically creating a platform, free for the community, because obviously we want to improve the community as a whole, and basically just packaging all those different awesome resources together, and that way we can do things like overlap analysis on specific defenses. So for example we have Elastic, this is open source, we have Olaf Hartong's sysmon-modular configuration uploaded; all that I'll show later, but basically it's a way to show what you have available for a specific technique, and you can dive deep into that, and all the things, it's really awesome. So the defensive and testing solutions are all in the product registry, and then the analytics, I really don't like this word, but analytics is... so we're currently using Sigma rules, so they're unimplemented detection logic that you can then take and implement in your specific security solution. So that's basically going to be really impactful and helpful when you're trying to look at all the things that are available. And then the last thing here, and I'll touch on that later, is the Community Spotlight, which is a place where people can go and actually contribute back to the community and bring some awesome technique sets that include information specific to whatever you're looking at; again, we'll dive into that later.

So let's dive into the first thing that I want to show, which is basically threat profiling in the Community Edition, so it's basically all about identifying the metadata. In this case, hopefully I don't touch the demo gods, I recorded a video. So basically this is where you get to when you hit the page; you're going to see the Community Spotlight, so if you're part of the community you'll be able to contribute there and people will see your work. So for example LockBit 3.0, that's not in ATT&CK, so we just included that for a quick win for people who might be interested in ransomware, for example. And then we'll also have some other resources here, for example like researching threats, developing a threat profile, technique sets, and this cover of vendor garbage and coverage, yeah. And then we're going to dive into this one, we're going to dive into groups, so groups is basically the ATT&CK data, but we're enriching that with metadata. So the first one is you're just going to have the ability, the way, to basically search by groups, and you can also look at the specific motivation, the suspected attribution, so which are the countries that might be behind or sponsoring that specific group. We'll also have the sectors, so if you're part of infrastructure or manufacturing, whatever it is, we're gathering information from open source and basically just attaching that to the groups to make it easy. And then yeah, 133 groups as well; that's what's available in ATT&CK, obviously, and that doesn't paint the whole picture, it's really important to add more on that. So we're going, in the spirit of BSides, to focus on groups that have targeted the United States, and that's obviously going to lower the amount of groups available here, and then we're going to say we're a financial services company, a big one, so that's going to be a way to filter down. And the last one we're focusing on: so now we have 21 groups, but then we want to focus on financially motivated groups, so they're trying to target your resources. So now you see it's a much smaller number of groups.

After that, we have this thing called "add to a matrix", so basically you'll see in the label bar on top; it's a way to save state, or what you're looking at, so I'm just going to go ahead and add all of them. And you can also see more expanded metadata as well, but the cool thing is, whenever you have the label bar on the top you can keep that in your navigation, so you can dive into all the groups and get your standard, awesome MITRE ATT&CK data, like associated groups, so known groups that have a different name from different organizations or security producers, or CTI producers, my mistake. So techniques; you'll have the software; campaigns, this one doesn't have a campaign behind it; and then the references. So basically you'll have the ability to keep that state and look at whatever you're trying to research in a way that's easy to move around. So yeah, we're trying to make it easy to understand all of that.

What's the confidence level for attribution?

So we're using open-source data, so we focus on the ones that were basically added by ATT&CK, so MITRE ATT&CK has a high curation level to get those references in. So when we were in MITRE ATT&CK, the MITRE ATT&CK team basically tried to use high-availability and high-confidence reports.

Sorry, I think you may have visited this, but are you pulling the profile thing again from MITRE, or is this stuff that you and Scott and the other guys author?

Yeah, no, we're bringing that information; so MITRE ATT&CK will give you the tabs on the bottom, but we're enriching the data ourselves. So that's going to be a continuous process, making sure that if we see something new out there we actually add the new reference, and that'll also give us the additional metadata fields here.

Okay, and then basically the last thing I just want to show: you can jump into the matrix that we hate, or we're scared to see, and yeah, there are a lot of techniques here, but you can also really easily toggle between all techniques and just the techniques that are part of the labels, so basically it's going to reduce the amount of techniques here. And then the other cool thing that I wanted to showcase here: you'll see a bunch of overlaps, so the colors below, it's basically the overlap across the labels. And then the last thing I wanted to show is you can actually save state, so whatever you're working on at the moment, you can actually create a matrix, so that means that you can just forget about it and return to it one month later and say okay, this is where I left off in my knowledge-base exploration. We're trying to make this a little bit easier to track, because we know ATT&CK has a lot of data, so we're trying to make it easier for analysts and anyone who's interested in looking at this data. And then you can close the matrix, and you can clear all the labels and start fresh and do whatever you want to do, but the matrix is still saved, so you can come back to it if you want to.

So let's go to the next one here; let's see if this is a new one. Looks like this one, okay. So now we're going to do basically what I call some quick wins, so finding gaps. Essentially the best way to find gaps is: you have your threats on the left, so the ones that we just added, so it can be groups, software, campaigns and all that, and then you can also add whatever you have created before as well. So basically those are going to map to behaviors, so that's going to be a way to say okay, these specific threats are implementing all these behaviors in some way. And then the really neat thing is you can add that infamous detection coverage, so basically you're able to add a defensive tool and see, really, what we're trying to see at this point is: does it have a detection for this specific technique? That's it. We're not worrying about the procedure variance at this point, we just want to see does it have a gap, and that's going to help us find that answer fairly quickly. So let's do that. We have the groups that we were researching before, and then I'm going to go here and go to the product registry; I'll just quickly show all the different products that we have there, so we have like Invoke-Atomic, AttackIQ, which bit... so we have a bunch of different things. And now, since we're in the spirit of community resources, although all this is for the community, we're going to go and find Olaf. So you can filter down by the detection type, the capability types; we did detection types, and then we're going to add the sysmon-modular configuration. So that configuration basically just has a bunch of detections implemented in Sysmon. So now we can go back to the matrix, and now you'll see there are a bunch of circles; it just means there's a bunch of overlap. So we're going to start focusing on those: as visible, PowerShell, command shell, not surprised about those, really commonly used, and then there's also Scheduled Task here. So we're going to remove, but you can also hide, that's another way to remove that from the overall matrix. So we're going to go and focus on Scheduled Task now, because I quickly noticed that when I added sysmon-modular it didn't actually provide a detection for that. So now we can dive into the analytics, so the unimplemented rules; so now it's like okay, for this technique, the Scheduled Task technique, there are a bunch of different rules, so really what you want to do now is research your adversaries, find the procedures, go to these analytics and then find some overlap at the procedure level, and that's going to give you some confidence that what you're implementing is going to be directly targeted at that specific threat. So let's go to the next one here.

I think this is the same video, yeah, I don't know what's going on with that. So I just wanted to do this quick overview, which I really enjoyed, basically. So we're tracking Red Canary; every year they're publishing a report and then they include their top techniques. So what we're doing is aggregating them across the years, and for example you'll quickly see, in Execution, Command and Scripting Interpreter, PowerShell and I think Windows Command Shell, they all have hits, so that means that adversaries are commonly using that across the years. And really I'm not surprised by that, because that is an Execution technique, but you can think about it as well as a tool per se, so it's commonly used by system administrators; it's really going to be hard to protect. So maybe if you have a detection for that, that's going to be enough for you. So let's say you have a detection for PowerShell, but then you have a detection for one persistence technique; so now when you see PowerShell and then you see that technique, you can infer okay, this PowerShell is actually malicious, so you can go ahead and kill that PowerShell process. So this is still important to be able to detect, even though you might not have actual protection capabilities at the moment. So yeah, just some food for thought; I just wanted to quickly show that.

And then I mentioned, obviously, that ATT&CK is not enough, right, because there are so many different threats out there. So we're now going to dive into this portion of the talk, which is focusing on making the knowledge base your own. So for this demo's sake I went in and chose Wizard Spider, and then I did some research on it; I basically went to the references, looked at all the techniques, and then I was like, actually, I want to dive into the references and find out more about this specific adversary. So, like anyone who loves Google, you can do Google dorking, so basically say Wizard Spider is actually a CrowdStrike adversary, so I'm going to search for all the pages from CrowdStrike that include Wizard Spider, and basically that ended up with me finding this specific CrowdStrike blog that is, I think, titled "for popular defensive evasion techniques". So at this point now you've just got to find where the hell Wizard Spider is in this report; now you've found it, and then you're saying okay, they mention this technique, so rundll32, and they're also using the ATT&CK name, so the sub-technique under Signed Binary Proxy Execution; I think it's now System Binary Proxy Execution in the latest release, or maybe the one before that. And awesome, now we actually have the procedure that they use, so that's going to be super important to understand if that procedure was not already tagged in ATT&CK. So now we can go back to the matrix and look at Wizard Spider, and basically what we found is that they don't have rundll32 in the matrix, so we just uncovered a gap, basically, in the knowledge base. And then what you can do is duplicate the group in your own account; the account is for you to use, you can create it. So basically you can create a new technique set; it's going to basically copy over all the Wizard Spider techniques to your technique set, and that's going to give you the ability to modify and add to that. So now we have the way to add notes specifically to techniques; we're going to find rundll32, we know it's a sub-technique under System Binary Proxy Execution, we're going to add it, and that's just going to add that to your own version of Wizard Spider. So again, that's going to be super important, because then you're modifying, you're probably adding more value than what's available, and then you can add the procedure, you can add the link, whatever you find that you need; so yeah, it's going to add that for you. And then whenever you come back to the matrix you need to click on the draft; now you'll see rundll32 as part of the matrix, but it's only brought in by the one technique set that you recently created.

No, so that's going to be in your... yeah, it's going to be only in your views. I'll touch on that later, but that's a great question. So all the things that you do are going to be personal to you and your account. And then we're going to go ahead and remove the old version of Wizard Spider, because now we have the updated one. And then what we're going to do is look at rundll32 specifically and see what things we can do around this technique. I mean, this is a super commonly known technique, but for the demo's sake I just wanted to use one technique that'll be simple. So basically rundll32 is a technique that is used for defense evasion; it's a LOLBin, so a living-off-the-land binary that's brought in by Windows by default, so adversaries are constantly using that, so it's going to be important for us to be able to detect that, or maybe protect against that. So we're going to go here and then basically, yeah, that went really fast. Basically we went into the techniques, the technique-specific Windows... let me just jump back, because I was distracted talking. Whenever you click on a technique

it's going to give you this technique preview so I think that's nicely because it's just gonna keep you focused where you're looking at and it's going to provide all the the specific like products that has something that can help you defend or test against that specific technique um so as I mentioned then you can click on WE clicked on the specific vendor it's elastic and now we're finding the specific capabilities that are produced by elastic so like huge uh kudos to to elastic team they they actually they have all their um detection logic like for free out during it up so you can go here and look at the capability how it looks in our platform but really

where the the most important part is is um and they got actual GitHub repo where when you go into that link you can actually find um the specific information around that detection so you can you can actually even though you're not you don't have elastic you can go and find out use elastic as basically Sigma rules um because they have like they provide for feed the logic that you can Implement uh for for um your own detection so that's going to be another like a huge community resource um for sure so yeah moving things along uh it basically they had three different um the detections for the specific uh technique so really what we're going to

do is kind of we're going to find the one that's gonna be um like one of the closest to the procedure and I think the the last one that we saw basically initial child process sorry the initial style process of rundale l32 that's going to be a good one um so now after that we want to focus on okay so now we know how to detect it but how let's say we implemented that detection how do we actually test that and then we're going to bring in another um I wonder what happened there let's go um yeah so we're gonna we're gonna bring in atomic uh invoke Atomic so it's a free another free uh community resource uh by

atomic red team and then um they are basically providing a bunch of tests um specific uh scenarios for this run daily technique so really there's like tons of different things that you can look at so for example run deal with with control run Dilo I commonly another commonly used procedure so that's gonna probably gonna be a good one for you to test um but yeah so it's all about making sure that you have the tech some detection um the detection looks like it can perfect against or detect against the specific averages you're looking at but you can also test against it because if you don't test it really it doesn't you're going to find out in the moment

and if it if it doesn't pass the detection and then like the adversary you know my fast ads so it's all about defensive and that's you're gonna you're gonna have a bunch of different detections for that all the different techniques that you you care about yeah exactly yeah definitely going to test your your controls super important uh and then we're going back to uh the to that question basically we're asking um what happens when you add a technique so it's gonna it's gonna remain in your knowledge base but not not even not anyone else is gonna it's gonna gain from that so really what you want to do is first contribute back to attack because that's going to be uh it's gonna

be hitting uh everyone that uses miter attack so um that's a bigger impact there so after that uh you can also really you can contribute to us because like basically matter attack they work in intervals of six months so if you if you want to put out information faster you have to basically um just put it out there faster so are the community Spotlight could be a good a good way to just push content out uh faster um not have to wait for attack to do it but yeah definitely it's super important to contribute to attack 100 why doesn't it why is that built in by default because we're not oh let's say you're saying wine it's not being built book

it's like miter attack the ads or curate all everything that that people are giving them so it's really it I mean I I as Austin that would be to basically no yeah I saw something that would be to automate that process and just like boom you add a technique and then everyone gets that that would be amazing the problem is that it's it yeah quality control and then and like some Badness is going to get in in there so you don't really don't you don't want to like uh ship out a bad uh intelligence uh to anyone so yeah it's basically it's like quality control at that point um so yeah contribute to attack contribute to to to the community a

spotlight and also if you're a detection engineer continue back to Sigma they are they're awesome as well they they provide a free Logic for for anyone so if you're if you're fond of contributing to to detections and you're not really interested in like your CTR or whatever that could be another good Avenue to just continue back to the community um and decide that the last point so the community Spotlight on that this is what you'll see you'll see the techniques and then you'll see whoever created that specific content um so for example the reconary one is part of that and you can look at that uh today um yeah uh and then this is another example

so lock bit you'll have all the techniques here uh and then Scott is actually adding the procedure information so if you're interested in diving deep you can find the actual procedure there um and yeah that's really all I had um I just want to thank you all for for listening in and then if you want to follow me or connect I'm happy to connect back so yeah thank you all
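The talk's demo path for rundll32 (T1218.011) is: pick a detection close to the procedure (the "child process of rundll32" style rule), then test it with Atomic Red Team scenarios such as Control_RunDLL. The block below is an added example written for this page, not code from the speaker, Elastic, Sigma or Atomic Red Team: a small triage routine in Python that applies four rundll32 heuristics to process-creation events. The `ProcessEvent` fields, the heuristic names and every sample event are constructed for illustration; adapt the field names to whatever your EDR or Sysmon pipeline emits.

```python
"""rundll32 (ATT&CK T1218.011) process-creation triage.

Added example for this talk, not code from the speaker, Elastic, Sigma or
Atomic Red Team. The ProcessEvent fields and every sample event below are
constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List

# Directories an ordinary user can write to; a DLL or .cpl loaded from here
# by rundll32 is worth a closer look.
USER_WRITABLE = ("\\users\\", "\\temp\\", "\\programdata\\")


@dataclass
class ProcessEvent:
    event_id: int
    image: str          # full path of the process that was created
    parent_image: str   # full path of its parent process
    command_line: str


def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def arguments(command_line: str) -> str:
    """Everything after the program token; tolerates a quoted program path."""
    cl = command_line.strip()
    if cl.startswith('"'):
        end = cl.find('"', 1)
        return cl[end + 1:].strip() if end != -1 else ""
    parts = cl.split(None, 1)
    return parts[1].strip() if len(parts) > 1 else ""


def triage(event: ProcessEvent) -> List[str]:
    """Return the names of the heuristics this event matches (empty = no finding)."""
    hits: List[str] = []
    args = arguments(event.command_line)
    low = args.lower()
    if basename(event.image) == "rundll32.exe":
        if not args:
            # rundll32 normally receives "<dll>,<export>"; a bare launch is odd.
            hits.append("rundll32_no_arguments")
        if any(d in low for d in USER_WRITABLE):
            hits.append("rundll32_user_writable_path")
        if "control_rundll" in low and "\\windows\\" not in low:
            # Control_RunDLL is legitimate for applets under the Windows directory;
            # flag it when the referenced path is somewhere else.
            hits.append("rundll32_control_rundll_unusual_path")
    if basename(event.parent_image) == "rundll32.exe":
        # The "child process of rundll32" style rule picked in the talk.
        hits.append("child_of_rundll32")
    return hits


def triage_all(events: List[ProcessEvent]) -> Dict[int, List[str]]:
    """Map event_id -> matched heuristics, omitting events with no finding."""
    return {e.event_id: triage(e) for e in events if triage(e)}


SYS32 = r"C:\Windows\System32"
SAMPLE_EVENTS = [  # constructed, not real telemetry
    ProcessEvent(1, SYS32 + r"\rundll32.exe", r"C:\Windows\explorer.exe",
                 r"rundll32.exe shell32.dll,Control_RunDLL C:\Windows\System32\timedate.cpl"),
    ProcessEvent(2, SYS32 + r"\rundll32.exe", r"C:\Windows\explorer.exe", "rundll32.exe"),
    ProcessEvent(3, SYS32 + r"\rundll32.exe", SYS32 + r"\cmd.exe",
                 r"rundll32.exe C:\Users\Public\update.dll,Start"),
    ProcessEvent(4, SYS32 + r"\cmd.exe", SYS32 + r"\rundll32.exe", "cmd.exe /c ipconfig"),
    ProcessEvent(5, SYS32 + r"\rundll32.exe", r"C:\Windows\explorer.exe",
                 r"rundll32.exe shell32.dll,Control_RunDLL C:\Users\Public\panel.cpl"),
]

if __name__ == "__main__":
    for event_id, names in triage_all(SAMPLE_EVENTS).items():
        print(event_id, names)
```

Event 1 (a control panel applet under the Windows directory) produces no finding, which is the point of the path check on Control_RunDLL: the procedure is common in benign administration, so the heuristic keys on where the applet lives rather than on the export name alone. Running the corresponding Atomic Red Team test in a lab and confirming that events like 3, 4 and 5 surface is the "test your controls" step the talk describes.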

Yeah, one of the things that I would love to see, because you guys put out a lot of stuff on, like, concentration analysis on TTPs, right? The next step for me would be like, it's okay if we see, you know, initial access 60% by phishing and 20% by lock jamming, whatever; is there, like, the back of the box on how to respond? So, like, part of our threat profile, which you guys advocate, right, is the proof that it's never targeted us or our industry, but their TTPs overlap with so many that provide attack simulation or whatever; they're a great kind of catch-all. So my question is, do you guys see any kind of concentration, not only the TTPs, because I know you guys published stuff about that, but about, by the way, if you want to cover 60% of all the bad things going on this month, just this group, this kill chain, this set of MITRE techniques, and you'll cover a lot of ground? Because, like, resource constraints: my biggest problem is not my adversary; yeah, it's half the size it needs to be. Yep.

Yeah, so the question is, how can we move past, like, TTPs and focus... not move past TTPs, but basically focus on what is, like, the big overlap this month of a bunch of different threats that I can action, like, hey, everybody's getting in through, yeah, you know, Excel. [Music] So here's what you do. Yeah, right, that's the secret: how quickly are you actually able to act on it?

Yeah, I mean, I've seen big, big companies not even do testing, and that's super scary, right? So it's really all about what you can do at the moment; it's really all about what your detections look like. You can have a thousand detections, but they only detect one procedure, so really your coverage is hard to know there. I mean, overlap is really important as well, don't get me wrong, so you want to look at focusing on, let's say, the top 10 threats around everyone; you can find the techniques that are the heavy hitters there, and maybe if you have a testing solution, focus on that. That's a great way to just test controls. Obviously it's not going to be 100% accurate, because they're not looking at the specifics of what the adversaries are implementing, but that's still going to provide value, because you're testing on the overlap there. Because you might not detect that technique as implemented by that specific adversary, but you might be able to detect another technique by that adversary by doing the same kind of focusing on the overlaps across. So yeah, I mean, that's definitely something that we can look at, and I think it'll be interesting as well.
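The "top 10 threats, find the heavy hitters, test those" idea in the answer above, as an added example that is not Tidal Cyber's or the speaker's code: given a threat profile as a map from group to the ATT&CK techniques attributed to it, rank techniques by how many profiled groups use them, and then choose a small test set with a greedy set-cover pass so that every group in the profile is touched by at least one tested technique. The technique IDs are real ATT&CK IDs; the group names and their technique mappings are constructed placeholders, not real intelligence. It goes slightly beyond the answer by showing that the greedy pick can cover more groups than simply taking the top-N most frequent techniques.

```python
"""Technique overlap across a threat profile.

Added example, not Tidal Cyber's or the speaker's code. Technique IDs are
real ATT&CK IDs; the group names and their technique mappings are
constructed placeholders, not real intelligence.
"""
from collections import Counter
from typing import Dict, List, Set, Tuple

PROFILE: Dict[str, Set[str]] = {  # constructed
    "group-a": {"T1566.001", "T1059.001", "T1218.011", "T1486"},
    "group-b": {"T1566.001", "T1059.001", "T1053.005", "T1027"},
    "group-c": {"T1059.001", "T1218.011", "T1105", "T1021.001"},
    "group-d": {"T1566.002", "T1204.002", "T1059.001", "T1547.001"},
    "group-e": {"T1190", "T1505.003", "T1105", "T1027"},
    "group-f": {"T1566.001", "T1218.011", "T1047", "T1486"},
}


def technique_frequency(profile: Dict[str, Set[str]]) -> List[Tuple[str, int]]:
    """Techniques ranked by how many profiled groups use them (the heavy hitters)."""
    counts = Counter(t for techs in profile.values() for t in techs)
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


def coverage(profile: Dict[str, Set[str]], tested: List[str]) -> float:
    """Fraction of groups for which at least one tested technique applies."""
    tested_set = set(tested)
    covered = sum(1 for techs in profile.values() if techs & tested_set)
    return covered / len(profile)


def greedy_test_set(profile: Dict[str, Set[str]], budget: int) -> List[str]:
    """Greedy set cover: repeatedly pick the technique that touches the most
    still-uncovered groups (ties broken by overall frequency, then by ID)."""
    total = Counter(t for techs in profile.values() for t in techs)
    uncovered = set(profile)
    chosen: List[str] = []
    while uncovered and len(chosen) < budget:
        candidates = sorted({t for g in uncovered for t in profile[g]})
        best = max(candidates,
                   key=lambda t: (sum(1 for g in uncovered if t in profile[g]), total[t]))
        chosen.append(best)
        uncovered = {g for g in uncovered if best not in profile[g]}
    return chosen


if __name__ == "__main__":
    top3 = [t for t, _ in technique_frequency(PROFILE)[:3]]
    print("top-3 by frequency:", top3, "covers", coverage(PROFILE, top3))
    picked = greedy_test_set(PROFILE, 3)
    print("greedy pick:", picked, "covers", coverage(PROFILE, picked))
```

With the constructed profile, the three most frequent techniques cover five of the six groups, while the greedy choice of the same size covers all six; in practice the input would be the technique sets exported from your own profile rather than this placeholder dictionary. As the answer cautions, coverage here means "some procedure of that technique is tested", not that the specific procedure a given group uses is detected.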

Yeah, very good. Quick question: can you talk a little bit more about your business model? This is smart. Yeah, the question is, can you talk about the business model. So basically the Community Edition is basically a way to get people motivated and using ATT&CK in a way that's useful, and obviously we have an Enterprise Edition, so if people are interested, that has tons more functionality, mechanisms like creating your defenses, creating your threat profiles and all that. So yeah, basically that's how the Community and Enterprise Editions work. Well, good, yeah, appreciate it. Thank you so much. [Applause]