
Jason Keirstead - A Gentle Introduction to MITRE ATT&CK

BSides Fredericton · 2018 · 56:04 · 67 views · Published 2018-12
About this talk
Jason Keirstead introduces MITRE ATT&CK, a framework for understanding adversary tactics and techniques. The talk covers what ATT&CK is, why it matters for defense, and practical applications including detection analytics, measuring defensive coverage, and evaluating security tools. He discusses the Pyramid of Pain, how to develop analytics around techniques rather than indicators, and challenges in sharing threat intelligence across organizations.
Transcript

This is an introduction to MITRE ATT&CK. My name is Jason Keirstead and I'm here to give what I call a gentle introduction to ATT&CK. What do I mean by gentle? Well, I'm going into this assuming you know nothing about it whatsoever. I was just talking to a gentleman earlier who actually didn't know what it was. So first of all, who here even knows what ATT&CK is? Good, not everyone raised their hand. For those of you who may not even know who MITRE is, I'll just spend a couple of minutes on that.

MITRE is what's called a federally funded research and development centre in the United States. They do a lot of work for the United States government on a number of different things, one of those being cybersecurity. If you've ever heard of CVE, the CVE vulnerability identifiers, that was a MITRE invention. They do a lot of work for NIST, things like that. They develop standards like STIX; they initially developed the STIX and TAXII standards for threat intelligence sharing, and they're involved in a lot of work when it comes to cybersecurity information sharing and standards efforts. They created a framework a couple of years ago called ATT&CK, which is what I'm going

to talk about today: what it is, why you'd be interested, et cetera. In terms of how I've structured this talk, whenever I'm introducing something new I find it's good to start with the five W's, who, what, when, where and why, and there's also the H in there that people sometimes forget, the how, which is very important. So that's what we're going to talk about today: first of all, what is MITRE ATT&CK; when and where would I use MITRE ATT&CK; why is it advantageous and why is it important; and then how, how can it break, what are the things you want to be aware of.

So let's start with who I am and why I'm here talking with you today. My name is Jason Keirstead, as I should have mentioned before. I work for IBM Security and have since 2004, starting at Q1 Labs, which was later acquired by IBM in 2011; a lot of folks here know that story. Over the years I've been involved in a large number of different initiatives at IBM Security, and over the past few years I had the pleasure of falling into this role as the threat intelligence and standards lead across the IBM Security business. In that role I work with people from MITRE on STIX and TAXII and standards like that, and I've presented at a number of different conferences. I'm also a

recently elected member of the OASIS Board of Directors, which is the standards body that houses all of these standards, STIX and TAXII; they also standardize things like XML, which I'm sure you've heard of. I also want to give credit where credit's due for some of the content of this presentation: I want to acknowledge that John Wunder and Katie Nickels, colleagues of mine who work at MITRE, provided some of the materials used in this talk, some of the graphics and some of the concepts, when they presented this at BSides Las Vegas. So what is MITRE ATT&CK? What are we here talking about? What is this thing? Let

me start by framing the problem that we all have as security practitioners. What keeps you awake at night? What do you go to sleep thinking about? How effective are your defenses? In your environment, in your network, how effective are the things that you've procured, the tools and techniques you employ, how effective are they actually going to be? Could you detect the next Friendly Rabbit or Brokeback Hippo or whatever crazy name Symantec or whoever is going to give the next advanced persistent threat? If that happened in your environment, could you actually detect it? Is all the data you're collecting in your security tooling, the logs, the flows, stuff from your end

points, your Windows events, your SQL Server logs, is all this data you're collecting actually useful? Are you getting any value out of it? Do you have obvious gaps in your cyber security defenses? Do you have overlapping control coverage? Are you leaving yourself wide open in one section of your environment while in another section you have three different tools and techniques that do the same thing? When you're a small company this is less of something you've run into, but as you start to grow and get into the enterprise it's extremely common that tools you bought a couple of years

ago have been upgraded so they have capabilities that overlap a lot with other tools you have, and you're doing the same thing three different ways and potentially introducing all this new data that your SOC operators have to deal with. The final part of the problem: will this shiny new product from one of those vendors up in Milwaukee really help with your defenses? The marketing says one thing, but will it actually tell me if there's something I actually care about? So this is the problem that we're trying to deal with when we talk about ATT&CK, and with ATT&CK let's try to answer that question. Let's start with what ATT&CK is not. ATT&CK is not a

threat intelligence feed full of IOCs to look for. It's not an alert generator; it's not something that says hey, if you look for all these bad guys you're going to find the next threat, if you look for these URLs and IP addresses in your environment you'll find a threat, so send an alert on that stuff. That's not what MITRE ATT&CK is. ATT&CK is also not a kill chain or a lifecycle system. Do folks here in general know what the cyber kill chain is? Some folks. So the cyber kill chain, and I'm going to put a graphic up on the next slide that shows what's known as the cyber kill chain, is essentially a series of things that

occur whenever an attacker breaches a network. It starts with reconnaissance, when they're trying to figure out the environment, and moves into a number of different phases including weaponization, where they deploy something in your environment, and persistence, when they try to establish a foothold and keep that tool in your environment. I don't want to go too much into the weeds of what the kill chain is, because MITRE ATT&CK isn't a kill chain; the point is it's not trying to describe things at a high level like that. ATT&CK stands for Adversarial Tactics, Techniques and Common Knowledge, that's what the acronym means, and what it is is a

globally accessible knowledge base created and curated by MITRE that attempts to catalogue all of the tactics, techniques, threat actors, and malware and tools that are used in the wild today in real-world events, and organizes all that into an easily consumable model that anybody can adjust or read. ATT&CK is based on real-world, in-the-wild observations of actual behavior. When MITRE initially created ATT&CK a couple of years ago it was based on everything that their SOC sees every day, and MITRE is a huge organization, 30 or 40,000 employees, so it's a very significant SOC; they have very large coverage. So all of the incidents they were seeing every day,

they started cataloguing them and creating this matrix of all the different techniques that had been used against them. That's an important point: it's based on the real world, this isn't theoretical. It's constantly being updated, and when it is updated, it's being updated with the latest incidents that are coming in from different vendors.

Finally, ATT&CK is focused on the adversary and the behaviors they present; it's not based on the defender. ATT&CK is interesting, and hopefully you'll see why during the presentation; the reason ATT&CK is so interesting is because it's not coming at it from our perspective, it's coming at it from the attacker's perspective. If you really want to get ahead of the threat, shift your thinking and think like an attacker as opposed to thinking like a defender, because the defender is always playing catch-up; the attacker is always in the leading position. So you want to think more like an attacker, and ATT&CK is all based around the

techniques that attackers use and the ways that they chain them together to create threats. By thinking of things that way you put yourself in a better position to create your defenses. Finally, ATT&CK is community-driven and updated by MITRE, so it's being continuously updated; they update it at least once a quarter, sometimes more often. All of the data that backs ATT&CK, like I said, is free; it's actually available on GitHub, so you can check it out. It's all encoded in JSON, so it's very easy to ingest into tools and create your own reports on it. They also have a very nice website where you can look through it and run searches, of course, in a human-readable format as well. How is ATT&CK

laid out? If you go to the ATT&CK website and take a look, you're going to see this matrix. This is basically how it looks when you're viewing it in spreadsheet form or on the website: it's a matrix that has the various tactics as columns, and don't try to read this, I'll make sure I go into what the tactics are in a second. Each tactic has a list of what are called techniques below it, and those techniques are in no particular order, so the ones at the top aren't any more important than the ones at the bottom; the newer ones just happen to be at the bottom. And these techniques, in this

picture here, every one of these table cells would be a technique, and those are the things that attackers use to get into your environment, and they're the things that you want to look for to try to catch those attackers and create alerts around. So as part of ATT&CK these are all the different techniques that attackers use in your environment, and as part of this as well, as I mentioned, MITRE actually catalogs all of the known hacker groups and campaigns, what malware they use, and how they map to these techniques. So if you actually go and look at the

data that builds this matrix, there are over two hundred and eighty pieces of malware that have been catalogued and there are over 80 different adversaries that are catalogued, all the different threat groups that are launching these attacks, so you can actually go and find out what tools they used in those attacks and how those operate in the environment, again all for free. I mentioned earlier the cyber kill chain and how ATT&CK is not a cyber kill chain, but for folks who do know the kill chain it's important to briefly explain where ATT&CK sits along the threat lifecycle. This blue arrow at the top represents what's called the cyber kill chain. You

know, again, anything that ever breaches your network goes through this series of steps. The attacker first will do some kind of reconnaissance; they'll then weaponize a piece of software; they'll then deliver that software to you somehow, either by sneakernet or by going packet hunting and finding a breach or vulnerability and delivering it that way. After they've delivered it, they'll try to exploit something, then they'll try to control something: once you've exploited a piece of software on an endpoint, the next thing you want is to establish some type of control, you want to make yourself administrator. After they've established control they'll try to execute their attack, and then they'll try to maintain

persistence, so they'll try to take the endpoint that they've taken control over and maintain that control by putting stuff in the registry, or hiding and renaming executables, or injecting malware inside existing software, so that the next time you reboot it's still there. But that's the kill chain. ATT&CK focuses very much on the right-hand side of that, so ATT&CK doesn't focus on the recon and weaponize phases of the kill chain. You're not going to find anything in ATT&CK about scanning or probing networks or doing brute-force attempts or social engineering, stuff like that. They focus very much on the second half. They do have a thing,

though, called PRE-ATT&CK, which MITRE is working on; I would say it's at an earlier stage of evolution than ATT&CK. ATT&CK is becoming very widely adopted across the security space worldwide, while PRE-ATT&CK is not yet. These here are the different tactics that are in ATT&CK and how they categorize themselves; in that blurry table I was showing earlier, these are the column headers. There's a tactic called initial access, that's basically how somebody initially gets into an environment; execution, how they run their attack; persistence, how they take their exploit and make it persistent on the endpoint so that it will live across multiple logins; then privilege escalation,

so that's a tactic around, I come in as a nobody user and I want to assume the credentials of a more privileged user, an administrator; defense evasion, how do I hide the fact that I'm in this environment, how do I make myself invisible to your defenses; credential access, once I'm on the endpoint, how do I get access to credentials for other users so I can start moving laterally across your enterprise; discovery, how do I discover what assets you have so I can decide where I want to go next, how do I figure out what's around me; lateral movement, that's what I just mentioned, once you come in and establish a foothold at one

point you want to start to move laterally into these other servers and systems to try to gather more information; collection, once you've moved laterally and you have access to all these databases and so on, you've actually got to collect that information and exfiltrate it, and that actually requires some thought because you're trying to evade defenses at the same time you're trying to collect all this;

and then command and control. Once you've done all these things and exfiltrated your information, you want to establish a command and control channel back to home base so that you can launch another attack in the future, through IRC, Twitter, Facebook, Reddit, there are many different ways. So all of these are tactics, and there are dozens of different techniques that attackers use for each of these things, and that's what ATT&CK is: the ATT&CK framework is about taking these tactics that everybody uses and then cataloguing all the different techniques that they can use to do each of them. So what does a technique look like? If you actually go and drill in on one

of those little table cells, this is the information behind it. You'll have the name of the technique and a high-level description of what the technique is. In this example here we're going through the New Service technique: as an attacker, once you've gained a foothold, one of the methods of persistence is to install a new Windows service and give it a name that probably nobody will notice. There's the description of the technique; the platforms affected, which can go through Windows, macOS, Linux, different operating systems; there are permissions required and effective permissions, which are different, or can be different. To install a new service you

need administrator or SYSTEM privileges, but the effective permissions after you've done that are SYSTEM, because services run at the system level. They go into how to detect this technique, how to mitigate the technique in your environment, the data sources that you use to do that detection, and then once again examples of all the different threat actor groups that have used this technique in the wild. Again, briefly bringing up that picture that I had a while ago, that table: every single one of those table cells has this level of detail behind it. I mentioned as well that they also catalogue the groups and software that use these techniques, so if you

drill into a group you can see what the name of the group is, the description of that group and what they've done in the past. In this case we've got the APT28 group that compromised the DNC; they're the group that's associated with the DNC, and they've also been involved in a lot of other activities. If you look at the end at the aliases, you can see that this group, which MITRE is calling APT28, is known in the wild by a whole slew of different names, so if you see an article about Fancy Bear or one of the others, all of these different aliases are referring to this group. Basically what MITRE is trying

to do here is catalogue and normalize all the information across all the cyber security companies. FireEye, I believe, were the ones that first detected it and named it; if you go and look at Symantec's threat reports they probably have a different name for it, and Microsoft probably has a different name for it as well. What MITRE is trying to do is normalize all this, so that when you get these reports, when you're reading the news and you're trying to trace down what's happening in your environment, you can all use the common language, because inside your community and the people

you're collaborating with, you might have different tools, you may work with different vendors, and you don't want a lack of a common language to be an inhibitor when you're trying to collaborate. Finally, they also enumerate the software. This is an example of CHOPSTICK. CHOPSTICK is the software that's used by that threat group; it's a piece of malware, and these are all the techniques that CHOPSTICK uses. It's used to obfuscate data, it's got a proxy in it, it's got persistence, it does screen capturing; obviously a pretty bad piece of software you don't want around. So part of ATT&CK is, if

you've thought about a signature to detect CHOPSTICK itself, instead ask what are the things that CHOPSTICK does in your environment and how could you detect those? It's moving up a level, as opposed to looking for hashes or looking for IP addresses or things like that. So now that we know what ATT&CK is, when would you use it, what is this useful for? There are a lot of different ways you can use ATT&CK; I'm going to focus on the three most common use cases that people use it for: detection, measuring defense, and evaluating tools. So first, detection and analytics. Who here recognizes this picture? Anybody here know this picture? Okay.

This picture has been around since 2013, so it's very well known in the cyber security industry. It's called the Pyramid of Pain. It was developed by a guy named David Bianco, who's one of the thought leaders in terms of threat intelligence. He created this idea of a pyramid of pain where, if you're an attacker and you're trying to get into someone's environment, there's a level of pain that you incur as people start to defend against you, and that pain depends on what's the easiest thing for you to change. So if I'm an attacker and I'm attacking you and you've started detecting me, what's the easiest way that I can evade your detection? Well,

it depends on what you're detecting. If I have a piece of malware and I use that malware to exploit people, and the way they're detecting it is their antivirus detecting the hash, any time I see this hash execute, alert, then how easy is it for me to evade that? How easy is it for me to change a hash? All I've got to do is change a string in it and recompile it, and now the hash is different and you don't detect it. So that's extremely trivial for an attacker to

evade. The next level up is IP addresses. It's a little bit harder to launch my attack from different IP addresses, but nowadays it's pretty easy, with cloud, AWS, Azure, the free accounts; I can go and sign up for a free AWS account, spin up a VM and launch an attack in probably under five minutes with automation. So it's pretty easy to switch IP addresses now, a little bit harder than hashes, but pretty easy. Domain names: okay, now I'm starting to get a little bit more difficult. If you're detecting domain names used for command and control, if I have a domain name

used for command and control back to my server, it's a little bit harder for me to change that rapidly, because I've got to go register new domains, I've got to pay for them most of the time, things of that nature. So it's a little bit harder, but if you're an advanced attacker it's actually not that difficult, because you can buy domains very cheaply now.

It hurts, but it's still fairly low. The next level up, we're getting into things like network and host artifacts. If I have a piece of malware, it's really hard to hide the way that it operates on the network. That command and control channel, it may be really easy for me to change the domain it's talking to, but it's harder for me to change the signature of the traffic that it's generating, because it's part of the malware itself; that's hard to change. It's getting a little bit easier with encryption and all that, but it's still harder. Tools and TTPs, these are extremely difficult to change, because this is basically how my threat

activity operates: what tool am I using in the environment, what TTPs, the tactics, techniques and procedures, am I using to get into your environment? I'm using this vulnerability, then taking this other endpoint, then reaching this one; it's the whole signature of my activity, and that's not something that I can readily change. So if your detections are detecting TTPs, well, I'm probably screwed, because I can go and change IP addresses and file hashes and domains until the cows come home and you're still going to detect me, and that's because you're not looking for those ephemeral things, you're looking for my

behavior. So in ATT&CK, how you use this for detection is your analytics. Analytics is the name of the thing that we use to look for a technique. Take a technique, something like remote access; an analytic that would look for that technique would be something like the one above. Say you're looking for Windows logs with logon type 10, remote interactive; that's the type of log that Windows creates when someone opens an RDP session to a Windows box. If you create an analytic that looks for that, this is very basic, but that would be an example of an analytic

looking for a technique, and that technique would be remote access. Again, a very basic example; you'd want to have a whole bunch of parameters around it, like a whitelist of people who are supposed to be there. Many of these analytics that you want to use to detect techniques in ATT&CK are very high-level and general-purpose, on purpose, and they'll result in false positives if you just blanketly look for all these things. So it's not as simple as, I'm going to go and start looking for all these different techniques, because that'll create alarms out the wazoo. What you really want to look for are chains, and the way you can do that

depends, like I was talking about before, on the fact that MITRE has actually encoded all the different threat groups and the techniques that they use, so you can actually go and start creating analytics that look for chains of techniques. Once you start to see a pattern, well, I'm not just seeing an RDP logon, I'm seeing an RDP logon followed by this other type of event that I know this adversary uses to establish persistence, and then I've seen this other type of mysterious network activity out to a domain I've never seen before which matches the command and control channel type that I expect this adversary to use. You can now have the confidence to say, you know what,

I want to create an alert, I want to start investigating. So you've got all these techniques now, and you're all going to go to the MITRE website afterwards and find all these techniques and try to find ways to detect them. What are the steps you need to go through if you're going to develop those analytics? The first is: read the page and fully understand what they're talking about for the technique. Think about it from an adversary's perspective, not the defender's; again, ATT&CK is all from the adversary's perspective, and you want to think like an attacker, you don't want to think like the person who is trying to defend. What you're trying to do is

mentally separate in your head, what would this look like if someone was using this technique adversarially, versus what does it look like if this is just happening in my environment normally? That's a bit awkward. The next step is you can try it. Does anyone in here practice red team exercises, where you go and try to penetrate your own environment? A couple of people. I'm going to get into that in the second part of this talk: you can use tools created by Red Canary and Endgame, and they let you structure your red team activities around ATT&CK, so that

when your red team creates their report to give to your blue team, this is how they got in, all of those things that the red team does can be mapped back to techniques in ATT&CK, and it lets the red team and the blue team speak this common language so that you can go and create your defenses in a more structured way. While you're developing these analytics you can use these tools to figure out, okay, if I go and run red team automation against my environment, what does that look like? What type of logs does Windows spit out when I run this specific technique from RTA? What do we see on the network?

What do I effectively see? Can I write rules that look for that, can I search for that information? Finally, you never want to start out writing alerts right away; you want to write your searches in your SIEM or your Elasticsearch cluster or wherever you're storing your log data, then turn them into rules and alerts, try to narrow down the false positives, iterate and keep testing, and try to find a variety of ways the technique can be used, not just the easiest way. Once you deploy your analytic, start looking at it: if it gives false positives, tune it continuously. Use case two: this is where we get into

measuring your defense. Once you've got defenses deployed and all these analytics that detect these techniques, how do you measure them, how do you improve them over time with a structured framework and regular testing? The ATT&CK matrix combined with MITRE's viewer: another part of this is they have this interactive viewer that lets you view the elements in this table and color-code and highlight them and shade them, and if you combine the matrix with that viewer it creates a powerful tool that lets you report on your current defenses and report on the outcome of your red team activities. You can create reports for management around coverage: you can say here

are all the techniques that we know we're looking for right now and here are the techniques where we know we have gaps. You give that to management, first of all, to help you justify budget decisions; second, you can give that to your red team, and your red team can use that to structure their exercises: we're going to test these this week, or maybe we're going to test the ones we think we're not weak on, and exercise what we say we can do to see if we actually detect them. Then, after the red team activity is done, ATT&CK lets you, again, over that common language,

let your red team and blue team speak to each other in a common language, and you can collaborate with your peers as well in industry and inside of your communities, so ATT&CK again lets everyone speak a common language. You can say, we ran these exercises this week, we found these problems, have you seen any of these, do you have any ideas on how to improve on these? That's measuring defense, as I just mentioned: the blue team goes out there and gets that feedback.

The third use case is evaluating tools. Using ATT&CK you can plan and structure your product evaluations, because you know in advance what you're evaluating against. You can use the framework as the structure to give reports to management in a more visual language that they understand; sometimes it's easier for the CISO to understand a heat map version. MITRE has actually recognized this part of the value and they've created this independent testing program that's starting to roll across the industry, so you can expect to see this stuff permeate and get more and more traction, because it's a very easy way for people to

understand what their tools actually do. The cyber security market is enormous, there are hundreds of startups and the number of tools that overlap with each other is huge, and getting through all the marketing, sometimes it's really hard to understand what a tool actually does, and ATT&CK gives a very well structured way to do that.

So all of that sounds great, but like anything else there are challenges and pitfalls you have to watch out for if you're trying to leverage ATT&CK. If you just go willy-nilly and try to roll this thing out, ATT&CK could actually hurt your security program rather than help it, so I'm going to go over some common challenges. The first pitfall is assuming all those techniques are equal. Like I said, there's this matrix of techniques in no particular order; new ones just get bolted on the bottom as they're discovered, but they're not all equal. ATT&CK treats them as equal, but they're not. Techniques in ATT&CK

don't have any kind of severity rating, which in my opinion is an issue, because some techniques are much, much easier to detect than others and some have much more far-reaching consequences than others. Some techniques are like entire programming languages: they actually call PowerShell a technique, and you can do almost anything with PowerShell. So the first gotcha is don't assume that all those things are equal; you should read through them, understand what they're talking about and prioritize them with context relative to your environment. Another red flag to avoid is assuming you're covered because you can detect this technique in one scenario. This

is the thing you have to watch out for with these heat maps. So if you're using the ATT&CK tool to view your coverage, or rather your activity reports, and you've got a whole bunch of cells that are green: "okay, we're good, we're green." No. Just because you have a technique covered in one specific scenario does not mean that you will cover it for all future scenarios. You're never going to reach and maintain 100% coverage of any of the techniques, let alone all of them; it's a continual process. Coverage is best thought of as a continuum, not a binary. It's not "am I covered or am I not," it's a bit of "am I more or less well covered,"

and this flows into another pitfall: assuming that you need alerts for every single technique. That matrix is enormous and growing all the time; if you create alerts for all of those things you're just going to create false positives all over the place, and your SOC is going to be [inaudible]. And many, many techniques have legitimate uses as well. So we're talking about remote access, right? System administrators use RDP all the time; you don't want to create an alert for that, those are your false positives. So you want to evaluate chains and groups of techniques if you can, and alert as something progresses through the kill chain and you're seeing activity that is closer to

a TTP, so you're seeing more and more things that are adding up to that adversary's behavior; that's what we want to alert on. So those are some of the pitfalls that people run into with the volume of this stuff. Some of the challenges that you're going to have are around evaluating these detection chains. They'll often require an increasing amount of data; properly developing these analytics needs data from the endpoint, data from the network, data from threat intelligence, and collecting and marking up all this information can be difficult. But one thought is: can ATT&CK actually help with that problem? Right, can you target your

data collection and the log sources you're collecting from using ATT&CK? As you look at your coverage in your environment, now you have a structured way to go and look at how covered you actually are. It can help you with things like which logs are important and which ones are not as important. If I already have a tool deployed on the network that gives me very good coverage of this technique, do I really need all those logs to also go over here with rules and create duplicate alerts? Maybe my resources are better spent trying to detect this other technique which I have no coverage for at all, and

that's just as important. Finally, community. So this has been a journey, and as we start to develop these techniques it's very important that we build communities around these things, because no one company, no one environment can do this by themselves; people need to collaborate and share. But there is a challenge around bridging this asymmetric information gap, because people have a hesitancy to share analytics; they think it's going to let others know how they're defending themselves, right? "I'm Bank A and I don't want to tell Bank B about my ATT&CK coverage," and to put a finer point on it, "because then Bank B

will know what tools I'm using, and maybe that information will get leaked, and then my adversaries will know what tools I'm using and figure out ways to work around them." That's a big problem we have in the industry today. I think this is something we're going to have to continue working on as an industry: how can we develop these things in a trusted manner? Because our adversaries collaborate and build and sell all these toolkits in the marketplace; we have to be able to do the exact same thing for defense. So that's pretty much my presentation today. I have here a list, a slew of resources

that I've been referring to throughout this presentation, and these slides are going online so you'll have links to all of this stuff. There's the entire website. There's a very cool tool called DetectionLab [inaudible]. I mentioned Atomic Red Team and Endgame RTA, two very great open source tools to launch benign attacks against [inaudible]. Some cool playbook viewers from Palo Alto [inaudible]; Cyber Wardog has some playbooks as well. So all of these are playbook viewers that let you view the lifecycle of

the attack. And then finally, there's a really cool thing that was released a couple of weeks ago where someone has gone and mapped all the auditd events in Linux to ATT&CK techniques. You can go and take those audit events and feed them into this, and this will tell you all the different techniques that produced them. And with that, does anyone have any questions, questions about ATT&CK or about this?

[Audience question, inaudible] ...Jupyter notebooks? Oh, okay, I think you're asking about Jupyter notebooks. So Jupyter notebooks are a big data analytics framework that lets you kind of write Python code live and test it against datasets, and there's a number of Jupyter notebooks that have been released that let you work on analytics oriented towards ATT&CK. So when we're talking about developing analytics, the word "analytic" is a little bit of a loaded word, because it can be as simple as looking for a Windows log, or something more complicated like, "okay,

I'm going to look for this sort of behavior in the Windows log," or it can be, "okay, I'm going to go and develop an algorithm in a Jupyter notebook that reads all of my log data for the past six months and runs it through this Python code that tries to detect outliers and things like that." That's also an analytic. So when I'm talking about analytics, usually people are starting from the searches and working up from the basic use cases; as you start to get more advanced you're going to want to look into things like Jupyter notebooks and developing, you know, it's basically writing code, you're writing code.

Any other questions?

Good question. Preparing this presentation over the past week, I was working through... you always have those challenges in a presentation, and one day I thought, "okay, I need to write a chapter, maybe a challenges section," and I started thinking and writing, and what I realized was that that was a big problem with ATT&CK. I actually reached out to John and I said, "are you guys thinking about this?" And so they have thought about it, including severities; they're challenged with the fact that it's very hard to order which things are more severe than others. I suggested to them that they should at least think of it like a low,

medium, high. Some of this stuff is very obvious, and they're going to think about it, because I'm probably not the only one who's had that thought. I would say that as you go and read up on the techniques, anyone who's moderately skilled... yeah, well, I mean, so they do have a fairly good description, right? This here is truncated, so the description of any individual technique, when you go look at it on the ATT&CK site, is a full web page; there's a slew of information. So don't assume that just because I've got this in this little table on the slide that that's

the level of information. For most of these techniques there's a very robust, very long description of how you can, you know... so I highly recommend going to the website, attack.mitre.org, clicking into some of these things and doing some reading. If you're anything like me when I was first introduced to this two years ago and started reading through it, I was just like, holy crap, how come no one has ever told me about this crazy repository of information that's all freely available? It was very eye-opening, right? I find that as SOCs start to learn about this there's more and more... it's a very, very powerful set of information.

No, it's not. So the question was, is there a knowledge base of analytic chains? So there is... like I mentioned, they actually have all of the different threat actor groups and all the different software and what techniques they use. So you can see down here that this group uses these techniques, CHOPSTICK. So you can kind of imagine if you had an analytic that detected some input capture, and then you had a different one that was detecting [inaudible], and one of those on its own is not really suspicious, but if you see all of those

things occurring, well, now it's more likely that you're seeing that group. So that's what I mean when I talk about chains: looking for multiple techniques that are being used in sequence. And again, to re-emphasize, a lot of this stuff is not about creating alarms on IP addresses and hashes, or alarms on some things, but looking for the behavior, and that's really where you want to be headed; you want to be further up that pyramid of pain.

Look more for the behaviour and less for the atomic indicators, because atomic indicators are extremely, extremely easy for adversaries to change. I can't emphasize enough how useless hashes are becoming. They're still important, people still use them in tools, our own tools [inaudible], but you can actually go on VirusTotal, if you go on VirusTotal they have a feed of the most recently submitted malware; you can watch that, right? If you sit there and watch the malware that's being submitted, you can actually extract patterns, and there's people who have done research on

this, [inaudible] talks about it. You can see the threat actors uploading their own stuff, which is cool, right? What they do is they take regular malware, upload it to VirusTotal, see all the engines, see if any engine detects it, and they just keep making subtle changes and re-uploading it until none of them detect it, and then they can deploy it, right? And yes, the vendors see that too, and they update their signatures, and then the next day everyone's protected, but during that window, between today and tomorrow, you're wide open if all you're doing is looking at file hashes. And that's the challenge with these things: they're so easy to evade, so easy to change. So

you want to move further and further up this pyramid to make your defenses more and more robust, and that's, you know, where an attacker goes, way up here at the top of it.
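As an added example (not from the talk, nor from MITRE or any project it mentions), here is a minimal version of the "technique chain" analytic described in the answer above, in Python: techniques that administrators also trigger legitimately (a valid account logon, running PowerShell) raise nothing by themselves, but a host that shows several techniques from one group's known chain, in order, inside a time window does. The technique IDs are real ATT&CK IDs; the group chain, host names and events are constructed sample data.

```python
"""Technique-chain analytic: alert on a per-host progression of ATT&CK
techniques, not on any single technique. Added example; the chain, hosts
and events are constructed sample data, the technique IDs are real."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed profile of a hypothetical group, in kill-chain order:
# Valid Accounts -> PowerShell -> Keylogging -> Exfiltration Over C2 Channel.
GROUP_CHAIN = ["T1078", "T1059.001", "T1056.001", "T1041"]

# Constructed events (timestamp, host, technique) as emitted by upstream
# per-technique detections. The admin host shows only day-to-day use.
SAMPLE_EVENTS = [
    ("2018-12-01T09:00:00", "ws-admin-01", "T1078"),      # admin logs on
    ("2018-12-01T09:05:00", "ws-admin-01", "T1059.001"),  # admin runs PowerShell
    ("2018-12-01T10:00:00", "ws-sales-07", "T1078"),
    ("2018-12-01T10:03:00", "ws-sales-07", "T1059.001"),
    ("2018-12-01T10:09:00", "ws-sales-07", "T1056.001"),
    ("2018-12-01T10:40:00", "ws-sales-07", "T1041"),
    ("2018-12-01T15:30:00", "ws-sales-07", "T1059.001"),  # outside the window
]


def chain_matches(events, chain, window=timedelta(hours=1), min_techniques=3):
    """Return {host: [technique, ...]} for each host where at least
    `min_techniques` distinct techniques from `chain` appeared, in chain
    order, within `window` of the first one. Anything less is treated as
    normal activity and produces no alert."""
    rank = {tid: i for i, tid in enumerate(chain)}
    per_host = defaultdict(list)
    for ts, host, tid in events:
        if tid in rank:                       # ignore techniques not in the chain
            per_host[host].append((datetime.fromisoformat(ts), tid))
    hits = {}
    for host, evs in per_host.items():
        evs.sort()                            # chronological order
        for i, (start, _) in enumerate(evs):  # try each event as a chain start
            seen, last_rank = [], -1
            for t, tid in evs[i:]:
                if t - start > window:
                    break
                if rank[tid] > last_rank:     # only count forward progress
                    seen.append(tid)
                    last_rank = rank[tid]
            if len(seen) >= min_techniques:
                hits[host] = seen
                break
    return hits
```

Running `chain_matches(SAMPLE_EVENTS, GROUP_CHAIN)` flags only ws-sales-07 with the full four-step progression; the admin host's two benign techniques never cross the threshold.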

Questions?

I think we're out of time. [inaudible] I'm around, so... hold on. [Music] [Applause]