June 2019
• Who is MITRE?
• Why do we need ATT&CK?
• What is ATT&CK?
• How can I get ATT&CK?
• What can I use ATT&CK for?
• Additional tools
2 Copyright © 2019 Exabeam, Inc. All Rights Reserved.
Who is MITRE
• Started life as a collaboration between the US Air Force and MIT in the 1940s
• MITRE was established in 1958
• Private, not-for-profit company
• Mission: dedication to solving problems for a safer world
• Currently operates Federally Funded Research and Development Centers (FFRDCs) in:
– Defence & Intelligence
– U.S. Courts
– Cybersecurity
– Healthcare
– Aviation
– Homeland Security
– Civil Agency Modernisation
• IOCs lack context, and it is difficult to determine intent from a single IOC
What about TTPs?
[Chart: Google Trends, worldwide interest over time; y-axis 10 to 90]
What is ATT&CK?
• Defines a taxonomy for thinking and communicating knowledge of campaigns
• Publishes a data model
[Screenshot of the ATT&CK Design and Philosophy paper, section 3.7 "ATT&CK Object Model Relationships": "Each high-level component of ATT&CK is related to other components in some way. The relationships described in the description fields in the previous section can be visualized in a diagram."]
• PRE-ATT&CK
• ATT&CK resembles the Kill Chain and can be used to describe the adversary lifecycle
• Higher-fidelity insight into behaviour in the post-exploit phases (Enterprise Matrix: 12 vs 5)
• Practical information for offensive and defensive security teams
• Iterative updates
• Data has been translated into STIX 2 format and published to a MITRE TAXII server.
– Good for machines and for custom uses. STIX 2 uses JSON, so there are lots of options to parse it.
– https://github.com/mitre/cti
– https://medium.com/mitre-attack/att-ck-content-available-in-stix-2-0-via-public-taxii-2-0-server-317e5c41e214
What can I use ATT&CK for?
• Assessment and Engineering
– Assess your organization’s capabilities and drive engineering decisions like what tools or
logging you should implement.
• Detections and Analytics
– Help cyber defenders develop analytics that detect the techniques used by an adversary.
• The heat map should help with funding for new projects
• Finding Cyber Threats with ATT&CK-Based Analytics (MITRE paper; full link under References) contains five principles
[Diagram residue; recoverable labels: "Focus on behavior", "Develop/test in a realistic environment"]
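As an added example (not from the original deck, nor MITRE's or Exabeam's own tooling), the snippet below parses a STIX 2 bundle in the shape published in the mitre/cti repository mentioned under "How can I get ATT&CK?" and turns the result into a detection-coverage heat map layer for the ATT&CK Navigator, the kind of heat map referred to above. The bundle is constructed and abridged to the fields read here, and the Navigator layer "version" value is an assumption.

```python
import json
# Constructed, abridged bundle shaped like mitre/cti's enterprise-attack.json (only fields read here).
SAMPLE_BUNDLE = json.dumps({"type": "bundle", "id": "bundle--sample", "objects": [
    {"type": "attack-pattern", "id": "attack-pattern--1", "name": "Command and Scripting Interpreter",
     "kill_chain_phases": [{"kill_chain_name": "mitre-attack", "phase_name": "execution"}],
     "external_references": [{"source_name": "mitre-attack", "external_id": "T1059"}]},
    {"type": "attack-pattern", "id": "attack-pattern--2", "name": "Domain Generation Algorithms",
     "kill_chain_phases": [{"kill_chain_name": "mitre-attack", "phase_name": "command-and-control"}],
     "external_references": [{"source_name": "mitre-attack", "external_id": "T1483"}]},
    {"type": "attack-pattern", "id": "attack-pattern--3", "name": "Retired Technique", "revoked": True,
     "kill_chain_phases": [{"kill_chain_name": "mitre-attack", "phase_name": "execution"}],
     "external_references": [{"source_name": "mitre-attack", "external_id": "T9999"}]},
    {"type": "intrusion-set", "id": "intrusion-set--1", "name": "Some Group"},
]})

def technique_id(obj):
    """ATT&CK ID (e.g. T1059) taken from the object's 'mitre-attack' external reference, or None."""
    for ref in obj.get("external_references", []):
        if ref.get("source_name") == "mitre-attack":
            return ref.get("external_id")
    return None

def load_techniques(bundle_json):
    """Technique ID -> (name, [tactics]) for live attack-patterns; revoked/deprecated ones are skipped."""
    techniques = {}
    for obj in json.loads(bundle_json)["objects"]:
        if obj.get("type") != "attack-pattern" or obj.get("revoked") or obj.get("x_mitre_deprecated"):
            continue
        tid = technique_id(obj)
        if tid is None:
            continue
        tactics = [p["phase_name"] for p in obj.get("kill_chain_phases", [])
                   if p.get("kill_chain_name") == "mitre-attack"]
        techniques[tid] = (obj["name"], tactics)
    return techniques

def techniques_by_tactic(techniques):
    """Invert the map: tactic -> sorted technique IDs (one column of the Enterprise Matrix)."""
    index = {}
    for tid, (_, tactics) in techniques.items():
        for tactic in tactics:
            index.setdefault(tactic, []).append(tid)
    return {tactic: sorted(ids) for tactic, ids in index.items()}

def coverage_layer(techniques, covered, name="Detection coverage"):
    """Navigator layer scoring a technique 1 if a detection exists for it, else 0 (the heat map)."""
    return {"name": name, "domain": "enterprise-attack", "version": "3.0",  # layer format version assumed
            "techniques": [{"techniqueID": tid, "tactic": tactic, "score": int(tid in covered),
                            "comment": techniques[tid][0]}
                           for tid, (_, tactics) in sorted(techniques.items()) for tactic in tactics]}
```

Feed `coverage_layer` the set of technique IDs your analytics actually cover and load the resulting JSON into the Navigator to get the heat map.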
Additional tools
• MITRE CAR (Cyber Analytics Repository) – analytics techniques to run against data
• MITRE CASCADE – automates investigation work for the Blue Team
• Atomic Red Team by Red Canary – test routines
– https://github.com/redcanaryco/atomic-red-team
• Exabeam Advanced Analytics (behaviour analytics) – small plug: it will start tagging anomalies with ATT&CK techniques. The DGA technique was added to ATT&CK by Exabeam.
References
• MITRE ATT&CK™: Design and Philosophy
– https://www.mitre.org/sites/default/files/publications/pr-18-0944-11-mitre-attack-design-and-philosophy.pdf
• Finding Cyber Threats with ATT&CK-Based Analytics
– https://www.mitre.org/sites/default/files/publications/16-3713-finding-cyber-threats%20with%20att%26ck-based-analytics.pdf
• MITRE ATT&CKcon 2018: How Did We Get Here?
– https://www.youtube.com/watch?v=u8Fnwb-1kMg&list=PLkTApXQou_8JrhtrFDfAskvMqk97Yu2S2&index=2
• BG - ATT&CKing the Status Quo: Improving Threat Intel and Cyber Defense with MITRE ATT&CK
– https://www.youtube.com/watch?v=p7Hyd7d9k-c
More References
• MITRE ATT&CK Navigator
– https://github.com/mitre-attack/attack-navigator
– https://mitre-attack.github.io/attack-navigator/enterprise/
• ATT&CK 101
– https://medium.com/mitre-attack/att-ck-101-17074d3bc62
• ATT&CKcon
– https://attack.mitre.org/resources/attackcon/