diff --git a/data/attackcon.json b/data/attackcon.json index d466d154f37..ce4c6841f6e 100644 --- a/data/attackcon.json +++ b/data/attackcon.json @@ -1,7 +1,7 @@ [{ "date": "October 2023", "title": "ATT&CKcon 4.0", - "description": "", + "description": "We are thrilled and express our gratitude to everyone who participated in ATT&CKcon 4.0!

This year we were privileged to have another range of speakers who shared their unique insights and experiences, further enriching the knowledge pool of our ATT&CK community. We invite you to continue to watch and share these insightful talks!

Click here to explore the talks from ATT&CKcon 4.0 on our YouTube playlist!", "banner_img": "/theme/images/attackcon4/ATTACKCON_4.0_banner.png", "sponsors_img_list": [ "/theme/images/attackcon4/analyst1.png", @@ -62,7 +62,7 @@ "organization": "Lacework, Inc" } ], - "description": "ATT&CK serves as the central language for CTI practitioners, Detection Engineers, Red Teamers, and more. Despite the benefit of having a central language, ATT&CK offers different levels of detail that might be useful for one team but not others. This paper points out some of these differences in the level of details available in ATT&CK, especially from the point of view of Detection Engineers, and focused on detection coverage.\n\nIn summary, while ATT&CK does not define the Procedure level of the TTP trinity, it is still useful to define the “Degrees of Freedom” an attacker has within a technique. Some techniques only have a limited number of possible Procedures, some techniques might have more, and others might be so open ended that they offer an unlimited number of possible procedures per technique. We examine this concept on both the Technique and Tactic levels and make the argument that techniques that have a high number of possible Procedures cannot be covered by Detection Engineers.\n\nAt the conference, we intend to release an ATT&CK Navigator layer to help Detection Engineers quickly filter out which Tactics and Techniques they need to focus on and which ones they simply cannot cover.", + "description": "ATT&CK serves as the central language for CTI practitioners, Detection Engineers, Red Teamers, and more. Despite the benefit of having a central language, ATT&CK offers different levels of detail that might be useful for one team but not others. This paper points out some of these differences in the level of details available in ATT&CK, especially from the point of view of Detection Engineers, and focused on detection coverage.

In summary, while ATT&CK does not define the Procedure level of the TTP trinity, it is still useful to define the “Degrees of Freedom” an attacker has within a technique. Some techniques only have a limited number of possible Procedures, some techniques might have more, and others might be so open ended that they offer an unlimited number of possible procedures per technique. We examine this concept on both the Technique and Tactic levels and make the argument that techniques that have a high number of possible Procedures cannot be covered by Detection Engineers.

At the conference, we intend to release an ATT&CK Navigator layer to help Detection Engineers quickly filter out which Tactics and Techniques they need to focus on and which ones they simply cannot cover.", "video": "https://www.youtube.com/watch?v=kgei3fsqNFw&list=PLkTApXQou_8If8_fwdCKVnwHr0WaEnfSH&index=5" }, { @@ -73,7 +73,7 @@ "organization": "Red Canary" } ], - "description": "Endpoint Detection & Response (EDR) telemetry offers defenders a powerful tool for catching threats. However, understanding how to validate ATT&CK technique coverage using EDR telemetry can be a challenge. As Detection Validation Engineers at a Managed Detection & Response (MDR) provider that ingests nearly a petabyte of endpoint telemetry every day, we’re in the unique and necessary position to analyze this telemetry at scale and validate its efficacy against common adversary tradecraft.\n\nAfter providing a brief introduction to EDR telemetry, we’ll discuss how to break ATT&CK techniques down to individual data components, perform functional tests, analyze the ways that specific actions translate to telemetry records, and compare this analysis across different EDR sensors. We’ll discuss the tooling we’ve built to assist us in running these tests and analyzing the resulting telemetry, and we’ll explain how security teams can improve their own functional testing efforts by creating an automated validation workflow. Finally, we’ll describe how this approach has enabled us to more effectively understand and use EDR telemetry, highlighting where this telemetry excels and fails at detecting ATT&CK techniques.", + "description": "Endpoint Detection & Response (EDR) telemetry offers defenders a powerful tool for catching threats. However, understanding how to validate ATT&CK technique coverage using EDR telemetry can be a challenge. As Detection Validation Engineers at a Managed Detection & Response (MDR) provider that ingests nearly a petabyte of endpoint telemetry every day, we’re in the unique and necessary position to analyze this telemetry at scale and validate its efficacy against common adversary tradecraft.

After providing a brief introduction to EDR telemetry, we’ll discuss how to break ATT&CK techniques down to individual data components, perform functional tests, analyze the ways that specific actions translate to telemetry records, and compare this analysis across different EDR sensors. We’ll discuss the tooling we’ve built to assist us in running these tests and analyzing the resulting telemetry, and we’ll explain how security teams can improve their own functional testing efforts by creating an automated validation workflow. Finally, we’ll describe how this approach has enabled us to more effectively understand and use EDR telemetry, highlighting where this telemetry excels and fails at detecting ATT&CK techniques.", "video": "https://www.youtube.com/watch?v=eBzzkSkd7yU&list=PLkTApXQou_8If8_fwdCKVnwHr0WaEnfSH&index=6", "slides": "https://www.slideshare.net/MITREATTACK/tidying-up-your-nest-validating-attck-technique-coverage-using-edr-telemetry" }, @@ -97,7 +97,7 @@ "organization": "Independent Researcher" } ], - "description": "LABYRINTH CHOLLIMA is a prolific Democratic People's Republic of Korea (DPRK) nexus adversary focused on cyber espionage. They have been recently observed targeting FinTech (financial technology) companies in cryptocurrency revenue generation efforts. LABYRINTH CHOLLIMA has been associated with many high profile attacks, including the Sony Pictures Entertainment (SPE) breach, the WannaCry 2.0 global surge, and most recently, the 3CX supply chain compromise. Increasingly versed in cross-platform intrusions, LABYRINTH CHOLLIMA has been observed targeting macOS operating systems, and evolving their tactics, techniques, and tooling to keep in lockstep with the evolving security landscape.\n\nThis talk will deep dive into the interactive macOS intrusions Crowdstrike has attributed to LABYRINTH CHOLLIMA. We will delve into the adversary's macOS tradecraft, techniques to circumvent existing OS protections, and social engineering tactics, while showcasing how their mechanisms and tooling map to the MITRE ATT&CK kill chain, featuring some newly proposed MITRE techniques related to the Transparency, Consent, and Control (TCC) database.", + "description": "LABYRINTH CHOLLIMA is a prolific Democratic People's Republic of Korea (DPRK) nexus adversary focused on cyber espionage. They have been recently observed targeting FinTech (financial technology) companies in cryptocurrency revenue generation efforts. LABYRINTH CHOLLIMA has been associated with many high profile attacks, including the Sony Pictures Entertainment (SPE) breach, the WannaCry 2.0 global surge, and most recently, the 3CX supply chain compromise. Increasingly versed in cross-platform intrusions, LABYRINTH CHOLLIMA has been observed targeting macOS operating systems, and evolving their tactics, techniques, and tooling to keep in lockstep with the evolving security landscape.

This talk will deep dive into the interactive macOS intrusions Crowdstrike has attributed to LABYRINTH CHOLLIMA. We will delve into the adversary's macOS tradecraft, techniques to circumvent existing OS protections, and social engineering tactics, while showcasing how their mechanisms and tooling map to the MITRE ATT&CK kill chain, featuring some newly proposed MITRE techniques related to the Transparency, Consent, and Control (TCC) database.", "video": "https://www.youtube.com/watch?v=0bt56JzZp4s&list=PLkTApXQou_8If8_fwdCKVnwHr0WaEnfSH&index=9", "slides": "https://www.slideshare.net/MITREATTACK/exploring-the-labyrinth-deep-dive-into-the-lazarus-groups-foray-into-macos" }, @@ -113,7 +113,7 @@ "organization": "Google" } ], - "description": "Join us for an enthralling exploration of Defense Evasion (TA0005) within the captivating realm of Hyrule. Prepare to immerse yourself in the intriguing history of shortcut (.lnk) abuse and its associated procedures, as we unveil and demonstrate an innovative and previously undisclosed sub-technique (proposed) of T1027 (Obfuscated Files or Information).\n\nDuring this talk, we will go beyond theory and share real-world insights. Discover firsthand how publicly attributed APT actors have leveraged this new sub-technique in their attacks against government entities. Through captivating stories and in-depth observations, we will shed light on the techniques and procedures employed by these adversaries.\n\nLevity and entertainment will be courtesy of timely and relevant bespoke Legend of Zelda memes playing upon the concept of the \"\"master hand ability\"\" gluing together bizarre elements to create surprisingly effective weapons, a concept that runs parallel to the discussion of abusing known Windows file types in unconventional ways.\n\nJoin us as we embark on this fascinating journey filled with knowledge, entertainment, and a touch of Legend of Zelda magic!", + "description": "Join us for an enthralling exploration of Defense Evasion (TA0005) within the captivating realm of Hyrule. Prepare to immerse yourself in the intriguing history of shortcut (.lnk) abuse and its associated procedures, as we unveil and demonstrate an innovative and previously undisclosed sub-technique (proposed) of T1027 (Obfuscated Files or Information).

During this talk, we will go beyond theory and share real-world insights. Discover firsthand how publicly attributed APT actors have leveraged this new sub-technique in their attacks against government entities. Through captivating stories and in-depth observations, we will shed light on the techniques and procedures employed by these adversaries.

Levity and entertainment will be courtesy of timely and relevant bespoke Legend of Zelda memes playing upon the concept of the \"\"master hand ability\"\" gluing together bizarre elements to create surprisingly effective weapons, a concept that runs parallel to the discussion of abusing known Windows file types in unconventional ways.

Join us as we embark on this fascinating journey filled with knowledge, entertainment, and a touch of Legend of Zelda magic!", "video": "https://www.youtube.com/watch?v=u_XN7lZHtL4&list=PLkTApXQou_8If8_fwdCKVnwHr0WaEnfSH&index=10", "slides": "https://www.slideshare.net/MITREATTACK/lnk-tears-of-the-kingdom" }, @@ -149,7 +149,7 @@ "organization": "Distilled Security" } ], - "description": "You have had a pen test, a red team or a threat intelligence report and drawn up a plan for remediation. You have been told you have 15 mins in front of the CFO in 48 hours! How do you show ,on one page, the connection between the techniques you are exposed and vulnerable to, the path of least resistance and the focused control changes required right now?\n\nHow will the CFO get the picture so the result is \"I get it, what do you need?\"\n\nUnderstanding ATT&CK as a practitioner is great with the current matrix but it is inaccessible to the CFO. But it doesn't have to be that way.\n\nPhil will chart the journey to improved visualization of ATT&CK techniques. He will show how the DNA of ATT&CK doesn’t just make ATT&CK accessible for all but that it can be beautiful!", + "description": "You have had a pen test, a red team or a threat intelligence report and drawn up a plan for remediation. You have been told you have 15 mins in front of the CFO in 48 hours! How do you show ,on one page, the connection between the techniques you are exposed and vulnerable to, the path of least resistance and the focused control changes required right now?

How will the CFO get the picture so the result is \"I get it, what do you need?\"

Understanding ATT&CK as a practitioner is great with the current matrix but it is inaccessible to the CFO. But it doesn't have to be that way.

Phil will chart the journey to improved visualization of ATT&CK techniques. He will show how the DNA of ATT&CK doesn’t just make ATT&CK accessible for all but that it can be beautiful!", "video": "https://www.youtube.com/watch?v=FJ8FdgEgYXw&list=PLkTApXQou_8If8_fwdCKVnwHr0WaEnfSH&index=13" }, { @@ -172,7 +172,7 @@ "organization": "CISA" } ], - "description": "CISA's Adoption of the MITRE ATT&CK Framework\n\nOver the past several years, CISA has worked to incorporate ATT&CK whenever applicable into our Cybersecurity Advisories and other cyber guidance. It has become the universal language for discussing how the adversary operates, and we leverage it for our stakeholders to respond to urgent events in real time, as well as detailed reports on subjects like our Red Team activities to give network defenders proactive guidance on how to harden their networks.", + "description": "CISA's Adoption of the MITRE ATT&CK Framework

Over the past several years, CISA has worked to incorporate ATT&CK whenever applicable into our Cybersecurity Advisories and other cyber guidance. It has become the universal language for discussing how the adversary operates, and we leverage it for our stakeholders to respond to urgent events in real time, as well as detailed reports on subjects like our Red Team activities to give network defenders proactive guidance on how to harden their networks.", "video": "https://www.youtube.com/watch?v=F581j2kSN7o&list=PLkTApXQou_8If8_fwdCKVnwHr0WaEnfSH&index=15", "slides": "https://www.slideshare.net/MITREATTACK/cisa-usage-of-attck-in-cybersecurity-advisories" }, @@ -211,7 +211,7 @@ "organization": "Lark Health" } ], - "description": "By aligning security controls with specific adversary techniques and tactics, organizations can gain a comprehensive understanding of their defensive capabilities. This mapping exercise serves as a vital step in identifying potential gaps and weaknesses within the security architecture. The evaluation of security maturity using the MITRE ATT&CK framework provides valuable insights into the effectiveness of existing controls, shedding light on areas that require improvement or further attention.\n\nIn this presentation, we will delve into practical strategies and real-world examples that showcase how organizations can successfully leverage the MITRE ATT&CK framework to enhance their security maturity. We will also explore key topics such as:\n\t(i)Customizing security training and awareness programs based on roles and responsibilities\n\t(ii)Conducting thorough assessments of incident response capabilities through the framework\n\t(iii)Integrating threat intelligence derived from ATT&CK to continuously improve the security posture", + "description": "By aligning security controls with specific adversary techniques and tactics, organizations can gain a comprehensive understanding of their defensive capabilities. This mapping exercise serves as a vital step in identifying potential gaps and weaknesses within the security architecture. The evaluation of security maturity using the MITRE ATT&CK framework provides valuable insights into the effectiveness of existing controls, shedding light on areas that require improvement or further attention.

In this presentation, we will delve into practical strategies and real-world examples that showcase how organizations can successfully leverage the MITRE ATT&CK framework to enhance their security maturity. We will also explore key topics such as:\n\t(i)Customizing security training and awareness programs based on roles and responsibilities\n\t(ii)Conducting thorough assessments of incident response capabilities through the framework\n\t(iii)Integrating threat intelligence derived from ATT&CK to continuously improve the security posture", "video": "https://www.youtube.com/watch?v=wc07D7FTgI4&list=PLkTApXQou_8If8_fwdCKVnwHr0WaEnfSH&index=18", "slides": "https://www.slideshare.net/MITREATTACK/evaluating-and-enhancing-security-maturity-through-mitre-attck-mapping" }, @@ -223,7 +223,7 @@ "organization": "KC7 Foundation" } ], - "description": "KC7 uses an experiential learning pedagogy to teach cybersecurity analysis to students of all levels, from elementary school all the way to industry professionals. In the KC7 experience, students analyze realistic cybersecurity data and answer a series of CTF-style questions that guide them through an investigative journey. \n\nIn order to generate authentic intrusion data, we create a fictional company that is attacked by cyber threat actors. The attributes and behaviors of these actors are defined via yaml configurations that are modeled based on MITRE ATT&CK categories and techniques. For example, we can granularly define what techniques an attacker uses for initial access or lateral movement, and how the actor explicitly uses those techniques.\n\nStudents that effectively analyze KC7 intrusion data can map the observed activity to the various stages of the MITRE ATT&CK framework. Organizing actor definitions around the ATT&CK framework allows KC7 to create a rich set of intrusion data in various permutations - and ensure that students are exposed to a diverse array of scenarios. A pleasant byproduct of this methodology is that students of MITRE ATT&CK can now study techniques contextually in data rather than just reading about them in reports.", + "description": "KC7 uses an experiential learning pedagogy to teach cybersecurity analysis to students of all levels, from elementary school all the way to industry professionals. In the KC7 experience, students analyze realistic cybersecurity data and answer a series of CTF-style questions that guide them through an investigative journey.

In order to generate authentic intrusion data, we create a fictional company that is attacked by cyber threat actors. The attributes and behaviors of these actors are defined via yaml configurations that are modeled based on MITRE ATT&CK categories and techniques. For example, we can granularly define what techniques an attacker uses for initial access or lateral movement, and how the actor explicitly uses those techniques.

Students that effectively analyze KC7 intrusion data can map the observed activity to the various stages of the MITRE ATT&CK framework. Organizing actor definitions around the ATT&CK framework allows KC7 to create a rich set of intrusion data in various permutations - and ensure that students are exposed to a diverse array of scenarios. A pleasant byproduct of this methodology is that students of MITRE ATT&CK can now study techniques contextually in data rather than just reading about them in reports.", "video": "https://www.youtube.com/watch?v=I2shZqo_k2Y&list=PLkTApXQou_8If8_fwdCKVnwHr0WaEnfSH&index=19" }, { @@ -258,7 +258,7 @@ "organization": "FalconForce" } ], - "description": "Modern security teams have been engineering solid detections for a while now. All this great output also needs to be managed well.\n* How can we make sure that the detections we have spent a lot of time developing are deployed and are running in production in the same way as they were designed?\n* How can we assure our detection and prevention controls are still working and are detecting the attacks they have been designed to cover?\n\nWe will show how we have built a robust and flexible development and deployment process using cloud technnologies. This process allows us to quickly and easily implement new detection controls, test them across multiple environments, and deploy them in a controlled and consistent manner.\n\nWe will discuss how security teams can reap the benefits of using detection-as-code, and how this can help achieving a single source of truth for their detection logic. Adopting this approach enables teams to use automation and unit testing to manage and validate their detection controls across multiple environments and ensure proper documentation. By adopting a detection-as-code approach, teams can gain the confidence that comes from knowing that their detections and mitigations work as intended.", + "description": "Modern security teams have been engineering solid detections for a while now. All this great output also needs to be managed well.\n* How can we make sure that the detections we have spent a lot of time developing are deployed and are running in production in the same way as they were designed?\n* How can we assure our detection and prevention controls are still working and are detecting the attacks they have been designed to cover?

We will show how we have built a robust and flexible development and deployment process using cloud technnologies. This process allows us to quickly and easily implement new detection controls, test them across multiple environments, and deploy them in a controlled and consistent manner.

We will discuss how security teams can reap the benefits of using detection-as-code, and how this can help achieving a single source of truth for their detection logic. Adopting this approach enables teams to use automation and unit testing to manage and validate their detection controls across multiple environments and ensure proper documentation. By adopting a detection-as-code approach, teams can gain the confidence that comes from knowing that their detections and mitigations work as intended.", "video": "https://www.youtube.com/watch?v=dF4iAF4MiXw&list=PLkTApXQou_8If8_fwdCKVnwHr0WaEnfSH&index=23", "slides": "https://www.slideshare.net/MITREATTACK/detection-as-code-automation-and-testing-the-key-to-unlocking-the-power-of-detection-engineering" }, @@ -293,7 +293,7 @@ "organization": "Datadog" } ], - "description": "Cloud native computing has fundamentally changed traditional security methodologies and attack surfaces. This new architectural approach combines new operational tools and services like continuous integration, container engines, and orchestrators. Some organizations struggle to identify and respond to threats they specifically face when running cloud native workloads.\n\nPerimeter-centric security evangelizes defense-in-depth or the onion model to implement different layers of defense. Cloud native security hyper-focuses on four unique layers: Cloud, Clusters, Containers, and Code. \n\nToday's defenders have to look across several existing ATT&CK matrices including Linux Enterprise, Containers, Kubernetes, and IaaS to holistically evaluate and model threats or attack paths across the four distinct layers of cloud native workloads.\n\nIn conclusion, we will discuss some of the challenges facing threat modeling cloud native workloads, including showing how to leverage several different ATT&CK matrices to create a distinct Cloud Native Workload ATT&CK matrix. The creation of this matrix will help defenders take the guesswork out of identifying what tactics serve as potential threats against a cloud native workload in order to enhance their defensive baseline and detection coverage.", + "description": "Cloud native computing has fundamentally changed traditional security methodologies and attack surfaces. This new architectural approach combines new operational tools and services like continuous integration, container engines, and orchestrators. Some organizations struggle to identify and respond to threats they specifically face when running cloud native workloads.

Perimeter-centric security evangelizes defense-in-depth or the onion model to implement different layers of defense. Cloud native security hyper-focuses on four unique layers: Cloud, Clusters, Containers, and Code.

Today's defenders have to look across several existing ATT&CK matrices including Linux Enterprise, Containers, Kubernetes, and IaaS to holistically evaluate and model threats or attack paths across the four distinct layers of cloud native workloads.

In conclusion, we will discuss some of the challenges facing threat modeling cloud native workloads, including showing how to leverage several different ATT&CK matrices to create a distinct Cloud Native Workload ATT&CK matrix. The creation of this matrix will help defenders take the guesswork out of identifying what tactics serve as potential threats against a cloud native workload in order to enhance their defensive baseline and detection coverage.", "video": "https://www.youtube.com/watch?v=Q8GY8TYDklc&list=PLkTApXQou_8If8_fwdCKVnwHr0WaEnfSH&index=26", "slides": "https://www.slideshare.net/MITREATTACK/cloud-native-workload-attck-matrix" },