diff --git a/data/attackcon.json b/data/attackcon.json index b30412965b6..d466d154f37 100644 --- a/data/attackcon.json +++ b/data/attackcon.json @@ -27,7 +27,7 @@ } ], "description": "ATT&CKcon 4.0 Keynote", - "video": "", + "video": "https://www.youtube.com/watch?v=U1T0GHMSlWE&list=PLkTApXQou_8If8_fwdCKVnwHr0WaEnfSH&index=1", "slides": "https://www.slideshare.net/MITREATTACK/civil-society-pegasus-and-predator-what-sophisticated-spyware-means-for-us-as-defenders" }, { @@ -39,7 +39,7 @@ } ], "description": "Updates on what's going on with MITRE ATT&CK.", - "video": "", + "video": "https://www.youtube.com/watch?v=AQxBeUK0gis&list=PLkTApXQou_8If8_fwdCKVnwHr0WaEnfSH&index=2", "slides": "https://www.slideshare.net/MITREATTACK/mitre-attck-updates-state-of-the-attck-attckcon-40-edition" }, { 
@@ -51,9 +51,20 @@ } ], "description": "Evaluating the maturity of your security operations program can be complex and challenging. From choosing the right framework to use, to understanding all aspects of how people, processes, and technologies can cohesively operate to grow your SOC, evaluating your security operations is crucial. This presentation will discuss how to evaluate your security operations program using the MITRE ATT&CK framework and talk about best practices for evaluations. We will explore how to identify gaps in your operations and improve your overall security posture with foundational activities. Attendees can expect to learn practical tips for leveraging the MITRE framework as well as actionable takeaways for evaluating and improving their own security operations.", - "video": "", + "video": "https://www.youtube.com/watch?v=8qvP5uDB2wc&list=PLkTApXQou_8If8_fwdCKVnwHr0WaEnfSH&index=4", "slides": "https://www.slideshare.net/MITREATTACK/grow-up-evaluating-and-maturing-your-soc-using-mitre-attck" }, + { + "title": "Dealing with ATT&CK's Different Levels of Details", + "presenters": [ + { + "names": ["Tareq Alkhatib"], + "organization": "Lacework, Inc" + } + ], + "description": "ATT&CK serves as the central language for CTI practitioners, Detection Engineers, Red Teamers, and more. Despite the benefit of having a central language, ATT&CK offers different levels of detail that might be useful for one team but not others. This paper points out some of these differences in the level of details available in ATT&CK, especially from the point of view of Detection Engineers, and focused on detection coverage.\n\nIn summary, while ATT&CK does not define the Procedure level of the TTP trinity, it is still useful to define the “Degrees of Freedom” an attacker has within a technique. 
Some techniques only have a limited number of possible Procedures, some techniques might have more, and others might be so open ended that they offer an unlimited number of possible procedures per technique. We examine this concept on both the Technique and Tactic levels and make the argument that techniques that have a high number of possible Procedures cannot be covered by Detection Engineers.\n\nAt the conference, we intend to release an ATT&CK Navigator layer to help Detection Engineers quickly filter out which Tactics and Techniques they need to focus on and which ones they simply cannot cover.", + "video": "https://www.youtube.com/watch?v=kgei3fsqNFw&list=PLkTApXQou_8If8_fwdCKVnwHr0WaEnfSH&index=5" + }, { "title": "Tidying up your Nest: Validating ATT&CK Technique Coverage using EDR Telemetry", "presenters": [ 
@@ -63,7 +74,7 @@ } ], "description": "Endpoint Detection & Response (EDR) telemetry offers defenders a powerful tool for catching threats. However, understanding how to validate ATT&CK technique coverage using EDR telemetry can be a challenge. As Detection Validation Engineers at a Managed Detection & Response (MDR) provider that ingests nearly a petabyte of endpoint telemetry every day, we’re in the unique and necessary position to analyze this telemetry at scale and validate its efficacy against common adversary tradecraft.\n\nAfter providing a brief introduction to EDR telemetry, we’ll discuss how to break ATT&CK techniques down to individual data components, perform functional tests, analyze the ways that specific actions translate to telemetry records, and compare this analysis across different EDR sensors. We’ll discuss the tooling we’ve built to assist us in running these tests and analyzing the resulting telemetry, and we’ll explain how security teams can improve their own functional testing efforts by creating an automated validation workflow. Finally, we’ll describe how this approach has enabled us to more effectively understand and use EDR telemetry, highlighting where this telemetry excels and fails at detecting ATT&CK techniques.", - "video": "", + "video": "https://www.youtube.com/watch?v=eBzzkSkd7yU&list=PLkTApXQou_8If8_fwdCKVnwHr0WaEnfSH&index=6", "slides": "https://www.slideshare.net/MITREATTACK/tidying-up-your-nest-validating-attck-technique-coverage-using-edr-telemetry" }, { @@ -75,7 +86,7 @@ } ], "description": "", - "video": "", + "video": "https://www.youtube.com/watch?v=lTZo74mF50g&list=PLkTApXQou_8If8_fwdCKVnwHr0WaEnfSH&index=8", "slides": "https://www.slideshare.net/MITREATTACK/mitre-attck-updates-ics" }, { 
@@ -87,7 +98,7 @@ } ], "description": "LABYRINTH CHOLLIMA is a prolific Democratic People's Republic of Korea (DPRK) nexus adversary focused on cyber espionage. They have been recently observed targeting FinTech (financial technology) companies in cryptocurrency revenue generation efforts. LABYRINTH CHOLLIMA has been associated with many high profile attacks, including the Sony Pictures Entertainment (SPE) breach, the WannaCry 2.0 global surge, and most recently, the 3CX supply chain compromise. Increasingly versed in cross-platform intrusions, LABYRINTH CHOLLIMA has been observed targeting macOS operating systems, and evolving their tactics, techniques, and tooling to keep in lockstep with the evolving security landscape.\n\nThis talk will deep dive into the interactive macOS intrusions Crowdstrike has attributed to LABYRINTH CHOLLIMA. We will delve into the adversary's macOS tradecraft, techniques to circumvent existing OS protections, and social engineering tactics, while showcasing how their mechanisms and tooling map to the MITRE ATT&CK kill chain, featuring some newly proposed MITRE techniques related to the Transparency, Consent, and Control (TCC) database.", - "video": "", + "video": "https://www.youtube.com/watch?v=0bt56JzZp4s&list=PLkTApXQou_8If8_fwdCKVnwHr0WaEnfSH&index=9", "slides": "https://www.slideshare.net/MITREATTACK/exploring-the-labyrinth-deep-dive-into-the-lazarus-groups-foray-into-macos" }, { 
@@ -103,7 +114,7 @@ } ], "description": "Join us for an enthralling exploration of Defense Evasion (TA0005) within the captivating realm of Hyrule. Prepare to immerse yourself in the intriguing history of shortcut (.lnk) abuse and its associated procedures, as we unveil and demonstrate an innovative and previously undisclosed sub-technique (proposed) of T1027 (Obfuscated Files or Information).\n\nDuring this talk, we will go beyond theory and share real-world insights. Discover firsthand how publicly attributed APT actors have leveraged this new sub-technique in their attacks against government entities. Through captivating stories and in-depth observations, we will shed light on the techniques and procedures employed by these adversaries.\n\nLevity and entertainment will be courtesy of timely and relevant bespoke Legend of Zelda memes playing upon the concept of the \"\"master hand ability\"\" gluing together bizarre elements to create surprisingly effective weapons, a concept that runs parallel to the discussion of abusing known Windows file types in unconventional ways.\n\nJoin us as we embark on this fascinating journey filled with knowledge, entertainment, and a touch of Legend of Zelda magic!", - "video": "", + "video": "https://www.youtube.com/watch?v=u_XN7lZHtL4&list=PLkTApXQou_8If8_fwdCKVnwHr0WaEnfSH&index=10", "slides": "https://www.slideshare.net/MITREATTACK/lnk-tears-of-the-kingdom" }, { 
@@ -115,7 +126,7 @@ } ], "description": "How many times have you added MITRE ATT&CK techniques to the end of a report and thought you could be doing more? Even though ATT&CK has become an industry standard for cyber threat intelligence reporting, all too often, techniques are thrown at the bottoms of reports and blogs without any context never to be seen again after dissemination. This is not useful for intelligence producers or consumers. Avast ye maties! Within this presentation, we are going to show analysts how they can use ATT&CK as a guideline for creating a contextual knowledge base for adversary tracking. Gone are the days of floundering about looking for information collected about a specific adversary or behavior. Gone are the days of wondering why the rum and context are always gone. Ahoy, me hearties! Hoist up the sails and prepare your sea legs for some swashbuckling adversary tales from the high seas where we will focus on the fickle commodity loader, Qakbot.", - "video": "", + "video": "https://www.youtube.com/watch?v=4JnFj-xdLEw&list=PLkTApXQou_8If8_fwdCKVnwHr0WaEnfSH&index=11", "slides": "https://www.slideshare.net/MITREATTACK/one-leg-to-stand-on-adventures-in-adversary-tracking-with-attck" }, { 
@@ -127,9 +138,20 @@ } ], "description": "", - "video": "", + "video": "https://www.youtube.com/watch?v=5cl3rnrt5nA&list=PLkTApXQou_8If8_fwdCKVnwHr0WaEnfSH&index=12", "slides": "https://www.slideshare.net/MITREATTACK/mitre-attck-updates-software" }, + { + "title": "The Art of Communicating ATT&CK to the CFO", + "presenters": [ + { + "names": ["Phil Davies"], + "organization": "Distilled Security" + } + ], + "description": "You have had a pen test, a red team or a threat intelligence report and drawn up a plan for remediation. You have been told you have 15 mins in front of the CFO in 48 hours! How do you show ,on one page, the connection between the techniques you are exposed and vulnerable to, the path of least resistance and the focused control changes required right now?\n\nHow will the CFO get the picture so the result is \"I get it, what do you need?\"\n\nUnderstanding ATT&CK as a practitioner is great with the current matrix but it is inaccessible to the CFO. But it doesn't have to be that way.\n\nPhil will chart the journey to improved visualization of ATT&CK techniques. He will show how the DNA of ATT&CK doesn’t just make ATT&CK accessible for all but that it can be beautiful!", + "video": "https://www.youtube.com/watch?v=FJ8FdgEgYXw&list=PLkTApXQou_8If8_fwdCKVnwHr0WaEnfSH&index=13" + }, { "title": "Navigating the Attention Economy – Using MITRE ATT&CK to Communicate to Stakeholders at all Levels", "presenters": [ 
@@ -139,7 +161,7 @@ } ], "description": "We live in a world where attention is scarce. And yet we need to communicate complex information effectively to a variety of audiences. This talk will discuss how to cut through the noise of information overload by using MITRE ATT&CK to reach your audience. It will use lessons I have learned from videography, combined with Cyber Threat Intelligence (CTI) to weave a story around how to think about communicating to your audience when gaining their focus is becoming increasingly difficult. Using current research into focus and attention spans, combined with trends in how people like to obtain information, this talk will recommend paths to building compelling stories with MITRE ATT&CK so that stakeholders can immediately gain value from threat intelligence reports without having to read a full long-form report.", - "video": "", + "video": "https://www.youtube.com/watch?v=IrZfxkfOUd0&list=PLkTApXQou_8If8_fwdCKVnwHr0WaEnfSH&index=14", "slides": "https://www.slideshare.net/MITREATTACK/navigating-the-attention-economy-using-mitre-attck-to-communicate-to-stakeholders-at-all-levels" }, { 
@@ -151,9 +173,36 @@ } ], "description": "CISA's Adoption of the MITRE ATT&CK Framework\n\nOver the past several years, CISA has worked to incorporate ATT&CK whenever applicable into our Cybersecurity Advisories and other cyber guidance. It has become the universal language for discussing how the adversary operates, and we leverage it for our stakeholders to respond to urgent events in real time, as well as detailed reports on subjects like our Red Team activities to give network defenders proactive guidance on how to harden their networks.", - "video": "", + "video": "https://www.youtube.com/watch?v=F581j2kSN7o&list=PLkTApXQou_8If8_fwdCKVnwHr0WaEnfSH&index=15", "slides": "https://www.slideshare.net/MITREATTACK/cisa-usage-of-attck-in-cybersecurity-advisories" }, + { + "title": "10th Anniversary Panel", + "presenters": [ + { + "names": ["Brad Crawford"], + "organization": "Phylum" + }, + { + "names": ["Katie Nickels"], + "organization": "Red Canary" + }, + { + "names": ["Jen Miller-Osborn"], + "organization": "Cyberthreat Intelligence" + }, + { + "names": ["Blake Strom"], + "organization": "Microsoft" + }, + { + "names": ["Eric Sheesley"], + "organization": "Sony Group Corporation" + } + ], + "description": "Celebrating 10 years of ATT&CK", + "video": "https://www.youtube.com/watch?v=oGObE5BkdSE&list=PLkTApXQou_8If8_fwdCKVnwHr0WaEnfSH&index=17" + }, { "title": "Evaluating and Enhancing Security Maturity through MITRE ATT&CK Mapping", "presenters": [ 
@@ -163,9 +212,20 @@ } ], "description": "By aligning security controls with specific adversary techniques and tactics, organizations can gain a comprehensive understanding of their defensive capabilities. This mapping exercise serves as a vital step in identifying potential gaps and weaknesses within the security architecture. The evaluation of security maturity using the MITRE ATT&CK framework provides valuable insights into the effectiveness of existing controls, shedding light on areas that require improvement or further attention.\n\nIn this presentation, we will delve into practical strategies and real-world examples that showcase how organizations can successfully leverage the MITRE ATT&CK framework to enhance their security maturity. We will also explore key topics such as:\n\t(i)Customizing security training and awareness programs based on roles and responsibilities\n\t(ii)Conducting thorough assessments of incident response capabilities through the framework\n\t(iii)Integrating threat intelligence derived from ATT&CK to continuously improve the security posture", - "video": "", + "video": "https://www.youtube.com/watch?v=wc07D7FTgI4&list=PLkTApXQou_8If8_fwdCKVnwHr0WaEnfSH&index=18", "slides": "https://www.slideshare.net/MITREATTACK/evaluating-and-enhancing-security-maturity-through-mitre-attck-mapping" }, + { + "title": "Using ATT&CK to Create Wicked Actors in Real Data", + "presenters": [ + { + "names": ["Simeon Kakpovi", "Greg Schloemer"], + "organization": "KC7 Foundation" + } + ], + "description": "KC7 uses an experiential learning pedagogy to teach cybersecurity analysis to students of all levels, from elementary school all the way to industry professionals. In the KC7 experience, students analyze realistic cybersecurity data and answer a series of CTF-style questions that guide them through an investigative journey. \n\nIn order to generate authentic intrusion data, we create a fictional company that is attacked by cyber threat actors. 
The attributes and behaviors of these actors are defined via yaml configurations that are modeled based on MITRE ATT&CK categories and techniques. For example, we can granularly define what techniques an attacker uses for initial access or lateral movement, and how the actor explicitly uses those techniques.\n\nStudents that effectively analyze KC7 intrusion data can map the observed activity to the various stages of the MITRE ATT&CK framework. Organizing actor definitions around the ATT&CK framework allows KC7 to create a rich set of intrusion data in various permutations - and ensure that students are exposed to a diverse array of scenarios. A pleasant byproduct of this methodology is that students of MITRE ATT&CK can now study techniques contextually in data rather than just reading about them in reports.", + "video": "https://www.youtube.com/watch?v=I2shZqo_k2Y&list=PLkTApXQou_8If8_fwdCKVnwHr0WaEnfSH&index=19" + }, { "title": "MITRE ATT&CK Updates: New Ideas in Enterprise - Pushing the boundaries of ATT&CK's long-established scope", "presenters": [ @@ -175,7 +235,7 @@ } ], "description": "", - "video": "", + "video": "https://www.youtube.com/watch?v=rY81pNC_wHc&list=PLkTApXQou_8If8_fwdCKVnwHr0WaEnfSH&index=20", "slides": "https://www.slideshare.net/MITREATTACK/mitre-attck-updates-new-ideas-in-enterprise-pushing-the-boundaries-of-attcks-longestablished-scope" }, { @@ -187,7 +247,7 @@ } ], "description": "", - "video": "", + "video": "https://www.youtube.com/watch?v=PvnZNnCmNx4&list=PLkTApXQou_8If8_fwdCKVnwHr0WaEnfSH&index=22", "slides": "https://www.slideshare.net/MITREATTACK/attck-is-the-best-defense-emulating-sophisticated-adversary-malware-to-bolster-defenses" }, { 
@@ -199,7 +259,7 @@ } ], "description": "Modern security teams have been engineering solid detections for a while now. All this great output also needs to be managed well.\n* How can we make sure that the detections we have spent a lot of time developing are deployed and are running in production in the same way as they were designed?\n* How can we assure our detection and prevention controls are still working and are detecting the attacks they have been designed to cover?\n\nWe will show how we have built a robust and flexible development and deployment process using cloud technnologies. This process allows us to quickly and easily implement new detection controls, test them across multiple environments, and deploy them in a controlled and consistent manner.\n\nWe will discuss how security teams can reap the benefits of using detection-as-code, and how this can help achieving a single source of truth for their detection logic. Adopting this approach enables teams to use automation and unit testing to manage and validate their detection controls across multiple environments and ensure proper documentation. By adopting a detection-as-code approach, teams can gain the confidence that comes from knowing that their detections and mitigations work as intended.", - "video": "", + "video": "https://www.youtube.com/watch?v=dF4iAF4MiXw&list=PLkTApXQou_8If8_fwdCKVnwHr0WaEnfSH&index=23", "slides": "https://www.slideshare.net/MITREATTACK/detection-as-code-automation-and-testing-the-key-to-unlocking-the-power-of-detection-engineering" }, { @@ -211,7 +271,6 @@ } ], "description": "", - "video": "", "slides": "https://www.slideshare.net/MITREATTACK/mitre-attck-updates-state-of-the-cloud" }, { 
@@ -223,7 +282,7 @@ } ], "description": "Building threat intelligence is challenging, even under the most ideal circumstances. But what if you are even more limited in your resources? You are part of a small (but skilled) team, with high expectations, and people are relying on you to make business-critical decisions…all the time! What do you do in that situation? Turn a Toyota Tercel into a tank, of course.\nThe Interpres Security threat intelligence team found itself in that exact situation. Wanting to leverage the MITRE ATT&CK catalog in creating a comprehensive and timely threat intelligence repository, the Interpres team built a series of tools, processes, and paradigms that we call Intelligence Engineering. In this talk, we’ll examine how we combined ATT&CK, STIX2, the Vertex Project’s open-source intelligence platform, Synapse, and custom code to deliver meaningful, rapid, verifiable intelligence to our customers. We’ll share lessons learned on automation, how to run multiple ATT&CK libraries side-by-side, and making programmatic intelligence delivery scalable and effective – just like building a tank out of an imported sedan.", - "video": "", + "video": "https://www.youtube.com/watch?v=84IEmaiigLQ&list=PLkTApXQou_8If8_fwdCKVnwHr0WaEnfSH&index=25", "slides": "https://www.slideshare.net/MITREATTACK/driving-intelligence-with-mitre-attck-leveraging-limited-resources-to-build-an-evolving-threat-repository" }, { 
@@ -235,7 +294,7 @@ } ], "description": "Cloud native computing has fundamentally changed traditional security methodologies and attack surfaces. This new architectural approach combines new operational tools and services like continuous integration, container engines, and orchestrators. Some organizations struggle to identify and respond to threats they specifically face when running cloud native workloads.\n\nPerimeter-centric security evangelizes defense-in-depth or the onion model to implement different layers of defense. Cloud native security hyper-focuses on four unique layers: Cloud, Clusters, Containers, and Code. \n\nToday's defenders have to look across several existing ATT&CK matrices including Linux Enterprise, Containers, Kubernetes, and IaaS to holistically evaluate and model threats or attack paths across the four distinct layers of cloud native workloads.\n\nIn conclusion, we will discuss some of the challenges facing threat modeling cloud native workloads, including showing how to leverage several different ATT&CK matrices to create a distinct Cloud Native Workload ATT&CK matrix. The creation of this matrix will help defenders take the guesswork out of identifying what tactics serve as potential threats against a cloud native workload in order to enhance their defensive baseline and detection coverage.", - "video": "", + "video": "https://www.youtube.com/watch?v=Q8GY8TYDklc&list=PLkTApXQou_8If8_fwdCKVnwHr0WaEnfSH&index=26", "slides": "https://www.slideshare.net/MITREATTACK/cloud-native-workload-attck-matrix" }, { 
@@ -247,9 +306,20 @@ } ], "description": "The Electronic Flight Bag (EFB) has become an indispensable tool in modern aviation, providing pilots with digital resources and critical flight information. However, the increased reliance on EFB systems running on operating systems, introduces various security challenges. In this session, a technical assessment approach with MITRE ATT&CK framework to perform a comprehensive threat analysis of an EFB solution, will be presented. The potential attack vectors and relation with the risks for business/ flight operations will be demonstrated.", - "video": "", + "video": "https://www.youtube.com/watch?v=b0xwEDA6d98&list=PLkTApXQou_8If8_fwdCKVnwHr0WaEnfSH&index=27", "slides": "https://www.slideshare.net/MITREATTACK/mitre-attck-based-threat-analysis-for-electronic-flight-bag" }, + { + "title": "I Can Haz Cake: Benefits of Working with MITRE on ATT&CK", + "presenters": [ + { + "names": ["Tim Wadhwa-Brown"], + "organization": "Cisco" + } + ], + "description": "The purpose of this session will be to look at how the linux-malware repo came to take shape and how we've used it to inform our view on adversarial behaviour over the last couple of years. Since the original reason for staring this project was to look at Linux coverage in ATT&CK, we'll play back some of the interesting points and reflect on how they've affected ATT&CK itself.", + "video": "https://www.youtube.com/watch?v=PCw3Wa9GBP4&list=PLkTApXQou_8If8_fwdCKVnwHr0WaEnfSH&index=28" + }, { "title": "Updates from the Center for Threat-Informed Defense", "presenters": [ @@ -259,7 +329,7 @@ } ], "description": "", - "video": "", + "video": "https://www.youtube.com/watch?v=QrwJ1L_m438&list=PLkTApXQou_8If8_fwdCKVnwHr0WaEnfSH&index=29", "slides": "https://www.slideshare.net/MITREATTACK/updates-from-the-center-for-threatinformed-defense" }, { @@ -271,7 +341,6 @@ } ], "description": "", - "video": "", "slides": "https://www.slideshare.net/MITREATTACK/the-case-for-quishing" }, { 
@@ -283,7 +352,6 @@ } ], "description": "Capital One is currently building a Security Graph to tie together various Cyber Teams and their data -- Controls, Objectives, Tools, and Countermeasures, Threats. It is an ambitious project that will help us identify gaps and focus our controls on the most likely and persistent threats. It is a work in progress that is using MITRE ATT&CK and D3FEND as a \"lingua franca\" to tie together the elements of the graph, so we have a common understanding across the enterprise.", - "video": "", "slides": "https://www.slideshare.net/MITREATTACK/discussion-on-finding-relationships-in-cyber-data" }, { @@ -295,7 +363,6 @@ } ], "description": "If you tell me an attacker performed OS Credential Dumping, did they dump credentials with meterpreter, recompile mimikatz, or use a custom tool? The technique reference lacks a way to categorize how they performed the action and each type requires its own mitigation. In this talk, Ben Langirll will propose formal adjectives for ATT&CK techniques that map to adversary capabilities and how we can use them to optimize defensive choices.", - "video": "", "slides": "https://www.slideshare.net/MITREATTACK/adjectives-for-attck" }, { @@ -307,7 +374,6 @@ } ], "description": "This presentation will briefly summarize work that we've done regarding implementing the ATT&CK framework as a rule-fact-action network within a Blackboard Architecture, allowing the ATT&CK framework to enable security testing automation. The presentation will start with a quick summary of the concept behind this and then present a few implementation examples.", - "video": "", "slides": "https://www.slideshare.net/MITREATTACK/automating-testing-by-implementing-attck-using-the-blackboard-architecture" } ]
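Review bot: in hunk @@ -27,7 +27,7 @@ (and every other video URL added in this patch) the link carries the playlist parameters `&list=PLkTApXQou_8If8_fwdCKVnwHr0WaEnfSH&index=N`, which ties each record to the current playlist ordering; the index values already skip (1, 2, 4, 5, 6, 8, ...), so a reorder upstream would leave the index stale. Storing the bare `https://www.youtube.com/watch?v=U1T0GHMSlWE` form keeps the record stable and still resolves to the same video.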
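Review bot: in hunk @@ -51,9 +51,20 @@ the new "Dealing with ATT&CK's Different Levels of Details" entry has no "slides" key, while every surrounding record carries one (the file's convention for a missing asset is an empty string, as in the `"description": ""` records); a consumer that reads the key without a default will fail on this record. Add `"slides": ""` or confirm the renderer treats the key as optional. The same gap is in the four other entries this patch adds ("The Art of Communicating ATT&CK to the CFO", "10th Anniversary Panel", "Using ATT&CK to Create Wicked Actors in Real Data", "I Can Haz Cake: Benefits of Working with MITRE on ATT&CK").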
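Review bot: in hunk @@ -127,9 +138,20 @@ the added description reads "How do you show ,on one page, the connection" with the comma detached from "show"; it should be "How do you show, on one page, the connection".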
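Review bot: in hunk @@ -151,9 +173,36 @@ the panel presenter "Jen Miller-Osborn" is given `"organization": "Cyberthreat Intelligence"`, which reads as a discipline rather than an organization name, unlike the other four entries (Phylum, Red Canary, Microsoft, Sony Group Corporation); please confirm the intended affiliation before this ships.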
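Review bot: in hunk @@ -211,7 +271,6 @@ the `"video": ""` line is removed without a replacement, so this record (and the ones in hunks @@ -271,7 +341,6 @@, @@ -283,7 +352,6 @@, @@ -295,7 +363,6 @@ and @@ -307,7 +374,6 @@) now has no "video" key at all while every other entry in the file has one. Either keep `"video": ""` for the talks with no recording, matching how the file marks a missing description, or document that "video" is optional and make sure the renderer checks for its absence.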
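Review bot: in hunk @@ -247,9 +306,20 @@ the added description says "the original reason for staring this project"; this should be "starting this project".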