Automation (or is it?)

©2019 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for public release. Distribution unlimited 19-01159-17.

| 1 |



Who We Are


| 2 |

Sarah Yoder (@sarah__yoder)
• Cyber Security Engineer
• Cyber threat intelligence + red teaming
• Disneyland enthusiast, Triathlete, Chai Tea Fanatic

Jackie Lasky
• Cyber Security Engineer
• Cyber threat intelligence + threat hunting
• Photographer, Traveler, Dog-lover

The Plan


| 3 |

How We Use CTI for ATT&CK

Our Automation Tool - TRAM

How This Can Help You

Challenges with Automation

The Future of TRAM

What does Cyber Threat Intelligence mean for ATT&CK?

CTI forms the basis of ATT&CK

We help to organize CTI by keeping ATT&CK up-to-date

We develop ways to share or organize CTI

We show and provide ways to use CTI

| 4 |

Before We Got A “Brain”

| 5 |

Backlog of reports → Analyst gets assigned a report to read and review

Data is entered into ATT&CK


The Yellow Brick Road: Reporting ⇒ ATT&CK

1. Find open source threat reporting
   • APT groups, software

2. Find behaviors in the report
   • Think ATT&CK structure

| 6 |


| 7 |

Finding Behaviors in Finished Reporting

Example report: https://usa.kaspersky.com/about/press-releases/2018_synack-doppelganging

| Tactic | Technique |
| Defense Evasion | Obfuscated Files or Information (T1027) |
| Defense Evasion | Virtualization/Sandbox Evasion (T1497) |
| Defense Evasion | Execution Guardrails (T1480) |
| Discovery | File and Directory Discovery (T1083) |
| Discovery | Process Discovery (T1057) |
| Discovery | System Service Discovery (T1007) |
| Impact | Data Encrypted for Impact (T1486) |

[Slide image: the ATT&CK Enterprise matrix with every technique listed under its tactic column (Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Collection, Command and Control, Exfiltration, Impact). © 2019 The MITRE Corporation. All rights reserved. Matrix current as of May 2019.]

Remembering ATT&CK (there's a lot)

Tactics: the adversary's technical goals

Techniques: how the goals are achieved

Procedures: specific technique implementation

| 8 |

Trapped in a Time-Consuming Process

Too many reports, not enough people

Human error

Training new team members


| 9 |


Off to the Emerald Automation City

| 10 |

The “Magic” behind TRAM

| 11 |

1. Get Data
   – ATT&CK procedure examples
   – STIX/TAXII data from ATT&CK

2. Clean & Prepare Data
   – Normalization
   – Natural language processing

3. Build & Train Models
   – Python: logistic regression and supervised learning
   – Count Vectorizer feature extraction, cross validation, etc.

The “Magic” behind TRAM (Continued)

Test Data
   – Submit a report via URL
   – Models generate predictions on unseen data

Review Model Decision
   – Accept or reject the predictions
   – Add in missing techniques

Feedback Loop
   – Annotations are recorded and sent back to the database to build new models
   – Reports can be exported
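The pipeline on these two slides, as an added example that is not TRAM's own code: a pure-Python stand-in for the steps described (procedure examples pulled from a STIX bundle, normalization, count-vectorizer features, one-vs-rest logistic regression, predictions on new report sentences, analyst feedback and retraining). The STIX bundle, the sentences and every class and function name are constructed for this example.

```python
"""Cut-down, pure-Python sketch of the pipeline on the slides: STIX procedure
examples -> normalize -> count-vectorize -> one-vs-rest logistic regression ->
predictions for new report sentences -> analyst feedback -> retrain. The bundle
imitates the ATT&CK STIX layout (it is not feed data); every sentence is made up."""
import math
import re
from collections import Counter, defaultdict

def _attack_pattern(ref, name, technique_id):
    # ATT&CK objects carry the technique ID in a "mitre-attack" external reference.
    return {"type": "attack-pattern", "id": ref, "name": name,
            "external_references": [{"source_name": "mitre-attack", "external_id": technique_id}]}

def _uses(target_ref, text):
    # Procedure examples are the descriptions of "uses" relationships.
    return {"type": "relationship", "relationship_type": "uses", "source_ref": "malware--constructed",
            "target_ref": target_ref, "description": text}

STIX_BUNDLE = {"type": "bundle", "objects": [  # constructed mini-bundle
    _attack_pattern("attack-pattern--1", "Data Encrypted for Impact", "T1486"),
    _attack_pattern("attack-pattern--2", "Process Discovery", "T1057"),
    _attack_pattern("attack-pattern--3", "Obfuscated Files or Information", "T1027"),
    _uses("attack-pattern--1", "The ransomware encrypts files on the victim disk and drops a ransom note demanding bitcoin."),
    _uses("attack-pattern--1", "After staging, the malware encrypts documents with AES and renames each file with a new extension."),
    _uses("attack-pattern--1", "The payload encrypts user data and displays a ransom message on the desktop."),
    _uses("attack-pattern--2", "The malware enumerates running processes with tasklist to find security products."),
    _uses("attack-pattern--2", "It lists running processes to check whether an analysis tool is present."),
    _uses("attack-pattern--2", "The backdoor collects a list of running processes and sends it to the server."),
    _uses("attack-pattern--3", "The dropper is packed with a custom packer and its strings are obfuscated."),
    _uses("attack-pattern--3", "Configuration data is stored as base64 encoded strings to hide it from inspection."),
    _uses("attack-pattern--3", "The loader uses obfuscated PowerShell with strings encoded in base64."),
]}
STOPWORDS = {"a", "an", "the", "and", "or", "of", "to", "on", "in", "with", "it", "its", "is", "are",
             "was", "were", "from", "by", "as", "at", "for", "that", "this", "each", "after",
             "before", "whether"}

def procedure_examples(bundle):
    """Step 1 (Get Data): (technique_id, text) pairs pulled out of the STIX bundle."""
    ids = {o["id"]: next(r["external_id"] for r in o["external_references"]
                         if r["source_name"] == "mitre-attack")
           for o in bundle["objects"] if o["type"] == "attack-pattern"}
    return [(ids[o["target_ref"]], o["description"]) for o in bundle["objects"]
            if o["type"] == "relationship" and o["relationship_type"] == "uses"
            and o["target_ref"] in ids and o.get("description")]

def tokenize(text):
    """Step 2 (Clean & Prepare): lowercase, strip punctuation, drop stopwords."""
    return [t for t in re.sub(r"[^a-z0-9]+", " ", text.lower()).split() if t not in STOPWORDS]

class TechniqueModel:
    """Step 3 (Build & Train): word counts (CountVectorizer-style) feeding one
    L2-regularised logistic regression per technique (one-vs-rest)."""

    def __init__(self, examples, epochs=1000, lr=0.5, l2=0.005):
        docs = [(tid, Counter(tokenize(text))) for tid, text in examples]
        self.vocab = {t for _, counts in docs for t in counts}
        self.models = {}
        for tid in sorted({t for t, _ in docs}):
            w, b = defaultdict(float), 0.0
            for _ in range(epochs):  # full-batch gradient descent on the log loss
                gw, gb = defaultdict(float), 0.0
                for label, counts in docs:
                    err = self._sigmoid(b + sum(w[t] * n for t, n in counts.items())) - (label == tid)
                    gb += err
                    for t, n in counts.items():
                        gw[t] += err * n
                b -= lr * gb / len(docs)
                for t in self.vocab:
                    w[t] -= lr * (gw[t] / len(docs) + l2 * w[t])
            self.models[tid] = (w, b)

    @staticmethod
    def _sigmoid(z):
        return 1.0 / (1.0 + math.exp(-z))

    def predict(self, sentence, threshold=0.5):
        """Step 4 (Test Data): (technique_id, probability) of the best class, or None when
        nothing clears the threshold or the sentence shares no vocabulary with the training data."""
        counts = Counter(t for t in tokenize(sentence) if t in self.vocab)
        if not counts:
            return None  # no evidence, so no prediction
        scores = {tid: self._sigmoid(b + sum(w[t] * n for t, n in counts.items()))
                  for tid, (w, b) in self.models.items()}
        tid, p = max(scores.items(), key=lambda kv: kv[1])
        return (tid, round(p, 3)) if p >= threshold else None

def accept_annotation(examples, sentence, technique_id):
    """Steps 5-7 (Review / Feedback Loop): the analyst accepts a prediction or adds
    a technique the model missed; the annotation is stored with the procedure
    examples and a new model is trained on the larger set."""
    examples = examples + [(technique_id, sentence)]
    return examples, TechniqueModel(examples)

if __name__ == "__main__":
    examples = procedure_examples(STIX_BUNDLE)
    model = TechniqueModel(examples)
    print(model.predict("The trojan encrypts all files and shows a ransom note."))  # constructed
    missed = "The worm scrambles every document on the host and extorts the owner."
    examples, model = accept_annotation(examples, missed, "T1486")  # analyst adds the miss
    print(model.predict("The worm extorts the owner after it scrambles every document on the host."))
```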


| 12 |


| 13 |

Threat Report ATT&CK Mapper (TRAM) Demo

| 14 |

Why Does This Matter?

Easier to get started with ATT&CK

Streamline the workflow

Find techniques we forget about (or have never heard of)

Use reporting that is important to you

| 15 |


Overcoming Challenges


| 16 |

Prediction Accuracy

How do we look for techniques not in ATT&CK yet?

Building automations can take away time from other work

Is the Wizard of Automation real?

Why is automating CTI hard to do?

Augmenting CTI work to blend human analysis with AI


| 17 |


Future of TRAM

Despite full automation not being the answer to all our problems, development on TRAM is still on track.

Finding the balance as we transition the workflow

We encourage and appreciate contributions from the community


| 18 |


| 19 |

attack.mitre.org | attack@mitre.org | @MITREattack

Sarah Yoder | @sarah__yoder

Jackie Lasky

https://github.com/mitre-attack/tram

Page 2: Automation - SANS Institute...N et w ork D eni al of Servi ce R esource H ijacki ng R untime D at a Manipul at ion Servi ce Stop Stor ed D at a Manipul at ion T ransm itted D at a

Who We Are

copy2019 The MITRE Corporation ALL RIGHTS RESERVED Approved for public release Distribution unlimited 19-01159-17

| 2 |

Sarah Yoder ( sarah__yoder)bull Cyber Security Engineerbull Cyber threat intelligence + red teamingbull Disneyland enthusiast Triathlete Chai Tea Fanatic

Jackie Laskybull Cyber Security Engineerbull Cyber threat intelligence + threat huntingbull Photographer Traveler Dog-lover

The Plan

copy2019 The MITRE Corporation ALL RIGHTS RESERVED Approved for public release Distribution unlimited 19-01159-17

| 3 |

How We Use CTI for ATTampCK

Our Automation Tool - TRAM

How This Can Help You

Challenges with Automation

The Future of TRAM httpswwwkristvcomnewslocal-newsfollow-the-yellow-brick-road-to-the-wizard-of-oz-movie-party

What does Cyber Threat Intelligence mean for ATTampCK

CTI forms the basis of ATTampCK

We help to organize CTI by keeping ATTampCK up-to-date

We develop ways to share or organize CTI

We show and provide ways to use CTI

| 4 |

Before We Got A ldquoBrain

copy2019 The MITRE Corporation ALL RIGHTS RESERVED Approved for public release Distribution unlimited 19-01159-17

| 5 |

Backlog of reports Analyst gets assigned report to read and review

Data is entered into ATTampCK

httpwwwlocgovexhibitsozimagesuc55jpg

The Yellow Brick Road Reporting rArr ATTampCK

1 Find open source threat reporting

bull APT groups software

2 Find behaviors in the report

bull Think ATTampCK structure

| 6 |

httpswwwhiclipartcomsearchclipart=goodbye+Yellow+Brick+Road

| 7 |

Defense Evasion

Defense Evasion

Discovery

Discovery

| Obfuscated Files or Information(T1027)

| Obfuscated Files or Information(T1027)

| File and Directory Discovery (T1083)

| VirtualizationSandbox Evasion (T1497)

| Data Encrypted for Impact (T1486) | Process Discovery (T1057)

| System Service Discovery (T1007)

httpsusakasperskycomaboutpress-releases2018_synack-doppelganging

Defense Evasion

Impact

Defense Evasion | Execution Guardrails (T1480)

Finding Behaviors in Finished Reporting

Impact

Data Destruction

Data Encrypted for Impact

Defacement

Disk Content Wipe

Disk Structure Wipe

Endpoint Denial of Service

Firmware Corruption

Inhibit System Recovery

Network Denial of Service

Resource Hijacking

Runtime Data Manipulation

Service Stop

Stored Data Manipulation

Transmitted Data Manipulation

copy 2019 The MITRE Corporation All rights reserved Matrix current as of May 2019

Command and Control

Commonly Used Port

Communication Through Removable Media

Connection Proxy

Custom Command and Control Protocol

Custom Cryptographic Protocol

Data Encoding

Data Obfuscation

Domain Fronting

Domain GenerationAlgorithms

Fallback Channels

Multiband Communication

Multi-hop Proxy

Multilayer Encryption

Multi-Stage Channels

Port Knocking

Remote Access Tools

Remote File Copy

Standard Application Layer Protocol

Standard Cryptographic Protocol

Standard Non-ApplicationLayer Protocol

Uncommonly Used Port

Web Service

Exfiltration

Automated Exfiltration

Data Compressed

Data Encrypted

Data Transfer Size Limits

Exfiltration Over OtherNetwork Medium

Exfiltration Over Commandand Control Channel

Exfiltration Over Alternative Protocol

Exfiltration Over Physical Medium

Scheduled Transfer

Collection

Audio Capture

Automated Collection

Clipboard Data

Data from InformationRepositories

Data from Local System

Data from Network Shared Drive

Data from Removable Media

Data Staged

Email Collection

Input Capture

Man in the Browser

Screen Capture

Video Capture

Lateral Movement

AppleScript

Application Deployment Software

Distributed ComponentObject Model

Exploitation ofRemote Services

Logon Scripts

Pass the Hash

Pass the Ticket

Remote Desktop Protocol

Remote File Copy

Remote Services

Replication Through Removable Media

Shared Webroot

SSH Hijacking

Taint Shared Content

Third-party Software

Windows Admin Shares

Windows RemoteManagement

Credential Access Discovery

Network Sniffing

Account Manipulation Account Discovery

Bash History Application WindowDiscoveryBrute Force

Credential Dumping Browser Bookmark DiscoveryCredentials in Files

Credentials in Registry Domain Trust Discovery

Exploitation forCredential Access

File and Directory Discovery

Network Service Scanning

Forced Authentication Network Share Discovery

Hooking Password Policy Discovery

Input Capture Peripheral Device Discovery

Input Prompt Permission Groups Discovery

Kerberoasting Process Discovery

Keychain Query Registry

LLMNRNBT-NS Poisoningand Relay

Remote System Discovery

Security Software Discovery

Password Filter DLL System InformationDiscoveryPrivate Keys

Securityd Memory System Network Configuration Discovery

Two-Factor AuthenticationInterception

System Network Connections Discovery

System OwnerUserDiscovery

System Service Discovery

System Time Discovery

VirtualizationSandbox Evasion

Execution Persistence Privilege Escalation Defense Evasion

Scheduled Task Binary Padding

Launchctl Access Token Manipulation

Local Job Scheduling Bypass User Account Control

LSASS Driver Extra Window Memory Injection

Trap Process Injection

AppleScript DLL Search Order Hijacking

CMSTP Image File Execution Options Injection

Command-Line Interface Plist Modification

Compiled HTML File Valid Accounts

Control Panel Items Accessibility Features BITS Jobs

Dynamic Data Exchange AppCert DLLs Clear Command History

Execution through API AppInit DLLs CMSTP

Execution through Module Load

Application Shimming Code Signing

Dylib Hijacking Compiled HTML File

Exploitation for Client Execution

File System Permissions Weakness Component Firmware

Hooking Component Object ModelHijackingGraphical User Interface Launch Daemon

InstallUtil New Service Control Panel Items

Mshta Path Interception DCShadow

PowerShell Port Monitors DeobfuscateDecode Filesor InformationRegsvcsRegasm Service Registry Permissions Weakness

Regsvr32 Setuid and Setgid Disabling Security Tools

Rundll32 Startup Items DLL Side-Loading

Scripting Web Shell Execution Guardrails

Service Execution bash_profile and bashrc Exploitation for Privilege Escalation

Exploitation for Defense Evasion

Signed Binary Proxy Execution

Account Manipulation

Authentication Package SID-History Injection File Deletion

Signed Script Proxy Execution

BITS Jobs Sudo File Permissions ModificationBootkit Sudo Caching

Source Browser Extensions File System Logical Offsets

Space after Filename Change Default File Association

Gatekeeper Bypass

Third-party Software Group Policy Modification

Trusted Developer Utilities Component Firmware Hidden Files and Directories

User Execution Component ObjectModel Hijacking

Hidden Users

Windows Management Instrumentation

Hidden Window

Create Account HISTCONTROL

Windows Remote Management

External Remote Services Indicator Blocking

Hidden Files and Directories Indicator Removalfrom ToolsXSL Script Processing Hypervisor

Kernel Modules and Extensions

Indicator Removal on Host

Indirect Command Execution

Launch Agent Install Root Certificate

LC_LOAD_DYLIB Addition InstallUtil

Login Item Launchctl

Logon Scripts LC_MAIN Hijacking

Modify Existing Service Masquerading

Netsh Helper DLL Modify Registry

Office Application Startup Mshta

Port Knocking Network Share ConnectionRemovalRccommon

Redundant Access NTFS File Attributes

Registry Run Keys Startup Folder

Obfuscated Filesor Information

Re-opened Applications Port Knocking

Screensaver Process Doppelgaumlnging

Security Support Provider Process Hollowing

Shortcut Modification Redundant Access

SIP and Trust ProviderHijacking

RegsvcsRegasm

Regsvr32

System Firmware Rootkit

Systemd Service Rundll32

Time Providers Scripting

Windows Management Instrumentation Event

Subscription

Signed Binary Proxy Execution

Signed ScriptProxy ExecutionWinlogon Helper DLL

SIP and Trust Provider Hijacking

Software Packing

Space after Filename

Template Injection

Timestomp

Trusted Developer Utilities

VirtualizationSandbox Evasion

Web Service

XSL Script Processing

Initial Access

Drive-by Compromise

Exploit Public-Facing Application

External Remote Services

Hardware Additions

Replication Through Removable Media

Spearphishing Attachment

Spearphishing Link

Spearphishing via Service

Supply Chain Compromise

Trusted Relationship

Valid Accounts

Remembering ATTampCK (therersquos a lot)

Tactics the adversaryrsquos technical goals

Te

ch

niq

ue

s

ho

w t

he

go

als

are

a

ch

iev

ed

| 8 |

Procedures Specific technique implementation

Trapped in a Time-Consuming Process

Too many reports not enough people

Human error

Training new team members

copy2019 The MITRE Corporation ALL RIGHTS RESERVED Approved for public release Distribution unlimited 19-01159-17

| 9 |

httpswwwpinterestcompin165788830002744446

Off to the Emerald Automation City

| 10 |

httpwwwinfosalonsgroupcom20180521start-sold-journey-yellow-brick-road

The ldquoMagicrdquo behind TRAM

| 11 |

1

Get Data

2

Clean amp Prepare Data

3

Train Model

Get Data

ndash ATTampCK procedure examples

ndash STIXTAXII data from ATTampCK

Clean amp Prepare Data

ndash Normalization

ndash Natural language processing

Build amp Train Models

ndash Python Logistic regression and supervised learning

ndash Count Vectorizer feature extraction cross validation etc

The ldquoMagicrdquo behind TRAM (Continued)

Test Data

ndash Submit a report via URL

ndash Models generate predictions on unseendata

Review Model Decision

ndash Accept or Reject the predictions

ndash Add in missing techniques

Feedback Loop

ndash Annotations are recorded and sent back to the database to build new models

ndash Reports can be exported

copy2019 The MITRE Corporation ALL RIGHTS RESERVED Approved for public release Distribution unlimited 19-01159-17

| 12 |

7

Feedback Loop

6

Review Model Decisions

copy2019 The MITRE Corporation ALL RIGHTS RESERVED Approved for public release Distribution unlimited 19-01159-17

| 13 |

Threat Report ATTampCK Mapper (TRAM) Demo

copy2019 The MITRE Corporation ALL RIGHTS RESERVED Approved for public release Distribution unlimited 19-01159-17

| 14 |

Why Does This Matter

Easier to get started with ATTampCK

Streamline the workflow

Find techniques we forget about (or have never heard of)

Use reporting that is important to you

| 15 |

httptheconversationcomwizard-of-oz-why-this-extraordinary-movie-has-been-so-influential-108098

Overcoming Challenges

copy2019 The MITRE Corporation ALL RIGHTS RESERVED Approved for public release Distribution unlimited 19-01159-17

| 16 |

Prediction Accuracy

How do we look for techniques not in ATTampCK yet

Building automations can take away time from other work

httpswwwrankercomlistwicked-witch-margaret-hamilton-career

Is the Wizard of Automation real

Why is automating CTI hard to do

Augmenting CTI work to blend human analysis with AI

copy2019 The MITRE Corporation ALL RIGHTS RESERVED Approved for public release Distribution unlimited 19-01159-17

| 17 |

httpsmediagiphycommediaAEMyf9Oj6MpS8giphygif

Future of TRAM

Despite full automation not being the answer to all our problems development on TRAM is still on track

Finding the balance as we transition the workflow

We encourage and appreciate contributions from the community

copy2019 The MITRE Corporation ALL RIGHTS RESERVED Approved for public release Distribution unlimited 19-01159-17

| 18 |

copy2019 The MITRE Corporation ALL RIGHTS RESERVED Approved for public release Distribution unlimited 19-01159-17

| 19 |

attackmitreorgattackmitreorgMITREattack

Sarah Yodersarah__yoder

Jackie Lasky

httpsgithubcommitre-attacktram

Page 3: Automation - SANS Institute...N et w ork D eni al of Servi ce R esource H ijacki ng R untime D at a Manipul at ion Servi ce Stop Stor ed D at a Manipul at ion T ransm itted D at a

The Plan

copy2019 The MITRE Corporation ALL RIGHTS RESERVED Approved for public release Distribution unlimited 19-01159-17

| 3 |

How We Use CTI for ATTampCK

Our Automation Tool - TRAM

How This Can Help You

Challenges with Automation

The Future of TRAM httpswwwkristvcomnewslocal-newsfollow-the-yellow-brick-road-to-the-wizard-of-oz-movie-party

What does Cyber Threat Intelligence mean for ATTampCK

CTI forms the basis of ATTampCK

We help to organize CTI by keeping ATTampCK up-to-date

We develop ways to share or organize CTI

We show and provide ways to use CTI

| 4 |

Before We Got A ldquoBrain

copy2019 The MITRE Corporation ALL RIGHTS RESERVED Approved for public release Distribution unlimited 19-01159-17

| 5 |

Backlog of reports Analyst gets assigned report to read and review

Data is entered into ATTampCK

httpwwwlocgovexhibitsozimagesuc55jpg

The Yellow Brick Road Reporting rArr ATTampCK

1 Find open source threat reporting

bull APT groups software

2 Find behaviors in the report

bull Think ATTampCK structure

| 6 |

httpswwwhiclipartcomsearchclipart=goodbye+Yellow+Brick+Road

| 7 |

Defense Evasion

Defense Evasion

Discovery

Discovery

| Obfuscated Files or Information(T1027)

| Obfuscated Files or Information(T1027)

| File and Directory Discovery (T1083)

| VirtualizationSandbox Evasion (T1497)

| Data Encrypted for Impact (T1486) | Process Discovery (T1057)

| System Service Discovery (T1007)

httpsusakasperskycomaboutpress-releases2018_synack-doppelganging

Defense Evasion

Impact

Defense Evasion | Execution Guardrails (T1480)

Finding Behaviors in Finished Reporting

Impact

Data Destruction

Data Encrypted for Impact

Defacement

Disk Content Wipe

Disk Structure Wipe

Endpoint Denial of Service

Firmware Corruption

Inhibit System Recovery

Network Denial of Service

Resource Hijacking

Runtime Data Manipulation

Service Stop

Stored Data Manipulation

Transmitted Data Manipulation

copy 2019 The MITRE Corporation All rights reserved Matrix current as of May 2019

Command and Control

Commonly Used Port

Communication Through Removable Media

Connection Proxy

Custom Command and Control Protocol

Custom Cryptographic Protocol

Data Encoding

Data Obfuscation

Domain Fronting

Domain GenerationAlgorithms

Fallback Channels

Multiband Communication

Multi-hop Proxy

Multilayer Encryption

Multi-Stage Channels

Port Knocking

Remote Access Tools

Remote File Copy

Standard Application Layer Protocol

Standard Cryptographic Protocol

Standard Non-ApplicationLayer Protocol

Uncommonly Used Port

Web Service

Exfiltration

Automated Exfiltration

Data Compressed

Data Encrypted

Data Transfer Size Limits

Exfiltration Over OtherNetwork Medium

Exfiltration Over Commandand Control Channel

Exfiltration Over Alternative Protocol

Exfiltration Over Physical Medium

Scheduled Transfer

Collection

Audio Capture

Automated Collection

Clipboard Data

Data from InformationRepositories

Data from Local System

Data from Network Shared Drive

Data from Removable Media

Data Staged

Email Collection

Input Capture

Man in the Browser

Screen Capture

Video Capture

Lateral Movement

AppleScript

Application Deployment Software

Distributed ComponentObject Model

Exploitation ofRemote Services

Logon Scripts

Pass the Hash

Pass the Ticket

Remote Desktop Protocol

Remote File Copy

Remote Services

Replication Through Removable Media

Shared Webroot

SSH Hijacking

Taint Shared Content

Third-party Software

Windows Admin Shares

Windows RemoteManagement

Credential Access Discovery

Network Sniffing

Account Manipulation Account Discovery

Bash History Application WindowDiscoveryBrute Force

Credential Dumping Browser Bookmark DiscoveryCredentials in Files

Credentials in Registry Domain Trust Discovery

Exploitation forCredential Access

File and Directory Discovery

Network Service Scanning

Forced Authentication Network Share Discovery

Hooking Password Policy Discovery

Input Capture Peripheral Device Discovery

Input Prompt Permission Groups Discovery

Kerberoasting Process Discovery

Keychain Query Registry

LLMNRNBT-NS Poisoningand Relay

Remote System Discovery

Security Software Discovery

Password Filter DLL System InformationDiscoveryPrivate Keys

Securityd Memory System Network Configuration Discovery

Two-Factor AuthenticationInterception

System Network Connections Discovery

System OwnerUserDiscovery

System Service Discovery

System Time Discovery

VirtualizationSandbox Evasion

Execution Persistence Privilege Escalation Defense Evasion

Scheduled Task Binary Padding

Launchctl Access Token Manipulation

Local Job Scheduling Bypass User Account Control

LSASS Driver Extra Window Memory Injection

Trap Process Injection

AppleScript DLL Search Order Hijacking

CMSTP Image File Execution Options Injection

Command-Line Interface Plist Modification

Compiled HTML File Valid Accounts

Control Panel Items Accessibility Features BITS Jobs

Dynamic Data Exchange AppCert DLLs Clear Command History

Execution through API AppInit DLLs CMSTP

Execution through Module Load

Application Shimming Code Signing

Dylib Hijacking Compiled HTML File

Exploitation for Client Execution

File System Permissions Weakness Component Firmware

Hooking Component Object ModelHijackingGraphical User Interface Launch Daemon

InstallUtil New Service Control Panel Items

Mshta Path Interception DCShadow

PowerShell Port Monitors DeobfuscateDecode Filesor InformationRegsvcsRegasm Service Registry Permissions Weakness

Regsvr32 Setuid and Setgid Disabling Security Tools

Rundll32 Startup Items DLL Side-Loading

Execution (continued): Scripting, Service Execution, Signed Binary Proxy Execution, Signed Script Proxy Execution, Source, Space after Filename, Third-party Software, Trusted Developer Utilities, User Execution, Windows Management Instrumentation, Windows Remote Management, XSL Script Processing

Persistence (continued): Web Shell, .bash_profile and .bashrc, Account Manipulation, Authentication Package, BITS Jobs, Bootkit, Browser Extensions, Change Default File Association, Component Firmware, Component Object Model Hijacking, Create Account, External Remote Services, Hidden Files and Directories, Hypervisor, Kernel Modules and Extensions, Launch Agent, LC_LOAD_DYLIB Addition, Login Item, Logon Scripts, Modify Existing Service, Netsh Helper DLL, Office Application Startup, Port Knocking, Rc.common, Redundant Access, Registry Run Keys / Startup Folder, Re-opened Applications, Screensaver, Security Support Provider, Shortcut Modification, SIP and Trust Provider Hijacking, System Firmware, Systemd Service, Time Providers, Windows Management Instrumentation Event Subscription, Winlogon Helper DLL

Privilege Escalation (continued): Exploitation for Privilege Escalation, SID-History Injection, Sudo, Sudo Caching

Defense Evasion (continued): Execution Guardrails, Exploitation for Defense Evasion, File Deletion, File Permissions Modification, File System Logical Offsets, Gatekeeper Bypass, Group Policy Modification, Hidden Files and Directories, Hidden Users, Hidden Window, HISTCONTROL, Indicator Blocking, Indicator Removal from Tools, Indicator Removal on Host, Indirect Command Execution, Install Root Certificate, InstallUtil, Launchctl, LC_MAIN Hijacking, Masquerading, Modify Registry, Mshta, Network Share Connection Removal, NTFS File Attributes, Obfuscated Files or Information, Port Knocking, Process Doppelgänging, Process Hollowing, Redundant Access, Regsvcs/Regasm, Regsvr32, Rootkit, Rundll32, Scripting, Signed Binary Proxy Execution, Signed Script Proxy Execution, SIP and Trust Provider Hijacking, Software Packing, Space after Filename, Template Injection, Timestomp, Trusted Developer Utilities, Virtualization/Sandbox Evasion, Web Service, XSL Script Processing

Initial Access: Drive-by Compromise, Exploit Public-Facing Application, External Remote Services, Hardware Additions, Replication Through Removable Media, Spearphishing Attachment, Spearphishing Link, Spearphishing via Service, Supply Chain Compromise, Trusted Relationship, Valid Accounts

Remembering ATT&CK (there's a lot)

Tactics: the adversary's technical goals

Techniques: how the goals are achieved

Procedures: specific technique implementation

| 8 |

Trapped in a Time-Consuming Process

Too many reports, not enough people

Human error

Training new team members


| 9 |

https://www.pinterest.com/pin/165788830002744446

Off to the Emerald Automation City

| 10 |

http://www.infosalonsgroup.com/2018/05/21/start-sold-journey-yellow-brick-road

The "Magic" behind TRAM

| 11 |

1. Get Data

2. Clean & Prepare Data

3. Train Model

Get Data

– ATT&CK procedure examples

– STIX/TAXII data from ATT&CK

Clean & Prepare Data

– Normalization

– Natural language processing

Build & Train Models

– Python: logistic regression and supervised learning

– Count Vectorizer, feature extraction, cross validation, etc.

The "Magic" behind TRAM (Continued)

Test Data

– Submit a report via URL

– Models generate predictions on unseen data

Review Model Decision

– Accept or reject the predictions

– Add in missing techniques

Feedback Loop

– Annotations are recorded and sent back to the database to build new models

– Reports can be exported


| 12 |

6. Review Model Decisions

7. Feedback Loop
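A miniature, self-contained version of the pipeline the two TRAM slides above describe, added here as an example (it is not TRAM's own code): a bag-of-words CountVectorizer, multinomial logistic regression, predictions on an unseen report sentence, and the accept/reject feedback loop that retrains the model from recorded annotations. Both the vectorizer and the classifier are written in plain Python here instead of scikit-learn; the training sentences are constructed stand-ins for ATT&CK procedure examples, and the class and method names (TramMapper, record_annotation) are my own.

```python
"""Added example, not TRAM's own code: a miniature version of the pipeline the
slides describe (bag-of-words features, logistic regression, prediction on unseen
report text, analyst accept/reject, retraining from the annotations)."""
import math
import re
from collections import Counter

# Constructed stand-ins for ATT&CK procedure examples: (sentence, technique ID).
TRAINING_DATA = [
    ("the malware encodes its payload with base64 and packs the binary", "T1027"),
    ("the dropper obfuscates strings and xor encodes its configuration", "T1027"),
    ("the sample is packed with a custom packer to hide its code", "T1027"),
    ("the implant enumerates files and directories on the infected host", "T1083"),
    ("it lists the contents of the user profile directory", "T1083"),
    ("the tool searches the file system for documents to collect", "T1083"),
    ("the backdoor lists running processes to find security software", "T1057"),
    ("it enumerates processes using tasklist", "T1057"),
    ("the trojan queries the process list before injecting", "T1057"),
    ("the ransomware encrypts files on disk and demands payment", "T1486"),
    ("the wiper encrypts user documents with aes and drops a ransom note", "T1486"),
    ("files are encrypted and renamed with a new extension", "T1486"),
]
TOKEN_RE = re.compile(r"[a-z0-9_]+")

def normalize(text):
    """Normalization step: lower-case and split into word tokens."""
    return TOKEN_RE.findall(text.lower())

class CountVectorizer:
    """Bag-of-words counts over a vocabulary learned from the training text."""
    def fit(self, texts):
        self.vocab = {}
        for text in texts:
            for tok in normalize(text):
                self.vocab.setdefault(tok, len(self.vocab))
        return self

    def transform(self, text):
        vec = [0.0] * len(self.vocab)
        for tok, n in Counter(normalize(text)).items():
            if tok in self.vocab:  # words never seen in training are ignored
                vec[self.vocab[tok]] = float(n)
        return vec

class LogisticRegression:
    """Multinomial logistic regression fitted by batch gradient descent."""
    def __init__(self, lr=0.3, epochs=400):
        self.lr, self.epochs = lr, epochs

    def predict_proba(self, x):
        scores = [b + sum(wj * xj for wj, xj in zip(w, x)) for w, b in zip(self.w, self.b)]
        m = max(scores)  # shift before exp for numerical stability
        exps = [math.exp(s - m) for s in scores]
        return {c: e / sum(exps) for c, e in zip(self.classes, exps)}

    def fit(self, X, y):
        self.classes = sorted(set(y))
        k, d, n = len(self.classes), len(X[0]), len(X)
        self.w, self.b = [[0.0] * d for _ in range(k)], [0.0] * k
        targets = [self.classes.index(label) for label in y]
        for _ in range(self.epochs):
            gw, gb = [[0.0] * d for _ in range(k)], [0.0] * k
            for x, t in zip(X, targets):
                probs = list(self.predict_proba(x).values())  # ordered as self.classes
                for c in range(k):
                    err = probs[c] - (1.0 if c == t else 0.0)  # dLoss/dScore_c
                    gb[c] += err
                    for j, xj in enumerate(x):
                        if xj:
                            gw[c][j] += err * xj
            for c in range(k):  # averaged gradient step
                self.b[c] -= self.lr * gb[c] / n
                self.w[c] = [wj - self.lr * g / n for wj, g in zip(self.w[c], gw[c])]
        return self

class TramMapper:
    """Maps report sentences to technique IDs and learns from analyst review."""
    def __init__(self, data):
        self.data = list(data)
        self.retrain()

    def retrain(self):
        """Rebuild vocabulary and model from the current annotated data set."""
        texts, labels = zip(*self.data)
        self.vectorizer = CountVectorizer().fit(texts)
        features = [self.vectorizer.transform(t) for t in texts]
        self.model = LogisticRegression().fit(features, list(labels))

    def predict(self, sentence):
        """Candidate technique IDs for an unseen sentence, most probable first."""
        probs = self.model.predict_proba(self.vectorizer.transform(sentence))
        return sorted(probs.items(), key=lambda kv: kv[1], reverse=True)

    def record_annotation(self, sentence, technique, accepted):
        """Analyst review: accepted or analyst-added mappings become training data."""
        if accepted:
            self.data.append((sentence, technique))
        return len(self.data)
```

A technique the model has never seen (the "add in missing techniques" case) only becomes predictable after an analyst records it and the model is retrained, which is exactly the feedback loop on the slide.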


| 13 |

Threat Report ATT&CK Mapper (TRAM) Demo


| 14 |

Why Does This Matter?

Easier to get started with ATT&CK

Streamline the workflow

Find techniques we forget about (or have never heard of)

Use reporting that is important to you

| 15 |

http://theconversation.com/wizard-of-oz-why-this-extraordinary-movie-has-been-so-influential-108098

Overcoming Challenges


| 16 |

Prediction Accuracy

How do we look for techniques not in ATT&CK yet?

Building automations can take away time from other work

https://www.ranker.com/list/wicked-witch-margaret-hamilton-career

Is the Wizard of Automation real?

Why is automating CTI hard to do?

Augmenting CTI work to blend human analysis with AI


| 17 |

https://media.giphy.com/media/AEMyf9Oj6MpS8/giphy.gif

Future of TRAM

Despite full automation not being the answer to all our problems, development on TRAM is still on track

Finding the balance as we transition the workflow

We encourage and appreciate contributions from the community


| 18 |


| 19 |

attack.mitre.org | attack@mitre.org | @MITREattack

Sarah Yoder (@sarah__yoder)

Jackie Lasky

https://github.com/mitre-attack/tram

Page 4: Automation - SANS Institute...N et w ork D eni al of Servi ce R esource H ijacki ng R untime D at a Manipul at ion Servi ce Stop Stor ed D at a Manipul at ion T ransm itted D at a

What does Cyber Threat Intelligence mean for ATTampCK

CTI forms the basis of ATTampCK

We help to organize CTI by keeping ATTampCK up-to-date

We develop ways to share or organize CTI

We show and provide ways to use CTI

| 4 |

Before We Got A ldquoBrain

copy2019 The MITRE Corporation ALL RIGHTS RESERVED Approved for public release Distribution unlimited 19-01159-17

| 5 |

Backlog of reports Analyst gets assigned report to read and review

Data is entered into ATTampCK

httpwwwlocgovexhibitsozimagesuc55jpg

The Yellow Brick Road Reporting rArr ATTampCK

1 Find open source threat reporting

bull APT groups software

2 Find behaviors in the report

bull Think ATTampCK structure

| 6 |

httpswwwhiclipartcomsearchclipart=goodbye+Yellow+Brick+Road

| 7 |

Defense Evasion

Defense Evasion

Discovery

Discovery

| Obfuscated Files or Information(T1027)

| Obfuscated Files or Information(T1027)

| File and Directory Discovery (T1083)

| VirtualizationSandbox Evasion (T1497)

| Data Encrypted for Impact (T1486) | Process Discovery (T1057)

| System Service Discovery (T1007)

httpsusakasperskycomaboutpress-releases2018_synack-doppelganging

Defense Evasion

Impact

Defense Evasion | Execution Guardrails (T1480)

Finding Behaviors in Finished Reporting

Impact

Data Destruction

Data Encrypted for Impact

Defacement

Disk Content Wipe

Disk Structure Wipe

Endpoint Denial of Service

Firmware Corruption

Inhibit System Recovery

Network Denial of Service

Resource Hijacking

Runtime Data Manipulation

Service Stop

Stored Data Manipulation

Transmitted Data Manipulation

copy 2019 The MITRE Corporation All rights reserved Matrix current as of May 2019

Command and Control

Commonly Used Port

Communication Through Removable Media

Connection Proxy

Custom Command and Control Protocol

Custom Cryptographic Protocol

Data Encoding

Data Obfuscation

Domain Fronting

Domain GenerationAlgorithms

Fallback Channels

Multiband Communication

Multi-hop Proxy

Multilayer Encryption

Multi-Stage Channels

Port Knocking

Remote Access Tools

Remote File Copy

Standard Application Layer Protocol

Standard Cryptographic Protocol

Standard Non-ApplicationLayer Protocol

Uncommonly Used Port

Web Service

Exfiltration

Automated Exfiltration

Data Compressed

Data Encrypted

Data Transfer Size Limits

Exfiltration Over OtherNetwork Medium

Exfiltration Over Commandand Control Channel

Exfiltration Over Alternative Protocol

Exfiltration Over Physical Medium

Scheduled Transfer

Collection

Audio Capture

Automated Collection

Clipboard Data

Data from InformationRepositories

Data from Local System

Data from Network Shared Drive

Data from Removable Media

Data Staged

Email Collection

Input Capture

Man in the Browser

Screen Capture

Video Capture

Lateral Movement

AppleScript

Application Deployment Software

Distributed ComponentObject Model

Exploitation ofRemote Services

Logon Scripts

Pass the Hash

Pass the Ticket

Remote Desktop Protocol

Remote File Copy

Remote Services

Replication Through Removable Media

Shared Webroot

SSH Hijacking

Taint Shared Content

Third-party Software

Windows Admin Shares

Windows RemoteManagement

Credential Access Discovery

Network Sniffing

Account Manipulation Account Discovery

Bash History Application WindowDiscoveryBrute Force

Credential Dumping Browser Bookmark DiscoveryCredentials in Files

Credentials in Registry Domain Trust Discovery

Exploitation forCredential Access

File and Directory Discovery

Network Service Scanning

Forced Authentication Network Share Discovery

Hooking Password Policy Discovery

Input Capture Peripheral Device Discovery

Input Prompt Permission Groups Discovery

Kerberoasting Process Discovery

Keychain Query Registry

LLMNRNBT-NS Poisoningand Relay

Remote System Discovery

Security Software Discovery

Password Filter DLL System InformationDiscoveryPrivate Keys

Securityd Memory System Network Configuration Discovery

Two-Factor AuthenticationInterception

System Network Connections Discovery

System OwnerUserDiscovery

System Service Discovery

System Time Discovery

VirtualizationSandbox Evasion

Execution Persistence Privilege Escalation Defense Evasion

Scheduled Task Binary Padding

Launchctl Access Token Manipulation

Local Job Scheduling Bypass User Account Control

LSASS Driver Extra Window Memory Injection

Trap Process Injection

AppleScript DLL Search Order Hijacking

CMSTP Image File Execution Options Injection

Command-Line Interface Plist Modification

Compiled HTML File Valid Accounts

Control Panel Items Accessibility Features BITS Jobs

Dynamic Data Exchange AppCert DLLs Clear Command History

Execution through API AppInit DLLs CMSTP

Execution through Module Load

Application Shimming Code Signing

Dylib Hijacking Compiled HTML File

Exploitation for Client Execution

File System Permissions Weakness Component Firmware

Hooking Component Object ModelHijackingGraphical User Interface Launch Daemon

InstallUtil New Service Control Panel Items

Mshta Path Interception DCShadow

PowerShell Port Monitors DeobfuscateDecode Filesor InformationRegsvcsRegasm Service Registry Permissions Weakness

Regsvr32 Setuid and Setgid Disabling Security Tools

Rundll32 Startup Items DLL Side-Loading

Scripting Web Shell Execution Guardrails

Service Execution bash_profile and bashrc Exploitation for Privilege Escalation

Exploitation for Defense Evasion

Signed Binary Proxy Execution

Account Manipulation

Authentication Package SID-History Injection File Deletion

Signed Script Proxy Execution

BITS Jobs Sudo File Permissions ModificationBootkit Sudo Caching

Source Browser Extensions File System Logical Offsets

Space after Filename Change Default File Association

Gatekeeper Bypass

Third-party Software Group Policy Modification

Trusted Developer Utilities Component Firmware Hidden Files and Directories

User Execution Component ObjectModel Hijacking

Hidden Users

Windows Management Instrumentation

Hidden Window

Create Account HISTCONTROL

Windows Remote Management

External Remote Services Indicator Blocking

Hidden Files and Directories Indicator Removalfrom ToolsXSL Script Processing Hypervisor

Kernel Modules and Extensions

Indicator Removal on Host

Indirect Command Execution

Launch Agent Install Root Certificate

LC_LOAD_DYLIB Addition InstallUtil

Login Item Launchctl

Logon Scripts LC_MAIN Hijacking

Modify Existing Service Masquerading

Netsh Helper DLL Modify Registry

Office Application Startup Mshta

Port Knocking Network Share ConnectionRemovalRccommon

Redundant Access NTFS File Attributes

Registry Run Keys Startup Folder

Obfuscated Filesor Information

Re-opened Applications Port Knocking

Screensaver Process Doppelgaumlnging

Security Support Provider Process Hollowing

Shortcut Modification Redundant Access

SIP and Trust ProviderHijacking

RegsvcsRegasm

Regsvr32

System Firmware Rootkit

Systemd Service Rundll32

Time Providers Scripting

Windows Management Instrumentation Event

Subscription

Signed Binary Proxy Execution

Signed ScriptProxy ExecutionWinlogon Helper DLL

SIP and Trust Provider Hijacking

Software Packing

Space after Filename

Template Injection

Timestomp

Trusted Developer Utilities

VirtualizationSandbox Evasion

Web Service

XSL Script Processing

Initial Access

Drive-by Compromise

Exploit Public-Facing Application

External Remote Services

Hardware Additions

Replication Through Removable Media

Spearphishing Attachment

Spearphishing Link

Spearphishing via Service

Supply Chain Compromise

Trusted Relationship

Valid Accounts

Remembering ATTampCK (therersquos a lot)

Tactics the adversaryrsquos technical goals

Te

ch

niq

ue

s

ho

w t

he

go

als

are

a

ch

iev

ed

| 8 |

Procedures Specific technique implementation

Trapped in a Time-Consuming Process

Too many reports not enough people

Human error

Training new team members

copy2019 The MITRE Corporation ALL RIGHTS RESERVED Approved for public release Distribution unlimited 19-01159-17

| 9 |

httpswwwpinterestcompin165788830002744446

Off to the Emerald Automation City

| 10 |

httpwwwinfosalonsgroupcom20180521start-sold-journey-yellow-brick-road

The ldquoMagicrdquo behind TRAM

| 11 |

1

Get Data

2

Clean amp Prepare Data

3

Train Model

Get Data

ndash ATTampCK procedure examples

ndash STIXTAXII data from ATTampCK

Clean amp Prepare Data

ndash Normalization

ndash Natural language processing

Build amp Train Models

ndash Python Logistic regression and supervised learning

ndash Count Vectorizer feature extraction cross validation etc

The ldquoMagicrdquo behind TRAM (Continued)

Test Data

ndash Submit a report via URL

ndash Models generate predictions on unseendata

Review Model Decision

ndash Accept or Reject the predictions

ndash Add in missing techniques

Feedback Loop

ndash Annotations are recorded and sent back to the database to build new models

ndash Reports can be exported

copy2019 The MITRE Corporation ALL RIGHTS RESERVED Approved for public release Distribution unlimited 19-01159-17

| 12 |

7

Feedback Loop

6

Review Model Decisions

copy2019 The MITRE Corporation ALL RIGHTS RESERVED Approved for public release Distribution unlimited 19-01159-17

| 13 |

Threat Report ATTampCK Mapper (TRAM) Demo

copy2019 The MITRE Corporation ALL RIGHTS RESERVED Approved for public release Distribution unlimited 19-01159-17

| 14 |

Why Does This Matter

Easier to get started with ATTampCK

Streamline the workflow

Find techniques we forget about (or have never heard of)

Use reporting that is important to you

| 15 |

httptheconversationcomwizard-of-oz-why-this-extraordinary-movie-has-been-so-influential-108098

Overcoming Challenges

copy2019 The MITRE Corporation ALL RIGHTS RESERVED Approved for public release Distribution unlimited 19-01159-17

| 16 |

Prediction Accuracy

How do we look for techniques not in ATTampCK yet

Building automations can take away time from other work

httpswwwrankercomlistwicked-witch-margaret-hamilton-career

Is the Wizard of Automation real

Why is automating CTI hard to do

Augmenting CTI work to blend human analysis with AI

copy2019 The MITRE Corporation ALL RIGHTS RESERVED Approved for public release Distribution unlimited 19-01159-17

| 17 |

httpsmediagiphycommediaAEMyf9Oj6MpS8giphygif

Future of TRAM

Despite full automation not being the answer to all our problems development on TRAM is still on track

Finding the balance as we transition the workflow

We encourage and appreciate contributions from the community

copy2019 The MITRE Corporation ALL RIGHTS RESERVED Approved for public release Distribution unlimited 19-01159-17

| 18 |

copy2019 The MITRE Corporation ALL RIGHTS RESERVED Approved for public release Distribution unlimited 19-01159-17

| 19 |

attackmitreorgattackmitreorgMITREattack

Sarah Yodersarah__yoder

Jackie Lasky

httpsgithubcommitre-attacktram

Page 5: Automation - SANS Institute...N et w ork D eni al of Servi ce R esource H ijacki ng R untime D at a Manipul at ion Servi ce Stop Stor ed D at a Manipul at ion T ransm itted D at a

Before We Got A ldquoBrain

copy2019 The MITRE Corporation ALL RIGHTS RESERVED Approved for public release Distribution unlimited 19-01159-17

| 5 |

Backlog of reports Analyst gets assigned report to read and review

Data is entered into ATTampCK

httpwwwlocgovexhibitsozimagesuc55jpg

The Yellow Brick Road Reporting rArr ATTampCK

1 Find open source threat reporting

bull APT groups software

2 Find behaviors in the report

bull Think ATTampCK structure

| 6 |

httpswwwhiclipartcomsearchclipart=goodbye+Yellow+Brick+Road

| 7 |

Defense Evasion

Defense Evasion

Discovery

Discovery

| Obfuscated Files or Information(T1027)

| Obfuscated Files or Information(T1027)

| File and Directory Discovery (T1083)

| VirtualizationSandbox Evasion (T1497)

| Data Encrypted for Impact (T1486) | Process Discovery (T1057)

| System Service Discovery (T1007)

httpsusakasperskycomaboutpress-releases2018_synack-doppelganging

Defense Evasion

Impact

Defense Evasion | Execution Guardrails (T1480)

Finding Behaviors in Finished Reporting

Impact

Data Destruction

Data Encrypted for Impact

Defacement

Disk Content Wipe

Disk Structure Wipe

Endpoint Denial of Service

Firmware Corruption

Inhibit System Recovery

Network Denial of Service

Resource Hijacking

Runtime Data Manipulation

Service Stop

Stored Data Manipulation

Transmitted Data Manipulation

copy 2019 The MITRE Corporation All rights reserved Matrix current as of May 2019

Command and Control

Commonly Used Port

Communication Through Removable Media

Connection Proxy

Custom Command and Control Protocol

Custom Cryptographic Protocol

Data Encoding

Data Obfuscation

Domain Fronting

Domain GenerationAlgorithms

Fallback Channels

Multiband Communication

Multi-hop Proxy

Multilayer Encryption

Multi-Stage Channels

Port Knocking

Remote Access Tools

Remote File Copy

Standard Application Layer Protocol

Standard Cryptographic Protocol

Standard Non-ApplicationLayer Protocol

Uncommonly Used Port

Web Service

Exfiltration

Automated Exfiltration

Data Compressed

Data Encrypted

Data Transfer Size Limits

Exfiltration Over OtherNetwork Medium

Exfiltration Over Commandand Control Channel

Exfiltration Over Alternative Protocol

Exfiltration Over Physical Medium

Scheduled Transfer

Collection

Audio Capture

Automated Collection

Clipboard Data

Data from InformationRepositories

Data from Local System

Data from Network Shared Drive

Data from Removable Media

Data Staged

Email Collection

Input Capture

Man in the Browser

Screen Capture

Video Capture

Lateral Movement

AppleScript

Application Deployment Software

Distributed ComponentObject Model

Exploitation ofRemote Services

Logon Scripts

Pass the Hash

Pass the Ticket

Remote Desktop Protocol

Remote File Copy

Remote Services

Replication Through Removable Media

Shared Webroot

SSH Hijacking

Taint Shared Content

Third-party Software

Windows Admin Shares

Windows RemoteManagement

Credential Access Discovery

Network Sniffing

Account Manipulation Account Discovery

Bash History Application WindowDiscoveryBrute Force

Credential Dumping Browser Bookmark DiscoveryCredentials in Files

Credentials in Registry Domain Trust Discovery

Exploitation forCredential Access

File and Directory Discovery

Network Service Scanning

Forced Authentication Network Share Discovery

Hooking Password Policy Discovery

Input Capture Peripheral Device Discovery

Input Prompt Permission Groups Discovery

Kerberoasting Process Discovery

Keychain Query Registry

LLMNRNBT-NS Poisoningand Relay

Remote System Discovery

Security Software Discovery

Password Filter DLL System InformationDiscoveryPrivate Keys

Securityd Memory System Network Configuration Discovery

Two-Factor AuthenticationInterception

System Network Connections Discovery

System OwnerUserDiscovery

System Service Discovery

System Time Discovery

VirtualizationSandbox Evasion

Execution Persistence Privilege Escalation Defense Evasion

Scheduled Task Binary Padding

Launchctl Access Token Manipulation

Local Job Scheduling Bypass User Account Control

LSASS Driver Extra Window Memory Injection

Trap Process Injection

AppleScript DLL Search Order Hijacking

CMSTP Image File Execution Options Injection

Command-Line Interface Plist Modification

Compiled HTML File Valid Accounts

Control Panel Items Accessibility Features BITS Jobs

Dynamic Data Exchange AppCert DLLs Clear Command History

Execution through API AppInit DLLs CMSTP

Execution through Module Load

Application Shimming Code Signing

Dylib Hijacking Compiled HTML File

Exploitation for Client Execution

File System Permissions Weakness Component Firmware

Hooking Component Object ModelHijackingGraphical User Interface Launch Daemon

InstallUtil New Service Control Panel Items

Mshta Path Interception DCShadow

PowerShell Port Monitors DeobfuscateDecode Filesor InformationRegsvcsRegasm Service Registry Permissions Weakness

Regsvr32 Setuid and Setgid Disabling Security Tools

Rundll32 Startup Items DLL Side-Loading

Scripting Web Shell Execution Guardrails

Service Execution bash_profile and bashrc Exploitation for Privilege Escalation

Exploitation for Defense Evasion

Signed Binary Proxy Execution

Account Manipulation

Authentication Package SID-History Injection File Deletion

Signed Script Proxy Execution

BITS Jobs Sudo File Permissions ModificationBootkit Sudo Caching

Source Browser Extensions File System Logical Offsets

Space after Filename Change Default File Association

Gatekeeper Bypass

Third-party Software Group Policy Modification

Trusted Developer Utilities Component Firmware Hidden Files and Directories

User Execution Component ObjectModel Hijacking

Hidden Users

Windows Management Instrumentation

Hidden Window

Create Account HISTCONTROL

Windows Remote Management

External Remote Services Indicator Blocking

Hidden Files and Directories Indicator Removalfrom ToolsXSL Script Processing Hypervisor

Kernel Modules and Extensions

Indicator Removal on Host

Indirect Command Execution

Launch Agent Install Root Certificate

LC_LOAD_DYLIB Addition InstallUtil

Login Item Launchctl

Logon Scripts LC_MAIN Hijacking

Modify Existing Service Masquerading

Netsh Helper DLL Modify Registry

Office Application Startup Mshta

Port Knocking Network Share ConnectionRemovalRccommon

Redundant Access NTFS File Attributes

Registry Run Keys Startup Folder

Obfuscated Filesor Information

Re-opened Applications Port Knocking

Screensaver Process Doppelgaumlnging

Security Support Provider Process Hollowing

Shortcut Modification Redundant Access

SIP and Trust ProviderHijacking

RegsvcsRegasm

Regsvr32

System Firmware Rootkit

Systemd Service Rundll32

Time Providers Scripting

Windows Management Instrumentation Event

Subscription

Signed Binary Proxy Execution

Signed ScriptProxy ExecutionWinlogon Helper DLL

SIP and Trust Provider Hijacking

Software Packing

Space after Filename

Template Injection

Timestomp

Trusted Developer Utilities

VirtualizationSandbox Evasion

Web Service

XSL Script Processing

Initial Access

Drive-by Compromise

Exploit Public-Facing Application

External Remote Services

Hardware Additions

Replication Through Removable Media

Spearphishing Attachment

Spearphishing Link

Spearphishing via Service

Supply Chain Compromise

Trusted Relationship

Valid Accounts

Remembering ATTampCK (therersquos a lot)

Tactics the adversaryrsquos technical goals

Te

ch

niq

ue

s

ho

w t

he

go

als

are

a

ch

iev

ed

| 8 |

Procedures Specific technique implementation

Trapped in a Time-Consuming Process

Too many reports not enough people

Human error

Training new team members

copy2019 The MITRE Corporation ALL RIGHTS RESERVED Approved for public release Distribution unlimited 19-01159-17

| 9 |

httpswwwpinterestcompin165788830002744446

Off to the Emerald Automation City

| 10 |

httpwwwinfosalonsgroupcom20180521start-sold-journey-yellow-brick-road

The ldquoMagicrdquo behind TRAM

| 11 |

1

Get Data

2

Clean amp Prepare Data

3

Train Model

Get Data

ndash ATTampCK procedure examples

ndash STIXTAXII data from ATTampCK

Clean amp Prepare Data

ndash Normalization

ndash Natural language processing

Build amp Train Models

ndash Python Logistic regression and supervised learning

ndash Count Vectorizer feature extraction cross validation etc

The ldquoMagicrdquo behind TRAM (Continued)

Test Data

ndash Submit a report via URL

ndash Models generate predictions on unseendata

Review Model Decision

ndash Accept or Reject the predictions

ndash Add in missing techniques

Feedback Loop

ndash Annotations are recorded and sent back to the database to build new models

ndash Reports can be exported

copy2019 The MITRE Corporation ALL RIGHTS RESERVED Approved for public release Distribution unlimited 19-01159-17

| 12 |

7

Feedback Loop

6

Review Model Decisions

copy2019 The MITRE Corporation ALL RIGHTS RESERVED Approved for public release Distribution unlimited 19-01159-17

| 13 |

Threat Report ATTampCK Mapper (TRAM) Demo

copy2019 The MITRE Corporation ALL RIGHTS RESERVED Approved for public release Distribution unlimited 19-01159-17

| 14 |

Why Does This Matter

Easier to get started with ATTampCK

Streamline the workflow

Find techniques we forget about (or have never heard of)

Use reporting that is important to you

| 15 |

httptheconversationcomwizard-of-oz-why-this-extraordinary-movie-has-been-so-influential-108098

Overcoming Challenges

copy2019 The MITRE Corporation ALL RIGHTS RESERVED Approved for public release Distribution unlimited 19-01159-17

| 16 |

Prediction Accuracy

How do we look for techniques not in ATTampCK yet

Building automations can take away time from other work

httpswwwrankercomlistwicked-witch-margaret-hamilton-career

Is the Wizard of Automation real

Why is automating CTI hard to do

Augmenting CTI work to blend human analysis with AI

copy2019 The MITRE Corporation ALL RIGHTS RESERVED Approved for public release Distribution unlimited 19-01159-17

| 17 |

httpsmediagiphycommediaAEMyf9Oj6MpS8giphygif

Future of TRAM

Despite full automation not being the answer to all our problems development on TRAM is still on track

Finding the balance as we transition the workflow

We encourage and appreciate contributions from the community

copy2019 The MITRE Corporation ALL RIGHTS RESERVED Approved for public release Distribution unlimited 19-01159-17

| 18 |

copy2019 The MITRE Corporation ALL RIGHTS RESERVED Approved for public release Distribution unlimited 19-01159-17

| 19 |

attackmitreorgattackmitreorgMITREattack

Sarah Yodersarah__yoder

Jackie Lasky

httpsgithubcommitre-attacktram

Page 6: Automation - SANS Institute...N et w ork D eni al of Servi ce R esource H ijacki ng R untime D at a Manipul at ion Servi ce Stop Stor ed D at a Manipul at ion T ransm itted D at a

The Yellow Brick Road Reporting rArr ATTampCK

1 Find open source threat reporting

bull APT groups software

2 Find behaviors in the report

bull Think ATTampCK structure

| 6 |

httpswwwhiclipartcomsearchclipart=goodbye+Yellow+Brick+Road

| 7 |

Defense Evasion

Defense Evasion

Discovery

Discovery

| Obfuscated Files or Information(T1027)

| Obfuscated Files or Information(T1027)

| File and Directory Discovery (T1083)

| VirtualizationSandbox Evasion (T1497)

| Data Encrypted for Impact (T1486) | Process Discovery (T1057)

| System Service Discovery (T1007)

httpsusakasperskycomaboutpress-releases2018_synack-doppelganging

Defense Evasion

Impact

Defense Evasion | Execution Guardrails (T1480)

Finding Behaviors in Finished Reporting

Impact

Data Destruction

Data Encrypted for Impact

Defacement

Disk Content Wipe

Disk Structure Wipe

Endpoint Denial of Service

Firmware Corruption

Inhibit System Recovery

Network Denial of Service

Resource Hijacking

Runtime Data Manipulation

Service Stop

Stored Data Manipulation

Transmitted Data Manipulation

copy 2019 The MITRE Corporation All rights reserved Matrix current as of May 2019

Command and Control

Commonly Used Port

Communication Through Removable Media

Connection Proxy

Custom Command and Control Protocol

Custom Cryptographic Protocol

Data Encoding

Data Obfuscation

Domain Fronting

Domain GenerationAlgorithms

Fallback Channels

Multiband Communication

Multi-hop Proxy

Multilayer Encryption

Multi-Stage Channels

Port Knocking

Remote Access Tools

Remote File Copy

Standard Application Layer Protocol

Standard Cryptographic Protocol

Standard Non-ApplicationLayer Protocol

Uncommonly Used Port

Web Service

Exfiltration

Automated Exfiltration

Data Compressed

Data Encrypted

Data Transfer Size Limits

Exfiltration Over OtherNetwork Medium

Exfiltration Over Commandand Control Channel

Exfiltration Over Alternative Protocol

Exfiltration Over Physical Medium

Scheduled Transfer

Collection

Audio Capture

Automated Collection

Clipboard Data

Data from InformationRepositories

Data from Local System

Data from Network Shared Drive

Data from Removable Media

Data Staged

Email Collection

Input Capture

Man in the Browser

Screen Capture

Video Capture

Lateral Movement

AppleScript

Application Deployment Software

Distributed ComponentObject Model

Exploitation ofRemote Services

Logon Scripts

Pass the Hash

Pass the Ticket

Remote Desktop Protocol

Remote File Copy

Remote Services

Replication Through Removable Media

Shared Webroot

SSH Hijacking

Taint Shared Content

Third-party Software

Windows Admin Shares

Windows RemoteManagement

Credential Access Discovery

Network Sniffing

Account Manipulation Account Discovery

Bash History Application WindowDiscoveryBrute Force

Credential Dumping Browser Bookmark DiscoveryCredentials in Files

Credentials in Registry Domain Trust Discovery

Exploitation forCredential Access

File and Directory Discovery

Network Service Scanning

Forced Authentication Network Share Discovery

Hooking Password Policy Discovery

Input Capture Peripheral Device Discovery

Input Prompt Permission Groups Discovery

Kerberoasting Process Discovery

Keychain Query Registry

LLMNRNBT-NS Poisoningand Relay

Remote System Discovery

Security Software Discovery

Password Filter DLL System InformationDiscoveryPrivate Keys

Securityd Memory System Network Configuration Discovery

Two-Factor AuthenticationInterception

System Network Connections Discovery

System OwnerUserDiscovery

System Service Discovery

System Time Discovery

VirtualizationSandbox Evasion

Execution Persistence Privilege Escalation Defense Evasion

Scheduled Task Binary Padding

Launchctl Access Token Manipulation

Local Job Scheduling Bypass User Account Control

LSASS Driver Extra Window Memory Injection

Trap Process Injection

AppleScript DLL Search Order Hijacking

CMSTP Image File Execution Options Injection

Command-Line Interface Plist Modification

Compiled HTML File Valid Accounts

Control Panel Items Accessibility Features BITS Jobs

Dynamic Data Exchange AppCert DLLs Clear Command History

Execution through API AppInit DLLs CMSTP

Execution through Module Load

[Figure residue: ATT&CK Enterprise matrix, technique names listed under the Execution, Persistence, Privilege Escalation, Defense Evasion and Initial Access tactic columns]

| 8 |

Remembering ATT&CK (there's a lot)

Tactics: the adversary's technical goals

Techniques: how the goals are achieved

Procedures: specific technique implementation

| 9 |

Trapped in a Time-Consuming Process

Too many reports, not enough people

Human error

Training new team members

©2019 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for public release. Distribution unlimited 19-01159-17.

https://www.pinterest.com/pin/165788830002744446/

| 10 |

Off to the Emerald Automation City

http://www.infosalonsgroup.com/2018/05/21/start-sold-journey-yellow-brick-road/

| 11 |

The "Magic" behind TRAM

Pipeline steps: 1 Get Data, 2 Clean & Prepare Data, 3 Train Model

Get Data
– ATT&CK procedure examples
– STIX/TAXII data from ATT&CK

Clean & Prepare Data
– Normalization
– Natural language processing

Build & Train Models
– Python: logistic regression and supervised learning
– Count Vectorizer, feature extraction, cross validation, etc.

| 12 |

The "Magic" behind TRAM (Continued)

Test Data
– Submit a report via URL
– Models generate predictions on unseen data

Review Model Decision
– Accept or reject the predictions
– Add in missing techniques

Feedback Loop
– Annotations are recorded and sent back to the database to build new models
– Reports can be exported

Pipeline steps (continued): 6 Review Model Decisions, 7 Feedback Loop
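The pipeline on these two slides, as an added pure-Python example that is not TRAM's own code: a bag-of-words vectorizer and a multinomial logistic regression trained by gradient descent stand in for scikit-learn's CountVectorizer and LogisticRegression, the report is split into sentences and each gets one prediction, and the analyst's accepted and added annotations are folded back into the training set before the model is rebuilt. The training sentences, the report text and the analyst decisions are all constructed; the technique IDs are the ones from the report-mapping slide.

```python
"""Toy TRAM-style mapper: bag-of-words + multinomial logistic regression, then the
analyst review / feedback loop. Constructed data throughout; no scikit-learn needed."""
import re
from collections import Counter
from math import exp

STOPWORDS = {"the", "a", "an", "and", "to", "of", "on", "is", "it", "in", "with", "for",
             "by", "are", "that", "this", "its", "be", "when", "if", "or"}

# Constructed procedure-style training sentences (label = ATT&CK technique ID).
TRAINING = [
    ("the ransomware encrypts files on the victim host and demands payment", "T1486"),
    ("files are encrypted with a custom cipher and a ransom note is dropped", "T1486"),
    ("the malware enumerates running processes", "T1057"),
    ("it lists processes to find security products", "T1057"),
    ("enumerates system services on the host", "T1007"),
    ("gets a list of services running on the machine", "T1007"),
    ("searches the file system for files to encrypt", "T1083"),
    ("enumerates files and directories on all drives", "T1083"),
    ("checks whether it is running inside a sandbox or virtual machine", "T1497"),
    ("the sample detects virtualization and exits", "T1497"),
    ("the payload is obfuscated to hinder analysis", "T1027"),
    ("strings are encoded and decoded at runtime", "T1027"),
    ("checks the keyboard layout and exits if it matches an excluded country", "T1480"),
    ("only runs when the system locale matches the intended target", "T1480"),
]

# Constructed report text in the style of a vendor write-up (not quoted from any real one).
REPORT = ("The ransomware encrypts files on the victim host and drops a ransom note. "
          "It enumerates the running processes to find security tools. "
          "The sample terminates when the system language is Russian.")


def normalize(text):
    """Clean & prepare: lowercase, tokenize, drop stopwords."""
    return [t for t in re.findall(r"[a-z0-9]+", text.lower()) if t not in STOPWORDS]


def vectorize(vocab, doc):
    """CountVectorizer stand-in: term counts over the training vocabulary (unseen words dropped)."""
    vec = [0.0] * len(vocab)
    for tok, count in Counter(normalize(doc)).items():
        if tok in vocab:
            vec[vocab[tok]] = float(count)
    return vec


def softmax(weights, bias, x):
    """Class probabilities for one feature vector (logits shifted so exp() cannot overflow)."""
    z = [b + sum(w * xj for w, xj in zip(row, x)) for row, b in zip(weights, bias)]
    e = [exp(v - max(z)) for v in z]
    return [v / sum(e) for v in e]


def train(examples, lr=0.5, epochs=200):
    """Build & train: multinomial logistic regression by batch gradient descent on
    cross-entropy. Returns the model as (vocab, labels, weights, bias)."""
    vocab = {}
    for text, _ in examples:
        for tok in normalize(text):
            vocab.setdefault(tok, len(vocab))
    labels = sorted({label for _, label in examples})
    data = [(vectorize(vocab, text), labels.index(label)) for text, label in examples]
    k, n, m = len(labels), len(vocab), len(data)
    weights, bias = [[0.0] * n for _ in range(k)], [0.0] * k
    for _ in range(epochs):
        g_w, g_b = [[0.0] * n for _ in range(k)], [0.0] * k
        for x, target in data:
            p = softmax(weights, bias, x)
            for c in range(k):
                err = p[c] - (1.0 if c == target else 0.0)  # dLoss/dlogit_c
                g_b[c] += err
                for j, xj in enumerate(x):
                    if xj:
                        g_w[c][j] += err * xj
        for c in range(k):
            bias[c] -= lr * g_b[c] / m
            for j in range(n):
                weights[c][j] -= lr * g_w[c][j] / m
    return vocab, labels, weights, bias


def map_report(model, report, threshold=0.5):
    """Test: one prediction per sentence of a submitted report; below the confidence
    threshold the sentence is left unlabelled for the analyst."""
    vocab, labels, weights, bias = model
    results = []
    for sent in re.split(r"(?<=[.!?])\s+", report.strip()):
        p = softmax(weights, bias, vectorize(vocab, sent))
        best = max(range(len(p)), key=p.__getitem__)
        results.append((sent, labels[best] if p[best] >= threshold else None, round(p[best], 3)))
    return results


def feedback(examples, results, accepted, added):
    """Review & feedback: accepted predictions plus analyst-added techniques become new
    labelled examples and the model is rebuilt from the enlarged set."""
    new = [(sent, label) for sent, label, _ in results if label and sent in accepted]
    new += list(added.items())  # {sentence: technique} filled in by the analyst
    return examples + new, train(examples + new)
```

Calling `map_report(train(TRAINING), REPORT)` labels the first two sentences; the third uses words the model has never seen, so the analyst adds it as T1480 through `feedback`, after which the rebuilt model maps it.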

| 13 |

Threat Report ATT&CK Mapper (TRAM) Demo

| 14 |

Why Does This Matter?

Easier to get started with ATT&CK

Streamline the workflow

Find techniques we forget about (or have never heard of)

Use reporting that is important to you

| 15 |

Overcoming Challenges

https://theconversation.com/wizard-of-oz-why-this-extraordinary-movie-has-been-so-influential-108098

| 16 |

Prediction accuracy

How do we look for techniques not in ATT&CK yet?

Building automations can take away time from other work

https://www.ranker.com/list/wicked-witch-margaret-hamilton-career

| 17 |

Is the Wizard of Automation real?

Why is automating CTI hard to do?

Augmenting CTI work to blend human analysis with AI

https://media.giphy.com/media/AEMyf9Oj6MpS8/giphy.gif

| 18 |

Future of TRAM

Despite full automation not being the answer to all our problems, development on TRAM is still on track

Finding the balance as we transition the workflow

We encourage and appreciate contributions from the community

| 19 |

attack.mitre.org
attack@mitre.org
@MITREattack

Sarah Yoder (@sarah__yoder)

Jackie Lasky

https://github.com/mitre-attack/tram

Page 7: Automation - SANS Institute

| 7 |

Finding Behaviors in Finished Reporting

Techniques annotated on the report (https://usa.kaspersky.com/about/press-releases/2018_synack-doppelganging):

Defense Evasion: Obfuscated Files or Information (T1027)
Defense Evasion: Obfuscated Files or Information (T1027)
Defense Evasion: Virtualization/Sandbox Evasion (T1497)
Defense Evasion: Execution Guardrails (T1480)
Discovery: File and Directory Discovery (T1083)
Discovery: Process Discovery (T1057)
Discovery: System Service Discovery (T1007)
Impact: Data Encrypted for Impact (T1486)

[Figure residue: ATT&CK Enterprise matrix, technique names listed under each tactic column (Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Collection, Command and Control, Exfiltration, Impact)]

© 2019 The MITRE Corporation. All rights reserved. Matrix current as of May 2019.





Page 11: Automation - SANS Institute...N et w ork D eni al of Servi ce R esource H ijacki ng R untime D at a Manipul at ion Servi ce Stop Stor ed D at a Manipul at ion T ransm itted D at a

The ldquoMagicrdquo behind TRAM

| 11 |

1

Get Data

2

Clean amp Prepare Data

3

Train Model

Get Data

ndash ATTampCK procedure examples

ndash STIXTAXII data from ATTampCK

Clean amp Prepare Data

ndash Normalization

ndash Natural language processing

Build amp Train Models

ndash Python Logistic regression and supervised learning

ndash Count Vectorizer feature extraction cross validation etc

The ldquoMagicrdquo behind TRAM (Continued)

Test Data

ndash Submit a report via URL

ndash Models generate predictions on unseendata

Review Model Decision

ndash Accept or Reject the predictions

ndash Add in missing techniques

Feedback Loop

ndash Annotations are recorded and sent back to the database to build new models

ndash Reports can be exported

copy2019 The MITRE Corporation ALL RIGHTS RESERVED Approved for public release Distribution unlimited 19-01159-17

| 12 |

7

Feedback Loop

6

Review Model Decisions

copy2019 The MITRE Corporation ALL RIGHTS RESERVED Approved for public release Distribution unlimited 19-01159-17

| 13 |

Threat Report ATTampCK Mapper (TRAM) Demo

copy2019 The MITRE Corporation ALL RIGHTS RESERVED Approved for public release Distribution unlimited 19-01159-17

| 14 |

Why Does This Matter?

– Easier to get started with ATT&CK
– Streamline the workflow
– Find techniques we forget about (or have never heard of)
– Use reporting that is important to you

| 15 |

http://theconversation.com/wizard-of-oz-why-this-extraordinary-movie-has-been-so-influential-108098

Overcoming Challenges


| 16 |

Prediction Accuracy

How do we look for techniques not in ATT&CK yet?

Building automations can take away time from other work

https://www.ranker.com/list/wicked-witch-margaret-hamilton-career

Is the Wizard of Automation real?

Why is automating CTI hard to do?

Augmenting CTI work to blend human analysis with AI


| 17 |

https://media.giphy.com/media/AEMyf9Oj6MpS8/giphy.gif

Future of TRAM

Despite full automation not being the answer to all our problems, development on TRAM is still on track.

Finding the balance as we transition the workflow.

We encourage and appreciate contributions from the community.


| 18 |


| 19 |

attack.mitre.org | attack@mitre.org | @MITREattack

Sarah Yoder (@sarah__yoder)

Jackie Lasky

https://github.com/mitre-attack/tram
