
Closing the Gap vs Adversaries With Community Resources

BSides NYC · 2023 · 44:13 · Published 2023-06
About this talk
Identifying the adversary behaviors that matter to your organization has always been a difficult task. The purpose of this talk is to help close that gap by exploring adversary behaviors as communicated through MITRE ATT&CK and Tidal Cyber. Traditionally, teams have had to wade through large volumes of unstructured CTI to surface the most relevant groups, software, or campaigns, adding so much time that the exercise becomes prohibitive. We will demonstrate how structured metadata around threats, such as motivations, sectors, and victim locations, unlocks achievable "threat profiling", and how pivoting to relevant techniques, procedures, defenses, and tests allows teams to take action in line with their unique profile.
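As an added example of the threat profiling workflow the abstract describes (illustrative code written for this page, not Tidal Cyber's platform or the talk's own demo), the following Python script filters ATT&CK-style group records by observed sector, victim country and motivation, ranks the techniques the matching groups share, and then pivots to a registry of the analytics you already have to list the uncovered techniques in priority order. All group names, their metadata, their technique lists and the analytic registry are constructed for this example; only the technique IDs are real ATT&CK IDs.

```python
"""Threat profiling over ATT&CK-style group metadata (constructed sample data)."""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class ThreatGroup:
    name: str                    # constructed label, not a real ATT&CK group
    motivation: str              # e.g. "financial", "espionage"
    suspected_country: str       # suspected attribution (placeholder code)
    observed_sectors: frozenset  # sectors this group has been seen targeting
    victim_countries: frozenset  # countries where victims were located
    techniques: frozenset        # ATT&CK technique IDs the group uses


# Constructed sample data: technique IDs are real ATT&CK IDs, but the groups,
# their metadata and their technique lists are invented for this example.
GROUPS = [
    ThreatGroup("GROUP-A", "financial", "XX", frozenset({"finance", "healthcare"}),
                frozenset({"US", "DE"}), frozenset({"T1566", "T1059", "T1486", "T1021"})),
    ThreatGroup("GROUP-B", "espionage", "YY", frozenset({"defense", "government"}),
                frozenset({"US"}), frozenset({"T1566", "T1078", "T1003", "T1071"})),
    ThreatGroup("GROUP-C", "financial", "ZZ", frozenset({"healthcare", "retail"}),
                frozenset({"US", "CA"}), frozenset({"T1566", "T1059", "T1055", "T1486"})),
    ThreatGroup("GROUP-D", "espionage", "XX", frozenset({"telecom"}),
                frozenset({"FR"}), frozenset({"T1078", "T1021", "T1053"})),
]

# Constructed "what do I already have" registry: technique ID -> analytic names.
ANALYTICS = {
    "T1566": ["sigma_phishing_attachment"],
    "T1059": ["sigma_suspicious_powershell"],
    "T1021": ["sigma_rdp_lateral_movement"],
}


def profile_threats(groups, sector, country, motivations=None):
    """Select groups whose metadata overlaps the organisation's profile:
    observed in our sector AND with victims in our country, optionally
    restricted to a set of motivations."""
    selected = []
    for g in groups:
        if sector not in g.observed_sectors or country not in g.victim_countries:
            continue
        if motivations and g.motivation not in motivations:
            continue
        selected.append(g)
    return selected


def prioritize_techniques(groups):
    """Rank techniques by how many profiled groups use them (most shared first);
    ties are broken by technique ID so the output is deterministic."""
    counts = Counter(t for g in groups for t in g.techniques)
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


def coverage_gaps(ranked, analytics):
    """Pivot from the ranked techniques to the analytic registry and return the
    techniques with no analytic, keeping priority order so the first gap is
    the most valuable one to close."""
    return [tech for tech, _ in ranked if not analytics.get(tech)]


def build_profile_report(groups, analytics, sector, country, motivations=None):
    """End-to-end: profile -> ranked techniques -> coverage gaps."""
    matched = profile_threats(groups, sector, country, motivations)
    ranked = prioritize_techniques(matched)
    return {
        "groups": [g.name for g in matched],
        "ranked_techniques": ranked,
        "gaps": coverage_gaps(ranked, analytics),
    }


if __name__ == "__main__":
    # A constructed healthcare organisation located in the US.
    print(build_profile_report(GROUPS, ANALYTICS, sector="healthcare", country="US"))
```

The ranking counts how many profiled groups share a technique rather than how many techniques a group has, so a technique that every relevant group uses rises to the top even if each group only uses a handful; the gap list then turns that ranking into an ordered backlog of detections to build or test.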
Transcript [en]

So, yeah, I'm going to be talking about leveraging community resources to basically close the gap against adversaries, so we're going to dive into that. Before that, I just wanted to do a quick "who am I". If you noticed the code, you already know I'm a MITRE ATT&CK fan; I'm really passionate about that project. I lead adversary emulation for Tidal Cyber, and I just enjoy helping companies do threat-informed defense. I include this because I'm super proud to be born and raised in Puerto Rico. On the professional side, before coming to Tidal Cyber I was on the MITRE ATT&CK team, doing all the things there, but mostly focused on technique research for Windows; I was helping lead that effort. On the side I was also working with the MITRE ATT&CK Evaluations team, the infamous evaluations, maybe you see them around on Twitter, where vendors claim 100% coverage and all that. As part of that team I was basically implementing the code that would run against those different vendors. So yeah, that's me on the beach; that's where I would prefer to be working from, but unfortunately that's not reality; I'm currently living in the DMV area, so hopefully one day.

A quick overview of this talk. First we're going to talk about what threat-informed defense is, then we're going to dive into how MITRE ATT&CK empowers defenders to do all sorts of cool things on the threat-informed defense side, and we're also going to discuss common pitfalls, because I obviously have a lot of love for ATT&CK and I know what's good about the framework, but I also know the pitfalls people commonly fall into, so we're going to touch on those as well. Then we're going to use a community resource to leverage other community resources (so, yay, community), and we're going to use that to focus on the different threats you might care about. Then, now that we've defined the threats we care about, we're going to focus on what exactly about those threats matters, again using community resources. Finally, we're going to show you how to expand your knowledge base; I'll touch on why that is important a little later.

First, as I said, threat-informed defense. Basically, threat-informed defense is the ability to understand adversary tradecraft, commonly known as tactics, techniques and procedures (TTPs), in order to effectively defend against it. You might already know what TTPs are, but we'll talk a little more about them. The great thing about threat-informed defense is that there are so many different threats that no single company can defend against all of them, so you need to focus your view on the threats that might impact you. I think the best use case for threat-informed defense is focusing on what you need to focus on, because otherwise you're going to get overwhelmed and spend so much money that it's not going to be valuable for your company. Really, all this is about is making sure you're valuable to your organization. The way to do that is by doing threat profiles: profiling the adversary software, groups, campaigns, all the threats that are likely to target you and your organization. We're going to do a quick dive into that.

The last thing here is a quick aside: TTPs don't evolve at the same rate that CVEs and IOCs do. For example, CVEs are mostly used for gaining initial access, so that's literally one small part of what the MITRE ATT&CK framework is trying to communicate; that's just the initial access, and then there are a lot of other things to worry about. IOCs are basically signature-based detection: you see this malware out there, the AV scans it and says okay, this is malicious, and then if that exact same file, or some permutation of that file, gets in, your AV is going to say hey, that's bad, and it's not going to run. TTPs focus on the right side of that: what happens when they get in via the CVE, when they exploit it, and the IOCs aren't detected by your signatures. That's why we need to focus on TTPs.

A little bit of history. You've all probably seen this famous pyramid, the Pyramid of Pain by David Bianco; I don't think it would be a TTP talk without it, so I had to include it. Essentially, at the lowest level you have hash values, the most trivial detection point: you know that a specific file generates a hash and that hash is malicious, so that's super easy. Then you go up the pyramid until you get to the TTPs. I categorize everything from hash values to tools as IOCs; I know this is a huge debate, but this is how I see it. IOCs are the ones that are generating information that helps attribute who or what is behind a specific tool, for example, or where the network infrastructure is coming from, like domain names, IP addresses and all that. But what really explains the behaviors that are actually happening in these environments, on your hosts specifically, is what we can call indicators of attack. I don't know if CrowdStrike coined that term, but I really like it, because it makes this easy: IOCs focus on attribution and known-malicious things, and behaviors are really what is happening across the full chain. Before that, I just want to say: tools are actually implementing the procedures. The P in TTP is the procedure, and the tools implement the procedure, so the tools themselves are not creating the behavior; the tool is running a specific behavior, and that is what's known as the TTP. I think that's a super clear way to understand this.

Then came MITRE ATT&CK. Going back to David Bianco, the pyramid was created in 2013, and I think the MITRE ATT&CK framework was also created in 2013. Look at that: it's huge, it's really impossible to communicate what is actually happening. At the top you see the tactics, the adversary goals; below that you see the techniques, which is how the adversaries achieve those goals; and if you dive into the actual technique you have the procedures describing how certain software and groups actually implement them. A quick history: I just mentioned 2013, that was the creation of MITRE ATT&CK. It's a great way to reduce the friction between teams; it's extremely powerful as a common language, a common taxonomy (I don't know how to say that word; taxonomy, thank you, English, sorry). Basically they created a common language to get all the teams inside a security company working together and talking the same language, because then from the blue side you understand what you need to defend against, the specific tactic and technique. I probably don't need to dive too much into this because most of you know it, but everyone wins when the team is using this framework, because it reduces that friction, and time is really crucial when you're going up against adversaries, so you've got to use your time as efficiently as you can.

Now let's dive into the common pitfalls; it's really important. ATT&CK is based on real-world observations, so it's only going to be able to capture what is reported out there: what actual companies, blogs, or security professionals who are doing the analysis and reversing the specimens are reporting. It all depends on the community to be really impactful and useful. That's a really important thing, because without the community we're not going to go anywhere, because then people are just going to complain on Twitter that the techniques are not in ATT&CK; but if it can be contributed back to the knowledge base, then it's going to be worth it. Again, it's not going to be a silver bullet. You can have a hundred percent coverage and it's really not true, because there are so many procedures that it's not going to be probable for you to be detecting all the specific procedures. So instead of thinking about coverage, think about it as confidence: what is my confidence level for detecting a particular technique that is implemented by group X or software Y? You really have to dive specifically into those groups and software, and that's going to help inform what your actual coverage is, because if you know what the procedures are, then it's a little more one-to-one. Of course, when you're creating detections for those specific procedures you really want to be as broad as possible; the goal here is not to have too many false positives. So whenever you're creating that detection, you've got to think: okay, this detection is going to detect this procedure, but is it going to detect that different procedure? If you're able to answer that question, all of a sudden that detection is going to be super important and valuable for your organization.

Let's dive into the initial part of threat profiling. Basically, MITRE ATT&CK, as I said, provides the language to describe the techniques and procedures, but it also has the connections between groups, campaigns and software and how they relate to techniques and procedures. What we did is add a bunch of metadata to help folks who are starting off with their threat profiles understand what the threats that could be impacting me really are: for example motivations, suspected attribution, observed sectors and countries, and all that; I'll dive into that a little later. So now we have a way to understand what my direct threats are. Obviously this is the best one: who is actually targeting you, because you have evidence in your telemetry, so that's going to be your first starting point, focusing on who is targeting you. After that you can focus on, okay, maybe you have a subscription and you can see what other cyber events or incidents are occurring around your industry, and then your CISO says, my peers just got targeted by this specific ransomware; maybe they're going to focus on me because they were successful against a peer that's basically on my same level. So then you can focus on those threats. The last one: unfortunately, you're always going to have the opportunistic threats, the threats that are just going to find a way and randomly get in. Maybe they have a spam email campaign and they hit one of your users, boom, now they have access. That's unfortunate; you always have to think about those as well, but if you're short on resources you really focus on what's closest to your radar, which is your direct threats and your industry threats as well. So that's threat profiling in a nutshell, and props to Scott Small for creating this.

Yeah, go for it. Sorry, no, no, fine.

Audience: I've actually had this conversation with Scott; I'm not trying to put you on the spot. I had the same question with someone else this morning. Where did you come down on the notion that we over-fetishize the targeted actor? Most organizations that get popped are, you know, someone scanning, jiggling the door, and ripping off whoever leaves the window open. APT37 does not target my company; they could not care less about me, but if I've got a web-facing server with 3389 open, I'm going to get drafted, right?

Speaker: Absolutely.

Audience: So how do you, as someone whose company is built on the premise of threat-informed defense, come down on the question of threat modeling when many organizations outside of, say, banking or the defense industry are more likely, by volume, to get hit by the guy on the outside? How do we plan resources?

Speaker: Okay, let me try to summarize the question; I have to repeat it into the mic here. The question was, how do companies who are probably not going to be targeted by APTs focus on their threats? Is that a good summary?

Audience: Yeah, if we're more likely to be hit by the opportunists, how does that change our threat model and what we apply scarce resources to?

Speaker: Exactly. So, how to focus your scarce resources when you're working with the threat profile. Maybe you're not a big company; if you're a big company you're probably going to have an actual APT targeting you, but if you're a small company, it depends, really, because if you're a super small company it might not even be worth doing threat profiling; you might not even have money to buy tools. So let's say you have a small company and you have some tools. You probably want to focus on your attack surface, making sure you're removing the known badness, so patching. I obviously don't want to discourage patching; CVEs and IOCs are 100% super important to build into your pipeline, and threat-informed defense builds on top of that. It's really important to be knowledgeable of what your security holes are, of course. So if you're focusing on that, it's patching; it doesn't matter what your threat profile is, you've just got to make sure you're patched, that your CVEs are, hopefully, not super easy, like, yeah, CVEs because you're not patched. But the email, really, you can have the best thing, and if someone clicks on an email then it really doesn't matter. But yeah, it's super important; to your point, you still have to worry about ransomware, which is known to be opportunistic. So if I'm a small company with limited resources I'd probably focus on ransomware, I'd say, because it's going to be the most impactful to my operation.

Audience: [crosstalk] ... bad software?

Speaker: No, not at all; unfortunately, that's just, we can go back to the small part here, that's just one cell in this one. So yeah, it's a hard problem, that's why. Oh yeah, absolutely, I've definitely seen that.

So let's go to the Community Edition. This is Tidal Cyber. Basically, MITRE ATT&CK built that awesome framework that helps defenders and also offensive practitioners talk the same language. There are so many awesome resources out there using MITRE ATT&CK as a common language, and what we're doing is creating a platform, free for the community, because obviously we want to improve the community as a whole, and basically packaging all those different awesome resources together. That way we can do things like overlap analysis on specific defenses; for example, we have Elastic's open source detections, we have Olaf Hartong's sysmon-modular configuration uploaded; I'll show that later. Basically it's a way to show what you have available for a specific technique, and you can dive deep into that and all the things; it's really awesome. The defensive and testing solutions are all in the product registry, and then the analytics (I really don't like this word, but) analytics is, so we're currently using Sigma rules, so they're unimplemented detection logic that you can take and implement in your specific security solution. That's going to be really impactful and helpful when you're trying to look at all the things that are available. The last thing here, which I'll touch on later, is the Community Spotlight, which is a place where people can go and actually contribute back to the community and bring some awesome technique sets that include information specific to whatever you're looking at. Again, we'll dive into that later.

Let's dive into the first thing I want to show, which is threat profiling in the Community Edition. It's all about identifying the metadata. In this case, hopefully I don't tempt the demo gods, so I recorded a video. This is where you get to when you hit the page; you're going to see the Community Spotlight. If you're part of the community you'll be able to contribute and people will see your work. For example, LockBit 3.0 is not in ATT&CK, so we included that as a quick win for people who might be interested in ransomware. We also have some other resources here, for example researching threats, developing threat profile technique sets, and vendor coverage. Then we're going to dive into groups. Groups is basically the ATT&CK data, but we're enriching it with metadata. The first one: you have the ability to search by groups, and you can also look at the specific motivation, the suspected attribution, which are the countries that might be behind or sponsoring that specific group. We'll also have the sec