
I turn it over to you.
you change any one thing. So this is where you really need to focus your automation. It's not that IOCs are truly, totally dead, there is some, but if you're gonna do any kind of automation project, this is where you want to focus your operations, because by the time you cut and paste from an email into a firewall or your email blocks, that IOC is long gone, probably never. So focus your automation, take a human out of this piece of it. If you've said let me add your network and your host, now I want to go a little bit further up the pyramid, right? This is a little bit harder for us to detect, but if we can detect it at this level we're also causing the bad guy a little bit more pain.

So here we're looking at things like the user agent string. We had a rule that worked for like a year because the bad guys misspelled Mozilla. So it was hard for them to change it because it was built into their tools; they had to do some reconfiguring of their own tool in order to get rid of that misspelling. So if they do something like that and we can detect it, it lasted for a year, that's awesome, because an IP address might be good for two weeks and an email address is good for a spam run, right, you know, a couple hours. So let's go ahead to the tools, let's go up one more step: can we start attacking their tools? So not only have they misspelled Mozilla in the user agent string, can we detect their tools? So here we're looking at YARA signatures, because YARA is going to look at the execution of the program and detect how that flows, and to change that is massive. So if we can start detecting that we will cause them a lot of pain, because our end objective, to borrow the Lockheed Martin term, our objective is so that they can't action on objectives. So let's try to detect their executables, because we have taken away their ability to action on their objectives at that point. Again, some of this is also distinctive communications protocols: is there something in their protocol?

And then the last one is TTPs, so what is their behavior? We heard this a couple times today: they use specific tool sets or behaviors, and that's what we're looking for. So this is going to be things like FIN7 likes to spear phish using Microsoft DEP, okay, that's a behavior. So I can stop the execution, which is usually through Microsoft seven, Microsoft Project, calling [unintelligible] most of the time; that's a behavior. If I can detect that, it doesn't matter what FIN7 does; if there's a better way to spear phish that got past my email filters, I have detected the behavior and blocked it at that point.

So this is where the MITRE ATT&CK framework comes in: they map all of the behavior for us, because otherwise we're going to be looking at blog posts like this to try and pick all of this out ourselves. So this is a real blog post, it was from Talos. They had, at the bottom, the human stuff, they have indicators: domains, they had IP addresses, we had the PowerShell, there was a Word [unintelligible], we had all those hashes. They put it down, they make it nice and easy at the very bottom of the article, they say here are your IOCs. They have so much posted in there, so they had some registry keys that would be very hard for those bad guys to change, so guess what, I threw that into my protection stuff, so I'm going to start looking for these registry keys. But then at the very top of that, they had a sentence that the document contains links to external files, and it was buried inside that article. But if you go to the MITRE ATT&CK page, inside of their description it says processes such as command... that's the behavior. I can start working just with the MITRE website and start tracking their behaviors. So how do we use it? So what I'm going to do is pull up, this is the online version, so they have a tool out there called...
So the MITRE ATT&CK framework itself is just a web page. So if I come here, this is what it looks like: it's just a website with tactics and techniques. But they also have a tool called Navigator where you can start mapping this in your own environment. So when you pull it up the first time, let's say I'm interested in spearphishing and I know that our company does really good, we have all the tools that we need to detect spear phish; I can start color coding these to say yes, we have that done. And then if you say well, I'm not sure what this profile is, right, you can read it right here, out of your detection.

So what you want to do, by group: let's say that I know that I am targeted by FIN7. I can search for FIN7, it pulls it up on the left and it will highlight it; I can select all of them, you'll see that that one is highlighted. I can also do...

So there's a lot of things that you can do with the ATT&CK framework, and I want to show you one more thing. So this is not mine, by the way, this was done by Travis Smith; it's on his GitHub site. We use this as a training map for new SOC people. So everything in blue is kind of your foundational knowledge, anything green you should start learning. So if you're a new SOC employee, start learning how to do everything that's in green, and then of course it goes up from there: yellow, then red, and you start doing the stuff in red, that's kind of your red team, pentesting, that should be your senior people. I've looked at this and I tend to agree with how he classified everything, so I think this is an excellent way, and I've been using it when we get these new people in, to say what's your skill set, where do I need to teach you, do you know how to do this? Okay, you know this, I've got this. So this is training, it's Travis Smith, and I'll make sure I get it in the slides.

So if you're interested, I have a big poster with all of the framework and stuff; I have a few of these, if you're interested come on back afterwards and I'll give you one of those. So do you have any questions? That's really all I had, right; the framework itself is fairly easy to understand, it's trying to decide your use cases. My project at work at the moment is trying to color code all of that: you know, where do we have coverage, where do we have our gaps? And this is going to be a multi-month project for me, but for us it seems, again, it's a good way for us to decide where our gaps are.
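The color-coded coverage map the speaker describes, plus the "MITRE keeps updating it, how long is my map good for" question from the Q&A, as an added Python example (not the speaker's own script): it builds an ATT&CK Navigator layer from a constructed coverage inventory and reconciles that layer against the technique IDs of a newer release. The layer field names (techniqueID, color, comment, enabled, legendItems) and the layer version string are assumptions about the Navigator layer format; the technique IDs are real ATT&CK IDs for topics mentioned in the talk, and the coverage statuses are made up.

```python
import json

# Constructed inventory for this example: technique ID -> (status, note). The
# IDs are real ATT&CK technique IDs for topics raised in the talk (spearphishing
# attachment, PowerShell, registry run keys); the coverage statuses are made up.
COVERAGE = {
    "T1566.001": ("covered", "mail gateway detonates attachments, alerts to SIEM"),
    "T1059.001": ("partial", "PowerShell script block logging on servers only"),
    "T1547.001": ("gap", "no registry run-key monitoring yet"),
}
# Cell colour per status; Navigator paints the matrix from each technique's colour.
STATUS_COLORS = {"covered": "#31a354", "partial": "#fdae6b",
                 "gap": "#e6550d", "unreviewed": "#bdbdbd"}

def technique_entry(tid, status, note):
    """One element of the layer's 'techniques' list (field names assumed here)."""
    return {"techniqueID": tid, "color": STATUS_COLORS[status],
            "comment": f"{status}: {note}", "enabled": True}

def build_layer(coverage, name="Detection coverage"):
    """Turn the inventory into a Navigator layer dict ready for json.dump()."""
    return {"name": name, "domain": "enterprise-attack",
            "versions": {"layer": "4.4"},  # assumed layer-format version string
            "techniques": [technique_entry(t, s, n) for t, (s, n) in sorted(coverage.items())],
            "legendItems": [{"label": k, "color": v} for k, v in STATUS_COLORS.items()]}

def refresh_layer(layer, current_ids):
    """Reconcile a saved layer with the technique IDs of a newer ATT&CK release: keep
    reviewed entries that still exist, report IDs that vanished so a human re-maps
    them, and flag brand-new IDs 'unreviewed' rather than leaving them uncoloured."""
    known = {t["techniqueID"]: t for t in layer["techniques"]}
    kept = [known[t] for t in sorted(known) if t in current_ids]
    retired = sorted(t for t in known if t not in current_ids)
    added = [technique_entry(t, "unreviewed", "new in this ATT&CK release")
             for t in sorted(set(current_ids) - set(known))]
    return dict(layer, techniques=kept + added), retired

def status_counts(layer):
    """Tally techniques per status: the coverage-versus-gaps view the talk describes."""
    by_color = {v: k for k, v in STATUS_COLORS.items()}
    counts = dict.fromkeys(STATUS_COLORS, 0)
    for t in layer["techniques"]:
        counts[by_color[t["color"]]] += 1
    return counts

if __name__ == "__main__":
    layer = build_layer(COVERAGE)
    # Constructed "newer release" ID set: T1547.001 gone, T1566.002 new.
    refreshed, retired = refresh_layer(layer, {"T1566.001", "T1059.001", "T1566.002"})
    print(json.dumps(refreshed, indent=2), "\nretired:", retired, status_counts(refreshed))
```

The retired list is the part that still needs a human: a technique that disappears from a release is usually merged or renamed, so its coverage note has to be re-mapped rather than dropped.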
How are you dealing with the fact that MITRE is making actual updates, new categories?

I saw her tweet this morning.

That they're updating it so often that once I build a map, how long is it going to be good before...? But it is just a JSON file in the back end, so I've actually been playing around with doing some Python programming to try to automatically update it, just through a Python script.
So our process, which there... one is trust the vendor, which obviously none of us trust the vendor, but we are looking through some of the vendor documentation and saying yes, they're saying this piece of it. Our second step is we're just looking at each log, so we're doing [unintelligible] to say yes, we've got logs from our security devices in here. Our third step is, do we have correlation rules and notable events to do some automatic either remediation or alerting on those. So just for me, though, I would obviously read some of the vendor's [unintelligible]; with MITRE starting to do these, so they are...

So I do not work for Red Canary, but they have a product called Atomic Red Team, [unintelligible] PowerShell, [unintelligible]; they have different, different routes, but yeah, it will actually run through all the techniques. I've heard good things about it: purple team, they automate some of your purple team exercises, and they connect in to a lot of tools. We've got it tied in with our Splunk, so we're just using that to kick off the attacks and make sure that everything... so it's letting us automate some of our purple team exercises and let our red team, our true red team, focus on those things that can't be taught.

What's your perspective on incorporating...
Right, so yes, this is a very ATT&CK-focused... but it will not cover everything, so yeah, we have other processes, other documents. It's not incorporated in my project, but there are other projects and it is being considered for the overall security. It's not like this is going to be our be-all, end-all: oh, we covered everything on ATT&CK so we're good. Nobody's ever gonna have that, we know that, and we know that, you know, there's this attack out there, there's TTPs out there that haven't been incorporated into this yet. So is this a replacement for our threat team? No. Is it a supplement to our current team? Yes. And again, it's kind of like I said on the purple team, this allows us to automate some of that purple team stuff, this allows us to automate some of our threat management stuff: if we know about it, we should just go do it, and the monitoring stuff, that gets rid of the [unintelligible].

We probably would have... a lot is really good about sharing, so I don't...

Do you have a chart or color...?