
[Applause] This has actually been kind of a busy morning. The slight delay we just added on there gave me enough time to release the next version of ATT&CK, which we only do twice a year, from up front here, so there are a lot of things going on this morning at once.

So I sat down with James and RJ a couple of months ago at Mabuka; we were having a couple of rounds of water, of course, and I was asking them what it is they'd like me to get into. Last time I came here, two years ago, I got into some advanced topics on doing cyber deception, so putting adversaries into really advanced honeypots, and we discussed coming from the opposite direction: looking at some of the steps building up to using something like a fancy framework. So I wanted to get into a number of easy steps, free things, things that you might be able to borrow from online, for getting into something like ATT&CK. And I have to say my slide style is probably about as different as it could be from Mick's today.

So that's me; you can see me here on stage. I run a framework called MITRE ATT&CK. I've been with MITRE, as Mary said, for 16 years. MITRE is a not-for-profit in the United States that primarily runs what are called federally funded research and development centers, but we also do a lot of open source and projects that are for the community. My personal background is that I come from a focus on threat intelligence and deception, which is what I was talking about last time I was here. I've been a past defender, I've spent time in SOCs, I've actually worked directly with Mick in the past in various spaces, I've been a threat intel analyst, and I've been involved with ATT&CK since it was an Excel spreadsheet. If you've seen ATT&CK before, its origins as an Excel spreadsheet are probably not very shocking. I also have some connection to the Cayman Islands: I've been coming down here for 18 years to scuba dive, usually a couple of times a year, and so I've done everything from decompression and rebreather training down here, and over 500 dives in the Cayman.

That's today's journey. Where I want to take us today is some starting points: what are some of the things that we might want to make sure we do before we get into fancy frameworks? So this is going to be things that maybe we know we should be doing already, but some ways to make them a little bit easier, more accessible, maybe some tradeoffs that may make some of the security professionals in the room wince, but things that we can do to not make perfect the enemy of good. I am going to get into what this ATT&CK thing is, the word, the funny [inaudible]. I'm guessing a decent number of people have heard the name before, but I'll get into some level setting and what some of the pieces are we can get from there, how we plan our next moves, how we figure out what it is we want to do in our environments to improve our security, and once we've gotten down some of the basics, if we have everything working, where can we go from there?

But let's start at the beginning. So instead of immediately digging into a big framework with hundreds of options, I wanted to get into a couple of security techniques that we should probably all be doing. Now, I'm guessing most of you have heard of everything that's on here; I don't think that I'm explaining these to you for the first time. But I sat down with a group of incident responders and I said to them: if you could tell a small or medium business, or an organization without a lot of resources, what are five things that they should be doing that might have prevented the last breach you saw? And it actually came up with a pretty consistent list between the group, which is antivirus, data backup, multifactor authentication, software updates, and user account management. I'm not going to be spending the whole rest of the talk getting into these things that are probably familiar to you, but I do want to get into a few aspects and tradeoffs that might be worth considering in some of these familiar areas.

So the first is antivirus. Especially for those of us who have been in the security community for a long time, we know antivirus; we probably had it in the 90s, and Norton and Symantec were something we had to maybe buy at the store to add to our new computer. And the recommendation from the folks I talked to was still to install or enable antivirus software wherever possible. It's something that we used to do very consistently, but it's maybe fallen a little bit by the wayside. It still can catch a lot of basic threats; there's a lot of crimeware, there's a lot of malware, and we've seen demos the last two days of things that are getting around some of these protections, but a lot of stuff doesn't. There are a lot of old pieces of malware, or even just pretty recent ones where the signature has been updated, floating around where antivirus can still save us, and sometimes advanced ones too. There's a good chance that somebody else got it, you got the new signature, and if it stops it, it worked.

The thing is, this got a lot easier a number of years ago. Antivirus used to be something we had to buy and install everywhere; now we just have to not disable it. A lot of us, and even a lot of businesses, have done this or have installed products that have turned off Windows Defender, but Microsoft started baking in a pretty good antivirus starting in Windows 8. It wasn't really full-featured before then; they were trying not to really compete with the other AVs, but at this point it works, and it works pretty well. But it needs to not be disabled to actually do anything. And so do a little bit more that isn't on by default: consider turning on cloud protection, consider turning on its ability to actually check samples with the Microsoft cloud, and get a lot more current protection.

Similarly, I'm guessing most of you know that you should be backing up your data, or all of you know you should be backing up your data, and so
the recommendation is to ensure all critical data is being backed up somewhere. A lot of organizations only get serious about backups the day after a ransomware attack, when they find all their stuff is gone, or in a lot of cases they find out that their backups never actually worked, that the stuff they've been paying for and doing for years wasn't really there. So at the very least, make sure that anything you can't afford to lose is being backed up.

Something that's a little bit more spicy, and might not be agreed with by everybody in the room, but especially talking with some of my peers on this, the recommendation is that if you can't afford or can't get to the gold standard of data backup, backing up to OneDrive, Dropbox, or Google Drive with multifactor authentication is still better than not doing anything. It's probably not best, it's not best practice, it might not check off boxes for your regulators, but it is at least getting your data out there in a way you can access. Ideally you should be working towards backups that are off-site, versioned, and restricted from deletion.

Multifactor authentication: again, I'm guessing most of you, especially in your personal lives, are already seeing this all over the place, the SMSes you're getting from various apps as you log in. And so it's twofold: minimize public-facing assets, and add multifactor authentication to anything that does have to be out there and public facing. This can dramatically increase adversary difficulty. It's like running away from a bear (I'd say a shark, but I know the sharks here are pretty small): you just have to be faster than the guy next to you. If your protection is a little bit better and gets the ransomware actor to go to the next person down the road, you probably didn't just get ransomed. And so again, controversial for some people, but agreed with pretty much up and down the chain: ideally you'd be doing hardware tokens, things like passkeys, but any form of multifactor authentication is better than nothing. Hardware tokens are the gold standard, but don't not do it because SMS is all that you can really pull off. And ideally consider moving to passwordless, consider moving to things like passkeys for logging into your email and your external sites. [Music]

This might actually be easier for a smaller organization than a larger one. It might sound counterintuitive, but it turns out that the large office suite vendors have turned this into almost one click to turn it on and start getting it out to users, where a larger business would have to do kind of a complicated rollout. So you might have written this off as something that's too complicated or too expensive for your organization, but it might be worth going back and taking a look, especially if you're on something like Office or Google, to see if you might be able to do this fairly easily.

Another one that we've been hearing about forever: update software. So regularly update operating systems and applications to fully patched versions. Again, we know this, we know we should be doing this, but a large percentage of initial access, adversaries getting in in the first place, is still coming in through vulnerabilities in browsers, in email, and in public-facing applications. So prioritize those: if you aren't able to update quickly, at least update the things that your adversaries are going after. And again, if you can't be perfect, with updates going out an hour after Microsoft Patch Tuesday, it's still worth patching as quickly as you can even if it's not right away. Most vulnerabilities being used are not zero-days; a lot of vulnerabilities aren't even a week old, some of them are even a year or two old, and so it's not too late to go back and actually update your systems. And again, ideally what you'd be doing is knowing the inventory, knowing the status of all of your systems, having it centrally tracked, so that if you have a breach you can go back, or if there's an alert coming out you know where you sit and where you need to patch.

So finally, the one that you might not have heard the term for quite as often is user account management, but these are still principles that you're probably somewhat familiar with, and that is: restrict admins to the least privileges that they need, have as few admins as possible, and enable conditional access policies. Not everyone needs to be an admin, and you see ransomware actors all the time take advantage of organizations where every single person is an admin and they can just hop from computer to computer, have full access to every file, and go through and do whatever they want. And this is another one where getting into user account management and conditional access might actually be easier for a smaller organization than a big one. If you're using Entra, what used to be called Azure AD, for your authentication, several years ago Microsoft started adding conditional access policies, and what those are is: if you log in from a strange place, it's more likely to put you through hoops, or a more privileged account might get pushed more often through things like multifactor authentication. So it's introducing conditions on how it's actually doing authentication. And there's a button marked "security defaults" that is not on by default on an account more than a few years old; that one click may actually get you some of these protections.

So as I've been going through all these, I haven't mentioned these M numbers that have been appearing on every slide: M1049, M1043, M1032, M1051, M1081. What's up with all these random numbers? Can anyone tell me? Yeah, so they're ATT&CK mitigations; they're codes actually out of MITRE ATT&CK, and so
these are all M mitigations from the framework. Normally we talk about following practices and looking at what's right for you, but there are a few of these that you probably want to do before you start digging in.

So I did want to start with doing a little bit of level setting before I start using ATT&CK, and get into a little bit of the details of what's there and where you might find certain pieces. Before I do that, just a show of hands: how many people here have heard of ATT&CK before? Okay, so a bit more than half. How many people have actually used it? A much, much smaller group. So I want to get everybody a bit on the same page before I start digging into using it to do a little bit more complicated stuff.

ATT&CK at its core is what we call a knowledge base. It's like an encyclopedia of adversary behaviors. It talks about things that malicious actors have done in the real world in real intrusions, so it's not things that only red teams have done or theoretical things we know are possible from vulnerabilities; it's just things from threat intelligence, things we know adversaries have done. We think there's some value to that; we think that being able to prioritize on the known bad, on the known knowns, has some power. So it's based on these real-world observations that are seen in threat intelligence. It's free, open, and globally accessible; the reason why they let me talk about it here is because it is not something you can buy. There is no product here; it is open source, you can use it in your product and in teaching however you want, and lots of people have. It's a common language, so a lot of different threat intelligence companies use technique IDs from ATT&CK to talk about adversary behaviors, as well as a number of governments: NCSC in the UK regularly uses it in publications, the US NSA, CISA, all over the place you see ATT&CK coming out, and so it's something you can use to pivot into. Finally, it's community driven, so it is people like you around the world who ping us when we've missed something. People are pretty good, if they find something missing in ATT&CK, about making sure we know as fast as possible, and we do really appreciate that.

So I talked about adversary behaviors as ATT&CK's space, and why is that? We like to use this diagram from a colleague of Mick's, David Bianco, called the Pyramid of Pain. The Pyramid of Pain describes how painful it is for an adversary to move away from us being able to block or prevent a particular indicator, an indicator of compromise. At the very bottom of the pyramid we have hash values: if I'm watching for the hash of one specific binary and I change a bit in that file, if my hash is any good the hash just changed completely, and so the signature is gone. As we work up we get through IP addresses and domain names, things that are relatively easy for an adversary to buy a new one of or just switch infrastructure, through their tooling, where it's kind of expensive to get brand new tools, and we believe, and David believes, that the top of that pyramid is tactics, techniques, and procedures, or TTPs, which is what fits in the tip of the pyramid, or behaviors. Behaviors are our habits; they're how we operate, and so you can see why it might be difficult for an adversary to change behaviors. Adversaries are humans and creatures of habit just like you and me, so if you've got your routine where you get up in the morning, you brush your teeth, you go to work, having you disrupt a stage of that and work in a completely different fashion is not going to be very comfortable. And we see adversaries following the same sorts of patterns: they might use different tooling, they might come from different infrastructure, but very often the last thing to change is how they fundamentally operate, and ATT&CK lives in that space.

So for those of you who've seen ATT&CK before, this is probably kind of the view you have. These cells are not meant to be big enough to read on the screen, but just the rough shape of it. Again, it looks like a spreadsheet; we call it the ATT&CK Matrix. Across the top we have tactics, which are the adversary's technical goals. This is things like initial access, an adversary is trying to get into my network, or exfiltration, they're sending data back to the mothership. Underneath each of these we have ATT&CK's core piece, which is techniques, and this is how the tactics are achieved. So instead of something like initial access we would have something like phishing: the adversary is sending a malicious email of some sort. Within these, a number of years ago we expanded into sub-techniques; we spread out the techniques even further, so instead of initial access, instead of phishing, we have something like spearphishing attachment, where an adversary is sending an email that has a piece of malware attached to it. And finally, tactics, techniques, we have procedures, and procedures are what we call adversary-specific implementations of a technique. So instead of initial access, instead of phishing, instead of spearphishing attachment, we have the level of detail of "APT12 has sent emails with malicious Office documents and PDFs attached", so something you might be able to write a specific signature for.

Behind each of these techniques and sub-techniques there's quite a bit of information. It starts out with an English-language description of how that technique is done from an adversary perspective: what is it that they're doing, how is it they go about it, what are different variants on it. We get into metadata on things like what operating systems this could take place on, what kind of cloud environments, as well as this technique ID. So when I talked about ATT&CK as a common language, that's the number that the various governments and the various public incident response firms are using when they talk about adversary behaviors and they're linking it back to MITRE ATT&CK. So when you see that little T with four numbers after it, it could be a Target store number (if you Google, you'll sometimes find which Target store corresponds to a given ATT&CK technique), but it's usually MITRE ATT&CK. And then within that we have defensive options for what you might be able to do about that behavior, starting with mitigations, and so these are the things I started off the talk with, getting into these M numbers, these specific mitigations and how they apply to a given technique, so how we could actually do these in a way that possibly prevented that behavior or caused it not to have an impact. I'm going to be focusing a bit less on it today, but we also get quite a bit into detections. Detections look at what sorts of data sources in your environment you need to be collecting to be able to potentially see a technique, and then get into things like the analytics that you'd have to write and tips on writing those. So none of these give an example of this, but we might have which Windows event log you'd need, which event ID, and in some cases pseudocode for actual analytics you can plug into your tools to be able to see it. We have the procedures that I showed you earlier, where we've got that intelligence, and all of this is linked back to references, so we show our work; we link back to other sites where we originally got this information, and there are over 3,000 references in ATT&CK today. So where Mick talked earlier about building off prior work, we try to show where we're doing that wherever we can.

I'm not going to be using them as much today, I'll get into them a little bit later, but another thing that ATT&CK tracks is threat groups. So this is both state groups, ransomware groups,
crimeware groups, but it gets into roughly how that group has operated in the past; if it's well known what country it's from, we'll include that. We also get into what we call associated group descriptions. If you've worked with threat intelligence reporting around groups, you've probably seen that a lot of different companies have different names for overlapping activity. Now that's natural; they each have their own profile, it might not be exactly the same of who the group is, but it can make it a little bit harder to link back and forth, and so we try to get a lot of the names together that might go with a particular name. So instead of APT29 we'd have YTTRIUM, Cozy Bear, CozyDuke, The Dukes, etc., as you go through different companies. We have the flip side of procedures, so for each group we have which techniques are there. We have similar pages, over 500 of them, getting into different pieces of software and malware and what techniques are associated with those that different adversaries use. And finally, everything in the groups and software information has references back to the original open-source, publicly available threat intelligence that you can find that from, and so you can go out there, you can check our work, you can see if you agree with how we're linking the group names or how we're adding the techniques, and if you think we're wrong, please email us.

So how are people actually using this thing? I'm only going to get into a little bit of detail on some of these later; I'm going to look at a different way. But the primary way that the community is using ATT&CK is really organizing detections. The most common thing is to be building up behavioral analytics, so ways of looking for behaviors on various end systems throughout an enterprise, building detections on those, and looking at the coverage picture: how many of these techniques, how many of these behaviors, have I been able to detect, and how well? So you can see gaps, you can see where there might be overlaps in some of the things we're doing. The second most common is threat intelligence, and so a lot of people use ATT&CK to track different threat groups, exchange information on them, talk about them; that's pretty clearly the second most common for us. ATT&CK's original creation, though, was actually for red teamers; it was for adversary emulation. We created it internally as a framework for a red team to be able to plan out an operation that looked like an adversary, followed some of the same behaviors as them, and for the blue team to be able to come along later and compare notes. They needed a common language, and we thought that common language was useful internally, and that's why we released it out to the world. Finally, assessments and engineering: taking all of those components, bringing them together, and looking at how we want to fill gaps in our environment.

Okay, so let's say we've done those initial mitigations, we've done those five things I started with. How can we pick our next move? Let's start with what those mitigations got us in the first place, so where our starting point is. Again, the text is too small here to read; I'm just showing the shape and the colors, but this is the techniques in ATT&CK that those five mitigations potentially were able to stop or keep from being a problem for us. This isn't bad; this is actually a pretty good portion of the map. If we're doing those five things, and we're doing them well, there are a lot of the various techniques in ATT&CK that we may have already been able to stop. Now you might be looking at how much white is here too, especially in some of the ends on it, but not everything in ATT&CK is mitigable; not everything in ATT&CK that we describe can be stopped. We describe what adversaries do without worrying about whether there's potentially a defensive solution; it's a knowledge base. And so you actually don't want to mitigate or detect some of the things that are in ATT&CK. Some of the things in ATT&CK are common administrator actions that adversaries also do, and if you mitigate and stop them your enterprise will break. So you probably want to look a little bit carefully before trying to color in that coverage map all green, which you might see in some marketing slides out there.

So how do we pick our next technique? We've got some that we maybe cover so far, figuring out if we're there. What are some lower-budget ways that we might be able to use as some easy buttons that we might have into this framework? I'm going to look at three different starting points. The first is looking from a tools perspective: what can your current tools already do? I've already bought it, it's already in my network; how am I going to be able to change it and expand it to be able to see more of what's going on? The second approach I'm going to look at is threat intelligence: how can I try to be where my adversaries, the ones I know about, are? And the third is looking at it from a red team perspective: where are our red teams being successful, and how can I prevent those actions? And then I'll briefly get into implementing the mitigations that come out of those techniques.

So let's start with the tool approach. I haven't really dug into the full list of mitigations; I've looked at the couple that I put up at the beginning. There are actually 43 different ones in ATT&CK. It's not a huge number, but each of those can be a considerable amount of effort, and so a couple of the ones I've already talked about are up here on the screen. A tool approach is looking at what mitigations your current tools might be able to accomplish, so looking at the range from what I'm currently able to prevent to what I might be able to prevent. This sounds simple, but it actually does potentially require some legwork and mapping out which techniques your current configuration can prevent. We do try to give you some information that might help with this: within each of these mitigations we get into which techniques that mitigation might prevent and, roughly, ways that it would need to be configured to do that. So you should be able to go through, look at those techniques, and take a look at how those align to the given mitigation.

So how might you find out what else you can actually do once you've figured out your current stance? Well, some of these aren't all that sexy. Read the documentation. I know we don't enjoy that, but if it was done well, it was put there for a reason, and it often talks about features in tools that we've forgotten that we even bought; we paid the money and don't realize it can necessarily do it. When all else fails, ask the vendor. Their salesperson is sure to be happy to tell you the things that you can do with their tool, and obviously, check but verify: go back, make sure that's true, make sure it works, but often the vendor is happy to fill this in. And we've put out free training on our website, it's on YouTube, on some ways to do this, called ATT&CK-based SOC assessments, a methodology for gathering information on what your tools and your organization can do. From there you can look at what changes would help you: what is it that you can do, which of these features are practical with a given tool, do you actually have coverage with what you've already bought, and is it time to finally look into buying something new? But by all means, take a look at what you already have before you just instantly start looking at vendor promises for what you can buy to fix
the next problem a second approach I'm going to go into is looking at a threat intelligence approach this is you know unsurprisingly the intro I gave earlier sort of the one closest to my heart but you know looking at what are adversaries that you care about or should be caring about doing already you know it isn't necessarily what an adversary is going to do tomorrow but it's at least having an idea of of where we stand compared to what we already know uh and so in choosing a threat group that you might care about probably the the best place to start is one that targets organizations like yours now if if you have a sophisticated enough
threat intelligence organization to know which adversaries Target you specifically obviously start there and if you have your own Intelligence on what they're doing again use that you know a lot of the resources I'm showing are open- Source publicly available threat intelligence which is um you know not necessarily as as good as some what you can pay for but often is and so attack has some information on this you can search through you can look through things like uh targeted countries and industries we somewhat intentionally don't pull that out into metadata though because we don't think our listing is all that complete uh and so a resource that I'm guessing a lot of people in the room might not be familiar
with, though, is the Thai government. I'm guessing a lot of people weren't expecting that as my next source. This used to be called ThaiCERT; it's now the Electronic Transactions Development Agency, and they've done an incredible job of pulling together information from the internet, from a lot of different knowledge bases including ATT&CK, and codifying it. They're relatively good at showing their work, so they also have a lot of references in there; you can see what they're doing. One of the things they've done is take all the information they can get hold of and look at things like the victim sector. They have a large set of sectors here, about 20 of them. So, for example, this is targeting the hospitality sector. You can see there are some state actors in here, there's a lot of different crimeware, going back to yesterday, and you've got some North Korean activity in here too. So, some starting points on adversaries you might care about.

Once you've picked an actor, at least if you're going to leverage ATT&CK for this, the next step would be looking at what behaviors they've actually done in the wild. Now, I'm cheating a little bit here in using APT28. They're a state group where there's been a ton of reporting, and so we know a lot of behaviors from them. That has the downside of lighting up almost too much stuff to think about, but it does give an example of an adversary that's built up a lot of ATT&CK techniques. You can do this from your own threat intelligence; we've put out training on how to map this information and how to build it up. But we've put out a ton of this for free as well. We've spent the last nine years mapping open source threat intelligence reports to ATT&CK and listing the techniques that we see there, and so from our Groups pages on ATT&CK you can get a lot of that for free. Again, if your adversary is already doing something, it's probably good to know what your stance is against it, if it's somebody that you think might be coming for you. Sounds obvious, but it is a place to start rather than staring into the void at this huge, never-ending list.

I do have some suggestions, though, as you look for that, and that is to focus on the early wins. ATT&CK is not strictly ordered; tactics happen in various orders as adversaries come to them, but it is roughly left to right, and so that left side of the matrix is really powerful, potentially stopping the beginning of an attack. That's looking at what an adversary is doing in Initial Access, Execution, Discovery, Persistence, and Credential Access: the things that an adversary is often doing in the first couple of minutes of an intrusion, and not weeks or months later, after they've already succeeded and sent data out the door. If you've got one group, well, why not look at more than one? Potentially you can look at multiple groups that are either impacting you or impacting your sector. Again, this is finding starting points; this isn't finding everything. You don't necessarily want to do everything an adversary could ever do, but some priorities. So if I'm really concerned about APT28 and APT29, okay, then a technique that both groups do is maybe a really good starting point to know where I'm at, and so is looking at the mitigations that go along with each of those.

Something a little bit more resource intensive, but that I know a number of organizations in this room have gotten into, is taking a red team approach. You think you know what your tools do, but why not find out if it's actually right? So, setting a red team loose to find the gaps. This isn't just having a red team go in and
seeing if they can possibly get into your environment, can they find that ninja zero-day that you didn't patch against. It's also having them test to see if the defenses you think are there actually work. That may make it a little bit less fun for your red team, but it can make the results a lot more powerful for you. Again, there are some free resources you can use here if you don't have a standing red team and you're looking to do some of this yourself on a smaller basis. An organization closely aligned with ATT&CK called the Center for Threat-Informed Defense has put out a number of adversary emulation plans, and so they've taken intelligence on a number of adversaries, across ransomware, across state actors, and built up step-by-step emulation plans to try to do some of the same activities as those actors and look somewhat like them to your defenses and mitigations. MITRE has put out a free, open source tool called Caldera, which actually was created by the same person who originally created ATT&CK, that can act as an automated red teaming platform for free. Another one is Atomic Red Team. Atomic Red Team was originally started by Red Canary; there are a number of contributors to it now, and maintainers that are outside the company, and it's open source. It's a number of small, easy activities, each mapped to ATT&CK techniques, that you can do from the comfort of your own keyboard and see what happens: if they actually work, if they're detected. These are not full-blown red teams; you don't necessarily have to get your Kali Linux up. This is maybe pop open PowerShell, copy-paste a few commands, and see if it sets off your alerts. You probably don't do this without coordination with the security team, though, if that isn't you. And again, prioritize what didn't work. Something you thought you were already mitigating, that's an obvious starting point.

With any of these, the idea is that once you've picked up techniques that you've seen, that you've got as priorities that you really want to be handling, look at what sorts of mitigations you can do for those. Take the techniques, go into each of the mitigations, and look at what you can pull together and potentially build up a defense for that particular technique. That's all been based, though, on building up mitigations, one little piece of the defenses. So say I've got that, say I've got my starting points, I've looked at a little bit, I've started my priorities; where can I go from here?

I'm going to now go into detection, which is not necessarily something that every organization is ready to do. Again, that might sound controversial to some of the audience, but mitigations are often a more powerful starting point, especially if you don't have a lot of resources. Detection can take a lot more to do, a lot more to maintain, and you still have to be able to respond when something happens with it. But going through and starting to build up detections from this can start to move you towards the right. ATT&CK is focused on activities that happen inside a network after an intrusion has already started, and so it can just naturally move you to looking at those post-exploit activities just by leveraging it. Again, since ATT&CK is adversary behaviors, it also pushes you towards the top of the Pyramid of Pain. That's not to say don't look at IOCs. If somebody tells you an IP address that you know is about to come after your network, please block it. We do have people that are like, oh, but it's not in ATT&CK. No, no, no, use the things that work. ATT&CK's a big hammer; if you've got these things that are lower on the Pyramid of Pain and they're effective and they're timely, use those too,
please. It also gives you a way to organize your defenses. As you build up analytics, as you build up these things watching these behaviors, it gives you the way to look and see where you are, a map where you can say, I am here. I'm going to get into just the beginning steps of this rather than fleshing it all out, but there are some easy steps you can take in this too, free ones, free at least in terms of resources and tools, not necessarily your time, of course. Starting with borrowing from others, things that people have put out there already, getting into figuring out what data you have in your environment, getting deeper into detection and writing your own analytics. I'm not going to go all the way into that today, but borrowing from others can be surprisingly powerful in this space. A community has sprung up over the last decade of people sharing analytics, people talking about what's worked for them. The Sigma project does a ton of great work in this space; they have thousands of analytics that are out there for free. You can go download them and use them in your environment. They have converters, so if you're a Splunk user you can convert Sigma to Splunk, adjust it to match your logs, and use it in your environment. We've been doing a lot of this ourselves too, for quite a while. MITRE launched something called the Cyber Analytics Repository actually before even ATT&CK came out. We've integrated that into ATT&CK, and we now have, as of the release that just came out before I started speaking, over 300 analytics in ATT&CK itself, where you can go to specific techniques, find analytics, and be able to implement them in your environment. There are other open source, freely available resources out there that you can just bring in and use in your environment without having to pay anyone.

I'm going to briefly touch on threat intelligence as well. I talked a little bit about taking a threat intelligence approach already, looking at prioritization with adversaries, but the way we see people using ATT&CK for threat intelligence is as a way to gather information on a particular adversary. It can let you, speaking in a common language, compare what it is you're seeing and exchange data, and it can give you an enumerable list of things to look at. ATT&CK only has about 500 techniques and sub-techniques, and that is not the range of the possible, but it can break down some of the specific actions that have been seen in the past and make a threat group a little bit more manageable. Similar to what I was talking about with mitigations, building up a broader threat intelligence program, you often just want to start with one group, start at the beginning, and build up. Again, just because it isn't in ATT&CK doesn't mean it isn't true. We often see people limiting themselves to the framework. They'll go to our Groups page and go, oh, well, CrowdStrike says APT29 does this, ATT&CK doesn't. We only release twice a year; we might be behind, I might not have had the resources to have somebody map that report. So if you've got solid data that's out there, or your own sources, your own intel analysts that are saying that an adversary is doing something, please listen to them. There's a good chance that they're right and we're behind; we are a relatively small open source project. So, building up: start with one threat group you care about, I went into some of the strategies for doing that earlier, and start building up the techniques that that group uses. I've already shown a little bit from the MITRE Groups pages, but one of the benefits of a lot of governments and a lot of threat intelligence firms now publishing
reports that include ATT&CK technique IDs is that there are a lot of other sources you can gather data from. MISP, which is an open source threat intelligence platform, has all sorts of what they call galaxies that pull in a lot of this information, and then your commercial threat intelligence that you're already paying for, from the big incident response vendors, may have this stuff in it.

Adversary emulation: this is looking at red teaming again, but specifically red teaming focused on looking like an adversary. Red teamers don't always like ATT&CK, because we may make their red teaming sometimes a bit more boring. A red team wants to go out there and play with the new technique that just appeared at DEF CON, and some company telling them to stick to ATT&CK is sort of forcing them to do the old, boring thing that might have some defenses against it. But that can help you test out your defenses, see what aligns, see what actually works and doesn't among the things you think you're doing. There's a lot of information in ATT&CK that a red team can use to make things easier. The procedures I showed earlier can let red teams find specific things to imitate from various groups, as well as there being a number of tools and resources out there already linked to ATT&CK. A lot of the red team and breach and attack simulation vendors already use ATT&CK technique IDs in their products, if you're using those as well. Building this out, you don't have to go too expensive. If you have the resources to bring in a professional, full-fledged red team or a fancy breach and attack simulator, great. If you don't, though, there are open source tools that can help you get pieces of this, can help you do little bits of testing. These are some of the ones that I've already shown you, so using things like Caldera and Atomic Red Team to be able to try out at least some of the smaller pieces of what you could do with a larger vendor. ATT&CK's something that you can use to mature your red teams over time, too. They're not going to be able to use most of the techniques in a single intrusion, but it leaves them a lot more to work with. We see a lot of organizations with red teams use it as, for instance, a technique a week that they're learning about, seeing how they would use it, looking at the various procedures. For some techniques we have dozens and dozens of different adversaries that have done them, and how each of those adversaries has done them. Once again, if you have the internal resources, if you have the internal threat intel analyst, use them; use the resources that you already have. A lot of them are probably already using ATT&CK to talk about these behaviors. And finally, most importantly, red teaming without working with the blue team, without working with the defenders, is just sort of abusive; you're just kind of beating them up. It really is important to bring the blue team into the picture, make this purple teaming, and make this a team activity for actually making defenses better.

Finally, wrapping up with assessments and engineering, pulling these pieces together. Once I've looked at what I'm doing in the detection space, I've looked at what my adversaries are doing and how that compares, and I've gone through and tested to see if the things that I thought were working actually did, I can pull this together into a complete picture and start making informed decisions on what it is I want to work on next. Also looking at where it is that I might need to accept risk: there are techniques in ATT&CK that you are probably not resourcing to handle, and one that maybe some of you are and some of you aren't is something like supply chain. An adversary in a foreign country is
adding things into our products as they're coming into our mix. Especially if it's hardware products, we might not have the wherewithal to be able to inspect them, to look at our chips, to get them under a microscope, and so that may be something where we have to accept risk. There are also things like firmware compromises, where probably an even larger portion of us really aren't set up to see if that happens. But again, we don't judge; we talk about what the adversaries are doing whether or not we think we can defend against it. So you can use ATT&CK to track what you're doing now and compare it with where you want to go from there. Again, it's not sexy, but the easiest way, and often the best way, to do this is to talk to people. Rather than trying to find some magic tool that's scanning and seeing what's there, finding what's working, ask your detection team what it is they can detect. Talk to your threat intelligence team about what adversaries they're concerned about, what they're seeing. Use your red team to see which of these things that you think are there work, and how those adversary profiles that you're worried about actually line up with your defenses. Then pull those all together and look at what you can defend and where your gaps are. So, something like this, where I'm looking at what techniques adversaries do, what can we detect of those, how can we improve. Where are the gaps between what our adversaries are doing and what we can actually stop? And then going back and using adversary emulation to make sure that everything we just figured out is actually true.

So, I started this journey by getting into simple mitigations that we probably all already knew we should be doing. I know I'm preaching to the choir a bit in talking about things like backups and software updates, but it is important to remember that these little things can still actually prevent some really big intrusions and some high-end actors. You know, in a lot of cases you just have to be faster than the company next to you. There are a lot of small steps that we can take. There are things we can pull from a framework like ATT&CK, which is really a little bit more focused towards larger companies, big organizations, to take off bite-sized chunks that we might be able to get into. And that's not just true of ATT&CK; for other frameworks as well, there can be approaches where you're not trying to absorb everything at once, but breaking it into manageable pieces. And then finally, as we get these things working, as stuff's actually coming together, making sure that we're stepping back and improving our defenses as we do have the resources to actually be able to go in and do these things well. So that's me. I'm fairly easy to find online; we just put out a bunch of social media about two minutes before my talk on the ATT&CK release that just came out today. Happy to answer some questions.

Okay, I think since we have streaming online we probably want to wait for a mic. Yes?

Hi Adam, great first name, my name is Adam also. First I just wanted to say that the little blurb you had about making your red teams pick a different
attack every week is beautiful. I think people forget that training red teams as part of their daily tasks is super important, so I love that you said that. The question I have for you is, with this framework growing, which is pretty quickly, as it expands we get more threat actors, more things added to it. What's the strategy behind how you're going to keep it a living document? Do things fall off, do things become diminished, do some things grow in prevalence, and things like that?

That's actually a really hard question. We have generally just been additive, because we recognize that removing things like techniques that have been baked into thousands of products becomes really painful. The last time we did really significant nips and tucks to the framework was 2020, when we did sub-techniques, and we actually removed a bunch of information as part of that. We will occasionally deprecate techniques where we realize that we maybe leaned a little too far forward, we added something to the framework that people aren't really seeing. Hypervisor breakout, for example, used to be part of ATT&CK. It's something we know is possible, red teams have succeeded on it, we've seen vulnerabilities that could lead to it, but we don't really have adversary intelligence that goes with it, and so we removed that from ATT&CK. We've tried to do some stuff with something called campaigns to make our threat intelligence better reflect time windows. Campaigns are where we're taking apart our ATT&CK groups and splitting them into information that is over finite periods of time, so that you can actually see that when we're talking about APT1 we're talking about activity that took place 10 years ago; we haven't seen much of this group in a while. I still need to figure out a better way, though. We're probably not going to really get into deprecating techniques, but how to better handle groups that are really dead, making it more obvious. It is useful to know that this group did this thing 10 years ago, but also knowing that you're not actually going to see them today; they haven't operated in quite a long time now.

We've got a question back here. Hold up, this one.

Hi Adam. Sorry, [inaudible] Mary's mic, or Carl's mic, I guess. Hey Adam, first of all, Huntress says hi, and we love you guys and we love the framework, and it's immeasurably useful to us and our detection engineers, and say hi to Joe Slowik for us, and we miss him. So my question is, with the new release, and this was news to me, I didn't realize that there was a release dropping, can you talk a little bit about some of the new changes, specifically as it relates to the identity space?

Oh yeah. It's funny, I actually was just talking about this last week because we had our own conference, ATT&CKcon, so I'm shifting mental gears a little bit back to that. Many of you may be aware that Azure AD stopped existing as a name, I think a year and a half ago now, and ATT&CK has continued to have a platform in it called Azure AD. We knew we had to do something about it, but we've been looking more carefully at the identity space instead of just switching the name to Entra, and we've realized that since we created Azure AD a lot of other players have become more common in the space, so Okta is all over the place in identity management. We just added, about an hour ago, the identity platform. I'm flubbing on the name since it's only been out for an hour; we didn't call it Identity
as a Service, but it's something close to that, that looks at things that are actually universal, or happening across these multiple identity providers. Especially with us just adding it, it's going to be a space we're watching closely, especially where adversaries have been really active in that space the last few years. APT29 in particular has done new stuff over and over again, and so we're going to be looking at new techniques in that space very closely.

Adam, in years gone by vendors were quick to position themselves on the Gartner and Forrester charts, and you find today you talk to a vendor and they're quick to position themselves on the MITRE test and where they fit. As decision makers, how much validation should we be putting in that? Obviously, from what you're saying, MITRE is top-notch, but they do make a great pitch to say, hey, we're number nine, or we're number five, or we're number 20.

Yeah, I would definitely verify. MITRE has done some work in that space going back a number of years called ATT&CK Evaluations. That's in some very specific product spaces, where they have worked with the EDR, XDR, whatever DR acronym you want to use, vendors, as well as managed defense and response providers, to look at taking red teams, putting them up against them, and making them show their evidence that they're able to see that, actually giving them ATT&CK techniques. How those organizations use that in marketing is one thing, but MITRE also publishes all of the raw results, and so you can go and actually see how these various things the red team did appeared in their consoles, and see that for yourselves. So I would absolutely verify. But the other thing is, something that we've been advising for a long, long time: I hopefully didn't use red and green in my presentation to describe techniques you can see and don't see. That's very intentional, because almost everything is a shade of blue or gray or something. When something says, I detect a technique, well, you probably don't detect every way a technique is done. There are some adversary things that are so fundamentally done a specific way that yes, that might be the case, but oftentimes you might have a product where there's one specific way that it might catch it, and every other way it just drives through. So yeah, it is important to take a look. There are some organizations out there that are putting together some maps from various vendors. Some of them are verifying that, some of them are not, and so there are some places you might be able to use as third parties, but if you do have the resources to verify yourself, I would absolutely recommend it.

Hi there. Just going back to the concepts of red team and blue team, in the Cayman Islands the typical size of organizations, they're not massive enterprises, it's like 5 to 50 or that kind of scope. The resources required for red teams and blue teams are probably well in excess of the general kind of concepts for the typical Cayman Islands company. So how do you fit in that concept of red team, blue team for the businesses? How does that work?

If you really can't get there, there's a reason why I do have that later in all the sequences: it is something that requires more resources, more care and feeding, more money to get into. But that's also why I've got some of those lighter-weight resources. Things like Atomic Red Team are not a red team; they are things that a security practitioner can run on their own network and see a little piece of something a red team could do. Going into the simulators is not going to save resources and money; those can be just as expensive as a red team. But some of the lower-end resources... Or maybe it is something that is beyond a lot of organizations' capability to do.

It is, it is. I serve the SMB space in the US. In the US there's, I like to say, 5,000 Fortune 5,000 companies; there's 30 million small businesses. If we're just looking at small businesses that have one employee or more, 1 to 500 employees, there's 8 million. That's still 1,600
times the number of businesses as one Fortune 5,000 company. The concentration is going to be a little different in the Cayman, but it's going to be the same principle, right? So I think, to Adam's point though, you did a very good job of showing where somebody can start on that. I think your IT resources in Cayman do need to become more security aware, because I didn't see a lot of Cayman MSPs here, right? And that's kind of a call-out: your IT folks need to be more security savvy. They don't have to be Adam, but they do need to be more aware. Any other questions? I'm sorry to jump on my house. I think we started a few minutes early, so if we want to keep going with questions, I'm able to.

Before I start my question, I just want to say, have you heard of the exploit database, Exploit-DB, on the internet?

Sure.

So a question for ATT&CK then: does it list exact exploits, like what the exploit database does, by name, and then show you how to mitigate? Is the question.

No, not much. Most of ATT&CK actually doesn't link to exploits. Most of what's in ATT&CK is actually features, not bugs. Most of the behaviors that we list in ATT&CK are actually taking advantage of administrator functionality, so things that Microsoft intentionally put in the operating system, for example, but didn't intend an adversary to use. There are pieces that require exploitation, so some of the activities for doing spearphishing, but we don't get into particular exploits; we give some examples. There's been some work from the Common Vulnerabilities and Exposures team, CVE, which is also MITRE, which is similar to a vulnerability database, to look at mapping some of those into particular ATT&CK techniques, to maybe add ATT&CK techniques to CVE as stuff comes out. But most vulnerabilities are never exploited by adversaries, at least not that we ever see, the vast majority, and the vast majority of ATT&CK techniques don't require an exploit to do. There are specific tactics that are exceptions to that. Credential Access: you're not really supposed to be able to dump creds on most systems, so Mimikatz is taking advantage of vulnerabilities in some cases, or other dumpers. Privilege Escalation is often taking advantage of not just administrative privileges but in some cases vulnerabilities as well. But the vast majority of ATT&CK actually never links to exploits, and so it's not a direction we'd really go in, just because it's a bit of a mismatch between the two.

Would you say that ATT&CK is geared towards Windows or Linux or both, when it comes to the mitigations specifically?

So, the honest answer is Windows. I wish that wasn't the answer, and actually I gave a talk last week at our own conference talking about where do we go next that had a big sad penguin on it, Tux crying on the screen. ATT&CK is based on threat intelligence, on what we know adversaries are doing, and incident response firms primarily talk about Windows; we've got a lot longer history of seeing reporting in that space. ATT&CK originally was just Windows, back in 2013, when the original techniques were being pulled into the greatest security tool there is, Excel. It was just Windows, but it's gone from there. We added Mac and Linux back in 2018; we've added a bunch of cloud platforms. But the reporting in those spaces is nowhere near as strong, and it's not as strong as the actual adversary activity is either. There is more happening in the Linux space from adversaries than is making it into the types of reports that we're able to use in ATT&CK, and so we're digging in behind the scenes, we're working with vendors, we're trying to get people to talk more about Linux, but it's a challenge. The Linux security community is also very different than the Windows security community. In the Windows security community
you have a lot of practitioners; you have people that talk about how to secure networks, how to look at various adversary activity, and, because they don't have access to the source code, how do you actually work with it more as an administrator. In Linux there's a much stronger community in software security: how do I write a secure kernel, how do I get that last vulnerability out of that piece of open source software. The community of security administrators in Linux is just not as strong. If anyone knows a good conference to go meet people that are in that space, and that hasn't kind of gone out of business, we are very interested. This has been a tough nut for us to crack. I turned a fairly simple answer of Windows into a long answer, but there are a lot of reasons behind it and we'd like to fix them. We think Linux is extremely important; we think it's being used by adversaries a ton, especially where, when I say cloud, when I say IoT, when I say routers, for the most part these days I mean Linux.

I'm gonna jump in with my own question here. You said you had added identity management platforms, basically, and as somebody who serves the SMB, none of my clients have a network, right? They're all in cloud services; they're all heavily relying on those kinds of things. Do you think that by adding these kinds of attacks you will be able to better help those smaller businesses identify and protect themselves?

Yeah, well, we've found a pattern that when we add spaces to ATT&CK, it gets onto a lot of organizations' radar fairly quickly. We take that very seriously in terms of thinking very hard before we go into new spaces and trying to do it well; that's somewhat why it took so long for us to go from Azure AD to an identity platform. We recognize that it's going to cause a lot of organizations that use ATT&CK as a core to look more broadly at different structures they're using. But we also want that; we want there to be a little bit more of a look, especially where there has been a lot of adversary activity, at more than just Azure AD, at the broader set of identity platforms.

Great, thank you. Any more questions? Oh, we're out of time. Mary's like, shut up, Carl. I think I'm between you and lunch now.

Oh, I see. Really quick, go ahead Adam.

If anyone wants any ATT&CK stickers, I actually brought a bunch with me to Cayman, and I'm happy to share, so find me up at the front, find me at lunch, and I've got stickers.

Fantastic, thank you. And with that, let's break for lunch. I believe we're in the same place we were in yesterday, is that correct? So out the doors to the right. Go.