
Your Cyber Defense Game-Changer: MITRE D3FEND and How to Master It | Saba Bagheri

BSides Sydney · 33:30 · 633 views · Published 2025-02 · Watch on YouTube ↗
About this talk
"In this talk, I will explore how the MITRE D3FEND can be leveraged to bolster cyber defenses, building upon the widely recognised MITRE ATT&CK framework. By focusing on proactive defense strategies, this session will demonstrate how organisations can adopt the D3FEND Matrix to counter evolving threats effectively. The session will feature real-world use cases and provide actionable insights to enhance security posture."
Transcript [en]

Alright, so our next presenter will be Saba, who will be presenting "Your Cyber Defense Game-Changer: MITRE D3FEND and How to Master It", which sounds very interesting. I'll leave it there and let her take it away. Off you go.

Okay, thank you. Hello everyone, and I hope you are enjoying the conference so far. Today I want to talk about the MITRE D3FEND framework. Just for my own knowledge: is there anyone in the room whose organization has started implementing this framework? Okay. So basically I want to talk about this framework today because it's a kind of new framework, and it would help organizations structure their defenses.

But before I explain the framework, I want to introduce myself. My name is Saba Bagheri. It's been 15 years now that I have been working in the industry as a whole. I used to work in software development and design, and then had a career transition into cyber security. I started as a cyber security researcher, but then was involved in different projects, working as a consultant in cyber threat intelligence and risk management, and did some security architecture work. At the moment I'm working for one of the government departments in New South Wales. In terms of my educational background, I have a PhD on cyber security resilience and a number of certifications.

Before I start talking specifically about the MITRE D3FEND framework, I want to share a story about an incident that happened a few years ago, because I believe it is very important for us as cyber professionals, for those who are new to the industry, or for students thinking about coming into the cyber security field, to highlight the importance of having a good understanding of attacker behavior and then applying a structured approach to deal with that behavior.

Back in May 2021 there was a large fuel pipeline in the United States called Colonial Pipeline. They experienced a massive ransomware attack. The group that targeted them was called DarkSide, and they were able to gain initial access to the environment using a combination of phishing and vulnerability exploitation. Once they gained access to the systems, they deployed ransomware, they copied sensitive data, and the whole operation shut down. As a result of that attack, part of the United States, the East Coast, experienced fuel shortages and panic buying started. The company faced a very tough situation. They had to decide whether to pay the ransomware group, because they wanted to weigh the cost of the shutdown against the ransom payment, which at the time was around 4.4 million. In the end the company decided to pay the ransomware group, because they had to regain access to their infrastructure.

That incident raised a big question about companies' cyber security measures and their readiness to deal with these types of ransomware attacks. Specifically, it shows how challenging it is for organizations these days when they want to deal with a ransomware attack, because it is important for an organization to have a structured approach to defense, using frameworks like ATT&CK or D3FEND, which I'm going to talk about during this presentation today.

What this talk covers: I want to talk about MITRE D3FEND, but before that I first have to explain MITRE ATT&CK. You may wonder why I need to explain MITRE ATT&CK as well. The answer is that in cyber security we cannot talk about defense before we know what we are defending against. MITRE ATT&CK is the how and what of attackers, and that's why I first talk about ATT&CK, then about D3FEND, and then give you a few use cases of how we can use this framework effectively.

Okay, MITRE ATT&CK. It basically helps us know the bad guys. It's like a trusty GPS that can help us navigate the complicated threat landscape, and it's like a guidebook containing all the information about attacker behavior. Imagine that you are a detective working on a very complicated case. You have a couple of clues about past crimes; when you put those clues together, you can predict, based on past crimes, which criminal group it might be and what they might do next. This is exactly how MITRE ATT&CK can help us, because it shows us information about attacker behavior, what they might do next, and how we can understand their behavior in our environment.

So MITRE ATT&CK, by definition, is a documented collection of information about malicious behaviors that advanced persistent threat groups or ransomware operators have shown in real-world incidents and attacks. It's a globally recognized framework. ATT&CK stands for Adversarial Tactics, Techniques, and Common Knowledge. If you go to the MITRE ATT&CK website you will see the framework: at the top you can see the different attacker tactics (at the moment we have 14 tactics), and below each tactic you can see the list of techniques. What are tactics and techniques in the MITRE ATT&CK framework? A tactic is the high-level goal attackers try to achieve. Imagine an attacker wants to gain initial access to your environment, or they already have access and want to escalate their privileges. Each tactic has a number of techniques; a technique is the method used by the attacker to achieve that tactic. Below each technique there are a number of sub-techniques, which are more detailed implementations of, or information about, that technique.

On the MITRE ATT&CK website you can search for different advanced persistent threat groups or ransomware operators, and when you search for a group you will be shown the list of tactics and techniques used by that group. For example, take Volt Typhoon. Volt Typhoon is a Chinese advanced persistent threat group known for its cyber espionage activities. It usually uses a combination of tactics, techniques, and sub-techniques, and this group is specifically interested in targeting critical infrastructure and government departments, particularly in Australia. One of the tactics of this group, based on MITRE ATT&CK, is Credential Access. Credential Access covers the methods attackers use to access the usernames, passwords, or API keys of systems or users. If you go to the MITRE ATT&CK website and search for Credential Access, highlighted there, you can see there are different techniques under Credential Access. One of the techniques used by this group is called Brute Force. Brute forcing is basically a method that attackers use to guess users' passwords. Each technique, as I mentioned, has some sub-techniques, and this group particularly uses the Credential Stuffing sub-technique of the Brute Force technique. Credential stuffing is the method where attackers use stolen, legitimate credentials from past incidents to try to access the different platforms used by the users, because lots of users use the same password to access different platforms. This is basically how MITRE ATT&CK can help us understand attacker tactics and techniques.

So far I have explained MITRE ATT&CK and how it can be used as a guideline for us to understand attacker behavior. Now that we understand attacker behavior, it's time for us to know how we should defend against those behaviors. So let's talk about MITRE D3FEND. MITRE D3FEND is like a cyber security toolkit; it's knowledge gathered in a framework format, a model format, about what we should do as cyber defenders. D3FEND stands for Detection, Denial, and Disruption Framework Empowering Network Defense. The aim of this matrix is to standardize the language we use when we talk about effective cyber strategy; it aims to make cyber security clearer and more efficient, and also to provide actionable items for defenders. These two frameworks, MITRE ATT&CK and MITRE D3FEND, complement each other, because when you look at privilege escalation in MITRE ATT&CK, you can find defensive countermeasures for it, sorry, for privilege restriction, in the D3FEND matrix.

Before I explain MITRE D3FEND further, I need to highlight a few points about this specific framework. MITRE D3FEND is a great framework that can help us identify a list of defensive techniques, but the reality is that this framework doesn't give us guidance on how, or which, techniques we should prioritize in our environment. It is our responsibility, based on our own environment, to decide which ones we should pick up. Also, MITRE D3FEND is a maturing research project, and its creators are still adding defensive action items to it, but it is mature enough and stable enough that you can use it as a model to structure and guide your defenses.

So how do we use the MITRE D3FEND framework? Basically the first thing you need to do is go to the d3fend.mitre.org website. When you go there you see the navigator, and in this navigator you can see the list of D3FEND tactics at the top and the D3FEND techniques below each tactic. It is a little bit similar in structure to the MITRE ATT&CK framework, but obviously this framework is just talking about defensive actions. At the moment we have seven defensive tactics in this framework, compared to the 14 attack tactics in MITRE ATT&CK. We have Model, which basically talks about what we want to defend; for example, when you have your asset inventory or your software inventory. Harden is the list of defenses to harden your applications; it is before an attack happens, and it's more around what you do before you actually go live with your system. Detect is the list of techniques for detecting malicious behavior. Isolate is the tactic about how you isolate your systems once an attacker is there. Deceive is the list of deceptive techniques, for example when you want to lure attackers or mislead them into an observed environment like a honeypot. Evict is when you want to remove the attacker from your environment, and Restore is when you want to restore your systems back to normal operation.

The D3FEND matrix is an interactive tool. At the left side of the matrix there is a section called ATT&CK lookup. If you go to ATT&CK lookup and search for a specific attack technique, you will be shown the list of defensive actions or recommendations for that particular technique. At the right part of the framework you will see D3FEND lookup: if you search for a specific defensive technique, you will be shown further detail, countermeasures, or information about that particular technique.

Let's go through one example together to see how we should basically use these matrices. Imagine a company has a great CISO. The CISO always tries to stay vigilant about the latest threat trends, and the CISO recently read something about attackers using a particular technique called Valid Accounts. The CISO became very worried and reached out to the cyber team: "Hey cyber team, what should we do?" Imagine that you are part of that cyber team and you recently got trained on MITRE D3FEND. The first thing you need to do, obviously, if you do not know what Valid Accounts means, is to go to the MITRE ATT&CK website, the best place, and find information about Valid Accounts. Basically, Valid Accounts refers to methods where attackers use valid credentials they already obtained through past incidents or past data breaches and use them for other attacks. When you actually understand Valid Accounts, the next thing is to understand what defensive countermeasures there are. So you go to MITRE D3FEND, and in the ATT&CK lookup you type Valid Accounts, and then you will be shown the list of defensive actions or recommendations. Usually in MITRE D3FEND you find many defensive recommendations, because they follow the defense-in-depth principle, but I just picked two of them to explain each separately: Account Locking and Multi-factor Authentication.

Account Locking: imagine that you click on Account Locking. Basically the MITRE D3FEND framework gives a specific code to each defensive item, defines that item, and explains how it works and the considerations about that particular item. For example, in this case Account Locking is the process of temporarily disabling user access to an account based on observed malicious activity. The next one is Multi-factor Authentication; same scenario: if you click on that one you will be shown a code for that particular item with further explanation. This is how you can use MITRE D3FEND. You actually take the list of recommendations, send it to the CISO, and then it's the CISO who needs to decide whether to implement it or not.

So far I have explained MITRE ATT&CK and MITRE D3FEND. And yes, MITRE D3FEND is really great and it can help us a lot, but the reality is that we are in a world where the threat landscape is constantly changing, constantly evolving. We are dealing with sophisticated advanced persistent threat groups or ransomware operators, some of which are being funded by other countries, and it's really, really hard for us to keep up with their tactics and techniques. We cannot go through each of these groups' techniques and tactics in MITRE ATT&CK, then find defensive actions in MITRE D3FEND and try to implement them all; it is really not possible. Another thing is that the budget for cyber security is very limited, and time is also limited. So what is the solution? The solution lies in looking at this whole challenging environment from a threat intelligence perspective. By that I mean that you first need to understand what threat landscape is really applicable to your environment. For example, if you work in a financial organization you may find yourself being targeted, or concerned, by a different group of threat actors, whereas if you work in a government corporation or government department, based on the data that you store, you may see different groups of threat actors interested in targeting your organization. So the first thing is that you need to understand your enemies; you need to understand who may be thinking about targeting you. The next thing, after you understand your enemies, is to find a way to understand which attack techniques from these enemies are commonly being used, because you obviously cannot just pick up all the techniques used by these groups. Then, based on those common behaviors, you should prioritize your defenses and implement targeted defensive measures.

Let's go through another use case together. This is a fictional story. Lately we have been hearing a lot about the Rhysida and RansomHub ransomware groups causing trouble for Australian companies. Our CISO is in a hurry and asks the threat intel team to figure out how we can stop these guys as soon as possible. The tricky part: we don't have a big budget for fancy tools, so we will need to get clever and find a smart, low-cost way to protect ourselves. Okay, we don't have budget, which is very common for the cyber team in all organizations, and whatever recommendation we provide to the CISO, we should be in a hurry; it should be done as soon as possible, the time is limited.

The first thing you can do is get to know these two guys: who are these two ransomware groups? Let's look at the first of them, Rhysida. Rhysida is a ransomware group that emerged in April 2023. This group is known for using a sophisticated combination of different tactics and techniques, and it's targeting different organizations across the world. One of its recent attacks was an attack on Axis Health System, and as a result of that attack the group requested $1.5 million from the victim. I did some research about this group's techniques, so this is a snapshot of the MITRE ATT&CK website; I put the techniques used by this ransomware operator in yellow. These are the techniques being used by this group.

Let's go through the next one, RansomHub. RansomHub is a slightly newer ransomware group that emerged early this year. It is specifically known for using a ransomware-as-a-service kind of model, and also for targeting all different types of industry across the world. Since February 2024 it has been responsible for attacking more than 200 organizations across the world. So what I did is, again, I spent some time and found the list of techniques used by this group, and the areas in green show the techniques used by this group.

So now we have each group's attack techniques, and we cannot go through each of these techniques and try to find a way to stop them or mitigate the risk of each attack technique. What we need to do is understand which of these techniques are commonly used by both groups. For that purpose I merged these two matrices, and you see there are two different cells highlighted in red; these show the techniques commonly used by both groups. Because our time is limited and we must prioritize our defensive actions, our defense mechanism should focus on these two. The two techniques are Exploit Public-Facing Application, in which attackers target the public-facing or internet-facing infrastructure of the victim and find the vulnerabilities there, and Command and Scripting Interpreter, where attackers use command-line interfaces or other scripting languages to carry out malicious activities.

So your defensive actions should focus on these two. For Exploit Public-Facing Application, usually you need to find out in the different threat intelligence reports what specific vulnerabilities have been reported as being exploited by these two groups, then find out if anything in your environment is impacted by those vulnerabilities, and apply patches. The next one, Command and Scripting Interpreter: this is a specific technique of the attacker. If you go to the MITRE D3FEND website there are lots of different defensive recommendations; I just picked two of them. File Integrity Monitoring: you can put a recommendation about this particular defensive action. And also Local File Permissions: for example, you can restrict the ability of different users to run a script.

Key takeaways. In this presentation I tried to explain how we can set up a strong defensive strategy, and there are three main points that I want to highlight. The first step is to understand your enemies, who may target your organization, and then you need to understand their behaviors, the techniques and tactics they are using; the best place to identify these behaviors is the MITRE ATT&CK website. The next one is, based on the observed behavior of attackers, you need to put together a structured list of defenses, and you can use MITRE D3FEND because it gives you a structured approach to model your defenses. The last one is making sure that you prioritize your defenses based on the specific threat landscape that you have.

I would like to finish off my presentation with a quote from Stéphane Nappo: "It takes only 20 years to build a reputation and just a few minutes of cyber incident to ruin it." So let's ensure that these few minutes are met with a strong cyber strategy. And if you have any questions...

Thanks for sharing. Do you see any difference between MITRE D3FEND and the [unclear] cyber defense framework?

Sorry, what?

In principle, the difference between MITRE D3FEND and the [unclear] cyber defense framework.

Cyber defense... sorry. Yeah, it should be different, because, well, I'm not sure about that framework, but the D3FEND framework is exactly a mapping between MITRE ATT&CK behaviors and the countermeasures for that specific behavior. I'm not sure if that's the same; I don't think it should be.

Yeah, attacker behaviors, but that framework has more activities, like threat intelligence or threat hunting and [unclear] or something else, so that means it's more of an approach than... it's very limited for MITRE D3FEND.

Okay. Let's go to...

Hi Saba, it's a really great talk. I've got a question about mitigations in the MITRE ATT&CK framework. You have mitigations against attack techniques; is there a commonality between those and D3FEND, or does one inherit from the other, or pass to the other?

So your question is about the list of mitigations and detections that we already have in the MITRE ATT&CK framework? Okay, it's a very good question; I'm happy that you asked it. Those detections and mitigations in the MITRE ATT&CK framework are very general; they are high-level guidelines about what you need to do. But MITRE D3FEND goes very deep, to a very granular level of information, very technical guidelines about how you should implement those things. It even considers, for example, how you stop false-positive alerts and what considerations need to be there. It's very technical, detailed information, which is different from the high-level guidelines in MITRE ATT&CK. But that's a very good question, thank you.

Thank you very much for the talk, excellent. Inside the D3FEND framework I was really happy to see that there was stuff about recovery and isolation, beyond just what we traditionally think of as protection. From your perspective, how can we extend from ATT&CK to D3FEND into something like the NIST Cybersecurity Framework, so that we see the entire life cycle from protection into detection, response, and recovery? Does D3FEND cover that, and how does that map?

Sorry, you are asking about the NIST framework, right? The NIST CSF?

Yes, as an extension from the MITRE work.

Okay, that's a very good question again, thanks for that. In their blog they actually published a mapping between NIST control items and the MITRE D3FEND framework. I can show you on the website after this presentation. They specifically mapped it between the Protect and, if I'm not mistaken, the Detect part of the NIST framework.

Awesome. Any other questions? Going once, going twice.

All right, thank you Saba for that. This is from BSides Canberra, a little present for you. That was a very succinct talk for defenders. All right, that's a bit of a lunch break now until 1:30, and I'll see you all back in here then if you want to see the next talk. Thank you.
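The prioritization step the talk walks through, taking the ATT&CK techniques of the threat groups relevant to you, keeping the ones they share, and then looking each one up in D3FEND's ATT&CK lookup, is mechanical enough to script. The following Python is an added example, not code from the talk or from MITRE. The group technique lists are constructed sample input, and the small ATT&CK-to-D3FEND table stands in for the lookup on d3fend.mitre.org; its D3FEND IDs are quoted from memory and should be verified against the live matrix before they go into a plan.

```python
"""Prioritize defensive techniques from the ATT&CK techniques that several threat
groups have in common, then look up D3FEND countermeasures for each.

Added example, not code from the talk or from MITRE. GROUP_TTPS and D3FEND_MAP
are constructed sample data. In practice the group technique lists would come
from ATT&CK (group pages, STIX bundles or Navigator layers) and threat intel
reports, and the countermeasures from the ATT&CK lookup on d3fend.mitre.org.
"""
from collections import Counter, defaultdict

# Constructed sample input: ATT&CK technique IDs attributed to three
# hypothetical groups. Sub-techniques use ATT&CK's "T1110.004" form.
GROUP_TTPS = {
    "group_a": ["T1190", "T1059.001", "T1486", "T1110.004", "T1078"],
    "group_b": ["T1190", "T1059.003", "T1486", "T1566.001", "T1021.001"],
    "group_c": ["T1566.001", "T1059.001", "T1078", "T1021.001"],
}

# Constructed, deliberately incomplete ATT&CK -> D3FEND mapping keyed by parent
# technique: (D3FEND tactic, D3FEND technique ID, name). The IDs are quoted from
# memory of the D3FEND matrix and must be verified against d3fend.mitre.org;
# the point here is the workflow, not the table.
D3FEND_MAP = {
    "T1190": [("Harden", "D3-SU", "Software Update"),
              ("Detect", "D3-NTA", "Network Traffic Analysis")],
    "T1059": [("Harden", "D3-LFP", "Local File Permissions"),
              ("Isolate", "D3-EAL", "Executable Allowlisting"),
              ("Detect", "D3-PA", "Process Analysis")],
    "T1078": [("Harden", "D3-MFA", "Multi-factor Authentication"),
              ("Evict", "D3-AL", "Account Locking")],
    "T1110": [("Harden", "D3-MFA", "Multi-factor Authentication"),
              ("Evict", "D3-AL", "Account Locking")],
}


def parent_technique(technique_id):
    """Collapse a sub-technique ("T1059.001") to its parent ("T1059")."""
    return technique_id.split(".", 1)[0]


def technique_coverage(group_ttps):
    """Count, per parent technique, how many groups use it (once per group).

    Comparing at parent level is what the talk's merged matrix does: two groups
    using different Command and Scripting Interpreter sub-techniques still share
    T1059, and the same D3FEND countermeasures apply to both.
    """
    coverage = Counter()
    for techniques in group_ttps.values():
        coverage.update({parent_technique(t) for t in techniques})
    return coverage


def prioritize(group_ttps, min_groups=2):
    """Return (technique, group_count) pairs for parent techniques used by at
    least `min_groups` groups, most-shared first; ties are broken by technique
    ID so the output is stable."""
    coverage = technique_coverage(group_ttps)
    shared = [(tid, n) for tid, n in coverage.items() if n >= min_groups]
    return sorted(shared, key=lambda item: (-item[1], item[0]))


def defense_plan(group_ttps, d3fend_map, min_groups=2):
    """Map each prioritized technique to D3FEND countermeasures grouped by
    D3FEND tactic. Techniques with no mapping are listed under "unmapped" so
    the gap is visible instead of silently dropped."""
    plan = {"unmapped": []}
    for tid, n_groups in prioritize(group_ttps, min_groups):
        measures = d3fend_map.get(tid)
        if not measures:
            plan["unmapped"].append(tid)
            continue
        by_tactic = defaultdict(list)
        for tactic, d3_id, name in measures:
            by_tactic[tactic].append(f"{d3_id} {name}")
        plan[tid] = {"groups": n_groups, "countermeasures": dict(by_tactic)}
    return plan


if __name__ == "__main__":
    for tid, n in prioritize(GROUP_TTPS):
        print(f"{tid}: used by {n} of {len(GROUP_TTPS)} groups")
    for tid, detail in defense_plan(GROUP_TTPS, D3FEND_MAP).items():
        print(tid, detail)
```

Raising `min_groups` tightens the focus the way the talk's two-group intersection does; the `unmapped` list is the reminder that D3FEND does not yet cover every ATT&CK technique, so those still need a manually chosen control.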