Spotting The Adversary Using The ATT&CK Matrix: A Practical Approach

BSides Bristol · 2019 · 51:35 · 228 views · Published 2019-07
About this talk
Pete O explores practical application of the MITRE ATT&CK framework for detecting adversary behavior in Windows environments. Drawing from experience as an analyst at a managed security service provider, he covers real-world challenges in monitoring systems, configuring Sysmon and Atomic Red Team tools, and developing detection logic that balances catching malicious activity against managing false positives. The talk emphasizes that effective threat detection requires continuous refinement of Tactics, Techniques, and Procedures (TTPs) rather than one-time validation.
Transcript [en]

Okay, my name is Pete. I work at Connecticut as a senior cyber intrusion analyst, and I've been in this role for about two years. Just to note, my views and opinions are my own and don't necessarily represent those of my employer. So what do I do? I've got a number of roles and responsibilities. I'm leading a team of analysts. My primary responsibilities are analysis into our incidents and escalating those to our clients; capability development, so reviewing our current detection capabilities, identifying any gaps in our coverage and then looking at how to mitigate these; and the key thing is adversary techniques, so this is developing awareness of the TTPs, what are the bad guys

doing out there, how will they exploit vulnerabilities, bypass our detection methods and so on. The final thing, and the important part, is training and mentoring. So I spend a lot of time with the analysts, especially the junior guys, doing one-to-one mentoring. This could be anything from how to use the tools that we have, or doing intrusion analysis etc., doing assessments, maintaining our awareness, a little bit on the career path and so on, and also running CTF exercises, so that's a good measure, but that's being replaced by 24/7 lab access systems now. So I work in a SOC that provides 24/7 security monitoring. We're a managed

security service provider, so we have a number of external clients that we monitor. It's very much a frontline operations environment, so we are dealing with real incidents and it can be quite busy, especially when you've got a lot of clients' incidents happening: how do we prioritise those incidents etc. So there's been a lot of interest in the MITRE ATT&CK matrix in the past year or two, especially on how to adopt it, its pathway for hunting, using it for validation etc., and you've seen lots of mention of it in the previous slides and presentations. So I'm going to be covering the MITRE ATT&CK matrix from a more practical aspect, reviewing what my experience is of it, more specifically on

Windows hosts, using the Sysmon configuration and how it could be used as part of a security monitoring service. The reason for adopting Sysmon and the ATT&CK matrix really was to use the available features within Windows without actually introducing new technology, and we just wanted a simple implementation. The previous presentation covered a lot about the ATT&CK matrix principles, what it is, the origins of it etc., so I'm not going to cover that in too much detail, but I will provide some context of how we've used it and what I was interested to know. But before we jump into the ATT&CK matrix and Sysmon config, I'm going to go back

to basics, just to say why we need monitoring, the need for it and some of the challenges that we face, especially from a security analyst's point of view. Then I'll move on to the ATT&CK matrix, which will cover the deployment aspects and focus a bit more on Sysmon, with some use cases that I've used to validate it, and then finally I'll cover the lessons identified and the opportunities, and where we're going to take this in the future. So security monitoring, doing intrusion analysis, incident response, they all have a need to capture or understand what is happening on IT systems. So going back to absolute basics, why do we need to monitor our systems, what are we

looking for, etc. So in this case, Rob Joyce, who led the Tailored Access Operations group at the NSA, his team responsible for advanced exploitation of IT systems, gave a presentation at the USENIX Enigma conference a few years ago, and this was basically giving an education to computer professionals and academics about how to keep people like him and his team and other threat actors out of a system. One of the key statements that caught my eye was a simple one: it's basically that the system administrator, when they look at the logs, should understand what they mean, understand how it applies to the context of their system. So at the end of the day, an IT system is

providing some function or service; we don't deploy an IT system for the fun of it. So we've all heard of the CIA triad: confidentiality, integrity and availability. A system administrator or a network defender should be able to look at the logs and be able to determine what impact it's having on any of those. So if you accept that monitoring is important, what do we log? There's a SANS instructor who voiced his recommendation for Windows logging: log what you can, storage is cheap. Well, there's a cost with everything, and I think it was highlighted earlier on, but the costs come in if you log everything: you've probably got logging on the

network bandwidth, while storage is cheap, but once you add archiving and backups, and then all your processing and overheads in terms of processing the data, managing it and so on, you know, that starts becoming quite costly, and it could impact the end-user experience as well as the capturing of log data from the endpoints. Quite often, from my experience, system administrators don't configure the log sources properly and they don't provide the correct logs; for example, they provide the logs for the test environment, not the live environment, and then we end up getting blind spots on the network. So from a network defender's point of view, if you capture too many logs you could end up

choking your SIEM by overwhelming it with logs, and then, because the SIEM has to capture them all, you lose the near real-time capability. You can mitigate this somewhat by tuning the endpoints, what logs you collect, to get the right balance, collecting the right level of logs to support incident response, but there are a lot of factors that come into play when monitoring environments, especially when dealing with disconnected users, poor comms etc. So we need to log events, but we need to get the balance right so we log the relevant items, so an analyst or system administrator can go back to them, replay and understand what's being captured. There are a number of frameworks

out there that define critical security controls, such as the SANS Top 20, and there's some logging control stuff in Good Practice Guide number 13, that provide guidance on what events to capture, and you can use that to check your log sources to make sure you're capturing the right events. But sometimes frameworks aren't enough; sometimes the vendors of the appliances don't log all the activity that you need to capture, so you have to think outside the box and explore the data sources. Another issue: system administrators use the default logging policy, just straight out of the box, and that might not capture all the events that you need to capture. There is some help: the NCSC have provided a really helpful

resource called Logging Made Easy. It's a set of configuration profiles for Windows systems that provide recommended GPOs, Sysmon config etc. There's a presentation about this later on today; I recommend you attend that. So I'm going to be focused on the MITRE ATT&CK matrix and Sysmon. I've talked about security monitoring, why we need it and the approaches to logging. I'm now going to be talking about why we monitor, and discuss what we're trying to achieve using the ATT&CK matrix and how it could be incorporated as part of a monitoring solution. So much of our enterprise now is becoming more interconnected, so we've seen traditional activities such

as using on-premises email all the way up to users doing system administration and so on, but the boundaries have changed with third-party external services, cloud-based stuff, and things such as compliance checks and audit checks are becoming more evident. But for the security analyst, adversary behaviour is getting harder to detect, especially if they leverage multiple techniques as part of an intrusion or escalation. We're finding that the clients' operational security teams, whose systems we monitor, are demanding more contextual information about the incident: how did the attack occur, what is the likely impact etc. So a good security analyst, in my opinion, should maintain an awareness of threat adversary tactics; this will help tell good from bad, for

example, know what Windows features look like, legitimate use of those features, so is PowerShell Base64 encoding good behaviour? So the Pyramid of Pain: I always refer to this when I'm discussing with the analysts what we should be aiming for. There's a lot of emphasis on IOCs; as mentioned earlier on, IOCs can be discarded. An entire infrastructure of evil, software components being developed, is expensive for the adversary, but it is doable. What is hard is recreating the TTPs; this is effectively the tradecraft, how the adversary operates. Changing this requires significant investment, new skills, new approaches to attacks, so this is effectively rebuilding a new team with potentially new people and new skill

sets. Well, this is where something like the MITRE ATT&CK matrix comes into play, as it's focused at the TTP level. To understand TTPs, ideally threat intelligence should support this knowledge, but as highlighted earlier on, and what I'm going to say is, at the moment threat intel sources are very heavily focused on IOCs. We are getting more context around those IOCs, how adversaries operate and so on, but another reason why we're not getting the full detail could be that the evidence wasn't captured, it's probably an incident where it wasn't logged or not observed, or it could be that certain information is being withheld because of ongoing investigations etc. So simply

focusing on Windows endpoints, just looking at a clean build of Windows 10, 32-bit version, we can see from this illustration a lot of EXEs, DLLs and a few COM files, and this doesn't include the Program Files folder or other custom-installed applications. So why am I bringing this up? From an adversary's point of view, why build tools when you can use living-off-the-land techniques or exploit the Windows features on the operating system? The fundamental question is, if we've got all of these components, and we've got Windows hosts on our network, where do we focus our attention, where do we prioritise our resources, what techniques do we focus on, and how do we do this in

a consistent manner? The previous presentation, titled MITRE ATT&CK as a Weapon for Hunting, gave an excellent introduction to this and covered a lot about prioritisation. So just quickly going through this: the MITRE ATT&CK matrix has been gaining popularity in the last year or so, but it came to my attention at least 18 months ago, probably a bit longer, and I've been using it for a variety of purposes. Point number one, as a learning resource, to develop situational awareness of the various TTPs; it was a good point of reference, well documented against APTs. Number two, emulating adversaries: generating some of those techniques ourselves to gain insight into what gets generated in

log files, what gets generated on the host, and that's really useful for validating detection, especially if you've got existing controls in place. And then number three was testing vendor solutions. Vendors say their tooling is fully mapped to the MITRE ATT&CK matrix, or their profiles etc., so we flipped that around and started testing their claims, so it's a good way to do a little bit of validation to understand the coverage. Going back to the Pyramid of Pain, the ATT&CK framework obviously focuses on the various TTPs, so it made itself a really good reference, and it's been continually updated with new TTPs and references. So I've talked about what the challenges are and what we're trying to

achieve. Well, how do we use the ATT&CK matrix as a way of detecting adversary behaviour? So I used Sysmon for the time being. This is part of the Sysinternals suite developed by Mark Russinovich from Microsoft. I needed something that was fairly non-intrusive but quite increased the visibility of the endpoint. I had someone say, why not just deploy EDR? Because we're an MSSP, we don't necessarily have the ability to interrogate networks or deploy an EDR, and there are reasons for that: different clients, different infrastructure, different requirements and so on. Well, Sysmon gives us increased Windows events and

uses the existing log sources, so we can integrate this as an extra log source without too much configuration in a lot of monitoring solutions. The other motivation is it's a Microsoft-developed software component, it's actively maintained, new features being added and so on. So recently I've been using Sysmon version 9, but last year I was using version 8, and that was a game changer in my view, because one of the features it added was the ability to configure tags for specific observed events. Before Sysmon version 8 I was trying to find the best method of mapping Sysmon events to the ATT&CK matrix techniques. One method was creating the mappings in the SIEM, but I thought

this was the wrong approach; it was kind of doing it at the top, once all the logs are coming in, but in my view I think the log event should be classified as close as possible to the log source. The other issue is the SIEM would have a lot of processing to do to process and tag logs, so this would introduce an overhead on processing the logs and it could impact the performance of the SIEM. For example, audit logs on Windows, Cisco, Snort IDS logs and so on: when events get logged there is a vendor ID or a signature ID or so on to indicate what that event is, so that's

what I was trying to achieve. So once Sysmon version 8 came out, I started using the SwiftOnSecurity Sysmon config to start tagging events, but then someone else had the same idea as me, so they took the corresponding Sysmon config file but expanded it using the tags feature. I used this as the basis of my own config and modified it a little bit. So you can see the use of tags there, with a condition put in to match. There are a number of configuration parameters in Sysmon: using the parent or calling process, the image name, looking at registry keys etc. You can exclude items as well, so there's effectively the option to filter the

noise of safe applications and so on. By safe I mean applications such as antivirus software that just naturally generate a lot of noise, especially if they're updating. What you don't want to be doing is excluding safe applications that could be used legitimately but also as a technique, so it could be part of living off the land, so you need to be careful. I did a customised configuration, because we use third-party components, different AVs, log forwarders and so on. So for those not familiar with Sysmon, this is what a Sysmon event looks like once it's got the ATT&CK

technique mapping applied. When an event comes in, it gets processed by the Sysmon agent and it gets dumped into the Windows event log, so if you look in the Windows Event Viewer, that's what you see on the left. You can see the example there: it's been tagged with the system user discovery rule, and the command line correlates to systeminfo.exe. This is an application built into Windows that grabs system information such as the build, the detailed hardware configuration, IP addresses etc. That technique's been mapped; you can see the ATT&CK matrix web page on the bottom right, so you can get all the interesting

information. Obviously it's not just Sysmon, but it's useful to do that mapping. So what does it look like from a logging perspective? You can see on the bottom line, that's the raw event, so it looks quite different from what you see in the Windows Event Viewer: you get XML tags and so on. The SIEM would use an out-of-the-box parser just for plain vanilla Sysmon, but I wanted to use the ATT&CK matrix features, so it was stripping out the rules and then I couldn't exploit them, so I had to generate my own parser effectively. You can see on the top screen the first one

of them: it's parsed, now classified, and the key attributes get put into specific event fields. So from a correlation point of view, we can then start to correlate the hashes, they can be used against intelligence feeds, so it's basically IOC matching, but then we can start to build more complex rules by looking for sequences of events that are part of a wider TTP, and looking for dangerous activity. There is another limitation that you might face: you've captured so much information, but your tools might be limited in how much information you can exploit, so you need to be aware of what you base your correlation on. Now the classification itself is usually SIEM

specific, so most parsers will put log events into a classification that you can use for correlation. In this case there are a number of utilities and applications, and you can see where they've been classified, such as service stop, plus the actual rule name and the ID, you can see it there. So just to recap: Sysmon is installed on the Windows host, installed as a driver and as a service, it loads the configuration file, and whether it's an event we're not interested in or interested in, it classifies it, then the event gets put into the Windows log file and it's forwarded to a centralised log server along with all the other logs from all the other hosts. Usually in a typical

security monitoring setup you have an agent or log forwarder on there that forwards on to the SIEM, where it does all the aggregation and pushes another layer onto the logs, and then the SIEM will parse those as well. So if an event doesn't match a configured technique that's been programmed in the config, then we classify it as a catch-all. You can see here in the bottom that there's no mapping. There could be various reasons for that: it could be that it's a new application installed on there, or it could be a new feature that's been added to Windows, so in service packs and updates there's always new applications being added. So this is an unclassified catch-all or a general

catch-all. The key thing to look out for, from my own point of view, is a lot of these catch-all events. My advice would be to set up something like an alarm, so if you start getting too many, there's probably a feature being used, or in this case it's because Sysmon was deployed on a host where SQL Server was installed and sqlagent.exe didn't feature in the config file. It's event number 18 in Sysmon, which relates to a pipe connected from a client to the server. After analysis of the application it is legit, so it got whitelisted and effectively excluded in the config file, but this is usually

standard onboarding tuning activity you do for log sources; you do that with any type, not just Sysmon. You start getting a bunch that don't match and then they get caught by the catch-all, it could be issues with the parsers as well, and then you start looking for key attributes and start understanding the context. So the key resources that I used for deploying Sysmon: CALDERA, that's a tool that I first came across early last year. It's now on version 2, a recent release, and it's developed by the same team behind the MITRE ATT&CK matrix. The development team has significantly changed the platform; I'm using the first release and I'm

migrating to version 2 that came out about a month ago. The Atomic Red Team GitHub covers quite a number of techniques as well, which is in addition to the ATT&CK matrix framework, and it's good for validating a Sysmon config, correlation rules and so on. So how was my setup configured for all of this? A standalone environment for research: this was a lab environment composed of Windows Server and multiple Windows clients, such as version 7, 10, 32-bit, 64-bit etc. I didn't focus on specific build versions, as the environment was purely used for experimentation, concept and development. So this was the environment for running

CALDERA against the lab VMs. I didn't have a SIEM set up in that environment, but I did make use of Security Onion, specifically the ELK stack, to correlate the logs and do a basic search and correlation of the events. I had a separate test environment that did have the SIEM on it, so it was representative of a production environment and so on, but it didn't have CALDERA installed on it. That environment was purely for deploying and testing the Sysmon configuration and being able to undertake some very basic validation of the TTPs, such as living-off-the-land techniques, but what I couldn't do was deploy any malware or do any destructive techniques; that would have to take place on the

research environment. The production environment: we focused on a client we monitor, who was keen to enhance the monitoring, so we deployed Sysmon and our config on this environment. I only did that on a very small scale to start with as part of a pilot, and we focused on some critical assets, so these were jump boxes and the like. As part of that pilot I was interested in getting feedback from the system administrators, from people who use those assets, on performance, and also to understand the logging into the SIEM. Going back to my earlier point, I don't want to just deploy Sysmon everywhere and start getting thousands

of Sysmon events. I wanted to get a feel for what it would look like on some production hosts, different types, then see if I needed to tune the config and so on. There were some limitations: the research lab and test environment didn't have any pattern-of-life capability, so very much the analyst was generating the events and looking in the logs, so it wasn't really stress testing the config or validating any correlation rules. There was a fourth environment that was set up as a honeypot, and that was just for a very, very short period. That was pretty much a Windows host set up with RDP exposed, and I was running Sysmon and I

was just interested in seeing how that was being used in the wild, so to speak, just to understand what type of people were using it and what they were trying to do on the host. Generally Sysmon is lightweight; however, if you've got a really poor config, or you're logging extensively for certain activities, or the host is extremely busy, it can make Sysmon work hard a little bit. I've only ever had one instance of this, on one host, where I noticed some CPU spikes. I tuned the config, reduced the hashing, rather than using all the hash types, and just focused on SHA-1, but apart from that no other issues on any other host. So I've talked about what

Sysmon is, what the ATT&CK matrix is, the configuration and deployment, and a little bit about the SIEM integration. Now I'm going to cover the validation, how Sysmon events get alerted, some of the blind spots and some real-world usage. So back 18 months ago, a bit longer, I started with CALDERA, the first tool that I used in conjunction with the ATT&CK matrix. I'd literally deployed this on the research lab and was very much running it against some Windows VMs and just educating myself: these are the types of techniques, this is what gets generated and so on. This is a very basic example: the blue dot on the screen just shows one host, that's represented by a blue circle, so

that's a Windows host, and it has a CALDERA agent installed. The CALDERA server interacts with this agent to invoke various operations. So the screen is the server, and when you run an operation it mimics the adversary behaviour, such as a human operator or any automated activity. CALDERA is deployed on the research lab; the documentation says that it can be deployed on a production environment because it's got an auto clean-up ability. This particular release shipped with Mimikatz, so Mimikatz does credential dumping, and I wouldn't deploy that on a production environment because it would probably trigger your antivirus or the sensors there. So just running it out of the box, using CALDERA

on a standard out-of-the-box Windows host, no configuration, nothing: if you fire one of the CALDERA network operations, it's all done in two minutes, and there are a number of activities that happen, you can see from the screenshots. If you look at the application logs and the system logs, hardly anything gets generated, and you might not even see any events. So within that two minutes of the attack that was being mimicked, it conducted a host and network survey and dumped credentials, and we're not really seeing it. Now if you did tweak the logging policies you'd see some, but you're never going to see everything. On the bottom left, Sysmon is installed with its config, and what it does is it spots the agent

which executes the TTPs on behalf of the CALDERA server in order to emulate the operations. Well, if you look at the Sysmon events you can see a lot more Sysmon activity. So for validating Sysmon against attack techniques, CALDERA is especially useful: you can start to map the events and the operation details on the left with the Sysmon events you see in the Windows event logs, and that starts a correlation between the activity, and then you can start to do some tuning as well if there's excessive noise. In the middle screenshot you can see the system owner/user discovery that I talked about already; it uses the systeminfo command,

then on the bottom right you've got the command line interface. That's quite an interesting classification; it's been marked with the rule name command line interface, but if you look at the command line itself you can see that it is trying to scan directories for the word password in the titles. So yes, you could create specific rules to look for that kind of thing, but it is using the command function to do that directory search, and if you did come up with specific rules, where do you start? You'd start looking for people searching for users, computer names, different language terms; it's a lot, but it's not 100% mapped. From an analyst's point of view the activity did

look suspicious.

Validation with CALDERA is fine to a certain point; there are some limitations, for example no pattern of life, then it's fixed TTPs, eventually you just run out of techniques to test against, unless you start developing your own. At that point I decided to throw up a honeypot. It was deliberately insecure, so I'd got RDP exposed, I used common account names, very weak passwords etc., and I used well-known accounts and so on, and then from this we saw a number of attempts and several compromises. It was quite good to see some activity in Sysmon and the ATT&CK mapping for them. So the

most common activity when the host was compromised and so on was the attempt to gain privilege escalation, so they'd just got onto the accounts on the box. It kind of makes sense: if you gain access to a host, the first thing you want to do is get privilege escalation. A couple of things we saw were attempts to dump the Local Security Authority Subsystem Service, getting stuff out of memory and so on, but then I saw a number of false positives, which is svchost interacting with the same process, so you need a little bit of tuning, but it is useful. Then I saw a lot of things such as disabling of security tools, so I thought, oh gosh, that sounds quite clever,

but actually it was Microsoft Defender downloading updates and then restarting the AV, so again a tuning opportunity, but it got me thinking: is it really legit, and could an adversary do that kind of thing? So that was the command used, at the bottom.

I didn't run the honeypot for long, because at roughly the same time the RDP vulnerability was disclosed, so there was a lot of scanning and everything happening, so I just shut it down after a short while. It was useful in that it gave some external validation. Interestingly, I looked at the usernames, and there were some interesting usernames being used, such as Linda, Debbie, Tracy, the French version of administrator, and then there were some HVAC and other account names, so it's quite interesting. So QuasarRAT: this is a tool that's been doing the rounds for quite a while. There is a US-CERT advisory on Quasar on the top right; it's a tool that's available on GitHub and source code

provided, and it's a tool that has been used by APTs. So again I thought it would be a good opportunity to test and see how it was picked up by Sysmon and how it was classified against the ATT&CK matrix. We have a server at the top of the screen that acts as a controller for the client, and the client is a payload that connects to the server. The initial operation on the left doesn't reveal anything exciting other than the process start event; we can see it's been classified, you can see the file name, the .exe, and it established a connection to the server. In terms of remote access, it can do a number of things, so the next step was, let's grab

some system information. That didn't seem to trigger any events at all, so that's a blind spot, no activity seen. Then I thought, let's try a remote shell. That did trigger an event, and you can see the command line access technique name again, where the process was invoked. Interestingly, this was then followed by the change code page utility being invoked. Doing a bit of malware analysis confirmed that both of these commands do get invoked by that feature, so it's quite useful to start daisy-chaining events. The key thing is it's not successful against AV, so a good antivirus should just stop the RAT being installed, but like I said the source code is out there, people can download it, tweak it,

change features of the RAT and so on, but if they're still using the same techniques that are employed in the core code, these could be indicators, by using the command and change code page events. Then I started looking at Windows features: Windows Subsystem for Linux. A really good feature, it enables you to run a Linux kernel within Windows. Sysmon didn't detect any activity related to that feature, which kind of makes sense, as it's looking for Windows binaries and Windows-related activity, but it's a blind spot, because with that feature enabled you can do a lot of the Linux-type features such as ifconfig and so on; they're all Linux binaries and just won't

trigger, but the equivalent Windows clones would. That's one. An individual going by the name SandboxEscaper released several zero days back in May on GitHub. In my opinion there should have been a bit more responsible disclosure on these, but I just wanted to see what happened if we deployed them. What interested me: from my experience we have some clients whose monitoring requirements include things like detecting zero-day activity. In my opinion I found that is kind of quite difficult to detect, especially when you've got an enterprise network with a multitude of devices, so it's not just about looking for zero days on Windows; it could be a feature of the backup device, and so on. More

interestingly, the ATT&CK matrix is based on a classification of known TTPs, so this is fairly unknown; I'm looking to see how this matches against the known TTPs, and it would be interesting to see how this configuration worked. Just for information, for those not familiar, the exploit uses scheduled tasks, using a legacy Windows job object, and effectively promotes a non-admin to system-level privilege, so it's a privilege escalation executing a payload. So in the first screenshot on the left you see the scheduled task being invoked, and then finally you see the job completed. The third step shows the command line interface rule, and you can see the script has been invoked again,

and the final thing you can see is the task completed in step four, and that would run the local privilege escalation. But it's not immediately clear what impact running that code has had, so you'd still have to correlate against other log sources. Well, you could see the two events, the command line interface and a lot of activity, which should be enough to trigger, but because a lot of these didn't get classified they would effectively get clustered in a catch-all, and you would have to go into that. I know that's kind of being someone that's pointing out what happened after the fact. If you discover all of these, you've got a number of events that were being classified into your catch-all as unlisted, so you should start

documenting, to start understanding what command that was, why it was run, what impact it had, and then you could start developing the TTPs, then start updating the config, and then it starts maturing what you classify in Sysmon. But the good thing is Microsoft has patched this vulnerability, so you know this exploit is a known issue, but there are still useful techniques to look out for. So having done all of this, working out the use of Sysmon, applying the ATT&CK matrix to it and doing some validation, what were the pitfalls? Correlating events is a challenge, and it's still something that we're developing, and the main issue

is maintaining a balance and not taking in too many false positives, because a lot of these techniques have a legitimate reason for use as well as a malicious use. So somebody may not just be using the binary name but something different, [inaudible]. Other forms of correlation use nearby event classification; it's a slightly higher structure, but it's doable. The validation of the Sysmon configuration is done in quick succession, so running Atomic Red Team within one or two minutes generates all the adversary artifacts, it's done all the bad stuff. In reality an adversary could be on the platform or the host for a lot longer; they could do the initial compromise and maintain persistence, and then it could be days, weeks, months before they

start exploiting all the vulnerabilities and do a lot of activity, so it could be slow-burn activity. The other weakness is TI: there are a number of built profiles for actors and behaviour, and we started developing our own, but then the roadblock was that the TI just didn't quite have enough TTPs in order to mature the techniques that we're trying to do. So deploying Sysmon using ATT&CK matrix TTPs is not a one-step process, as highlighted earlier on; it needs to be a continuous review of TTPs and developing correlation, reviewing the TI [inaudible] for more TTPs. So there are a lot of different attack vectors, features being added to Windows all the

time, and attackers shift to new vulnerabilities and exploits, so no shortcuts: you need to keep going, make sure you understand the environment and adapt to it. Where TI is getting better is moving away from IOCs, and TTPs are becoming more common now in TI reports, so you can see the reports starting to do mapping against TTPs, and it's really good, and it gives you a lot better insight into what adversaries are using, what techniques they're developing, so it fits quite nicely with the pyramid I talked about earlier on. So, how good is the analysis? Another one I was doing, my thing is artifact analysis, so it's more focused on the

software side and a detailed view of the artifact. It's useful to look at and you can do some basic correlation, but again it's not a substitute for an AV. Defensive measures: Sysmon provides no defensive measures at all, however you can provide some hardening by restricting the config file, so if an adversary just gets hold of your config file it could be a bit game over: they could understand what you're looking for, what you're detecting, and so on. There are some pitfalls to look out for as well, such as poor configuration: you end up excluding too much activity that you need to capture, even though you're using Sysmon and so on. Another thing to look out for would be

changes to the Sysmon driver or service state, so it stopping and starting and effectively stopping the feed. Generally on all the hosts I've seen Sysmon on, they've always been generating events, so I'll leave it at that. Don't expect a Sysmon config to capture all the events; like I said you'll get a catch-all, you need to have a look at those; the analysts need to be understanding what's being reported in those, developing hypotheses and so on. However, you do get enhanced visibility, so reporting as part of an incident is easier: for the analyst to report back to the client and understand exactly what activity has happened. Now, this fits in in terms of correlation rules: keep

it simple, focus on the operations, don't tie them up to actor techniques, because actors will change their techniques a little bit, whereas some of the techniques will always be fairly static. Weirdness you'll come across: I did so, deployed on a live host, then I saw PowerShell scripts on it, and it was just running in an infinite loop: it would stop, run a command, check and see what ports were open, and then it was clearing the ports, and then just keep doing it and doing it. Initially I thought I'd got some kind of weird behaviour, some kind of beaconing, or is that something else. Apparently it was a performance issue on the host; it was an Exchange

server; apparently it had an app hooking the ports on the [inaudible] on the host, so the system administrator deployed the PowerShell script, which fixes the issue. There was a legitimate reason for doing it, but unless you tune it you're going to get your Sysmon logs flooded with all this activity, so you do have to do a bit of tuning. Blind spots: if someone just used some malware via [inaudible], Sysmon might not classify those events, but you might be able to spot it another way. So, for example, an exploit is used to get system privilege; the next step might be to create user accounts, so Sysmon and the ATT&CK matrix might not

be useful for that, but using the Windows security logs will be, so don't concern yourself too much with the Sysmon logs alone. Going forward, I'm in the process of upgrading Sysmon to version 10; it provides DNS logging and reporting of the original file name, so a game changer. I'm not even seeing this functionality in easy off-the-shelf solutions either. SwiftOnSecurity has released an updated Sysmon config file, so it provides mapping to ATT&CK matrix TTPs as well, so now we've got two configs, Laughton's and SwiftOnSecurity's, so it's a field that is maturing: TI reporting of TTPs and so on. Again, [inaudible], I've just been starting clearing them. So from my perspective,

concluding slides. From the security analyst's perspective, the ATT&CK matrix is a game changer; it's invaluable. So the security analyst is moving away from reactive to more proactive: understanding the events, starting to be more threat-aware, understanding what's happening in the environment, the host and so on, which makes the security incident escalation more valuable to the client because we can provide more context and detail. The analyst still needs to understand the environment, understand how the host is deployed, the configuration, what is visible, what the critical assets are and so on, and I'd still recommend exercising is done, either from external pen testing and so on, just to get the analysts to understand that we've covered all the techniques we need

to. The previous presentation talked about prioritization; we're going through that same pain, because in my view we shouldn't be going for zero false positives, you need to capture stuff because there is legitimate activity, although you shouldn't be going for full coverage of the ATT&CK matrix because, as mentioned earlier on, some techniques are particular to the environment you're trying to monitor. So at a basic level you should be able to detect all the techniques being used, then the next level should start prioritizing the techniques and then mapping that on to the operation, what could lead off an attack. So, last slide: some excellent references. I use most of these; you should be familiar with them. The last item you see is DetectionLab, so

if you really want to quickly spin up some virtual machines, Windows Server hosts and so on, then DetectionLab will do that. There are a couple of other things I've not included on there: something called Sigma, so they provide generic security rules and it's been quite a useful resource for correlation as well; you can start to use that for your own environment and start looking at what techniques you should be looking for. And if you're trying to get into the ATT&CK matrix or trying to get analysts up to speed on this, then there are a couple of datasets out there: [inaudible] released a dataset, which is about three gig in size, with an

11 gig version, and there's a lot of data in there with a lot of bad activity, so it's quite a good test. So thanks for listening, that's me. [Applause]
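As an added example of the approach the talk recommends (simple correlation rules mapped to ATT&CK technique IDs, a catch-all bucket for unclassified events, tuning out known-legitimate activity, and using the OriginalFileName field that Sysmon v10 reports), here is a toy Sysmon Event ID 1 triage in Python. This is not the speaker's code; the sample events, the LAB users and the tuning list are constructed, and the "-" placeholder for an absent OriginalFileName is assumed.

```python
"""Toy triage of Sysmon Event ID 1 (process creation) records against ATT&CK.
Added example, not the speaker's or any project's code; all events are constructed."""
import ntpath

# Constructed Sysmon Event ID 1 records, reduced to the fields the rules use.
SAMPLE_EVENTS = [
    {"User": "LAB\\alice", "Image": "C:\\Windows\\System32\\schtasks.exe",
     "OriginalFileName": "schtasks.exe",
     "CommandLine": "schtasks /change /TN \\Backup /RU SYSTEM"},
    {"User": "LAB\\alice", "Image": "C:\\Users\\alice\\AppData\\Local\\Temp\\update.exe",
     "OriginalFileName": "PowerShell.EXE",   # PE header says PowerShell, disk name says otherwise
     "CommandLine": "update.exe -File C:\\Temp\\run.ps1"},
    {"User": "LAB\\svc_exchange",
     "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "OriginalFileName": "PowerShell.EXE",
     "CommandLine": "powershell -File C:\\Scripts\\port-check.ps1"},
    {"User": "LAB\\bob", "Image": "C:\\Windows\\System32\\notepad.exe",
     "OriginalFileName": "NOTEPAD.EXE", "CommandLine": "notepad C:\\notes.txt"},
]

def classify(ev):
    """Return the ATT&CK technique ID an event maps to, or 'catch-all'."""
    base = ntpath.basename(ev["Image"]).lower()
    cmd = ev["CommandLine"].lower()
    ofn = ev.get("OriginalFileName", "-")   # assumed: Sysmon writes '-' when absent
    # T1036 Masquerading: the PE's OriginalFileName disagrees with its on-disk name.
    if ofn != "-" and ofn.lower() != base:
        return "T1036"
    # T1053 Scheduled Task: schtasks creating or altering a task.
    if base == "schtasks.exe" and ("/create" in cmd or "/change" in cmd):
        return "T1053"
    # T1059 Command and Scripting Interpreter: a PowerShell host launched.
    if base in ("powershell.exe", "pwsh.exe"):
        return "T1059"
    return "catch-all"   # unclassified: analysts review this bucket and grow the rules

# Tuning: (user, command-line substring) pairs reviewed and accepted as legitimate,
# like the Exchange admin's port-check script described in the talk.
TUNED_OUT = [("LAB\\svc_exchange", "port-check.ps1")]

def triage(events, tuned_out=TUNED_OUT):
    """Bucket events by technique ID; tuned-out events land in 'tuned' instead."""
    buckets = {}
    for ev in events:
        if any(ev["User"] == u and s in ev["CommandLine"] for u, s in tuned_out):
            key = "tuned"
        else:
            key = classify(ev)
        buckets.setdefault(key, []).append(ev)
    return buckets

if __name__ == "__main__":
    for key, evs in triage(SAMPLE_EVENTS).items():
        print(key, [e["Image"] for e in evs])
```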