
MITRE Attack Flow: Laying Foundations for Predictive Intelligence

BSides Edmonton · 2024 · 34:25 · 1 view · Published 2025-10 · Watch on YouTube
Tags: Category: Research · Style: Talk
About this talk
BSides Edmonton, September 23-24, 2024. Talk: MITRE Attack Flow: Laying Foundations for Predictive Intelligence. Abstract: I would like to propose a talk, as a breakout session style for 1 hour, on research done by the MITRE Engenuity team on Threat-Informed Defense. There will also be a case study on the Snake malware by a Russian nation state targeting NATO, the US and North America, the most sophisticated cyber espionage campaign conducted since 2002, and how it relates to the Threat-Informed Defense approach to MITRE's ATT&CK methodology. Speakers: Prashant (2024). Slides: https://drive.google.com/drive/u/0/folders/1ess6fUZNd9BbWK7pPBrh8UVE-7GXtMyG
Transcript [en]

Thank you very much for that beautiful introduction. You know, it's always a privilege when a student of yours actually introduces you. As a teacher, it actually feels pretty good. So, you know, for people who might go into teaching later on, or if you're interested, it'd be great if somebody who's your teacher would like to introduce you. But, uh, thank you very much. If anybody has any question why my name is Prashant Prashant, uh, ping me afterwards. I'll tell you the whole story behind how I was born and why I was in English. Um, but, uh, I have been associated with BSides Edmonton since the inception of BSides and, uh, you know,

always try to give back to the community what we learned over the years, and it's a community effort. Nobody is protecting this. Everybody is sharing their knowledge. Let's just speak around. Today I'll be speaking about a little bit of a serious topic, to be honest. Last time, if anybody wants to go to YouTube and actually check my talk, it was about cyber cartoons, how to make fun of cybersecurity using cartoons. So if you want some laughs, go to my YouTube channel, the YouTube talk from last year's BSides. Today's one is around MITRE, MITRE and Attack Flow, and the predictive intelligence around how to use MITRE, what MITRE is, and how to use that for the benefit of your organization

or for the work with you. This is by no means original research. This is research which I have worked on in collaboration with the Center for Threat-Informed Defense from MITRE. I'll speak to you about what that is, and the director of that, Jon Baker, who we worked with to get this in front of you. By the way, if anybody has questions, I hope they'll have questions at the end. I'll try to make some time so that we can tackle that at that point. So,

my dear folks, I know it's the last talk of the day, so please bear with me, and kudos to all of you who are still standing by. Jon Baker, the co-founder and director of the Center for Threat-Informed Defense, and I work for Enric, by the way. But the disclaimer of the talk is: any and all opinions in this talk are purely my own, as an author of my own and what we've done on this project. So yeah, we'll be talking about MITRE and we'll be talking about predictive intelligence. It's not about AI, by the way. I know AI is the talk of the town. We talk about

predictive intelligence, but from a different angle. So we'll speak about that. Those are my coordinates. I mean, I'm sure this slide will be presented or shared later on. You can get me there as well. And I'm not a total social media geek, so bear with me. I'm still old school.

So what is threat-informed defense? You know, if you're in cybersecurity, some of our, you know, our students in this area are seasoned professionals. When we talk about cybersecurity, generally we talk about cyber risk, right? At the end of the day, nothing is perfect in this world. Risk, we understand, or at least as I understand it, is an equation which talks about threat. It talks about the vulnerabilities in the system. It talks about the possibility of those vulnerabilities being exploited. Then it talks about the business impact to the organization. You can actually look at risk in cybersecurity from all these factors. And you can actually do research deep down into every one of these factors. When we talk about vulnerability management, there's a whole field around it. Everybody

talks about it, right? People talk about impact as business continuity and disaster recovery. People talk about the likelihood of those vulnerabilities being exploited. That is, again, the vulnerability program. Threats are one other field where there is less attention, but which can be focused on more. So this whole idea from MITRE, which I'll speak to, what MITRE as an organization is, is looking at the threats to an organization, what can impact your industry, and then filling the gaps and figuring out your cybersecurity program. So a threat-informed defense is focusing on those factors which can impact you from a threat-adversary standpoint, and then going from there. So we're not talking vulnerabilities. We're not talking about the impact on the system. We are focusing on the threat aspect and what we're doing.

So keep that in mind. So what's a threat-informed defense cycle? A threat-informed defense cycle, just to say, you know, it's starting. Feel free to take pictures if you want, or I can share this slide afterwards; there's probably no problem. It's about collecting cyber threat intelligence on our adversaries and their tactics, techniques and procedures. I saw some talks today. Folks were talking about tactics and techniques in one of the talks going on this session. So there is a whole concept of what the tactics are, what are some of the techniques they use and what are some of the procedures they go deep down to have, right? So you look at those key things. You evaluate your defenses against those

TTPs, then you implement prevention and threat detection recipes, and then you go and evaluate whether they are validated against those TTPs, and you rinse and repeat the cycle. So you're focused on the threat, you're focused on their TTPs, and that's where MITRE Attack Flow, which I'll be speaking to, plays a role, because it will tell you some of those TTPs or those threat actors, even go deep into the names of those threat actors, and goes deep down and then gives you an idea of what defense strategy you can involve. So what is threat-informed defense? Threat-informed defense is the lens through which you can understand your security posture. You can prioritize your cybersecurity program. You can use it for your architecture and

operations too. And if you're focused on threats, on the adversaries which can impact you, and you derive your controls from there, you can assess the effectiveness of security investments on your security. Right? So as I said, there is no silver bullet in cybersecurity. You have different ways of looking at it. Threat-informed defense is a way of looking at it from a threat perspective and going on from there.

So, introduction to MITRE. How many of you, by the way, have followed this from MITRE or know about it? Oh, wow. You've got a really good handle on this. So I guess maybe I'll go through it faster. So the ATT&CK framework from MITRE is basically a standard set of libraries. It's the way you can look at it, where they have looked at standard ways how these threat actors actually go about doing their tradecraft, right? Like if you look at the Lockheed Martin Kill Chain, you go from recon to exploitation and persistence and down into exfiltration, etc. So it's kind of a standard library, the way I see it, of how these threat actors impact your organization and

what are some of their tactics, techniques and procedures and the ways those go deeper. So that helps. We used to have three; it's a little bit of a dated slide. Now it has a fourth one. So ATT&CK has Enterprise. It has Mobile. It has the ICS framework, which is where I deal a lot in my organization: industrial controls, operational technology, with the full gamut of things you can look into on the MITRE ICS site. Now they have another one, which is brand new, but that's on AI. They call it the MITRE ATLAS framework. So if anybody wants to Google it and take a look at it, for those who are looking into cybersecurity for AI, look at

the MITRE ATLAS framework, because it kind of gives you an idea how these threat actors might work with these AI models, which we keep talking about, generative AI, large language models, et cetera. Great. So very quickly, MITRE Enterprise talks about mostly the Windows operating system, Linux, cloud, network, macOS, et cetera. They talk more on the infrastructure side and the cloud side, networking. That, or the enterprise version of it, is free. Then check it out on Google. There's a whole page. You can look at who your threat actors are and their impact. ATT&CK for ICS is a very interesting one because I play in this space. ICS, industrial control, operational technology, focuses more on, if everybody knows what CIA is,

it's not the Central Intelligence Agency, these are not three-letter words, this is confidentiality, integrity, availability, right? Mostly we focus on CIA. In the OT space, we focus on AIC. It's the availability which is more important than the integrity and the confidentiality, right? You care less about how the electricity is provided to you. You care more that it is provided to you and it's available to you. How it is done behind the scenes is the mechanics of it. But what is given to you is the availability, whether it is gas, whether it is water in your houses, whether it is power in your systems. So that's where critical infrastructure plays a role. And the impact of that, I can go on and on.

It's not just the fact that this could be pretty impactful. Well, there are a lot of organizations and a lot of threat actors who do that. But MITRE actually worked on ICS; it's another, you know, framework which can speak to that for organizations who are in this space. So this is just an example of MITRE ATT&CK, simply on the Enterprise side. You have a whole chart right there on the screen. You see all the steps of what you can do in an organization. You can look at it online at www.mitre.org. And it'll give you those examples. And as I said, it's a community-driven effort. It's a standard library of those TTPs which you can look at. Why I'm saying that,

what they're trying to do, what MITRE is trying to do, is trying to put some structure and organization on how these adversaries and hackers actually go about it. Because they have a great tradecraft, unless somebody really comes out of the blue. And actually, I'll give a case study on that out-of-the-blue example, of somebody who has done so many things. There's the Snake malware from the FSB, the Russian FSB organization; we'll be talking about that later. But it gives you a structure of what these hackers and adversaries do. And then as defenders, we have to understand what those touch points are. We can detect them. We can look at and contain them and stop them in their tracks, right? I hope nobody's a hacker here,

if you are, that's insane. But you at least have an understanding of that tradecraft, of what these adversaries do, whether they're pen testers, or even hackers in the industry. And you look at defense and you shore up your defense posture. So this is an example of the MITRE ATLAS framework. It's pretty new, finally. So what is it for? Like, I will strongly, if anybody is interested in AI and cybersecurity for AI, take a look at the ATLAS framework, right? I mean, we take, you know, AI is all about prompting, or it's about quoting the model, or it's about, you know, bias with the model or hallucination, etc. There are many other ways you can actually,

in fact, the AI space and develop my own models that are coming into the industry. So it is something to look forward to. Hopefully it will have its day as time goes by and gets more mature as time goes by. In fact, if anybody wants to do research, I can give you a topic of research; ping me afterwards if you want to do research. It's a beautiful thing. You can take the ATLAS framework, you take ICS, industrial control systems, and marry them and have a very good resource on that path. Nobody has done research on using AI in operational technology in this. They're still focused on the AI and the IT side. We're talking about

language models. It is time to figure out how they can help us in the IT space. There's a lot to happen in the OT space and we think that's all that. But maybe that's for some other people. So for defenders like us, right, the pyramid of pain. Has anybody seen the pyramid of pain? Okay. So the pyramid of pain is pretty much like, you know, hash values, IP addresses versus domain names. As analysts, you want to look at these IOCs. You want to create detection recipes, whether it's in your SIEM, whether it's in your SOAR, XDR, EDR, et cetera. But it's a large effort, right? Generally, AI is trying to help you in that space. But again, you need to have human intelligence going forward with that. You've got

to go up the chain. You've got to make it hard for the adversaries to attack your environment. That's where the knowledge of MITRE, that's where the knowledge of the tools and TTPs comes into play. Because now you have that structure, you know how they follow the chain, and all you can do is break them in the chain and make it harder for them, right? Somebody made a comment; I can repeat it again. Most of the hackers and the bad guys will go after the low-hanging fruit. It's just like, you know, there's a lion, there are two people. One talks to the other, the other says, what are you going to do? The lion just went after

you. He said, I'm going to run faster than you. Right? So it's just, you need to make it so hard for these adversaries that you are not the easy goal. Maybe they go after somebody else. And so you make it harder for them to go after you. That's where this whole idea of using ATT&CK, of figuring out how to defend yourself based on these TTPs, plays a role. So in a nutshell, I talked about MITRE. I talked about its three domains, ICS, Enterprise, Mobile. I talked about ATLAS. If anybody wants to know more, by all means, go to their website. They have a Slack channel. If you want to subscribe to the Slack channel, it is free. You can go and be part of the conversation if

you want to, on not just threat-informed defense, but all things MITRE. If you want to research, if you want to be part of their community, take a project as a student in this space, by all means, check it out. So what am I going to talk about? I mean, we talked about MITRE. We talked about, you know, what's going on. I'm going to talk about three research areas happening in MITRE, which are hot off the press, something you are interested to know. So

what is happening in this case is the Sightings Ecosystem. This is research number one. What they're doing here is, the problem is, you have so many TTPs, so many threat actors, so many adversaries.

So they're making this community-driven. They went out and said, if you're an organization, you're one in the desk. Tell us what you see. Give us some of the anonymized data; with data ingestion, we will make it more specific for your industry and that will form a sighting. What kind of sightings are happening in the industry, whether it's the E-ISAC, whether it is ICS, which is on the OT side, right? And then you structure according to that. If I go in the gas sector, I'd be targeted by, let's say, Sandworm, which is one of the Russian actors. Or I'm being hit by Anonymous Sudan, a DDoS actor. I know some of their tactics, techniques and

procedures, so I can create my defenses accordingly. I don't have to be the elsewhere of the world if I'm in oil and gas, I guess. That makes sense. That's what this research is about. There's a page, there's a MITRE page. I think there's a one-pager as well on this, if I'm not mistaken. Go check it out. But it speaks to the Sightings Ecosystem. What is happening? What kind of things are happening in the industry and where you can learn from. An example of that is the

The Sightings Ecosystem, so they have six million plus sightings. They were normalized into 1.1 billion. This would be 29 seeds in 5.1. So that's the range of their research. And 184 of them were unique techniques. So you're not going after all of these. You're focused on certain of them. And often they have 15 techniques. Of those 15 techniques in ATT&CK, you can't see, read this word, but I'll read it to you. Most of us need to make sense of noise. Has anybody heard of living off the land? We live on the land. We are not living off the land, right? But living off the land, and I'll speak to that, is about using legitimate IT tools on your computers, at

least creative tools or otherwise, to create bad things for yourself. So you're not bringing in malware. You're not bringing in malware. You're using the PowerShells of the world. You're using the WMICs of the world, the PsExecs of the world, to try to create havoc and harm your organization. Because those are tools. They can be used in a good way. They can be used in a bad way. So many of these techniques are living off the land. And it maps controls to each, too, as part of that, to prioritize some of the basic controls you can put in. So instead of me worrying about all the CIS top 20 controls or the NIST controls, let me just focus on what the research says. Let me just focus on what

the threat actors are doing and just do what is the minimum and prioritize that over the others. Makes sense? Yes or yes. So that's the idea of the Sightings Ecosystem project.

This is just an example. If anybody wants to check it out, this is LOLBAS. This is a website for reading the library. Anybody who is a pen tester or hacker, they generally go on the website. There are scripts available. You can do this stuff, which is purely legit on your systems. You are not doing it on your list. As long as those tools are available in your environment, you can play these scripts. You can play with it in your, you know, in your lab environment if you want to. So where do I start? Where do I personally align myself to defend as a defender in our organization? If you're working in a SOC, you're working in incident response, or even as a leader, if you

want to make this an area of work. Research two is the top ATT&CK techniques. We talked about the Sightings Ecosystem. Now we're talking about the top ATT&CK techniques. So what they're doing is they're looking at major techniques, which have what's called prevalence, which means that people see which attackers are using this specific technique. So if you know the attacker, that Sandworm is attacking water or a utility or, you know, they're using a certain technique over the world and you know that. You also know that they are using that specifically, and you can decide that choke point, that out of all the ways an adversary can come in, they're probably using one or two ways to then fan out in

your environment. I'll speak, I'll show you the map. If you can focus on that choke point and break it, whether or not they are successful in their initial access, they will lose a lot of steam beyond that. So you've got to look at those choke points, and then you look at the action, and then you look at what they want, the significant top techniques in MITRE ATT&CK. So defenders can focus on the adversary with areas that are most in the hardest effort on their security cost. So this is just an example. It's on the MITRE website. You can go check that URL out there. Look at what those docs are. You can play with them.

You can play with these, the lights, the one of them, which technique can go, what is the choke point. I can look at it as well, say a standard DarkSide ransomware or whatever, and I can use their techniques and then play and see where I have the choke point, where I can put my defense techniques. And I mean, just thinking about how it is, if you know your choke points, you can actually use the rate of AI, the edge detection recipes, to focus on looking at one instead of three. Yes, yes. Right. Because then you know exactly, okay, this adversary, I know it is running PowerShell and PsExec with the LOLBAS tools.

I'm going to look at PowerShell and alert myself. You know, I literally took the pen testing exercise course for 36 hours live, last week, a couple of years ago. A beautiful thing the instructor said there is, it's not about the tactics and techniques of what the hackers use, it's about the capabilities. If they can literally go after you with team keywords to get access, they don't need to go after a CVE to get a shell on your box, because you have team URL on your web. So you have to figure out, and the other thing they mentioned, these hackers or pen testers or red teamers are only as accurate as the first human eye still in the environment. We need to figure out

how best we can defend ourselves. The concept of shift left: how far closer in the attack chain can you find, can you find an attacker to reach on this. They're probably doing beyond and most of the same thing at a level which you may not even know. But when they hit you, if you can find the time that your organization wants to ask you,

So can you do things? So that's the idea of research two. Research three: what about the latest attack? What if I have a latest attack which is in the industry which I don't know about, or I need to monitor and I have nothing to know? There's no research around it. So generally, if you look at them, they're atomic behaviors. That being, look at, okay, there is an ingress tool transfer, there's a PowerShell, or there's a PsExec running in there. These are atomic behaviors. As SOC analysts, we look at OVD. Okay, let's take PowerShell and block it at any one. Let's look at LSASS memory, let's block it at any one. We don't see how the adversaries actually connect them. Because if you know how they connect the

dots with these top techniques, then we focus on the LSASS memory, which they probably got in the college show, and we got in one person, right? So you need to know how that flow happens. That's where the third research from MITRE plays a role, which is called Attack Flow. So Attack Flow basically is, if you can play with these, based on MITRE ATT&CK, you can go after and see what kind of techniques the attackers play one after the other. So you can sequence them. And as you sequence them, it will tell you maybe some choke points which you can start with. So there are three techniques, right? Sightings Ecosystem, then we talk about top ATT&CK techniques based on prevalence

and choke point. And the third one we're talking about is Attack Flows, which could be for the latest attack which is happening, of some adversary you know which has not been mapped out properly. So you can play with that and figure out how you do this. So those are the three. They have a lot of other research going on. Check out the Center for Threat-Informed Defense. Jon Baker is always available on LinkedIn to be connected. I have connected with him online and they are happy to bring in researchers and organizations who would like to work with them in this field.

So this is just an example; you can create an attack flow for that and create a full source, and that works through how you get managed those support of the environment. There's a GitHub page for that. There's also a Center for Threat-Informed Defense project for it from MITRE. All right, so that's predictive intelligence, right? We saw three things. We saw attack flow, we saw why it isn't working, and then we figured out this is not AI-wise; it is predictive intelligence in the sense of trying to learn what we have during the regime, where you can take steps to focus and defend yourself. So that's the idea of predictive intelligence and the use of the MITRE ATT&CK framework to help your organizations. I know it seems like

a very niche topic, but I think it's time now to try to ingest this in our organizations. Maybe even take baby steps. You don't have to follow everything to the T. As long as it is giving you structure, it is giving your defense teams a base and means to look at what is important, use generative AI. Ask it. Okay, I have this Copilot from Microsoft, let's say, as an example. Can you tell me what MITRE ATT&CK techniques are prevalent in my Azure infrastructure? Who are the adversaries, based on MITRE Attack Flow, who are prevalent in my infrastructure? It will walk you through and it will tell you. Adversary 1, 2, 3, 4 with these techniques is in

our environment. Then you can look at, can you create me a defense recipe for this choke point, let's say a PowerShell script running for this adversary in my environment. So, you know, you can go on and on, try to put some structure in your defensive capabilities. Okay, so a case study on Snake malware through the ATT&CK framework. So Rajiv Gupta, who was the CCCS director, came here in the morning; he gave a really, really, really good talk, by the way. Canada, Australia, USA, New Zealand, probably the UK, gave an advisory. I think this is public information. This is clear. If anybody's interested, it's not including free. Snake malware: the Russian FSB has developed this malware, or an intelligence tool, or a surveillance tool, called Uroburos,

since 2003. And they run what they call a secret plan, which is basically doing mass surveillance on the home on target content process, the C2 very hard to figure out. The beauty of this malware, and again, this research paper you can look into, is the fact that they have created a custom protocol as part of the TCP/IP stack, which is literally looking at the stack itself. And I'll show you an example. If it's a Snake-related command and control, go and hit and do your actions on objectives. If there is not a Snake-related protocol, go do your normal TCP listening and do your application work. It's pretty neat, by the way. So this is an

example of it. Just to save this, there's an incoming packet which says, is it related to the Snake command and control system? Okay, do what we have to do. If not, okay, do your command processing, check out your application, and run your code. Standard work.

What are the other ones? These are MITRE ATT&CK techniques. These were used in that. So there are some numbers here. I'll give you the slide if you're interested. You can click on that, go to MITRE and figure out what that Snake malware did. It's pretty hard to find because of the kind of techniques it is using, you know, look at it from this way. This is not an off-the-shelf tool. They are building stacks. When you talk about internet, when you talk about TCP, they're actually building code in that layer two, layer three protocol. And when you do that, it is pretty hard to find what's happening. Just like rootkits and kernels, or rootkits and OSes, right? When they are going, it's pretty hard because of their kernel hooks, you know, CrowdStrike

went after the Microsoft kernel because they opened it up, and that hit your whole worldwide average, right? When it was open, they had some hooks, which CrowdStrike was allowed to. My whole idea of showing you this slide and the one after this is just to tell you, just count the number of MITRE techniques that particular malware has. Let's count. Three, four, five, six, seven, eight, nine, ten, eleven, twelve, thirty: the kind of nation-state adversaries we are against. I have never seen, and I may be wrong, I'm not an expert in MITRE by any means, but the fact that you have a malware of this nature, with these many MITRE TTPs being used, that

we've got to be worried. Now, hopefully they're not targeting normal citizens; they're targeting folks that they are interested in, right? And the fact that the Five Eyes even found out this kind of behavior, of what the Snake malware was doing, in itself, VSM. So they put out the whole paper; you can go, it's pretty technical, a pretty deep dive on how they used it. My whole purpose was to show you the fact that Snake malware was pretty much hitting most of the TTPs in the MITRE ATT&CK block. I'm almost at the end of my presentation. So I've asked that in public events, so again, if you run the platform mindless, they have the RMG page. We've talked about three different researches on it. So, you know, I know we talk about and

we ingest some of this new knowledge in our environment. I will encourage you, if you have time, if you want to be on the cutting edge, you want to know what's happening, you know, for all good reasons, the US definitely has a leg up in terms of what they do in cybersecurity, for all reasons, right? So they have different organizations like CISA, like MITRE. They do this kind of research. So if you have time, please check out what MITRE does. There's another of their research, and it's probably not part of this topic. One of my friends, he was an incident commander with CISA. I don't know how many of you know what CISA is. It's one of their top agencies, Cybersecurity and

Infrastructure Security Agency. His name is Mark Riffle. He does pretty interesting research. They talk about nation states at a level which you and I probably wouldn't have heard of. I'll give you a small, small snippet. This is not to do anything. But just to give you an analysis, I have to find you a hand-painting. I've been in Edmonton for 17 years. You wouldn't believe 30% of North American oil and gas supply will come back. 30%. It's not small; 30 barrels of every 100 barrels used in the US and Manhattan come from that power. And that hub is so critical for North American energy security that there's a meat defense particle from Russia, if I'm not mistaken. They have the doctrine to say if there was a World War III, they would drop nuclear bombs and that's perfect. So you and I live in a city which we previously thought had no meaning for nuclear weapons. Great White North, capital of Alberta, who would

know about it. But to our adversaries it is much more than many.

And we don't realize that because sometimes you don't work in that field. But oil and gas, you can go every degree and figure out oil and gas in the capital. This is where the money is made. And then government gets the royalty and health care gets the money and everybody. So almost pull up the run in the center of the world. So that's the criticality of the thing we're looking at. Yes, you've got to worry about ransomware. Yes, we've got to worry about insider threats. But we are also deep into nation-state actors in what they're doing. Check out Volt Typhoon. There's a full congressional session, one hour. He has released. He's our director. Christopher Wray, FBI director.

General Nakasone, he was the NSA director at the time. He's retired now. And there's another director from Google when we started. So they did a Senate hearing on both. It's a Chinese product, not just cyber-wise. They have people on the ground.

I was so amazed. You're right. They just started.

That's the kind of adversary we are looking at. Yes, you and I maybe, maybe, you know, are not that relevant here. But at some point, you know, the world is going to be fast and we have to get with it. So, yeah, that's pretty much it; those are just the references and useful resources, GitHub and web links. And then thank you very much for your attention.

Any questions, comments, feedback? Was it good, bad, ugly? Yeah, I got a thumbs up. Look at it. I'm sure my student gave a thumbs up, so I'll leave it at that. Thank you very much, last presentation, but thanks for coming to BSides.
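The prevalence and choke-point reasoning from research two, and the technique sequencing from Attack Flow, worked through as an added example that is not from the talk, from MITRE or from the Center for Threat-Informed Defense. The three flows, their action/effect_refs layout (only loosely modeled on Attack Flow's attack-action objects) and the choke-point scoring are all constructed here for illustration.

```python
"""Prevalence and choke-point analysis over small attack flows (added example).

Each flow is a directed graph of actions; an action carries an ATT&CK
technique_id and effect_refs, the actions that follow it. This layout is only
loosely modeled on Attack Flow's attack-action objects and is constructed
here for illustration, as are the three flows themselves.
"""
from collections import Counter
from typing import Dict, List, Set

Flow = Dict[str, object]

# Constructed sample flows (not real adversary data). Technique IDs are real
# ATT&CK IDs: T1566 Phishing, T1190 Exploit Public-Facing Application,
# T1078 Valid Accounts, T1059.001 PowerShell, T1569.002 Service Execution
# (PsExec-style), T1105 Ingress Tool Transfer, T1003.001 LSASS Memory,
# T1021.002 SMB/Windows Admin Shares, T1486 Data Encrypted for Impact.
FLOWS: Dict[str, Flow] = {
    "flow-a": {  # phish -> PowerShell -> (tool transfer | LSASS) -> SMB -> encrypt
        "start_refs": ["a1"],
        "actions": {
            "a1": {"technique_id": "T1566", "effect_refs": ["a2"]},
            "a2": {"technique_id": "T1059.001", "effect_refs": ["a3", "a4"]},
            "a3": {"technique_id": "T1105", "effect_refs": ["a5"]},
            "a4": {"technique_id": "T1003.001", "effect_refs": ["a5"]},
            "a5": {"technique_id": "T1021.002", "effect_refs": ["a6"]},
            "a6": {"technique_id": "T1486", "effect_refs": []},
        },
    },
    "flow-b": {  # linear: exploit -> PowerShell -> LSASS -> SMB -> encrypt
        "start_refs": ["b1"],
        "actions": {
            "b1": {"technique_id": "T1190", "effect_refs": ["b2"]},
            "b2": {"technique_id": "T1059.001", "effect_refs": ["b3"]},
            "b3": {"technique_id": "T1003.001", "effect_refs": ["b4"]},
            "b4": {"technique_id": "T1021.002", "effect_refs": ["b5"]},
            "b5": {"technique_id": "T1486", "effect_refs": []},
        },
    },
    "flow-c": {  # valid account -> (PsExec | PowerShell) -> LSASS -> SMB -> encrypt
        "start_refs": ["c1"],
        "actions": {
            "c1": {"technique_id": "T1078", "effect_refs": ["c2", "c6"]},
            "c2": {"technique_id": "T1569.002", "effect_refs": ["c3"]},
            "c6": {"technique_id": "T1059.001", "effect_refs": ["c3"]},
            "c3": {"technique_id": "T1003.001", "effect_refs": ["c4"]},
            "c4": {"technique_id": "T1021.002", "effect_refs": ["c5"]},
            "c5": {"technique_id": "T1486", "effect_refs": []},
        },
    },
}


def technique_prevalence(flows: Dict[str, Flow]) -> Counter:
    """How many flows use each technique (counted once per flow)."""
    counts: Counter = Counter()
    for flow in flows.values():
        counts.update({a["technique_id"] for a in flow["actions"].values()})
    return counts


def enumerate_paths(flow: Flow) -> List[List[str]]:
    """All start-to-terminal action paths. A back-edge to an action already
    on the current path is not followed, so a cyclic flow still terminates."""
    actions = flow["actions"]
    paths: List[List[str]] = []

    def walk(node: str, path: List[str]) -> None:
        path = path + [node]
        nxt = actions[node]["effect_refs"]
        if not nxt:  # terminal action, e.g. the impact step
            paths.append(path)
            return
        for ref in nxt:
            if ref not in path:
                walk(ref, path)

    for start in flow["start_refs"]:
        walk(start, [])
    return paths


def choke_point_techniques(flow: Flow) -> Set[str]:
    """Techniques the adversary must pass through on every path of the flow.
    Breaking any one of these breaks the whole flow, whichever branch is taken."""
    actions = flow["actions"]
    per_path = [{actions[n]["technique_id"] for n in p} for p in enumerate_paths(flow)]
    return set.intersection(*per_path) if per_path else set()


def rank_choke_points(flows: Dict[str, Flow]) -> List[tuple]:
    """Rank techniques by the number of flows in which they are choke points,
    with prevalence as tiebreaker. A technique can appear in every flow and
    still not be a choke point if some branch bypasses it (T1059.001 below)."""
    chokes: Counter = Counter()
    for flow in flows.values():
        chokes.update(choke_point_techniques(flow))
    prev = technique_prevalence(flows)
    return sorted(((t, chokes[t], prev[t]) for t in prev),
                  key=lambda r: (-r[1], -r[2], r[0]))


if __name__ == "__main__":
    for technique, choke_count, prevalence in rank_choke_points(FLOWS):
        print(f"{technique:10} choke point in {choke_count}/{len(FLOWS)} flows, seen in {prevalence}")
```

In the sample data PowerShell is present in all three flows but is a choke point in only two, while SMB lateral movement and the encryption step are choke points everywhere; that gap between prevalence and choke-point status is what the ranking surfaces.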