The SOC Counter ATT&CK

Tech 2 (801A) October 9, 2019 10:15 am - 11:15 am Feedback     

Bookmark and Share

Mathieu Saulnier

The goal of the talk is to answer a few questions we often see or hear : “ATT&CK is nice and all, but how do I (we) get started?”, “How can I (we) detect those TTP?”, “Why use the ATT&CK Framework?”, etc. The ATT&CK Framework from Mitre is the new honest in the InfoSec world. There’s a lot of Open Source projects that use it, commercial products have started using it to show what TTP they cover, it even has its own conference: ATT&CKcon.

The talk will start with an overview of the ATT&CK Framework covering its history and evolution. I will spend some time discussing the ATT&CK Enterprise Navigator and explain, using concrete examples, how we can use it to get started with ATT&CK. The main points covered here will be: preliminary assessment; how to track your progress and coverage both in automated detection and hunting; provide metrics and KPI to management. I will then present a few key Open Source projects that use ATT&CK and help us in various aspects of detection, hunting, automation and even CI/CD. To conclude I will go through some concrete examples of how we build some of our detection (incident tickets) for specific TTP and even contribute back to the Framework with some additional ways of using a specific technique.