This Thursday, March 7, 2019, I’ll be facilitating a Learning Lab titled Fine Tuning Your Cyber-Defense Technologies with the ATT&CK Framework at the 2019 RSA Conference in San Francisco, CA. This will be my fourth time speaking at RSA and my second time facilitating a learning lab, which I'm happy about. I really enjoy the learning labs at RSA. They are designed to be far different from other RSA sessions and events. Specifically, the learning labs have a maximum capacity of 64 people (eight tables with eight people per table), they are closed to the press, and they are highly interactive. This gives attendees an opportunity to be open in their discussions around the lab’s topic, and with labs running 2-3 hours, there is plenty of time to dig in and learn more about the topic than in a normal conference presentation session.
What is the ATT&CK Framework?
ATT&CK is the Adversarial Tactics, Techniques, and Common Knowledge framework. It was developed by MITRE out of a research project in which they saw a need for a framework that focuses on adversary behaviors, supplements existing cyber lifecycle models such as the kill chain, can be applied to real-world environments, and provides a common taxonomy for the community. ATT&CK is a curated knowledge base that describes the behaviors, actions and processes a cyber adversary might use, organized as Tactics (the adversary's goal at each stage, from Initial Access through Command and Control, as the tactic list at the end of this post shows) and Techniques (how that goal is achieved, each with a stable identifier such as T1003). There are many good blogs describing ATT&CK. In particular, my colleague Travis Smith has written extensively about ATT&CK. Links to his writings can be found in the reference section at the end of this post.
What will be happening in the Learning Lab?
The learning lab’s target audience is those who are not necessarily experts with the ATT&CK framework, as well as those who would like to know more about the framework and how it can be used to improve an organization’s cybersecurity. I designed the lab around three main objectives:
- Understanding the MITRE ATT&CK framework and how it can be used
- Learning how to fine-tune cybersecurity technologies with ATT&CK
- Discovering how modern deception shifts the defender’s odds for the better and how deception can be coupled with ATT&CK
The learning lab will be broken into three main sections that address these objectives. In the first part of the lab, we’ll start with a few pieces of motivational work related to David Bianco’s Pyramid of Pain, Lockheed Martin’s Intrusion Kill Chain and the so-called Unified Kill Chain. After this, we’ll dig right into the basics of the framework, how to use the framework and its associated tools, and various use cases.

The second part of the lab will be a deeper dive into some of the ATT&CK use cases, with a focus on how an organization can fine-tune its cybersecurity using ATT&CK with respect to its people, processes and technologies: mapping what you already detect or block to technique IDs, finding the tactics where coverage is thin, and deciding where the next detection or control buys the most.

Last, in the third part of the lab, we will look into current trends in deception technology. I’ve done a little research in this area over the last two years developing technology which I refer to as dynamic deception. I want this part of the lab to be something unique with respect to ATT&CK, so we will discuss the idea of using ATT&CK and deception together as a fine-tuning approach to cybersecurity.

Each section of the lab will be highly interactive, with time for attendees to discuss the topics we are covering, and each section will have hands-on exercises. These exercises will be done via handouts; there’s just not enough time in a two-hour learning lab to have attendees set up laptops. However, I think we’ll have some fun with these hands-on exercises. I’m looking forward to attending RSA this year and facilitating a learning lab. Hope to see you there!
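To make the "fine-tune your technologies with ATT&CK" use case concrete, here is a small coverage gap analysis, written for this post as an added example (it is not code from the lab handouts or from MITRE). It reads techniques in the STIX 2.0 bundle layout MITRE publishes for enterprise ATT&CK: a technique is an "attack-pattern" object, its T-number is the "mitre-attack" entry in "external_references", and its tactics are the "kill_chain_phases" with kill_chain_name "mitre-attack"; revoked or deprecated objects are skipped. The bundle subset, the technique set (2019-era IDs) and the detection inventory below are constructed for the example; on a real run, replace SAMPLE_BUNDLE with json.load() of the enterprise-attack.json file and DETECTIONS with your own inventory.

```python
"""Gap analysis of a detection inventory against ATT&CK techniques, by tactic.

Added example for this post. Bundle layout follows MITRE's STIX 2.0 export;
the sample objects and the detection inventory are constructed, not real data.
"""

# Enterprise tactic short names, in matrix order (same order as the list at the end of the post)
TACTIC_ORDER = [
    "initial-access", "execution", "persistence", "privilege-escalation",
    "defense-evasion", "credential-access", "discovery", "lateral-movement",
    "collection", "exfiltration", "command-and-control",
]


def _technique(tid, name, tactics, revoked=False):
    """Build one attack-pattern object in the shape the MITRE bundle uses (constructed)."""
    return {
        "type": "attack-pattern",
        "name": name,
        "revoked": revoked,
        "external_references": [{"source_name": "mitre-attack", "external_id": tid}],
        "kill_chain_phases": [{"kill_chain_name": "mitre-attack", "phase_name": t} for t in tactics],
    }


# Constructed subset of the enterprise bundle; the real file has hundreds of techniques
SAMPLE_BUNDLE = {"type": "bundle", "objects": [
    _technique("T1193", "Spearphishing Attachment", ["initial-access"]),
    _technique("T1086", "PowerShell", ["execution"]),
    _technique("T1053", "Scheduled Task", ["execution", "persistence", "privilege-escalation"]),
    _technique("T1055", "Process Injection", ["defense-evasion", "privilege-escalation"]),
    _technique("T1003", "Credential Dumping", ["credential-access"]),
    _technique("T1087", "Account Discovery", ["discovery"]),
    _technique("T1076", "Remote Desktop Protocol", ["lateral-movement"]),
    _technique("T1005", "Data from Local System", ["collection"]),
    _technique("T1041", "Exfiltration Over Command and Control Channel", ["exfiltration"]),
    _technique("T1071", "Standard Application Layer Protocol", ["command-and-control"]),
    _technique("T1064", "Scripting", ["execution"], revoked=True),  # retired ID: must not count
    {"type": "x-mitre-tactic", "name": "Execution"},  # non-technique objects are ignored
]}

# Constructed detection inventory: what the SOC actually has, mapped to technique IDs
DETECTIONS = [
    {"name": "PowerShell script block logging (Event 4104)", "technique": "T1086"},
    {"name": "EDR alert on LSASS memory access", "technique": "T1003"},
    {"name": "Scheduled task creation (Event 4698)", "technique": "T1053"},
    {"name": "Mail gateway attachment sandboxing", "technique": "T1193"},
    {"name": "Legacy rule still mapped to a retired ID", "technique": "T1064"},
]


def load_techniques(bundle):
    """Return {technique_id: {"name": ..., "tactics": [...]}}, dropping revoked/deprecated objects."""
    techniques = {}
    for obj in bundle.get("objects", []):
        if obj.get("type") != "attack-pattern":
            continue
        if obj.get("revoked") or obj.get("x_mitre_deprecated"):
            continue
        tid = next((r["external_id"] for r in obj.get("external_references", [])
                    if r.get("source_name") == "mitre-attack"), None)
        if tid is None:
            continue
        tactics = [p["phase_name"] for p in obj.get("kill_chain_phases", [])
                   if p.get("kill_chain_name") == "mitre-attack"]
        techniques[tid] = {"name": obj["name"], "tactics": tactics}
    return techniques


def coverage_report(techniques, detections):
    """Per-tactic totals, covered counts and sorted uncovered IDs.

    A technique listed under several tactics counts toward each of them. Detections
    mapped to an ID that is not in the live data (typo or retired ID) are returned
    separately instead of being silently counted as coverage.
    """
    mapped = {d["technique"] for d in detections}
    unknown = sorted(mapped - set(techniques))
    report = {}
    for tid, tech in techniques.items():
        for tactic in tech["tactics"]:
            entry = report.setdefault(tactic, {"total": 0, "covered": 0, "gaps": []})
            entry["total"] += 1
            if tid in mapped:
                entry["covered"] += 1
            else:
                entry["gaps"].append(tid)
    for entry in report.values():
        entry["gaps"].sort()
    return report, unknown


def prioritized_gaps(techniques, report):
    """Uncovered techniques, widest tactic span first: one new detection there buys the most."""
    gaps = {tid for entry in report.values() for tid in entry["gaps"]}
    return sorted(gaps, key=lambda tid: (-len(techniques[tid]["tactics"]), tid))


if __name__ == "__main__":
    techs = load_techniques(SAMPLE_BUNDLE)
    report, unknown = coverage_report(techs, DETECTIONS)
    for tactic in TACTIC_ORDER:
        e = report.get(tactic, {"total": 0, "covered": 0, "gaps": []})
        print(f"{tactic:22} {e['covered']}/{e['total']}  gaps: {', '.join(e['gaps']) or '-'}")
    print("next detections to build:", ", ".join(prioritized_gaps(techs, report)))
    print("detections mapped to unknown or retired IDs:", ", ".join(unknown) or "none")
```

Two design points matter in practice. First, the revoked and deprecated flags are checked before anything is counted, because ATT&CK retires and merges techniques between releases and a rule still mapped to an old ID otherwise inflates your coverage number. Second, a technique that appears under several tactics (Scheduled Task under Execution, Persistence and Privilege Escalation here) is counted against each of them, which is why the gap list is ranked by tactic span: closing Process Injection improves two columns of the matrix at once.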
References
- The MITRE ATT&CK Framework: Initial Access
- The MITRE ATT&CK Framework: Execution
- The MITRE ATT&CK Framework: Persistence
- The MITRE ATT&CK Framework: Privilege Escalation
- The MITRE ATT&CK Framework: Defense Evasion
- The MITRE ATT&CK Framework: Credential Access
- The MITRE ATT&CK Framework: Discovery
- The MITRE ATT&CK Framework: Lateral Movement
- The MITRE ATT&CK Framework: Collection
- The MITRE ATT&CK Framework: Exfiltration
- The MITRE ATT&CK Framework: Command and Control