MITRE ATT&CK Framework Panel Discussion

After you have watched this Webinar, please feel free to contact us with any questions you may have at general@anomali.com.
Transcript
- That for today, which is this panel with Om, Greg and Chris.
Welcome wonderful panelists, and I am so honored and thankful to be able to moderate today's panel session.
So let's begin.
I think it's always best to have each one of you tell a little bit about who you are and what you do.
Probably could do a better job than myself.
So Om, let's start with you.
Everyone is familiar with you now, but let's hear who you are and what you do.
- Sure.
Thanks.
So well, this is now the third time today that I'm tense.
So my name is Om Moolchandani, I'm co-founder CISO/CTO at Accurics, now part of Tenable.
And I've been in the cyber security industry for the last 15-plus years now.
And I have done a few startups in my past, but I've also been on the other side of the fence as CISO.
And predominantly, my career has been spent practicing threat modeling and threat intelligence; most of my career is in that space.
But I have got an opportunity to practice other disciplines as well.
- I am definitely going to ask you some questions in a bit about how your experience as a CISO compares to now.
Chris, go ahead and introduce yourself.
- Hi, everybody.
My name is Chris Needs, I'm the VP of product management at Anomali.
I've been involved in the security business about 15 years as well, first as an intelligence analyst, later as a manager of a SOC or something like a SOC, and most of my career has been in product management.
So I've been building security technologies for practitioners for most of that time, and I think I'm probably the only one here with a background in anthropology.
And one of the things that I've found in my career is that background of sort of studying cultures and people and what have you, the subjectivity of all that has actually helped me a lot in understanding how practitioners use security technologies.
So happy to be on the panel today.
- Well, I'm glad to meet another person in security who did anthropology.
I did anthropology in my undergrad.
Well, it was like a poli sci mix which had anthropology in it, but it really does help you understand human behavior, which we're definitely going to touch on, the human element in Mitre ATT&CK.
Cesar, why don't you introduce yourself.
- Hello, everyone.
My name is Cesar Rodriquez, I am director of engineering at Accurics, now part of Tenable.
And most of my career I spent helping organizations secure cloud environments in the military and financial industries.
I'm really excited to be part of the panel today and share some of our experiences with the tech.
- Well, it's a pleasure to meet you and pleasure to have you on here.
Greg.
- Hey, everybody.
We started out this morning, Chloe and I, now we're ending the day together.
I'm a senior director of product solutions here at Anomali.
I've been in the IT industry for 25-plus years in various disciplines: infrastructure, system administration, security deployments, cloud architecture.
And most recently, the past couple of years has been more focused on security directly, and I'm looking forward to today's discussions.
- Excellent, Greg.
Full circle.
- Full circle.
- Everyone ready for your first question? Let's see if I can make you sweat.
No, I'm just kidding.
All right, let's go to the first one.
Tell me briefly about your experience with Mitre, both on an individual level and then also as an organization.
And I'm going to direct this question first to Greg, since you ended first.
- Sure.
That's good, because I think this morning we had similar questions on Mitre, but I don't think I got a good chance to answer from a personal note.
So spending as much time as I have in IT, I gravitate towards structure.
I mean, I spent time at IBM and Unisys, large companies with a lot of structured and disciplined approaches to process and problems.
So moving more into the security discipline, I was kind of in search of standard taxonomies like STIX and TAXII, and that's when I discovered the Mitre framework.
Actually, through the MITRE Engenuity evaluations, where they were performing evaluations against EDR products on an annual basis.
And that really drew me in: hey, there are people actually taking the time to codify this structure, the sequence, the techniques, and then build.
And this is probably the most appealing, most important thing: not only building that standardized framework, but building a knowledge base and continuing to grow that knowledge base and attach more pieces of information to these tactics, techniques, and procedures.
So yeah, I was glad to quote unquote, "stumble upon it" a couple of years ago, and have enjoyed following its developments.
And our company has even gone as far as becoming part of the MITRE Engenuity participant or membership, to help shape, form, and develop future capabilities in Mitre's framework.
- Excellent.
All right, Cesar.
Tell us a little bit.
- So for me, I've been following what Mitre has been doing ever since I started my career.
One of my first projects when I graduated out of college was evaluating security tools.
So I used some of Mitre's other tools, like CWE, to see what different security tools gave me, in terms of ease and seeing which one was best for that.
And since then, I've been following Mitre.
And what really attracted me to the ATT&CK framework was that before there was something like that, you heavily relied on the knowledge of security teams to do threat modeling, and it was always a reliance on the experts on how to do this.
And Mitre makes it more accessible for people who might not be in this world to understand what attackers think about.
And you can use that as a tool to help people understand what are the possible attacks to a system, and then create mitigations for those attacks from the beginning without having to heavily rely on an expert telling you what is going to happen versus not.
- Thanks.
Chris.
- Yeah, when I started in cybersecurity it was all about IOCs.
That's all anybody cared about, that's all anybody was trying to-- I shouldn't say.
That's not what they cared about, but that was the rage, right? That's what everybody was talking about.
And it dawned on me soon enough that we're looking at the wrong thing.
All this atomic focus does solve some problems, but these attacks are originated by humans, by attackers with behaviors.
And sure, bots.
You can argue that bots aren't human, but they're created by humans, right? So anyway, it comes back to humans and their behavior.
This goes back to probably what I was saying earlier about anthropology.
I don't know if I was naturally attracted to it for that reason.
But I remember going to my boss at the time and I said, hey, what's the deal with TTPs? We should be able to do more with the structure around TTPs.
And at the time he said, oh, no.
It's all so variable, it's just so complicated.
Don't ever-- no, that's not a thing.
And I kind of listened to him.
And I said, OK, well, I'm not going to pursue it.
And then soon enough I started hearing about Mitre ATT&CK.
I'm like, Oh, that could have been the thing that I wanted to pursue, right? But that was a personal side of it.
Back to the reality, though, Mitre is doing a much better job than I ever could developing something like this.
I mean, it's been such a great multi-chapter story, what Mitre has been doing over the last 10 years or so.
And like Greg, I'm attracted to the structure that ATT&CK provides.
And I'm attracted to the formality of the taxonomy because it's not only concise, but it's also comprehensive.
And so that allows you to do so much in most parts of the security functions in an organization.
In other words, there's a lot of value to what you can do with Mitre ATT&CK in most functions of the security organization.
So I feel like there's just so much potential with it.
I think we've seen some of that potential get borne out already.
And as Greg mentioned, we're involved in some of the research aspects with Mitre on some of the next gen stuff, and I think we're going to see a lot of neat things happening in the future.
Om.
- What was that? - Your turn to answer the question.
- Right.
So you know much like how Cesar mentioned, my career also started with a lot of association with Mitre.
Back in 2007, Mitre had a lot of standards and technologies that they were providing for the community, from OVAL, the Open Vulnerability and Assessment Language, to SCAP, the Security Content Automation Protocol.
Of course, in those days Mitre was all about XML.
Everything that they would publish would be XML, and I've spent years processing Mitre's XML-based formats.
And fast forward somewhere around between 2015 and '18 while I was a practicing CISO, I stumbled upon Mitre for slightly different purpose than what Greg and Chris are stating.
And of course, that is a valid use case, but my purpose was slightly different.
As a practitioner, I was using Mitre more for solving a different problem from CISO's perspective.
A lot of people today ask what CISOs should do, what should they do on day zero, right? And my recommendation always is: go study what the Diamond Model is, and use the Mitre ATT&CK framework.
A lot of people don't understand what I'm talking about and then when they spend time, they understand.
So I was using Mitre ATT&CK framework actually as a knowledge base as Greg said, for understanding the adversary groups and their capabilities because I was mostly involved in critical infrastructure between 2014 and '18.
And critical infrastructure you don't have a lot of time, and you also don't have a lot of money to start protecting your things.
So what I started doing was, I started understanding what are those adversaries on day zero that could potentially attack the organization that I'm working for.
So I profiled my organization and its technology stack using the Diamond Model.
And then I started using databases or knowledge bases like the Mitre ATT&CK framework, which started telling me that, OK, you know what, these are the groups, this Lazarus group, X Y Z group, which is actually demonstrating an appetite to attack a company like the one I was working for.
And their favorite attack techniques are X, Y, and Z, and these are the techniques which map to the technology stack that I'm using or my company is using.
Now let me go and first address whether I have countermeasures for them or not.
So instead of protecting myself against threats on day zero, I started going for a strategy where I want to protect myself against threat agents, like, am I Lazarus-proof or not? So there was-- it was controversial.
Initially, I had to convince a lot of my peers; as a practitioner, I was new to the CISO world.
I was trying to bring a different element in the thought process.
But that is why I started using Mitre, only to later on understand that well, Mitre has a lot of different use cases.
It can be used a lot in the defense side of things, not necessarily just an offensive side of things.
So that's kind of been my experience with Mitre.
- I always do find that when we talk about Mitre ATT&CK, there's always a heavy focus on the red team side and never on the defense side.
It's one of those things I hope to take away from today.
One of the many takeaways today is that it's a purple team effort at the end of the day.
Next question I have for you all, how have you seen the framework utilized for cloud environments? And let's go with Chris.
- Well, I think with much of the evolution of ATT&CK and the different contexts or environments that it has grown to support over time, there's always a lag.
There's always a lag before people really start picking it up.
Vendors take a while to pick it up, right? Practitioners take a while to understand how to incorporate it into their environments.
But certainly, with the increasing focus on the cloud, it's obviously-- and the attack surface created by the cloud, it's obviously become a really important part of what I think ATT&CK offers.
I think what we see or what I've seen personally is, again, that lag.
But I think also what is promised from the Mitre ATT&CK support of, what is it, containerized environments and Azure, maybe others.
I think it's going to apply the same benefits, right? It's going to apply the same kind of taxonomy, the same kind of structure, it's going to bring the same kind of value to the party when it comes to cloud environments.
So I would expect to see it play as big of a role as anything going forward.
- All right, Cesar, go ahead.
- I think one of the benefits of using Mitre when thinking about threat modeling in your cloud environment is that you can go to the different tactics and techniques and then apply that to the shared responsibility model of the public clouds to see, hey, for this particular attack that they make, what's my responsibility versus what's my cloud provider's responsibility.
And then if it's my cloud provider responsibility, how am I shifting my risk to the cloud provider? Is my organization comfortable on doing that or not? So I think for cloud environments it provides a good framework to go through the exercise and to think about what are some of the risks that are now going to be the responsibility of your cloud provider versus your organization.
And then how is your risk model and threat model changing based on that.
- Greg.
- I like what Cesar had to say because he actually brought up a point that I haven't heard of since the advent of cloud a long time ago.
And part of the cloud assessment when you were migrating and lift and shift decisions was assessing who's taking ownership of the administrative and the risk.
And I knew that activity, from my experience, was something that you always had to identify but I actually had never heard anybody state using the Mitre framework in its cloud tactics and techniques and such, as a way of helping you articulate that risk.
So that's really good, and I'm glad to hear Cesar speak to that.
The other thing that we've witnessed, and I think most recently, right when, in version 9, there was a bit of a shift and an aggregation of the Azure and Google and the rest of the cloud techniques, brought into the enterprise framework, almost like assimilated in there.
I think that made life a lot easier for the vendors to start.
It was almost a recognition that hey, these aren't two different environments, there's not on premise and cloud anymore, this is your environment.
Because everybody, thanks to COVID and that push, got pushed to the cloud or accelerated to the cloud.
Now you have an environment that's comprised of potentially only cloud, or potentially cloud and on-premise, so why wouldn't the Mitre framework accommodate and address both of those? And it does, and it's going to continue to expand.
And I think we're going to see a larger percentage of the-- because if you were to do an analysis of those tactics and techniques, the bulk of those, the big slice of the pie, is down at the endpoint.
But I think we're going to see the slice of the pie for cloud start to grow more and more, right? And I'm looking forward to that.
- Chris, is there anything you want to add? - No, I think I would agree with Cesar's point and Greg.
Way to seize on it.
- All right.
How can the framework help prioritize remediation of security issues? Chris, do you want to begin? - I'm sorry, say that once more.
I apologize.
- Yeah, no problem. How can the framework help prioritize remediation of security issues? - Right.
Well, one of the biggest problems, I think, is providing structure, like I suppose I said earlier.
And at the most basic level, identifying techniques can immediately say something about the importance of a threat to your environment, right? So knowing whether adversary activity has to do with recon versus exfiltration.
Right there, off the bat, that tells you something about the relative priority of what you're looking at.
So at a really basic level that's something that I think contributes.
I think someone said, maybe Om said earlier, something about security coverage, right? And that whole concept I think is becoming quite popular, we support it here at Anomali.
And the idea there is Mitre ATT&CK can be used to build a security coverage map where security teams express their degree of protection or resilience against specific techniques.
And then they can visualize where the organization is strong, where it's weak.
That can help prioritize future initiatives, kind of like what Om was saying, to improve in those areas.
It also follows, I think, that the framework then helps the team compare new intelligence against that security coverage.
So where new intelligence described in terms of Mitre ATT&CK techniques appears to align with weaknesses, that can then be factored into how inbound intel is prioritized, managed, and actioned.
- Om, what else would you like to add to it? - No, I mean, other than what Chris has already added, just a quick point that the Mitre ATT&CK framework does provide capabilities around identifying TTPs and gives a structure to that.
But it has got a wonderful kill chain as well that can be used as a mapping.
Now when you do that, especially like early in the morning when I did the demo, how do you identify a kill chain in cloud environments using Mitre's framework? Now, when you do those kinds of analyses and assessments, what you will be able to do is, if you as an organization feel like, you know what, I understand there is a TTP available to the adversaries on a database which is deeply buried in my network.
Then I'm going to prioritize that for remediation come whatsoever.
But the moment you can showcase that, well, there is a full kill chain and connectivity available from exposure to exploitation and exfiltration for the database, which could be an indirect kill chain.
It could be through, say, a cloud or EC2 instance exposed to the internet, and the EC2 instance has an IAM role which is overly permissive and can allow access to the database, and say the EC2 instance has the instance metadata service v1 enabled, right? Now, if there's a vulnerability ever found on that EC2 instance which can be remotely exploited, there's a complete kill chain available.
So out of the hundreds of TTPs that we are reporting and working, you could first focus on fixing a complete kill chain because that could cause you more damage than the other ones.
So the ATT&CK framework's capability of mapping to a kill chain is a very strong capability, which allows you to then filter and see that, I want to just call out all my exposures right now.
So tell me all my TTPs that are encouraging exposure; let me first go ahead and fix those.
And that technically should be the case also in a lot of organizations.
And then you start working towards fixing those TTPs, those assets which are deeply buried in your network.
They don't necessarily have exposure; you still have to fix them.
That's how you work it out.
- Greg, would you like to add on? - Yeah, I mean, I like what Om said.
Because he hit on that point that when you walk into an environment, you know right away you're not going to be able to solve and protect everything.
So you're desperate for tools and frameworks that can help you prioritize and focus.
So the example that he gave is a really good one, right? I mean, if I'm seeing activity taking place past my perimeter defenses, then I've got a problem at the perimeter.
I mean, it's great that my EDR product is protecting me and this virus got stopped.
But wait a minute, how did that get in here? Where was the leak in my defenses, in my perimeter? So having a tool that can help you either trace back to that source or that can help you identify all the perimeter techniques associated in that kill chain and focus there.
Because that's going to be your first line of defense and then you can work your way inward.
- Is there anything else? - So I think Om covered most of the use case of what I was thinking about, in terms of, it's mainly now that the ATT&CK framework helps you map the tactics and techniques to your potential security issues.
And that's based on the sensitivity of the environment, of the assets that you're trying to protect.
You can then prioritize either remediating an issue or accepting the risk of the issue.
If somebody is trying to do reconnaissance on your public website that is fully disconnected from your assets, then maybe that's something where you can accept the risk and you don't have to do anything about that.
But if somebody's trying to do reconnaissance, for example, on one of your most sensitive assets, that's something that you want to prioritize remediation for.
So that's some of the things that Mitre ATT&CK can help you do.
- Excellent.
What are the most basic use cases you have observed with customers? Cesar, go ahead.
- So for us, we're a cloud security company, so it's mainly that same use case.
So we see a lot of customers that want to understand, what are the issues within their infrastructure as code? And then within that, what are the issues that they actually need to fix? Because that's the main use case, from people that get overwhelmed with a bunch of security issues from many different tools, and they don't know what needs to be fixed and what needs to be prioritized.
So for us our main use case is helping people prioritize those issues on things that actually are going to make an impact if you fix that issue within your whole architecture and infrastructure.
So that's the main use case that we try to solve.
And that's what we see.
- Om, what about you? - Well, I'm just afraid that the Mitre framework should not become one of the sort of compliance standards.
Because whether we like it or not, in 2021 we understand compliance is not security, right? So I'm seeing from a lot of corners, how much do you comply with the Mitre ATT&CK framework.
And I need to educate people that this is one framework which doesn't care about compliance.
This is second or maybe third level detail, it's not about being compliant.
So one of the use cases that we come across is where, I think for the lack of kind of solving complexity for these organizations, sometimes these organizations demand, can you give me a pie chart, can you give me a bar graph against my ATT&CK framework? And that's when I have to come in and explain, well, I could, but that is not what you want from Mitre, right? This is not another ISO or SOC 2 or GDPR.
So that's kind of-- I hope that with all the cut-throat competition that is going on in cybersecurity, vendors will do justice to the ATT&CK framework.
And sometimes it happens, we compete with each other.
I mean, if one vendor comes up with a compliance dashboard for Mitre ATT&CK framework, everybody else will have to.
So that's in this case.
- You shouldn't have said that.
You should have said that, people are listening.
- Well, that's a reality.
- Yeah, you're right.
I mean, how do you quantify your coverage, right? And then how do you evaluate that quantification? I mean, it's a slippery slope it seems to me.
- Greg, anything to add.
- Yeah.
I pledge not to build a compliance dashboard in our product.
- I think even at the opening of today I was like, please understand.
It's not a compliance framework like NIST, just pushing that out there.
Because you're completely right on that front.
A lot of people just see it as, oh, this is a compliance framework right now.
All right, moving on to the next question.
What are some of the obstacles customers have basically expressed while using Mitre ATT&CK framework? Chris, you want to answer first? - Yeah.
I think the obstacles are the same thing that are the benefits in a sense.
It has to do with the scope and the evolution of Mitre, and all the dependency and all the hype.
So I mean, if we start at the beginning, think about learning these techniques.
What do they mean, how are they executed operationally?
It's easy to forget, I think, that many people in the hot seat are inexperienced, right? There is a learning curve.
And while Mitre can provide the framework and they can evolve it, and vendors provide the tooling, operationalizing it is still going to be limited by the skills of the practitioner.
And there are a lot of new and inexperienced people in their role in the SOC or in related security functions.
And then similarly, the scope of the framework itself.
ATT&CK is now pretty multi-contextual, it's pretty advanced, there's a lot in there, and even the more experienced practitioners, right? They have to parse through a number of techniques associated with, name your APT.
APT 29, how many techniques are associated with that? A big bucket of them.
And so-- Now, it's actually quite a good problem to have, isn't it? You've got rich information, it's built into a smart taxonomy, and it's a widely available model and now you have to figure out how to work with it.
Well, that's a much better problem to have than any alternative, I think.
But nevertheless, it's kind of a barrier.
There's a learning curve and you have to kind of work with that.
And I think the last thing that's on my mind there is like versioning.
Mitre keeps rolling out new versions, we vendors have to keep up to speed.
We have to keep thinking about how we're going to integrate this, what about incompatibilities between like TTPs in a previous version and attack patterns in the next.
We've got to kind of keep moving with this.
And then I think also practitioners or security teams, they also have to kind of keep up on things.
So again, all of these are barriers-- they're not barriers or obstacles, they're challenges.
But at the same time, that's what's needed.
- Greg, anything to add? - Yeah.
I think those of us that have worked with customers, where potentially we're introducing them to Mitre, to our products.
And you witness that learning curve; it's almost like watching an infant work their way through the teenage years, and you can almost predict what their next question is going to be.
So depending on the sophistication of the user, it's going to be, what is Mitre? Is it a framework, is it a knowledge base, is it a workflow, is it a process?
So you get them through that.
And then once they understand that, then the next level of questions start coming up.
Well, how can I take this? I mean, this information's right here.
How can I just click on this and take it right over to there? You're like, Oh, OK.
So now you understand the knowledge and the power that's there.
And now the challenge is that operationalization.
How do I move this? How can I take maybe a junior person with all this knowledge and bring it to them at the right points, and kind of navigate them through almost in a workflow of Mitre? So that's-- I think that's some of the challenges.
It depends on the level and the sophistication of the user.
But at the end of the day, everybody's just wanting to take all this great knowledge and take this framework, and just be able to click a button and move it through their security controls.
- Om, anything you want to add? - Just a quick thing.
I mean, most of the things Greg and Chris have already covered.
But I've had a very interesting encounter with one of the CISOs I was advising in personal capacity.
This person works for an e-commerce company.
And I kind of understood that the name ATT&CK or the framework's name ATT&CK is kind of confusing him.
And he was a little confused that it is about I can detect attacks from using this or something like that.
And then I helped him do a little bit of analysis on his environment, and we figured, you know what, you have a technology stack that recently we have seen.
Like what Chris mentioned about APT 29.
It's funny, we were talking about it.
And you know he didn't get much value out of that kind of conversation.
But the moment I told him, yeah, you know what, I think you could get attacked by similar kind of adversaries like APT 29.
One other thing I told him was that-- APT 29 actually is a China-based adversary group.
The moment I told him, he kind of recalled that his SOC team had told him that they're experiencing a lot of malicious traffic generating from China.
And he said, you know what, I get it now.
Can you tell me all the adversary groups that actually belong to that region.
And I want to block all TTPs and their experts in.
And he kind of got it.
So it's more to do with defense, in my personal opinion, than actually attack.
The term attack is a connotation, which tells you that how you could be attacked.
But what you have to do with it as a defender is something that you have to learn out of it.
And I think Mitre has tried creating another framework, Defend.
And I think Greg was mentioning this morning that they folded now into something different.
But yeah, that has been my experience recently.
- Cesar, anything you would like to add? - Yeah.
Not really on this one.
I think it's like everyone said it's more about the learning curve and understanding how can you use the framework for the use cases that you're trying to solve, and how is that applicable.
- Excellent.
Let's move on to the next question.
What use cases are you discussing with more sophisticated users? And Cesar, I'm going to start with you.
- Yes, Chloe.
So for a personal use case, a few years ago I was working on doing attack trees for a new technology that the company I was working for was trying to defend.
And it was a really interesting use case because our customers were asking, like, how are you going to defend this? And having a way to formally describe each of the defenses that we're trying to apply to the system, using a framework, really helped us sell the solution.
And I think that's something that depending on your organization, it's going to be very valuable helping you articulate to your customers.
If you're trying to sell something, whether it's a security product or financial product or a military product, how are you defending that system? I think that really helps.
- Chris.
- Yeah, a couple of things come to mind.
Maybe not use cases exactly but like groups of ideas, maybe groups of use cases.
I think more and more security teams are maybe maturing, they're growing more sophisticated.
They're taking the long view on techniques used by adversaries.
And I suppose it isn't really anything new but the ATT&CK framework provides new opportunities, I think, to package up that long view in different and interesting ways.
For example, when my team regularly performs investigations against threats, and I want to get a cross-investigation or multi-investigation view of the role that a specific technique has played.
What are the patterns? How do I get a better understanding of persistent or recurring adversary behavior? How does that help drive my understanding of the strategic goals, motivations, intentions of the adversary? So you know that's coming up more and more.
And then also something that's coming up is the discussion or the interest in the transferability of Mitre ATT&CK profiling.
Security teams are coming to rely more and more on ATT&CK.
And of course, they want their tooling and their technologies to be able to maintain that context when transferring between tools, they're starting to rely on it.
If some content ends up in another tool downstream and that context isn't there, that creates problems.
So both of those are the patterns that I'm seeing.
- Greg, anything you want to add? - Yeah.
Just to kind of backpedal a bit.
This morning, I think the question was, whatever happened to Shield? And I mentioned Defend, and I misquoted there.
I think Shield became Mitre Engage, and Defend is a separate initiative.
But to the question about the sophisticated users.
I love meeting with some of our more sophisticated users just because they'll be showing-- what happens is that the initial engagement with them is that they've got a problem with the product or they've got a request that it can do-- they're looking to do something.
So you get on the call with them and they start flying through the screens and this and that.
And then they get to the situation, see, I can't do this.
Like, OK.
But during that process, they showed you how they used your tool to do something that you never thought about, you never really had it in your mind.
And when you look, you're like, wait a minute, go back a couple of screens.
What are you doing there? And what we discovered was this gentleman was actually using-- he was basically trying to do-- using the tool to do predictive.
So he was taking the IOC mapping that we were providing them and then also tagging it with techniques which allowed him to recall behavior.
So he was basically building these small little 2, 3, 4 sequences of patterns and storing those and then alerting on them.
So whenever he saw a certain recon activity, he immediately knew that-- and again, because it's coming from a certain geo-IP, and because it's got certain techniques on it, and because maybe it's a certain time of day, all of this stuff can be filtered and alerted, he's like, Oh, these guys are doing some recon activity, and there's a good chance in a couple of days I'm going to see credential stuffing.
So that was a sophisticated user that was doing something that we hadn't even designed in the system, and he was using our system to perform it.
- Wow.
So I'm going to say Om, anything to add? - Just a quick correction I just got pinged from my CISO friend, he's watching right now.
And APT 29 is Russian.
A group called the APT 21, which was the Chinese group.
So-- - I was hoping you get away with that, I guess not.
- So he's listening and he said, hey you, just called a wrong APT.
Yeah, no.
I think I agree with Chris and Greg.
I think they pretty much covered all the ways that we've been using framework.
And I guess, that's pretty much-- I mean, that I could have also said.
So, yeah.
- All right.
Let's get into the pandemic questions, because we have to ask some pandemic questions.
How has the pandemic changed the Mitre ATT&CK framework? - Has it changed the framework or has it changed the people's utilization of it? One of the key outcomes of the pandemic, of course, is that it's put everybody in their butts in their chairs at home, in front of their computers at home.
That means much more remote access, new cloud services.
It means in many cases some kind of drastically changed attack surface, I think.
Yeah, then you've got other patterns too.
A corresponding rise in ransomware, other trends in cybersecurity.
So I think it's fair to say it's become paramount to get your security house in order.
And so I don't think Mitre has changed because of this.
I think the communities need to probably use it as change, right? The pandemic has sort of cast a new light on the need for improved security across all these domains, right? And Mitre ATT&CK and the work that technology vendors are doing to support it, I think it is helping security teams then leverage all that structure, all that context that's so fundamental to better security operations.
So that's a long way of saying the pandemic makes initiatives like Mitre all the more important, because we need that structure, we need better defenses.
- Cesar, Om or Greg, anything to add to that? - I echo what Chris says that the Mitre framework didn't really change.
It's more the need for organizations to adopt it and use it because their threat model has changed.
And what you're trying to defend when everyone is in the office and in the same building, it's not the same as when everyone is remote.
So I think that's the big change there.
- Yeah.
I mean, I'll just add that I believe it did change the Mitre ATT&CK Con, right? We didn't get to have our in-person Mitre ATT&CK Con last year.
So that was a big change for us.
But yeah, as far as the framework, I just echo what the rest of the team has said that I think when it comes to trying to help security professionals deal with the sophisticated attacks.
And when you talk about attacks that are taking place in the cloud, and taking place through virtualized environments and virtualized machines and networks, and then you add another sub-component of containers and container management.
I mean, the good old days of just being able to manage a bunch of physical assets with an endpoint protection product, and just keeping the controls and the attack domain in that space, those days are gone.
And now as these things have moved more to the cloud because of the pandemic, indirect relationship to pushing people at home and more cloud services and infrastructure use, now the attacks have become more sophisticated or in a more novel space that any kind of structure or framework that Mitre can bring to it is, again, helps them navigate, it helps them identify and prioritize.
- Anything you want to add to that? - No.
I pretty much agree.
I mean, Mitre framework has grown and has been there.
It's the other way around.
The pandemic kind of has forced us to think about democratizing cybersecurity more and more.
Cybersecurity has become a need of the common public now, it's no more just the requirement of enterprises.
So I guess that has caused a lot of different organizations to start considering using cybersecurity in a little different way.
And Mitre is helping.
Of course, ATT&CK Con didn't happen, that I agree.
That's an exciting event that we wait for.
But I'm sure there'll be things happening next year when we have most of the population is moving towards vaccination.
So I guess things will open up.
- Fingers crossed.
- Yeah, seriously.
What are customers asking for that they don't have today? - In terms of Mitre ATT&CK framework? - I would guess that's what the question's referring to? - Right.
- Yeah.
Like what could ATT&CK do for us tomorrow? It's doing certain things for us today, what can it do tomorrow for us? I mean, we at Anomali, we're hearing things from our customers that we've got ideas on where we might want to take it.
So maybe I'll just share some of those and we can-- maybe Greg you can help me with some of these.
And then, I don't know, maybe you guys at Accurics could maybe you have some ideas too.
I mean, one of the things that Greg and I talk about a lot is attack patterning.
There are opportunities to do more with relationships between multiple techniques used in an attack.
There are opportunities to do more with relationships between known techniques and other telemetry and intelligence, right? And then, of course, there's also probably opportunities to derive information about techniques from known information.
So all of that, Greg, as we've discussed, sometimes that could be leading to better attack patterning, and that better attack patterning could be helping drive new detection capabilities, new prediction capabilities for practitioners.
So that's one thing that comes to my mind.
There's also, what is it-- Oh, yeah.
The quantitative discussion.
We're talking about kind of a quantitative compliance thing earlier, and that's not what I'm bringing up now.
But I believe that there are opportunities to get away from the qualitative, where we are today.
We're qualitative, we're tagging, we're contextualizing, we're grouping techniques together, we're describing APT 29 in China-- no, in Russia with certain groups of these tags, these qualitative descriptions.
And that can get pretty cumbersome as we were talking about.
So I think that we could probably get more quantitative, more statistical, and that can lead to some pretty cool innovations using ATT&CK as the foundation, but doing more with it in the future.
So anyway, that's my two cents on that one.
- Greg, Om, Cesar.
Anything you want to add? - Yeah.
I mean, I'll follow up on to Chris to agree with him.
We've had-- And again, this is coming-- it comes in two forms.
I mean, one is the sophisticated user that sometimes knows more than we know about Mitre, and they're kind of pushing us to add capability or bring in the recent version, version 10, that dropped and has now built out the schema for data sources.
So I guarantee you the next week on calls with our customers, it will be like when are you going to have the data sources in your product so that I can use that information in my threat investigation and mitigation stuff? So there's those more sophisticated users to kind of push the envelope of really wanting us to do more with Mitre.
And then I think there's a whole other generation that's learning Mitre.
And in the process of learning it, they're identifying gaps in its functionality or new ways or new information that they want to pull into the knowledge base that's not there today, that the more sophisticated users have already worked a solution around and moved past.
So we get some questions out of some of our less sophisticated users that actually help us question the way we've implemented stuff or the way that the Mitre framework is bringing knowledge in.
So I'm seeing it from both areas and depending on the sophistication of the user.
I think Chris addressed some of the more novel stuff as far as pattern detection that were being asked for.
- My final question for everyone is what is one takeaway that you want every single attendee to know about the Mitre ATT&CK framework? We could go in a circle-- You can start, whoever has it first.
- I'll go first.
The Mitre ATT&CK framework is not about attack, it's about defense.
So take that in mind.
- Yes, same here.
Think about how you can use it to-- before you're designing a system how can you use it to think about the security controls that you want to embed into what you're trying to build.
- Yeah.
No, go ahead Chris.
- Yeah.
I was just going to say, there's so many ways to get value out of ATT&CK.
If you're one of those organizations looking to start leveraging it, start small, build from there.
It's like you're going to find the value, it's hard to go wrong.
- Yeah I'll try to simplify it down to one.
And it's that we often call it the Mitre ATT&CK framework.
But in my description of this to many people, I find myself saying this, the Mitre ATT&CK framework, right? But I think the value to most, or one of the values that's often overlooked or not discovered until later, is that it's the Mitre ATT&CK knowledge base.
- Well, thank you all so much for being on this panel.