Slide 1

Leveraging Limited Resources to Build an Evolving Threat Repository
Driving Intelligence with MITRE ATT&CK
Scott J Roberts, Head of Threat Research
2023-10-25

Slide 2

Scott J Roberts Head of Threat Research at Interpres

Slide 3

What Interpres Does
01 Defense Readiness
02 Defense Surface Optimization
03 Prioritize Vulnerabilities
04 Stack & Product Rationalization

Slide 4

The Goal

Slide 5

MITRE ATT&CK for Internal Customers
Interpres is Intel driven from the core.
Built originally on public threat intelligence data straight from mitre/cti.
Needed custom threat data to keep up.

Slide 6

Metrics for Threat Research at Interpres
Depth
Breadth
Speed
Accuracy

Slide 7

Goals
• Code First: git push or bust
• Depth: Collection Requirements
• Breadth: Collection Requirements
• Speed: Automation
• Accuracy: Automation & Manual Review
• Compatibility: Output to STIX2

Slide 8

The Problem (Well… 3!!!)

Slide 9

STIX2 != ATT&CK && ATT&CK != STIX2

Slide 10

We want MITRE Intelligence & Interpres Intelligence… with as little duplication as possible!

Slide 11

Tooling is Limited

Slide 12

The Solution

Slide 13

STIX2 != ATT&CK && ATT&CK != STIX2

ATT&CK to STIX2

ATT&CK       STIX2
Tactics      Attack-Pattern
Techniques   Attack-Pattern
Groups       Intrusion-Set
Software     Malware (Usually…)
Campaigns    Campaigns

Slide 14

STIX2 != ATT&CK && ATT&CK != STIX2

Slide 15

We want MITRE Intelligence & Interpres Intelligence… with as little duplication as possible!

Slide 16

We want MITRE Intelligence & Interpres Intelligence… with as little duplication as possible!
• Wherever possible we use MITRE ATT&CK Content
  - Exclusively using MITRE ATT&CK Techniques
  - Leverage MITRE ATT&CK Groups, Malware, Campaigns, & Relationships
• Build custom Groups, Malware, Campaigns & Relationships
  - Based on internal research, RFIs, etc.
  - More on that a bit later
• Relationships are intelligently divided between MITRE/CTI & Interpres/CTI
• DANGER (But Available): All lookups prioritize Interpres/CTI
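The two ideas on the "ATT&CK to STIX2" slide and on this one (reuse MITRE's objects, write only custom objects, and let the custom store win every lookup) are easiest to see in code. The example below is added here and is not code from the talk or from Interpres: it handles STIX2 objects as plain JSON dicts with only the standard library, so it runs without the stix2 package the talk refers to. The object IDs, the group name and the ATT&CK ID T0000 are constructed placeholders, not real ATT&CK content.

```python
# Added example (not from the talk or Interpres): STIX2-as-JSON handling in plain
# Python. Shows the ATT&CK-concept -> STIX2-type mapping from the slide and a
# two-store repository whose lookups always try the custom "interpres/cti" store
# before the public "mitre/cti" store. All IDs and names below are constructed.
import uuid

# ATT&CK concept -> STIX2 object type, as laid out on the "ATT&CK to STIX2" slide.
ATTACK_TO_STIX2 = {
    "Tactics": "attack-pattern",
    "Techniques": "attack-pattern",
    "Groups": "intrusion-set",
    "Software": "malware",      # "(Usually...)": MITRE emits some software as `tool` objects
    "Campaigns": "campaign",
}

MITRE = "mitre/cti"
CUSTOM = "interpres/cti"


def new_id(stix_type: str) -> str:
    """STIX2 identifier: '<type>--<uuid>'."""
    return f"{stix_type}--{uuid.uuid4()}"


# Constructed stand-ins for two objects from the public ATT&CK bundle (not real ATT&CK data).
TECHNIQUE_ID = "attack-pattern--11111111-1111-4111-8111-111111111111"
GROUP_ID = "intrusion-set--22222222-2222-4222-8222-222222222222"
MITRE_OBJECTS = [
    {"type": "attack-pattern", "id": TECHNIQUE_ID, "name": "Example Technique",
     "external_references": [{"source_name": "mitre-attack", "external_id": "T0000"}]},
    {"type": "intrusion-set", "id": GROUP_ID, "name": "EXAMPLE GROUP",
     "description": "public description from mitre/cti"},
]


class ThreatRepository:
    """Two STIX2 stores searched in a fixed order: custom content shadows MITRE content."""

    def __init__(self, mitre_objects, custom_objects=()):
        # dict order is the lookup order: CUSTOM first, then MITRE
        self.stores = {CUSTOM: list(custom_objects), MITRE: list(mitre_objects)}

    def _scan(self, predicate):
        for source, objects in self.stores.items():
            for obj in objects:
                if predicate(obj):
                    return source, obj
        return None, None

    def by_id(self, stix_id):
        return self._scan(lambda o: o["id"] == stix_id)

    def by_attack_id(self, external_id):
        """Resolve an ATT&CK ID (e.g. T1234) through the object's external_references."""
        def has_ref(obj):
            return any(r.get("source_name") == "mitre-attack" and r.get("external_id") == external_id
                       for r in obj.get("external_references", []))
        return self._scan(has_ref)

    def by_name(self, stix_type, name):
        return self._scan(lambda o: o["type"] == stix_type
                          and o.get("name", "").lower() == name.lower())

    def add_custom(self, obj):
        """Only the custom store is ever written to; mitre/cti stays pristine."""
        self.stores[CUSTOM].append(obj)
        return obj


def record_group_uses_technique(repo, group_name, attack_id):
    """Reuse an existing group (MITRE or custom) or create a custom one, then add a
    custom 'uses' relationship to the ATT&CK technique resolved by its ATT&CK ID."""
    _, technique = repo.by_attack_id(attack_id)
    if technique is None:
        raise KeyError(f"unknown ATT&CK ID {attack_id}")
    _, group = repo.by_name(ATTACK_TO_STIX2["Groups"], group_name)
    if group is None:
        group = repo.add_custom({"type": "intrusion-set", "id": new_id("intrusion-set"),
                                 "name": group_name})
    rel = repo.add_custom({"type": "relationship", "id": new_id("relationship"),
                           "relationship_type": "uses",
                           "source_ref": group["id"], "target_ref": technique["id"]})
    return group, rel


def shadowing_demo():
    """The slide's DANGER: a custom object carrying a MITRE ID wins every lookup,
    so a stale or wrong override silently replaces the public object."""
    repo = ThreatRepository(MITRE_OBJECTS)
    before, _ = repo.by_id(GROUP_ID)
    repo.add_custom({"type": "intrusion-set", "id": GROUP_ID, "name": "EXAMPLE GROUP",
                     "description": "internal override"})
    after, obj = repo.by_id(GROUP_ID)
    return before, after, obj["description"]
```

`record_group_uses_technique` never copies a MITRE object into the custom store; it only references MITRE IDs from custom relationships, which is the "as little duplication as possible" rule. `shadowing_demo` is the flip side: because the custom store is consulted first, an override keyed by a MITRE ID is invisible to callers, which is why the slide marks that behaviour as available but dangerous.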

Slide 17

An Aside for a Good Name™

Slide 18

Tooling is Limited
• All content is code (STIX2) and created with code
  - Automated: Custom Automapper (Let computers do what computers are good at)
  - By Hand Creation & Curation: Jupyter Notebooks + STIX2 Library
• Actively working on STIX2 Helper Library
  - Merging, Bulk Actions, etc.
  - Testing Mapping Scenarios
• Git is workflow management
• Yes, we looked at Decider, TRAM, & ATT&CK Workbench

Slide 19

Advantages of Intelligence As Code: CI Error

Slide 20

Advantages of Intelligence As Code: CI Error

Slide 21

Advantages of Intelligence As Code: Solutions as Code

Slide 22

Advantages of Intelligence As Code: CI

Slide 23

Advantages of Intelligence As Code: CI
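The CI slides show the payoff of "all content is code": a pipeline can reject a bad commit before it reaches the repository. The check below is an added example, not the talk's or Interpres's pipeline, of the kind of validation a CI job can run over STIX2 JSON held in git. It flags malformed or mismatched IDs, duplicate IDs, missing required fields, ATT&CK external IDs that do not look like ATT&CK IDs, and relationships whose ends resolve neither inside the bundle nor in a supplied set of known MITRE IDs. The bundle is constructed for the example and deliberately contains mistakes; every ID in it is a placeholder.

```python
# Added example (not from the talk or Interpres): a CI-style validator for a
# STIX2 bundle stored as JSON. Returns a list of error strings; a CI job would
# fail the build when the list is non-empty. The bundle below is constructed and
# intentionally broken; all IDs are placeholders.
import json
import re
import sys
import uuid

ID_RE = re.compile(r"^([a-z0-9-]+)--([0-9a-f-]{36})$")
# ATT&CK ID shapes: tactics TAxxxx, techniques Txxxx(.yyy), groups Gxxxx,
# software Sxxxx, campaigns Cxxxx, mitigations Mxxxx
ATTACK_ID_RE = re.compile(r"^(TA|T|G|S|C|M)\d{4}(\.\d{3})?$")
REQUIRED = {
    "intrusion-set": ("name",),
    "attack-pattern": ("name",),
    "malware": ("name", "is_family"),          # is_family is mandatory in STIX 2.1
    "campaign": ("name",),
    "relationship": ("relationship_type", "source_ref", "target_ref"),
}


def validate_bundle(bundle_json, known_external_ids=frozenset()):
    """Validate one STIX2 bundle. known_external_ids are IDs that live in another
    store (here: the public mitre/cti bundle) and may be referenced but not defined."""
    errors = []
    bundle = json.loads(bundle_json)
    if bundle.get("type") != "bundle":
        errors.append("top-level object is not a STIX bundle")
    objects = bundle.get("objects", [])
    seen = set()
    for obj in objects:
        oid = obj.get("id", "<missing>")
        otype = obj.get("type")
        m = ID_RE.match(oid)
        if not m:
            errors.append(f"{oid}: malformed id")
        else:
            prefix, raw_uuid = m.groups()
            if prefix != otype:
                errors.append(f"{oid}: id prefix '{prefix}' does not match type '{otype}'")
            try:
                uuid.UUID(raw_uuid)
            except ValueError:
                errors.append(f"{oid}: id is not a valid UUID")
        if oid in seen:
            errors.append(f"{oid}: duplicate id")
        seen.add(oid)
        for field in REQUIRED.get(otype, ()):
            if field not in obj:
                errors.append(f"{oid}: missing required field '{field}'")
        for ref in obj.get("external_references", []):
            ext = ref.get("external_id", "")
            if ref.get("source_name") == "mitre-attack" and not ATTACK_ID_RE.match(ext):
                errors.append(f"{oid}: '{ext}' is not an ATT&CK ID")
    # Relationship ends must resolve in this bundle or in the known external store.
    resolvable = seen | set(known_external_ids)
    for obj in objects:
        if obj.get("type") == "relationship":
            for field in ("source_ref", "target_ref"):
                if obj.get(field) not in resolvable:
                    errors.append(f"{obj.get('id')}: {field} {obj.get(field)} does not resolve")
    return errors


# Constructed placeholder for a technique that exists only in mitre/cti.
MITRE_TECHNIQUE = "attack-pattern--11111111-1111-4111-8111-111111111111"
GROUP = "intrusion-set--22222222-2222-4222-8222-222222222222"
CONSTRUCTED_BUNDLE = json.dumps({
    "type": "bundle",
    "id": "bundle--aaaaaaaa-aaaa-4aaa-8aaa-aaaaaaaaaaaa",
    "objects": [
        {"type": "intrusion-set", "id": GROUP, "name": "Example Group"},
        {"type": "relationship", "id": "relationship--33333333-3333-4333-8333-333333333333",
         "relationship_type": "uses", "source_ref": GROUP,
         "target_ref": MITRE_TECHNIQUE},                      # resolves via known MITRE IDs
        {"type": "relationship", "id": "relationship--44444444-4444-4444-8444-444444444444",
         "relationship_type": "uses", "source_ref": GROUP,
         "target_ref": "attack-pattern--55555555-5555-4555-8555-555555555555"},  # dangling
        {"type": "malware", "id": "tool--66666666-6666-4666-8666-666666666666",  # prefix/type mismatch
         "name": "Example Loader"},                                              # is_family missing
        {"type": "campaign", "id": "campaign--77777777-7777-4777-8777-777777777777",
         "name": "Example Campaign",
         "external_references": [{"source_name": "mitre-attack", "external_id": "CAMP-1"}]},
        {"type": "campaign", "id": "campaign--77777777-7777-4777-8777-777777777777",  # duplicate
         "name": "Example Campaign (copy)"},
    ],
})

if __name__ == "__main__":
    problems = validate_bundle(CONSTRUCTED_BUNDLE, {MITRE_TECHNIQUE})
    print("\n".join(problems) or "bundle OK")
    sys.exit(1 if problems else 0)
```

Passing the set of MITRE IDs separately is what keeps the two stores from the earlier slides apart: custom relationships are allowed to point at public ATT&CK objects without those objects being copied into the custom bundle, but anything else that does not resolve is treated as a CI error.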

Slide 24

The Future
There are limitations of STIX2 Library & Jupyter Notebooks
Synapse is code for Intelligence & Easier to Extend
Continue leveraging STIX2 for Compatibility & Tooling

Slide 25

“Have no fear of perfection – you’ll never reach it.” (Salvador Dalí)

Slide 26

Thank you!

Slide 27

InterpresSecurity.com