Upgrade to Pro — share decks privately, control downloads, hide ads and more …

DRIVING INTELLIGENCE WITH MITRE ATT&CK: LEVERAGING LIMITED RESOURCES TO BUILD AN EVOLVING THREAT REPOSITORY

Scott J. Roberts
May 09, 2024
Technology
0
7

DRIVING INTELLIGENCE WITH MITRE ATT&CK: LEVERAGING LIMITED RESOURCES TO BUILD AN EVOLVING THREAT REPOSITORY

Building threat intelligence is challenging, even under the most ideal circumstances. But what if you are even more limited in your resources? You are part of a small (but skilled) team, with high expectations, and people are relying on you to make business-critical decisions…all the time! What do you do in that situation? Turn a Toyota Tercel into a tank, of course.

The Interpres Security threat intelligence team found itself in that exact situation. Wanting to leverage the MITRE ATT&CK catalog in creating a comprehensive and timely threat intelligence repository, the Interpres team built a series of tools, processes, and paradigms that we call Intelligence Engineering. In this talk, we’ll examine how we combined ATT&CK, STIX2, the Vertex Project’s open-source intelligence platform, Synapse, and custom code to deliver meaningful, rapid, verifiable intelligence to our customers. We’ll share lessons learned on automation, how to run multiple ATT&CK libraries side-by-side and making programmatic intelligence delivery scalable and effective – just like building a tank out of an imported sedan.

Scott J. Roberts

May 09, 2024
Tweet

More Decks by Scott J. Roberts

See All by Scott J. Roberts
Skynet the CTI Intern: Building Effective Machine Augmented Intelligence
sroberts
0
31
Exploring Threat Intelligence: Insights and Tools from Vertex Synapse
sroberts
0
2
Homemade Ramen & Threat Intelligence
sroberts
2
430
Introduction to Open Source Security Tools
sroberts
3
4.7k
Building Effective Threat Intelligence Sharing
sroberts
1
100
Japanese Manufacturing, Killer Robots, & Effective Incident Handling
sroberts
0
97
Crisis Communication for Incident Response
sroberts
1
290
Hipster DFIR on OSX - BSidesCincy
sroberts
3
3.1k
Community Intelligence & Open Source Tools
sroberts
5
1.1k

Other Decks in Technology

See All in Technology
データベース05: SQL(2/3) 結合質問
trycycle
0
110
拓展QA日常工作的邊界
line_developers_tw
PRO
0
650
汎用ポリシー言語Rego + OPAと認可・検証事例の紹介 / Introduction Rego & OPA for authorization and validation
mizutani
1
190
データ基盤を支える技術
chanyou0311
5
3k
SWC Transformerから見るTypeScript関数記述ベストプラクティス
fujiyamaorange
1
180
日本が誇るイタリアのダンスミュージック!? ユーロビートって何??
minorun365
PRO
2
230
OpenID Foundation updates
fujie
0
240
生成AIがもたらす変革 / GitHubGalaxy_CyberAgent
cyberagentdevelopers
PRO
2
180
QA経験のないエンジニアリング マネージャーがQAのカジュアル面談に出て 苦労していること・気づいたこと / scrum fest niigata 2024
yoshikiiida
2
680
From here to resilience - a travel guide
ufried
1
160
The depthes of profiling Ruby - RubyKaigi 2024
osyoyu
0
250
Autonomous Database Cloud 技術詳細 / adb-s_technical_detail_jp
oracle4engineer
PRO
15
36k

Featured

See All Featured
How GitHub (no longer) Works
holman
305
140k
CSS Pre-Processors: Stylus, Less & Sass
bermonpainter
352
28k
Writing Fast Ruby
sferik
622
60k
Automating Front-end Workflow
addyosmani
1357
200k
Ruby is Unlike a Banana
tanoku
96
10k
Documentation Writing (for coders)
carmenintech
60
4k
Building Adaptive Systems
keathley
32
1.9k
Testing 201, or: Great Expectations
jmmastey
30
6.4k
The Mythical Team-Month
searls
217
42k
Building an army of robots
kneath
300
42k
JavaScript: Past, Present, and Future - NDC Porto 2020
reverentgeek
41
4.5k
Designing for humans not robots
tammielis
247
25k

Transcript

  1. Scott J Roberts Head of Threat Research 2023-10-25 Leveraging Limited

    Resources to Build an Evolving Threat Repository Driving Intelligence with MITRE ATT&CK

  2. Scott J Roberts Head of Threat Research at Interpres

  3. What Interpres Does Defense Readiness 01 Defense Surface Op1miza1on 02

    Prioritize Vulnerabilities 03 Stack & Product Ra1onaliza1on 04

  4. The Goal

  5. MITRE ATT&CK for Internal Customers Interpres is Intel driven from

    the core. Built originally on public threat intelligence data straight from mitre/cti. Needed custom threat data to keep up.

  6. Metrics for Threat Research at Interpres Depth Breadth Speed Accuracy

  7. Goals • Code First: git push or bust • Depth:

    Collection Requirements • Breadth: Collection Requirements • Speed: Automation • Accuracy: Automation & Manual Review • Compatibility: Output to STIX2

  8. The Problem (Well… 3!!!)

  9. STIX2 != ATT&CK && ATT&CK != STIX2

  10. We want MITRE Intelligence & Interpres Intelligence… with as little

    duplication as possible!

  11. Tooling is Limited

  12. The Solution

  13. STIX2 != ATT&CK && ATT&CK != STIX2 ATT&CK Tactics Techniques

    Groups Software Campaigns STIX2 Attack- Pattern Attack- Pattern Intrusion-Set Malware (Usually…) Campaigns ATT&CK to STIX2

  14. STIX2 != ATT&CK && ATT&CK != STIX2

  15. We want MITRE Intelligence & Interpres Intelligence… with as little

    duplication as possible!

  16. We want MITRE Intelligence & Interpres Intelligence… with as little

    duplication as possible! • Wherever possible we use MITRE ATT&CK Content  Exclusively using MITRE ATT&CK Techniques  Leverage MITRE ATT&CK Groups, Malware, Campaigns, & Relationships • Build custom Groups, Malware, Campaigns & Relationships  Based on internal research, RFIs, etc  More on that a bit later • Relationships are intelligently divided between MITRE/CTI & Intrepres/CTI • DANGER (But Available): All lookups prioritize Interpres/CTI

  17. An Aside for a Good Name™

  18. Tooling is Limited • All content is code (STIX2) and

    created with code  Automated: Custom Automapper (Let computer do what computers are good at)  By Hand Creation & Curation: Jupyter Notebooks + STIX2 Library • Actively working on STIX2 Helper Library  Merging, Bulk Actions, etc  Testing Mapping Scenarios • Git is workflow management • Yes, we looked at Decider, TRAM, & ATT&CK Workbench

  19. Advantages of Intelligence As Code: CI Error

  20. Advantages of Intelligence As Code: CI Error

  21. Advantages of Intelligence As Code: Solutions as Code

  22. Advantages of Intelligence As Code: CI

  23. Advantages of Intelligence As Code: CI

  24. The Future There are limitations of STIX2 Library & Jupyter

    Notebooks Synapse is code for Intelligence & Easier to Extend ConBnue leveraging STIX2 for CompaBbility & Tooling

  25. Salvador Dali “Have no fear of perfection – you’ll never

    reach it.”

  26. Thank you!

  27. InterpresSecurity.com