Upgrade to Pro — share decks privately, control downloads, hide ads and more …

DRIVING INTELLIGENCE WITH MITRE ATT&CK: LEVERAG...

DRIVING INTELLIGENCE WITH MITRE ATT&CK: LEVERAGING LIMITED RESOURCES TO BUILD AN EVOLVING THREAT REPOSITORY

Building threat intelligence is challenging, even under the most ideal circumstances. But what if you are even more limited in your resources? You are part of a small (but skilled) team, with high expectations, and people are relying on you to make business-critical decisions…all the time! What do you do in that situation? Turn a Toyota Tercel into a tank, of course.

The Interpres Security threat intelligence team found itself in that exact situation. Wanting to leverage the MITRE ATT&CK catalog in creating a comprehensive and timely threat intelligence repository, the Interpres team built a series of tools, processes, and paradigms that we call Intelligence Engineering. In this talk, we’ll examine how we combined ATT&CK, STIX2, the Vertex Project’s open-source intelligence platform, Synapse, and custom code to deliver meaningful, rapid, verifiable intelligence to our customers. We’ll share lessons learned on automation, how to run multiple ATT&CK libraries side-by-side and making programmatic intelligence delivery scalable and effective – just like building a tank out of an imported sedan.

Scott J. Roberts

May 09, 2024
Tweet

More Decks by Scott J. Roberts

Other Decks in Technology

Transcript

  1. Scott J Roberts Head of Threat Research 2023-10-25 Leveraging Limited

    Resources to Build an Evolving Threat Repository Driving Intelligence with MITRE ATT&CK
  2. What Interpres Does Defense Readiness 01 Defense Surface Op1miza1on 02

    Prioritize Vulnerabilities 03 Stack & Product Ra1onaliza1on 04
  3. MITRE ATT&CK for Internal Customers Interpres is Intel driven from

    the core. Built originally on public threat intelligence data straight from mitre/cti. Needed custom threat data to keep up.
  4. Goals • Code First: git push or bust • Depth:

    Collection Requirements • Breadth: Collection Requirements • Speed: Automation • Accuracy: Automation & Manual Review • Compatibility: Output to STIX2
  5. STIX2 != ATT&CK && ATT&CK != STIX2 ATT&CK Tactics Techniques

    Groups Software Campaigns STIX2 Attack- Pattern Attack- Pattern Intrusion-Set Malware (Usually…) Campaigns ATT&CK to STIX2
  6. We want MITRE Intelligence & Interpres Intelligence… with as little

    duplication as possible! • Wherever possible we use MITRE ATT&CK Content  Exclusively using MITRE ATT&CK Techniques  Leverage MITRE ATT&CK Groups, Malware, Campaigns, & Relationships • Build custom Groups, Malware, Campaigns & Relationships  Based on internal research, RFIs, etc  More on that a bit later • Relationships are intelligently divided between MITRE/CTI & Intrepres/CTI • DANGER (But Available): All lookups prioritize Interpres/CTI
  7. Tooling is Limited • All content is code (STIX2) and

    created with code  Automated: Custom Automapper (Let computer do what computers are good at)  By Hand Creation & Curation: Jupyter Notebooks + STIX2 Library • Actively working on STIX2 Helper Library  Merging, Bulk Actions, etc  Testing Mapping Scenarios • Git is workflow management • Yes, we looked at Decider, TRAM, & ATT&CK Workbench
  8. The Future There are limitations of STIX2 Library & Jupyter

    Notebooks Synapse is code for Intelligence & Easier to Extend ConBnue leveraging STIX2 for CompaBbility & Tooling