My key takeaways
- ATT&CK is a framework, not a how-to or step-by-step instruction
- How do we protect ourselves from techniques like PowerShell used for attacks?
- deep technical knowledge <- hard to get for all 836 techniques mentioned in ATT&CK
- Identify technique coverage
- Build (SIEM) detections <- also hard to build
- PYATTCK and PSATTCK might be helpful tools
- they make ATT&CK accessible on CLI
- this information can be used in other tools/scripts
jcritch — today at 19:44
so, how is this information the tools spit out actually useful?
How can it help me protect an enterprise?
NullMoniker — today at 19:49
If I’m not mistaken, a use case is this: you know (or have reason to suspect) your organization is being targeted by a particular threat actor. You look up open source info regarding their methods. You then use this tool to spit out a list of specific things you can do to help protect your org based on the threat actor’s TTPs