My key takeaways
- ATT&CK is a framework, not a how-to or step-by-step instruction
- How do we protect ourselves from techniques like PowerShell used for attacks?
- deep technical knowledge <- hard to get for all 836 techniques mentioned in ATT&CK
- Identify technique coverage
- Build (SIEM) detections <- also hard to build
- pyattck and PSAttck might be helpful tools
- they make ATT&CK accessible on CLI
- this information can be used in other tools/scripts
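As an added example (not from the talk, and not pyattck/PSAttck code), the script below shows the kind of check the takeaways point at: join ATT&CK-shaped records to list the techniques a group uses, then report which of them have no SIEM detection. The objects, the group name and the detection table are constructed sample data; only the record shape (attack-pattern, intrusion-set, "uses" relationship) follows ATT&CK's STIX bundle.

```python
# Constructed sample objects in the shape of ATT&CK's STIX bundle.
# The STIX ids ("ap-...", "is-...") are placeholders; the T-numbers are
# real ATT&CK technique ids. Real data would come from the ATT&CK JSON
# that pyattck / PSAttck download.
OBJECTS = [
    {"type": "attack-pattern", "id": "ap-1059.001", "name": "PowerShell",
     "external_references": [{"source_name": "mitre-attack", "external_id": "T1059.001"}]},
    {"type": "attack-pattern", "id": "ap-1003", "name": "OS Credential Dumping",
     "external_references": [{"source_name": "mitre-attack", "external_id": "T1003"}]},
    {"type": "attack-pattern", "id": "ap-1566", "name": "Phishing",
     "external_references": [{"source_name": "mitre-attack", "external_id": "T1566"}]},
    {"type": "intrusion-set", "id": "is-1", "name": "Example Group"},   # constructed group
    {"type": "relationship", "relationship_type": "uses", "source_ref": "is-1", "target_ref": "ap-1059.001"},
    {"type": "relationship", "relationship_type": "uses", "source_ref": "is-1", "target_ref": "ap-1003"},
    {"type": "relationship", "relationship_type": "uses", "source_ref": "is-1", "target_ref": "ap-1566"},
]

# What the SIEM currently detects, keyed by ATT&CK technique id (constructed).
DETECTIONS = {
    "T1059.001": ["PowerShell script block logging: encoded command"],
    "T1566": ["Mail gateway: attachment sandbox verdict"],
}

def technique_ids(objects):
    """Map STIX object id -> ATT&CK external id (e.g. T1059.001)."""
    out = {}
    for o in objects:
        if o["type"] == "attack-pattern":
            for ref in o.get("external_references", []):
                if ref.get("source_name") == "mitre-attack":
                    out[o["id"]] = ref["external_id"]
    return out

def techniques_used_by(objects, group_name):
    """Return the sorted ATT&CK technique ids that a named group 'uses'."""
    ids = technique_ids(objects)
    groups = {o["id"] for o in objects
              if o["type"] == "intrusion-set" and o["name"] == group_name}
    used = {ids[r["target_ref"]] for r in objects
            if r["type"] == "relationship" and r["relationship_type"] == "uses"
            and r["source_ref"] in groups and r["target_ref"] in ids}
    return sorted(used)

def coverage_gaps(objects, group_name, detections):
    """Techniques the group uses for which no detection is recorded."""
    return [t for t in techniques_used_by(objects, group_name) if not detections.get(t)]

if __name__ == "__main__":
    print("uses:", techniques_used_by(OBJECTS, "Example Group"))
    print("no detection:", coverage_gaps(OBJECTS, "Example Group", DETECTIONS))
```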
Provided by Wild West Hackin’ Fest
Additional links
- https://swimlane.github.io/attck/
- https://github.com/swimlane/pyattck
- https://github.com/swimlane/PSAttck
- https://www.thec2matrix.com/matrix
- https://github.com/redcanaryco/atomic-red-team
User comments
- https://cheatsheetseries.owasp.org/cheatsheets/Logging_Cheat_Sheet.html
jcritch — today at 19:44
So, how is this information the tools spit out actually useful?
How can it help me protect an enterprise?
NullMoniker — today at 19:49
If I’m not mistaken, a use case is this: you know (or have reason to suspect) your organization is being targeted by a particular threat actor. You look up open source info regarding their methods. You then use this tool to spit out a list of specific things you can do to help protect your org based on the threat actor’s TTPs.