In this technical Real Training for Free session, we will take 5 techniques from the MITRE ATT&CK framework and demonstrate how to use them to detect and respond to threats.
The MITRE ATT&CK framework is quickly becoming a focal point in the security world — and for good reason. This framework provides a consistent, industry-wide standard on which you can assess the effectiveness of your security monitoring and alerting capabilities. If you are new to ATT&CK, check out my earlier webinar that introduces the framework and discusses how to align and enrich your security monitoring efforts with it: https://www.ultimatewindowssecurity.com/webinars/register.aspx?id=1534
In this webinar, we will build on the last one and get deep into application. We will zero in on using the MITRE ATT&CK framework to focus and prepare your threat detection capabilities.
Here are the 5 techniques we've selected, based on tactic prevalence:
ID | Name | Tactic | Data Sources
T1090 | Connection Proxy | Command and Control | Process use of network, Process monitoring, Netflow/Enclave netflow, Packet capture
T1048 | Exfiltration Over Alternative Protocol | Exfiltration | User interface, Process monitoring, Process use of network, Packet capture, Netflow/Enclave netflow, Network protocol analysis
T1036 | Masquerading | Defense Evasion | File monitoring, Process monitoring, Binary file metadata
T1189 | Drive-by Compromise | Initial Access | Packet capture, Network device logs, Process use of network, Web proxy, Network intrusion detection system, SSL/TLS inspection
T1035 | Service Execution | Execution | Windows Registry, Process monitoring, Process command-line parameters
We'll explore each one of these techniques with you, highlighting how attackers use them and how you can detect them. We will discuss which logs you need to be collecting, what audit policy needs to be enabled, and what you need to look for in those logs. (The IDs and data-source names above are those of the ATT&CK version current at the time of the webinar; MITRE has since restructured several of them, for example T1035 Service Execution now lives under T1569.002.)
These 5 techniques each come from a different Tactic category in ATT&CK, and relate to different phases in an attack’s lifecycle. Mature threat detection and response requires that you have capabilities across the threat lifecycle, from initial access through command and control and into exfiltration.
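As an added illustration of the kind of per-technique detection logic the webinar is about, here is a toy check for T1036 Masquerading run over constructed process-creation records. This is example code written for this page, not code from the webinar, LogRhythm, or MITRE. It draws on two of the data sources the table lists for T1036, Process monitoring and Binary file metadata: a well-known Windows binary name running from an unexpected directory, a near-miss lookalike of such a name, and an on-disk file name that disagrees with the PE OriginalFileName. The field names `image` and `original_file_name`, the reduced list of system binaries and the sample records are all assumptions made for the example.

```python
# Added example for this page: a toy ATT&CK T1036 (Masquerading) check over
# process-creation records. Not code from the webinar, LogRhythm or MITRE.
# Field names "image" and "original_file_name" are assumptions modelled loosely
# on Sysmon event 1 (Image / OriginalFileName); the records below are
# constructed, not real telemetry.
import ntpath

# Binaries attackers commonly imitate, and where the genuine copies live.
# Assumption: a reduced list for illustration only.
SYSTEM_BINARIES = {"svchost.exe", "lsass.exe", "csrss.exe", "services.exe", "explorer.exe"}
EXPECTED_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
EXTRA_DIRS = {"explorer.exe": ("c:\\windows\\",)}  # explorer.exe lives in C:\Windows


def within_one_edit(a, b):
    """True if a and b differ by one substitution, insertion, deletion or
    adjacent transposition (Damerau-Levenshtein distance 1).
    Identical strings are not lookalikes."""
    if a == b or abs(len(a) - len(b)) > 1:
        return False
    if len(a) == len(b):
        diff = [i for i, (x, y) in enumerate(zip(a, b)) if x != y]
        if len(diff) == 1:
            return True
        return (len(diff) == 2 and diff[1] == diff[0] + 1
                and a[diff[0]] == b[diff[1]] and a[diff[1]] == b[diff[0]])
    if len(a) > len(b):
        a, b = b, a
    i = 0
    while i < len(a) and a[i] == b[i]:
        i += 1
    return a[i:] == b[i + 1:]


def check_masquerading(record):
    """Return a list of findings for one record (empty if nothing is suspicious)."""
    image = record["image"].lower().replace("/", "\\")
    name = ntpath.basename(image)
    directory = image[:len(image) - len(name)]
    findings = []
    if name in SYSTEM_BINARIES:
        # Genuine copies only run from a short list of directories.
        allowed = EXPECTED_DIRS + EXTRA_DIRS.get(name, ())
        if directory not in allowed:
            findings.append(f"{name} running from unexpected directory {directory}")
    else:
        # svch0st.exe, scvhost.exe and similar near-misses of a trusted name.
        for known in sorted(SYSTEM_BINARIES):
            if within_one_edit(name, known):
                findings.append(f"{name} is a lookalike of {known}")
    # Binary file metadata: the PE's own name should match the file name.
    ofn = record.get("original_file_name")
    if ofn and ofn.lower() != name:
        findings.append(f"on-disk name {name} differs from PE OriginalFileName {ofn}")
    return findings


def scan(records):
    """Map each flagged image path to its findings."""
    flagged = {}
    for record in records:
        findings = check_masquerading(record)
        if findings:
            flagged[record["image"]] = findings
    return flagged


# Constructed sample records (not real logs).
SAMPLE_RECORDS = [
    {"image": "C:\\Windows\\System32\\svchost.exe", "original_file_name": "svchost.exe"},
    {"image": "C:\\Windows\\explorer.exe", "original_file_name": "EXPLORER.EXE"},
    {"image": "C:\\Windows\\System32\\notepad.exe", "original_file_name": "NOTEPAD.EXE"},
    {"image": "C:\\Users\\alice\\AppData\\Roaming\\svchost.exe", "original_file_name": "tool.exe"},
    {"image": "C:\\Windows\\Temp\\scvhost.exe"},
]

if __name__ == "__main__":
    for image, findings in scan(SAMPLE_RECORDS).items():
        print(image)
        for finding in findings:
            print("  -", finding)
```

Run against the constructed records, only the AppData copy of svchost.exe (two findings: wrong directory, mismatched OriginalFileName) and the transposed scvhost.exe (one lookalike finding) are flagged; the genuine System32 and C:\Windows binaries pass. In a real SIEM rule the directory allow-list would come from your own baseline rather than a hard-coded tuple, and the OriginalFileName comparison depends on a sensor that actually records binary metadata.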
We'll then pivot to Dan Kaiser and Brian Coulson from our sponsor, LogRhythm, who will demonstrate how to detect each of these techniques with an actual SIEM. Brian and Dan are part of a large project at LogRhythm Labs in which they are aligning MITRE ATT&CK with their SIEM platform.
When coupled with a SIEM solution, the MITRE ATT&CK framework allows you to effectively test your security monitoring environment against attack techniques to validate that your technology and rules are truly working and alert you to the right anomalous behavior.
To this end, LogRhythm Labs is developing a MITRE ATT&CK module designed to detect and alert to anomalous behavior on a per-technique basis. With the LogRhythm MITRE ATT&CK module, you can ensure that you’re catching critical threats that hit your network.
In this Real Training for Free session, you'll learn:
- How to incorporate ATT&CK into your environment
- Building out practical, technical threat detection
- How to use SIEM technology and logs for threat hunting
Please join us for this Real Training for Free event.