MITRE Practical Use Cases

H & A Security Solutions

Learn how to make practical use of the MITRE ATT&CK Framework. This video shows how to map out your detection and prevention capabilities using MITRE ATT&CK, DeTT&CT, and MITRE Navigator. It also demonstrates building a threat model against a given industry as well as applying adversary simulation tools.
Clarification - At 2:59 I mention converting the exported YAML to JSON. When doing so, you will need to download the DeTTECT GitHub project and use its Python scripts to convert the YAML. An example command to do so looks like this (/opt/DeTTECT is an example path to the GitHub download):
python /opt/DeTTECT/dettect.py ds -fd input/your_exported_yaml_data_source_file.yaml -l
Links referenced in the video:
0:50 DeTT&CT (github.com/rabobank-cdc/DeTTECT)
3:13 ATT&CK Navigator (mitre-attack.github.io/attack...)
6:28 Sigma Generic Signatures (github.com/Neo23x0/sigma)
11:42 MITRE ATT&CK (attack.mitre.org/)
16:40 Caldera (github.com/mitre/caldera)
16:50 Atomic Red Team (github.com/redcanaryco/atomic...)
Do not forget to subscribe to this channel for updates on future videos.
Looking for help improving your detection capabilities? Reach out to info@hasecuritysolutions.com or (217) 730-3007. We routinely implement SIEM and NSM solutions both commercial and open source.
Speaker: Justin Henderson, CEO H & A Security Solutions LLC
Justin is the co-founder of H&A Security Solutions, LLC, a company that deploys, maintains, and tunes SIEM, NSM, and other solutions for organizations. Justin also maintains one of the largest Security Onion deployments in the world, with over 1200 network sensors. He is a passionate security architect and researcher whose experience in cybersecurity started at the age of thirteen, when he began providing professional services to organizations. Justin was the 13th GSE to become both a red and blue SANS Cyber Guardian and holds over 60 industry certifications. As the author of SEC555 and co-author of SEC455 and SEC530, he is able to bring his encyclopedia of IT knowledge into the classroom.
Follow Justin on Twitter at @SecurityMapper or on LinkedIn at justinhenderson2014.

Published: 16 Jul 2024

Comments: 54
@FRITTY12348546 4 days ago
Thank you so much for the content, seeing application is what helps me learn
@FRITTY12348546 4 days ago
One thought is how do you apply it to one model matrix system? Windows servers, Linux servers, other OS or applications, or overall one model?
@ehteramuddinmohammed3995 3 years ago
Magnificent!! Super cool high level details amazingly put. Thank you very much
@HASecuritySolutions 3 years ago
Thank you very much!
@enderst81 3 years ago
Great video, eagerly awaiting the next.
@HASecuritySolutions 3 years ago
More to come!
@sspoku 3 years ago
Great video and nice message at the end. I will definitely pay it forward!
@HASecuritySolutions 3 years ago
Awesome! Thank you!
@asklaha4856 3 years ago
Very nice video, very well done... would like to see more such short videos and learn.
@HASecuritySolutions 3 years ago
I will try my best. More to come soon.
@dougthebugwrx 3 years ago
Brilliant, thank you. Followed. One of the best explanations I have heard.
@HASecuritySolutions 3 years ago
Glad it was helpful!
@MrNightowl1980 1 year ago
This is a great video! Much appreciated
@ekremozdemir99 1 year ago
This was really useful. Thank you.
@phogerman 1 month ago
That's a great video 👏
@nimaforoughi3008 2 years ago
Nice high level talks are always beneficial for wrapping up your knowledge, as I did here. Thanks H & A Security Solutions. Worth watching a couple of times...
@incoquinita 3 years ago
Great video! Thanks!!
@HASecuritySolutions 3 years ago
You're welcome!
@ajaykumarkk3293 2 years ago
Great video, thank you!
@HASecuritySolutions 2 years ago
My pleasure!
@DihCabral 3 years ago
Brilliant indeed! Thanks
@HASecuritySolutions 3 years ago
Glad you liked it!
@treasajoshy9232 11 months ago
Really good 👍
@Aleksandra1232 2 years ago
Thank you, this is very useful.
@HASecuritySolutions 2 years ago
You're welcome
@tradingmind4304 2 years ago
Very cool.
@HASecuritySolutions 2 years ago
Thank you
@qamar060 3 years ago
Amazing
@HASecuritySolutions 3 years ago
Thank you so much
@linuxlove1912 5 months ago
Thanks
@mauriciozp84 11 months ago
Thanks for taking the time and answering our concerns!! I am trying to learn a little bit about this framework. I am wondering how would you map an EDR, which is a black box, like Falcon from CrowdStrike? Or what would be your approach? Thanks man.
@jaikisan3393 2 years ago
Amazing insight!! Keep it up. May I know what those colors indicate when you upload the JSON file to the designer?
@HASecuritySolutions 2 years ago
The Sigma colors of yellow, orange, and red represent how many rules cover a given technique. Yellow means one. Orange means 2. Red means 3+. For DeTTECT imports, the shade of purple represents how much coverage you have by data source to technique. The darker the color, the better the coverage.
@jaikisan3393 2 years ago
@HASecuritySolutions Many thanks for the reply. How did you get those JSON files? Sorry, I am new to this.
@HASecuritySolutions 2 years ago
@jaikisan3393 No worries at all. The data source JSON files came from using the tool DeTTECT, which I cover here: ru-vid.com/video/%D0%B2%D0%B8%D0%B4%D0%B5%D0%BE-EXnutTLKS5o.html and the alert JSON files come from the Sigma Generic Signatures project when using sigma2attack. I probably should make a video for Sigma :)
@mauriciozp84 11 months ago
Thanks for the awesome explanation!! Quick question: around minute 4:00 you uploaded to the Navigator the JSON file of Sysmon. Where did that file come from? Was that file generated by DeTTECT? How? That file clearly had more coverage than regular Windows logs, but I am wondering how that mapping was done. Thanks.
@HASecuritySolutions 11 months ago
That file was created from using DeTTECT. I created a data source file stating I have built-in Windows channels, Sysinternals Sysmon coverage, and other Windows channels for which there are common community rulesets, such as from Sigma Generic Signatures. I then used the DeTTECT command-line script to convert it to a Navigator JSON layer that I could upload to MITRE Navigator.
@mauriciozp84 11 months ago
@HASecuritySolutions Probably didn't explain myself right, but I was wondering how the YAML was created (the coverage). Please correct me if I am wrong, but if we want to include Sysmon as a data source in DeTTECT, or any other data source, we MUST go to the vendor documentation and manually identify which techniques they provide some coverage for according to their capabilities, and use that intel in DeTTECT, right? I was under the impression that maybe there is a repository with the most common data sources already mapped; it sounds more like a community project as there are so many data sources out there (just thinking out loud here, sorry).
@HASecuritySolutions 10 months ago
@mauriciozp84 I think I understand your question now. For this, I did go to learn.microsoft.com/en-us/sysinternals/downloads/sysmon to look at all the event IDs generated and what they are for. Then I map those to the corresponding MITRE data sources, which is what DeTTECT's data source list is based on (attack.mitre.org/datasources/). That builds the initial YAML file. To my knowledge, there is not a pre-provided list of software to data sources that you can use to build the YAML. However, while there are a ton of attack techniques in MITRE, there are currently only about 50 data sources. So doing the data source mapping does not take that long. For example, I can compare visibility from Sysmon vs an EDR's telemetry logs in about an hour just by mapping what logs I'm provided access to within MITRE data sources (within DeTTECT).
@mauriciozp84 10 months ago
@HASecuritySolutions Got it. I was afraid you would say it was manual work XD. Thanks for the time you took answering our concerns, great video man!!
@TheEggroll4321 1 year ago
My use cases are not in YAML files, they are just searches. Should I create them in YAML format and use sigma2attack to properly map them?
@gennarolosappio2766 1 year ago
Hi, is there a way to guess which hacking group is attacking me via a phishing or password brute force attack?
@a.gouveia4950 2 years ago
Hi, you say you used another window to sum up the attacks. Can you elaborate on this?
@HASecuritySolutions 2 years ago
MITRE Navigator lets you create layers. If you assign scores within each layer, you can create a layer that combines, subtracts, or compares one or more layers together.
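The rule-count scoring behind the yellow/orange/red Sigma colors explained earlier in this thread, and the layer score arithmetic described in the reply just above, as an added Python example that is not code from the video, DeTTECT, sigma2attack or the Navigator project. It assumes the Navigator layer JSON fields (techniqueID, score, color, gradient, versions) as published in the Navigator layer format; the sample rule tags and the hex color values are constructed.

```python
"""Added example (not code from the video, DeTTECT, sigma2attack or Navigator):
score techniques by how many detection rules reference them, emit a Navigator
layer with the yellow/orange/red scheme from the reply above, and combine two
layers by per-technique score arithmetic. Layer field names are assumed."""
import re
from collections import Counter

# Sigma-style technique tags look like attack.t1059 or attack.t1059.001
TAG_RE = re.compile(r"attack\.(t\d{4}(?:\.\d{3})?)$", re.IGNORECASE)

# Constructed sample input (not real rules): one tag list per detection rule.
SAMPLE_RULE_TAGS = [
    ["attack.execution", "attack.t1059.001"],
    ["attack.execution", "attack.t1059.001", "attack.t1059.003"],
    ["attack.defense_evasion", "attack.t1070.001"],
    ["attack.execution", "attack.t1059.001"],
    ["attack.credential_access", "attack.t1003"],
]

def count_rules_per_technique(rule_tags):
    """Rules referencing each technique; a rule counts once per technique."""
    counts = Counter()
    for tags in rule_tags:
        counts.update({m.group(1).upper() for t in tags if (m := TAG_RE.match(t))})
    return dict(counts)

def score_colour(score):
    """One rule: yellow, two: orange, three or more: red (hex values are my choice)."""
    return "#ffff00" if score == 1 else "#ffa500" if score == 2 else "#ff0000"

def build_layer(name, counts):
    """Navigator layer dict: one techniques entry per technique, score = rule count."""
    return {
        "name": name, "domain": "enterprise-attack",
        "versions": {"layer": "4.5", "navigator": "4.9", "attack": "14"},  # assumed
        "techniques": [{"techniqueID": tid, "score": n, "color": score_colour(n),
                        "comment": f"{n} rule(s) reference this technique"}
                       for tid, n in sorted(counts.items())],
        "gradient": {"colors": ["#ffff00", "#ffa500", "#ff0000"],
                     "minValue": 1, "maxValue": 3},
    }

def combine_layers(base, other, op="add"):
    """Per-technique score arithmetic; a technique missing from a layer counts as 0.
    With op="subtract", negative scores mark what `other` covers but `base` lacks."""
    sb = {t["techniqueID"]: t["score"] for t in base["techniques"]}
    so = {t["techniqueID"]: t["score"] for t in other["techniques"]}
    sign = 1 if op == "add" else -1
    return {tid: sb.get(tid, 0) + sign * so.get(tid, 0) for tid in sorted(sb.keys() | so.keys())}
```

Serialise the dict returned by build_layer with json.dumps and upload it through Navigator's "Open Existing Layer"; a subtract result with negative scores is a quick gap list between, say, a Sysmon layer and a plain Windows-log layer.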
@dougthebugwrx 3 years ago
How do we go about taking sample data into DeTT&CT and running it from a VM, should we not have real data to play around with or a real environment? Could you possibly do a more detailed video on DeTT&CT? How do we take that YAML file to JSON using the Python script via DeTT&CT? Could you consider showing that process in a short video please?
@HASecuritySolutions 3 years ago
I've had multiple requests for this so I think I'll make it happen. Stay tuned
@MrEmityushkin 2 years ago
+
@HASecuritySolutions 2 years ago
Thank you
@rv5080 3 years ago
Great video. YAML to JSON doesn't work.
@HASecuritySolutions 3 years ago
For the YAML to JSON you'll need to use the DeTTECT tool from github.com/rabobank-cdc/DeTTECT. Example below:
python /opt/DeTTECT/dettect.py ds -fd input/your_data_source.yaml -l
Depending on the version of DeTTECT the command may change.
@rv5080 3 years ago
@HASecuritySolutions You mean the DeTTECT editor. Followed your example in the video, saved the YAML file, then used a YAML to JSON tool. I get this error: WARNING: Uploaded layer version (1) does not match Navigator's layer version (4.1). The layer configuration may not be fully restored. Thanks for the assistance
@HASecuritySolutions 3 years ago
@rv5080 Yes. You are correct. I'll update the video description to clarify my statement that the YAML to JSON is intended to come from the DeTTECT editor's Python code.
@HishanShouketh 3 years ago
Well explained, I say short and damn SWEET 🧁🎂🎂???
@HASecuritySolutions 3 years ago
Fantastic. That's the goal.