
Ambiguous Techniques: Determining Malice Through Context

Slides: PDF, 2.61MB. Last updated: 29 Oct, 2025
Presented by:
Antonia Feffer

In the evolving landscape of cybersecurity, defenders face the challenge of distinguishing malicious activities from benign ones, particularly when dealing with ambiguous techniques: those whose observables lack sufficient clarity to determine intent with certainty. This talk will delve into the groundbreaking work of the Ambiguous Techniques (AT) project, which has developed a robust methodology for identifying and analyzing these techniques. Attendees will gain insights into the project's innovative approach, including the use of co-occurring technique research, chain-level contextual analysis, and the development of actionable analytics. Participants will learn how to apply the AT methodology to their own detection engineering processes, enabling them to reduce false positives and enhance analytic efficiency.

The session will highlight key deliverables, such as published analytics in open-source repositories and technical documentation that provides guidance for distinguishing malicious from benign activities. Real-world examples of analytics, including those targeting discovery and impact techniques, will be showcased to illustrate practical applications.

Key Takeaways:
- Understand the concept of ambiguous techniques and their implications for cyber defense.
- Learn how to incorporate detection engineering guidance into analytic development processes.
- Explore actionable analytics that reduce false positives and improve visibility into adversary behaviors.
- Discover how to leverage AT findings to inform future defensive posturing, capability acquisition, and attack chain trend analysis.

By the end of the session, attendees will be equipped with actionable strategies to enhance their organization's defensive capabilities, supported by the AT project's methodologies and tools. This talk is a must-attend for cybersecurity professionals seeking to stay ahead in the fight against increasingly sophisticated threats.

SANS Hack & Defend Summit 2025