Collaborative Development of ATT&CK Analytics

  • Wednesday, 15 Nov 2017 3:30PM EST (15 Nov 2017 20:30 UTC)
  • Speaker: John Wunder

A group of organizations has kicked off work to develop and share cybersecurity analytics that detect ATT&CK techniques. Led by Bill Barnes from Pfizer and organized around MITRE's ATT&CK framework, the work consists of each organization picking a technique from ATT&CK, developing one or more analytics to detect that technique, and then sharing the analytic with the other participants. Participants get immediate operational benefit from their improved ability to detect malicious behavior, but the group is also documenting lessons learned and seeking to develop a repeatable methodology. That methodology will build on the ATT&CK methodology to let organizations identify coverage gaps and understand how to get from where they are to where they want to be, whether by developing their own analytics or by sourcing analytics from others. The talk will discuss the transferability (or not) of analytics across organizations (due to differences in sensors, platforms, etc.), how to give feedback, and how to continually improve.

To learn more about the topic, join SANS for its Cyber Threat Intelligence Summit & Training in Bethesda, MD this January. The two-day Summit features in-depth presentations by top experts and practitioners addressing specific analytical techniques and capabilities that can be used to generate and maintain cyber threat intelligence for your organization.