Cyber Solutions Fest 2021: Level MITRE ATT&CK® Framework

  • Friday, 22 Oct 2021 8:30AM EDT (22 Oct 2021 12:30 UTC)
  • Speakers: Chloé Messdaghi, Greg Fischer, Om Moolchandani, Stefano Chierici, Maor Franco, Inbar Raz, Diana Kelley, Nicola Whiting, Alyssa Miller, Natasha Barnes, Seema Kathuria, Gordon Collins, Michael Gorelik, Amit Malik, Anthony Di Bello, Mark Alba, Robert Slocum, Sherri Thom, Cesar Rodriquez

You are entering Level MITRE ATT&CK® at the SANS Cyber Solutions Fest 2021. 

This full-day session will be led by Chloé Messdaghi and a lineup of top industry experts. Discover how you can empower security by using MITRE ATT&CK, how to have a resilient security team by mapping security control gap analysis with the framework, lessons learned while utilizing the framework, new aspects to the framework, and the latest developments for applying the framework to the cloud.

Download a copy of the presentations here!




Agenda | 8:30 AM - 5:30 PM EDT

Timeline (EDT)

Session Details

8:30 AM

Kickoff & Welcome

Chloé Messdaghi, SANS Chair

8:45 AM

Predicting the Next Attack: The Power of Cyber Threat Intelligence Together with MITRE ATT&CK

How TTPs help connect the dots between a sea of IoCs and the adversary groups behind them.

MITRE ATT&CK has practical and strategic applications across various security functions when security tooling and processes are mapped to the framework. Visualizing threats through the MITRE ATT&CK framework makes it easier for security practitioners to determine and communicate the highest priority threats they face and optimize actions to mitigate them. Gain a strategic advantage through key programmatic benefits of MITRE ATT&CK and combine tools for a more secure environment.

Greg Fischer, Sr. Director Product Solutions, Anomali

9:25 AM

Shifting ATT&CK Left to Enable Automated, Risk-Based Security Controls in Development

ATT&CK is most commonly used in runtime to identify and counter adversary actions, but did you know that it can also be used in development to manage risk even before insecure apps are deployed? This session explores an approach that leverages ATT&CK in development to establish automated guardrails in DevOps pipelines to identify risks such as policy violations and breach paths early, assess the risk and impact of exploit, prevent deployment of risks that exceed a threshold of risk defined by the security team, and provide development teams with a risk-based, prioritized list of necessary remediations. This will drive better security outcomes by enabling security teams to recognize the highest-risk findings and effectively communicate with development and operational teams.

Om Moolchandani, Co-founder & CTO, Accurics

10:05 AM


10:20 AM

Avoid Excessive IAM Permissions in the Cloud

Misconfigurations in cloud IAM permissions are by far the most used vector for attackers to compromise an account and expand their control over it. Cloud vendors offer customers hundreds of IAM permissions with which to fine-tune access to the environment. However, do we keep every granted permission up to date and under control? Are we sure we are applying the principle of least privilege to protect ourselves from a potential compromise? Visibility across all permissions granted in our cloud environment is fundamental to knowing what is in place and to responding to over-privileged access.

In this session we will:

  • Explain the potential TTPs using the MITRE ATT&CK Framework
  • Present a few real attack scenarios using IAM permission misconfigurations in cloud environments
  • Discover how to get visibility and quickly respond to misconfigurations in your environment

Stefano Chierici, Security Researcher, Sysdig

10:50 AM

Evalidate Your ATT&CK Readiness Against APT *.*

Endpoint controls are evaluated quarterly by MITRE Engenuity's team against one of the most famous and sophisticated APT groups, measuring the endpoint control's ability to prevent and/or detect the different tactics and techniques leveraged by that adversary. But what if you could e-validate your controls against all MITRE ATT&CK tactics and techniques, automatically, on your own data, continuously, in a safe-by-design approach? Would you do it…?!

Why "Evalidate"? Because I'm referring to evaluate and validate (a play on words). *.* in code means everything, not just APT28 and a short abstract.

Maor Franco, Senior Director, Pentera

11:20 AM

Closing Threat Detection Gaps with Open XDR

Early and accurate detection of threats is still a challenge for security teams: hindered by an unfavorable signal-to-noise ratio, false positive alerts and a lack of visibility, attacks are still being missed. Covering multiple security domains, such as Endpoint, Cloud, and Identity, also requires in-house expertise to support both domain-specific detection and complex, cross-domain attack detection, thereby avoiding detection silos.

When trying to understand the nature and extent of attacks, the MITRE ATT&CK framework provides an abstraction layer that acts as a common language in the security community, unlike, for instance, the ambiguity of APT names coined by various vendors. Used correctly, the MITRE ATT&CK framework is an excellent baseline for early threat detection and response, as well as community-wide collaboration.

Hunters’ open Extended Detection and Response (XDR) solution extracts high-noise threat signals and alerts from existing security data, and automatically maps them to MITRE ATT&CK techniques across surfaces. The Hunters platform enables organizations to know, out-of-the-box and in real-time, what kind of threat coverage they have for their data sources and which detection capabilities they have for each data source mapped onto specific TTPs.

Join this session to learn:

  • How to close detection gaps by mapping techniques to the MITRE ATT&CK framework, including low-visibility surfaces like Cloud platforms
  • How an Open XDR solution can enable organizations to detect entire attack kill chains in a timely manner
  • Attack chains and their progression in time represented by groups and sub-groups of ATT&CK techniques

Inbar Raz, VP Research, Hunters

11:50 AM


12:00 PM

Diversify and Conquer: Building and Managing Successful CyberTeams

Successful organizations know it's important to build diverse teams, but how can you ensure you're hiring from the most diverse pool? And once you've developed a diverse team how can you support inclusion and respect to keep that team effective and engaged? In this panel we bring together a group of experts in the cybersecurity field who represent a wide variety of backgrounds and approaches. Together we'll talk through dimensions of diversity including educational, experiential, racial, and neuro. And we'll share examples of how you and your organization can thrive with a powerfully diverse workforce.

Diana Kelley, CTO & Co-Founder, Security Curve
Nicola Whiting, Chief Strategy Officer, Titania Ltd
Alyssa Miller, Business Information Security Officer (BISO), S&P Global
Natasha Barnes, Associate Director in IT Internal Audit and Advisory, Protiviti
Seema Kathuria, Senior Product Marketing Manager, Duo Security

1:00 PM

Afternoon Kickoff

Chloé Messdaghi, SANS Chair

1:10 PM

Neutralizing Breach Paths Early with Infrastructure as Code and ATT&CK

Threat modeling is a critical security activity that too often relies on manual interviews, assessments, and enforcement. With DevOps accelerating delivery of software, how can security teams effectively manage risk if they rely on manual processes? Do the same approaches that accelerate development also present opportunities to improve the scalability and efficiency of security?

This session demonstrates how security teams can leverage open source tools, Infrastructure as Code, and the MITRE ATT&CK framework, to build accurate threat models early in the development process, identify breach paths, and implement security controls to neutralize breaches before the app is ever deployed.

Om Moolchandani, Co-Founder & Chief Technology Officer, Accurics

1:30 PM

Actor-Based Gap Analysis and the MITRE ATT&CK Framework

One of the challenges with threat intelligence involves the lack of attribution and relevancy when compared to one’s environment. For example, it might be hard to synthesize the qualitative and quantitative threat intelligence being curated in context when reading an article or incident report. Even harder is trying to apply the intelligence to the MITRE ATT&CK Framework to determine whether the contents of the article represent an area in your security posture that is covered or needs to be addressed. This gap analysis is necessary for continuous reevaluation of your overall security posture, which provides for the perceivably unattainable “strategic intelligence” component of your CTI program. Join us for a walkthrough as we answer the question: Can we determine gaps in our security posture by evaluating the techniques a specific threat actor uses against us?

Gordon Collins, Product Manager, Anomali

1:50 PM

Are Mitigations Keeping up With the Explosion in ATT&CK Techniques Development?

As the techniques that threat actors leverage continue to evolve, it’s concerning to see that the tools defenders rely on to secure their organizations have not changed at the same pace. This is not a good indication of defenders’ abilities to secure their organizations over the long term, especially given their reliance on mitigation strategies that still lack protection against unknown threats.

Join Morphisec CTO Michael Gorelik as he examines the difference in changes between techniques and mitigations in the MITRE ATT&CK Framework, and the breach prevention steps you can take instead to ensure your infrastructure remains protected in the face of the ever-changing threat landscape.

You can expect to learn about:

  • The rapid pace of evolution in the techniques threat actors use
  • The concerning lack of new mitigations designed to protect critical infrastructures
  • Breach prevention strategies that can improve your security against evasive, evolving attacks

Michael Gorelik, Chief Technology Officer, Morphisec
Matthew Delman, Manager, Morphisec

2:20 PM

Combatting Ransomware with MITRE ATT&CK and Uptycs

Ransomware continues to dominate the threat landscape, affecting organizations of all sizes and industries. Ransomware variants use a diverse set of tactics and techniques described in the MITRE ATT&CK framework, targeting both Windows and Linux platforms. In this session, Amit Malik and Abhijit Mohanta from the Uptycs Threat Research team will show how the behavior of ransomware such as Ryuk and NotPetya maps to the ATT&CK framework. Join us to learn:

  • How ATT&CK mapping can help you to ensure detection coverage for ransomware and give crucial context to investigators
  • The techniques ransomware such as Ryuk and NotPetya use to establish persistence, escalate privileges, evade defenses, and more
  • Key EDR capabilities to look for when defending your macOS, Windows, and Linux machines from ransomware

Amit Malik, Head of Threat Intelligence & Research, Uptycs
Abhijit Mohanta, Senior Security Researcher, Uptycs

2:50 PM

Scaling TTP-Based Detections to the Enterprise

TTP-based detections, such as those expressed by the MITRE ATT&CK framework and leveraged by most Endpoint Detection & Response (EDR) solutions, have several advantages over yesterday's IoC-based approach. However, many implementations suffer from an over-reliance on mass collection of data before it can be interrogated. This disconnect between where the data lives and where detections are performed presents other challenges and limitations as well.

In this session, we will discuss:

  • Implementing a distributed endpoint detection & response architecture
  • TTP-driven threat hunting, digital forensics, and incident response (DFIR)
  • Accounting for different threat models, network challenges, and novel attack methods

Anthony Di Bello, Vice President, Strategic Development, OpenText

3:20 PM


3:35 PM

Navigating the Dark Corners of Social Engineering Attacks and How to Combat the Surge in Advanced Phishing and Ransomware

In recent years, attackers have successfully infiltrated organizations through highly sophisticated social engineering techniques that exploit human behavior and vulnerabilities, leading to some of the worst data breaches in history.

In this fireside chat, we'll take you through some of the most sophisticated, real world email social engineering attacks found by Tessian’s Threat Intelligence Team, including spear phishing and vendor account takeover. See real-life examples of how these threats infiltrate organizations and how you can move your organization left of breach by stopping them early in the MITRE ATT&CK framework.

Robert Slocum, Director, Tessian
Sherri Thom, IT Director, Steward McKelvey

4:05 PM

MITRE ATT&CK Framework Panel

Organizations have adopted the MITRE ATT&CK framework to help manage cyber risks and increase the effectiveness of their security efforts. While most organizations recognize the value, many are unsure about which specific steps they should take to benefit from applying the MITRE ATT&CK framework fully.

Operationalizing telemetry and threat intelligence as part of the MITRE ATT&CK framework can also empower security teams and equip analysts with the context needed to detect malicious activity and make faster, more accurate decisions. This enables an organization to reduce investigation and remediation times while strengthening security posture to help prevent future attacks.

The focus of this panel will be on how to improve security by using MITRE ATT&CK, and how to increase resiliency by mapping security control gap analysis with the framework. It will explore lessons learned while utilizing the framework, new aspects to the framework, and the latest developments for applying the framework to the cloud.

Chloé Messdaghi, SANS Chair
Om Moolchandani, Co-Founder & Chief Technology Officer, Accurics
Cesar Rodriquez, Director of Engineering, Accurics
Greg Fischer, Sr. Director Product Solutions, Anomali

4:55 PM


Chloé Messdaghi, SANS Chair

Keynote: Diversify and Conquer

Turn diversity into power.

Joined by Nicola Whiting, Alyssa Miller, Natasha Barnes, and Seema Kathuria, Diana Kelley will lead this enlightening panel discussion and share how organizations can thrive with a powerfully diverse workforce.

Attend this engaging and thought-leading keynote by registering for a level on day 2 of SANS Cyber Solutions Fest 2021.

Level MITRE ATT&CK® Framework with Chloé Messdaghi

Chloé Messdaghi will be leading Level MITRE ATT&CK® this October! See what you can expect from attending this track.

Cybersecurity Solutions for Today's Challenges

The 2nd annual SANS Cyber Solutions Fest aims to connect cybersecurity professionals of all levels with the latest solutions, tools, and techniques to combat today's cybersecurity threats.

  • Featuring 4 unique levels: Threat Hunting & Intel, SOC & SOAR, MITRE ATT&CK®, and Cloud Security
  • Network in real-time with over 30 sponsors and learn from top industry experts
  • Join interactive panel discussions, discover job opportunities, compete in games for multiple prizes, and more