Synopsis
This session is designed for everyone. Whether you are a complete beginner struggling with technology, a seasoned cybersecurity professional or a decision-maker, this presentation has practical tools for everyone.
In the ever-evolving realm of IT/OT cybersecurity, understanding and mitigating threats proactively is the only path forward. MITRE’s ATT&CK (Adversarial Tactics, Techniques and Common Knowledge) and D3FEND (Detection, Denial, and Disruption Framework Empowering Network Defence) frameworks provide an evolving approach to comprehending and counteracting the Tactics, Techniques, and Procedures (TTPs) employed by threat actors, an approach aligned with the Pyramid of Pain’s purpose of increasing the adversaries’ cost of operations.
Although relatively new, these cybersecurity frameworks serve as a shared language guiding information security professionals in both offensive and defensive strategies to fully map and understand the threat surface and protect systems and data assets.
ATT&CK has had such impact that it is officially used by the Cybersecurity and Infrastructure Security Agency (CISA) in its threat report “PRC State-Sponsored Actors Compromise and Maintain Persistent Access to US Critical Infrastructure”, which was co-authored by ASD and ACSC. Using ATT&CK, the report explained and mapped the living-off-the-land (LOTL) TTPs of Volt Typhoon, which were used to gain access to US critical infrastructure over the last five years.
A major difference from other frameworks is that ATT&CK and D3FEND are constantly growing with the input of the cybersecurity community. Managed by MITRE, both frameworks grow by adding new attackers’ TTPs witnessed by information security professionals everywhere.
Securing Systems and Data Assets
The fast pace of change in cybersecurity can be overwhelming for those who try to keep up to date. The ATT&CK/D3FEND frameworks serve as a knowledge base of what is actually happening in the field. They catalogue attackers’ and defenders’ TTPs and the common vulnerabilities they exploit, and how to detect and mitigate them, while providing a clear taxonomy of how such breaches can occur. ATT&CK makes it possible to single out the TTPs related to Advanced Persistent Threat (APT) groups that attack specific industries. By understanding these TTPs, information security professionals can proactively prioritise security measures to secure systems and data assets in their industry.
ATT&CK has four matrices:
- Enterprise matrix for Windows, Linux, and MacOS;
- Enterprise cloud matrix for AzureAD, Office365, GoogleWorkspace, SaaS, IaaS, Network, and Containers;
- Mobile matrix for Android and iOS; and
- ICS matrix for Industrial Control Systems.
In tandem, D3FEND complements ATT&CK by focusing on the defender’s TTPs. It outlines a knowledge graph of cybersecurity countermeasures mapped against ATT&CK’s TTPs. The emphasis is on a proactive security posture that not only detects threats but also prevents and responds to attacks effectively.
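The workflow the two preceding sections describe, single out the ATT&CK techniques used by groups that target your industry, then pick the D3FEND countermeasures that address the most of them, can be expressed as a small weighted set-cover calculation. The following is an added example, not code from the presentation or from MITRE. The group, industry and countermeasure tables are constructed sample data: the ATT&CK technique IDs are real identifiers, but which groups use them, which industries they target and which countermeasures address them are illustrative assumptions, not the official ATT&CK or D3FEND content.

```python
from collections import Counter

# Constructed sample data for this example (NOT the official ATT&CK/D3FEND content).
# Group names are placeholders; technique IDs are real ATT&CK identifiers
# (T1059 Command and Scripting Interpreter, T1078 Valid Accounts,
#  T1021 Remote Services, T1047 Windows Management Instrumentation,
#  T1003 OS Credential Dumping, T1566 Phishing).
GROUP_TECHNIQUES = {
    "GROUP-A": {"T1059", "T1078", "T1021", "T1047"},
    "GROUP-B": {"T1078", "T1003", "T1021"},
    "GROUP-C": {"T1059", "T1566"},
}
GROUP_INDUSTRIES = {
    "GROUP-A": {"Energy", "Water"},
    "GROUP-B": {"Energy"},
    "GROUP-C": {"Retail"},
}
# Countermeasure -> ATT&CK techniques it addresses. The names echo D3FEND's
# vocabulary, but the mapping itself is an assumption made for this example.
COUNTERMEASURES = {
    "Multi-factor Authentication": {"T1078", "T1021"},
    "Process Spawn Analysis": {"T1059", "T1047"},
    "Local Account Monitoring": {"T1078", "T1003"},
    "Sender Reputation Analysis": {"T1566"},
}


def techniques_for_industry(industry, group_techniques, group_industries):
    """Count how many groups targeting `industry` use each technique.

    The count is the weight: a technique shared by several groups is worth
    more to cover than one seen only once.
    """
    counts = Counter()
    for group, industries in group_industries.items():
        if industry in industries:
            counts.update(group_techniques.get(group, ()))
    return counts


def prioritise_countermeasures(technique_counts, countermeasures):
    """Greedy weighted set cover: repeatedly pick the countermeasure that
    addresses the most still-uncovered technique weight.

    Returns (plan, gaps): plan is an ordered list of (countermeasure,
    techniques it newly covers); gaps lists techniques no countermeasure
    in the mapping addresses, which is itself a finding worth reporting.
    """
    uncovered = dict(technique_counts)
    plan = []
    while uncovered:
        best, best_gain = None, 0
        for name, techs in countermeasures.items():
            gain = sum(uncovered.get(t, 0) for t in techs)
            if gain > best_gain:  # strict: ties keep the first candidate
                best, best_gain = name, gain
        if best is None:
            break  # nothing left in the mapping covers the remainder
        newly_covered = {t for t in countermeasures[best] if t in uncovered}
        plan.append((best, sorted(newly_covered)))
        for t in newly_covered:
            del uncovered[t]
    return plan, sorted(uncovered)


def plan_for_industry(industry):
    """Convenience wrapper over the constructed sample tables."""
    counts = techniques_for_industry(industry, GROUP_TECHNIQUES, GROUP_INDUSTRIES)
    return prioritise_countermeasures(counts, COUNTERMEASURES)


if __name__ == "__main__":
    for industry in ("Energy", "Retail"):
        plan, gaps = plan_for_industry(industry)
        print(f"== {industry} ==")
        for rank, (name, techs) in enumerate(plan, 1):
            print(f"{rank}. {name}: covers {', '.join(techs)}")
        if gaps:
            print("No countermeasure in mapping for:", ", ".join(gaps))
```

The greedy choice is the standard approximation for set cover; it will not always find the smallest plan, but it produces a defensible, explainable ordering from the same two artefacts the talk describes (group-to-technique mappings from ATT&CK, technique-to-countermeasure mappings from D3FEND). Replacing the constructed tables with data exported from the real knowledge bases is the only change needed to use it for an actual industry.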
The Future is Now
Looking forward, the cybersecurity landscape will undoubtedly continue to evolve, driven by advancements in technology and changes in attackers’ TTPs. It is vital to understand the threat surface and to be able to communicate it visually and verbally between front-liners and the different levels of management. This dual-framework approach ensures that organisations are not merely reactive but are also equipped to anticipate and neutralise threats before they manifest as breaches of systems and data assets.