Cyber@MITRE workshop for defenders: Learn to learn from our adversaries

Wednesday 27 November, 12:40 pm - 4:40 pm

Speakers

Mark Perry
Lead Applied Cyber Security Engineer
The MITRE Corporation

Stanley Barr
Senior Principal, Cyber Operations
The MITRE Corporation

Synopsis

Cyber adversaries are shapeshifters: notoriously intelligent, adaptive, and persistent. They learn from every attack, whether it succeeds or fails. They can steal personal data, damage business operations, or disrupt critical infrastructure. In this workshop, you will learn to learn from cyber adversaries, and have the opportunity to advance your skills as a defender beyond a compliance-centric model to one that is threat-informed. This workshop consists of a 90-minute seminar, followed by two 60-minute hands-on labs.

Through the lens of operationalizing adversary engagement, the seminar will help cyber defenders deepen their understanding of adversary tradecraft and technology and enable resilient security operations. Attendees will learn what is available in MITRE's open-source toolbox and how to apply those capabilities in the context of the following adversary engagement topics:

  • Know Thyself: What Are Your Organizational Strengths And Weaknesses?
  • Know Thy Enemy: Who Is Your Target Adversary?
  • Designing Your Engagements: What Should The Adversary See, Think, And Do?
  • Execute Your Operation
  • Understand How Your Raw Data Becomes Useful Intelligence
  • Gather Your Team

Workshop content will give an integrated overview of the following globally available MITRE capabilities:

  • MITRE ATT&CK®
  • MITRE CALDERA™
  • MITRE Engage™

Attendees will also learn when and how to integrate other methodologies, including:

  • CAPEC – A catalog of common attack patterns that helps users understand how adversaries exploit weaknesses in applications and other cyber-enabled capabilities.
  • CVE – The CVE® Program identifies, defines, and catalogs publicly disclosed cybersecurity vulnerabilities.
  • Crown Jewel Analysis – Identify the cyber assets most critical to mission accomplishment—the "crown jewels"
  • Threat Susceptibility Assessment (TSA) – Understand the threats and associated risks to those crown jewel assets
  • Cyber Risk Remediation Analysis (RRA) – Select mitigation measures to prevent and/or fight through attacks

Lab #1: Caldera Demonstration

Instructors will present a scenario that a commercial or corporate entity may ask of a security team. In this scenario, a concerned organization is requesting a security team to develop a repeatable adversary emulation plan based on current cyber threat intelligence (CTI) for a specific advanced persistent threat (APT) that has been targeting the organization’s industry sector.

We will:

  • Create three cyber threat intelligence reports for this adversary detailing the tactics, techniques, and procedures (TTPs) attributed to them
  • Demonstrate how to develop an adversary emulation plan in Caldera utilizing the relevant TTPs described in the CTI reporting
  • Execute the new adversary emulation plan against the target machines and display the facts that Caldera collects during an operation, the outputs of all commands run, and the final report generated by the Debrief plugin.
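The three lab steps above (CTI report, emulation plan, operation) meet in Caldera's data model: each TTP becomes an ability with one executor per platform, and the adversary profile lists those abilities in the order they should run. The script below is an added example, not workshop material or code from the Caldera project. It takes a constructed CTI summary (real ATT&CK technique IDs, illustrative commands that are not any named APT's procedures), builds the ability and adversary records, renders them in the YAML layout Caldera loads from a plugin's data/abilities and data/adversaries directories, attaches a stockpile basic parser so one ability's output is stored as the fact host.user.name, and checks the plan for the dangling-ID and no-executor mistakes that otherwise only show up when the operation silently skips a step. The ability IDs are derived with uuid5 so re-running the script produces the same plan.

```python
"""Build a MITRE Caldera adversary emulation plan from a CTI TTP list.

Added example, not from the workshop or the Caldera project. The CTI entries,
commands and the plan name below are constructed for illustration.
"""
import uuid

# Constructed CTI summary. attack_id/name are real ATT&CK techniques; the
# per-platform commands are illustrative procedures, not a real APT's.
CTI_REPORT = [
    {"tactic": "discovery", "attack_id": "T1082", "name": "System Information Discovery",
     "linux": "uname -a", "windows": "systeminfo"},
    {"tactic": "discovery", "attack_id": "T1033", "name": "System Owner/User Discovery",
     "linux": "whoami", "windows": "whoami",
     "fact": "host.user.name"},  # parse the command output into this Caldera fact
    {"tactic": "discovery", "attack_id": "T1083", "name": "File and Directory Discovery",
     "linux": "ls -la /tmp", "windows": "dir C:\\Users"},
]

# Executor name Caldera uses for each platform's default shell.
EXECUTOR_FOR = {"linux": "sh", "windows": "psh"}


def stable_id(label: str) -> str:
    """Deterministic UUID so regenerating the plan keeps the same ability IDs."""
    return str(uuid.uuid5(uuid.NAMESPACE_URL, "caldera-example/" + label))


def yq(s: str) -> str:
    """YAML single-quoted scalar; the only escape is doubling the quote."""
    return "'" + s.replace("'", "''") + "'"


def build_ability(entry: dict) -> dict:
    """One ability record: a technique with one executor per platform in the CTI."""
    platforms = {}
    for platform, executor in EXECUTOR_FOR.items():
        if platform in entry:
            ex = {"command": entry[platform]}
            if "fact" in entry:
                # stockpile's basic parser stores the whole output under this fact name
                ex["parsers"] = {"plugins.stockpile.app.parsers.basic": [entry["fact"]]}
            platforms[platform] = {executor: ex}
    return {"id": stable_id(entry["attack_id"] + "/" + entry["name"]),
            "name": entry["name"], "tactic": entry["tactic"],
            "technique": {"attack_id": entry["attack_id"], "name": entry["name"]},
            "platforms": platforms}


def build_adversary(name: str, description: str, abilities: list) -> dict:
    """Adversary profile; atomic_ordering is the execution order of the operation."""
    return {"id": stable_id("adversary/" + name), "name": name,
            "description": description,
            "atomic_ordering": [a["id"] for a in abilities]}


def render_ability(ab: dict) -> str:
    """YAML as stored in data/abilities/<tactic>/<id>.yml (a one-item list)."""
    lines = [f"- id: {ab['id']}", f"  name: {yq(ab['name'])}", f"  tactic: {ab['tactic']}",
             "  technique:", f"    attack_id: {ab['technique']['attack_id']}",
             f"    name: {yq(ab['technique']['name'])}", "  platforms:"]
    for platform, executors in ab["platforms"].items():
        lines.append(f"    {platform}:")
        for executor, ex in executors.items():
            lines += [f"      {executor}:", f"        command: {yq(ex['command'])}"]
            if ex.get("parsers"):
                lines.append("        parsers:")
                for module, facts in ex["parsers"].items():
                    lines.append(f"          {module}:")
                    lines += [f"            - source: {f}" for f in facts]
    return "\n".join(lines) + "\n"


def render_adversary(adv: dict) -> str:
    """YAML as stored in data/adversaries/<id>.yml."""
    lines = [f"id: {adv['id']}", f"name: {yq(adv['name'])}",
             f"description: {yq(adv['description'])}", "atomic_ordering:"]
    lines += [f"  - {aid}" for aid in adv["atomic_ordering"]]
    return "\n".join(lines) + "\n"


def validate_plan(adv: dict, abilities: list) -> list:
    """Catch mistakes Caldera would otherwise surface only as skipped steps."""
    known = {a["id"]: a for a in abilities}
    problems = []
    for aid in adv["atomic_ordering"]:
        if aid not in known:
            problems.append(f"adversary references unknown ability {aid}")
        elif not known[aid]["platforms"]:
            problems.append(f"ability {known[aid]['name']!r} has no executor and will never run")
    return problems


def emulation_plan(report=CTI_REPORT):
    """CTI report -> (adversary profile, ability list), validated."""
    abilities = [build_ability(e) for e in report]
    adv = build_adversary("Sector APT (constructed)",
                          "Discovery TTPs from constructed CTI reporting", abilities)
    problems = validate_plan(adv, abilities)
    if problems:
        raise ValueError("; ".join(problems))
    return adv, abilities


if __name__ == "__main__":
    adversary, abilities = emulation_plan()
    print(render_adversary(adversary))
    for ability in abilities:
        print(render_ability(ability))
```

Drop the rendered files into a plugin's data/abilities/discovery and data/adversaries directories (or submit the same records through the REST API), then run an operation with the new adversary: the host.user.name fact collected by the T1033 step is what shows up in the operation's fact view, and the Debrief plugin report will list each ability by the technique ID set here.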

Lab #2: Kingdom of Traitors: An Experiential Learning Game

Instructors will facilitate Kingdom of Traitors; its gameplay is designed to encourage iterative learning. Students play multiple games to mature and refine their strategy. Discussions interspersed with gameplay relate game actions to the material covered in the lecture and lab content.

Game context is available upon request.

Prerequisites

The MITRE team is offering the following resources for people to review before coming to our workshop. The only download you may need is for the Caldera demo: if you plan to run the demo on your own computer, please download all of the files in the Caldera demo folder linked below. There are several MITRE frameworks that we will discuss to varying depths; they are listed in decreasing order of importance to the discussion. The remaining materials are broken down into categories. They will all be mentioned at some point during the session, but do not feel you need to review many, or even any, of them. These are articles that we found interesting for varying reasons, and hopefully you will find them of interest as well.

Caldera demo folder:

https://mitre.app.box.com/v/mitrecaldera/folder/268472780723

MITRE frameworks:

https://engage.mitre.org/

https://caldera.mitre.org/

https://attack.mitre.org/

https://d3fend.mitre.org/

Previous attacks on critical infrastructure:

https://www.cyber.gc.ca/sites/default/files/cyber-threat-activity-associated-russian-invasionukraine-e.pdf

https://money.cnn.com/2015/08/05/technology/aramco-hack/

https://en.m.wikipedia.org/wiki/Shamoon

https://www.wired.com/story/untold-story-2018-olympics-destroyer-cyberattack/

Operations that have deception components:

The "#Macron leaks" operation: a post-mortem - Atlantic Council

https://apps.dtic.mil/sti/pdfs/ADA527328.pdf

Crystal ball of future threats:

https://media.defense.gov/2023/Apr/24/2003205865/-1/-1/1/07-AMONSON%20%26%20EGLI_FEATURE%20IWD.PDF

https://therecord.media/china-taiwan-critical-infrastructure-attacks-us-easterly

©20XX The MITRE Corporation. ALL RIGHTS RESERVED

Approved for public release. Distribution unlimited 24-02005-2.

Acknowledgement of Country

We acknowledge the traditional owners and custodians of country throughout Australia and acknowledge their continuing connection to land, waters and community. We pay our respects to the people, the cultures and the elders past, present and emerging.