MITRE - ATT&CKcon, profile picture
Uploaded byMITRE - ATT&CKcon
1,019 views

MITRE ATT&CKcon 2.0: ATT&CK Updates - Cyber Analytics Repository (CAR); Ivan Kirillov, MITRE

The document summarizes the Cyber Analytics Repository (CAR), an openly available repository of ATT&CK-driven analytics maintained by MITRE. CAR contains analytics for detecting adversary tactics and techniques, mappings of analytics to sensors, and an exploration tool. Recent work has focused on increasing quality and usability by adding new analytics, converting analytics to a machine-readable format, and supporting multiple implementations. Future goals include expanding coverage of ATT&CK techniques, updating the data model and sensor coverage, and improving the analytic exploration tool. The document encourages contributions of new analytics to CAR.

Technology
Related topics:
MITRE ATT&CK Insights Cyber Threat Intelligence
In this document
Powered by AI

Introduction of CAR, an ATT&CK-driven repository for open-source analytics, providing a URL for access.

CAR includes a data model, structured formats (YAML), and Bro/Zeek analytics to enhance network detection.

As of October 2019, highlights CAR's coverage of ATT&CK techniques with a link to detailed information.

Plans for enhancing analytics and data models, addressing network details, and improving sensor coverage.

Encourages user contributions to CAR, acknowledging that 50% of new analytics were user-generated.

Provides essential CAR resources and contact details for further engagement and inquiries.

Embed presentation

©2019 The MITRE Corporation. All rights reserved. Approved for public release. Distribution unlimited 18-03621-8. MITRE | 1 | Cyber Analytics Repository Ivan Kirillov (too cool for Twitter) © 2019 The MITRE Corporation. All rights reserved. Approved for public release. Distribution unlimited 18-03730-17 @MITREattack #ATTACKcon
| 2 | https://car.mitre.org/ © 2019 The MITRE Corporation. All rights reserved. Approved for public release. Distribution unlimited 18-03730-17
Cyber Analytics Repository (CAR) | 3 | ▪ ATT&CK-driven, actively maintained repository of open source analytics – Also includes a data model, mappings to sensors, and an exploration tool (CARET) ▪ Recent work has focused on increasing quality and usability – Adding new analytics – Converting analytics to a structured, machine-parseable format (YAML) – Supporting multiple implementations (e.g., Splunk, Sigma) for each analytic © 2019 The MITRE Corporation. All rights reserved. Approved for public release. Distribution unlimited 18-03730-17
CAR – But wait, there’s more! | 4 | ▪ BZAR: Bro/Zeek ATT&CK-based Analytics and Reporting – A set of Bro/Zeek scripts utilizing the SMB and DCE-RPC protocol analyzers to detect several network-specific ATT&CK techniques ▪ Data model updates – Updates to process object model to account for newer analytics/EDR tools ▪ Tweaks to ATT&CK coverage for better accuracy © 2019 The MITRE Corporation. All rights reserved. Approved for public release. Distribution unlimited 18-03730-17
CAR – ATT&CK Coverage | 5 | As of October 2019 https://github.com/mitre-attack/car/blob/master/docs/car_attack/car_attack.json © 2019 The MITRE Corporation. All rights reserved. Approved for public release. Distribution unlimited 18-03730-17
CAR – Future Goals | 6 | ▪ New Analytics – Better coverage of top ATT&CK Techniques – Analytic “Building Blocks” ▪ Data Model Updates – More network-based modeling – especially Layer 7 – Updates based on Sysmon and other EDR tools ▪ Analytic “Baseball Cards” – Summary with critical info (description, coverage, techniques involved, etc.) ▪ Updates to Sensor Coverage – Site currently has Sysmon 3.2 (2016 says hi!) – YAML for sensors ▪ CARET Refactoring ▪ ATT&CK Coverage Redux – Per-implementation coverage & capturing ease of evasion © 2019 The MITRE Corporation. All rights reserved. Approved for public release. Distribution unlimited 18-03730-17
We want your analytics! | 7 | ▪ Submit an issue on GitHub: https://github.com/mitre-attack/car/issues ▪ Out of the new analytics we’ve added this year, 50% were user- contributed. Special thanks to: – Meric Degirmenci // IBM – Kaushal Parikh // Cyware Labs – Tony Lambert // Red Canary © 2019 The MITRE Corporation. All rights reserved. Approved for public release. Distribution unlimited 18-03730-17
CAR Resources | 8 | ▪ CAR Resources: – Main site: https://car.mitre.org/ – YAML-ized analytics: https://github.com/mitre-attack/car/tree/master/analytics – BZAR: https://github.com/mitre-attack/car/tree/master/implementations/bzar – And remember… © 2019 The MITRE Corporation. All rights reserved. Approved for public release. Distribution unlimited 18-03730-17
| 9 | attack@mitre.org @MITREattack #ATTACKcon Ivan Kirillov ikirillov@mitre.org © 2019 The MITRE Corporation. All rights reserved. Approved for public release. Distribution unlimited 18-03730-17

More Related Content

PPTX
Purple Teaming with ATT&CK - x33fcon 2018
byChristopher Korban
 
PDF
ATT&CKing the Red/Blue Divide
byMITRE ATT&CK
 
PDF
Managing & Showing Value during Red Team Engagements & Purple Team Exercises ...
byJorge Orchilles
 
PDF
Intelligence Failures of Lincolns Top Spies: What CTI Analysts Can Learn Fro...
byMITRE ATT&CK
 
PDF
Mapping to MITRE ATT&CK: Enhancing Operations Through the Tracking of Interac...
byMITRE ATT&CK
 
PDF
Grow Up! Evaluating and Maturing Your SOC using MITRE ATT&CK
byMITRE ATT&CK
 
PPTX
Adversary Emulation and Its Importance for Improving Security Posture in Orga...
byDigit Oktavianto
 
PDF
The ATT&CK Latin American APT Playbook
byMITRE ATT&CK
 
Purple Teaming with ATT&CK - x33fcon 2018
byChristopher Korban
 
ATT&CKing the Red/Blue Divide
byMITRE ATT&CK
 
Managing & Showing Value during Red Team Engagements & Purple Team Exercises ...
byJorge Orchilles
 
Intelligence Failures of Lincolns Top Spies: What CTI Analysts Can Learn Fro...
byMITRE ATT&CK
 
Mapping to MITRE ATT&CK: Enhancing Operations Through the Tracking of Interac...
byMITRE ATT&CK
 
Grow Up! Evaluating and Maturing Your SOC using MITRE ATT&CK
byMITRE ATT&CK
 
Adversary Emulation and Its Importance for Improving Security Posture in Orga...
byDigit Oktavianto
 
The ATT&CK Latin American APT Playbook
byMITRE ATT&CK
 

What's hot

PPTX
ATT&CKing with Threat Intelligence
byChristopher Korban
 
PDF
ATT&CK Updates- Defensive ATT&CK
byMITRE ATT&CK
 
PDF
How to Plan Purple Team Exercises
byHaydn Johnson
 
PDF
BSidesLV 2018 - Katie Nickels and John Wunder - ATT&CKing the Status Quo
byKatie Nickels
 
PDF
Tracking Noisy Behavior and Risk-Based Alerting with ATT&CK
byMITRE ATT&CK
 
PDF
Exploring how Students Map Social Engineering Techniques to the ATT&CK Framew...
byMITRE ATT&CK
 
PDF
Would you Rather Have Telemetry into 2 Attacks or 20? An Insight Into Highly ...
byMITRE ATT&CK
 
PPTX
Leveraging MITRE ATT&CK - Speaking the Common Language
byErik Van Buggenhout
 
PDF
Mapping ATT&CK Techniques to ENGAGE Activities
byMITRE ATT&CK
 
PDF
One Leg to Stand on: Adventures in Adversary Tracking with ATT&CK
byMITRE ATT&CK
 
PDF
ATT&CKing Your Adversaries - Operationalizing cyber intelligence in your own ...
byJamieWilliams130
 
PDF
Adversary Emulation and Red Team Exercises - EDUCAUSE
byJorge Orchilles
 
PDF
How MITRE ATT&CK helps security operations
bySergey Soldatov
 
PDF
MITRE ATT&CKcon 2.0: Prioritizing ATT&CK Informed Defenses the CIS Way; Phili...
byMITRE - ATT&CKcon
 
PDF
MITRE ATT&CKcon 2.0: Flashback with ATT&CK: Exploring Malware History with AT...
byMITRE - ATT&CKcon
 
PDF
MITRE ATT&CKcon 2.0: Ready to ATT&CK? Bring Your Own Data (BYOD) and Validate...
byMITRE - ATT&CKcon
 
PDF
Breach and attack simulation tools
byBangladesh Network Operators Group
 
PPTX
SOC: Use cases and are we asking the right questions?
byJonathan Sinclair
 
PDF
MITRE ATT&CKcon 2.0: Lessons in Purple Team Testing with MITRE ATT&CK; Daniel...
byMITRE - ATT&CKcon
 
PDF
MITRE ATT&CKcon 2018: ATT&CK as a Teacher, Travis Smith, Tripwire
byMITRE - ATT&CKcon
 
ATT&CKing with Threat Intelligence
byChristopher Korban
 
ATT&CK Updates- Defensive ATT&CK
byMITRE ATT&CK
 
How to Plan Purple Team Exercises
byHaydn Johnson
 
BSidesLV 2018 - Katie Nickels and John Wunder - ATT&CKing the Status Quo
byKatie Nickels
 
Tracking Noisy Behavior and Risk-Based Alerting with ATT&CK
byMITRE ATT&CK
 
Exploring how Students Map Social Engineering Techniques to the ATT&CK Framew...
byMITRE ATT&CK
 
Would you Rather Have Telemetry into 2 Attacks or 20? An Insight Into Highly ...
byMITRE ATT&CK
 
Leveraging MITRE ATT&CK - Speaking the Common Language
byErik Van Buggenhout
 
Mapping ATT&CK Techniques to ENGAGE Activities
byMITRE ATT&CK
 
One Leg to Stand on: Adventures in Adversary Tracking with ATT&CK
byMITRE ATT&CK
 
ATT&CKing Your Adversaries - Operationalizing cyber intelligence in your own ...
byJamieWilliams130
 
Adversary Emulation and Red Team Exercises - EDUCAUSE
byJorge Orchilles
 
How MITRE ATT&CK helps security operations
bySergey Soldatov
 
MITRE ATT&CKcon 2.0: Prioritizing ATT&CK Informed Defenses the CIS Way; Phili...
byMITRE - ATT&CKcon
 
MITRE ATT&CKcon 2.0: Flashback with ATT&CK: Exploring Malware History with AT...
byMITRE - ATT&CKcon
 
MITRE ATT&CKcon 2.0: Ready to ATT&CK? Bring Your Own Data (BYOD) and Validate...
byMITRE - ATT&CKcon
 
Breach and attack simulation tools
byBangladesh Network Operators Group
 
SOC: Use cases and are we asking the right questions?
byJonathan Sinclair
 
MITRE ATT&CKcon 2.0: Lessons in Purple Team Testing with MITRE ATT&CK; Daniel...
byMITRE - ATT&CKcon
 
MITRE ATT&CKcon 2018: ATT&CK as a Teacher, Travis Smith, Tripwire
byMITRE - ATT&CKcon
 

Similar to MITRE ATT&CKcon 2.0: ATT&CK Updates - Cyber Analytics Repository (CAR); Ivan Kirillov, MITRE

PDF
MITRE ATT&CK Updates: State of the ATT&CK (ATT&CKcon 4.0 Edition)
byMITRE ATT&CK
 
PDF
MITRE ATT&CKcon 2018: Hunters ATT&CKing with the Data, Roberto Rodriguez, Spe...
byMITRE - ATT&CKcon
 
PDF
ATT&CK Updates- ATT&CK's Open Source
byMITRE ATT&CK
 
PPTX
Detection Rules Coverage
bySunny Neo
 
PDF
Projects to Impact- Operationalizing Work from the Center
byMITRE ATT&CK
 
PDF
State of the ATT&CK May 2023
byAdam Pennington
 
PDF
MITRE ATT&CK Updates: Software - Jared Ondricek
byMITRE ATT&CK
 
PDF
MITRE ATT&CK Updates: Software
byMITRE ATT&CK
 
PDF
Updates from The Center for Threat Informed Defense - Jon Baker
byMITRE ATT&CK
 
PDF
What's New with ATTACK for ICS?
byMITRE - ATT&CKcon
 
PPTX
How Data Analytics is Re-defining Modern Era in Cyber Security
bySaqib Chaudhry
 
PDF
MITRE ATT&CKcon 2.0: ATT&CK Updates - ICS; Otis Alexander, MITRE
byMITRE - ATT&CKcon
 
PDF
State of the ATT&CK 2024 - Adam Pennington
byMITRE ATT&CK
 
PDF
MITRE ATT&CK Updates: CTI - Path Forward - Joe Slowik
byMITRE ATT&CK
 
PDF
State of ATT&CK
byAdam Pennington
 
PDF
MITRE ATT&CKcon 2.0: ATT&CK Updates - Sightings; John Wunder, MITRE
byMITRE - ATT&CKcon
 
PDF
MITRE ATT&CK framework and Managed XDR Position Paper
byMarc St-Pierre
 
PDF
Using MITRE PRE-ATTACK and ATTACK in Cybercrime Education and Research
byMITRE - ATT&CKcon
 
PDF
MITRE ATTACKcon Power Hour - October
byMITRE - ATT&CKcon
 
PPT
Computer-assisted reporting seminar for StatsCan
byGlen McGregor
 
MITRE ATT&CK Updates: State of the ATT&CK (ATT&CKcon 4.0 Edition)
byMITRE ATT&CK
 
MITRE ATT&CKcon 2018: Hunters ATT&CKing with the Data, Roberto Rodriguez, Spe...
byMITRE - ATT&CKcon
 
ATT&CK Updates- ATT&CK's Open Source
byMITRE ATT&CK
 
Detection Rules Coverage
bySunny Neo
 
Projects to Impact- Operationalizing Work from the Center
byMITRE ATT&CK
 
State of the ATT&CK May 2023
byAdam Pennington
 
MITRE ATT&CK Updates: Software - Jared Ondricek
byMITRE ATT&CK
 
MITRE ATT&CK Updates: Software
byMITRE ATT&CK
 
Updates from The Center for Threat Informed Defense - Jon Baker
byMITRE ATT&CK
 
What's New with ATTACK for ICS?
byMITRE - ATT&CKcon
 
How Data Analytics is Re-defining Modern Era in Cyber Security
bySaqib Chaudhry
 
MITRE ATT&CKcon 2.0: ATT&CK Updates - ICS; Otis Alexander, MITRE
byMITRE - ATT&CKcon
 
State of the ATT&CK 2024 - Adam Pennington
byMITRE ATT&CK
 
MITRE ATT&CK Updates: CTI - Path Forward - Joe Slowik
byMITRE ATT&CK
 
State of ATT&CK
byAdam Pennington
 
MITRE ATT&CKcon 2.0: ATT&CK Updates - Sightings; John Wunder, MITRE
byMITRE - ATT&CKcon
 
MITRE ATT&CK framework and Managed XDR Position Paper
byMarc St-Pierre
 
Using MITRE PRE-ATTACK and ATTACK in Cybercrime Education and Research
byMITRE - ATT&CKcon
 
MITRE ATTACKcon Power Hour - October
byMITRE - ATT&CKcon
 
Computer-assisted reporting seminar for StatsCan
byGlen McGregor
 

More from MITRE - ATT&CKcon

PDF
State of the ATTACK
byMITRE - ATT&CKcon
 
PDF
ATTACKers Think in Graphs: Building Graphs for Threat Intelligence
byMITRE - ATT&CKcon
 
PDF
ATTACK-Onomics: Attacking the Economics Behind Techniques Used by Adversaries
byMITRE - ATT&CKcon
 
PDF
Sharpening your Threat-Hunting Program with ATTACK Framework
byMITRE - ATT&CKcon
 
PDF
From Theory to Practice: How My ATTACK Perspectives Have Changed
byMITRE - ATT&CKcon
 
PDF
Measure What Matters: How to Use MITRE ATTACK to do the Right Things in the R...
byMITRE - ATT&CKcon
 
PDF
Helping Small Companies Leverage CTI with an Open Source Threat Mapping
byMITRE - ATT&CKcon
 
PDF
Using ATTACK to Create Cyber DBTS for Nuclear Power Plants
byMITRE - ATT&CKcon
 
PDF
TA505: A Study of High End Big Game Hunting in 2020
byMITRE - ATT&CKcon
 
PDF
MITRE ATTACKcon Power Hour - January
byMITRE - ATT&CKcon
 
PDF
MITRE ATT&CKcon Power Hour - November
byMITRE - ATT&CKcon
 
PDF
MITRE ATTACKCon Power Hour - December
byMITRE - ATT&CKcon
 
PDF
ATTACKing the Cloud: Hopping Between the Matrices
byMITRE - ATT&CKcon
 
PDF
MITRE ATT&CKcon 2.0: Keynote Address - The Friends We Made Along the Way; Ton...
byMITRE - ATT&CKcon
 
PDF
What's New with ATTACK for Cloud?
byMITRE - ATT&CKcon
 
PDF
Putting the PRE into ATTACK
byMITRE - ATT&CKcon
 
PDF
What's a MITRE with your Security?
byMITRE - ATT&CKcon
 
PDF
Transforming Adversary Emulation Into a Data Analysis Question
byMITRE - ATT&CKcon
 
PDF
Mapping the EventBot Mobile Banking Trojan with MITRE ATTACK for Mobile
byMITRE - ATT&CKcon
 
PDF
Starting Over with Sub-Techniques
byMITRE - ATT&CKcon
 
State of the ATTACK
byMITRE - ATT&CKcon
 
ATTACKers Think in Graphs: Building Graphs for Threat Intelligence
byMITRE - ATT&CKcon
 
ATTACK-Onomics: Attacking the Economics Behind Techniques Used by Adversaries
byMITRE - ATT&CKcon
 
Sharpening your Threat-Hunting Program with ATTACK Framework
byMITRE - ATT&CKcon
 
From Theory to Practice: How My ATTACK Perspectives Have Changed
byMITRE - ATT&CKcon
 
Measure What Matters: How to Use MITRE ATTACK to do the Right Things in the R...
byMITRE - ATT&CKcon
 
Helping Small Companies Leverage CTI with an Open Source Threat Mapping
byMITRE - ATT&CKcon
 
Using ATTACK to Create Cyber DBTS for Nuclear Power Plants
byMITRE - ATT&CKcon
 
TA505: A Study of High End Big Game Hunting in 2020
byMITRE - ATT&CKcon
 
MITRE ATTACKcon Power Hour - January
byMITRE - ATT&CKcon
 
MITRE ATT&CKcon Power Hour - November
byMITRE - ATT&CKcon
 
MITRE ATTACKCon Power Hour - December
byMITRE - ATT&CKcon
 
ATTACKing the Cloud: Hopping Between the Matrices
byMITRE - ATT&CKcon
 
MITRE ATT&CKcon 2.0: Keynote Address - The Friends We Made Along the Way; Ton...
byMITRE - ATT&CKcon
 
What's New with ATTACK for Cloud?
byMITRE - ATT&CKcon
 
Putting the PRE into ATTACK
byMITRE - ATT&CKcon
 
What's a MITRE with your Security?
byMITRE - ATT&CKcon
 
Transforming Adversary Emulation Into a Data Analysis Question
byMITRE - ATT&CKcon
 
Mapping the EventBot Mobile Banking Trojan with MITRE ATTACK for Mobile
byMITRE - ATT&CKcon
 
Starting Over with Sub-Techniques
byMITRE - ATT&CKcon
 

Recently uploaded

PDF
MathML Core in WebKit
byIgalia
 
PPSX
AppSec Role Based Training OWASP Global AppSec USA 2025-11-06
byRobert Grupe, CSSLP CISSP PE PMP
 
PDF
Cybersecurity in ASEAN and Singapore Columbia SIPA 2025.pdf
byBenjamin Ang
 
PDF
Automating ArcGIS Enterprise Compliance for Operational Excellence
bySafe Software
 
PPTX
Career Blueprint - Future Career Vision & Success Stories - 2025 - Part 1
byDianaGray10
 
PDF
Revolutionizing SQL Database Design for the Modern Era.pdf
bySQL DBM
 
PDF
#MakeAIMatter for HR Professionals | AI Transformation Workshop by Tekdi Tech...
byParth Lawate
 
PDF
Career Blueprint: Mentor Tracks & Career Clinic - Part 2
byDianaGray10
 
PDF
WebXR in Android and Linux with OpenXR
byIgalia
 
PDF
Database Performance at Scale: The TL;DR
byScyllaDB
 
PDF
The Complete Crypto Airdrop Playbook: Strategies, Scams & Success Stories | 3...
by3verseTV
 
PDF
Do more with the HP Z2 Mini G1a
byPrincipled Technologies
 
PDF
Dr. Robert Krug - Specializes In Predictive Modeling
byDr. Robert Krug
 
PDF
Inclusive India_Samir_Dash_10 NOV_FINAL 2025.pdf
bySamir Dash
 
PDF
Analyze and Store Logs - RHCSA (RH124).pdf
byLinuxCert Guru
 
PDF
Manage Files Using CLI - RHCSA (RH124).pdf
byLinuxCert Guru
 
PDF
Manage Local Users and Groups - RHCSA (RH124)
byLinuxCert Guru
 
PPTX
Bulwark Pokemon League Top 8 graphic archive
byGc Howard
 
PDF
Install and Update Software - RHCSA (RH124).pdf
byLinuxCert Guru
 
PDF
"Visual Guide to DSA: Big O Notation, Data Structures, and Algorithms Fundame...
byNusrat Gulbarga
 
MathML Core in WebKit
byIgalia
 
AppSec Role Based Training OWASP Global AppSec USA 2025-11-06
byRobert Grupe, CSSLP CISSP PE PMP
 
Cybersecurity in ASEAN and Singapore Columbia SIPA 2025.pdf
byBenjamin Ang
 
Automating ArcGIS Enterprise Compliance for Operational Excellence
bySafe Software
 
Career Blueprint - Future Career Vision & Success Stories - 2025 - Part 1
byDianaGray10
 
Revolutionizing SQL Database Design for the Modern Era.pdf
bySQL DBM
 
#MakeAIMatter for HR Professionals | AI Transformation Workshop by Tekdi Tech...
byParth Lawate
 
Career Blueprint: Mentor Tracks & Career Clinic - Part 2
byDianaGray10
 
WebXR in Android and Linux with OpenXR
byIgalia
 
Database Performance at Scale: The TL;DR
byScyllaDB
 
The Complete Crypto Airdrop Playbook: Strategies, Scams & Success Stories | 3...
by3verseTV
 
Do more with the HP Z2 Mini G1a
byPrincipled Technologies
 
Dr. Robert Krug - Specializes In Predictive Modeling
byDr. Robert Krug
 
Inclusive India_Samir_Dash_10 NOV_FINAL 2025.pdf
bySamir Dash
 
Analyze and Store Logs - RHCSA (RH124).pdf
byLinuxCert Guru
 
Manage Files Using CLI - RHCSA (RH124).pdf
byLinuxCert Guru
 
Manage Local Users and Groups - RHCSA (RH124)
byLinuxCert Guru
 
Bulwark Pokemon League Top 8 graphic archive
byGc Howard
 
Install and Update Software - RHCSA (RH124).pdf
byLinuxCert Guru
 
"Visual Guide to DSA: Big O Notation, Data Structures, and Algorithms Fundame...
byNusrat Gulbarga
 

MITRE ATT&CKcon 2.0: ATT&CK Updates - Cyber Analytics Repository (CAR); Ivan Kirillov, MITRE

  • 1.
    ©2019 The MITRECorporation. All rights reserved. Approved for public release. Distribution unlimited 18-03621-8. MITRE | 1 | Cyber Analytics Repository Ivan Kirillov (too cool for Twitter) © 2019 The MITRE Corporation. All rights reserved. Approved for public release. Distribution unlimited 18-03730-17 @MITREattack #ATTACKcon
  • 2.
    | 2 | https://car.mitre.org/ ©2019 The MITRE Corporation. All rights reserved. Approved for public release. Distribution unlimited 18-03730-17
  • 3.
    Cyber Analytics Repository(CAR) | 3 | ▪ ATT&CK-driven, actively maintained repository of open source analytics – Also includes a data model, mappings to sensors, and an exploration tool (CARET) ▪ Recent work has focused on increasing quality and usability – Adding new analytics – Converting analytics to a structured, machine-parseable format (YAML) – Supporting multiple implementations (e.g., Splunk, Sigma) for each analytic © 2019 The MITRE Corporation. All rights reserved. Approved for public release. Distribution unlimited 18-03730-17
  • 4.
    CAR – Butwait, there’s more! | 4 | ▪ BZAR: Bro/Zeek ATT&CK-based Analytics and Reporting – A set of Bro/Zeek scripts utilizing the SMB and DCE-RPC protocol analyzers to detect several network-specific ATT&CK techniques ▪ Data model updates – Updates to process object model to account for newer analytics/EDR tools ▪ Tweaks to ATT&CK coverage for better accuracy © 2019 The MITRE Corporation. All rights reserved. Approved for public release. Distribution unlimited 18-03730-17
  • 5.
    CAR – ATT&CKCoverage | 5 | As of October 2019 https://github.com/mitre-attack/car/blob/master/docs/car_attack/car_attack.json © 2019 The MITRE Corporation. All rights reserved. Approved for public release. Distribution unlimited 18-03730-17
  • 6.
    CAR – FutureGoals | 6 | ▪ New Analytics – Better coverage of top ATT&CK Techniques – Analytic “Building Blocks” ▪ Data Model Updates – More network-based modeling – especially Layer 7 – Updates based on Sysmon and other EDR tools ▪ Analytic “Baseball Cards” – Summary with critical info (description, coverage, techniques involved, etc.) ▪ Updates to Sensor Coverage – Site currently has Sysmon 3.2 (2016 says hi!) – YAML for sensors ▪ CARET Refactoring ▪ ATT&CK Coverage Redux – Per-implementation coverage & capturing ease of evasion © 2019 The MITRE Corporation. All rights reserved. Approved for public release. Distribution unlimited 18-03730-17
  • 7.
    We want youranalytics! | 7 | ▪ Submit an issue on GitHub: https://github.com/mitre-attack/car/issues ▪ Out of the new analytics we’ve added this year, 50% were user- contributed. Special thanks to: – Meric Degirmenci // IBM – Kaushal Parikh // Cyware Labs – Tony Lambert // Red Canary © 2019 The MITRE Corporation. All rights reserved. Approved for public release. Distribution unlimited 18-03730-17
  • 8.
    CAR Resources | 8| ▪ CAR Resources: – Main site: https://car.mitre.org/ – YAML-ized analytics: https://github.com/mitre-attack/car/tree/master/analytics – BZAR: https://github.com/mitre-attack/car/tree/master/implementations/bzar – And remember… © 2019 The MITRE Corporation. All rights reserved. Approved for public release. Distribution unlimited 18-03730-17
  • 9.
    | 9 | [email protected] @MITREattack #ATTACKcon IvanKirillov [email protected] © 2019 The MITRE Corporation. All rights reserved. Approved for public release. Distribution unlimited 18-03730-17