Threat Detection and Hunting for 5 of the Most Common MITRE ATT&CK Techniques: Connection Proxy, Service Execution, Exfiltration, Masquerading, Drive-by Compromise

Webinar Registration

In this technical real training for free session, we will take 5 techniques from the MITRE ATT&CK framework, and demonstrate how to use them to detect and respond to threats.

The MITRE ATT&CK framework is quickly becoming a focal point in the security world — and for good reason. This framework provides a consistent, industry-wide standard on which you can assess the effectiveness of your security monitoring and alerting capabilities. If you are new to ATT&CK, check out my earlier webinar that introduces the framework and discusses how to align and enrich your security monitoring efforts with it: https://www.ultimatewindowssecurity.com/webinars/register.aspx?id=1534

In this webinar, we will build on the last webinar and get deep into application. We will zero in on using the MITRE ATT&CK framework to focus and prepare your threat detection capabilities.

Here are the 5 techniques we’ve selected, based on tactic prevalence:

| ID | Name | Tactic | Data Sources |
|---|---|---|---|
| T1090 | Connection Proxy | Command and Control | Process use of network, Process monitoring, Netflow/Enclave netflow, Packet capture |
| T1048 | Exfiltration Over Alternative Protocol | Exfiltration | User interface, Process monitoring, Process use of network, Packet capture, Netflow/Enclave netflow, Network protocol analysis |
| T1036 | Masquerading | Defense Evasion | File monitoring, Process monitoring, Binary file metadata |
| T1189 | Drive-by Compromise | Initial Access | Packet capture, Network device logs, Process use of network, Web proxy, Network intrusion detection system, SSL/TLS inspection |
| T1035 | Service Execution | Execution | Windows Registry, Process monitoring, Process command-line parameters |

We’ll explore each of these techniques with you, highlighting how attackers use them and how you can detect them. We will discuss which logs you need to be collecting, what audit policy needs to be enabled, and what you need to look for in those logs.

These 5 techniques each come from a different Tactic category in ATT&CK, and relate to different phases in an attack’s lifecycle. Mature threat detection and response requires that you have capabilities across the threat lifecycle, from initial access through command and control and into exfiltration.

We’ll then pivot to Dan Kaiser and Brian Coulson from our sponsor, LogRhythm, who will demonstrate how to detect each of these techniques with an actual SIEM. Brian and Dan are part of a large project at LogRhythm Labs in which they are aligning MITRE ATT&CK with their SIEM platform.

When coupled with a SIEM solution, the MITRE ATT&CK framework allows you to effectively test your security monitoring environment against attack techniques to validate that your technology and rules are truly working and alert you to the right anomalous behavior.

To this end, LogRhythm Labs is developing a MITRE ATT&CK module designed to detect and alert on anomalous behavior on a per-technique basis. With the LogRhythm MITRE ATT&CK module, you can ensure that you’re catching critical threats that hit your network.

In this real training for free session, you’ll learn:

  • How to incorporate ATT&CK into your environment
  • How to build out practical, technical threat detection
  • How to use SIEM technology and logs for threat hunting

Please join us for this real training for free event.
