2018mitreattckconlundgren-181116142303.pdf.md

ATT&CK & OSQuery. Scott Lundgren, @5twenty9. 72 | © 2018 Carbon Black. All Rights Reserved. | CONFIDENTIAL

My path: operating system developer, offensive researcher, pen tester, chief architect @ Carbon Black.

But where am I coming from? I believe ATT&CK is a positive development. I wish for sustained success.

What is the timeframe? Future.

Ten minutes... go!

1. Assert a challenge
2. Introduce osquery
3. Propose a conversation

The combination of technical complexity and competitive landscape poses a long-term threat to the ATT&CK framework.

Introducing osquery

Assertion: ATT&CK needs an ecosystem.
- Testing frameworks are absolutely the first step.
- Reference detection implementations are the next.

Introducing osquery
- Developed by Facebook
- Endpoint agent
- Open-source
- Extensible
- Cross-platform

A SQL front-end for endpoint telemetry
- 226+ tables
- Endpoint agent
- Open-source
- Cross-platform

Example tables:
- `arp_cache`
- `listening_ports`
- `logged_in_users`
- `kernel_modules`
- `rpm_packages`
- `scheduled_tasks`
- `bitlocker_info`
- `autoexec`
- `process_open_files`
- `process_open_sockets`


Proposing the conversation

Three-legged stool
- ATT&CK framework
- Open testing framework
- Open reference detections

Existing reference detection implementations: Filippo Mottini, Olaf Hartong, PolyLogyx.

Putting forward osquery
- Open
- Extensible
- Cross-platform
- Approachable

`SELECT * FROM T1197;`
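The slide above treats an ATT&CK technique ID as something an analyst could query the way they query an osquery table. As an added example, written for this page and not taken from Lundgren's deck or from the osquery project, here are two osquery SQL queries in the shape a published reference detection might take, using tables the earlier slide lists (`scheduled_tasks`, `listening_ports`, plus the core `processes` table). The technique mapping for the first query (T1053, Scheduled Task/Job) is my assumption, since the slide itself names only T1197; column names follow the public osquery schema, and the filter strings are constructed for illustration rather than tuned for any environment.

```sql
-- Added example, not from the slides or the osquery project.
-- Two queries in the form of an osquery-based "reference detection".
-- Table and column names come from the public osquery schema; the
-- technique mapping and the filter terms are this example's assumptions.

-- Assumed mapping: T1053 (Scheduled Task/Job).
-- Enabled tasks whose action launches a scripting host or a binary
-- under a user profile, which is worth triage on most fleets.
SELECT
  name,
  path,
  action,
  last_run_time,
  next_run_time
FROM scheduled_tasks
WHERE enabled = 1
  AND (
       action LIKE '%powershell%'
    OR action LIKE '%cmd.exe%'
    OR action LIKE '%wscript%'
    OR action LIKE '%cscript%'
    OR action LIKE '%\Users\%'
  );

-- Listening sockets joined back to the owning process, so a port is
-- triaged by binary path and command line rather than by number alone.
-- Loopback-only listeners are excluded to cut noise (constructed filter).
SELECT
  p.pid,
  p.name,
  p.path,
  p.cmdline,
  lp.port,
  lp.protocol,
  lp.address
FROM listening_ports AS lp
JOIN processes AS p USING (pid)
WHERE lp.port <> 0
  AND lp.address NOT IN ('127.0.0.1', '::1')
ORDER BY lp.port;
```

Either query runs one-shot with `osqueryi --json "SELECT ..."` for JSON output, or goes into the `schedule` section of the osqueryd configuration with an interval, in which case osqueryd logs the rows that appear or disappear between runs, which is the form a shared reference detection is most useful in.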

Think & converse