Threat Detection and Hunting with MITRE ATT&CK

The MITRE ATT&CK framework is quickly becoming a focal point in the security world — and for good reason. This framework provides a consistent, industry-wide standard on which you can assess the effectiveness of your security monitoring and alerting capabilities. In this webinar, we will zero in on using the MITRE ATT&CK framework to focus and prepare your threat detection capabilities. Here are the 5 techniques we’ve selected, based off the tactic prevalence: T1090 -- Connection Proxy T1048 -- Service Execution T1036 -- Exfiltration T1189 -- Masquerading T1035 -- Drive-by Compromise We’ll explore each one of these techniques with you, highlighting how the attackers use them and how you can detect them. We will discuss which logs you need to be collecting, what audit policy needs to enabled, and what you need to look for in those logs.These 5 techniques each come from a different Tactic category in ATT&CK, and relate to different phases in an attack’s lifecycle. Mature threat detection and response requires that you have capabilities across the threat lifecycle, from initial access through command and control and into exfiltration. Dan Kaiser and Brian Coulson from, LogRhythm, will demonstrate how to use each of these techniques with an actual SIEM. Brian and Dan are part of a large project at LogRhythm Labs in which they are aligning MITRE ATT&ACK with their SIEM platform. When coupled with a SIEM solution, the MITRE ATT&CK framework allows you to effectively test your security monitoring environment against attack techniques to validate that your technology and rules are truly working and alert you to the right anomalous behavior. In this webinar, you’ll learn: 1. How to incorporate ATT&CK to work in your environment 2. Building out practical, technical threat detection 3. How to use SIEM technology and logs for threat hunting