Exploring 5 Techniques from the MITRE ATT&CK Cloud Matrix Specific to O365

Presented by

Randy Franklin Smith, Dan Kaiser, Brian Coulson, Sally Vincent

About this talk

MITRE isn’t resting on their laurels with ATT&CK; they keep making it better. ATT&CK now includes cloud-specific content, and I don’t mean just generalized cloud guidance. Just like how ATT&CK has specific Techniques for Windows and Linux, ATT&CK’s cloud matrix defines Techniques specific to Office 365, Azure, AWS, Google, and others. It also covers most of the same Tactics found in the original ATT&CK matrix, including: - Initial Access: Get into your network - Persistence: Maintain their foothold - Privilege Escalation: Gain higher-level permissions - Defense Evasion: Avoid being detected - Credential Access: Steal account names and passwords - Discovery: Figure out your environment - Lateral Movement: Move through your environment - Collection: Gather data of interest to their goal - Exfiltration: Steal data The only ones missing at this time are: - Execution: Run malicious code - Command and Control: Communicate with compromised systems to control them - Impact: Where the adversary tries to manipulate, interrupt, or destroy your systems and data. In addition, MITRE’s cloud matrix already has over 40 different documented Techniques, and in this real training for free ™ event, Randy Franklin Smith of Ultimate Windows Security will provide an overview of the matrix and show you how it fits into the overall ATT&CK framework. Then, members of LogRhythm’s Threat Research team — Brian Coulson, Dan Kaiser, and Sally Vincent — demonstrate how you can use the following 5 cloud Techniques to identify anomalies in an Office 365 environment: - T1114: Email Collection - T1534: Internal Spearphishing - T1098: Account Manipulation - T1136: Create Account - T1192: Spearphishing Link Watch this on-demand technical session for the latest ways to protect your cloud resources with MITRE ATT&CK.

Related topics:

More from this channel

Upcoming talks (3)
On-demand talks (196)
Subscribers (67624)
LogRhythm helps busy and lean security operations teams save the day—day after day. There’s a lot riding on the shoulders of security professionals—the reputation and success of their company, the safety of citizens and organizations across the globe, the security of critical resources—the weight of protecting the world. LogRhythm helps lighten this load. The company is on the frontlines defending against many of the world’s most significant cyberattacks and empowers security teams to navigate an ever-changing threat landscape with confidence. As allies in the fight, LogRhythm combines a comprehensive and flexible security operations platform, technology partnerships, and advisory services to help SOC teams close the gaps.