ATT&CKcon 2018: A Look Back

Adam Pennington
Published in MITRE ATT&CK®
Nov 16, 2018 · 6 min read

Written by Adam Pennington & Katie Nickels

Just a couple of weeks ago, members of the ATT&CK community joined us at MITRE’s McLean headquarters for our first ever ATT&CKcon. Over 250 of you made the trek in person, and close to 1,000 were watching via live-stream at our peak. Now that we’ve caught our breath from the whirlwind of excitement, we wanted to take a moment to recap some of what we saw and heard over two days of talks, panels, Q&A discussions, and debates over a few Panic ATT&CKs, plus the giant matrices with pins in them and the follow-up surveys. We’ve posted links to all of the talk videos, as well as slides where we have speaker permission, on the ATT&CK website.

Given that we were putting something like this on for the first time, we had no idea what to expect when we put out the ATT&CKcon CFP back in July. Luckily for us the community delivered, and we were overwhelmed with the quality and quantity of the talk proposals we received: 60 proposals for just 17 talk slots (30 or 15 minutes each), an acceptance rate of around 28%. Our lightning (5 minute) talk submissions were competitive as well, with 12 submissions for 5 slots.

John Lambert giving the keynote address. (Photo by Andy Cleavenger)

John Lambert, Distinguished Engineer and General Manager of Microsoft’s Threat Intelligence Center, gave the inaugural keynote presentation for ATT&CKcon. We’ve appreciated the feedback and support that John has given us and many others in the community over the years, and his keynote was closely aligned with that spirit. John’s key message may be best described by the African Proverb he quoted: “If you want to go fast, go alone. If you want to go far, go together.” With each of his sections on community, organized knowledge, executable know-how, and repeatable analysis, John talked about the people, projects, and companies who are actively contributing to the information security community and how those contributions can be leveraged. One new term from the keynote was the “Githubification” of Infosec — working towards a goal of standardizing and sharing knowledge across the community in a way that is vendor-neutral as well as usable and repeatable by all defenders. John’s keynote can be viewed here.

We were pleased that this year’s ATT&CKcon speakers represented many facets of the ATT&CK community, including defenders, red teamers, intelligence analysts, and vendors. The community theme we heard in John’s talk carried over into several other speakers’ messages in terms of sharing tools, intelligence, and analytics. We were particularly excited to hear this theme since one of our goals in holding ATT&CKcon was to connect community members to each other to share ideas that help improve defenses.

Effective communication was another common thread, both in terms of using the language of ATT&CK itself as a communication tool as well as simplifying the technique language for communication with a broader audience. Some pieces of advice on working with ATT&CK carried over between multiple talks as well. One example was advising the audience not to worry about detecting every single technique in ATT&CK, with multiple strategies given for how to prioritize which techniques to implement. Another piece of advice we heard multiple times was to assess our own environments, figure out what’s working and what’s not, and determine where our own gaps lie.

We also heard important messages about the limitations of ATT&CK. Several speakers and panelists pointed out that while ATT&CK is useful, it is not all-encompassing and is not a solution for every problem in network defense, a point with which our team fully agrees. A challenge we heard several times was determining how much detection coverage you really have for a given technique: coverage is rarely all-or-nothing, and many teams struggle to express where it is partial.

There were many more key messages than we have room to capture here, so if you missed catching the ATT&CKcon talks live, we encourage you to check out the videos and slides yourself.

We were also happy to have the opportunity to receive feedback from the community about where you’d like to see us go with ATT&CK, whether we received it during extended Q&A sessions, directly from the stage, over cocktails, or via post-conference surveys. One of the most consistent feedback themes was around unevenness of the abstraction level across various techniques in Enterprise ATT&CK (some techniques are much broader than others). While this was already on our radar, and we’re hoping to address this with sub-techniques, we heard the feedback loud and clear and will weigh it heavily in our priorities. Some of the other themes we heard several times included requests for:

  • Cloud techniques and ATT&CK for Cloud (including a sad cloud slide)
  • Clearer, more structured ways to contribute data and techniques (and ways to track those contributions)
  • A road map and clear path for the future of the Cyber Analytic Repository (CAR)
  • Techniques covering the intent to cause harm to a system (also known as “impacts” or “effects,” or the Integrity and Availability legs of the CIA Triad)

We’ve heard you, and we will have more to say in the coming months on each of these (hopefully within weeks in the case of CAR). Our goal is to make sure ATT&CK remains a useful resource for the community, and what you say matters to us.

Finally, we have some important results to announce.

When we put out the CFP, we asked each potential speaker what their favorite ATT&CK technique was. Coming out on top was Credential Dumping (T1003) with PowerShell (T1086) close behind (Navigator Layer).

During the conference itself, we asked attendees to stick pins into a giant ATT&CK matrix answering four different questions:

“What’s the least likely ATT&CK technique to be seen in the wild?”

Port Knocking (T1205) won by an almost 2–1 margin over the next highest technique, Hardware Additions (T1200). (Navigator Layer)

“With your ATT&CK-mapped detections, which ones generate the most false positives?”

This one was a near tie, with PowerShell (T1086) just edging out Valid Accounts (T1078). We found it interesting that PowerShell was a favorite technique of speakers, while also being one that generates a lot of false positives. (Navigator Layer)

“With your ATT&CK-mapped detections, which ones generated the most true positives?”

For this question we had our only tie, between Network Service Scanning (T1046) and Spearphishing Link (T1192). (Navigator Layer)

“What techniques keep you up at night?”

An enterprising attendee added the “Environmental” tactic to the matrix and its sole technique of “Meteor!!” (T¯\_(ツ)_/¯) beat out the competitors. A special mention goes to the “completely anonymous” attendee who added “Spicy Tweets” (T(⊙_⊙’)) technique (under the Command and Control tactic), which got a single vote. (Navigator Layer)
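Each of the results above links to an ATT&CK Navigator layer, which is just a JSON file that scores techniques so the matrix can heat-map them. The snippet below is an added example (not the team’s own tooling or the real tallies) of building such a layer from a pin-board count. It assumes the late-2018 layer format (layer "version" 2.1, domain "mitre-enterprise"); the vote counts are constructed for illustration, with only the technique IDs taken from this post, and the emoticon “IDs” from the last board are included to show why a builder should validate IDs before emitting a layer.

```python
"""Turn pin-board tallies into ATT&CK Navigator layer files.

Added example, not MITRE code. Assumes the Navigator layer format of late
2018 ("version": "2.1", domain "mitre-enterprise"). Vote counts are
constructed for illustration and are NOT the real ATT&CKcon tallies.
"""
import json
import re
from collections import Counter

# Enterprise technique IDs in 2018 were "T" followed by four digits.
TECHNIQUE_ID = re.compile(r"^T\d{4}$")

# Constructed tallies (hypothetical numbers, IDs from the post). The joke
# entries from the "keeps you up at night" board are kept on purpose.
PIN_VOTES = {
    "Least likely technique seen in the wild": Counter({"T1205": 14, "T1200": 7}),
    "Most false positives": Counter({"T1086": 9, "T1078": 8}),
    "Most true positives": Counter({"T1046": 6, "T1192": 6}),
    "Keeps you up at night": Counter({"T¯\\_(ツ)_/¯": 11, "T(⊙_⊙’)": 1}),
}


def build_layer(name, votes, domain="mitre-enterprise", version="2.1"):
    """Return (layer_dict, rejected_ids).

    Each vote count becomes the technique's Navigator "score"; the gradient
    is scaled so the most-voted technique renders darkest. IDs that do not
    look like real technique IDs are dropped and reported, not emitted.
    """
    accepted, rejected = {}, []
    for tid, count in votes.items():
        if TECHNIQUE_ID.match(tid) and count > 0:
            accepted[tid] = count
        else:
            rejected.append(tid)
    techniques = [
        {"techniqueID": tid, "score": count, "comment": f"{count} pin(s)", "enabled": True}
        for tid, count in sorted(accepted.items(), key=lambda kv: (-kv[1], kv[0]))
    ]
    layer = {
        "name": name,
        "version": version,
        "domain": domain,
        "description": "Generated from ATT&CKcon pin-board tallies (constructed example)",
        "techniques": techniques,
        "gradient": {
            "colors": ["#ffffff", "#ff6666"],
            "minValue": 0,
            "maxValue": max(accepted.values(), default=1),
        },
        "legendItems": [{"label": "pins", "color": "#ff6666"}],
    }
    return layer, rejected


def layer_json(name, votes):
    """Serialised layer ready to load into the Navigator."""
    layer, _ = build_layer(name, votes)
    return json.dumps(layer, indent=2, ensure_ascii=False)


def winners(votes):
    """Technique ID(s) holding the top score; more than one means a tie."""
    layer, _ = build_layer("tmp", votes)
    if not layer["techniques"]:
        return []
    top = layer["techniques"][0]["score"]
    return [t["techniqueID"] for t in layer["techniques"] if t["score"] == top]


if __name__ == "__main__":
    for question, votes in PIN_VOTES.items():
        layer, rejected = build_layer(question, votes)
        print(f"{question}: winners={winners(votes)} rejected={rejected}")
    print(layer_json("Most true positives", PIN_VOTES["Most true positives"]))
```

Ties surface naturally from the sorted scores (the true-positive board returns two winners), and the “Environmental” joke board produces an empty layer plus two rejected IDs rather than a file the Navigator would choke on.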

In closing…

We’d like to thank everyone who participated in this year’s ATT&CKcon both physically and virtually, with a special shout-out to our speakers and panelists. We are also grateful to the companies who were ATT&CKcon sponsors (AttackIQ, CrowdStrike, Endgame, McAfee, Red Canary, SafeBreach, Tripwire, and our reception sponsor Verodin). ATT&CKcon may be over, but we’re still interested in any questions, comments, criticisms, or concerns you might have and invite you to reach out via email (attack@mitre.org) or on Twitter (@MITREattack). This is just the beginning.

ATT&CK Matrix with Attendee Signatures and Push Pins

©2018 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for public release. Distribution unlimited 18–1528–29.
