Red Team Village - All of the Threats

Cite

DEF CON

Brown, Tim (Wadhwa-)

Formal Metadata

Title

Red Team Village - All of the Threats

Subtitle

Intelligence, modelling, simulation and hunting through an ATT&CKers lens

Title of Series

DEF CON Safe Mode

Number of Parts

374

Author

Brown, Tim (Wadhwa-)

License

CC Attribution 3.0 Unported:
You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal purpose as long as the work is attributed to the author in the manner specified by the author or licensor.

Identifiers

10.5446/49160 (DOI)

Publisher

DEF CON

Release Date

2020

Language

English

Content Metadata

Subject Area

Computer Science

Genre

Conference/Talk

Abstract

ATT&CK is a game changer and where it works, it can enable both blue and red teams to co-exist and work effectively together. However, what happens when it falls short and the threat intelligence and hypotheses don't exist? How do you build threat intelligence and threat hunt hypotheses from first principles. What do attackers on UNIX do when bitcoin miners aren't their motivation? I’ll go into: * The target I chose and why – we have ~40 years’ experience looking at UNIX from an offensive standpoint, why wouldn't attackers * Building a collection worksheet and the information you'll need to track * Figuring out what TTPs the bad guys are using to attack UNIX when no-one has documented them previously – faced with a lack of DFIR reports, how do you validate your hypotheses * Working out whether your customer is exposed and why this matters * Translating concepts we see in the wild into things our customer can consume * What this means for users of ATT&CK