Event Series: Conference

Making Magnets for Needles in Noisy Haystacks: Operationalizing ATT&CK with Risk Based Alerting – Haylee Mills

October 20, 2023 @ 1:00 pm - 1:50 pm MDT

MITRE ATT&CK helps us identify threats, prioritize data sources, and improve security posture, but how do we actualize those insights for better detection and alerting? We shift to alerts on aggregated behaviors over direct alerts, and make our noisy datasets into valuable treasure troves tagged with ATT&CK metadata. Let’s discuss the key features needed to implement this in any security toolset!

Operationalizing ATT&CK (5m)
I can’t make direct alerts for a lot of what ATT&CK identifies… my SOC would kill me. What do?!
Results of RBA Projects (5m)
Reduced alert volume by 50-90%, increased alert fidelity, and coverage of huge swaths of ATT&CK
What is Risk Based Alerting (8m)
Rather than “high severity direct alert” and “alert nobody responds to”, shift to observations of behavior stored in buckets for each user or system, and only alert on buckets with interesting things.
Skeleton of a Risk Rule (4m)
Go over the pieces of a risk rule that generates observations rather than alerts.
Security Metadata Enrichment (3m)
Example adding fields to IDS data.
Tweaking Scores by Object Attributes (3m)
Incorporating data about our objects to tweak levers up and down.
Alerting on ATT&CK (7m)
Now we build a rule that looks at risk events and discuss interesting alerting methods.
Rethinking Detection (13m)
Having AV, DLP, EDR, IDS, proxy, email, firewall, etc. speak this language is where we get so much more value. Discuss lenses for SOC, Fraud, Insider Threat, and Machine Learning. Discuss threat hunting queues, threat object/behavior alerting, and capturing “zero risk” observations as forensics-lite.
Wrap-Up (2m)
Reiterate how much time we save on alert volume and investigation speed, and how much easier content becomes to develop.
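The risk-bucket model the outline describes (observation-generating risk rules tagged with ATT&CK techniques, scores tweaked by object attributes, and alerting only on interesting buckets) as an added, self-contained example; this is not the speaker's code or Splunk's RBA implementation, and the events, attribute multipliers and thresholds are constructed for illustration.

```python
from collections import defaultdict

# Constructed risk events: each is one observation emitted by a risk rule,
# not an alert. Tuple: (risk_object, data_source, attack_technique, base_score)
RISK_EVENTS = [
    ("alice", "edr", "T1059.001", 20),        # scripting interpreter use
    ("alice", "proxy", "T1071.001", 10),      # beacon-like web traffic
    ("alice", "ids", "T1046", 15),            # network scan signature
    ("bob", "proxy", "T1071.001", 10),        # same technique, repeated:
    ("bob", "proxy", "T1071.001", 10),        #   adds score but no breadth
    ("bob", "email", "T1566.001", 0),         # "zero risk" observation kept
    ("svc-backup", "edr", "T1003.001", 40),   #   for context (forensics-lite)
]

# Constructed object attributes used to move the score levers up or down.
OBJECT_ATTRIBUTES = {
    "alice": {"privileged": True, "watchlist": False},
    "bob": {"privileged": False, "watchlist": False},
    "svc-backup": {"privileged": True, "watchlist": True},
}

def adjusted_score(risk_object, base_score):
    """Apply attribute-based multipliers (hypothetical values) to a base score."""
    attrs = OBJECT_ATTRIBUTES.get(risk_object, {})
    multiplier = 1.0
    if attrs.get("privileged"):
        multiplier *= 1.5
    if attrs.get("watchlist"):
        multiplier *= 2.0
    return base_score * multiplier

def aggregate(events):
    """Bucket observations per risk object: total score, distinct techniques, sources."""
    buckets = defaultdict(lambda: {"score": 0.0, "techniques": set(), "sources": set()})
    for obj, source, technique, base in events:
        bucket = buckets[obj]
        bucket["score"] += adjusted_score(obj, base)
        bucket["techniques"].add(technique)
        bucket["sources"].add(source)
    return buckets

def risk_alerts(events, score_threshold=100.0, min_techniques=3):
    """Alert on a bucket when its score is high OR it spans many ATT&CK techniques."""
    alerts = []
    for obj, bucket in aggregate(events).items():
        if bucket["score"] >= score_threshold or len(bucket["techniques"]) >= min_techniques:
            alerts.append({"risk_object": obj, "score": bucket["score"],
                           "techniques": sorted(bucket["techniques"]),
                           "sources": sorted(bucket["sources"])})
    return alerts
```

With the constructed data, alice alerts on breadth of techniques at a modest score, svc-backup alerts on score alone, and bob's repeated single-technique noise never pages anyone but stays in the bucket for investigation.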

Haylee Mills

“Haylee went to school for 2D animation and worked in that industry for four years before 80 hour weeks and 40 hours of minimal pay crushed her soul and her dreams. During her quarter-life crisis living with her parents, she bicycled across the United States and dabbled in documentary film-making, aquaponics, and urban gardening. She ultimately wandered into information security as a career path thanks to a friend in the field who believed in her and dangled the starting pay for an information security analyst. Beyond the money, she quickly developed a passion for the craft as well as building pipelines for folks to achieve financial stability in this career.

She started as a SOC analyst working crappy alerts, made better alerts and an elegant investigation workflow in Splunk with Risk-Based Alerting as a Content Engineer, and finally moved to Splunk to evangelize and advise on RBA as a Security Strategist. In that time, she hosted regular classes with mentees and created a course on Twitch/YouTube to reach people interested in cybersecurity without a background in IT or Computer Science. In her spare time (lol), she works with the Cybersecurity Council of Arizona building infosec education pipelines, as social media staff for AZ’s premier cybersecurity conference CactusCon, and on the Tempe Arts & Culture Commission to advise the City on arts development and preservation.”