Center for Threat-Informed Defense:
Asia-PACific 2024 Event
Asia-Pacific ATT&CK Community Workshop
April 25-26, 2024
SINGAPORE | Online
We are grateful to our sponsors and everyone who participated in the 2024 Asia-Pacific ATT&CK Community Workshop.
2024 marked the inaugural event, during which regional security operations practitioners and avid users of MITRE ATT&CK gathered in Singapore to network, learn, and advance threat-informed defense through hands-on training and practitioner-led lightning talks.
Presenters from across the Asia-Pacific region shared their work related to ATT&CK, whether it’s best practices, worst practices, or something completely different.
We invite you to watch and share these insightful talks!
Explore the talks from 2024 Asia-Pacific ATT&CK Workshop on our YouTube playlist.
PRESENTATIONS
CHANGING THE GAME THROUGH GLOBAL COLLABORATION
Jon Baker, Speaker
Join Jon Baker, Director and Co-Founder of the Center for Threat-Informed Defense, as he outlines what threat-informed defense is and how, working through a collaborative R&D model built on the ATT&CK framework, together we are changing the game on the adversary through global collaboration.
ATT&CKING THE OPERATOR: DISRUPTING THE RANSOMWARE PARADIGM SHIFT
Speaker: Nick Lowe
Senior Director, Intelligence Services, Recorded Future
The frequency and severity of criminally motivated cyber attacks continue to surge as adversaries accelerate their operational tempo. As the barriers to entry for ransomware operators continue to lower, criminal adversaries increasingly favor extortion over encryption, and their reliance on malware diminishes. With more and more ransomware intrusions involving no ransomware binary, defenders face a paradigm shift that necessitates a new approach to ransomware mitigation.
Learn how defenders can leverage the MITRE ATT&CK Enterprise framework to focus defensive efforts on understanding and frustrating the human on the other side of the keyboard, stopping criminal adversaries in their tracks by proactively hunting operator behaviors rather than malware.
HOW TO CONDUCT THREAT HUNTS WITHOUT A THREAT HUNT TEAM
Speaker: Jeremy Ang
Senior Threat Intelligence Analyst, ICE
In recent years, the cost and impact of security breaches have been increasing while, conversely, adversary breakout time has been decreasing. To address emerging cyber threats, organizations have started to adopt a more proactive approach to cyber defense: enter threat hunting. This talk covers the people, process, and tools applied in an internal threat hunt initiative. By leveraging the MITRE ATT&CK framework, we share some quick wins that organizations with or without a threat hunting program can immediately implement within their environment.
PURPLE TEAMING WITH ATTACK FLOW
Speaker: Denise Tan
Red Team Analyst, Citi
Explore a new way of conducting purple teaming by incorporating MITRE CTID’s Attack Flow into your methodology. Shift from looking at TTPs in siloed test cases to looking at TTPs from an attack flow perspective. By examining gaps in the flow, defenders are better equipped to decide which parts of the attack campaign to prioritize their resources on, efficiently improving the organization’s security posture. The presentation showcases a sample attack flow based on an example purple team exercise that emulates a certain APT group.
M3ASURING THE THREAT: UNDERSTANDING AND IMPROVING DETECTION COVERAGE USING MITRE ATT&CK
Speaker: Raymond Schippers
Engineering Director – Threat Detection and Response, Canva
Speaker: Jasmina Zito
Cyber Threat Intelligence Lead, Canva
Raymond and his team have been exploring how to leverage ATT&CK to enable cyber threat intelligence that can drive threat detection coverage priorities. By using ATT&CK as a common language between various teams, they can measure their detection coverage, prioritize threat detection, and enhance reporting to the business. This approach has proven to be very effective in improving the measurability and performance of threat detection.
THE MAGIC OF CROSS PLATFORM THREAT DETECTION
Speaker: Till Jager
Collective Cyber Defense Customer Advocate, SOC Prime
Learn how the new open-source language for collective cyber defense, “RootA”, accelerates threat detection engineering in the light of threat-informed defense, and how it complements existing approaches like Sigma.
EVOLVING THREATS: KEEPING UP WITH THE CHAMELEONS
Speaker: Ye Yint Min Thu Htut
Offensive Security Specialist, DBS Bank
Adversary tactics, techniques, and procedures (TTPs) are constantly evolving. Simply validating and preventing previously known techniques, based on past campaigns, might not be comprehensive. Identifying and tracking potential variant techniques has become essential, enabling us to go beyond covering known techniques. However, identifying and tracking these variant techniques at a granular level presents challenges. This presentation discussed potential solutions and shared approaches to addressing these challenges.
[Provided for reference only. Shared Content Not Available]
SELECTIVE SIMULATION: TAILORING ATT&CK TECHNIQUES TO YOUR THREAT LANDSCAPE
Speaker: Guillaume Brodar
Cyber Threat Intelligence Lead, DBS Bank
The ATT&CK dataset provides an extensive list of TTPs that can be used to simulate the behavior of Threat Actors within a controlled environment and validate their associated preventive and detective measures.
This presentation argued that the number of TTPs present in the ATT&CK corpus, and the number of their technical implementations, is too large to be covered efficiently and that there is thus a need for prioritization. It then introduced a scoring method that classifies threat actors according to their intent and capabilities. This scoring serves as a basis to evaluate and rank the importance of each TTP deployed by the threat actors most likely to affect our organization.
The resulting classification is a list of TTPs that need to be prioritized by both Red and Blue Teams. A gap analysis of each side’s capacities will drive purple teaming efforts on an iterative basis.
[Provided for reference only. Shared Content Not Available]
MITRE ATT&CK® ROADMAP
Speaker: Amy Robertson
ATT&CK Engagement Lead, MITRE
Join Amy Robertson, ATT&CK Engagement Lead, as she outlines the 2024 ATT&CK Roadmap to bolster broader usability and enhance actionable defensive measures for practitioners across every domain.
OPERATIONALIZING A DEDICATED CYBER ANALYTICS ENGINE (CAE) FOR ADVANCING ARTIFICIAL INTELLIGENCE THREAT-INFORMED DEFENSE
Speaker: Neo Lam
Partner, Cyber Detect & Response, Deloitte
AI-based methods can address the shortcomings of rule-based detection methods and make threat detection more robust and reliable. This presentation will share an example of training and operationalizing a dedicated artificial intelligence (AI) model and a Cyber Analytics Engine (CAE) for threat detection, which improves detection and response. To advance threat-informed defense, the model is trained to present a confidence level and probability for each TTP detection. The use of AI models could reduce the risk from the known TTPs within the MITRE ATT&CK framework as well as from unknown ones.
[Provided for reference only. Shared Content Not Available]
GPT-POWERED MITRE ATT&CK COPILOT
Speaker: Steve Ng
Co-Founder and CEO, SporeX
This workshop explores the integration of Generative Pre-trained Transformer (GPT) technologies with the ATT&CK framework, highlighting its potential to transform cybersecurity defense mechanisms, threat intelligence analysis, and incident response strategies. As cyber threats become increasingly sophisticated, leveraging advanced technologies like GPT to enhance the MITRE frameworks, such as ATT&CK for Enterprise, Mobile, and ICS, can significantly augment an organization’s ability to understand, predict, and mitigate cyber threats. The integration of AI and machine learning offers new opportunities for automating threat intelligence, enhancing decision-making processes, and developing more resilient cybersecurity postures.
ATT&CK SIMULATION – DEMOCRATIZING THE RED TEAM TOOLKIT FOR ALL DEFENDERS
Speaker: Mitch Ryan
Security Solutions Architect, Splunk
In an era of constantly evolving cyber threats, it’s crucial to stay ahead of adversaries. Join Mitch as we explore how the blue team can use open-source toolkits that leverage MITRE ATT&CK to build a threat-informed defense.
Attack simulation democratizes the red-team process, giving all blue team defenders the ability to think like an attacker by applying simulated attacks to purpose-built infrastructure. This builds organizational intelligence that helps understand, detect, and defend against contemporary attacks.
Learn how to use open-source tools to simulate attacks, train your teams, learn security techniques, and apply an assume-breach mindset, in the safety of a purpose-built isolated environment.
FURTHER POWERING UP ATT&CK POWERED SUIT WITH GENAI
Speaker: Toshitaka Satomi
Cyber Threat Intelligence Researcher, Fujitsu
ATT&CK Powered Suit (APS) is a browser extension designed for rapid access to and utilization of the MITRE ATT&CK Knowledge Base. Join the tool’s initial developer, Toshitaka, as he begins by outlining the current status and functionalities of APS, highlighting its significance in the cybersecurity landscape. After sharing the development journey of APS, Toshitaka details the challenges encountered, the strategic decisions made, and the unique insights gained from the perspective of its creators.
Toshitaka implemented the integration with OpenAI in the latest APS version and used the tool to validate whether his hypothesis was correct. Through this practice, he explains the practical applications of these capabilities, addresses the challenges they face, and provides recommendations for overcoming these obstacles.
Finally, Toshitaka explains the big picture of APS and AI, as well as future research challenges.
APPLYING THREAT-INFORMED APPROACH FOR FIT-FOR-PURPOSE CYBERSECURITY TARGET MATURITY SETTING FOR ORGANISATIONS
Speaker: Ray Zhou
Lead Cyber Security Consultant, Ensign Infosecurity
Senior executives are challenged with limited budgets, talent shortages, and increasing expectations from their organization’s stakeholders to do more for cybersecurity in the wake of recent high-profile cybersecurity incidents. The common question for these executives, who are accountable and responsible for cybersecurity, is: where to begin?
UPDATES FROM THE CENTER FOR THREAT-INFORMED DEFENSE
Speaker: Suneel Sundar
Director, Research and Development, Center for Threat-Informed Defense
The Center for Threat-Informed Defense released five new projects in the first quarter of 2024, and this momentum will carry through the calendar year. You can use the Center’s latest research to advance your understanding of insider threats, make data-driven decisions about your defenses, search and explore a rich corpus of security capabilities mapped to MITRE ATT&CK®, and measure your threat-informed defense. Join Suneel Sundar, Center Director, Research & Development, as he outlines the Center’s 2024 Roadmap.
SPONSORS
The Asia-Pacific Community Workshop was brought to you by the Center for Threat-Informed Defense and hosted by Citi Group, a Center for Threat-Informed Defense Research Partner, with the generous support of the following Sponsors & Supporters.