ATT&CKing the threat intel sharing problem

Robert Lipovsky, Peter Stancik/ESET

For a research-oriented cybersecurity company that regularly discloses detailed analyses of cyberattacks to clients and/or the public, the introduction of MITRE ATT&CK as a common language to describe adversary techniques and tactics was certainly welcome. We will begin the presentation by introducing how exactly and why we started using the ATT&CK knowledge base, providing examples of mappings in our research publications, as well as the role it plays in enhancing our EDR solutions.

We will then describe our experience with contributing to the knowledge base, highlighting both its strengths as well as its limitations. We will provide some tips for contributors on top of the official ATT&CK guidance.

The second part of the talk will also be example driven. Having played a key role in analyzing some of the most significant cyberattacks in history, we will walk through the most interesting tactics, techniques, and procedures from those attacks, mapping them to ATT&CK.

Specifically, we will analyze the TTPs of Sednit (aka APT28), the group reportedly responsible for the Democratic National Committee hack that affected the US 2016 elections, and Telebots (aka Sandworm), the group behind the first malware-driven electricity blackouts (BlackEnergy and Industroyer) and the most damaging cyberattack ever (NotPetya).

Finally, we will conclude with our analysis of the current threat landscape and trends, and highlight how we anticipate it will shape ATT&CK going forward.

November 7 at 11:20 - 11:40, Stage B

Robert Lipovsky is a Senior Malware Researcher for ESET, with 12 years’ experience in cybersecurity. He is responsible for threat intelligence and malware analysis and leads the Malware Research Team at ESET headquarters in Bratislava. He is a regular speaker at security conferences, including AVAR, RSAC, Black Hat USA, Virus Bulletin, and Hacktivity. He also teaches reverse engineering at the Slovak University of Technology – his alma mater, and at Comenius University. When not bound to a keyboard, he enjoys traveling, playing guitar and flying single-engine airplanes.

Peter Stancik is a Security Research Publication and Awareness Manager for ESET, with more than 10 years’ experience in cybersecurity. He leads an international team of security researchers and security awareness specialists. He has spoken at numerous conferences and has helped shape the majority of ESET’s research presentations ever since he joined ESET in 2011. His hobbies include photography, motorcycles and handicraft.