Time: 01:30 PM - 02:15 PM
We will present our project, the Atomic Threat Coverage framework (https://github.com/krakow2600/atomic-threat-coverage), which automatically generates actionable analytics designed to combat threats (based on the MITRE ATT&CK adversary model) from the Detection, Response, Mitigation and Simulation perspectives. In this way Atomic Threat Coverage acts as the core of a Security Operations Center, building an analytics database in which every entity is mapped to meaningful, actionable metrics: ready to use, ready to share, and ready to show to leadership, customers and colleagues.
There are plenty of decent projects that provide analytics (or functionality) with a specific focus (Sigma, Atomic Red Team, MITRE CAR). All of them share one weakness: they exist in the vacuum of their own area. In reality everything is tightly connected: the data behind alerts doesn't come from nowhere, and generated alerts don't go nowhere. Each function, i.e. data collection, security systems administration, threat detection, incident response etc., is part of one big and comprehensive process, implemented by multiple departments, which demands their close collaboration.
Sometimes the problems of one function can be solved by the methods of another function in a cheaper, simpler and more efficient way. Most tasks can't be solved by one function alone. Each function depends on the abilities and quality of the others. There is no efficient way to detect and respond to threats without proper data collection and enrichment. There is no efficient way to respond to threats without understanding which technologies, systems and measures can be used to block a specific threat. There is no reason to conduct a penetration test or Red Team exercise without understanding the ability of processes, systems and personnel to combat cyber threats. All of these require tight collaboration and mutual understanding between multiple departments.
In practice there are difficulties in collaboration due to:
- Absence of a common threat model/classification, and of common terminology and language to describe threats
- Absence of a shared understanding of common goals
- Absence of a simple and straightforward way to explain specific requirements
- Differences in competence level (in both depth and areas of expertise)
That's why we decided to create Atomic Threat Coverage, a project that connects different functions/processes under a unified Threat Centric methodology (Lockheed Martin Intelligence Driven Defense®, also known as MITRE Threat-based Security) and threat model (MITRE ATT&CK), and provides security teams with an efficient tool for collaboration on one main challenge: combating threats.
Daniil is responsible for Threat Detection in the Cindicator Security Operations Center (SOC) in Saint Petersburg, Russia. Before that he led the Threat Detection team at Tieto SOC in the Czech Republic. Daniil has spent more than six years in the Practical Computer Security and Network Monitoring domains. He holds OSCP, CCNP Security, GCFA and GNFA certifications. He has given talks at x33fcon, Positive Hack Days, Security BSides, CONFidence, Amsterdam FIRST Technical Colloquium, EU MITRE ATT&CK community workshops and Code Europe, presenting Intelligence-Driven Defence approach implementation and MITRE ATT&CK operationalization. Daniil is also a member of the GIAC Advisory Board and creator of the Atomic Threat Coverage project.
Mikhail leads the BI.ZONE Security Operations Center (SOC) Automation team in Moscow, Russia. Before that he was responsible for automated security assessment and governance. Mikhail has given talks at OWASP Russia, PHDays and Amsterdam FIRST Technical Colloquium, Positive Hack Days, speaking about implementation and MITRE ATT&CK operationalization and automated security assessment in large and highly distributed networks. He is also co-creator of the Atomic Threat Coverage project.