[Invite Only] - Workshop: Mapping Incidents to ATT&CK

October 18, 2022
Virtual Event

About this event

With so many possible threats, it can seem daunting to learn from our own previous incidents, or from incidents experienced by other organisations. When threat intelligence is focused on indicators of compromise (IOCs), it is hard to know how to collect all of that information and put it to good use. The thing is, IOCs are not everything: they are ephemeral. They have a shelf life, and in some cases that shelf life is very short. A defence plan that concentrates on ingesting and blocking IOCs therefore does little to mature a detect-and-respond capability, because the adversary's behaviour survives long after any one hash, domain or IP address has been rotated. Describing that behaviour is the gap MITRE ATT&CK was developed to fill.

“MITRE ATT&CK® is a globally-accessible knowledge base of adversary tactics and techniques based on real-world observations. The ATT&CK knowledge base is used as a foundation for the development of specific threat models and methodologies in the private sector, in government, and in the cybersecurity product and service community.”

This workshop will walk through the anatomy of an incident: first mapping each stage of the incident to the ATT&CK tactics and techniques involved, then developing the detection and mitigation strategies most relevant to that particular threat type.

You'll walk away with:

  • How the MITRE ATT&CK matrix can be used to catalogue threat actor activities during an incident.
  • How we can develop detection and mitigation strategies based on the techniques identified.
  • How to use the ATT&CK Navigator to visualise those techniques and the detection coverage against them.
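The following script is an added illustration of the workflow the workshop covers, not material from the event itself. It takes a constructed incident timeline whose observations have already been mapped by an analyst to Enterprise ATT&CK technique IDs, counts how often each technique was seen, compares that against a constructed list of techniques the SOC already detects, and emits an ATT&CK Navigator layer (JSON) in which each technique is scored by observation count and coloured by whether a detection exists. The technique IDs and names are the well-known Enterprise ATT&CK entries; the `versions` numbers in the layer and the incident details are assumptions made for the example.

```python
"""Build an ATT&CK Navigator layer from a mapped incident timeline (added example)."""
import json
from collections import Counter, defaultdict

# Constructed incident timeline (not a real incident). Each observation has been
# mapped by the analyst to the ATT&CK technique used and the tactic it served here.
INCIDENT_TIMELINE = [
    {"when": "2022-10-03T08:12Z", "technique": "T1566", "tactic": "initial-access",
     "observed": "User opened macro-enabled attachment from an external sender"},
    {"when": "2022-10-03T08:13Z", "technique": "T1059", "tactic": "execution",
     "observed": "winword.exe spawned powershell.exe with an encoded command"},
    {"when": "2022-10-03T09:40Z", "technique": "T1053", "tactic": "persistence",
     "observed": "Scheduled task 'Updater' created under the user's context"},
    {"when": "2022-10-03T11:05Z", "technique": "T1003", "tactic": "credential-access",
     "observed": "LSASS process memory read by an unsigned binary"},
    {"when": "2022-10-04T02:17Z", "technique": "T1021", "tactic": "lateral-movement",
     "observed": "Domain admin account used for RDP to the file server"},
    {"when": "2022-10-04T02:50Z", "technique": "T1021", "tactic": "lateral-movement",
     "observed": "Second RDP hop from the file server to the backup server"},
    {"when": "2022-10-04T03:30Z", "technique": "T1486", "tactic": "impact",
     "observed": "Files on network shares renamed with a .locked extension"},
]

# Constructed record of techniques the SOC already has detection logic for.
EXISTING_DETECTIONS = {"T1566", "T1059"}

# Well-known Enterprise ATT&CK technique names, for readable comments in the layer.
TECHNIQUE_NAMES = {
    "T1566": "Phishing", "T1059": "Command and Scripting Interpreter",
    "T1053": "Scheduled Task/Job", "T1003": "OS Credential Dumping",
    "T1021": "Remote Services", "T1486": "Data Encrypted for Impact",
}


def technique_counts(timeline):
    """How many times each technique was observed during the incident."""
    return Counter(event["technique"] for event in timeline)


def tactics_by_technique(timeline):
    """Map each technique to the sorted set of tactics it served in this incident."""
    seen = defaultdict(set)
    for event in timeline:
        seen[event["technique"]].add(event["tactic"])
    return {tid: sorted(tactics) for tid, tactics in sorted(seen.items())}


def detection_gaps(timeline, existing_detections):
    """Techniques observed in the incident that have no detection in place yet."""
    return sorted(technique_counts(timeline).keys() - set(existing_detections))


def build_navigator_layer(timeline, existing_detections, name="Incident review"):
    """Produce a Navigator layer dict: score = observation count, colour = coverage."""
    counts = technique_counts(timeline)
    techniques = []
    for tid, tactics in tactics_by_technique(timeline).items():
        covered = tid in existing_detections
        for tactic in tactics:  # one layer entry per technique/tactic pair
            techniques.append({
                "techniqueID": tid,
                "tactic": tactic,
                "score": counts[tid],
                "color": "#66b266" if covered else "#ff6666",
                "comment": f"{TECHNIQUE_NAMES.get(tid, tid)}: {counts[tid]} observation(s); "
                           f"detection {'in place' if covered else 'MISSING'}",
                "enabled": True,
                "showSubtechniques": False,
            })
    return {
        "name": name,
        # Assumed version fields; adjust to the Navigator/ATT&CK versions you run.
        "versions": {"attack": "12", "navigator": "4.8.0", "layer": "4.4"},
        "domain": "enterprise-attack",
        "description": "Techniques observed during the incident, scored by frequency; "
                       "red entries have no detection yet.",
        "techniques": techniques,
        "gradient": {"colors": ["#ffffff", "#ff6666"], "minValue": 0,
                     "maxValue": max(counts.values())},
        "legendItems": [{"label": "Detection exists", "color": "#66b266"},
                        {"label": "Detection gap", "color": "#ff6666"}],
    }


if __name__ == "__main__":
    layer = build_navigator_layer(INCIDENT_TIMELINE, EXISTING_DETECTIONS,
                                  name="Constructed ransomware incident")
    print(json.dumps(layer, indent=2))
    print("Detection gaps to prioritise:", detection_gaps(INCIDENT_TIMELINE, EXISTING_DETECTIONS))
```

Save the printed JSON to a file and open it in the ATT&CK Navigator via "Open Existing Layer" to see the incident overlaid on the matrix. The point of scoring by observation count and colouring by coverage is that the same layer doubles as a prioritised backlog: the red, high-score cells (here T1021 Remote Services, used twice for lateral movement) are the first techniques to write detections for.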

Technical level: low.

Aimed at people new to detection engineering, threat intelligence analysts, SOC analysts, etc.