## Diamond & ATT&CK Models: Why? Why Not?
---
## Diamond & ATT&CK Models
BLUF: Let's envision the perfect tool for Diamond Model analysis. Is ATT&CK helpful? Is it necessary?
---
## Who am I? Why care?
I'm now kind of a security dev, recovering DevSecOps impersonator. I'm passionate about security transparency, data, and open standards.
- Off hours: [github.com/xee5ch](https://github.com/xeech)
---
## Problem 1: Stop Hacks?
- Some attack, some defend.
- How to minimize attack, improve defense?
- Share info about attacks?
- Share info about defense?
- So, we share data? Not hard!
---
## Problem 2: Share Data?
- Attackers and defenders are heterogeneous.
- True for the systems attacking, defending, or analyzing either:
- Multiple cultures, societies.
- Multiple technologies, infrastructures.
- So, we share data? Not hard!
---
## First Half of the Solution: ATT&CK
- Developed by [MITRE](https://attack.mitre.org/)
- Why? Per [the source](https://medium.com/mitre-attack/att-ck-101-17074d3bc62), to standardize how we describe:
- Adversary behaviors
- Lifecycle models that actually fit (existing ones were too high-level)
- Real-world applicability
- **Common ontology and taxonomy**
---
## First Half of the Solution: ATT&CK
<img src="https://616c.net/dl/uagli0922.jpg"/>
- Michael K in [LinkedIn post from September 18, 2022](https://www.linkedin.com/posts/activity-6977273291547774976-b_jY?utm_source=share&utm_medium=member_desktop)
---
## Second Half of the Solution: Diamond Model
"An event, E, is formally defined as a labeled n-tuple where each element of the tuple is knowledge of a feature combined with an independent confidence value." - Betz, Caltagirone, Pendergast
---
## Second Half of the Solution: Diamond Model
<img src="https://616c.net/dl/dmgd13.png"/>
---
## How Do They Connect? Neo4J!
It's time for Neo4J!!!
---
## How Do They Connect? Neo4J!
Neo4J Crash Course, skip to 22:56 for query examples
<iframe width="853" height="480" src="https://www.youtube.com/embed/8jNPelugC2s?t=1376" title="Neo4j (Graph Database) Crash Course" frameborder="0" allow="accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture" allowfullscreen></iframe>
---
## How Do They Connect? Neo4J!
- Union the datasets in one graph and query arbitrarily across the four Diamond vertices:
- Adversary
- Victim
- Infrastructure
- Capability
---
## Diamond Queries, ATT&CK Tuples
- ATT&CK gives us tons of labels for tuples
- Events: [Tactics](https://attack.mitre.org/tactics/enterprise/), [Mitigations](https://attack.mitre.org/mitigations/)
- Adversaries: [Groups](https://attack.mitre.org/groups/)
- Capabilities: [Techniques](https://attack.mitre.org/techniques/enterprise/)
- Infrastructure: [Data Sources](https://attack.mitre.org/datasources/), [Software](https://attack.mitre.org/software/)
- Any label ontology works:
- ATT&CK is wanted, not needed
- Without it, we maybe reinvent wheels
---
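## Diamond Queries, ATT&CK Tuples
An added example, not from the original deck and not MITRE's or Neo4j's code, covering both the Neo4j "union and query" slide and the tuple-labeling slide above: one Diamond event stored as a labeled n-tuple where each feature edge carries its own confidence, with ATT&CK identifiers as the capability and tactic labels, followed by the classic infrastructure-to-adversary pivot. Node labels, property names, the adversary, victim, infrastructure values and the event id are constructed for illustration; T1566.001 (Spearphishing Attachment) and TA0001 (Initial Access) are real ATT&CK identifiers.

```cypher
// Added example: one Diamond event stored as a labeled n-tuple in Neo4j.
// Labels (Adversary, Capability, Infrastructure, Victim, Tactic, Event),
// property names and every value except the ATT&CK IDs are assumptions.
MERGE (a:Adversary {name: "unattributed-cluster-1"})          // constructed, not an ATT&CK Group
MERGE (c:Capability {attack_id: "T1566.001", name: "Spearphishing Attachment"})
MERGE (t:Tactic {attack_id: "TA0001", name: "Initial Access"})
MERGE (i:Infrastructure {value: "mail.example.net", kind: "sender-domain"})  // constructed
MERGE (v:Victim {name: "example-org", sector: "manufacturing"})              // constructed
MERGE (c)-[:IN_TACTIC]->(t)
// The event is the tuple; each feature edge carries its own independent confidence.
CREATE (e:Event {id: "evt-0001", observed: datetime("2022-09-18T12:00:00Z")})
CREATE (e)-[:HAS_ADVERSARY      {confidence: 0.4}]->(a)
CREATE (e)-[:HAS_CAPABILITY     {confidence: 0.9}]->(c)
CREATE (e)-[:HAS_INFRASTRUCTURE {confidence: 0.8}]->(i)
CREATE (e)-[:HAS_VICTIM         {confidence: 1.0}]->(v);

// Diamond pivot: from one piece of infrastructure to every adversary seen using it,
// with the capability's tactic and the weakest confidence on the path.
MATCH (i:Infrastructure {value: "mail.example.net"})
      <-[ri:HAS_INFRASTRUCTURE]-(e:Event)-[ra:HAS_ADVERSARY]->(a:Adversary)
MATCH (e)-[:HAS_CAPABILITY]->(c:Capability)-[:IN_TACTIC]->(t:Tactic)
RETURN a.name      AS adversary,
       c.attack_id AS technique,
       t.name      AS tactic,
       CASE WHEN ri.confidence < ra.confidence THEN ri.confidence ELSE ra.confidence END AS confidence
ORDER BY confidence DESC;
```

Two statements, separated by the semicolon, as run through cypher-shell. Note that the pivot query never inspects the ATT&CK ID itself: swapping ATT&CK for another label ontology changes property values, not the graph schema, which is the "wanted, not needed" point in practice.
---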
## Sounds Great! Why Can't We Have It?
- Hard for a variety of reasons:
- Balkanization of data
- Economics of information
- Not complete coverage (I wrote papers on hacktivists, I know!)
- Market inefficiencies
- Inequity between parties
---
## Sounds Great! Why Can't We Have It?
- Hard for a variety of reasons:
- Lack of information sharing
- [Congressional Cyberspace Solarium Commission](https://ccti-tracker.pavak.org/) agrees
- [DHS OIG](https://www.oig.dhs.gov/sites/default/files/assets/2022-08/OIG-22-59-Aug22.pdf) agrees
- Industry people casually confirm this:
---
## Sounds Great! Why Can't We Have It?
"Generally speaking, most Threat Intel feeds are productized by vendors. Takes a lot of work to curate them. Hard to justify giving that work away." - [Shawn Wells, CrowdStrike, LinkedIn post in September 2022](https://www.linkedin.com/posts/alexanderjstein_tweets-by-mitreattack-activity-6970946627062677504-6Sqd?utm_source=share&utm_medium=member_desktop)
---