Thursday, January 30, 2025
10:00 AM - 4:30 PM (EST)
Atlanta, GA - Workshop: Educational Challenge: Threat Hunting using MITRE ATT&CK™ TTPs to Identify Adversarial Behaviors

When: Thursday, January 30th, 2025
Where: Curiosity Labs
Address: 147 Technology Pkwy, Peachtree Corners, GA 30092

Workshop Description:

In today's cybersecurity landscape, many breaches go undetected by traditional security measures that hunt for threats purely on the basis of IOCs such as hashes, IPs and domains. To address this challenge effectively, organizations need to adopt a proactive approach: hunting for threats based on the Tactics, Techniques and Procedures (TTPs) that threat actors use. TTPs are a more reliable way to identify adversary behavior because indicators such as hashes, IPs and domains are easy to change. In this workshop, participants learn how to use Fortinet analytics products to hunt for threats using TTPs.

Participants will assume the role of a security analyst and be asked to identify any undetected threats on AcmeCorp's network. To do this they will make use of MITRE ATT&CK™, which is a knowledge base of adversary behavior based on real-world observations.

The challenge is set up as several exercises, each organized around a technical goal the adversary is trying to achieve (an ATT&CK™ Tactic), for example Initial Access, Persistence, Privilege Escalation and Command and Control. Participants will be asked to detect any techniques an adversary is using to achieve these goals.

In this Fast Track, attendees will gain hands-on experience developing and understanding the analytics needed to discover the techniques used by adversaries during a cybersecurity breach.

Participants who attend this workshop will:

  • Engage in an educational challenge in which participants assume the role of a security analyst and are asked to identify any undetected threats on AcmeCorp's network.
  • To do this, participants will make use of MITRE ATT&CK™, a knowledge base of adversarial behavior based on real-world observations.
  • ATT&CK™ allows analysts to hunt for patterns of behavior rather than artifacts such as hashes, IPs, or domains. Why is this important? According to 'The Pyramid of Pain' by David Bianco, while it is very easy for attackers to change these artifacts, it is much harder for them to change their Tactics, Techniques, and Procedures (TTPs). Therefore, TTPs are a more reliable way of identifying adversary behavior.
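The following is an added illustration of the Pyramid of Pain argument above; it is not workshop material and is not tied to any Fortinet product. It runs two kinds of hunt over a handful of constructed process-creation events: an IOC hunt that matches known file hashes, and a TTP hunt that matches behaviors mapped to ATT&CK™ technique IDs (an Office application spawning a command interpreter, a hidden or encoded PowerShell launch, a scheduled task created from a shell). The hashes, hostnames, paths and command lines are all made up; `recompile_sample` stands in for an attacker rebuilding their tooling so that the hash changes while the behavior does not.

```python
"""IOC matching versus behaviour (TTP) matching over constructed telemetry.

Added example, not part of the workshop. All event data below is invented.
"""
import re
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class ProcEvent:
    """Minimal process-creation record, like a Sysmon EID 1 / EDR event."""
    host: str
    parent_image: str
    image: str
    cmdline: str
    sha256: str  # placeholder digests, not real hashes


# Constructed sample telemetry (not real data).
EVENTS = [
    ProcEvent("ws01", r"C:\Program Files\Microsoft Office\WINWORD.EXE",
              r"C:\Windows\System32\cmd.exe",
              "cmd.exe /c powershell -enc QUJD", "aaaa1111"),
    ProcEvent("ws02", r"C:\Program Files\Microsoft Office\EXCEL.EXE",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell -nop -w hidden -enc QUJD", "bbbb2222"),
    ProcEvent("ws03", r"C:\Windows\explorer.exe",
              r"C:\Windows\System32\notepad.exe",
              "notepad.exe notes.txt", "cccc3333"),
    ProcEvent("srv01", r"C:\Windows\System32\cmd.exe",
              r"C:\Windows\System32\schtasks.exe",
              r"schtasks /create /tn Updater /tr C:\Users\Public\u.exe /sc minute",
              "dddd4444"),
]

# The bottom of the pyramid: one hash the SOC happens to know already.
IOC_HASHES = {"aaaa1111"}


def ioc_hits(events):
    """Hash-based hunt: only events whose digest is on the blocklist."""
    return [e for e in events if e.sha256 in IOC_HASHES]


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
INTERPRETERS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe"}
SUSPICIOUS_PS_FLAGS = re.compile(r"-(enc|encodedcommand|nop)\b|-w\s+hidden", re.I)

# Top of the pyramid: behaviours, each tagged with the ATT&CK technique it
# maps to. The rules key on process lineage and command-line shape, so a
# rebuilt binary with a fresh hash still trips them.
RULES = [
    ("T1566.001/T1059", "Office application spawned a command interpreter",
     lambda e: basename(e.parent_image) in OFFICE_APPS
     and basename(e.image) in INTERPRETERS),
    ("T1059.001", "PowerShell launched hidden or with encoded command",
     lambda e: basename(e.image) == "powershell.exe"
     and SUSPICIOUS_PS_FLAGS.search(e.cmdline) is not None),
    ("T1053.005", "Scheduled task created from a shell",
     lambda e: basename(e.image) == "schtasks.exe"
     and "/create" in e.cmdline.lower()),
]


def ttp_hits(events):
    """Behaviour-based hunt: (technique, description, event) for every rule match."""
    return [(tid, desc, e) for e in events for tid, desc, check in RULES if check(e)]


def recompile_sample(events):
    """Simulate the adversary rebuilding their tooling: same behaviour, new hashes."""
    return [replace(e, sha256=e.sha256[::-1]) for e in events]


if __name__ == "__main__":
    print("IOC hits :", [e.host for e in ioc_hits(EVENTS)])
    for tid, desc, e in ttp_hits(EVENTS):
        print(f"TTP hit  : {e.host:6} {tid:18} {desc}")
    rebuilt = recompile_sample(EVENTS)
    print("After rebuild -> IOC hits:", len(ioc_hits(rebuilt)),
          "| TTP hits:", len(ttp_hits(rebuilt)))
```

Running it shows the point of the Pyramid of Pain in miniature: the hash blocklist catches one event and nothing after the tooling is rebuilt, while the three behaviour rules catch the same three hosts before and after, because process lineage and command-line shape are what the adversary's procedure actually requires.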

Agenda:

10:00 - 10:30 am – Check In

10:30 - 11:30 am – Theory

11:30 - 12:00 pm – Lab Begins

12:00 - 1:00 pm – Lunch (this will be a working lunch; however, participants are welcome to take breaks as needed)

1:00 - 3:00 pm – Lab Completion

3:00 - 4:30 pm – Happy Hour & Networking

Reminder: Please bring a laptop to participate in this Fast Track.