Tracking attackers. Why attribution matters and how to do it

Yet again it is time for another edition of Sacred Cash Cow Tipping! Or, “Why do these endpoint security bypass techniques still work? Why?” The goal of this is to share just some of the ways Black Hills Information Security bypassed endpoint security in 2018. Unfortunately, these webcasts still seem to be needed because there is a prevalent attitude that it is somehow possible to get endpoint security with full synergy and it will be bulletproof and under a single pane of glass. All with cyber threat intelligence and A.I. sprinkled in with a bit of EDR magic to stop all attacks.

If you’re keeping even half an eye on the InfoSec news cycle, you know how big of a problem phishing is. The annual Verizon data breach found again this year that phishing was the leading way for malware to enter networks, with the average company reporting that 94% of detected malware came in via email. Thirty-two percent of confirmed breaches started with phishing, again the most common tactic. It makes sense, then, that so much security awareness content out there is focused on this threat. Some vendors make their business on it almost completely, with this trend extending to the phishing simulator emerging as a key selling point for those in the security awareness business.

This attempt went on to ask why the sender wouldn’t pay an “invoice” attached to the email. Our IT staff later confirmed this attachment carried a ransomware payload. Like the confusing influx of different Oreo flavors in recent years (cotton candy Oreos, really?), the variety of phishing email attempts has blossomed. The “shock and awe” method described above is not a new tactic, though the use of vulgarity seems to be a relatively new variation. Fake shipping confirmations. Tax-related W-2 requests. Emails requesting password resets for social media accounts, online banking, you name it. These are just a few ways scammers use social engineering to bypass technological safeguards and compromise sensitive data.

The MITRE ATT&CK framework is quickly growing in popularity as an effective method to get on the offense of threat detection and response. In this webinar, presenters go beyond definitions and demonstrate how to apply the MITRE ATT&CK framework to your security monitoring. Paul Asadoorian and Matt Alderman of Security Weekly provide an overview of the MITRE ATT&CK framework, discuss how to prioritize the capabilities of the framework, and review some of the existing open source tools for testing/mapping to MITRE.