Analyzing Targeted Intrusions Through the ATT&CK Framework Lens [VIDEO]

The security community is quickly adopting the MITRE ATT&CK framework as a standard way to categorize adversary intrusion behavior. However, one of its potential limitations is a lack of historical intrusion data with enough detail to enable development of accurate and thorough threat modeling. The Crowdstrike® Falcon® OverWatch™ threat hunting team can help.

OverWatch regularly analyzes adversary behavior – and the level of detail in our malicious, targeted intrusion dataset is remarkable because of the valuable and extensive telemetry delivered by the Falcon endpoint protection platform, which OverWatch uses for threat hunting. As a result, we have accumulated  a massive, rich data library of malicious activity that can be applied to the ATT&CK model.

The Falcon OverWatch team has been evaluating all OverWatch targeted intrusion data through the lens of the ATT&CK framework since Jan. 1, 2018. As a senior strategic intrusion analyst for OverWatch, I recently presented at the MITRE ATT&CK Con event.  

In this video of my presentation, I share findings from the first half of the year, highlighting cases of unique adversary tactics, techniques and procedures (TTPs) the team observed. The results of this analysis provide a baseline from which we can better identify changes in threat actor TTP trends moving forward. Our results also deliver threat models that can more effectively compare TTPs among various adversary groups. This type of analysis clearly demonstrates the role CrowdStrike plays as a thought leader in understanding adversary behavior.

Additional Resources

Related Content