Cat Self
ATT&CK for mac/Linux Lead
@coolestcatiknow
Lunch with a sprinkle of ATT&CK
The story of MacOS & Linux’s second comeback
©2022 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for public release. Distribution unlimited 21-00706-28.
Cat Self
• Former Artist
• Military Intelligence Veteran
• Red Teamer, Threat Hunter @Target
• Lead macOS & Linux ATT&CK @MITRE
Why ATT&CK for macOS & Linux
What is different about macOS?
• Built in hardware security (Notarization)
• Opt-in Programs (Gatekeeper, Sandbox)
• Mic drop hardware changes
• Local Admin for everyone!
What is different about Linux?
• Not built for the everyday user (terminal)
• FroYo Flavor Distros
• Open-source community driven
• Infrastructure versus endpoint
• IOT, cloud, or Linux???
What do they have in common?
• Reporting is sparse
• Linux reporting is often highly sensitive (servers)
• Focus on vulnerabilities versus the actor’s keyboard commands
What does “done” look like?
Done is better than perfect
Hindsight 2021
Our Goal
Be a “goto” resource for macOS & Linux
Our Metrics
• At least 232 out of 385 sub-techniques reviewed
• Edited 52+ (updates, citations, new techniques)
ATT&CK in the Wild - Kerberos
ATT&CK in the Wild – Hidden Users
Spring 2022
Fall 2021
ATT&CK in the Wild – Hidden Users
Detections
Some Lessons Learned
If I want to go fast, I’ll go by myself. If I want to go far, we’ll go together. ~African Proverb
Slack ATT&CK
#Att&ckingQuestions Mondays
• #linux_attack
• #macOS_attack
macOS & Linux Initiative Roadmap
• April 25th Release: Complete macOS
• October 2022: Complete Linux Enterprise
Better Together
https://attack.mitre.org
attack@mitre.org
@mitreattack
Cat Self
@coolestcatiknow