ATT&CK’ing it wrong - how to use ATT&CK effectively at an NZ scale
ATT&CK’ing it wrong is a primer on how to use ATT&CK effectively at an NZ scale. MITRE’s ATT&CK is the new framework that vendors, service providers and the industry writ large is coalescing around; but unless you drive it correctly you’re not going to get much value out of it.
- State of CTI in NZ (nascent) (vendor led)
- What ATT&CK is
- What ATT&CK isn’t (or shouldn’t be used for):
- Common pitfalls
- Mitigating against all the things
- Car Crash analogy
- How to operationalize ATT&CK data for common use cases:
- TTP coverage mapping
- Product Evaluations (Presales)
- Threat Actor mapping
- Report Writing (Blue + Red)
- “Adversary emulation” + Purple Teaming
- “Advanced” use cases:
Professional Abyss Gazer, Prince of Darkness™ & Disaster Tourist (IR Lead) – Hamish has been privileged enough to have run and worked on some large and complex DFIR engagements across APAC, seeing the absolute worst of the worst on the “how bad could it be” scale.