// Learning module · Black Hat USA 2019
MITRE ATT&CK: The Play at Home Edition
A page-by-page walkthrough of Katie Nickels (MITRE) and Ryan Kovar's (Splunk) talk on operationalizing MITRE ATT&CK — a fictional brewery, an Iranian threat group, and a complete intel → detect → emulate loop.
// Dramatis personae
The Frothly cast
Doesn't know if the company is defended.
Can't operationalize non-IOC intel.
Drowning in low-fidelity alerts.
No shared language with blue.
// Page-by-page
The full 50-page walkthrough
- Page01Cover
MITRE ATT&CK: The Play at Home Edition
Presented by Katie Nickels (MITRE) and Ryan Kovar (Splunk).
Framed as "America's all time favorite model" — a Battleship-style intro: for 2 players, average playtime 20 minutes, objective: sink all of your opponent's ships.
Sample technique reference: T1100.
TakeawayATT&CK is a game two roles play together — a threat intel analyst and a defender.
- Page02Legal
Forward-Looking Statements
Standard Splunk disclaimer: statements reflect current expectations; actual results may differ; roadmap is directional and not contractual.
Splunk trademarks acknowledged; © 2019 The MITRE Corporation. Approved for public release, distribution unlimited (19-01159-11).
- Page03System Owner/User Discovery (T1033)
Meet Katie Nickels (@LiketheCoins)
ATT&CK Threat Intelligence Lead at MITRE (@MITREattack).
SANS Instructor for FOR578: Cyber Threat Intelligence.
10+ years of experience in threat intel and network defense.
Program Manager for Cyberjutsu Girls Academy.
Baker of chocolate things · CrossFitter · Oxford comma believer.
T1033 - Page04System Owner/User Discovery (T1033)
Meet Ryan Kovar (@meansec)
Principal Security Strategist at Splunk. MSc (Dist) Information Security.
Minister of OODAlooping at Splunk.
US/UK DoD/PubSec Nation State Hunting roles.
Enough white in beard to speak authoritatively.
Co-Creator of Boss of the SOC CTF. Hates printers and trilobites.
T1033 - Page05Tooling note
We use Splunk — but you don't have to
The methods are portable. Splunk is the demo lens, not the requirement.
Any SIEM, EDR or log-search tool can be aligned to ATT&CK the same way.
TakeawayATT&CK is a framework, not a product.
- Page06Agenda
Three moves
♟ Let's tell a story.
♟ Oops, now I see where we went wrong.
♟ Pass go, collect 200 TTPs.
- Page07The core question
You've heard of ATT&CK… but how do you actually use it?
Rendered as a Snakes & Ladders board full of technique IDs — the gap between knowing ATT&CK exists and playing it well.
TakeawayAwareness ≠ operationalization. This talk is about closing that gap.
- Page08Setup
We want to tell you a story…
A fictional company, four fictional characters, one very real workflow.
- Page09The company
Frothly — Premium Quality craft brewery
Four employees are about to have a very bad week. Meet them in the next slides.
- Page10Character 1
Grace Hoppy — CEO
"I don't really know how we are defended and it makes me uncomfortable."
The business owner asking whether the security program actually works.
- Page11Character 2
Mallory Kraeusen — Threat Intel
"If it's not an IP, how do I use it?"
Trapped in the world of atomic indicators, unsure how to translate threat reports into defender action.
- Page12Character 3
Alice Bluebird — Network Defender
"I'm drowning in meaningless alerts and my data isn't helping me!"
Alert fatigue and low-fidelity signals are burying the real threats.
- Page13Character 4
Kevin Lagerfield — Red Team
"I'm not sure how I can help."
A red teamer without a shared language to align his emulation with the blue team's detection work.
- Page14Inciting incident
BREAKING NEWS — Beer tanker threatened
Fictional headline on breakyourownnews.com: the "SS Hops and Ale" is threatened; hops prices plummet as consumers consider "Frosé all day" options.
Geopolitical event sparks executive concern.
- Page15The CEO email
"Iranians in my HOPS!" — from Grace
Grace (CEO) emails Mallory (threat intel) at 8:47 PM.
"I turned on HOPSNN and found out there is cyberwarfare! Hops prices are affected. I have a board meeting this week and I KNOW this is going to come up. I need you to find out how this will impact us and if they are going to come after us next and how we are defended."
TakeawayClassic executive ask: are we defended against the threat in the news?
- Page16Extract the ask
The real question inside the email
Highlighted line: "I need you to find out how this will impact us…. are we defended?"
Mallory's job now is to translate a headline into a defensible answer.
- Page17Enter ATT&CK
How does Mallory find info on Iranian groups… and can ATT&CK help?
Framed as a Guess Who? board — narrow the field of adversaries by their observable attributes.
- Page18Discovery
Google → MITRE ATT&CK Groups page
Search: "Iranian threat groups".
Top result: attack.mitre.org/groups/ — MuddyWater is an Iranian threat group that has primarily targeted Middle Eastern nations and also European and North American nations, mainly in telecommunications, government (IT services), and oil sectors.
Related groups listed: APT28, APT1, APT3, Threat Group-1314.
TakeawayATT&CK Groups is a curated, open, threat-actor knowledge base.
- Page19The catalog
Groups (ATT&CK)
A large table of tracked adversary groups with names, aliases and short descriptions — MuddyWater, OilRig, APT33, APT34, and dozens more.
- Page20Navigating attack.mitre.org
Site structure
Top-level nav: Matrices · Tactics · Techniques · Mitigations · Groups · Software · Resources · Blog · Contribute · Search.
Everything cross-links: a group page → techniques → mitigations → data sources.
- Page21Focusing in
OilRig?
Mallory zeroes in on OilRig — an Iranian threat group with public reporting relevant to Frothly's concern.
- Page22Group lookup
Groups → OilRig
Navigate the Groups section on attack.mitre.org to open the OilRig entry.
- Page23Group directory
The Groups list
Sidebar of tracked groups: admin@338, APT1, APT12, APT16, APT17, APT18, APT19, and many more — the encyclopedic breadth of ATT&CK's adversary tracking.
- Page24Group page — OilRig
OilRig — Techniques Used
Group page lists every technique OilRig has been observed using, with sourced references.
Example citation: Wilhoit, K. and Falcone, R. (2018, September 12). "OilRig Uses Updated BONDUPDATER to Target Middle Eastern Government."
TakeawayEvery technique on a group page is backed by public reporting.
- Page25Group page — continued
OilRig — full technique inventory
Continued list of OilRig techniques with reference footnotes.
This inventory is the input to the next step: mapping to your own defensive coverage.
- Page26Zooming out
ATT&CK Matrix for Enterprise — but what's this ATT&CK thing?
The Enterprise matrix shows all tactics across the top and techniques as columns underneath.
Setup for the pivot: define ATT&CK itself before continuing.
- Page27Definition break
Matrix?
Prompt: understand what a matrix is before consuming it.
Tactics = the adversary's goal (why). Techniques = how they achieve it. The matrix crosses the two.
- Page28Definition (continued)
ATT&CK Matrix for Enterprise — anatomy
Columns = tactics (Initial Access → Execution → Persistence → Privilege Escalation → Defense Evasion → Credential Access → Discovery → Lateral Movement → Collection → Command and Control → Exfiltration → Impact).
Cells = techniques under each tactic.
- Page29Answering Grace
Mallory replies to Grace
Wed 7/24/2019 6:39 PM. Mallory summarises: Iranian groups exist, OilRig is a likely-relevant actor, and there is a public catalog of the techniques they use.
The reply reframes the CEO's question into something defenders can actually act on.
- Page30Reply — continued
"Grace, here's what we found"
Mallory forwards the OilRig technique list to Alice (network defender) as the next step.
This is the intel-to-defender handoff.
- Page31Handoff to defense
OilRig Indicators — email to Alice
Today, 9:54 PM. Mallory to Alice: link to https://attack.mitre.org/groups/G0049/ (OilRig).
Notice: no IPs, no hashes — a link to techniques.
TakeawayThe pivot from indicators to techniques starts with the group page URL.
- Page32Same content
Alice receives the OilRig link
Alice now has a URL representing an adversary's playbook — the input to detection engineering.
- Page33Alice's first reaction
Alice replies to Mallory
From: Alice Bluebird <abluebird@froth.ly>. Sent: Wed 2019-07-24 10:34 PM.
Alice checks her SIEM for the atomic indicators she's used to — IPs, hashes, domains — from the OilRig page.
Signature: "Alice, Network Defender Extraordinaire."
- Page34The revelation
"No hits… but what do we do now? What are these techniques?"
Alice searched for the traditional IOCs — nothing hit.
Now she has to figure out how to detect the *techniques* the group uses, not just the atomic artifacts.
TakeawayIOCs decay in days. Techniques persist for years.
- Page35The mental model shift
How does Alice stop hoarding indicators and start detecting techniques?
Illustrated as Hungry Hungry Hippos — every defender snapping at atomic marbles is doomed to lose.
- Page36Technique catalog
Zoom into OilRig's technique list
Grid view of the specific techniques attributed to OilRig — the shortlist Alice will work through.
- Page37First technique in scope
T1057 — Process Discovery
Adversaries may attempt to get information about running processes on a system.
Data Sources: Process monitoring, Process command-line parameters.
CAPEC ID: CAPEC-573. ATT&CK Version: 1.0.
T1057TakeawayEvery technique page names the data sources you need to detect it.
- Page38Same page — continued
T1057 — practical detection anchors
Look for the process discovery commands themselves (tasklist, ps, Get-Process, wmic process).
Alert on unusual users or unusual parents running them.
T1057 - Page39Building a detection
Correlation Search: "Threat Activity Detected"
Search Name: Threat Activity Detected. App: Enterprise Security. Mode: Manual.
Search: `index=* (source="*WinEventLog:Security" OR EventCode=4688) Tasklist.exe`
Uses Windows Security event 4688 (process creation) to flag tasklist.exe.
T1057TakeawayOne technique → one narrow, high-signal SIEM search.
- Page40Guided mode variant
Same search, guided builder
Identical logic wired through the Splunk ES Guided mode form: same data source, same match, no manual SPL.
T1057 - Page41The scale problem
"41 techniques" — the loop that follows
Signature = 0
OilRigTechniques = 41
while Signature < OilRigTechniques:
print("Write or find more signatures")
Signature += 1
Alice can't stop at Process Discovery — she has 40 more to go.
Signature = 0 OilRigTechniques = 41 while Signature < OilRigTechniques: print("Write or find more signatures") Signature += 1TakeawayDetection engineering against a real actor is a repetitive, long-game effort.
- Page42Coverage claim
"We're good to go against OilRig, our #1 threat!"
Alice publishes a full coverage matrix for OilRig's techniques.
Hat-tip to Kyle Rainey and Red Canary for the mapping approach.
TakeawayCoverage without validation is a claim, not proof.
- Page43Bringing in red
How does Kevin test existing detections?
Illustrated as the Sorry! board — coverage on paper is not coverage in reality.
The red teamer's job: prove or disprove the blue team's claims.
- Page44The validation tool
Atomic Red Team
An open-source library of small, technique-scoped tests aligned to ATT&CK.
Each atomic is a runnable snippet that safely exercises one technique so blue can watch for the signal.
TakeawayAtomic Red Team lets Kevin fire one technique at a time and prove detection works.
- Page45Atomic test — T1057
T1057 Process Discovery — the atomic
Description mirrors ATT&CK.
Executor: sh. Payload:
ps >> #{output_file}
ps aux >> #{output_file}
Kevin runs the atomic on a target host; Alice's search should fire.
ps >> #{output_file} ps aux >> #{output_file}T1057 - Page46Windows equivalent
`tasklist` output on the target
Kevin runs `C:\> tasklist` — a large table of processes streams back (Image Name, PID, Session Name, Session#, Mem Usage).
This is the exact behavior the Windows 4688 detection is looking for.
T1057 - Page47The SIEM answers back
Notable event: "Threat Activity Detected"
Row in the Splunk ES notable event view — 8/4/19 · Critical · Endpoint · Threat Activity Detected · New · Risk Score 0.
Alice's correlation search fired on Kevin's atomic.
T1057TakeawayDetection validated end-to-end: red action → blue alert.
- Page48Result
Attacks detected!
The workflow closes the loop: intel identifies the actor → technique lookup → detection built → red team validates → blue team gets the alert.
- Page49This is fine
"We did all the things. This is fine. Everything is fine."
Four characters standing calmly in front of a fire — the classic "this is fine" meme.
Foreshadowing: coverage is never done. New techniques, new groups, new gaps.
- Page50Cliffhanger
More trouble in paradise… and then…
A line of black dominoes tipping over.
The scenario sets up the next chapter of the talk (beyond the 50-page extraction limit): what happens when the next incident lands and the framework is stress-tested.
// Course debrief
Six things to walk away with
- ATT&CK is the shared vocabulary between intel, blue and red.
- Group pages translate news headlines into a concrete technique inventory.
- Detections should be built against techniques, not just atomic indicators.
- Data sources on each technique page tell you exactly what telemetry to collect.
- Coverage without validation is a claim — Atomic Red Team turns it into proof.
- The workflow is a loop: intel → detect → emulate → measure → iterate.
