Back to resources

// Learning module · Black Hat USA 2019

MITRE ATT&CK: The Play at Home Edition

A page-by-page walkthrough of Katie Nickels (MITRE) and Ryan Kovar's (Splunk) talk on operationalizing MITRE ATT&CK — a fictional brewery, an Iranian threat group, and a complete intel → detect → emulate loop.

50 pages~45 min readIntermediateOriginal slides

// Dramatis personae

The Frothly cast

Grace HoppyCEO

Doesn't know if the company is defended.

Mallory KraeusenThreat Intel

Can't operationalize non-IOC intel.

Alice BluebirdNetwork Defender

Drowning in low-fidelity alerts.

Kevin LagerfieldRed Team

No shared language with blue.

// Page-by-page

The full 50-page walkthrough

  1. Page
    01
    Cover

    MITRE ATT&CK: The Play at Home Edition

    Presented by Katie Nickels (MITRE) and Ryan Kovar (Splunk).

    Framed as "America's all time favorite model" — a Battleship-style intro: for 2 players, average playtime 20 minutes, objective: sink all of your opponent's ships.

    Sample technique reference: T1100.

    Takeaway

    ATT&CK is a game two roles play together — a threat intel analyst and a defender.

  2. Page
    02
    Legal

    Forward-Looking Statements

    Standard Splunk disclaimer: statements reflect current expectations; actual results may differ; roadmap is directional and not contractual.

    Splunk trademarks acknowledged; © 2019 The MITRE Corporation. Approved for public release, distribution unlimited (19-01159-11).

  3. Page
    03
    System Owner/User Discovery (T1033)

    Meet Katie Nickels (@LiketheCoins)

    ATT&CK Threat Intelligence Lead at MITRE (@MITREattack).

    SANS Instructor for FOR578: Cyber Threat Intelligence.

    10+ years of experience in threat intel and network defense.

    Program Manager for Cyberjutsu Girls Academy.

    Baker of chocolate things · CrossFitter · Oxford comma believer.

    T1033
  4. Page
    04
    System Owner/User Discovery (T1033)

    Meet Ryan Kovar (@meansec)

    Principal Security Strategist at Splunk. MSc (Dist) Information Security.

    Minister of OODAlooping at Splunk.

    US/UK DoD/PubSec Nation State Hunting roles.

    Enough white in beard to speak authoritatively.

    Co-Creator of Boss of the SOC CTF. Hates printers and trilobites.

    T1033
  5. Page
    05
    Tooling note

    We use Splunk — but you don't have to

    The methods are portable. Splunk is the demo lens, not the requirement.

    Any SIEM, EDR or log-search tool can be aligned to ATT&CK the same way.

    Takeaway

    ATT&CK is a framework, not a product.

  6. Page
    06
    Agenda

    Three moves

    ♟ Let's tell a story.

    ♟ Oops, now I see where we went wrong.

    ♟ Pass go, collect 200 TTPs.

  7. Page
    07
    The core question

    You've heard of ATT&CK… but how do you actually use it?

    Rendered as a Snakes & Ladders board full of technique IDs — the gap between knowing ATT&CK exists and playing it well.

    Takeaway

    Awareness ≠ operationalization. This talk is about closing that gap.

  8. Page
    08
    Setup

    We want to tell you a story…

    A fictional company, four fictional characters, one very real workflow.

  9. Page
    09
    The company

    Frothly — Premium Quality craft brewery

    Four employees are about to have a very bad week. Meet them in the next slides.

  10. Page
    10
    Character 1

    Grace Hoppy — CEO

    "I don't really know how we are defended and it makes me uncomfortable."

    The business owner asking whether the security program actually works.

  11. Page
    11
    Character 2

    Mallory Kraeusen — Threat Intel

    "If it's not an IP, how do I use it?"

    Trapped in the world of atomic indicators, unsure how to translate threat reports into defender action.

  12. Page
    12
    Character 3

    Alice Bluebird — Network Defender

    "I'm drowning in meaningless alerts and my data isn't helping me!"

    Alert fatigue and low-fidelity signals are burying the real threats.

  13. Page
    13
    Character 4

    Kevin Lagerfield — Red Team

    "I'm not sure how I can help."

    A red teamer without a shared language to align his emulation with the blue team's detection work.

  14. Page
    14
    Inciting incident

    BREAKING NEWS — Beer tanker threatened

    Fictional headline on breakyourownnews.com: the "SS Hops and Ale" is threatened; hops prices plummet as consumers consider "Frosé all day" options.

    Geopolitical event sparks executive concern.

  15. Page
    15
    The CEO email

    "Iranians in my HOPS!" — from Grace

    Grace (CEO) emails Mallory (threat intel) at 8:47 PM.

    "I turned on HOPSNN and found out there is cyberwarfare! Hops prices are affected. I have a board meeting this week and I KNOW this is going to come up. I need you to find out how this will impact us and if they are going to come after us next and how we are defended."

    Takeaway

    Classic executive ask: are we defended against the threat in the news?

  16. Page
    16
    Extract the ask

    The real question inside the email

    Highlighted line: "I need you to find out how this will impact us…. are we defended?"

    Mallory's job now is to translate a headline into a defensible answer.

  17. Page
    17
    Enter ATT&CK

    How does Mallory find info on Iranian groups… and can ATT&CK help?

    Framed as a Guess Who? board — narrow the field of adversaries by their observable attributes.

  18. Page
    18
    Discovery

    Google → MITRE ATT&CK Groups page

    Search: "Iranian threat groups".

    Top result: attack.mitre.org/groups/ — MuddyWater is an Iranian threat group that has primarily targeted Middle Eastern nations and also European and North American nations, mainly in telecommunications, government (IT services), and oil sectors.

    Related groups listed: APT28, APT1, APT3, Threat Group-1314.

    Takeaway

    ATT&CK Groups is a curated, open, threat-actor knowledge base.

  19. Page
    19
    The catalog

    Groups (ATT&CK)

    A large table of tracked adversary groups with names, aliases and short descriptions — MuddyWater, OilRig, APT33, APT34, and dozens more.

  20. Page
    20
    Navigating attack.mitre.org

    Site structure

    Top-level nav: Matrices · Tactics · Techniques · Mitigations · Groups · Software · Resources · Blog · Contribute · Search.

    Everything cross-links: a group page → techniques → mitigations → data sources.

  21. Page
    21
    Focusing in

    OilRig?

    Mallory zeroes in on OilRig — an Iranian threat group with public reporting relevant to Frothly's concern.

  22. Page
    22
    Group lookup

    Groups → OilRig

    Navigate the Groups section on attack.mitre.org to open the OilRig entry.

  23. Page
    23
    Group directory

    The Groups list

    Sidebar of tracked groups: admin@338, APT1, APT12, APT16, APT17, APT18, APT19, and many more — the encyclopedic breadth of ATT&CK's adversary tracking.

  24. Page
    24
    Group page — OilRig

    OilRig — Techniques Used

    Group page lists every technique OilRig has been observed using, with sourced references.

    Example citation: Wilhoit, K. and Falcone, R. (2018, September 12). "OilRig Uses Updated BONDUPDATER to Target Middle Eastern Government."

    Takeaway

    Every technique on a group page is backed by public reporting.

  25. Page
    25
    Group page — continued

    OilRig — full technique inventory

    Continued list of OilRig techniques with reference footnotes.

    This inventory is the input to the next step: mapping to your own defensive coverage.

  26. Page
    26
    Zooming out

    ATT&CK Matrix for Enterprise — but what's this ATT&CK thing?

    The Enterprise matrix shows all tactics across the top and techniques as columns underneath.

    Setup for the pivot: define ATT&CK itself before continuing.

  27. Page
    27
    Definition break

    Matrix?

    Prompt: understand what a matrix is before consuming it.

    Tactics = the adversary's goal (why). Techniques = how they achieve it. The matrix crosses the two.

  28. Page
    28
    Definition (continued)

    ATT&CK Matrix for Enterprise — anatomy

    Columns = tactics (Initial Access → Execution → Persistence → Privilege Escalation → Defense Evasion → Credential Access → Discovery → Lateral Movement → Collection → Command and Control → Exfiltration → Impact).

    Cells = techniques under each tactic.

  29. Page
    29
    Answering Grace

    Mallory replies to Grace

    Wed 7/24/2019 6:39 PM. Mallory summarises: Iranian groups exist, OilRig is a likely-relevant actor, and there is a public catalog of the techniques they use.

    The reply reframes the CEO's question into something defenders can actually act on.

  30. Page
    30
    Reply — continued

    "Grace, here's what we found"

    Mallory forwards the OilRig technique list to Alice (network defender) as the next step.

    This is the intel-to-defender handoff.

  31. Page
    31
    Handoff to defense

    OilRig Indicators — email to Alice

    Today, 9:54 PM. Mallory to Alice: link to https://attack.mitre.org/groups/G0049/ (OilRig).

    Notice: no IPs, no hashes — a link to techniques.

    Takeaway

    The pivot from indicators to techniques starts with the group page URL.

  32. Page
    32
    Same content

    Alice receives the OilRig link

    Alice now has a URL representing an adversary's playbook — the input to detection engineering.

  33. Page
    33
    Alice's first reaction

    Alice replies to Mallory

    From: Alice Bluebird <abluebird@froth.ly>. Sent: Wed 2019-07-24 10:34 PM.

    Alice checks her SIEM for the atomic indicators she's used to — IPs, hashes, domains — from the OilRig page.

    Signature: "Alice, Network Defender Extraordinaire."

  34. Page
    34
    The revelation

    "No hits… but what do we do now? What are these techniques?"

    Alice searched for the traditional IOCs — nothing hit.

    Now she has to figure out how to detect the *techniques* the group uses, not just the atomic artifacts.

    Takeaway

    IOCs decay in days. Techniques persist for years.

  35. Page
    35
    The mental model shift

    How does Alice stop hoarding indicators and start detecting techniques?

    Illustrated as Hungry Hungry Hippos — every defender snapping at atomic marbles is doomed to lose.

  36. Page
    36
    Technique catalog

    Zoom into OilRig's technique list

    Grid view of the specific techniques attributed to OilRig — the shortlist Alice will work through.

  37. Page
    37
    First technique in scope

    T1057 — Process Discovery

    Adversaries may attempt to get information about running processes on a system.

    Data Sources: Process monitoring, Process command-line parameters.

    CAPEC ID: CAPEC-573. ATT&CK Version: 1.0.

    T1057
    Takeaway

    Every technique page names the data sources you need to detect it.

  38. Page
    38
    Same page — continued

    T1057 — practical detection anchors

    Look for the process discovery commands themselves (tasklist, ps, Get-Process, wmic process).

    Alert on unusual users or unusual parents running them.

    T1057
  39. Page
    39
    Building a detection

    Correlation Search: "Threat Activity Detected"

    Search Name: Threat Activity Detected. App: Enterprise Security. Mode: Manual.

    Search: `index=* (source="*WinEventLog:Security" OR EventCode=4688) Tasklist.exe`

    Uses Windows Security event 4688 (process creation) to flag tasklist.exe.

    T1057
    Takeaway

    One technique → one narrow, high-signal SIEM search.

  40. Page
    40
    Guided mode variant

    Same search, guided builder

    Identical logic wired through the Splunk ES Guided mode form: same data source, same match, no manual SPL.

    T1057
  41. Page
    41
    The scale problem

    "41 techniques" — the loop that follows

    Signature = 0

    OilRigTechniques = 41

    while Signature < OilRigTechniques:

    print("Write or find more signatures")

    Signature += 1

    Alice can't stop at Process Discovery — she has 40 more to go.

    Signature = 0
    OilRigTechniques = 41
    while Signature < OilRigTechniques:
        print("Write or find more signatures")
        Signature += 1
    Takeaway

    Detection engineering against a real actor is a repetitive, long-game effort.

  42. Page
    42
    Coverage claim

    "We're good to go against OilRig, our #1 threat!"

    Alice publishes a full coverage matrix for OilRig's techniques.

    Hat-tip to Kyle Rainey and Red Canary for the mapping approach.

    Takeaway

    Coverage without validation is a claim, not proof.

  43. Page
    43
    Bringing in red

    How does Kevin test existing detections?

    Illustrated as the Sorry! board — coverage on paper is not coverage in reality.

    The red teamer's job: prove or disprove the blue team's claims.

  44. Page
    44
    The validation tool

    Atomic Red Team

    An open-source library of small, technique-scoped tests aligned to ATT&CK.

    Each atomic is a runnable snippet that safely exercises one technique so blue can watch for the signal.

    Takeaway

    Atomic Red Team lets Kevin fire one technique at a time and prove detection works.

  45. Page
    45
    Atomic test — T1057

    T1057 Process Discovery — the atomic

    Description mirrors ATT&CK.

    Executor: sh. Payload:

    ps >> #{output_file}

    ps aux >> #{output_file}

    Kevin runs the atomic on a target host; Alice's search should fire.

    ps >> #{output_file}
    ps aux >> #{output_file}
    T1057
  46. Page
    46
    Windows equivalent

    `tasklist` output on the target

    Kevin runs `C:\> tasklist` — a large table of processes streams back (Image Name, PID, Session Name, Session#, Mem Usage).

    This is the exact behavior the Windows 4688 detection is looking for.

    T1057
  47. Page
    47
    The SIEM answers back

    Notable event: "Threat Activity Detected"

    Row in the Splunk ES notable event view — 8/4/19 · Critical · Endpoint · Threat Activity Detected · New · Risk Score 0.

    Alice's correlation search fired on Kevin's atomic.

    T1057
    Takeaway

    Detection validated end-to-end: red action → blue alert.

  48. Page
    48
    Result

    Attacks detected!

    The workflow closes the loop: intel identifies the actor → technique lookup → detection built → red team validates → blue team gets the alert.

  49. Page
    49
    This is fine

    "We did all the things. This is fine. Everything is fine."

    Four characters standing calmly in front of a fire — the classic "this is fine" meme.

    Foreshadowing: coverage is never done. New techniques, new groups, new gaps.

  50. Page
    50
    Cliffhanger

    More trouble in paradise… and then…

    A line of black dominoes tipping over.

    The scenario sets up the next chapter of the talk (beyond the 50-page extraction limit): what happens when the next incident lands and the framework is stress-tested.

// Course debrief

Six things to walk away with

  • ATT&CK is the shared vocabulary between intel, blue and red.
  • Group pages translate news headlines into a concrete technique inventory.
  • Detections should be built against techniques, not just atomic indicators.
  • Data sources on each technique page tell you exactly what telemetry to collect.
  • Coverage without validation is a claim — Atomic Red Team turns it into proof.
  • The workflow is a loop: intel → detect → emulate → measure → iterate.
Note: This module covers the 50 pages extracted from the source deck. The original talk continues past the cliffhanger on page 50 — see the linked PDF for the full sequel.