WEBVTT

00:00:03.760 --> 00:00:06.240
Welcome to the Azure Security Podcast, where

00:00:06.240 --> 00:00:08.759
we discuss topics relating to security, privacy,

00:00:09.039 --> 00:00:11.480
reliability, and compliance on the Microsoft

00:00:11.480 --> 00:00:16.140
Cloud Platform. Hey everybody, welcome to episode

00:00:16.140 --> 00:00:20.579
125. This week it's myself, Michael, and Mark.

00:00:21.000 --> 00:00:23.940
And our guest this week is Blake Strom, who's

00:00:23.940 --> 00:00:26.920
here to talk to us about MITRE ATT&CK. But before

00:00:26.920 --> 00:00:28.899
we get to our guest, why don't we take a little

00:00:28.899 --> 00:00:30.160
lap around the news. Mark, why don't you kick

00:00:30.160 --> 00:00:32.390
things off? A couple of different things I wanted

00:00:32.390 --> 00:00:35.770
to highlight. I've been working on this data

00:00:35.770 --> 00:00:38.750
security diagram to add to the Microsoft Cybersecurity

00:00:38.750 --> 00:00:42.969
Reference Architecture, or MCRA. And so I shared

00:00:42.969 --> 00:00:46.030
that out with the LinkedIn kind of socials world.

00:00:46.329 --> 00:00:49.070
So I'd love to get feedback on it, get your thoughts

00:00:49.070 --> 00:00:51.070
on it. And if it looks good or, hey, you forgot

00:00:51.070 --> 00:00:53.030
this or you didn't think about that, I'd love

00:00:53.030 --> 00:00:55.670
to get feedback on that. So that'll be going

00:00:55.670 --> 00:00:57.390
out in the next release, which does not have

00:00:57.390 --> 00:00:59.729
a date yet, but we'll leave it at soon. Now,

00:00:59.729 --> 00:01:00.770
there are a couple of things that sort of caught

00:01:00.770 --> 00:01:03.350
my eye is there was a great thing. It's like

00:01:03.350 --> 00:01:06.209
an eight or nine minute video on zero trust on

00:01:06.209 --> 00:01:09.390
Microsoft Mechanics. And it did a really good

00:01:09.390 --> 00:01:12.310
job, especially by Michael Magical. And it did

00:01:12.310 --> 00:01:13.969
a really good job of hovering sort of here's

00:01:13.969 --> 00:01:16.450
the theoretical concept, the architectural in

00:01:16.450 --> 00:01:18.689
a nice, quick, concise way. And then here's some

00:01:18.689 --> 00:01:20.750
technology and some demos. And here's how it

00:01:20.750 --> 00:01:23.579
actually becomes real. and kind of showing how

00:01:23.579 --> 00:01:26.760
that sort of concept of zero trust applies effectively

00:01:26.760 --> 00:01:31.799
to the new world of agents and AI and all that

00:01:31.799 --> 00:01:34.420
kind of stuff. So it's a really nice one to check

00:01:34.420 --> 00:01:37.840
out while worth it. And I also did an AI security

00:01:37.840 --> 00:01:40.180
talk, I don't know, sometime around a month or

00:01:40.180 --> 00:01:42.840
so ago, give or take. And so I released the slides

00:01:42.840 --> 00:01:44.939
for that. So I will pop a link in the news for

00:01:44.939 --> 00:01:46.920
that one so you can take advantage of that and

00:01:46.920 --> 00:01:48.579
sort of the way I'm thinking about that from

00:01:48.579 --> 00:01:52.079
an architecture strategy perspective. And I will

00:01:52.079 --> 00:01:55.200
be doing a fun talk in the not too distant future,

00:01:55.280 --> 00:01:58.180
besides in Tampa, on security as a team sport.

00:01:58.340 --> 00:02:00.620
But we're not playing like a team. So you can

00:02:00.620 --> 00:02:02.299
have a little bit of fun with that. Talk about

00:02:02.299 --> 00:02:04.180
roles, responsibilities, accountabilities, and

00:02:04.180 --> 00:02:06.420
some stuff for people to kind of manage their

00:02:06.420 --> 00:02:09.379
careers effectively and get more done as a team.

00:02:09.879 --> 00:02:13.009
So that's what I got. Back to you, Michael. All

00:02:13.009 --> 00:02:16.169
right, I've got a few items. First one for Azure

00:02:16.169 --> 00:02:20.430
Kubernetes Service, AKS, for node auto-provisioning

00:02:20.430 --> 00:02:24.669
now allows support for encryption host and disk

00:02:24.669 --> 00:02:27.789
encryption sets. I didn't even know that it didn't

00:02:27.789 --> 00:02:30.069
do this, but apparently it didn't do it, but

00:02:30.069 --> 00:02:33.469
now it does. Again, I do wish Sarah was here

00:02:33.469 --> 00:02:36.210
because this is her baby, AKS, but anyway, I'm

00:02:36.210 --> 00:02:39.449
covering it today. So yeah, so node auto-provisioning

00:02:39.449 --> 00:02:42.189
now supports encryption at host and disk encryption

00:02:42.189 --> 00:02:44.889
sets, and that is generally available. Next one

00:02:44.889 --> 00:02:47.330
in public preview, Azure Front Door Premium now

00:02:47.330 --> 00:02:51.210
supports Azure Private Link Origins in UAE North.

00:02:52.169 --> 00:02:55.330
So I want to spend just a couple of seconds on

00:02:55.330 --> 00:02:58.729
Azure Front Door. At Microsoft, we've been adding

00:02:58.729 --> 00:03:01.740
more front door support. in front of many services

00:03:01.740 --> 00:03:04.939
that you know and love within Azure to provide

00:03:04.939 --> 00:03:08.219
a very strong level of defense in front of these

00:03:08.219 --> 00:03:11.199
various services. If you have an application

00:03:11.199 --> 00:03:13.879
of your own that's at global scale, it's really

00:03:13.879 --> 00:03:16.219
worthwhile seriously considering Azure Front

00:03:16.219 --> 00:03:18.379
Door as literally the front door to your application

00:03:18.379 --> 00:03:20.759
because it provides so much benefit at a global

00:03:20.759 --> 00:03:23.340
scale. So that's in public preview, Azure Front

00:03:23.340 --> 00:03:26.659
Door Premium, and Azure Private Link in UAE North.

00:03:27.590 --> 00:03:30.090
Generally available, there is now support for

00:03:30.090 --> 00:03:33.030
AMD version 6 confidential VMs in more regions.

00:03:33.590 --> 00:03:35.430
I'm not going to rattle them all off, but a couple

00:03:35.430 --> 00:03:37.750
that come to mind are Canada Central, Norway

00:03:37.750 --> 00:03:41.449
East, France South, Australia East, and a few

00:03:41.449 --> 00:03:44.789
more. There will be more coming on stream as

00:03:44.789 --> 00:03:46.750
well, but this is great to see. Huge fan of confidential

00:03:46.750 --> 00:03:50.800
VMs, so it's great to see more coverage. Next,

00:03:50.879 --> 00:03:53.439
we have generally available the default rule

00:03:53.439 --> 00:03:57.060
set 2.2 in WAF for Azure Application Gateway.

00:03:57.400 --> 00:04:00.780
This is basically just an incremental improvement.

00:04:00.979 --> 00:04:05.520
It uses the OWASP core rule set 3.3.4 and allows

00:04:05.520 --> 00:04:08.340
protection from things like SQL injection, cross-site

00:04:08.340 --> 00:04:11.699
scripting, and so on and so forth. This

00:04:11.699 --> 00:04:14.409
actually... Again, it's just really a fine tuning

00:04:14.409 --> 00:04:18.490
of the current rule set. And it ships by default

00:04:18.490 --> 00:04:21.670
to what's called paranoia level number one, just

00:04:21.670 --> 00:04:24.410
to help reduce the chance that legitimate traffic

00:04:24.410 --> 00:04:26.649
is actually blocked. So look at that. It's good

00:04:26.649 --> 00:04:28.769
to see, nice to see just small improvements being

00:04:28.769 --> 00:04:30.649
made. Even small improvements can make a big

00:04:30.649 --> 00:04:35.180
difference over time. Still on the topic of WAF,

00:04:35.300 --> 00:04:38.699
Web Application Firewall, there's now Azure Application

00:04:38.699 --> 00:04:42.040
Gateway WAF Insights. This is now in preview.

00:04:42.980 --> 00:04:45.800
Essentially, it's just a better pane of glass

00:04:45.800 --> 00:04:49.420
looking at what is going on in the WAF when you're

00:04:49.420 --> 00:04:53.019
using it with Azure Application Gateway. And

00:04:53.019 --> 00:04:56.300
the last one is we now have in public preview

00:04:56.300 --> 00:04:58.759
some new security capabilities in Azure Monitor

00:04:58.759 --> 00:05:01.639
Pipeline. Most notably, and this is the one that

00:05:01.639 --> 00:05:04.709
I really sort of piqued my interest, was secure

00:05:04.709 --> 00:05:09.230
ingestion with TLS and mutual TLS. This is so

00:05:09.230 --> 00:05:11.209
important. It's incredibly important that you

00:05:11.209 --> 00:05:12.910
always authenticate both ends of a communication,

00:05:13.329 --> 00:05:15.509
whether that's a user, whether it's a process,

00:05:15.670 --> 00:05:17.170
whatever. It's so important that you actually

00:05:17.170 --> 00:05:20.050
authenticate both ends. So with mutual TLS, you're

00:05:20.050 --> 00:05:21.730
not just authenticating the server because normally

00:05:21.730 --> 00:05:24.449
TLS is used to do server authentication. But

00:05:24.449 --> 00:05:27.430
a lot of people don't realize that TLS can also

00:05:27.430 --> 00:05:29.910
do client authentication as well. And that's

00:05:29.910 --> 00:05:33.199
often referred to as mutual TLS. So now secure

00:05:33.199 --> 00:05:36.519
ingestion with Azure Monitor Pipelines now supports

00:05:36.519 --> 00:05:39.620
mutual TLS. So good to see. Great little roundup

00:05:39.620 --> 00:05:41.319
of sort of, you know, a big smattering of security

00:05:41.319 --> 00:05:43.620
improvements across the board. Always a good

00:05:43.620 --> 00:05:46.480
thing to see. All right. Now that we have the

00:05:46.480 --> 00:05:48.100
news out of the way, let's turn our attention

00:05:48.100 --> 00:05:52.040
to our guest. As I mentioned at the top, our

00:05:52.040 --> 00:05:54.439
guest this week is Blake Strom, who's here to

00:05:54.439 --> 00:05:57.779
talk to us about MITRE ATT&CK. Blake, welcome

00:05:57.779 --> 00:05:59.699
to the podcast. Would you like to take a moment

00:05:59.699 --> 00:06:02.139
and introduce yourself to our listeners? Yeah,

00:06:02.160 --> 00:06:05.579
thanks for having me. So I'm Blake Strom. I've

00:06:05.579 --> 00:06:10.060
been at Microsoft for almost six years now, mostly

00:06:10.060 --> 00:06:15.699
working in the XDR and SIEM cybersecurity research

00:06:15.699 --> 00:06:17.939
and development space, so building new capabilities

00:06:17.939 --> 00:06:22.500
and getting them to customers. So before I came

00:06:22.500 --> 00:06:24.879
to Microsoft, though, I was at MITRE for about

00:06:24.879 --> 00:06:28.199
seven years. Started the ATT&CK project, was

00:06:28.199 --> 00:06:30.040
working in a bunch of different areas related

00:06:30.040 --> 00:06:33.379
to ATT&CK at MITRE. And then my background before

00:06:33.379 --> 00:06:35.240
MITRE was actually at the National Security Agency.

00:06:35.399 --> 00:06:37.980
So I was there for about three years in cyber

00:06:37.980 --> 00:06:40.759
threat intel and defensive operations. To go

00:06:40.759 --> 00:06:42.399
into a little bit more detail, since a lot of

00:06:42.399 --> 00:06:46.220
people may not know. what MITRE is. So it's a

00:06:46.220 --> 00:06:50.360
nonprofit that was established back in 1958.

00:06:50.759 --> 00:06:52.600
So MITRE has been around for a very long time.

00:06:53.139 --> 00:06:57.019
But it's basically an organization that manages

00:06:57.019 --> 00:06:59.620
several federally funded research and development

00:06:59.620 --> 00:07:02.579
centers on behalf of the federal government.

00:07:02.800 --> 00:07:06.439
So these are entities that are set up for various

00:07:06.439 --> 00:07:09.209
reasons around the defensive sector. Homeland

00:07:09.209 --> 00:07:13.769
Security, several different other areas to basically

00:07:13.769 --> 00:07:16.209
focus research and developments in sort of an

00:07:16.209 --> 00:07:21.050
unbiased way that sort of a nonprofit is best

00:07:21.050 --> 00:07:23.730
suited for. So a lot of people recognize them,

00:07:23.769 --> 00:07:26.649
at least in the cybersecurity space, for CVE,

00:07:26.829 --> 00:07:29.209
Common Vulnerabilities and Exposures, CWE, Common

00:07:29.209 --> 00:07:32.269
Weakness Enumeration, STIX and TAXII. But

00:07:32.269 --> 00:07:35.649
they do a whole lot more actual developments

00:07:35.649 --> 00:07:38.779
and research on behalf of the governments. even

00:07:38.779 --> 00:07:42.300
to source selections of contracts across the

00:07:42.300 --> 00:07:45.540
defense industrial base. So they have quite a

00:07:45.540 --> 00:07:49.199
wide and expansive array of work that they do

00:07:49.199 --> 00:07:51.240
and capabilities across the federal government.

00:07:51.560 --> 00:07:53.839
So let's start with the basics because we've

00:07:53.839 --> 00:07:55.920
got a lot of listeners on our podcast, everyone

00:07:55.920 --> 00:07:58.560
from CISOs with lots of scars to people that

00:07:58.560 --> 00:08:00.220
are just entering the industry and trying to

00:08:00.220 --> 00:08:02.740
figure things out. Can you kind of baseline us

00:08:02.740 --> 00:08:06.600
on what is MITRE ATT&CK and kind of how did

00:08:06.600 --> 00:08:09.399
it come about? What was it intended for, if it

00:08:09.399 --> 00:08:12.000
was intended for anything? And just tell us the

00:08:12.000 --> 00:08:14.839
story of how this thing came to be and how it's

00:08:14.839 --> 00:08:18.939
evolved. Yeah, so ATT&CK as it is today is basically

00:08:18.939 --> 00:08:23.779
a knowledge base of cyber threat actor TTPs.

00:08:24.560 --> 00:08:28.310
And it's mostly focused on what... actors have

00:08:28.310 --> 00:08:31.009
actually been observed doing. So there's a big

00:08:31.009 --> 00:08:34.110
difference between what can be done and what

00:08:34.110 --> 00:08:36.750
is actually done. And I think that makes a really

00:08:36.750 --> 00:08:39.590
big difference when you talk about how to prioritize

00:08:39.590 --> 00:08:43.110
defenses against certain threats. Because you

00:08:43.110 --> 00:08:46.129
can go look at CVE or CWE and see a whole sort

00:08:46.129 --> 00:08:48.070
of enumeration of things that are possible, but

00:08:48.070 --> 00:08:50.549
they may not be things that attackers are actually

00:08:50.549 --> 00:08:54.789
using day to day. And a TTP is a tactic, technique,

00:08:54.909 --> 00:08:57.039
or procedure, correct? Correct. Yeah, attack

00:08:57.039 --> 00:09:02.200
techniques and procedures. And so the background

00:09:02.200 --> 00:09:05.740
of ATT&CK is kind of an interesting and long

00:09:05.740 --> 00:09:09.879
story. So there is quite a purpose behind how

00:09:09.879 --> 00:09:13.860
it was developed. So back in, I think it was

00:09:13.860 --> 00:09:18.700
2010, 2011, MITRE had started a research program

00:09:18.700 --> 00:09:22.200
under the premise that attackers will always

00:09:22.200 --> 00:09:27.179
find a way in. And so the typical process

00:09:27.179 --> 00:09:30.700
of discovering IOCs like malware, IPs, domains

00:09:30.700 --> 00:09:34.840
wasn't really working. And MITRE, being part

00:09:34.840 --> 00:09:37.220
of the defense industrial base working on behalf

00:09:37.220 --> 00:09:40.320
of the government, of course they often get targeted

00:09:40.320 --> 00:09:45.059
by, you know, advanced threat actors and very persistent

00:09:45.059 --> 00:09:47.960
threats. So they have sort of a vested interest

00:09:47.960 --> 00:09:50.000
in protecting themselves. But also, given MITRE's

00:09:50.000 --> 00:09:52.389
charter to work in the public interest on behalf

00:09:52.389 --> 00:09:55.250
of the government, they also took this as an

00:09:55.250 --> 00:09:57.570
opportunity to figure out, okay, so what else

00:09:57.570 --> 00:10:01.990
can we do beyond IOCs to defend ourselves and

00:10:01.990 --> 00:10:05.330
defend the customers? Yeah, and IOCs being indicators

00:10:05.330 --> 00:10:09.350
of compromise, right? Right, yep. Yeah, so in

00:10:09.350 --> 00:10:13.029
the red team, you talked about TTPs. So TTPs,

00:10:13.029 --> 00:10:15.149
whenever we're doing a readout of an operation

00:10:15.149 --> 00:10:18.289
that the red team has performed, we always enumerate.

00:10:18.570 --> 00:10:21.809
the TTPs, like what things we actually did to

00:10:21.809 --> 00:10:24.570
actually go along the breach path until we got

00:10:24.570 --> 00:10:27.710
to our final objective. And a big part of what

00:10:27.710 --> 00:10:30.230
I do is learning from those TTPs, like how did

00:10:30.230 --> 00:10:33.350
that particular TTP eventuate, like how did it

00:10:33.350 --> 00:10:36.409
happen? And more importantly, what can we do

00:10:36.409 --> 00:10:38.690
moving forward to reduce the chance that that

00:10:38.690 --> 00:10:42.980
particular TTP will be used? So this project

00:10:42.980 --> 00:10:46.399
was called FMX. It was called the Fort Meade

00:10:46.399 --> 00:10:49.279
experiment because of the MITRE location that

00:10:49.279 --> 00:10:52.460
it was being conducted in. But basically, they

00:10:52.460 --> 00:10:56.159
were trying to figure out ways of sensing an

00:10:56.159 --> 00:10:59.299
internal network to discover the behaviors of

00:10:59.299 --> 00:11:02.179
the actors rather than the IOCs that were being

00:11:02.179 --> 00:11:04.399
left behind. And this is sort of at the very

00:11:04.399 --> 00:11:07.320
early days of the evolution of EDR and sort of

00:11:07.320 --> 00:11:09.320
like process monitoring and behavioral monitoring

00:11:09.320 --> 00:11:13.330
on networks. So things like Sysmon had not been

00:11:13.330 --> 00:11:16.129
developed yet. Companies like CrowdStrike were

00:11:16.129 --> 00:11:20.370
still in their infancy. And so there was a lot

00:11:20.370 --> 00:11:23.669
of internal developments of tools. So a very Sysmon-like

00:12:23.669 --> 00:12:26.370
tool was developed to do process monitoring.

00:11:28.799 --> 00:11:32.340
We tried to use the most common host-based security

00:11:32.340 --> 00:11:35.059
systems at the time that were being used by our

00:11:35.059 --> 00:11:39.320
government sponsors. Was there something more

00:11:39.320 --> 00:11:41.919
that we can do and inform them to do with these

00:11:41.919 --> 00:11:45.019
systems? I think it was McAfee HBSS at the time.

00:11:45.629 --> 00:11:48.289
So we sensed this, or they set up this network

00:11:48.289 --> 00:11:51.889
to do the sensing and decided to do red team

00:11:51.889 --> 00:11:55.470
operations using some of the skills for the red

00:11:55.470 --> 00:11:58.629
team operators that were at the site from MITRE.

00:11:59.730 --> 00:12:02.620
So in a way it was like... trying to shift from,

00:12:02.659 --> 00:12:04.960
hey, we've got footprints of the last attack,

00:12:05.259 --> 00:12:07.100
look for guys with these footprints, which is

00:12:07.100 --> 00:12:10.220
kind of what an IOC is, to let's figure out their

00:12:10.220 --> 00:12:13.740
methods and the things that they do, their patterns

00:12:13.740 --> 00:12:16.039
over and over again kind of thing. Right. Yeah,

00:12:16.100 --> 00:12:18.960
that's a really good way to look at how the industry

00:12:18.960 --> 00:12:23.899
was starting to evolve at the time. And so I

00:12:23.899 --> 00:12:26.259
had actually joined MITRE at the beginning of

00:12:26.259 --> 00:12:29.659
2012. So this project had already started. And

00:12:29.659 --> 00:12:32.840
they had already done one sort of red team test

00:12:32.840 --> 00:12:35.200
where the red team sort of came up with their

00:12:35.200 --> 00:12:38.019
own plan, operated within this network, which

00:12:38.019 --> 00:12:41.259
was the actual MITRE environment. It was a live

00:12:41.259 --> 00:12:44.679
corporate network that we were allowed to operate

00:12:44.679 --> 00:12:47.740
in to sort of test the research hypothesis and

00:12:47.740 --> 00:12:52.100
ideas. And the blue team sort of came in and

00:12:52.100 --> 00:12:56.500
tried to discover the actions. And my first sort

00:12:56.500 --> 00:12:58.700
of assignment when I joined MITRE was, okay,

00:12:58.720 --> 00:13:01.240
try to figure out how to connect these two things

00:13:01.240 --> 00:13:04.240
together, like what the red team did and what

00:13:04.240 --> 00:13:07.940
the blue team found. And that was a very interesting

00:13:07.940 --> 00:13:10.100
process because one of the first things that

00:13:10.100 --> 00:13:12.600
I discovered was, hey, the red team isn't really

00:13:12.600 --> 00:13:16.480
using TTPs that are similar to known actors.

00:13:17.519 --> 00:13:20.340
And so that was, you know, in the reports, the

00:13:20.340 --> 00:13:23.539
very first version of this report was, you know,

00:13:23.799 --> 00:13:28.960
very device centric, trying to figure out exactly

00:13:28.960 --> 00:13:30.620
the right way to talk about what the red team

00:13:30.620 --> 00:13:33.519
did in sequence and how to relate that to the

00:13:33.519 --> 00:13:36.379
Splunk analytics and data that was being discovered

00:13:36.379 --> 00:13:38.740
by the blue team. It's fascinating to hear you

00:13:38.740 --> 00:13:41.100
say that because I've seen the same thing of

00:13:41.100 --> 00:13:44.279
like, it's such a different thought process of,

00:13:44.299 --> 00:13:47.429
you know, attacker and a red team side. versus

00:13:47.429 --> 00:13:50.970
the defenders frequently. And I know John Lambert

00:13:50.970 --> 00:13:54.649
has a famous quote around attackers think in

00:13:54.649 --> 00:13:57.830
graphs and defenders think in lists, right? And

00:13:57.830 --> 00:14:00.250
there's just so many other different elements

00:14:00.250 --> 00:14:03.049
to it of just that thought process of it's just

00:14:03.049 --> 00:14:05.629
a different set of objectives, right? As a defender,

00:14:05.769 --> 00:14:07.230
because there's a complexity in architecture

00:14:07.230 --> 00:14:09.309
and this and that, it often gets boiled down

00:14:09.309 --> 00:14:12.309
to just a checklist of compliance. And on the

00:14:12.309 --> 00:14:16.200
attacker side, it's just get the job done. Yeah,

00:14:16.240 --> 00:14:18.139
exactly. And it's really hard to bridge those

00:14:18.139 --> 00:14:21.120
two different mindsets. So I have two questions.

00:14:21.539 --> 00:14:25.139
The first question is, can you give us an overview

00:14:25.139 --> 00:14:28.059
of what actually is in MITRE ATT&CK? Like how

00:14:28.059 --> 00:14:30.320
it's broken up, what sort of data is in there?

00:14:30.620 --> 00:14:32.000
And the second one, which is really just the

00:14:32.000 --> 00:14:35.059
follow on, is if I was, you know, Jane or John

00:14:35.059 --> 00:14:39.080
security person in an organization, I mean, how

00:14:39.080 --> 00:14:43.289
would I use MITRE ATT&CK? Yeah, yeah. So at the

00:14:43.289 --> 00:14:46.190
top level, when you go to the ATT&CK website,

00:14:46.190 --> 00:14:49.269
you'll see basically what's considered the

00:14:49.269 --> 00:14:51.809
ATT&CK matrix. And so that's the organization

00:14:51.809 --> 00:14:56.919
of tactics, which are basically the purpose of

00:14:56.919 --> 00:14:59.700
an adversary sort of conducting a technique,

00:14:59.860 --> 00:15:03.100
so that spans reconnaissance, initial access,

00:15:03.539 --> 00:15:06.820
persistence, defense evasion, credential access,

00:15:06.960 --> 00:15:10.320
and it goes all the way to impact or exfiltration.

00:15:10.759 --> 00:15:14.600
And in each row within those tactics are the

00:15:14.600 --> 00:15:17.549
various techniques. And those tend to be high

00:15:17.549 --> 00:15:21.049
level or sort of medium term buckets for how

00:15:21.049 --> 00:15:24.409
to organize the sub techniques. And so those

00:15:24.409 --> 00:15:26.929
are very specific ways that an actor would perform

00:15:26.929 --> 00:15:30.990
a technique to accomplish a tactic. And so what

00:15:30.990 --> 00:15:33.870
this provides is basically a common language

00:15:33.870 --> 00:15:38.409
or lingua franca between what an attacker would

00:15:38.409 --> 00:15:40.690
do, why they would do it. And then when you drill

00:15:40.690 --> 00:15:43.509
into the technique or sub technique level, the

00:15:43.509 --> 00:15:46.500
very detailed information on. how they're doing

00:15:46.500 --> 00:15:49.620
it, down to the specific platforms that they

00:15:49.620 --> 00:15:52.019
would use these techniques against, what procedure

00:15:52.019 --> 00:15:54.980
examples for real threat actors that have done

00:15:54.980 --> 00:15:57.500
this and have been reported out in the wild,

00:15:57.559 --> 00:16:00.059
and then any mitigation or detection strategies

00:16:00.059 --> 00:16:05.679
that one could imply to actually employ to do

00:16:05.679 --> 00:16:08.580
some sort of detection or mitigation against

00:16:08.580 --> 00:16:11.240
those techniques. So you had this internal research,

00:16:11.460 --> 00:16:15.480
and then it became... a essentially not quite

00:16:15.480 --> 00:16:18.399
a standard, but kind of a, just a de facto standard

00:16:18.399 --> 00:16:20.940
that everyone refers to and uses. Yeah. I'd love

00:16:20.940 --> 00:16:24.559
to hear like, you know, how that journey kind

00:16:24.559 --> 00:16:26.399
of went. Was it something that was just like

00:16:26.399 --> 00:16:29.220
an instant hit? Was it something that y'all

00:16:29.220 --> 00:16:31.440
had to promote? I'm just kind of curious, you

00:16:31.440 --> 00:16:34.179
know, about that journey and, and, and how that,

00:16:34.200 --> 00:16:39.179
how that went. Yeah. So like many things, when

00:16:39.179 --> 00:16:41.940
they first get started, there's a lot of internal

00:16:41.940 --> 00:16:45.659
convincing. that this is something new and useful.

00:16:45.940 --> 00:16:48.659
So there was quite a bit of that in the early

00:16:48.659 --> 00:16:53.059
days within MITRE as we started to socialize

00:16:53.059 --> 00:16:56.480
it a bit. So a lot of people would sort of come

00:16:56.480 --> 00:16:57.879
out of the woodwork and say like, okay, this

00:16:57.879 --> 00:17:00.279
is already done in CWE. This is already sort

00:17:00.279 --> 00:17:02.840
of done in CVE. So we had to get really good

00:17:02.840 --> 00:17:05.140
about the story as to why we were doing these

00:17:05.140 --> 00:17:08.339
things. Really the big differentiator was sort

00:17:08.339 --> 00:17:10.460
of the attacker mindset that it was centered

00:17:10.460 --> 00:17:13.750
around. And the fact that we were focused on

00:17:13.750 --> 00:17:16.390
was this actually observes attacker activity.

00:17:16.809 --> 00:17:20.829
And so as it grew internally over time, as we

00:17:20.829 --> 00:17:24.549
were using ATT&CK for these red and blue team

00:17:24.549 --> 00:17:28.230
evaluations internally, I think it finally dawned

00:17:28.230 --> 00:17:30.789
on some of the research leaders and, of course,

00:17:30.849 --> 00:17:33.829
the CISO at the time within MITRE that this was

00:17:33.829 --> 00:17:36.769
something that was actually kind of unique and

00:17:36.769 --> 00:17:39.829
special and very much in line with what MITRE's

00:17:39.829 --> 00:17:43.680
mission was. So much so that it was something

00:17:43.680 --> 00:17:46.740
that they wanted to share with the world, basically,

00:17:46.740 --> 00:17:49.619
because it was so useful for us internally to

00:17:49.619 --> 00:17:51.819
test and evaluate our internal defenses that

00:17:51.819 --> 00:17:55.299
it didn't make sense to sort of keep this in-house.

00:17:55.299 --> 00:17:58.140
And so that started off the process of

00:17:58.140 --> 00:18:01.380
basically the internal reviews that had to happen,

00:18:01.579 --> 00:18:04.079
the pre-publication reviews that had to happen

00:18:04.079 --> 00:18:07.559
with sponsors, and then finally publishing it

00:18:07.559 --> 00:18:12.599
about two or three years after. We had started

00:18:12.599 --> 00:18:15.599
ATT&CK internally, and I think it was May 2015

00:18:15.599 --> 00:18:19.119
is when we first published it. Wow, it's only

00:18:19.119 --> 00:18:20.980
been 10 years. It's funny, like you get used

00:18:20.980 --> 00:18:22.440
to something and it just feels like it's been

00:18:22.440 --> 00:18:24.200
around forever. It's interesting because it's

00:18:24.200 --> 00:18:26.640
one of the few frameworks that directly addresses

00:18:26.640 --> 00:18:29.420
the attacker side, the red team side of the equation.

00:18:29.720 --> 00:18:32.279
So always been a big fan of that and kind of

00:18:32.279 --> 00:18:34.500
like, you know, we need to explore and define

00:18:34.500 --> 00:18:37.930
that space a lot better than we have. Love it.

00:18:38.089 --> 00:18:40.190
So this is just kind of like a curiosity question

00:18:40.190 --> 00:18:43.990
because like, you know, Michael and I have both,

00:18:44.069 --> 00:18:45.950
you know, are both history buffs and like love

00:18:45.950 --> 00:18:49.009
these origin story kind of things. I'm curious,

00:18:49.089 --> 00:18:50.470
like, is there anything that you kind of wish

00:18:50.470 --> 00:18:52.609
you did differently? Are you happy the way it

00:18:52.609 --> 00:18:55.450
works? Or is there some stuff that didn't, you

00:18:55.450 --> 00:18:57.509
know, land like the way you expected or thought

00:18:57.509 --> 00:19:00.150
it might? I'm just kind of curious on that one.

00:19:00.190 --> 00:19:02.130
And of course, you know, hindsight's 20/20 and

00:19:02.130 --> 00:19:03.630
you always see things that you never saw in the

00:19:03.630 --> 00:19:05.450
moment. So I'm just, you know, more of a curiosity

00:19:05.450 --> 00:19:11.099
thing. Yeah, that's a good one. So I think one

00:19:11.099 --> 00:19:14.579
of the, you always have to start somewhere and

00:19:14.579 --> 00:19:16.940
there's never going to be a perfect solution

00:19:16.940 --> 00:19:19.640
right out of the gate. But I think one of the

00:19:19.640 --> 00:19:22.279
things that I feel like we should have done much

00:19:22.279 --> 00:19:26.839
earlier was to implement the sub technique concept

00:19:26.839 --> 00:19:30.720
because there was, as ATT&CK had evolved from

00:19:30.720 --> 00:19:33.960
its earliest state, which was I think 64 techniques

00:19:33.960 --> 00:19:36.890
to a point where it was, across multiple platforms

00:19:36.890 --> 00:19:39.869
and had hundreds of techniques. It became very

00:19:39.869 --> 00:19:43.349
difficult for somebody to figure out even where

00:19:43.349 --> 00:19:45.390
to start with it just because it was so big.

00:19:46.029 --> 00:19:48.670
So the sub -technique layer added a necessary

00:19:48.670 --> 00:19:53.630
sort of like evenness across how we would define

00:19:53.630 --> 00:19:55.690
things at a technique and sub -technique level

00:19:55.690 --> 00:19:58.009
that was missing. There's either too much detail

00:19:58.009 --> 00:20:00.789
or not enough detail in a lot of spaces. So I

00:20:00.789 --> 00:20:04.109
think that was the piece that was sorely needed

00:20:04.109 --> 00:20:07.230
for a long time. that we managed to implement

00:20:07.230 --> 00:20:11.569
right before I left MITRE. And that was one of

00:20:11.569 --> 00:20:13.650
the things I know we'll probably get to more

00:20:13.650 --> 00:20:15.329
of these questions, more of this type of question,

00:20:15.410 --> 00:20:16.990
maybe a little bit later, but that was one of

00:20:16.990 --> 00:20:19.410
the things that I absolutely had to do before

00:20:19.410 --> 00:20:22.289
I left was to get ATT&CK in a more stable state.

00:20:22.549 --> 00:20:24.650
You feel like an accountability to your baby.

00:20:24.809 --> 00:20:27.750
Yeah. Yes. Yeah, of course. I know that feeling

00:20:27.750 --> 00:20:30.089
well. I have a really stupid question. I have

00:20:30.089 --> 00:20:31.789
a really stupid question. It's talking about

00:20:31.789 --> 00:20:36.369
origins. Why is the second letter A in the word

00:20:36.369 --> 00:20:39.869
attack not a letter A? Why is it an "and" symbol?

00:20:40.390 --> 00:20:43.109
Oh my gosh. This always goes back to lawyers.

00:20:45.089 --> 00:20:48.880
That was a stylization that was done basically

00:20:48.880 --> 00:20:51.980
because MITRE didn't want to try to copyright

00:20:51.980 --> 00:20:56.339
ATT&CK with the letter A in it just for reasons

00:20:56.339 --> 00:20:57.799
they thought it would be too difficult. So they

00:20:57.799 --> 00:21:00.519
asked us to stylize it a bit. And it was actually

00:21:00.519 --> 00:21:03.119
very helpful that they decided to push us to

00:21:03.119 --> 00:21:06.180
do that because it became very easy to figure

00:21:06.180 --> 00:21:09.299
out when people were using ATT&CK. And of course

00:21:09.299 --> 00:21:11.559
there's a lot of funny things that happen after

00:21:11.559 --> 00:21:14.279
that too because I've seen so many different

00:21:15.769 --> 00:21:19.009
special characters that people have put,

00:21:19.009 --> 00:21:22.009
I don't know, on purpose or by accident, like basically

00:21:22.009 --> 00:21:24.569
hold shift and hit any number of the keys

00:21:24.569 --> 00:21:28.410
up there, from like dollar signs, asterisks, or

00:21:28.410 --> 00:21:30.930
whatever. Like, I've seen it all. Like, it's

00:21:30.930 --> 00:21:33.329
pretty funny when people try to do ATT&CK. That's

00:21:33.329 --> 00:21:35.910
like a whole gamut of things that show up there.

00:21:35.910 --> 00:21:38.250
Yeah, but there is one other thing that I wanted

00:21:38.250 --> 00:21:40.829
to mention that's sort of in the same realm

00:21:40.829 --> 00:21:43.329
of like what would you do differently. I don't

00:21:43.329 --> 00:21:45.910
think we can really answer that question without

00:21:45.910 --> 00:21:49.509
also mentioning the ATT&CK evaluations. That

00:21:49.509 --> 00:21:52.109
was one of sort of the offshoots that MITRE had

00:21:52.109 --> 00:21:54.910
done related to ATT&CK, but it's more MITRE

00:21:54.910 --> 00:21:59.910
being a third party sort of unbiased evaluator

00:21:59.910 --> 00:22:03.509
of endpoint detection and response systems using

00:22:03.509 --> 00:22:08.490
ATT&CK as sort of the benchmark. And so do you

00:22:08.490 --> 00:22:10.930
guys mind if I sort of go into a little bit of

00:22:10.930 --> 00:22:14.210
the story? Yeah, I'd love to hear it. We're history

00:22:14.210 --> 00:22:18.910
busted. MITRE had started using ATT&CK-based

00:22:18.910 --> 00:22:23.349
evaluations, like constructing an adversary-based

00:22:23.349 --> 00:22:28.549
plan from ATT&CK to evaluate EDR tools for several

00:22:28.549 --> 00:22:32.269
of the government sponsors across the defense

00:22:32.269 --> 00:22:37.529
and dark of. And so this became basically a program

00:22:37.529 --> 00:22:42.150
in and of itself because a lot of the... security

00:22:42.150 --> 00:22:45.069
vendors that we were working with basically saw

00:22:45.069 --> 00:22:48.470
this as the next sort of gen testing because

00:22:48.470 --> 00:22:50.789
there's like AV tests out there. I think there

00:22:50.789 --> 00:22:54.650
was SE Labs at the time and the industry didn't

00:22:54.650 --> 00:22:57.710
really feel like they were capturing the essence

00:22:57.710 --> 00:23:01.190
of what an EDR product would use and tend to

00:23:01.190 --> 00:23:05.599
be more focused on antivirus detection. So we

00:23:05.599 --> 00:23:07.380
ended up doing something that MITRE had never

00:23:07.380 --> 00:23:09.440
done before because they typically only do these

00:23:09.440 --> 00:23:13.099
sorts of unbiased evaluations on behalf of sponsors

00:23:13.099 --> 00:23:16.039
to actually do this for the industry and create

00:23:16.039 --> 00:23:19.960
a whole program around it. And part of what was

00:23:19.960 --> 00:23:22.240
special with the earlier days of that program

00:23:22.240 --> 00:23:27.720
was we would actually work very closely with

00:23:27.720 --> 00:23:30.009
the vendors themselves. Because we were sort

00:23:30.009 --> 00:23:32.369
of operating under the mindset that we want to

00:23:32.369 --> 00:23:35.569
help them understand where their gaps are. And

00:23:35.569 --> 00:23:37.769
it isn't just something that they would contribute

00:23:37.769 --> 00:23:41.609
to and we would publish for sort of the industries

00:23:41.609 --> 00:23:44.690
to see and make more informed decisions about

00:23:44.690 --> 00:23:46.569
products. It was really helping the vendors themselves

00:23:46.569 --> 00:23:52.250
sort of raise the tide a bit on the products

00:23:52.250 --> 00:23:55.279
in the industry. And so that was really special

00:23:55.279 --> 00:23:59.240
at the time. And as the sort of evaluations evolved,

00:23:59.559 --> 00:24:02.619
so to speak, over time, I kind of feel like it

00:24:02.619 --> 00:24:04.640
lost some of that luster a little bit. And I

00:24:04.640 --> 00:24:06.799
don't want to be too hard on MITRE. Like there's

00:24:06.799 --> 00:24:09.460
very smart people that are driving this program

00:24:09.460 --> 00:24:13.339
still. They have really good ideas to bring a

00:24:13.339 --> 00:24:16.140
lot of the innovation back to it. But I think

00:24:16.140 --> 00:24:19.380
if you go talk to basically anybody who's been

00:24:19.380 --> 00:24:21.440
involved in this test from the vendor space.

00:24:22.130 --> 00:24:25.309
They've been very frustrated with the past few

00:24:25.309 --> 00:24:29.289
iterations of tests. And so I don't think that

00:24:29.289 --> 00:24:31.490
would be necessarily something that I would change,

00:24:31.589 --> 00:24:35.369
but it was something that very much sort of like

00:24:35.369 --> 00:24:39.519
weighs on me as one of the... people who started

00:24:39.519 --> 00:24:41.799
this whole process. I really want to see it evolve

00:24:41.799 --> 00:24:44.900
over time and get back to something that's more

00:24:44.900 --> 00:24:46.859
innovative, more special that people are getting

00:24:46.859 --> 00:24:48.740
value out of rather than just being sort of a

00:24:48.740 --> 00:24:51.599
marketing stunt that I think it's turned into.

00:24:52.119 --> 00:24:54.500
Yeah, it's a tough space because there's so much

00:24:54.500 --> 00:24:56.539
money on the line of how well did you do in this

00:24:56.539 --> 00:24:58.400
or that that the salespeople love and customers

00:24:58.400 --> 00:25:01.099
love to get to justify whatever their favorite

00:25:01.099 --> 00:25:04.099
tool is or whatever. It's a tough space because

00:25:04.099 --> 00:25:05.859
it's just there's so many competing interests

00:25:05.859 --> 00:25:10.079
that have so much power, right? I couldn't even

00:25:10.079 --> 00:25:12.099
imagine running a program like that. I'd have

00:25:12.099 --> 00:25:14.319
to have a very different style of personality

00:25:14.319 --> 00:25:19.460
to engage with people. I wanted to ask a couple

00:25:19.460 --> 00:25:22.319
more questions I wanted to cover here while we

00:25:22.319 --> 00:25:25.579
got you. You kind of hinted at it a little bit.

00:25:25.759 --> 00:25:28.059
I'm curious, how do you see people misinterpret

00:25:28.059 --> 00:25:31.200
or misuse it? Like I said, it's the only thing

00:25:31.200 --> 00:25:33.480
in that red team space that covers the attacker

00:25:33.480 --> 00:25:36.940
side, whether it's simulated or real. Do you

00:25:36.940 --> 00:25:39.099
see people stretching it into use cases where

00:25:39.099 --> 00:25:42.720
you're just like, no, it doesn't do that? I'm

00:25:42.720 --> 00:25:47.640
very curious about some of those elements. I

00:25:47.640 --> 00:25:50.500
think the biggest misconception of ATT&CK is

00:25:50.500 --> 00:25:56.000
that it's like a checkbox. It's more about the

00:25:56.000 --> 00:26:02.150
process of getting your network up to a point

00:26:02.150 --> 00:26:04.410
where you can defend against these attacks and

00:26:04.410 --> 00:26:07.589
then continuing to evolve it because attackers

00:26:07.589 --> 00:26:10.109
are not static. These techniques are not static.

00:26:10.109 --> 00:26:12.289
They're always going to change over time, and

00:26:12.289 --> 00:26:14.430
if you treat this as, okay, like I'm covered with

00:26:14.430 --> 00:26:17.109
ATT&CK, I'm done, like, you're never going to be

00:26:17.109 --> 00:26:19.710
done. You make it into a steady state where you

00:26:19.710 --> 00:26:22.170
have the processes in place and you're understanding

00:26:22.170 --> 00:26:24.609
the updates to ATT&CK and understanding threats

00:26:24.609 --> 00:26:28.980
where you can better protect and better secure

00:26:28.980 --> 00:26:30.839
your environment. But it's never going to

00:26:30.839 --> 00:26:33.680
be done, and I think that's one of the misconceptions

00:26:33.680 --> 00:26:35.359
that a lot of people have, especially when they

00:26:35.359 --> 00:26:38.259
first get started with ATT&CK, that they treat

00:26:38.259 --> 00:26:40.819
it like a checkbox. Like, okay, I'm good now, like

00:26:40.819 --> 00:26:43.059
I can tell my CISO I'm all covered. And then

00:26:43.059 --> 00:26:46.240
some catastrophic thing happens, like three

00:26:46.240 --> 00:26:48.299
months later, and you know, somebody's in the hot

00:26:48.299 --> 00:26:51.279
seat for saying the wrong thing when they

00:26:51.279 --> 00:26:53.809
weren't actually covered. And ATT&CK doesn't

00:26:53.809 --> 00:26:56.970
cover absolutely everything. So there's no sort

00:26:56.970 --> 00:26:59.289
of like guarantee that MITRE has covered all

00:26:59.289 --> 00:27:02.250
known techniques for everything. And so that's

00:27:02.250 --> 00:27:04.730
why it's more about the process of protecting

00:27:04.730 --> 00:27:06.569
yourself with something like ATT&CK rather than

00:27:06.569 --> 00:27:09.349
just checking all the boxes. Yeah, and there's

00:27:09.349 --> 00:27:10.910
a lot of nuance again between the difference

00:27:10.910 --> 00:27:13.450
in the way the red and blue teams think is, you

00:27:13.450 --> 00:27:16.369
know, the red team, this is a thing and there

00:27:16.369 --> 00:27:18.829
could be 17 variations of how I could execute

00:27:18.829 --> 00:27:21.670
it. And congratulations, you detected one of

00:27:21.670 --> 00:27:23.839
them, or your vendor says they detect one of

00:27:23.839 --> 00:27:27.980
them. What about the other 16 ways of doing it?

00:27:28.039 --> 00:27:32.460
Oh, those just slip past. What? It's just like

00:27:32.460 --> 00:27:35.519
that tricky area between the two. Yeah, definitely.

00:27:36.299 --> 00:27:39.500
We've definitely seen a lot of people take some

00:27:39.500 --> 00:27:43.400
creative ways of interpreting what ATT&CK means.

00:27:46.700 --> 00:27:50.279
Did you expect it to be this successful? Oh,

00:27:50.319 --> 00:27:55.539
no way. Yeah. No. And so one of our, I guess

00:27:55.539 --> 00:27:58.500
he was my manager at MITRE at the time, but he

00:27:58.500 --> 00:28:01.420
was sort of a really good thought leader in cyber

00:28:01.420 --> 00:28:04.839
within MITRE. His name was Todd Whitbold. And

00:28:04.839 --> 00:28:07.900
I don't think ATT&CK could have happened without

00:28:07.900 --> 00:28:11.680
his guidance, but actually really early on in

00:28:11.680 --> 00:28:14.599
the process of defining ATT&CK and getting sort

00:28:14.599 --> 00:28:17.480
of like the internal buy-in on it. He said something

00:28:17.480 --> 00:28:19.380
to me that I didn't believe at the time. He said,

00:28:19.440 --> 00:28:23.500
a few years down the road, I think MITRE is going

00:28:23.500 --> 00:28:25.420
to be known for one main thing, and that's going

00:28:25.420 --> 00:28:28.599
to be ATT&CK. And sure enough, he was right.

00:28:29.299 --> 00:28:32.299
Because when a lot of companies talk about ATT&CK,

00:28:32.299 --> 00:28:34.880
they refer to it as MITRE instead and not

00:28:34.880 --> 00:28:37.960
ATT&CK. So I think we were all a little bit

00:28:37.960 --> 00:28:41.859
shocked that it has gotten that much brand recognition.

00:28:41.960 --> 00:28:44.039
MITRE itself has gotten that much brand recognition

00:28:44.039 --> 00:28:47.500
just from this one, when MITRE has been around

00:28:47.500 --> 00:28:49.500
for so many years and has done so many things

00:28:49.500 --> 00:28:53.440
that this is the one that it's mostly recognized

00:28:53.440 --> 00:28:56.599
for. Yeah, you don't really hear about MITRE

00:28:56.599 --> 00:28:59.900
CVE or MITRE CWE, but MITRE ATT&CK just falls

00:28:59.900 --> 00:29:03.000
off the tongue. Yeah, for sure. So that kind

00:29:03.000 --> 00:29:07.940
of leads me to my last question. And it's more

00:29:07.940 --> 00:29:10.359
about you as a person because you spent seven

00:29:10.359 --> 00:29:14.130
years on it, as you mentioned. How do you move

00:29:14.130 --> 00:29:18.670
on to do something else? Because a long time

00:29:18.670 --> 00:29:21.210
ago, I was like the PKI guy in Microsoft support,

00:29:21.390 --> 00:29:23.970
and I kind of stopped that with Windows 2003.

00:29:24.109 --> 00:29:31.450
Yes, I'm that old. And so I'm curious, your experience

00:29:31.450 --> 00:29:33.269
from like, okay, now that I'm done with this,

00:29:33.309 --> 00:29:35.549
and now that I'm moving on, and I've closed out

00:29:35.549 --> 00:29:39.400
all the things I really wanted to do. Has it

00:29:39.400 --> 00:29:42.220
been challenging? How did you think about that?

00:29:42.259 --> 00:29:45.819
How did you go through that? Yeah, this is a

00:29:45.819 --> 00:29:48.180
really good question. So I am the type of person,

00:29:48.180 --> 00:29:52.359
for better or for worse, that needs to, at some

00:29:52.359 --> 00:29:54.900
point, move on to something else. So I don't

00:29:54.900 --> 00:29:57.640
know if it's like a sense of boredom per se,

00:29:57.740 --> 00:30:01.220
or just like, I need something new to learn about,

00:30:01.319 --> 00:30:05.539
to dive into. And I definitely started feeling

00:30:05.539 --> 00:30:09.630
that maybe about five years into ATT&CK. And

00:30:09.630 --> 00:30:13.430
so ATT&CK certainly wasn't the only thing

00:30:13.430 --> 00:30:15.490
that I did at MITRE. So I started this other

00:30:15.490 --> 00:30:18.910
project called Caldera, which is an automated

00:30:18.910 --> 00:30:21.190
adversary emulation system that was largely based

00:30:21.190 --> 00:30:25.890
on ATT&CK to try to give defenders a more realistic

00:30:25.890 --> 00:30:29.250
way of testing their network against the techniques

00:30:29.250 --> 00:30:32.009
when they may not have a red team or have the

00:30:32.009 --> 00:30:35.210
resources to do the red team. And I was really...

00:30:35.609 --> 00:30:38.750
more interested in that project for a long

00:30:38.750 --> 00:30:42.150
time, but it got to a point where I just couldn't

00:30:42.150 --> 00:30:44.490
split my time between the two, and I ended up

00:30:44.490 --> 00:30:47.630
giving, like, Caldera to another person to lead

00:30:47.630 --> 00:30:49.910
so that I could focus on ATT&CK because that was

00:30:49.910 --> 00:30:53.630
sort of the more important thing to work on over

00:30:53.630 --> 00:30:56.309
time. So I made this series of sacrifices

00:30:56.309 --> 00:30:58.950
for ATT&CK, but it finally got to a point

00:30:58.950 --> 00:31:02.789
where I needed to move on to something else

00:31:02.789 --> 00:31:06.559
to get closer to operations again. And that's

00:31:06.559 --> 00:31:08.500
basically why I decided to come to Microsoft

00:31:08.500 --> 00:31:12.200
because of all the various like large amounts

00:31:12.200 --> 00:31:16.119
of data that we can leverage and all the interesting

00:31:16.119 --> 00:31:17.980
things that we can do to build new capabilities

00:31:17.980 --> 00:31:20.200
to actually counter these threats. So I got a

00:31:20.200 --> 00:31:21.900
little bit tired of talking about the threats

00:31:21.900 --> 00:31:24.240
and wanted to actually do something about them

00:31:24.240 --> 00:31:28.160
again. But it is really hard to step away from

00:31:28.160 --> 00:31:31.619
something like ATT&CK, because I had contacts

00:31:31.619 --> 00:31:34.380
out throughout the industry, was doing talks

00:31:34.380 --> 00:31:39.380
all the time, and I needed ATT&CK to be in a

00:31:39.380 --> 00:31:41.720
good spot before I could leave it. Hence the

00:31:41.720 --> 00:31:44.299
discussion a little bit earlier about the sub-techniques

00:31:44.299 --> 00:31:45.920
there. So that was one of the things

00:31:45.920 --> 00:31:48.579
that I knew I needed to do before I could feel

00:31:48.579 --> 00:31:50.279
comfortable stepping away. And then the second

00:31:50.279 --> 00:31:52.559
one was I needed to make sure that there was

00:31:52.559 --> 00:31:57.900
a lead capable of driving ATT&CK in the future

00:31:58.490 --> 00:32:00.869
and still maintaining the same sort of principles

00:32:00.869 --> 00:32:05.710
that we had started when it began. And so Adam

00:32:05.710 --> 00:32:09.970
Pennington is the lead now. He was sort of, you

00:32:09.970 --> 00:32:13.710
know, he sat in the same room with me as ATT&CK

00:32:13.710 --> 00:32:15.950
was getting started. And so he was there

00:32:15.950 --> 00:32:18.049
along the way and then ended up playing a significant

00:32:18.049 --> 00:32:22.430
role. All right. So as Mark kind of alluded to,

00:32:22.490 --> 00:32:25.309
let's bring this episode to an end. So one of

00:32:25.309 --> 00:32:26.930
the questions, there's two questions we asked.

00:32:26.950 --> 00:32:29.829
So the first one is, what does a typical day

00:32:29.829 --> 00:32:32.650
in the life of Blake look like? Lots of meetings.

00:32:34.710 --> 00:32:40.150
So I've got a pretty large team. We engage with

00:32:40.150 --> 00:32:43.130
a lot of internal research stakeholders and product

00:32:43.130 --> 00:32:45.529
teams and engineering teams. So unfortunately,

00:32:45.750 --> 00:32:48.769
my day-to-day isn't really that interesting.

00:32:49.599 --> 00:32:52.500
It tends to be a lot of meetings, level setting,

00:32:52.779 --> 00:32:56.700
planning, check-ins for various projects and

00:32:56.700 --> 00:33:00.019
efforts that we're working on. But there are

00:33:00.019 --> 00:33:03.859
some exciting moments, especially when one of

00:33:03.859 --> 00:33:06.299
our research proof of concepts starts producing

00:33:06.299 --> 00:33:08.900
really good results and we start getting really

00:33:08.900 --> 00:33:11.559
good customer feedback and generating a lot of

00:33:11.559 --> 00:33:15.990
good interest around, and being able to celebrate

00:33:15.990 --> 00:33:19.569
that with the team tends to be the highlights

00:33:19.569 --> 00:33:24.829
of the days. Mostly it's just meetings. All right,

00:33:24.890 --> 00:33:26.509
so let's really bring this episode to an end.

00:33:26.549 --> 00:33:29.650
So if you had one thought to leave our listeners

00:33:29.650 --> 00:33:33.279
with, what would it be? Basically, you know,

00:33:33.279 --> 00:33:37.099
check out ATT&CK. If you have a role, whether

00:33:37.099 --> 00:33:41.400
it's offense, defense, or compliance, you just

00:33:41.400 --> 00:33:44.880
want to understand the threats of today a little

00:33:44.880 --> 00:33:47.880
bit better. There's lots of reasons to check

00:33:47.880 --> 00:33:50.359
it out and understand it and see how it applies

00:33:50.359 --> 00:33:53.660
to your day-to-day sort of work. Yeah, I guess

00:33:53.660 --> 00:33:55.539
ultimately, if you don't look at it, you don't

00:33:55.539 --> 00:33:56.660
know what's in there. And if you don't know what's

00:33:56.660 --> 00:33:57.819
in there, you don't know if it's going to be

00:33:57.819 --> 00:34:00.950
of use to you. So take a look. All right, so

00:34:00.950 --> 00:34:02.869
let's bring this episode finally to an end. Blake,

00:34:02.970 --> 00:34:05.049
thank you so much for joining us this week. Don't

00:34:05.049 --> 00:34:07.150
want to keep you away from your meetings. And

00:34:07.150 --> 00:34:09.289
to all our listeners, we hope you found this

00:34:09.289 --> 00:34:11.969
episode useful. Stay safe and we'll see you next

00:34:11.969 --> 00:34:13.889
time. Thanks for listening to the Azure Security

00:34:13.889 --> 00:34:17.449
Podcast. You can find show notes and other resources

00:34:17.449 --> 00:34:22.190
at our website, azsecuritypodcast.net. If you

00:34:22.190 --> 00:34:24.570
have any questions, please find us on Twitter

00:34:24.570 --> 00:34:28.840
at AzureSecPod. Background music is from ccmixter.com

00:34:28.840 --> 00:34:31.400
and licensed under the Creative Commons

00:34:31.400 --> 00:34:32.119
License.
