Breach -> ATT&CK -> Osquery – Learning from breach reports to improve endpoint monitoring

Speakers: Guillaume Ross

Level: Fundamental, Lecture

Excerpt: Large breaches like SingHealth’s resulted in detailed public reports.
Using those, we will map portions of the attacks to ATT&CK, then see how to monitor for them using osquery.
Though most of these public reports address breaches that touched Windows environments, we will translate the Windowsness into “what would that same technique look like on Mac?”.

Description: Though the news is a constant source of vague statements about breaches, we rarely get detailed information about what actually happened, which is exactly what we need in order to improve our defenses.
In 2018, both the SingHealth (Singapore) and Equifax (USA) breaches resulted in significant, detailed reports.
In this talk, we will look at significant findings from these reports, convert them to their Mac equivalents, and map them to the MITRE ATT&CK framework, in order to understand whether our defenses are effective against those steps of the attack.
We will then choose a few and see how we can monitor our systems for them with osquery, a favorite tool of the MacAdmins community.
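As an added illustration of the "Windows technique, Mac equivalent, ATT&CK mapping, osquery monitoring" chain the description outlines (this is not material from the talk or from the speaker, and it does not come from the SingHealth or Equifax reports), here is one such translation worked through: Windows persistence via Registry Run keys and Scheduled Tasks becomes Launch Agents, Launch Daemons and cron on macOS, and osquery's `launchd`, `signature`, `hash` and `crontab` tables let you watch for it. The ATT&CK sub-technique IDs are the current ones (sub-techniques did not exist when this talk was given), the path allowlist and the "not Apple-signed" threshold are my own choices, and the example assumes osquery running as root on macOS so that every user's LaunchAgents plists are readable.

```sql
-- Added example, not from the talk: one Windows-to-Mac translation mapped to
-- ATT&CK and turned into osquery hunts.
--   Windows: Registry Run keys / Scheduled Tasks      (T1547.001 / T1053.005)
--   macOS:   Launch Agents / Launch Daemons / cron    (T1543.001 / T1543.004 / T1053.003)
-- Assumes osquery on macOS run as root. The path allowlist and the signing
-- threshold below are illustrative choices, not recommendations from the talk.

-- Hunt 1: launchd items that start at boot/login whose program is unsigned or
-- not signed by Apple, living outside /System, with a SHA-256 for pivoting.
-- run_at_load is stored as text by osquery; both spellings are accepted here.
SELECT
  l.path              AS plist,
  l.label,
  l.program,
  l.program_arguments,
  l.username,
  s.signed,
  s.authority,
  s.team_identifier,
  h.sha256
FROM launchd l
LEFT JOIN signature s ON s.path = l.program
LEFT JOIN hash h      ON h.path = l.program
WHERE l.run_at_load IN ('1', 'true')
  AND l.program != ''
  AND l.path NOT LIKE '/System/%'
  AND (s.signed IS NULL OR s.signed = 0 OR s.authority != 'Software Signing');

-- Hunt 2: per-user Launch Agents, which an attacker can drop without root
-- (the Mac analogue of an HKCU Run key).
SELECT path, label, program, program_arguments, run_at_load
FROM launchd
WHERE path LIKE '/Users/%/Library/LaunchAgents/%';

-- Hunt 3: cron entries, the closest analogue to a Windows scheduled task.
SELECT path, minute, hour, day_of_month, month, day_of_week, command
FROM crontab;
```

Run interactively with osqueryi, these return a baseline that will include legitimate third-party agents (anything Developer ID signed trips the Apple-only check in Hunt 1), so a real deployment allowlists known `team_identifier` values. Put in a scheduled query pack, osquery's default differential logging emits only rows that appear or disappear between runs, which is exactly the signal you want: a newly dropped plist or cron line shows up as a single "added" row. Hunt 1 hashes each program on every run, so give it a generous interval.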

About the speaker

Guillaume Ross (Twitter: @gepeto42) – Principal Security Researcher – Uptycs & Caffeine Security

Guillaume is an experienced cyber security professional. He is currently the Principal Security Researcher at Uptycs, an osquery-at-scale company. He also provides security training through his company, Caffeine Security, as well as on Pluralsight.
With a background in IT and Security Architecture, he advises clients on their Information Security Programs as well as on technical topics such as threat modeling, mobile and cloud security, and dreams of well hardened, well designed, secure Active Directory deployments.
He has previously presented at multiple events such as AtlSecCon, NorthSec, Converge and BSidesLV and private events, and this is his third time at MacAdmins, after presenting some fun battle stories converted into practical experience with ex-coworker Jordan Rogers and giving an all-day workshop on various technical security topics.

This entry was posted in MacAdmins 2019 Sessions.