
SESSION

09/22 14:45 - 15:15 Blue Team Forum

Why is MITRE Promoting the Engage Framework?

We are all very familiar with MITRE ATT&CK, which analyzes the tactics and techniques of known real-world hacker attacks and provides guidance on methods of detection and mitigation. MITRE started independent evaluation of EDR technologies in 2018, and it has helped the technologies improve steadily over the last few years to their current high level of maturity and sophistication. According to the evaluation results, many vendors can now detect 80% to 90% of the steps of simulated attacks, while the best performing vendor can even provide 100% coverage. Does this mean we are very safe against most attacks? Unfortunately, the answer is negative, because in MITRE's evaluation of EDR the steps of the simulated attack are provided to the vendors in advance, and there is no noise at all in the evaluation environment. In a real-world scenario, the defender does not know what the attackers will do, and when normal employees use computers and the network, their activity becomes noise that attackers can leverage to hide their operations. It becomes very difficult to use EDR to accurately detect the presence of an attacker in real time, because the detection problem is similar to "looking for a needle in a haystack," as MITRE and most EDR vendors put it. In general, if the activities of the attackers have signatures that EDR can recognize, or if their behaviors are simply too obvious, then accurate real-time detection can be achieved; otherwise, the huge volume of alerts generated by EDR is used mainly for post-mortem analysis rather than real-time detection. This is the main reason why MITRE is now promoting the new Engage Framework: an active defense approach that engages with the attackers in real time, detects their presence at a very early stage of the breach, and then either cuts them off or confines them to controlled areas where the defender can observe and analyze them.

This very effective new way of thinking about defense can be used not only to catch attackers in action and prevent damage to the enterprise, but also to accumulate understanding of and experience against the attackers in order to fortify our defense posture.

LOCATION Taipei Nangang Exhibition Center, Hall 2 4F 4B
LANGUAGE English
SESSION TOPIC Breach Detection, Advanced Threat Protection, Ransomware

SPEAKER

Dr. Cheng Kun Wang

Researcher of Chung-Shan Institute of Science and Technology, Researcher of Telecom Labs., Chung-Hwa Telecom, Senior Consulting Engineer of Cisco System APAC, Senior Manager of Cisco System Japan, Senior Solution Architect of Cisco System Greater China, Technical Consultant of Attivo Networks.