fwd:cloudsec 2023

Casey Knerr

Casey Knerr is a cybersecurity engineer at MITRE and a member of the MITRE ATT&CK for Enterprise team, where she provides cloud expertise, updating the ATT&CK knowledge base with novel defensive ideas and adversary techniques. Prior to joining MITRE, she worked as a penetration tester and completed a BSFS in Science, Technology, and International Affairs at Georgetown University and an MSc in Computer Science at the University of Oxford. Her specialties and interests include web development, web and cloud security, and international cyber policy. In her spare time, she can often be found flying stunt kites or playing Dungeons & Dragons.


Session

06-12, 17:00, 20 min
MITRE ATT&CK® for Cloud: Challenges and Opportunities
Casey Knerr, Jesse Griggs

In 2019, ATT&CK - a free, globally accessible knowledge base of adversary tactics and techniques - released its Cloud Matrix to capture the increasing threats targeting organizations’ cloud-based technologies. Since then, we've discovered that behaviors easily mapped to techniques in "traditional" on-prem spaces don't always fit into the same neat boxes in the cloud.

For example, in a cloud environment, what distinguishes collection (in which the adversary gathers data of interest) from data exfiltration (in which the adversary steals data from the target network) - especially when adversaries can directly view and download sensitive information via the CLI or web console? What happens when traditional persistence methods, such as adding roles to users, also result in privilege escalation due to the complexity of cloud permissions? What is lateral movement in the cloud, and can it exist within a tenant as well as between tenants, or between a tenant and a corresponding on-premises environment? And what distinguishes execution in the cloud from execution in a cloud-hosted instance?

Join two members of the ATT&CK for Cloud team for a group discussion as we try to work through these issues and determine how to better capture and ultimately defend against adversary behaviors in the cloud.

Birds-of-a-feather, business & behind-the-scenes "balk talks"
Salon B