Jesse Griggs
Jesse Griggs is a Cyber Operations Lead at The MITRE Corporation and a member of the MITRE ATT&CK for Enterprise team focusing on improving the ATT&CK for Cloud knowledge base. He supports various projects providing threat hunting expertise on systems ranging from offline to cloud. Outside the lab, he likes to spend his time sailing or playing board games, though typically not at the same time.
Session
In 2019, ATT&CK - a free, globally accessible knowledge base of adversary tactics and techniques - released its Cloud Matrix to capture the increasing threats targeting organizations' cloud-based technologies. Since then, we've found that behaviors that map easily to techniques in "traditional" on-prem environments don't always fit into the same neat boxes in the cloud.
For example, in a cloud environment, what distinguishes collection (in which the adversary gathers data of interest) from exfiltration (in which the adversary steals data from the target network), especially when adversaries can directly view and download sensitive information via the CLI or web console? What happens when traditional persistence methods, such as assigning additional roles to a user, also result in privilege escalation because of the complexity of cloud permissions? What is lateral movement in the cloud: can it occur within a single tenant, between tenants, or between a tenant and a corresponding on-premises environment? And what distinguishes execution in the cloud from execution on a cloud-hosted instance?
Join two members of the ATT&CK for Cloud team for a group discussion as we try to work through these issues and determine how to better capture and ultimately defend against adversary behaviors in the cloud.