Workshop 1 - Knowledge is Power: Aligning Threat Intelligence to the MITRE ATT&CK Framework

Speaker: Mr. Michael Passaro


HKPC Building, 78 Tat Chee Avenue, Kowloon, Hong Kong
Date: 22 Oct 2019 (0.5 Day)


Time: 09:30 - 13:00

Non-member Fee: HK$1,900 (Early Bird: HK$1,800)
Member Fee for Organiser/Supporting Organisation: HK$1,800 (Early Bird: HK$1,700)

Medium of Instruction


Nature & Objectives


  • Pull ATT&CK into Recorded Future
    • Lists
    • ATT&CK Identifiers
    • FINTEL
  • Use threat intelligence to analyze the ATT&CK TTPs of a list of threat actors OR an individual threat actor
    • Threat Actors Targeting Finance
    • APT28 via IOCs
  • The connection must be automated so that it simplifies the manual analysis, updates dynamically, and stays flexible

Course Outline

  1. Pull ATT&CK into Recorded Future
    • The challenge in trying to automate this is that the tactics categories and associated submenus are mostly raw text data (i.e., not easily importable)
    • We can pull in raw text data in Recorded Future using Lists
      • Entities vs text matches - active choice/dilemma
    • IOCs automatically connected to ATT&CK Identifiers from Joe Sandbox submissions and Insikt Group research
    • Data can also be pulled from FINTEL, such as hunting packages and longer Insikt Group notes
  2. Analyze the ATT&CK TTPs of a List of Threat Actors
    • Pull a list of threat actors that we care about (we will use Finance industry for our presentation but can be done with any industry or custom list of threat actors)
    • Brief overview of how to construct the necessary queries
    • Brief overview of how to configure the timelines
    • Analyze a set of threat actors (10-20) and break their attacks down into different tactics categories within the framework
      • Note: We will use threat actors that have targeted the finance industry in the last two years for this section
      • Show how our group of threat actors have each utilized different tactics categories of the ATT&CK framework in their attacks over the last two years (Link:
        Note: We have five of the tactics categories currently imported to lists; will complete the remaining categories in the coming weeks)
      • Show comparison between select groups
      • We can gain insights about what these actors are doing either by manually reviewing the timeline or we can use RF’s signal strength in Table View to break all the data down quickly (e.g., categories of IOCs, attack vectors, malware, etc.)
      • This approach allows an organization to prioritize their resources into the areas/attack vectors that make sense given the intelligence about the threat actors
    • Analyze a single threat actor via IOCs
      • Instead of breaking down the unstructured threat intelligence data available through mainstream news, security vendor reporting, etc., we will use the raw IOCs Recorded Future has seen in the last two years about APT28
      • Start by creating a list of the IPs; run similar query to above
      • This will show different information than above and can also uncover shared infrastructure between threat actors (Link:
  3. Flexibility and Dynamism
    • Ask members of the audience for some threat actors
    • Run the queries on the fly with the group of threat actors from the audience
    • Instantly see how the TTPs of the attackers mentioned fall into the tactics categories of the ATT&CK Framework
    • Evaluate current risk using the Recorded Future API
  4. Conclusions and Future Projects
    • Future ATT&CK Integrated projects in the works (hunting packages, threat actor profiles, threat vector profiles, etc.)
    • Questions
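As an added illustration of the outline's core idea (not part of the workshop material and not Recorded Future's code or API), the script below maps constructed threat-actor reports onto ATT&CK tactic categories two ways, by analyst-tagged technique identifiers (entities) and by raw keyword lists (text matches), so the "entities vs text matches" dilemma is visible in the counts, and then checks constructed IOC sets for infrastructure shared between actors. The technique-to-tactic table is a small excerpt of the public ATT&CK framework; the actors, reports and IP addresses are made up.

```python
"""Break threat-actor reporting down into ATT&CK tactic categories.

All data below is constructed for the example; it is not Recorded Future data.
"""
from collections import Counter, defaultdict

# Excerpt of the real ATT&CK technique -> tactic mapping (hypothetical subset;
# in practice the full framework is imported as a list).
TECHNIQUE_TACTIC = {
    "T1566": "Initial Access",       # Phishing
    "T1059": "Execution",            # Command and Scripting Interpreter
    "T1003": "Credential Access",    # OS Credential Dumping
    "T1071": "Command and Control",  # Application Layer Protocol
    "T1486": "Impact",               # Data Encrypted for Impact
}

# Keyword list for raw text matching (the "Lists" approach to importable text).
KEYWORD_TACTIC = {
    "phishing": "Initial Access",
    "powershell": "Execution",
    "credential": "Credential Access",
    "beacon": "Command and Control",
    "ransom": "Impact",
}

# Constructed intel records: (actor, report text, technique ids tagged by an analyst)
REPORTS = [
    ("ActorA", "Spear phishing lure delivers PowerShell stager", ["T1566", "T1059"]),
    ("ActorA", "Beaconing over HTTPS to C2; credential dumping observed", ["T1071", "T1003"]),
    ("ActorB", "Ransomware deployed after credential theft", ["T1486", "T1003"]),
    ("ActorB", "Vendor blog: anti-phishing training advised for staff", []),  # text-only false hit
]

def tactics_by_entity(ids):
    """Tactics via tagged ATT&CK identifiers: precise, but only as complete as the tagging."""
    return Counter(TECHNIQUE_TACTIC[t] for t in ids if t in TECHNIQUE_TACTIC)

def tactics_by_text(text):
    """Tactics via keyword lists: broad coverage, but picks up mentions that are not attacks."""
    lower = text.lower()
    return Counter(tac for kw, tac in KEYWORD_TACTIC.items() if kw in lower)

def actor_breakdown(reports, method):
    """Return {actor: Counter(tactic -> hits)} using 'entity' or 'text' matching."""
    out = defaultdict(Counter)
    for actor, text, ids in reports:
        out[actor] += tactics_by_entity(ids) if method == "entity" else tactics_by_text(text)
    return dict(out)

# Constructed IOC observations per actor (RFC 5737 documentation addresses)
IOCS = {"ActorA": {"198.51.100.7", "203.0.113.9"}, "ActorB": {"203.0.113.9", "192.0.2.4"}}

def shared_infrastructure(iocs):
    """Actor pairs that share at least one IOC, a lead for shared infrastructure."""
    actors = sorted(iocs)
    return {(a, b): iocs[a] & iocs[b] for i, a in enumerate(actors)
            for b in actors[i + 1:] if iocs[a] & iocs[b]}
```

Comparing the two breakdowns for ActorB shows the dilemma: the keyword pass credits ActorB with Initial Access from a vendor blog about phishing training, while the entity pass does not.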

More information is available at the blog post linked here; however, this submission shows a lot of new information and techniques developed since the publication of that blog:

Who Should Attend

Threat intelligence professionals, cybersecurity researchers, information security analysts, cybersecurity analysts, security analysts, cybersecurity consultants, SOC analysts


Mr. Michael Passaro
Product Trainer
Recorded Future


As a lawyer turned online educator turned cyber security geek, Mike has developed a unique perspective when it comes to security trainings. When he’s not flying around the world teaching cyber security skills, he’s analyzing the fastest way to level from 1-60 in vanilla WoW, guitar shredding to the latest melodic death metal tunes, or finding the best surf spots on a beach break. On a mission to help people become better cyber security professionals, Mike is focused on creating trainings where the answers aren’t necessarily important, but the thought process and techniques you used to get those answers are. Described by his therapist as “never boring,” Mike facilitates dynamic trainings featuring intelligent analogies, quirky stories, and old Simpsons quotes to help bring context and engagement to the content.

Copyright © 2020 Hong Kong Productivity Council. All Rights Reserved.