Building the ATT&CK pipeline for Linux
2024-12-14 , Clappy Monkey Track

ATT&CK is a game changer and where it works, it can enable both blue and red teams to co-exist and work effectively together. However, what do attackers on Linux do when bitcoin miners aren't their motivation? This talk looks at how the linux-malware repo came to take shape and how I've used it to inform both MITRE and Cisco's view on adversarial behaviour over the last three years.
The session will cover:

  • Introducing linux-malware - what is it and why might both red and blue want to pay attention?
  • Automating the TI pipeline - applying custom analytics to someone else's DFIR report?
  • What new threats should you worry about and why - Linux is unhackable, right?
  • Building better detections - how can you figure out whether you're exposed?

Takeaways will include:

  • A summary of the Linux threat landscape
  • Just because we're not looking for the bad guys, doesn't mean they're not there
  • Attackers will use the easiest TTP that gets them to a root prompt
  • If you're running adversary simulations, here are some non-Windows TTPs you should consider
  • If you're playing defence, this is how you develop behavioural IOCs and tools to leverage them

Tim joined Cisco as part of their acquisition of Portcullis for whom he worked for almost 12 years, primarily focussed on UK CNI. 8 years on, Tim has contributed to a number of Cisco’s services programmes relating to risk and compliance, secure development and threat-informed defense. In the last year, Tim has been focussed on developing Cisco's strategic response to the NIS2 Directive, DORA and the Telecom Security Act.

Outside of the customer-driven realm of information assurance, Tim is also a prolific offensive researcher with papers on UNIX, Windows and web application security to his name. Tim is credited with publishing almost 150 vulnerability advisories and is a regular contributor to MITRE ATT&CK, acting as an SME for Linux techniques. Tim particularly likes to bug hunt enterprise UNIX solutions.