Asia-Pacific ATT&CK Community Workshop
March 6, 2025 - March 7, 2025
SINGAPORE | Online
On March 6-7, 2025, hundreds of regional cybersecurity practitioners and avid users of the MITRE ATT&CK® framework will convene in-person and virtually at Changi Business Park Singapore for two days of practitioner-led lightning talks, networking, experiential learning, and more at the second annual Asia-Pacific ATT&CK Community Workshop!

Event Schedule
INFORM Your Defense!
Thursday, March 6 from 1:00 – 5:00 PM (SGT)
Mike Cunningham, R&D Program Manager, Center for Threat-Informed Defense
Threat-Informed Defense (TID) is the systematic application of a deep understanding of adversary tradecraft and technology to improve defenses. This workshop equips participants with the skills and tools needed to evaluate and enhance their team’s TID maturity. The session begins with an exploration of what TID is—and what it is not. Through interactive exercises, participants will identify practical examples of TID and assess how these align with their organization’s SOPs. Contact us to learn more about our threat-informed defense training opportunities.
Welcome and Opening Remarks
Friday, March 7 from 9:00 – 9:10 AM (SGT)
Suneel Sundar, Director, Research and Development, Center for Threat-Informed Defense
Manu Sareen, Director, Singapore Country Technology Head
Keynote Panel - Threat-Inform Your Organization
Friday, March 7 from 9:15 – 9:50 AM (SGT)
Jon Baker, Director, Center for Threat-Informed Defense
Derek Manky, Chief Security Strategist & Global VP Threat Intelligence, Fortinet
David West, Head of Cyber Threat Management, NAB
Mark Wee, Asia Pacific Red Team Manager, Citi
This panel is a unique opportunity to hear from security leaders from global organizations about the need for threat-informed defense, the challenges they have faced advancing threat-informed defense, and the critical role of global collaboration in improving cyber defense. Our executive panelists will discuss the impact of threat-informed defense for their organizations. They will highlight key challenges they faced and how they addressed them as they embraced a threat-informed strategy. Finally, they will share their key recommendations for advancing threat-informed defense within an enterprise.
From Reports to Results: Turning MITRE ATT&CK Insights into Actionable Security Programs
Friday, March 7 from 9:50 – 10:10 AM (SGT)
Shaun Burger, Director of Cyber Assurance, Vectra Corporation
Red team projects provide critical insights into an organisation’s resilience against real-world adversarial tactics, but too often, their results are limited to point-in-time assessments or compliance checkboxes. This presentation focuses on transforming red team findings into actionable insights that drive meaningful change. By aligning outcomes with the MITRE ATT&CK framework, we’ll demonstrate how to move beyond traditional reporting to deliver measurable KPIs that influence long-term security strategies. Attendees will gain practical knowledge on mapping tactics, techniques, and procedures (TTPs) to ATT&CK, enabling them to highlight gaps, prioritise defences, and track progress effectively. The session will also explore methods to integrate these insights into security programs, improving operational decision-making and defensive postures.
Best Practices for Large-Scale Surveys Conducted Based on the M3TID Framework
Friday, March 7 from 10:10 – 10:30 AM (SGT)
Akira Urano, Senior Associate, PwC Consulting, LLC
In April 2024, MITRE released the Threat-Informed Defense framework and maturity assessment model. Originally, this was intended to measure the maturity of an organization’s defense based on threat intelligence, but we thought that by aggregating and analyzing maturity data from many organizations, we could clarify the actual state of Threat Intelligence utilization in Japan. This session will introduce the findings from a survey conducted by PwC Japan in June 2024 on the maturity of Threat-Informed Defense based on the M3TID framework among 200 companies in Japan. We will also share the significance of large-scale surveys and best practices for conducting them, guiding attendees so that they can immediately conduct large-scale surveys in their own countries after returning home.
SigmaGen: AI-Powered Sigma Rule Generation Aligned with MITRE ATT&CK for Enhanced Threat Detection
Friday, March 7 from 10:50 – 11:10 AM (SGT)
Giang Pham, Cloud Security Engineer, FPT Software
Tung Nguyen, Cloud Security Engineer, FPT Software
SigmaGen bridges the gap between threat intelligence and detection by using fine-tuned large language models to automate the generation of Sigma rules aligned with MITRE ATT&CK®. Processing unstructured threat intelligence, like security blogs and incident reports, SigmaGen extracts actionable insights and maps them to ATT&CK techniques, providing security teams with precise detection capabilities. In this session, I’ll introduce SigmaGen’s architecture, highlight its approach to mapping ATT&CK techniques dynamically, and showcase its impact on enhancing threat-informed defense. Attendees will learn practical methods for integrating ATT&CK-aligned Sigma rules into their SOC workflows, gain insight into automated rule updating, and see how AI can streamline threat detection and response.
MITRE ATT&CK Driven Threat Hunting Automated by Local LLM
Friday, March 7 from 11:10 - 11:30 AM (SGT)
Jun Miura, Researcher, Fujitsu Defense & National Security Limited
Toshitaka Satomi, Researcher, Fujitsu Defense & National Security Limited
Eri Miura, Fujitsu Defense & National Security Limited
Threat hunting is a proactive approach for identifying undetected threats within an organization’s environment, and there are various proposed ways to perform it. In this presentation, based on the concept of Summiting the Pyramid, MITRE ATT&CK driven threat hunting is proposed. One of the goals of this threat hunting is to automatically generate Sigma rules for hunting particular TTPs in MITRE ATT&CK, which is achieved with a Large Language Model (LLM) and Retrieval-Augmented Generation (RAG). The speakers provide the results, know-how and tips obtained by developing the application in the presentation.
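Both of the preceding sessions describe generating ATT&CK-aligned Sigma rules automatically. Before such a rule reaches a SOC pipeline, a practitioner wants two things: a check that the generated rule is well-formed and carries valid ATT&CK tags (Sigma's `attack.<tactic>` and `attack.tNNNN[.NNN]` convention), and a dry run against sample events. The following Python is an added example written for this page, not code from SigmaGen, the Fujitsu project, or the Sigma project. The rule, the events, and the allow-listed parent process are constructed; the rule is shown as the parsed form of a Sigma YAML file, and the evaluator supports only a subset of Sigma (the `contains`/`startswith`/`endswith` modifiers and the common `selection and not filter` condition), which is an assumption for illustration.

```python
import re

# Constructed example rule (parsed form of a Sigma YAML file), as an LLM
# pipeline might emit it: PowerShell launched with an encoded command line.
RULE = {
    "title": "PowerShell Encoded Command Line",
    "status": "experimental",
    "logsource": {"category": "process_creation", "product": "windows"},
    "detection": {
        "selection": {
            "Image|endswith": "\\powershell.exe",
            "CommandLine|contains": ["-enc ", "-EncodedCommand "],
        },
        # Hypothetical allow-listed management agent; a filter search.
        "filter_admin_tooling": {"ParentImage|endswith": "\\sccm_agent.exe"},
        "condition": "selection and not filter_admin_tooling",
    },
    "tags": ["attack.execution", "attack.t1059.001",
             "attack.defense_evasion", "attack.t1027"],
}

# Constructed process-creation events (Sysmon-style field names).
EVENTS = [
    {"id": 1, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoA",
     "ParentImage": "C:\\Windows\\System32\\cmd.exe"},
    {"id": 2, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": "powershell.exe -File backup.ps1",
     "ParentImage": "C:\\Windows\\explorer.exe"},
    {"id": 3, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": "powershell.exe -EncodedCommand SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoA",
     "ParentImage": "C:\\Program Files\\SCCM\\sccm_agent.exe"},
    {"id": 4, "Image": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "cmd.exe /c whoami", "ParentImage": "C:\\Windows\\explorer.exe"},
]

TACTICS = {"reconnaissance", "resource_development", "initial_access", "execution",
           "persistence", "privilege_escalation", "defense_evasion", "credential_access",
           "discovery", "lateral_movement", "collection", "command_and_control",
           "exfiltration", "impact"}
TECHNIQUE_TAG = re.compile(r"^attack\.t\d{4}(?:\.\d{3})?$")


def validate_rule(rule):
    """Return a list of problems; an empty list means the rule passes the checks."""
    problems = [f"missing top-level key: {k}" for k in ("title", "logsource", "detection") if k not in rule]
    det = rule.get("detection", {})
    cond = det.get("condition")
    if not cond:
        problems.append("detection has no condition")
    else:
        for name in re.findall(r"[A-Za-z_][A-Za-z0-9_]*", cond):
            if name not in ("and", "or", "not") and name not in det:
                problems.append(f"condition references unknown search identifier: {name}")
    tags = rule.get("tags", [])
    if not any(TECHNIQUE_TAG.match(t) for t in tags):
        problems.append("no attack.tNNNN technique tag")
    for t in tags:
        if t.startswith("attack.") and not TECHNIQUE_TAG.match(t) and t[7:] not in TACTICS:
            problems.append(f"unknown ATT&CK tag: {t}")
    return problems


def technique_ids(rule):
    """ATT&CK technique IDs carried by the rule's tags, e.g. ['T1059.001', 'T1027']."""
    return [t.split(".", 1)[1].upper() for t in rule.get("tags", []) if TECHNIQUE_TAG.match(t)]


def _field_matches(event, spec_key, expected):
    # Sigma string matching is case-insensitive; a list value is an OR of alternatives.
    field, _, modifier = spec_key.partition("|")
    value = str(event.get(field, "")).lower()
    for cand in (expected if isinstance(expected, list) else [expected]):
        cand = str(cand).lower()
        if (modifier == "contains" and cand in value) or (modifier == "endswith" and value.endswith(cand)) \
                or (modifier == "startswith" and value.startswith(cand)) or (modifier == "" and value == cand):
            return True
    return False


def _search_matches(event, search):
    # Every field in a search map must match (AND).
    return all(_field_matches(event, k, v) for k, v in search.items())


def rule_matches(rule, event):
    det = rule["detection"]
    m = re.fullmatch(r"(\w+)(?:\s+and\s+not\s+(\w+))?", det["condition"].strip())
    if not m:
        raise ValueError(f"unsupported condition: {det['condition']}")
    hit = _search_matches(event, det[m.group(1)])
    if hit and m.group(2):
        hit = not _search_matches(event, det[m.group(2)])
    return hit


def evaluate(rule, events):
    """Validate, then return (event id, technique IDs) for every matching event."""
    problems = validate_rule(rule)
    if problems:
        raise ValueError("; ".join(problems))
    techs = technique_ids(rule)
    return [(e["id"], techs) for e in events if rule_matches(rule, e)]


if __name__ == "__main__":
    for event_id, techs in evaluate(RULE, EVENTS):
        print(f"event {event_id} -> {', '.join(techs)}")
```

Only event 1 fires: event 2 has no encoded command, event 3 is suppressed by the filter, and event 4 is not PowerShell. The validation step is where a generated rule most often fails in practice, typically with a condition that references a search the model never wrote, or a tag that is not a real tactic name.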
Accelerating Identification of ATT&CK Techniques in Threat Intelligence Reports
Friday, March 7 from 11:30 – 11:50 AM (SGT)
Sareena Karapoola, Senior Technical Manager, NEC Corporation
Takahiro Kakumaru, NEC Corporation
NEC has constantly endeavored to leverage MITRE ATT&CK to enhance threat intelligence. Since 2020, NEC has regularly analyzed emerging threat reports to glean cyber threat intelligence, including Indicators of Compromise (IOCs) and attack patterns. We also identify novel techniques, sub-techniques, software, groups and campaigns, and propose our findings as recommendations to the MITRE ATT&CK Framework. To date, 53 recommendations from NEC have been published in the ATT&CK Framework from version 9 to 16. The instrumental tool enabling our analysis and submission is the Threat Report ATT&CK Mapper (TRAM), which we have extensively customized to align with our specific operational needs. TRAM automates mapping of threat reports to ATT&CK techniques, reducing human effort in analysis and validation. However, the limited capability of the SciBERT model, which predicts only 50 techniques, resulted in significant human effort to validate the mapping of the 200+ techniques frequently observed in threat reports. Hence, to improve the efficiency of mapping while also catering to a larger set of techniques, we have implemented a GPT-2 based model to map sentences to ATT&CK techniques. We observe that GPT-2 outperformed SciBERT in multi-label classification, achieving an accuracy of 78.4% in predicting 236 techniques, as compared to 32.3% for SciBERT.
ATT&CKLens: Visualizing and Predicting Cyber Threats with AI
Friday, March 7 from 11:50 AM – 12:10 PM (SGT)
Shankar Murali, Associate Vice President, Standard Chartered Bank
Krishna Chaitanya Yeleswarapu, Senior Manager, Standard Chartered Bank
The ATT&CK LENS framework introduces an innovative approach to cybersecurity analysis by leveraging advanced artificial intelligence (AI) for dynamic visualization and exploration of the MITRE ATT&CK framework. Designed to address the growing complexity of cyber threat data, ATT&CK LENS enables cybersecurity professionals to analyze and visualize relationships between threat actors, malware, campaigns, and their associated techniques and tactics with unprecedented ease and precision.
Leveraging the MITRE ATT&CK Framework for Deception-Based Active Cyber Defense
Friday, March 7 from 12:10 - 12:30 PM (SGT)
Rajendra Arcot Gopalakrishna, Co-Founder, Acalvio Technologies Inc
This presentation explores a novel application of the MITRE ATT&CK framework in enabling Deception-Based Active Cyber Defense (ACD) as part of a threat-informed defense strategy. Specifically, it delves into how the MITRE ATT&CK knowledge base can be utilized to guide the strategic deployment of deception artifacts such as honey accounts and honeytokens to hasten threat detection and rapid mitigation capabilities.
MITRE ATT&CK Roadmap
Friday, March 7 from 1:30 pm - 1:50 PM (SGT)
Lauren Lusty, Lead Cyber Operations Engineer, MITRE
Maturing Threat Informed Adversary Emulation with ATT&CK
Friday, March 7 from 1:50 – 2:10 PM (SGT)
Crys Tan, Adversary Emulation Lead, Citi
Threat-informed defence is an increasingly important topic that addresses the importance of making efficient use of defenders’ resources in a world where cyber attacks are happening more frequently. While much of the emphasis has been placed on defensive measures, it is equally important to assess the defences deployed to ensure they work as promised. Attendees will leave with practical knowledge on applying an adversary emulation approach to red teaming, understanding its value, and integrating it with existing offensive security programs for a robust threat detection strategy.
Breached by borderless adversaries: Cyber threat actors in the Asia-Pacific
Friday, March 7 from 2:10 – 2:30 PM (SGT)
Abhijith B R, Founder, Adversary Village
Cyber Threat Actors Targeting Asia-Pacific’s Cyberspace explores the invisible yet relentless cyber adversaries focusing on the Asia-Pacific region. This talk delves into the evolving techniques, tactics, and case studies involving groups actively attempting to breach the region’s cyber ecosystem. We’ll discuss the offensive strategies employed by these malicious actors, examining how they adapt their approaches to evade traditional cybersecurity defenses. From advanced persistent threats and supply chain compromises to zero-day exploits, these sophisticated groups leverage cutting-edge methods to infiltrate critical infrastructure.
Unmasking MSC Files: A Deep Dive into Emerging APT Tactics and Advanced Weaponization
Friday, March 7 from 2:30 – 2:50 PM (SGT)
Douglas Santos, Director, Threat Intelligence, Fortinet
As the cyber threat landscape evolves, so do the techniques of Advanced Persistent Threats (APTs). With Microsoft Office macros increasingly disabled, threat actors have shifted to novel delivery methods. Among these, Microsoft Common Console (MSC) files have emerged as a potent tool for malware delivery and persistence in Windows environments, yet they remain underexplored. By attending this session, security researchers, malware analysts, and threat analysts will gain essential knowledge of this emerging threat vector. You’ll leave equipped with the tools and insights needed to counter evolving APT tactics and strengthen your defenses against these advanced threats.
The Zombie App-ocalypse: Game Theory for Disrupting Dormant and Orphaned Cloud Identities
Friday, March 7 from 9:15 – 9:50 AM (SGT)
Joshua Bahirvani, Senior Security Researcher, Microsoft
Shaleen Dev P.K., Senior Security Researcher, Microsoft
Advanced Persistent Threats (APTs) like Midnight Blizzard and Antique Typhoon underscore why identity has become the new security perimeter in today’s cloud landscape. As organizations shift from legacy systems to hybrid and multi-cloud environments, managing Identity and Access Management (IAM) grows increasingly complex, especially with Non-Human Identities (NHIs) such as application identities, service accounts, and automated agents. Mismanaged NHIs can act like White Walkers in the cloud: dormant or orphaned, yet retaining elevated permissions, persistent credentials, and long-lived certificates that adversaries can exploit. This talk presents a framework for detection, posture, and most importantly phased disruption of NHIs to limit threat actors’ access while minimizing impacts on users and business operations. Attendees will be guided through this epic narrative of the cloud attack surface with accompanying open-source resources from the above example to implement, plus a sprinkle of memes and a season-ending cliffhanger that leaves everyone wanting more.
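The abstract names the three signals that make an NHI dangerous (dormant, orphaned, still privileged with live credentials) and calls for phased rather than immediate disruption. The Python below is an added example written for this page; it is not the speakers' framework or their open-source resources, and the thresholds, role list, phase names and the inventory are all constructed assumptions. It shows one way to turn those three signals into a ranked, phase-by-phase triage so that the most dangerous identities are disabled first and the rest are restricted or handed back to an owner.

```python
from datetime import date

# Assumptions for this example: inactivity threshold and which roles count as elevated.
TODAY = date(2025, 3, 7)
DORMANT_AFTER_DAYS = 90
PRIVILEGED_ROLES = {"Owner", "Contributor", "User Access Administrator",
                    "Global Administrator", "Application Administrator"}

# Constructed inventory of non-human identities (service principals / app registrations).
INVENTORY = [
    {"id": "sp-ci-deploy", "owner": "alice", "owner_active": True,
     "last_sign_in": date(2025, 3, 1), "roles": ["Contributor"],
     "credentials": [{"type": "certificate", "expires": date(2026, 1, 1)}]},
    {"id": "sp-legacy-etl", "owner": "bob", "owner_active": False,   # owner has left
     "last_sign_in": date(2024, 6, 15), "roles": ["Global Administrator"],
     "credentials": [{"type": "secret", "expires": date(2027, 1, 1)}]},
    {"id": "sp-report-bot", "owner": "carol", "owner_active": True,
     "last_sign_in": None, "roles": ["Reader"], "credentials": []},  # never used
    {"id": "sp-backup", "owner": "dave", "owner_active": True,
     "last_sign_in": date(2024, 11, 20), "roles": ["Owner"],
     "credentials": [{"type": "secret", "expires": date(2025, 12, 1)}]},
]

# Disruption phases, most to least aggressive (names are this example's, not the talk's).
PHASE_ORDER = {"disable": 0, "restrict": 1, "delete": 2, "notify": 3, "monitor": 4}


def live_credentials(nhi, today=TODAY):
    """Credentials that can still authenticate today."""
    return [c for c in nhi["credentials"] if c["expires"] > today]


def assess(nhi, today=TODAY):
    """Flag the three risk signals and pick a disruption phase for one identity."""
    last = nhi["last_sign_in"]
    dormant = last is None or (today - last).days > DORMANT_AFTER_DAYS
    orphaned = nhi["owner"] is None or not nhi["owner_active"]
    privileged = bool(set(nhi["roles"]) & PRIVILEGED_ROLES)
    live = live_credentials(nhi, today)

    if not (dormant or orphaned):
        phase = "monitor"                 # healthy: keep watching sign-in telemetry
    elif privileged and (orphaned or not live):
        phase = "disable"                 # nobody accountable, or no legitimate use; block sign-in now
    elif privileged:
        phase = "restrict"                # strip elevated roles, rotate to short-lived credentials
    elif not live:
        phase = "delete"                  # nothing can authenticate; clean up the object
    else:
        phase = "notify"                  # low privilege but unused: ask the owner to confirm or retire
    return {"id": nhi["id"], "dormant": dormant, "orphaned": orphaned,
            "privileged": privileged, "live_credentials": len(live), "phase": phase}


def triage(inventory, today=TODAY):
    """Assess every identity and order the results by how aggressive the phase is."""
    return sorted((assess(n, today) for n in inventory), key=lambda a: PHASE_ORDER[a["phase"]])


if __name__ == "__main__":
    for row in triage(INVENTORY):
        print(f"{row['phase']:<8} {row['id']:<15} dormant={row['dormant']} "
              f"orphaned={row['orphaned']} privileged={row['privileged']} "
              f"live_credentials={row['live_credentials']}")
```

The ordering is deliberate: an orphaned Global Administrator with a valid secret (`sp-legacy-etl`) is disabled before anything else, while a dormant but owned privileged identity (`sp-backup`) is restricted rather than disabled, so a forgotten but still-needed job fails with a clear permission error instead of silently disappearing.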
TIEing Threats Together: Applying the Technique Inference Engine to enhance detections
Friday, March 7 from 3:35 – 3:55 PM (SGT)
Raymond Schippers, CISO, Huntabil.IT
Compromises rarely occur in isolation; they are the result of attack chains leading to impacts. Understanding these relationships is crucial for effective threat detection and prevention. This talk introduces the practical application of MITRE Engenuity’s Technique Inference Engine (TIE) as a powerful tool for defensive teams to shift left of impact in their detection strategy. We’ll demonstrate how TIE’s graph-based analysis of ATT&CK techniques can illuminate the most likely paths attackers take to achieve specific objectives. By working backwards from potential impacts, security teams can map out probable attack chains and their associated techniques, enabling more comprehensive detection coverage where it matters most.
Unlocking the Power of Threat Intelligence Infused Detections in the SOC
Friday, March 7 from 3:55 – 4:15 PM (SGT)
Ray Huang, Senior Security Architect, Cisco Splunk
Detection engineering is a tedious yet necessary process in any security operations function, needed to maintain the efficacy and validity of detections. This ensures that any triggered detections are worth investigating, rather than bogging analysts down in a sea of false positives. Two great inputs that can contribute to detections of higher efficacy are Cyber Threat Intelligence and Proactive Threat Hunting. In this talk track, we will deep dive into these two key traits. We will also discuss how an LLM can be used to predict MITRE ATT&CK techniques from advisories, contributing to the discovery of available detections that can be operationalised.
Updates from the Center for Threat-Informed Defense
Friday, March 7 from 4:15 – 4:35 PM (SGT)
Jon Baker, Director, Center for Threat-Informed Defense
Closing
Friday, March 7 from 4:35 – 4:50 PM (SGT)
Suneel Sundar, Director, Research and Development, Center for Threat-Informed Defense