“Why ATT&CK When You Can Defend?” (Mapping MITRE ATT&CK to the PCI DSS)

Join us on Thursday, June 25th, 2020 at 11:30 as Jeff Man discusses mapping MITRE ATT&CK to the PCI DSS.

MITRE ATT&CK® seems to be the “next big thing”. Every time I hear about it I can’t help but wonder, “how do you prevent all these attacks in the first place? Shouldn’t that be the end game?” To that end, I set out to map all the recommended “Mitigations” for all the “Techniques” detailed in ATT&CK to see how many are already addressed by what is required in the Payment Card Industry Data Security Standard (PCI DSS). My hypothesis was all of them. The results were interesting and a little surprising, and I’m still trying to figure out how to best use the results and subsequently ATT&CK itself. I will present my findings in the briefing and hopefully generate a discussion about what to do with the results.

Jeff Man (@MrJeffMan) is an Information Security advocate, advisor, evangelist, international speaker, keynoter, host of Security & Compliance Weekly, a co-host on Paul’s Security Weekly, Tribe of Hackers, TOH Red Team, TOH Security Leaders, and currently serving in a Consulting/Advisory role for Online Business Systems. Nearly 40 years of experience working in all aspects of computer, network, and information security, including cryptography, risk management, vulnerability analysis, compliance assessment, forensic analysis, and penetration testing. Certified NSA Cryptanalyst. Previously held security research, management, and product development roles with the National Security Agency, the DoD, and private-sector enterprises and was part of the first penetration testing “red team” at NSA. For the past twenty-five years has been a pen tester, security architect, consultant, QSA, and PCI SME, providing consulting and advisory services to many of the nation’s best-known companies.

Jeff Man

Sr. Information Security Consultant / PCI SME

This session will be recorded and a copy of the video will be posted on this page as well as on our YouTube Channel.
