CERIAS Security Seminar Podcast: CERIAS Security Seminar series video podcasts.
- Dave Henthorn, “Educating the Next Generation on the Challenges of Securing Critical Infrastructure” by CERIAS on July 14, 2021 at 5:30 pm
Cyberattacks on critical infrastructure such as power plants, dams, and chemical facilities are increasing in both intensity and sophistication, with attackers actively exploiting the cultural divide between the engineers who design and run these facilities and the cybersecurity people who protect them. At Rose-Hulman, we are building a multidisciplinary Critical Infrastructure Laboratory to bring these groups together with the goal of educating the next generation on the difficulties of designing and securing facilities vital to our national and economic security.
- Winn Schwartau, “Security is Probabilistic, Not Deterministic: Get Over It” by CERIAS on July 7, 2021 at 5:30 pm
Since the inception of computer/data/cyber/network security some fifty years ago, one recurring question has beset our industry: “How do we secure it?” By its very nature, that question has propagated as a harmful meme, by implying that a binary deterministic answer is available, or even possible. This talk examines security through a non-deterministic lens, applying probabilistic and analogue functions to discover new approaches to defending anthro-cyber-kinetic systems.
- Neil Daswani, “Big Breaches: Cybersecurity Lessons For Everyone” by CERIAS on June 30, 2021 at 5:30 pm
This talk covers the key lessons learned and root causes from the biggest mega-breaches and the 9,000+ reported breaches over the past 15 years. By analyzing the histories, stories, and deep dives of breaches such as those at Target, JPMorgan Chase, OPM, Yahoo, Equifax, Facebook, Marriott, Capital One, and the SolarWinds hack, I will also lay the groundwork for a roadmap to recovery based on the root causes.
- Laura Thomas, “National Security Implications of Quantum Technology” by CERIAS on June 23, 2021 at 5:30 pm
Quantum technology will be transformational. When applied, quantum has the power to dramatically improve our society, as well as cause major disruptions on the national security and economic security fronts. This presentation will provide an overview of the fundamentals of quantum technology, to include the three major branches of quantum technology development: quantum computing, quantum sensing, and quantum networking. We will discuss use cases for each and explore where the technology stands today, its commercialization and hardware engineering challenges, and potential pathways for a quantum future.
- Ida Ngambeki, “Understanding the Human Hacker” by CERIAS on June 16, 2021 at 5:30 pm
Social Engineering is employed in 97% of cybersecurity attacks. This makes social engineering penetration testing an important aspect of cybersecurity. Social engineering penetration testing is a specialized area requiring skills and abilities substantially different from other types of penetration testing. Training for social engineering penetration testing as well as understanding what skills, abilities, and personalities make for good social engineers is not well developed. This mixed methods study uses surveys and interviews conducted with social engineering pen testers to examine their pathways into the field, what personality traits contribute to success, what skills and abilities are necessary and what challenges these professionals commonly face. The results are used to make recommendations for training.
- Neil Gong, “Secure Federated Learning” by CERIAS on June 9, 2021 at 5:30 pm
Federated learning is an emerging machine learning paradigm to enable many clients (e.g., smartphones, IoT devices, and edge devices) to collaboratively learn a model, with the help of a server, without sharing their raw local data. Due to its communication efficiency and potential promise of protecting private or proprietary user data, and in light of emerging privacy regulations such as GDPR, federated learning has become a central playground for innovation. However, due to its distributed nature, federated learning is vulnerable to malicious clients. In this talk, we will discuss local model poisoning attacks to federated learning, in which malicious clients send carefully crafted local models or their updates to the server to corrupt the global model. Moreover, we will discuss our work on building federated learning methods that are secure against a bounded number of malicious clients.
- Leigh Metcalf, “The Gauntlet of Cybersecurity Research” by CERIAS on June 2, 2021 at 5:30 pm
Good research has scientific principles driving it. Analysts begin research with a goal in mind and at the same time, they need their research to have a solid foundation. This talk will cover common goals in cybersecurity research and also discuss common pitfalls that can undermine the results of the research. The talk will include many examples illustrating the principles.
- Gary McGraw, “Security Engineering for Machine Learning” by CERIAS on May 26, 2021 at 5:30 pm
Machine Learning appears to have made impressive progress on many tasks including image classification, machine translation, autonomous vehicle control, playing complex games including chess, Go, and Atari video games, and more. This has led to much breathless popular press coverage of Artificial Intelligence, and has elevated deep learning to an almost magical status in the eyes of the public. ML, especially of the deep learning sort, is not magic, however. ML has become so popular that its application, though often poorly understood and partially motivated by hype, is exploding. In my view, this is not necessarily a good thing. I am concerned with the systematic risk invoked by adopting ML in a haphazard fashion. Our research at the Berryville Institute of Machine Learning (BIIML) is focused on understanding and categorizing security engineering risks introduced by ML at the design level. Though the idea of addressing security risk in ML is not a new one, most previous work has focused on either particular attacks against running ML systems (a kind of dynamic analysis) or on operational security issues surrounding ML. This talk focuses on the results of an architectural risk analysis (sometimes called a threat model) of ML systems in general. A list of the top five (of 78 known) ML security risks will be presented.
- Steven Furnell, “Cybersecurity Skills – Easy to say, harder to recognise?” by CERIAS on April 28, 2021 at 8:30 pm
There is no doubt that cybersecurity has risen up the agenda in terms of visibility and importance. Everybody wants it. But do they really know what they want? What does cybersecurity include, and to what extent do qualifications and certifications that claim to cover it actually do so? This talk examines what cybersecurity means in terms of the contributing topics, and in particular how these topics can end up looking substantially different depending upon what source we use as our reference point. The discussion then proceeds to examine how this has knock-on impacts in terms of the qualifications and certifications that may be held by our current and future workforce. All are labelled as ‘cybersecurity’, but to what extent are they covering it, and how can those that need support tell the difference?
- Ira Winkler, “You Can Stop Stupid: Human Security Engineering” by CERIAS on April 21, 2021 at 8:30 pm
While users are responsible for initiating 90%+ of losses, it is not their fault. The entire system is what enables the losses, and the entire system must be designed to prevent them. Drawing lessons from safety science, counterterrorism, and accounting, this presentation details how to expect and stop user-initiated loss.
- Yimin Chen, “Delving into differential privacy and anomaly detection: a meta-learning perspective” by CERIAS on April 14, 2021 at 8:30 pm
In this talk, we explore security and privacy related to meta-learning, a learning paradigm aiming to learn ‘cross-task’ knowledge instead of ‘single-task’ knowledge. From the privacy perspective, we conjecture that meta-learning plays an important role in future federated learning and look into federated meta-learning systems with a differential privacy design for task privacy protection. From the security perspective, we explore anomaly detection for machine learning models. In particular, we explore poisoning attacks on machine learning models in which the poisoning training samples are the anomaly. Inspired by the observation that poisoning samples degrade trained models through overfitting, we exploit meta-training to counteract overfitting, thus enhancing model robustness.
- Tawei (David) Wang, “The Invisible Risks: An Empirical Analysis on Data Sharing Activities and Systemic Risk among the Data Brokers” by CERIAS on April 7, 2021 at 8:30 pm
Data brokers are the major players in the market of collecting, selling, and sharing online user information. Although their practices have raised tremendous privacy concerns, their data collection and sharing activities are still under the veil. The growth of adverse cybersecurity incidents toward the data brokers has led regulators, including California and Vermont, to require the data brokers to register and disclose their activities. This paper analyzes the leaked information on the dark web to analyze the data sharing and collection activities among the data brokers. Specifically, we cluster the data brokers based on their data collection activities given by their product descriptions to quantify the activity proximity. Next, we empirically examine how activity proximity leads to co-occurrence in the leaked information on the dark web. We further discuss the deterrence effect of the data broker registration on information leakage. Our study contributes to the cybersecurity assurance and risk assessment literature by unveiling the shadowy data-collecting and data-sharing market.
- Frederick Scholl, “Cybercrime: A Proposed Solution” by CERIAS on March 31, 2021 at 8:30 pm
Modern cybercrimes are responsible for $400B of losses on an annual basis. Headlines appear regularly announcing major breaches. Yet few people and businesses understand what happened in such incidents and how to avoid being a victim themselves. The security industry does provide analyses of breach statistics, but effective preventative measures can be lost in the numbers. Virtually all breaches result from technology failure combined with people failure. This presentation will look at actual recent cybercrimes in order to document what happened and what could have prevented that incident. Who carried out the breach? What did they do? What was taken? How could it have been stopped? What was the story behind the breach? Attack types include ransomware, business email compromise, intellectual property theft and breach of Personally Identifiable Information. By being more familiar with current successful threats and breaches you will:
  - Be able to avoid high risk activities, if possible
  - Be able to be better prepared to stop such an attack against you or your organization
  - Be able to optimize security spending and resources for actual attack patterns
This presentation is designed for both security professionals and business professionals who want to better secure their assets and processes against the increasing number of cyber criminals.
- Jack Daniel, “The Shoulders of InfoSec” by CERIAS on March 24, 2021 at 8:30 pm
The nature of cybersecurity and modern life is such that we feel pressured to run just to keep up. This leaves us no time to look back and reflect on how we got where we are as an industry and field of study, nor to learn about the people who led the way. In this presentation we will dig into the stories of some of the people who were foundational in the field we now call cybersecurity, some well-known, others obscure.
- Santiago Torres-Arias, “Practical Software Supply Chain Security and Transparency” by CERIAS on March 17, 2021 at 8:30 pm
The software development process, or software supply chain, is quite complex and involves a number of independent actors. This ever-growing complexity has led to various software supply chain compromises: from XCodeGhost injecting malware into millions of apps, to the highly-publicized SolarWinds compromise. In this talk, Santiago will introduce various research challenges, as well as attempts from both Open Source and Industry, such as SigStore, CoSign and in-toto, to protect millions of users across the globe.
- Greg Akers, “SDN/NFV in the ICS, SCADA and Manufacturing World as a Cyber Security Tool” by CERIAS on March 10, 2021 at 9:30 pm
A discussion about where we are in the commercial SDN/NFV world today and where we are headed. What are the next generation threats beyond where we are today, and how may software definability be an asset in the defender’s toolkit? Also looking at the intersection point between SDN/NFV and AI/ML: how this changes the defense calculus and alters the attack surface, and what capabilities we need to develop in the practitioner, consumer and defender worlds.
- Randall Brooks, “Cyber Supply Chain Risk Management (SCRM) and its impact on Information and Operational Technology (IT/OT)” by CERIAS on March 3, 2021 at 9:30 pm
In a growing interdependent marketplace, it is nearly impossible to develop every part or component in house. Electronics are nearly entirely manufactured offshore. Concerns have risen about the trustworthiness of electronics that may contain extra or potentially malicious functionality. Traditional supply chain risk management only deals with the supplier’s ability to deliver a product on time and within budget. Cyber aspects focus on the trustworthiness of the product that was delivered. Those vendors that are themselves procuring products, such as test systems or subtractive or additive manufacturing equipment, are now concerned that the products they are producing are affected by Cyber Supply Chain Risk Management (C-SCRM).
- Caroline Wong, “Security Industry Context” by CERIAS on February 24, 2021 at 9:30 pm
Join Caroline Wong, Cobalt.io’s head of Security and People, for a unique perspective on the role of humans in cybersecurity.
- Cory Doctorow, “Technology, Self-Determination, and the Future of the Future” by CERIAS on February 17, 2021 at 9:30 pm
Self-determination is the key to human thriving; it’s also the enemy of both dictatorships and monopolies. It’s no coincidence that the commercial imperatives of tech monopolies create the infrastructure for political oppression. The public-private partnership from hell looks like this: companies install surveillance and other systems of control to extract higher rents from their customers and ward off competitors. Then states seize that surveillance and control apparatus to gain and consolidate power. That’s the bad news. The good news is that it means that those of us fighting dictatorships have natural allegiances with those fighting monopolies — and vice versa.
- Levi Lloyd, “Securing the Software Supply Chain” by CERIAS on February 10, 2021 at 9:30 pm
In December 2020, FireEye discovered a supply chain attack against the SolarWinds Orion network management system. The impact of this event has caused the cybersecurity community to reevaluate how we think about threats coming from the software supply chain. At Lawrence Livermore National Laboratory we have been developing software assurance tools for many years to automate the analysis of software to enable asset owners and operators to make sound decisions about the software in their environments. In this presentation, I will describe this effort, talk about some of our tools, and discuss ways to mitigate future supply chain attacks.
- Steve Lipner, “Lessons Learned – Fifty Years of Mistakes in Cybersecurity” by CERIAS on February 3, 2021 at 9:30 pm
Over fifty years, I’ve led a lot of security projects that I thought would change the world. Many of them crashed and burned at great cost in money and reputation. There were some common threads including reliance on government claims about the market and on minimal secure systems built from scratch. This talk will describe some failures, some lessons learned the hard way, and how they paid off.
- Scott Shackelford, “The Internet of Things: What Everyone Needs to Know” by CERIAS on January 27, 2021 at 9:30 pm
The Internet of Things (IoT) is the notion that nearly everything we use, from gym shorts to streetlights, will soon be connected to the Internet. Industry and financial analysts have predicted that the number of Internet-enabled devices will increase from 11 billion to upwards of 25 billion in coming years. Regardless of the number, the end result looks to be a mind-boggling explosion in Internet connected stuff. Yet, there has been relatively little attention paid to how we should go about regulating smart devices, and still less about how cybersecurity should be enhanced. Similarly, now that everything from refrigerators to stock exchanges can be connected to a ubiquitous Internet, how can we better safeguard privacy across networks and borders? This talk will explore these issues by pulling from the recently published book, ‘The Internet of Things: What Everyone Needs to Know.’ Our discussion will also be couched by the findings of a recent report for the Indiana Executive Council on Cybersecurity entitled, ‘State of Hoosier Cybersecurity 2020.’
- Adwait Nadkarni, “Building Practical Security Systems for the Post-App Smart Home” by CERIAS on January 20, 2021 at 9:30 pm
Modern end-user computing platforms such as smartphones (e.g., Android and iOS) and smart home systems (e.g., SmartThings and NEST) provide programmable interfaces for third-party integration, enabling expressive and popular functionality that is often manifested in applications, or apps. Thus, for the last decade, designing security systems to analyze apps for vulnerabilities or unwanted behavior has been a major focus within the security community. This approach has continued well into the smart home, with researchers developing systems inspired by lessons from Android security to inspect IoT apps developed for popular platforms such as SmartThings. However, emerging characteristics of smart home ecosystems indicate that IoT apps may not represent automation in real homes, and may even be unavailable in the near future. That is, while API misuse by third-party developers is an important problem, the approach of analyzing/instrumenting IoT apps may not offer an effective or sustainable solution. In this talk, I will describe the challenges for research in the backdrop of the unsuitability of IoT apps for practical security analysis, and motivate three alternate research directions. First, I will describe the need to develop an alternative artifact for security analysis that is representative of automation usage in the wild. To this end, I will introduce Helion, a system that uses statistical language modeling to generate natural home automation scenarios, i.e., realistic event sequences that are closely aligned with the real home automation usage in end-user homes, which can be used for security or safety analysis. Second, I will illustrate the need to improve the security of mobile companion apps, which often form the weakest link in smart home deployments, and the important position of security analysis/compliance tools in ensuring the development of secure companion apps. To this end, I will present the mSE framework, which automatically and rigorously evaluates static program analysis-based security systems using mutation testing. Our work on mSE (and its successor, MASC) culminated in the discovery of critical security flaws in popular tools such as FlowDroid, CryptoGuard, Argus, and Coverity that affect the reliability and soundness of their analysis. Finally, I will conclude the talk by describing our current efforts to build system-level defenses into IoT platforms that are agnostic to IoT apps, i.e., independent of their visibility or mutability, thereby potentially providing a lasting solution to API misuse by third-party developers.
- Lorrie Cranor, “Security and Privacy for Humans” by CERIAS on December 9, 2020 at 9:30 pm
Traditionally, security and privacy research focused mostly on technical mechanisms and was based on the naive assumptions that Alice and Bob were capable, attentive, and willing to jump through any number of hoops to communicate securely. However, about 20 years ago that started to change when a seminal paper asked “Why Johnny Can’t Encrypt” and called for usability evaluations and usable design strategies for security. Today a substantial body of interdisciplinary literature exists on usability evaluations and design strategies for both security and privacy. Nonetheless, it is still difficult for most people to encrypt their email, manage their passwords, and configure their social network privacy settings. In this talk I will highlight some of the lessons learned from the past 20 years of usable privacy and security research, and explore where the field might be headed.
- Kimberly Ferguson-Walter, “Maximizing Cyber Deception to Improve Security: An Empirical Analysis” by CERIAS on December 2, 2020 at 9:30 pm
The threat of cyber attacks is a growing concern across the world, leading to an increasing need for sophisticated cyber defense techniques that leverage the defender’s “home field advantage”. We designed the Tularosa Study to understand how defensive deception, both cyber and psychological, affects cyber attackers. Over 130 professional red teamers participated in a network penetration test over two days in which both the presence of and explicit mention of deceptive defensive techniques were controlled. To our knowledge, this represents the largest study of its kind ever conducted on a skilled red team population. The design was conducted with a battery of questionnaires (e.g., experience, personality, etc.) and cognitive tasks (e.g., fluid intelligence, working memory, etc.), allowing for the characterization of a “typical” red teamer, as well as physiological measures (e.g., galvanic skin response, heart rate, etc.) to be correlated with the cyber events. Preliminary results support a new finding that the combination of the presence of deception and the true information that deception is present has the greatest effect on cyber attackers, when compared to a control condition in which no deception was used.
Special Panel: Immediately following Dr. Ferguson-Walter’s seminar, join CERIAS for a unique opportunity to hear six professionals from NSA — including two Purdue alumni — who will share their careers and experiences as cybersecurity researchers and practitioners. The panelists will describe opportunities for students and graduates, and answer questions from the audience about their work and life at NSA. [Note: Only US citizens are able to work at the NSA.]
Topic: What is it like to work at the National Security Agency (NSA)? Register in advance for this webinar: https://purdue-edu.zoom.us/webinar/register/WN_mRCKeiU9TbqNJNxcogddsA After registering, you will receive a confirmation email containing information about joining the webinar.
Eric Bryant is currently serving as a Director of Cybersecurity Operations in the NSA/CSS Cybersecurity Operations Center (NCSOC). In this capacity, he is responsible for leading a diverse team working around the clock to prevent and eradicate cybersecurity threats to the nation. He also serves as NSA’s Academic Liaison to Purdue University, where he graduated with a degree in computer science and is an alumnus of CERIAS.
Dr. Josiah Dykstra is a Technical Fellow and Senior Executive in the Cybersecurity Collaboration Center of the National Security Agency. He holds a Ph.D. in computer science and previously served at NSA as a cyber operator and researcher. Dr. Dykstra is interested in cybersecurity science and how humans intersect with technology. He is the author of numerous peer-reviewed research papers and one book.
Dr. Kimberly Ferguson-Walter is a Senior Research Scientist with NSA’s Laboratory for Advanced Cybersecurity Research where her research focuses on the intersection of computer security, artificial intelligence, and human behavior. She has been focused on adaptive cybersecurity at the NSA for the past ten years and is the lead for the Research Directorate’s deception for cyber-defense effort. She has a Ph.D. in computer science and is currently on joint-duty assignment to the Naval Information Warfare Center Pacific to perform collaborative research and facilitate strategic alignment and technology transfers.
Natalie Janiszewski is a Higher Education Outreach Advocate with NSA’s office of Academic Engagement. Natalie brings over 25 years of educational experience to her role at NSA. She is responsible for maintaining strong relationships with academic institutions to influence curriculum and encourage activities in NSA’s mission-critical areas: science, technology, engineering, math, intelligence analysis, language and cybersecurity. Natalie taught classes in a graduate program for educational technology. Her passion lies in designing environments that facilitate durable, actionable learning for students.
Joel Klasa graduated from Purdue in May 2020 with a degree in computer science and participated in the NSA co-op program throughout his time at Purdue. Upon graduation, he was hired into a development program at the agency and has a current focus of machine learning and artificial intelligence in cybersecurity.
Dr. Celeste Lyn Paul is a senior researcher and technical leader at the National Security Agency. Her work has focused on a broad range of topics including emerging technologies, human factors in security, and more recently, securing cyberspace in outer space.
5:30pm EDT
- Sivaram Ramanathan, “Improving the Accuracy of Blocklists by Aggregation and Address Reuse Detection” by CERIAS on November 18, 2020 at 9:30 pm
IP address blocklists are a useful source of information about repeat attackers. Such information can be used to prioritize which traffic to divert for deeper inspection (e.g., repeat offender traffic), or which traffic to serve first (e.g., traffic from sources that are not blocklisted). But blocklists also suffer from overspecialization — each list is geared towards a specific purpose — and they may be inaccurate due to misclassification or stale information. We propose BLAG, a system that evaluates and aggregates multiple blocklist feeds, producing a more useful, accurate and timely master blocklist, tailored to the specific customer network. BLAG uses a sample of the legitimate sources of the customer network’s inbound traffic to evaluate the accuracy of each blocklist over regions of address space. It then leverages recommendation systems to select the most accurate information to aggregate into its master blocklist. Finally, BLAG identifies portions of the master blocklist that can be expanded into larger address regions (e.g. /24 prefixes) to uncover more malicious addresses with minimum collateral damage. Our evaluation of blocklists of various attack types and three ground-truth datasets shows that BLAG achieves high specificity up to 99%, improves recall by up to 114 times compared to competing approaches, and detects attacks up to 13.7 days faster, which makes it a promising approach for blocklist generation. Although the performance of blocklists can be improved, they need to be used carefully. Blocklists can potentially lead to unjust blocking of legitimate users due to IP address reuse, where more users could be blocked than intended. IP addresses can be reused either at the same time (Network Address Translation) or over time (dynamic addressing). We present two new techniques to identify reused addresses. We built a crawler using the BitTorrent Distributed Hash Table to detect NATed addresses and use the RIPE Atlas measurement logs to detect dynamically allocated address spaces. We then analyze 151 publicly available IPv4 blocklists to show the implications of reused addresses and find that 53–60% of blocklists contain reused addresses, with about 30.6K–45.1K listings of reused addresses. We also find that reused addresses can potentially affect as many as 78 legitimate users for as many as 44 days.
- Abhilasha Bhargav-Spantzel, “Fearless Computing” by CERIAS on November 11, 2020 at 9:30 pm
“Wouldn’t it be great if we could download anything, explore anything and build anything without the annoying feeling that you are going to get hacked?” This was a question from my kids, who are currently in elementary school. Have you experienced similar questions from kids and adults alike? Computing is becoming such an integral part of our lives; wouldn’t it be great to use compute resources fully for all aspects of our lives, including work, education, healthcare and finance, and to be creative and innovate without the constant fear of backlash? This is what we mean by fearless computing: where we investigate how the very design of compute has security and privacy features built into the design of the platform. We will also explore how, through education and awareness, we can help nurture the freedom of thought and innovation to not only protect ourselves but create a cyber talent that builds the next generation of systems and solutions. Join us for a discussion on the technology and solutions that help us work towards our vision for fearless computing.
- Kelley Misata, “Results from the Field: Cybersecurity in Nonprofits and Why it Matters” by CERIAS on November 4, 2020 at 9:30 pm
The last time you gave to a favorite charity, did you think about their cybersecurity? Do you sit on the board of a nonprofit? Are nonprofits using your cybersecurity solutions? The “wild” of the Internet and the continually evolving threat landscape force nonprofits to defend themselves against intrusion and cyber-attacks. Breaking down the myths and assumptions about nonprofits’ cybersecurity, this session spotlights approaches and exciting results from local nonprofit organizations of all sizes. Join us with your favorite nonprofit in mind and walk away with new information about this overlooked business sector and why it matters.
- Yoon Auh, “NUTS: eNcrypted Userdata Transit & Storage; Viewing Data as an Endpoint™ (DaaE) using Structured Cryptography” by CERIAS on October 28, 2020 at 8:30 pm
Can objects be truly secured independently without resorting to a massive central reference monitor? It’s a great question and we will discuss a solution to it called NUTS. During this talk, we’ll take data structures, message protocols and applied cryptography and toss them into the cauldron of reality, sprinkle in some DNA and data management to brew up some Security at the Data Perimeter towards crafting Data as the Endpoint. It sounds like a bad witch’s brew of epic proportions but once we cast the spell, you will see the integration of many CS/CISSP concepts you’ve learned over the years and new ways to use it. Our goal is to make sure that the private individual has the best applied cryptographic technologies at their disposal for free in an unobtrusive way. By the way, a nut is the only secure data structure we know of that can help mitigate insider threats in a purely cryptographic way independent of reference monitors. We’ll also show you how the NUTS Ecosystem can provide Alice with a ransom-ware resistant ‘hot’ system at home using just 2 computers.
- Jeff Man, “Why Attack When You Can Defend” by CERIAS on October 21, 2020 at 8:30 pm
MITRE ATT&CK® seems to be the “next big thing”. Every time I hear about it I can’t help but wonder, “how do you prevent all these attacks in the first place? Shouldn’t that be the end game?” To that end, I set out to map all the recommended “Mitigations” for all the “Techniques” detailed in ATT&CK to see how many are already addressed by what is required in the Payment Card Industry Data Security Standard (PCI DSS). My hypothesis was all of them. The results were interesting and a little surprising, and I’m still trying to figure out how to best use the results and subsequently ATT&CK itself. I will present my findings in the briefing and hopefully generate a discussion about what to do with the results.