Addressing Intelligence Gaps


Time: 8 hours 5 minutes
Difficulty: Intermediate
CEU/CPE: 9
Video Transcription
00:00
>> Welcome to Lesson 2.6, Addressing Intelligence Gaps. During this lesson, we're going to explore three key objectives. We're going to start by explaining how intelligence gaps adversely affect adversary emulation activities. Next, we will explore techniques and approaches for filling intelligence gaps. Finally, we'll talk about best practices for documenting intelligence gaps and CTI deviations. At the end of this lesson, you'll be prepared to address intelligence gaps as you encounter them over the course of your adversary emulation activities.

Now throughout this course, we've emphasized that adversary emulation is about executing adversary TTPs based on real-world observations and cyber threat intelligence. Now if you practice adversary emulation long enough, you will inevitably encounter intelligence gaps. For example, you might be trying to emulate an adversary exploiting uncommon systems. Think space technology, maybe ICS, or even nuclear systems. Generally, that CTI is less widely available, and it often lacks details compared to more common systems, such as your traditional Windows enterprise.

Sometimes you'll find that you do have CTI, but it lacks details on specific TTP implementations that you are interested in. You see this a lot in CTI articles. As an example, you'll commonly read about how an adversary might have used a Mimikatz variation. These articles don't often go into detail about how this Mimikatz variation was implemented or how it was different, and this forces you to dig a little bit deeper.

To give one last example, you might also encounter confusion regarding adversary attribution. To illustrate, if you were to review some of the existing FIN7 and Carbanak reporting, you'll find that some organizations treat these as the same threat actor, whereas others treat them as separate and distinct groups. This makes it difficult when you're trying to focus on emulating a specific actor of interest; whether you're emulating FIN7 or Carbanak, it's hard to say.

The bottom line is that you will very likely encounter intelligence gaps. These gaps make it difficult to implement rigorous, realistic adversary emulation plans, because fundamentally, how can we emulate what we don't know?

We understand that intelligence gaps can hinder realistic adversary emulation activities. The next question is, what can we do about it? Now, I would argue one of the first things you should do is notify appropriate CTI staff. This could be your own in-house CTI analysts, if your organization has them, or it can mean reaching out to the author of a particular CTI article. Regardless, there are a lot of benefits to reaching out to the appropriate CTI staff. First, you might be able to get an immediate answer to your question. But more broadly, interacting with CTI staff in this manner is fantastic for the analysts, because it gives them feedback that helps them keep their intelligence requirements up-to-date and useful. Stated differently, if a CTI analyst knows what specific things you care about, they're likely to include it in follow-on reporting.

Now you'll find that sometimes CTI articles lack procedure-level details for specific TTPs you're interested in. As a common example, you might read about an adversary using an Office document for spearphishing, but maybe the article doesn't have sufficient information about how the Office document was constructed and how it was weaponized. In this scenario, you might consider reaching out to your malware analysts, if you have them. Malware analysts can often provide detailed technical reports that show exactly how an adversary TTP was implemented and how it works.

Now let's suppose maybe you don't have on-staff malware analysts you can draw from. What can you do then? If you have the skills, you can try to obtain the original adversary malware and analyze it yourself. In fact, I do this quite regularly. The way this works is you'll usually have a CTI report. Reports commonly list file hashes that uniquely identify the malware described in the report. You can then take those file hashes and query them against various malware databases. I listed three malware databases on this slide. These are all freely available, but they do commonly require some level of user registration. The idea is once you have the malware file hashes, you can query them against these different databases, and if the malware sample is present, you can often download the malware, at which point you're free to study and detonate the malware in the confines of your own malware analysis lab.

Now by going through this process, you'll be able to learn exactly how a given TTP was implemented by the malware author. This can be really useful from an adversary emulation perspective. Now please, exercise caution if you're considering doing malware analysis on your own for the purposes of adversary emulation. Recognize that you are playing with fire. You don't want to do this unless you already have the requisite skills and training for malware analysis and reverse engineering, respectively. Having said all that, malware remains an excellent source to help fill CTI gaps when you encounter them.

Let's suppose you reached out to your CTI and malware analysts and you still have significant CTI gaps. What can you do? If you get to this point, it's worth considering if you should emulate a different threat actor. Because remember, we can't emulate what we don't know. If the CTI isn't there, there's only so much you can do.

For the sake of discussion though, we'll assume that you're sticking with your chosen threat actor. What do we do now to address these intelligence gaps? Essentially, you're going to want to document your intelligence gaps and also any deviations and assumptions you may make because of the lack of CTI. This can allow you to fill in gaps based on the CTI you do have, while also drawing from your own experience and project goals. But documentation is key when you do this, because you will have to explain to network owners why you implemented TTPs that aren't reflected in available CTI. If you fail to do this, you can expect network owners will challenge the fidelity of your results. To that point, I encourage you to think hard about how CTI deviations affect the rigor and realism of your adversary emulation projects. Remember that the more you deviate, the greater the risk that your methodology will not be perceived as real-world, and this undermines everything you're trying to do in adversary emulation.

That brings us to the Lesson 2.6 summary. During this lesson, we discussed how to address intelligence gaps. We started by discussing how intelligence gaps make it difficult to implement a realistic adversary emulation plan. We also explored how you can work with your CTI and malware analysts to help fill in intelligence gaps. Finally, we talked about what to do in the absence of CTI, which is to document your gaps, deviations, and assumptions. In that way, you can defend the realism of your adversary emulation plans.

We're now at the end of Module 2, Researching Adversary TTPs. I hope you enjoyed it. Now if you feel like you're ready to prove your mastery of this module's material, please feel encouraged to visit the MITRE ATT&CK Defenders Skills Hub and earn your Researching Adversary TTPs badge.