Analyzing Analytics


Time
3 hours 16 minutes
Difficulty
Intermediate
CEU/CPE
2
Video Transcription
>> Welcome to Lesson 4 Module 2 within the ATT&CK-based SOC assessments training course. In this lesson, we're going to talk about how you can analyze analytics to identify the ATT&CK techniques they might be able to detect. This lesson fits into the third phase of our generic ATT&CK-based SOC assessment methodology, and in particular, really breaks it down into the analytics portion of the analyze components phase.

This lesson has two primary learning objectives. Number 1, after the lesson, you should understand why analytics are important with regards to the ATT&CK framework, and number 2, you should know how to analyze analytics to identify the ATT&CK techniques they might be able to detect.

To kick off this lesson, we're going to talk a little bit about analytics, somewhat generically. Generally speaking, analytics are detection rules that are designed to detect specific behaviors. By contrast, signatures tend to hone in on specific indicators or artifacts. There is, of course, some nuance in those definitions. You'll sometimes see people use analytics and signatures interchangeably. But for our purposes, when we refer to analytics, we're really hoping to find those rules that are looking for behavior. There, often you'll find more of the IoC- or artifact-based rules in place.

Functionally, an analytic works relatively straightforwardly. You ingest the data source, you apply a filter to that data source, and then if you match a condition, you create an alert. Here's an example data source taken from the Cyber Analytics Repository. When you look at it, that first line is going to say we're identifying all processes. The second line says we're going to look for specific processes that match this specific condition. The third line is going to apply a separate filter that looks for processes that match a third condition. Then the fourth line is going to give you that conditional output where you get that intersection of lines 2 and 3, and then the last line, line number 5, is going to just say, hey, output that last conditional intersection that we found.

Why are analytics important for assessments? Well, a lot of SOCs are already running some kinds of analytics. They might not necessarily be strictly behavior-based, but even if they're artifact-based, they might be able to pick up potential behavior. Looking at these can allow us to potentially figure out what gaps the SOC has identified and where they've been trying to fill things in. Really, from an assessment's perspective, each analytic can potentially detect an ATT&CK technique even if it is IoC- or artifact-based, and so if we map those custom analytics, we can then create a coverage map showing some of what the SOC might be able to cover. For those SOCs that already do that, those that are using ATT&CK, that are tying their analytics to the techniques that they might detect, that's great. You don't necessarily need to run through this process. But if you're doing this for a SOC that isn't yet tying their analytics to ATT&CK, this is really a great opportunity to understand how what you've previously been doing relates to the ATT&CK framework, really allowing you to understand how your prior mindset maps to adopting a threat-informed defense.

We've come up with a process that is relatively repeatable to analyze analytics to understand the techniques they might be able to detect. First, you find the data source the analytic is keying off of. Second, you'll try to determine in words what each filter is doing. This is important just because when you're looking at analytics, you'll often find different syntaxes, different formats, and it's sometimes hard to think about it in terms of code, but easier to determine what it's doing when you're thinking about it in words. Then you'll look at that filter and map any identifiers like strings or numbers in that filter back to the ATT&CK framework. Here you can look up these identifiers in the ATT&CK framework itself or consult third-party sources. You can also look at metadata for clues. Sometimes you'll get the name of an analytic and that can help you understand what the SOC was going for there. Then importantly, if you're looking for stuff and you don't find anything, it's okay to ignore it. A lot of analytics might not map to specific behaviors. Then for each technique that's identified by a filter in an analytic, try to gauge coverage. Really, you need to read the ATT&CK page to help you gauge fidelity, but part of this is also setting a good coverage rubric for how you want to gauge fidelity. A couple of examples: something basic is, this analytic is likely or unlikely to see the technique. Something useful but simple is that high, medium, or low confidence of detection that we like to use. Something more advanced is, say, quantitative: this analytic provides 66 out of 100 detection coverage.

Let's now walk through an example where we're doing a little bit of analysis. This is another analytic taken from the Cyber Analytics Repository. Here we're going to see that first line. We're going to see "processes"; that's going to map to process monitoring. This second line is the filter. When you dive into it and you put it in words, you're going to say, this is returning all processes spawned by regsvr32, but not itself. It's again a little daunting when you first look at it, but when you put it into words, it's a little bit easier to understand. When you look up regsvr32.exe on the ATT&CK framework website, you immediately see this maps to Regsvr32, a specific sub-technique. Then when you read the ATT&CK page, you can see this is going to provide pretty good coverage of it.

Here's another analytic taken from the Sigma repository. It's a little bit of a different syntax as you can see here, but we can walk through the same process. Here we're going to look at these two lines and see this is referring to Sysmon EventID 13. We'll consult the ATT&CKdatamap project to see that that actually maps to a registry event, and we can conclude that this maps to a specific Windows registry data source. For step 2, we're going to look at these three lines here. These are filters looking for specific Windows registry modifications, and what we can do is look for those specific registry entries, or actually these little identifiers here. Here we've highlighted Image File Execution Options as one of the identifiers to look for, and what's nice is you put this into your ATT&CK framework and you can immediately find a technique, the Image File Execution Options Injection sub-technique.

>> When you read through the page, you'll find that it provides some good coverage of it just because that specific registry event or registry key is indeed named on the page. Now, these two examples were pretty easy, but sometimes things can get hard. Let's look at this previous analytic that we just analyzed and then see what happens
>> if, say, we take out the first line.
>> Now, we've only got these bottom two lines to look up when we're trying to understand what technique this might detect. Here, this gives us three potential identifiers: ReportingMode, SilentProcessExit and MonitorProcess. Unfortunately, when you look each of these up in the ATT&CK framework, you don't get anything. They don't show up on any pages, or at least in the ATT&CK search bar. What we can do to fix this is to use Google. It actually makes things a lot easier. For SilentProcessExit, what we can do is do a little bit more of an advanced search on the ATT&CK website. This provides a little bit more in-depth capabilities. Here, we're going to take the SilentProcessExit string, put it in quotes, and then restrict our search just to the ATT&CK website itself. When you do that, you see that the Image File Execution Options technique comes up right away. For ReportingMode, we can do the same thing, but unfortunately nothing comes up. Instead, we do a different query where we just do ReportingMode and then we put the ATT&CK identifier next to it. Now, we're just looking for the two together, not necessarily just on the ATT&CK website. Here, we can identify a website that indeed does mention this string in conjunction with the ATT&CK framework, and indeed it does point to the Image File Execution Options technique.

Now, let's walk through a couple of analytics to do some mapping just as exercises. Your task is to look at the analytic here and try to figure out what technique or techniques it might be able to detect. Pause the video; when you come back, we'll walk through a potential solution.

Welcome back. This analytic is fairly straightforward; it's from the Cyber Analytics Repository. You can see the URL in the upper right. It's definitely not a complex one. Here the first line is going to look at data sources. We're going to see process monitoring again. Our filter is looking for any exe with cmd.exe as the match. Then when you look up this string, this cmd.exe string, in the ATT&CK website, you get the Windows Command Shell sub-technique. Then you'll see when you read through the page that it provides some coverage of it. We say some coverage here just because there's lots of false positives, just because sometimes cmd.exe is used, not nefariously. Now, what's interesting about this exercise is you can look at this another way too. When we look up cmd.exe in the ATT&CK website, we actually see another entry for the cmd software. This is also a valid solution to this problem as well, in that what we can say is, oh, if it maps to this software, you might detect the software. Then when you look up the software on the ATT&CK website, you can see that it detects basically half a dozen different other techniques. Then you will say, okay, since we're only looking at the software as it's executing them, again, it's more of a maybe artifact-based detection here. We're going to provide maybe a little bit or some coverage of some of these. It really depends on the context in which these techniques are being executed.

Here's another example. This one is taken from the Sigma repository. We've grayed out the URL a little bit just because it gives it away right away. This one is a little bit more complex, but feel free to take a look and try to figure out which technique this analytic might be able to detect. Once we come back, we'll walk through how we look at this and what the solution might be.

Welcome back. We're going to walk through this one. As you can see, right away, we see category file event; that one's going to map to file monitoring. The filter is looking for any processes launched from the scrcons.exe file. It's very specific there. That gives us really one main identifier, that scrcons.exe identifier, but when you look that up on the ATT&CK website, you don't actually get any results. We're going to use our more advanced searching technique and look for it on Google, but restricting our search to the ATT&CK website itself; this does not produce anything. We'll do our even more advanced search query, that is, just do scrcons along with ATT&CK. Here you can see a couple of hits. The first one is this website from Palo Alto Networks. It looks like an analytic. When you look through the description of it, you're going to see, oh, the Windows Management Instrumentation Standard Event Consumer, scrcons.exe, executed a rare VB script or PowerShell script. That immediately says to you, oh, hey, this is some good evidence that this is looking potentially for WMI. Now, when you go and you read the website for the technique, you'll see that it might provide some coverage or maybe low coverage, but it does indeed map to the WMI technique. Here is the URL of the analytic if you want to go take a look on your own.

Summary notes and takeaways to close out this lesson. Number 1, analytics are detection rules designed to identify behaviors. This isn't really the focus of this lesson or of this course itself. Generally, one of your takeaways should be that analytics are detection rules designed to identify behaviors. Many of your existing analytics may already map to the ATT&CK framework, including even some of your signatures. To analyze them, you can follow a relatively straightforward process. Find the data source it's keying off of. Try to determine what each filter is doing within the analytic. Map all identifiers in the filter to the ATT&CK framework, either searching on the ATT&CK website or using a search engine. Then for each technique identified by a filter, try to gauge coverage of that technique. Then of course, record any mappings for the analytics you analyze. Lastly, keep in mind, if you're doing this for the first time, you might not have any good ATT&CK analytics. That's totally okay. A lot of SOCs, when they're just getting started with a threat-based defense or threat-informed defense, are still trying to toe the line of getting into the more behavior-based detection approaches. If you're looking at your analytics and you don't quite have anything keying off of the ATT&CK framework, that's totally okay.