Analyzing ATT&CK®-Mapped Data

2 hours 24 minutes
Video Transcription
Now that you've learned a little bit about how to express and store ATT&CK-mapped intel and information, we can move on to learning how to utilize an important tool for analyzing that data in a CTI analysis process. We call this tool the ATT&CK Navigator. The ATT&CK Navigator is designed to provide basic navigation and annotation of the ATT&CK matrices. We're going to practice using it here.
Our objectives for lesson 3.3 include learning how to review the ATT&CK Navigator's basic applications and features, as well as how to prioritize techniques from the different groups that we encounter.
Here we can see a Navigator layer in which the group APT28 has been selected. What this does is it uses data currently mapped in the MITRE ATT&CK framework to show all the TTPs associated with APT28. The highlighted TTPs for APT28 are shaded in blue, and the sub-techniques are shown in the collapsed view.
Now this is a similar view to the previous slide; we've just selected the techniques and sub-techniques for the group APT29. Now the sub-techniques are also shown in the expanded view. They have a little 3D depth to make it a little more clear that they're there.
Once we have these two independent layers in Navigator, we can combine them to see which TTPs are shared between the two different threat groups. Here we can see the overlapping techniques between APT28 and APT29.
This is useful for our CTI analysis because it allows you to prioritize detections based on multiple groups that are more likely to target your organization.
When you first open the ATT&CK Navigator tool, you're presented with a few options for how you can get started. You can either create a new layer by selecting the appropriate domain for your CTI needs, so that can be Enterprise, Mobile or ICS, and you can also add a specific version as well.
The other options you have are to open an existing layer from your system. You can also create another layer from other layers, and you can also create a customized Navigator layer.
To create a layer in Navigator, you simply go to the browser version of Navigator, and you're already presented with the window that has a new layer. To add things to this layer, you can click the select tool and find the preloaded threat groups from the MITRE ATT&CK site, where you can simply select the group that you want in the tool and it will populate the associated techniques. So here we'll select APT28.
Once you've selected the group, you can add a background color. The button for that can be found under the technique controls menu in the top right section. Keep the techniques selected with the color that you've chosen (here we've chosen red), and then you can also add a score under the technique controls menu as well. For this example, we'll enter a score of one to indicate that the technique has been used by this particular group.
Once those steps are complete, we can rename the layer on the top left tab to make it easier for us to remember which group we're tracking here.
Now that we've finished the APT28 layer, we can then open a new tab within Navigator and create an additional layer where you'll find the techniques for the threat group APT29. So let's go ahead and do that now.
We'll go ahead and repeat the same exact process that we did for APT28. So go ahead and select the techniques for APT29, give them a different background color, and this time we'll select a different scoring number to differentiate between the two threat groups and their associated TTPs. So here we can just enter a score of two.
This is probably the most complex feature of the Navigator tool, which is a little bit of an overstatement. We're going to create a third layer by opening a new tab and selecting the option "create layer from other layers". This will allow us to utilize the two layers that we just made and create a single layer for our CTI analysis.
In order to compare the techniques for these different layers, we must enter a simple equation to express the relationship between these two layers that we just made. We can simply type in a + b to combine the scores. You can see the labels for the layers in the top left tab section, in case you need to reference them.
We'll also want to edit the gradient, where you can set a low value of one and a high value of three, which is the combined score for techniques shared by both groups, to create the coloring for a combined heat map layer.
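The "a + b" combination and the 1-to-3 gradient described above, as an added Python example that is not part of this lesson or of the ATT&CK Navigator project: it builds two minimal layer dictionaries (a simplified subset of the Navigator layer file format, which is an assumption of this example), sums the per-technique scores the way the "create layer from other layers" expression does, and shades each technique by interpolating the gradient. The technique IDs are real ATT&CK IDs, but their assignment to APT28 and APT29 here is constructed for illustration and is not taken from the ATT&CK group pages.

```python
import json

# Constructed sample data: real ATT&CK technique IDs, but the group-to-technique
# mapping is illustrative only (not the ATT&CK group pages' data).
APT28_TECHNIQUES = ["T1566.001", "T1059.001", "T1003.001", "T1071.001"]
APT29_TECHNIQUES = ["T1566.001", "T1059.001", "T1078", "T1027"]


def make_layer(name, technique_ids, score, color):
    """Build a minimal Navigator-style layer dict.

    Assumption: only a subset of the real layer file fields is included
    (name, domain, techniques with techniqueID/score/color/enabled).
    """
    return {
        "name": name,
        "domain": "enterprise-attack",
        "techniques": [
            {"techniqueID": tid, "score": score, "color": color, "enabled": True}
            for tid in technique_ids
        ],
    }


def combine_layers(name, a, b):
    """Emulate 'create layer from other layers' with the expression a + b.

    Scores are summed per technique; a technique present in only one source
    layer keeps that layer's score. With scores 1 and 2, shared techniques
    end up at 3, which is why the gradient's high value is set to 3.
    """
    totals = {}
    for layer in (a, b):
        for t in layer["techniques"]:
            totals[t["techniqueID"]] = totals.get(t["techniqueID"], 0) + t["score"]
    return {
        "name": name,
        "domain": "enterprise-attack",
        "techniques": [
            {"techniqueID": tid, "score": s, "enabled": True}
            for tid, s in sorted(totals.items())
        ],
        # Low value 1, high value 3, as set in the lesson's gradient step.
        "gradient": {"colors": ["#ffffff", "#ff0000"], "minValue": 1, "maxValue": 3},
    }


def gradient_color(score, gradient):
    """Linearly interpolate between the gradient's first and last colour,
    clamping the score to [minValue, maxValue]; this mirrors how a scored
    technique is shaded on the combined heat map."""
    lo, hi = gradient["minValue"], gradient["maxValue"]
    frac = (min(max(score, lo), hi) - lo) / (hi - lo)
    c0 = tuple(int(gradient["colors"][0][i:i + 2], 16) for i in (1, 3, 5))
    c1 = tuple(int(gradient["colors"][-1][i:i + 2], 16) for i in (1, 3, 5))
    rgb = [round(c0[k] + (c1[k] - c0[k]) * frac) for k in range(3)]
    return "#%02x%02x%02x" % tuple(rgb)


def techniques_with_score(combined, score):
    """Technique IDs in the combined layer carrying exactly this score:
    1 = only in layer a, 2 = only in layer b, 3 = shared by both groups."""
    return [t["techniqueID"] for t in combined["techniques"] if t["score"] == score]


if __name__ == "__main__":
    apt28 = make_layer("APT28", APT28_TECHNIQUES, 1, "#ff6666")
    apt29 = make_layer("APT29", APT29_TECHNIQUES, 2, "#6666ff")
    combined = combine_layers("APT28 + APT29", apt28, apt29)
    for t in combined["techniques"]:
        print(t["techniqueID"], t["score"], gradient_color(t["score"], combined["gradient"]))
    print("shared by both groups:", techniques_with_score(combined, 3))
    # The combined layer can be written out as JSON and loaded into Navigator
    # (assumption: fields not included here are left at Navigator's defaults).
    print(json.dumps(combined, indent=2))
```

The score-3 list is the set of overlapping techniques the lesson highlights; those are the detections to prioritise first when both groups are in scope for your organisation.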
When you're all finished with scoring and comparing the layers, you can then move on to determining what you want to do with the analysis.
You have many options for exporting your ATT&CK Navigator layer.
The common uses for exporting are saving the file as JSON or Excel, so you can reload it and reuse that layer in the future. And also, you can export the Navigator layer as an SVG image file, where you'll share the coverage heat map with the rest of your team.
For the purposes of this training, we'll go ahead and export it as an image file, so you can see the little camera icon under the layer controls menu.
Before doing that, if you'd like to expand the sub-techniques to show deeper coverage, you can go ahead and select that from the layer controls menu as well.
And there you have it. We now have our combined coverage map for APT28 and APT29.
These are visualized here in the SVG image export feature.
To summarize what we've learned here, you should now be comfortable with mapping different threat groups in the ATT&CK Navigator tool, comparing their TTPs, as well as exporting your combined layer into a shareable image file.