Analyzing ATT&CK®-Mapped Data


Time: 2 hours 24 minutes
Difficulty: Intermediate
CEU/CPE: 3
Video Transcription
>> Now that you've learned a little bit about how to express and store ATT&CK-mapped intel and information, we can move on to learning how to utilize an important tool for analyzing that data for our CTI analysis process. We call this tool the ATT&CK Navigator. The ATT&CK Navigator is designed to provide basic navigation and annotation of the ATT&CK matrices. We're going to practice using it here.

Our objectives for lesson 3.3 include learning how to review the ATT&CK Navigator's basic application features, as well as how to prioritize techniques from these different groups that we encounter.

Here, we can see a Navigator layer in which the group APT28 has been selected. What this does is it uses data currently mapped in the MITRE ATT&CK framework to show all the TTPs associated with APT28. The highlighted TTPs for APT28 are shaded in blue, and sub-techniques are shown in the collapsed view.

Now this is a similar view to the previous slide. We have just selected the techniques and sub-techniques for the group APT29 now. The sub-techniques are now also in the expanded view. They have a little 3D depth to make it a little more clear that they're there.

Once we have these two independent layers in Navigator, we can combine them to see which TTPs are shared between the two different subgroups. Here, we can see the overlapping techniques between APT28 and APT29. This is useful for our CTI analysis because it allows you to prioritize detections based on multiple groups that are more likely to target your organization.

When you first open the ATT&CK Navigator tool, you're presented with a few options for how you can get started. You can create a new layer by selecting the appropriate domain for your CTI needs, so that can be Enterprise, Mobile, or ICS, and you can also add a specific version as well. The other options you have are to open an existing layer from your system, create another layer from other layers, or create a customized Navigator layer.

To create a Navigator layer, you simply go to the browser version of Navigator and you're already presented with a window that has a new layer. To add things to this layer, you can click the "Select" tool and find the pre-loaded threat groups from the MITRE ATT&CK site, where you can simply select the group that you want to view in the tool and it'll populate the associated techniques. Here, we'll select APT28.

Once you've selected the group, you can add a background color. The button for that can be found under the Technique Controls menu in the top-right section. Keep the technique selected with the color that you've chosen here, which is red. Then you can also add a score under the Technique Controls menu as well. For this example, we'll enter a score of one to indicate that the technique has been used by this particular group. Once those steps are complete, we can rename the layer on the top-left tab to make it easier for us to remember which group we're tracking here.

Now that we've finished APT28's layer, we can then open a new tab within Navigator and create an additional layer. We will find the techniques for the threat group APT29. Let's go ahead and do that now. We'll go ahead and repeat the same exact process that we did for APT28. So go ahead and select the techniques for APT29, and give those techniques a different background color. This time, we'll select a different scoring number to differentiate between the two threat groups and their associated TTPs. Here, we can just enter a score of two.

This is probably the most complex feature of the Navigator tool, which is a little bit of an overstatement. We're going to create a third layer by opening a new tab and selecting the option "Create Layer from other layers". This will allow us to utilize the two layers that we just made and create a single layer for our CTI analysis. In order to compare the techniques for these different layers, we must enter a simple equation to express the relationship between these two layers that we just made. We can simply type in "a + b" to combine the scores. You can see the labels for the layers in the top-left tab section in case you need to reference them. We'll also want to edit the gradient, where you can set a low value of one and a high value, which is the combined techniques for these groups, of three, to create a coloring for a combined heatmap layer.

When you're all finished with scoring and comparing the layers, you can then move on to determining what you want to do with the analysis. You have many options for exporting your ATT&CK Navigator layer. The common uses for exporting are saving the file as JSON or XML so you can reload it and reuse that layer in the future. Also, you can export the Navigator layer as an SVG image file, where you'll share the coverage heatmap with the rest of your team. For the purposes of this training, we'll go ahead and export it as an image file, so you can select the little camera icon under the Layer Controls menu. Before doing that, if you'd like to expand the sub-techniques to show deeper coverage, you can go ahead and select that from the Layer Controls menu as well. There you have it. We now have our combined coverage map for APT28 and APT29. These are visualized here in the SVG image export feature.

To summarize what we've learned here, you should now be comfortable with mapping different threat groups in the ATT&CK Navigator tool, comparing their TTPs, as well as exporting your combined layer into a shareable image file.
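As an added example (not part of the lesson, and not the Navigator project's own code), the Python below shows what the "a + b" layer combination and the 1-to-3 gradient described above do to per-technique scores. The technique sets are constructed for illustration, not the real APT28/APT29 mappings, and the layer dict keys are an assumed minimal form of the Navigator layer JSON, not copied from the tool's spec.

```python
import json

# Constructed sample technique sets for this walkthrough: NOT the real APT28/APT29
# mappings from the ATT&CK knowledge base. The IDs are real ATT&CK technique IDs,
# but which group uses which is made up here.
APT28_SAMPLE = {"T1566", "T1059", "T1003"}
APT29_SAMPLE = {"T1566", "T1078", "T1003"}

def build_layer(name, technique_ids, score, color, domain="enterprise-attack"):
    """Minimal layer dict. Key names (techniqueID/score/color/domain) follow the
    Navigator layer JSON format as assumed here, not copied from the tool's spec."""
    return {
        "name": name,
        "domain": domain,
        "techniques": [{"techniqueID": tid, "score": score, "color": color}
                       for tid in sorted(technique_ids)],
    }

def combine_layers(a, b, name="APT28 + APT29"):
    """Reproduce the lesson's 'a + b' expression: per technique, sum the scores of
    both layers, treating a technique absent from one layer as score 0."""
    scores = {}
    for layer in (a, b):
        for t in layer["techniques"]:
            scores[t["techniqueID"]] = scores.get(t["techniqueID"], 0) + t["score"]
    return {
        "name": name,
        "domain": a["domain"],
        "techniques": [{"techniqueID": t, "score": s} for t, s in sorted(scores.items())],
        # Gradient as set in the lesson: low 1 (one group) to high 3 (both groups).
        "gradient": {"colors": ["#ffffff", "#ff6666"], "minValue": 1, "maxValue": 3},
    }

def scores_by_technique(layer):
    """{techniqueID: score} view of a layer, convenient for checks and reporting."""
    return {t["techniqueID"]: t["score"] for t in layer["techniques"]}

def shared_techniques(combined):
    """Score 3 = used by both groups: the detections to prioritize first."""
    return sorted(tid for tid, s in scores_by_technique(combined).items() if s == 3)

def export_and_reload(layer):
    """Save as JSON and load it back, mirroring the lesson's reuse workflow."""
    return json.loads(json.dumps(layer, indent=2))

if __name__ == "__main__":
    a = build_layer("APT28", APT28_SAMPLE, score=1, color="#ff0000")
    b = build_layer("APT29", APT29_SAMPLE, score=2, color="#0000ff")
    combined = export_and_reload(combine_layers(a, b))
    print("Shared techniques (score 3):", shared_techniques(combined))
```

A technique scored 1 came only from the APT28 layer, 2 only from APT29, and 3 from both, which is exactly what the 1-to-3 gradient colors in the combined heatmap.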