3 hours 16 minutes
welcome to Lesson five module to within the attack based stock assessments training course. In this lesson, we're going to talk about how you can quickly analyze tools to understand what parts of the attack framework they might be able to detect.
This lesson fits into the third phase or generic attack based assessment methodology.
It complements the previous lessons in that we've already looked at data sources and analytics, and on the last part of our technical analysis really is to focus on the tools the sock might be using.
This lesson has one primary learning objective.
After the lesson, you should be able to quickly map tools at kind of a high level, back to the attack framework.
To kick off this lesson, we're gonna talked kind of generically about tools.
You know when you think about it. Most socks rely on tools as really their primary sources of detection, be it passively detecting adversaries
performing active, you know, engaged human driven threat hunts via tool or just simply locking to ascend platform,
regardless of the socks, maturity,
understanding and knowing what their tool coverage is is very important that this lets you know where you currently stand with regards to how robust your defenses are. Then it also going to help inform you on how to acquire new tools based on where your your biggest needs are.
That said, analyzing tools and understanding their coverage. It's It's very hard.
Core functionality is often hard to evaluate objectively when doing a hands off assessment. You're not sitting down with the tool and, you know, kicking the tires on it. You're just kind of reading and looking at it from afar to try to clean what coverage might be.
When doing this, you often have to rely on written materials such as marketing material and realistically speaking. Marketing material is not always the same as what's deployed
oftentimes and doing a hands off assessment. You have to treat the tools of black box where what's going on under the hood is totally off limits.
That said, we've come up with a
relatively straightforward way to try to analyze tools by focusing on critical questions that you should ask about any tool you're looking at.
The first question is, where does the tool run
we're looking here at, like whether or not it's running on the endpoint? Whether or not it's a network appliance, and if so, is it monitoring like perimeter traffic? East west traffic. Is it an email gateway? You know, understanding where the tool run, where the tool runs can let you quickly understand
what part of the attack framework it might be able to detect.
The second question is, how does the tool actually detect things? These are things like, you know, doesn't use a static indicators have compromised. Is it looking at, say, you know, specific artifacts and adversary might leave behind? Is it dynamic and focusing on behaviors? Really, if you can understand the how you can better understand, you know, number one, if it even will detect behaviors
and number two kind of the fidelity of the detection it might have.
And the last question is what data sources is the tool monitoring. If we can map the tool to the data sources it's looking at, and then the data sources to the attack framework, we can understand what might be in scope with regards to detection.
So we're not going to walk through kind of an example. This is very, very high level and a little bit contrived, but but it's a good way to look at kind of those core critical questions.
So, for example, the first thing we're going to know is it sits on endpoints.
This is great. And when we see something like this, we can immediately conclude Hey, it's gonna likely have potential to detect almost any tactic. You know, aside from initial access, exfiltration, command and control, it might be able to pick up pick up on those three. But it's probably not as strong as a like a network based tool.
It uses mostly static detection.
This is bad, or it's usually a bad sign. It's likely not running any advanced analysis, and it will miss a lot. You know, when you hear a tool using static detection, I'm immediately thinking like MD five hashes specific I. O C s. You know, something that an adversary could could evade if they really wanted to.
Then we're going to talk about the data sources. This tool specifically monitors a variety of data sources, and first we're gonna say okay and monitors the Windows registry. That's a good data source, but, you know, ordinarily it's a good data source, but when you couple that with that, it's the tools using static detection.
You know, it's probably only going to pull techniques that always modify the same exact registry values
the file system this is
and okay, data source. But given that it uses static detection, there's likely no attack relevance.
You know, really? You know a static detection over the file system that says to me, Hey, this is likely, like looking for MD five hashes
Outlook inbox. That's
a bit of a different kind of data source. Um, a little unusual to monitor outlook inbox with static detection. Maybe it's looking for, like, known spammers or something like that.
But you know,
even though it's unusual, it could potentially pick up some interesting initial access vectors, say, like spearfishing
the outbound network connections.
This is something that you know, of course, could be good. It's always great to monitor outbound network connections, but it's likely monitoring, say, like bad ports or bad or else. And I P s, you know, really focusing on that static detection aspect
with all that said, you know, the conclusion here is that
this tool really isn't going to be all that strong around attack TTP s.
You might be able to detect some techniques that modify the registry and maybe some that have email related techniques. But on the whole, there's really not a lot of positive strength from a behavior based detection standpoint here.
You know, maybe it could detect a handful of techniques across different parts of the framework,
but really, it's likely that a sufficiently motivated adversary could avoid being detected by this tool.
So a couple of tips to to kind of help you if you if you're going about analyzing different tools.
Number one. Don't worry about pinpoint accuracy when assessing tools.
You know, we we we say this a lot during the the this this training course, but it's very important to make sure you're not overly focused on just that pinpoint accuracy feature. Even if you can just paint coverage at the tactical level, that's a win.
Read the vendor documentation.
Oftentimes it's you know, this kind of documentation to be filled with marketing speak, but it can still be useful sometimes, and even some vendors have some very useful, helpful, detail oriented documentation that can help you in analysis
as an alternative, reach out directly to the vendor. The vendor might have some resources already mapping their tools to attack or just be able to provide you, like on the right direction towards answering those critical questions.
Ask the sock how they use the tool.
This is something that we talk a little bit more about in less than 3.1. But you know, really, if you can talk to the sock because they use it on a day to day basis and can help you understand what its capabilities might be,
and then also look for already available analysis of the tool being like just customer reviews or blog post, you know, anything that speaks to what the tool might do, like outside of the vendor themselves, that can help you when you're trying to figure out what coverage might be.
And also, I note that you know, when possible, you can always leverage the attack evaluation results. Of course, the Attack Evils project only has some mapping for some tools. But if you do run into the tools where there is a mapping in the attack of Ailes Project, that can be super helpful during an assessment.
So what? I'm going to switch gears a little bit and kind of walk through a series of exercises
here. We've got kind of, you know, about a paragraph or so for a variety of different tools where we're gonna walk through and figure out, like, How do we analyze this tool, given just the short paragraph of what the tool does.
So feel free to pause the video, read over this description, and when you come back, we'll walk through how we look at it.
Okay, let's now kind of walk through our own solution towards analyzing this tool. This tool Moya uses AI to detect attacks that happened in real time. It's patented. There's no uncertainty. You know, there's a lot in here. Um, of course it is, you know, kind of written to be a little bit like a marketing blurb,
but there's a few things that do stick out.
First. We see that Moya like it, helps remove uncertainty from analysts as it monitors network traffic in real time. And then, if you look down a little bit further, you'll see that you attach Moya to your network for our first critical question. These two statements are super helpful
because they say to us, Hey, this is almost certainly monitoring internal network traffic,
maybe traffic going over the perimeter,
then the second thing that sticks out is that they have this line Here are threat intelligence teams updates Moyo's back end signature based quarterly.
Certainly good to have, you know, an updated backend database of signatures. But that use of signature base is kind of implying it's likely to be using as a static indicators.
When you take those two things together, your conclusion is, you know, maybe there's some strength with lateral movement. See to an exfiltration, you know, maybe because those are kind of in scope from words sitting, but it's really unlikely to be behavior based.
The use of AI might suggest some more, you know, static or signature based mechanisms around like exploit prevention. Possibly.
But generally speaking, you know, here we're probably gonna conclude that, Yeah, this might have some strength around the perimeter network traffic techniques, but its ability to detect behaviors really isn't that isn't going to be terribly strong.
So here's another example of this one. Is talent a little bit longer? You can see it's an offshoot, Amoia, but, you know,
positive video. Take a look. See what you think. And then when you get back, we'll kind of walk through our solution.
Okay? Welcome back. This one certainly is a lot more flavorful. Cybercrime, ransomware, crypto lockers, dark webs.
You know, everything is in here. It's It's certainly, um, you know, a little bit more. Um, you know, interesting. To read a little bit more marketing like,
you know, when you when? When you look at it, though, there's really one line that sticks out more than anything,
this line here says, Hey, point talent at where? Some. Some platform holds his process logs and let the tech do the work.
That's great tons of information. You're getting Number one, that it's processed logs and that's going to tell you it's running on the endpoint.
And then from a data source perspective, it's telling you, is looking at process monitoring.
There isn't a whole lot else to go off of here, so
you know it's hard to make a good conclusion. But from a positive perspective, you know, there is a lot of potential to detect things on endpoint specific tactics such as execution, privilege, escalation, you know, persistence.
You know, that's that's definitely a good thing But
from a downside perspective, there's just so many buzzwords in here that really it's hard to gauge the actual abilities. So this is one where maybe you want to talk to the sock a little bit more to see how they're using it, or maybe looks for some more reviews that speaking more depth about what this tool might be doing.
So our last one is a lot shorter. Um,
still a lot of interesting points in here feel free, positive video, and then you get back, we'll walk through the solution.
Welcome back. Um, we're not gonna walk to kind of how we look at this one. It's a lot shorter and has some good phrases in it. You know, that's monitoring key operating systems. You know it.
It's, um you know it. They actually say we're able to spot adversary behaviors when they happen. You know, definitely, you know, intended to be a little bit more focused on Hey, we really want to detect things.
So first we know that, you know, again, they say upfront, we're running on the endpoint. That's great. You know, a great thing to see. Um, you know, it's an endpoint tool you, you immediately kind of dial in on the tactics. You might be focusing on
this this phrase about monitoring key operating operating system resources. That's great. Um, you know,
likely, since you know we're kind of guessing Windows here, it's likely the Windows Registry, maybe file modification. At the least,
the methodology is harder to glean out. They do say they're looking for adversary behaviors when they happen. But they also say that the tool already knows the locations and the values which are most important to be looking for. So that kind of leans a little bit or not clean, but leans a little bit more towards like artifact based detection.
So when you put all of that together, it likely provides some coverage, some some reasonably okay coverage on private desk persistence and defensive Asian.
There is almost certainly gaps in coverage,
but it does have a little bit of strengths, and although it's not overtly strong with any single one technique,
this does have some positives. But a sufficiently motivated adversary can
pretty likely bypasses tools they wanted to.
So if you summary notes and takeaways to close out this lesson,
number one analyzing tools can be very hard to try to do this. You know, try to read the vendor documentation or reach out, reach out to them directly and also look online for prior analysis
wherever possible. Talk to people who have used the tool because it will always give you more information as well.
During analysis, always ask the following three critical questions.
Where does the tool run? How does it detect things and what data sources doesn't monitor? If you can answer these three questions, you're well on your way towards understanding how the tool might relate to the attack framework.
And then, lastly, just always keep in mind. If you can't analyze beyond the tactical level, that's totally okay.
Just if you know, painting the tactics alone, that's when and if you can do so, that's great.