Communicating with ATT&CK®

00:00

Welcome to Lesson two, Module three. Within the Attack based Stock Assessments Training course. In this lesson, we're going to discuss how you can use the attack framework to communicate results from an attack based stock assessment.

00:14

This lesson fits into the compiled results phase of our generic assessment methodology and in particular is kind of a precursor for compiling results here. In order to actually come up with the final heat maps. Heat map looks like you need to choose a heat map that you're going to be presenting to the sock at the end of the SS.

00:36

We have three primary learning objectives for this lesson.

00:39

Number one. You should walk away understanding the types of heat maps that you can present.

00:44

Number two. You should understand and know the trade offs with a different heat map styles and number three. You should ultimately be able to choose the right type in style heat map for a given context and assessment,

00:59

so a heat map ultimately has three primary ingredients. When you're when you're coming up with how to construct a heat map to communicate your message,

01:07

the first one is the scope,

01:10

including the right tactics and displaying or hiding sub techniques. This is very important. You might have run through an assessment and done the assessment over all the tactics, every single sub technique, everything but the final heat map that you present. Maybe it doesn't need to show everything. Maybe it only shows a portion that you specifically want to highlight.

01:30

Or maybe it does show everything, if you can get it all to convey the right and the right heat map.

01:36

The second key thing is the measurement abstraction. This is mainly either categorical or quantitative.

01:42

What are the buckets and what he scores? Measure.

01:45

This is slightly different than scoping from

01:48

in the prior module. In that really you're choosing how you wanna bucket things or how you want to present things at the abstract level.

01:57

And then, lastly, the color scheme.

01:59

It's very important to choose the right colours to convey your message, and we'll give you a couple of examples of good color schemes as well as those that might not get the message across quite as easily.

02:12

So here's an example. Heat map from that was inspired by some work we did, you know many years ago, This heat map is super useful to me, at least because I can look at it and I can say Oh, no confidence, low confidence, some confidence or high confidence of detection. Those are my red, orange, yellow and green.

02:30

And then in grey, I've got this other category of some static detection might be might be possible. Or maybe I'm not looking at things behaviorally. But maybe I'm just, you know, my sock is doing a great job of looking at things like from an IOC perspective. And this seems okay and even great at first glance. But the reality is, it's really not that great of a heat map.

02:50

It has too many categories that can really make a confusing for readers. And for consumers of the heat map, it's really easy to get lost in the labels here.

02:59

Remember, when you're going through an assessment, your task is to paint broad strokes, and your heat map should convey that ultimately

03:07

instead, make sure to settle on something that conveys the right information at the right layer. I know it's smaller, but in the lower right hand corner this is the same heat map. But instead of using

03:17

instead of using the low in orange and the red. And no, we've replaced those with just a low confidence of detection in white. We've also changed the gray for static detection to this kind of like see through yellow that shows it's just a little bit different than some confidence of detection.

03:37

Just making these two changes totally changes the face of the heat map.

03:42

A lot of the content is still there. There's less with regards to know and low, but

03:46

most of the information is still being presented.

03:51

Regardless of your use case for attack, you know it's always important. Regardless of the use case of the assessment, it's always important to have a good scoring scheme, always defined categories that are relevant to your domain and, when possible, avoid mixing category types.

04:08

Confidence in likelihood. You know that

04:10

that that's a good example of something that where you say, you know, hey, I have confidence of detection and the likelihood of it being executed. You know, it makes a lot of sense when you think about it, but in practice it's hard to combine things when you're combining these kinds of categories.

04:25

Always know your audience to leadership, wants the big picture. Where's your Where's the socks? Staff? They need to focus on details for actually implementing changes.

04:34

Always choose good color schemes. We'll talk more about that later. Be the gradient Discreet. What colors you use et cetera. And lastly, metrics can be great

04:44

if you're using metrics as part of your assessment or what you're delivering. But particularly with the final heat map you produce, it's imperative to always have a good justification for your numbers and your categories.

04:57

Here's another example. Heat map. It's a little simpler. We've only got three categories. Low summer high confidence of detection.

05:02

This here map looks functionally great, but in practice it's really got a problem.

05:09

When people look at this heat map, they see a lot of flashing lights. They see the color red, and that color Red says, Hey, this is a problem.

05:17

Ultimately, Red often communicates the wrong message. People see it, and they they'll often assume it's saying like, Hey, look here. This is a huge problem. You got to fix this right away, glaring red error. You got to solve this,

05:30

and really, you should use red sparingly. Use it only as needed to call attention to specific areas that need to be focused on only when something really is a glaring gap or a critical issue. That's when you use red

05:45

instead, whenever you're coming up with the heat map, trying to settle on maybe a softer color palette.

05:49

This heat map replaces red with white, and it conveys the exact same message. But for many, it's easier to digest because because you're not coming in there and saying, Hey, huge, glaring problem, you're coming in and saying Hey, here's a heat map.

06:02

This does a great job to position the results as

06:06

less antagonistic.

06:09

These are areas of improvement, not areas where you failed.

06:13

Thinking more abstractly, even outside of assessments. Always be cautious when using red on a heat map. I know it makes the most sense to say problem is red, but

06:23

sometimes you often get You can get into trouble using the wrong colors

06:30

and then being realistic. Heat maps are not in and of themselves

06:33

well, strict. They're they're great, they're they're easy to understand. Their tangible, a straightforward They're useful to tons of people. But there are a couple of gotchas when you're working with them.

06:44

Number one coverage. Execution doesn't always align with attack, execution in practice

06:48

techniques and detection or technique, execution and the corresponding detection. Those can vary, and there can be ambiguity between the two and then per technique detection. That's not always the right level of abstraction. That's why we like to recommend that when you're coming up with an attack by stock assessment, don't just turn over a heat map,

07:09

but always include a paragraph or two that described the trends.

07:13

Because when you just look at the technique level, you don't often get the right impression of coverage.

07:18

Coverage is also not static. What's green or well covered today that can easily change

07:25

change tomorrow. Attacker, https and the defender practices those rotate Attackers change their stuff all the time. From a defensive perspective, what we did this month might be different next month.

07:36

Ultimately, don't ignore what you cover today.

07:40

Just because it's green now doesn't mean it'll be green in the future.

07:44

Then, lastly, always remember, attack Heat maps are almost always approximate. If you're doing this as a third party, always make sure the sock you're working with, make sure they understand and know this.

07:56

We're doing this in the house. Make sure your colleagues understand as well.

08:01

So we're not going to walk through a couple of example heat maps and just kind of throw some commentary

08:05

here. We've designed these exercises. I'm again. You pause the video,

08:11

we'll go through each answer because the video and hear your task is to look at this heat map,

08:16

come up with a couple of comments, maybe maybe score it a little bit and then try to figure out the right audience, be it a Cisco executive board, socks, leadership or sock Engineers Try to figure out who might be best to use this heat map, and in some cases your answer might be nobody. So pause the video. We'll get back to it in just a second.

08:35

Okay, let's not walk through what we think of this heat map and

08:39

really using those three ingredients. So those three things to look after heat maps that there's a few things to see.

08:46

Scooping wise, this is all tactics. There's no sub techniques

08:48

from a measurement abstraction perspective.

08:52

We've got an interesting scheme being used. We have detection and mitigation where each are distinct. I have low detection and low mitigation, low detection and some mitigation, and so on and so forth.

09:03

There are categories, but there are nine of them, which is relatively on the higher side. And the colour scheme is I I just use the phrase hodgepodge to describe it. It's almost random. It's just there's no real rhyme or reason to what the colors mean.

09:18

Ultimately, the conclusion is that this map is just It's really hard to use and understand if someone had to use it. There might be utility for sock engineers just because it does give you a good level of detail when you think about it from a theoretical perspective.

09:33

But the way that detail is conveyed makes it hard to understand and hard to put into practice.

09:41

Here's another heat map name, exercise. Try to choose an audience, pause the video and then we'll walk through a solution.

09:50

Okay,

09:50

let's now kind of analyze this one a little bit more detail.

09:54

Um, here we kind of use the three key ingredients. From a scoping perspective, we have all tactics, no sub techniques,

10:01

measurement, abstraction.

10:03

This has a small number of categories here. We have unlikely to be detected or mitigated some likelihood and high likelihood.

10:09

And then we've combined detection of mitigation, which which has pros and cons to it.

10:15

The color scheme is super simple. I I know if you've been following along in the course you've seen, this is our favorite color scheme, so that that's definitely a positive.

10:24

Ultimately, the conclusion of that is that this is

10:26

really useful at the abstract level. It's great for leadership, and maybe some engineers might benefit from it. Really. The reason there is a distinction between leadership and engineering here is that by combining detection and mitigation were really painting a very broad stroke. You know, it's really a big picture of what things look like, and it might be harder for engineers who'd rather say, Hey,

10:48

is this detected or is it mitigated? And there's not much ambiguity or there's not much differentiation here.

10:56

Here's the last one. It's

10:58

one of the same as before. Choose an audience and then we'll walk through it.

11:05

Okay,

11:05

so let's not walk through this one again. It's very similar as before, we're looking at detection and mitigation.

11:11

Looking at the 33 areas we focus on scoping is the same. All tactics, no sub techniques here are abstraction is again combining detection and mitigation. But here we're now using some sort of quantitative scheme. We don't see the numbers here, but we know that they're underneath it.

11:26

And then the color scheme is a relatively straightforward gradient. Green means a high ability to detect or mitigate, and white means no ability to detect or mitigate.

11:37

Our conclusion is that this provides a reasonably good, actionable level of detail.

11:41

It's really useful across multiple layers. Leadership can understand big picture from it, but sock personnel might benefit the most. Just because it gets into a little bit more detail than the previous example, which was. Just hire some now because I'm using a gradient. You know, I I see a little bit more nuance in my coverage.

12:01

We still have the downside of not having differentiation between

12:07

detection and mitigation, but we think that that's kind of offset by that increased kind of differentiation between the techniques themselves. So ultimately, just about most people could use this, and maybe sock engineers have a little bit more advantage using the CMAP. Of course, a lot of this is indeed interpret up to interpretation.

12:26

The ultimate point is to make sure that when you're crafting these,

12:30

you think about the audience and how they're going to receive it.

12:35

Some closing commentary A lot of our examples just focus on primary techniques. Some techniques are definitely things you can include. But if you look at this chart here, you can see that including all of them

12:46

well, from a communication perspective, it's really not great.

12:50

Sub technique Information is useful, but it can be harder to visualize some strategies you can employ for

12:56

including sub techniques. In your visualizations are one visualizing a subset of sub techniques you've looked at maybe only a small few that you think are most relevant and then let the sock No, you've hit a few. Others

13:07

also know your audience.

13:09

You know, looking at sub techniques is great,

13:13

really, for engineers and at the lower level, including them for leadership, that might be a little bit harder. It might be too much, too much detail. Of course, that depends on the sock you're working with,

13:24

but ultimately, as long as you know your audience, you'll get a better feel for how much detail and how many sub techniques do you think are worth, including then. Lastly,

13:33

if you do end up throwing out visualization of some of the sub techniques, you've still done the analysis. So keep that sub technique information in a in an appendix or in another form, you can always consider turning over to heat maps, one big picture, abstract one and then one more detail that dives in more

13:52

so a few summary points and takeaways to close out this lesson.

13:54

Number one, he perhaps have three important facets. The scope, which is the parts of attack to include the measurement abstraction, which is really what scores you present. And the colour scheme, which dictates how your scoring is presented.

14:09

You're heatmap delivery strategy ultimately depends on your audience.

14:13

My experience. Leadership tends to prefer the simpler, easier to digest charts or as technical staff can make more use of the details at nuance.

14:22

Everybody still can use all almost all heat maps, provided that they are conveyed in a way that's digestible. But there tends to be a little bit more biased between who you're talking to

14:31

avoid. Red. This is a silly, simple recommendation, but it can go a long way towards really making it sure you can effectively communicate your message