Compiling a Final Heatmap Part 1


Time
2 hours 51 minutes
Difficulty
Intermediate
CEU/CPE
2
Video Transcription
00:00
Welcome to part one of lesson three, module three, within the ATT&CK-based SOC Assessments training course.
00:07
In this lesson, we're going to talk about how you can compile a final heat map as part of an ATT&CK-based SOC assessment.
00:15
This lesson fits into the fifth phase of our generic ATT&CK-based SOC assessment methodology. Here you've set the rubric, you've done all the technical analysis of the SOC's components and you've interviewed staff. Now your task is to bring it all together into one single coverage chart that you can turn over to the SOC
00:34
to help them understand where they stand.
00:37
This lesson has two primary learning objectives.
00:40
Number one: after the lesson, you should understand what's needed before compiling the final results. And number two: after the lesson, you should be able to aggregate heat maps and the interview results together.
00:55
So creating a final coverage chart ultimately boils down to three core steps.
00:59
Number one: create heat maps denoting what each analytic and each tool will be able to detect.
01:04
Here your focus is primarily on the analytics and tools and less so on the data sources, which we'll talk about a little bit in the next lesson.
01:14
Then aggregate the results from step one, creating a combined heat map.
01:19
When you're doing this, always choose the highest score when looking at just tools and analytics.
01:23
And then, once you have that aggregated heat map, augment the results using anything you discovered while looking at policies and procedures, as well as the interviews.
01:34
Policies and procedures will
01:36
be helpful, if you have them, to help discuss how specific tools are used and what potential mitigations might be deployed. Interview results are, of course, helpful as well, because they also go into detail on tools, but they'll also provide other information that might speak to other strengths or even gaps that they have in coverage.
01:55
This process is useful, but we can also make it into a formula. Essentially, we'll start with the tool coverage and the analytic coverage, add those together,
02:05
add in the positives from the interviews,
02:07
subtract out the negatives from the interviews and use that as our final result.
02:13
So what does that look like in practice? Here we're going to walk through an example where we aggregate tool coverage, analytic coverage and interview results.
02:22
In this example, we're going to use our go to rubric.
02:25
where we're going to use a heat map with low confidence of detection, some confidence and high confidence in white, yellow and green.
02:36
And then we're also going to focus on only a small subset of the ATT&CK matrix, just to make it a little bit more visible.
02:44
Here on the screen, you can see a coverage chart for tool one
02:47
as well as a coverage chart for tool two. From a process perspective, what we're going to do is take the top coverage chart,
02:55
add in what's
02:59
covered additionally on the middle coverage chart, and get a bottom chart that's going to have everything put together.
03:06
So here, to walk through what that looks like, we're going to see that tool number two provides a lot of extra coverage on top of tool number one. In particular, we have coverage for inter-process communication,
03:17
group policy modification, password spraying and credential
03:22
stuffing, all provided by tool two, that isn't covered at all within tool one. So we know that in the aggregated coverage chart, those are going to be extra additions.
03:31
We can also see tool two providing some coverage of JavaScript, but this really isn't that important, because tool one provides high confidence of detection.
03:42
When you put those together, you get a little bit more enhanced coverage chart that effectively takes all of tool one and most of tool two together.
03:51
The next step is to bump this one up top, use that as the running
03:55
heat map that we're going with, and then add in the results from the analytics. Here we have the same exact process, where we see that there are a lot of
04:03
extra things covered by analytics that haven't been covered by tool one or tool two, and we add those together into our aggregated heat map.
04:12
One of the interesting things to note here is that you can see in the initial heat map, with tool one and tool two by themselves, we have inter-process communication scored as some coverage,
04:23
whereas analytics has high confidence of detection for component object model and dynamic data exchange.
04:29
In the final heat map on the bottom, you can see that we've kept the some/high/high from tool one and two and analytics, and more importantly, we haven't upgraded inter-process communication. This goes back to our previous lessons, where we discussed how to work with sub-techniques and make sure we're not over-abstracting or over-inferring
04:50
just based on abstraction.
04:53
Now the next step is to take this aggregated heat map and add in interview results. The way we'll do this is, we'll look at the interview results as a series of bullet points, where each bullet point provides an additional data point for us to augment our heat map from.
05:10
The first one is from the red team. They say that the SOC never detects when we escalate privileges.
05:15
Here, we're going to downgrade that group policy modification coverage to low confidence of detection. Because this statement from the red team is very assertive, it's pretty good evidence that there's likely a gap there.
05:29
In this example, we're of course going with low confidence, but you might look at this and, depending on the context, say, oh, some confidence might be a better fit.
05:40
The second statement is from the engineering team.
05:42
They say that they block all communications over non-standard ports. This one's pretty straightforward and is good evidence for a mitigation being deployed. What we're going to do is go a little bit outside of our normal rubric and use orange to note in the bottom heat map that non-standard port is likely to be mitigated.
06:00
The detection team gives us another interesting piece of information. They say that they don't use tool one to detect lateral movement.
06:09
Here, you can see that now we've taken that piece of information and downgraded the coverage for lateral tool transfer, which was originally high confidence of detection but should be bumped down to low confidence, given that that coverage was provided by tool one.
06:25
And lastly, another interesting one from the detection team: we struggle with all types of inter-process communication.
06:32
This one is particularly interesting because of that modifier, "all types of inter-process communication". Instead of just saying we struggle with inter-process communication,
06:43
they're saying that they struggle with any type of it.
06:45
Because of this kind of broad wording that they've given us, we look at this and say, oh, this isn't just a potential hit to inter-process communication, but also to all of its sub-techniques, since those are types of inter-process communication.
06:59
Now, using that statement, we've downgraded component object model and dynamic data exchange from high confidence to some confidence.
07:06
And when you put all that together, you get this final composed heat map, where essentially all we've done is walk through each of the individual heat maps and put them together.
07:17
So we'll now go through a couple of different exercises.
07:23
Feel free to pause the video and see what you think on your own. These are intended to be examples, but you can always just kind of give it a shot on your own, see what you think, and then we'll walk through it together.
07:35
Okay,
07:36
So now we'll walk through what we think is a good solution here. This one's a pretty straightforward example. We just have two tools. They have a little bit of overlapping coverage, a little bit of different coverage. We're going to walk through the same process that we walked through in the previous example.
07:50
Here we start with tool one on the bottom. We just kind of copied that heat map, pasted it down below,
07:56
and we're just going to walk through all of the things covered by tool two and add them to the bottom heat map.
08:01
So here you can see tool two covers supply chain compromise, and we have high confidence there, where tool one only has low confidence, so we'll bump that up to high confidence.
08:11
For these four in the middle, you can see we have some confidence there across all of them.
08:15
We have low confidence for tool one, so those in the final one are all upgraded to some confidence.
08:22
Under exfiltration. This one's a little more interesting.
08:24
Tool two provides high confidence for exfiltration to code repository and to cloud storage. We're going to directly copy that into the bottom one, but we're going to leave the primary technique as some confidence of detection.
08:37
And then, lastly, network denial of service is provided by tool two, but it's shadowed by the coverage from tool one.
08:46
And that gives us the final heat map that kind of brings everything together, just doing a little bit of aggregation there.
08:54
Here's another example that we can walk through. Again, feel free to pause the video. This one is more around interview results, so we'll start with this initial heat map up top. We have these four bullet points that we've gotten from the interviews, and the question is: how would you modify that initial heat map to account for what we're being told during the interview stage?
09:13
So feel free, pause the video, and then we will dive back into the solution.
09:20
Okay.
09:22
Welcome back. Again, for this one, we're going to walk through the same process we walked through before. We're starting with the initial heat map on the bottom, and we're going to walk through each of these bullet points individually.
09:31
So first
09:33
via the red team, we're getting them saying that systems are frequently unpatched and have vulnerabilities. This one immediately screams exploitation to me, and you can see down on the bottom that that corresponds to privilege escalation, credential access and some lateral movement as well.
09:48
This one's interesting in that they say that the systems frequently have unpatched vulnerabilities. They don't say that this is
09:56
not detected well, or
09:58
it's always a problem. It's just
10:01
that this issue exists, and from that information, we think it's reasonable to conclude that the high confidence for privilege escalation and remote services,
10:09
those should be downgraded a little bit to some confidence of detection.
10:15
The second bullet point we're getting from the engineering team is that PowerShell is disabled on all of our Windows endpoints. This one's pretty straightforward: they're saying effectively that we can't use PowerShell at all
10:28
on our Windows endpoints, and so PowerShell as a technique should be considered mitigated.
10:33
These last two are super interesting in that they kind of relate to each other.
10:39
The detection team is saying that they have high-fidelity alerts for picking up cmd.exe.
10:43
This says to us that we should maybe consider calling Windows Command Shell high confidence of detection.
10:50
However, the red team gives us the opposite.
10:54
They say, to get around the PowerShell block, we use the Windows shell. They're saying that using this technique is actually effective.
11:01
These two essentially cancel each other out. Maybe we could go a little bit more with the detection team and call it some confidence of detection. But just given these two here, it seems reasonable to err on the side of caution and assume that there is low confidence of detection there.
11:16
The other interesting thing to note is that the red team actually acknowledges that there is the PowerShell block, giving further evidence that the engineering mitigation is being deployed successfully.
11:30
When you take all that together, you get this final heat map as your end result.
11:37
So, a couple of summary points and takeaways to close out this lesson.
11:39
Number one: to aggregate and create that final heat map, you should have the following.
11:45
An analytic heat map showing analytic coverage; this is essentially just a heat map showing what the analytics cover.
11:52
Number two, a heat map for each relevant tool that you're looking at, and number three, an understanding of any strengths and weaknesses that came out during the interviews.
12:03
Another summary point is that final coverage can easily be summarized in a relatively straightforward formula.
12:09
First, we have an aggregation step, where we take the tool coverage, the analytic coverage and the interview positives and just bring those all together, taking whatever is the most covered or the
12:20
highest level of detection for each each technique.
12:24
Then, from there we have a subtraction step. We take that initial aggregate and then remove anything that came up as negatives during the interview.
12:35
And then, lastly, whenever there are disagreements, always make sure to choose higher coverage during aggregation and choose lower coverage during subtraction.
12:46
Lastly, there's one final point to take away: we've only really scratched the surface of how you do aggregation in this lesson. In the next part of this lesson, we'll look at how you do partial aggregation, to start doing a little bit more complex
13:00
heat map aggregation.
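The composition formula the lesson describes (tools plus analytics plus interview positives with the higher score winning, then interview negatives with the lower score winning, sub-technique scores never lifting their parent, broad "all types of X" statements hitting the sub-techniques too, and mitigations tracked as a separate orange marker) is small enough to write down as code. The block below is an added example, not part of the course or of MITRE's materials. It uses ATT&CK Enterprise technique IDs as dictionary keys only because the parent/sub-technique relation can be read off the `Txxxx.yyy` form; the heat-map scores and the interview findings are constructed to mirror the lesson's first walkthrough, and the step of deciding which technique an interview statement maps to (for example, "never detects privilege escalation" to group policy modification) is the analyst's call made before the data reaches the code. The `about_source` handling goes a little beyond the lesson's wording: a statement like "we don't use tool one for lateral movement" is modelled by recomputing the score without that tool rather than by dropping straight to low.

```python
from dataclasses import dataclass
from enum import IntEnum
from typing import Optional


class Confidence(IntEnum):
    """The lesson's three-level rubric: white / yellow / green."""
    LOW = 0
    SOME = 1
    HIGH = 2


@dataclass
class Finding:
    """One interview bullet point, already mapped to a technique by the analyst."""
    technique: str
    kind: str                            # "positive", "negative" or "mitigated"
    score: Confidence = Confidence.LOW   # target level for positive / negative findings
    broad: bool = False                  # "all types of X": also applies to sub-techniques of X
    about_source: Optional[str] = None   # "we don't use <tool> for X": discount that source only


def parent(tech):
    """ATT&CK sub-technique IDs are '<parent>.<nnn>'; a parent technique has no parent."""
    return tech.split(".")[0] if "." in tech else None


def matches(tech, root, broad):
    return tech == root or (broad and parent(tech) == root)


def best_of(sources, tech, exclude=None):
    """Highest score any source (optionally excluding one) gives a technique; absent = LOW."""
    return max((hm.get(tech, Confidence.LOW) for name, hm in sources.items()
                if name != exclude), default=Confidence.LOW)


def aggregate(sources):
    """Step 1 and 2 of the lesson: per technique, keep the highest score across
    tools and analytics. Sub-techniques are separate keys, so a HIGH on T1559.001
    never upgrades T1559 itself (no over-inferring across the abstraction)."""
    techs = {t for hm in sources.values() for t in hm}
    return {t: best_of(sources, t) for t in techs}


def compose(sources, findings):
    """Full formula: (tools + analytics + interview positives) - interview negatives.
    Returns the final {technique: Confidence} and the set of mitigated techniques."""
    final = aggregate(sources)
    mitigated = set()
    for f in findings:                         # aggregation step: higher coverage wins
        if f.kind == "positive":
            final[f.technique] = max(final.get(f.technique, Confidence.LOW), f.score)
    for f in findings:                         # subtraction step: lower coverage wins
        if f.kind == "mitigated":
            mitigated.add(f.technique)         # orange marker; detection score left untouched
        elif f.kind == "negative":
            hit = [t for t in final if matches(t, f.technique, f.broad)] or [f.technique]
            for t in hit:
                floor = best_of(sources, t, exclude=f.about_source) if f.about_source else f.score
                final[t] = min(final.get(t, Confidence.LOW), floor)
    return final, mitigated


# Constructed inputs mirroring the lesson's first walkthrough (not the course's own data).
TOOL_ONE = {"T1059.007": Confidence.HIGH,    # JavaScript
            "T1570": Confidence.HIGH}        # Lateral Tool Transfer
TOOL_TWO = {"T1059.007": Confidence.SOME,    # JavaScript, shadowed by tool one
            "T1559": Confidence.SOME,        # Inter-Process Communication
            "T1484.001": Confidence.SOME,    # Group Policy Modification
            "T1110.003": Confidence.SOME,    # Password Spraying
            "T1110.004": Confidence.SOME,    # Credential Stuffing
            "T1571": Confidence.SOME}        # Non-Standard Port
ANALYTICS = {"T1559.001": Confidence.HIGH,   # Component Object Model
             "T1559.002": Confidence.HIGH}   # Dynamic Data Exchange
SOURCES = {"tool one": TOOL_ONE, "tool two": TOOL_TWO, "analytics": ANALYTICS}

INTERVIEWS = [
    Finding("T1484.001", "negative", Confidence.LOW),            # red team: privesc never detected
    Finding("T1571", "mitigated"),                               # engineering: non-standard ports blocked
    Finding("T1570", "negative", about_source="tool one"),       # detection: tool one not used for lateral movement
    Finding("T1559", "negative", Confidence.SOME, broad=True),   # detection: struggle with all types of IPC
]


def lesson_example():
    return compose(SOURCES, INTERVIEWS)


if __name__ == "__main__":
    final, mitigated = lesson_example()
    for t in sorted(final):
        print(t, final[t].name, "(mitigated)" if t in mitigated else "")
```

Running it reproduces the lesson's final chart: JavaScript stays high, lateral tool transfer drops to low because nothing but tool one covered it, group policy modification drops to low, inter-process communication stays at some while its two sub-techniques drop from high to some, and non-standard port keeps its detection score but is flagged mitigated. The ordering in `compose` is what encodes the "higher during aggregation, lower during subtraction" rule: the cmd.exe case from the second exercise, a positive from the detection team and a negative from the red team on the same technique, comes out low for exactly that reason.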
MITRE ATT&CK Defender™ (MAD) ATT&CK® SOC Assessments Certification Training

This course prepares you for the ATT&CK® Security Operations Center Certification. In this course, students will gain a better understanding of how modern security operations can align with ATT&CK® and how to improve their operations to leverage a threat-informed defense.
