Data Sources and Detections

Time: 1 hour
Difficulty: Beginner
CEU/CPE: 2
Video Transcription
00:00
>> Welcome to Module 1, Lesson 6, Data Sources and Detections. In this lesson, we will define and explore what ATT&CK data sources and detections are, and develop an appreciation for the relationship between these data sources and detections. Finally, we will identify how data sources and detections are applied to and can be used by defenders relative to specific techniques and sub-techniques.

As you recall from Lesson 4, ATT&CK techniques and sub-techniques have a wealth of data. In this lesson, we will explore data sources and detections and how defenders can use these values to begin to detect adversary behaviors. We will also explore updates and refinements to the data sources methodology and model as of ATT&CK Version 9.

ATT&CK defines data sources as the sources of information collected by sensing or logging systems that we defenders can use to identify adversary actions and techniques. In short, you can think of this as where to collect data. Historically, ATT&CK used data source values such as process monitoring, PowerShell logs, or packet capture to point defenders to where they need to collect information. But as of ATT&CK Version 9, we've updated this data source model to more specifically and consistently capture the exact data records of defenders.

For example, where we would have previously used process monitoring, we would now list the data source as Process to define the need for information about processes in our environment. Building on that data source, Process, we would add a data component to specify what exact value or information about a process we need to identify the specific technique or sub-technique. As you can see from the example on the right, we would need a process accessing other processes, execution of API functions from a process, as well as potentially creation of processes to identify the credential dumping LSASS Memory sub-technique.

We hope that this model enables us to more efficiently map from the information captured within ATT&CK to specific events and logs in their environment. In the future, these data sources will be full objects within the ATT&CK model, but for now they're linked to our GitHub, where you can read more about each data source and data component, including definitions and mappings to which specific platforms they are applied.

Building on data sources, ATT&CK also provides detections, which are high-level analytic processes or detection strategies that we can use to identify techniques. In short, detections provide how to interpret the collected data. If you go to any type of technique or sub-technique, you'll see how these values are applied. Specifically, as I said before, data sources tell us what information we should collect and what particular values are needed, as well as detections telling us what to do with that data and how to actually analyze it to make sense of it, to identify the specific behavior. You'll also notice there's a very intentional parallel between the inputs and how to actually process the data. Strictly, a data source is telling us what information goes in, and a detection is telling us what to do with that data.

With that, we've reached the end of Lesson 6 and our knowledge check. ATT&CK data sources tell us... Please pause the video for a moment and take a second to think of the correct answer before proceeding. In this case, the correct response was C: ATT&CK data sources tell us what data we should collect via sensors or logs.

With that, we've reached the end of Lesson 6 and our summary. In conclusion, ATT&CK data sources tell us what data to collect. Detections tell us how to analyze, process, and make sense of that collected data. Finally, these data sources and detections are applied specifically to each technique and sub-technique within ATT&CK.