Expressing and Storing ATT&CK®-Mapped Data

00:00

for less than 3.2 will be learning how to express and store attack mapped Intel.

00:06

Our objectives for less than 3.2 are to review methods for expressing and storing mapped Intel and to identify the most effective approach for your environment and requirements.

00:16

Here we have an example of a threat Intelligence report from the company anomaly.

00:20

This report discusses new malware and the different types of systems that it targets and what kind of behavior is exhibited by it.

00:26

The important part to notice here is that the report not only describes the new threat intelligence information in full text for human consumption, but they also provide links to the miter attacks site to their techniques for more of a machine and automated consumption path.

00:39

Placing the techniques at the end of the report is helpful for analysts not only consume this data, but to be able to take it and make it more actionable.

00:46

It also helps us standardize how we talk about specific malware behaviors so that we can help keep the community better equipped to understand different malware techniques. One caveat to point out is that this page hasn't been updated to reflect some techniques. So please confirm the actual technique IEDs with our official minor attack website.

01:03

This is an example of a threat intelligence report from McAfee, but they look at the operation go secret campaign

01:08

for the support. They list all the procedure examples from attack at the bottom of the report, just like we saw in the previous slide. But what we see here is that they also have an extra layer of detail where they explain how the adversary used these techniques within their campaign.

01:22

So this is very useful for a c. T. I. Now. So it's beyond just listing the techniques.

01:26

This is an example of a threat report from Crowdstrike. The main difference here is that they list the techniques at the beginning without the procedure examples. So this might be better for someone looking specifically for technique but not necessarily needing more of a procedure level detail. So they're just looking for the high level. What are the techniques observed here? We don't even know how they were used, but we just want to know which ones are here speaking, determine what's important for our CT analysis needs

01:51

the next report we're going to look at is a report from system.

01:53

Another way that threat intelligence reports were laid back to attack. Is that the highlight? The techniques within the report as they're identified? This is the most useful, as it easily helps the analysts understand which attack techniques are being shown and leads less way for confusion or misidentification of the techniques as you read and consume different threat intelligence reports.

02:13

And this is an example of expressing story attack map data from a Digital Shadows Threat Intelligence report

02:17

here. They not only have the attack technique and tactic, but they also include advice for mitigating the behavior once it's been detected. This is just an additional layer information to help for your c. T. I analysis. As you read through these reports

02:30

for this example of attack map data being expressed and stored, we see recorded future's way of visualizing the analyst workflow while being able to apply the attack framework to it.

02:38

They show the visualization of the execution of my dirty DPS for financial threat groups. They represent these attack techniques and software over a linear timeline, so the time stamps are included as well at the bottom, giving it lots of detail for analysts to consume, but in a more manageable way.

02:53

Another great research for expressing story. Attack map. Intel is Unit 42 Playbook Viewer

02:59

What they do here is a showcase, their threat. Intelligence reporting in an interactive Web page that links the attack techniques to indicators compromise. This sort of brings everything together full circle, from human readable text to machine readable content all in one platform.

03:13

Another example we have for expressing and storing attack map data is from the NCC Group on their threat report for a P. T. 15

03:19

here. We've highlighted the text much like you saw in your previous exercises, where the attack techniques exist. They didn't do this on their own, though, which will make it a lot harder to identify and correlate these techniques to the attack site. So this is a report. We got to do a little bit more work beyond just reading the Threat Intelligence report from the website

03:36

to summarize what we learned in less than 3.2. Let's review our main highlights.