Finding and Researching the Behavior

Video Activity
Join over 3 million cybersecurity professionals advancing their career
Sign up with
or

Already have an account? Sign In »

Time
2 hours 24 minutes
Difficulty
Intermediate
CEU/CPE
3
Video Transcription
00:02
this is module. One lesson to attack. Mapping, process, finding and researching the behavior.
00:11
This lesson. We have three objectives
00:15
going to discover how to find behaviors. That's step one of the attack mapping process I gave in the previous lesson.
00:23
We're going to learn how to research behaviors. That's step two of the mapping process I gave.
00:29
And finally, I'm going to go into some narrative reporting so that we can see some example behaviors.
00:37
So step one of our process, finding the behavior
00:42
you're going to want to look in your reporting for what the adversary or software does during the steps of the compromise.
00:50
As you look through your reporting, you're going to want to focus on pre compromise initial compromise and pros compromise details.
00:57
So you're going to want to take a look at how the adversary actually behaved through different parts of their intrusion.
01:03
So things like how they gained their initial access to a system, how they moved around between systems and how they actually did the compromise of the victim network systems.
01:15
Oftentimes, this is going to be verbs
01:19
so used create installed
01:23
things that are narrative reporting that describe a behavior in things that the adversary actually did.
01:34
This isn't going to be absolutely everything. In a report, there's information and reporting that may not be useful for attack mapping
01:42
information that doesn't describe details about adversary behavior.
01:48
Oftentimes that's found in places like static malware analysis. So talking about hashes or very specific details of how about a piece of Mao was compiled
02:00
infrastructure registration information. So what I. P address an adversary used is not going to be an attack behavior
02:10
industry victim targeting information.
02:14
So the fact that an adversary went after power, utilities or educational institutions
02:22
that exact who is the targeting is not a attack behavior.
02:31
So let's take an example report. This comes from a fire I report called Operation Double Tap. It's a couple of years old now, but it's still useful for looking at behaviors.
02:45
So the first thing we're going to be doing here is starting to look for those verbs looking for those descriptions of the things that the adversary is doing for.
02:55
We're talking about successful exploitation
03:00
we're talking about, uses the Windows Command command at Eggs E. So I see who am I?
03:06
We're talking about creates persistence by creating the following scheduled task
03:13
establishes a socks five connection to 192157198.1 oh three
03:21
sends the socks five connection request. And so each of these are behaviors. There are things that the adversary is doing,
03:29
and they're starting places for us to be able to look for attack tactics and techniques.
03:36
Some of these might even be multiple behaviors, at least as we get towards the language of attack.
03:42
So we don't just have establishes a connection.
03:45
We also have using TCP port. And each of these are things that, as we go through our process, will be able to turn into attack tactics and techniques.
03:58
So once we have identified the behaviors we've gone through, we figured out where those verbs are where those things that our adversary actions,
04:06
we need to research the behavior we want to understand what is the adversary is doing now? This may be something that you can skip. You can cheat this maybe activity that you already understand. You understand? You know what the adversary was trying to do.
04:21
But if there are unfamiliar adversary software behaviors,
04:26
you need to get into and look at a little bit more of what the adversary was doing.
04:31
So, for example, you may want to examine details about network protocols that were used. Some of attack is leveraging OSC models. So looking at things like application layer
04:45
looking at capabilities that things have, uh, what's the assigned port number? Is it a common services in an uncommon service?
04:54
What is it normally used for?
04:57
Is the adversary going up against a specific tool? So things like samba or remote desktop
05:04
as you go through this, collaborate with your own organization? Different people are going to have understanding of different behaviors.
05:11
People are just going to have different skill sets
05:14
and absolutely leverage external resources. Search engines are your friend.
05:19
Understanding core behaviors will help you with these next steps. But not just that. It also enhances analytic skills. It will make you a better analyst.
05:30
So let's take a couple of the behaviors we identified in that original report.
05:34
We said the adversary used socks proxy.
05:38
Okay, so maybe we aren't familiar with socks.
05:41
Uh, we google it, we find it in Wikipedia
05:45
and we find this information here.
05:47
Socks is an Internet protocol.
05:49
Okay,
05:51
go through it socks performs layer five of the EC model. The session layer
05:57
that's a little bit unusual. So layer five is not a layer that most things run on.
06:03
Okay, so we see it's a proxy. We see it's layer five. So we've got at least a little bit more information on what Socks is.
06:15
So similarly, we said that they were using Port 1913.
06:19
Well, you know, we think we you know, we know ports. We know TCP IP, but
06:25
maybe we haven't heard of 1913 before.
06:28
So maybe this is not a port that we've come through another analysis
06:32
so we can hunt for this as well. So this is a database out there of common ports with different services called speed Guide. We look up Port 1913 and we find that it's for service called arm ADP.
06:48
I've never heard of arm ADP and you know, when we created this, I talked to my other instructor, Katy. She had never heard of arm ADP.
06:57
And so, you know, this is not this is not a common service. This is not a common port.
07:02
And that's going to be useful knowledge for us as we go forward.
07:11
So in summary, I've covered a couple of things going through this lesson.
07:15
I've talked a little bit about what some of the guidelines are for places where you're likely to be able to do useful mapping and looked at tips for finding behaviors.
07:26
I talked about why it's a little bit important to understand these behaviors and and some of how you can start doing research on behaviors themselves.
07:34
We also took a look at a narrative report
07:38
and some of the behaviors that are coming out of even just a small piece of text.
Up Next
MITRE ATT&CK Defender™ (MAD) ATT&CK® Cyber Threat Intelligence Certification Training

This course prepares you for the ATT&CK® Cyber Threat Intelligence Certification, and provides hands-on instruction in mapping narrative reporting and raw data to ATT&CK®, efficiently storing and expressing the mapped intelligence, and operationalizing the intelligence through actionable recommendations to defenders.

Instructed By