Groups and Software


Time: 1 hour
Difficulty: Beginner
CEU/CPE: 2
Video Transcription
>> Welcome to Module 1, lesson 7, Groups and Software. In this lesson, we will define and explore what ATT&CK groups and software are, identify the information provided by ATT&CK about these groups and software, and finally, build an appreciation for how these groups and software fit into the ATT&CK model.

As you recall from lesson 4, ATT&CK techniques and sub-techniques have a wealth of metadata. In this lesson, we'll use the procedure examples section to pivot to groups and software. As you remember, ATT&CK breaks down the tactics, techniques, and procedures of adversaries and defines these procedures as specific implementations, or ways in which a series of techniques or sub-techniques have been executed. These specific examples are populated on each technique page, as well as on the pages of groups and software, which we'll explore later in this lesson.

As you can see from the example below, these procedure examples describe the groups or software, specifically how they've executed a specific technique or sub-technique. While these procedures are populated on a technique page, we can also view them from the perspective of a whole group or software.

ATT&CK defines groups as related intrusion activity tracked by a common name. Anyone who's read publicly available intelligence knows that there are various terms related to groups, such as intrusion sets, threat actors, or campaigns, and ATT&CK rolls all of these together into what we call groups. Groups are objects in the ATT&CK model and are assigned a unique identifier. As you can see from the example below, each group has a name, a short description, as well as other various metadata such as aliases.

ATT&CK defines software as the tools or malware used by an adversary during an intrusion. Similar to groups, software entries are objects in the ATT&CK model and have their own unique identifier as well. ATT&CK software pages also have their own name, a short description, and various other metadata including aliases.

Here's an example of a group page; in this case, we're looking at the group APT38. From this view, we can see the short description, but if we scroll down the page, we can also see the techniques and sub-techniques mapped to APT38, as well as the software used by this group, based on publicly available reporting already mapped within the ATT&CK framework.

With that, we've reached our knowledge check for lesson 7. True or false: there are potentially many procedures for a given technique. Please pause the video and take a second to think of the correct answer before proceeding. In this case, the answer is true. As we saw from the technique example, there are potentially many procedures for how each given technique can be implemented by a specific group or software.

In summary, ATT&CK groups represent the named clusters of intrusion activity, whereas software represents the tools or malware used by these actors. For both groups and software, ATT&CK provides descriptions and aliases, as well as what techniques and sub-techniques have been mapped based on publicly reported intelligence from these threats. Finally, techniques are mapped to groups and software via procedure examples, or the specific ways that techniques have been performed by these adversaries.
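Added example, not part of the lesson and not MITRE's own tooling: a miniature, constructed bundle in the shape of ATT&CK's STIX data, showing how groups (intrusion-set), software (malware/tool) and techniques (attack-pattern) are tied together by "uses" relationships whose descriptions are the procedure examples, and how a group page's view is assembled from them. All object IDs, the software name and the procedure text are sample data; only APT38's group ID G0082 and the two technique IDs are real.

```python
from collections import defaultdict

def attack_id(obj):
    """Return the ATT&CK ID (G..., S..., T...) from a STIX object's external references."""
    return next(r["external_id"] for r in obj["external_references"]
                if r["source_name"] == "mitre-attack")

def ref(ext_id):
    return [{"source_name": "mitre-attack", "external_id": ext_id}]

# Constructed miniature bundle in ATT&CK's STIX shape (sample data, not a real export).
BUNDLE = [
    {"id": "intrusion-set--g1", "type": "intrusion-set", "name": "APT38",
     "aliases": ["APT38", "Sample Alias"], "external_references": ref("G0082")},
    {"id": "malware--s1", "type": "malware", "name": "SampleRAT",
     "external_references": ref("S9001")},
    {"id": "attack-pattern--t1", "type": "attack-pattern",
     "name": "Data Encrypted for Impact", "external_references": ref("T1486")},
    {"id": "attack-pattern--t2", "type": "attack-pattern",
     "name": "Application Layer Protocol: Web Protocols", "external_references": ref("T1071.001")},
    # "uses" relationships: their descriptions are the procedure examples shown on the pages.
    {"type": "relationship", "relationship_type": "uses", "source_ref": "intrusion-set--g1",
     "target_ref": "attack-pattern--t1", "description": "APT38 has used ransomware (constructed)."},
    {"type": "relationship", "relationship_type": "uses", "source_ref": "intrusion-set--g1",
     "target_ref": "malware--s1", "description": "APT38 has used SampleRAT (constructed)."},
    {"type": "relationship", "relationship_type": "uses", "source_ref": "malware--s1",
     "target_ref": "attack-pattern--t2", "description": "SampleRAT beacons over HTTPS (constructed)."},
]

def group_profile(bundle, group_name):
    """Assemble a group page's view: ID, aliases, techniques with procedure examples, software used."""
    objs = {o["id"]: o for o in bundle if "id" in o}
    uses = defaultdict(list)  # source STIX id -> list of "uses" relationships
    for r in bundle:
        if r.get("type") == "relationship" and r["relationship_type"] == "uses":
            uses[r["source_ref"]].append(r)
    group = next(o for o in objs.values()
                 if o["type"] == "intrusion-set" and o["name"] == group_name)
    profile = {"id": attack_id(group), "aliases": group["aliases"],
               "procedures": defaultdict(list), "software": {}}
    for rel in uses[group["id"]]:
        target = objs[rel["target_ref"]]
        if target["type"] == "attack-pattern":  # technique mapped directly to the group
            profile["procedures"][attack_id(target)].append(rel["description"])
        elif target["type"] in ("malware", "tool"):  # ATT&CK software is either STIX type
            # software entry -> techniques that software itself is mapped to
            profile["software"][attack_id(target)] = [
                attack_id(objs[s["target_ref"]]) for s in uses[target["id"]]]
    profile["procedures"] = dict(profile["procedures"])
    return profile
```

Pointing the same traversal at a real ATT&CK STIX bundle (for example the enterprise-attack JSON from MITRE's attack-stix-data repository) reproduces the technique and software lists shown on a group page, since those pages are rendered from exactly these relationship objects.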