How Techniques and Sub-Techniques are Being Used

00:00

This is module for lesson to research how techniques and sub techniques are being used and defensive operations for dealing with them.

00:12

So I have two objectives for this lesson.

00:15

Hopefully that you learn the approach for identifying how techniques and sub techniques are being used in relevant situations.

00:22

An understanding of how to research the associated defensive options for those techniques and sub techniques.

00:34

So research how techniques and sub techniques are used.

00:38

This is important in creating our defensive recommendations.

00:42

If we're taking a cyber threat intelligence approach, I want to make sure that the defensive recommendations we eventually come up with a line up with what the adversaries are actually doing.

00:53

This is getting down to the procedure level of how a technique is being used by an adversary.

01:00

So it's really important that as we create our defensive recommendations, if they actually overlap with what an adversary is doing, because it's entirely possible

01:10

that there are ways of doing a technique that have no relevance to how our adversaries are actually doing them.

01:17

So let's start with taking a look at the reporting that we pulled these techniques from the first place.

01:23

This is the A p. T 39 report

01:26

where

01:27

a P 39 leverages spear phishing emails with malicious attachments and or hyperlinks.

01:34

This is leading up to user execution both of malicious link and malicious attachment.

01:38

Okay, so spear fishing

01:42

going back to cobalt kitty

01:46

spear phishing emails. Links to malicious sites are weaponized word documents.

01:49

Okay, again, our user execution is coming from spearfishing,

01:56

so that's at least in the examples that we're looking at. It looks like spear fishing is going to be pretty important. Let's take a look at some broader examples.

02:06

This is the user execution technique page on Attack,

02:12

a P T. 32 spear phishing emails

02:15

empty 33 spear phishing emails, spear phishing emails,

02:22

links to your all hosting, malicious content,

02:24

emails, emails, spearfishing. And if you go through the rest of the procedure, examples in user execution. There's a theme here, over and over and over again. The way that adversaries are getting people to click on stuff is spearfishing, so whatever we do, it looks like it's going to be really important that it

02:45

is able to deal with spearfishing.

02:51

So when we know that we need to be able to deal with spearfishing. How do we pull together some of our options for dealing with user execution?

03:00

There are a lot of different sources out there that provide defensive information. It's index to attack. It's part of the value of putting your intelligence into attack in the first place.

03:12

I'll go through a few examples of where you can get data from attack itself.

03:16

So things like our data sources, uh, detection. We list mitigations on each technique. And then there are a lot of references on each technique and sub technique, which may have their own recommendations for how to deal with something.

03:32

We have our own analytic repository called the Car or Cyber Analytics repository, where we have specific analytics that are linked to a number of attack techniques for how to detect them in something like a SIM.

03:46

There are a number of other free resources out there, though that we have no role with that have taken attack, have mapped to it, have given a bunch of defense of recommendations just as a couple of examples of ones you can leverage for free Roberto Rodriguez threat hunter playbook,

04:02

Tommy threat coverage. But there are a number of other resources out there that are linked to attack these days.

04:12

And this is just a starting list. Absolutely. Supplement with your own research. Take a look at how technique looks in your own environment, the footprint it leaves

04:21

and how it is that you actually see it in your sensing

04:28

getting into some specific examples from attack.

04:31

So this is the high level technique user execution.

04:35

The first thing we told you to look at was data sources. And so this has all the data sources that are in the sub techniques

04:44

as well as the parent technique itself. So this suggests you might be able to look at in a virus process. Command line parameters process monitoring

04:51

as ways of seeing this activity.

04:56

You can also get into some of the specific data sources that might be useful to a sub technique. So taking a look at things like Web proxy

05:06

or some of the same text data sources that are going to be relevant to the parent.

05:16

Another section we suggested looking at his mitigations.

05:19

And so these are different ways of potentially stopping the activity from happening in the first place,

05:26

not just being able to detect it but prevent it.

05:30

So things like application control you may be able to only allow specific executed is that you're aware of to run in your environment, so things coming in from the outside via spearfishing wouldn't run.

05:44

It ranges from different technical sources, both network and host, based to things like user training,

05:51

teaching your users to identify spear, phishing emails, maybe a wave to keep them from clicking on them. Since that's the most common way they're coming in the door.

06:04

We also have given some ways to detect this activity,

06:09

so to be able to tell that it's happening at some different level.

06:14

So things like looking at the command line arguments, looking at how files are executed on a given system,

06:19

seeing things like compression applications being used to unpack unwrapped various pieces of malware coming in

06:27

using things like antivirus did just detect Mauer in the first place as well as other types of endpoint network sensing.

06:39

Mention the references on each of these pages to,

06:43

and so the different user execution pages have a ton of different references, coming both from procedure examples

06:50

as well as from the description of the technique itself.

06:56

And so each of these may have its own recommendations for how to actually detect the activity going on.

07:04

So taking these together and looking at some of the other resources that we mentioned, uh, we're starting to build up a list of defensive options, different things that we can do to have an impact on this adversary.

07:18

So, pulling from these sources, we've gathered user training,

07:23

got application control, stopping the execution of running block unknown files and transits to stop it at the email. Their network intrusion protection systems

07:33

file detonations, so putting it in the sandbox, executing and seeing how it runs.

07:39

If you dig into some of the external resources, you'll find that there are a couple different ways you can monitor command line arguments so you can enable and watch Windows Event Log 46 88. You can install system on on systems.

07:53

You can put antivirus on the various systems as well as more advanced endpoint sensing.

08:03

So in summary,

08:03

we have reviewed approach for identifying how techniques and sub techniques are being used in relevant use cases, so that we can later make sure that our defensive recommendations match up with our adversaries.

08:18

You're taking a look at some of the different places where you can pull in associated defensive options,

08:24

using attack techniques and sub techniques as a data as a starting point.

08:30

These are everything from attack data sources, detection, mitigations, references