Welcome to Lesson 2.2, Identifying and Researching Behaviors.
We'll kick off the mapping process in this lesson by walking through some examples of how to recognize behaviors in raw data.
Next, we'll move on to step two, researching the identified behaviors. In this step, we're also going to talk about the need for multiple data sources and the types of data sources that may contribute to your research.
Step one: finding the behavior. Walking through this data, we see a couple of commands captured by Sysmon
that are being run interactively via cmd.exe by an adversary.
Next, we have some data from a couple of flows, and this is from malware being run in a sandbox environment.
And finally, there are some registry keys that we're seeing being added during an incident.
All of these commands are being run by an adversary,
and each of them is possibly a behavior.
Some of the flows can be behaviors that we're actually seeing from the piece of software itself and the registry keys being added can be either a behavior coming from the adversary or the software.
So we're going to be researching these potential behaviors over the next couple of slides.
Our next step in the process is researching the behavior. Before we start looking into the potential behaviors that we just found in the raw data, I want to go into the analysis process for raw data a bit more.
Depending on your intel requirements and the kind of data you're reviewing, this step can mirror the approach to analyzing narrative reporting, but it can also present some different aspects.
As we discussed with the pros and cons of mapping from the two different sources in the last lesson, raw data can require a deeper level of expertise in order to follow what's happening in a specific data type.
So this can require that an analyst have experience in looking at network packets and forensic data, or in understanding what different Windows commands do.
So as you're working with raw data, you may realize that supplementary data sources are needed for you to glean enough context to understand what the behavior is.
This might require further queries, leveraging your incident responders, or collaborating with the analysts that are providing this data.
Also, in some cases, the research can be very straightforward: you might be able to quickly find some relevant results and additional insights on your favorite search engine, or you can search the ATT&CK website for a specific command. Often the description of the command will provide a good idea of what technique the behavior falls under.
Other times, it might be a little more difficult to determine a behavior, especially if a command line is complex and the context is sparse. In this case, unpacking the complexity means pulling in other data sources:
you might have to use a sandbox, perform further file analysis, or leverage a search engine to pull in that extra insight into the technical details.
So as we just discussed, researching potential behaviors from raw data on the ATT&CK website can often give us an idea of what the behavior is
and where we could likely map it. For example, if you start searching through the ATT&CK website for ipconfig /all,
it appears in one technique, specifically under a procedure example for System Network Configuration Discovery.
This provides a description of what's going on, and it can help us gain an understanding of what the adversary's goal is.
You might have an assessment of what technique that behavior is going to map to and what tactic it aligns with,
but it can also be a little more complex.
So the other command line that was in the data was running recycler.exe, and there were also some command line flags, and we see something with a .vsdx file. But there isn't necessarily enough detail right now.
So although we might be able to make an initial assessment of what one of the behaviors is,
more context is required at this step.
So we'll pull in and review another data source.
If we put this command into a sandbox and perform file analysis, we get the following output,
and it's likely looking more familiar. The output displays a banner that is showing us that this is RAR,
so an archiver.
At this point, we'll leverage a search engine for some additional research on the flags and to gain more insight into what's occurring.
After researching that -hp flag, we can determine that it's being used to compress and encrypt the file.
Now for the final piece of the puzzle, that .vsdx file.
So we're going to leverage the search engine again, and from the first result, we can see that it's a Visio file.
So we know that a Visio file is not going to be coming out of RAR.
So this actually provides us with some valuable context as to what's potentially happening.
From our research, we can deduce that someone is likely pretending that this compressed and encrypted information is a Visio diagram.
This could be an attempt to exfiltrate data, but some further details would be beneficial for our analysis, and we'll be discussing that in the next lesson.
So in Lesson 2.2, we walked through a couple of examples of identifying behaviors in raw data.
We discuss how to research the behaviors, highlighting that in many cases multiple data sources are going to be required,
and the next lesson will discuss how to translate behaviors into tactics, techniques and sub techniques.
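The step-one workflow above (pull the candidate behaviors out of raw events, then note what still has to be researched) can be scripted as a triage pass over Sysmon-style records. The following Python is an added example by the editor, not course material from MITRE or MAD. The events are constructed to resemble the lesson's data (the paths, the password and the Run key value are invented); `T1016` is the ATT&CK ID for System Network Configuration Discovery, which the lesson names but does not number; the "renamed archiver" and "non-archive extension" checks are the editor's heuristics for the recycler.exe / .vsdx case, not something the lesson prescribes; and the note that RAR's `-hp` switch encrypts file names as well as contents (whereas `-p` encrypts contents only) is from RAR's own switch documentation, not from the lesson.

```python
"""Triage raw Sysmon-style events into candidate behaviors plus research notes.
Added example for the lesson's step one; not part of the MAD course."""
import re
import shlex
from dataclasses import dataclass

# Constructed sample events (invented paths/password/Run key): two Sysmon
# Event ID 1 process-create records and one Event ID 13 registry-set record.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c ipconfig /all"},
    {"EventID": 1, "Image": r"C:\Users\Public\recycler.exe",
     "CommandLine": r"recycler.exe a -hpSecretPass -r "
                    r"C:\Users\Public\report.vsdx C:\Users\alice\Documents"},
    {"EventID": 13, "Details": r"C:\Users\Public\recycler.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Updater"},
]
ARCHIVE_EXTENSIONS = {".rar", ".zip", ".7z", ".tar", ".gz", ".cab"}
KNOWN_ARCHIVERS = {"rar.exe", "winrar.exe", "7z.exe", "7za.exe"}  # editor's list


@dataclass(frozen=True)
class Lead:
    source: str    # raw event type the lead came from
    observed: str  # exact string to take to ATT&CK, a search engine or a sandbox
    note: str      # why it looks like a behavior and what to research next


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _extension(path: str) -> str:
    name = _basename(path)
    return name[name.rfind("."):] if "." in name else ""


def leads_from_process_event(event: dict) -> list:
    cmd = event.get("CommandLine", "")
    image = _basename(event.get("Image", ""))
    try:
        tokens = shlex.split(cmd, posix=False)  # non-POSIX keeps backslashes intact
    except ValueError:
        tokens = cmd.split()
    lower = [t.lower() for t in tokens]
    leads = []
    # ipconfig /all is a procedure example under System Network Configuration
    # Discovery (T1016) on the ATT&CK site, as the lesson notes.
    if "/all" in lower and any(_basename(t) in ("ipconfig", "ipconfig.exe") for t in lower):
        leads.append(Lead("sysmon:1", "ipconfig /all",
                          "Procedure example under System Network Configuration "
                          "Discovery (T1016); discovery candidate."))
    # RAR-style 'a' (add) command with -hp<password>: compress and encrypt.
    # -hp also encrypts file headers (names), unlike -p which encrypts data only.
    hp = [t for t in tokens if t.lower().startswith("-hp")]
    if hp and "a" in lower:
        leads.append(Lead("sysmon:1", f"{image} a {hp[0][:3]}<password>",
                          "Archiver syntax with -hp: compress and encrypt; "
                          "confirm the binary is RAR via sandbox/file analysis."))
        if image not in KNOWN_ARCHIVERS:  # editor's heuristic for renamed tools
            leads.append(Lead("sysmon:1", image,
                              "Archiver flags from a binary not named like an "
                              "archiver: possibly renamed; check its banner."))
        # First non-switch argument after 'a' is the archive being written.
        targets = [t for t in tokens[lower.index("a") + 1:] if not t.startswith("-")]
        if targets and _extension(targets[0]) not in ARCHIVE_EXTENSIONS:
            leads.append(Lead("sysmon:1", targets[0],
                              f"Archive written as {_extension(targets[0])} (.vsdx is "
                              "Visio, not an archive type): disguise candidate."))
    return leads


def leads_from_registry_event(event: dict) -> list:
    target = event.get("TargetObject", "")
    # Run/RunOnce values are worth researching; the lesson's question applies:
    # was this set by the adversary or by the dropped software?
    if re.search(r"\\currentversion\\run(once)?\\", target, re.IGNORECASE):
        return [Lead("sysmon:13", target,
                     "Value added under a Run key; determine whether the "
                     "adversary or the software set it (persistence candidate).")]
    return []


def triage(events: list) -> list:
    leads = []
    for ev in events:
        if ev.get("EventID") == 1:
            leads.extend(leads_from_process_event(ev))
        elif ev.get("EventID") == 13:
            leads.extend(leads_from_registry_event(ev))
    return leads


if __name__ == "__main__":
    for lead in triage(SAMPLE_EVENTS):
        print(f"[{lead.source}] {lead.observed}\n    -> {lead.note}")
```

Running the script prints one lead per candidate behavior; the notes deliberately stop at "what to research next" rather than asserting a technique, since the lesson defers mapping to tactics and techniques to the next lesson and only the ipconfig /all lead is backed by an ATT&CK procedure example at this stage.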