Identifying Techniques or Sub-Techniques


Time
2 hours 24 minutes
Difficulty
Intermediate
CEU/CPE
3
Video Transcription
>> This is Module 1, Lesson 4, ATT&CK mapping process: identifying techniques or sub-techniques. In this lesson, we have three objectives. The first is to learn key strategies for identifying techniques and sub-techniques. We're going to go over some examples of working with these strategies with text from an actual report, as well as some of the external resources that you might use as you take a look at this. Our overall hope is that you get out of this the ability to identify techniques and sub-techniques in narrative reporting, so step 4 of the process we gave in Lesson 1.

On to step 4. This is often the hardest step in the mapping process that we gave in the first lesson. Techniques and sub-techniques are not always easy to identify. There are a lot of them in ATT&CK. The process we've gone through so far in the first few steps is in order to try to make this better. Also, some techniques may appear in ATT&CK multiple times. This is reflected throughout ATT&CK, where an adversary may be trying to do one of a couple of different things with a particular behavior. For example, Hijack Execution Flow and all of its sub-techniques fall under persistence, privilege escalation, and defense evasion, because there are a couple of different reasons why an adversary may actually use these behaviors.

Not every behavior that you're going to find in every report is necessarily a technique or sub-technique in ATT&CK. It may not be a match with the ATT&CK scope. It could be something outside of the technical space that ATT&CK lives in; it could be something more like just providing indicators of compromise to an analyst; and not every behavior that could be mapped is actually malicious activity by an adversary. Context can be key for determining this and taking a look at what it is the adversary is trying to accomplish. You can take a look at tools that the adversary is using, and whether it's actually hostile adversary usage. Are they trying to meet one of those tactics in ATT&CK?

It's also true that not every possible technique is documented. One of the goals of ATT&CK is to describe seen-in-the-wild adversary behaviors, and so for that reason, if it hasn't been given to us before from threat intelligence reporting or contributed to ATT&CK, it might not be in ATT&CK. Now, that said, if you are finding behaviors in reporting that are coming from actual adversaries and you're not finding them in ATT&CK, it might be a great opportunity to contribute those to us so they will be in ATT&CK in the future.

I'm going to get into three key strategies that you can use in order to try to find the specific technique and sub-technique to map to in ATT&CK. The first is to take what you've already been doing in the previous steps and look at the list of techniques and sub-techniques for the tactic or tactics you previously identified, because that'll get you down to a much smaller portion of ATT&CK. Second, get into a little bit of just searching the attack.mitre.org website directly. We have a lot of text in there, and it may help you key in on the specific technique or sub-technique that you're looking for. Finally, if that's not working, take a look at how ATT&CK actually is doing mappings. We have thousands of examples at this point of adversary behavior from reports mapped to ATT&CK. Just take a look at how we're actually doing that ourselves.

Strategy 1: taking a look at the list of techniques and sub-techniques in the tactic that you previously identified. As you take a look, you're going to find that ATT&CK these days actually has two levels of technique: techniques and sub-techniques. Now, sub-techniques are just more specific techniques. They have all the same fields, the same properties as techniques. But we recommend that as you're mapping to ATT&CK, you get down to the lowest level of detail that you're able to. That is, if there is both a technique and a sub-technique that applies, we recommend going down to the sub-technique. Take a look at the behaviors in the given tactic. It's going to give you a much smaller list of techniques and sub-techniques than you have looking at all of ATT&CK. Now, this is even more true in something like initial access or impact, where there are only a few techniques, but there are still quite a few if you're looking at something like defense evasion. As you go through, you can take a look at details that are in the first paragraph of each of the reports. Sometimes it may not make sense to go all the way down to the sub-technique at first; sometimes it may be that it's fairly obvious what technique applies, and then you need to open it up, take a look, and see if there are sub-techniques that actually match. Other times, if something really specifically maps to a given sub-technique, you may be able to go directly to that level. It may be that you're actually working your way back up, where you were first able to identify a sub-technique directly, and then work back up to the technique.

If that fails, if you're not finding what you're looking for in the tactic that you believe the adversary was doing, it might be worth looking across the entire ATT&CK website. We have a lot of text in ATT&CK that is both describing the adversary behavior itself, as well as a number of examples where we've mapped adversary behavior already to specific techniques. This can be things like just using your favorite search engine to search the attack.mitre.org website, or using Control-F keyword searches across different lists of techniques, looking for text in the technique name itself. You can also take a look at procedure-level details. In a lot of cases, we may have mapped something that came from very similar text to what you're looking for from the report you have, and it can be worth trying specific command strings. We have a lot of example commands in ATT&CK at this point; they may match up exactly with what you're seeing an adversary do.

If that fails, it may be worth backing up a step and taking a look at how we're actually mapping techniques to ATT&CK. If you get into some of the groups and software pages on ATT&CK, or techniques, and look at procedure examples, you can actually see some of how the ATT&CK team is taking details from reporting and mapping them to ATT&CK. It may be helpful to just take a look at how we're doing it, and it may be useful as a hint to take another direction forward.

Let's get into some examples of actually using some of these strategies. In that report that we've looked at in the previous lessons, we had a couple of these phrases in there that we've already highlighted: used email attachments, created scheduled task, installed tools. These are terms that you can search in ATT&CK and you'll find directly appearing in different techniques. For example, used email attachments. You'll find that directly in Phishing: Spearphishing Attachment, which is sub-technique 1566.001. If you look for create scheduled task, you'll find Scheduled Task/Job, T1053. Now, if you then go in and look at the sub-techniques of that technique, look at the details around create scheduled task, you'll find that you can probably get all the way down to T1053.005, another level down. Installed tools, again, you'll find directly in Ingress Tool Transfer, T1105.

If I search for SOCKS5 in ATT&CK, I may or may not find an appropriate matching technique. But if, for example, I look for just SOCKS, I come up right in Non-Application Layer Protocol, where we describe SOCKS as a non-application layer protocol. It is directly in the technique description itself. You also would have found it from the specific tactics that you've gotten down into. Again, it's a fairly direct finding. Maybe you're just looking across technique lists. One of the things we highlighted earlier was, establishes a SOCKS5 connection using TCP port 1913. Well, I want to see what using a port might actually be in ATT&CK. We've already figured out that that's command and control. Let's take a look at our technique list. If I look for port, I come up with Non-Standard Port and Port Knocking. If I get into the descriptions, this is not port knocking. Port knocking is when an adversary connects to a series of specific numbered ports, which opens a connection on the given system. Now, Non-Standard Port, on the other hand: we had already taken a look at 1913. We'd done some research. We recognized that it was not a normal port to be using, and this maps down to Non-Standard Port. From this one little phrase, we've actually been able to come up with two techniques: Non-Application Layer Protocol and Non-Standard Port.

Backing all the way up to that piece of the report that we started with here, we've got this: establishes a SOCKS5 connection using TCP port, where we've come up with tactics and techniques for that one little portion. Now, for now, let's check. Take a look through the rest of this, and see what techniques you're able to identify. Please pause the video, take a look, see what you're able to find, and in a minute, I'll give you what my answers would be.

Going back to the behaviors that we highlighted earlier in the module, we have a successful exploitation. We've given a user system access on the machine. This is privilege escalation: Exploitation for Privilege Escalation. We had that the malware is using command.exe in running a specific command. Well, the command.exe part you'll find directly in Command and Scripting Interpreter: Windows Command Shell, and the command that's being run is System Owner/User Discovery. Again, we can find Scheduled Task/Job: Scheduled Task, if we get into first the technique from the specific phrase and then get into the sub-technique that is Windows-specific.

How did you do? Hopefully, you've gotten some strategies out of this for identifying techniques and sub-techniques. We've taken a look at how we can actually apply those, dig some of the information out of the ATT&CK website, and some of the resources you might be able to use for doing this. We're giving you a little bit of practice identifying techniques and sub-techniques in narrative reporting. We'll get into some more practice on doing that in a moment.