Implementing TTPs Overview

Time
8 hours 5 minutes
Difficulty
Intermediate
CEU/CPE
9
Video Transcription
>> Hello, and welcome to Module 4, Implementing Adversary TTPs. We're going to kick things off with Lesson 4.1, Implementing TTPs Overview.

Let's talk about Module 4's objectives. First, we're going to explain the purpose of TTP implementations. Next, we're going to list key lab components so you understand what resources are needed to implement TTPs in a controlled manner. Finally, we will discuss and apply the TTP implementation process.

Now this module is built into two lessons and four labs. As we go forward, you'll learn that implementing adversary TTPs is inherently a hands-on technical activity. Therefore, we offer these labs so you can gain practical skills and experience implementing adversary TTPs.

For the remainder of this lesson, we're going to talk about what exactly a TTP implementation is. We'll then explore the different lab components you need to safely develop and implement adversary TTPs.

Now we know that fundamentally, we practice adversary emulation to assess and improve cybersecurity, but a very significant part of adversary emulation is implementing TTPs that are representative of real-world threats. Stated differently, TTP implementations are really what form the substance of adversary emulation. It's our TTPs that provide us a trusted means to execute adversary behaviors. They also enable us to tune network defenses around adversary behaviors as opposed to potentially fragile indicators of compromise. The key takeaway here is that implementing TTPs is how we start to actualize adversary emulation as a discipline.

We talked about why we implement TTPs. But what exactly is a TTP implementation and what does it look like? Very simply, a TTP implementation is a procedure for executing one or more adversary techniques. Furthermore, TTP implementations include all resources needed to execute the TTPs in a production environment. For example, your binaries, any needed scripts, commands, syntax, and so on.

Now this slide provides an example of a TTP implementation. You can see that it includes mappings to ATT&CK. It also lists the CTI this TTP is based on. We also list the required tool, nbtscan, which in this case is used for performing NetBIOS scans. Finally, this includes the procedure with command-line syntax and an example. This is a fairly complete example of a TTP implementation. However, I do want to add that this is not a particularly rigid format. You'll see that many projects actually have their own formats or ways of presenting this information. You can see some different examples by looking at other projects, for example, Atomic Red Team by Red Canary, MITRE's Caldera framework, and even SCYTHE's Community Threats, just so you can see some alternate examples.

Now we understand what a TTP implementation should look like. But what resources do we need to actually build and implement TTPs? At a minimum, you need a lab environment with test systems and necessary software. This is because we're going to be developing and testing cyber attacks. You don't want to be doing this development in a production network. Otherwise, you will likely start breaking things and will absolutely get into trouble.

Now, a good adversary emulation environment generally consists of three key components. We have the attack platform, which is basically our system that contains needed red team and development tools. We have our analysis platform, and this is the system that contains forensics tools needed to analyze our TTPs' behaviors and artifacts. Finally, we need test systems which we can actually deploy and execute our TTPs against. Those are the three key lab components. I'll add that a single component can occupy multiple roles. For example, your analysis platform can easily also double as a test system; likewise for the attack platform. Finally, your lab systems can certainly be physical on real hardware or virtual using a hypervisor like VirtualBox or VMware. These days you'll probably see that virtual labs are more convenient and also more cost-effective. That's what we'll be focusing on when we talk about implementing our own labs as part of this module.

On this slide, we provide an example of a minimal yet functional lab environment. It includes two systems: a Kali Linux virtual machine, which in this case is used as the attack platform, and also a Windows-based virtual machine, which in this case can be used for both your forensic analysis and also as a test system to deploy your TTPs against. I'll add that this lab environment is essentially what we use in this course. For example, if you've tried any of our hands-on labs up to this point, you might have seen that we have you operating from a Kali Linux VM as our attack platform and a Windows Server VM as both our forensics platform and our test system. This lab can be great if you're just trying to get into adversary emulation and maybe you don't have a lot of hardware or resources that you might need for a larger lab environment.

On this slide, we provide an example of a robust lab environment. This is representative of the types of labs we commonly stand up at MITRE for certain adversary emulation projects. You'll see that it includes two attack platforms, one Linux and one Windows. You'll also see that it includes two analysis platforms. You'll see FLARE VM, which is a Windows-based forensics platform provided by FireEye, and also REMnux, which is an open source Linux distro focused on malware analysis. We also have a test network environment which consists of a small Active Directory domain, a Linux server, various clients, and any other miscellaneous devices you might want to include as part of an engagement. Basically a lab like this gives you maximum utility. Of course, it does require significantly more hardware and compute resources than a small lab environment.

Now a quick story. One of the things I did just as a hobbyist or enthusiast is I wanted to stand up a lab like this without having to spend exorbitant sums of money. What I did is I purchased a refurbished server from one of the popular online refurbished computer stores. Basically it had a 12-core CPU, 64 gigabytes of RAM, and I paid about $300 US for it. In this example, that was basically enough compute resources for me to stand up a lab environment that looks like this diagram, and while $300 isn't necessarily cheap, it's definitely a lot more affordable than, say, a $10,000 enterprise server. That's basically one option for you to consider if you're wanting to stand up a robust lab environment on your own. I'll also add that I find it's a great exercise in itself to try and build a lab like this; you'll exercise a lot of sysadmin skills that can be very useful in your day-to-day work.

Here are some additional lab tips. First, if you're preparing for an engagement, you want to try to create labs that closely resemble the target network environment. These are exceptionally useful if later you need to test TTPs that may be risky or unstable in the production environment. I'll also add that sometimes network owners have their own dedicated test labs. These can be great if you want to run high-risk TTPs like encryption for impact without harming the production environment. You might also consider asking the network owner for gold images, basically their baseline for OS installations, so you can get a more representative target within your own lab environment. Finally, I recommend making copious use of virtual machine snapshots. Virtual machine snapshots give you a lot of freedom to experiment while still being able to revert your VM to a trusted and clean state.

That brings us to the Lesson 4.1 summary. During this lesson, we explained that TTP implementations include all procedures and resources necessary to execute adversary behaviors. We also explored the lab components necessary for implementing TTPs. These include an attack platform, an analysis platform, and test systems. In our next lesson, we'll talk about how we can put these concepts to use by exploring the TTP implementation process.
Up Next
Planning TTP Implementations (Lab 4.1 Overview)
10m
Planning TTP Implementations (Lab 4.1 Walkthrough)
30m
Implementing Adversary TTPs (Lab 4.2 Overview)
10m
Implementing Adversary TTPs (Lab 4.2 Walkthrough)
30m