Welcome to Module 3 of the ATT&CK-based SOC Assessments training course. In this module, we're going to talk about how you can synthesize a full ATT&CK-based SOC assessment, going beyond smaller technical analyses towards something that really looks at the SOC as a whole.
This module has one primary learning objective.
After the module, you should be able to put together the pieces to form a full ATT&CK-based SOC assessment and help a SOC orient its operations towards adopting a threat-informed defense.
In addition, we have several secondary objectives.
After this module, you should be able to prepare, conduct, and interpret the results from SOC interviews.
Additionally, you should know how to choose a heat map style and type to deliver results.
You should also be able to aggregate heat maps and interview results together, and lastly, after this module, you should understand the importance and types of recommendations for assessments.
With that, I will now turn it over to Clem, who will talk to us about how to conduct SOC interviews.
Hello, welcome to MITRE ATT&CK Defender, Assessments and Engineering, Lesson 3.1: Interviewing Staff.
The objectives of this lesson are to understand why interviews are important,
be able to prepare and conduct interviews with SOC staff,
and know how to process findings after an interview.
In this lesson, we will introduce the different types of interviews, discuss the structure and preparation of the interview, show you how to conduct the interview, and describe post-interview activities.
ATT&CK assessments are technical assessments, usually focused on gap analysis of the data collection, sensor grid, and analytics.
Not everything is captured in documentation, manuals, or dumps of configurations.
It is also important to understand the SOC's environment.
How is the SOC organized?
What is the business model?
What processes are in place?
What are the technical or operational constraints to be aware of?
This section will explore how interviews can be used in conducting an assessment and provide some suggestions and guidelines to help the assessor team avoid common pitfalls.
There are four phases of the interview process.
First is to identify the type of interview to conduct.
Next is to prepare the interview.
Then one conducts the interview,
and finally you process the interview findings.
One type of interview is to gather context or to frame the engagement.
This is typically done with the CISO, the SOC manager, or the project lead.
You will discuss the background for the project, the organizational context, and the priorities for the engagement.
The outcomes of that interview are to set expectations, define focus, and identify deliverables.
In technical interviews, one then talks to technical staff, shift leads, and various subject matter experts.
In these interviews, you'll discuss things such as network and IT architecture, and operational processes and procedures.
Common outcomes for these interviews are tool usage, technology deployment, threats, detection details, operational constraints, and pain points that SOC staff may encounter.
Preparing the interview: who to talk to.
SOCs, of course, come in different shapes and sizes.
Smaller SOCs tend to have staff who wear multiple hats.
Larger SOCs tend to have staff who have one clear focus.
Depending on the focus of the engagement, consider interviewing
Tier 1 monitoring staff and possibly shift leads,
Tier 2 analysts and/or subject matter experts such as in malware or forensics,
cyber threat intel analysts,
red teamers and cyber threat hunters,
and SIEM administrators and engineers.
You may also want to consider talking to groups outside of the SOC as well,
such as the network/firewall team, desktop support,
IT server administration,
and cloud services management.
These groups may well have important insights.
If some functions are outsourced, you may want to interview representatives from those service providers.
Preparing for the interview.
When conducting the interview, one typically has one person assigned to lead the interview, ask all the different questions, and focus the conversation.
It's important to have at least one designated note taker.
Other subject matter experts may attend, of course, but try not to gang up on the interviewee.
In person or remote: ideally, you'd conduct the interviews all in person.
However, that is not always practical, particularly in the days of COVID.
It is good to conduct interviews in person, or at least have one person present with the interviewees.
If you must do it all remotely, try to make use of your webcam if you can.
As you know, people get tired and SOCs are very busy, so respect their time and your own energy levels. Typically 45 to 90 minutes per session for each team suffices, and be sure to take breaks in between sessions.
Preparing the interview: setting it up, coordinating, and scheduling.
It's good to identify a customer point of contact who can help you work the details of scheduling.
You may also want to get admin support from your side for a large engagement.
Provide read-aheads for interviewers and interviewees.
It's good to do an initial data request if possible.
If available, obtain a copy of the CONOPS, org chart, role descriptions, etc.
Send along interview questions beforehand for the interviewees to digest.
Prepare yourself beforehand.
Build a list of questions you want to ask, but feel free to explore topics as they emerge.
If the interviews are conducted in person, you may want to have one or two days available and a dedicated conference room for drop-ins.
Conducting the interview: should you interview one person or multiple people at a time?
On the one hand, one can learn from inter-team or intra-team discussions.
On the other hand, one strong personality can tend to dominate a conversation.
Some things to keep in mind: for example, bosses in the room may stifle free conversation.
You may notice disagreements between contractors, or between contractors and staff.
Whatever the case, make sure to present yourself as an ally.
Conducting the interview: what to expect.
Some organizations may be more compliance-oriented versus threat-oriented.
Larger organizations with more discrete teams may be siloed or disconnected; groups may have a limited view of the greater organization, IT infrastructure, etc.
In smaller organizations, SOC staff may wear multiple hats and be resource-constrained.
There may be inconsistent deployments of sensors.
You may find incomplete collection of data from different sources.
There may be different monitoring requirements for different business units or parts of the architecture.
Not all components may be fully integrated or monitored by the SOC.
The organization may be transitioning to new products or solutions.
Conducting the interview: bias and perspective.
Understand that both interviewers and interviewees have them, and try to understand the perspectives of the teams you talk to, as well as your own perspectives and biases.
Try to remain neutral, particularly when interviewees have differences of opinion among themselves.
Try not to ask leading questions or promote favorite solutions.
Conducting the interview: starting off.
Perhaps have the main POC at the organization perform introductions.
If not, do the best you can, and remember, you're on their side.
Capture the attendees and their roles.
Share with the interviewees your understanding of their function or the technology in question, and that you want to confirm what you've learned so far, identify gaps and strengths that they know of, and drill down into deeper topics.
Work off a list of prepared questions when you can.
You may find that you need to reframe questions for a particular group's context.
Different organizations may use different terms, or even different teams may use different terms in the same organization.
This may be evident when people talk past each other.
Try to capture local jargon and terminology.
You may skip some questions if they are less relevant to the particular team you are interviewing.
When there is disagreement or ambiguity, probe further to identify the source or understand the competing viewpoints.
Describe a recent incident. How was that handled end to end? What is your team's role in this event?
What first triggered the response?
What were the follow-on activities?
Describe how new analytics are rolled out, in other words, how they're developed, tested, documented, etc.
What are the pain points you encounter in process X?
What would you like to see automated?
Be direct: ask specifically about ATT&CK techniques and tactics.
For example, what events or analytics would lead to detecting data exfiltration?
Post-interview hot wash: what to produce.
Assessor teams should write up and compare notes.
Do this as soon as possible, while they're fresh in your mind.
Notes may be cleaned up and captured formally as an appendix or as source material for the narrative in a report.
Capture conflicting reports or opinions between different teams, or between regular staff and management.
Try to capture those and understand their perspective.
Pursue follow-up questions to help get to ground truth.
Specifically, identify ATT&CK-related tidbits: are there any strengths, any particular gaps?
This is useful when compiling the final report.
Post-interview hot wash: typical outputs.
Typical outputs include
end-to-end process descriptions;
perceived strengths and gaps in capabilities, such as "it is very difficult to change a particular configuration in our environment";
priorities for threats, TTPs, or technical focus;
follow-on data requests, for example if additional sensors or data sources are identified;
additional insights into the enterprise architecture and practices, such as connectivity or outsourcing;
and which tools are really used versus shelfware.
Summary and takeaways.
Interviews are important: not everything is captured in documentation.
The interview process has four main steps: figuring out the type of interview you want to run, preparing the interview, conducting the interview, and processing the interview findings.
There are two main types of interviews: context and technical.
When preparing, identify the teams, create questions, and iron out logistics.
Be prepared when conducting the interview, but remember to be flexible.
Always capture interview notes as soon as possible after the interview.
Next up: communicating using ATT&CK heat maps.