Introduction: Bringing ATT&CK® into the SOC

00:00

welcome to the attack based stock assessments training course within the Minor Attack Defender program. My name is Andy Applebaum, and I'm going to be your instructor for this course.

00:10

To introduce this course, we're going to talk about how you can bring attack into the sock.

00:15

Many organizations have some kind of enterprise network performing an operational or business need, as well as a security operation center or sock that's protecting that network.

00:25

Additionally, a lot of socks and organizations as a home have noticed the attack framework is this useful framework that they can use to try to adopt a threatened form defense.

00:35

Unfortunately, it's not always exactly clear how an organization can look to and use the attack framework and really adopt it into their day to day operations.

00:45

To try to solve this, we developed a methodology to conduct what we call attack based stock assessments.

00:51

Where, and we have an assessment team analyze a target stock environment

00:55

to try to come up with a detection heat map that shows where the socks, strengths and weaknesses lie.

01:00

Yeah,

01:02

this course is designed to show you how to get that detection heat map from looking at the sock as well as the attack framework itself.

01:11

Walking away from the course, you should know how to look at your sock and what you should look for, how to map things in your sock to attack and how to recommend changes to align with the attack framework.

01:21

We assume from a knowledge perspective that you walk into this course with a good understanding of the attack framework itself, as well as some knowledge on how to use the attack navigator.

01:30

We also note that this course is designed from really a generic point of view, where you should be able to use these lessons regardless of where you sit within a sock, as well as if you're using this course as a learning path towards conducting a third party attack based stock assessment.

01:47

This course has five primary learning objectives.

01:49

After the course, you should number one know how sock technologies can map to the attack framework.

01:56

Number two. You should know how to walk through an attack based stock assessment.

02:00

You should also walk away knowing how to interview sock personnel about the attack framework with regards to how it fits into their operations,

02:08

and number four you should be able to effectively communicate findings using attack.

02:14

Lastly,

02:15

after this course, you should understand how to recommend changes to align with the

02:20

with the attack framework.

02:23

This course is laid out into three modules

02:24

and the first module. We're going to present an overview of attack based stock assessments walking through why you should conduct an attack based stock assessment, a methodology for assessments and then how to frame and scope and assessment

02:38

and module to. We're going to cover how to do the technical analysis of analyzing sock components with the attack framework.

02:45

Here we'll cover how to set a coverage rubric,

02:46

how to work with data sources, how to analyze analytics and then how to dive deep into tooling to understand how tools map back to the attack framework

02:58

and then the last module, we'll we'll put it all together and synthesize attack based stock assessments.

03:04

Here we'll cover how to interview staff, communicate with attack,

03:07

combine a final heat map and then propose recommendations.

03:14

Well now shift gears and dive into Module one and present an overview of attack based stock assessments.

03:21

This module has five primary learning objectives.

03:23

Number one After the module you should understand the importance and types of sock assessments.

03:29

You should also know the general methodology of how to conduct an attack based stock assessment.

03:35

Additionally, you should walk away knowing how to determine if an attack based stock assessment is appropriate for a given stock.

03:42

You should also be able to properly message an attack based stock assessment for a sock that's considering running one. And then, lastly, you should walk away knowing how to properly scope an assessment around the attack framework.

03:57

Well, now dive into Lesson one within module one on why we should conduct attack based stock assessments.

04:03

Oftentimes, we like to present this slide where we cover the core attack use cases when we're discussing attack

04:10

here we talk about detection, threaten intelligence, adversary emulation and, of course, assessments and engineering.

04:15

Diving deeper into assessments, a big part and the reason why we want to run an assessment so that we can understand our detection gaps

04:25

here. What we're going to do is take the attack framework and color coded based on some sort of measure of our ability to detect or mitigate the techniques in the framework.

04:34

In this example, we've used green to highlight techniques. We have high confidence. We could detect yellow to highlight techniques. We have some confidence we could detect and then low to highlight those techniques. We have low confidence we would be able to detect,

04:50

and there's a lot of reasons why we want to do this.

04:54

Understanding where our gaps are and really knowledge of your detection gaps

04:58

affords you a lot of things that you can do to better your socks.

05:02

Number one. It allows you to communicate your capabilities with a common reference always going back to your heat map of where your current coverages.

05:11

You can also use a heat map like this to inform your tooling purchases for the biggest return on investment, making sure you're buying a tool that remediated gaps, as opposed to buying a tool that

05:20

can potentially detect things you're already detecting.

05:24

You can also use this kind of heat map to identify data sources that you need for more enhanced detection and building on that to develop analytics to target the highest impact threats, referring back to where your gaps are to identify what those high impact threats might be

05:41

Now, when it comes to identifying detection gaps, there's two primary ways to do so.

05:46

The first is something that's hands on. This is something like penetration testing, red teaming adversary emulation. Here, you want to execute the techniques in your environment and then record. If you detect them or not,

05:59

the other approaches. Hands off. There's no execution here, just overview and analysis.

06:04

Here you look at your tools, the processes, procedures, the analytics, everything that you're running in a way that's only hands off, and you map each to the attack framework.

06:15

A hands on approach is really great because it gives you pinpoint accuracy by executing a technique and observing. If you if you actually detected it, you get some very good confidence on well, whether or not you can detect the technique,

06:29

however, it is often time consuming as well as invasive when running a hands on assessment.

06:34

Hands off assessment is great because it is minimally invasive. You don't actually interface with any systems. You're only analyzing things.

06:43

However, this comes at the cost of accuracy were really you're only able to get some approximate coverage.

06:48

One of the things in the middle of the road with a hands off assessment is that you often get a variable time investment.

06:54

It's not always as time consuming as a hands on assessment, but it really depends on how you want to scope the assessment that you're running.

07:01

Generally speaking, you should use a hands on assessment if you're running a smaller scoped exercise and need pinpoint accuracy. This is really great for analytic refinement.

07:12

By contrast, we recommend using a hands off assessment. If you want to paint broad strokes of coverage and you want a fast turnaround, this is great for like high level architecture and engineering.

07:21

In this lesson, we're primarily going to talk about the bottom one on running a hands off assessment

07:28

so that we can. We can really focus on painting broad strokes of coverage.

07:33

So a few summary notes and takeaways to close out this lesson

07:38

assessments allow you to do a variety of things, including communicate capabilities with a common reference.

07:44

Informed tooling purchases for the biggest return on investment,

07:47

identify data sources that can best enhance your detection capabilities

07:51

and, lastly, building off of data sources to develop analytics that target the highest impact threats.

07:59

Additionally, you can run assessments either in a hands off or hands on mode

08:03

hands on can be costly and time consuming, but they do offer a very high accuracy.

08:09

Hands off, by contrast, can be fast and minimally invasive but aren't always perfectly accurate