Introduction: Challenges, Advantages and the Process of Mapping to ATT&CK®


Time
2 hours 24 minutes
Difficulty
Intermediate
CEU/CPE
3
Video Transcription
>> Welcome to MITRE ATT&CK for Cyber Threat Intelligence Training. This is Module 0, introducing the training. I'm Adam Pennington, and I'll be your instructor for this part of the training. I lead MITRE ATT&CK and created the first version of this course, along with my former colleague, Katie Nickels. I've been around ATT&CK since its initial creation and even gathered much of the intelligence that was used in ATT&CK's first version. In my 12 years at MITRE, I've been largely focused on cyber threat intelligence and deception. I've been both the defender and the CTI analyst in multiple operations centers.

This module only has one lesson, where I'm introducing the training itself and going over a little bit about how ATT&CK can help with cyber threat intelligence.
This lesson has three objectives. I'm first going to go over the training goals for the overall course. I'm going to review how the training modules are laid out, and then I'm going to get into a little bit about how ATT&CK can help for cyber threat intelligence.

We have a number of goals that we're hoping you'll take away from this course. First is why ATT&CK is useful for cyber threat intelligence. We want you to have some understanding of why you might use it in the first place. How to map to ATT&CK from both narrative reporting and raw data. How do you get the intelligence that you have today into the language of ATT&CK? We want you to have an understanding of how to store and display ATT&CK-mapped data and what you should consider when you're actually doing that. We want you to have an understanding of how to perform cyber threat intelligence analysis using ATT&CK-mapped data. Finally, taking that intelligence, how to make defensive recommendations to your defenders.

You might notice that learning ATT&CK isn't in here, and we're assuming some knowledge of ATT&CK in this course. I'll get into some more resources for learning about it in Module 1, but you'll get a lot more out of this course if you complete our ATT&CK Fundamentals training or another method of learning about the structure and contents of ATT&CK first.
The way the rest of this course is laid out, we're currently in Module 0, where I'm introducing the training itself, and I'll get into a little bit about why ATT&CK is useful for cyber threat intelligence in a moment. In Module 1, I'll get into how to map to ATT&CK from narrative reporting: how to take the existing reporting you have today talking about adversaries and add ATT&CK to it. We'll then switch into mapping to ATT&CK from raw data. How can you take your reporting from malware analysis, your raw incident response data, and turn that into ATT&CK as well? Then move on in Module 3 into storing and analyzing ATT&CK-mapped intelligence. Once you have your intelligence leveraging ATT&CK, how can we actually store and make sense of it, be able to compare it, look at it in intelligent ways? Finally, we'll wrap up with making ATT&CK-mapped data actionable and how to give defensive recommendations to your defenders from this ATT&CK-mapped intelligence.
Before getting into ATT&CK, I wanted to take a moment to talk about what cyber threat intelligence is, since it's commonly misunderstood. Sergio Caltagirone, in a paper he wrote on industrial control system intelligence, gave a definition we like: "Threat intelligence is actionable knowledge and insight on adversaries and their malicious activities, enabling defenders and their organizations to reduce harm through better security decision-making." It's a great definition, and the only addition we might make to that is that it's actual knowledge and insight, but it's also the process of doing that.

From that definition, I'm going to talk about how ATT&CK can help with cyber threat intelligence. There are a couple of ways that we see that ATT&CK can help with cyber threat intelligence. You can use your knowledge of adversary behaviors that you're getting through ATT&CK to help inform defenders. You can also structure threat intelligence with ATT&CK. This allows us to do a couple of things. We can do things like compare behaviors between adversaries. We can say one threat group does a specific thing and another threat group does another set of behaviors, and look at them next to each other. We can compare a single group over time. We can say APT3 today is doing a particular behavior. What did they look like a year or two ago? How do they change over time? We can also compare groups to defenses. What is it that an adversary we really care about does, and how well do our defenses stack up to that adversary? It also lets us communicate in a common language, just to be able to talk to each other using the same language to talk about behavioral cyber threat intelligence.
When we say it allows you to communicate to defenders, CTI analysts might currently be saying this is what the adversary is doing: the run key is Adobe Updater. If they leverage ATT&CK, they can point at a specific ATT&CK technique, T1547.001, which is Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder. If the CTI analyst uses this common language, it means that the defender has a lot of resources they can look at to see if they might be able to detect it and how they might go about seeing this in the future.

We say that it allows people to communicate with each other. In existing reporting, we might have Company A saying APT Lee is using AutoRun, and Company B saying Fuzzy Duck used a run key. If they both leverage ATT&CK, they then have a common definition. Again, this is T1547.001. When both companies are using the same language, it means that cyber threat intelligence consumers understand what they mean by it.

In this lesson, we covered a couple of things. I went over the training goals for the overall course. I took a look at how the modules are going to be laid out for the rest of it. We also took a look at how ATT&CK can help with cyber threat intelligence by giving a common language and structure. This is just the beginning of our journey on working with ATT&CK for cyber threat intelligence, and next up, I'll be getting into how to map to ATT&CK from narrative reports.
This is Module 1, mapping to ATT&CK from narrative reports. In this module, we have four high-level objectives. First, to learn how to identify behaviors in narrative reporting. To understand how to translate those behaviors into ATT&CK tactics, techniques, and sub-techniques. I want you to get some practice mapping narrative reporting to ATT&CK. And I'm going to try to help you understand analyst and source bias and learn how to hedge against these.

We've broken up this module into six lessons. In this lesson, I'm going to be getting into the challenges, advantages, and the ATT&CK mapping process. Next, we're going to get into finding and researching behaviors in narrative reporting, how to translate those behaviors you find into ATT&CK tactics, and how to identify techniques and sub-techniques within those tactics from the reporting. I'm going to give you some practice mapping a narrative report to ATT&CK, and finally, I'm going to get a bit into how to hedge your biases that are likely to happen throughout this process.

This is our first lesson in the module, where we're getting into the challenges, advantages, and the process of mapping to ATT&CK. This lesson has three objectives. We'll help you understand the prerequisites for ATT&CK mapping. What is it you need to have in your toolkit, and what needs to be true about the reporting itself, for you to be likely to be able to map it to ATT&CK? I'm going to get a little bit into both the downsides and the upsides of mapping to ATT&CK. Finally, I'm going to go over the process that we're going to be using for the rest of this module for mapping from narrative reporting.
In order to get started with ATT&CK, there are a number of resources out there that might help you get going. We've created another course along with this one, called ATT&CK Fundamentals, that you can take, and it'll go over a lot of the structure and basics of MITRE ATT&CK. Among the team, we've put out a lot of presentations, like MITRE ATT&CK: The Play at Home Edition from Black Hat USA. On our website, we have things like our design and philosophy paper and a getting started page that has a lot of resources for getting going with ATT&CK. Even just something like reading the tactic descriptions: there are only 14 in Enterprise ATT&CK, and that can give you a much better idea of what's going to be in there as you dig in. You can pick at random and start skimming techniques and sub-techniques in ATT&CK, start reading the descriptions, look at what pieces are actually in there.

Once you're a bit more comfortable and you've gotten started with ATT&CK, you can also still challenge yourself to ongoing learning and discussion. Something we've seen some other teams do is, in their weekly meeting or something like that, learn a technique and associated sub-technique a week. Cover one little piece of ATT&CK. This can also be something you do as a team, going over techniques and sub-techniques, talking about them with another analyst or talking about them with the rest of your threat intelligence team.
When you're mapping to ATT&CK, there are both challenges and advantages that you're likely to gain from going through this process. Some of the challenges: mapping to ATT&CK requires a shift in thinking. If you're used to thinking about an adversary with a focus on indicators of compromise, talking about IP addresses and hashes, talking about behaviors instead can be a bit of a shift. ATT&CK is fairly big at this point. There are quite a few ATT&CK techniques and sub-techniques, and it can seem overwhelming just trying to consume it all at once. ATT&CK gets into the technical details of how an adversary is actually doing a particular behavior. This can get complex. It can be outside of your particular skill area, and so it can seem really complex.

We do think there are some advantages as well to working through this process. Working with behaviors and working with ATT&CK forces a shift in thinking. You end up actually thinking about behaviors, which can be a really good place to catch adversaries, instead of just looking at indicators. It can give you opportunities to discover new adversary techniques. In looking at behaviors, you may actually see things that even ATT&CK doesn't have yet. It can facilitate learning of the technical side. It can help you start to understand the technical basis for things that adversaries are doing.
With understanding ATT&CK being a prerequisite, we're going to go through the rest of this mapping process throughout the rest of this module. We're going to start with finding the behavior. How do we take our narrative reporting and recognize what is a behavior that likely would be found in ATT&CK in the first place? We're going to research that behavior. We want to understand a little bit about what it is the adversary is doing and why they're likely doing it, so that we can dive further into ATT&CK. We're going to translate that behavior into a tactic. We want to go through the 14 tactics of ATT&CK and figure out which one that adversary activity would likely fit into. We're next going to go one level deeper. We're going to try to identify techniques or sub-techniques for that particular behavior. Finally, we recommend comparing your results to other analysts'. It helps hedge against bias, and it gets you a better result in the end.

In this lesson, we've covered a couple of quick things. We've reviewed the prerequisites to ATT&CK mapping and some of the resources to help you get started with ATT&CK itself. We've talked about some of the challenges and corresponding advantages to doing this ATT&CK mapping process in the first place. Finally, I've given the ATT&CK mapping process that we're going to be using for the rest of this module for coming from narrative reporting.