Welcome to Mitre Attack for Cyber Threat Intelligence Training.
This is Module zero. Introducing the training.
I'm Adam Pennington and I'll be your instructor for this part of the training. I lied, miter attack and created the first version of this course, along with my former colleague Katie Nichols.
I've been around attacks since its initial creation and even gathered much of the intelligence that was used in attacks. First version.
In my 12 years at Mitre, I've been largely focused on cyber threat, intelligence and deception, and I've been both the defender and a CT analyst in multiple operations centers.
This module only has one lesson where I'm introducing the training itself
and going over a little bit about how attack can help with cyber threat intelligence.
This lesson is three objectives.
I'm first going to go over the training goals for the overall course.
I'm going to review how the training modules are laid out,
and then I'm going to get into a little bit about how attack can help for cyber threat intelligence.
So we have a number of goals that we're hoping you'll take away from this course.
First is why attack is useful for cyber threat Intelligence. We want you to have some understanding of why you might use it in the first place.
Had a map to attack from both narrative reporting and raw data.
How do you get the intelligence that you have today into language of attack?
I want you to have an understanding of how to restore and display attack map data and what you should consider. When you're actually doing that.
I want you to have an understanding of how to perform cyber threat intelligence analysis using attacked map data
and finally taking that intelligence how to make defensive recommendations to your defenders.
You might notice that learning attack isn't in here,
and we're assuming some knowledge of attacking this course. I'll get into some more resources for learning about it in module one. But you'll get a lot more out of this course if you complete our attack fundamentals, training or another method of learning about the structure and contents of attack first.
So the way the rest of this course is laid out, we're currently in module zero, where I'm introducing the training itself and I'll get into a little bit about why attack is useful for cyber threat intelligence in a moment
and module one, I'll get into how to map to attack from narrative reporting. How to take the existing reporting you have today talking about adversaries and add attack to it.
Well, then switch into mapping to attack from raw data.
How can you take your reporting from malware analysis your raw incident response data and turn that into attack as well,
Then move on in module three into storing and analyzing attack Mapped intelligence.
Once you have your intelligence leveraging attack,
how can we actually store it and make sense of it? Be able to compare it. Look at it in intelligent ways.
Finally, we'll wrap up with making attack map data actionable and how to give defensive recommendations to your defenders from this attack Mapped intelligence
Before getting into attack. I wanted to take a moment to talk about what is cyber threat intelligence, since it's commonly misunderstood.
Sergio Couch Gerani, in a paper he wrote on Industrial Control System Intelligence, give a definition we like
threat. Intelligence is actionable knowledge and insight on adversaries and their militias activities, enabling defenders in their organizations to reduce harm through better security decision making.
It's a great definition, and the only edition we might make to that
is that it's actual knowledge and insight. But it's also the process of doing that.
From that definition. I'm going to talk about how attack can help with cyber threat intelligence.
There's a couple ways that we see that attack can help with cyber threat intelligence.
You can use your knowledge of adversary behaviors that you're getting through attack. To help inform defenders.
You can also structure threat intelligence with attack.
This allows us to do a couple of things
so we can do things like compare behaviors between adversaries
so we can say one threat group does a specific thing. Another threat group does another set of behaviors and look at them next to each other.
We can compare a single group over time so we can say a PT three today is doing a particular behavior. What did they look like a year or two ago? How do they change over time?
We can also compare groups to defenses. So what is it that an adversary really care about Does and how well do our defenses stack up to that adversary?
It also lets us communicate in a common language just to be able to talk to each other, using the same language to talk about behavioral, cyber threat intelligence.
So when we say it allows you to communicate the defenders,
C T I analysts might currently be saying this is what the adversary is doing. The run key is Adobe Update er.
If they leverage attack, they can point at a specific attack technique t 15 47.1
which is Buddha Log and Auto start Execution Register Run Keys Startup folder.
If the CT I analyst uses this common language, it means that the defender has a lot of resources they can look at to see if they might be able to detect it. And how might they go about seeing this in the future?
We say that it allows people to communicate with each other and existing reporting. We might have company a saying. A PT lead is using Auto Run and Company B, saying fuzzy duck used to run king.
If they both leverage attack,
they then have a common definition. Again, this is T 15, 47 01
and when both companies are using the same language. It means that cyber threat intelligence consumers
understand what they mean by it.
In this lesson, we covered a couple things.
I went over the training goals for the overall course.
I took a look at how the modules are going to be laid out for the rest of it,
And we also took a look at how attack can help with cyber threat intelligence by giving a common language and structure.
This is just the beginning of our journey on working with Attack for Cyber Threat Intelligence,
and next up, I'll be getting into how to map to attack from narrative reports.
This is Module one Mapping to attack from narrative reports
This module we have four high level objectives.
First, to learn how to identify behaviors in narrative reporting.
To understand how to translate those behaviors into attack tactics, techniques and sub techniques.
I want you to get some practice mapping narrative reporting to attack.
I'm going to try to help you understand analysts and source bias and learn how to hedge against these.
We've broken up this module into six lessons.
In this lesson. I'm going to be getting into the challenges, advantages and the attack mapping process
next, going to get into finding and researching behaviors and narrative reporting.
How to translate those behaviors you find into attack tactics,
how to identify techniques and sub techniques within those tactics. From the reporting,
I'm going to give you some practice mapping a narrative report to attack.
And finally, I'm going to get a bit into how to hedge your biases that are likely to happen throughout this process.
This is our first lesson. The module getting into the challenges, advantages and the process of mapping to attack
this lesson have three objectives.
We'll help you understand the prerequisites for attack mapping. What is it you need to have in your toolkit
and what needs to be true about the reporting itself? For you to be likely to be able to map it to attack,
I'm going to get a little bit into both the down and the upsides of mapping to attack.
And finally I'm going to go over the process that we're going to be using for the rest of this module for mapping to narrative reporting
in order to get started with attack. There are a number of resources out there that might help you get going.
We've created another course along with this one called Attack Fundamentals that you can take that will go over a lot of the structure. In basics of minor attack
among the team, we've put out a lot of presentations like Might Attack the Plate Home Edition from Black Hat USA
On our website, we have things like our design and philosophy paper and getting started page. There's a lot of resources for getting going with attack,
even just something like reading the tactic descriptions. There are only 14 in enterprise attack,
and that can give you a much better idea of what's going to be in there. As you dig in,
you can pick at random and start skimming techniques and sub techniques and attacks. Start reading the descriptions. Look at what kinds of pieces are actually in there,
and once you're a bit more comfortable and you've gotten started with attack, you can also still challenge yourself to ongoing learning and discussion.
Something we've seen some other teams do is to in their weekly meeting or something like that. Learn a technique and associated sub technique a week, so cover one little piece of attack
this can also be something you do as a team. So going over techniques and sub techniques, uh, talking about with another analysts are talking about with the rest of your threat intelligence team
When you're mapping to attack, there are both challenges and advantages that you're likely to gain from going through this process.
So some of the challenges
mapping to attack requires a shift in thinking. If you're used to thinking about a focus on an adversary as indicators of compromise, you know, talking about I p addresses hashes. Talking about behaviors instead can be a bit of a shift.
Attack is fairly big at this point. There are quite a few attack techniques and sub techniques, and it can seem overwhelming, just trying to consume it all at once.
Attack gets into the technical details of how a adversary is actually doing a particular behavior.
This can get complex. It can be outside of your particular skill area. Uh, and so it can seem really complex.
We do think there are some advantages as well as working through this process,
working with behaviors and working with attack forces. A shift in thinking
you end up actually thinking about behaviors, which can be a really good place to catch adversaries. Instead of just looking at indicators,
it can give you opportunity to discover new adversary techniques and looking at behaviors. You may actually see things that even attack doesn't have yet,
and it can facilitate learning the technical side so I can help you start to understand the technical basis for things that adversaries are doing.
So with understanding attack being a prerequisite,
we're going to go through the rest of this mapping process throughout the rest of this module,
going to start with finding the behavior.
How do we take our narrative reporting
and recognize what is behavior that likely would be found an attack in the first place?
We're going to research that behavior. We want to understand a little bit about
what it is the adversaries doing, why they're likely doing it so that we can dive further into attack.
We're going to translate that behavior into a tactic. So we want to go through the 14 tactics of attack
and figure out which one that adversary activity would likely fit into.
We're not going to go one level deeper. We're going to try to identify techniques or sub techniques for that particular behavior.
And finally we recommend comparing your results to other analysts. It helps hedge against bias, and it gets you a better result in the end.
So this lesson we've covered a couple of quick things
reviewed the prerequisites to attack mapping
and some of the resources to help you get started with attack itself.
We've talked about some of the challenges and corresponding advantages to doing this attack mapping process in the first place.
And finally, I've given the attack mapping process that we're going to be using for the rest of this module for coming from a narrative reporting.