Introduction to ATT&CK®


Time
1 hour
Difficulty
Beginner
CEU/CPE
2
Video Transcription
00:01
>> Hello, and welcome to ATT&CK Fundamentals. My name is Jamie Williams and I will be your host and instructor. This course will serve as the first and fundamental piece of the MITRE ATT&CK Defenders series, where we will explore how ATT&CK and a threat-informed mindset can help focus our efforts towards understanding, and more importantly, improving how our defenses fare against real-world cyber adversaries.

This course will be all about ATT&CK, specifically, how we can use ATT&CK to model the behaviors performed by adversaries as well as how we apply this knowledge to the various defensive cybersecurity practices and operations we perform every day. This course is designed for anyone interested in or already involved in threat modeling. By the end of the course, you'll have a better understanding of the structure and philosophy that continually shapes ATT&CK, be able to identify available ATT&CK resources and operational use cases, and have a better recognition of how ATT&CK empowers defenders through understanding of threats.

This course is split into three modules. The first focuses on understanding ATT&CK. In Module 2, we will explore the benefits of using ATT&CK, and finally, in Module 3, we will dive lightly into the various ways we can operationalize the knowledge captured in ATT&CK.

Welcome to Module 1. This module is split into eight lessons which all focus on the central theme of understanding ATT&CK. Specifically, we will explore what data goes into ATT&CK, how that data is structured and formatted, as well as how ATT&CK grows over time. Without further ado, let's dive in.

Welcome to Module 1, Lesson 1: Introduction to ATT&CK. In this lesson, we will explore the background and motivation behind ATT&CK, begin to identify what information is captured within ATT&CK, and start to build a recognition and appreciation for the structure of ATT&CK.

Cyber threats are out there, whether in the form of malware or threat actors. As defenders, the ability to observe and adapt to these threats is vital. This process begins by asking tough questions, such as, how will these adversaries target us, and what will they do after they get access to our networks? This is where ATT&CK comes in. ATT&CK is our knowledge base of adversary behaviors based on real-world observations. What I mean by this is that the inputs to ATT&CK are publicly available Cyber Threat Intelligence describing campaigns, actions, and behaviors performed by real-world adversaries. ATT&CK is also free, open, and globally accessible, meaning that anyone can consume the information of ATT&CK as well as contribute information back to help us grow and expand the model.

A great way to start thinking about the information captured in ATT&CK is through David Bianco's Pyramid of Pain. This model describes the hierarchy in various levels and types of indicators of compromise, or IOCs, that we can use to describe adversaries. In this case, every layer and level of the model has a different value of the IOCs, particularly related to how much pain it inflicts on the adversaries as defenders are targeting them at that level of abstraction. As we can see, levels at the bottom of the pyramid, such as hash values and IP addresses, aren't going to inflict much pain back to the adversary, and these are easy or even trivial values to change, especially compared to those at the top of the pyramid, such as TTPs. This is where ATT&CK tends to focus its attention. Actually, ATT&CK expands on the idea of TTPs and captures them within the model, particularly the tactics, techniques, sub-techniques, and procedures executed by real-world adversaries.

The rest of the lessons in this module will dive into this structure, and I'll show you how the TTPs are captured within ATT&CK. Particularly, we'll cover matrices and platforms; tactics, techniques and sub-techniques; metadata associated with these techniques and sub-techniques, such as mitigations, data sources, and detection, which are vital for defenders; how techniques and sub-techniques are related to the groups and software that perform and/or execute these behaviors; and finally, how ATT&CK grows and evolves over time. By the end, you'll have an appreciation for the structure of ATT&CK and how the various objects interrelate, and also be able to apply them to real-world use cases such as APT28 accessing credentials using Mimikatz to dump LSASS memory.

With that, we reach our first knowledge check. ATT&CK is primarily informed by which of the following sources? Please pause the video and take some time to think about and select the correct answer. In this case, the correct answer was A: ATT&CK is primarily informed by what has been seen in operational use by the broader community.

With that, we've reached the end of Lesson 1. In summary, ATT&CK was developed to address the need to document and understand adversary behaviors and is built on publicly reported Cyber Threat Intelligence. The ATT&CK model was designed to connect tactics, techniques, and procedures to the threat actors and malware that perform them.