Hello and welcome to ATT&CK Fundamentals. My name is Jamie Williams, and I will be your host and instructor.
This course will serve as the first and fundamental piece of the MITRE ATT&CK Defender series, where we will explore how ATT&CK and a threat-informed mindset can help focus our efforts towards understanding and, more importantly, improving how our defenses fare against real-world cyber adversaries.
This course will be all about ATT&CK: specifically, how we can use ATT&CK to model the behaviors performed by adversaries, as well as how we apply this knowledge to the various defensive cybersecurity practices and operations we perform every day.
This course is designed for anyone interested in, or already involved in, threat modeling.
By the end of the course, you will have a better understanding of the structure and philosophy that continually shapes ATT&CK, be able to identify available ATT&CK resources and operational use cases, and have a better recognition of how ATT&CK empowers defenders through understanding our threats.
This course is split into three modules. The first focuses on understanding ATT&CK;
in Module Two we'll explore the benefits of using ATT&CK; and finally, in Module Three, we'll dive lightly into the various ways we can operationalize the knowledge captured in ATT&CK.
Welcome to Module One. This module is split into eight lessons, which all focus on the central theme of understanding ATT&CK.
Specifically, we will explore what data goes into ATT&CK, how that data is structured and formatted, as well as how ATT&CK grows over time.
Without further ado, let's dive in.
Welcome to Module One, Lesson One: Introduction to ATT&CK.
In this lesson, we will explore the background and motivation behind ATT&CK,
begin to identify what information is captured within ATT&CK,
and start to build a recognition and appreciation for the structure of ATT&CK.
Cyber threats are out there,
whether in the form of malware or threat actors. As defenders, the ability to observe and adapt to these threats is vital,
and this process begins by asking tough questions such as: How will these adversaries target us? And what will they do after they get access to our networks?
This is where ATT&CK comes in. ATT&CK is our knowledge base of adversary behaviors, based on real-world observations.
What I mean by this is that the inputs to ATT&CK are publicly available cyber threat intelligence describing campaigns, actions and behaviors performed by real-world adversaries.
ATT&CK is also free, open and globally accessible, meaning that anyone can consume the information in ATT&CK as well as contribute information back to help us grow and expand the model.
A great way to start thinking about the information captured in ATT&CK is through David Bianco's Pyramid of Pain,
which describes a hierarchy of the various levels and types of indicators of compromise, or IOCs, that we can use to describe adversaries.
In this model, every layer and level
has a different value, particularly related to how much pain it inflicts on the adversary if defenders target them at that level of abstraction.
Levels at the bottom of the pyramid, such as hash values and IP addresses, while prevalent, don't inflict much pain
on the adversary, as these are easy or even trivial values to change,
especially compared to those at the top of the pyramid, such as TTPs.
This is where ATT&CK focuses its attention.
In fact, ATT&CK expands on the idea of TTPs and captures them within the model,
particularly the tactics, techniques, sub-techniques and procedures
executed by real-world adversaries.
In the rest of the lessons in this module, we'll dive into this structure, and I'll show you how these TTPs are captured within ATT&CK.
In particular, we'll cover:
matrices and platforms;
techniques and sub-techniques;
metadata associated with these techniques and sub-techniques, such as mitigations, data sources and detections, which are vital for defenders;
how techniques and sub-techniques are related to the groups and software that perform or execute these behaviors;
and, finally, how ATT&CK grows and evolves over time.
By the end, you'll have an appreciation for the structure of ATT&CK and how the various objects in it relate,
and also be able to apply them to real-world use cases, such as APT28
accessing credentials by using Mimikatz to dump LSASS memory.
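To make the object types named above concrete, here is an added example (not code from the course or from MITRE) that builds a tiny, constructed subset of the Enterprise knowledge base in the same shape ATT&CK publishes it: a set of objects (tactic, technique, sub-technique, group, software, mitigation, data component) plus typed relationships between them. The IDs are the public ATT&CK IDs for the use case the lesson mentions (APT28 is G0007, Mimikatz is S0002, OS Credential Dumping: LSASS Memory is T1003.001 under tactic TA0006); the relationship descriptions, which stand in for ATT&CK's procedure examples, are paraphrased placeholders written for this example, not quotations from the knowledge base. The code then answers the questions a defender asks of the model: which techniques does this group use (directly or through its tooling), which tactic and parent technique does a sub-technique belong to, what mitigations and data components are attached to it, and what a platform-specific matrix looks like.

```python
# Added example: a constructed subset of ATT&CK Enterprise, laid out as ATT&CK
# publishes it (STIX-style objects plus 'uses' / 'mitigates' / 'detects' edges).
# IDs are the real public ATT&CK IDs; descriptions are paraphrased placeholders.
from collections import defaultdict

OBJECTS = [
    {"type": "x-mitre-tactic", "id": "TA0006", "name": "Credential Access",
     "shortname": "credential-access"},
    {"type": "attack-pattern", "id": "T1003", "name": "OS Credential Dumping",
     "tactics": ["credential-access"], "platforms": ["Windows", "Linux", "macOS"]},
    {"type": "attack-pattern", "id": "T1003.001", "name": "LSASS Memory",
     "tactics": ["credential-access"], "platforms": ["Windows"]},
    {"type": "intrusion-set", "id": "G0007", "name": "APT28"},
    {"type": "tool", "id": "S0002", "name": "Mimikatz"},
    {"type": "course-of-action", "id": "M1043", "name": "Credential Access Protection"},
    {"type": "x-mitre-data-component", "id": "DS0009", "name": "Process: Process Access"},
]

# (source, relationship_type, target, description). In ATT&CK the description on
# a 'uses' edge is the procedure example; these texts are constructed placeholders.
RELATIONSHIPS = [
    ("T1003.001", "subtechnique-of", "T1003", ""),
    ("G0007", "uses", "S0002", "APT28 has used Mimikatz (placeholder text)."),
    ("S0002", "uses", "T1003.001", "Mimikatz reads credential material from LSASS memory (placeholder text)."),
    ("G0007", "uses", "T1003.001", "APT28 has used Mimikatz to dump LSASS memory (placeholder text)."),
    ("M1043", "mitigates", "T1003.001", "Restrict access to LSASS memory (placeholder text)."),
    ("DS0009", "detects", "T1003.001", "Monitor unusual handle opens on lsass.exe (placeholder text)."),
]

INDEX = {o["id"]: o for o in OBJECTS}
OUT = defaultdict(list)   # source id -> [(rel_type, target id, description)]
IN = defaultdict(list)    # target id -> [(rel_type, source id, description)]
for src, rel, dst, desc in RELATIONSHIPS:
    OUT[src].append((rel, dst, desc))
    IN[dst].append((rel, src, desc))


def name(obj_id):
    return INDEX[obj_id]["name"]


def techniques_used_by(actor_id):
    """Techniques a group or software uses, directly or via software it uses."""
    found = set()
    for rel, target, _ in OUT[actor_id]:
        if rel != "uses":
            continue
        if INDEX[target]["type"] == "attack-pattern":
            found.add(target)
        else:                       # tool / malware: follow its own 'uses' edges
            found |= techniques_used_by(target)
    return found


def parent_technique(technique_id):
    """Parent of a sub-technique, or None for a top-level technique."""
    for rel, target, _ in OUT[technique_id]:
        if rel == "subtechnique-of":
            return target
    return None


def tactics_of(technique_id):
    """Tactic names a technique is listed under (the matrix columns it sits in)."""
    short = set(INDEX[technique_id]["tactics"])
    return sorted(o["name"] for o in OBJECTS
                  if o["type"] == "x-mitre-tactic" and o["shortname"] in short)


def procedure_examples(technique_id):
    """(actor name, description) for every 'uses' edge pointing at a technique."""
    return [(name(src), desc) for rel, src, desc in IN[technique_id] if rel == "uses"]


def defender_view(technique_id):
    """Mitigation and data-component IDs attached to a technique."""
    return {
        "mitigations": sorted(src for rel, src, _ in IN[technique_id] if rel == "mitigates"),
        "data_components": sorted(src for rel, src, _ in IN[technique_id] if rel == "detects"),
    }


def matrix(platform):
    """Tactic -> technique IDs for one platform: the view an ATT&CK matrix renders."""
    cells = defaultdict(list)
    for o in OBJECTS:
        if o["type"] == "attack-pattern" and platform in o["platforms"]:
            for tactic in tactics_of(o["id"]):
                cells[tactic].append(o["id"])
    return {tactic: sorted(ids) for tactic, ids in cells.items()}


if __name__ == "__main__":
    for tech in sorted(techniques_used_by("G0007")):
        print(name("G0007"), "->", tech, name(tech), tactics_of(tech),
              "parent:", parent_technique(tech))
        for actor, desc in procedure_examples(tech):
            print("  procedure:", actor, "-", desc)
        print("  defender view:", defender_view(tech))
    print("Windows matrix:", matrix("Windows"))
```

The real knowledge base is published as STIX 2 JSON with the same object and relationship types (tactics, attack-patterns, intrusion-sets, tools and malware, courses of action, data components, and `uses`/`mitigates`/`detects`/`subtechnique-of` relationships), so the traversals above carry over to the full data once it is loaded; only the small constructed sample would be replaced.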
And with that, we reach our first knowledge check.
ATT&CK is primarily informed by which of the following sources?
Please pause the video and take some time to think about and select the correct answer.
In this case, the correct answer is A: ATT&CK is primarily informed by what has been seen in operational use by the broader community.
And with that, we reach the end of Lesson One.
In summary, ATT&CK was developed to address the need to document and understand adversary behaviors, and is built on publicly reported cyber threat intelligence.
The ATT&CK model was designed to connect tactics, techniques and procedures to the threat actors and malware that performed them.