Leveraging External Resources for Data Requirements

Video Activity

Time: 3 hours 22 minutes
Difficulty: Intermediate
CEU/CPE: 4
Video Transcription
00:00
>> Hello and welcome to Lesson 3.3, Leveraging External Resources. In this lesson, we will discuss considerations for using publicly available resources and describe the role of ATT&CK data sources. We will also describe the necessity of review and validation of public resources.

Recall from Module 2 that we observed several useful events listed on the ATT&CK page for the scheduled tasks technique. Another resource available via ATT&CK is the ATT&CK data sources, which, as mentioned in a previous lesson, represent the various subjects and topics of information that can be collected by sensors and logs, and include data components, which identify specific properties and values of a data source relevant to detecting the technique. Here we can see that the useful event that we've been investigating, Event 4698, is listed as a source for detecting scheduled task creation, amongst other sources for other platforms.

ATT&CK data sources can be a useful starting point to give a high-level overview of what data is needed to detect the technique. It's especially useful to help you evaluate your detection approaches and data sources for applicability to your environment. Keep in mind that data sources are not the 100 percent solution, and individual research is still required. If you do find information that helps fill a gap in the data sources knowledge base, please share your findings, as ATT&CK encourages contributions from the community.

Publicly available analytics can also be a good starting point to understand relevant data sources. In this case, we're looking at analytics for the Scheduled Task/Job technique, specifically the Scheduled Tasks sub-technique. The first analytic here, from Sigma, uses Windows Event ID 106 from the TaskScheduler service. This event occurs on Windows 7 and Server 2008 R2. This next CAR analytic uses process creation, which we know can come from Sysmon Event 1 or Windows Event 4688, and isn't specific to scheduled tasks. The third analytic is from Elastic. It uses a DLL, a process creation event, and a registry event. Another Sigma analytic looking for the same behavior uses the 4698 event that we've talked about previously.

Recall from a few slides ago that ATT&CK sometimes lists event logs and other specific data sources of interest. In this example, it has the event IDs that we found in our open-source research, but that will not always be the case. That's why it's important to be thorough in researching what data might be relevant, and not just assume that a single source will provide comprehensive data. There are other data sources, like vendor documentation and blog posts and reports from the security community, that should be reviewed as well. In these examples, we looked at Windows Event IDs, but as ATT&CK notes, file creation events, registry keys, and network data are also relevant data sources.

In summary, public documentation such as ATT&CK data sources and open-source analytics can provide insight into relevant data sources to support previously generated hypotheses.

With that, we've reached the conclusion of Module 3. To summarize what we've learned so far: while researching data sources, you may come up with additional hypotheses or abstract analytics, which may be for the same technique that you are already researching or for a related technique that we haven't examined yet. This may cause you to revisit previous steps to create or refine questions that you're asking of the data. It's critical to ensure that hypotheses are driving data requirements and not the other way around. At the end of this step, you should have a set of data requirements down to the field level for your abstract analytics.