Make Defensive Recommendations

00:01

This is module for lesson for make defensive recommendations.

00:08

You've got three objectives in this lesson

00:12

going to get into some of the different types of defensive recommendations.

00:17

Talk a little bit about how to prioritize recommendations, and we're going to have you go through an exercise where you're actually making defensive recommendations.

00:30

So we're now at Step five. We're in the homestretch

00:33

of actually making defensive recommendations.

00:37

So it's important to consider through all of this

00:41

that you don't just think about technical. Think about new sensors

00:47

that recommendations can be strategic. They can be policy related, operational, tactical

00:54

or even making a decision to accept risk.

00:59

Who the recommendations are for is going to vary based on your organization's. So it's very important to think about

01:07

who is your audience for your recommendations. Is it management? Is your your security operations center? Is that information technology or are you the cyber Threat Intelligence shop and you're making recommendations to all of the above.

01:22

So we've gone through a bunch of different defensive options where you're getting them from ways to to take a look at them. Look at some of the pros and cons,

01:33

and so some of the potential recommendation types that are coming out of this and may come from your own research.

01:40

So the sort of obvious is the technical.

01:42

This could be collecting new data source.

01:46

Write a detection or an analytic from existing data,

01:49

change it configure, make an engineering change

01:53

or potentially implementing new tool. And we've talked about a little bit of some specific ways of doing. Each one of those over the course is module.

02:02

Yeah,

02:04

but there are options definitely beyond the technical.

02:07

So there are things like policy changes. Some examples we've gone through in terms of requiring more training are more of a policy change. Or it could be policy change on terms of what's allowed in a given organization.

02:22

There's always the possibility that the correct answer is accept risk. So we've determined that a technique is a priority for us.

02:30

We've looked at the pros and cons. We've looked at our options, we've weighed them,

02:37

and our final answer may be that

02:39

it is either undetectable, unmitigated ble or it's not worth the trade off

02:46

that all of the options we have on the table are are beyond what we're willing to accept and that we we've decided to accept the risk of that technique happening,

02:59

So to give some specific example. So we've We've talked about user execution throughout this. So maybe we we come down to a policy recommendation, so we'll tackle them via user training. You know, we've we've got this highly technical workforce

03:15

will work with them, will help make them into better sensors against malicious emails.

03:22

But so there are other types of techniques and attack or that may come up in your prioritization. So, for example, if we're working from supply chain compromise and pos boot component firmware,

03:37

these can be really hard techniques, really expensive techniques to potentially mitigate and detect.

03:44

And so maybe we have stuff that is a priority to us.

03:49

But after we take a look, it's beyond our capability or beyond our resources

03:53

to stop or detect. And so we have to accept the risk that, you know, we're going to move on with our lives, and it might happen.

04:08

So we've given this example. We've gone through and taking a look at user execution.

04:15

So we can now take what we've weighed as our pros and cons what we've come up with

04:20

of how it works with are given organization. And so these are some of the defensive recommendations we might make from

04:30

what we've worked through the rest of the module.

04:31

So everything we said around having a technical workforce

04:36

is that you know, so one new user training geared around, not clicking on attachments and how to identify social engineering.

04:44

There are some downsides in terms of training fatigue, but it looks like this may be very well matched with our organization.

04:53

Continued use of antivirus. Why not we? We already have it. It's already there, no additional resource requirements. And so there's there's no reason to stop using anti virus.

05:05

And lastly, so we've got this email detonation appliance. Maybe we try to make sure that our email is taking an unencrypted path past it so that we can make use of our existing tools.

05:18

These are example recommendations coming out of the pros and cons we've worked up through and the options we've worked through up to this point.

05:30

So now it's your turn

05:33

in the resources tab

05:35

on your exercise. For there should be a text file called making Defensive recommendations guided exercise.

05:44

Download this worksheet

05:45

and it will walk you through the same recommendation process. We've just done

05:50

with some guidance. So instead of asking you to fill in your own organization, it's going to give you some different decision points and suggests some particular places to look

06:01

rather than just having sort of full, open scope.

06:06

So you're going to be working through this process of determining priority techniques,

06:12

researching how the techniques are being used.

06:15

Research defensive options related to those techniques.

06:17

Research, organizational capabilities and constraints.

06:21

Determine what trade offs are for your notional organization on specific options

06:28

and then make recommendations based on what you've gathered in that process.

06:32

So please pause the video now, and we're just giving yourself 15 minutes for this exercise and when you come back and then pause will go over the exercise.

06:53

Okay, So as you went through this exercise,

06:57

what resources did you end up using? So we gave some particular suggestions, but were there

07:01

others that you decided to pull in other things that you found useful?

07:06

What kinds of recommendations did you end up making? Were they technical? Were they policy?

07:13

Were they risk acceptance? And did you consider doing nothing and just accepting the risk.

07:19

Were there any options that came up as you gathered options here that looked like they would be completely inappropriate for you.

07:33

So to start with, uh, step zero determined priority techniques,

07:39

we gave you a scheduled task job as the priority technique coming from the same list that we're working with from our threat reporting

07:51

Step one. How is that technique being used in the reporting we gave you?

07:58

So let's take a look at the Cobalt Kitty report.

08:01

So we're seeing it being used coming from a spearfish. Were being seeing it being used from a word macro. And so it's being run on the command line. In both cases,

08:18

how did you take a look at data sources? So take a look at some of the defensive options related to the technique or sub technique, so you should have come up with data sources, file monitoring process, command line parameters, process monitoring Windows, event logs,

08:37

I said, you take a look at detection,

08:39

so this gives you a couple different options of things you might be able to do. Taking a look at scheduled tasks being run.

08:52

We gave you some of the organizational capabilities and constraints

08:56

just so that you aren't having to take this from your own organization, give you something notional to work with. So for this exercise, we had to assume that you have a Windows event log collection going to assume, but no ability to collect. Process execution. Logging, which will narrow your ability a little bit.

09:18

So given where we had you go through and take a look.

09:22

These are some of the specific trade offs you might have come up with for your enterprise.

09:28

So monitor scheduled task creation from common utilities using command line in vacation

09:35

pros might have been would allow us to collect detailed information on how the task is added. It would give us some great visibility,

09:43

but we said the organization has no ability to collect process execution. Logging system is probably off the table.

09:50

Configure event. Logging for scheduled task creation and changes

09:54

fits well into our Windows event. Log collection will get it up to our SIM. Probably be the easiest to implement enterprise wide.

10:03

This will increase collected log volumes.

10:07

There are the tools that are suggested along the course of the way that may be able to use assist internals. Auto runs will see these scheduled tasks being used.

10:18

Uh, some of the pros. This would let us see other persistence techniques as well. So other

10:22

ways that things are being added to the system to run at boot

10:26

auto runs free.

10:28

But it frees not necessarily free. It's not currently installed. You need to be pushed out to all systems, and we need to build up the data collection in analytics around it for it to actually be useful.

10:43

Another defensive option that came up was to monitor processing command line arguments

10:48

again. This would last collect detailed information,

10:52

but we gave us a constraint that the organization has no ability to collect this information.

11:01

So we we've guided your path and your steps a little bit where we think you might have come up with a couple of different options that look like this. But you're your answers may differ depending on how you actually reading and processing the information that you're going through.

11:16

So we think you might have come up with an option of enabling Microsoft Windows Task Scheduler operational setting within the event logging service and creating analytics around event I. D. One oh six, an event I. D. 1 40.

11:33

These are things that come from the defensive options and the detection options that are within the technique and sub technique.

11:41

Another option might have come up with is to use auto runs to watch for changes that could be attempts of persistence. Maybe you decided that

11:50

the additional logging infrastructure and pulling it together would be worth it, based on the constraints that we gave.

12:01

So in this final lesson, we've examined the different types of defensive recommendations

12:07

you've looked at, how to prioritize recommendations would you might need to accept risk.

12:13

And we've given you some practice making customized defensive recommendations,

12:18

considering the elements contributing to your individual approach.

12:24

This is now the end of our attack for cyber threat Intelligence Journey

12:31

Now work through five different modules, getting into different aspects of first understanding how attack is useful for cyber threat intelligence, how to map narrative and raw data to attack, how to work with that intelligence and then how to do something with that intelligence.