Mapping to a Narrative Report

Time: 2 hours 24 minutes
Difficulty: Intermediate
CEU/CPE: 3
Video Transcription
>> This is Module 1, Lesson 5, Mapping to a Narrative Report. Our objectives for this lesson are to give you some practice identifying tactics, techniques, and sub-techniques in a narrative report; if you're working with somebody else, to be able to compare your results to another analyst's outcomes; and to review the exercise results.

This is Exercise 1. We're going to have you actually take a narrative report and map it to ATT&CK tactics and techniques. I'm going to have you analyze a portion of a threat report, going through the process that we've been covering in the rest of this module. We've highlighted 21 techniques and sub-techniques in a threat report called Cobalt Kitty by Cybereason. You're going to review the report. It should be under the Resources tab in the system. There will be two versions of the report, one called Cobalt Kitty Highlights Only and one called Cobalt Kitty Tactic Hints. You can use either. The tactic hints tell you what we would suggest the tactic is, whereas the highlights-only version is the harder one, where you're going to have to come up with both.

It's a PDF. If you're using the right reader, you should be able to actually fill in the fields in the PDF itself, or use a separate piece of paper to keep track of your results. Write down the ATT&CK tactic and technique or sub-technique you think applies to each highlighted behavior. Remember, use the tricks and tips that we've given you throughout the rest of this module: use the search bar and keyword searches on the ATT&CK website. You don't have to be perfect, and there isn't necessarily a right answer. You may actually come up with different things than we do. You may feel that some of the behaviors we've highlighted aren't really covered by any technique. This also can be an opportunity to dive into ATT&CK and take a look at some of the actual content in there.

Please pause the video now. We recommend giving yourself up to 30 minutes to do this exercise.
Done with that part of the exercise? We've got one more step for you if you're doing this training working with others. We said it was going to be something that went up to step 5. The step we didn't cover yet in the training is to compare your results with other analysts. Collaboration helps hedge against analysts' biases. Everyone has different types of biases. We'll cover some of those in the next lesson. But comparing with others can help us come up with better answers.

If you do have somebody to work with, compare what you had for each technique answer. Discuss: if there are differences, why? How did you each arrive at your conclusions? It is okay if you walk away disagreeing. This is analysis at the end of the day. If you do have somebody to work with, please pause. I suggest giving yourself 10 minutes for this part of the exercise. If you don't have any other analysts to discuss your answers with, you can go on to the next portion.

As we start to get into what you came up with for answers on the exercise, some things to think through. What were the easiest and hardest techniques or sub-techniques to identify? Why were those easier or harder for you? Which tricks did you use to identify each technique or sub-technique? What challenges did you have? Was there anything you couldn't find? How did you address them? Which steps did you go through in trying to figure it out?

I'm going to go through what our answers were for the highlighted portions of the threat report.
"Two types of payloads were found in the spear-phishing emails." It said it was a link, so that's Initial Access: Phishing: Spearphishing Link. Right next to that we also had spearphishing emails with Word documents. That's Initial Access: Phishing: Spearphishing Attachment. Both of those are pretty straightforward.

"Two types of payloads were found in the spearphishing emails, Word documents with malicious macros." That takes a little bit more understanding of macros and the languages behind them. But if you dig into the details, you'll probably find Defense Evasion/Execution: Command and Scripting Interpreter: Visual Basic, which is the language behind Word macros.

Finally, maybe a little bit less obvious, "two types of payloads were found in the spearphishing emails." The report goes on to describe these as successful attacks, implying that the user clicked on the email. Something we might add as we do our own report mappings is User Execution: Malicious Link.

We highlighted cmd.exe being the parent process here, which is the Windows command shell. This is Execution: Command and Scripting Interpreter: Windows Command Shell.

This talks about scheduled tasks being created on Windows, and that's Execution and Persistence: Scheduled Task/Job: Scheduled Task, which is the Windows-specific version of scheduled task.

Right in this command here we actually have the mshta directory. We've got Execution/Defense Evasion: Signed Binary Proxy Execution: Mshta, right in the name of the technique.

"Downloads and executes an additional payload from the same server." Downloading tools maps straight to Ingress Tool Transfer.

Very similar to the cmd.exe one, we had a parent process of PowerShell. This is Command and Scripting Interpreter: PowerShell.

"Obfuscated and XOR'ed PowerShell." The words line up right with the technique name, Obfuscated Files or Information, right in Defense Evasion.

"Registry autoruns." This is an example we actually gave in the introduction: Registry Run Keys / Startup Folder, which is a sub-technique of Boot or Logon Autostart Execution in the Persistence tactic.

"NTFS Alternate Data Stream" is directly in the NTFS File Attributes technique, which comes under Defense Evasion.

"Attackers created and/or modified Windows services." Created and modified are both in there, so Create or Modify System Process: Windows Service. We also had actually running the service itself, so System Services: Service Execution, both under Persistence.

"Used a malicious Outlook backdoor macro, edited a specific registry value." That's a pretty specific technique that's under Office Application Startup within Persistence. Then the registry modification we have under Defense Evasion.

"Communicated with command and control servers," so a strong hint here that we're in Command and Control, from "command and control servers." Then we have that it's HTTP, so Application Layer Protocol: Web Protocols.

"The attackers downloaded COM scriptlets using regsvr32." We have again Ingress Tool Transfer for the downloading of the tools. Then with the regsvr32, that's Signed Binary Proxy Execution: Regsvr32.

"Masquerading" is a specific technique. The technique is Masquerading. If you look more carefully at what they're doing, they're making it look like a legitimate Windows update. That's Match Legitimate Name or Location.

"Network scanning, looking for open ports," that's Network Service Scanning under Discovery.
How did you do? If you feel like you would like some more practice, or even if you just have a little bit of extra time, we've actually provided a second report that we've highlighted in a very similar fashion. We don't give tactic hints in this version. We do have our answers in there as well, in a separate PDF. This will show up in the Resources section as the FireEye APT39 report. I'm not going to go over the answers to that in this lesson.

Hopefully in this lesson you've gotten some practice identifying tactics, techniques, and sub-techniques in a narrative report, talked a little bit about the importance of comparing your results to another analyst's outcomes, and gone through and evaluated the exercise results.