Methodology Overview


Time: 2 hours 25 minutes
Difficulty: Intermediate
CEU/CPE: 3
Video Transcription
00:00
>> Welcome to Lesson 1.5 of Threat Hunting Fundamentals. In this lesson, we'll wrap up the fundamentals module with an overview of the methodology and how it is visualized in the V diagram.

In the spirit of hypothesis-driven hunting, let's be clear about the foundational hypothesis for all hunting, which is that malicious actors will try to steal my information, deceive or extort me, and/or deny, disrupt, or degrade my mission or business through cyberspace. This is the foundational hypothesis that drives the fact that we're hunting at all, no matter which approach we're taking.

Their behaviors will be like those of other malicious campaigns. This is where the TTP level of the Pyramid of Pain pays off. These behaviors are common and constraining to actors. In a signature-based approach, the hypothesis is that the group attacking me will reuse hashes, IP addresses, domain names, and other lower-level indicators of compromise. We know that advanced groups can and do regularly alter these indicators to evade this detection. The key difference with this approach is that theory and empirical evidence show that adversaries frequently reuse known TTPs.

We've codified a systematic approach to leveraging the relative consistency of adversary TTPs to give defenders an advantage. For simplicity of teaching this approach, we visualized it in the form of a V diagram. The V shape allows us to represent two dimensions of this process. The typical sequence of steps progresses from left to right. In addition, there is a vertical component of the diagram which represents the different elements we focus on in that step.

At the top of the V is the malicious activity layer. At the start of the process on the left, we have a description of malicious TTPs. MITRE's representation of known malicious TTPs is ATT&CK, and we'll be using ATT&CK as our malicious activity model throughout this course. These are the same TTPs we'll be aiming to detect at the end of our hunt process on the far right of the V. You learned about ATT&CK as part of the MITRE ATT&CK Fundamentals course, which is the starting point for this course.

Wouldn't it be great if the very next step were to just jump to the right and simply detect those behaviors in your network? It's going to take a little bit more work than that, and those intermediate steps are the primary focus of this course. How do we apply the knowledge of adversarial behavior represented in ATT&CK to develop and effectively employ analytics that detect that behavior?

In our process, the next step is to study those malicious behaviors, to develop hypotheses about what they'll look like in our network and abstract analytics that could detect them. These hypotheses and abstract analytics will then be implemented, tested, and improved on at the far right side of the V to enable our hunt to detect those malicious TTPs.

Once we know how we plan to detect the malicious TTPs, we'll be prepared to identify the data we'll need to collect to feed those analytics. Developing data collection requirements primes us to effectively assess our current data collection, identify gaps, and address them. Each layer of this V is derived from the layers above on the left side, and it supports the layers above on the right.

In addition to having the vertical layers for malicious activity, analytics, and data, the V has two sides. The downstroke of the V is about discovering, characterizing, researching, and planning; it is more abstract and generic. These steps are being done by cybersecurity researchers already, and you can contribute to that community and leverage their work for these steps.

Then we can pivot from characterization to execution on the upstroke on the right of the V. In these steps, we move in reverse order, back up the layers, to implement the ideas and plans developed in the downstroke on the left. These steps will be much more tailored to your environment as you implement the analytic concepts as concrete analytics in a particular platform's syntax and tune them based on the background activity present in your environment. Analytics that have good precision in one environment might generate too many false positives in another, and these steps on the right are all about customizing and tuning for your situation.

We will teach the components of this process in a sequence that roughly corresponds to the order in which you'll execute the steps. In practice, you're very likely to implement these steps in iterative loops of different sizes as you refine your work and update things based on what you find. Often, in the course of collecting data and tuning analytics, you gain additional insights into both the malicious behavior and similar benign behavior, which leads to a more refined hypothesis and a better analytic. Don't feel obligated to always strictly follow these steps in the order shown in this V.

In summary, this is a six-step process with three layers: malicious activity, sought and detected; analytics, designed and tuned; and data collection requirements, defined and implemented. The left side of the V is more theoretical, and you can leverage a lot of community work to help with these steps. The right side is focused on implementation and customization to your environment. It looks like a very sequential process in this diagram to keep things simple, but in practice, they will often loop back to previous steps to incrementally improve.

This concludes the first module of the MITRE ATT&CK Defender threat hunting course. We've provided an overview of the methodology we're going to teach. We've reviewed some foundational concepts about hunting, and now you're ready to earn your first threat hunting badge at the MITRE Skills Hub and begin Module 2 to learn about crafting good hypotheses to start your analytic development.