Detection and Analysis


Time: 1 hour
Difficulty: Beginner
CEU/CPE: 2
Video Transcription
00:00
>> Welcome to Module 3, Lesson 2, Detection and Analytics. In this lesson, we will explore how ATT&CK and cyber threat intelligence can help us prioritize techniques and build better detection analytics.

Building from our last lesson, we can use cyber threat intelligence to prioritize which tactics and techniques are most critical for us to defend. In this example, we'll focus on credential access, specifically the LSASS Memory sub-technique of OS Credential Dumping. We can use the data within ATT&CK to begin to identify the trends, and in this case, how often this sub-technique is executed with the Mimikatz tool.

Before we begin our detection engineering process, let's look back at David Bianco's Pyramid of Pain for wisdom and advice. While we could target hash values of Mimikatz, as we recall, these values could change very often and won't inflict much pain back on the adversary. We can continue to work our way up the Pyramid of Pain until eventually we reach the top, where we ask the tough question: what does Mimikatz actually do?

ATT&CK can help answer that question. The description of this sub-technique will explain how adversaries can dump credentials from LSASS memory. But in this case, we can also use the detection section, which highlights the potential for detecting this behavior by capturing processes interacting with LSASS.

A highlighted example of writing a behavior-based analytic is to use the Cyber Analytics Repository, or CAR project, from MITRE. Its analytics are available online, and the URL is at the bottom. As you can see, the description of this analytic is focusing on the behavior specifically captured within that sub-technique. As we identified from the detection section of the sub-technique, we're going to want to focus on processes that access LSASS. In this case, you can see this analytic does exactly that.

With that, we've reached the end of this lesson and the knowledge check. When building detection analytics, the knowledge in ATT&CK can? Please pause the video and think of the correct response before proceeding.

In this case, the correct answer was d. When building detection analytics, the knowledge in ATT&CK can help provide defensive suggestions, highlight variances and procedures, and explain technical details of the target behavior.

With that, we've reached the end of Lesson 2. In summary, cyber threat intelligence can help us prioritize how we build detection analytics, by pointing out which techniques or sub-techniques are most important to us, as well as how adversaries actually perform these behaviors. Finally, knowledge from ATT&CK can augment this process and improve output by helping us focus on adversary behaviors.
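The lesson points at a behavior-based analytic that flags processes accessing LSASS rather than Mimikatz file hashes. The script below is an added example written for this page; it is not the lesson's material and not MITRE CAR's own analytic. It runs the same idea over constructed Sysmon Event ID 10 (ProcessAccess) style records: any source process outside an assumed allowlist that opens LSASS with the PROCESS_VM_READ right is reported. The log format, the sample lines and the allowlist are all assumptions made for the example.

```python
"""Behavior-based analytic: flag processes that open LSASS memory.

Added example for this page, not code from the lesson or from MITRE CAR.
Field names (SourceImage, TargetImage, GrantedAccess) follow Sysmon's
ProcessAccess event; the log line format and sample data are constructed.
"""
from dataclasses import dataclass

# Windows access right required to read another process's memory.
PROCESS_VM_READ = 0x0010

# Assumed allowlist of processes expected to touch LSASS on this host.
# A real deployment tunes this per environment (EDR agents, AV, etc.).
ALLOWED_SOURCE_IMAGES = {
    r"c:\windows\system32\svchost.exe",
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
}

# Constructed sample events in a simple "key=value|key=value" line format.
SAMPLE_LOG = """\
EventID=10|SourceImage=C:\\Windows\\System32\\svchost.exe|TargetImage=C:\\Windows\\System32\\lsass.exe|GrantedAccess=0x1000
EventID=10|SourceImage=C:\\Users\\alice\\Downloads\\mk.exe|TargetImage=C:\\Windows\\System32\\lsass.exe|GrantedAccess=0x1010
EventID=10|SourceImage=C:\\Windows\\System32\\csrss.exe|TargetImage=C:\\Windows\\System32\\lsass.exe|GrantedAccess=0x1fffff
EventID=10|SourceImage=C:\\Windows\\System32\\notepad.exe|TargetImage=C:\\Windows\\System32\\notepad.exe|GrantedAccess=0x1010
EventID=1|Image=C:\\Windows\\System32\\cmd.exe
EventID=10|SourceImage=C:\\Temp\\procdump.exe|TargetImage=C:\\Windows\\System32\\lsass.exe|GrantedAccess=0x1fffff
"""


@dataclass(frozen=True)
class Alert:
    """One flagged LSASS access: the source image and the access mask it got."""
    source_image: str
    granted_access: int


def parse_event(line: str) -> dict:
    """Split one 'k=v|k=v' line into a dict; malformed parts are ignored."""
    fields = {}
    for part in line.strip().split("|"):
        if "=" in part:
            key, value = part.split("=", 1)
            fields[key] = value
    return fields


def is_lsass_access(event: dict) -> bool:
    """True for a ProcessAccess event whose target is lsass.exe (any path/case)."""
    return (
        event.get("EventID") == "10"
        and event.get("TargetImage", "").lower().endswith("\\lsass.exe")
    )


def analyze(log_text: str) -> list:
    """Return alerts for non-allowlisted processes reading LSASS memory.

    The access-mask check keeps the analytic focused on the behavior that
    matters (reading LSASS memory) instead of every handle open on LSASS.
    """
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = parse_event(line)
        if not is_lsass_access(event):
            continue
        source = event.get("SourceImage", "").lower()
        try:
            access = int(event.get("GrantedAccess", "0"), 16)
        except ValueError:
            access = 0  # unparseable mask: treat as no rights, do not crash
        if source in ALLOWED_SOURCE_IMAGES:
            continue
        if access & PROCESS_VM_READ == 0:
            continue
        alerts.append(Alert(source, access))
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print(f"LSASS memory read by {alert.source_image} "
              f"(GrantedAccess=0x{alert.granted_access:x})")
```

Two of the six constructed lines trip the analytic: the download-directory binary and the ProcDump copy. The allowlisted csrss.exe line and the svchost.exe line (no PROCESS_VM_READ bit) are suppressed, which is the tuning work the pyramid-of-pain argument implies: the detection keys on what the tool does, so renaming or recompiling Mimikatz does not change the outcome, while an allowlist keeps legitimate LSASS interaction from drowning the signal.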