Welcome to Module 3, Lesson 2: Detection and Analytics.
In this lesson, we will explore how ATT&CK and cyber threat intelligence can help us prioritize techniques and build better detection analytics.
Building from our last lesson, we can use cyber threat intelligence to prioritize which tactics and techniques are most critical for us to defend,
and in this example we will focus on Credential Access, specifically the LSASS Memory sub-technique of OS Credential Dumping.
We can use the data within ATT&CK
to begin to identify trends and, in this case, how often this sub-technique is executed with the Mimikatz tool.
Before we begin our detection engineering process, let's look back at David Bianco's Pyramid of Pain for wisdom and advice.
While we could target hash values of Mimikatz, as we recall, these values could change very often and won't inflict much pain back to the adversary.
We can continue to work our way up the Pyramid of Pain
to eventually reach the top.
We ask a tough question: what does Mimikatz actually do?
And ATT&CK can help answer that question.
The description of the sub-technique will explain
how adversaries can dump credentials from LSASS memory.
But in this case we can also use the detection section,
which highlights the potential for detecting this behavior
by capturing processes interacting with LSASS.
To highlight an example of writing a behavior-based analytic, we can use the Cyber Analytics Repository, or CAR, project from MITRE.
This analytic is available online in the URLs at the bottom.
As you can see, the description of this analytic
is focusing on the behavior specifically captured within that sub-technique.
As we identified from the detection section of the sub-technique,
we're going to want to focus on processes that access LSASS.
And in this case, you can see this analytic does exactly that.
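A behavior-based check of the kind the CAR analytic describes, written here as an added example (it is not the CAR analytic itself and not part of the lesson); it assumes Sysmon Event ID 10 ProcessAccess records already parsed into dicts, and the sample records and the allowlist are constructed:

```python
"""Toy behavior-based analytic for processes opening handles to LSASS.

Added example (not the CAR analytic and not the lesson's code). Input is
Sysmon Event ID 10 (ProcessAccess) records already parsed into dicts;
the sample records and the allowlist below are constructed.
"""
from typing import Iterable

# PROCESS_VM_READ access right from the Windows PROCESS_* constants:
# reading another process's memory requires at least this bit.
PROCESS_VM_READ = 0x0010

# Source images that legitimately touch LSASS on many hosts. Assumption:
# tune this per environment (e.g. add your own EDR or AV binaries).
ALLOWLIST = {
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
    r"c:\windows\system32\taskmgr.exe",
}

def is_lsass_read(event: dict) -> bool:
    """True when a non-allowlisted process opens lsass.exe with read rights."""
    if event.get("EventID") != 10:
        return False
    if not event.get("TargetImage", "").lower().endswith(r"\lsass.exe"):
        return False
    if event.get("SourceImage", "").lower() in ALLOWLIST:
        return False
    granted = int(event.get("GrantedAccess", "0x0"), 16)
    return bool(granted & PROCESS_VM_READ)

def find_suspicious(events: Iterable[dict]) -> list:
    """Return the events that match the LSASS-access behavior."""
    return [e for e in events if is_lsass_read(e)]

# Constructed Sysmon ProcessAccess records for the demo.
SAMPLE_EVENTS = [
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\csrss.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1FFFFF"},
    {"EventID": 10, "SourceImage": r"C:\Users\alice\Downloads\update.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1010"},
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\svchost.exe",
     "TargetImage": r"C:\Windows\System32\notepad.exe", "GrantedAccess": "0x1410"},
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe"},
]

if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_EVENTS):
        print("LSASS access:", hit["SourceImage"], hit["GrantedAccess"])
```

Only the unknown binary opening lsass.exe with a read-capable mask is flagged; the allowlisted system process and the access to a non-LSASS target are not.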
And with that, we've reached the end of this lesson and the knowledge check.
When building detection analytics, the knowledge in ATT&CK can...
Please pause the video and think of the correct response before proceeding.
In this case, the correct answer was:
When building detection analytics, the knowledge in ATT&CK can help provide defensive suggestions, highlight variances in procedures,
and explain technical details of the target behavior.
And with that, we've reached the end of Lesson 2.
Cyber threat intelligence can help us prioritize how we build detection analytics by pointing out which techniques or sub-techniques are most important to us, as well as how our adversaries are actually performing these behaviors.
Knowledge from ATT&CK can augment this process and improve output by helping us focus on adversary behaviors.