welcome to less than five module three within the Attack based Stock Assessments training course.
In this lesson, we're going to talk about how you can propose recommendations after running through an attack based stock assessment.
This lesson fits in as the last stage within our generic attack based stock assessment methodology.
So far, you've framed the assessment. You set a rubric. You did the technical analysis. You interviewed staff and you compiled results into a final heat map.
Now, by proposing changes for the sock to enact,
you can help position them, or rather help them orient themselves
towards a more threatened form defense.
This lesson has two primary learning objectives.
After the lesson, you should number one understand the basic types of recommendations and the importance of them
and number to be able to deliver a set of prioritized techniques for the sock to focus on.
So one of the ways we like to contextualized recommendations is that when running an assessment,
you should never attack and run,
you know, for some socks may be delivering a heat map is enough for them. But for many, when you deliver that heat map, your
well to help them understand how they can improve and increase their coverage and just generally orient themselves towards a more threatened form defense.
We like to say that you should always try to give recommendations immediately after an assessment
for basically two reasons. Number one. The socks details are fresh in your mind, so your recommendations are going to be most accurate right after the assessment and number two for the sock receiving the recommendations.
The assessment is going to be fresh in their mind, so they're going to be most receptive to what you might be proposing
towards that we have four primary recommendation categories.
Number one is technique prioritization. This is the focus of this lesson where we talk about how you can create a
kind of small set of techniques for the sock to focus on for them to really kind of amp up their adoption of the attack framework.
The second is process refinement.
These are things that aren't as attack focus. Just general security operations
might not throw, you know, tie into the attack framework directly, but will help the sock and prove what you're doing.
The third is coverage improvement.
This is of key importance. It's not enough to just say, Well, I have where my gaps are. I'm gonna walk away. You always want to have a strategy for how you're going to remediate those gaps and improve your coverage,
and last is follow up engagements. These are things like additional assessments or other kinds of interactions and engagements. The sock can pursue
diving into technique prioritization. Here's an example chart that you might deliver as part of an attack based stock assessment
for many socks. They might look at this and say, Oh, this is super helpful, but,
well, what do I do with this? Where do I even start? You can look at this. You can say, Oh, I have all these gaps, all these low confidence of detection what's important for me to do right now?
And this is where technique prioritization comes in. In addition to the heat map, always try to provide a small set of techniques for the sock to focus on
this number one makes interpreting the heat map more tractable to them because you're really focusing their efforts in their eyes on the things that are the biggest concerns in the short term.
Number two IT grounds the results in something clear and tangible. It's not just here's a sea of gaps in your coverage, but rather here. Here are these gaps and then here are the ones you should really care about right now
and then. Lastly, it provides a really effective starting spot for other recommendations, such as adding in new analytics or conducting atomic tests or purple teammates.
When I walk through a couple of examples of what this looks like
this again is a notional chart of coverage, and we're going to highlight an orange,
a set of techniques that we've identified that might be
specifically high priority for the sake we're working with.
In this case, we followed a few metrics for determining which ones are high priority.
These three command and scripting interpreter brute force and application layer protocol are selected because they're popular and they can give the biggest return on investment when it comes to kind of, you know, increasing coverage.
These four boot or log on initialization scripts, bits, jobs, execution guardrails and system time discovery
were selected because we decided that they were used by relevant threat actors that might be likely to target your network.
These two were highlighted because they
are potentially, they're more public facing, and they could have a significant impact to operations for the organization we're working with.
And lastly, these three were selected because the sock we're working with has the existing logs in place where they can start quickly. Writing analytics to detect these techniques.
A couple of tips for technique prioritization
Small list of techniques are great for short term winds. It's easy to want to recommend the stock do everything, but by providing a small focus list of, say, 5 to 10 techniques, you can really help the sock. Both improve, but also measure their improvement
when recommending techniques. Always pick a strategy for how you want to recommend them based on coverage
for a sock that hasn't yet integrated attack. Focus on recommending techniques that specifically have low coverage
for socks that have already integrated Attack in some way. Recommend techniques that have low or some coverage depending on the specific way you're recommending them
and then always focus on techniques that are immediately relevant.
Number one are they used by relevant threat actors. These techniques are the ones that the sock might be most likely to see occurring on their network.
Are they popular or frequently occurring?
This is a great way to look at the previous kind of cut off in a way that's not as a focus on the threat actors but more generic.
By focusing on the popular techniques, you might be more likely to get a bigger R o I.
Are they easy to execute and do they enable more techniques?
This was a little bit harder to gauge, but for the sake, depending on the sock you're working with, they might be able to identify the techniques that are used to say
most commonly during the red team engagements. And the red team might identify techniques that they think are the key stepping stones were an adversary to target their network
and then, lastly, are the necessary logs readily accessible? This is really important for technique prioritization, particularly for the short term.
By focusing on techniques where you have the necessary logs, you can quickly start rolling out analytics to get those short term winds
and then lastly, try to provide the sock with with your methodology as well as pointers so that they can build their own lists kind of when you're done running the attack based stock assessment.
Well, now close out this lesson with an exercise
here. We're taking a heat map. You know, it's it's again. It's a subset of the full attack matrix. But we have this heat map that we're delivering as part of an attack based stock assessment, and we're trying to figure out which techniques should we tell the socks to focus on
during this assessment. We've identified that the socks specifically cares about a PT 32
oil rig, Sturla, and a P T. 28
and they want to focus on techniques where they have low coverage.
We also know that this sock has a SIM platform that ingests API monitoring authentication logs, antivirus,
ssl slash TLS inspection and Windows error reporting.
Given those pieces of information, our task is to highlight the five or six techniques that we think are of immediate concern for the sock to work work on remediating.
So we're gonna walk through a solution. But if you want to try it on your own, feel free to pause the video, and then when we come back, we'll kind of go through how we look at this problem and how we think a solution or how we think a good solution might look.
All right. Welcome back. We're not going to walk through how How we're going to approach this problem. And really, we're gonna have a three pronged approach.
We're gonna first overlay the threat actor techniques we're going to look at which of those threat actor techniques are indeed detectable. Given the data sources, the sock is ingesting.
And they were going to select the techniques with low confidence.
We're not necessarily going to go strictly in that order, but these are the three main points we're going to follow.
And I kicked that off. We're going to start with overlaying threat actor techniques
here we've come up with with a heat map again, it's that smaller focused heat map
we're gonna put in various colors orange, pink, red and dark red.
How many groups use the techniques? And here we've put a PT 32 on there. You can see we've got a variety of techniques highlighted in orange.
We're then gonna add an oil rig, a couple of techniques upgrade to pink, showing that they're in use by both a PT 32 an oil rig and then a lot more colored in orange.
We're adding interlock again. A couple more pink, a couple more orange, and then we add in a P. T 28.
And interestingly, here you can see we've really only got pink and orange. Which means we've only got, you know, so a decent number of techniques that are used by either one or two of the threat actor groups we specifically care about.
And so, using this heat map, what we're going to do is overlay on top
of the coverage heatmap we produced as part of the assessment.
The idea is for all the techniques that are currently low confidence of detection. We're going to put in whether one group or two groups use that technique,
and when you go through it, you end up with this chart.
Here you get a nice overlay showing you the techniques that have low confidence of detection
that are used by either one or two threat actor groups
that the socks specifically cares about,
and from here you could technically deliver this kind of meeting a bit of the mail
on what the sock is looking for for prioritization list.
However you haven't got. We haven't gotten into the data sources question yet.
And to show what that looks like, we're going to focus on these two techniques on the left command and scripting, interpreter and exploitation for client execution.
When you look at the attack website, you can dive into these in a little more detail and see that
we have a variety of data sources for commanding, scripting, interpreter power shell logs, process, command line parameters, process monitoring and Windows event logs.
Then, for the exploitation technique, we have antivirus process monitoring and system calls.
When you overlay that on the bottom against the data sources, the sock is already ingesting. You can see one stick out anti virus, which can potentially detect or can be used to detect exploitation for client execution,
command and scripting. Interpreter, by contrast, doesn't have any relevant data sources.
So with that in mind, we we bucket now exploitation for client execution into the prayer. It ties technique, technique for focus category, highlighting it in purple. And then we go back to low confidence for command and scripting interpreter,
and then we can walk through the rest of these techniques going with exploitation for privilege escalation
exploitation of remote services. All three of these having data sources that are currently being adjusted
skipping archive, collected data because it doesn't match the data for strategy.
Putting in screen capture, putting in proxy
and then ignoring exfiltration oversee to control.
When we walk through this process, we now have this focus set of six techniques that are used by relevant threat actors
currently low confidence of detection.
And they have data sources currently being ingested by the sock.
So a few summary notes and takeaways to close out the lesson
number one always make sure to follow up an assessment with recommendations. This is critical to running a successful attack based stock assessment, and you really get the biggest return on investment. When you do so,
prioritization plans make daunting coverage charts easier to digest.
This is also super helpful. A coverage chart by itself. It can be a bit overwhelming sometimes, but putting a prioritization plan with the coverage chart
could really make it easier for the stock to internalize
when crafting a prioritization plan should focus on techniques that meet at least one of the three following categories. Number one relevant based on a measure of cyber threat. Intelligence.
Two. Defensible, based on your understanding of the current defenses, the sock has and three gaps based on your assessment and kind of how you want to structure the recommendations.