Raw Data to Narrative Reporting
Video Activity

Time
2 hours 24 minutes
Difficulty
Intermediate
CEU/CPE
3
Video Transcription
>> Welcome to Lesson 2.4, Raw Data to Narrative Reporting. In this lesson, we're going to be practicing the process we went over in the last couple of lessons with an exercise mapping raw data to ATT&CK, and then we're going to be reviewing those results. We're also going to be talking about some best practices for featuring your ATT&CK-mapped data in narrative reporting.

Exercise 2, working with raw data. This exercise is broken down into two tickets from a simulated intrusion, and you can access the tickets under the Resources section. For the first ticket, you're going to be looking at some content that is similar to the examples we walked through previously in the module, where we had a series of commands interactively executed via cmd.exe on an end system. The second ticket features some analysis of the primary remote access Trojan used during the incident. You can record your results in whatever way works best for you. You can edit the tickets directly or use notes, but try to identify as many behaviors as possible. Then, once you have those behaviors, work through the mapping process and map them to the relevant tactics, techniques, or sub-techniques. We recommend that you now pause for around 25 minutes to do this exercise.

Welcome back. When reviewing your experience with this exercise, did you have any specific questions that you would have gone back and asked your incident responders? Were there places where there just wasn't enough information for you to really determine what was going on? Or were there any areas where you wanted to do some additional research or pull in more data than what was provided? Was this exercise more challenging or simpler than the Module 1 exercise, where you were mapping to narrative reporting? Do you encounter this type of data when you're looking at activity? Are there other things that you think should have been in here for behaviors? Finally, did you find any behaviors that you weren't able to map to a technique or sub-technique?

We're now going to be walking through and reviewing the exercise results, starting with Ticket 473822. First off, ipconfig /all. As you'll recall, we used this as an example throughout the beginning of this module, and we saw that it directly mapped to System Network Configuration Discovery. arp -a: another one you'll find mapping to System Network Configuration Discovery. It's not irregular to see the same technique twice in a row. The echoed username is showing the adversary the currently logged-in username, and this maps to System Owner/User Discovery. tasklist /v is displaying currently running processes on Windows, and this is Process Discovery. sc query is obtaining information on all the different services running within Windows, and this is System Service Discovery. systeminfo is displaying detailed configuration information and patch levels of the system, and this is System Information Discovery. net group domain admins: this is showing a specific domain group and the members of it, and we map this to Permission Groups Discovery: Domain Groups. net user /domain: we map this to Account Discovery: Domain Account. net group domain controllers: this is looking at the list of domain controllers that are within the domain where the adversaries found themselves, and this maps to Remote System Discovery. netsh advfirewall: this is showing another System Network Configuration Discovery. Then finally, netstat -ano is showing all the connections that the system currently has, and this maps to System Network Connections Discovery.

You might've noticed that all of these techniques feature the word "discovery." It probably won't surprise you that they all fall under the Discovery tactic. It's not unusual for an adversary to go through and sequentially perform a number of discovery commands. As we discussed earlier in the module, these are all also Execution, so Command and Scripting Interpreter. These were all run in cmd.exe, and we saw them via Sysmon.

The second ticket is a little more challenging. As I mentioned, this is text information coming out of the remote access Trojan analysis; it has some flaws, and there are also some activities occurring behind the scenes. First off, we have the winspool.exe file, and that's Defense Evasion: Masquerading. Next we have the C2 protocol's Base64 encoding. This is Command and Control: Data Encoding: Standard Encoding. Then commands over HTTPS, which is Command and Control: Application Layer Protocol: Web Protocols. We have that it's downloading files, and this maps to Command and Control: Ingress Tool Transfer. We can see that it's able to do a shell command, and we map this to Execution: Command and Scripting Interpreter. We also have PowerShell commands, and this is Execution: Command and Scripting Interpreter: PowerShell. Next we see that it can execute a PE via an API call. That's CreateProcess, and we map this to Execution: Native API. We see another Defense Evasion: Masquerading, as they're trying to copy something that's attempting to pretend to be a legitimate winspool.exe file. Finally, we have the adversary adding a Run key. That's actually in the description that you'll find within Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder.

Now, if you went through this exercise and came to any different conclusions or had different answers, this doesn't necessarily mean that you're wrong. As Adam noted in Module 1, mapping can be subjective, but I would encourage you to review how your mapping is different from ours, and then look at the different procedure details within each of these techniques or sub-techniques, and, if you're able to, collaborate with another analyst, compare your results, and identify where any potential gaps are.

Now that we've gone through the process of mapping this raw data into ATT&CK, I want to discuss some options for using that information. We've touched on enriching narrative reporting with ATT&CK and analyzing original data into ATT&CK to create these reports, and we have a couple of recommendations for enhancing those narrative reports, either by augmenting them with the ATT&CK-mapped data or by including some procedures from the original data. A key element is that we recommend keeping the techniques with the related procedures and the information around them, so there's enough context for people to understand the mapping. This enables other analysts to evaluate the intelligence in the mapping, and it ensures that everyone's on the same page in terms of what behavior is mapped to which techniques or sub-techniques. It also allows for more uncomplicated capture of these procedures, and this can be a core part of crafting those defenses against specific adversary behavior.

Walking through a couple of examples of effective reporting formats: in instance 1, we added footnotes with the techniques to avoid disrupting the report with in-text techniques. In instance 2, the report author has included the information that actually describes the activity along with the techniques. This is similar to the format that our team uses in the procedure examples within ATT&CK. Instance 3 is an example of a format that is a little less effective. When you include mappings at the end of the report, you lose a lot of that context. This is similar to having the IOCs at the end of the report, where you can have no idea what it actually means or what the recommended action associated with it is. Ensuring that these techniques are tied to that relevant context can be really important and will enhance the effectiveness of your reports.

In this lesson, we practiced mapping raw data to ATT&CK with two tickets and then walked through the results. We reinforced the value of collaborating with other analysts, and we reviewed a couple of best practices for enriching narrative reporting with ATT&CK-mapped data. In this module, we reviewed the mapping process that Adam introduced in Module 1 and applied it to raw data. We practiced mapping that raw data to ATT&CK and looked at some approaches for expressing ATT&CK-mapped data in narrative reporting. In Module 3, my colleague Jackie will discuss this concept in depth and outline how you can store, display, and analyze your ATT&CK-mapped data in order to make it actionable. This is the end of Module 2.
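The following is an added worked example, not code from the course or from MITRE, illustrating both the Ticket 1 command-to-technique mapping and the "keep the technique next to its procedure" reporting advice from the lesson. It assumes a simplified key=value rendering of Sysmon Event ID 1 (process creation) records; the log lines are constructed for this example and are not the ticket data. The rule table encodes the mappings the lesson walks through; the technique IDs (T1016, T1033, T1057, T1007, T1082, T1069.002, T1087.002, T1018, T1049, T1059.003) come from the public ATT&CK matrix and are not stated on the page. Any command the rules cannot place is flagged as a review item rather than silently dropped, which is the "behaviors you weren't able to map" question from the lesson made concrete.

```python
"""Map command-line telemetry to ATT&CK and keep each technique beside its procedure.

Added example (not course material). Log format, rule table and sample
events are assumptions made for this illustration.
"""
import re

# Constructed sample telemetry in a simplified Sysmon-like key=value form.
# The EventID=3 line (network connection) is there to show the filter.
SAMPLE_LOG = """\
2024-03-12T14:02:11Z EventID=1 ParentImage=C:\\Windows\\System32\\cmd.exe CommandLine="ipconfig /all"
2024-03-12T14:02:15Z EventID=1 ParentImage=C:\\Windows\\System32\\cmd.exe CommandLine="arp -a"
2024-03-12T14:02:19Z EventID=1 ParentImage=C:\\Windows\\System32\\cmd.exe CommandLine="echo %username%"
2024-03-12T14:02:24Z EventID=1 ParentImage=C:\\Windows\\System32\\cmd.exe CommandLine="tasklist /v"
2024-03-12T14:02:31Z EventID=1 ParentImage=C:\\Windows\\System32\\cmd.exe CommandLine="sc query"
2024-03-12T14:02:40Z EventID=1 ParentImage=C:\\Windows\\System32\\cmd.exe CommandLine="systeminfo"
2024-03-12T14:02:52Z EventID=1 ParentImage=C:\\Windows\\System32\\cmd.exe CommandLine="net group "domain admins" /domain"
2024-03-12T14:03:05Z EventID=1 ParentImage=C:\\Windows\\System32\\cmd.exe CommandLine="net user /domain"
2024-03-12T14:03:18Z EventID=1 ParentImage=C:\\Windows\\System32\\cmd.exe CommandLine="net group "domain controllers" /domain"
2024-03-12T14:03:30Z EventID=1 ParentImage=C:\\Windows\\System32\\cmd.exe CommandLine="netsh advfirewall show allprofiles"
2024-03-12T14:03:44Z EventID=1 ParentImage=C:\\Windows\\System32\\cmd.exe CommandLine="netstat -ano"
2024-03-12T14:03:50Z EventID=3 Image=C:\\Windows\\System32\\svchost.exe DestinationPort=443
2024-03-12T14:04:02Z EventID=1 ParentImage=C:\\Windows\\System32\\cmd.exe CommandLine="type C:\\Users\\Public\\notes.txt"
"""

# Ordered most-specific first; the first matching rule wins for the command itself.
# Tuple: (regex over the command line, tactic, technique ID, technique name).
RULES = [
    (r"^ipconfig\b",                            "Discovery", "T1016",     "System Network Configuration Discovery"),
    (r"^arp\s+-a\b",                            "Discovery", "T1016",     "System Network Configuration Discovery"),
    (r"^netsh\s+advfirewall\b",                 "Discovery", "T1016",     "System Network Configuration Discovery"),
    (r"^echo\s+%username%",                     "Discovery", "T1033",     "System Owner/User Discovery"),
    (r"^tasklist\b",                            "Discovery", "T1057",     "Process Discovery"),
    (r"^sc\s+query\b",                          "Discovery", "T1007",     "System Service Discovery"),
    (r"^systeminfo\b",                          "Discovery", "T1082",     "System Information Discovery"),
    (r'^net\s+group\s+"?domain controllers"?',  "Discovery", "T1018",     "Remote System Discovery"),
    (r"^net\s+group\b",                         "Discovery", "T1069.002", "Permission Groups Discovery: Domain Groups"),
    (r"^net\s+user\b.*\s/domain\b",             "Discovery", "T1087.002", "Account Discovery: Domain Account"),
    (r"^netstat\b",                             "Discovery", "T1049",     "System Network Connections Discovery"),
]
CMD_SHELL = ("Execution", "T1059.003", "Command and Scripting Interpreter: Windows Command Shell")

# Assumed log shape: ParentImage paths contain no spaces; CommandLine is the last field,
# so the greedy .* safely swallows embedded quotes.
LINE_RE = re.compile(
    r'^(?P<ts>\S+)\s+EventID=(?P<eid>\d+)\s+ParentImage=(?P<parent>\S+)\s+CommandLine="(?P<cmd>.*)"$'
)


def parse_events(log_text):
    """Keep only process-creation (EventID=1) records that fit the assumed shape."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m and m.group("eid") == "1":
            events.append(m.groupdict())
    return events


def map_event(event):
    """Return [(tactic, technique_id, technique_name), ...] for one process-creation event."""
    hits = []
    cmd = event["cmd"].strip()
    for pattern, tactic, tid, name in RULES:
        if re.search(pattern, cmd, re.IGNORECASE):
            hits.append((tactic, tid, name))
            break
    # Anything spawned by cmd.exe is also Execution via the Windows command shell,
    # which is the "these are all also execution" point from the lesson.
    if event["parent"].lower().endswith("\\cmd.exe"):
        hits.append(CMD_SHELL)
    return hits


def map_log(log_text):
    return [(e, map_event(e)) for e in parse_events(log_text)]


def unmapped(mapped):
    """Commands only the parent-shell rule placed: the analyst's review queue, not discarded."""
    return [e["cmd"] for e, hits in mapped if not any(tid != CMD_SHELL[1] for _, tid, _ in hits)]


def tactic_summary(mapped):
    counts = {}
    for _, hits in mapped:
        for tactic, _, _ in hits:
            counts[tactic] = counts.get(tactic, 0) + 1
    return counts


def render_report(mapped):
    """Instance-2 style: each procedure carries its technique(s) inline, never a detached list."""
    lines = []
    for e, hits in mapped:
        techs = "; ".join(f"{name} ({tid})" for _, tid, name in hits)
        flag = "" if unmapped([(e, hits)]) == [] else "  <-- command itself unmapped, review"
        lines.append(f"{e['ts']}: actor ran `{e['cmd']}` from {e['parent']} [{techs}]{flag}")
    return "\n".join(lines)


if __name__ == "__main__":
    result = map_log(SAMPLE_LOG)
    print(render_report(result))
    print("tactic counts:", tactic_summary(result))
    print("needs review:", unmapped(result))
```

Running it prints one report line per command with its technique name and ID attached, a per-tactic count, and the one command the rules did not cover. The rule order matters: the `domain controllers` pattern must precede the generic `net group` rule or the Remote System Discovery mapping is lost, which is exactly the kind of subtlety the lesson suggests comparing with another analyst.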