Welcome to Lesson 2.4: Raw Data to Narrative Reporting.
In this lesson, we're going to be practicing the process we went over in the last couple of lessons with an exercise mapping raw data to ATT&CK, and then we're going to be reviewing those results.
We're also going to be talking about some best practices for featuring your ATT&CK-mapped data in narrative reporting.
Exercise 2: Working with raw data.
So this exercise is broken down into two tickets from a simulated intrusion, and you can access the tickets under the resources section. For the first ticket, you're going to be looking at some content that is similar to the examples we walked through previously in the module, where we had a series of commands interactively executed via cmd.exe on an end system.
And the second ticket features some analysis of the primary remote access Trojan used during the incident.
You can record your results in whatever way works best for you.
You can edit the tickets directly or use notes, but try to identify as many behaviors as possible. And then, once you have those behaviors, work through the mapping process and map them to the relevant tactics, techniques, or sub-techniques. We recommend that you now pause for around 25 minutes to do this exercise.
So, in reviewing your experience with this exercise, did you have any specific questions that you would have gone back and asked your incident responders?
Were there places where there just wasn't enough information for you to really determine what was going on? Or were there any areas where you wanted to do some additional research or pull in more data than what was provided?
Was this exercise more challenging or simpler than the Module 1 exercise, where you were mapping from narrative reporting?
Do you encounter this type of data when you're looking at activity?
And are there other things that you think should have been in here for behaviors?
Finally, did you find any behaviors that you weren't able to map to a technique or sub-technique?
We're now going to be walking through and reviewing the exercise results, starting with ticket 473822.
So first off, ipconfig /all. As you'll recall, we used this as an example throughout the beginning of this module, and we saw that it directly mapped to System Network Configuration Discovery.
arp -a. Another one you'll find mapping to System Network Configuration Discovery,
and it's not irregular to see the same technique twice in a row.
The echo username command is showing the adversary the currently logged-in username, and this maps to System Owner/User Discovery.
tasklist /v is displaying currently running processes on Windows, and this is Process Discovery.
sc query is obtaining information on all the different services running within Windows, and this is System Service Discovery.
systeminfo is displaying detailed configuration information and patch levels of the system, and this is System Information Discovery.
net group "Domain Admins". This is showing a specific domain group and the members of it, and we map this to Permission Groups Discovery: Domain Groups.
net user /domain. We map this to Account Discovery: Domain Account.
net group "Domain Controllers". This is looking at the list of domain controllers that are within the domain where the adversaries found themselves, and this maps to Remote System Discovery.
netsh advfirewall. This is showing another System Network Configuration Discovery.
And then finally, netstat -ano is showing all the connections the system currently has, and this maps to System Network Connections Discovery.
So you might have noticed that all of these techniques feature the word discovery.
It probably won't surprise you that they all fall under the Discovery tactic.
It's not unusual for an adversary to go through and sequentially perform a number of discovery commands. And as we discussed earlier in the module, these are all also Execution, so Command and Scripting Interpreter.
And these were all run in cmd.exe, and we saw them via Sysmon.
The second ticket is a little more challenging. As I mentioned, this is text information coming out of a remote access Trojan.
It has some flows, and there are also some activities occurring behind the scenes.
So first off, we have the winspool.txt file, and that's Defense Evasion: Masquerading.
Next, we have that the C2 protocol is base64 encoded, and this is Command and Control: Data Encoding: Standard Encoding,
and then commands over HTTPS, which is Command and Control: Application Layer Protocol: Web Protocols.
We have that it's downloading files, and this maps to Command and Control: Ingress Tool Transfer.
We can see that it's able to do a shell command, and we map this to Execution: Command and Scripting Interpreter.
We also have PowerShell commands, and this is Execution: Command and Scripting Interpreter: PowerShell.
Next, we see that it can execute a PE via an API call. That's CreateProcess, and we map this to Execution: Native API.
And we see another Defense Evasion: Masquerading, as they're trying to copy something that's attempting to pretend to be a legitimate winspool.exe file.
And finally, we have the adversary adding a run key. And that's actually in the description that you'll find within Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder.
Now, if you were going through this exercise and came to any different conclusions or had different answers, this doesn't necessarily mean that you're wrong.
As Adam noted in Module 1, mapping can be subjective,
but I would encourage you to review how your mapping is different from ours and then look at the different procedure details within each of these techniques or sub-techniques. And if you're able to, collaborate with another analyst, compare your results, and identify where any potential gaps are.
So now that we've gone through the process of mapping this raw data into ATT&CK, I want to discuss some options for using that information. We've touched on enriching narrative reporting with ATT&CK and analyzing original data into ATT&CK to create these reports.
We have a couple of recommendations for enhancing those narrative reports, either by augmenting them with the ATT&CK-mapped data or by including some procedures from the original data.
So a key element is that we recommend keeping the techniques with the related procedures and the information around them, so there's enough context for people to understand the mapping.
This enables other analysts to evaluate the intelligence in the mapping, and it ensures that everyone's on the same page in terms of what behavior is mapped to which techniques or sub-techniques.
It also allows for more uncomplicated capture of these procedures, and this could be a core part of crafting those defenses against specific adversary behavior.
So, walking through a couple of examples of effective reporting formats:
In instance one, we added footnotes with the techniques to avoid disrupting the report with in-text techniques.
In instance two, the report author has included the information that actually describes the activity along with the techniques, and this is similar to the format that our team uses in the procedure examples within ATT&CK.
Instance three is an example of a format that is a little less effective.
When you include the mapping at the end of the report, you lose a lot of that context,
and this is sort of similar to having the IOCs at the end of the report, where you can have no idea what it actually means or what the recommended action associated with it is.
And so ensuring that these techniques are tied to that relevant context can be really important and will enhance the effectiveness of your reports.
In this lesson, we practiced mapping raw data to ATT&CK with two tickets and then walked through the results.
We reinforced the value of collaborating with other analysts, and we reviewed a couple of best practices for enriching narrative reporting with ATT&CK-mapped data.
In this module, we reviewed the mapping process that Adam introduced in Module 1 and applied it to raw data.
We practiced mapping that raw data to ATT&CK and went over some approaches for expressing ATT&CK-mapped data in narrative reporting.
In Module 3, my colleague Jackie will discuss this concept in depth and outline how you can store, display, and analyze your ATT&CK-mapped data in order to make it actionable.
This is the end of Module 2.