Researching Adversary TTPs
Video Activity
Time
8 hours 5 minutes
Difficulty
Intermediate
CEU/CPE
9
Video Transcription
00:00
>> Welcome to Lesson 2.2, Researching Cyber Threats. At this point in the course, we're going to talk about researching cyber threats. We'll first talk about why this matters. We'll then discuss approaches for obtaining relevant threat information and data. In that way, you'll have sufficient information to select an emulated adversary.

Now we've established that this lesson is about researching cyber threats. The question is, why? Why do we perform this research? Why does it matter exactly? Essentially, we are working towards selecting an adversary and TTPs that we will emulate. This is a decision that should be purposeful and aligned with the organization's goals. Now the reason I say that is that sometimes people in this profession select adversaries arbitrarily. For example, they might say, "Well, we'll emulate APT29, because we need to start somewhere and that seems cool." Now it's possible that that approach can work for your project. But the reality is that most network owners will want to know: why did you select a particular adversary for the emulation? Maybe you picked APT29. But what if the network owners are more concerned about other threats like ransomware, for example WannaCry, or maybe financial theft actors like FIN7? If you arbitrarily select an adversary, you risk emulating TTPs that are not a priority for the network owner. As a result, you end up delivering marginal value. The bottom line is we want to be purposeful when we select our adversary. To that point, purposeful selection first requires a general understanding of relevant cyber threats. Answering the question, why do we do this research? Really, it's so that we can make informed decisions about what adversary and what TTPs we will emulate.

Now we understand why we're researching cyber threats. We'll now shift gears and start talking about how. How should we research cyber threats, and what are some approaches we can follow? Now, researching cyber threats usually involves a combination of gathering internal information from the organization and then augmenting that information with external resources, things like ATT&CK, CTI articles, and so on. We have these options to perform this research. The question is, where do we start exactly?

Now typically, my first course of action is to start with the network owners. Basically, ask the network owners directly: what cyber threats are you concerned about? You typically get a spectrum of answers. In some cases, you get a direct answer where the network owner says, "We want you to emulate APT29 because we know they've compromised us in the past." Sometimes you get generalized responses like "We want you to emulate ransomware." Sometimes you get the other extreme, where the network owner has no idea and they really want you to tell them what threats they should be concerned about. Regardless, when you're trying to figure out which adversary you should emulate, it's best practice to start with the network owners upfront. Talk about their concerns so that your decisions can be aligned with their cybersecurity priorities.

Another resource you want to leverage is the organization's CTI analysts, assuming they have them and they're available. You see, CTI analysts are often the ones best postured to tell you what cyber threats are most relevant to the organization. As a bonus, CTI analysts often have very detailed reports that you can use to characterize cyber threats. You'll find these reports can be really useful when we start implementing adversary TTPs later in the process. Really, by talking to CTI analysts at this point in the project, you can establish relationships that will likely pay off later on.

It's also worthwhile to talk to network defenders and system administrators. These personnel often have intimate knowledge about the network and insights into past incidents. They can be helpful in pointing you toward relevant cyber threats. You'll also find that establishing these relationships can pay dividends when you actually execute the engagement, because your network defenders, your system administrators, they can often resolve issues, things like accessing the network, provisioning accounts, and the like. It's really good practice to talk to the network defenders and system administrators when you're researching cyber threats.

Up to this point, we've discussed internal information sources. But another important part of this process is researching publicly available information. This can be really helpful for augmenting your research or just gaining a broader perspective. When I'm looking at publicly available information, ATT&CK is usually my first destination. Usually, by this point, I have 1-3 threat actors that are candidates for emulation. ATT&CK makes it really easy to quickly get up to speed with adversaries and their TTPs. By going to an ATT&CK page for a particular group, you can get a quick snapshot of who the adversary targets, what their objectives are, and what TTPs they use. If you want to go deeper, you can start tracing the original CTI articles that were used to substantiate the ATT&CK content.

Now another source I like to leverage is industry reports like the Verizon Data Breach Report. These kinds of reports can be really useful for amplifying your recommendations. For example, the 2021 Verizon Data Breach Report states that 85 percent of intrusions involved a human element. I've used metrics like these to negotiate for emulating spear-phishing TTPs with elements of social engineering as part of an engagement.

As you are researching cyber threats, you will likely ask yourself, when are we finished? When do we have enough information to select an adversary? Now ideally, you should have a list of candidate adversaries to emulate. I usually like to have at least a top-three list from which I can down-select later. You also want to have a general understanding of these actors. In other words, you should be able to speak to their objectives and capabilities at a high level. Given this understanding, you should also be able to articulate why these cyber threats are of salient interest to the organization. It should be clear that these cyber threats are aligned with the engagement objectives. Summarizing this, you're finished with the research when you've identified candidate adversaries to emulate and you can articulate why they are relevant to the organization.

During this lesson, we talked about researching cyber threats. The primary reason we do this research is to inform adversary and TTP selection. We also discussed approaches for performing this research, to include using internal and external information sources, for example, network owners, CTI analysts, network defenders, and public information. Taken together, these sources help us gain a general understanding of relevant cyber threats. In our next lesson, we'll talk about how you can put this information to use to select an emulated adversary.