2 hours 24 minutes
This is Module Four, Lesson Three.
Researching Organizational Capabilities and Constraints and Determining Trade-offs.
This lesson, we have three objectives for you: to learn how to identify your organizational capabilities and constraints,
identify how to tailor trade-offs for your enterprise,
and understand how to make customized defensive recommendations.
So this is Step Three of our process: research organizational capabilities and constraints.
Every organization is going to have
different aspects that are easier or harder for them, depending on some of the things that they already have in place,
things about their workforce and the organization itself.
So these are going to be things like
what data sources, defenses, and mitigations are already collected or in place.
So if you're already doing something that's almost able to take care of how an adversary is using a technique, it may be really inexpensive or simple.
So maybe something like: if you're already collecting the right data sources, possibly some new analytics on your existing sources, so just adding something to your SIEM.
So you can also take a look at tools: what products are already deployed that might have additional capabilities.
So do you have products in your enterprise
that are already able to take some of these defensive measures, or match things that we've said are going to work for a particular technique, but maybe a feature isn't turned on or it just needs to be tuned to match the particular thing?
So this could be something like: it's able to gather new data sources or implement new mitigations if we add on the right feature or if we turn on the right capability for it.
Are there things about the organization that may preclude responses? Are there things that are just not on the table for us, because of the organization, maybe rules we have on data we are not allowed to collect,
maybe something about our users, where their patterns may make something impossible or easy,
and this could be stuff like user constraints and usage patterns.
So we've gone through with this user execution example.
So I'm going to give some notional capabilities and constraints for our fake organization so that we can work through this process.
So, notional capabilities.
Let's say that our organization already has Windows events, so Windows event logs already collected to a SIEM, but not process info.
So we've got sort of the right types of data sources, but not necessarily what we actually need. The organization is currently looking at application control tools.
It's a highly technical workforce, so ones that already understand maybe some of the threats. There's already an email file detonation appliance in place, so this has already been bought, already been installed,
and like most organizations, we're going to assume that we already have antivirus on all endpoints.
Okay, so these are the things that we have in hand
that are going to enable certain responses and make certain responses easier than others.
So some notional constraints for our fake organization.
Let's say that our SIEM is close to our license limit,
so that in order to get a lot more events coming in, to add new Windows event log types, might be prohibitively expensive to get up to the next level of license.
A large portion of our organization, let's say, are developers, so people who run arbitrary binaries,
and that our files in transit are usually encrypted at the point that they go past a new network intrusion prevention system.
These are all notional. These are just so that we can actually take a look at how some of these would fit into specific trade-offs.
Your organization is going to be different.
How do we take those? So how do each of the options we identified in earlier steps now fit into our organization,
so we can look at, for example, positives and negatives for how each of these options will work with our organization?
So things like: maybe the options we came up with are able to leverage existing strengths, tools, and data sources,
so some of that information we were just thinking about, about our organization.
It also could very well fit with a specific threat.
If we've got an option that exactly matches up with what one adversary is trying to do to us, well, maybe that wants to rise to the top of our priorities.
There are also some negatives that can come up as we're going through each of these options. So maybe it's something that's going to be really expensive for us but doesn't really mitigate much risk; you know, it's not actually helping us all that much.
It could also be a poor cultural fit with our organization. It could be something that is going to make it so that our users can't get their job done, or is extra bad in our particular industry.
Each option is going to be highly dependent on your specific organization.
So, continuing to work through the example we have, and the defensive options we've gathered, and some of the constraints that we've put together for our notional organization.
So one defensive option that we came up with is increased user training around clicking on attachments.
This covers the most common use case. It covers spearphishing, where we're trying to keep people from clicking on attachments. We said that we have a technical workforce, so they may be very likely to understand this and may make good sensors for incoming malware.
As a con, though,
you know, our workforce, we're putting through more training.
People are sick of security training. They don't want one more. You know, we've already given them some training on spearphishing in the past,
and so it may or may not work as a trade-off.
We said we can do enforcement of application control.
Now, this sounds great on paper; you know, we're already looking at a solution for this. We said in our notional organization, most of the binaries that are of concern, that are coming in from malicious actors, are not familiar binaries; they're new hashes, they're brand new things. And so application control is likely going to stop them.
Well, we mentioned that we have a lot of developers.
Developers are creating a lot of their own binaries, and so we might heavily impact our population.
If we prevent our population from running arbitrary binaries, we may have a high support cost in order to add these developers' binaries into our application control solution.
We gave as an option monitoring command line arguments to create an analytic, looking at the information coming in.
We said we are collecting Windows events already,
so we've got, you know, where those are going to feed into; they're already feeding into a SIEM.
But we also said in our constraints earlier
that we really couldn't add more logs to our existing license. It probably was going to be an unacceptable cost.
Antivirus. Well, we've already got it, so, you know, there's no reason to get rid of it.
But the downside is we already have it in place, and it wasn't working out. Limited coverage.
We suggest, as a possibility, installing an endpoint detection and response product.
This could give us excellent endpoint visibility without greatly increasing log volumes,
but we don't already have it. This is going to be a big procurement, and it's possibly going to be a really expensive one, you know, if we want to go there.
We said we have an email detonation appliance.
As a pro, it's already in place.
But as a con, we also said that data is encrypted in places where it's going past our appliances, so we might not have full visibility into our inbound email.
So we've now built up
most of the information we need to get to the finish line.
You've learned how to identify organizationally unique capabilities and constraints, the sorts of information that are going to impact how we can respond to and detect different techniques and sub-techniques.
We've talked a bit about how to tailor trade-offs for your enterprise: what sorts of things to look for that are going to impact what's easy, what's hard, what's doable and what's not doable for your organization,
and gotten a bit into how we can pull those together into how they work with our different defensive options, and looking at the pros and cons for each one.