Welcome to this lesson for Module 1 within the ATT&CK-Based SOC Assessments training course. In this lesson, we're going to talk about how you can scope an ATT&CK-based SOC assessment to focus on the specific parts of ATT&CK that are relevant for the SOC you're looking at.
This lesson comes in at the end of framing an assessment, where you've teed up the assessment, you're ready to go, and you now just need to figure out what parts of ATT&CK are really relevant for the SOC that you're working with.
Our primary learning objective for this lesson is for you to be able to identify those relevant parts based on the SOC's current status, requirements, and what they're looking for.
So suppose you've decided to run an ATT&CK-based SOC assessment for a specific organization. You've done all the messaging, you've set expectations, and you've completely teed everything up so that you are ready to go.
The next stage is to figure out which parts of ATT&CK you want to use.
ATT&CK has three primary technology domains: ICS, Mobile, and, of course, Enterprise.
When you're running an assessment, it's important to figure out which of these domains you really need to consider.
Now, if you're like me and you're focused on Enterprise, much like this training is, you can fairly quickly say, "Well, I'm just going to look at Enterprise," make a quick judgment there, and not consider ICS or Mobile, and that's okay. But even then you run into questions like: which platforms do we consider?
Certainly there's a lot of overlap between Windows, macOS, and Linux. When you have PRE, cloud, and network in the mix, you get a variety of different postures, depending on the environment you're looking at.
Just to set an example, here's a notional heatmap for an organization that's only using the Linux platform. Here, the heatmap shows some decent coverage: there's low, some, and high confidence across each of the tactics, a good amount of high confidence of detection for a variety of techniques, and no glaring holes, maybe a few more gaps in Exfiltration than we'd like to see. But certainly we're seeing representation across the framework that we're looking at.
Now, if we were to take that same coverage and present it with all platforms shown, our coverage posture looks a little bit different. Now we have the Reconnaissance and Resource Development tactics shown, and those just look like gaps.
We now have Defense Evasion and Discovery with a lot more gaps shown there as well.
Generally, we're painting a picture that technically is the same coverage, but it is conflating techniques that don't apply to the domain with techniques that we might have as actual gaps. And so the biggest downside here is that by not scoping accurately, we end up causing confusion with the assessment in general, both in how we run it and in how we present it.
So when you're running an ATT&CK-based SOC assessment, it's imperative that you only choose the parts of ATT&CK that are relevant to the SOC. There are four key questions you want to ask when doing so.
Number one: do they have the technology present in their environment? This is basically asking: do they have mobile? Do they have ICS? Do they have a cloud environment? Linux? macOS?
By identifying whether they have it, you can see if that technology should be in scope.
The second question is: okay, if they do have it, are they supposed to be defending it? Are they actually tasked with defending this specific technology?
The third question is whether or not they can even potentially see it. You don't want to evaluate an organization that is, say, only looking at the perimeter by focusing specifically on endpoint tactics.
And then, lastly, the most interesting one is: do they want to assess it? Whenever you're running an ATT&CK-based SOC assessment, you need to work with the SOC to make sure what you're doing is in line with what they're looking for. If you're running an assessment for an organization that can see everything across domains and platforms, but they're only interested in their posture for, say, network devices, it doesn't make a ton of sense for you to go outside of that scope and do more of an assessment than you really need to, and more than what the SOC actually wants.
One gotcha when scoping an ATT&CK-based SOC assessment is working with the PRE platform. Looking at the two PRE tactics, Reconnaissance and Resource Development, it seems relatively straightforward that these are things we should maybe include. But when you dive in deeper, sometimes it's a little bit harder to see whether or not these should be included in an ATT&CK-based SOC assessment.
Resource Development in particular is fairly interesting, because these are certainly relevant techniques and a relevant tactic, but they're often outside of most SOCs' scopes.
Whether or not an adversary is acquiring infrastructure might not always be visible to the majority of SOCs. Additionally, Reconnaissance is also something that can be in scope but can also be out of scope. It really depends on how the adversary is executing each of the techniques.
Generally speaking, though, during a typical ATT&CK-based SOC assessment, we tend not to include PRE. This isn't a hard rule, but it's how we've tended to do assessments, as well as how we're going to be talking about assessments during this training.
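As an added example (not part of the course material), the four scoping questions and the default PRE exclusion applied to a constructed technique catalogue and coverage set, to show how many heatmap "gaps" in an all-platforms view are really out-of-scope platforms. The technique IDs, platform assignments, coverage values and scoping answers are all constructed placeholders, not real ATT&CK data.

```python
from collections import Counter
# Constructed sample catalogue: placeholder IDs (not real ATT&CK IDs), tactic, platforms.
TECHNIQUES = [
    {"id": "TX001", "tactic": "Reconnaissance",       "platforms": {"PRE"}},
    {"id": "TX002", "tactic": "Resource Development", "platforms": {"PRE"}},
    {"id": "TX003", "tactic": "Initial Access",       "platforms": {"Linux", "Windows", "macOS"}},
    {"id": "TX004", "tactic": "Defense Evasion",      "platforms": {"Windows"}},
    {"id": "TX005", "tactic": "Defense Evasion",      "platforms": {"Linux", "macOS"}},
    {"id": "TX006", "tactic": "Discovery",            "platforms": {"Windows"}},
    {"id": "TX007", "tactic": "Discovery",            "platforms": {"Linux", "Windows", "macOS"}},
    {"id": "TX008", "tactic": "Discovery",            "platforms": {"IaaS"}},
    {"id": "TX009", "tactic": "Exfiltration",         "platforms": {"Linux", "Windows", "macOS"}},
    {"id": "TX010", "tactic": "Exfiltration",         "platforms": {"Network"}},
]
# Constructed detection confidence for a Linux-only SOC; any technique absent here is a gap.
COVERAGE = {"TX003": "high", "TX005": "some", "TX007": "high"}
# Constructed answers to the four scoping questions; platforms not listed are out of scope.
ANSWERS = {
    "Linux":   dict(present=True,  responsible=True,  visible=True,  wanted=True),
    "Windows": dict(present=False, responsible=False, visible=False, wanted=False),
    "IaaS":    dict(present=True,  responsible=False, visible=True,  wanted=True),
    "Network": dict(present=True,  responsible=True,  visible=True,  wanted=False),
}
PRE_TACTICS = {"Reconnaissance", "Resource Development"}

def platform_in_scope(answers):
    """A platform is in scope only when all four questions are answered yes."""
    return all(answers[q] for q in ("present", "responsible", "visible", "wanted"))

def scope_techniques(techniques, answers, include_pre=False):
    """Keep techniques that touch an in-scope platform; drop PRE tactics by default."""
    in_scope = {p for p, a in answers.items() if platform_in_scope(a)}
    return [t for t in techniques
            if (include_pre or t["tactic"] not in PRE_TACTICS)
            and t["platforms"] & in_scope]

def gaps_by_tactic(techniques, coverage):
    """Count techniques with no detection per tactic (what a heatmap shows as a hole)."""
    return dict(Counter(t["tactic"] for t in techniques if t["id"] not in coverage))

def phantom_gaps(techniques, answers, coverage):
    """Gaps that appear in the all-platforms view but vanish once the scope is applied."""
    unscoped = gaps_by_tactic(techniques, coverage)
    scoped = gaps_by_tactic(scope_techniques(techniques, answers), coverage)
    return {k: v - scoped.get(k, 0) for k, v in unscoped.items() if v > scoped.get(k, 0)}

if __name__ == "__main__":
    print("all platforms:", gaps_by_tactic(TECHNIQUES, COVERAGE))
    print("scoped:       ", gaps_by_tactic(scope_techniques(TECHNIQUES, ANSWERS), COVERAGE))
    print("phantom:      ", phantom_gaps(TECHNIQUES, ANSWERS, COVERAGE))
```

With these constructed inputs, the all-platforms view reports seven gaps across five tactics, while the scoped view keeps only the one real Exfiltration gap on Linux.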
So, a few summary notes and takeaways from this lesson.
Number one: include exactly the parts of ATT&CK that are relevant to the SOC. It makes the most sense for you as the assessor, as well as for the SOC as the one who needs to improve.
When scoping which parts of ATT&CK you should look at, ask four key questions. Number one: is the technology present? Number two: should the SOC defend against it? Number three: can the SOC defend against it? And number four: does the SOC want those techniques to be part of the assessment?
Be careful when working with PRE. If you're unsure as to whether or not it's in scope, leave it out. Including it if it's not in scope can potentially cause confusion and might send the wrong message to the SOC you're working with.
And lastly, for this course, we focus primarily on Enterprise, not including the PRE techniques.