Scoping an Assessment

Time: 3 hours 16 minutes
Difficulty: Intermediate
CEU/CPE: 2
Video Transcription
Welcome to Lesson 4, Module 1, of the ATT&CK-based SOC Assessments training course. In this lesson, we're going to talk about how you can scope an ATT&CK-based SOC assessment to focus on the specific parts of ATT&CK that are relevant for the SOC you're looking at. This lesson comes in at the end of framing an assessment, where you've teed up the assessment, you're ready to go, and you now just need to figure out what parts of ATT&CK are really relevant for the SOC that you're working with. Our primary learning objective for this lesson is for you to be able to identify those relevant parts based on the SOC's current status, requirements, and what they're looking for.

Suppose you've decided to run an ATT&CK-based SOC assessment for a specific organization. You've done all the messaging, you've set expectations, you've totally teed everything up so that you are ready to go. The next stage is to figure out, well, which parts of ATT&CK you want to use. ATT&CK has three primary technology domains: ICS, Mobile, and, of course, Enterprise. When you're running an assessment, it's important for you to figure out just which of these domains you really need to consider. If you're like me and you're focused on Enterprise, much like the training is, you can quickly say, well, I'm just going to look at Enterprise and make a quick judgment there, and I don't need to consider ICS or Mobile. That's okay. But even then you run into questions like, which platform do we consider? Certainly, there's a lot of overlap between Windows, macOS, and Linux, but when you have PRE, Cloud, and Network in the mix, you get a variety of different postures you might have depending on the environment you're looking at.

Just to set an example, here's a notional heatmap for an organization that's only using the Linux platform. Here, the heatmap shows some decent coverage. There's low, some, and high confidence across each of the tactics: a good amount of high confidence of detection for a variety of techniques, no glaring holes, maybe a few more gaps in Exfiltration than we'd like to see here. But certainly, we're seeing representation across the framework that we're looking at. If we were to take that same coverage and then present it with all platforms shown, well, now our coverage posture looks a little bit different. Now we have the Reconnaissance and Resource Development tactics shown, and those just look like gaps. We now have Defense Evasion and Discovery with a lot more gaps shown there as well. Generally, we're painting a picture that technically is the same coverage, but is conflating techniques that don't apply to a domain with techniques that we might have as actual gaps. The biggest downside here is that by not scoping it accurately, we end up causing confusion with the assessment in general, how we run it, as well as how we present it.

When you're running an ATT&CK-based SOC assessment, it's imperative that you only choose the parts of ATT&CK that are relevant to the SOC. There are four key questions you want to ask when doing so. Number 1, do they have the technology present in their environment? This is basically saying, do they have Mobile, do they have ICS, do they have a Cloud environment, Linux, macOS? By identifying if they have it, you can help see if that technology should be in scope. Another question is, well, if they do have it, are they supposed to be defending it? Are they actually tasked with defending this specific technology? The third question is whether or not they can even potentially see it. You don't want to evaluate an organization that is, say, only looking at the perimeter by focusing specifically on endpoint tactics. Then lastly, the most interesting one is, do they want to assess it? Whenever you're running an ATT&CK-based SOC assessment, you need to work with the SOC to make sure what you're doing is in line with what they're looking for. If you're running an assessment for an organization that can see everything across domains and platforms, but they're only interested in their posture for, say, network devices, it doesn't make a ton of sense for you to go outside of that scope and do more of an assessment than you really need to, and more than what the SOC actually wants.

One tricky part of scoping an ATT&CK-based SOC assessment is working with the PRE platform. Looking at the two PRE tactics, Reconnaissance and Resource Development, it seems relatively straightforward that these are things that maybe we should include, but when you dive in deeper, sometimes it's a little bit harder to see whether or not these should be included in an ATT&CK-based SOC assessment. Resource Development in particular is fairly interesting, because these are certainly relevant techniques in a relevant tactic, but they're often outside of most SOCs' scopes. Whether or not an adversary is acquiring infrastructure might not always be visible for the majority of SOCs. Reconnaissance, likewise, is something that can be in scope, but can also be out of scope. It really depends on how the adversary is executing each of the techniques. Generally speaking, though, during a typical ATT&CK-based SOC assessment, we tend not to include PRE. This isn't a hard rule, but it's how we've tended to do assessments, as well as how we're going to be talking about assessments during this training.

A few summary notes and takeaways to walk away from this lesson. Number 1, include exactly the parts of ATT&CK that are relevant to the SOC. It makes the most sense for you as the assessor, as well as for the SOC as the one who needs to improve. When scoping which parts of ATT&CK you should look at, ask four key questions. Number 1, is the technology present? Number 2, should the SOC defend against it? Number 3, can the SOC defend against it? Number 4, does the SOC want those techniques to be part of the assessment? Be careful when working with PRE. If you're unsure as to whether or not it's in scope, leave it out. Including it, if it's not in scope, can potentially cause confusion and might send the wrong message for the SOC you're working with. Lastly, for this course, we focus primarily on Enterprise, not including the PRE techniques.
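The scoping effect the lesson describes (the same coverage data looking far worse when techniques from platforms the SOC does not own are drawn as gaps) can be reproduced on a small dataset. The following Python is an added example written for this page, not material from the course or from MITRE. It answers the lesson's four scoping questions per platform, filters a technique list to the platforms that pass all four, and compares the gap list with and without that filter. The technique IDs are real ATT&CK IDs, but the platform lists, coverage levels and SOC inventory are constructed, simplified sample data; the Navigator layer field names (`filters.platforms`, `techniqueID`, `score`) are written from memory of the v4 layer format and are an assumption to check against the Navigator documentation before importing the output.

```python
"""Scope an ATT&CK coverage heatmap to the platforms a SOC actually owns.

Added example (not from the course). Technique/platform data is a tiny,
simplified sample using real ATT&CK IDs with abbreviated platform lists;
coverage levels and the SOC inventory are constructed for illustration.
"""
from collections import Counter

# Constructed sample: (technique ID, tactic, platforms it applies to).
# Platform sets are deliberately abbreviated, not ATT&CK's authoritative ones.
TECHNIQUES = [
    ("T1595", "Reconnaissance",       {"PRE"}),
    ("T1583", "Resource Development", {"PRE"}),
    ("T1190", "Initial Access",       {"Windows", "Linux", "macOS", "Network"}),
    ("T1078", "Initial Access",       {"Windows", "Linux", "macOS", "IaaS"}),
    ("T1059", "Execution",            {"Windows", "Linux", "macOS", "Network"}),
    ("T1548", "Privilege Escalation", {"Windows", "Linux", "macOS"}),
    ("T1070", "Defense Evasion",      {"Windows", "Linux", "macOS", "Network"}),
    ("T1562", "Defense Evasion",      {"Windows", "Linux", "macOS", "IaaS"}),
    ("T1082", "Discovery",            {"Windows", "Linux", "macOS", "Network", "IaaS"}),
    ("T1580", "Discovery",            {"IaaS"}),
    ("T1021", "Lateral Movement",     {"Windows", "Linux", "macOS"}),
    ("T1041", "Exfiltration",         {"Windows", "Linux", "macOS"}),
    ("T1567", "Exfiltration",         {"Windows", "Linux", "macOS"}),
    ("T1486", "Impact",               {"Windows", "Linux", "macOS", "IaaS"}),
]

# Constructed detection confidence per technique; anything missing is "none".
COVERAGE = {
    "T1190": "high", "T1078": "some", "T1059": "high", "T1548": "some",
    "T1070": "low", "T1082": "high", "T1021": "high", "T1041": "low",
    "T1486": "some",
}

# The lesson's four scoping questions, answered per platform for one
# constructed SOC: present? tasked to defend it? can see it? wants it assessed?
INVENTORY = {
    "Linux":   dict(present=True,  tasked=True,  visible=True,  wanted=True),
    "Windows": dict(present=True,  tasked=True,  visible=False, wanted=True),   # no endpoint telemetry yet
    "macOS":   dict(present=False, tasked=False, visible=False, wanted=False),
    "IaaS":    dict(present=True,  tasked=False, visible=False, wanted=False),  # owned by the cloud team
    "Network": dict(present=True,  tasked=True,  visible=True,  wanted=False),  # deferred by the SOC
    "PRE":     dict(present=True,  tasked=False, visible=False, wanted=False),
}


def in_scope_platforms(inventory):
    """A platform is in scope only when all four scoping answers are yes."""
    return {p for p, a in inventory.items()
            if a["present"] and a["tasked"] and a["visible"] and a["wanted"]}


def scoped_techniques(techniques, platforms=None):
    """Keep techniques that apply to at least one in-scope platform.
    platforms=None is the unscoped 'all platforms shown' view."""
    if platforms is None:
        return list(techniques)
    return [t for t in techniques if t[2] & platforms]


def coverage_level(tid, coverage):
    return coverage.get(tid, "none")


def tactic_summary(techniques, coverage, platforms=None):
    """Per-tactic count of techniques at each confidence level, within scope."""
    summary = {}
    for tid, tactic, _ in scoped_techniques(techniques, platforms):
        summary.setdefault(tactic, Counter())[coverage_level(tid, coverage)] += 1
    return summary


def gaps(techniques, coverage, platforms=None):
    """Technique IDs with no detection coverage, within scope, sorted."""
    return sorted(tid for tid, _, _ in scoped_techniques(techniques, platforms)
                  if coverage_level(tid, coverage) == "none")


def navigator_layer(name, techniques, coverage, platforms):
    """Build a Navigator-style layer dict whose platform filter hides
    out-of-scope techniques. Field names are assumed from the v4 layer
    format; verify against the Navigator docs before importing."""
    score = {"high": 100, "some": 66, "low": 33, "none": 0}
    return {
        "name": name,
        "domain": "enterprise-attack",
        "filters": {"platforms": sorted(platforms)},
        "techniques": [
            {"techniqueID": tid,
             "score": score[coverage_level(tid, coverage)],
             "comment": f"{tactic}: {coverage_level(tid, coverage)} confidence"}
            for tid, tactic, _ in scoped_techniques(techniques, platforms)
        ],
    }


if __name__ == "__main__":
    scope = in_scope_platforms(INVENTORY)
    print("in-scope platforms:", sorted(scope))
    print("unscoped gaps:", gaps(TECHNIQUES, COVERAGE))
    print("scoped gaps:  ", gaps(TECHNIQUES, COVERAGE, scope))
    for tactic, counts in tactic_summary(TECHNIQUES, COVERAGE, scope).items():
        print(f"{tactic:22s}", dict(counts))
```

With this constructed inventory only Linux passes all four questions (Windows fails on visibility, Network because the SOC did not ask for it, IaaS and PRE because the SOC is not tasked with them). The unscoped gap list contains the two PRE techniques and the IaaS-only discovery technique alongside the real Linux gaps; the scoped list keeps only the two Linux gaps, one of them in Exfiltration, which is the honest picture the lesson asks for. Emitting the scope as a Navigator platform filter means the heatmap itself stops drawing the non-applicable cells rather than relying on the reader to mentally discount them.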