Storing and Displaying ATT&CK®-Mapped Data

Video Activity
Join over 3 million cybersecurity professionals advancing their career
Sign up with
Required fields are marked with an *

Already have an account? Sign In »

2 hours 24 minutes
Video Transcription
we're now going to proceed with Module three of the attacks CT I training course. This module is going to focus on learning how to store and analyze attack math data.
We'll have a total of four lessons for this module. The first lesson will be 3.1, which will learn how to store and display attack mapped Intel. The second lesson, 3.2, will focus on showing you how to express attack mapped Intel. The third lesson, 3.3, will learn how to analyze this data,
and lastly, less than 3.4 is more of a walkthrough on the hands on exercises you'll be doing with the Attack Navigator tool.
As we just said, this lesson will be focused on learning how to store and display attack map Intel. So let's get started
our objectives for less than 3.1. Our first to consider who or what will be consuming the map. Intel
and second is to identify the most effective storage platform for our environment and requirements.
When we first talked about story, an attack mapped intel, we have several things that we need to consider. The first is who is consuming this intelligence. Is it a human analyst? Is it a machine? Taking in that data to a sim
who is interpreting the data will determine how we represent and store it.
The next is what are our intelligence requirements when we're thinking in terms of adding contextual meaning to something we need to determine if the full text is needed, or just components that can describe it in a meaningful or productive way.
After we establish the requirements, we can then think of how detail we want them to be. Do we want to just include the parent techniques? Do we want some techniques for more depth?
Or do we also want a procedure to provide the example of how the technique is used as well?
The next thing we want to consider is how we'll capture this level of detail, and when it's captured in a specific format, how will that allow us to link it to other intelligence for a C. T. I needs?
And lastly, we'll need to consider how this data will be imported and exported and specifically what format it will be in. So we'll be an XML, Jason et cetera.
Here we have a screenshot showing how some techniques are even represented and referenced on Wikipedia pages. Take a look at the right side panel, the page shown here, and you can see how the technique scheduled task matters back to the attack framework. And now it's displayed with the appropriate metadata, such as the technique. I'd the tactic, the platform and so on.
Here we have a screenshot of another useful C. T. I. Tool for tracking and sharing indicators of compromise and threat intelligence within your organization, Miss is an open source threat intelligence platform for sharing, storing and correlating these I. O. C. S for targeted attacks, threat, intelligence, financial fraud, information, vulnerability information or even counter terrorism threats.
It allows you to store data in a structured format allowing for automated use of their database. With an extensive support of cybersecurity. Indicators has flexible important export features as well to help you share that data within your organization.
Here we have another slide showing the myth tool. In an example of how we can store and display attack, not threat intelligence, Mr is a great tool for sharing your threat intelligence between teams across your organization in a streamlined and simple way.
It also allows you the ability to link indicators as well as supplemental files or materials that can help bring together an investigation for your C. T. I needs
in less than 3.1, we learned about the different ways that we can consume link contextualized in import and export attack mapped into.
We also learned about the different options that we have for our storage platform, environment and requirements.
Up Next