Storing and Displaying ATT&CK®-Mapped Data


Time: 2 hours 24 minutes
Difficulty: Intermediate
CEU/CPE: 3
Video Transcription
>> We're now going to proceed with Module 3 of the ATT&CK CTI training course. This module is going to focus on learning how to store and analyze ATT&CK-mapped data. We'll have a total of four lessons for this module. The first lesson will be 3.1, in which we'll learn how to store and display ATT&CK-mapped intel. The second lesson, 3.2, will focus on showing you how to express ATT&CK-mapped intel. In the third lesson, 3.3, we'll learn how to analyze this data. Lastly, Lesson 3.4 is more of a walk-through of the hands-on exercises you'll be doing with the ATT&CK Navigator tool. As we just said, this lesson will be focused on learning how to store and display ATT&CK-mapped intel. Let's get started.

Our objectives for Lesson 3.1 are, first, to consider who or what will be consuming the mapped intel. Second is to identify the most effective storage platform for our environment and requirements.

When we first talk about storing ATT&CK-mapped intel, we have several things that we need to consider. The first is, who is consuming this intelligence? Is it a human analyst? Is it a machine taking the data into a SIEM? Who is interpreting the data will determine how we represent and store it. The next is, what are our intelligence requirements? When we're thinking in terms of adding contextual meaning to something, we need to determine if the full text is needed or just components that can describe it in a meaningful or productive way. After we establish the requirements, we can then think of how detailed we want them to be. Do we want to just include the parent techniques? Do we want sub-techniques for more depth? Or do we also want a procedure to provide the example of how the technique is used as well? The next thing we want to consider is how we'll capture this level of detail and, when it's captured in a specific format, how that will allow us to link it to other intelligence for our CTI needs. Lastly, we'll need to consider how this data will be imported and exported, and specifically what format it will be in. Will it be XML, JSON, etc.?

Here you have a screenshot showing how some techniques are even represented and referenced on Wikipedia pages. Take a look at the right-side panel of the page shown here and you can see how the technique Scheduled Task maps back to the ATT&CK framework and how it's displayed with the appropriate metadata, such as the technique ID, the tactic, the platform, and so on.

Here we have a screenshot of another useful CTI tool for tracking and sharing indicators of compromise and threat intelligence within your organization. MISP is an open-source threat intelligence platform for sharing, storing, and correlating these IOCs for targeted attacks, threat intelligence, financial fraud information, vulnerability information, or even counterterrorism threats. It allows you to store data in a structured format, allowing for automated use of its database, with extensive support for cybersecurity indicators as well as flexible import and export features to help you share that data within your organization.

Here we have another slide showing the MISP tool and an example of how we can store and display ATT&CK-mapped threat intelligence. MISP is a great tool for sharing your threat intelligence between teams across your organization in a streamlined and simple way. It also gives you the ability to link indicators as well as supplemental files and materials that can help bring together an investigation for your CTI needs.

In Lesson 3.1, we learned about the different ways that we can consume, link, contextualize, and import and export ATT&CK-mapped intel. We also learned about the different options that we have for our storage platform environment and requirements.