Techniques and Sub-Techniques
Video Activity
Time: 1 hour
Difficulty: Beginner
CEU/CPE: 2
Video Transcription
>> Welcome to Module 1, Lesson 4, Techniques and Sub-Techniques. In this lesson, we will define and explore what an ATT&CK technique is, recognize the differences between techniques and sub-techniques, and finally, build appreciation for how these techniques and sub-techniques fit into the overall ATT&CK TTP model.

As you recall from our previous lesson, ATT&CK tactics define the goals of an adversary during a campaign or breach, whereas ATT&CK techniques define the means by which adversaries achieve these tactical goals. Techniques are written from the perspective of the adversary and capture how an adversary performs each action or behavior. As you can see with the example to the right, drawn from the Execution tactic, the Command and Scripting Interpreter technique captures how adversaries may abuse command and scripting languages to execute malicious commands or payloads. Similar to tactics, the list of techniques very often differs across platforms, but this list grows and evolves over time to keep up with variances and innovations of adversary tradecraft.

Sub-techniques further break down the details of adversary behaviors captured in techniques. For all intents and purposes, techniques and sub-techniques are equivalent. The only main difference is that sub-techniques describe behaviors at a lower level of detail. As you can see with the example to the right, our same Command and Scripting Interpreter technique has eight sub-techniques, which define very specific command or programming languages that adversaries may use to execute payloads. Sub-techniques always have a single parent and are not always, but very often, platform-specific, such as the Windows Command Shell, or cmd.exe, sub-technique. Sub-techniques were explicitly designed to help reduce changes to techniques as we try to track and capture variations and innovations between platforms and adversary behaviors.

Techniques and sub-techniques are both objects within the ATT&CK model, each of which is assigned a unique identifier. Technique IDs are typically referred to as TIDs, as you can see with the example below with Brute Force. Its TID is T1110. Sub-technique TIDs are just extensions of their parent's TID, as you can see with the example below with the fourth sub-technique of Brute Force. Sub-techniques and techniques have a wealth of additional metadata on each of the pages that connect to the rest of the ATT&CK model. Some of that interesting metadata, which we'll explore in later lessons, includes mitigations, data sources and detections, and procedure examples.

With that, we've reached the knowledge check for this lesson. Techniques and sub-techniques in ATT&CK are... Please pause your video and take a second to think about the correct answer before proceeding. In this case, the correct answer was C: techniques and sub-techniques in ATT&CK are descriptions of adversary behaviors at different levels of detail.

In summary, ATT&CK techniques and sub-techniques represent behaviors performed by adversaries, or how they achieve their tactical goals. Finally, techniques and sub-techniques are fundamentally the same, the only difference being that sub-techniques are more specific descriptions of these behaviors.