The Defensive Recommendations Process

00:01

This is module for making defensive recommendations from attack mapped data.

00:06

I'll be your instructor for this module. Adam Pennington.

00:12

We've got four high level objectives in this module.

00:16

I'm going to teach you a process for making defensive recommendations based on attack map data

00:22

and walk through How to identify the priority techniques and sub techniques for your enterprise.

00:27

How to understand that your enterprise capabilities and constraints and give you some practice making customized defensive recommendations.

00:37

We've broken this module up into four lessons.

00:42

First, I'm going to talk about the defensive recommendation process.

00:47

Second, we're going to teach you how to research how techniques and sub techniques are being used in relevant use cases and some of the defensive options that you have for dealing with them.

00:58

The third lesson. Going to show you how to research organizational capabilities and constraints and look at trade offs

01:04

finally going to work through an exercise where you're going to get to make some defensive recommendations.

01:14

So less than one. The defensive recommendation process.

01:21

This lesson. We've got two objectives. I'm going to go over a process for making defensive recommendations,

01:27

and I'm going to talk through a bit about how to determine priority techniques to work with.

01:37

So we've now gone through a bunch of material looking at how to identify techniques seen in the wild.

01:45

We looked at how to extract these techniques from narrative reporting, map them to attack. We looked at how to extract them from raw incident data.

01:53

Talked a little bit about using some of the groups and software data already mapped by the attack team.

01:59

We can identify techniques used by multiple groups, some of the material that was in the previous lesson.

02:04

And this. This might be a really good priority starting point that will leverage for the rest of this module.

02:09

That's well and good, and we've got a bunch of threat intelligence now. But how do we make that intelligence actionable? How do we now do something? Help our defenders leverage that attack intelligence.

02:24

So for the rest of this module, I'm going to be walking through a process for making defensive recommendations

02:31

first. In this lesson, we're going to determine priority techniques and sub techniques, and I'll talk about a few ways of doing that.

02:40

Have you take a look at how techniques and sub techniques are being used in relevant reporting and in the wild,

02:49

Some places where you can research defensive options related to these techniques and sub techniques.

02:54

How to look at your organization's capabilities and constraints.

03:00

Determine what the trade offs are for your organization and what your specific options, maybe. And then finally taking all that information and making defensive recommendations.

03:13

So Step zero determined priority techniques.

03:16

There are a lot of different ways that you can prioritize. We've gotten through some of those in getting started series that we've published on the Web,

03:25

and so there are multiple ways to prioritize. But this is attack for cyber threat intelligence training,

03:31

so we'll focus on leveraging cyber threat intelligence today.

03:36

Some of your options, though, are starting from data sources.

03:39

What data are you already collecting? That you may be able to see specific techniques with

03:46

threat intelligence, which we're going to be going through today?

03:50

What are your adversaries doing? What what are the overlaps between groups? You care about

03:54

a tooling? So what can your tools that you already own? They've already paid for potentially cover, maybe things you're not collecting right now, but built in capabilities

04:06

and then finally, red teaming or adversary emulation. What kinds of gaps did you Red team find the last time they did an evaluation of your environment?

04:18

So in the previous module, we took the output from a couple different reports, and we looked at the overlap between those groups.

04:27

And so this is taking our threat intelligence

04:30

and getting us down to something that's maybe our top priority. We have multiple actors doing these techniques,

04:38

and so maybe they're a good place for us to start in terms of things to worry about, defending against

04:44

for the rest of this module and going through an example.

04:47

I'm going to pick user execution out of this list.

04:51

And so these are all equally valid places to start, and they get us down from the large set of possibilities that we would have looking at all of attack

05:02

and get us down to a much smaller subset

05:05

that we know is being used by threat actors.

05:11

So in this lesson, I've introduced the module and reviewed the process for making defensive recommendations.

05:17

I've gotten into a bit about some of the options for how to determine priority techniques and sub techniques