2 hours 24 minutes
welcome to module to mapping from raw data
in Moscow. One. Adam talks about the process of mapping from narrative reporting to attack.
Now in module two, we'll be talking about leveraging that same process when mapping from raw data, our data from incident response
So our objectives for this module are learning to identify and research behaviors and raw data. Next, we'll be talking about translating those behaviors into tactics, techniques and sub techniques.
Finally, we'll practice mapping the raw data with an exercise, and then we'll review a couple of best practices for displaying the attack map data and reports
moving on to our first lesson 2.1 the process of mapping from raw data.
So our objectives for less than 2.1 are talking through the mapping process for raw data. We're going to be discussing some of the challenges and advantages of mapping from raw data versus Inari reporting and then reviewing the pros and cons of mapping from the two different data sources.
So far in this attack, C t. I training, we've been focusing on reporting and intelligence that has already been developed and is outlining what occurred around the adversary behaviors when mapping from raw data, we're going to be performing the analysis of behaviors directly from the source data that informs those type of reports.
And there are some specific challenges and advantages of mapping from raw data.
So a key challenge with raw data is that there can be a lot more knowledge necessary to actually come to a point where you can map it to attack.
So this might include reviewing many more data sources, and it may require just diverse levels of experience.
Another challenge is that there can be a wide set of potential data that might contain behaviors,
and this can be data from forensic disk images or from shell commands. It can be our from our own analysis from sandbox detonation or from a number of other data sources coming from incident responders.
And finally, you might have to be looking at a lot more data overall in order to figure out what the intent and tactic are for the actual behavior
moving on to the advantages. So a key advantage that there's probably more information available at the procedure level and more detail on the actual data. You're also not reinterpreting someone else's analysis,
You're deciding yourself how to assess the adversary activities.
Finally, in raw data, it really enables you to increase your understanding of different data sources and potentially using different kinds of tools to gain additional information on adversary behaviors.
So throughout the rest of this module, we're going to be following the same mapping process that was covered in module one.
We're going to be walking through each of these steps to identify research and translate those behaviors into the relevant tactic, technique or sub technique.
So with each of the steps and the attack mapping process, there can be a lot of variants between map and the two types of information to attack. And so we're gonna be walking through some of the pros and cons of mapping from the two sources,
starting with Step one, finding the behavior
for raw data. If you're actually looking at data and the information coming from adversary activity,
a lot of it can be a behavior
now. That's not to say that everything an attack is an attack technique.
Is Adam discussed in module one? Attack doesn't include every possible behavior.
A narrative reporting the behaviors might be buried in a lot of content and hidden among IOC s or distributed throughout the report.
For Step two researching behavior with raw data, you might have to work across multiple domains and sources to actually understand the behaviors. Or you might have to review multiple data types simultaneously.
An advantage is that the activity might be recognized procedure as we discussed. And this can help us map directly to a technique or sub technique.
A narrative reporting There might be enough intelligence and related context to really understand their behavior,
but there also might be some lost detail that wasn't included in the report
for Step three. As we translate the behavior into a tactic,
it might take a significant level of domain knowledge and expertise to understand adversary activity and intent and raw data,
whereas a narrative reporting this might already be outlined by the report author, where they have speculated about what the intent is for the behaviors
for Step four and raw data. If we've already found a procedure that goes straight to a technique or sub technique
as we mentioned, this could be relatively simple.
This might also require a really deep understanding of the specific data type in order to understand how that activity was accomplished.
In the case of narrative reporting, it might be as simple as a text match with something we previously map to attack or procedures already an attack. But there also might be a lack of necessary detail to indicate what the technique is.
Finally, with Step five comparing your results to other analysts.
So collaboration with other analysts is really important with raw data to ensure that all the different data sources you're pulling in are covered with the appropriate expertise.
A narrative reporting this collaboration is key to helping us recognize and mitigate those user biases.
So unless I want to 0.1, we just talked about mapping raw data to attack and discuss some of the challenges. Some of the advantages of mapping from raw data compared to nearly reporting,
um, and that includes a more advanced and diverse skill set might be required for raw data. But there's likely more information at the procedure level, and you won't be reinterpreting someone else's analysis.
We also walked through some pros and cons of mapping from each source based on the attack mapping process.
In less than 2.2, we're gonna be diving into identifying and researching the behaviors