Translate Behaviors to Tactics, Techniques and Sub-Techniques

Video Activity
Join over 3 million cybersecurity professionals advancing their career
Sign up with
Required fields are marked with an *
or

Already have an account? Sign In »

Time
2 hours 24 minutes
Difficulty
Intermediate
CEU/CPE
3
Video Transcription
00:00
welcome to Lesson 2.3, translating behaviors to tactics, techniques and sub techniques.
00:05
In this lesson, our objectives are developing the ability to take the behaviors we identify and raw data and map them to the relevant tactics, techniques and subs. Then we'll be reviewing concurrent techniques and reinforcing the importance of peer review for attack map ing's.
00:21
So in this step, we're going to be going through and translating the behaviors into tactics
00:26
with i p. Config. Slash All this was a relatively specific procedure that we previously found under system now reconfiguration discovery, and that falls under the discovery tactic. So although we have to identify the tactic, we're not done.
00:40
As we noted while reviewing the data, it was seen being run via servicemen. And so this also falls under the execution tactic
00:48
for the next behavior. The recycler dot x e that's being run via the command line and receive the assessment.
00:54
And we align the pieces of our research analysis together to identify what we think is a tactic. So we ascertain that it's trying to pretend that it's a Visio diagram,
01:03
and we have moderate confidence that this is exfiltration.
01:07
If we were able to leverage some more information and other data sources around this. It might enrich our analysis and add some additional details.
01:15
But based on what we found, it also maps to execution as well.
01:21
So for figuring out what technique or sub technique applies
01:25
so similar to what was covered in module one about working with narrative reporting,
01:30
you might have enough information and occasionally to map directly to a technique or sub technique
01:36
instead of going through a tactic.
01:38
But we need to try and work through that structure process and avoid skipping steps.
01:42
So if you do map directly to a technique or sub, make sure you go through and confirmed that it aligns with a tactic that best represents your understanding of the adversary goals
01:53
for I peek and big slash all.
01:55
We found that this maps to system network configuration discovery.
01:59
And, as I mentioned, adding an execution, we have that its commanding scripting interpreter
02:05
and then for the recycler binary. We've identified a couple of different elements. We figured out these command line flags mean it's compressing and encrypting data,
02:14
so we map it to archive collected data,
02:16
but as discussed, it's also command and scripting interpreter.
02:23
So what's going on with these concurrent techniques?
02:27
There are certain tactics that commonly have concurrent techniques.
02:30
These are tactics like execution, defensive Asian initial access collection, where a lot of the techniques are describing how things are happening and other techniques are describing what's happening.
02:42
A combination we often see is fish fishing, spearfishing attachment and use their execution.
02:47
The spear phishing is often coming with attachment and a user clicks. This is user execution, so this is initial access and execution happening together.
02:58
Data from local system and a bell collection can be leveraged in concert. So, for example, an adversary is identifying and hoisting a PST file. So two types of collection are occurring simultaneously.
03:09
And finally, as we've seen, many of those discovery techniques can be commanding scripting interpreter, with Windows built in commands being run one after another.
03:23
In our final step, we'll want to compare our analysis to the results for other analysts. We discuss collaboration, end up the last module to help hedge against biases.
03:34
This is particularly important with raw data, given the fact that raw data requires a broader set of skills to work with
03:40
the different types of data. And so you might have one analyst who has experienced working with things like malware packets, reverse engineering
03:49
and Linda's command line and understanding what various commands do. We might have another analyst needed for the same incident who is very familiar with other platforms, such as Mac OS or Lennox, are whose skill sets includes looking at this forensics and Windows event logs
04:03
based on the additional caveats with raw data, it's really critical to recognize the diverse set of skill sets. You'll likely need to be able to leverage them and ensure that the analysis is as accurate as possible.
04:17
So in less than 2.3, we walk through the process for transacting behaviors from raw data into tactics, techniques and subs. We talked about concurrent techniques and the importance of recognizing what's happening as well as how it's happening.
04:30
And finally, we highlighted how important it is to maintain ongoing collaboration with analysts that have diverse skill sets and experience working with different types of data
04:39
and less than 2.4, we'll take what we've learned so far and apply it to a mapping exercise
Up Next