Translate Behaviors to Tactics, Techniques and Sub-Techniques

Time
2 hours 24 minutes
Difficulty
Intermediate
CEU/CPE
3
Video Transcription
>> Welcome to Lesson 2.3, Translate Behaviors to Tactics, Techniques and Sub-techniques. In this lesson, our objectives are developing the ability to take the behaviors we identify in raw data and map them to the relevant tactics, techniques, and subs. Then we'll be reviewing concurrent techniques and reinforcing the importance of peer review for ATT&CK mappings.

In this step, we're going to be going through and translating the behaviors to tactics. With ipconfig /all, this was a relatively specific procedure that we previously found under System Network Configuration Discovery, and that falls under the Discovery tactic. Although we've identified the tactic, we're not done. As we noted while reviewing the data, it was seen being run via Sysmon, and so this also falls under the Execution tactic.

For the next behavior, the recycler.exe, that's being run via the command line and we see it via Sysmon, and we align the pieces of our research and analysis together to identify what we think is the tactic. We ascertained that it's trying to pretend that it's a Visio diagram, and we have moderate confidence that this is Exfiltration. If we were able to leverage some more information and other data sources and run this, it might enrich our analysis and add some additional details. But based on what we've found, it also maps to Execution as well.

Step 4, figuring out what technique or sub-technique applies. Similar to what was covered in Module 1 about working with narrative reporting, you might occasionally have enough information to map directly to a certain technique or sub-technique instead of going through a tactic. But we need to try and work through that structured process and avoid skipping steps. If you do map directly to a technique or sub, make sure you go through and confirm that it aligns with a tactic that best represents your understanding of the adversary's goals.

For ipconfig /all, we found that this maps to System Network Configuration Discovery, and as I mentioned, adding in Execution, we have that it's Command and Scripting Interpreter. Then for the recycler binary, we've identified a couple of different elements. We figured out these command line flags mean it's compressing and encrypting data, so we mapped it to Archive Collected Data. But as discussed, it's also Command and Scripting Interpreter.

What's going on with these concurrent techniques? There are certain tactics that commonly have concurrent techniques. These are tactics like Execution, Defense Evasion, Initial Access, and Collection, where a lot of the techniques are describing how things are happening and other techniques are describing what's happening. A combination we often see is Phishing: Spearphishing Attachment and User Execution. The spear phishing is often coming with an attachment and a user clicks; this is User Execution. This is Initial Access and Execution happening together. Data from Local System and Email Collection can be leveraged in concert, so for example, an adversary is identifying a PST file on a host, so two types of collection are occurring simultaneously. Finally, as we've seen, many of those discovery techniques can be Command and Scripting Interpreter, with Windows built-in commands being run one after another.

In our final step, we'll want to compare our analysis to the results from other analysts. We discussed collaboration at the end of the last module to help hedge against biases. This is particularly important with raw data, given the fact that raw data requires a broader set of skills to work with the different types of data. You might have one analyst who has experience working with things like malware, packets, reverse engineering, and the Windows command line, and understanding what various commands do. We might have another analyst needed for the same incident who's very familiar with other platforms such as macOS or Linux, or whose skill set includes looking at disk forensics and Windows event logs. Based on the additional caveats with raw data, it's really critical to recognize the diverse set of skill sets you'll likely need, to be able to leverage them and ensure that the analysis is as accurate as possible.

In Lesson 2.3, we walked through the process for translating behaviors from raw data into tactics, techniques and subs. We talked about concurrent techniques and the importance of recognizing what's happening as well as how it's happening, and finally, we highlighted how important it is to maintain ongoing collaboration with analysts that have diverse skill sets and experience working with different types of data. In Lesson 2.4, we'll take what we've learned so far and apply it to a mapping exercise.