this is Module one Lesson three attack mapping process. Translating a behavior into a tactic
this law. So we have three objectives
for you to understand the 14 tactics in enterprise attack and why they matter.
I'm going to go through some practice showing you how to identify behavior in narrative reporting.
We're going to talk about how to translate those behaviors into tactics, which is step three of the attack mapping process, which showed less than one.
So as we try to translate the behaviors we found and we've gotten some understanding of into a tactic,
the big thing we're looking at is what goal is the adversary trying to accomplish?
What thing is it that the adversary is trying to do in their step of behavior breaking in and acting on a system?
Now, you have a bit easier time here than trying to go straight to techniques or sub techniques
because there are only 14 tactic options currently in enterprise attack.
So I'm going to go into each of the tactics briefly, that is, is currently an enterprise attack and talk a little bit about what sorts of things are in each of them.
The reconnaissance and resource development tactics were added to attack in October of 2020
they take the place of a previous framework called pre attack that lived alongside attack. And these two tactics described activities that happen from an adversary before an adversary tries to break into a system.
So for reconnaissance, the adversaries trying to gather information they can use to plan future operations.
This is things like scanning a victim, looking up in databases, information about people at the victim
and gathering various information that they're going to need in order for an operation to be successful.
Resource development as as the adversary starts to take those reconnaissance intelligence findings and turn them into the resources they need to support their operations,
this is things like writing malware, registering domains,
initial access. Initial access consists of techniques. There are various entry vectors for an adversary to gain their initial foothold in an enterprise,
and these are things like fishing,
like an adversary getting into a supply chain.
Various things were adversaries taking that first step towards getting into environment
execution. Execution consists of techniques that results in adversary controlled code running on a victim system.
These could be things like buffer overflows or just a user clicking on a piece of malware.
Persistence is techniques that adversaries use to keep access to systems.
This may be across restarts this maybe things like credentials changing or any other interruption that could potentially cut off their axis and keep them from coming back in.
And so these will be things like making sure that Mauer restarts upon a reboot,
ensuring that access is open for future attempts to come into the environment
and anything else the adversary is doing to try to make sure that they can get back in later.
privilege, escalations techniques. Adversaries used to gain higher level permissions on a system or network.
Oftentimes, there are things that an adversary is going to want to do often in other tactics
where they need to be an administrator. They need to be root. They need to be system. They need to be something beyond a normal user
in order to be able to accomplish those goals.
It's a privilege escalation are different techniques that the adversary is using to get that higher level permissions
These are techniques that an adversary uses to avoid getting caught
so avoiding defenders,
this could be things like naming their files after another common system utility.
These could be things like hiding the presence of their tools from various security systems running on a computer.
Anything where an adversary is trying to hide from a defender.
Credential. Access credential. Access techniques for stealing credentials like account names and passwords
in order to get into other systems on the network, often for lateral movement or, in some cases, to be able to do privilege escalation. Adversaries want passwords,
and this can be done in a number of different ways. It can be anything from actually dumping it from the local system, getting them off the domain controller
anything. Where an adversary is dumping credentials for use elsewhere in the system.
discoveries techniques that an adversary may use to gain knowledge about the system and the internal network.
This may be techniques they use to find out about where they've landed, so adversaries often look around right after they've gotten onto a first system to figure out Hey, where am I? Am I where I intended to be?
They also want to be able to do lateral movement. They want to get into other computers, and then we need to find those computers first. So anything adversary is doing to try to see that information inside an environment we consider discovery.
Lot of movement is techniques the adversary is using to get to remote systems on the network.
So once the adversary is in an enterprise, the system they land on is often not the one they need to gain either complete control or their final goal, which is whatever information it is. They're coming to steal whatever destruction they're trying to do. They need to get to other systems once they've actually landed.
It's a lot of movement is the techniques that an adversary might do to do that?
It could be a remote desktop protocol to another system could be moving through secure shell across the network. It could be exploitation to get into another computer.
Anything the adversary is doing to move to another system
collection is techniques adversaries used to gather information and the sources that they're going to want to follow through on the rest of their objectives.
These are things like pulling together the information they're getting ready to X ville, pulling those together into a single archive moving into a single system. So it's the adversaries going throughout a computer or a network and gathering the information. They're going to take further activities on
command and control commanding controls, techniques and adversary uses to communicate with systems under their control of the network.
Adversaries usually aren't sitting next to the computer. They're breaking into there somewhere remote, maybe in another country.
And they have to have some method for actually controlling the environments that they've landed in.
So the techniques that are in there in order to be able to actually talk to a victim network or be able to get commands in and out, fall into command and control
Exfiltration is activities the adversaries are sending to send it out the door.
It's often one of the main goals of an adversary to violate confidentiality, to steal information that they're not supposed to have access to,
and the specific techniques that are sending these out the door usually fall into exfiltration.
Finally, impact. So I said, with the exploration, most adversaries are trying to steal data trying to compromise confidentiality.
But if you're familiar with the C. I A pyramid. We've got three different goals that happened with security, confidentiality, integrity and availability.
So the impact is the other two parts of that triad. It's the availability and integrity. So it's techniques adversaries used to disrupt, availability or compromise integrity by manipulating business and operational processes.
So this is your destructive activities, and you're manipulative activities. So these are things like ransomware so encrypting data on an end system to make it so that people can't access it anymore
or things like manipulating data on the wire to steal money.
So we've got those 14 tactics in enterprise attack.
We went through this report before, and this is a snippet from the same report
we used in the previous lesson.
And this is a behavior we've researched a little bit, too.
So malware first establishes a socks five connection to the specific port,
and then it's doing these following commands with the matter.
So the adversary is creating a connection in order to command them our to do something
so it's falling into command and control,
and this is something that we can go through with each of the behaviors in a report.
In order to take a look at? What is it that the adversary is actually trying to do,
and where does it fall into those 14 tactics?
So in summary, some of the things we're hoping you got out of this lesson.
I've gone through some of the types of behaviors that are associated with each of the 14 tactics in enterprise attack.
I got into a little bit about how to link behaviors to these adversary goals get actually up to a tactic and how to translate that behavior into the corresponding tactic.