Working with Data Sources Part 1

Time: 3 hours 16 minutes
Difficulty: Intermediate
CEU/CPE: 2
Video Transcription
Welcome to Lesson 2, Module 2, within the ATT&CK based SOC assessments training course. In this lesson, we're going to talk about how you can understand data sources in the context of ATT&CK based SOC assessments. This lesson fits into the third phase of our generic ATT&CK assessment methodology, analyzing components, and in particular represents the first sub-phase of this larger phase. Here, within the analyzed components stage, we really consider three primary things we look at: data sources, analytics, and tools. In this lesson, we're going to focus primarily on how you can analyze data sources as they relate to ATT&CK based SOC assessments.

This lesson has three primary learning objectives. First, after this lesson, you should understand what ATT&CK data sources are. Second, after the lesson, you should know how to quickly identify relevant data sources given an informal description of them. Of course, lastly, tied into the second point, you should be able to map informal logging strategies back to the ATT&CK data sources that those strategies might be keying off of.

Looking at the ATT&CK framework, here we have a screenshot of the OS Credential Dumping technique. One of the interesting things we can see here is in the lower right-hand side, the data sources. This is effectively a list of different things that defenders can monitor to potentially identify this adversarial behavior.

Breaking it down even further, ATT&CK features 58 unique, not standardized, but unique, defined data sources. On average, each data source maps to about 26 techniques. Of course, this is skewed very heavily, and you can look at the chart on the right to see that really the most useful, or rather the techniques that can potentially help detect the most techniques, are process monitoring, which clocks in at 286 potential techniques, process command line parameters at 182, and then file monitoring at 162. Of course, there's a lot of nuance and differences here, but you can see that there's a nice spread of different data sources that we can consider in running an ATT&CK based SOC assessment.

From an assessment's perspective, data sources sound great. This is good to have, but why do we really care? What is the key thing for assessments and data sources? Ultimately, the point is, most SOCs tap into data sources in some way, be it directly logging them, using detection tools that key off of them, or building custom signatures and analytics leveraging ATT&CK data sources. The idea is that ultimately, if we can map what this SOC does, what their technologies are doing with the data sources they're using, back to the ATT&CK framework, then we can infer some kind of coverage. For this lesson, when we talk about this methodology, we're going to go through coverage here. It's really just whether or not the data source can potentially detect a technique. We'll get into a little bit why we use this very simple definition later in the lesson.

Here's an example of how we can analyze a specific data source strategy. We're given a description of a SOC here. It's relatively contrived, but here we're going to say, oh, my SOC has amazing detection. We are running antivirus on all of our endpoints, leveraging quantum supremacy for predictive blockchain analytics, capturing packets to and from all of our endpoints, forwarding all application logs into a SIEM platform, and proactively patching all zero-days with next-gen artificial intelligence. Given this as my strategy for what I'm doing with my SOC, what techniques might I be able to detect? Well, the way you can figure that out is to break down this informal strategy into each of these bullet points and analyze the bullet points individually.

Walking through what that looks like, we're going to look at the first bullet point, running antivirus on all endpoints. Right away, we can see that phrase, antivirus, and realize, oh hey, this maps back to the ATT&CK data source, antivirus. Right there we have a data source this is going off of. In the second bullet point, we're leveraging quantum supremacy and predictive blockchain analytics. Those sound cool, particularly when used together, but they don't really map back to the ATT&CK framework. The third bullet point, capturing packets to and from all endpoints, is pretty solid; we can immediately say, oh, capturing packets, that represents packet capture within the ATT&CK data source corpus. The next bullet point is forwarding all application logs into a SIEM platform. A SIEM platform is great, but here the key thing we care about is the application logs. That right there is an ATT&CK data source. Then the last bullet point, we're proactively patching all zero-days with next-gen artificial intelligence. This is another fun one, but like the second bullet point, these are cool things to do, but not necessarily relevant for ATT&CK data sources.

After running through this analysis, the cool thing that we have is these three data sources that we know this SOC is going to be using, and we can look at each of them to understand what coverage looks like. Here we've created little heat maps showing what each of these data sources might be able to detect, and what's cool is you can aggregate all of them together to paint this general coverage scheme that says, hey, if that's your data source strategy, here is where you might be good, here's where you might not be so good.

A couple of gotchas and tips for working with data sources. Number 1, always pay attention to deploying versus collecting versus using a data source. There's a ton of nuance here. I've given you an example: go to antivirus from the last slide. Here, this is something where you deploy an antivirus software suite to your endpoint, but you can also use it as a data source. There's nuance there, and you almost always have to make a judgment call based on the context. Then the second key thing is that even if you're collecting something, you're not always using it. We can forward all the process monitoring logs into our platform, but if we're not building good analytics with those logs, there's going to be a lot more noise to signal.

The second tip is to be as specific with data sources as possible, whenever possible. Always try to log specific sources as opposed to broad categories. An example here is, suppose you have a network appliance, say from vendor A; it's best to note that you have A's logs as opposed to just, generically, application logs. Always try to be specific when you can. It's also not just the type of data but where it's collected. If I tell you I'm collecting process monitoring logs, that's a good thing for me to do, but if I'm only doing that on, say, five percent of the endpoints, it might not work. Well, maybe it's not as bad, fantastic of a thing. Of course, it is a good thing to do, but it's not going to provide you a ton of coverage, because I'm only doing it on a very small portion of my network.

Then, looking at a data source doesn't mean you'll detect a technique. Often, just with data sources, we like to say, can you see the data source or not? But coverage itself, when you're performing the full ATT&CK based SOC assessment, ultimately depends on how you're using the data source. This goes back to process monitoring as a great example, something that you can adjust a ton of, but if you're not building good analytics with that data, you're really not going to be detecting anything. Then lastly, a little bit of nuance: sub-techniques and techniques don't always have the same data sources. Sometimes sub-techniques have data sources that don't apply to the primary technique.

Of course, ATT&CK data sources are great, but the community has done a great job of building more resources to use to come up with different ATT&CK assessment methodologies with regards to data sources, as well as other resources that, say, map actual logs to the ATT&CK data sources that they apply to. One that's always stuck out to me is the first one, Olaf Hartong's ATT&CK data map project. Here is just a very simple screenshot from that project, taken from an Excel sheet that Olaf published. The cool thing is that on the left, we map these different ATT&CK data sources to the actual events that we might see at the technical level. Just to give you an example, highlighted, we have an event code, Windows:4656, which is a very specific Windows event log. We can see this maps to Windows Registry. I like this sheet a lot because oftentimes when you're doing an ATT&CK based SOC assessment, you will be getting this stuff on the right. Those are very detailed descriptions of what logs are being collected, and then, using a chart like this, we can easily map them back to the ATT&CK data source that those logs represent.

A few summaries and takeaway points from this lesson. Number 1, data sources provide a cornerstone of many SOC activities. Almost any ATT&CK based SOC assessment should have some sort of analysis of data sources within it. Number 2, mapping SOC things to data sources can let us infer ATT&CK coverage. This is a very quick and easy way for us to understand, or maybe not abstract, but not well-defined in an ATT&CK perspective, things that the SOC is doing. It can let us take those things and push them back to the ATT&CK framework. But, of course, there's tons of nuance. Not all data sources are created equal. Just because you're collecting a data source doesn't mean you're using it, and be careful with data sources and sub-techniques. Lastly, to close out this lesson, we encourage you to look at the next lesson, where we'll walk through a few examples that you can use to really use these and put into practice the points from this lesson itself.
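The walkthrough in this lesson (break an informal SOC description into bullets, map each bullet to an ATT&CK data source, then aggregate the per-source heat maps and discount for where the data is actually collected) can be written down as a small script. The following is an added example, not code from the course, from MITRE, or from the ATT&CK Data Map project. The data-source names are the ones the lesson uses and the Windows:4656 to Windows Registry row is the one the lesson highlights; the keyword table, the data-source-to-technique table and the extra "Windows:4656" bullet are constructed toy inputs for illustration, not the real ATT&CK mapping, which you would pull from the ATT&CK STIX data in practice.

```python
"""Map an informal SOC logging description to ATT&CK data sources and
infer a rough, scope-weighted technique-coverage heat map.

Added example for this lesson, not code from the course or from MITRE.
The data-source names are the ones used in the lesson; the keyword table
and the data-source-to-technique table are CONSTRUCTED toy inputs, not
the real ATT&CK mapping (pull that from the ATT&CK STIX data instead).
"""
from collections import defaultdict

# Constructed keyword table: phrases a SOC might write -> ATT&CK data source.
KEYWORDS = {
    "antivirus": "Antivirus",
    "anti-virus": "Antivirus",
    "capturing packets": "Packet capture",
    "packet capture": "Packet capture",
    "application logs": "Application logs",
    "process monitoring": "Process monitoring",
    "command line": "Process command line parameters",
    "file monitoring": "File monitoring",
}

# Log-event table in the spirit of the Data Map sheet shown in the lesson.
# The Windows:4656 -> Windows Registry row is the one the lesson highlights.
EVENT_CODES = {
    "windows:4656": "Windows Registry",
}

# Constructed toy data-source -> technique table (illustrative IDs only;
# the real per-source lists are far longer, e.g. 286 for process monitoring).
TECHNIQUES_BY_SOURCE = {
    "Antivirus": {"T1003", "T1059", "T1204"},
    "Packet capture": {"T1071", "T1041", "T1048"},
    "Application logs": {"T1190", "T1110"},
    "Process monitoring": {"T1003", "T1059", "T1053", "T1547"},
    "Windows Registry": {"T1547", "T1112"},
}

# The contrived SOC description from the lesson, plus one constructed
# bullet written the way a real SOC would describe a forwarded event code.
SOC_STRATEGY = [
    "Running antivirus on all of our endpoints",
    "Leveraging quantum supremacy for predictive blockchain analytics",
    "Capturing packets to and from all of our endpoints",
    "Forwarding all application logs into a SIEM platform",
    "Proactively patching all zero-days with next-gen artificial intelligence",
    "Forwarding Windows:4656 events from the domain controllers",  # constructed
]


def map_bullet(bullet):
    """Return the set of ATT&CK data sources one informal bullet keys off of.

    Marketing phrases ("quantum supremacy", "next-gen AI") match nothing
    and yield an empty set, which is the correct answer for them."""
    text = bullet.lower()
    found = {src for phrase, src in KEYWORDS.items() if phrase in text}
    found |= {src for code, src in EVENT_CODES.items() if code in text}
    return found


def map_strategy(bullets):
    """Analyze each bullet individually: {bullet: data sources}."""
    return {b: map_bullet(b) for b in bullets}


def collected_sources(bullets):
    """Union of all data sources the strategy collects."""
    return set().union(*map_strategy(bullets).values())


def coverage(sources, scope=None):
    """Aggregate the per-source heat maps into one {technique: weight} map.

    scope maps a data source to the fraction of the estate it is actually
    collected from; a source on 5% of endpoints adds 0.05, not 1.0, so the
    "collected on five percent of endpoints" gotcha shows up in the numbers.
    A technique seen by two fully deployed sources scores 2.0."""
    scope = scope or {}
    heat = defaultdict(float)
    for src in sources:
        weight = scope.get(src, 1.0)
        for tech in TECHNIQUES_BY_SOURCE.get(src, ()):
            heat[tech] += weight
    return dict(heat)


def uncovered(sources):
    """Techniques in the toy table that none of the given sources sees."""
    every = set().union(*TECHNIQUES_BY_SOURCE.values())
    return every - set(coverage(sources))


if __name__ == "__main__":
    for bullet, srcs in map_strategy(SOC_STRATEGY).items():
        print(f"{bullet!r:75} -> {sorted(srcs) or 'no ATT&CK data source'}")
    srcs = collected_sources(SOC_STRATEGY)
    print("Collected:", sorted(srcs))
    print("Heat map:", coverage(srcs))
    print("Not seen:", sorted(uncovered(srcs)))
```

The heat-map value is only "how many collected sources could see this technique", which is the lesson's deliberately simple notion of coverage; the `scope` argument is the one refinement the lesson itself asks for, so that process monitoring on five percent of endpoints no longer looks the same as process monitoring everywhere. Whether an analytic actually fires on that data is the "collecting versus using" gotcha and is out of scope for this mapping step.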