Working with Data Sources Part 2

Time
2 hours 51 minutes
Difficulty
Intermediate
CEU/CPE
2
Video Transcription
00:00
Welcome to Lesson 3 of Module 2 within the ATT&CK-based SOC Assessments training course.
00:06
In this lesson, we're going to close out the previous lesson by providing a couple of walk-through examples of how to analyze different data source strategies
00:15
to determine what potential ATT&CK coverage they might have.
00:19
To kick off this lesson, we're going to start with the following exercise.
00:23
We're giving you a kind of informal, freeform paragraph describing a SOC that's deploying
00:29
a defensive strategy, and your task is to try to figure out what data sources this SOC might be keying off of.
00:36
So feel free to pause the video, get out a piece of paper and a pad, and
00:40
try to think about what data sources this
00:43
SOC might be looking at.
00:45
And when you come back and unpause the video, we'll walk through how we look at this and what data sources we think this SOC might be able to pick up on.
00:56
Okay, we're now gonna walk through our solution, and this is going to follow a similar process to the walk-through example in Lesson 2.2.
01:03
We're basically going to take each sentence in the strategy and
01:08
decompose it to look at those sentences and figure out what data sources
01:12
they might be keying off of.
01:15
So to kick it off, the first sentence is that the SOC is implementing a multi-tiered defensive architecture.
01:22
They're going to have DMZs galore,
01:23
and this is interesting. But from an ATT&CK perspective, there's no real relevant information there.
01:30
The next statement is short and simple: antivirus on each endpoint.
01:34
This one's pretty clear. It says it right there: antivirus. That's the ATT&CK data source, and so we can immediately add that one to the list now.
01:42
There is, of course, some nuance between whether or not they're deploying antivirus or whether or not they're collecting logs from their antivirus.
01:51
But for this very informal example, we're going to give the SOC the benefit of the doubt and assume that they are indeed collecting those logs as well.
01:59
This next sentence is pretty interesting.
02:01
A perimeter firewall that's guaranteed to block zero days,
02:06
a web proxy to do deep packet SSL inspection and a next-gen detonation chamber that we'll throw everything into.
02:14
There's a lot to unpack there, and when you get to it, there are two big things that stick out:
02:19
SSL/TLS inspection and then detonation chamber.
02:24
Want to bypass our firewall and email us? No way. We're deploying the latest in email gateway protection software.
02:31
This one's a little bit less common from a data source perspective, but if you kind of go through it, you'll see email gateway
02:38
is a pretty good ATT&CK data source.
02:43
This is a fun one. One of our engineers is going to even dockerize PowerShell to prevent crypto mining.
02:50
That's a very fun statement, um, and PowerShell is certainly relevant from an ATT&CK perspective.
02:55
But from a data source strategy perspective, there's nothing really relevant to key off of there.
03:02
Oh, and don't forget our SIEM platform. We're forwarding logs from all of our defenses as well as every single packet. Yeah,
03:09
all of them into our system.
03:12
Our analytics are top notch. There's no way anyone is getting in here.
03:16
There's a lot in this statement. Of course, it's got a little bit of flavor to it,
03:21
but really, the key thing is that they're forwarding all of the packets, which says to us, hey, that's probably gonna tie into packet capture.
03:30
And then the last one: Our analytics are top notch. There's no way anyone is getting in here.
03:36
This one is, of course, great. It's good to have analytics, but from a data source perspective, we're not really looking at the analytic side yet.
03:44
So now, having identified these five data sources, what we can do is kind of put them together and come up with the following heat map
03:52
showing all the different techniques that this SOC might be able to detect.
03:55
And here you can see, it's kind of a little bit of coverage throughout the framework, mainly just strong under command and control and
04:01
maybe a little bit of strength under exfiltration.
04:06
So now we're gonna move on to the next exercise. This one is a little bit shorter. It's a little bit maybe more direct.
04:13
Um, you know, kind of the same thing as before. Feel free to pause the video, see what you think. And then when you come back, we'll walk through how we look at this strategy.
04:24
Okay. Welcome back. We're now going to walk through it again. It's gonna be the same process as before.
04:29
We'll start out with kind of the first statement: We're going to be looking at all the standard stuff: netflows, packet capture, intel feeds, you name it.
04:36
This is a good statement. Right away, you can see netflow/enclave netflow and packet capture. Those stick out.
04:44
What's interesting is that, you know, we'd really like to see what the other standard stuff is just because, you know,
04:50
they're kind of doing an et cetera here by saying you name it, so there could be more there. But just from this statement, we can really only get those two.
05:00
Our big value add
05:02
is our endpoint and SIEM deployment.
05:05
This is a good thing to have. Great to have, you know, endpoint monitoring. Great to have, you know, SIEM deployment, but there's no real data sources highlighted there.
05:15
Each endpoint is going to be running Sysmon, pulling in event IDs 4688, 4657, 4732 and 5142.
05:25
This is a great statement. Um, it's a little confusing just because they do reference Sysmon as well as Windows event IDs. You know, of course, there's
05:32
different numbering there. But, you know, we can give them the benefit of the doubt. And what we can do is say, okay,
05:39
these are looking at Windows event logs, just because we noticed the event log numbers there. And then when you look up those four event logs, you can find that they match to process monitoring and Windows registry.
05:49
And then lastly: In case we were breached, we'll also have some disk forensics capabilities. We've got a crack reverse engineering team to handle any of that tough APT malware.
06:00
This is
06:00
perhaps the most
06:02
flavorful statement of this strategy.
06:05
And when you look through it, you'll find that really kind of two things stick out.
06:10
Disk forensics actually maps to an ATT&CK data source, and then malware reverse engineering is another potential one.
06:15
What's cool is that these data sources now map to much, much, much more coverage.
06:20
Now, of course, the SOC isn't necessarily going to detect all of these techniques,
06:26
but these are the ones that might be visible, given what they're pulling in.
06:30
I'd add that, you know, a big part of this heat map is really the process monitoring that they're doing,
06:34
just because they're ingesting all those different, you know, process events. They have the potential to detect a lot. But of course there's always nuance in what they will detect,
06:44
in that, you know, it's really the analytics that they deploy to pick up on the anomalous process events.
06:51
So just to close out this lesson, one primary kind of summary and takeaway:
06:58
analyzing data source strategies can provide insight into SOC coverage.
07:01
That's really the main lesson learned here. We're kind of closing out the previous lesson as well.
07:06
The big thing to take away is that, you know, even just a paragraph of an informal description of what the SOC is doing can be enough to help you understand what potential coverage the SOC might have.
MITRE ATT&CK Defender™ (MAD) ATT&CK® SOC Assessments Certification Training

This course prepares you for the ATT&CK® Security Operations Center Certification. In this course, students will gain a better understanding of how modern security operations can align with ATT&CK® and how to better their operations to leverage a threat-informed defense.
