WEBVTT

00:01.279 --> 00:04.680
>> Hello, and welcome
to ATT&CK Fundamentals.

00:04.680 --> 00:06.420
My name is Jamie
Williams and I will

00:06.420 --> 00:08.895
be your host and instructor.

00:08.895 --> 00:10.740
This course will serve as

00:10.740 --> 00:12.600
the first and
fundamental piece of

00:12.600 --> 00:14.805
the MITRE ATT&CK
defenders series,

00:14.805 --> 00:17.010
where we will explore
how ATT&CK and

00:17.010 --> 00:18.750
a threat-informed
mindset can help

00:18.750 --> 00:20.670
focus our efforts
towards understanding,

00:20.670 --> 00:22.770
and more importantly,
improving how

00:22.770 --> 00:27.100
our defenses fare against
real-world cyber adversaries.

00:27.230 --> 00:31.020
This course will be all
about ATT&CK, specifically,

00:31.020 --> 00:32.940
how we can use ATT&CK to model

00:32.940 --> 00:35.460
the behaviors performed
by adversaries as

00:35.460 --> 00:37.350
well as how do we apply
this knowledge to

00:37.350 --> 00:39.720
the various defensive
cybersecurity practices

00:39.720 --> 00:43.120
and operations we
perform every day.

00:43.470 --> 00:46.480
This course is designed
for anyone interested in

00:46.480 --> 00:48.880
or already involved
in threat modeling.

00:48.880 --> 00:50.350
By the end of the course,

00:50.350 --> 00:52.120
you'll have a better
understanding of

00:52.120 --> 00:53.545
the structure and philosophy

00:53.545 --> 00:54.950
that continually shapes ATT&CK,

00:54.950 --> 00:56.290
be able to identify

00:56.290 --> 00:59.290
available ATT&CK resources
and operational use cases and

00:59.290 --> 01:01.120
have a better recognition
of how ATT&CK

01:01.120 --> 01:04.625
empowers defenders through
understanding of threats.

01:04.625 --> 01:07.490
This course is split
into three modules.

01:07.490 --> 01:10.315
The first of which focuses
on understanding ATT&CK.

01:10.315 --> 01:12.400
In Module 2, we will explore

01:12.400 --> 01:13.990
the benefits of using ATT&CK,

01:13.990 --> 01:16.480
before finally,
in Module 3,

01:16.480 --> 01:19.120
lightly diving into
the various ways we

01:19.120 --> 01:22.730
can operationalize the
knowledge captured in ATT&CK.

01:23.300 --> 01:25.800
Welcome to Module 1.

01:25.800 --> 01:28.550
This module is split into
eight lessons which all

01:28.550 --> 01:32.130
focus on the central theme
of understanding ATT&CK.

01:32.710 --> 01:35.150
Specifically, we will explore

01:35.150 --> 01:36.460
what data goes into ATT&CK,

01:36.460 --> 01:38.585
how that data is
structured and formatted,

01:38.585 --> 01:40.775
as well as how ATT&CK
grows over time.

01:40.775 --> 01:43.930
Without further
ado, let's dive in.

01:43.930 --> 01:45.900
Welcome to Module 1,

01:45.900 --> 01:49.330
Lesson 1: Introduction
to ATT&CK.

01:49.390 --> 01:51.950
In this lesson, we will explore

01:51.950 --> 01:54.530
the background and
motivation behind ATT&CK.

01:54.530 --> 01:55.970
Begin to identify what

01:55.970 --> 01:58.390
information is captured
within ATT&CK,

01:58.390 --> 02:00.530
and start to build
a recognition and

02:00.530 --> 02:03.720
appreciation for the
structure of ATT&CK.

02:05.560 --> 02:08.105
Cyber threats are out there,

02:08.105 --> 02:10.880
whether in the form of
malware or threat actors.

02:10.880 --> 02:12.500
As defenders, the ability to

02:12.500 --> 02:15.175
observe and adapt to these
threats is vital.

02:15.175 --> 02:18.500
This process begins by asking
tough questions, such as,

02:18.500 --> 02:20.300
how will these
adversaries target us,

02:20.300 --> 02:21.500
and what will they do after

02:21.500 --> 02:23.930
they get access to our networks?

02:25.570 --> 02:27.830
This is where ATT&CK comes in.

02:27.830 --> 02:29.000
ATT&CK is our knowledge base of

02:29.000 --> 02:32.050
adversary behaviors based
on real-world observations.

02:32.050 --> 02:34.110
What I mean by this
is that the inputs

02:34.110 --> 02:36.105
to ATT&CK are
publicly available

02:36.105 --> 02:38.510
cyber threat intelligence
describing campaigns,

02:38.510 --> 02:40.040
actions, and behaviors performed

02:40.040 --> 02:42.540
by real-world adversaries.

02:42.700 --> 02:45.035
ATT&CK is also free,

02:45.035 --> 02:47.315
open, and globally
accessible, meaning that,

02:47.315 --> 02:50.360
anyone can consume the
information of ATT&CK as well

02:50.360 --> 02:52.025
as contribute information back

02:52.025 --> 02:54.840
to help us grow and
expand the model.

02:57.020 --> 02:59.030
A great way to start thinking

02:59.030 --> 03:00.140
about the information captured in

03:00.140 --> 03:03.260
ATT&CK is through David
Bianco's Pyramid of Pain.

03:03.260 --> 03:07.360
This model describes the
hierarchy in various levels,

03:07.360 --> 03:09.980
and types of indicators
of compromise or

03:09.980 --> 03:13.269
IOCs that we can use to
describe adversaries.

03:13.269 --> 03:16.490
In this case, every
layer and level of

03:16.490 --> 03:19.760
the model has a different
value for the IOCs.

03:19.760 --> 03:23.000
Particularly, related to how
much pain it inflicts on

03:23.000 --> 03:25.160
the adversaries as defenders are

03:25.160 --> 03:27.950
targeting them at that
level of abstraction.

03:27.950 --> 03:30.620
As we can see, levels at

03:30.620 --> 03:31.730
the bottom of the
pyramid such as

03:31.730 --> 03:33.290
hash values and IP addresses,

03:33.290 --> 03:34.850
aren't going to inflict

03:34.850 --> 03:37.160
much pain back to the adversary,

03:37.160 --> 03:40.160
and these are easy or even
trivial values to change,

03:40.160 --> 03:42.170
especially compared to those at

03:42.170 --> 03:44.750
the top of the pyramid,
such as TTPs.

03:44.750 --> 03:48.270
This is where ATT&CK tends
to focus its attention.

03:50.500 --> 03:52.555
Actually, ATT&CK

03:52.555 --> 03:54.180
expands on the idea of TTPs,

03:54.180 --> 03:55.875
and captures them
within the model.

03:55.875 --> 03:57.420
Particularly, the tactics,

03:57.420 --> 03:58.480
techniques, sub-techniques,

03:58.480 --> 04:02.650
and procedures executed by
real-world adversaries.

04:05.210 --> 04:07.590
In the rest of the lessons
in this module,

04:07.590 --> 04:09.100
we'll dive into this structure,

04:09.100 --> 04:09.910
and I'll show you how

04:09.910 --> 04:11.875
the TTPs are captured
within ATT&CK.

04:11.875 --> 04:15.955
Particularly, we'll cover
matrices and platforms,

04:15.955 --> 04:19.730
tactics, techniques
and sub-techniques,

04:19.730 --> 04:21.730
metadata associated with
these techniques and

04:21.730 --> 04:23.304
sub-techniques, such
as mitigations,

04:23.304 --> 04:25.030
data sources, and detection,

04:25.030 --> 04:27.440
which are vital for defenders,

04:28.070 --> 04:30.340
how techniques and
sub-techniques are

04:30.340 --> 04:31.735
related to the groups and software

04:31.735 --> 04:35.260
that perform and/or
execute these behaviors,

04:35.260 --> 04:39.310
and finally, how ATT&CK
grows and evolves over time.

04:39.730 --> 04:41.480
By the end, you'll have

04:41.480 --> 04:43.200
an appreciation for the
structure of ATT&CK,

04:43.200 --> 04:46.149
and how the various
objects interrelate.

04:46.149 --> 04:48.080
You'll also be able to apply them to

04:48.080 --> 04:50.870
real-world use cases
such as APT28,

04:50.870 --> 04:53.000
accessing credentials
using Mimikatz

04:53.000 --> 04:55.260
to dump LSASS memory.

04:57.290 --> 05:01.485
With that, we reach our
first knowledge check.

05:01.485 --> 05:04.010
ATT&CK is primarily informed

05:04.010 --> 05:05.555
by which of the
following sources?

05:05.555 --> 05:07.400
Please pause the video
and take some time

05:07.400 --> 05:11.310
to think about and select
the correct answer.

05:14.530 --> 05:17.450
In this case, the
correct answer was A,

05:17.450 --> 05:20.210
ATT&CK is primarily
informed by what

05:20.210 --> 05:22.010
has been seen in operational use

05:22.010 --> 05:24.080
by the broader community.

05:26.180 --> 05:29.735
With that, we've reached
the end of Lesson 1.

05:29.735 --> 05:31.850
In summary, ATT&CK
was developed to

05:31.850 --> 05:33.920
address the need to
document and understand

05:33.920 --> 05:35.810
adversary behaviors
and is built on

05:35.810 --> 05:38.855
publicly reported Cyber
Threat Intelligence.

05:38.855 --> 05:42.590
The ATT&CK model was
designed to connect tactics,

05:42.590 --> 05:44.000
techniques, and procedures to

05:44.000 --> 05:47.010
the threat actors and
malware that perform them.

