WEBVTT

00:00.000 --> 00:04.870
>> Welcome to Module 1, Lesson
2, matrices and platforms.

00:05.870 --> 00:08.430
In this lesson, we
will explore how

00:08.430 --> 00:10.965
matrices are used to
visualize ATT&CK,

00:10.965 --> 00:12.870
begin to understand
the differences

00:12.870 --> 00:14.715
between various
ATT&CK platforms,

00:14.715 --> 00:16.515
and identify the relationships

00:16.515 --> 00:18.670
between these
different platforms.

00:21.170 --> 00:23.670
You may have already
seen this, but ATT&CK is

00:23.670 --> 00:25.620
typically visualized in
what we call a matrix,

00:25.620 --> 00:28.125
which captures the
relationships between tactics,

00:28.125 --> 00:30.610
techniques, and sub-techniques.

00:31.430 --> 00:33.840
ATT&CK is not one matrix though,

00:33.840 --> 00:36.180
rather a series or
collection of matrices,

00:36.180 --> 00:37.530
each of which focuses on

00:37.530 --> 00:39.405
a specific technology domain or

00:39.405 --> 00:42.520
ecosystem that the adversary
is operating within.

00:44.440 --> 00:48.325
This is ATT&CK's oldest
and most popular matrix

00:48.325 --> 00:51.530
which captures the enterprise
technology domain.

00:51.650 --> 00:55.000
The enterprise technology
domain is indicative of

00:55.000 --> 00:56.620
a traditional enterprise network

00:56.620 --> 00:59.210
and associated
cloud technologies.

00:59.700 --> 01:02.620
As we can see, this
matrix is comprised of

01:02.620 --> 01:04.765
14 tactics and
various techniques

01:04.765 --> 01:07.100
that an adversary may perform.

01:07.460 --> 01:09.840
Within each technology domain,

01:09.840 --> 01:11.860
ATT&CK also defines what we call

01:11.860 --> 01:13.600
platforms or specific systems

01:13.600 --> 01:15.925
that an adversary
may operate against.

01:15.925 --> 01:17.905
In the case of enterprise,

01:17.905 --> 01:20.905
we can see there are various
platforms defined,

01:20.905 --> 01:21.955
which may be indicative of

01:21.955 --> 01:24.460
operating systems or
specific applications,

01:24.460 --> 01:26.725
such as Windows, Linux,

01:26.725 --> 01:30.320
macOS, Cloud, or Network.

01:31.160 --> 01:34.815
Enterprise also includes
the PRE platform,

01:34.815 --> 01:36.590
which captures
behaviors performed by

01:36.590 --> 01:38.285
an adversary pre-compromise,

01:38.285 --> 01:40.160
such as those under

01:40.160 --> 01:43.770
the reconnaissance and
resource development tactics.

01:46.240 --> 01:49.190
ATT&CK also includes
technology domains

01:49.190 --> 01:51.770
outside of enterprise,
such as mobile,

01:51.770 --> 01:55.535
which is platforms
for Android and iOS,

01:55.535 --> 01:58.160
and ATT&CK for industrial
control systems,

01:58.160 --> 02:00.330
or ICS, which includes

02:00.330 --> 02:01.910
behaviors performed
against various

02:01.910 --> 02:04.080
operational technologies.

02:07.800 --> 02:11.620
Although distinct,
overlapping redundancies

02:11.620 --> 02:13.945
often exist between matrices.

02:13.945 --> 02:17.290
This is based on the fact
that adversaries perform

02:17.290 --> 02:18.730
very similar behaviors between

02:18.730 --> 02:20.795
different technology
domains and platforms.

02:20.795 --> 02:23.185
They may also perform actions

02:23.185 --> 02:26.020
that span various
technologies.

02:28.970 --> 02:32.700
With that, we reach our
knowledge check for Lesson 2.

02:32.700 --> 02:35.515
True or false?
Each ATT&CK matrix

02:35.515 --> 02:38.440
is completely distinct
from other matrices.

02:38.440 --> 02:40.900
Please pause the video and
take a second to think

02:40.900 --> 02:43.610
of the correct answer
before proceeding.

02:47.510 --> 02:50.975
The answer to the knowledge
check is false.

02:50.975 --> 02:52.990
There are very often

02:52.990 --> 02:57.070
overlapping redundancies
between matrices within ATT&CK.

02:58.850 --> 03:01.905
With that, we've reached
the end of Lesson 2.

03:01.905 --> 03:04.655
In summary, matrices capture

03:04.655 --> 03:06.260
the relationship
between tactics,

03:06.260 --> 03:09.210
techniques, and
procedures within ATT&CK.

03:09.230 --> 03:12.860
Each matrix focuses on
a specific technology domain;

03:12.860 --> 03:16.470
it may also be filtered down
to a specific platform.

03:17.530 --> 03:21.105
Finally, while ATT&CK
matrices are unique,

03:21.105 --> 03:25.630
very often their relationships
can overlap in many ways.

