WEBVTT

00:00.000 --> 00:01.395
>> Welcome to Module 1,

00:01.395 --> 00:05.055
Lesson 4, Techniques
and Sub-techniques.

00:05.055 --> 00:07.740
In this lesson, we
will define and

00:07.740 --> 00:10.365
explore what an
ATT&CK technique is.

00:10.365 --> 00:12.600
Recognize the
differences between

00:12.600 --> 00:14.625
techniques and sub-techniques.

00:14.625 --> 00:18.150
Finally, build appreciation
for how these techniques and

00:18.150 --> 00:22.420
sub-techniques fit into the
overall ATT&CK TTP model.

00:24.320 --> 00:26.970
As you recall from
our previous lesson,

00:26.970 --> 00:29.250
ATT&CK tactics define the goals

00:29.250 --> 00:32.130
of an adversary during
a campaign or breach,

00:32.130 --> 00:35.250
whereas ATT&CK techniques
define the means by

00:35.250 --> 00:38.670
which adversaries achieve
these tactical goals.

00:38.670 --> 00:40.560
Techniques are written from

00:40.560 --> 00:42.380
the perspective of
the adversary and

00:42.380 --> 00:43.640
capture how an adversary

00:43.640 --> 00:46.354
performs each
action or behavior.

00:46.354 --> 00:48.935
As you can see with
example to the right,

00:48.935 --> 00:51.005
drawn from the execution tactic,

00:51.005 --> 00:52.310
the command and scripting

00:52.310 --> 00:54.935
interpreter technique
captures how adversaries

00:54.935 --> 00:57.500
may abuse
command and scripting

00:57.500 --> 01:01.590
languages to execute malicious
commands or payloads.

01:01.730 --> 01:04.155
Similar to tactics,

01:04.155 --> 01:05.510
the list of techniques very

01:05.510 --> 01:07.445
often differs across platforms,

01:07.445 --> 01:10.610
but this list grows and
evolves over time to

01:10.610 --> 01:12.170
keep up with variances and

01:12.170 --> 01:15.000
innovations of
adversary tradecraft.

01:17.570 --> 01:20.270
Sub-techniques further break down

01:20.270 --> 01:22.370
the details of
adversary behaviors

01:22.370 --> 01:26.759
captured in techniques. For
all intents and purposes,

01:26.759 --> 01:29.420
techniques and sub-techniques
are equivalent.

01:29.420 --> 01:31.550
The only main difference is
that sub-techniques

01:31.550 --> 01:34.800
describe behaviors at a
lower level of detail.

01:35.380 --> 01:38.210
As you can see with the
example to the right,

01:38.210 --> 01:40.820
our same command and scripting
interpreter technique

01:40.820 --> 01:43.220
has eight sub-techniques
which define

01:43.220 --> 01:46.325
very specific command or
programming languages

01:46.325 --> 01:49.860
that adversaries may
use to execute payloads.

01:50.090 --> 01:53.450
Sub-techniques always
have a single parent

01:53.450 --> 01:57.035
and are not always but very
often platform-specific,

01:57.035 --> 01:58.805
such as the Windows
command shell

01:58.805 --> 02:01.495
or cmd.exe sub-technique.

02:01.495 --> 02:04.310
Sub-techniques were
explicitly designed

02:04.310 --> 02:06.365
to help reduce
changes to techniques

02:06.365 --> 02:09.290
as we try to track and
capture variations and

02:09.290 --> 02:13.670
innovations between platforms
and adversary behaviors.

02:15.710 --> 02:18.260
Techniques and
sub-techniques are

02:18.260 --> 02:20.915
both objects within
the ATT&CK model,

02:20.915 --> 02:24.375
each of which are assigned
unique identifiers.

02:24.375 --> 02:28.384
Technique IDs are typically
referred to as TID,

02:28.384 --> 02:30.890
as you can see with the example
below with brute force.

02:30.890 --> 02:33.870
Its TID is T1110.

02:34.520 --> 02:38.875
Sub-technique TIDs
are just extensions

02:38.875 --> 02:40.315
of their parent's TID.

02:40.315 --> 02:42.370
As you can see with
the example below with

02:42.370 --> 02:45.410
the fourth sub-technique
of brute force.

02:49.280 --> 02:52.690
Sub-techniques and
techniques have a wealth of

02:52.690 --> 02:54.220
additional metadata on each of

02:54.220 --> 02:57.340
the pages that connect to
the rest of the ATT&CK model.

02:57.340 --> 03:00.280
Some of that interesting
metadata, which we'll explore in

03:00.280 --> 03:04.000
later lessons,
includes mitigations,

03:04.000 --> 03:09.940
data sources and detections,
and procedure examples.

03:11.090 --> 03:13.270
With that, we've reached

03:13.270 --> 03:15.920
the knowledge check
for this lesson.

03:16.100 --> 03:20.205
Techniques and sub-techniques
in ATT&CK are...

03:20.205 --> 03:22.670
Please pause your video
and take a second to

03:22.670 --> 03:25.740
think about the correct
answer before proceeding.

03:28.690 --> 03:31.745
In this case, the
correct answer was C:

03:31.745 --> 03:34.250
techniques and
sub-techniques in ATT&CK are

03:34.250 --> 03:35.945
descriptions of
adversary behaviors

03:35.945 --> 03:38.520
at different levels of detail.

03:40.150 --> 03:43.340
In summary, ATT&CK techniques

03:43.340 --> 03:45.170
and sub-techniques represent

03:45.170 --> 03:47.030
behaviors performed
by adversaries or

03:47.030 --> 03:50.370
how they achieve
their tactical goals.

03:50.540 --> 03:53.340
Finally, techniques and

03:53.340 --> 03:55.695
sub-techniques are
fundamentally the same.

03:55.695 --> 03:57.740
The only difference
being sub-techniques are

03:57.740 --> 04:01.140
more specific descriptions
of these behaviors.

