WEBVTT

00:00.000 --> 00:01.665
>> Welcome to Module 1,

00:01.665 --> 00:04.330
Lesson 5, Mitigations.

00:05.690 --> 00:08.220
In this lesson, we
will define and

00:08.220 --> 00:10.155
explore what an
ATT&CK mitigation is,

00:10.155 --> 00:13.020
identify where to find these
mitigations, and finally,

00:13.020 --> 00:14.280
build an appreciation for how

00:14.280 --> 00:17.140
these mitigations fit
into the ATT&CK model.

00:18.800 --> 00:21.210
As you recall from
our last lesson,

00:21.210 --> 00:22.755
ATT&CK techniques
and sub-techniques

00:22.755 --> 00:24.025
have a wealth of metadata.

00:24.025 --> 00:25.770
In this lesson, we're going

00:25.770 --> 00:28.390
to explore the
mitigation section.

00:30.380 --> 00:34.230
ATT&CK defines the mitigations
as configurations, tools,

00:34.230 --> 00:37.260
or processes that we can as
defenders use to prevent

00:37.260 --> 00:39.240
a technique from being
successful or having

00:39.240 --> 00:41.995
the desired outcome
for an adversary.

00:41.995 --> 00:44.870
You can think of these as
hardening recommendations

00:44.870 --> 00:46.160
intended to allow us to take

00:46.160 --> 00:47.900
actions such as
changing policies or

00:47.900 --> 00:51.120
configurations or
deploying certain tools.

00:53.110 --> 00:55.475
As we saw previously,

00:55.475 --> 00:56.960
mitigations are populated on

00:56.960 --> 00:58.760
technique pages where
you can see how

00:58.760 --> 01:00.020
these mitigations are directly

01:00.020 --> 01:03.035
applied to preventing a
particular adversary behavior.

01:03.035 --> 01:06.155
These mitigations are listed
in this section shown below,

01:06.155 --> 01:08.390
as well as a short description
of how those mitigations

01:08.390 --> 01:11.820
actually apply to the
relevant adversary behavior.

01:12.130 --> 01:14.600
While we can see these
mitigations from

01:14.600 --> 01:15.725
the perspective of
the techniques and

01:15.725 --> 01:17.195
sub-techniques where
they are applied,

01:17.195 --> 01:18.620
we can also click on each one of

01:18.620 --> 01:20.000
these mitigations and see

01:20.000 --> 01:22.860
a page specific to
that mitigation.

01:24.070 --> 01:27.500
An example of that page is
shown here where you can see

01:27.500 --> 01:28.640
the name of the mitigation

01:28.640 --> 01:30.265
as well as the
short description.

01:30.265 --> 01:31.580
Mitigations are

01:31.580 --> 01:33.065
also objects in the ATT&CK model

01:33.065 --> 01:34.880
and they have their
own associated IDs,

01:34.880 --> 01:35.915
as you see on the right.

01:35.915 --> 01:40.350
In this case, the mitigation
is labeled M1042.

01:40.540 --> 01:42.815
Towards the bottom
of these pages,

01:42.815 --> 01:44.930
you can also see how
this mitigation is

01:44.930 --> 01:48.300
applied to various other
techniques and sub-techniques.

01:50.660 --> 01:52.340
With that, we've reached

01:52.340 --> 01:54.065
our knowledge check
for this lesson.

01:54.065 --> 01:56.090
Which of the following
is most accurate?

01:56.090 --> 01:58.415
Mitigations can help us.

01:58.415 --> 02:00.770
Please pause the video
and take a second to

02:00.770 --> 02:03.600
think of the correct
answer before proceeding.

02:05.750 --> 02:08.030
In this case, the
correct answer was

02:08.030 --> 02:09.740
B. Mitigations can help

02:09.740 --> 02:11.210
us harden our network to

02:11.210 --> 02:13.950
prevent successful
adversary behaviors.

02:15.250 --> 02:17.810
In summary, ATT&CK mitigations

02:17.810 --> 02:19.190
are recommendations
for how we can

02:19.190 --> 02:20.660
prevent successful execution

02:20.660 --> 02:23.215
of specific adversary behaviors.

02:23.215 --> 02:25.160
Finally, mitigations are

02:25.160 --> 02:26.450
mapped to specific
techniques and

02:26.450 --> 02:28.430
sub-techniques and
are displayed on

02:28.430 --> 02:31.860
those pages as well as on
their own mitigation page.

