WEBVTT

00:00.919 --> 00:03.000
>> Welcome to Module 1,

00:03.000 --> 00:06.730
Lesson 6, Data Sources
and Detections.

00:07.490 --> 00:10.410
In this lesson, we
will define and

00:10.410 --> 00:12.740
explore what ATT&CK
data sources and

00:12.740 --> 00:15.410
detections are, and gain an appreciation for

00:15.410 --> 00:16.550
the relationship between

00:16.550 --> 00:18.575
these data sources
and detections.

00:18.575 --> 00:20.990
Finally, identify
how data sources

00:20.990 --> 00:23.030
and detections are
applied to and can

00:23.030 --> 00:25.040
be used by defenders relative to

00:25.040 --> 00:28.080
specific techniques
and sub-techniques.

00:30.170 --> 00:32.625
As you recall from Lesson 4,

00:32.625 --> 00:34.140
ATT&CK techniques
and sub-techniques

00:34.140 --> 00:35.505
have a wealth of data.

00:35.505 --> 00:37.340
In this lesson, we will explore

00:37.340 --> 00:39.425
data sources and detections

00:39.425 --> 00:41.480
and how defenders can
use these values to

00:41.480 --> 00:44.490
begin to detect
adversary behaviors.

00:46.330 --> 00:49.550
We will also explore
updates and refinements to

00:49.550 --> 00:50.960
the data sources methodology and

00:50.960 --> 00:54.240
model as of ATT&CK Version 9.

00:57.670 --> 01:00.410
ATT&CK defines data sources as

01:00.410 --> 01:02.705
the sources of information
collected by sensing

01:02.705 --> 01:05.390
or logging systems that
we defenders can use to

01:05.390 --> 01:08.825
identify adversary
actions and techniques.

01:08.825 --> 01:13.470
In short, you can think of
this as where to collect data.

01:13.480 --> 01:16.670
Historically, ATT&CK
used data source

01:16.670 --> 01:19.085
values such as
process monitoring,

01:19.085 --> 01:21.320
PowerShell logs, or
packet capture to

01:21.320 --> 01:22.610
point defenders to where

01:22.610 --> 01:24.655
they need to collect
information.

01:24.655 --> 01:26.980
But as of ATT&CK Version 9,

01:26.980 --> 01:30.590
we've updated this data
source model to more

01:30.590 --> 01:32.915
specifically and
consistently capture

01:32.915 --> 01:35.940
the exact data
records of defenders.

01:36.560 --> 01:39.470
For example, where we would have

01:39.470 --> 01:41.870
previously used process
monitoring we would now

01:41.870 --> 01:44.420
list the data source
as process to define

01:44.420 --> 01:45.680
the need for information about

01:45.680 --> 01:48.155
processes in our environment.

01:48.155 --> 01:50.840
Building on that
data source, Process,

01:50.840 --> 01:52.730
we would add a data component to

01:52.730 --> 01:54.800
specify what exact
value or information

01:54.800 --> 01:56.780
about a process we
need to identify

01:56.780 --> 01:59.360
the specific technique
or sub-technique.

01:59.360 --> 02:01.580
As you can see from the
example on the right,

02:01.580 --> 02:04.700
we would need process
access to other processes,

02:04.700 --> 02:07.280
execution of API
functions from a process,

02:07.280 --> 02:09.830
as well as potentially
creation of processes to

02:09.830 --> 02:11.030
identify the credential

02:11.030 --> 02:14.015
dumping LSASS memory
sub-technique.

02:14.015 --> 02:16.520
We hope that this model enables

02:16.520 --> 02:17.840
us to more efficiently map from

02:17.840 --> 02:19.610
the information captured
within ATT&CK to

02:19.610 --> 02:22.560
specific events and logs
in their environment.

02:24.350 --> 02:27.020
In the future, these
data sources will be

02:27.020 --> 02:29.220
full objects within the
ATT&CK model, but for now

02:29.220 --> 02:31.280
they're linked to our
GitHub where you can

02:31.280 --> 02:33.500
read more about each data
source and data component,

02:33.500 --> 02:35.690
including definitions
and mappings to

02:35.690 --> 02:39.270
which specific platforms
they are applied.

02:40.540 --> 02:42.710
Building on data sources,

02:42.710 --> 02:44.645
ATT&CK also provides detections,

02:44.645 --> 02:46.610
which are high level
analytic processes

02:46.610 --> 02:49.010
or detection strategies that

02:49.010 --> 02:51.515
we can use to
identify techniques.

02:51.515 --> 02:54.950
In short, detections provide

02:54.950 --> 02:57.475
how to interpret
the collected data.

02:57.475 --> 02:59.840
If you go to any
type of technique or

02:59.840 --> 03:02.870
sub-technique you'll see how
these values are applied.

03:02.870 --> 03:04.835
Specifically, as I said before,

03:04.835 --> 03:06.710
data sources tell us
what information we

03:06.710 --> 03:08.975
should collect and what
particular values are needed,

03:08.975 --> 03:11.270
as well as detections
telling us what to do with

03:11.270 --> 03:12.320
that data and how to actually

03:12.320 --> 03:13.820
analyze it to make sense of it,

03:13.820 --> 03:16.500
to identify the
specific behavior.

03:16.910 --> 03:20.195
You'll also notice there's
a very intentional parallel

03:20.195 --> 03:22.730
between the inputs and how to
actually process the data.

03:22.730 --> 03:25.400
Strictly, the data source is telling
us what information goes

03:25.400 --> 03:29.160
in and detection is telling
us what to do with that data.

03:31.340 --> 03:33.690
With that, we've
reached the end of

03:33.690 --> 03:35.970
Lesson 6 and our
knowledge check.

03:35.970 --> 03:38.400
ATT&CK data sources tell us,

03:38.400 --> 03:40.850
please pause the video
for a moment and take a

03:40.850 --> 03:44.310
second to think of the correct
answer before proceeding.

03:46.630 --> 03:49.250
In this case, the correct response

03:49.250 --> 03:50.810
was C. ATT&CK data sources

03:50.810 --> 03:54.990
tell us what data we should
collect via sensors or logs.

03:57.050 --> 03:59.550
With that, we've
reached the end of

03:59.550 --> 04:02.145
Lesson 6 and our summary.

04:02.145 --> 04:04.790
In conclusion,
ATT&CK data sources

04:04.790 --> 04:06.365
tell us what data to collect.

04:06.365 --> 04:08.420
Detections tell us
how to analyze,

04:08.420 --> 04:11.430
process, and make sense
of that collected data.

04:11.690 --> 04:15.500
Finally, these data sources
and detections are applied

04:15.500 --> 04:17.060
specifically to each technique

04:17.060 --> 04:19.470
and sub-technique within ATT&CK.

