WEBVTT

00:00.000 --> 00:01.965
>> Welcome to Module 1,

00:01.965 --> 00:04.755
Lesson 7, Groups and Software.

00:04.755 --> 00:07.410
In this lesson, we
will define and

00:07.410 --> 00:09.945
explore what ATT&CK
groups and software are,

00:09.945 --> 00:11.970
identify the
information provided by

00:11.970 --> 00:13.890
ATT&CK about these
groups and software,

00:13.890 --> 00:15.930
and finally, build an
appreciation for

00:15.930 --> 00:19.030
how these groups and software
fit into the ATT&CK model.

00:20.930 --> 00:23.160
As you recall from lesson 4,

00:23.160 --> 00:24.645
ATT&CK techniques
and sub-techniques

00:24.645 --> 00:26.145
have a wealth of metadata.

00:26.145 --> 00:28.740
In this lesson, we'll use
the procedure examples

00:28.740 --> 00:32.230
section to pivot to
groups and software.

00:34.430 --> 00:37.250
As you remember, ATT&CK

00:37.250 --> 00:38.660
breaks down the
tactics, techniques,

00:38.660 --> 00:40.715
and procedures of adversaries

00:40.715 --> 00:42.680
and defines these procedures as

00:42.680 --> 00:44.900
specific implementations
or ways that have

00:44.900 --> 00:48.170
a series of executed
techniques or sub-techniques.

00:48.170 --> 00:50.330
These specific examples are

00:50.330 --> 00:52.820
populated on each
technique page,

00:52.820 --> 00:54.290
as well as on the
pages of groups and

00:54.290 --> 00:57.190
software, which we'll explore
later in this lesson.

00:57.190 --> 01:00.375
As you can see from
the example below,

01:00.375 --> 01:03.995
these procedure examples
describe the groups or software,

01:03.995 --> 01:05.630
specifically how
they've executed

01:05.630 --> 01:08.360
a specific technique
or sub-technique.

01:09.310 --> 01:11.150
While these procedures are

01:11.150 --> 01:13.300
populated on a technique page,

01:13.300 --> 01:14.780
we can also view these from

01:14.780 --> 01:17.880
the perspective of a
whole group or software.

01:20.230 --> 01:23.150
ATT&CK defines groups as

01:23.150 --> 01:26.550
related intrusion activity
tracked by a common name.

01:27.680 --> 01:30.080
Anyone who's read publicly

01:30.080 --> 01:31.400
available intelligence
knows that there are

01:31.400 --> 01:34.505
various terms related to
groups such as intrusion sets,

01:34.505 --> 01:36.739
threat actors, or campaigns,

01:36.739 --> 01:38.060
and ATT&CK rolls all these

01:38.060 --> 01:40.100
together into what
we call groups.

01:40.100 --> 01:42.395
Groups are objects
in the ATT&CK model

01:42.395 --> 01:44.855
and are assigned a
unique identifier.

01:44.855 --> 01:48.545
As you can see from example
below, each group has a name,

01:48.545 --> 01:50.480
a short description, as well as

01:50.480 --> 01:53.790
other various metadata
such as aliases.

01:56.050 --> 01:58.860
ATT&CK defines software as the tools or

01:58.860 --> 02:01.565
malware used by an
adversary during an intrusion.

02:01.565 --> 02:04.470
Similar to groups, these
software entries are objects in

02:04.470 --> 02:05.615
the ATT&CK model
and have their own

02:05.615 --> 02:07.740
unique identifier as well.

02:07.930 --> 02:11.045
ATT&CK software pages
also have their own name,

02:11.045 --> 02:12.650
a short description, and various

02:12.650 --> 02:15.570
other metadata
including aliases.

02:18.430 --> 02:21.470
Here's an example of a
group page, in this case,

02:21.470 --> 02:24.650
we're looking at
the group APT38.

02:24.790 --> 02:27.080
From this view, we can see

02:27.080 --> 02:29.525
the short description, but if
we scroll down that page,

02:29.525 --> 02:31.610
we can also see the techniques

02:31.610 --> 02:33.725
and sub-techniques
mapped to APT38,

02:33.725 --> 02:36.560
as well as the software
used by this group based on

02:36.560 --> 02:38.000
publicly available
reporting already

02:38.000 --> 02:40.260
mapped within the
ATT&CK framework.

02:41.800 --> 02:43.460
With that, we've reached

02:43.460 --> 02:45.155
our knowledge check
for lesson 7.

02:45.155 --> 02:46.790
True or false: there are

02:46.790 --> 02:49.910
potentially many procedures
for a given technique.

02:49.910 --> 02:52.530
Please pause the video
and take a second to

02:52.530 --> 02:55.320
think of the correct
answer before proceeding.

02:58.550 --> 03:01.560
In this case, the
answer is true.

03:01.560 --> 03:03.815
As we saw from the example
on the technique page,

03:03.815 --> 03:05.945
there are potentially
many procedures for how

03:05.945 --> 03:07.910
each given technique can be

03:07.910 --> 03:10.890
implemented by a specific
group or software.

03:12.760 --> 03:15.500
In summary, ATT&CK
groups represent

03:15.500 --> 03:17.615
the named clusters of
intrusion activity,

03:17.615 --> 03:19.550
whereas software
represents the tools

03:19.550 --> 03:21.740
or malware used
by these actors.

03:21.740 --> 03:23.795
For both groups and software,

03:23.795 --> 03:26.090
ATT&CK provides
descriptions and aliases,

03:26.090 --> 03:28.610
as well as what techniques
and sub-techniques have been

03:28.610 --> 03:29.690
mapped based on

03:29.690 --> 03:33.540
publicly reported intelligence
from these threats.

03:34.010 --> 03:36.290
Finally, techniques are

03:36.290 --> 03:37.910
mapped to groups
and software via

03:37.910 --> 03:40.190
procedure examples
or the specific ways

03:40.190 --> 03:43.170
that techniques have been
performed by these adversaries.

