WEBVTT

00:00.109 --> 00:04.960
>> Welcome to Module 2,
Lesson 2, Common Language.

00:05.780 --> 00:08.400
In this lesson, we
will appreciate

00:08.400 --> 00:10.560
the common language
created by ATT&CK,

00:10.560 --> 00:12.690
and recognize how this
common language can

00:12.690 --> 00:15.940
help operational teams
communicate and collaborate.

00:18.410 --> 00:21.150
As security
practitioners, we feel

00:21.150 --> 00:23.430
the complexity of
our craft every day,

00:23.430 --> 00:25.410
as it requires
many technologies,

00:25.410 --> 00:27.915
processes, and people
to work together.

00:27.915 --> 00:30.645
Not to mention, we are
flooded with information

00:30.645 --> 00:34.030
that comes in at varying
levels of detail and format.

00:34.160 --> 00:36.840
But as we know,
collaboration and

00:36.840 --> 00:40.360
communication across all
of these resources is key.

00:41.750 --> 00:45.570
This is where the ATT&CK
common language comes in.

00:45.570 --> 00:48.680
ATT&CK creates a common
language that is critical for

00:48.680 --> 00:50.540
consistently and
accurately sharing

00:50.540 --> 00:52.565
ideas about adversary behaviors.

00:52.565 --> 00:55.500
This language is abstracted
to an operational level,

00:55.500 --> 00:57.365
and has many
practical use cases,

00:57.365 --> 00:59.435
such as connecting
adversary perspective

00:59.435 --> 01:00.730
to what we're going
to do about it,

01:00.730 --> 01:03.210
in terms of defensive
countermeasures.

01:04.960 --> 01:07.415
To highlight an example of this,

01:07.415 --> 01:08.840
let's walk through a notional

01:08.840 --> 01:11.460
example from a security team.

01:11.530 --> 01:14.900
In this case, an Intel analyst

01:14.900 --> 01:18.039
notices a command line
used by adversaries.

01:18.039 --> 01:22.110
Red Team recognized that
as Mimikatz syntax.

01:22.110 --> 01:24.650
Finally, the defensive
analysts can

01:24.650 --> 01:27.450
write an analytic looking
for those strings.

01:27.650 --> 01:30.065
While this does yield benefit,

01:30.065 --> 01:31.910
the lack of context
and communicated

01:31.910 --> 01:34.625
details may lead to an
operational shortcoming.

01:34.625 --> 01:36.380
In this case, looking

01:36.380 --> 01:38.285
back to David Bianco's
Pyramid of Pain,

01:38.285 --> 01:40.160
strings are pretty low

01:40.160 --> 01:43.290
in terms of cost back
to the adversary.

01:46.400 --> 01:48.995
Let's walk that same example

01:48.995 --> 01:51.260
with the context
provided by ATT&CK.

01:51.260 --> 01:53.510
Each one of these
ideas can be enhanced.

01:53.510 --> 01:56.075
In this case, looking at
that same command line

01:56.075 --> 01:59.345
and recognizing this is very
common across many groups.

01:59.345 --> 02:02.630
The red team may also
use ATT&CK to better

02:02.630 --> 02:05.920
decompose the behavior that
is executed by that command,

02:05.920 --> 02:07.880
leading to a better analytic

02:07.880 --> 02:10.740
that is actually
targeting the behavior.

02:13.090 --> 02:16.320
With that, we'll start the
knowledge check for Lesson 2.

02:16.320 --> 02:19.200
ATT&CK provides a language
that can be used by.

02:19.200 --> 02:21.350
Please pause the video and
take a second to think

02:21.350 --> 02:24.060
about the correct answer
before proceeding.

02:26.080 --> 02:29.780
In this case, the correct
answer was E. ATT&CK provides

02:29.780 --> 02:31.040
a language that can be used by

02:31.040 --> 02:33.510
anyone involved
in cybersecurity.

02:35.290 --> 02:38.565
With that, we've reached
the end of Lesson 2.

02:38.565 --> 02:40.925
In summary, ATT&CK
creates a language

02:40.925 --> 02:43.450
for describing cyber
adversary behaviors.

02:43.450 --> 02:46.290
This language is abstracted
to an operational level,

02:46.290 --> 02:47.360
and can help connect

02:47.360 --> 02:48.440
the adversary perspective of

02:48.440 --> 02:51.210
ATT&CK to defensive
countermeasures.

