WEBVTT

00:00.229 --> 00:03.690
>> Welcome to Module 3.
This module is split into

00:03.690 --> 00:05.460
five lessons which all focus on

00:05.460 --> 00:08.590
the central theme of
Operationalizing ATT&CK.

00:10.580 --> 00:14.100
Specifically, we will explore

00:14.100 --> 00:15.800
how we can apply the
knowledge we've captured in

00:15.800 --> 00:18.150
[inaudible] ATT&CK to various
cybersecurity operations

00:18.150 --> 00:20.520
and practices and how
this enables us as

00:20.520 --> 00:22.080
defenders to perform
what we call

00:22.080 --> 00:24.210
threat-informed defense
or the systematic

00:24.210 --> 00:26.100
application of a deep
understanding of

00:26.100 --> 00:28.485
adversary tradecraft and
technology to prevent,

00:28.485 --> 00:31.200
detect, and respond
to cyber attacks.

00:31.200 --> 00:34.600
Without further
ado, let's dive in.

00:35.870 --> 00:38.055
Welcome to Module 3,

00:38.055 --> 00:41.470
Lesson 1, Cyber
Threat Intelligence.

00:42.430 --> 00:44.870
In this lesson, we will explore

00:44.870 --> 00:47.210
the importance of cyber
threat intelligence within

00:47.210 --> 00:50.420
security operations and
appreciate how ATT&CK

00:50.420 --> 00:51.800
can provide a starting point and

00:51.800 --> 00:54.780
structure for tracking
this intelligence.

00:56.740 --> 00:59.810
In any battle, intelligence and

00:59.810 --> 01:02.960
knowledge very often
separates winners and losers,

01:02.960 --> 01:04.520
and cyber is no different.

01:04.520 --> 01:05.975
Cyber threat intelligence,

01:05.975 --> 01:08.360
or CTI, allows us to track,

01:08.360 --> 01:10.010
understand, and maybe even

01:10.010 --> 01:12.600
get ahead of what our
adversaries are doing.

01:14.710 --> 01:18.170
ATT&CK provides a great
starting point for identifying

01:18.170 --> 01:19.850
what behaviors
have been reported

01:19.850 --> 01:22.590
for specific groups or malware.

01:22.660 --> 01:25.550
As you recall, the
model allows us to map

01:25.550 --> 01:27.320
adversaries to the behaviors

01:27.320 --> 01:29.135
via techniques or
sub-techniques,

01:29.135 --> 01:31.100
but also capturing references to

01:31.100 --> 01:33.095
the publicly available
cyber threat intelligence

01:33.095 --> 01:35.250
describing these behaviors.

01:39.610 --> 01:43.445
But as we know, CTI
comes in various forms.

01:43.445 --> 01:45.920
In this case, we can
see impactful and

01:45.920 --> 01:48.845
powerful intelligence captured
in the form of blogs,

01:48.845 --> 01:52.200
reported command
lines, or even tweets.

01:56.380 --> 01:59.675
But ATT&CK allows us to
consistently capture,

01:59.675 --> 02:02.390
share, and distribute
this intelligence.

02:02.390 --> 02:06.440
Specifically, we can decompose
these reports and capture

02:06.440 --> 02:08.450
the associated
behaviors and capture

02:08.450 --> 02:11.940
them within the model
presented by ATT&CK.

02:13.820 --> 02:17.545
With that, we've reached the
knowledge check for Lesson 1.

02:17.545 --> 02:19.910
Which of the following
is not true?

02:19.910 --> 02:22.070
Please pause the video
and take a second to

02:22.070 --> 02:24.990
think of the correct
answer before proceeding.

02:29.390 --> 02:32.345
In this case, the
correct answer was b.

02:32.345 --> 02:33.860
The data in ATT&CK can help us

02:33.860 --> 02:36.260
format and find cyber
threat intelligence.

02:36.260 --> 02:37.910
But since the data
is already mapped to

02:37.910 --> 02:40.595
publicly available reporting
and documentation,

02:40.595 --> 02:43.410
we're probably not going
to produce anything new.

02:45.560 --> 02:48.830
With that, we've reached
the end of Lesson 1.

02:48.830 --> 02:52.490
In summary, intelligence is
critical for decision-making,

02:52.490 --> 02:54.035
as well as providing priorities

02:54.035 --> 02:56.970
and shaping cybersecurity
operations.

02:56.980 --> 03:00.320
ATT&CK provides a starting
point and means for

03:00.320 --> 03:03.870
structuring this intelligence
about adversary behaviors.
