WEBVTT

00:00.379 --> 00:02.640
>> Welcome to Module 3,

00:02.640 --> 00:06.460
Lesson 2, Detection
and Analytics.

00:07.130 --> 00:10.890
In this lesson, we will
explore how ATT&CK and

00:10.890 --> 00:12.630
cyber threat
intelligence can help us

00:12.630 --> 00:13.970
prioritize techniques

00:13.970 --> 00:16.660
and build better
detection analytics.

00:18.470 --> 00:20.895
Building from our last lesson,

00:20.895 --> 00:23.895
we can use cyber threat
intelligence to prioritize

00:23.895 --> 00:25.680
which tactics and techniques

00:25.680 --> 00:28.035
are most critical
for us to defend.

00:28.035 --> 00:31.680
In this example, we'll
focus on credential access,

00:31.680 --> 00:34.140
specifically that LSASS
memory sub-technique

00:34.140 --> 00:36.430
of OS credential dumping.

00:37.120 --> 00:39.170
We can use the data within

00:39.170 --> 00:41.530
ATT&CK to begin to
identify the trends,

00:41.530 --> 00:43.330
and in this case, how often

00:43.330 --> 00:47.030
this sub-technique is executed
with the Mimikatz tool.

00:49.670 --> 00:53.070
Before we begin our detection
engineering process,

00:53.070 --> 00:54.930
let's look back at
David Bianco's pyramid

00:54.930 --> 00:57.700
of pain for wisdom and advice.

00:58.540 --> 01:00.950
While we could
target hash values,

01:00.950 --> 01:02.885
Mimikatz, as we recall,

01:02.885 --> 01:04.760
these values could
change very often and

01:04.760 --> 01:07.650
won't inflict much pain
back to the adversary.

01:08.050 --> 01:10.760
We can continue to work
our way up the pyramid of

01:10.760 --> 01:13.225
pain until eventually
we reach the top,

01:13.225 --> 01:14.840
we ask the tough question,

01:14.840 --> 01:17.520
what does Mimikatz actually do?

01:20.320 --> 01:23.045
ATT&CK can help
answer that question.

01:23.045 --> 01:24.950
The description of this
sub-technique will

01:24.950 --> 01:27.560
explain how adversaries can

01:27.560 --> 01:29.825
dump credentials
from LSASS memory.

01:29.825 --> 01:32.825
But in this case, we can also
use the detection section,

01:32.825 --> 01:35.180
which highlights the
potential for detecting

01:35.180 --> 01:37.475
this behavior by capturing

01:37.475 --> 01:40.200
processes interacting
with LSASS.

01:44.500 --> 01:46.880
A highlighting example of writing

01:46.880 --> 01:48.200
a behavior-based analytic,

01:48.200 --> 01:50.645
is to use the Cyber
Analytic Repository

01:50.645 --> 01:53.400
or CAR project from MITRE.

01:54.820 --> 01:57.380
Its analytics are
available online

01:57.380 --> 01:58.640
and the URL is at the bottom.

01:58.640 --> 02:01.880
But as you can see, the
description of this analytic is

02:01.880 --> 02:03.080
focusing on the behavior

02:03.080 --> 02:06.030
specifically captured
within that sub-technique.

02:07.540 --> 02:09.560
As we identified from

02:09.560 --> 02:11.675
the detection section
of the sub-technique,

02:11.675 --> 02:13.220
we're going to want to focus on

02:13.220 --> 02:15.635
processes that access LSASS.

02:15.635 --> 02:17.300
In this case, you can see

02:17.300 --> 02:19.680
this analytic does exactly that.

02:24.830 --> 02:27.170
With that, we've reached the end

02:27.170 --> 02:29.600
of this lesson and
the knowledge check.

02:29.960 --> 02:32.385
When building
detection analytics,

02:32.385 --> 02:34.440
the knowledge in ATT&CK can?

02:34.440 --> 02:36.470
Please, pause the
video and think of

02:36.470 --> 02:39.210
the correct response
before proceeding.

02:44.440 --> 02:46.820
In this case, the
correct answer was

02:46.820 --> 02:49.040
d. When building
detection analytics,

02:49.040 --> 02:50.480
the knowledge in ATT&CK can

02:50.480 --> 02:52.280
help provide defensive
suggestions,

02:52.280 --> 02:54.425
highlight variances
and procedures,

02:54.425 --> 02:57.900
and explain technical details
of the target behavior.

02:59.090 --> 03:02.105
With that, we've reached
the end of Lesson 2.

03:02.105 --> 03:04.730
In summary, cyber
threat intelligence can

03:04.730 --> 03:07.460
help us prioritize how we
build detection analytics,

03:07.460 --> 03:09.380
by pointing out
which techniques or

03:09.380 --> 03:11.240
sub-techniques are
most important to us,

03:11.240 --> 03:12.605
as well as how adversaries

03:12.605 --> 03:14.910
actually perform
these behaviors.

03:15.650 --> 03:18.120
Finally, knowledge from

03:18.120 --> 03:19.940
ATT&CK can augment this process,

03:19.940 --> 03:21.410
and improve output by helping

03:21.410 --> 03:24.000
us focus on adversary behaviors.

