WEBVTT

00:00.000 --> 00:02.115
>> Welcome to Module 3,

00:02.115 --> 00:06.040
Lesson 4, Assessment
and Engineering.

00:07.070 --> 00:09.330
In this lesson, we'll

00:09.330 --> 00:11.310
explore how we can
capture the results of

00:11.310 --> 00:13.315
threat emulation
and other outputs

00:13.315 --> 00:15.755
to identify gaps
in our defenses.

00:15.755 --> 00:18.970
We'll also build an
appreciation of how measuring

00:18.970 --> 00:22.670
our defenses leads to making
informed improvements.

00:24.900 --> 00:28.060
The goal of this
lesson is improvement.

00:28.060 --> 00:30.340
We can use ATT&CK to measure and

00:30.340 --> 00:32.860
track progress as
we assess coverage,

00:32.860 --> 00:36.530
prioritize gaps, and
tune our defenses.

00:38.400 --> 00:40.690
To highlight an example of this,

00:40.690 --> 00:43.345
let's look back at our
analytic from lesson 2.

00:43.345 --> 00:46.615
As you recall, this
analytic is targeting

00:46.615 --> 00:47.770
identifying adversaries,

00:47.770 --> 00:51.020
dumping credentials
via LSASS memory.

00:51.380 --> 00:54.880
We can have a red team
emulate threats to

00:54.880 --> 00:58.400
see how this analytic compares
to adversary behaviors.

00:58.970 --> 01:02.560
In this case, let's
say the analytic got

01:02.560 --> 01:03.700
three procedures executed by

01:03.700 --> 01:06.680
the red team, but missed two.

01:08.390 --> 01:11.950
We now have a more informed
understanding of how

01:11.950 --> 01:14.950
our defenses fare against
real adversary behaviors.

01:14.950 --> 01:19.160
In this case, it's just the
LSASS memory sub-technique.

01:19.890 --> 01:22.450
But we have to remember, this is

01:22.450 --> 01:25.495
just a single sub-technique
within a single technique,

01:25.495 --> 01:27.830
within a single tactic.

01:30.910 --> 01:33.740
Expanding this out
to the full matrix,

01:33.740 --> 01:36.330
we can see we have a
lot of work to do.

01:41.200 --> 01:43.730
But we can use inputs from

01:43.730 --> 01:46.160
our leadership as well
as key stakeholders,

01:46.160 --> 01:48.530
to identify what techniques
are most critical to address,

01:48.530 --> 01:51.900
and translate that to
adversary behaviors.

01:54.130 --> 01:56.975
We can also use similar inputs

01:56.975 --> 01:58.820
to determine what risk we must

01:58.820 --> 01:59.975
tolerate based on

01:59.975 --> 02:03.599
operational shortcomings
and defensive limitations.

02:05.410 --> 02:08.690
At the end of the
day, we can repeat

02:08.690 --> 02:10.670
this process for
each technique and

02:10.670 --> 02:12.920
sub-technique that
we're interested in,

02:12.920 --> 02:14.720
to get a full view of

02:14.720 --> 02:17.580
where we stand and
where we need to be.

02:20.830 --> 02:24.755
As you can see, this
threat-driven engineering process

02:24.755 --> 02:28.350
is one piece or informed
decision at a time.

02:29.260 --> 02:32.690
It's a cumulative process
that never stops,

02:32.690 --> 02:34.700
as our threats will
continue to tell us,

02:34.700 --> 02:38.340
where we stand and where we
need to be in the future.

02:41.060 --> 02:45.135
With that, we reach our
knowledge check for lesson 4.

02:45.135 --> 02:46.560
Which of the following best

02:46.560 --> 02:48.375
completes the
following sentence?

02:48.375 --> 02:50.910
Please pause the video,
and take a second to

02:50.910 --> 02:54.130
select the correct answer,
before proceeding.

02:58.060 --> 03:01.475
In this case, the
correct answer is B.

03:01.475 --> 03:03.455
Knowledge about our
adversary's behaviors

03:03.455 --> 03:04.840
can inform us of

03:04.840 --> 03:06.950
prioritized and
relevant opportunities

03:06.950 --> 03:09.240
for defensive improvements.

03:12.440 --> 03:16.100
With that, we've reached
the end of lesson 4.

03:16.100 --> 03:18.320
In summary, we can use

03:18.320 --> 03:19.670
our threat-focused knowledge and

03:19.670 --> 03:22.735
operations to measure
our defensive posture.

03:22.735 --> 03:25.460
These constant
measurements can identify

03:25.460 --> 03:28.830
where and how we need
to make improvements.

