WEBVTT

00:00.000 --> 00:02.910
>> Threat management frameworks.

00:02.910 --> 00:05.850
The learning objectives
for this lesson are to

00:05.850 --> 00:08.190
explain the MITRE
Adversarial Tactics,

00:08.190 --> 00:10.935
Techniques, and Common
Knowledge or ATT&CK Framework.

00:10.935 --> 00:12.450
To describe the ATT&CK for

00:12.450 --> 00:14.520
industrial control
system framework.

00:14.520 --> 00:17.670
To define the diamond model
of intrusion analysis,

00:17.670 --> 00:21.435
and to evaluate the Cyber Kill
Chain. Let's get started.

00:21.435 --> 00:24.060
The MITRE Adversarial Tactics,

00:24.060 --> 00:25.410
Techniques, and
Common Knowledge,

00:25.410 --> 00:27.900
or ATT&CK Framework,
is a knowledge base of

00:27.900 --> 00:30.240
real-world information
about tactics,

00:30.240 --> 00:31.725
techniques, and procedures.

00:31.725 --> 00:33.840
It describes in detail how

00:33.840 --> 00:36.240
a potential adversary
would perform an attack,

00:36.240 --> 00:38.610
and then it breaks it down
into logical groupings.

00:38.610 --> 00:40.380
For example, one
of these groupings

00:40.380 --> 00:42.345
would be privilege escalation.

00:42.345 --> 00:44.870
We'll see that in more
detail on the next slide.

00:44.870 --> 00:47.075
If you'd like more information
about the framework,

00:47.075 --> 00:49.950
you can find it at the
URL on the screen.

00:50.290 --> 00:53.620
Here is the MITRE
ATT&CK Framework.

00:53.620 --> 00:55.535
If we go to privilege
escalation,

00:55.535 --> 00:58.475
we can go down through and
look for a specific technique.

00:58.475 --> 01:00.770
Clicking on that will
give the details of

01:00.770 --> 01:02.840
how that is used in the wild.

01:02.840 --> 01:05.420
Keep in mind this is active
information that has been

01:05.420 --> 01:07.190
collected by
security researchers

01:07.190 --> 01:08.630
and companies from
around the world,

01:08.630 --> 01:10.040
so this is real.

01:10.040 --> 01:13.040
This is good information for
you to take and make sure

01:13.040 --> 01:14.210
that your systems are

01:14.210 --> 01:17.160
hardened against these
types of attacks.

01:17.770 --> 01:19.940
MITRE also has created

01:19.940 --> 01:22.790
an ATT&CK Framework for the
industrial control systems.

01:22.790 --> 01:24.470
It is also a knowledge base of

01:24.470 --> 01:27.805
real-world information
about TTPs for ICS.

01:27.805 --> 01:29.750
You can find out more
information about

01:29.750 --> 01:32.525
this at the URL on the screen.

01:32.525 --> 01:35.975
Very similar to the
normal ATT&CK Framework,

01:35.975 --> 01:37.685
it's broken down
in the same way.

01:37.685 --> 01:41.660
We can look up a
delivery or a discovery,

01:41.660 --> 01:43.115
or the different types of

01:43.115 --> 01:45.140
the logical groupings and
then scroll down through

01:45.140 --> 01:47.030
there to find the
different types

01:47.030 --> 01:48.755
of techniques that
have been discovered.

01:48.755 --> 01:51.110
This is especially
critical for ICS

01:51.110 --> 01:53.780
because ICS systems tend
to be less protected,

01:53.780 --> 01:56.205
less well defended and hardened.

01:56.205 --> 01:58.355
Making sure that
your ICS systems

01:58.355 --> 01:59.960
are not vulnerable
to these attacks

01:59.960 --> 02:01.070
will go a long

02:01.070 --> 02:04.440
way to ensuring that
your systems are secure.

02:05.210 --> 02:08.745
The diamond model of
intrusion analysis.

02:08.745 --> 02:11.060
The key to remember
about the diamond model

02:11.060 --> 02:13.055
is that an adversary achieves

02:13.055 --> 02:15.995
goals by using capabilities

02:15.995 --> 02:19.560
over infrastructure
against the victim.

02:19.580 --> 02:23.955
These four words help make
up the diamond model;

02:23.955 --> 02:27.580
goals, capabilities,
infrastructure, and victim.

02:27.580 --> 02:29.450
For every intrusion,

02:29.450 --> 02:32.330
an adversary moves
towards their goals by

02:32.330 --> 02:34.265
leveraging their capabilities

02:34.265 --> 02:36.740
on infrastructure
against victims,

02:36.740 --> 02:38.405
and this will create an impact.

02:38.405 --> 02:41.900
Every act of intrusion will
indicate how an attacker uses

02:41.900 --> 02:43.010
the different capabilities and

02:43.010 --> 02:46.145
methodologies over infrastructure
against the victim.

02:46.145 --> 02:48.270
The diamond model
also allows for

02:48.270 --> 02:51.665
meta-features that are included
in the model as ovals,

02:51.665 --> 02:53.360
and they describe
details that may be

02:53.360 --> 02:55.220
included at the base level.

02:55.220 --> 02:57.080
In addition, these
meta-features may describe

02:57.080 --> 03:00.360
technology and
social-political aspects.

03:01.400 --> 03:03.630
Here is a graphic of

03:03.630 --> 03:06.400
the diamond model of
intrusion analysis.

03:08.510 --> 03:11.290
The Cyber Kill Chain.

03:11.290 --> 03:13.580
This is a proprietary
product that

03:13.580 --> 03:15.395
was created by Lockheed Martin.

03:15.395 --> 03:17.720
It describes the
steps an adversary

03:17.720 --> 03:20.200
must complete to
achieve their goals.

03:20.200 --> 03:21.820
It begins with reconnaissance.

03:21.820 --> 03:24.200
This is gathering information
about the target.

03:24.200 --> 03:26.990
It may be using open-source
intelligence, OSINT,

03:26.990 --> 03:31.130
to find out who are
the key players and

03:31.130 --> 03:33.140
who are the people in
different departments so

03:33.140 --> 03:35.220
that you can better craft
your phishing emails,

03:35.220 --> 03:38.945
or it may be looking for
information about the DNS.

03:38.945 --> 03:41.915
Are there any
subdomains that are not

03:41.915 --> 03:43.610
common knowledge
that maybe would

03:43.610 --> 03:45.605
be good attack vectors.

03:45.605 --> 03:47.510
From there we go
to weaponization.

03:47.510 --> 03:48.560
This is when malware is

03:48.560 --> 03:51.790
crafted that will be
used in the attack.

03:51.790 --> 03:53.580
Next, we move to delivery.

03:53.580 --> 03:57.885
How the malware will be
sent to the target site.

03:57.885 --> 03:59.780
For example, this
could be malware

03:59.780 --> 04:01.610
delivered through
a phishing email,

04:01.610 --> 04:04.205
or it could be a weaponized
payload on a website.

04:04.205 --> 04:05.915
It can be many different things.

04:05.915 --> 04:09.770
This is the last
stage or I should say

04:09.770 --> 04:11.600
the most important stage where

04:11.600 --> 04:14.525
a defender can stop the
attack from progressing.

04:14.525 --> 04:15.830
If we can stop it from being

04:15.830 --> 04:18.790
delivered we can
stop the kill chain.

04:18.790 --> 04:20.920
From there we move
to exploitation.

04:20.920 --> 04:23.690
This is when the tools
that were delivered are

04:23.690 --> 04:26.800
used to exploit
vulnerabilities on the system.

04:26.800 --> 04:29.285
After that we move
to installation.

04:29.285 --> 04:32.300
This is where we would see

04:32.300 --> 04:34.520
backdoors being implemented by

04:34.520 --> 04:36.230
the malware that was installed.

04:36.230 --> 04:38.570
This is also a
good stage to stop

04:38.570 --> 04:40.100
the attack by using

04:40.100 --> 04:41.960
host-based intrusion
detection systems

04:41.960 --> 04:44.750
or host-based intrusion
prevention systems to

04:44.750 --> 04:46.010
let us know that these are

04:46.010 --> 04:48.005
being installed on our systems.

04:48.005 --> 04:49.880
Finally, after that, I

04:49.880 --> 04:51.800
should say we have
command and control.

04:51.800 --> 04:55.760
This is where the
attacker now has

04:55.760 --> 04:59.810
control over the networks and
by using these backdoors,

04:59.810 --> 05:01.640
they can come and go as
they please to send out

05:01.640 --> 05:03.620
additional commands
to the malware

05:03.620 --> 05:05.035
installed on the network.

05:05.035 --> 05:07.940
Then finally, we have
actions on objective.

05:07.940 --> 05:10.010
This is where the attacker goes

05:10.010 --> 05:12.200
about trying to achieve
their objectives.

05:12.200 --> 05:14.029
Are they there to
steal information?

05:14.029 --> 05:15.380
Are they there to use

05:15.380 --> 05:17.300
your network to
attack someone else?

05:17.300 --> 05:19.430
Whatever it is, this
is the goal they're

05:19.430 --> 05:22.650
shooting for. This is the
last step, step 7.

05:23.450 --> 05:26.520
Summary. We went over

05:26.520 --> 05:28.650
the MITRE Adversarial
Tactics, Techniques,

05:28.650 --> 05:31.210
and Common Knowledge or
ATT&CK Framework and we also

05:31.210 --> 05:32.410
discussed the ATT&CK Framework

05:32.410 --> 05:34.090
for industrial control systems.

05:34.090 --> 05:35.860
From there we went over
the diamond model of

05:35.860 --> 05:37.300
intrusion analysis and then

05:37.300 --> 05:39.580
we went over the
Cyber Kill Chain.

05:39.580 --> 05:43.555
Let's do some example
questions. Question 1.

05:43.555 --> 05:46.465
This step in the Cyber
Kill Chain describes how

05:46.465 --> 05:48.190
adversaries will
successfully use

05:48.190 --> 05:50.660
tools to achieve a breach.

05:50.660 --> 05:53.550
This is step 4, exploitation.

05:53.550 --> 05:57.175
This is when the tools
that have already been

05:57.175 --> 05:59.530
uploaded will exploit
vulnerabilities

05:59.530 --> 06:02.750
to give the attacker
access to the systems.

06:03.050 --> 06:08.540
Question 2. This model
states an adversary achieves

06:08.540 --> 06:10.895
goals by using capabilities

06:10.895 --> 06:14.030
over infrastructure
against victims.

06:14.030 --> 06:16.040
This is the diamond model of

06:16.040 --> 06:20.485
intrusion analysis. Question 3.

06:20.485 --> 06:22.070
This is a knowledge base of

06:22.070 --> 06:24.230
real-world adversary tactics and

06:24.230 --> 06:26.150
techniques broken into groups

06:26.150 --> 06:28.620
with matrices for each group.

06:29.480 --> 06:32.400
The MITRE Adversarial
Tactics, Techniques,

06:32.400 --> 06:35.515
and Common Knowledge
or ATT&CK Framework.

06:35.515 --> 06:39.419
Which framework would
be used for ICS?

06:39.940 --> 06:43.970
ATT&CK for industrial control
systems, also by MITRE.

06:43.970 --> 06:45.380
Hope this lesson was useful

06:45.380 --> 06:47.820
for you, and I'll see
you in the next one.

