WEBVTT

00:00.890 --> 00:03.020
This is module one, lesson three,

00:03.290 --> 00:05.599
ATT&CK mapping process, translating

00:05.600 --> 00:07.400
a behavior into a tactic.

00:10.400 --> 00:11.539
This lesson, we have three

00:11.540 --> 00:14.029
objectives for you to understand

00:14.030 --> 00:15.949
the 14 tactics in Enterprise

00:15.950 --> 00:17.869
ATT&CK and why they matter.

00:18.920 --> 00:20.292
We are going to go through some

00:20.300 --> 00:22.064
practice showing you how to identify

00:22.190 --> 00:24.079
behavior in narrative reporting.

00:24.630 --> 00:25.609
We're going to talk about how to

00:25.610 --> 00:27.080
translate those behaviors into

00:27.530 --> 00:28.902
tactics, which is step three

00:29.750 --> 00:31.459
of the ATT&CK mapping process, which

00:31.460 --> 00:32.569
we showed in lesson one.

00:37.810 --> 00:39.609
So as we try to translate the

00:39.610 --> 00:41.325
behaviors we found and we've gotten

00:41.380 --> 00:42.654
some understanding of into

00:43.240 --> 00:45.369
a tactic, the big

00:45.370 --> 00:46.840
thing we're looking at is what

00:47.500 --> 00:49.419
goal is the adversary trying

00:49.420 --> 00:50.420
to accomplish.

00:51.490 --> 00:53.379
What thing is it that

00:53.560 --> 00:54.879
the adversary is trying to do in

00:54.880 --> 00:57.159
their step of behavior and breaking

00:57.160 --> 00:59.169
in and acting on a system?

01:02.280 --> 01:03.799
Now, you have a bit easier time

01:04.260 --> 01:05.926
here than trying to go straight to

01:06.180 --> 01:07.859
techniques or sub-techniques

01:08.580 --> 01:10.940
because there are only 14 tactical

01:10.950 --> 01:12.469
options currently in Enterprise

01:12.810 --> 01:13.810
ATT&CK.

01:15.810 --> 01:17.699
So I'm going to go into each

01:17.700 --> 01:19.199
of the tactics briefly

01:19.560 --> 01:21.226
that is currently in Enterprise

01:21.480 --> 01:23.519
ATT&CK and talk a little bit about

01:23.520 --> 01:24.899
what sorts of things are in each of

01:24.900 --> 01:25.900
them.

01:26.730 --> 01:28.229
The reconnaissance and resource

01:28.230 --> 01:29.847
development tactics were added to

01:30.030 --> 01:31.999
ATT&CK in October of 2020.

01:32.910 --> 01:34.739
They take the place of a

01:34.740 --> 01:36.161
previous framework called PRE-

01:36.720 --> 01:38.609
ATT&CK that lived alongside

01:38.610 --> 01:39.479
ATT&CK.

01:39.480 --> 01:40.950
And these two tactics describe

01:41.340 --> 01:42.810
activities that happen from an

01:42.930 --> 01:44.819
adversary before an adversary

01:44.820 --> 01:46.319
tries to break into a system.

01:47.950 --> 01:49.599
So for reconnaissance, the adversary

01:49.600 --> 01:51.119
is trying to gather information

01:51.430 --> 01:52.753
they can use to plan future

01:52.870 --> 01:53.870
operations.

01:54.460 --> 01:55.869
This is things like scanning a

01:55.870 --> 01:57.939
victim, looking up in databases,

01:57.940 --> 01:59.459
information about people at the

01:59.470 --> 02:01.389
victim and

02:01.390 --> 02:03.069
gathering various information that

02:03.070 --> 02:04.569
they're going to need in order for

02:04.570 --> 02:06.340
an operation to be successful.

02:08.110 --> 02:09.384
Resource development is as

02:10.120 --> 02:11.679
the adversary starts to take those

02:11.680 --> 02:13.003
reconnaissance intelligence

02:13.690 --> 02:14.768
findings and turn them

02:15.610 --> 02:16.982
into the resources they need

02:17.500 --> 02:19.150
to support their operations.

02:19.780 --> 02:21.639
This is things like writing malware,

02:21.760 --> 02:24.069
registering domains, buying

02:24.070 --> 02:25.090
up VPNs.

02:27.340 --> 02:29.259
Initial access. Initial access

02:29.260 --> 02:30.583
consists of techniques that

02:31.180 --> 02:32.748
are various entry vectors for an

02:32.800 --> 02:34.419
adversary to gain their initial

02:34.420 --> 02:36.099
foothold in an enterprise,

02:37.030 --> 02:39.219
and these are things like phishing,

02:39.760 --> 02:41.328
like an adversary getting into a

02:41.530 --> 02:43.509
supply chain, various

02:43.510 --> 02:44.559
things where an adversary is taking

02:44.560 --> 02:46.149
that first step towards getting into

02:46.150 --> 02:47.150
an environment.

02:48.400 --> 02:49.400
Execution.

02:49.450 --> 02:51.640
Execution consists of techniques

02:52.030 --> 02:53.919
that result in adversary-controlled

02:53.920 --> 02:54.920
code running on a

02:55.870 --> 02:56.919
victim system.

02:58.280 --> 03:00.129
These could be things like buffer

03:00.130 --> 03:01.930
overflows or just

03:02.110 --> 03:04.240
user clicking on a piece of malware.

03:06.200 --> 03:08.239
Persistence is techniques

03:08.240 --> 03:09.612
that adversaries use to keep

03:10.430 --> 03:11.870
access to systems.

03:12.560 --> 03:14.539
This may be across restarts.

03:14.540 --> 03:16.369
This may be things like credentials

03:16.370 --> 03:18.036
changing or any other interruption

03:18.740 --> 03:20.680
that could potentially cut off their

03:20.690 --> 03:22.729
access and keep them from coming

03:22.730 --> 03:23.730
back in.

03:24.860 --> 03:26.359
And so these will be things like

03:26.360 --> 03:28.075
making sure that the malware restarts

03:28.160 --> 03:29.360
upon a reboot,

03:30.800 --> 03:31.927
ensuring that access is

03:32.720 --> 03:33.896
open for future attempts

03:34.550 --> 03:35.839
to come into the environment

03:36.680 --> 03:38.239
and anything else the adversary is

03:38.240 --> 03:39.679
doing to try to make sure that they

03:39.680 --> 03:41.059
can get back in later.

03:44.780 --> 03:46.939
Privilege escalation. Privilege

03:46.940 --> 03:48.169
escalation is techniques that

03:48.170 --> 03:49.934
adversaries use to gain higher level

03:50.120 --> 03:51.919
permissions on a system or network,

03:52.980 --> 03:54.303
oftentimes there are things

03:54.800 --> 03:56.179
that an adversary is going to want

03:56.180 --> 03:58.340
to do, often in other tactics

03:59.060 --> 04:00.236
where they need to be an

04:00.290 --> 04:01.869
administrator. They need to be root,

04:01.880 --> 04:03.007
they need to be system.

04:03.050 --> 04:04.669
They need to be something beyond a

04:04.670 --> 04:05.869
normal user

04:06.500 --> 04:07.909
in order to be able to accomplish

04:07.910 --> 04:08.910
those goals.

04:09.440 --> 04:10.940
So privilege escalation

04:11.360 --> 04:12.919
is the different techniques that the

04:12.920 --> 04:14.145
adversary is using to get

04:15.080 --> 04:17.300
that higher level permissions.

04:19.550 --> 04:20.628
Defense evasion is

04:21.709 --> 04:23.277
techniques that an adversary uses

04:23.570 --> 04:25.399
to avoid getting caught, so

04:25.400 --> 04:27.140
avoiding defenders,

04:28.550 --> 04:30.118
this could be things like naming

04:30.350 --> 04:31.918
their files after another common

04:32.360 --> 04:33.490
system utility.

04:34.220 --> 04:35.659
These could be things like hiding

04:35.660 --> 04:37.129
the presence of their tools from

04:37.130 --> 04:38.894
various security systems running on

04:39.050 --> 04:40.999
a computer, anything

04:41.000 --> 04:42.764
where an adversary is trying to hide

04:42.800 --> 04:43.800
from a defender.

04:46.100 --> 04:47.521
Credential access. Credential

04:48.290 --> 04:49.760
access is techniques for stealing

04:49.790 --> 04:51.456
credentials like account names and

04:51.710 --> 04:52.710
passwords

04:54.170 --> 04:56.089
in order to get into other

04:56.090 --> 04:58.069
systems on a network, often for

04:58.070 --> 04:59.687
lateral movement or in some cases

05:00.230 --> 05:01.504
to be able to do privilege

05:01.670 --> 05:02.670
escalation.

05:02.930 --> 05:04.699
Adversaries want passwords,

05:05.390 --> 05:07.009
and this can be done in a number of

05:07.010 --> 05:08.010
different ways.

05:08.160 --> 05:09.728
It can be anything from actually

05:10.130 --> 05:11.740
dumping them from the local system,

05:11.750 --> 05:12.859
getting them off the domain

05:12.860 --> 05:13.860
controller.

05:14.120 --> 05:15.541
Anything where an adversary is

05:15.800 --> 05:17.123
dumping credentials for use

05:17.390 --> 05:18.499
elsewhere in the system.

05:20.740 --> 05:23.079
Discovery. Discovery is techniques

05:23.080 --> 05:24.399
that an adversary uses to gain

05:24.400 --> 05:25.689
knowledge about the system and the

05:25.690 --> 05:26.690
internal network.

05:27.310 --> 05:28.929
This may be techniques they use to

05:28.930 --> 05:30.519
find out about where they've landed.

05:30.520 --> 05:31.520
So adversaries often

05:32.380 --> 05:33.899
look around right after they've

05:34.240 --> 05:36.004
gotten onto a first system to figure

05:36.040 --> 05:37.069
out, hey, where am I?

05:37.300 --> 05:38.840
Am I where I intended to be?

05:39.850 --> 05:41.289
They also want to be able to do

05:41.290 --> 05:42.099
lateral movement.

05:42.100 --> 05:43.119
They want to get into other

05:43.120 --> 05:45.279
computers and then may need to find

05:45.280 --> 05:46.358
those computers first.

05:46.420 --> 05:48.160
So anything an adversary's doing

05:48.490 --> 05:49.960
to try to see that information

05:50.560 --> 05:52.449
inside an environment we

05:52.450 --> 05:53.529
consider discovery.

05:55.320 --> 05:56.669
Lateral movement is techniques the

05:56.670 --> 05:58.889
adversary is using to get to remote

05:58.890 --> 06:00.189
systems on a network.

06:01.080 --> 06:02.939
So once the adversary is in

06:02.940 --> 06:04.949
an enterprise, the system they land

06:04.950 --> 06:06.869
on is often not the one they need

06:06.870 --> 06:09.029
to gain either complete control

06:09.030 --> 06:10.304
or their final goal, which

06:10.920 --> 06:12.329
is whatever information it is

06:12.330 --> 06:14.069
they're coming to steal, whatever

06:14.070 --> 06:15.619
destruction they're trying to do,

06:15.990 --> 06:17.609
they need to get to other systems

06:17.610 --> 06:18.959
once they've actually landed.

06:19.560 --> 06:20.789
And so lateral movement is the

06:20.790 --> 06:22.319
techniques that an adversary might

06:22.320 --> 06:23.320
do to do that.

06:23.820 --> 06:25.889
It could be remote desktop

06:25.890 --> 06:27.509
protocol to another system,

06:28.160 --> 06:29.630
could be moving through secure

06:30.240 --> 06:32.279
shell across a network.

06:32.640 --> 06:34.404
It could be exploitation to get into

06:34.470 --> 06:36.509
another computer and anything

06:36.510 --> 06:38.339
the adversary is doing to move to

06:38.340 --> 06:39.340
another system.

06:43.400 --> 06:44.429
Collection. Collection

06:45.230 --> 06:46.729
is techniques adversaries use to

06:46.730 --> 06:48.559
gather information and

06:48.560 --> 06:50.030
the sources that they're going

06:50.420 --> 06:51.988
to want to follow through on the

06:52.130 --> 06:53.319
rest of their objectives.

06:54.000 --> 06:55.421
These are things like pulling

06:55.670 --> 06:57.019
together the information that

06:57.020 --> 06:58.430
they're getting ready to exfil,

06:58.910 --> 07:00.259
you know, pulling those together

07:00.530 --> 07:02.269
into a single archive, moving into a

07:02.270 --> 07:03.270
single system.

07:03.650 --> 07:05.299
So it's the adversary going

07:05.300 --> 07:07.489
throughout a computer or

07:07.490 --> 07:08.813
a network and gathering the

07:09.350 --> 07:10.549
information that they're going to

07:10.550 --> 07:12.110
take further activities on.

07:14.180 --> 07:16.129
Command and control. Command and control

07:16.130 --> 07:18.050
is techniques an adversary uses

07:18.380 --> 07:19.703
to communicate with systems

07:20.360 --> 07:21.830
under their control. Network

07:22.760 --> 07:24.620
adversaries usually aren't

07:24.860 --> 07:26.449
sitting next to the computer that

07:26.450 --> 07:28.279
they're breaking into. They're, you

07:28.280 --> 07:29.539
know, somewhere remote, maybe in

07:29.540 --> 07:30.540
another country.

07:30.980 --> 07:32.929
And they have to have some method

07:32.930 --> 07:34.106
for actually controlling

07:34.850 --> 07:36.409
the environments that they've landed

07:36.410 --> 07:37.339
in.

07:37.340 --> 07:39.319
So the techniques that are in there

07:39.620 --> 07:41.809
in order to be able to actually talk

07:41.810 --> 07:43.427
to a victim network or be able to

07:43.520 --> 07:44.941
get commands in and out, fall

07:45.470 --> 07:46.760
into command and control.

07:48.610 --> 07:49.610
Exfiltration,

07:50.710 --> 07:52.639
exfiltration is activities

07:52.680 --> 07:54.444
adversaries are using to send data

07:54.730 --> 07:55.730
out the door.

07:56.260 --> 07:57.828
It's often one of the main goals

07:58.420 --> 08:00.669
of an adversary to violate

08:00.880 --> 08:02.439
confidentiality, to steal

08:02.440 --> 08:03.489
information that they're not

08:03.490 --> 08:04.929
supposed to have access to.

08:05.500 --> 08:07.119
And the specific techniques that are

08:07.120 --> 08:08.739
sending these out the door usually

08:08.740 --> 08:10.149
fall into exfiltration.

08:12.400 --> 08:14.379
Finally, impact. So, similar to

08:14.390 --> 08:16.029
exfiltration, most adversaries

08:16.030 --> 08:17.598
are trying to steal data, trying

08:17.860 --> 08:20.099
to compromise confidentiality.

08:20.770 --> 08:22.485
But if you're familiar with the CIA

08:22.660 --> 08:24.609
pyramid, we've got three

08:24.610 --> 08:26.019
different goals that happen with

08:26.020 --> 08:28.060
security, confidentiality,

08:28.510 --> 08:30.279
integrity and availability.

08:31.090 --> 08:33.369
So impact is the other two parts

08:33.370 --> 08:34.569
of that triad.

08:35.020 --> 08:37.440
It's the availability and integrity.

08:37.450 --> 08:39.309
So it's techniques adversaries use

08:39.669 --> 08:41.499
to disrupt availability or

08:41.500 --> 08:42.999
compromise integrity by

08:43.000 --> 08:44.225
manipulating business and

08:44.230 --> 08:45.739
operational processes.

08:47.440 --> 08:48.763
So this is your destructive

08:49.120 --> 08:50.688
activities and your manipulative

08:50.800 --> 08:51.800
activities.

08:51.880 --> 08:53.529
So these are things like ransomware.

08:53.530 --> 08:55.098
So encrypting data on end systems

08:55.570 --> 08:57.069
to make it so that people can't

08:57.070 --> 08:58.269
access it anymore,

08:58.900 --> 09:00.468
or things like manipulating data

09:00.820 --> 09:02.440
on the wire to steal money.

09:06.160 --> 09:08.440
So we've got those 14 tactics

09:08.890 --> 09:10.299
in Enterprise ATT&CK,

09:11.050 --> 09:12.765
we went through this report before,

09:12.940 --> 09:14.349
and this is a snippet from the same

09:14.350 --> 09:16.299
report we used

09:16.300 --> 09:17.470
in the previous lesson.

09:18.520 --> 09:20.139
And this is a behavior we've

09:20.140 --> 09:21.470
researched a little bit, too.

09:22.000 --> 09:23.274
So it first establishes a

09:23.830 --> 09:25.989
SOCKS5 connection to a specific

09:25.990 --> 09:28.149
port, and then it's doing

09:28.150 --> 09:29.919
these following commands within the

09:29.920 --> 09:30.920
malware.

09:31.990 --> 09:33.362
So the adversary is creating

09:33.850 --> 09:36.039
a connection in order to command

09:36.040 --> 09:37.539
the malware to do something.

09:38.230 --> 09:39.489
So that's falling into command and

09:39.490 --> 09:40.490
control.

09:40.930 --> 09:42.189
And so this is something that we can

09:42.190 --> 09:43.513
go through with each of the

09:43.570 --> 09:45.190
behaviors in a report

09:45.910 --> 09:47.429
in order to take a look at what

09:48.190 --> 09:49.954
is it that the adversary is actually

09:50.080 --> 09:52.059
trying to do and where

09:52.060 --> 09:53.334
does it fall into those 14

09:54.190 --> 09:55.190
tactics?

10:00.840 --> 10:02.109
So in summary, some of the things

10:02.110 --> 10:03.479
we're hoping you got out of this

10:03.480 --> 10:05.369
lesson, I've gone

10:05.370 --> 10:06.742
through some of the types of

10:06.840 --> 10:08.519
behaviors that are associated with

10:08.520 --> 10:10.260
each of the 14 tactics

10:10.740 --> 10:12.149
in Enterprise ATT&CK.

10:12.880 --> 10:14.579
I got into a little bit about how to

10:14.580 --> 10:16.197
link behaviors to these adversary

10:16.410 --> 10:18.450
goals, getting up to a tactic,

10:18.720 --> 10:20.309
and how to translate that behavior

10:20.310 --> 10:22.200
into the corresponding tactic.

