WEBVTT

00:00.000 --> 00:03.060
>> This is Module 1, Lesson 4,

00:03.060 --> 00:04.830
ATT&CK mapping process:

00:04.830 --> 00:08.410
identifying techniques
or sub-techniques.

00:09.410 --> 00:12.630
In this lesson, we
have three objectives.

00:12.630 --> 00:15.090
The first is to learn
key strategies for

00:15.090 --> 00:18.045
identifying techniques
and sub-techniques.

00:18.045 --> 00:20.865
We're going to go
over some examples of

00:20.865 --> 00:22.260
working with these strategies

00:22.260 --> 00:23.970
with text from an actual report,

00:23.970 --> 00:26.280
as well as some of the
external resources that you

00:26.280 --> 00:29.505
might use as you
take a look at this.

00:29.505 --> 00:32.850
Our overall hope is that
you get out of this,

00:32.850 --> 00:34.770
the ability to identify
techniques and

00:34.770 --> 00:37.305
sub-techniques in
narrative reporting,

00:37.305 --> 00:41.470
so step 4 of the process
we gave in Lesson 1.

00:44.330 --> 00:48.295
On to step 4. This is often

00:48.295 --> 00:49.690
the hardest step in

00:49.690 --> 00:53.180
the mapping process that we
gave in the first lesson.

00:53.180 --> 00:55.420
Techniques and
sub-techniques are

00:55.420 --> 00:57.220
not always easy to identify.

00:57.220 --> 01:00.505
There are a lot of
them in ATT&CK.

01:00.505 --> 01:03.010
The process we've gone
through so far in

01:03.010 --> 01:04.510
the first few steps

01:04.510 --> 01:07.930
is in order to try
to make this better.

01:07.930 --> 01:10.060
Also, some techniques may

01:10.060 --> 01:12.190
appear in ATT&CK multiple times.

01:12.190 --> 01:14.740
This is reflected
throughout ATT&CK,

01:14.740 --> 01:17.065
where an adversary may
be trying to do one of

01:17.065 --> 01:20.620
a couple of different things
with a particular behavior.

01:20.620 --> 01:23.710
For example, hijack
execution flow and all of

01:23.710 --> 01:26.720
its sub-techniques fall
under persistence,

01:26.720 --> 01:29.315
privilege escalation,
and defense evasion.

01:29.315 --> 01:31.940
Because there are a couple
of different reasons why

01:31.940 --> 01:35.700
an adversary may actually
use these behaviors.

01:37.540 --> 01:41.150
Not every behavior that
you're going to find in

01:41.150 --> 01:43.490
every report is necessarily

01:43.490 --> 01:46.145
a technique or
sub-technique in ATT&CK.

01:46.145 --> 01:50.630
It may not be a match
with ATT&CK's scope.

01:50.630 --> 01:52.760
It could be something outside

01:52.760 --> 01:55.850
of the technical space
that ATT&CK lives in,

01:55.850 --> 01:58.190
it could be something
more like just

01:58.190 --> 02:01.160
providing indicators of
compromise to an analyst,

02:01.160 --> 02:04.040
and not every behavior
that could be mapped is

02:04.040 --> 02:07.150
actually malicious
activity by an adversary.

02:07.150 --> 02:10.400
Context can be key for
determining this and

02:10.400 --> 02:11.750
taking a look at what it is

02:11.750 --> 02:14.195
the adversary is
trying to accomplish.

02:14.195 --> 02:16.100
You can take a look at

02:16.100 --> 02:18.380
tools that the
adversary is using,

02:18.380 --> 02:21.050
and whether it's actually
hostile adversary usage.

02:21.050 --> 02:24.605
Are they trying to meet one
of those tactics in ATT&CK?

02:24.605 --> 02:26.645
It's also true that not

02:26.645 --> 02:29.705
every possible technique
is documented.

02:29.705 --> 02:33.470
One of the goals of ATT&CK
is to describe seen-

02:33.470 --> 02:36.740
in-the-wild adversary behaviors,
and so for that reason,
and so for that reason,

02:36.740 --> 02:38.840
if it hasn't been given
to us before from

02:38.840 --> 02:42.140
threat intelligence reporting
or contributed to ATT&CK,

02:42.140 --> 02:44.075
it might not be in ATT&CK.

02:44.075 --> 02:48.320
Now that said, if you are
finding behaviors and reporting

02:48.320 --> 02:50.330
that are coming from
actual adversaries

02:50.330 --> 02:52.430
and you're not finding
them in ATT&CK,

02:52.430 --> 02:53.960
might be a great opportunity to

02:53.960 --> 02:56.690
contribute those to us

02:56.690 --> 02:59.520
so they will be in
ATT&CK in the future.

03:01.010 --> 03:03.980
I'm going to get into
three key strategies

03:03.980 --> 03:05.780
that you can use
in order to try to

03:05.780 --> 03:07.610
find this specific technique and

03:07.610 --> 03:10.355
sub-technique to
map to in ATT&CK.

03:10.355 --> 03:13.220
The first is to take what
you've already been doing in

03:13.220 --> 03:15.650
the previous steps
and look at

03:15.650 --> 03:16.820
the list of techniques and

03:16.820 --> 03:19.310
sub-techniques for the
tactic or tactics you

03:19.310 --> 03:21.860
previously identified
because that'll

03:21.860 --> 03:25.550
get you down to a much
smaller portion of ATT&CK.

03:25.550 --> 03:28.370
Get into a little bit
of just searching

03:28.370 --> 03:30.920
the attack.mitre.org
website directly.

03:30.920 --> 03:32.540
We have a lot of text in there,

03:32.540 --> 03:34.415
and it may help you key in on

03:34.415 --> 03:35.645
the specific technique or

03:35.645 --> 03:38.075
sub-technique that
you're looking for.

03:38.075 --> 03:40.385
Finally, if that's not working,

03:40.385 --> 03:44.050
taking a look at how ATT&CK
actually is doing mappings.

03:44.050 --> 03:47.090
We have thousands of
examples at this point

03:47.090 --> 03:50.810
of adversary behavior from
reports mapped to ATT&CK.

03:50.810 --> 03:52.610
Just taking a look at how

03:52.610 --> 03:55.740
we're actually doing
that ourselves.

03:57.200 --> 04:01.910
Strategy 1, taking a
look at the list of

04:01.910 --> 04:03.560
techniques and sub-techniques in

04:03.560 --> 04:07.410
the tactic that you
previously identified.

04:07.730 --> 04:10.010
As you take a look,

04:10.010 --> 04:12.860
you're going to find that
ATT&CK these days actually has

04:12.860 --> 04:17.850
two levels of technique:
techniques and sub-techniques.

04:17.850 --> 04:21.830
Now, sub-techniques are just
more specific techniques.

04:21.830 --> 04:23.330
They have all the same fields,

04:23.330 --> 04:26.179
the same properties
as techniques.

04:26.179 --> 04:29.870
But we recommend that as
you're mapping to ATT&CK,

04:29.870 --> 04:32.060
that you get down
to the lowest level

04:32.060 --> 04:33.695
of detail that you're able to.

04:33.695 --> 04:34.970
That is, if there is

04:34.970 --> 04:38.030
both a technique and a
sub-technique that applies,

04:38.030 --> 04:41.570
we recommend going down
to the sub-technique.

04:41.660 --> 04:45.604
Take a look at the behaviors
in the given tactic.

04:45.604 --> 04:48.590
It's going to give you
a much smaller list of

04:48.590 --> 04:50.735
techniques and
sub-techniques than

04:50.735 --> 04:52.700
you have looking
at all of ATT&CK.

04:52.700 --> 04:55.310
Now, this is even more
true in something like

04:55.310 --> 04:57.620
initial access or impact

04:57.620 --> 04:59.780
where there's only a
few techniques there,

04:59.780 --> 05:01.480
but there's still
quite a few there,

05:01.480 --> 05:04.840
if you're looking at something
like defense evasion.

05:04.840 --> 05:08.690
As you go through, you can
take a look at details

05:08.690 --> 05:12.844
that are in the first paragraph
of each of the reports.

05:12.844 --> 05:15.860
Sometimes it may not
make sense to go

05:15.860 --> 05:18.110
all the way down to the
sub-technique at first,

05:18.110 --> 05:20.015
sometimes it may be that

05:20.015 --> 05:23.380
it's fairly obvious
what technique applies,

05:23.380 --> 05:25.555
then you need to open
it up, take a look,

05:25.555 --> 05:29.230
and see if there are sub-techniques
that actually match.

05:29.230 --> 05:31.820
Other times, if something really

05:31.820 --> 05:34.880
specifically maps to a
given sub-technique,

05:34.880 --> 05:37.955
you may be able to go
directly to that level.

05:37.955 --> 05:39.560
It may be that you're actually

05:39.560 --> 05:41.090
working your way back
up where you were

05:41.090 --> 05:44.420
first able to identify a
sub-technique directly,

05:44.420 --> 05:47.760
and then work back
up to the technique.

05:50.410 --> 05:54.050
If that fails, if you're not
finding what you're looking

05:54.050 --> 05:55.310
for in the tactic that you

05:55.310 --> 05:57.440
believe that the
adversary was doing,

05:57.440 --> 05:59.255
it might be worth looking

05:59.255 --> 06:01.849
across the entire
ATT&CK website.

06:01.849 --> 06:04.535
We have a lot of
text in ATT&CK that

06:04.535 --> 06:07.625
is both describing the
adversary behavior itself,

06:07.625 --> 06:10.460
as well as a number of
examples where we've mapped

06:10.460 --> 06:14.020
adversary behavior already
to specific techniques.

06:14.020 --> 06:15.560
This can be things like just

06:15.560 --> 06:17.420
using your favorite
search engine

06:17.420 --> 06:20.585
to search the
attack.mitre.org website

06:20.585 --> 06:24.155
using Ctrl+F keyword
searches across

06:24.155 --> 06:26.330
different lists of
techniques looking for

06:26.330 --> 06:29.255
text in the technique
name itself.

06:29.255 --> 06:32.750
You can also take a look at
procedure level details.

06:32.750 --> 06:33.920
In a lot of cases,

06:33.920 --> 06:36.380
we may have mapped
something that came from

06:36.380 --> 06:38.180
very similar text to

06:38.180 --> 06:40.810
what you're looking for
from the report you have,

06:40.810 --> 06:43.550
and it can be worth trying
specific command strings.

06:43.550 --> 06:45.230
We have a lot of

06:45.230 --> 06:47.420
example commands in
ATT&CK at this point,

06:47.420 --> 06:48.980
they may match up exactly

06:48.980 --> 06:51.325
with what you're seeing
an adversary do.

06:51.325 --> 06:54.870
If that fails,

06:54.870 --> 06:58.640
it may be worth backing
up a step and taking

06:58.640 --> 07:00.455
a look at how

07:00.455 --> 07:03.680
we're actually mapping
techniques to ATT&CK.

07:03.680 --> 07:07.070
If you get into some of the
groups and software pages

07:07.070 --> 07:08.510
on ATT&CK or techniques

07:08.510 --> 07:10.324
and looking at
procedure examples,

07:10.324 --> 07:12.875
you can actually see some of how

07:12.875 --> 07:14.840
the ATT&CK team is

07:14.840 --> 07:18.035
taking details from reporting
and mapping them to ATT&CK.

07:18.035 --> 07:20.240
It may be helpful to just take

07:20.240 --> 07:22.960
a look at how we're doing it,

07:22.960 --> 07:25.040
and it may be useful as a hint

07:25.040 --> 07:28.200
to take another
direction forward.

07:30.070 --> 07:32.570
Let's get into some examples of

07:32.570 --> 07:34.895
actually using some
of these strategies.

07:34.895 --> 07:36.980
In that report that we've looked

07:36.980 --> 07:39.260
at in the previous lessons,

07:39.260 --> 07:41.150
we had a couple of these phrases

07:41.150 --> 07:42.965
in there that we've
already highlighted.

07:42.965 --> 07:45.410
Used email attachments,

07:45.410 --> 07:49.690
created scheduled
task, installed tools.

07:49.690 --> 07:53.270
These are terms that
you can search in

07:53.270 --> 07:55.250
ATT&CK and you'll find directly

07:55.250 --> 07:57.970
appearing in
different techniques.

07:57.970 --> 08:00.470
For example, used
email attachments.

08:00.470 --> 08:01.705
You'll find that directly in

08:01.705 --> 08:03.689
phishing: spearphishing
attachment,

08:03.689 --> 08:09.105
which is sub-technique T1566.001.

08:09.105 --> 08:11.530
If you look for
create scheduled task,

08:11.530 --> 08:15.190
you'll find scheduled
task/job, T1053.

08:15.190 --> 08:17.380
Now, if you then
go in and look at

08:17.380 --> 08:20.500
the sub-techniques
of that technique,

08:20.500 --> 08:23.825
look at the details around
create scheduled task,

08:23.825 --> 08:26.200
you'll find that you can
probably get all the

08:26.200 --> 08:29.665
way down to T1053.005.

08:29.665 --> 08:32.890
Another level down.
Installed tools.

08:32.890 --> 08:34.540
Again, you'll find directly in

08:34.540 --> 08:37.820
ingress tool transfer, T1105.

08:41.060 --> 08:46.155
If I search for
SOCKS5 in ATT&CK,

08:46.155 --> 08:49.875
I may or may not find an
appropriate matching technique.

08:49.875 --> 08:51.560
But if, for example,

08:51.560 --> 08:53.530
I look for just SOCKS,

08:53.530 --> 08:58.310
I come up right in
non-application layer protocol,

08:58.310 --> 09:01.085
where we describe SOCKS

09:01.085 --> 09:04.010
as a non-application
layer protocol.

09:04.010 --> 09:07.475
It is directly in the
technique description itself.

09:07.475 --> 09:09.230
You also would
have found it from

09:09.230 --> 09:12.185
the specific tactics that
you've gotten down into.

09:12.185 --> 09:16.200
Again, it's a fairly
direct finding.

09:19.750 --> 09:23.420
Maybe you're just looking
across technique lists.

09:23.420 --> 09:26.210
One of the things we
highlighted earlier was,

09:26.210 --> 09:31.655
establishes a SOCKS5 connection
using TCP port 1913.

09:31.655 --> 09:34.070
Well, I want to see what using

09:34.070 --> 09:36.470
a port might actually
be in ATT&CK.

09:36.470 --> 09:37.520
We've already figured out that

09:37.520 --> 09:39.500
that's command and control.

09:39.500 --> 09:42.425
Let's take a look at
our technique list.

09:42.425 --> 09:44.225
If I look for port,

09:44.225 --> 09:48.680
I come up with nonstandard
port and port knocking.

09:48.680 --> 09:50.840
If I get into the descriptions,

09:50.840 --> 09:53.255
this is not port knocking.

09:53.255 --> 09:55.580
Port knocking is when an
adversary connects to

09:55.580 --> 09:58.250
a series of specific
numbered ports,

09:58.250 --> 10:01.655
which opens a connection
on the given system.

10:01.655 --> 10:04.880
Now, nonstandard port
on the other hand,

10:04.880 --> 10:07.580
we had already taken
a look at 1913.

10:07.580 --> 10:08.885
We'd done some research.

10:08.885 --> 10:13.345
We recognized that it was not
a normal port to be using,

10:13.345 --> 10:17.000
and this maps down
to nonstandard port.

10:22.130 --> 10:25.280
From this one little phrase,

10:25.280 --> 10:27.935
we've actually been able to
come up with two techniques;

10:27.935 --> 10:32.490
non-application layer protocol,
and nonstandard port.

10:35.480 --> 10:38.090
Backing all the way back to

10:38.090 --> 10:42.180
that piece of the report that
we started with here.

10:42.260 --> 10:44.700
We've got this, establishes

10:44.700 --> 10:47.310
a SOCKS5 connection
using TCP port,

10:47.310 --> 10:49.010
where we've come up with

10:49.010 --> 10:52.880
tactics and techniques for
that one little portion.

10:52.880 --> 10:54.835
Now, for now, let's check.

10:54.835 --> 10:57.230
Take a look through
the rest of this,

10:57.230 --> 11:00.409
and see what techniques
you're able to identify.

11:00.409 --> 11:03.440
Please pause the
video, take a look,

11:03.440 --> 11:05.075
see what you're able to find,

11:05.075 --> 11:08.790
and in a minute, I'll give
you what my answers would be.

11:15.800 --> 11:18.740
Going back to the behaviors that

11:18.740 --> 11:22.170
we highlighted earlier
in the module,

11:23.110 --> 11:25.674
we have a successful
exploitation.

11:25.674 --> 11:28.295
We've given a user system
access on the machine.

11:28.295 --> 11:30.485
This is privilege escalation,

11:30.485 --> 11:33.660
exploitation for
privilege escalation.

11:35.830 --> 11:38.690
We had that the malware is using

11:38.690 --> 11:41.660
cmd.exe and running
a specific command.

11:41.660 --> 11:43.655
Well, the cmd.exe part,

11:43.655 --> 11:45.740
you'll find directly
in command and

11:45.740 --> 11:48.400
scripting interpreter
Windows command shell,

11:48.400 --> 11:50.195
and the command that's being run

11:50.195 --> 11:53.159
is system owner/user discovery.

11:55.670 --> 12:00.890
Again, we can find scheduled
task/job: scheduled task.

12:00.890 --> 12:03.890
We first get into
the technique from

12:03.890 --> 12:05.600
the specific phrase
and then get into

12:05.600 --> 12:09.630
the sub-technique that
is Windows-specific.

12:12.680 --> 12:17.740
How did you do? Hopefully,

12:17.740 --> 12:19.865
you've gotten some
strategies out of this

12:19.865 --> 12:22.685
for identifying techniques
and sub-techniques.

12:22.685 --> 12:25.200
We've taken a look at how we
can actually apply those,

12:25.200 --> 12:27.860
dig some of the information
out of the ATT&CK website,

12:27.860 --> 12:29.570
and some of the resources
you might be able

12:29.570 --> 12:31.805
to use for doing this.

12:31.805 --> 12:34.025
We're giving you a
little bit of practice,

12:34.025 --> 12:35.270
identifying techniques and

12:35.270 --> 12:37.535
sub-techniques in
narrative reporting.

12:37.535 --> 12:39.380
We'll get into
some more practice

12:39.380 --> 12:41.520
on doing that in a moment.

