WEBVTT

00:02.240 --> 00:04.190
This is module one, lesson two,

00:04.340 --> 00:05.900
ATT&CK mapping process,

00:06.260 --> 00:07.489
finding and researching the

00:07.490 --> 00:08.490
behavior.

00:11.820 --> 00:13.094
In this lesson, we have three

00:13.320 --> 00:14.320
objectives.

00:15.450 --> 00:16.739
We're going to discover how to find

00:16.740 --> 00:18.989
behaviors, that's step one

00:18.990 --> 00:20.910
of the ATT&CK mapping process

00:21.160 --> 00:22.680
I gave in the previous lesson.

00:23.640 --> 00:24.959
We're going to learn how to research

00:24.960 --> 00:25.960
behaviors.

00:26.040 --> 00:27.389
That's step two of the mapping

00:27.390 --> 00:28.460
process I gave.

00:29.130 --> 00:30.747
And finally, I'm going to go into

00:30.870 --> 00:32.819
some narrative reporting so that we

00:32.820 --> 00:34.680
can see some example behaviors.

00:38.100 --> 00:39.719
Step one of our process, finding the

00:39.720 --> 00:40.720
behavior:

00:42.150 --> 00:43.559
you're going to want to look in your

00:43.560 --> 00:45.479
reporting for what the

00:45.480 --> 00:46.754
adversary or software does

00:47.520 --> 00:49.380
during the steps of the compromise.

00:50.520 --> 00:51.959
As you look through your reporting,

00:51.960 --> 00:53.280
you're going to want to focus on

00:53.550 --> 00:55.409
compromise, initial compromise and

00:55.740 --> 00:57.020
compromise details.

00:57.570 --> 00:58.529
So you're going to want to take a

00:58.530 --> 00:59.755
look at how the adversary

01:00.450 --> 01:02.489
actually behaved through different

01:02.490 --> 01:04.299
parts of their intrusion.

01:04.860 --> 01:06.689
So things like how they gained

01:06.690 --> 01:08.307
their initial access to a system,

01:08.430 --> 01:10.019
how they moved around between

01:10.020 --> 01:11.999
systems and how they actually

01:12.000 --> 01:13.568
did the compromise of the victim

01:14.130 --> 01:15.269
network systems.

01:17.150 --> 01:19.069
Oftentimes, this is going

01:19.070 --> 01:21.200
to be verbs, so

01:21.230 --> 01:23.060
"used", "create",

01:23.300 --> 01:25.339
"installed", things

01:25.340 --> 01:26.859
in our narrative reporting that

01:26.870 --> 01:27.948
describe a behavior,

01:28.760 --> 01:30.426
things that the adversary actually

01:30.590 --> 01:31.590
did.

01:34.770 --> 01:36.390
So this isn't going to be

01:36.600 --> 01:38.300
absolutely everything in a report;

01:38.310 --> 01:40.049
there's information in reporting that

01:40.050 --> 01:42.150
may not be useful for ATT&CK mapping,

01:42.930 --> 01:45.389
information that doesn't describe

01:45.390 --> 01:47.489
details about adversary behavior.

01:48.240 --> 01:50.249
Oftentimes, that's found in places

01:50.250 --> 01:52.609
like static malware analysis.

01:53.010 --> 01:55.799
So talking about hashes

01:55.800 --> 01:57.540
or very specific details

01:57.900 --> 01:59.819
of how a piece of malware

01:59.820 --> 02:00.900
was compiled,

02:02.190 --> 02:03.539
infrastructure registration

02:03.540 --> 02:04.540
information.

02:04.680 --> 02:06.959
So what IP address an adversary

02:06.960 --> 02:09.179
used is not going to be an ATT&CK

02:09.180 --> 02:10.180
behavior.

02:12.070 --> 02:13.449
Industry victim targeting

02:13.450 --> 02:15.459
information, so

02:15.610 --> 02:17.080
the fact that an adversary went

02:17.800 --> 02:18.878
after power utilities

02:20.320 --> 02:22.300
or educational institutions

02:23.080 --> 02:25.290
that exact "who" of the targeting

02:25.300 --> 02:27.610
is not an ATT&CK behavior.

02:32.510 --> 02:34.159
So let's take an example report.

02:34.190 --> 02:36.559
This comes from a FireEye report

02:36.890 --> 02:38.620
called Operation Double Tap.

02:38.630 --> 02:40.340
It's a couple of years old now,

02:40.640 --> 02:42.257
but it's still useful for looking

02:42.620 --> 02:43.620
at behaviors.

02:45.130 --> 02:46.894
So the first thing we're going to be

02:47.050 --> 02:48.520
doing here is starting to look

02:49.030 --> 02:50.030
for those verbs,

02:50.860 --> 02:52.477
looking for those descriptions of

02:52.600 --> 02:54.168
the things that the adversary is

02:54.190 --> 02:55.190
doing. So

02:56.360 --> 02:57.830
we're talking about successful

02:58.270 --> 02:59.369
exploitation.

03:00.100 --> 03:01.864
We're talking about uses the Windows

03:01.990 --> 03:03.759
command

03:04.420 --> 03:05.610
whoami.

03:06.520 --> 03:07.809
We're talking about creates

03:07.810 --> 03:09.133
persistence by creating the

03:09.610 --> 03:11.139
following scheduled task,

03:13.090 --> 03:15.069
establishes a SOCKS5

03:15.070 --> 03:16.540
connection to

03:17.020 --> 03:19.790
192.157.198.123.

03:21.680 --> 03:23.509
Sends the SOCKS5 connection

03:23.510 --> 03:24.637
request. And so each of

03:25.370 --> 03:26.840
these are behaviors; they are

03:27.080 --> 03:28.909
things that the adversary is doing

03:29.570 --> 03:31.639
and they're the starting place for us

03:31.790 --> 03:33.211
to be able to look for ATT&CK

03:33.830 --> 03:35.299
tactics and techniques.

03:36.860 --> 03:38.359
Some of these might even be multiple

03:38.360 --> 03:39.781
behaviors, at least as we get

03:40.190 --> 03:41.629
towards the language of ATT&CK.

03:42.200 --> 03:43.817
So we don't just have establishes

03:44.150 --> 03:45.150
a connection.

03:45.500 --> 03:47.719
We also have using TCP port.

03:47.870 --> 03:49.639
And each of these are things that,

03:49.640 --> 03:51.200
as we go through our process,

03:51.650 --> 03:53.218
we'll be able to turn into ATT&CK

03:53.300 --> 03:54.830
tactics and techniques.

03:58.070 --> 03:59.449
So once we have identified the

03:59.450 --> 04:01.018
behaviors, we've gone through, we've

04:01.130 --> 04:03.110
figured out where those verbs are,

04:03.500 --> 04:04.519
where are those things that are

04:04.520 --> 04:05.900
adversary actions,

04:07.220 --> 04:08.989
we need to research the behavior.

04:09.290 --> 04:10.820
We want to understand

04:11.210 --> 04:12.830
what the adversary is doing.

04:12.950 --> 04:14.629
Now, this may be something that

04:14.960 --> 04:16.332
you can skip. You can cheat.

04:16.339 --> 04:18.049
You know, this may be activity that

04:18.050 --> 04:19.189
you already understand.

04:19.200 --> 04:20.599
You understand, you know, what the

04:20.600 --> 04:22.159
adversary was trying to do.

04:22.820 --> 04:24.199
But if there are unfamiliar

04:24.200 --> 04:26.060
adversary software behaviors,

04:26.900 --> 04:28.566
you need to get into and look at a

04:28.790 --> 04:29.839
little bit more of what the

04:29.840 --> 04:30.859
adversary was doing.

04:32.190 --> 04:33.611
So, for example, you may want

04:34.110 --> 04:36.119
to examine details about network

04:36.120 --> 04:37.379
protocols that were used,

04:38.010 --> 04:40.329
some of ATT&CK is leveraging

04:40.330 --> 04:41.559
the OSI model.

04:41.610 --> 04:43.529
So looking at things like

04:43.530 --> 04:44.730
application layer,

04:45.630 --> 04:47.002
looking at capabilities that

04:47.550 --> 04:48.677
things have, what's the

04:49.410 --> 04:50.660
assigned number?

04:50.700 --> 04:52.730
Is it a common service?

04:52.740 --> 04:54.260
Is it an uncommon service?

04:54.900 --> 04:56.519
What is it normally used for?

04:57.270 --> 04:59.249
Or is the adversary going up

04:59.250 --> 05:01.139
against specific tools?

05:01.140 --> 05:03.179
So things like Samba or remote

05:03.180 --> 05:04.180
desktop?

05:05.420 --> 05:06.559
As you go through this, collaborate

05:06.560 --> 05:08.139
with your own organization;

05:08.150 --> 05:09.589
different people are going to have

05:09.590 --> 05:10.729
understanding of different

05:10.730 --> 05:11.730
behaviors.

05:11.960 --> 05:12.889
People are just going to have

05:12.890 --> 05:14.749
different skill sets. And

05:14.750 --> 05:16.249
absolutely leverage external

05:16.250 --> 05:17.119
resources.

05:17.120 --> 05:18.799
Search engines are your friend.

05:20.660 --> 05:22.189
Understanding your behaviors will

05:22.190 --> 05:23.449
help you with these next steps.

05:23.450 --> 05:24.289
But not just that.

05:24.290 --> 05:26.350
It also enhances analytic skills.

05:26.360 --> 05:28.459
It will make you a better analyst.

05:30.090 --> 05:32.069
So let's take a couple of the behaviors

05:32.070 --> 05:33.540
we identified in that original

05:33.660 --> 05:34.660
report. We said

05:35.490 --> 05:37.319
the adversary used SOCKS

05:37.320 --> 05:38.320
proxy.

05:38.460 --> 05:39.979
OK, so maybe we aren't familiar

05:40.470 --> 05:42.309
with SOCKS, you know,

05:42.390 --> 05:43.229
we Google it.

05:43.230 --> 05:44.670
We find it in Wikipedia

05:45.150 --> 05:46.473
and, you know, we find this

05:46.950 --> 05:47.950
information here.

05:48.360 --> 05:50.240
SOCKS is an Internet protocol.

05:50.760 --> 05:51.760
OK, go through

05:52.770 --> 05:53.897
it. SOCKS performs at

05:54.150 --> 05:56.009
layer five of the OSI model,

05:56.190 --> 05:58.039
the session layer.

05:58.080 --> 05:59.350
That's a little bit unusual.

05:59.370 --> 06:01.220
So layer five is

06:01.230 --> 06:02.798
not a layer that most things run

06:03.180 --> 06:04.180
on.

06:04.740 --> 06:06.419
OK, so we see it's a proxy.

06:06.420 --> 06:07.800
We see it's layer five.

06:08.070 --> 06:09.359
So we've got at least a little bit

06:09.360 --> 06:11.279
more information on what

06:11.290 --> 06:12.290
SOCKS is.

06:15.460 --> 06:17.224
So similarly, we said that they were

06:17.320 --> 06:19.410
using port 1913.

06:20.440 --> 06:22.380
Well, you know, we think we,

06:22.400 --> 06:24.159
you know, we know ports, we know TCP

06:24.160 --> 06:26.049
IP, but maybe

06:26.050 --> 06:28.059
we haven't heard of 1913

06:28.060 --> 06:28.989
before.

06:28.990 --> 06:30.519
So, you know, maybe this is not a

06:30.520 --> 06:31.899
port that we've come across in another

06:31.900 --> 06:33.819
analysis, and so we can

06:33.820 --> 06:34.749
hunt for this as well.

06:34.750 --> 06:36.171
And so there is a database out

06:36.610 --> 06:37.884
there of common ports with

06:38.560 --> 06:40.079
different services called Speed

06:40.420 --> 06:41.349
Guide.

06:41.350 --> 06:43.389
We look up port 1913

06:43.750 --> 06:45.850
and we find that it's for a

06:45.860 --> 06:47.680
service called armadp.

06:49.070 --> 06:50.880
I've never heard of armadp.

06:50.890 --> 06:52.605
And you know, when we created this,

06:52.810 --> 06:54.309
I talked to my other instructor,

06:54.310 --> 06:55.679
Katie. She had never heard of

06:55.720 --> 06:56.720
armadp.

06:57.490 --> 06:59.440
And so, you know, this is not

06:59.980 --> 07:01.479
this is not a common service, it's

07:01.480 --> 07:03.339
not a common port, and

07:03.340 --> 07:05.199
that's going to be useful knowledge

07:05.200 --> 07:06.720
for us as we go forward.

07:11.470 --> 07:12.799
So in summary, I've covered a couple

07:12.800 --> 07:14.529
of things going through this lesson.

07:15.250 --> 07:17.259
I've talked a little bit about what

07:17.260 --> 07:18.729
some of the guidelines are for

07:18.730 --> 07:20.049
places where you're likely to be

07:20.050 --> 07:21.610
able to do useful mapping

07:21.970 --> 07:23.649
and looked at tips for finding

07:23.650 --> 07:24.650
behaviors.

07:26.410 --> 07:28.119
I talked about why it's a little bit

07:28.120 --> 07:29.469
important to understand these

07:29.470 --> 07:31.509
behaviors and some

07:31.510 --> 07:33.369
of how you can start doing research

07:33.370 --> 07:35.079
on behaviors themselves.

07:35.650 --> 07:37.839
We also took a look at a FireEye

07:37.840 --> 07:39.408
report and some of the behaviors

07:39.970 --> 07:41.199
that are coming out of even just a

07:41.200 --> 07:42.639
small piece of text.

