WEBVTT

00:00.769 --> 00:02.865
>> This is Module 1,

00:02.865 --> 00:06.760
Lesson 5, Mapping to
a Narrative Report.

00:08.030 --> 00:12.570
Our objectives for this lesson

00:12.570 --> 00:13.965
are to give you some practice

00:13.965 --> 00:15.959
identifying tactics, techniques,

00:15.959 --> 00:19.125
and sub-techniques in
a narrative report,

00:19.125 --> 00:21.690
if you're working
with somebody else, to

00:21.690 --> 00:23.280
be able to compare
your results to

00:23.280 --> 00:25.680
another analyst's outcomes and

00:25.680 --> 00:28.690
review the exercise results.

00:30.920 --> 00:33.120
This is Exercise 1.

00:33.120 --> 00:35.180
We're going to have
you actually take

00:35.180 --> 00:37.040
a narrative report and map

00:37.040 --> 00:39.175
to ATT&CK tactics
and techniques.

00:39.175 --> 00:42.650
I'm going to have you
analyze a portion of

00:42.650 --> 00:44.390
a threat report going through

00:44.390 --> 00:45.470
the process that we've been

00:45.470 --> 00:47.470
covering the rest
of this module.

00:47.470 --> 00:51.315
We've highlighted 21
techniques and sub-techniques

00:51.315 --> 00:56.265
in a threat report called
Cobalt Kitty by Cybereason.

00:56.265 --> 00:58.395
You're going to
review the report.

00:58.395 --> 01:02.175
It should be under the
Resources tab in the system.

01:02.175 --> 01:05.340
There will be two
versions of the report,

01:05.340 --> 01:07.890
one called Cobalt
Kitty Highlights

01:07.890 --> 01:11.970
Only and one called Cobalt
Kitty Tactic Hints.

01:11.970 --> 01:13.710
You can use either.

01:13.710 --> 01:15.335
The tactic hints tell you

01:15.335 --> 01:17.620
what we would suggest
the tactic is,

01:17.620 --> 01:19.970
whereas the highlights only is

01:19.970 --> 01:21.590
the harder version
where you're going to

01:21.590 --> 01:23.800
have to come up with both.

01:23.800 --> 01:25.350
It's a PDF.

01:25.350 --> 01:26.780
If you're using
the right reader,

01:26.780 --> 01:28.190
you should be able
to actually fill in

01:28.190 --> 01:30.110
the fields in the PDF

01:30.110 --> 01:31.970
itself or use a separate piece

01:31.970 --> 01:34.459
of paper to keep track
of your results.

01:34.459 --> 01:38.030
Write down the ATT&CK
tactic and technique or

01:38.030 --> 01:39.800
sub-technique you think applies

01:39.800 --> 01:42.110
to each highlighted behavior.

01:42.110 --> 01:44.690
Remember, use the
tricks and tips

01:44.690 --> 01:47.075
that we've given you throughout
the rest of this module.

01:47.075 --> 01:51.415
Do search bar and keyword
searches on the ATT&CK website.

01:51.415 --> 01:53.835
You don't have to be perfect

01:53.835 --> 01:56.495
and there isn't necessarily
a right answer.

01:56.495 --> 01:57.950
You may actually come up

01:57.950 --> 01:59.540
with different
things than we do.

01:59.540 --> 02:01.400
You may feel that some
of the behaviors we've

02:01.400 --> 02:05.285
highlighted aren't really
covered in any techniques.

02:05.285 --> 02:08.390
This also can be an
opportunity to dive into

02:08.390 --> 02:09.890
ATT&CK and take a look at

02:09.890 --> 02:12.290
some of the actual
content in there.

02:12.290 --> 02:15.090
Please pause the video now.

02:15.090 --> 02:17.270
We recommend giving
yourself up to

02:17.270 --> 02:20.340
30 minutes to do this exercise.

02:25.340 --> 02:28.020
Done with that part
of the exercise?

02:28.020 --> 02:30.080
We've got one more step for you

02:30.080 --> 02:33.310
if you're doing this training
working with others.

02:33.310 --> 02:34.950
We said it was going to

02:34.950 --> 02:38.145
be something that
went up to step 5.

02:38.145 --> 02:40.250
The step we didn't cover yet in

02:40.250 --> 02:41.600
the training is to

02:41.600 --> 02:44.795
compare your results
with other analysts.

02:44.795 --> 02:49.790
Collaboration helps hedge
against analysts' biases.

02:49.790 --> 02:52.715
Everyone has different
types of biases.

02:52.715 --> 02:56.275
We'll cover some of those
in the next lesson.

02:56.275 --> 02:58.475
But comparing with
others can help

02:58.475 --> 03:01.555
us come up with better answers.

03:01.555 --> 03:03.980
If you do have
somebody to work with,

03:03.980 --> 03:06.920
compare what you had for
each technique answer.

03:06.920 --> 03:10.025
Discuss if there are
differences, why?

03:10.025 --> 03:12.830
How did you each arrive
at your conclusions?

03:12.830 --> 03:15.320
It is okay if you walk
away disagreeing.

03:15.320 --> 03:17.890
This is analysis at
the end of the day.

03:17.890 --> 03:21.380
If you do have somebody to
work with, please pause.

03:21.380 --> 03:22.910
I suggest giving yourself

03:22.910 --> 03:25.400
10 minutes for this
part of the exercise.

03:25.400 --> 03:27.350
If you don't have
any other analysts

03:27.350 --> 03:29.090
to discuss your answers with,

03:29.090 --> 03:32.070
you can go on to
the next portion.

03:37.190 --> 03:39.300
As we start to get

03:39.300 --> 03:44.240
into what you came up with
for answers on the exercise,

03:44.240 --> 03:46.435
some things to think through.

03:46.435 --> 03:49.440
What were the easiest
and hardest techniques

03:49.440 --> 03:51.625
or sub-techniques to identify?

03:51.625 --> 03:54.590
Why were those easier
or harder for you?

03:54.590 --> 03:56.465
Which tricks did you use to

03:56.465 --> 03:59.590
identify each technique
or sub-technique?

03:59.590 --> 04:01.470
What challenges did you have?

04:01.470 --> 04:03.630
Was there anything
you couldn't find?

04:03.630 --> 04:05.135
How did you address them?

04:05.135 --> 04:06.380
Which steps did you go

04:06.380 --> 04:09.120
through in trying
to figure it out?

04:11.390 --> 04:14.630
I'm going to go through
what our answers

04:14.630 --> 04:18.775
were for the highlighted
portions of the threat report.

04:18.775 --> 04:21.120
Two types of payloads were found

04:21.120 --> 04:22.710
in the spear-phishing email.

04:22.710 --> 04:24.900
It said it was a link,
so that's

04:24.900 --> 04:27.615
Initial Access:
Spearphishing Link.

04:27.615 --> 04:29.790
Right next to that we also had

04:29.790 --> 04:32.115
spearphishing emails,
Word documents.

04:32.115 --> 04:34.500
Let this be Initial
Access: Phishing,

04:34.500 --> 04:35.940
Spearphishing Attachment.

04:35.940 --> 04:38.610
Both of those are
pretty straightforward.

04:38.780 --> 04:41.030
Two types of payloads are found

04:41.030 --> 04:42.155
in the spearphishing emails,

04:42.155 --> 04:44.560
Word documents with
malicious macros.

04:44.560 --> 04:46.865
It takes a little
bit more understanding

04:46.865 --> 04:50.180
of macros and the
languages behind them.

04:50.180 --> 04:52.490
But if you dig into the details,

04:52.490 --> 04:56.930
you'll probably find
Defense Evasion/Execution,

04:56.930 --> 04:59.950
Command and Scripting
Interpreter: Visual Basic,

04:59.950 --> 05:03.820
which is the language
behind Word macros.

05:03.890 --> 05:07.054
Finally, maybe a little
bit less obvious,

05:07.054 --> 05:08.390
two types of payloads were

05:08.390 --> 05:10.220
found in the
spearphishing emails.

05:10.220 --> 05:14.720
The report goes on to describe
these as successful attacks,

05:14.720 --> 05:18.185
implying that the user
clicked on the email.

05:18.185 --> 05:20.720
Something that MITRE
ATT&CK does as we do

05:20.720 --> 05:23.450
our own report mappings
is that we would add

05:23.450 --> 05:27.240
User Execution: Malicious Link.

05:31.970 --> 05:34.890
We highlighted cmd.exe

05:34.890 --> 05:36.335
being the parent process here,

05:36.335 --> 05:38.450
which is the Windows
command shell.

05:38.450 --> 05:40.280
This is Execution: Command and

05:40.280 --> 05:43.055
Scripting Interpreter:
Windows Command Shell.

05:43.055 --> 05:46.490
This talks about scheduled
tasks being created on

05:46.490 --> 05:49.430
Windows, and that's Execution and

05:49.430 --> 05:52.535
Persistence: Scheduled Task/Job:

05:52.535 --> 05:54.470
Scheduled Task, which is

05:54.470 --> 05:58.460
the Windows-specific
version of scheduled task.

05:58.460 --> 06:00.680
Right in this command here we

06:00.680 --> 06:04.445
actually have mshta directly.

06:04.445 --> 06:07.250
We've got Execution/Defense
Evasion: Signed

06:07.250 --> 06:12.025
Binary Proxy Execution: Mshta.

06:12.025 --> 06:14.675
Right in the name
of the technique.

06:14.675 --> 06:18.110
Downloads and executes
an additional payload

06:18.110 --> 06:19.895
from the same server.

06:19.895 --> 06:25.170
Downloading tools comes straight
in as Ingress Tool Transfer.

06:27.530 --> 06:30.150
Very similar to cmd.exe,

06:30.150 --> 06:33.155
we had a parent
process of PowerShell.

06:33.155 --> 06:37.380
This is Command and Scripting
Interpreter: PowerShell.

06:37.970 --> 06:41.340
Obfuscated and
XOR'ed PowerShell.

06:41.340 --> 06:46.145
The words line up right
with the technique name,

06:46.145 --> 06:48.650
Obfuscated Files or Information,

06:48.650 --> 06:51.090
right in Defense Evasion.

06:51.320 --> 06:54.220
Registry autoruns.

06:54.220 --> 06:57.530
This is an example we gave
actually in the introduction

06:57.530 --> 07:01.205
even: Registry Run
Keys/Startup Folder,

07:01.205 --> 07:04.025
which is a sub-technique
of Boot or Logon

07:04.025 --> 07:08.560
Autostart Execution in
the Persistence tactic.

07:08.560 --> 07:13.050
NTFS Alternate Data
Stream is directly in

07:13.050 --> 07:14.980
the NTFS File Attributes

07:14.980 --> 07:19.110
technique, which comes
under Defense Evasion.

07:21.100 --> 07:26.495
Attackers created and/or
modified Windows services.

07:26.495 --> 07:30.760
Created and modified
are both in there,

07:30.760 --> 07:34.330
so Create or Modify System
Process: Windows Service.

07:34.330 --> 07:37.600
Also had actually running
the service itself,

07:37.600 --> 07:43.540
so System Services: Service Execution,
both under Persistence.

07:44.150 --> 07:47.780
Used a malicious
Outlook backdoor macro,

07:47.780 --> 07:50.650
edited a specific
registry value.

07:50.650 --> 07:54.430
That's a pretty specific
technique that's under

07:54.430 --> 07:58.640
Office Application Startup
within Persistence.

07:59.960 --> 08:03.430
Then the registry modification

08:03.430 --> 08:06.290
we have under Defense Evasion.

08:06.710 --> 08:10.530
Communicated with command
and control servers,

08:10.530 --> 08:12.640
so a strong hint here that
we're in Command and

08:12.640 --> 08:15.545
Control, from command
and control servers.

08:15.545 --> 08:18.135
Then we have that it's HTTP,

08:18.135 --> 08:23.329
so Web Protocols,
Application Layer Protocol.

08:25.970 --> 08:31.710
The attacker downloaded COM
scriptlets using regsvr32.

08:31.710 --> 08:33.940
We have again Ingress
Tool Transfer

08:33.940 --> 08:35.890
for the downloading
of the tools.

08:35.890 --> 08:37.960
Then with the regsvr32,

08:37.960 --> 08:42.700
that's Signed Binary
Proxy Execution: Regsvr32.

08:43.730 --> 08:48.345
Masquerading is a
specific technique.

08:48.345 --> 08:50.700
The technique is Masquerading.

08:50.700 --> 08:52.855
If you look more carefully
at what they're doing,

08:52.855 --> 08:55.900
they're making it look like
a legitimate Windows update.

08:55.900 --> 08:59.240
That's Match Legitimate
Name or Location.

08:59.240 --> 09:02.714
Network scanning,
looking for open ports,

09:02.714 --> 09:06.550
that's Network Service
Scanning under Discovery.

09:09.260 --> 09:13.630
How did you do? If you
feel like you would

09:13.630 --> 09:15.340
like some more practice or even

09:15.340 --> 09:17.250
if you just have a little
bit of extra time,

09:17.250 --> 09:20.785
we've actually provided
a second report

09:20.785 --> 09:23.050
that we've highlighted in
a very similar fashion.

09:23.050 --> 09:26.565
We don't give tactic
hints in this version.

09:26.565 --> 09:28.640
We do have our answers

09:28.640 --> 09:30.950
in there as well
in a separate PDF.

09:30.950 --> 09:32.300
So this will show up in

09:32.300 --> 09:37.445
the resources section as
the FireEye APT39 report.

09:37.445 --> 09:39.110
I'm not going to go over

09:39.110 --> 09:42.030
the answers to that
in this lesson.

09:43.640 --> 09:46.520
Hopefully in this
lesson you've gotten

09:46.520 --> 09:48.800
some practice
identifying tactics,

09:48.800 --> 09:52.285
techniques, and sub-techniques
in a narrative report,

09:52.285 --> 09:54.140
talked a little bit
about the importance

09:54.140 --> 09:55.490
of comparing your results to

09:55.490 --> 09:58.370
another analyst's
outcomes and gone

09:58.370 --> 10:02.400
through and evaluated
the exercise results.

