WEBVTT

00:00.060 --> 00:01.739
Welcome to Module two, mapping from

00:01.740 --> 00:03.209
Raw Data. In Module

00:03.560 --> 00:05.459
one, Adam talked about the process of

00:05.460 --> 00:06.869
mapping from narrative reporting to

00:06.870 --> 00:07.769
ATT&CK.

00:07.770 --> 00:09.539
Now Module two will be talking about

00:09.540 --> 00:11.157
leveraging that same process when

00:11.190 --> 00:12.611
mapping from raw data or data

00:13.080 --> 00:14.310
from incident response.

00:15.510 --> 00:17.009
So our objectives for this module

00:17.010 --> 00:18.509
are learning how to identify and

00:18.510 --> 00:20.070
research behaviors in raw data.

00:20.160 --> 00:21.479
Next, we'll be talking about

00:21.480 --> 00:22.949
translating those behaviors into

00:22.950 --> 00:24.359
tactics, techniques and sub-techniques.

00:24.360 --> 00:25.389
Finally, we'll practice

00:26.370 --> 00:27.569
mapping the raw data with an

00:27.570 --> 00:29.129
exercise. And then we'll review a

00:29.130 --> 00:30.449
couple of best practices for

00:30.450 --> 00:32.039
displaying the ATT&CK-mapped data in

00:32.040 --> 00:33.040
reports.

00:34.550 --> 00:36.139
Moving on to our first lesson, two

00:36.140 --> 00:37.669
point one, the process of mapping

00:37.670 --> 00:38.670
from raw data.

00:40.140 --> 00:41.549
So our objectives for Lesson two

00:41.550 --> 00:42.899
point one are talking through the

00:42.900 --> 00:44.460
mapping process for raw data.

00:44.610 --> 00:45.839
We're going to be discussing some of

00:45.840 --> 00:47.159
the challenges and advantages of

00:47.160 --> 00:49.079
mapping from raw data versus

00:49.080 --> 00:50.639
narrative reporting and then

00:50.640 --> 00:51.869
reviewing the pros and cons of

00:51.870 --> 00:53.099
mapping from the two different data

00:53.100 --> 00:54.100
sources.

00:56.470 --> 00:58.000
So far in this ATT&CK

00:58.480 --> 00:59.949
training, we've been focusing on

00:59.950 --> 01:01.899
reporting and intelligence that has

01:01.900 --> 01:03.609
already been developed and is

01:03.610 --> 01:05.229
outlining what occurred around the

01:05.230 --> 01:06.406
adversary behaviors. When

01:07.180 --> 01:08.409
mapping from raw data,

01:08.440 --> 01:09.699
we're going to be performing the

01:09.700 --> 01:12.069
analysis of behaviors directly

01:12.070 --> 01:13.687
from the source data that informs

01:13.780 --> 01:14.889
those types of reports.

01:15.960 --> 01:16.979
And there are some specific

01:16.980 --> 01:18.779
challenges and advantages of mapping

01:18.780 --> 01:19.780
from raw data.

01:20.070 --> 01:21.785
So a key challenge with raw data is

01:21.810 --> 01:23.100
that there can be a lot more

01:23.130 --> 01:25.019
knowledge necessary to

01:25.020 --> 01:26.686
actually come to a point where you

01:26.700 --> 01:28.359
can map to ATT&CK.

01:29.310 --> 01:31.074
So this might include reviewing many

01:31.200 --> 01:32.964
more data sources and it may require

01:33.330 --> 01:35.370
just diverse levels of experience.

01:35.970 --> 01:37.319
Another challenge is that there can

01:37.320 --> 01:39.029
be a wide set of potential data that

01:39.030 --> 01:40.402
might contain behaviors, and

01:41.010 --> 01:42.700
this can be data from forensic disk

01:42.720 --> 01:44.669
images or from SQL commands.

01:45.030 --> 01:46.794
It can be from our own analysis,

01:47.040 --> 01:48.959
from sandbox detonation or from

01:48.960 --> 01:50.430
a number of other data sources

01:50.670 --> 01:52.790
coming from incident responders.

01:53.460 --> 01:55.077
And finally, you might have to be

01:55.170 --> 01:56.999
looking at a lot more data overall

01:57.000 --> 01:58.519
in order to figure out what the

01:58.530 --> 02:00.000
intent and tactics are for the

02:00.450 --> 02:01.450
actual behavior.

02:02.880 --> 02:04.349
Moving on to the advantages.

02:04.440 --> 02:06.106
So a key advantage is that there's

02:06.150 --> 02:07.865
probably more information available

02:08.340 --> 02:10.379
at a procedure level and more detail

02:10.380 --> 02:11.380
on the actual data.

02:11.520 --> 02:12.990
You're also not reinterpreting

02:13.050 --> 02:14.460
someone else's analysis.

02:14.880 --> 02:16.399
You're deciding yourself how to

02:16.800 --> 02:18.580
assess the adversary activities.

02:19.260 --> 02:20.650
Finally, with raw data,

02:20.670 --> 02:22.199
it really enables you to increase

02:22.200 --> 02:23.849
your understanding of different data

02:23.850 --> 02:25.559
sources and potentially using

02:25.980 --> 02:27.269
different kinds of tools to gain

02:27.270 --> 02:29.069
additional information on adversary

02:29.070 --> 02:30.070
behaviors.

02:31.070 --> 02:32.149
So throughout the rest of this

02:32.150 --> 02:33.379
module, we're going to be following

02:33.380 --> 02:34.997
the same mapping process that was

02:35.270 --> 02:36.399
covered in Module one,

02:37.100 --> 02:37.969
we're going to be walking through

02:37.970 --> 02:39.409
each of these steps to identify

02:39.410 --> 02:40.879
research and translate those

02:40.880 --> 02:42.590
behaviors into the relevant tactic,

02:42.860 --> 02:44.150
technique or sub-technique.

02:45.770 --> 02:47.269
So with each of the steps and the

02:47.270 --> 02:48.919
ATT&CK mapping process, there can be

02:48.920 --> 02:50.537
a lot of variance between the two

02:50.630 --> 02:52.129
types of information mapped to ATT&CK.

02:52.370 --> 02:53.359
And so we're going to be walking

02:53.360 --> 02:55.124
through some of the pros and cons of

02:55.340 --> 02:56.779
mapping from the two sources,

02:57.680 --> 02:59.329
starting with step one, finding the

02:59.330 --> 03:01.279
behavior. For raw data,

03:01.290 --> 03:02.899
if you're actually looking at data

03:02.900 --> 03:04.270
and the information coming from an

03:04.500 --> 03:05.500
activity,

03:05.600 --> 03:07.150
a lot of it can be a behavior.

03:07.700 --> 03:08.659
Now, that's not to say that

03:08.660 --> 03:10.277
everything in the data is an ATT&CK

03:10.280 --> 03:12.439
technique. As Adam discussed

03:12.440 --> 03:14.659
in Module one, ATT&CK doesn't include

03:14.660 --> 03:16.069
every possible behavior

03:16.730 --> 03:17.809
In narrative reporting,

03:17.810 --> 03:19.219
the behaviors might be buried in a

03:19.220 --> 03:20.589
lot of content and hidden among

03:20.600 --> 03:21.629
IOCs or distributed

03:22.550 --> 03:24.529
throughout the report. For step

03:24.530 --> 03:26.149
two, researching the behavior:

03:26.540 --> 03:28.069
With raw data, you might have to

03:28.070 --> 03:29.638
work across multiple domains and

03:29.690 --> 03:31.356
sources to actually understand the

03:31.400 --> 03:33.139
behaviors, or you might

03:33.410 --> 03:35.076
have to review multiple data types

03:35.210 --> 03:36.999
simultaneously. In

03:37.070 --> 03:38.687
addition, the activity might

03:38.990 --> 03:40.729
be a recognized procedure, as we

03:40.730 --> 03:41.730
discussed.

03:41.780 --> 03:43.789
And this can help us map

03:43.790 --> 03:45.460
directly to a technique or sub-

03:45.470 --> 03:47.689
technique. In narrative reporting,

03:47.690 --> 03:49.356
there might be enough intelligence

03:49.430 --> 03:51.349
and related context to really

03:51.350 --> 03:52.729
understand their behavior,

03:53.210 --> 03:54.679
but there also might be some lost

03:54.680 --> 03:56.329
detail that wasn't included in the

03:56.330 --> 03:57.330
report.

03:57.790 --> 03:59.456
Step three is to translate the

03:59.500 --> 04:00.759
behavior into a tactic.

04:01.710 --> 04:03.330
It might take a significant level of

04:03.350 --> 04:04.859
domain knowledge and expertise to

04:04.860 --> 04:06.869
understand adversary activity

04:06.870 --> 04:08.330
and intent in raw data,

04:08.970 --> 04:10.489
whereas in narrative reporting,

04:10.860 --> 04:12.477
this might already be outlined by

04:12.780 --> 04:14.152
the report author where they

04:14.430 --> 04:16.145
speculated about what the intent is

04:16.470 --> 04:17.470
for the behaviors

04:18.300 --> 04:20.249
For step four, in raw data,

04:20.250 --> 04:21.569
if we've already found a procedure

04:21.570 --> 04:22.739
that goes straight to a technique or

04:22.740 --> 04:24.839
sub-technique, as we mentioned,

04:24.840 --> 04:26.110
this could be relatively simple.

04:26.580 --> 04:27.989
This might also require a really

04:27.990 --> 04:29.549
deep understanding of the specific

04:29.550 --> 04:31.118
data type in order to understand

04:31.740 --> 04:33.389
how that activity was accomplished.

04:34.050 --> 04:35.699
In the case of narrative reporting,

04:35.700 --> 04:37.169
it might be as simple as a text

04:37.170 --> 04:38.759
match with something we previously

04:38.760 --> 04:41.009
mapped to ATT&CK or procedures

04:41.010 --> 04:42.010
already in ATT&CK.

04:42.120 --> 04:43.649
But there also might be a lack of

04:43.650 --> 04:45.022
necessary detail to indicate

04:45.660 --> 04:46.920
what the technique is.

04:47.430 --> 04:49.145
Finally, there's step five, comparing

04:49.460 --> 04:51.269
your results to other analysts.

04:52.050 --> 04:53.549
So collaboration with other analysts

04:53.550 --> 04:55.199
is really important with raw data to

04:55.200 --> 04:56.849
ensure that all the different data

04:56.850 --> 04:58.769
sources you're pulling in

04:58.770 --> 05:00.089
are covered with the appropriate

05:00.090 --> 05:02.189
expertise. In narrative

05:02.190 --> 05:04.079
reporting, this collaboration is

05:04.080 --> 05:05.599
key to helping us recognize and

05:05.730 --> 05:07.379
mitigate those user biases.

05:08.590 --> 05:10.179
So in Lesson two point one,

05:10.180 --> 05:11.748
we just talked about mapping raw

05:11.860 --> 05:13.629
data to ATT&CK and discussed some of

05:13.630 --> 05:14.589
the challenges and some of the

05:14.590 --> 05:16.239
advantages of mapping from raw data

05:16.240 --> 05:17.499
compared to reporting,

05:18.550 --> 05:20.649
and that includes a more advanced

05:20.650 --> 05:21.759
and diverse skill set might be

05:21.760 --> 05:22.919
required for raw data.

05:22.930 --> 05:24.549
But there's likely more information

05:24.550 --> 05:26.314
at the procedure level and you won't

05:26.500 --> 05:27.939
be reinterpreting someone else's

05:27.940 --> 05:28.940
analysis.

05:29.290 --> 05:30.759
We also walked through some pros and

05:30.760 --> 05:32.379
cons of mapping from each source

05:32.380 --> 05:34.209
based on the ATT&CK mapping process.

05:35.120 --> 05:36.379
In Lesson two point two, we're

05:36.380 --> 05:38.059
going to be diving into identifying

05:38.060 --> 05:39.650
and researching the behaviors.

