WEBVTT

00:00.000 --> 00:02.175
>> Welcome to Lesson 2.2,

00:02.175 --> 00:05.310
Identifying and
Researching Behaviors.

00:05.310 --> 00:07.560
We'll kick off the
mapping process

00:07.560 --> 00:08.970
in this lesson by
walking through

00:08.970 --> 00:10.170
some examples of how to

00:10.170 --> 00:12.299
recognize behaviors
in raw data.

00:12.299 --> 00:14.370
>> Next, we'll move
on to step 2 in

00:14.370 --> 00:16.365
researching the
identified behaviors.

00:16.365 --> 00:17.010
In this step,

00:17.010 --> 00:18.510
we're also going to
talk about the need for

00:18.510 --> 00:20.700
multiple data sources
and the types of

00:20.700 --> 00:24.220
data sources that may
contribute to your research.

00:24.740 --> 00:28.275
Step 1, finding the behavior.

00:28.275 --> 00:29.855
Walking through this data,

00:29.855 --> 00:33.390
we see a couple of commands
captured by Sysmon that

00:33.390 --> 00:35.010
are being run interactively via

00:35.010 --> 00:37.680
cmd.exe by an adversary.

00:37.680 --> 00:40.900
Next, we have some data
from a couple of flows.

00:40.900 --> 00:44.705
This is from malware being
run in a sandbox environment.

00:44.705 --> 00:47.210
Finally, there are some
registry keys that we're

00:47.210 --> 00:50.135
seeing being added
during an incident.

00:50.135 --> 00:53.450
All of these commands are
being run by an adversary,

00:53.450 --> 00:55.719
and each of them is
possibly a behavior.

00:55.719 --> 00:57.890
Some of the flows can
be behaviors that we're

00:57.890 --> 01:00.650
actually seeing from the
piece of software itself,

01:00.650 --> 01:02.750
and the registry
keys being added

01:02.750 --> 01:04.340
can be either a
behavior coming from

01:04.340 --> 01:06.890
the adversary or the software.

01:06.890 --> 01:09.455
We're going to be researching
these potential behaviors

01:09.455 --> 01:12.240
over the next couple of slides.

01:13.450 --> 01:17.105
Our next step in the process
is researching the behavior.

01:17.105 --> 01:18.410
Before we start looking into

01:18.410 --> 01:19.730
the potential
behaviors that we just

01:19.730 --> 01:21.170
found in the raw data,

01:21.170 --> 01:22.880
I want to go into
the analysis process

01:22.880 --> 01:24.580
for raw data a bit more.

01:24.580 --> 01:26.515
Depending on your
Intel requirements

01:26.515 --> 01:27.960
and the data you're reviewing,

01:27.960 --> 01:29.600
this step can mirror
the approach to

01:29.600 --> 01:31.745
analyzing data in
narrative reporting,

01:31.745 --> 01:34.505
but it can also present
some different aspects.

01:34.505 --> 01:37.040
As we discussed with the
pros and cons of mapping

01:37.040 --> 01:39.500
from the two different
sources in the last lesson,

01:39.500 --> 01:42.020
raw data can require
a deeper level of

01:42.020 --> 01:43.940
expertise in order to follow

01:43.940 --> 01:46.435
what's happening in
a specific datatype.

01:46.435 --> 01:48.260
This can require
that an analyst has

01:48.260 --> 01:50.150
experience in looking
at network packets

01:50.150 --> 01:51.770
and forensic data
or understanding

01:51.770 --> 01:54.210
what different
Windows commands do.

01:54.210 --> 01:56.105
As you're working with raw data,

01:56.105 --> 01:57.620
you may realize
that supplementary

01:57.620 --> 01:59.120
data sources are needed for

01:59.120 --> 02:00.770
you to glean enough context

02:00.770 --> 02:02.690
to understand what
the behavior is.

02:02.690 --> 02:04.160
This might require further

02:04.160 --> 02:05.600
queries and leveraging
your incident

02:05.600 --> 02:07.700
responders or collaborating with

02:07.700 --> 02:09.815
the analysts that are
providing this data.

02:09.815 --> 02:11.794
Also in some cases,

02:11.794 --> 02:14.255
the research can be
very straightforward.

02:14.255 --> 02:16.100
You might be able
to quickly find

02:16.100 --> 02:18.620
some relevant results
and additional insights

02:18.620 --> 02:20.450
on your favorite search
engine or you can search

02:20.450 --> 02:23.130
the ATT&CK website for
a specific command,

02:23.130 --> 02:25.430
and often the description
of the command will provide

02:25.430 --> 02:28.040
a good idea of what technique
that behavior falls under.

02:28.040 --> 02:29.630
Other times, it might
be a little more

02:29.630 --> 02:31.385
difficult to
determine a behavior,

02:31.385 --> 02:32.960
especially if a command line is

02:32.960 --> 02:35.569
complex and the
context is sparse.

02:35.569 --> 02:37.970
In this case, unpacking the
complexity by pulling in

02:37.970 --> 02:41.030
other data sources is needed.

02:41.030 --> 02:42.740
You might have to
use the sandbox,

02:42.740 --> 02:44.720
perform further file analysis,

02:44.720 --> 02:46.970
or leverage a search
engine to pull in

02:46.970 --> 02:50.520
that extra insight into
the technical details.

02:51.740 --> 02:53.765
As we just discussed,

02:53.765 --> 02:55.460
researching potential
behaviors from

02:55.460 --> 02:57.800
raw data on the ATT&CK
website can often give us

02:57.800 --> 02:59.345
an idea of what the behavior

02:59.345 --> 03:02.095
is and where we
can likely map it.

03:02.095 --> 03:04.220
For example, if you
start searching through

03:04.220 --> 03:07.040
the ATT&CK website
for ipconfig /all,

03:07.040 --> 03:08.750
it appears in one technique,

03:08.750 --> 03:10.880
specifically under a
procedure example for

03:10.880 --> 03:13.474
system network
configuration discovery.

03:13.474 --> 03:16.400
This provides a description
of what's going on and it can

03:16.400 --> 03:17.690
help us gain an understanding of

03:17.690 --> 03:19.490
what the adversary's goal is.

03:19.490 --> 03:20.960
You might have an assessment of

03:20.960 --> 03:22.370
what technique that behavior

03:22.370 --> 03:25.340
is going to map to and what
tactic it aligns with,

03:25.340 --> 03:28.590
but it can also be a
little more complex.

03:29.030 --> 03:32.120
The other command line that
was in the data was running

03:32.120 --> 03:36.025
recycler.exe and there were
also some command-line flags.

03:36.025 --> 03:38.505
We see something
with a VSDX file,

03:38.505 --> 03:41.390
but there isn't necessarily
enough detail right now.

03:41.390 --> 03:43.040
Although we might
be able to make

03:43.040 --> 03:45.770
an initial assessment of what
one of the behaviors is,

03:45.770 --> 03:48.415
more context is
required at this step.

03:48.415 --> 03:51.560
We'll pull in and review
another data source.

03:51.560 --> 03:53.270
If we put this command into

03:53.270 --> 03:56.150
a sandbox and perform
file analysis,

03:56.150 --> 03:58.990
we get the following output.

03:58.990 --> 04:01.290
It's likely looking
more familiar.

04:01.290 --> 04:03.590
The output displays a
banner that is showing us

04:03.590 --> 04:06.394
that this is a RAR,
so an archiver.

04:06.394 --> 04:08.570
At this point, we'll
leverage a search engine for

04:08.570 --> 04:10.400
some additional
research on the flags

04:10.400 --> 04:12.755
and to gain more insight
into what's occurring.

04:12.755 --> 04:15.215
After researching that -hp switch,

04:15.215 --> 04:17.030
we can determine that
it's being used to

04:17.030 --> 04:19.860
compress and encrypt the file.

04:20.570 --> 04:25.035
Now, for the final piece of
the puzzle, that VSDX file.

04:25.035 --> 04:27.240
We're going to leverage
a search engine again,

04:27.240 --> 04:28.520
and from the first result,

04:28.520 --> 04:30.895
we can see that
it's a Visio file.

04:30.895 --> 04:32.750
We know that a Visio file is

04:32.750 --> 04:34.565
not going to be
coming out of a RAR.

04:34.565 --> 04:36.230
This actually provides us with

04:36.230 --> 04:39.245
some valuable context on
what's potentially happening.

04:39.245 --> 04:42.200
From our research, we can
deduce that someone is likely

04:42.200 --> 04:43.910
pretending that this information

04:43.910 --> 04:45.964
is being compressed
and encrypted

04:45.964 --> 04:47.855
as a Visio diagram. This

04:47.855 --> 04:50.075
could be an attempt
to exfiltrate data,

04:50.075 --> 04:51.350
but some further
details would be

04:51.350 --> 04:53.645
beneficial for our analysis.

04:53.645 --> 04:56.880
We'll be discussing that
in the next lesson.

04:57.280 --> 05:00.620
In Lesson 2.2, we walked
through a couple of

05:00.620 --> 05:03.275
examples of identifying
the behaviors in raw data.

05:03.275 --> 05:05.510
We discussed how to
research the behaviors,

05:05.510 --> 05:07.070
highlighting that in many cases,

05:07.070 --> 05:09.460
multiple data sources are
going to be required.

05:09.460 --> 05:11.120
In the next lesson,

05:11.120 --> 05:13.250
we'll discuss how to
translate behaviors into

05:13.250 --> 05:16.470
tactics, techniques,
and sub-techniques.

