WEBVTT

00:00.000 --> 00:01.710
>> Welcome to Lesson 2.3,

00:01.710 --> 00:02.850
Translate Behaviors to

00:02.850 --> 00:05.415
Tactics, Techniques,
and Sub-techniques.

00:05.415 --> 00:07.290
In this lesson, our objectives

00:07.290 --> 00:08.700
are developing the
ability to take

00:08.700 --> 00:10.080
the behaviors we identify in

00:10.080 --> 00:12.660
raw data and map them to
the relevant tactics,

00:12.660 --> 00:14.130
techniques, and subs.

00:14.130 --> 00:16.590
Then we'll be reviewing
concurrent techniques and

00:16.590 --> 00:17.940
reinforcing the importance of

00:17.940 --> 00:20.890
peer review for ATT&CK mappings.

00:21.080 --> 00:23.670
In this step, we're going
to be going through and

00:23.670 --> 00:26.100
translating the behaviors
and the tactics.

00:26.100 --> 00:28.440
With ipconfig /all, this was

00:28.440 --> 00:31.080
a relatively specific
procedure that we previously

00:31.080 --> 00:33.660
found under System Network
Configuration Discovery

00:33.660 --> 00:36.090
and that falls under
the discovery tactic.

00:36.090 --> 00:40.165
Although we've identified
the tactic, we're not done.

00:40.165 --> 00:42.710
As we noted while
reviewing the data,

00:42.710 --> 00:44.720
it was seen being
run via Sysmon,

00:44.720 --> 00:47.995
and so this also falls
under the execution tactic.

00:47.995 --> 00:51.115
For the next behavior,
the recycler.exe,

00:51.115 --> 00:52.760
that's being run via
the command line,

00:52.760 --> 00:54.320
which we see via Sysmon,

00:54.320 --> 00:56.810
and we align the pieces
of our research analysis

00:56.810 --> 00:59.665
together to identify what
we think is the tactic.

00:59.665 --> 01:01.880
We ascertained that it's
trying to pretend that it's

01:01.880 --> 01:04.040
a Visio diagram, and we have

01:04.040 --> 01:07.325
moderate confidence that
this is exfiltration.

01:07.325 --> 01:09.290
If we were able to leverage

01:09.290 --> 01:10.430
some more information and other

01:10.430 --> 01:11.585
data sources and run this,

01:11.585 --> 01:13.055
it might enrich our analysis

01:13.055 --> 01:14.885
and add some additional details.

01:14.885 --> 01:16.385
But based on what we've found,

01:16.385 --> 01:20.010
it maps to
execution as well.

01:20.720 --> 01:23.270
Step 4, figuring out what

01:23.270 --> 01:25.735
technique or
sub-technique applies.

01:25.735 --> 01:27.410
Similar to what was covered in

01:27.410 --> 01:30.110
Module 1 about working
with narrative reporting,

01:30.110 --> 01:32.225
you might have
enough information

01:32.225 --> 01:34.010
occasionally to map directly to

01:34.010 --> 01:35.975
a certain technique
or sub-technique

01:35.975 --> 01:38.240
instead of going
through a tactic.

01:38.240 --> 01:39.860
But we need to try
and work through

01:39.860 --> 01:43.235
that structured process
and avoid skipping steps.

01:43.235 --> 01:45.590
If you do map directly
to a technique or sub,

01:45.590 --> 01:47.000
make sure you go through and

01:47.000 --> 01:48.770
confirm that it aligns
with a tactic that

01:48.770 --> 01:50.585
best represents
your understanding

01:50.585 --> 01:52.885
of the adversary goals.

01:52.885 --> 01:56.360
For ipconfig /all, we found that

01:56.360 --> 01:59.495
this maps to System Network
Configuration Discovery,

01:59.495 --> 02:01.955
and as I mentioned,
adding in execution,

02:01.955 --> 02:04.960
we have that it's Command
and Scripting Interpreter.

02:04.960 --> 02:07.384
Then for the recycler binary,

02:07.384 --> 02:09.785
we've identified a couple
of different elements.

02:09.785 --> 02:12.065
We figured out these
command line flags

02:12.065 --> 02:14.245
mean it's compressing
and encrypting data,

02:14.245 --> 02:16.970
so we mapped it to
Archive Collected Data.

02:16.970 --> 02:19.400
But as discussed, it's

02:19.400 --> 02:22.550
also Command and
Scripting Interpreter.

02:23.650 --> 02:27.020
What's going on with these
concurrent techniques?

02:27.020 --> 02:28.460
There are certain tactics that

02:28.460 --> 02:31.085
commonly have
concurrent techniques.

02:31.085 --> 02:33.020
These are tactics
like execution,

02:33.020 --> 02:36.200
defense evasion, initial
access, collection,

02:36.200 --> 02:37.580
where a lot of the
techniques are

02:37.580 --> 02:38.870
describing how things are

02:38.870 --> 02:40.325
happening and other techniques

02:40.325 --> 02:42.410
are describing what's happening.

02:42.410 --> 02:44.150
A combination we often see

02:44.150 --> 02:45.830
is Phishing: Spearphishing

02:45.830 --> 02:48.230
Attachment and User Execution.

02:48.230 --> 02:50.150
The spear phishing
is often coming with

02:50.150 --> 02:52.280
an attachment, and a user clicks;

02:52.280 --> 02:54.005
this is User Execution.

02:54.005 --> 02:58.415
This is initial access and
execution happening together.

02:58.415 --> 03:01.130
Data from Local System
and Email Collection

03:01.130 --> 03:03.680
can be leveraged in
concert, so for example,

03:03.680 --> 03:07.145
an adversary is identifying
a host and a PST file,

03:07.145 --> 03:10.450
so two types of collection
are occurring simultaneously.

03:10.450 --> 03:12.410
Finally, as we've seen,

03:12.410 --> 03:14.390
many of those
discovery techniques

03:14.390 --> 03:16.250
can be Command and
Scripting Interpreter,

03:16.250 --> 03:17.930
with Windows built-in commands

03:17.930 --> 03:20.790
being run one after another.

03:22.480 --> 03:25.625
In our final step,
we'll want to compare

03:25.625 --> 03:29.690
our analysis to the results
from other analysts.

03:29.690 --> 03:31.670
We discussed
collaboration in depth in

03:31.670 --> 03:34.430
the last module to help
hedge against biases.

03:34.430 --> 03:36.830
This is particularly
important with raw data,

03:36.830 --> 03:39.950
given the fact that raw
data requires a broader set

03:39.950 --> 03:43.710
of skills to work with the
different types of data.

03:43.710 --> 03:45.620
You might have one
analyst who has

03:45.620 --> 03:48.140
experience working with
things like malware, packets,

03:48.140 --> 03:49.550
reverse engineering,

03:49.550 --> 03:51.080
and Windows command line and

03:51.080 --> 03:53.030
understanding what
various commands do.

03:53.030 --> 03:54.500
We might have another
analyst needed

03:54.500 --> 03:56.090
for the same incident who's

03:56.090 --> 03:57.920
very familiar with
other platforms

03:57.920 --> 03:59.600
such as macOS or Linux,

03:59.600 --> 04:01.640
or whose skill set
includes looking at

04:01.640 --> 04:04.160
disk forensics and
Windows event logs.

04:04.160 --> 04:06.710
Based on the additional
caveats with raw data,

04:06.710 --> 04:07.790
it's really critical to

04:07.790 --> 04:09.710
recognize the diverse
set of skill sets

04:09.710 --> 04:12.680
you'll likely need, to be
able to leverage them

04:12.680 --> 04:16.710
and ensure that the analysis
is as accurate as possible.

04:17.660 --> 04:21.350
In Lesson 2.3, we walked
through the process for

04:21.350 --> 04:23.000
translating behaviors
from raw data

04:23.000 --> 04:24.905
into tactics,
techniques and subs.

04:24.905 --> 04:26.660
We talked about
concurrent techniques

04:26.660 --> 04:28.069
and the importance
of recognizing

04:28.069 --> 04:29.720
what's happening as well as how

04:29.720 --> 04:31.490
it's happening, and finally,

04:31.490 --> 04:33.200
we highlighted how
important it is to

04:33.200 --> 04:34.940
maintain ongoing
collaboration with

04:34.940 --> 04:37.190
analysts that have
diverse skill sets

04:37.190 --> 04:39.370
and experience working with
different types of data.

04:39.370 --> 04:41.280
In Lesson 2.4,

04:41.280 --> 04:43.070
we'll take what we've
learned so far and

04:43.070 --> 04:45.840
apply it to a mapping exercise.

