WEBVTT

00:00.000 --> 00:01.920
>> Welcome to Lesson 2.4,

00:01.920 --> 00:04.455
Raw Data to Narrative Reporting.

00:04.455 --> 00:06.090
In this lesson,
we're going to be

00:06.090 --> 00:07.740
practicing the process
we went over in

00:07.740 --> 00:09.510
the last couple of lessons with

00:09.510 --> 00:11.590
an exercise mapping
raw data to ATT&CK,

00:11.590 --> 00:14.145
and then we're going to be
reviewing those results.

00:14.145 --> 00:15.420
We're also going to be talking

00:15.420 --> 00:16.770
about some best practices for

00:16.770 --> 00:20.370
featuring your ATT&CK-mapped
data in narrative reporting.

00:20.370 --> 00:24.105
Exercise 2: working
with raw data.

00:24.105 --> 00:27.230
This exercise is broken
down into two tickets from

00:27.230 --> 00:29.330
a simulated intrusion,
and you can

00:29.330 --> 00:31.850
access the tickets under
the resources section.

00:31.850 --> 00:33.410
For the first ticket, you're

00:33.410 --> 00:34.880
going to be looking
at some content that

00:34.880 --> 00:36.230
is similar to the examples we

00:36.230 --> 00:38.030
walked through previously
in the module,

00:38.030 --> 00:40.310
where we had a series of
commands interactively

00:40.310 --> 00:43.760
executed via cmd.exe
on an end system.

00:43.760 --> 00:46.460
The second ticket
features some analysis of

00:46.460 --> 00:48.515
the primary remote access Trojan

00:48.515 --> 00:50.105
used during the incident.

00:50.105 --> 00:51.800
You can record your results in

00:51.800 --> 00:53.480
whatever way works best for you.

00:53.480 --> 00:56.195
You can edit the tickets
directly or use notes,

00:56.195 --> 00:59.290
but try to identify as many
behaviors as possible.

00:59.290 --> 01:00.980
Then once you have
those behaviors,

01:00.980 --> 01:02.780
work through the mapping process

01:02.780 --> 01:04.460
and map them to the
relevant tactics,

01:04.460 --> 01:06.260
techniques, or sub-techniques.

01:06.260 --> 01:08.120
We recommend that
you now pause for

01:08.120 --> 01:09.710
around 25 minutes to do

01:09.710 --> 01:14.505
this exercise. Welcome back.

01:14.505 --> 01:17.479
When reviewing your experience
with this exercise,

01:17.479 --> 01:19.790
did you have any specific
questions that you would

01:19.790 --> 01:22.360
have gone back and asked
your incident responders?

01:22.360 --> 01:24.620
Were there places where
there just wasn't

01:24.620 --> 01:25.670
enough information for you to

01:25.670 --> 01:27.425
really determine
what was going on?

01:27.425 --> 01:29.690
Or were there any areas
where you wanted to do

01:29.690 --> 01:30.950
some additional research or

01:30.950 --> 01:33.160
pull in more data than
what was provided?

01:33.160 --> 01:36.140
Was this exercise more
challenging or simpler than

01:36.140 --> 01:37.655
the Module 1 exercise

01:37.655 --> 01:40.070
where you were mapping
to narrative reporting?

01:40.070 --> 01:41.570
Do you encounter this type of

01:41.570 --> 01:43.250
data when you're
looking at activity?

01:43.250 --> 01:45.140
Are there other things that you

01:45.140 --> 01:47.480
think should have been
in here for behaviors?

01:47.480 --> 01:50.120
Finally, did you find
any behaviors that you

01:50.120 --> 01:53.820
weren't able to map to a
technique or sub-technique?

01:54.760 --> 01:57.110
We're now going to be
walking through and

01:57.110 --> 01:58.655
reviewing the exercise results,

01:58.655 --> 02:02.500
starting with Ticket 473822.

02:02.500 --> 02:05.920
First off, ipconfig /all.

02:05.920 --> 02:07.550
As you'll recall, we use this as

02:07.550 --> 02:10.130
an example throughout the
beginning of this module,

02:10.130 --> 02:12.170
and we saw that it
directly mapped to

02:12.170 --> 02:14.905
system network
configuration discovery.

02:14.905 --> 02:17.810
arp -a, another one you'll find

02:17.810 --> 02:20.765
mapping to system network
configuration discovery.

02:20.765 --> 02:22.310
It's not irregular to see

02:22.310 --> 02:24.715
the same technique
twice in a row.

02:24.715 --> 02:28.160
The echoed username is
showing the adversary,

02:28.160 --> 02:29.960
the currently logged
in username and

02:29.960 --> 02:33.510
this maps to system
owner user discovery.

02:33.930 --> 02:37.250
tasklist /v is displaying
currently running processes on

02:37.250 --> 02:40.359
Windows and this is
process discovery.

02:40.359 --> 02:43.340
sc query is obtaining
information on

02:43.340 --> 02:46.475
all the different services
running within Windows,

02:46.475 --> 02:49.115
and this is system
service discovery.

02:49.115 --> 02:51.380
systeminfo is displaying

02:51.380 --> 02:53.720
detailed configuration
information and

02:53.720 --> 02:55.130
patch levels of the systems,

02:55.130 --> 02:57.865
and this is system
information discovery.

02:57.865 --> 03:00.185
net group "domain admins".

03:00.185 --> 03:01.850
This is showing a
specific domain

03:01.850 --> 03:03.530
group and the members of it,

03:03.530 --> 03:05.180
and we map this to
permission groups discovery:

03:05.180 --> 03:07.630
domain groups.

03:07.630 --> 03:09.655
net user /domain.

03:09.655 --> 03:13.325
We map this to account
discovery: domain account.

03:13.325 --> 03:15.925
net group "domain controllers".

03:15.925 --> 03:17.380
This is looking at the list of

03:17.380 --> 03:19.330
domain controllers that are
within the domains where

03:19.330 --> 03:21.430
the adversaries
found themselves and

03:21.430 --> 03:24.605
this maps to remote
system discovery.

03:24.605 --> 03:27.125
netsh advfirewall.

03:27.125 --> 03:28.600
This is showing another system

03:28.600 --> 03:31.070
network configuration discovery.

03:31.070 --> 03:35.110
Then finally, netstat -ano is

03:35.110 --> 03:38.140
showing all the connections
that the system currently has,

03:38.140 --> 03:41.975
and this maps to system
network connections discovery.

03:41.975 --> 03:43.990
You might've noticed that all of

03:43.990 --> 03:46.195
these techniques feature
the word discovery.

03:46.195 --> 03:48.100
It probably won't surprise
you that they all

03:48.100 --> 03:50.115
fall under the discovery tactic.

03:50.115 --> 03:53.330
It's not unusual for an
adversary to go through and

03:53.330 --> 03:56.665
sequentially perform a number
of discovery commands.

03:56.665 --> 03:59.060
As we discussed
earlier in the module,

03:59.060 --> 04:01.235
these are all also execution,

04:01.235 --> 04:03.755
so command and
scripting interpreter.

04:03.755 --> 04:06.110
These were all run
in cmd.exe,

04:06.110 --> 04:08.430
and we saw them via Sysmon.

04:10.420 --> 04:13.774
The second ticket is a
little more challenging.

04:13.774 --> 04:15.680
As I mentioned, this
is text information

04:15.680 --> 04:17.645
coming out of a remote
access Trojan,

04:17.645 --> 04:19.490
which has some flaws,
and there are also

04:19.490 --> 04:22.225
some activities occurring
behind the scenes.

04:22.225 --> 04:25.325
First off, we have the
winspool.exe file,

04:25.325 --> 04:28.310
and that's defense
evasion masquerading.

04:28.310 --> 04:32.435
Next, we have the C2
protocol, Base64 encoded.

04:32.435 --> 04:34.070
This is command and control

04:34.070 --> 04:36.830
data encoding:
standard encoding.

04:36.830 --> 04:39.365
Then commands over HTTPS,

04:39.365 --> 04:42.634
which is command and control,
application layer protocol:

04:42.634 --> 04:44.270
web protocols.

04:44.270 --> 04:47.030
We have that it's
downloading files and

04:47.030 --> 04:50.880
this maps to command and
control, ingress tool transfer.

04:50.880 --> 04:53.850
We can see that it's able
to do a shell command,

04:53.850 --> 04:56.060
and we map this to
execution, command

04:56.060 --> 04:57.815
and scripting interpreter.

04:57.815 --> 05:00.455
We also have
PowerShell commands,

05:00.455 --> 05:02.420
and this is execution, command

05:02.420 --> 05:05.210
and scripting
interpreter: PowerShell.

05:05.210 --> 05:09.800
Next we see that it can
execute a PE via an API call.

05:09.800 --> 05:11.990
That's CreateProcess, and we

05:11.990 --> 05:15.460
map this to execution,
native API.

05:15.460 --> 05:17.690
We see another defense evasion

05:17.690 --> 05:19.550
masquerading, as
they're trying to copy

05:19.550 --> 05:21.110
something that's attempting
to pretend to be

05:21.110 --> 05:24.090
a legitimate winspool.exe file.

05:24.130 --> 05:27.755
Finally, we have the
adversary adding a run key.

05:27.755 --> 05:29.030
That's actually in
the description

05:29.030 --> 05:29.900
that you'll find within

05:29.900 --> 05:32.255
boot or logon
autostart execution:

05:32.255 --> 05:35.550
registry run keys /
startup folder.

05:36.310 --> 05:39.620
Now, if as you were going through
this exercise you came to

05:39.620 --> 05:42.260
any different conclusions
or had different answers,

05:42.260 --> 05:44.855
this doesn't necessarily
mean that you're wrong.

05:44.855 --> 05:47.040
As Adam noted in Module 1,

05:47.040 --> 05:49.020
mapping can be subjective,

05:49.020 --> 05:50.960
but I would encourage
you to review how

05:50.960 --> 05:53.045
your mapping is
different from ours,

05:53.045 --> 05:53.780
and then look at

05:53.780 --> 05:55.580
the different procedure
details within each of

05:55.580 --> 05:57.399
these techniques
or sub techniques

05:57.399 --> 05:58.795
and if you're able to,

05:58.795 --> 06:00.860
collaborate with another
analyst and compare

06:00.860 --> 06:04.980
your results and identify
where any potential gaps are.

06:07.070 --> 06:09.440
Now that we've gone
through the process of

06:09.440 --> 06:11.480
mapping this raw
data to ATT&CK,

06:11.480 --> 06:12.800
I want to discuss some options

06:12.800 --> 06:14.465
for using that information.

06:14.465 --> 06:15.710
We've touched on enriching

06:15.710 --> 06:17.660
narrative reporting with ATT&CK

06:17.660 --> 06:19.520
and analyzing original data

06:19.520 --> 06:21.545
to ATT&CK to create
these reports,

06:21.545 --> 06:23.450
and we have a couple
of recommendations for

06:23.450 --> 06:25.195
enhancing those
narrative reports.

06:25.195 --> 06:28.070
Either by augmenting them
with the ATT&CK-mapped data,

06:28.070 --> 06:29.870
or by including in
some procedures

06:29.870 --> 06:31.415
from the original data.

06:31.415 --> 06:34.900
A key element is that we
recommend keeping the techniques

06:34.900 --> 06:36.579
with the related procedures

06:36.579 --> 06:38.130
and the information around it,

06:38.130 --> 06:39.460
so there's enough context for

06:39.460 --> 06:41.335
people to understand
the mapping.

06:41.335 --> 06:43.210
This enables other analysts to

06:43.210 --> 06:45.310
evaluate the intelligence
in the mapping,

06:45.310 --> 06:48.070
and it ensures that everyone's
on the same page in terms

06:48.070 --> 06:49.390
of what behavior is mapped to

06:49.390 --> 06:51.265
which techniques
or sub techniques.

06:51.265 --> 06:52.765
It also allows for

06:52.765 --> 06:56.230
more uncomplicated capture
of these procedures and this

06:56.230 --> 06:58.180
can be a core part of crafting

06:58.180 --> 07:01.880
those defenses against
specific adversary behavior.

07:02.690 --> 07:05.245
Walking through a
couple of examples

07:05.245 --> 07:07.359
of effective reporting formats.

07:07.359 --> 07:10.780
In instance 1, we added
footnotes with the techniques to

07:10.780 --> 07:14.305
avoid disrupting the report
with in-text techniques.

07:14.305 --> 07:17.570
In instance 2, the report
author has included

07:17.570 --> 07:19.310
the information that
actually describes

07:19.310 --> 07:21.605
the activity along
with the techniques.

07:21.605 --> 07:23.750
This is similar to the
format that our team

07:23.750 --> 07:26.620
uses in the procedure
examples within ATT&CK.

07:26.620 --> 07:28.910
Instance 3 is an example

07:28.910 --> 07:31.775
of a format that is a
little less effective.

07:31.775 --> 07:34.355
When you include mappings
to the end of the report,

07:34.355 --> 07:36.545
you lose a lot of that context.

07:36.545 --> 07:38.360
This is similar to having

07:38.360 --> 07:40.160
the IOCs at the
end of the report,

07:40.160 --> 07:42.785
where you can have no idea
what it actually means,

07:42.785 --> 07:46.540
or what the recommended
action associated with it is.

07:46.540 --> 07:48.650
Ensuring that these
techniques are

07:48.650 --> 07:50.600
tied to that relevant context

07:50.600 --> 07:52.370
can be really important
and will enhance

07:52.370 --> 07:55.170
the effectiveness
of your reports.

07:56.110 --> 07:59.540
In this lesson, we practiced
mapping raw data to

07:59.540 --> 08:00.815
ATT&CK with two tickets

08:00.815 --> 08:02.615
and then walked
through the results.

08:02.615 --> 08:04.460
We reinforced the value of

08:04.460 --> 08:06.350
collaborating with other
analysts and we reviewed

08:06.350 --> 08:08.090
a couple of best
practices for enriching

08:08.090 --> 08:11.580
narrative reporting
with ATT&CK-mapped data.

08:13.480 --> 08:17.420
In this module, we reviewed
the mapping process that

08:17.420 --> 08:20.840
Adam introduced in Module 1
and applied it to raw data.

08:20.840 --> 08:23.900
We practiced mapping that raw
data to ATT&CK and went over

08:23.900 --> 08:25.220
some approaches for expressing

08:25.220 --> 08:27.415
ATT&CK-mapped data
in narrative reporting.

08:27.415 --> 08:30.260
In Module 3, my colleague
Jackie will discuss

08:30.260 --> 08:33.020
this concept in depth and
outline how you can store,

08:33.020 --> 08:35.615
display, and analyze
your attack map data

08:35.615 --> 08:38.550
in order to make it actionable.

08:38.710 --> 08:42.720
This is the end of Module 2.

