WEBVTT

00:00.000 --> 00:01.650
>> We're now going
to proceed with

00:01.650 --> 00:04.380
Module 3 of the ATT&CK
CTI training course.

00:04.380 --> 00:06.120
This module is going to
focus on learning how to

00:06.120 --> 00:08.860
store and analyze
ATT&CK-Mapped Data.

00:08.860 --> 00:11.550
We'll have a total of four
lessons for this module.

00:11.550 --> 00:13.245
The first lesson will be 3.1,

00:13.245 --> 00:14.340
in which we'll learn
how to store and

00:14.340 --> 00:15.945
display ATT&CK-Mapped Intel.

00:15.945 --> 00:17.625
The second lesson, 3.2,

00:17.625 --> 00:18.720
we'll focus on
showing you how to

00:18.720 --> 00:20.525
express ATT&CK-Mapped Intel.

00:20.525 --> 00:22.140
The third lesson, 3.3,

00:22.140 --> 00:23.985
we'll learn how to
analyze this data.

00:23.985 --> 00:26.700
Lastly, Lesson 3.4 is
more of a walk-through on

00:26.700 --> 00:28.020
the hands-on exercises you'll be

00:28.020 --> 00:30.030
doing with the ATT&CK
Navigator tool.

00:30.030 --> 00:31.530
As we just said, this lesson,

00:31.530 --> 00:33.420
we'll be focused on learning
how to store and display

00:33.420 --> 00:35.715
ATT&CK-Mapped Intel.
Let's get started.

00:35.715 --> 00:37.739
Our objectives for Lesson 3.1,

00:37.739 --> 00:39.360
are first to consider who or

00:39.360 --> 00:41.575
what will be consuming
the mapped Intel.

00:41.575 --> 00:43.100
Second is to identify

00:43.100 --> 00:44.645
the most effective
storage platform

00:44.645 --> 00:47.160
for our environment
and requirements.

00:48.740 --> 00:51.960
When we first talk about
storing ATT&CK-Mapped Intel,

00:51.960 --> 00:54.080
we have several things
that we need to consider.

00:54.080 --> 00:56.600
The first is, who is
consuming this intelligence?

00:56.600 --> 00:58.000
Is it a human analyst?

00:58.000 --> 01:00.540
Is it a machine taking
the data to a SIEM?

01:00.540 --> 01:01.940
Who is interpreting
the data will

01:01.940 --> 01:04.115
determine how we
represent and store it.

01:04.115 --> 01:07.520
The next is what are our
intelligence requirements?

01:07.520 --> 01:08.930
When we're thinking
in terms of adding

01:08.930 --> 01:10.235
contextual meaning to something,

01:10.235 --> 01:12.710
we need to determine if the
full text is needed or just

01:12.710 --> 01:14.120
components that can describe it

01:14.120 --> 01:16.160
in a meaningful or
productive way.

01:16.160 --> 01:18.140
After we establish
the requirements,

01:18.140 --> 01:20.780
we can then think of how
detailed we want them to be.

01:20.780 --> 01:22.580
Do we want to just include
the parent techniques?

01:22.580 --> 01:24.680
Do we want sub-techniques
for more depth?

01:24.680 --> 01:26.450
Or do we also want a
procedure to provide

01:26.450 --> 01:28.910
the example of how the
technique is used as well?

01:28.910 --> 01:30.560
The next thing we
want to consider is

01:30.560 --> 01:31.970
how we'll capture this level

01:31.970 --> 01:34.670
of detail and when it's
captured in a specific format,

01:34.670 --> 01:36.215
how will that allow
us to link it to

01:36.215 --> 01:38.585
other intelligence
for our CTI needs?

01:38.585 --> 01:40.790
Lastly, we'll need
to consider how

01:40.790 --> 01:42.710
this data will be
imported and exported,

01:42.710 --> 01:44.735
and specifically what
format it will be in.

01:44.735 --> 01:47.970
Will it be XML, JSON, etc.?

01:48.460 --> 01:50.450
Here you have a screenshot

01:50.450 --> 01:51.740
showing how some
techniques are even

01:51.740 --> 01:54.560
represented and referenced
on Wikipedia pages.

01:54.560 --> 01:56.540
Take a look at the right-side
panel of the page shown

01:56.540 --> 01:58.580
here and you can see
how the technique

01:58.580 --> 02:00.350
Scheduled Task maps back to

02:00.350 --> 02:01.850
the ATT&CK framework
and how it's

02:01.850 --> 02:03.665
displayed with the
appropriate metadata,

02:03.665 --> 02:05.135
such as the technique ID,

02:05.135 --> 02:08.195
the tactic, the
platform, and so on.

02:08.195 --> 02:11.690
Here we have a screenshot of
another useful CTI tool for

02:11.690 --> 02:13.190
tracking and sharing
indicators of

02:13.190 --> 02:14.330
compromise and threat

02:14.330 --> 02:16.040
intelligence within
your organization.

02:16.040 --> 02:17.810
MISP is an open-source threat

02:17.810 --> 02:19.730
intelligence platform
for sharing, storing,

02:19.730 --> 02:21.560
and correlating these IOCs for

02:21.560 --> 02:23.390
targeted attacks,
threat intelligence,

02:23.390 --> 02:26.225
financial fraud information,
vulnerability information,

02:26.225 --> 02:27.860
or even counterterrorism
threats.

02:27.860 --> 02:30.470
It allows you to store data
in a structured format,

02:30.470 --> 02:32.870
allowing for automated use
of their database with

02:32.870 --> 02:33.860
extensive support for

02:33.860 --> 02:36.260
cybersecurity
indicators as well as flexible

02:36.260 --> 02:38.000
import and export features
to help you

02:38.000 --> 02:40.920
share that data within
your organization.

02:41.200 --> 02:43.460
Here we have another
slide showing

02:43.460 --> 02:45.020
the MISP tool and an example of

02:45.020 --> 02:46.475
how we can store and display

02:46.475 --> 02:47.950
ATT&CK-Mapped threat intelligence.

02:47.950 --> 02:49.280
MISP is a great tool

02:49.280 --> 02:50.870
for sharing your threat
intelligence between

02:50.870 --> 02:52.309
teams across your organization

02:52.309 --> 02:54.140
in a streamlined and simple way.

02:54.140 --> 02:55.820
It also allows you
the ability to

02:55.820 --> 02:57.620
link indicators as
well as supplemental

02:57.620 --> 02:59.630
files and materials
that can help bring

02:59.630 --> 03:02.425
together an investigation
for your CTI needs.

03:02.425 --> 03:04.790
In Lesson 3.1, we learned about

03:04.790 --> 03:06.605
the different ways
that we can consume,

03:06.605 --> 03:08.150
link, contextualize,

03:08.150 --> 03:10.850
and import and export
ATT&CK-Mapped Intel.

03:10.850 --> 03:12.080
We also learned about the

03:12.080 --> 03:13.489
different options
that we have

03:13.489 --> 03:17.250
for our storage platform
environment and requirements.

