WEBVTT

00:00.210 --> 00:01.499
For Lesson 3.2, we'll

00:01.500 --> 00:02.999
be learning how to express and store

00:03.000 --> 00:04.349
ATT&CK-mapped intel.

00:06.360 --> 00:07.499
Our objectives for Lesson

00:07.500 --> 00:09.149
3.2 are to review methods for

00:09.150 --> 00:11.070
expressing and storing mapped intel

00:11.220 --> 00:12.569
and to identify the most effective

00:12.570 --> 00:13.939
approach for your environment and

00:13.950 --> 00:14.950
requirements.

00:16.410 --> 00:17.639
Here we have an example of a threat

00:17.640 --> 00:19.109
intelligence report from the company

00:19.110 --> 00:20.110
Anomali.

00:20.130 --> 00:21.809
This report discusses new malware in

00:21.810 --> 00:23.069
and the different types of systems that

00:23.070 --> 00:24.834
it targets and what kind of behavior

00:24.870 --> 00:25.870
is exhibited by it.

00:26.130 --> 00:27.299
The important point to notice here

00:27.300 --> 00:28.679
is that the report not only

00:28.680 --> 00:29.729
describes the new threat

00:29.730 --> 00:31.229
intelligence information in full

00:31.230 --> 00:32.789
text for human consumption,

00:33.090 --> 00:34.500
but they also provide links to the

00:34.770 --> 00:36.569
ATT&CK site, to their techniques, for

00:36.570 --> 00:37.889
more of a machine and automated

00:37.890 --> 00:38.890
consumption path.

00:39.390 --> 00:40.679
Placing the techniques at the end of

00:40.680 --> 00:42.346
the report is helpful for analysts

00:42.360 --> 00:44.189
to not only consume this data, but

00:44.190 --> 00:45.359
to be able to take it and make it

00:45.360 --> 00:46.360
more actionable.

00:46.590 --> 00:48.269
It also helps us standardize how we

00:48.270 --> 00:49.439
talk about specific malware

00:49.440 --> 00:51.106
behaviors so that we can help keep

00:51.240 --> 00:52.469
the community better equipped to

00:52.470 --> 00:53.639
understand different malware

00:53.640 --> 00:54.640
techniques.

00:54.780 --> 00:56.099
One caveat to point out is that this

00:56.100 --> 00:57.539
page has been updated to reflect

00:57.540 --> 00:58.409
some.

00:58.410 --> 00:59.639
So please confirm the actual

00:59.640 --> 01:00.840
technique ID with our official

01:01.350 --> 01:02.350
website.

01:03.820 --> 01:04.839
This is an example of a threat

01:04.840 --> 01:06.604
intelligence report from McAfee, where

01:06.610 --> 01:08.109
they look at the Operation GhostSecret

01:08.110 --> 01:09.335
campaign for the support.

01:09.910 --> 01:11.739
They list all the procedure examples

01:11.740 --> 01:13.060
from ATT&CK at the bottom of the

01:13.070 --> 01:14.229
report, just like we saw in the

01:14.230 --> 01:15.230
previous slide.

01:15.250 --> 01:16.419
But what we see here is that they

01:16.420 --> 01:18.099
also have an extra layer of detail

01:18.100 --> 01:19.864
where they explain how the adversary

01:19.930 --> 01:21.879
used these techniques within their

01:21.880 --> 01:22.809
campaign.

01:22.810 --> 01:23.979
So this is very useful for our

01:24.370 --> 01:25.938
analysis beyond just listing the

01:26.110 --> 01:27.110
techniques.

01:27.780 --> 01:28.829
This is an example of a threat

01:28.860 --> 01:30.209
report from CrowdStrike.

01:30.270 --> 01:31.409
The main difference here is that

01:31.410 --> 01:32.549
they list the techniques at the

01:32.550 --> 01:34.069
beginning without the procedure

01:34.200 --> 01:35.009
examples.

01:35.010 --> 01:36.119
So it might be better for someone

01:36.120 --> 01:37.769
looking specifically for techniques,

01:37.770 --> 01:39.239
but not necessarily any more of a

01:39.240 --> 01:40.590
procedure level detail.

01:40.950 --> 01:42.149
So they're just looking for the high

01:42.150 --> 01:43.229
level. What are the techniques

01:43.230 --> 01:44.069
observed here?

01:44.070 --> 01:45.539
We don't know how they were used,

01:45.540 --> 01:46.679
but we just want to know which ones

01:46.680 --> 01:47.999
are here so we can determine what's

01:48.000 --> 01:50.069
important for our analysis needs.

01:51.790 --> 01:52.839
The next report we're going to look

01:52.840 --> 01:54.789
at is a report from another

01:54.790 --> 01:56.079
way that threat intelligence reports

01:56.080 --> 01:57.489
will relate back to ATT&CK is that

01:57.490 --> 01:58.599
they'll highlight the techniques

01:58.600 --> 01:59.679
within the report as they're

01:59.680 --> 02:00.549
identified.

02:00.550 --> 02:02.169
This is the most useful as it easily

02:02.170 --> 02:03.699
helps the analysts understand which

02:03.700 --> 02:05.230
ATT&CK techniques are being shown

02:05.410 --> 02:06.940
and leaves less room for confusion or

02:06.960 --> 02:08.559
misidentification of the techniques

02:08.560 --> 02:10.149
as you read and consume different

02:10.150 --> 02:11.379
threat intelligence reports.

02:13.010 --> 02:14.560
And this is an example of expressing

02:14.580 --> 02:15.989
and storing ATT&CK-mapped data from a

02:15.990 --> 02:17.369
Digital Shadows Threat intelligence

02:17.370 --> 02:18.389
report here.

02:18.400 --> 02:19.559
They not only have the ATT&CK

02:19.560 --> 02:21.539
technique and tactic, but they also

02:21.540 --> 02:22.829
include advice for mitigating the

02:22.830 --> 02:24.400
behavior once it's been detected.

02:24.750 --> 02:26.039
This is just an additional layer of

02:26.040 --> 02:28.259
information to help your analysis

02:28.260 --> 02:29.430
as you read through these reports.

02:30.490 --> 02:32.079
For this example of ATT&CK-mapped data

02:32.080 --> 02:33.519
being expressed and stored, we see

02:33.520 --> 02:35.289
Recorded Future's way of visualizing

02:35.290 --> 02:36.907
the workflow while being able to

02:37.030 --> 02:38.460
apply the ATT&CK framework to it,

02:39.040 --> 02:40.449
they show the visualization of the

02:40.450 --> 02:41.871
execution of MITRE TTPs for

02:42.310 --> 02:43.310
financial threat groups.

02:43.600 --> 02:44.619
They represent these ATT&CK

02:44.620 --> 02:46.239
techniques and software over linear

02:46.240 --> 02:48.039
time. So the timestamps are included

02:48.040 --> 02:49.608
as well at the bottom, giving it

02:49.660 --> 02:50.829
lots of detail for analysts to

02:50.830 --> 02:52.329
consume, but in a more manageable

02:52.330 --> 02:53.330
way.

02:54.330 --> 02:55.439
Another great resource for

02:55.440 --> 02:57.149
expressing and storing ATT&CK-mapped intel

02:57.150 --> 02:59.039
is Unit 42's Playbook Viewer.

02:59.520 --> 03:00.869
What they do here is they showcase

03:00.870 --> 03:02.069
their threat intelligence reporting

03:02.070 --> 03:03.589
in an interactive Web page that

03:03.630 --> 03:04.859
links the ATT&CK techniques to

03:04.860 --> 03:06.599
indicators of compromise that sort

03:06.600 --> 03:07.799
of brings everything together full

03:07.800 --> 03:09.509
circle from human readable text to

03:09.510 --> 03:11.274
machine readable content, all in one

03:11.400 --> 03:12.400
platform.

03:13.360 --> 03:14.559
Another example we have for

03:14.560 --> 03:16.349
expressing and storing ATT&CK-mapped data

03:16.390 --> 03:17.889
is from the NCC Group Under Threat

03:17.890 --> 03:19.350
Report for about 15

03:19.930 --> 03:21.099
here. We've highlighted the text,

03:21.100 --> 03:22.299
much like you saw in your previous

03:22.300 --> 03:23.574
exercises where the ATT&CK

03:23.800 --> 03:24.800
techniques exist.

03:25.090 --> 03:26.199
They didn't do this on their own,

03:26.200 --> 03:27.189
though, which would make it a lot

03:27.190 --> 03:28.659
harder to identify and correlate

03:28.660 --> 03:30.029
these techniques to the ATT&CK site.

03:30.310 --> 03:31.449
So this is a report we'd have to do

03:31.450 --> 03:32.709
a little bit more work beyond just

03:32.710 --> 03:33.789
reading the threat intelligence

03:33.790 --> 03:34.839
report from the website.

03:36.540 --> 03:37.649
To summarize what we learned in

03:37.650 --> 03:39.149
Lesson 3.2, let's review

03:39.150 --> 03:40.816
our main highlights. We learned to

03:41.010 --> 03:42.725
consider how ATT&CK-mapped intel will

03:42.780 --> 03:44.495
be consumed, linked, contextualized

03:44.910 --> 03:46.110
and imported and exported.

03:46.470 --> 03:47.819
The second is that we reviewed the

03:47.820 --> 03:49.169
internal and external storage

03:49.170 --> 03:50.669
platforms based on the environment

03:50.670 --> 03:52.080
and requirements we're working with.

