WEBVTT

00:00.000 --> 00:02.295
>> Now that you've learned
a little bit about how to

00:02.295 --> 00:05.460
express and store ATT&CK-mapped
intel and information,

00:05.460 --> 00:06.660
we can move on to
learning how to

00:06.660 --> 00:08.010
utilize an important tool for

00:08.010 --> 00:11.085
analyzing that data for
our CTI analysis process.

00:11.085 --> 00:13.605
We call this tool the
ATT&CK Navigator.

00:13.605 --> 00:15.450
The ATT&CK Navigator
is designed to provide

00:15.450 --> 00:18.750
basic navigation and annotation
of the ATT&CK matrices.

00:18.750 --> 00:21.100
We're going to practice
using it here.

00:22.910 --> 00:25.650
Our objectives for lesson 3.3

00:25.650 --> 00:26.910
include learning how to review

00:26.910 --> 00:29.940
the ATT&CK Navigator's basic
application features as

00:29.940 --> 00:31.440
well as how to
prioritize techniques

00:31.440 --> 00:34.090
from these different
groups that we encounter.

00:35.540 --> 00:38.240
Here, we can see a
navigator layer in which

00:38.240 --> 00:40.505
the group APT28
has been selected.

00:40.505 --> 00:43.130
What this does is it uses
data currently mapped in

00:43.130 --> 00:44.540
the MITRE ATT&CK
framework to show

00:44.540 --> 00:47.110
all the TTPs
associated with APT28.

00:47.110 --> 00:50.000
The highlighted TTPs
for APT28 are shaded in

00:50.000 --> 00:53.730
blue, and the sub-techniques are
shown in the collapsed view.

00:54.280 --> 00:57.260
Now this is a similar view
to the previous slide.

00:57.260 --> 00:58.940
We have just selected
the techniques and

00:58.940 --> 01:01.670
sub-techniques for
the group APT29 now.

01:01.670 --> 01:03.260
The sub-techniques are also in

01:03.260 --> 01:05.060
the expanded view now.

01:05.060 --> 01:06.380
They have a little 3D depth to

01:06.380 --> 01:09.035
make it a little more
clear that they're there.

01:09.035 --> 01:12.335
Once we have these two
independent layers in Navigator,

01:12.335 --> 01:14.300
we can combine them to
see which TTPs are

01:14.300 --> 01:16.490
shared between the two
different subgroups.

01:16.490 --> 01:18.230
Here, we can see the
overlapping techniques

01:18.230 --> 01:20.915
between APT28 and APT29.

01:20.915 --> 01:23.030
This is useful for
our CTI analysis

01:23.030 --> 01:24.440
because it allows
you to prioritize

01:24.440 --> 01:26.465
detections based
on multiple groups

01:26.465 --> 01:29.030
that are more likely to
target your organization.

01:29.030 --> 01:31.535
When you first open the
ATT&CK Navigator tool,

01:31.535 --> 01:32.870
you're presented
with a few options

01:32.870 --> 01:34.250
for how you can get started.

01:34.250 --> 01:36.020
You can either create
a new layer by

01:36.020 --> 01:38.495
selecting the appropriate
domain for your CTI needs.

01:38.495 --> 01:40.955
So that can be
Enterprise, Mobile, or ICS,

01:40.955 --> 01:43.700
and you can also add a
specific version as well.

01:43.700 --> 01:45.080
The other options
you have are to open

01:45.080 --> 01:47.360
an existing layer
from your system.

01:47.360 --> 01:50.290
You can also create another
layer from other layers

01:50.290 --> 01:54.120
and you can also create a
customized navigator layer.

01:54.760 --> 01:57.065
To create a Navigator layer,

01:57.065 --> 01:59.360
you simply go to the browser
version of Navigator

01:59.360 --> 02:00.380
and you're already
presented with

02:00.380 --> 02:01.940
a window that has a new layer.

02:01.940 --> 02:03.215
To add things to this layer,

02:03.215 --> 02:05.210
you can click the
"Select" tool and find

02:05.210 --> 02:06.380
the pre-loaded
threat groups from

02:06.380 --> 02:07.640
the MITRE ATT&CK
site where you can

02:07.640 --> 02:10.040
simply select the group
that you want to view in

02:10.040 --> 02:12.875
the tool and it'll populate
the associated techniques.

02:12.875 --> 02:15.630
Here, we'll select APT28.

02:17.890 --> 02:20.030
Once you've selected the group,

02:20.030 --> 02:21.455
you can add a background color.

02:21.455 --> 02:22.910
The button for that
can be found under

02:22.910 --> 02:25.565
the Technique Controls menu
on the top-right section.

02:25.565 --> 02:27.650
Keep the technique selected
with the color that you've

02:27.650 --> 02:29.540
chosen here, which is in red.

02:29.540 --> 02:31.160
Then you can also add a score

02:31.160 --> 02:33.275
under the Technique
Controls menu as well.

02:33.275 --> 02:35.600
For this example, we'll
enter a score of one to

02:35.600 --> 02:36.950
indicate that the
technique has been

02:36.950 --> 02:38.570
used by this particular group.

02:38.570 --> 02:40.010
Once those steps are complete,

02:40.010 --> 02:42.260
we can rename the layer
on the top-left tab to

02:42.260 --> 02:43.490
make it easier for
us to remember

02:43.490 --> 02:45.750
which group we're tracking here.

02:46.490 --> 02:49.420
Now that we've finished
APT28's layer,

02:49.420 --> 02:50.930
we can then open
a new tab within

02:50.930 --> 02:53.030
Navigator and create
an additional layer.

02:53.030 --> 02:55.880
We will find the techniques
for the threat group APT29.

02:55.880 --> 02:58.230
Let's go ahead and do that now.

02:59.650 --> 03:02.570
We'll go ahead and repeat
the same exact process

03:02.570 --> 03:04.175
that we did for APT28.

03:04.175 --> 03:07.040
So go ahead and select
the techniques for APT29,

03:07.040 --> 03:08.270
give it a different background

03:08.270 --> 03:09.420
color for those techniques.

03:09.420 --> 03:10.700
This time, we'll
select a different

03:10.700 --> 03:12.140
scoring number to differentiate

03:12.140 --> 03:15.060
between the two threat groups
and their associated TTPs.

03:15.060 --> 03:18.000
Here, we can just
enter a score of two.

03:20.180 --> 03:22.415
This is probably
the most complex,

03:22.415 --> 03:23.885
which is a little bit
of an overstatement,

03:23.885 --> 03:25.250
feature of the Navigator tool.

03:25.250 --> 03:28.160
We're going to create a third
layer by opening a new tab

03:28.160 --> 03:31.430
and selecting the option "Create
Layer from other layers."

03:31.430 --> 03:34.070
This will allow us to utilize
the two layers that we just

03:34.070 --> 03:36.980
made and create a single
layer for our CTI analysis.

03:36.980 --> 03:38.060
In order to compare

03:38.060 --> 03:39.440
the techniques for
these different layers,

03:39.440 --> 03:41.540
we must enter a simple
equation to express

03:41.540 --> 03:42.680
the relationship between

03:42.680 --> 03:44.690
these two layers
that we just made.

03:44.690 --> 03:48.030
We can simply type in a + b
to combine the scores.

03:48.030 --> 03:49.700
You can see the labels
for the layer at

03:49.700 --> 03:52.465
the top-left tab section in
case you need to reference.

03:52.465 --> 03:54.560
We'll also want to edit
the gradient where you can

03:54.560 --> 03:56.735
set a low value of
one and a high value,

03:56.735 --> 03:57.860
which is the combined techniques

03:57.860 --> 03:59.225
for these groups as three

03:59.225 --> 04:03.030
to create a coloring for
a combined heatmap layer.

04:03.100 --> 04:04.880
When you're all finished with

04:04.880 --> 04:06.080
scoring and comparing
the layers,

04:06.080 --> 04:07.640
you can then move on
to determining what

04:07.640 --> 04:09.530
you want to do
with the analysis.

04:09.530 --> 04:11.120
You have many options
for exporting

04:11.120 --> 04:13.055
your ATT&CK Navigator layer.

04:13.055 --> 04:15.020
The common uses for exporting are

04:15.020 --> 04:17.210
saving the file as JSON or XML.

04:17.210 --> 04:19.850
So you can reload it and reuse
that layer in the future.

04:19.850 --> 04:22.130
Also, you can export
the Navigator layer as

04:22.130 --> 04:23.750
an SVG image file where you'll

04:23.750 --> 04:26.330
share the coverage heatmap
with the rest of your team.

04:26.330 --> 04:27.920
For the purposes
of this training,

04:27.920 --> 04:30.410
we'll go ahead and export it
as an image file so you can

04:30.410 --> 04:31.700
select the little camera icon

04:31.700 --> 04:33.350
under the Layer Controls menu.

04:33.350 --> 04:34.850
Before doing that,
if you'd like to

04:34.850 --> 04:37.025
expand the sub-techniques
to show deeper coverage,

04:37.025 --> 04:38.180
you can go ahead and select that

04:38.180 --> 04:39.455
from the Layer Controls menu as

04:39.455 --> 04:43.145
well. There you have it.

04:43.145 --> 04:44.810
We now have our
combined coverage map

04:44.810 --> 04:47.015
for APT28 and APT29.

04:47.015 --> 04:48.350
These are visualized here in

04:48.350 --> 04:51.150
the SVG image export feature.

04:52.580 --> 04:54.950
To summarize what
we've learned here,

04:54.950 --> 04:56.090
you should now be
comfortable with

04:56.090 --> 04:57.480
mapping different
threat groups in

04:57.480 --> 05:00.320
the ATT&CK Navigator tool,
comparing their TTPs,

05:00.320 --> 05:02.060
as well as exporting
your combined layer

05:02.060 --> 05:04.440
into a shareable image file.

