WEBVTT

00:01.290 --> 00:03.029
This is Module four, making

00:03.030 --> 00:04.500
defensive recommendations from

00:04.530 --> 00:05.789
ATT&CK-mapped data.

00:06.480 --> 00:07.769
I'll be your instructor for this

00:07.770 --> 00:09.420
module, Adam Pennington.

00:12.280 --> 00:14.044
We've got four high level objectives

00:14.380 --> 00:15.380
in this module.

00:16.120 --> 00:17.829
I'm going to teach you a process for

00:17.830 --> 00:19.398
making defensive recommendations

00:19.570 --> 00:21.250
based on ATT&CK-mapped data

00:22.120 --> 00:23.884
and walk through how to identify the

00:23.920 --> 00:25.199
priority techniques and

00:25.240 --> 00:26.679
sub-techniques for your enterprise,

00:27.310 --> 00:28.709
how to understand your

00:28.720 --> 00:30.039
enterprise capabilities and

00:30.040 --> 00:31.461
constraints and give you some

00:31.690 --> 00:33.759
practice making customized

00:33.940 --> 00:35.530
defensive recommendations.

00:37.940 --> 00:40.099
We've broken this module up

00:40.100 --> 00:41.369
into four lessons.

00:42.500 --> 00:44.119
First, I'm going to talk about the

00:44.120 --> 00:46.190
defensive recommendation process.

00:47.270 --> 00:48.887
Second, I'm going to teach you how to

00:48.950 --> 00:50.469
research how techniques and

00:50.570 --> 00:51.942
sub-techniques are being used in

00:52.490 --> 00:53.568
relevant use cases and

00:54.320 --> 00:55.879
some of the defensive options that

00:55.880 --> 00:57.290
you have for dealing with them.

00:58.340 --> 01:00.189
The third lesson is how to

01:00.200 --> 01:02.149
research organizational capabilities

01:02.150 --> 01:03.473
and constraints and look at

01:03.560 --> 01:05.749
tradeoffs. Finally,

01:05.750 --> 01:07.159
we're going to work through an exercise

01:07.160 --> 01:08.149
where you're going to get to make

01:08.150 --> 01:09.859
some defensive recommendations.

01:14.560 --> 01:15.932
So lesson one, the defensive

01:16.360 --> 01:17.769
recommendation process.

01:21.880 --> 01:23.439
This lesson, we've got two

01:23.440 --> 01:25.106
objectives. I'm going to go over a

01:25.180 --> 01:26.799
process for making defensive

01:26.800 --> 01:28.719
recommendations and

01:28.720 --> 01:29.829
I'm going to talk through a bit

01:29.830 --> 01:31.349
about how to determine priority

01:31.900 --> 01:33.309
techniques to work with.

01:37.410 --> 01:39.150
So we've now gone through

01:39.630 --> 01:40.953
a bunch of material looking

01:41.550 --> 01:43.559
at how to identify techniques seen

01:43.560 --> 01:44.560
in the wild.

01:45.120 --> 01:46.884
We've looked at how to extract these

01:47.010 --> 01:48.774
techniques from narrative reporting,

01:48.810 --> 01:49.980
map them to ATT&CK.

01:50.340 --> 01:51.749
We've looked at how to extract them

01:51.750 --> 01:53.220
from raw incident data,

01:53.790 --> 01:55.200
talked a little bit about using some

01:55.230 --> 01:56.639
of the groups and software data

01:56.640 --> 01:58.470
already mapped by the ATT&CK team.

01:59.250 --> 02:00.916
We can identify techniques used by

02:01.140 --> 02:02.249
multiple groups, some of the

02:02.250 --> 02:03.719
material that was in the previous

02:03.720 --> 02:04.720
lesson.

02:04.980 --> 02:06.629
And this might be a really good

02:06.630 --> 02:07.919
priority starting point that we'll

02:07.920 --> 02:08.969
leverage for the rest of this

02:08.970 --> 02:09.970
module.

02:10.169 --> 02:11.159
So that's well and good.

02:11.160 --> 02:12.679
And we've got a bunch of threat

02:12.810 --> 02:13.860
intelligence now.

02:14.310 --> 02:16.289
But how do we make that intelligence

02:16.290 --> 02:17.662
actionable? How do we now do

02:18.090 --> 02:19.511
something, help our defenders

02:20.370 --> 02:22.530
leverage that attack intelligence?

02:25.420 --> 02:27.037
So for the rest of this module, I'm

02:27.280 --> 02:28.239
going to be walking through a

02:28.240 --> 02:30.009
process for making defensive

02:30.010 --> 02:31.060
recommendations.

02:32.530 --> 02:34.469
First, in this lesson,

02:34.480 --> 02:36.009
we're going to determine priority

02:36.010 --> 02:37.569
techniques and sub techniques.

02:37.870 --> 02:39.249
And I'll talk about a few ways of

02:39.250 --> 02:40.250
doing that.

02:41.450 --> 02:42.829
You know, have you take a look at

02:42.830 --> 02:44.569
how techniques and sub-techniques

02:44.570 --> 02:46.759
are being used in relevant

02:46.760 --> 02:48.319
reporting and in the wild,

02:49.400 --> 02:50.989
some places where you can research

02:50.990 --> 02:52.656
defensive options related to these

02:52.970 --> 02:54.529
techniques and sub-techniques,

02:55.400 --> 02:57.199
how to look at your organization's

02:57.200 --> 02:59.030
capabilities and constraints,

03:00.110 --> 03:01.874
determine what the tradeoffs are for

03:01.970 --> 03:03.439
your organization and what your

03:03.440 --> 03:05.050
specific options may be,

03:05.540 --> 03:06.949
and then finally taking all that

03:06.950 --> 03:08.749
information and making defensive

03:08.750 --> 03:09.800
recommendations.

03:13.550 --> 03:15.529
So step zero, determine priority

03:15.530 --> 03:17.509
techniques. There

03:17.540 --> 03:19.189
are a lot of different ways that you

03:19.190 --> 03:20.379
can prioritize.

03:20.630 --> 03:21.949
We've gone through some of those

03:22.250 --> 03:24.229
in the Getting Started series

03:24.230 --> 03:25.580
that we've published on the Web.

03:26.420 --> 03:27.890
And so there are multiple ways

03:28.250 --> 03:29.029
to prioritize.

03:29.030 --> 03:30.469
But this is ATT&CK for Cyber

03:30.470 --> 03:31.840
Threat Intelligence training.

03:32.270 --> 03:34.069
So we'll focus on leveraging cyber

03:34.070 --> 03:35.389
threat intelligence today.

03:36.350 --> 03:38.479
Some of your options, though, are

03:38.480 --> 03:39.919
starting from data sources.

03:40.790 --> 03:42.554
What data are you already collecting

03:43.250 --> 03:45.169
that you may be able to see specific

03:45.170 --> 03:46.170
techniques with?

03:47.180 --> 03:48.289
Threat intelligence, which we're

03:48.290 --> 03:49.680
going to be going through today.

03:50.300 --> 03:51.819
What are your adversaries doing?

03:51.830 --> 03:53.599
What are the overlaps between

03:53.600 --> 03:54.600
groups you care about?

03:56.090 --> 03:56.899
Tooling.

03:56.900 --> 03:58.419
So what can your tools that you

03:58.850 --> 04:00.800
already own, you've already paid for,

04:01.130 --> 04:02.649
potentially cover? Maybe things

04:02.660 --> 04:04.249
you're not collecting right now,

04:04.610 --> 04:06.259
but built-in capabilities.

04:07.160 --> 04:08.689
And then finally, red teaming or

04:08.690 --> 04:09.690
adversary emulation.

04:09.830 --> 04:11.594
What kinds of gaps did your red team

04:11.750 --> 04:13.729
find the last time they did

04:13.730 --> 04:15.680
an evaluation of your environment?

04:20.100 --> 04:21.374
In the previous module, we

04:22.079 --> 04:23.980
took the output from a couple

04:24.000 --> 04:25.259
different reports and we looked at

04:25.260 --> 04:26.959
the overlap between those groups.

04:27.660 --> 04:29.519
And so this is taking

04:29.520 --> 04:31.529
our threat intelligence and

04:31.530 --> 04:33.147
getting us down to something that

04:33.300 --> 04:35.139
may be our top priority.

04:35.610 --> 04:37.325
We have multiple actors doing these

04:37.410 --> 04:39.389
techniques, and so maybe

04:39.390 --> 04:41.099
they're a good place for us to start

04:41.100 --> 04:42.717
in terms of things to worry about

04:42.810 --> 04:43.810
defending against.

04:44.910 --> 04:46.620
For the rest of this module

04:46.770 --> 04:48.260
and going through an example,

04:48.900 --> 04:50.468
I'm going to pick user execution

04:51.180 --> 04:52.180
out of this list.

04:52.870 --> 04:54.899
And so these are all equally

04:54.900 --> 04:56.100
valid places to start.

04:56.340 --> 04:57.810
And they get us down from

04:58.290 --> 05:00.060
the large set of

05:00.210 --> 05:01.679
possibilities that we would have

05:01.680 --> 05:03.052
looking at all of attack and

05:03.600 --> 05:05.819
get us down to a much smaller subset

05:06.240 --> 05:08.189
that we know is being used by

05:08.340 --> 05:09.340
threat actors.

05:11.100 --> 05:13.049
So in this lesson, I've introduced

05:13.050 --> 05:15.389
the model and reviewed the process

05:15.390 --> 05:16.979
for making defensive

05:16.980 --> 05:18.009
recommendations. I've

05:18.960 --> 05:20.189
gotten into a bit about some of the

05:20.190 --> 05:21.839
options for how to determine

05:21.840 --> 05:23.163
priority techniques and

05:23.220 --> 05:25.040
sub-techniques and looked

05:25.050 --> 05:26.399
at what that would mean from a cyber

05:26.400 --> 05:27.990
threat intelligence perspective.

