WEBVTT

00:00.990 --> 00:03.089
This is the module for the lesson to

00:03.510 --> 00:05.029
research how techniques and sub

00:05.250 --> 00:06.720
techniques are being used

00:07.110 --> 00:08.874
and defensive options for dealing

00:09.060 --> 00:10.060
with them.

00:12.760 --> 00:14.049
So two objectives for this

00:14.050 --> 00:15.373
lesson, hopefully, that you

00:15.910 --> 00:17.576
learn the approach for identifying

00:17.770 --> 00:19.629
how techniques and sub techniques

00:19.630 --> 00:20.904
are being used in relevant

00:21.190 --> 00:22.190
situations and

00:23.320 --> 00:25.149
understanding of how to research the

00:25.150 --> 00:26.718
associated defensive options for

00:27.040 --> 00:29.050
those techniques and sub techniques.

00:34.750 --> 00:36.529
So research how techniques and sub

00:36.550 --> 00:37.630
techniques are used.

00:38.230 --> 00:40.119
So this is important in

00:40.120 --> 00:41.198
creating our defensive

00:41.200 --> 00:42.200
recommendations.

00:42.970 --> 00:44.409
If we're taking a cyber threat

00:44.410 --> 00:46.359
intelligence approach, we want

00:46.360 --> 00:47.529
to make sure that the defensive

00:47.530 --> 00:48.999
recommendations we eventually come

00:49.000 --> 00:50.000
up with line up with

00:50.830 --> 00:52.479
what the adversaries are actually

00:52.480 --> 00:53.480
doing.

00:53.740 --> 00:55.210
So this is getting down to the

00:55.630 --> 00:56.630
procedure level of

00:57.490 --> 00:59.229
how a technique is being used by an

00:59.230 --> 01:00.230
adversary.

01:00.700 --> 01:02.379
So it's really important that as we

01:02.380 --> 01:03.399
create our defensive

01:03.400 --> 01:05.017
recommendations, if they actually

01:05.650 --> 01:07.267
overlap with what an adversary is

01:07.540 --> 01:08.912
doing, because it's entirely

01:09.310 --> 01:10.437
possible that there are

01:11.170 --> 01:12.879
ways of doing a technique

01:13.330 --> 01:15.069
that have no relevance to how our

01:15.070 --> 01:16.629
adversaries are actually doing them.

01:17.650 --> 01:19.689
So let's start with taking a look at

01:19.690 --> 01:21.339
the reporting that we pulled these

01:21.340 --> 01:22.900
techniques from the first place.

01:23.710 --> 01:25.659
So this is the APT39

01:25.660 --> 01:27.579
report where

01:28.930 --> 01:30.699
APT39 leverages spearphishing

01:30.700 --> 01:32.499
emails with malicious attachments

01:32.500 --> 01:33.550
and or hyperlinks.

01:34.180 --> 01:36.219
This is leading up to user

01:36.220 --> 01:37.592
execution, both of malicious

01:38.140 --> 01:39.489
link and malicious attachment.

01:39.970 --> 01:41.379
OK, so spearphishing,

01:43.390 --> 01:44.829
going back to Cobalt Kitty,

01:46.120 --> 01:47.709
spearphishing emails, links to

01:47.710 --> 01:49.239
malicious sites or weaponized word

01:49.240 --> 01:50.240
documents.

01:50.710 --> 01:52.599
OK, again, our user

01:52.600 --> 01:54.849
execution is coming from

01:55.090 --> 01:57.250
spearphishing, so that's

01:57.490 --> 01:59.019
at least in the examples that we're

01:59.020 --> 02:00.219
looking at. It looks like spear

02:00.220 --> 02:01.239
phishing is going to be pretty

02:01.240 --> 02:02.139
important.

02:02.140 --> 02:03.309
Well, let's take a look at some

02:03.310 --> 02:04.750
broader examples.

02:06.950 --> 02:09.049
So this is the user execution

02:09.050 --> 02:11.059
technique page on ATT&CK,

02:12.920 --> 02:14.599
APT32,

02:14.900 --> 02:16.249
spearphishing emails,

02:16.880 --> 02:19.159
APT33, spearphishing emails,

02:19.550 --> 02:20.689
spearphishing emails.

02:22.730 --> 02:24.347
Links to a site hosting malicious

02:24.860 --> 02:26.719
content, emails,

02:26.990 --> 02:28.669
emails, spearphishing,

02:29.240 --> 02:31.219
and if you go through the rest of

02:31.220 --> 02:33.199
the procedure examples in

02:33.200 --> 02:34.817
user execution, there's a theme

02:35.150 --> 02:36.949
here over and over and over again.

02:37.310 --> 02:38.749
The way that adversaries are getting

02:38.750 --> 02:40.073
people to click on stuff is

02:40.430 --> 02:41.430
spearphishing.

02:41.510 --> 02:42.833
So whatever we do, it looks

02:43.340 --> 02:44.359
like it's going to be really

02:44.360 --> 02:45.360
important that it is

02:46.340 --> 02:47.899
able to deal with spearphishing.

02:51.240 --> 02:52.367
So we know that we need

02:53.100 --> 02:54.569
to be able to deal with spearphishing,

02:54.870 --> 02:56.729
how do we pull together some

02:56.730 --> 02:58.249
of our options for dealing with

02:58.560 --> 02:59.579
user execution?

03:00.750 --> 03:02.459
There are a lot of different sources

03:02.460 --> 03:04.199
out there that provide defensive

03:04.200 --> 03:05.425
information that's indexed to

03:06.150 --> 03:07.669
ATT&CK. It's part of the value of

03:08.280 --> 03:10.349
putting your intelligence into

03:10.350 --> 03:11.680
attack in the first place.

03:12.720 --> 03:14.939
I'll go through a few examples of

03:14.940 --> 03:16.529
where you can get data from ATT&CK

03:16.530 --> 03:17.530
itself.

03:17.670 --> 03:18.797
So things like our data

03:19.590 --> 03:21.839
sources, detections,

03:21.840 --> 03:22.840
we list mitigations

03:23.670 --> 03:24.670
on each technique.

03:25.050 --> 03:25.979
And then there are a lot of

03:25.980 --> 03:27.809
references on each technique

03:27.810 --> 03:29.699
and sub technique, which may have

03:29.700 --> 03:31.349
their own recommendations for how to

03:31.350 --> 03:32.350
deal with something.

03:33.450 --> 03:35.165
We have our own analytic repository

03:36.030 --> 03:38.099
called CAR, or Cyber Analytics

03:38.100 --> 03:40.289
Repository, where we have

03:40.290 --> 03:41.956
specific analytics that are linked

03:42.030 --> 03:43.979
to a number of ATT&CK techniques

03:44.340 --> 03:45.659
for how to detect them in something

03:45.660 --> 03:46.660
like a SIEM.

03:47.890 --> 03:49.269
There are a number of other free

03:49.270 --> 03:50.919
resources out there, though, that we

03:50.920 --> 03:52.537
have no role with that have taken

03:52.930 --> 03:54.759
ATT&CK, have mapped to it, have

03:54.760 --> 03:55.989
given a bunch of defensive

03:55.990 --> 03:57.166
recommendations, just as

03:57.820 --> 03:59.584
a couple of examples of ones you can

03:59.680 --> 04:00.680
leverage for free.

04:01.260 --> 04:03.550
Roberto Rodriguez's Threat Playbook,

04:03.950 --> 04:05.559
Atomic Threat Coverage.

04:05.770 --> 04:07.289
But there are a number of other

04:07.360 --> 04:08.536
resources out there that

04:09.280 --> 04:10.900
are linked to ATT&CK these days.

04:12.440 --> 04:14.340
And this is just the starting list.

04:14.480 --> 04:16.069
Absolutely supplement with your own

04:16.070 --> 04:17.059
research.

04:17.060 --> 04:18.999
Take a look at how a

04:19.040 --> 04:20.148
technique looks in your own

04:20.149 --> 04:21.439
environment, the footprint it

04:21.440 --> 04:22.469
leaves, and how it is

04:23.300 --> 04:25.069
that you'd actually see it in your

04:25.070 --> 04:26.070
sensing.

04:28.790 --> 04:31.009
So getting into some specific

04:31.010 --> 04:32.470
examples from ATT&CK,

04:32.990 --> 04:34.754
so this is the high level technique,

04:34.790 --> 04:35.990
user execution,

04:36.830 --> 04:38.149
the first thing we told you to look

04:38.150 --> 04:39.349
at was data sources.

04:39.860 --> 04:41.899
And so this has all the data

04:41.900 --> 04:43.209
sources that are in the sub

04:43.220 --> 04:44.899
techniques, as well as the

04:45.230 --> 04:47.059
technique itself suggests you

04:47.060 --> 04:49.279
might be able to look at: antivirus,

04:49.280 --> 04:50.869
process command-line parameters,

04:50.870 --> 04:51.979
process monitoring

04:52.850 --> 04:54.769
as ways of seeing this activity.

04:56.810 --> 04:58.460
You can also get into

04:59.060 --> 05:00.677
some of the specific data sources

05:00.920 --> 05:02.629
that might be useful to a sub

05:02.630 --> 05:04.459
technique, so taking

05:04.460 --> 05:05.783
a look at things like a Web

05:06.470 --> 05:07.470
proxy or some

05:08.480 --> 05:09.509
of the same data

05:10.430 --> 05:11.419
sources that are going to be

05:11.420 --> 05:12.680
relevant to the parent.

05:17.040 --> 05:18.959
Another section we suggested looking

05:18.960 --> 05:20.819
at is mitigations, and

05:20.970 --> 05:22.679
these are different ways of

05:22.680 --> 05:24.297
potentially stopping the activity

05:24.600 --> 05:26.190
from happening in the first place,

05:26.970 --> 05:28.391
not just being able to detect

05:29.070 --> 05:30.480
it, but prevent it.

05:31.350 --> 05:33.530
So things like application control,

05:33.810 --> 05:35.490
you may be able to

05:35.820 --> 05:37.584
only allow specific executables that

05:37.650 --> 05:38.909
you're aware of to run in your

05:38.910 --> 05:40.379
environment. So things coming in

05:40.380 --> 05:42.000
from the outside via spearphishing

05:42.390 --> 05:43.390
wouldn't run.

05:44.190 --> 05:45.366
It ranges from different

05:46.320 --> 05:48.149
technical sources, both

05:48.150 --> 05:49.679
network and host based,

05:49.980 --> 05:51.480
to things like user training,

05:52.410 --> 05:54.510
teaching your users to identify

05:55.020 --> 05:56.220
spearphishing emails.

05:56.700 --> 05:58.589
It may be a way to keep them from

05:58.590 --> 05:59.699
clicking on them, since that's the

05:59.700 --> 06:00.959
most common way they're coming in

06:00.960 --> 06:01.960
the door.

06:05.900 --> 06:07.369
We also have given some ways to

06:07.370 --> 06:08.660
detect this activity,

06:09.200 --> 06:10.719
so to be able to tell that it's

06:10.940 --> 06:13.100
happening at some different level

06:14.120 --> 06:15.349
so things like looking at the

06:15.350 --> 06:16.869
command line arguments, looking

06:17.180 --> 06:19.279
at how files are executed on a given

06:19.280 --> 06:20.309
system, seeing things

06:21.410 --> 06:22.880
like compression applications,

06:23.420 --> 06:25.519
being used to unpack, unwrap various

06:25.520 --> 06:26.869
pieces of malware coming in

06:27.620 --> 06:29.060
using things like antivirus,

06:29.690 --> 06:31.820
to detect malware in the first place,

06:32.150 --> 06:34.009
as well as other types of endpoint

06:34.010 --> 06:35.060
network sensing.

06:39.350 --> 06:41.299
I mentioned the references on

06:41.300 --> 06:42.440
each of these pages too,

06:43.160 --> 06:45.529
and so the different user execution

06:45.530 --> 06:46.951
pages have a ton of different

06:47.660 --> 06:49.819
references coming both from

06:49.820 --> 06:50.849
procedure examples as

06:51.890 --> 06:53.262
well as from the description

06:53.720 --> 06:55.480
of the technique itself.

06:56.030 --> 06:57.500
And each of these may have its

06:57.860 --> 06:59.330
own recommendations for how to

06:59.360 --> 07:01.189
actually detect the activity going

07:01.190 --> 07:02.190
on.

07:05.530 --> 07:07.629
So taking these together and looking

07:07.630 --> 07:09.459
at some of the other resources that

07:09.460 --> 07:10.979
we mentioned, we're starting to

07:11.350 --> 07:13.539
build up a list of defensive

07:13.540 --> 07:14.979
options, different things that we

07:14.980 --> 07:16.156
can do to have an impact

07:16.870 --> 07:17.870
on this adversary.

07:19.120 --> 07:20.949
So pulling from these sources, we've

07:20.950 --> 07:22.569
gathered user training,

07:23.440 --> 07:25.269
got application control, stopping

07:25.270 --> 07:27.399
the executable from running, block

07:27.400 --> 07:29.115
unknown files in transit to stop

07:29.290 --> 07:30.760
it at the email there, network

07:31.480 --> 07:33.159
intrusion protection systems.

07:34.440 --> 07:36.155
File detonation, putting it in a

07:36.210 --> 07:37.919
sandbox, executing and seeing how it

07:37.920 --> 07:38.920
runs,

07:39.840 --> 07:41.429
if you dig into some of the external

07:41.430 --> 07:42.753
resources, you'll find that

07:43.320 --> 07:44.459
there are a couple different ways

07:44.510 --> 07:45.689
you can monitor command line

07:45.690 --> 07:47.669
arguments so you can enable

07:47.670 --> 07:49.379
and watch Windows event log

07:49.780 --> 07:50.959
4688.

07:51.180 --> 07:52.619
You can install Sysmon on

07:52.620 --> 07:53.620
systems.

07:53.970 --> 07:55.342
You can put antivirus on the

07:55.800 --> 07:57.319
various systems as well as more

07:57.630 --> 07:59.279
advanced endpoint sensing.

08:03.160 --> 08:04.581
So in summary, we've reviewed

08:05.320 --> 08:07.629
the approach for identifying how

08:07.630 --> 08:09.129
techniques and sub techniques

08:09.490 --> 08:10.960
are being used in relevant use

08:11.320 --> 08:13.480
cases so that we can later make sure

08:13.780 --> 08:15.459
that our defensive recommendations

08:15.460 --> 08:17.409
match up with our adversaries.

08:18.200 --> 08:19.329
You've taken a look at some of the

08:19.330 --> 08:20.829
different places where

08:21.280 --> 08:23.649
you can pull in associated

08:23.650 --> 08:24.777
defensive options using

08:25.720 --> 08:27.429
ATT&CK techniques and sub

08:27.430 --> 08:29.589
techniques as a starting

08:29.590 --> 08:30.590
point.

08:30.830 --> 08:32.048
These are everything from ATT&CK

08:32.049 --> 08:33.813
data sources, detections, mitigations,

08:34.000 --> 08:35.839
references to a

08:35.860 --> 08:37.779
number of external websites that

08:37.780 --> 08:39.039
are referenced to ATT&CK.

