WEBVTT

00:01.370 --> 00:02.595
This is module four, lesson

00:03.290 --> 00:04.290
four, make defensive

00:05.150 --> 00:06.259
recommendations.

00:08.870 --> 00:10.389
We have three objectives in

00:10.760 --> 00:12.390
this lesson, you're

00:12.580 --> 00:14.089
going to get into some of the

00:14.090 --> 00:15.919
different types of defensive

00:15.920 --> 00:16.920
recommendations.

00:17.690 --> 00:19.069
Talk a little bit about how to

00:19.070 --> 00:21.079
prioritize recommendations.

00:21.470 --> 00:22.489
And we're going to have you go

00:22.490 --> 00:24.079
through an exercise where you're

00:24.080 --> 00:25.305
actually making defensive

00:25.640 --> 00:26.659
recommendations.

00:30.100 --> 00:31.668
So we're now in step five, we're

00:32.140 --> 00:33.169
in the homestretch of

00:34.360 --> 00:35.709
actually making defensive

00:35.710 --> 00:36.710
recommendations,

00:37.930 --> 00:40.149
so it's important to consider

00:40.150 --> 00:41.326
through all of this that

00:42.250 --> 00:44.350
you don't just think about

00:44.770 --> 00:46.840
technical, think about new sensors,

00:47.350 --> 00:49.149
that recommendations can be

00:49.150 --> 00:50.571
strategic, they can be policy

00:51.130 --> 00:52.659
related, operational,

00:53.020 --> 00:54.020
tactical, or even

00:55.330 --> 00:56.653
making a decision to accept

00:57.490 --> 00:58.490
risk.

00:59.950 --> 01:01.719
Who the recommendations are for

01:01.900 --> 01:03.370
is going to vary based on your

01:03.460 --> 01:05.709
organization, so it's very important

01:05.710 --> 01:07.599
to think about who

01:07.600 --> 01:08.825
is your audience for your

01:09.280 --> 01:10.349
recommendations?

01:10.780 --> 01:11.799
Is it management?

01:12.070 --> 01:14.299
Is it your security operations center?

01:14.320 --> 01:15.909
Is it information technology?

01:16.240 --> 01:17.240
Or are you the Cyber

01:18.250 --> 01:19.509
Threat Intelligence Shop and you're

01:19.510 --> 01:21.129
making recommendations to all of the

01:21.130 --> 01:22.130
above.

01:22.570 --> 01:24.399
So we've gone through a bunch

01:24.400 --> 01:26.920
of different defensive options

01:27.250 --> 01:28.750
where you're getting them from

01:29.200 --> 01:31.029
ways to take a look at them,

01:31.030 --> 01:32.680
look at some of the pros and cons.

01:33.430 --> 01:35.439
And so some of the potential

01:35.440 --> 01:37.209
recommendation types that are coming

01:37.210 --> 01:38.829
out of this and, you know, may come

01:38.830 --> 01:39.879
from your own research.

01:40.450 --> 01:41.871
So the sort of obvious one is the

01:42.310 --> 01:43.310
technical.

01:43.780 --> 01:45.609
This could be collecting a new data

01:45.610 --> 01:47.799
source, writing a detection

01:47.800 --> 01:49.599
or an analytic from existing data,

01:50.200 --> 01:51.579
change your config or make an

01:51.580 --> 01:52.609
engineering change or

01:53.620 --> 01:55.150
potentially implement a new tool.

01:55.270 --> 01:57.129
And we've talked about a little bit

01:57.430 --> 01:58.459
of some specific ways

01:59.260 --> 02:00.790
of doing each one of those

02:01.180 --> 02:02.470
over the course of this module.

02:04.060 --> 02:06.159
But there are options definitely

02:06.160 --> 02:07.170
beyond the technical.

02:07.870 --> 02:09.129
So there are things like policy

02:09.130 --> 02:10.119
changes.

02:10.120 --> 02:11.289
Some of the examples we've gone

02:11.290 --> 02:12.699
through in terms of requiring more

02:12.700 --> 02:13.700
training are more

02:14.680 --> 02:16.199
of a policy change, or it could

02:16.750 --> 02:18.639
be a policy change in terms of

02:18.640 --> 02:19.865
what's allowed in a given

02:20.080 --> 02:21.080
organization.

02:22.450 --> 02:24.165
There's always the possibility that

02:24.340 --> 02:26.499
the correct answer is accept

02:26.500 --> 02:27.399
risk.

02:27.400 --> 02:29.319
So we've determined that a

02:29.320 --> 02:31.060
technique is a priority for us.

02:31.870 --> 02:33.849
We've looked at the pros

02:33.850 --> 02:34.899
and cons. We've looked at our

02:34.900 --> 02:35.859
options.

02:35.860 --> 02:36.879
We've weighed them.

02:37.480 --> 02:39.400
And our final answer may be

02:39.550 --> 02:41.800
that it is either

02:42.100 --> 02:43.970
undetectable, unmitigatable,

02:44.140 --> 02:46.089
or it's not worth the tradeoff

02:46.510 --> 02:48.029
that all of the options we have

02:48.370 --> 02:49.497
on the table are beyond

02:50.560 --> 02:51.819
what we're willing to accept and

02:51.820 --> 02:53.339
that we've decided to accept

02:53.740 --> 02:55.119
the risk of that technique

02:55.120 --> 02:56.120
happening.

02:59.730 --> 03:01.396
So to give some specific examples,

03:01.740 --> 03:03.629
so we've talked about user

03:03.630 --> 03:05.729
execution throughout this, so

03:06.240 --> 03:08.340
maybe where we come down to

03:08.370 --> 03:10.400
a policy recommendation,

03:10.770 --> 03:11.946
so we'll tackle them via

03:12.690 --> 03:14.405
user training, we've got this

03:14.490 --> 03:16.080
highly technical workforce.

03:16.590 --> 03:17.590
We'll work with them.

03:17.640 --> 03:19.079
We'll help make them into better

03:19.080 --> 03:20.305
sensors against malicious

03:21.330 --> 03:22.330
emails.

03:22.710 --> 03:24.229
But there are other types of

03:25.050 --> 03:26.177
techniques in ATT&CK

03:26.970 --> 03:27.929
that may come up in your

03:27.930 --> 03:28.930
prioritization.

03:29.250 --> 03:31.259
So, for example, if we're

03:31.260 --> 03:33.660
working from Supply Chain Compromise

03:34.020 --> 03:35.849
or Component

03:35.850 --> 03:36.850
Firmware, these can

03:37.800 --> 03:39.659
be really hard techniques

03:39.660 --> 03:41.699
or really expensive techniques

03:42.180 --> 03:44.280
to potentially mitigate, detect,

03:44.760 --> 03:45.887
and maybe we have stuff

03:46.650 --> 03:48.360
that is a priority to us.

03:49.170 --> 03:50.640
But after we take a look, it's

03:51.210 --> 03:53.129
beyond our capability or beyond

03:53.130 --> 03:55.199
our resources to stop

03:55.200 --> 03:57.000
or detect. And so we have to

03:57.150 --> 03:58.375
accept the risk that, you

03:59.070 --> 04:00.687
know, we're going to move on with

04:00.840 --> 04:01.829
our lives.

04:01.830 --> 04:03.659
And it might happen.

04:08.670 --> 04:09.993
So we've given this example

04:10.680 --> 04:12.509
we've gone through and

04:12.510 --> 04:13.510
taken a look at user

04:14.490 --> 04:15.490
execution so we

04:16.470 --> 04:18.449
can now take what we've weighed as

04:18.450 --> 04:20.116
our pros and cons, what we've come

04:20.459 --> 04:21.459
up with of how

04:22.680 --> 04:24.329
it works with our given

04:24.330 --> 04:25.330
organization.

04:25.620 --> 04:26.849
And so these are some of the

04:26.850 --> 04:28.679
defensive recommendations we might

04:28.680 --> 04:30.689
make from what we've

04:30.690 --> 04:31.619
worked through in the rest of the

04:31.620 --> 04:32.620
module.

04:32.790 --> 04:34.162
So everything we said around

04:35.100 --> 04:36.839
having a technical workforce

04:37.560 --> 04:39.120
is that one

04:39.450 --> 04:41.129
new user training geared around not

04:41.130 --> 04:42.629
clicking on attachments and how to

04:42.630 --> 04:44.089
identify social engineering.

04:44.700 --> 04:46.319
There are some downsides in terms of

04:46.320 --> 04:47.496
training fatigue, but it

04:48.300 --> 04:49.800
looks like this may be very well

04:50.100 --> 04:52.179
matched with our organization,

04:53.070 --> 04:55.049
our continued use of antivirus.

04:55.260 --> 04:56.039
Why not?

04:56.040 --> 04:57.300
We already have it.

04:57.480 --> 04:59.609
It's already there, no additional

04:59.610 --> 05:00.870
resource requirements.

05:01.230 --> 05:03.269
And so there's no reason to stop

05:03.270 --> 05:04.649
using antivirus.

05:06.000 --> 05:07.421
And lastly, so we've got this

05:08.040 --> 05:09.750
email detonation appliance.

05:10.440 --> 05:12.569
Maybe we try to make sure that our

05:12.570 --> 05:14.040
email is taking an unencrypted

05:14.970 --> 05:16.829
path past it so that we

05:16.830 --> 05:19.079
can make use of our existing tools.

05:20.130 --> 05:21.551
These are example recommendations

05:22.110 --> 05:23.384
coming out of the pros and

05:23.970 --> 05:25.587
cons we've worked through and the

05:25.740 --> 05:27.259
options we've worked through up

05:27.630 --> 05:28.630
to this point.

05:31.220 --> 05:32.220
So now it's your turn

05:34.040 --> 05:36.410
in the resources tab

05:36.830 --> 05:38.496
for your exercise, there should

05:38.510 --> 05:40.100
be a text file called

05:40.490 --> 05:42.379
Making Defensive Recommendations,

05:42.380 --> 05:43.490
Guided Exercise,

05:44.270 --> 05:46.579
download this worksheet and

05:46.580 --> 05:48.649
it will walk you through the

05:48.650 --> 05:50.569
same recommendation process we've

05:50.570 --> 05:52.429
just done with some

05:52.430 --> 05:54.096
guidance. So instead of asking you

05:54.230 --> 05:55.230
to fill in your own

05:56.270 --> 05:57.270
organization, it's

05:58.100 --> 05:59.419
going to give you some different

05:59.420 --> 06:00.919
decision points and suggest some

06:00.920 --> 06:02.450
particular places to look

06:02.900 --> 06:04.272
rather than just having sort

06:04.790 --> 06:06.089
of full open scope.

06:07.280 --> 06:08.299
So you're going to be working

06:08.300 --> 06:09.919
through this process of

06:10.280 --> 06:11.899
determining priority techniques,

06:12.410 --> 06:13.939
researching how the techniques are

06:13.940 --> 06:15.410
being used, researching defensive

06:16.160 --> 06:18.079
options related to those techniques,

06:18.830 --> 06:20.594
researching organizational capabilities

06:21.110 --> 06:23.329
and constraints, determining

06:23.330 --> 06:25.100
what the trade-offs are for your

06:25.370 --> 06:27.319
notional organization on specific

06:27.320 --> 06:28.349
options and then make

06:29.060 --> 06:31.129
recommendations based on

06:31.130 --> 06:32.239
what you've gathered in that

06:32.240 --> 06:33.240
process.

06:33.410 --> 06:35.029
So please pause the video now.

06:35.390 --> 06:37.056
And just give yourself 15

06:37.610 --> 06:39.739
minutes for this exercise and

06:40.610 --> 06:42.079
when you come back and unpause, we'll

06:42.080 --> 06:43.730
go over the exercise.

06:53.630 --> 06:55.579
OK, so as you went through

06:55.580 --> 06:56.630
this exercise,

06:57.440 --> 06:59.279
what resources did you end up using?

06:59.300 --> 07:00.574
So we gave some particular

07:00.620 --> 07:02.120
suggestions, but were there

07:02.510 --> 07:04.029
others that you decided to pull

07:04.370 --> 07:05.659
in, other things that you found

07:05.660 --> 07:06.660
useful?

07:07.610 --> 07:09.227
What kinds of recommendations did

07:09.560 --> 07:10.399
you end up making?

07:10.400 --> 07:11.779
Were they technical?

07:11.810 --> 07:13.040
Were they policy?

07:13.850 --> 07:15.124
Were they risk acceptance?

07:15.500 --> 07:17.629
And did you consider doing nothing

07:17.720 --> 07:19.339
and just accepting the risk?

07:20.630 --> 07:22.459
Were there any options that came up

07:22.460 --> 07:24.649
as you gathered options

07:24.650 --> 07:26.218
here that looked like they would

07:26.540 --> 07:28.059
be completely inappropriate for

07:28.370 --> 07:29.370
you?

07:34.240 --> 07:35.269
So to start with step

07:36.310 --> 07:38.649
zero, determine priority techniques,

07:40.030 --> 07:41.304
we gave you Scheduled Task/

07:41.950 --> 07:44.319
Job as the priority technique.

07:44.590 --> 07:46.509
So coming from the same list

07:46.510 --> 07:48.039
that we're working with from our

07:48.040 --> 07:49.040
threat reporting.

07:52.700 --> 07:53.700
Step one, how is

07:54.740 --> 07:56.569
that technique being used

07:56.570 --> 07:57.959
in the reporting we gave you?

07:58.520 --> 08:00.649
So let's take a look at the

08:00.650 --> 08:01.880
Cobalt Kitty report.

08:02.480 --> 08:04.279
So we're seeing it being used

08:04.730 --> 08:06.319
coming from a spearphish.

08:06.320 --> 08:08.480
We're seeing it being used from a

08:09.080 --> 08:10.080
Word macro.

08:10.490 --> 08:12.649
And so it's being run on the command

08:12.650 --> 08:14.569
line in both cases.

08:19.790 --> 08:21.980
We had you take a look at data sources,

08:21.990 --> 08:23.411
so take a look at some of the

08:23.720 --> 08:25.790
defensive options related to

08:26.090 --> 08:27.740
the technique or sub-technique,

08:28.130 --> 08:29.869
so you should have come up with data

08:29.870 --> 08:31.519
sources: file monitoring, process

08:31.520 --> 08:32.959
command-line parameters, process

08:32.960 --> 08:34.609
monitoring, and Windows event logs.

08:37.740 --> 08:39.014
We also had you take a look at

08:39.070 --> 08:41.169
detection, so this

08:41.440 --> 08:43.204
gives you a couple different options

08:43.299 --> 08:44.979
of things you might be able to do,

08:44.980 --> 08:46.570
taking a look at

08:47.020 --> 08:48.700
scheduled tasks being run.

08:52.890 --> 08:54.179
We gave you some of the

08:54.180 --> 08:55.699
organizational capabilities and

08:55.830 --> 08:56.830
constraints just so

08:57.780 --> 08:59.849
that you aren't having to take

08:59.850 --> 09:01.370
this from your own organization,

09:01.380 --> 09:02.789
give you something notional to work

09:02.790 --> 09:04.211
with. So for this exercise we

09:04.620 --> 09:05.879
had you assume that you have a

09:05.880 --> 09:07.499
Windows event log collection going

09:07.500 --> 09:08.676
to a SIEM, but no ability

09:09.570 --> 09:11.040
to collect process execution

09:11.370 --> 09:13.200
logging, which will narrow your

09:13.230 --> 09:14.489
ability a little bit.

09:18.170 --> 09:20.200
So given where we had

09:20.210 --> 09:21.799
to go through and take a look,

09:22.670 --> 09:24.649
these are some of the specific

09:24.650 --> 09:26.267
trade-offs you might have come up

09:26.360 --> 09:27.919
with for your enterprise.

09:29.830 --> 09:31.447
So monitor scheduled task creation

09:31.570 --> 09:33.285
from common utilities using command

09:33.580 --> 09:34.779
line invocation.

09:36.120 --> 09:38.089
Pros might have been: it would

09:38.090 --> 09:39.169
allow us to collect detailed

09:39.170 --> 09:40.640
information on how the task is

09:40.700 --> 09:42.019
added. It would give us some great

09:42.020 --> 09:43.880
visibility, but

09:43.910 --> 09:45.679
we said the organization has no

09:45.680 --> 09:47.269
ability to collect process

09:47.270 --> 09:48.740
execution logging, so it's probably

09:49.130 --> 09:50.130
off the table.

09:51.320 --> 09:52.639
Configure event logging for

09:52.640 --> 09:54.740
scheduled task creation and changes

09:55.700 --> 09:57.317
fits well into our Windows event

09:57.320 --> 09:59.029
log collection, will get it up to our

09:59.030 --> 09:59.899
SIEM.

09:59.900 --> 10:01.669
Probably the easiest to implement

10:01.850 --> 10:02.989
enterprise wide.

10:04.490 --> 10:06.409
This will increase collected log

10:06.410 --> 10:07.410
volumes.

10:08.490 --> 10:09.749
There are other tools that are

10:09.750 --> 10:11.309
suggested along the way

10:11.310 --> 10:13.370
that you may be able to use: Sysinternals

10:13.420 --> 10:15.269
Autoruns, we'll

10:15.270 --> 10:16.789
see these scheduled tasks being

10:16.950 --> 10:17.950
used.

10:18.870 --> 10:20.099
Some of the pros: this would allow us to

10:20.100 --> 10:21.959
see other persistence techniques

10:21.960 --> 10:24.029
as well. So other ways

10:24.030 --> 10:25.409
that things are being added to the

10:25.410 --> 10:26.700
system to run at boot.

10:27.420 --> 10:28.679
Autoruns is free,

10:29.400 --> 10:31.829
but free is not necessarily

10:31.830 --> 10:34.049
free. It's not currently installed.

10:34.390 --> 10:35.579
It would need to be pushed out to

10:35.580 --> 10:37.229
all systems and we need to build up

10:37.230 --> 10:39.179
the data collection and analytics

10:39.180 --> 10:40.699
around it for it to actually be

10:41.100 --> 10:42.100
useful.

10:43.460 --> 10:45.499
Another defense option that came

10:45.500 --> 10:46.872
up was to monitor process

10:47.360 --> 10:48.549
command-line arguments.

10:49.250 --> 10:50.710
Again, this would allow us to

10:50.720 --> 10:52.130
collect detailed information,

10:52.730 --> 10:54.619
but we gave as a

10:54.650 --> 10:56.389
constraint that the organization has

10:56.390 --> 10:57.559
no ability to collect this

10:57.560 --> 10:58.560
information.

11:01.130 --> 11:02.845
So we've guided your paths and your

11:03.080 --> 11:04.909
steps a little bit where we

11:04.910 --> 11:07.069
think you might have come up with

11:07.430 --> 11:09.019
a couple of different options that

11:09.020 --> 11:11.029
look like this, but your

11:11.030 --> 11:12.709
answers may differ depending on how

11:12.710 --> 11:14.082
you actually are reading and

11:14.390 --> 11:15.859
processing the information that

11:15.860 --> 11:16.860
you're going through.

11:17.420 --> 11:19.369
So we think you might have come up

11:19.370 --> 11:20.990
with an option of

11:21.440 --> 11:23.269
enabling the Microsoft Windows Task

11:23.270 --> 11:24.799
Scheduler Operational

11:25.280 --> 11:26.839
setting within the event logging

11:26.840 --> 11:28.310
service and creating analytics

11:28.940 --> 11:31.009
around event ID 106,

11:31.370 --> 11:32.919
and event ID 140.

11:33.830 --> 11:35.389
So these are things that come from

11:35.390 --> 11:36.811
the defensive options and the

11:37.190 --> 11:38.807
detection options that are within

11:39.230 --> 11:40.820
the technique and sub-technique.

11:42.430 --> 11:43.839
Another option you might have come up

11:43.840 --> 11:45.789
with is to use Autoruns to

11:45.790 --> 11:46.868
watch for changes that

11:47.740 --> 11:49.140
could be attempts at persistence.

11:49.150 --> 11:51.279
Maybe you decided that the

11:51.280 --> 11:52.897
additional logging infrastructure

11:53.320 --> 11:54.789
and pulling it together would be

11:54.790 --> 11:56.769
worth it based on the constraints

11:56.770 --> 11:57.770
that we gave.

12:01.720 --> 12:03.579
So in this final lesson,

12:03.850 --> 12:05.516
we've examined the different types

12:06.100 --> 12:07.960
of defensive recommendations,

12:08.650 --> 12:10.809
you've looked at how to prioritize

12:10.810 --> 12:12.525
recommendations when you might need

12:12.580 --> 12:14.099
to accept risk, and we've given

12:14.590 --> 12:17.169
you some practice making customized

12:17.170 --> 12:19.239
defensive recommendations and

12:19.240 --> 12:20.416
considering the elements

12:20.440 --> 12:21.959
contributing to your individual

12:22.000 --> 12:23.000
approach.

12:25.700 --> 12:26.700
This is now the end

12:27.830 --> 12:29.300
of our ATT&CK for Cyber Threat

12:29.420 --> 12:30.529
Intelligence journey,

12:31.490 --> 12:33.107
we've now worked through five different

12:33.230 --> 12:34.749
modules, getting into different

12:35.000 --> 12:37.159
aspects of first

12:37.160 --> 12:38.629
understanding how ATT&CK is useful

12:38.630 --> 12:40.296
for cyber threat intelligence, how

12:40.610 --> 12:42.178
to map narrative and raw data to

12:42.350 --> 12:43.771
ATT&CK, how to work with that

12:44.090 --> 12:45.658
intelligence, and then how to do

12:46.010 --> 12:47.659
something with that intelligence.

12:50.480 --> 12:52.520
And this is the end of module four.

12:52.550 --> 12:54.259
And thank you for joining us for

12:54.260 --> 12:54.889
this training.

