WEBVTT

00:00:00.940 --> 00:00:01.670
Hey, humans.

00:00:01.680 --> 00:00:05.140
I'm Aaron Rosenmund, and welcome to Blue Team Tools: Defense

00:00:05.140 --> 00:00:08.350
Against Adversary Activity Using MITRE Techniques.

00:00:08.840 --> 00:00:10.020
Quite the title, right?

00:00:10.280 --> 00:00:11.150
Well, I agree.

00:00:11.160 --> 00:00:12.170
Thank you for noticing.

00:00:12.640 --> 00:00:16.129
It's meant to be inclusive of the deceptively broad topic I'm about

00:00:16.129 --> 00:00:20.340
to cover while also giving me ample chances to mess it up by saying

00:00:20.340 --> 00:00:24.500
defense against the dark arts instead, though that isn't entirely incorrect,

00:00:24.500 --> 00:00:25.010
is it?

00:00:25.270 --> 00:00:26.200
I don't know, Aaron.

00:00:26.210 --> 00:00:29.020
That's what you're supposed to be telling me in this course. That's a

00:00:29.020 --> 00:00:30.910
valid point, but stop breaking the fourth wall.

00:00:30.910 --> 00:00:34.420
This isn't a Shakespeare play. But where does this story start?

00:00:34.430 --> 00:00:39.470
Well, it all starts with you, the blue team operator, a security engineer,

00:00:39.590 --> 00:00:42.870
SOC analyst, or are you an incident responder?

00:00:42.940 --> 00:00:43.870
No, no, no.

00:00:44.340 --> 00:00:49.460
You, you are a threat hunter. A threat hunter and the tools, the

00:00:49.460 --> 00:00:51.830
tools are what you use to assess the environment,

00:00:51.840 --> 00:00:55.060
stalk the adversary, and cut them down with precision.

00:00:55.740 --> 00:00:58.350
Regardless of your role, you need tools,

00:00:58.360 --> 00:01:01.350
software, or sets of software that help you do your job.

00:01:02.440 --> 00:01:05.030
And before you flip the channel thinking that you've got it

00:01:05.030 --> 00:01:08.430
covered with your enterprise solutions, I'm here to tell you, no,

00:01:08.580 --> 00:01:08.790
no,

00:01:08.790 --> 00:01:12.690
you don't. By now, you realize that this game of keeping up with the

00:01:12.690 --> 00:01:15.170
advancements of malicious actors is never ending.

00:01:15.640 --> 00:01:18.860
And just as malfeasant individuals and groups create

00:01:18.860 --> 00:01:21.330
new ways to exploit your applications,

00:01:21.340 --> 00:01:25.080
systems, and processes every day, you need tools that

00:01:25.080 --> 00:01:27.370
leverage new ways of detecting this activity.

00:01:27.840 --> 00:01:28.540
Congrats.

00:01:28.780 --> 00:01:31.240
You've been conscripted into the cyber arms race.

00:01:31.470 --> 00:01:32.350
Don't stress about it.

00:01:32.360 --> 00:01:33.360
You didn't have a choice.

00:01:33.840 --> 00:01:34.800
And what does that look like?

00:01:34.810 --> 00:01:36.450
Well, let's use pictures.

00:01:36.840 --> 00:01:37.950
Here is your security.

00:01:38.340 --> 00:01:39.150
See the gap?

00:01:39.540 --> 00:01:42.880
That's where the attackers get in, and it grows wider and wider as time

00:01:42.880 --> 00:01:46.370
goes on and new technologies are developed that avoid all this surface

00:01:46.370 --> 00:01:49.350
area that you don't have adequately covered.

00:01:49.740 --> 00:01:50.630
And when I say covered,

00:01:50.640 --> 00:01:53.860
I'm talking about cyber security functions that have to

00:01:53.860 --> 00:01:57.590
operate within your business so that you can detect attackers

00:01:57.600 --> 00:01:59.610
and the techniques that they use.

00:01:59.660 --> 00:02:02.430
And that's what this is really all about, where are these gaps in your

00:02:02.430 --> 00:02:06.430
functions that enable vulnerabilities that always exist to actually be

00:02:06.430 --> 00:02:10.050
exploited? And just like other arms races, it really doesn't matter

00:02:10.050 --> 00:02:11.660
which side you butter your toast on.

00:02:11.970 --> 00:02:15.270
No one is slowing down to wait on anyone else. This race is

00:02:15.270 --> 00:02:18.800
accelerated by the exponential churn of new technology, all

00:02:18.800 --> 00:02:21.060
required to keep your business on the cutting edge.

00:02:21.340 --> 00:02:22.340
So what am I saying?

00:02:22.420 --> 00:02:22.860
Well,

00:02:23.070 --> 00:02:26.070
if I'm saying anything at all, it's that the blue team tools,

00:02:26.040 --> 00:02:29.210
specifically, the wonderful world of open‑source blue team

00:02:29.210 --> 00:02:31.950
tools that we're discussing today, are the answer.

00:02:32.640 --> 00:02:34.840
They are there to quickly fill the gaps that are too

00:02:34.840 --> 00:02:37.010
cumbersome for enterprise solutions to fill.

00:02:37.230 --> 00:02:39.740
If you want to work with a new data source to detect a new red

00:02:39.740 --> 00:02:43.440
team tool that was released or a MITRE ATT&CK technique that

00:02:43.440 --> 00:02:45.540
you're not sure you have coverage for, well,

00:02:45.550 --> 00:02:46.860
there's a blue team tool for that,

00:02:47.540 --> 00:02:50.650
and you can implement it without a procurement cycle, or an

00:02:50.650 --> 00:02:53.150
evaluation period, or a contract, or any of that.

00:02:53.540 --> 00:02:56.560
See if you like it, and then if you really need this capability,

00:02:56.570 --> 00:02:58.070
you then have two choices.

00:02:58.740 --> 00:03:01.510
You can invest in the people and give them the skills that they need

00:03:01.510 --> 00:03:04.010
to continue to support the open‑source solution,

00:03:04.020 --> 00:03:05.450
something I'm partial to,

00:03:05.460 --> 00:03:10.000
or you can find an enterprise solution that provides that same

00:03:10.010 --> 00:03:13.820
gap fill with the open‑source tool as a stopgap until you can

00:03:13.820 --> 00:03:15.530
get the enterprise solution going.

00:03:15.540 --> 00:03:17.550
Still not convinced? That's okay.

00:03:17.640 --> 00:03:21.390
The rest of this course is going to go over where blue team tools fit into the

00:03:21.390 --> 00:03:25.840
familiar frameworks that we all use to build our business security, then I'm

00:03:25.840 --> 00:03:30.360
going to get into how adversary activity can inform our use of blue team tools

00:03:30.370 --> 00:03:34.550
and how we can align these defense capabilities to the offensive capabilities

00:03:34.550 --> 00:03:36.490
with MITRE ATT&CK, and finally,

00:03:36.500 --> 00:03:41.460
I'll take a look at MITRE Shield as a way to chart out how you build a

00:03:41.460 --> 00:03:45.940
defensive capability, matched with the threats to your industry. And while

00:03:45.940 --> 00:03:49.180
we're at it, I don't want to go too much further without recognizing the

00:03:49.180 --> 00:03:52.000
amazing individuals and teams that work together,

00:03:52.000 --> 00:03:57.330
often in their own time, to upkeep these tools for free, all so the community

00:03:57.340 --> 00:04:00.520
and the industry as a whole can benefit. And don't worry,

00:04:00.530 --> 00:04:03.530
we're not ever going to take credit or in any way imply

00:04:03.530 --> 00:04:05.520
that we're responsible for these tools.

00:04:05.530 --> 00:04:07.650
We simply want the world to know more about them.
