WEBVTT

00:00:02.240 --> 00:00:04.770
When I look at enabling you to deploy these blue team

00:00:04.770 --> 00:00:07.170
tools in your enterprise environments,

00:00:07.180 --> 00:00:09.770
the first thing that I need to give you is how to relate that to management,

00:00:09.770 --> 00:00:10.530
to get buy-in,

00:00:10.530 --> 00:00:12.960
and so that's the framework that we just covered and

00:00:12.960 --> 00:00:14.570
the kind of thought behind that.

00:00:14.940 --> 00:00:17.030
Then you also need to worry about things like,

00:00:17.040 --> 00:00:20.700
am I fulfilling my audit requirements, am I checking the boxes for compliance,

00:00:20.710 --> 00:00:22.030
and that's also covered.

00:00:22.040 --> 00:00:24.230
And now it's something to focus on you doing the technical

00:00:24.230 --> 00:00:27.570
implementation and the actual hands‑on keyboard action,

00:00:28.140 --> 00:00:29.640
though for this to be truly effective,

00:00:29.640 --> 00:00:32.380
there needs to be a single narrative that combines the need,

00:00:32.390 --> 00:00:35.880
not just for management at a strategic level and not just for compliance,

00:00:35.880 --> 00:00:38.540
but also down to your technical implementation level.

00:00:38.670 --> 00:00:40.950
In that way, we're all talking about the same thing.

00:00:41.440 --> 00:00:43.720
But how do we do that in the most effective way possible?

00:00:43.730 --> 00:00:45.450
That's right, by TTPs.

00:00:45.460 --> 00:00:50.050
And thankfully, MITRE ATT&CK is our source for TTPs based on groups.

00:00:50.440 --> 00:00:53.440
Looking at this from the blue team perspective is a bit different.

00:00:53.450 --> 00:00:56.260
Each of these tools may have overlapping capabilities,

00:00:56.270 --> 00:00:59.440
but especially for teams looking to fill gaps in current operations,

00:00:59.440 --> 00:01:02.770
the best way to build is based on data sources,

00:01:03.140 --> 00:01:04.970
which is what this map represents.

00:01:04.980 --> 00:01:08.410
It's a mind map of TTPs mapped to data sources that

00:01:08.410 --> 00:01:10.070
you need to use to detect them.

00:01:11.140 --> 00:01:13.680
Depending on the kind of data that you have available,

00:01:13.680 --> 00:01:16.760
you can look at the categorization of these tools based

00:01:16.760 --> 00:01:18.460
on what type of analysis they perform.

00:01:19.040 --> 00:01:19.590
And this way,

00:01:19.590 --> 00:01:22.480
you can match your capabilities with the information that you

00:01:22.480 --> 00:01:24.950
currently have available to make you effective today.

00:01:25.640 --> 00:01:28.170
Then you can map those data sources to the MITRE ATT&CK

00:01:28.170 --> 00:01:31.190
techniques that this tool and the courses associated with

00:01:31.190 --> 00:01:32.770
the tool will focus on detecting.

00:01:32.770 --> 00:01:35.080
In the case of operating system analysis,

00:01:35.080 --> 00:01:38.520
this describes an EDR‑like capability, processes,

00:01:38.530 --> 00:01:41.450
OS‑based logs, memory, that sort of thing.

00:01:41.840 --> 00:01:44.010
And, of course, with Hunting ELK, or HELK,

00:01:44.010 --> 00:01:48.420
the tool is capable of using Windows logs to detect malicious use of BITS Jobs,

00:01:48.420 --> 00:01:50.860
Kerberoasting, and the clearing of Windows event logs,

00:01:50.860 --> 00:01:53.500
and so that alignment looks like this.

00:01:53.500 --> 00:01:56.660
Though in the case of a tool like Arkime, formerly Moloch,

00:01:57.000 --> 00:01:58.620
you have network data to analyze,

00:01:58.620 --> 00:02:02.240
and you can detect TTPs like External Remote Services,

00:02:02.250 --> 00:02:04.990
the scanning of IP blocks, or protocol knocking.

00:02:05.000 --> 00:02:06.620
And as you look at different tools,

00:02:06.630 --> 00:02:08.960
there'll be TTPs that align to the data source

00:02:08.960 --> 00:02:11.070
explained in each of these courses.

00:02:11.070 --> 00:02:14.790
Application analysis would relate to a tool like ModSecurity that is

00:02:14.790 --> 00:02:18.950
analyzing Apache or NGINX logs for web attack signatures.

00:02:19.340 --> 00:02:23.440
Infrastructure Analysis is looking for syslogs from routers and switches or

00:02:23.440 --> 00:02:27.100
even considering cloud‑based infrastructure as supporting infrastructure

00:02:27.110 --> 00:02:29.570
that needs to be monitored and analyzed as well.

00:02:30.340 --> 00:02:33.950
Threat intel tools will use their own various resources of

00:02:33.950 --> 00:02:36.210
information such as MISP and TAXII feeds,

00:02:36.210 --> 00:02:40.200
and incident management really leverages the data output from the

00:02:40.210 --> 00:02:42.830
other types of analysis to identify trends,

00:02:42.830 --> 00:02:45.760
and events, and incidents with tools like TheHive Project.

00:02:46.240 --> 00:02:49.190
And just to really round out the ability to align these blue

00:02:49.190 --> 00:02:52.110
team tools with your business use cases and the specific

00:02:52.110 --> 00:02:56.060
niche they fill in your defense, there is now a resource called MITRE Shield.

00:02:56.060 --> 00:02:59.810
MITRE Shield is the antithesis to MITRE ATT&CK and

00:02:59.810 --> 00:03:01.970
focuses on defensive capabilities.

00:03:02.340 --> 00:03:05.970
Now, in some rooms, the theory of implementation is called active defense,

00:03:05.970 --> 00:03:07.870
and that's what you're going to find on their website.

00:03:07.870 --> 00:03:11.960
But I don't want that to be confused with hacking back or anything that would

00:03:11.960 --> 00:03:15.360
violate any laws or expose an organization to further risk.

00:03:15.740 --> 00:03:18.850
Active in this instance and the instances in which we're going to

00:03:18.850 --> 00:03:22.850
teach you to use these tools is just used to describe the culmination

00:03:22.850 --> 00:03:25.160
of the process I just walked you through,

00:03:25.160 --> 00:03:28.970
to leverage a defensive capability to actively meet the adversary's

00:03:28.970 --> 00:03:32.060
capabilities with a response before you encounter it.

00:03:32.540 --> 00:03:35.140
And just like MITRE ATT&CK, it has its own matrix,

00:03:35.150 --> 00:03:36.930
but much of this is still in development,

00:03:36.930 --> 00:03:39.770
and they're working on how best to organize the dataset.

00:03:40.240 --> 00:03:45.070
Feel free to explore the resource here at shield.mitre.org/matrix.

00:03:45.440 --> 00:03:47.820
My focus is instead on meeting the technique,

00:03:47.830 --> 00:03:48.370
or TTPs,

00:03:48.370 --> 00:03:51.890
with the defensive capability and giving you the capability to

00:03:51.890 --> 00:03:54.560
match blue team tools to defensive use cases.

00:03:55.240 --> 00:03:58.470
What is the use case for these tools as it maps to a

00:03:58.470 --> 00:04:01.150
mitigation to a MITRE ATT&CK TTP?

00:04:01.840 --> 00:04:04.820
You get there in this website by looking at Mappings and then,

00:04:04.830 --> 00:04:06.510
for instance, under Reconnaissance,

00:04:06.520 --> 00:04:10.860
a technique like Gather Victim Network Information is matched by

00:04:10.860 --> 00:04:13.590
the defensive technique of Network Monitoring.

00:04:13.590 --> 00:04:16.860
At the Shield technique level, it's still pretty vague,

00:04:16.870 --> 00:04:20.760
but I see real value from the use case information within the technique.

00:04:20.769 --> 00:04:23.910
Different tools monitor different aspects of the network,

00:04:23.920 --> 00:04:26.740
so there are different use cases for different kinds of network

00:04:26.740 --> 00:04:29.550
monitoring capabilities that need to be explained.

00:04:30.140 --> 00:04:32.930
The defensive use cases, or DUCs, as I call them,

00:04:32.940 --> 00:04:36.410
clearly explain how different implementations relate to

00:04:36.420 --> 00:04:38.960
actively countering adversary TTPs.

00:04:39.540 --> 00:04:40.340
And this way,

00:04:40.350 --> 00:04:44.300
each tool course is going to explain to you the use cases for how it

00:04:44.300 --> 00:04:46.790
will counter each of the MITRE ATT&CK techniques,

00:04:47.010 --> 00:04:51.030
fully covering every angle of a kill chain you may be looking to interrupt

00:04:51.040 --> 00:04:54.050
or a specific adversary that you're looking to counter,

00:04:54.210 --> 00:04:59.290
and most importantly, being very clear about what gap that tool can fill,

00:04:59.290 --> 00:05:01.860
not to waste your time and to enable you to be as

00:05:01.870 --> 00:05:05.040
educated as possible before employing open‑source tools

00:05:05.040 --> 00:05:06.770
as part of your enterprise defense.
