[Instructor] This is module two, Mapping to ATT&CK from a Finished Report. Let's talk about this process of applying ATT&CK to CTI that we started our training out with. In module one you focused on understanding ATT&CK. Adam talked you through what ATT&CK is, some use cases, and how to apply it to cyber threat intel. Here in module two, we're gonna start diving into how you map data to ATT&CK. In module two we're gonna focus on how you map from finished reporting, then Adam's gonna walk you through how to map data from raw information, from raw incidents, for example, in module three. Then we move on to modules four and five, so this is where we are in our roadmap in this CTI training.

Let's talk about, first off, why is it so difficult to map cyber threat intel to ATT&CK? This is not an easy process, otherwise why would we have training to do it? First off, it requires a shift in how we think as analysts. Think of that pyramid of pain that Adam brought up. Many of us, myself included, are used to looking for atomic indicators, things like domain names, IP addresses, email addresses. Well, as we map to ATT&CK, we have to shift up that pyramid of pain and think about behaviors, those tactics, techniques, and procedures. And if you're an analyst who has been mapping IPs for years, this can be a little bit tough to shift in your own mind. But the good news is, we think it's worth it.

Another thing that's tough about this is the volume of ATT&CK techniques. There are hundreds of them in Enterprise ATT&CK and PRE-ATT&CK, and that can be really overwhelming when analysts first look at ATT&CK, and we realize that. So we'll give you some strategies today where you can address that and hopefully kind of bypass that sense of being overwhelmed, to help you successfully map to ATT&CK.

Next up, the other thing we hear from people is sometimes they're overwhelmed by the technical detail in ATT&CK techniques. Maybe if you're a strategic-level analyst you've never heard of something like rundll32. That's okay, analysts come from all different backgrounds, and ATT&CK gives you so much information, descriptions of every technique that you can use to learn, even if you're not familiar with those technical details.

As I said, we think this is a really worthwhile process, even though it's difficult. The shift in that thinking that analysts have to make from indicators to behaviors is really useful to them in better understanding adversaries and learning something new, learning those new adversary techniques that are really important nowadays to make sure you're detecting adversaries. And it also pushes them to learn more on the technical side. Maybe it's outside of their comfort level, but that's okay. So in short, yes, it is difficult to map cyber threat intel or data to ATT&CK, but we think it's really worthwhile, and hopefully after this training you'll agree.

Here's a process we recommend you follow as you're trying to map data, information, or intel to ATT&CK. Step zero, you have to understand something about ATT&CK. Adam gave you a head start with the first module of our training, where he described what ATT&CK is, some use cases for it, and how to use it for cyber threat intel. Once you understand ATT&CK and you're going through your information, data, or intel, you have to start by finding the behavior. That's a little bit different than identifying an indicator, so we'll talk through that process. Next, you need to research the behavior. Maybe you aren't sure what it is, maybe you've never heard of it before. After you've researched it a little bit to understand it, then translate that behavior into a tactic. And there are fewer tactics than there are techniques in ATT&CK, as Adam briefed you on earlier, so this is a little bit easier than if you just jumped right to the technique finding. Next up, figure out what technique applies to that behavior. And then lastly, a really important part of the process that we'll have you optionally work through in our exercise that applies this process: comparing your results to other analysts, which helps you hedge against your biases and get better mapping.

There are two key sources that you're gonna use where you get this data or information from. First off, finished reporting, which I'm gonna talk through in this module, how you map from that, and then Adam will talk you through in the next module how to map to ATT&CK from raw data.

Step zero, understanding ATT&CK. Before you can map to ATT&CK, you need to know a little bit about what it is. A great place to start is with completing module one of this training, as Adam walked you through what ATT&CK is, the tactics, the techniques, the structure. A great way to get analysts started is by watching an ATT&CK presentation, for example, one that I gave at Sp4rkcon. You can find that on our Getting Started page, and it's a great overview of what ATT&CK is and some of the key use cases there. On that same Getting Started page, you'll find our Philosophy Paper, and then lots of blog posts, an ebook that we recently published on our Getting Started series, lots of other content that can help you understand ATT&CK. From there, I'd suggest you read the tactic descriptions, those adversaries' technical goals, things like lateral movement, initial access, and at least understand what each of those goals are. From there, just skim the techniques. There are hundreds of them, so we realize we might not have time to read each and every one. That's okay, but skim them to get a sense of what ATT&CK techniques are. You're not gonna understand everything about ATT&CK, you're not gonna know every technique even if you read through them all, so encourage ongoing learning amongst your team. I know one SOC who had analysts present each week a different technique, and then they would discuss how do we detect this, how do we mitigate that technique. So that's a great way you can kind of encourage this ongoing learning and discussion amongst your team, to help you all understand ATT&CK together.

Step one of the process, find the behavior. As I mentioned, this is a very different mindset from looking for those atomic indicators like IP addresses. Think about verbs, think about what the adversary or the malware actually does, to identify what the behavior is. For Enterprise ATT&CK in particular, you might wanna focus on initial compromise and post-compromise details: how the adversaries got in, what they do after they got in. It's also important to note that some information isn't the best for mapping to ATT&CK, and we'll be the first to admit that. For example, static malware analysis. If you have some assembly, x86, some analysis from IDA Pro, those aren't always behaviors. Some of them are, but if you're just looking at assembly, that might not map to ATT&CK very well. Similarly, infrastructure registration information. There are some people doing some great work on passive DNS, other things like that, that might not be the best for mapping to ATT&CK. Again, we're looking at behaviors. And also, important information if you're mapping to the Diamond Model, things about victim targeting, also relevant for cyber threat intel, but maybe not the most relevant for mapping to ATT&CK. So really focus on those behavioral details, that's gonna give you the best bang for your buck as you map to ATT&CK.

So let's take a look at an example of how we go through this step of the process of finding the behavior. We're using an older FireEye report on APT3. What we're gonna do is just apply each of the steps of our process to this report. So first we have to find the behavior. We have to focus on what the malware, what the adversary's actually doing, those verbs. So let's walk through this. First one, successful exploitation, that's something that happened. Command, issuing a command could be a behavior. Looking at verbs again, creating persistence, creating a scheduled task. Establishing a connection, sending a connection request. So we've gone through and identified some things that we think might be behaviors here. What we'll do in the next steps of our process is identify the tactic and the technique that apply to each of those behaviors, and this mimics what you will see in your exercise for this module.

The next step of the process, researching that behavior. None of us knows everything, and so as analysts, you might see something in a report, hey, I've never seen that before, I'm not quite sure what that means. That's fine. If your analysts don't know what something is, do additional research. That's what we as CTI analysts should be doing. Maybe talk amongst your team. I partner with a bunch of red teamers on my team who know a ton, and they're great resources about what adversaries might be doing. Or external resources to walk you through: Google, Wikipedia, there's so much out there in open source that can help you understand these adversary behaviors. And again, this might not always be quick. Maybe you spend 10, 20 minutes researching a single behavior, mapping a single technique, but then you know something you didn't before. And understanding what that behavior is will then help you follow through the next steps of this process.

So let's take an example from our report. They mention SOCKS, and maybe you've never heard of SOCKS. That's okay, go to one of the best websites ever, Wikipedia. So you bring up the Wikipedia article for SOCKS and it tells you it's an internet protocol, layer five of the OSI model. If you haven't heard of the OSI model, great, look that up as well, figure out what that means. Okay, so now we know it's a layer five protocol, we know a little bit more about SOCKS if we didn't know that already. We also saw in that report a mention of port 1913. I know I've never seen port 1913 used. When I've done this training before, most analysts had also never heard of that port, so we look it up. Speed Guide is a great source on ports, and the assignment is armadp, which I had never heard of that service either, or that port. So maybe we need to do some more research, but right now we just know 1913 is something that I've never heard of, which gives you a piece of information to keep moving on with the process.

So we have our behaviors and we've researched them, and now we wanna translate those behaviors into a tactic, into those adversary goals. So to do this, think about the question: what is the adversary trying to accomplish? Adversary intent is really tough to know and their goals are very difficult to discern, but you can try to take a guess based on that behavior. Sometimes this is gonna require some domain expertise, some knowledge of how adversaries behave in a network, but the great thing about mapping to ATT&CK from finished intelligence is sometimes there are clues in there, as we'll see during our exercise and in our examples. The good news about this step is there are only 12 options to choose from as you're mapping to a tactic in Enterprise ATT&CK: Initial Access, Execution, Persistence, Privilege Escalation, et cetera. So only 12 to choose from. Your odds are pretty good, if you have some domain expertise, that you might map to the right thing. And you can always ask your teammates.

Let's take a look at how we apply this to our example report. Reading through, okay, the malware establishes a SOCKS5 connection, moving on, the first three bytes of the command identifier, the commands are supported by the malware. So we summarize this into a simple statement like, well, malware has to connect in order to command the malware to do something. And pretty straightforward here, that tactic would be Command and Control. That adversary's goal is establishing a connection and sending commands across it. So we've identified our tactic from our behavior.

Next step of the process, figure out what technique applies to that behavior. This is often the toughest part of this entire process, made more difficult by the fact that not every behavior necessarily maps to a specific technique. So some of that is just knowing ATT&CK, knowing what techniques we have, and that goes back to step zero of understanding ATT&CK. But even if you don't know every technique, we have some simple strategies that can help you figure out how to successfully map your intel to ATT&CK even if you don't know every ATT&CK technique in the book. First off, take a look at the list of techniques under the identified tactic. So as we'll talk about, we figured out in the last step in our example that was Command and Control. So let's bring up that tactic page, and then we've narrowed down the techniques to choose from by a lot. Also, try searching our website, attack.mitre.org. We have a search bar in the upper right, try different keywords. Maybe you have some procedure-level detail or some command line information, some flags an adversary used, some specific commands or incident response details. Any kind of different keywords you can use to search through our website, that might give you a chance at finding the right technique.

Let's go to our example again. We decided that was a Command and Control tactic, so as I suggested, let's bring up that tactic page. This page lists all the techniques under the Command and Control tactic. So we start scanning and we notice something kind of interesting. We see there are protocol techniques and there are port techniques. That gives us a clue that though we identified kind of one tactic and a series of behaviors here, maybe there are two techniques for communication outside of a network: protocol and port. So that gives us a piece of information as we're trying to figure out what techniques apply here.

Diving into our example details again, we see the malware first establishes a SOCKS5 connection in that description, and we learned about SOCKS from Wikipedia, so we try searching. Try a search of the ATT&CK website for SOCKS and see what pops up. In this case, we got lucky and we find that the term SOCKS is in the description for the technique Standard Non-Application Layer Protocol. So we see that in the technique description, and we also see one of our software examples, BUBBLEWRAP, was previously seen communicating using SOCKS. So we have an idea, maybe SOCKS5 connections map to Standard Non-Application Layer Protocol, but we also thought that maybe there's a port technique that applies here, since we saw on the tactic page that there are techniques for both port and protocol. So we take a look and just do a Control + F on that Command and Control list of techniques, and we see there are three port techniques that pop up in that search: Commonly Used Port, Uncommonly Used Port, and Port Knocking. Out of these three, well, I'd say that I'd never personally seen port 1913 used by adversaries, most other people hadn't heard of it, so out of these three, I would personally select Uncommonly Used Port.

So we worked through the first behaviors that we saw and we identified the tactics, for both of these they were Command and Control, and then we identified the techniques. Establishing a SOCKS5 connection, we said that would be Standard Non-Application Layer Protocol, and then using TCP port 1913, we mapped that to Uncommonly Used Port. So we've taken our first two behaviors, mapped those behaviors to tactics, then mapped them to techniques, and so now let's continue through our report. Looking at successful exploitation to give system access, that's Privilege Escalation as the tactic, and then the technique would be Exploitation for Privilege Escalation. The next one, using the Windows command cmd.exe whoami, we'd map that as the Execution tactic, because Command-Line Interface is doing that execution, and then also to the Discovery tactic, System Owner/User Discovery for the whoami, where the adversary is trying to figure out maybe who owns or uses that system. Continuing on, this is where the finished reporting helps you out, because persistence, which is one of our tactics, is right there in the description. So Persistence is the tactic, and again, Scheduled Task is a technique name, so it's right there for you in the reporting, pretty easy one.

That brings us to exercise two, where you're going to be analyzing a threat report to find the Enterprise ATT&CK techniques in it. We have a report, open source, from Cybereason on Cobalt Kitty, and what we've done is we've gone through that report and highlighted sections for you with the different behaviors we want you to try to find techniques for. We've highlighted 22 of them in a PDF, and we want you to basically go through the process we've just outlined: identifying the behavior, which we've given you a head start on, identifying the tactic, identifying the technique. So that's what we want you to do. All of the materials are in attack.mitre.org/training/cti under Exercise Two, and you have a little bit of a choose-your-own-adventure here. If you want more of a challenge, you can start with the highlights-only PDF, which has just highlighted the behaviors for you, or if maybe you wanna ease into it, you can choose the tactic hints PDF, which gives you the hint of which tactic it is and then you just fill in the technique. One note on this is that sometimes people have a little bit of a struggle figuring out which highlights correspond with which boxes. It doesn't really matter, just focus on those highlighted sections and identifying the tactic and technique for each of them. You're welcome to fill it into the PDF or just use a text document, however you work best. A couple of tips as you do this: use keyword searches of our website as we talked about, searching for something like SOCKS and procedure-level details or command line. Also remember you don't have to be perfect, it's okay, this is a learning process, so use this as a chance to dive into ATT&CK. We now recommend that you pause the video and give yourself about 30 minutes for this exercise, but we encourage you to take as long as you need to complete this.

We now have an optional bonus step from exercise two that you should have taken a couple of minutes to work through. As we talked about in our overall overview of the mapping threat intel to ATT&CK process, there's a step five that's really important. And that step is comparing your results to other analysts. Let's talk about why that's so important. As an analyst, as a human, I have my own biases. I often identify the techniques that I'm familiar with, so I see scheduled tasks all the time, I see spearphishing attachment all the time, so I'm more likely to identify those techniques. By comparing my results to other analysts, we can start to hedge against biases. On the ATT&CK team, we try to have at least two people review every report to try to put this step of the process into action ourselves, and it helps do a better job of identifying all the techniques in a report. So for example, maybe analyst one goes through a report and they see six techniques, listed on the slide, and analyst two goes through a report and they see five. Well, they compare those, they contrast those, and they see, well, there was one protocol technique they disagreed on. One analyst had Standard Non-Application Layer Protocol and one analyst had Custom Command and Control Protocol. That's okay, this is a great opportunity for them to discuss why are those different, what were their interpretations of what that behavior was? So this is a step of the process we highly recommend you follow if you have other analysts on your team, and again, we do this ourselves on the ATT&CK team.

So that brings us to the optional bonus step of exercise two. If you're going through this exercise as a team, which I highly recommend, compare what you got in the exercise to other analysts. And again, like I mentioned in that last slide, you're not gonna get the same answers and that's okay. Wherever there are differences, stop and talk about it, discuss what did you see, how did you interpret that behavior versus a different analyst. It is okay to disagree here. If you're doing this as a team, I suggest you please pause here for about 10 minutes to discuss your differences among analysts. If you don't have a team, that's okay, you can just advance to the next part of the training.

Let's go over this exercise. In exercise two I asked you to map a Cybereason report to identify the different ATT&CK techniques in it, as well as the tactics. Some questions for you to think about, and if you're in a group, you can pause and discuss these: What were the easiest and hardest techniques to identify, and how'd you identify each of those techniques? What challenges did you have and how did you address those challenges? So as we've done this training before, some of what we've heard on the easiest techniques were the ones that are really straightforward, like PowerShell or Scheduled Task. Harder ones may be User Execution, that's commonly a difficult one just because folks maybe don't know that technique or don't know that that's often paired with spearphishing. In terms of identifying the technique, we've heard a lot of folks using the search method of searching the ATT&CK website, as well as the tactic method of bringing up the tactic page, looking at those techniques. Another struggle we've heard on this exercise is just the overwhelming nature of ATT&CK. And we've found a few people get analysis paralysis and get overwhelmed, but we found that most folks can push through and just get started. Maybe it's not exactly right and you're not sure of your answer, but diving into ATT&CK and understanding those techniques, that's the point of this exercise, and as you do it more, you'll get better at it.

Let's talk through the techniques that we found in this report. Again, this is just one set of answers, and it's very possible that you got different answers. That doesn't mean you're wrong. If you can defend those answers, we're fine with that. So these are just the techniques that we found.

First off, the report starts by saying two types of payloads were found in the spearphishing emails. First off, a link, so we map that to Initial Access as the tactic and Spearphishing Link as the technique. Then a separate type of payload, Word documents. Map that to, again, Initial Access, but Spearphishing Attachment instead of Link. The third one, they noted that Word documents with malicious macros were found in those emails. We mapped that to Defense Evasion/Execution, two tactics here, and to the very broad technique of Scripting. This one sometimes trips people up, because ATT&CK does have techniques that are at different levels of granularity, as we'll talk about throughout the training. But in this case, we map macros usually to Scripting. The next one, two types of payloads were found in those spearphishing emails, so this is sort of an implied technique. In order to get those payloads to execute, the user was probably doing that, so we map it to User Execution. This is often one that I forget even, or analysts are likely to miss. But generally, whenever there's Spearphishing Attachment or Spearphishing Link, the method of execution is commonly User Execution.

Moving along, the next technique was in an image: cmd.exe, so mapping that to Execution for the tactic and Command-Line Interface for the technique, pretty straightforward one there. Next one, it's in the name, scheduled tasks, mapping that to Execution/Persistence and the Scheduled Task technique. Next, we have a snippet of command line, including mshta.exe. Maybe you're not familiar with that, but this happens to be one that we have by that name on the ATT&CK website. I say "mishta"; Mshta is an Execution or Defense Evasion technique. Next one, the act of downloading, executing an additional payload. We refer to this as the technique Remote File Copy under Command and Control. Moving right along, this is another image and this is one of the easy ones, powershell.exe, awesome, that maps to the Execution tactic and the PowerShell technique. Next one can be a little challenging for some folks, passing an obfuscated and XOR'ed payload. We put this under another broad technique, Obfuscated Files or Information, which can refer to any type of obfuscation or encoding, and that's under Defense Evasion. The next one, a persistence technique, this is where that finished reporting helps you identify the tactic. And then they mention the technique consists of Registry Autorun. This is where sometimes we just use different words for the same thing. In ATT&CK it's called Registry Run Keys, that's another phrase for Registry Autorun. Next one, the attackers used NTFS Alternate Data Streams to hide their payloads. We put that under Defense Evasion and NTFS File Attributes, again, thinking about the adversaries were trying to hide their payloads, that would direct you to the Defense Evasion tactic, and hopefully that technique. Continuing on, the attackers created or modified Windows services, so I'd say that's two techniques under Persistence: they created services, mapping to New Service, or modified them, Modify Existing Service, both of which are techniques. Next up, using a malicious Outlook backdoor macro, say that five times fast, to edit a specific registry value to create persistence. Again, the tactic name is right there in that information, so Persistence is the tactic, and we bin that behavior under Office Application Startup, along with the Defense Evasion technique Modify Registry. We'll talk through the training about what you've seen here, multiple techniques applying at the same time. That's not uncommon, especially when it comes to things like Defense Evasion or Execution. Next one, using different techniques and protocols to communicate with C2 servers and specifying the HTTP protocol was used. CNC, it's right there, Command and Control is the tactic, and Standard Application Layer Protocol is the technique. We put HTTP under Standard Application Layer Protocol.

Finishing up with our last couple of techniques, the simple detail of traffic being over port 80. Again, that's Command and Control and Commonly Used Port. Port 80 is a very commonly used port by adversaries and legitimate traffic. Next up, downloading COM scriptlets using regsvr32. So downloading that, Command and Control again, that Remote File Copy, bringing another file onto the system as adversaries often do. And then also Regsvr32 is an Execution technique by the same name. Next up, a binary was renamed kd-10233.exe, trying to masquerade as a Windows update. Again, trying to evade defenses, so the Defense Evasion tactic. And then this is another easy one. We have a Masquerading tactic, it's fairly broad, referring to files or other information trying to pretend to be something they're not. And then last but not least, network scanning against ranges, looking for open ports. We'd identify that as the Discovery tactic, adversaries trying to find out information about their environment, where they are, and specifically, Network Service Scanning. Again, that information right there in network scanning will give you a hint for that technique name. That wraps up all the techniques in this Cybereason report.

If you'd like a little more practice mapping finished reporting to ATT&CK, we have an optional bonus report for you: APT39. This is an open source report from FireEye, and you can find this under the same section, Exercise Two, in attack.mitre.org/training/cti. This time we're taking the training wheels off, so you don't have any tactic hints, we just have the highlights of the behaviors for you, and you'll need to go through that same process to identify the tactics and the techniques. We're not gonna go through the answers here, but the answers are in a separate PDF for you to look at only after you finish the actual exercise, because I know none of you would cheat.

As we wrap up this module, we've talked about this process of mapping CTI to ATT&CK: understanding ATT&CK, finding the behavior, researching it, translating it into a tactic, figuring out what technique applies, comparing your results. It seems like a lot, and maybe you think, "Hey, with something like PowerShell, I can skip right to step four, I know what technique that is." Yeah, absolutely, sometimes you can skip steps, but remember that increases your bias, because you're more likely to identify those techniques you already know, and it's not gonna work for you every time. Sometimes it works really well, like PowerShell or Scheduled Task, but if it's something that isn't an easy name, it's gonna be tougher to find. So we recommend working through this process even if sometimes you skip steps.

As we wrap up module two, here's a reminder of where we are in our training. We started out with module one, where we understood what ATT&CK was, and now we're talking about mapping data to ATT&CK. In this module we've discussed how to map from finished reporting. In module three, Adam's gonna discuss with you how to map from raw information, which is a little bit different than mapping from finished reporting. Then we'll move on to storing and analyzing that data, and the really important part, making defensive recommendations. That concludes module two.
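Added example, not part of the training transcript and not MITRE tooling: the two technique-finding strategies the instructor describes, bringing up the tactic page and keyword-searching the site, can be run programmatically over the ATT&CK STIX data, which is useful when an analyst is mapping many reports or wants to check a search against a pinned ATT&CK version. The bundle embedded below is a constructed subset that copies the object layout of enterprise-attack.json from https://github.com/mitre/cti; the technique names and IDs (T1043, T1065, T1094, T1095, T1205, T1053) are the pre-sub-technique ones this training refers to, but the descriptions are paraphrased stand-ins rather than the real technique text, and T9999 is a placeholder used only to show that deprecated entries are filtered out. The functions themselves work unchanged on the real file.

```python
"""Tactic-page and keyword-search lookups over an ATT&CK STIX bundle.

The data below is a hand-constructed subset in the layout of MITRE's
enterprise-attack.json (STIX 2.0). Descriptions are paraphrases, not the
real technique text; T9999 is a placeholder, not a real ATT&CK ID.
"""
import json
import re


def _ap(ext_id, name, description, *tactics, **extra):
    """Build one attack-pattern object the way ATT&CK's STIX export lays it out."""
    obj = {
        "type": "attack-pattern",
        "name": name,
        "description": description,
        "kill_chain_phases": [
            {"kill_chain_name": "mitre-attack", "phase_name": t} for t in tactics
        ],
        "external_references": [{"source_name": "mitre-attack", "external_id": ext_id}],
    }
    obj.update(extra)
    return obj


CONSTRUCTED_BUNDLE = json.dumps({"type": "bundle", "objects": [
    _ap("T1043", "Commonly Used Port",
        "Adversaries may communicate over a commonly used port such as TCP 80 or 443 to blend in with normal traffic.",
        "command-and-control"),
    _ap("T1065", "Uncommonly Used Port",
        "Adversaries may conduct C2 over a non-standard port to bypass proxies and firewalls configured only for common ones.",
        "command-and-control"),
    _ap("T1094", "Custom Command and Control Protocol",
        "Adversaries may communicate using a custom protocol built on raw sockets instead of an existing standard.",
        "command-and-control"),
    _ap("T1095", "Standard Non-Application Layer Protocol",
        "Adversaries may use a non-application layer protocol such as SOCKS, ICMP, or UDP for communication between host and C2 server.",
        "command-and-control"),
    _ap("T1205", "Port Knocking",
        "Adversaries may use port knocking to hide open listeners used for persistence or C2.",
        "command-and-control", "defense-evasion", "persistence"),
    _ap("T1053", "Scheduled Task",
        "Utilities such as at and schtasks can schedule programs or scripts to run at a date and time.",
        "execution", "persistence", "privilege-escalation"),
    # Placeholder deprecated entry: old local copies of ATT&CK carry these,
    # and mapping intel onto one is a common mistake.
    _ap("T9999", "Retired Placeholder", "Not a real technique.",
        "command-and-control", x_mitre_deprecated=True),
]})


def load_techniques(bundle_json):
    """Flatten live attack-patterns to {id, name, description, tactics}; drop revoked/deprecated."""
    techniques = []
    for obj in json.loads(bundle_json).get("objects", []):
        if obj.get("type") != "attack-pattern":
            continue
        if obj.get("revoked") or obj.get("x_mitre_deprecated"):
            continue
        ext_id = next((r["external_id"] for r in obj.get("external_references", [])
                       if r.get("source_name") == "mitre-attack"), None)
        tactics = [p["phase_name"] for p in obj.get("kill_chain_phases", [])
                   if p.get("kill_chain_name") == "mitre-attack"]
        techniques.append({"id": ext_id, "name": obj["name"],
                           "description": obj.get("description", ""), "tactics": tactics})
    return techniques


def techniques_for_tactic(techniques, tactic):
    """The 'bring up the tactic page' strategy: narrow the candidate set to one tactic."""
    return sorted((t for t in techniques if tactic in t["tactics"]), key=lambda t: t["id"])


def search(techniques, keyword, tactic=None):
    """The 'search bar' strategy: whole-word, case-insensitive match on name and
    description, optionally limited to a tactic. Whole-word matching keeps
    'SOCKS' from matching 'sockets' and 'port' from matching 'report'."""
    pool = techniques_for_tactic(techniques, tactic) if tactic else techniques
    pattern = re.compile(r"\b" + re.escape(keyword) + r"\b", re.IGNORECASE)
    return sorted(t["id"] for t in pool
                  if pattern.search(t["name"] + " " + t["description"]))


if __name__ == "__main__":
    techs = load_techniques(CONSTRUCTED_BUNDLE)
    # Behavior from the APT3 walkthrough: SOCKS5 connection on TCP 1913, tactic C2.
    print("C2 techniques:", [t["id"] for t in techniques_for_tactic(techs, "command-and-control")])
    print("'SOCKS' under C2:", search(techs, "SOCKS", tactic="command-and-control"))
    print("'1913' anywhere:", search(techs, "1913"))   # port numbers are not in descriptions
    print("'port' under C2:", search(techs, "port", tactic="command-and-control"))
```

The empty result for "1913" is the point of the second search: a port number is procedure-level detail that does not appear in technique text, so the analyst falls back to the tactic page and picks among the port techniques by judgement, exactly as the walkthrough does.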