Lecture 08
Summary
TLDR: This script is a detailed walkthrough of mapping cybersecurity incidents to the ATT&CK framework using raw data. It discusses techniques such as initial access, execution, and persistence, and emphasizes the importance of understanding attacker behavior and tactics. The instructor walks through the analysis of various commands and network interactions, illustrating how to identify and map tactics and techniques from both finished reports and raw data. The session also covers the value of building a database of attack patterns and the challenges of attribution in cybersecurity.
Takeaways
- 📈 The main objective is to understand how to map raw data to the ATT&CK (Adversarial Tactics, Techniques, and Common Knowledge) framework.
- 🔒 The script discusses stealing VPN credentials and compromising a vulnerable web service as procedures for the 'External Remote Services' technique (T1133), and contrasts them with phishing, which is a different route to initial access.
- 🐟 The term 'STIX' is mentioned as a format used for cyber threat intelligence, which is important for creating and understanding threat reports.
- 🔑 Command injection is highlighted as a method for attackers to execute commands on a web server host, which falls under the 'Execution' tactic.
- 🔄 The script explains how certain behaviors can be associated with multiple tactics, emphasizing the need to understand the context of each action.
- 🔍 The importance of network intrusion detection is stressed for identifying command and control communications, which may use various protocols.
- 🛡️ 'Persistence' in cybersecurity is defined as ensuring that an executable remains on a system even after reboots, often achieved through methods like writing to startup folders or registry entries.
- 🤝 The script touches on the idea of 'resource development' in the context of cyber kill chain, which is about creating the necessary tools and resources for an attack, synonymous with 'weaponization'.
- 🧐 The need for cybersecurity professionals to think from both an attacker's and a defender's perspective is emphasized to effectively anticipate and counter threats.
- 📚 The 'Cobalt Kitty' report is used as an example to demonstrate how to map tactics and techniques from a finished report, which is a valuable exercise for understanding the cyber attack process.
- 🔑 The script concludes with the importance of mapping ATT&CK from raw data, a critical skill for threat intelligence analysts who must interpret various data sources to identify and respond to cyber attacks.
Q & A
What is the main objective of the session described in the transcript?
-The main objective of the session is to learn how to map raw data to the ATT&CK (Adversarial Tactics, Techniques, and Common Knowledge) framework.
What is the significance of using the code number 45975 on m.com in the context of the session?
-The code number 45975 is used on m.com to access and answer questions related to the session, which is part of the learning process about external remote services and cyber threat intelligence.
What are the three choices given in the example question about external remote services, and which one is not a procedure for it?
-The three choices are: 1) stealing an employee's VPN credential to access the network, 2) compromising a vulnerable web service to get a remote shell access, and 3) phishing followed by a backdoor infection to obtain access. The third choice, phishing followed by a backdoor infection, is not an external remote service procedure as the initial access is through phishing, not an external remote service.
What is STIX and why is it important in the context of the session?
-STIX (Structured Threat Information Expression) is a language and serialization format for cyber threat intelligence. It is important in the session because it is the format in which threat intelligence files are created and exchanged, which is a key part of mapping to the ATT&CK framework.
What is the role of Network Intrusion Detection in identifying Command and Control (C2) communications?
-Network Intrusion Detection plays a crucial role in monitoring all network traffic to identify any suspicious IP addresses or communication patterns that may indicate C2 communications, which are often used by attackers to control compromised systems.
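The check described in this answer, looking up every unrecognised destination against an abuse database, is easy to prototype over connection logs. The following is an added example, not code from the lecture. The log lines, the REPUTATION table (a stand-in for a service such as AbuseIPDB) and the internal address ranges are all constructed; a real deployment would replace the table with an API lookup. Note what the output does and does not say: a hit supports the Command and Control tactic, but, as the lecture points out, the connection log alone cannot tell whether persistence has been established.

```python
"""Triage outbound connections for possible command and control (C2).

Added example, not from the lecture. The connection-log lines and the
REPUTATION table are constructed; the table stands in for a lookup against
an abuse database such as AbuseIPDB. A hit supports ATT&CK tactic
Command and Control (TA0011); persistence cannot be judged from this data.
"""
from collections import defaultdict
import ipaddress

# Constructed reputation data: IP -> abuse categories reported for it.
REPUTATION = {
    "198.51.100.23": ["C2", "malware"],
    "203.0.113.77": ["scanner"],
}

# Address ranges treated as internal; traffic to these is not a C2 candidate here.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed connection-log lines: "<time> <src> -> <dst>:<port> <proto>".
SAMPLE_LOG = """\
2024-03-01T10:00:01 10.0.0.5 -> 93.184.216.34:443 tcp
2024-03-01T10:00:07 10.0.0.5 -> 198.51.100.23:8443 tcp
2024-03-01T10:00:09 10.0.0.7 -> 10.0.0.1:53 udp
2024-03-01T10:00:12 10.0.0.5 -> 198.51.100.23:8443 tcp
2024-03-01T10:00:30 10.0.0.9 -> 203.0.113.77:22 tcp
"""

def parse_line(line):
    """Split one constructed log line into its fields."""
    ts, src, _, dst_port, proto = line.split()
    dst, port = dst_port.rsplit(":", 1)
    return {"ts": ts, "src": src, "dst": dst, "port": int(port), "proto": proto}

def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)

def triage(log_text):
    """Return one finding per external destination that appears in the reputation data."""
    seen = defaultdict(lambda: {"sources": set(), "count": 0, "categories": [], "ports": set()})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if is_internal(rec["dst"]):
            continue
        cats = REPUTATION.get(rec["dst"])
        if cats is None:
            continue  # unknown but unlisted: would be queued for a live lookup
        f = seen[rec["dst"]]
        f["sources"].add(rec["src"])
        f["ports"].add(rec["port"])
        f["count"] += 1
        f["categories"] = cats
    findings = []
    for dst, f in sorted(seen.items()):
        findings.append({
            "dst": dst,
            "sources": sorted(f["sources"]),
            "ports": sorted(f["ports"]),
            "connections": f["count"],
            "categories": f["categories"],
            "tactic": "Command and Control (TA0011)",
            # Network evidence only: whether the implant survives a reboot is unknown.
            "persistence_known": False,
        })
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

Repeated connections from the same internal host to a listed address (two here, to 198.51.100.23) are the pattern worth escalating to host forensics, which is where the persistence question from the lecture gets answered.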
What does the term 'Persistence' refer to in the context of cybersecurity?
-In cybersecurity, 'Persistence' refers to the ability of a malware or an unwanted executable to remain on a system even after reboots, often achieved by writing the executable to startup folders, injecting itself into always-running processes, or changing registry entries for autorun.
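Two of the three mechanisms named in this answer, startup folders and autorun registry entries, leave an artefact that can be compared against a known-good baseline. The following is an added example, not from the lecture. Both snapshots are constructed to look like exports of Windows Run keys and a Startup folder; a real check would collect them from the host. New or changed entries map to ATT&CK T1547.001 (Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder). The third mechanism, injection into an always-running process (T1055), leaves nothing in this data, which is why the check does not claim to cover it.

```python
"""Flag new or changed autorun entries against a baseline snapshot.

Added example, not from the lecture. BASELINE and CURRENT are constructed
snapshots of Run keys and a Startup folder ("location" -> {entry: command}).
Differences map to ATT&CK T1547.001; process injection (T1055) is out of
scope because it leaves no autorun entry.
"""
RUN_HKLM = r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run"
RUN_HKCU = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
STARTUP = r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"

BASELINE = {
    RUN_HKLM: {"SecurityHealth": r"C:\Windows\System32\SecurityHealthSystray.exe"},
    RUN_HKCU: {"OneDrive": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background"},
    STARTUP: {},
}

CURRENT = {
    RUN_HKLM: {"SecurityHealth": r"C:\Windows\System32\SecurityHealthSystray.exe"},
    RUN_HKCU: {
        "OneDrive": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background",
        "WindowsUpdate": r"C:\Users\alice\AppData\Roaming\svchost.exe",  # constructed suspicious entry
    },
    STARTUP: {"update.lnk": r"C:\ProgramData\recycler.exe"},  # constructed suspicious entry
}

# Directories from which autorun commands normally launch on a workstation.
EXPECTED_PREFIXES = (r"c:\windows\system32", r"c:\program files", r"c:\users\alice\appdata\local\microsoft")

def from_unexpected_path(command):
    """True when the command does not launch from one of the expected directories."""
    return not command.lower().startswith(EXPECTED_PREFIXES)

def diff_autoruns(baseline, current):
    """Return findings for entries that are new, changed, or removed relative to the baseline."""
    findings = []
    for location, entries in current.items():
        old = baseline.get(location, {})
        for name, cmd in entries.items():
            if name not in old:
                change = "added"
            elif old[name] != cmd:
                change = "changed"
            else:
                continue
            findings.append({"location": location, "name": name, "command": cmd,
                             "change": change, "tactic": "Persistence", "technique": "T1547.001",
                             "unexpected_path": from_unexpected_path(cmd)})
        for name in old.keys() - entries.keys():
            # Removed entries matter too: a defender's own tooling may have been unhooked.
            findings.append({"location": location, "name": name, "command": old[name],
                             "change": "removed", "tactic": "Persistence", "technique": "T1547.001",
                             "unexpected_path": False})
    return findings

if __name__ == "__main__":
    for finding in diff_autoruns(BASELINE, CURRENT):
        print(finding)
```

The path check is a heuristic, not proof: an entry launching from a user-writable directory such as AppData\Roaming or ProgramData is the one to pull for hashing and the kind of renamed-binary analysis discussed later in the lecture.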
What is the difference between 'Resource Development' in the ATT&CK framework and 'Weaponization' in the Cyber Kill Chain?
-In the ATT&CK framework, 'Resource Development' refers to creating the resources needed for the attack, such as exploits or phishing emails, after reconnaissance has identified a target's weak spots. In the Cyber Kill Chain, 'Weaponization' is the corresponding stage of preparing the attack, which includes developing the actual exploit or payload to be used; the two terms describe the same step.
Why is it important for cybersecurity professionals to understand both the attacker's and defender's perspectives?
-Understanding both perspectives is crucial for cybersecurity professionals because it allows them to anticipate what an attacker might do and then devise effective defensive strategies against those potential attacks. This dual understanding helps in creating comprehensive security measures.
What is the purpose of creating a database of tactics and techniques used by various APT (Advanced Persistent Threat) groups?
-Creating such a database helps in analyzing and distinguishing between different APT groups by understanding their attack patterns, sequences, and methods. This can be used for attribution, which is the process of identifying the source of an attack, and can also aid in developing machine learning models to predict and defend against such attacks.
How does the process of mapping ATT&CK from raw data differ from mapping it from a finished report?
-Mapping ATT&CK from raw data requires a deeper understanding of technology and forensics, as analysts must interpret log files, network packet traces, and other raw data sources to identify behaviors, tactics, and techniques. In contrast, mapping from a finished report means working from behaviors that the report's authors have already identified and described, which is usually more straightforward.
Outlines
🔍 Mapping the ATT&CK Framework to Raw Data
The speaker begins by introducing the task of mapping raw data to the ATT&CK (Adversarial Tactics, Techniques, and Common Knowledge) framework. They guide the audience to use a specific website and code to answer questions about external remote services, distinguishing between techniques used for initial access. The speaker elaborates on the STIX format for cyber threat intelligence and discusses the importance of recognizing multiple tactics within a single action. The paragraph concludes with an example of identifying the tactic behind a device establishing a TCP connection to a suspicious IP, suggesting network intrusion detection as the method to verify command and control connections.
🛡️ Understanding Persistence in Cybersecurity
This paragraph delves into the concept of persistence in cybersecurity, explaining how it differs from the common understanding of the term. The speaker discusses various methods attackers use to maintain a presence on a compromised system, such as writing executables to startup folders or injecting code into running processes. The paragraph also touches on the transformational goal of cybersecurity courses, aiming to make individuals more vigilant about potential threats, and the importance of understanding the attacker's perspective to effectively defend against them.
📚 The Role of Resource Development in Cyber Kill Chain
The speaker clarifies the misunderstanding about the term 'resource development' in the context of the Cyber Kill Chain (CKC) model. They explain that resource development is analogous to weaponization, where an attacker creates the necessary tools and resources for an attack, such as phishing emails or exploits. The paragraph emphasizes the importance of understanding the attacker's perspective and the process of developing resources to carry out an attack effectively.
🕵️♂️ Analyzing the Cobalt Kitty Report with the ATT&CK Framework
The speaker provides guidance on how to analyze the Cobalt Kitty report using the ATT&CK framework. They mention different versions of the report, including one with highlights and another with tactic hints, to help understand the mapping process. The paragraph discusses the importance of identifying tactics and techniques from the report and the value of practicing this skill both for understanding attack patterns and for preparing for exams or real-world scenarios.
👥 Group Dynamics in Cybersecurity Training
In this paragraph, the speaker discusses the intentional mixing of students in group projects to simulate real-world dynamics, where one cannot always work with familiar partners. They emphasize the importance of learning to work with a diverse range of professionals and the benefits of identifying freeloaders in group settings. The speaker also hints at the challenges of mapping ATT&CK from raw data in the next homework, encouraging students to prepare for the task.
🔬 Transitioning from Finished Reports to Raw Data Analysis
The speaker explains the transition from analyzing finished reports to working with raw data, which is common in incident response and forensic analysis. They discuss the importance of understanding the ATD framework and the need for technical expertise to interpret raw data such as shell commands, malware analysis, and network packet traces. The paragraph also touches on the value of creating a database of tactics and techniques used by various APT (Advanced Persistent Threat) groups for machine learning and attribution purposes.
🗝️ Forensic Analysis Techniques and ATD Mapping
This paragraph provides an example of how to perform forensic analysis and map findings to the ATD framework. The speaker discusses specific commands used by attackers, such as 'ipconfig' and 'sc', and how to interpret their usage in the context of an attack. They explain the process of identifying the tactics and techniques associated with these commands, such as System Network Configuration Discovery and Execution, and the importance of this skill for threat intelligence analysts.
🔑 Deciphering Malicious Activity from Renamed Executables
The speaker continues the forensic analysis by discussing how attackers may rename benign executables to conceal their activities. They provide an example where 'recycler.exe' is found to be a renamed RAR executable, used for compressing and encrypting files, likely in preparation for exfiltration. The paragraph explains the process of identifying the tactic of Data Exfiltration and the technique of Execution, emphasizing the need for analysts to have a broad understanding of technology and the ability to research and interpret findings.
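The two forensic cases above, the ordinary administrative commands ('ipconfig', 'sc') and the renamed archiver ('recycler.exe' that is really RAR), can be handled by one small mapper. The following is an added example, not code from the lecture or from any tool it mentions. The process-execution records, the file hashes and the KNOWN_TOOLS table are all constructed placeholders standing in for an EDR export and for whatever hash source an analyst would really consult; the technique IDs are the ATT&CK Enterprise IDs for these commands. The renamed binary is recognised two ways: by its hash, and by RAR's command-line syntax when no hash match is available.

```python
"""Map raw process-execution records to ATT&CK tactics and techniques.

Added example, not from the lecture. All records and hashes are constructed;
KNOWN_TOOLS stands in for a real hash lookup. The mapper covers the lecture's
two cases: plain admin commands, and a benign tool renamed to hide it, where
the hash and the command-line syntax identify it even though the name does not.
"""
import shlex

# Constructed: sha256 -> original tool name. Placeholder hashes, not real values.
KNOWN_TOOLS = {
    "PLACEHOLDER_SHA256_RAR": "rar.exe",
}

# Command name -> (tactic, technique id, technique name). ATT&CK Enterprise IDs.
COMMAND_MAP = {
    "ipconfig": ("Discovery", "T1016", "System Network Configuration Discovery"),
    "whoami": ("Discovery", "T1033", "System Owner/User Discovery"),
}

# sc.exe subcommands mean different things, so each is mapped on its own.
SC_MAP = {
    "query": ("Discovery", "T1007", "System Service Discovery"),
    "create": ("Persistence", "T1543.003", "Create or Modify System Process: Windows Service"),
    "start": ("Execution", "T1569.002", "System Services: Service Execution"),
}

def looks_like_rar(args):
    """RAR syntax: an 'a' (add) command followed by switches such as -r or -hp."""
    return len(args) >= 3 and args[1] == "a" and any(a.startswith("-") for a in args[2:])

def identify_tool(record):
    """Resolve the real tool behind an image name: hash first, syntax second."""
    args = shlex.split(record["cmdline"], posix=False)  # keep Windows backslashes intact
    image = args[0].rsplit("\\", 1)[-1].lower()
    real = KNOWN_TOOLS.get(record.get("sha256", ""))
    if real is None and looks_like_rar(args):
        real = "rar.exe"
    renamed = real is not None and real != image
    return args, image, (real or image), renamed

def map_record(record):
    """Return one finding (tactic, technique, analyst notes) for a process record."""
    args, image, tool, renamed = identify_tool(record)
    name = tool[:-4] if tool.endswith(".exe") else tool
    if name == "sc":
        sub = args[1].lower() if len(args) > 1 else ""
        tactic, tid, tname = SC_MAP.get(sub, SC_MAP["start"])
    elif name == "rar":
        tactic, tid, tname = ("Collection", "T1560.001", "Archive Collected Data: Archive via Utility")
    elif name in COMMAND_MAP:
        tactic, tid, tname = COMMAND_MAP[name]
    else:
        tactic, tid, tname = ("Unmapped", "", "needs analyst research")
    notes = []
    if renamed:
        notes.append(f"{image} is really {tool} (renamed binary)")
    if name == "rar" and any(a.startswith("-hp") for a in args):
        notes.append("archive is password-encrypted (-hp): likely staging for Exfiltration (TA0010)")
    return {"image": image, "tool": tool, "tactic": tactic, "technique": tid,
            "technique_name": tname, "notes": notes}

# Constructed records in the shape a forensic/EDR export might have.
SAMPLE_RECORDS = [
    {"cmdline": r"C:\Windows\System32\ipconfig.exe /all", "sha256": "PLACEHOLDER_SHA256_IPCONFIG"},
    {"cmdline": r"sc query", "sha256": "PLACEHOLDER_SHA256_SC"},
    {"cmdline": r"sc start evilsvc", "sha256": "PLACEHOLDER_SHA256_SC"},
    {"cmdline": r"C:\ProgramData\recycler.exe a -r -hpSECRET C:\ProgramData\out.rar C:\Users\*\Documents",
     "sha256": "PLACEHOLDER_SHA256_RAR"},
]

def map_all(records=SAMPLE_RECORDS):
    """Map every record; unmapped commands are kept so the analyst sees what is left to research."""
    return [map_record(r) for r in records]

if __name__ == "__main__":
    for finding in map_all():
        print(finding)
```

The unmapped branch is deliberate: a raw-data mapper should surface what it could not classify rather than silently drop it, because, as the lecture says, the analyst's research is what turns the leftover commands into behaviours.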
⏳ Wrapping Up the Analysis and Preparing for Future Classes
In the concluding paragraph, the speaker summarizes the process of mapping ATT&CK from both finished reports and raw data. They highlight the importance of understanding the techniques and tactics involved in cybersecurity analysis and prepare the audience for further discussion of raw data analysis in upcoming classes. The speaker also encourages the audience to practice these skills to be better prepared for real-world challenges.
🎶 End of Session
The script ends with a musical note, indicating the conclusion of the session without any further content.
Keywords
💡ATT&CK framework
💡Initial Access
💡Execution
💡Persistence
💡Command and Control (C2)
💡Reconnaissance
💡Resource Development
💡Cobalt Kitty report
💡Forensic Analysis
💡Endpoint
💡Exfiltration
Highlights
Introduction to mapping the ATT&CK framework from raw data.
Using m.com with code 45974 to answer questions on external remote service.
Explanation of the difference between initial access and external remote service procedures.
Discussion on STIX format used for cyber threat intelligence.
Command injection tactics and their relation to initial access and execution.
Behavior having multiple tactics in a single action.
TCP connection to a suspicious IP indicating potential command and control.
Importance of network intrusion detection for identifying command and control communications.
Explanation of persistence in cybersecurity and its various methods.
The concept of resource development in the context of cyber kill chain.
Misunderstanding of resource development as a defender's perspective instead of an attacker's.
The necessity for cybersecurity professionals to think from an attacker's perspective.
Details on the Cobalt Kitty report and its use for understanding tactics and techniques.
The process of mapping ATT&CK from finished reports versus raw data.
Importance of understanding raw data for threat intelligence analysis.
The role of machine learning in distinguishing between attack groups based on tactics and techniques.
The process of mapping raw forensic data to the ATT&CK framework.
Interpreting shell commands and their relevance to ATT&CK tactics and techniques.
The significance of creating a database of tactics and techniques for attribution.
The challenges and expertise required for mapping raw data to ATT&CK.
Transcripts
[Music]

The main thing that we want to do today is how to map to the ATT&CK framework from raw data. So let's first look at a few things, but before that let's do this: use m.com with the code number 45 97457 and answer the questions. So, which of the following is not, sorry, it should have been "a procedure for external remote service". We talked about external remote service last time; it's technique number 1133, and you have three choices. One is stealing an employee's VPN credential and using that to access the network; second is compromising a vulnerable web service to get remote shell access; and third is phishing followed by a backdoor infection to obtain access. Okay, so this is going good, few more.

So stealing an employee's VPN credential and access is an example of external remote service as a technique for initial access, right? So we are talking about initial access. The second one, you want to compromise a vulnerable web service to get remote shell access; this is also, like last time we talked about a payroll service that was used to access, so this is kind of external remote service. But when you do phishing your initial access is through phishing, right? So its initial access is not through external remote service. You may use external remote service later for further access, but your initial access is already done, so that is not an external remote service procedure.

We talked about STIX. So what is the STIX format used to communicate? Okay, so this is going well. All right, so STIX is for cyber threat intelligence, and later in the course we'll actually look at the STIX format in detail, you know, how STIX files are created for cyber threat intelligence.
Now an attacker uses command injection to execute a command on a web server host. Which tactic is it? Is it initial access, reconnaissance, execution or persistence? So in this case it is executing a command, so it's an execution, but it may also be initial access because that's probably how the attacker got into the system. But execution is certainly the tactic. So certain behavior can actually have multiple tactics; that's something you have to look at. They might combine two tactics in one action, right?

Okay, so you observe that one of your devices is establishing a TCP connection to a suspicious IP. What is the tactic? So if your device is establishing a TCP connection to a suspicious IP, that means some unwanted executable is already executing inside your device, right? So that executable has executed, but we do not know whether it has established persistence, because persistence means that you establish yourself in such a way that the binary will be executed no matter whether you reboot your system or not. So if you just execute once, it doesn't mean that you are persistent; if you actually shut down your machine and restart, it may be gone. So it depends on whether it's... so from this information we do not know whether persistence has been established, but we know that it is communicating with some service somewhere which is a suspicious IP. Probably there is a list; there is an AbuseIPDB database where we can look and see whether this IP has been listed as suspicious by somebody. Then we will say that it's command and control, right?

Okay, this should be happening, but how do we check if command and control connections are happening? Okay, so command and control communication may use various types of protocols. So if it is using the HTTP protocol, then it is possible that the communication will be mediated by your web server and maybe it will be in the web server log, but it is not necessarily in the web server log, because you can actually have an application-level protocol that has been specifically designed to communicate with the command and control server. It could be DNS, it could be some other direct TCP connection and all kinds of stuff. So network intrusion detection is probably your best bet to actually check whether command and control is happening. If you are going to do host intrusion detection in every host, then there is a likelihood that you will also see it in the collected logs of all hosts' intrusion information at the host intrusion detection manager, right? But your best bet is certainly a network intrusion detection. So you monitor all the network traffic, and whenever you see an IP address you don't recognize you automatically look it up from an abuse IP database; that way you can actually... or a URL, you might have certain algorithms for figuring out the URL is suspicious. So network intrusion detection is probably the most likely place
where you will find this.

So when I say persistence, what kind of things do you think about? Oh, I think I have a deja vu; we already asked this question before. Yeah, so more or less it gives some of this thing: persistence is about ensuring that the executable stays irrespective of reboot cycles, and most of the time persistence is done through writing the executable inside your startup folder, or injecting itself into a known process which is always running, this kind of stuff, or changing a registry entry for autorun. So there are several ways to do persistence. The reason why I am asking this is that, see, what happens is that when you are taking a cyber security course, the goal of a cyber security course is to actually transform the person, right? The person who was not worried about things that could happen to their phones and their desktops or their servers or their network, their home Wi-Fi, they start thinking about those things. So the idea is to make you a little ultra aware of possible threats.

So the word persistence in general might mean many things. That's why some people wrote Virat, because he got a lot of zeros and then he comes back, or whatever you may want to think; I don't like him, so I don't know what his persistence is. But in any case, in real life persistence would mean somebody who is not easily stopped, right, remains persistent. It happens when we give grades and then people come and be very persistent that they need a higher grade. So that is a real-world use of persistent, but as a cyber security professional your view of persistence would usually mean something to do with unwanted executables making themselves persistent on the system so that they remain there. Sometimes it also evades defense, so it may turn off antivirus; it may actually hide itself inside a DLL or some executable by injecting itself inside the executable. So there are many ways that this kind of persistence is made by unwanted executables.

But the idea is that most nation state attackers, their goal is not to make a spectacular attack like the Russians did in the case of the power cut in Ukraine. That kind of attack usually becomes spectacular, but it is immediately understood that there has been an attack, and people will start removing all the malware and block all the IPs and do their best to actually stop that from happening again. The nation state attackers don't do that very often; they usually would do that if there is a war or something, but in general they want to remain persistent. So you will find that most critical infrastructure in India probably has persistent executables from various countries, and unless they actually find these things properly, like our seaports or our power system operators or telecom operators and so on, if they're not doing their cyber security properly they're probably having these persistent agents who are very, very stealthy. They communicate to their command and control very obscurely through very obscure protocols, and if there is no network monitoring, if there is no endpoint monitoring etc., most people wouldn't know that this is happening. And if this is happening, the reason is that at some point the command and control will ask the agents that are sitting in various places to actually do some action. So that's the whole idea: to position yourself so that you can actually execute a command or series of commands at the time when it is required, and usually this will be required when there is a real conflict, real war, like Ukraine and Russia, or what is happening between Hamas and Israel, things like that. That's the time when these things happen. And you might have read that the Iranian gas stations were attacked in large number recently, and that was probably by Israel, because Iranians are giving implicit support to their opponents. So they actually had probably agents sitting in those facilities and they basically executed some commands. So this is the idea of persistence. So if you are a cyber security professional you have to think in those terms rather than in terms of the regular everyday meaning of persistence.

Now, the last question:
What comes to your mind when you hear "resource development"? Now this is interesting: Andhra Pradesh, fancy defense. Oh, somebody has given a very nice answer: adding resources, hire experts. Okay, so on this one everybody seems to be spectacularly wrong. So remember, nobody has gone back and went to the ATT&CK website, I think. So what is happening is that in CKC, when we discussed the cyber kill chain, we said that there are seven stages: the first stage was reconnaissance, the second stage was weaponization. Now in ATT&CK, if we look at the 12 tactics that start from initial access, it basically says what happens after initial access: initial access, then execution, then persistence and privilege escalation and so on. But I said several times that there are two more before them. One is the same as CKC reconnaissance and the second one is the same as weaponization, but they call it resource development. So the attacker, once it does reconnaissance, figures out that this is the weak spot which I have to attack through. It could be a weak employee who doesn't know about phishing email, or it could be a web server that has a vulnerability, or it could be another service that is running on a particular port and we figured out that it is running an unpatched version and therefore it has a remote code execution, so I'm going to use it. But to do all this I have to develop an exploit. To do phishing I have to write an email which looks believable, and then I also have to either create a link which will take him to a malware-infested website, or I have to actually attach a malware-infested Word file or J file and so on. So this whole process of creating these resources which we'll use for attacking, for doing the initial access, is what is called resource development. Or in case you are going to exploit an internet-facing service, you have to design the payload, you have to design the exploit. So all these things in CKC we call weaponization; here we are calling it resource development. That's a terminology difference. So the right answer here would have been weaponization, but you are still thinking from the defender's point of view. So all these answers here are actually from a defender's point of view: the defender is doing hardening, the defender is doing sustenance, the defender is creating reliability, the defender is upgrading the system, taking backups. So you are thinking in terms of the defender, but ATT&CK is about the offender, the person who is attacking them; we're trying to understand what all he does. So we have to accordingly fill our mind from an attacker's perspective. That's why most cyber security professionals are in some sense schizophrenic: they have to always think in terms of the attacker and then they have to think how I can defend against that attack. If you cannot imagine what the attacker would do, then you cannot defend yourself. So that's the basic idea. Okay, so that's about these questions.

Now, before I go into the raw data aspects, I want to just go back and see where we left off. So we actually figured out the verbs in the report, then we tried to figure out the behavior, we researched the behavior from the ATT&CK website and maybe other resources on the Internet or books or whatever you reference, then we assign to each behavior what tactic it might be, and if I figure out the tactic well then I can also try to figure out what technique is being used, and then I have a whole mapping of the tactics and techniques. Now the question is what this is going to... so then we said that there is an exercise here which is called the Cobalt Kitty report, and you can go to this place. So let me show you where it is.

So here, if you go to this ATT&CK training and if you go to this "mapping from finished reporting", this is the Cobalt Kitty report, and this is a highlights-only version of the report which basically has all the highlights, but you have to go through this to figure out what tactics and what techniques these are. So here you do not have to say, okay, what am I looking for, am I looking for the verbs and all that stuff; this report is already prefilled with the places where you need to find the tactics and techniques. So this is one version. This will help you to go through this in a much faster manner than if you have to actually go through the entire report by yourself and figure out where the behavior fragments are and what to do with this behavior and so on. And this report already has a lot of things that are already explained in terms of the things that you want to find. For example, here is a section called C2 communication, so you can figure out that most of the tactics here would be about C2, command and control communication. It might probably have the internal reconnaissance.

Now what is internal reconnaissance? From the Lockheed Martin kill chain you might get an idea that reconnaissance happens first, then once you find where to attack you do the weaponization, once you do that you come inside and you do initial access etc. But many times once the malware is inside it will again scan; it has the code for scanning, it will scan the network and figure out which network is running, what open ports, internal open ports and so on. So there could be reconnaissance again, and that is the reason why ATT&CK is not a sequence like CKC. CKC is a sequence; ATT&CK is a set of tactics which can happen multiple times in an attack analysis. So internal reconnaissance, that's what it's talking about. So this will also give you additional hints as to what the different tactics and techniques could be, because of the headings: the lateral movement, right, so it is already telling you that here they are discussing how the malware moved laterally; they used this Mimikatz, so they probably do credential dumping. So these are the kind of things that happened here. But the point is that if you do this at home you will get some understanding of how this is done.

Now there is another version here, let me go back; there is another version of the same thing which is called tactic hints. So it's the same document, but now the tactics are already given; you have to just find the techniques. So you might actually first try the one without any hints, only highlights; then you try with the tactic hints. If you do well in that then you already have gotten a good understanding; if you do not, then you actually use the one with the tactic hints already there. And then you try these, and then here are the answers; do not look at the answers. See here, not only the tactic but the techniques are also listed, so this is the answer for this one. Now you can also look at the original report. So if you want to take a challenge, you do not use either the highlights or the tactic hints, and do not look at the answers, and try this on the raw report. If you can do it on the raw report and then you go and match it against the answer key, then you will probably feel much more comfortable that you can do this in the exam or in the homework. So that is the reason why I want you to do this. It's not a formal homework, but if you do not do this right now you will have a problem later, because you will have to do this in homework, some fragments of this could be in the exam, and then if you try to learn this at the... these things require time. These things do not happen like I just go and... somebody might be very good at this thing, somebody might have to struggle a little bit, look up the website to figure out what techniques are there for each tactic, for the tactics that they identify. So it might take some time, but eventually if you try hard you will get there.

So that is something I wanted you to do, and if you look at the Cobalt Kitty report, once you do that, you have now your groups, and inside the group you do this and then you discuss and see what the differences are. In terms of groups, somebody came to me and said we want to have my wing mates in the group, and I have intentionally asked students to not choose the groups, because what happens in group projects is that, like if there are three people, one or two will work and the other guy will be a freeloader, but if they're wing mates they will never say that this guy is a freeloader. But if they don't know the guy very well they will come and tell us that this guy is a freeloader, and then we'll differentiate between them. So this is done intentionally. The other thing is that when you go out in the real world you will not find your wing mates in your projects; it's highly unlikely. So you have to learn to diversify and work with people who you know only professionally. These are some of the things.
Now, comparison-wise: if you do it from the hinted report, then it is unlikely that you will be very different, because you are actually filling in the same boxes. If you do it from the raw report, the two of you might have very different sets of things. That does not necessarily mean either of you is wrong; you might be mistaken about something, or you might have missed some behavior. That can happen. But it is worth a try, and if you do not try and do it for the first time in the exam, it's unlikely that you will do very well.

Now, in the Cobalt Kitty report there are actually, I would say, how many... 22 techniques have been used, at least according to their analysis. So 22 techniques you have to identify from that report, and if you do that you will be in better shape. In that same place, on the same website, you have more such reports, and in the next homework what we'll do is give you 31 reports. Each group has one report, and each group has to do the mapping, and there will be no highlights or hints. Our TAs are pretty ruthless, so you better work on that.

So I think I have given enough hints about the next homework. Now let's go to the next sub-module, which is mapping ATT&CK from raw data. If you are a threat intel analyst in a company, it is likely that nobody is going to give you a finished report when an incident happens.
Right? When an incident happens, you do forensics. You go and look at various places: you look at the logs, you look at the network packet trace at the time when the incident happened, you look at firewall logs, you look at web server logs, you look for newly created binaries at the endpoints, and so on. You collect them, and then you are asked to do a root cause analysis, and then you have to actually explain it in terms of ATT&CK.

Now you might ask me: well, then why are you teaching us how to map it from a finished report? Because in my job I may not get a finished report; I am the one who will actually do the finished report, so how can I get a finished report? The reason is that you do not become a threat intel analyst overnight. You have to understand what the attackers do. Reading in theory that there are all these 14 tactics, these techniques and so on, is one thing, and actually reading a good threat intel report from FireEye, Mandiant, Microsoft, etc. is another thing; they do a very thorough
analysis. Now you know that eventually you have to do the ATT&CK mapping from your raw data, but by doing this conversion you can actually learn a lot about how these tactics and techniques are used for attacks. But there is another reason. If you have thousands of this kind of reports and you want to create a database of tactics and techniques used by various APT groups: now why do I want to create such a database, what good is such a database? Say I take 20 attacks from APT28 and I map them to tactics, techniques and procedures; I take 15 attacks from APT3 and I map them. So I have a database of APT groups, what attacks they use, and in what manner, like in what sequence, and so forth. So what comes to your mind, what can I do with such data?

I can actually try to learn, with machine learning, how to distinguish between various attack groups, because eventually I want to know whether the attack that I just had is from a nation-state attacker or some hobby hacker. The second thing I want to know is that if it is a nation-state hacker, which one it is. This process is called attribution, APT attribution; you want to know which APT it is. So I may want to create this database, and that database can be used for learning this. One of my PhD students has done this. And what is the accuracy we are getting? Yeah, so in her work she also used natural language processing to actually use these reports to extract the mapping automatically, so you do not have to do it by manually reading everything. Does it work for all reports? Yeah, so these are the kind of things that are happening. But in any case, coming back to the raw data: most of the time you will be facing raw
data. This data requires you to understand some technology, commands and so on, so you need much more knowledge and expertise to interpret the raw data as behavior than with finished reports. You'll see what you are given: what kind of shell commands have been used, what kind of malware has been used. They might give you a forensic disk image and you have to use a forensic analysis tool to reconstruct what happened before; you might get some packet information, and so on. So the process of mapping here is: you have to understand, of course, ATT&CK. Now, from whatever you are given, or whatever your forensic people give you, you find a behavior; then again you have to research the behavior, then you have to translate the behavior into a tactic, and then figure out what technique happened, and compare your results with the other analysts, like before.

So here is an example of what the forensic people found after an attack. They found that the attacker used these commands: first he used an ipconfig command, then he used the sc command in Windows. Then they found that there is some two-way interaction between an external IP address and an internal IP address, like 10.2.3.44 and this external one, 128.29.x.x (as read from the slide), and on this machine you are accessing port 443; 443 is the port for the HTTPS protocol. And then you see in the registry keys in Windows, when you take a registry dump, that there are some new entries in the registry. So these are the things that are given to you: you are a threat intel analyst and the forensic guy is giving you information. This may not be all the information; we are just showing a fragment of what is given to you, just to show you the kind of work you have to do to interpret this. So, ipconfig: you all know ipconfig,
right? You want to look at the MAC addresses and IP addresses, all this information. But this is somebody who is doing it from inside, not from outside; you cannot do it from outside. So you are already inside the system, inside the network, and you have either malware or a remote shell; it might be a remote shell or it might be malware. Somebody is doing ipconfig to figure out the various network interfaces.

sc is a command for creating services, the service create command in Windows; you can also query and do other stuff, but in what we saw there it was trying to create a service. In the command that we saw, it was trying to create a service, so we now have to figure out what service it was trying to create. We'll get there, but sc is the command. Now, as a threat intel analyst you have to know this, or you have to research what the sc command is for. So here is how the sc command is used: you have to basically say a particular computer name, then you have to do create, then you have to say which binary has to run when you create the service. It will tell you, if you try sc, your computer name, and create, that you haven't completed it; you have to give the binary path and things like that. So as a threat analyst you actually have to get a little bit of expertise on many things: how to interpret network packet traces, some forensics, something about what malware is all about and how it works, how to analyze malware, the command line, what the different command-line executables are in Windows or whatever the machine is. It may actually have multiple data sources from which it has to figure this out.
So the first thing is that if you do not know what ipconfig /all is, or you want to see whether there is a tactic related to this command, you go to ATT&CK and search ipconfig /all, and you are getting this: System Network Configuration Discovery. So this is the technique that is coming up, and it is also showing you examples of various attack groups that have used this kind of command. They're trying to discover the network configuration of the system on which they are. Why do they want to know the system configuration? Because they want to know which interfaces are connected to, let's say, the WLAN, or some other wired LAN or Wi-Fi LAN, and they might want to use it for doing lateral movement, etc.

So the next thing that we saw is that in the sc command they gave a binary, a path to a binary; this is recycler.exe. And then it is saying that for this command here are the flags and here are the inputs; there are some input directories or input files, and there is something called a vsdx file. So you are confused, right? Recycler is supposed to be a benign program, so why would they want to create a recycler service if they are malicious? So you actually say, okay, let's see if this recycler.exe binary is already on this machine, the compromised machine, and you run it. When you run it, you see that it is not the recycler; it's a renamed executable. It is actually the RAR binary. RAR is for compression and encryption of files. So somebody, for defense evasion, has renamed this executable to avoid suspicion. So you figure that out based on the analysis. Now we can Google the flags, the flags for RAR, not for Recycler; these flags are for RAR, and determine that it is being used to compress and encrypt the file. So whatever this input file here is, this is being compressed and
encrypted. Okay, so now we figure out what this file is, and you do a Google search and you find that vsdx is actually a Visio file, a Microsoft Visio file. But that doesn't mean that it has to be a Visio file; you can rename any file with any kind of suffix. It's just that when you try to load that in Visio, you might get an error that this is not according to the format. You can take an executable file and call it PDF, right? So it's obvious. What we find from this is that a file is being compressed and encrypted, and it might be a Visio diagram, but probably, under the name of a Visio file, it is exfiltrating some data. When do you compress and encrypt a file? You want to do something with the file, right? You are not just trying to encrypt and compress, unless you are a ransomware attacker; in that case you will encrypt everything. But here they're encrypting and compressing one file, which means this file probably has some intelligence, some information, that they want to send to the command and control server. And compression is required because you want to fly below the radar: if you start sending gigabytes of files, somebody will notice, some firewall alarm will go off or some intrusion detection will go off. But if it is a small file of a few kilobytes, or low megabytes, it can go like a regular email and everything, so nobody will get suspicious; it will not be considered an anomaly.

So we find that through ipconfig what they were trying to do is System Network Configuration Discovery, and this is in the Discovery tactic. One of the 14 tactics is called Discovery, because most attackers, when they first make their foothold in the system, in one of the devices, try to figure things out; they do internal reconnaissance or something to figure out: where am I, what is the structure, what is this machine connected to, and whether I am actually running as root. All this stuff is about Discovery. So one tactic here is Discovery, and also it is being run, therefore it is also Execution. Although ipconfig is a benign binary, a benign program, at least it is being executed on behalf of a malicious actor, so it's part of an attack tactic, so it will also fall under
Execution. Now here we found that in this larger sc service create command, we figured out that vsdx is Visio, so moderate confidence that this is exfiltration, because we are trying to compress and encrypt the file; it is likely to be compression, likely to be exfiltration. And then it is being seen to run by Sysmon, which is basically execution. So this is how we are mapping the tactics. So here you see that we are actually going more from technique to tactic, rather than from tactic to technique as in the other one. There we went from tactic to technique; here, since we are looking at the commands, it's likely that we'll find the technique first and then we'll find the tactic.

Okay, so it's time; we'll pick it up from here in the next class, because this will take some time, discussing the techniques and concurrent techniques and so on. But you start getting the idea, right? I think you should by now have a good idea about how to do this from finished reports, and you are starting to get some idea about how to do it with raw data. So by the time we are here next week, we'll actually do more on the raw data. Okay.
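The walkthrough above (ipconfig, the sc service-create pointing at a renamed RAR, the outbound port-443 flow, the new registry entries) as a small technique-first mapper. This is an added example written for this page, not the lecture's or MITRE's code. The artifacts are constructed: the external address 203.0.113.29 (a documentation address), the file paths, the service name and the RAR password are invented, and the TRUE_IDENTITY table is an assumed stand-in for the analyst actually running the binary and seeing it is RAR. The technique IDs are the public ATT&CK ones; note that ATT&CK files the compress-and-encrypt step under Collection (T1560.001), with the lecture's "exfiltration" being the likely next step, which is why that finding carries only moderate confidence.

```python
"""Technique-first ATT&CK mapping over raw forensic artifacts (added teaching example, not the
lecture's material). Assumption: what a binary really is (the lecture's "run recycler.exe and it
turns out to be RAR") comes from a constructed lookup table standing in for hands-on inspection."""
import re
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Finding:
    tactic: str
    technique_id: str   # public MITRE ATT&CK ID
    technique: str
    confidence: str     # high / moderate / low
    evidence: str

TRUE_IDENTITY = {r"c:\windows\temp\recycler.exe": "rar.exe"}   # constructed: path -> real program
INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
RUN_KEY = re.compile(r"\\currentversion\\run(once)?$", re.I)
SERVICE_KEY = re.compile(r"\\currentcontrolset\\services\\", re.I)

def map_service_binary(binpath):
    """Inspect the binary an 'sc create' points at, then read its own command-line flags."""
    tokens = binpath.split()
    path = tokens[0].lower()
    real = TRUE_IDENTITY.get(path)
    findings = []
    if real and real != path.rsplit("\\", 1)[-1]:
        findings.append(Finding("Defense Evasion", "T1036.003", "Rename System Utilities",
                                "high", f"{path} is really {real}"))
    if real in ("rar.exe", "winrar.exe") and tokens[1:2] == ["a"]:
        # RAR CLI: 'a' adds files; -p<pwd> encrypts data, -hp<pwd> encrypts headers too.
        args = tokens[2:]
        encrypted = any(a.startswith(("-hp", "-p")) for a in args)
        inputs = [a for a in args if not a.startswith("-")][1:]   # [0] is the output archive
        findings.append(Finding("Collection", "T1560.001", "Archive via Utility",
                                "moderate" if encrypted else "low",
                                f"{'encrypted ' if encrypted else ''}archive of {', '.join(inputs)}; "
                                "likely staging for exfiltration"))
    return findings

def map_command(cmdline):
    """Map one process command line (e.g. a Sysmon process-creation event) to findings."""
    parts = cmdline.split()
    if not parts: return []
    exe = parts[0].lower().rsplit("\\", 1)[-1].removesuffix(".exe")
    args = [p.lower() for p in parts[1:]]
    findings = []
    if exe == "ipconfig" and "/all" in args:
        findings.append(Finding("Discovery", "T1016", "System Network Configuration Discovery", "high", cmdline))
    elif exe == "sc" and "create" in args:
        findings.append(Finding("Persistence", "T1543.003", "Windows Service", "high", cmdline))
        m = re.search(r'binpath=\s*"([^"]+)"', cmdline, re.I)
        findings += map_service_binary(m.group(1)) if m else []
    if findings:   # a benign tool run on the attacker's behalf is still Execution
        findings.append(Finding("Execution", "T1059.003", "Windows Command Shell", "moderate", cmdline))
    return findings

def map_connection(src, dst, dport):
    """Outbound internal -> external flow on a web port: candidate C2 channel."""
    internal = lambda ip: any(ip_address(ip) in net for net in INTERNAL_NETS)
    if internal(src) and not internal(dst) and dport in (80, 443):
        return [Finding("Command and Control", "T1071.001", "Web Protocols", "moderate",
                        f"{src} -> {dst}:{dport}")]
    return []

def map_registry(key, value_name, data):
    """New entries in the registry dump: autostart and service registrations."""
    ev = f"{key}\\{value_name} = {data}"
    if RUN_KEY.search(key):
        return [Finding("Persistence", "T1547.001", "Registry Run Keys / Startup Folder", "high", ev)]
    if SERVICE_KEY.search(key):
        return [Finding("Persistence", "T1543.003", "Windows Service", "high", ev)]
    return []

def analyze(artifacts):
    handlers = {"cmd": map_command, "conn": map_connection, "reg": map_registry}
    findings = []
    for kind, payload in artifacts:
        findings += handlers[kind](payload) if isinstance(payload, str) else handlers[kind](**payload)
    return findings

def tactics(findings):
    """Roll the technique-first findings up per tactic: {tactic: {technique_id, ...}}."""
    out = {}
    for f in findings:
        out.setdefault(f.tactic, set()).add(f.technique_id)
    return out

# Constructed artifacts modelled on the lecture's fragment (external IP, paths, password invented).
SAMPLE_ARTIFACTS = [
    ("cmd", "ipconfig /all"),
    ("cmd", r'sc \\10.2.3.44 create Recycler binPath= "C:\Windows\Temp\recycler.exe a -hpSecret123 '
            r'C:\Users\Public\report.rar C:\Users\alice\Documents\network.vsdx"'),
    ("conn", {"src": "10.2.3.44", "dst": "203.0.113.29", "dport": 443}),
    ("reg", {"key": r"HKLM\SYSTEM\CurrentControlSet\Services\Recycler", "value_name": "ImagePath",
             "data": r"C:\Windows\Temp\recycler.exe"}),
    ("reg", {"key": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run", "value_name": "Updater",
             "data": r"C:\Windows\Temp\recycler.exe"}),
]
```

Each artifact yields technique-level findings first and `tactics()` rolls them up, which for the sample gives Discovery, Execution, Persistence, Defense Evasion, Collection and Command and Control. The `sc create` line and the Services registry key corroborate each other, the kind of cross-source check the lecture asks for, and a service whose binary turns out to be what its name says (no TRUE_IDENTITY mismatch) produces no masquerading finding, so the renamed-RAR conclusion rests on the hands-on check rather than on the path alone.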