Threat intelligence
1h 4m

In this course, you’ll be looking at numerous aspects of the risk matrix including the risk and threats involved in big data, the Internet of Things (IoT), the dark web and social media. You'll also be exploring threat intelligence, unified threat management (UTM), and security risk. You'll also see how you can use open-source intelligence (OSINT) and Dark Web Threat Intelligence to help you establish, improve and refine your risk treatment. All of this ensures that your organisation is protected from and alert to the constantly evolving series of information security threats. 

However, before you go on to threat management, let's first review risk and see how it relates to cyber security. 


Welcome to the session on Threat Intelligence. In this session, we'll be looking at the ATT&CK MITRE database and we'll also be looking at another one called the D3FEND database. So, let's have a look at what threat intelligence is. So, threat intelligence from the ATT&CK MITRE perspective is looking at different tactics and techniques that hackers may use, and remember, the hacker could be a group or could be a sophisticated organisation that could be used to launch an attack against your company or against a group of companies or government agencies. ATT&CK MITRE is a nice little platform which has lots of different information layers, so you've got, like, Reconnaissance, Resource Development. So, recon is basically gaining information, which we'll be looking at or have looked at already. We'll look at Execution, what techniques are used to exploit the information, and then right down at the end, we'll be looking at something called Exfiltration, which is where hackers might try and use that technique to get data out of your network completely, trying to blend in, maybe with normal traffic, by doing that type of technique. Now, this has been around for a while. We'll look at the ATT&CK and then we'll look at another one called D3FEND.

Now, we can see here at the top, you can see there are different tactics and techniques. So, for the techniques we've got an Enterprise version and we also have a Mobile version as well. Now, the Mobile version will involve looking at Android devices and Apple devices, so looking specifically at mobile devices. The Enterprise one is looking at more corporate devices. And we can see there, some of these things you probably have come across before, specifically phishing. You've probably heard the term phishing, someone sending you a link or sending you an attachment. So, let's have a look at that one because that's probably the one that you are aware of. So, what I'm going to do is click on something called 'Show Sub-techniques', and this will actually show you specifically some information about what's underneath it. And you can see underneath phishing, we've got Spearphishing Attachment, Link, and Service. So, what I'm going to do in this one here is actually click on Spearphishing Attachment. Now, Spearphishing Attachment comes up with different adversaries who may be involved in spearphishing emails or attachments, so these are techniques that different organisations use and as we scroll down, you can see that there are different hacker names or hacker collectives involved in launching these types of attacks, but what I want to look at, just for this example, is APT29.

Now, APT stands for Advanced Persistent Threat. You will need to remember that for your exam and this could be government-run organisations, or it could be a hacker collective. Let's have a look at APT29. And it comes up and it tells me that the threat group APT29 is attributable to the Russian Foreign Intelligence Services. So, this is obviously a nation-state type of attack, specifically targeting Europe and NATO countries, trying to gain information, probably for some form of espionage purposes, and you can see that they also have other associated names underneath and, as I scroll down, they use different techniques, so they don't just use spearphishing. They may use other techniques to exploit and pull information up and we can see here that they are using account discovery techniques, they're using brute force ones where they're trying to break people's passwords with a slow, methodical attack. You'll need to remember that for your exam. And as you go down, we've got other ones where they're trying to identify information in different sites, and as I go right down, we'll probably find they're trying to hide data, hide information, and then we've got our phishing ones coming up. This is our spearphishing link. So, spearphishing attachment and spearphishing links. This is what they do. If I go onto the first one-, well, let's go onto the second one.

Go to the second one and we can see here there's some information underneath, like a white paper underneath relating to this type of threat by this organisation. So, you can see here APT29 is involved in a phishing campaign, specifically targeting certain types of devices, and then they'll tell you what type of methodology they'll use for launching this attack and as we scroll down, you'll see different attributions to the organisation itself, and obviously some of it will be going through-, maybe they're creating false paperwork, getting people to complete paperwork as an attack vector and as we go down, you can see they're using different activity. They're trying to use different phishing techniques, and these are some examples of the phishing technique as well. So, screenshots of actual phishing techniques that this organisation is using, which is very good to understand how they do this and how you can learn from this type of technique by seeing examples of what they're doing: what type of locations and different threat vectors they're using for this purpose, how they're executing it. It covers quite a lot of detail. It's very good to learn from this platform, looking at this type of threat intelligence information. If I just go back to the ATT&CK MITRE again and I go into the one that says Mitigations at the top and I click on Enterprise Mitigations, you'll see on the left-hand side, these are mitigations to help deal with the threats or attacks against your business or organisation.

And this is quite useful to understand 'cause remember hackers only have to be successful once, we have to be successful all the time. Hackers only have to be successful once and we have to learn from these types of things. And as you can see here, we've got different types of mitigations to defend against different types of attacks. We've got ones where you're scanning for phishing emails, network intrusion prevention systems, password policies, making your passwords very secure. We might use TLS, Transport Layer Security, updating software, vulnerability scanning, to make sure we've got no vulnerabilities in our networks. And these are the types of things that we need to do to help protect our network and these are obviously useful to defend against these types of threats that come towards us. Now, that's interesting from this perspective, but let's have a look at another site called D3FEND.

Now, this is the D3FEND site, and I've actually gone straight into a technique called Steganography. If I just backspace one way, I'll go back into that one to demonstrate that to you. So, this is the D3FEND site, and this was brought out-, it's still in BETA testing at the moment, but I find this site really useful. So, it talks about hardening, it talks about detecting, isolating, and deceiving. Hardening is where you're trying to lock down systems, maybe using different types of multi-factor authentication to help protect your data. So, not just having one factor, like passwords, which are very weak, easily broken, but you're helping to strengthen it. You've also got the detect phase, isolate phase and, obviously, the deceive phase. The deceive phase is where you can create, sort of, honeypots, which are like fake elements of sites, which can attract people away from the main area of your site and you can obviously use that to scan and locate where people are coming from. But on this one, I want to actually look at the attack look-up one and actually go into Steganography, which appeared on the screen to start with, and show you what Steganography is. Now, Steganography is hiding data in some form of file: it could be an image file, it could be a video, it could be music, and you can also hide it inside spam. You can hide it inside spam, Mark? Yes, let's have a quick look at that one about hiding data in spam. So, this is a tool called Spam Mimic. What I'm going to do on this one here is put in some data just to create a message and I'm going to call it Dave. Dave's Secret Bank Account. So, if this is somebody you know, a Dave, and it's their bank account, this is purely by accident. Mark is randomly putting a number in here. If it's someone's bank account, that's obviously unfortunate.

So, I'm encoding a message and this has created a spam message here, which if I sent it to somebody else they would just think it was spam, but to someone else, that's Dave's secret bank account number. Now, people use this type of exfiltration technique to blend in with other traffic to get out of people's networks. Now, Mark, that's interesting, so they're using this technique to get data out of our network. How can we defend against that? That's a question you're probably asking me. Well, let's go back to our D3FEND again, and this actual slide here tells you and shows you techniques you can use to help detect this type of activity going on and detect Steganography, which is a form of encryption, and see if you can detect this data trying to leave your network and help defend against this type of thing. So, we can see that just by going through some of these very basic steps, there's threat intelligence, ATT&CK MITRE and the D3FEND one, which can help us to educate ourselves and understand these types of threats and how to defend against them. Hopefully, this has been useful and I look forward to seeing you in the next session.
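A worked example, added here and not part of the course, of how the ATT&CK links the session walks through (a group such as APT29, the techniques it uses, and the Enterprise Mitigations that cover each) can be followed programmatically. ATT&CK publishes its data as STIX 2.1 bundles; this uses a constructed miniature bundle, so the STIX "id" strings are made up while the G/T/M identifiers are ATT&CK's own public ones.

```python
# Constructed miniature of an ATT&CK STIX 2.1 bundle (sample data, not the real export).
# The real export uses the same object types and "uses"/"mitigates" relationships; the
# external_id values are ATT&CK's public identifiers, the STIX "id" strings are made up.
SAMPLE_BUNDLE = {"type": "bundle", "objects": [
    {"type": "intrusion-set", "id": "intrusion-set--g0016", "name": "APT29",
     "external_references": [{"source_name": "mitre-attack", "external_id": "G0016"}]},
    {"type": "attack-pattern", "id": "attack-pattern--t1566-001", "name": "Spearphishing Attachment",
     "external_references": [{"source_name": "mitre-attack", "external_id": "T1566.001"}]},
    {"type": "attack-pattern", "id": "attack-pattern--t1110", "name": "Brute Force",
     "external_references": [{"source_name": "mitre-attack", "external_id": "T1110"}]},
    {"type": "course-of-action", "id": "course-of-action--m1049", "name": "Antivirus/Antimalware",
     "external_references": [{"source_name": "mitre-attack", "external_id": "M1049"}]},
    {"type": "course-of-action", "id": "course-of-action--m1027", "name": "Password Policies",
     "external_references": [{"source_name": "mitre-attack", "external_id": "M1027"}]},
    {"type": "relationship", "relationship_type": "uses",
     "source_ref": "intrusion-set--g0016", "target_ref": "attack-pattern--t1566-001"},
    {"type": "relationship", "relationship_type": "uses",
     "source_ref": "intrusion-set--g0016", "target_ref": "attack-pattern--t1110"},
    {"type": "relationship", "relationship_type": "mitigates",
     "source_ref": "course-of-action--m1049", "target_ref": "attack-pattern--t1566-001"},
    {"type": "relationship", "relationship_type": "mitigates",
     "source_ref": "course-of-action--m1027", "target_ref": "attack-pattern--t1110"},
]}


def attack_id(obj):
    """Return the ATT&CK external id (e.g. T1566.001) of a STIX object, or None."""
    for ref in obj.get("external_references", []):
        if ref.get("source_name") == "mitre-attack":
            return ref["external_id"]
    return None


def mitigations_for_group(bundle, group_name):
    """Follow group --uses--> technique <--mitigates-- mitigation; return {tech_id: {name, mitigations}}."""
    objs = {o["id"]: o for o in bundle["objects"] if "id" in o}
    rels = [o for o in bundle["objects"] if o["type"] == "relationship"]
    group = next((o for o in objs.values()
                  if o["type"] == "intrusion-set" and o["name"] == group_name), None)
    if group is None:
        return {}
    result = {}
    for rel in rels:
        if rel["relationship_type"] != "uses" or rel["source_ref"] != group["id"]:
            continue
        tech = objs[rel["target_ref"]]  # the technique this group is recorded as using
        mits = sorted(attack_id(objs[m["source_ref"]]) for m in rels
                      if m["relationship_type"] == "mitigates" and m["target_ref"] == tech["id"])
        result[attack_id(tech)] = {"name": tech["name"], "mitigations": mits}
    return result
```

Against the real bundle the same two functions give, for every technique a group is recorded as using, the list of mitigation ids a defender can check coverage against.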


