tightened up training content

Author: johnwunder

trainings/detection-training/Data Sources.ipynb

@@ -6,11 +6,14 @@
    "source": [
     "# Data Source Investigation\n",
     "\n",
-    "We'll use the [ATT&CK Python Client](https://github.com/hunters-forge/ATTACK-Python-Client) to manually examine the techniques, list the data sources, and build a heatmap out of our selected sources.\n",
+    "Let's use the [ATT&CK Python Client](https://github.com/hunters-forge/ATTACK-Python-Client) to manually examine the techniques, list the data sources, and build a heatmap out of our selected sources.\n",
     "\n",
     "If you're looking for less development or a more in-depth and finely-grained dive, check out:\n",
+    "\n",
     "* [DeTTACK](https://github.com/rabobank-cdc/DeTTECT)\n",
-    "* [AttackDatamap](https://github.com/olafhartong/ATTACKdatamap)"
+    "* [AttackDatamap](https://github.com/olafhartong/ATTACKdatamap)\n",
+    "\n",
+    "*Consider: What have you used to track data sources? What has worked well, and what has not worked so well?*"
    ]
   },
   {
@@ -100,7 +103,7 @@
    "source": [
     "## Show the chart in altair\n",
     "\n",
-    "Altair can be used to easily turn pandas dataframes into visualizations. In this case, we just show a bar chart of the top 10 data sources (those that help you detect the most techniques)."
+    "Altair can be used to easily turn pandas dataframes into visualizations. In this case, we just show a histogram that you can scan."
    ]
   },
   {
@@ -109,18 +112,38 @@
    "metadata": {},
    "outputs": [],
    "source": [
-    "alt.Chart(df.reset_index()).mark_bar().encode(\n",
+    "df.reset_index()\n",
+    "\n",
+    "alt.Chart(df.reset_index().sort_values('count', ascending=False)).mark_bar().encode(\n",
     "    y=alt.Y(\n",
     "        'source',\n",
     "        sort=alt.EncodingSortField(\n",
-    "            field=\"count\",  # The field to use for the sort\n",
-    "            order=\"descending\"  # The order to sort in\n",
+    "            field=\"count\",\n",
+    "            order=\"descending\"\n",
     "        )\n",
     "    ),\n",
     "    x='count'\n",
     ")"
    ]
   },
+  {
+   "cell_type": "markdown",
+   "metadata": {},
+   "source": [
+    "## Advanced Filtering (BONUS)\n",
+    "\n",
+    "How would you alter this chart to only consider some techniques? Maybe (peeking ahead) we have a list of threat actors or techniques we want to prioritize? Can you generate a chart that prioritizes techniques used by APT1 or APT3?"
+   ]
+  },
+  {
+   "cell_type": "code",
+   "execution_count": null,
+   "metadata": {},
+   "outputs": [],
+   "source": [
+    "# TODO: Your code to show a similar chart for APT1 and APT3"
+   ]
+  },
   {
    "cell_type": "markdown",
    "metadata": {},
@@ -140,7 +163,7 @@
    "source": [
     "# First, list the data sources alphabetically so we can figure out which ones we have\n",
     "\n",
-    "df.reset_index().sort_values('source')[['source', 'count']].style.hide_index()"
+    "df.sort_index()[['count']]"
    ]
   },
   {
@@ -151,7 +174,7 @@
     "\n",
     "In the list below, add the data sources that we have available in BRAWL. As a reminder, we have:\n",
     "* Sysmon\n",
-    "* Windows event logs"
+    "* Windows event logs (common security , authentication, and audit logs)"
    ]
   },
   {
@@ -162,8 +185,7 @@
    "source": [
     "# Case sensitive!!!\n",
     "sources_we_have = [\n",
-    "    'Windows event logs',\n",
-    "    'Process monitoring'\n",
+    "    '' # e.g. 'Web proxy'\n",
     "]"
    ]
   },
@@ -248,22 +270,6 @@
     "    \n",
     "FileLink('data_sources.json')"
    ]
-  },
-  {
-   "cell_type": "code",
-   "execution_count": null,
-   "metadata": {},
-   "outputs": [],
-   "source": [
-    "heatmap"
-   ]
-  },
-  {
-   "cell_type": "code",
-   "execution_count": null,
-   "metadata": {},
-   "outputs": [],
-   "source": []
   }
  ],
  "metadata": {

trainings/detection-training/Prioritization Scenarios.ipynb

@@ -4,28 +4,46 @@
    "cell_type": "markdown",
    "metadata": {},
    "source": [
-    "# Prioritizing Using ATT&CK and the Navigator\n",
+    "# Prioritizing Detection Using ATT&CK and the Navigator\n",
+    "\n",
+    "We're going to use the ATT&CK Navigator to overlay some layers and start to prioritize what we want to detect. This is a simplistic approach based on selecting a set of adversaries in the navigator and relying on mapping a threat report."
+   ]
+  },
+  {
+   "cell_type": "markdown",
+   "metadata": {},
+   "source": [
+    "## Scoring Existing Adversaries\n",
+    "\n",
+    "ATT&CK itself already has a set of threat intelligence mapped and accessible in the navigator. We can use that CTI in order to select all techniques that we've seen specific adversary groups use.\n",
+    "\n",
+    "In this case, let's select and score APT1 and APT3.\n",
     "\n",
     "1. Open up the [ATT&CK Navigator](https://mitre-attack.github.io/attack-navigator/enterprise/).\n",
-    "2. Select all of the techniques for APT1 and APT3.\n",
-    "3. Assign them a score."
+    "2. Our threat model includes APT1 and APT3. How would you show that in a heatmap?\n",
+    "3. To be safe, download the JSON to save it for later.\n",
+    "\n",
+    "*Consider: What are the downsides of this approach?*"
    ]
   },
   {
-   "attachments": {},
    "cell_type": "markdown",
    "metadata": {},
    "source": [
     "# Adding Additional Internal or Local CTI\n",
     "\n",
     "Create a new layer, and select the techniques you see in the following threat report, which impacts your sector and was active over the past summer.\n",
     "\n",
+    "**Note: MITRE's ATT&CK for CTI training discusses how to map threat reports into ATT&CK in order to arrive at this list of techniques. We didn't want to duplicate that training, so have simply provided a list.**\n",
+    "\n",
     "* Credential Dumping: https://attack.mitre.org/techniques/T1003/ \n",
     "* Bypass User Account Control: https://attack.mitre.org/techniques/T1088/  \n",
     "* Powershell: https://attack.mitre.org/techniques/T1086/ \n",
     "* NTFS File Attributes: https://attack.mitre.org/techniques/T1096/\n",
     "* File Permissions Modification: https://attack.mitre.org/techniques/T1222/  \n",
-    "* Indicator Blocking: https://attack.mitre.org/techniques/T1054/"
+    "* Indicator Blocking: https://attack.mitre.org/techniques/T1054/\n",
+    "\n",
+    "*Consider: What extra threat information, in addition to the techniques, would be helpful at building detections?*"
    ]
   },
   {
@@ -34,13 +52,10 @@
    "source": [
     "# Developing our Priorities\n",
     "\n",
-    "We need to combine these layers into one set of priorities.\n",
-    "\n",
-    "1. Create a new layer as a function on previous layers.\n",
-    "2. Adjust the formula and scoring so that you get prioritized detections.\n",
+    "We need to combine these layers into one set of priorities. We can do that by creating a new layer as a function of previous layers.\n",
     "\n",
-    "BONUS:\n",
-    "1. What if you want to weight the recent incidents higher?\n"
+    "1. Making sure to have the APT1/APT3 layer in the navigator and the new custom layer in the navigator, hit the plus to create a new layer.\n",
+    "2. Adjust the formula and scoring so that you get prioritized detections. How would you weight these different sets of intelligence? What are your top techniques?"
    ]
   },
   {
@@ -51,15 +66,13 @@
     "\n",
     "Let's assume we want to detect the techniques used in the recent Blue Panda campaign. How would we see which techniques we could cover given our data sources?\n",
     "\n",
-    "What other changes might we want to make?"
+    "1. Keeping your prioritization heatmap in the navigator, open up your data sources layer.\n",
+    "2. Create a new layer that shows you, of your prioritized techniques:\n",
+    "  * Which can be detected given current data collection\n",
+    "  * Where you have gaps.\n",
+    "\n",
+    "*Consider: What data sources might you want to add to increase coverage?*"
    ]
-  },
-  {
-   "cell_type": "code",
-   "execution_count": null,
-   "metadata": {},
-   "outputs": [],
-   "source": []
   }
  ],
  "metadata": {