1
00:00:00,310 --> 00:00:01,980
Attack frameworks.

2
00:00:01,980 --> 00:00:02,900
In this lesson,

3
00:00:02,900 --> 00:00:03,750
we're going to talk about

4
00:00:03,750 --> 00:00:05,810
the three different attack frameworks,

5
00:00:05,810 --> 00:00:07,520
the Lockheed Martin Kill Chain,

6
00:00:07,520 --> 00:00:09,157
the MITRE ATT&CK Framework

7
00:00:09,157 --> 00:00:11,920
and the Diamond Model of Intrusion Analysis.

8
00:00:11,920 --> 00:00:14,570
First, let's talk about the kill chain.

9
00:00:14,570 --> 00:00:16,650
This kill chain model was first developed

10
00:00:16,650 --> 00:00:19,160
by Hutchins, Cloppert, and Amin,

11
00:00:19,160 --> 00:00:22,200
under contract from the Lockheed Martin Corporation.

12
00:00:22,200 --> 00:00:23,870
It was then released into the public domain

13
00:00:23,870 --> 00:00:25,530
for everyone to use.

14
00:00:25,530 --> 00:00:28,290
Now, the kill chain has a seven-step method

15
00:00:28,290 --> 00:00:29,800
that starts with reconnaissance

16
00:00:29,800 --> 00:00:34,030
and then moves into weaponization, delivery, exploitation,

17
00:00:34,030 --> 00:00:36,340
installation, command and control,

18
00:00:36,340 --> 00:00:38,080
and actions on objectives.

19
00:00:38,080 --> 00:00:38,913
And as you can see,

20
00:00:38,913 --> 00:00:40,607
it is very linear, going from the top

21
00:00:40,607 --> 00:00:42,300
all the way down to the bottom,

22
00:00:42,300 --> 00:00:45,490
starting with step one and going to step seven.

23
00:00:45,490 --> 00:00:46,670
This is an older model,

24
00:00:46,670 --> 00:00:48,420
and newer variations of frameworks

25
00:00:48,420 --> 00:00:50,390
are doing more of an iterative approach.

26
00:00:50,390 --> 00:00:52,350
But let's go through this step by step

27
00:00:52,350 --> 00:00:54,400
so we can see what happens in each of these stages

28
00:00:54,400 --> 00:00:57,230
because it is still a good way to think about things.

29
00:00:57,230 --> 00:00:59,100
First, we have reconnaissance.
30
00:00:59,100 --> 00:01:00,060
And in this stage,

31
00:01:00,060 --> 00:01:01,270
the attacker is going to determine

32
00:01:01,270 --> 00:01:03,000
what methods they need to use

33
00:01:03,000 --> 00:01:05,650
to complete the other phases of their attack.

34
00:01:05,650 --> 00:01:07,250
Now, one of the big issues here

35
00:01:07,250 --> 00:01:09,140
is that the attacker doesn't want to get caught

36
00:01:09,140 --> 00:01:10,560
while they're doing reconnaissance,

37
00:01:10,560 --> 00:01:12,220
so they try to be sneaky.

38
00:01:12,220 --> 00:01:13,940
They try to use things like open source

39
00:01:13,940 --> 00:01:16,500
and passive information gathering and things like that

40
00:01:16,500 --> 00:01:18,540
so that they cannot be detected.

41
00:01:18,540 --> 00:01:20,840
In this phase, you can use both passive

42
00:01:20,840 --> 00:01:23,770
and active scanning techniques on the target network,

43
00:01:23,770 --> 00:01:25,160
but generally, we're going to start out

44
00:01:25,160 --> 00:01:26,630
with passive information gathering

45
00:01:26,630 --> 00:01:29,020
and then move into active scanning.

46
00:01:29,020 --> 00:01:30,980
By the time you're done with reconnaissance,

47
00:01:30,980 --> 00:01:34,350
you should have a good idea of what that network looks like,

48
00:01:34,350 --> 00:01:35,970
what type of software they're using,

49
00:01:35,970 --> 00:01:38,690
and what type of vulnerabilities may exist.

50
00:01:38,690 --> 00:01:40,790
At that point, we can start figuring out

51
00:01:40,790 --> 00:01:42,520
how we want to move into phase two,

52
00:01:42,520 --> 00:01:44,390
which is weaponization.

53
00:01:44,390 --> 00:01:46,680
During weaponization, the attacker is going to couple

54
00:01:46,680 --> 00:01:49,740
payload code that will enable access with exploit code,

55
00:01:49,740 --> 00:01:52,350
and this will allow them to go after a vulnerability

56
00:01:52,350 --> 00:01:54,820
to execute on that target system.
57
00:01:54,820 --> 00:01:55,850
Now, by doing this,

58
00:01:55,850 --> 00:01:58,980
you basically are coding or creating the malware

59
00:01:58,980 --> 00:02:00,880
or the exploit you want to run,

60
00:02:00,880 --> 00:02:02,810
but you are not running it yet.

61
00:02:02,810 --> 00:02:04,930
You've only created it inside your own lab

62
00:02:04,930 --> 00:02:07,170
and haven't sent it to the victimized system.

63
00:02:07,170 --> 00:02:10,030
This brings us to step three, delivery.

64
00:02:10,030 --> 00:02:12,270
This is where the attacker is going to identify a vector

65
00:02:12,270 --> 00:02:14,374
by which they can transmit the weaponized code

66
00:02:14,374 --> 00:02:16,290
to the target environment.

67
00:02:16,290 --> 00:02:17,630
This may be by email.

68
00:02:17,630 --> 00:02:19,580
This may be by dropping a USB drive

69
00:02:19,580 --> 00:02:21,930
loaded with that malware in their parking lot.

70
00:02:21,930 --> 00:02:24,890
Whatever the mechanism is doesn't really matter right now.

71
00:02:24,890 --> 00:02:26,080
We just have to think about the fact

72
00:02:26,080 --> 00:02:27,160
that we have to get it there,

73
00:02:27,160 --> 00:02:29,290
and that's what delivery is all about.

74
00:02:29,290 --> 00:02:31,800
Step four takes us to exploitation.

75
00:02:31,800 --> 00:02:34,390
This is where the weaponized code is actually executed

76
00:02:34,390 --> 00:02:37,740
on the target system by whatever mechanism you've used.

77
00:02:37,740 --> 00:02:40,030
If you sent them an email with a phishing link

78
00:02:40,030 --> 00:02:41,470
and they click that link,

79
00:02:41,470 --> 00:02:43,520
the sending of the email was delivery.

80
00:02:43,520 --> 00:02:46,040
Clicking the link is when exploitation happens

81
00:02:46,040 --> 00:02:47,940
and they actually start running that code.
82
00:02:47,940 --> 00:02:50,040
Or, if you dropped it on a USB drive

83
00:02:50,040 --> 00:02:51,840
and they plugged that into their system

84
00:02:51,840 --> 00:02:54,110
and the autorun started up that code,

85
00:02:54,110 --> 00:02:55,940
that would be exploitation.

86
00:02:55,940 --> 00:02:58,320
At this point, the code has been run.

87
00:02:58,320 --> 00:03:00,160
And this brings us to step five,

88
00:03:00,160 --> 00:03:01,690
which is installation.

89
00:03:01,690 --> 00:03:04,270
During installation, we're going to have a mechanism

90
00:03:04,270 --> 00:03:07,430
that enables the weaponized code to run a remote access tool

91
00:03:07,430 --> 00:03:10,500
and achieve persistence on that target system.

92
00:03:10,500 --> 00:03:12,230
So if we had a stage one dropper

93
00:03:12,230 --> 00:03:14,210
that was run as part of exploitation,

94
00:03:14,210 --> 00:03:17,300
we now have downloaded and installed our phase two.

95
00:03:17,300 --> 00:03:19,050
This would be our installation.

96
00:03:19,050 --> 00:03:21,630
And this gives us control of that system moving forward

97
00:03:21,630 --> 00:03:23,800
and that persistence that we're looking for.

98
00:03:23,800 --> 00:03:26,130
At that point, we move into step six.

99
00:03:26,130 --> 00:03:29,034
Step six is command and control, or C2.

100
00:03:29,034 --> 00:03:30,850
This is where the weaponized code

101
00:03:30,850 --> 00:03:33,800
establishes an outbound channel to a remote server

102
00:03:33,800 --> 00:03:36,466
that can then be used to control that remote access tool

103
00:03:36,466 --> 00:03:38,770
and possibly download additional tools

104
00:03:38,770 --> 00:03:40,560
to help you progress in your attack.

105
00:03:40,560 --> 00:03:43,610
At this point, you now pretty much own the system.
106
00:03:43,610 --> 00:03:44,609
You have access to it,

107
00:03:44,609 --> 00:03:46,470
you can remote into that system,

108
00:03:46,470 --> 00:03:48,600
and you can now run commands on that system.

109
00:03:48,600 --> 00:03:50,210
That's what C2 is all about.

110
00:03:50,210 --> 00:03:53,559
Now, the final step is actions on objectives.

111
00:03:53,559 --> 00:03:55,760
This is where the attacker is typically going to use

112
00:03:55,760 --> 00:03:57,430
the access that they've achieved

113
00:03:57,430 --> 00:03:59,210
through steps one through six

114
00:03:59,210 --> 00:04:01,550
to now start doing what they wanted to do.

115
00:04:01,550 --> 00:04:04,110
That may be transferring data from a remote system,

116
00:04:04,110 --> 00:04:05,800
such as data exfiltration,

117
00:04:05,800 --> 00:04:07,710
or some other goal or motive.

118
00:04:07,710 --> 00:04:10,223
Whatever their goal was originally with reconnaissance,

119
00:04:10,223 --> 00:04:12,890
they've now achieved that by being on the system,

120
00:04:12,890 --> 00:04:15,380
they have two-way communication using command and control,

121
00:04:15,380 --> 00:04:18,300
and now they can perform actions on objectives.

122
00:04:18,300 --> 00:04:20,110
Now, when we look at this kill chain,

123
00:04:20,110 --> 00:04:22,780
going from step one all the way down to step seven,

124
00:04:22,780 --> 00:04:24,610
we use this to do an analysis,

125
00:04:24,610 --> 00:04:27,100
and a kill chain analysis can be used to identify

126
00:04:27,100 --> 00:04:29,030
defensive courses of action

127
00:04:29,030 --> 00:04:31,360
by being able to counter the progress of an attack

128
00:04:31,360 --> 00:04:32,560
at each stage.
129
00:04:32,560 --> 00:04:33,877
So if I can start mapping out

130
00:04:33,877 --> 00:04:37,000
what are all the ways somebody can break into my system,

131
00:04:37,000 --> 00:04:39,750
run malicious code, gain persistence,

132
00:04:39,750 --> 00:04:41,310
do C2 on my servers,

133
00:04:41,310 --> 00:04:42,800
and do some kind of action,

134
00:04:42,800 --> 00:04:45,300
I can then put in things to block that.

135
00:04:45,300 --> 00:04:46,740
I can try to detect that.

136
00:04:46,740 --> 00:04:47,960
I could try to deny that.

137
00:04:47,960 --> 00:04:50,130
I could try to disrupt it or degrade it.

138
00:04:50,130 --> 00:04:51,570
I might want to try to deceive them

139
00:04:51,570 --> 00:04:53,840
or destroy their capabilities.

140
00:04:53,840 --> 00:04:55,700
All of these things are the six Ds

141
00:04:55,700 --> 00:04:57,740
that we're going to try to do to an attacker

142
00:04:57,740 --> 00:04:59,870
who's trying to break into our systems.

143
00:04:59,870 --> 00:05:02,060
So this is the idea of using the kill chain

144
00:05:02,060 --> 00:05:03,610
and why we do this.

145
00:05:03,610 --> 00:05:06,190
Now, as I said, this is a very linear method,

146
00:05:06,190 --> 00:05:08,070
but there are newer methods out there

147
00:05:08,070 --> 00:05:10,160
that work in more of an iterative manner

148
00:05:10,160 --> 00:05:12,100
or allow you to think holistically

149
00:05:12,100 --> 00:05:14,180
across multiple lines of attack.

150
00:05:14,180 --> 00:05:16,490
For example, the MITRE ATT&CK Framework

151
00:05:16,490 --> 00:05:18,130
is one of those models.

152
00:05:18,130 --> 00:05:19,730
Because the kill chain was criticized

153
00:05:19,730 --> 00:05:21,840
for focusing too much on perimeter security

154
00:05:21,840 --> 00:05:24,400
with that linear method going from outside in,

155
00:05:24,400 --> 00:05:26,520
the MITRE ATT&CK Framework was developed.
156
00:05:26,520 --> 00:05:28,740
Now, the MITRE ATT&CK Framework is a knowledge base

157
00:05:28,740 --> 00:05:30,950
that's maintained by the MITRE Corporation

158
00:05:30,950 --> 00:05:34,070
for listing and explaining specific adversary tactics,

159
00:05:34,070 --> 00:05:36,040
techniques, and common knowledge,

160
00:05:36,040 --> 00:05:39,600
which is where the A-T-T-&-C-K comes from.

161
00:05:39,600 --> 00:05:41,610
And these are also known as procedures.

162
00:05:41,610 --> 00:05:45,350
You can find all of these at attack.mitre.org,

163
00:05:45,350 --> 00:05:47,863
and this is a free, open source website that you can go to

164
00:05:47,863 --> 00:05:50,160
and look at all this information.

165
00:05:50,160 --> 00:05:53,430
Now, where the kill chain was a very linear process,

166
00:05:53,430 --> 00:05:55,570
the MITRE ATT&CK Framework is not.

167
00:05:55,570 --> 00:05:57,680
It uses more of a matrix model,

168
00:05:57,680 --> 00:05:59,356
and you can see that here on the screen.

169
00:05:59,356 --> 00:06:01,550
Notice there are different columns here,

170
00:06:01,550 --> 00:06:03,520
and each one is a certain type

171
00:06:03,520 --> 00:06:05,630
or category of attack that might occur.

172
00:06:05,630 --> 00:06:07,800
For instance, there's defense evasion,

173
00:06:07,800 --> 00:06:09,250
there's credential access,

174
00:06:09,250 --> 00:06:12,490
there's discovery and lateral movement and execution.

175
00:06:12,490 --> 00:06:14,450
And underneath each of these is a tactic

176
00:06:14,450 --> 00:06:16,710
or technique that could be used by an attacker

177
00:06:16,710 --> 00:06:19,450
to be able to accomplish that particular goal.

178
00:06:19,450 --> 00:06:20,920
Now again, this is a free resource,

179
00:06:20,920 --> 00:06:24,270
and you can go play with it at attack.mitre.org.
180
00:06:24,270 --> 00:06:25,200
Now, when you go there,

181
00:06:25,200 --> 00:06:27,010
you're going to see something that looks like this,

182
00:06:27,010 --> 00:06:29,630
and this is what we call the ATT&CK Navigator.

183
00:06:29,630 --> 00:06:31,960
From here, you can select different things

184
00:06:31,960 --> 00:06:34,000
and highlight them with different colors.

185
00:06:34,000 --> 00:06:35,830
What you're seeing here on the screen is an example

186
00:06:35,830 --> 00:06:39,810
of one actor's TTPs that we've mapped out.

187
00:06:39,810 --> 00:06:40,720
Based on that,

188
00:06:40,720 --> 00:06:43,700
we know that if we're talking about APT28, for example,

189
00:06:43,700 --> 00:06:46,260
these are the things that they might be used to doing.

190
00:06:46,260 --> 00:06:47,620
And if you click on each one of these,

191
00:06:47,620 --> 00:06:50,240
you'll get more details about the particular TTP

192
00:06:50,240 --> 00:06:51,271
that they use.

193
00:06:51,271 --> 00:06:53,630
Now again, this is a great model

194
00:06:53,630 --> 00:06:55,810
for being able to map out an overall adversary

195
00:06:55,810 --> 00:06:57,510
and all their different capabilities

196
00:06:57,510 --> 00:07:00,220
and capacities that they use in their different attacks.

197
00:07:00,220 --> 00:07:02,490
And so we can compare one to another.

198
00:07:02,490 --> 00:07:04,660
And then if we're on the incident response,

199
00:07:04,660 --> 00:07:05,980
we can start looking, okay,

200
00:07:05,980 --> 00:07:08,470
I have this and this and this that I've noticed,

201
00:07:08,470 --> 00:07:09,950
and they fall into these columns,

202
00:07:09,950 --> 00:07:12,167
and when I compare that against the MITRE matrix,

203
00:07:12,167 --> 00:07:13,700
I know that that is common

204
00:07:13,700 --> 00:07:15,650
for this particular adversary,

205
00:07:15,650 --> 00:07:17,030
and so that might help me figure out

206
00:07:17,030 --> 00:07:18,960
what defenses I want to use.
207
00:07:18,960 --> 00:07:20,090
As you look at this chart,

208
00:07:20,090 --> 00:07:21,880
you may notice that it is very focused

209
00:07:21,880 --> 00:07:23,780
on the exploitation phase

210
00:07:23,780 --> 00:07:26,370
and it's not really focused on the reconnaissance phase.

211
00:07:26,370 --> 00:07:28,650
And so if we go back and look at the reconnaissance phase,

212
00:07:28,650 --> 00:07:29,890
there's actually another matrix

213
00:07:29,890 --> 00:07:31,750
called the PRE-ATT&CK matrix.

214
00:07:31,750 --> 00:07:34,140
The PRE-ATT&CK tactics matrix is going to align

215
00:07:34,140 --> 00:07:34,990
to the reconnaissance

216
00:07:34,990 --> 00:07:37,800
and weaponization phases of the cyber kill chain.

217
00:07:37,800 --> 00:07:38,633
And that way,

218
00:07:38,633 --> 00:07:40,340
we can also see what those things look like

219
00:07:40,340 --> 00:07:43,300
and try to detect things before it becomes a real attack,

220
00:07:43,300 --> 00:07:45,750
while it's still in the PRE-ATT&CK phase,

221
00:07:45,750 --> 00:07:47,070
'cause if we can get it earlier,

222
00:07:47,070 --> 00:07:48,690
we're further left of boom.

223
00:07:48,690 --> 00:07:49,640
We can then prevent that

224
00:07:49,640 --> 00:07:51,430
from becoming a full-blown incident.

225
00:07:51,430 --> 00:07:52,860
The third model I want to talk about

226
00:07:52,860 --> 00:07:55,180
is the Diamond Model of Intrusion Analysis.

227
00:07:55,180 --> 00:07:59,390
Now, this model is used to represent an intrusion event.

228
00:07:59,390 --> 00:08:01,210
Anytime you have an intrusion event,

229
00:08:01,210 --> 00:08:04,470
it has some relation to these four categories:

230
00:08:04,470 --> 00:08:06,640
the victim, the capability, the adversary,

231
00:08:06,640 --> 00:08:07,473
and the infrastructure,

232
00:08:07,473 --> 00:08:09,080
as you see here on the screen.
233
00:08:09,080 --> 00:08:11,010
Now, you can also put some meta-features in there,

234
00:08:11,010 --> 00:08:12,440
things like a timestamp,

235
00:08:12,440 --> 00:08:15,070
what phase you're in, the result, the direction,

236
00:08:15,070 --> 00:08:16,864
the methodology, or the resources.

237
00:08:16,864 --> 00:08:20,280
But these four categories are really where the focus is.

238
00:08:20,280 --> 00:08:21,380
Now, for each incident,

239
00:08:21,380 --> 00:08:24,200
we would want to map them out and look at this model.

240
00:08:24,200 --> 00:08:26,310
For instance, this model's going to allow an analyst

241
00:08:26,310 --> 00:08:28,280
to exploit the fundamental relationship

242
00:08:28,280 --> 00:08:30,010
between the different features.

243
00:08:30,010 --> 00:08:30,905
If we start out here,

244
00:08:30,905 --> 00:08:33,060
the victim starts this process.

245
00:08:33,060 --> 00:08:34,760
They discover there's malware.

246
00:08:34,760 --> 00:08:37,230
Now that points to capability because we have the ability

247
00:08:37,230 --> 00:08:38,940
to see that we've been had.

248
00:08:38,940 --> 00:08:41,150
Then if we see that capability,

249
00:08:41,150 --> 00:08:43,960
we can then see that the malware might contain a C2 domain

250
00:08:43,960 --> 00:08:45,850
as we go through our incident response.

251
00:08:45,850 --> 00:08:46,683
If we do that,

252
00:08:46,683 --> 00:08:47,970
that now points to infrastructure,

253
00:08:47,970 --> 00:08:50,320
because C2 is an infrastructure problem.

254
00:08:50,320 --> 00:08:51,153
Once we look at that,

255
00:08:51,153 --> 00:08:52,940
we start seeing the C2 domain resolves

256
00:08:52,940 --> 00:08:54,430
to a C2 IP address.

257
00:08:54,430 --> 00:08:56,010
Again, that's infrastructure,

258
00:08:56,010 --> 00:08:57,770
so we're still in the same place.
259
00:08:57,770 --> 00:08:59,270
As we start digging into that further,

260
00:08:59,270 --> 00:09:00,830
we might look at our firewall logs,

261
00:09:00,830 --> 00:09:03,520
and that reveals that the victims have been contacting

262
00:09:03,520 --> 00:09:04,950
that C2 IP address.

263
00:09:04,950 --> 00:09:07,010
So that points down to our victim.

264
00:09:07,010 --> 00:09:09,410
But also that IP address is owned

265
00:09:09,410 --> 00:09:11,580
and it provides details about the adversary,

266
00:09:11,580 --> 00:09:13,210
so that now points to the adversary.

267
00:09:13,210 --> 00:09:15,000
And so you can see with these arrows

268
00:09:15,000 --> 00:09:16,660
how these different things tie together,

269
00:09:16,660 --> 00:09:17,512
and very quickly,

270
00:09:17,512 --> 00:09:20,190
you can see where you should focus your efforts.

271
00:09:20,190 --> 00:09:22,960
For instance, if I focus on infrastructure and C2,

272
00:09:22,960 --> 00:09:24,960
that is going to help me point towards the adversary

273
00:09:24,960 --> 00:09:26,290
and the victim in this case,

274
00:09:26,290 --> 00:09:28,340
and it really does help me point those things out

275
00:09:28,340 --> 00:09:30,820
much quicker using this type of a model.

276
00:09:30,820 --> 00:09:31,720
Now, for each event,

277
00:09:31,720 --> 00:09:33,460
we're also going to define a tuple,

278
00:09:33,460 --> 00:09:36,490
and this is in the format of E equals something.

279
00:09:36,490 --> 00:09:38,980
And this is basically an array of information

280
00:09:38,980 --> 00:09:40,960
that contains information on the adversary,

281
00:09:40,960 --> 00:09:42,880
the capability, the infrastructure,

282
00:09:42,880 --> 00:09:43,980
and the victim.

283
00:09:43,980 --> 00:09:45,700
And we also have things like our timestamp

284
00:09:45,700 --> 00:09:47,640
and other metadata that we have.
285
00:09:47,640 --> 00:09:49,492
By putting all this information into this format,

286
00:09:49,492 --> 00:09:53,000
we can then use it inside of some sort of automated system,

287
00:09:53,000 --> 00:09:54,530
for instance, our SIEM,

288
00:09:54,530 --> 00:09:56,300
that can then help correlate all this information

289
00:09:56,300 --> 00:09:57,540
together for us.

290
00:09:57,540 --> 00:09:59,920
Now, each of these three models has its benefits

291
00:09:59,920 --> 00:10:00,928
and its drawbacks,

292
00:10:00,928 --> 00:10:02,630
and the good thing about them is

293
00:10:02,630 --> 00:10:03,910
you can use them individually

294
00:10:03,910 --> 00:10:05,780
or you can actually combine them together,

295
00:10:05,780 --> 00:10:08,080
and that way you can get the best of both worlds.

296
00:10:08,080 --> 00:10:10,810
For instance, if I wanted to combine the diamond model

297
00:10:10,810 --> 00:10:11,950
with the kill chain,

298
00:10:11,950 --> 00:10:14,120
I might get something that looks like this.

299
00:10:14,120 --> 00:10:15,870
You can see, going from top to bottom,

300
00:10:15,870 --> 00:10:18,350
I have the different steps of the cyber kill chain,

301
00:10:18,350 --> 00:10:21,120
and then I have three different threads going across.

302
00:10:21,120 --> 00:10:22,580
And as I'm tracking these threads,

303
00:10:22,580 --> 00:10:24,400
I'm starting to look at where they are

304
00:10:24,400 --> 00:10:25,617
inside the diamond model.
305
00:10:25,617 --> 00:10:27,970
And you can see how I went from one to two

306
00:10:27,970 --> 00:10:29,800
all the way down to 14,

307
00:10:29,800 --> 00:10:30,633
and in there,

308
00:10:30,633 --> 00:10:31,660
I have three different threads

309
00:10:31,660 --> 00:10:33,440
or three different attacks that are going on

310
00:10:33,440 --> 00:10:35,660
that could be three different adversaries,

311
00:10:35,660 --> 00:10:37,720
and how these things connect to each other

312
00:10:37,720 --> 00:10:40,400
based on those four areas of the diamond.

313
00:10:40,400 --> 00:10:41,700
So starting with one,

314
00:10:41,700 --> 00:10:43,050
we got up to capability

315
00:10:43,050 --> 00:10:46,060
and that tied into infrastructure of attack number two,

316
00:10:46,060 --> 00:10:47,870
and then as we went down to number three,

317
00:10:47,870 --> 00:10:50,070
that took us from the victim of number two

318
00:10:50,070 --> 00:10:52,370
into the adversary of number three,

319
00:10:52,370 --> 00:10:55,419
and so on and so on as we connect all these things together.

320
00:10:55,419 --> 00:10:57,350
Again, the real benefit here

321
00:10:57,350 --> 00:10:58,900
is starting to use these things together

322
00:10:58,900 --> 00:11:00,780
to start figuring out how we can model

323
00:11:00,780 --> 00:11:03,850
the behavior of our adversaries so we can better define

324
00:11:03,850 --> 00:11:06,550
how we're going to stop them by using our analysis

325
00:11:06,550 --> 00:11:09,200
to be able to better define our defensive techniques.