diff --git a/docs/_static/4688_Ex.png b/docs/_static/4688_ex.png similarity index 100% rename from docs/_static/4688_Ex.png rename to docs/_static/4688_ex.png diff --git a/docs/_static/ATTACK_Ex_PC.png b/docs/_static/attack_ex_pc.png similarity index 100% rename from docs/_static/ATTACK_Ex_PC.png rename to docs/_static/attack_ex_pc.png diff --git a/docs/_static/CldTrlEx1.png b/docs/_static/cldtrlex1.png similarity index 100% rename from docs/_static/CldTrlEx1.png rename to docs/_static/cldtrlex1.png diff --git a/docs/_static/CldTrlEx2.png b/docs/_static/cldtrlex2.png similarity index 100% rename from docs/_static/CldTrlEx2.png rename to docs/_static/cldtrlex2.png diff --git a/docs/_static/DataElement_Ex.png b/docs/_static/dataelement_ex.png similarity index 100% rename from docs/_static/DataElement_Ex.png rename to docs/_static/dataelement_ex.png diff --git a/docs/_static/DefinitionCorrelation_Ex.png b/docs/_static/definitioncorrelation_ex.png similarity index 100% rename from docs/_static/DefinitionCorrelation_Ex.png rename to docs/_static/definitioncorrelation_ex.png diff --git a/docs/_static/LinuxEx1.png b/docs/_static/linuxex1.png similarity index 100% rename from docs/_static/LinuxEx1.png rename to docs/_static/linuxex1.png diff --git a/docs/_static/MSDN_4688_Ex.png b/docs/_static/msdn_4688_ex.png similarity index 100% rename from docs/_static/MSDN_4688_Ex.png rename to docs/_static/msdn_4688_ex.png diff --git a/docs/_static/MSDN_4688_Ex_Attributes.png b/docs/_static/msdn_4688_ex_attributes.png similarity index 100% rename from docs/_static/MSDN_4688_Ex_Attributes.png rename to docs/_static/msdn_4688_ex_attributes.png diff --git a/docs/_static/NetworkEx1.png b/docs/_static/networkex1.png similarity index 100% rename from docs/_static/NetworkEx1.png rename to docs/_static/networkex1.png 
diff --git a/docs/_static/Relationship_Ex.png b/docs/_static/relationship_ex.png similarity index 100% rename from docs/_static/Relationship_Ex.png rename to docs/_static/relationship_ex.png diff --git a/docs/_static/WinEx1.png b/docs/_static/winex1.png similarity index 100% rename from docs/_static/WinEx1.png rename to docs/_static/winex1.png diff --git a/docs/_static/WinEx2.png b/docs/_static/winex2.png similarity index 100% rename from docs/_static/WinEx2.png rename to docs/_static/winex2.png diff --git a/docs/definitions.rst b/docs/definitions.rst index f006901..ea46b2a 100644 --- a/docs/definitions.rst +++ b/docs/definitions.rst @@ -1,13 +1,13 @@ Definitions =========== -This page defines the key terms used throughout our research. +This page defines the key terms used throughout our research. -MITRE ATT&CK +MITRE ATT&CK ------------ MITRE ATT&CKĀ® is a globally-accessible knowledge base of adversary tactics and techniques based on real-world observations. ATT&CK focuses on how external adversaries compromise and operate within computer information networks. -Techniques +Techniques ~~~~~~~~~~ Techniques represent "how" - the means by which adversaries achieve tactical objective. @@ -15,7 +15,7 @@ Sub-techniques ~~~~~~~~~~~~~~ Sub-techniques break down behaviors described by techniques into more specific means by which adversaries achieve tactical objectives. -Data Source +Data Source ~~~~~~~~~~~ Data Sources represent information collected by a sensor or logging system that may identify properties or values relevant to identifying the adversarial action being performed, sequence of actions, or the results of those actions. @@ -29,7 +29,7 @@ Data Elements ------------- Data elements are names, definitions, and attributes that are being used or captured in an event -.. image:: _static/MSDN_4688_Ex.png +.. image:: _static/msdn_4688_ex.png :width: 500 Sensors 
@@ -40,5 +40,5 @@ Telemetry/Events ---------------- Telemetry/events are generated by sensors in the form of log data, automatically generated and transmitted or streamed in near real-time, regardless of the format (e.g., json, csv, etc.). -.. image:: _static/4688_Ex.png +.. image:: _static/4688_ex.png :width: 500 diff --git a/docs/example_technique_mappings/CloudTrail.rst b/docs/example_technique_mappings/cloudtrail.rst similarity index 100% rename from docs/example_technique_mappings/CloudTrail.rst rename to docs/example_technique_mappings/cloudtrail.rst diff --git a/docs/example_technique_mappings/Linux.rst b/docs/example_technique_mappings/linux.rst similarity index 100% rename from docs/example_technique_mappings/Linux.rst rename to docs/example_technique_mappings/linux.rst diff --git a/docs/example_technique_mappings/Network.rst b/docs/example_technique_mappings/network.rst similarity index 100% rename from docs/example_technique_mappings/Network.rst rename to docs/example_technique_mappings/network.rst diff --git a/docs/example_technique_mappings/Windows.rst b/docs/example_technique_mappings/windows.rst similarity index 100% rename from docs/example_technique_mappings/Windows.rst rename to docs/example_technique_mappings/windows.rst diff --git a/docs/methodology/step2.rst b/docs/methodology/step2.rst index 7936294..3a27580 100644 --- a/docs/methodology/step2.rst +++ b/docs/methodology/step2.rst 
@@ -1,52 +1,52 @@ Step 2: Definition Correlation =============================== -What makes sensors useful to defenders is the meaning and context associated with the event. For each identified event ID, -consult the available documentation to understand its capabilities. Gather specific facts about the event ID that will -later help in mapping the event to the set of ATT&CK Data Sources it is able to detect. +What makes sensors useful to defenders is the meaning and context associated with the event. For each identified event ID, +consult the available documentation to understand its capabilities. Gather specific facts about the event ID that will +later help in mapping the event to the set of ATT&CK Data Sources it is able to detect. -The most common way to bring context to the event is by applying the description and other types of metadata such as the -Data Elements and Fields. Documented description, elements, and fields can help provide understanding of what the sensor is +The most common way to bring context to the event is by applying the description and other types of metadata such as the +Data Elements and Fields. Documented description, elements, and fields can help provide understanding of what the sensor is truly capturing, and make creating mappings more efficient. -Identify the Source of Data +Identify the Source of Data --------------------------- -Start with **identifying the source of data**. In a Windows environment, we can collect information pertaining to "Processes" -from built-in event providers such as Microsoft-Windows-Security-Auditing and open third-party tools, including Sysmon. +Start with **identifying the source of data**. In a Windows environment, we can collect information pertaining to "Processes" +from built-in event providers such as Microsoft-Windows-Security-Auditing and open third-party tools, including Sysmon. 
-Additional context on potential source of the data can be gained by considering: +Additional context on potential source of the data can be gained by considering: - *Why were these security events generated in my environment? (Activity)* - *What operating system supports its generation? (Platform)* -For example, the documentation provided by Microsoft for Windows `Event ID 4688: A new process has been created `_ -provides context for this event. By the event description, 4688 is generated every time a new process starts. The information -provided by this event includes the user account that requested the creation of the process, and information of a process that -executed a new process. This event also provides metadata that can help us to describe the data elements needed later on in +For example, the documentation provided by Microsoft for Windows `Event ID 4688: A new process has been created `_ +provides context for this event. By the event description, 4688 is generated every time a new process starts. The information +provided by this event includes the user account that requested the creation of the process, and information of a process that +executed a new process. This event also provides metadata that can help us to describe the data elements needed later on in Step 3 of this methodology. .. image:: ../_static/msdn_4688_ex.png :width: 600 -- The action that triggered the generation of this event was the creation of a new process (Activity). -- This security event can be collected by using the built-in event logging application for devices that work with the Windows operating system (Platform). Within a Windows environment, it is typically known to have a "process" as a source of data. +- The action that triggered the generation of this event was the creation of a new process (Activity). +- This security event can be collected by using the built-in event logging application for devices that work with the Windows operating system (Platform). 
Within a Windows environment, it is typically known to have a "process" as a source of data. Correlate to ATT&CK Data Component Definition --------------------------------------------- -To correlate with ATT&CK, the `Data Source `_ pages provide definitions for each -individual Data Source. +To correlate with ATT&CK, the `Data Source `_ pages provide definitions for each +individual Data Source. .. image:: ../_static/attack_ex_pc.png :width: 600 -For Process Creation, ATT&CK's definition is : **..the initial construction of an executable..**. Through key word review, it -can be determined that this is the same as **..a process is created..** Therefore, event ID 4688 can be linked with this -ATT&CK Data Component. +For Process Creation, ATT&CK's definition is : **..the initial construction of an executable..**. Through key word review, it +can be determined that this is the same as **..a process is created..** Therefore, event ID 4688 can be linked with this +ATT&CK Data Component. -A similar process can be used to examine Sysmon EID 1, Sysmon EID 8, WinEvtx 4688, and WinEvtx 4696. The image below shows that -the definitions all have some correlation with either starting or executing a process. +A similar process can be used to examine Sysmon EID 1, Sysmon EID 8, WinEvtx 4688, and WinEvtx 4696. The image below shows that +the definitions all have some correlation with either starting or executing a process. -.. image:: ../_static/definitioncorrelation_Ex.png - :width: 700 \ No newline at end of file +.. image:: ../_static/definitioncorrelation_ex.png + :width: 700
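Review bot: the case-only renames at the top of the patch (docs/_static/*.png and docs/example_technique_mappings/*.rst) are not matched by any hunk that updates references to them; only two image paths in docs/definitions.rst and one in docs/methodology/step2.rst change here, while nothing touches whatever points at cldtrlex1.png, cldtrlex2.png, linuxex1.png, networkex1.png, winex1.png, winex2.png, relationship_ex.png, dataelement_ex.png or at the renamed cloudtrail/linux/network/windows pages. Please confirm those example pages and any toctree or link that lists them already use the lowercase names or are updated in this PR; otherwise the Sphinx build breaks on case-sensitive filesystems (Linux CI, Read the Docs) while still passing on a Windows or macOS checkout, which is exactly the mismatch this change is trying to remove. Case-only renames also collide on case-insensitive checkouts, so contributors on those platforms should apply this as a two-step rename rather than editing the filename in place.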
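Review bot: the @@ -1,13 hunk of docs/definitions.rst changes only trailing whitespace, so while the file is being touched the two defects in its unchanged context lines are worth fixing in the same hunk: `MITRE ATT&CKĀ®` is a mis-decoded registered-trademark sign (the file was read or saved with the wrong encoding and will render that way in the built docs), and `achieve tactical objective` should read `achieve tactical objectives` to match the Sub-techniques definition in the following hunk. If the whitespace cleanup is intentional, it would review more easily as a separate commit from the rename and path fixes.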
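Review bot: in the @@ -1,52 hunk of docs/methodology/step2.rst the substantive changes are the `definitioncorrelation_ex.png` path fix and the added trailing newline; the rest is whitespace, so two points on the surrounding lines. First, the unchanged context lines already reference `../_static/msdn_4688_ex.png` and `../_static/attack_ex_pc.png` in lowercase while the files were `MSDN_4688_Ex.png` and `ATTACK_Ex_PC.png` before this PR, and the old `-` line referenced `definitioncorrelation_Ex.png` against a file named `DefinitionCorrelation_Ex.png`, so all three images were broken on case-sensitive builds and are fixed by the renames; that is worth stating in the PR description because it is not visible from the path hunks alone. Second, since these lines are being rewritten anyway, the `+` line `For Process Creation, ATT&CK's definition is : **..the initial construction of an executable..**` keeps the stray space before the colon and the two-dot ellipses; suggest `definition is: **...the initial construction of an executable...**` and likewise `**...a process is created...**` on the next line, and `context on the potential source of the data` for the earlier `+` line that currently reads `on potential source of the data`.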