Hello. Welcome to this Introduction to Advanced Python Security course. In this video, we're going to talk about some of the frameworks that MITRE has developed in the cybersecurity space. The reason for this is that these frameworks are going to show up throughout this learning path, so it's useful to be familiar with them before we start referencing them. This video has five sections. We'll start with an introduction to the MITRE frameworks and a little bit of background. Then, in the next three sections, we'll talk briefly about each of the three frameworks that will crop up throughout this course. Finally, we'll discuss the structure of the remainder of this learning path and how the MITRE frameworks tie into it. Let's get started.

The MITRE Corporation is a US nonprofit that operates federally funded research and development centers (FFRDCs) on behalf of the US government. As a research and development organization, it works in a number of different areas, and one of its specialties is cybersecurity research. They act as an independent, nonprofit research organization, and they create some really useful material around cybersecurity. One of these products is a collection of frameworks (MITRE itself tends to call them knowledge bases). These frameworks are designed to improve shared knowledge and to simplify or streamline discussion of cybersecurity topics. Everyone can agree, this is the MITRE framework, and this is the particular part of it we're talking about. That way we're using the same vocabulary and have the same basic understanding before we go down into the weeds. Over several years, MITRE has published three frameworks covering various aspects of cybersecurity. MITRE ATT&CK has been around since 2015, while Shield (2020) and D3FEND (2021) are much more recent. Let's talk about ATT&CK first. As I just mentioned, ATT&CK is the original MITRE framework.
As its name suggests, it's focused on the offensive side of cybersecurity: the attack. It describes the ways in which an adversary can achieve the various goals of a cyber attack. Within the cyber attack life cycle, you target a number of intermediate objectives as you move towards your final goal. For example, if your goal is a data breach, you can't breach data without gaining access to it. You at least need initial access to the target environment, and usually several other steps along the way. The MITRE ATT&CK framework defines those steps and then describes the ways in which someone could accomplish each of them, based on behaviour observed in real intrusions. It's broken up into a collection of tactics, which are the high-level goals: things like initial access, credential access, defense evasion, and so on. Inside each tactic we have a variety of techniques, which are discrete, well-defined ways of accomplishing that goal, and many techniques are further divided into sub-techniques. For example, under credential access you might perform a brute force attack to guess user credentials (technique T1110, Brute Force), or you might steal saved credentials out of a web browser (sub-technique T1555.003, Credentials from Web Browsers). A technique can also appear under more than one tactic when it serves more than one goal. With this combination of tactics and techniques, we have well-defined ways of describing offensive behaviour. MITRE also provides a lot of information for each technique: a description, procedure examples from real adversary groups and malware, mitigations, detection guidance, and references. That's the first of our three MITRE frameworks.

The second one is MITRE Shield, which is relatively new compared to ATT&CK. It was designed to describe the concept of active defense. If you think about it, a lot of defense is reactive: you try to identify attacks against you and then clean them up as quickly as possible before they cause too much damage. Active defense involves actively engaging the attacker in an attempt to thwart their efforts. MITRE Shield is structured very much like ATT&CK, with tactics and techniques: tactics are goals, and techniques are ways of achieving them. But in this case, the tactics are goals of the defender instead of the attacker.
Things like channeling the attacker towards a particular target, maybe a honeypot on the network, or away from specific high-value resources; or containment, like quarantining an attacker in a certain infected segment so that they can't expand out and target the rest of the network. Again, techniques are particular ways of accomplishing these goals. One useful thing to note is that MITRE Shield has mappings to MITRE ATT&CK: for a given offensive technique from ATT&CK, Shield describes the active defense techniques that can be used against it. One caveat: MITRE has since retired Shield and replaced it with MITRE Engage, which covers the same active defense and adversary engagement ideas, so when we refer to Shield in this course, Engage is where you'll find the current material.

Our third framework is very new and is called MITRE D3FEND. Its name, like ATT&CK's, suggests its goal: defensive countermeasures for cybersecurity. The goal here is to make attacks much more difficult to achieve. It does that via five main tactics: harden, detect, isolate, deceive and evict (later releases have added model and restore). Under each tactic sit what D3FEND calls base techniques; under harden, for example, we have application hardening, credential hardening, message hardening and platform hardening. Below those, in the tradition of ATT&CK and Shield, are the specific techniques for accomplishing these goals. Like Shield, D3FEND is mapped to ATT&CK: for the defensive techniques described here, you can determine which offensive techniques they help protect against, and the mapping can be read in either direction.

We just spent several minutes talking about MITRE ATT&CK, Shield and D3FEND. Why is that? To answer that question, let's talk about what you should expect from the rest of this learning path. This learning path discusses the use of more sophisticated Python scripts for cybersecurity. There is an earlier learning path, called just Python for Cybersecurity, which is an introduction to the space. Here we're trying to move a little beyond that. There are a couple of ways in which this differs from the initial learning path. The first is integration.
Our earlier learning path was very focused on short, discrete scripts that each accomplished one small goal. Here we'll be trying to build more of an all-in-one tool and put some intelligence into it. For example, if we perform reconnaissance, then based on the results of that reconnaissance the tool might take a further action to gather more information, or try to gain initial access to the environment. By automating that on both the offensive and the defensive side, we take the human out of the loop a little bit, which makes the work more scalable and faster. The other main difference between this learning path and the previous one is that it will take advantage of more advanced functionality. Python has a lot of powerful libraries, and that enables you to do a lot of really useful things in cybersecurity. The earlier learning path just skimmed the surface of some of those libraries. Here we'll be diving a little deeper and discussing how to really take advantage of that built-in or freely available functionality. As I mentioned, the code samples, demonstrations and so on will be on both the offensive and defensive sides of cybersecurity. We'll work on building an offensive toolkit with more integration and more advanced functionality, and we'll also work on building something defensive designed to defeat that tool and to more effectively detect, prevent and remediate threats within an environment. Finally, the reason we've talked about MITRE ATT&CK, Shield and D3FEND is that the structure they provide, from both an offensive and a defensive perspective, is really useful for understanding what we can do in cybersecurity, and they are a source of further information. A lot of the offensive material in this course will be drawn from, or mapped to, MITRE ATT&CK, and you can use ATT&CK as a resource for more information about what we're doing. Then the defensive side will draw from Shield and D3FEND.
We'll talk about both active defense from the Shield framework and countermeasures from D3FEND, to provide a more robust and complete defensive strategy against the offensive side. By mapping everything to these frameworks, we get a bit more structure and more detail, and it also makes it easier to see where you could go from here. If we targeted one particular technique from one particular tactic in one framework, look at the other techniques in that tactic and think about how you could write code for those and integrate them into the tool as well. Just as a quick recap, we started with an introduction to the MITRE frameworks, talking about what MITRE is and why they build these frameworks. Then we had a quick intro to ATT&CK, Shield and D3FEND, discussing what they're meant to do and how they're designed. Finally, we closed out with a little peek forward at what the rest of this learning path is going to look like.
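Since this whole learning path maps its code to ATT&CK, here is an added example of the kind of helper that makes that practical. It is not from the course video and not MITRE's own tooling. MITRE publishes ATT&CK as a STIX 2 JSON bundle (the enterprise-attack.json file in https://github.com/mitre-attack/attack-stix-data), and the script below indexes that bundle by tactic and by technique ID, so a tool can look up what a technique is, whether it is a sub-technique, and which tactic or tactics it serves. The bundle embedded here is constructed for the example and only mimics the real file's layout (only the fields the code reads are present); the field names themselves are the ones the real bundle uses.

```python
"""Index a MITRE ATT&CK STIX 2 bundle by tactic and by technique ID.

MITRE publishes ATT&CK as a STIX 2 JSON bundle. Each technique is an
"attack-pattern" object: its tactic(s) are the kill_chain_phases entries whose
kill_chain_name is "mitre-attack", its T-number is the external_references
entry whose source_name is "mitre-attack", and sub-techniques carry
x_mitre_is_subtechnique = true. Tactics are "x-mitre-tactic" objects.
"""
import json
from collections import defaultdict

# Constructed sample bundle that mimics the layout of the real
# enterprise-attack.json (https://github.com/mitre-attack/attack-stix-data).
# Only the fields read below are present; the real file has thousands of
# objects and many more fields per object.
SAMPLE_BUNDLE = json.dumps({
    "type": "bundle",
    "id": "bundle--00000000-0000-4000-8000-000000000001",
    "objects": [
        {"type": "x-mitre-tactic", "name": "Initial Access",
         "x_mitre_shortname": "initial-access",
         "external_references": [{"source_name": "mitre-attack", "external_id": "TA0001"}]},
        {"type": "x-mitre-tactic", "name": "Credential Access",
         "x_mitre_shortname": "credential-access",
         "external_references": [{"source_name": "mitre-attack", "external_id": "TA0006"}]},
        {"type": "attack-pattern", "name": "Brute Force",
         "x_mitre_is_subtechnique": False,
         "kill_chain_phases": [{"kill_chain_name": "mitre-attack", "phase_name": "credential-access"}],
         "external_references": [{"source_name": "mitre-attack", "external_id": "T1110",
                                  "url": "https://attack.mitre.org/techniques/T1110"}]},
        {"type": "attack-pattern", "name": "Credentials from Web Browsers",
         "x_mitre_is_subtechnique": True,
         "kill_chain_phases": [{"kill_chain_name": "mitre-attack", "phase_name": "credential-access"}],
         "external_references": [{"source_name": "mitre-attack", "external_id": "T1555.003",
                                  "url": "https://attack.mitre.org/techniques/T1555/003"}]},
        {"type": "attack-pattern", "name": "Phishing",
         "x_mitre_is_subtechnique": False,
         "kill_chain_phases": [{"kill_chain_name": "mitre-attack", "phase_name": "initial-access"}],
         "external_references": [{"source_name": "mitre-attack", "external_id": "T1566"}]},
        # A technique that serves two tactics is listed under both.
        {"type": "attack-pattern", "name": "Valid Accounts",
         "x_mitre_is_subtechnique": False,
         "kill_chain_phases": [{"kill_chain_name": "mitre-attack", "phase_name": "initial-access"},
                               {"kill_chain_name": "mitre-attack", "phase_name": "persistence"}],
         "external_references": [{"source_name": "mitre-attack", "external_id": "T1078"}]},
        # Revoked techniques stay in the bundle with revoked = true; skip them.
        {"type": "attack-pattern", "name": "Component Object Model and Distributed COM",
         "revoked": True,
         "kill_chain_phases": [{"kill_chain_name": "mitre-attack", "phase_name": "lateral-movement"}],
         "external_references": [{"source_name": "mitre-attack", "external_id": "T1175"}]},
    ],
})


def attack_id(obj):
    """Return the ATT&CK ID (T1110, T1555.003, TA0006) of a STIX object, or None."""
    for ref in obj.get("external_references", []):
        if ref.get("source_name") == "mitre-attack":
            return ref.get("external_id")
    return None


def parent_technique_id(technique_id):
    """T1555.003 -> T1555; a parent technique ID maps to itself."""
    return technique_id.split(".", 1)[0]


def index_bundle(bundle_text):
    """Parse a bundle and return (tactics, techniques, by_tactic).

    tactics:    shortname -> (TA-id, display name)
    techniques: T-id -> {"name", "sub", "tactics": [shortnames]}
    by_tactic:  shortname -> sorted list of (T-id, name)
    Revoked and deprecated objects are skipped, as attack.mitre.org hides them.
    """
    bundle = json.loads(bundle_text)
    tactics, techniques = {}, {}
    by_tactic = defaultdict(list)
    for obj in bundle["objects"]:
        if obj.get("revoked") or obj.get("x_mitre_deprecated"):
            continue
        if obj["type"] == "x-mitre-tactic":
            tactics[obj["x_mitre_shortname"]] = (attack_id(obj), obj["name"])
        elif obj["type"] == "attack-pattern":
            tid = attack_id(obj)
            if tid is None:  # other STIX producers also emit attack-pattern objects
                continue
            phases = sorted(p["phase_name"] for p in obj.get("kill_chain_phases", [])
                            if p.get("kill_chain_name") == "mitre-attack")
            techniques[tid] = {"name": obj["name"],
                               "sub": bool(obj.get("x_mitre_is_subtechnique", False)),
                               "tactics": phases}
            for phase in phases:
                by_tactic[phase].append((tid, obj["name"]))
    for phase in by_tactic:
        by_tactic[phase].sort()
    return tactics, techniques, dict(by_tactic)


if __name__ == "__main__":
    # For the real data: bundle_text = open("enterprise-attack.json").read()
    tactics, techniques, by_tactic = index_bundle(SAMPLE_BUNDLE)
    for shortname, entries in sorted(by_tactic.items()):
        ta_id, display = tactics.get(shortname, ("?", shortname))
        print(f"{ta_id} {display}")
        for tid, name in entries:
            kind = ("sub-technique of " + parent_technique_id(tid)) if techniques[tid]["sub"] else "technique"
            print(f"  {tid:<10} {name} ({kind})")
```

Two details matter in practice: a technique with several kill chain phases (Valid Accounts above) must be indexed under every tactic it serves, and revoked or deprecated entries are still present in the bundle, so a tool that maps its modules to ATT&CK IDs should refuse IDs that resolve to a revoked object rather than silently reporting them.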