Operational security and the defender's vocabulary. SIEM concepts and log retention. The incident-response lifecycle. MITRE ATT&CK as the adversary-behavior reference framework.
Reading (~30 min)
Browse the MITRE ATT&CK Framework landing page at attack.mitre.org. Look at the top-level matrix: Tactics across the top (Initial Access, Execution, Persistence, Privilege Escalation, etc.) and Techniques listed under each Tactic. Pick one Tactic and read three of its Technique descriptions. Notice the structure of each Technique page: description, examples of real-world use by known threat actors, detection notes, and mitigation notes.
The goal is familiarity with the structure, not memorization. By the end of this week you should be able to navigate to any Tactic and find specific Techniques.
Lecture outline (~1.5 hr)
Part 1: The defender's perspective (15 min)
The OWASP Top 10 weeks focused on how attacks work at the application level. This week shifts to the operational layer: how defenders detect, contain, and recover from attacks in progress.
The asymmetry of offense and defense: an attacker needs to find one path in; a defender needs to protect all paths. But defenders have one advantage the attacker does not: visibility into the system's normal behavior. An anomaly is observable; a new attack against a well-understood baseline stands out.
This is why insufficient logging and monitoring (OWASP A09, Week 9) is classified as a security failure in its own right: you cannot detect anomalies you cannot observe.
Part 2: SIEM and log retention (25 min)
A SIEM (Security Information and Event Management) system collects, normalizes, correlates, and alerts on security-relevant events from across an organization's systems.
What a SIEM does:
- Collection: Ingest logs from firewalls, web servers, authentication systems, endpoints, network sensors, cloud services. Normalize different log formats into a consistent schema.
- Correlation: Apply rules that match patterns across multiple log sources. Example rule: "Alert if the same source IP fails authentication on 10 different accounts within 5 minutes" (credential stuffing pattern). No single authentication log shows this pattern; correlation across logs reveals it.
- Alerting: Generate tickets or pages for security analysts when correlation rules fire.
- Retention: Store logs for a defined period for forensic investigation. U.S. federal FISMA requirements are typically 12 months online + 3 years cold storage. Most incident investigations need 90 days of logs to reconstruct a sophisticated attack's full timeline.
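As an added illustration of the correlation rule above (example code written for this outline, not code from the course or from any SIEM product), the following Python runs that exact rule over a constructed batch of authentication log lines. The log format, the rule name `auth-spray-001`, the addresses (RFC 5737 documentation ranges) and the sample timings are all assumptions; the ATT&CK tag on the rule uses T1110 (Brute Force), the parent technique for guessing attacks across many accounts, which the lecture text does not itself cite. Three things to notice: no single line triggers the alert, only the correlated view per source IP does; the sliding window is what keeps a slow attempt from matching; and lowering the threshold trades missed attacks for false positives, which is the tuning problem raised in the reflection prompts.

```python
"""Minimal SIEM-style correlation over authentication logs (added example)."""
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta

RULE_ID = "auth-spray-001"   # assumed local rule name, not from the course page
ATTACK_TECHNIQUE = "T1110"   # MITRE ATT&CK "Brute Force": parent technique for
                             # guessing attacks across many accounts (tag chosen here)


@dataclass(frozen=True)
class AuthEvent:
    ts: datetime
    result: str      # "FAIL" or "OK"
    user: str
    src_ip: str


@dataclass(frozen=True)
class Alert:
    rule_id: str
    technique: str
    src_ip: str
    distinct_accounts: int
    first_seen: datetime
    last_seen: datetime


def parse_auth_line(line: str) -> AuthEvent:
    """Normalise one line of the constructed format
    '<ISO-8601 timestamp> auth <FAIL|OK> user=<name> src=<ip>'
    into a common schema, as a SIEM does at collection time."""
    ts, _, result, user_kv, src_kv = line.split()
    return AuthEvent(datetime.fromisoformat(ts), result,
                     user_kv.split("=", 1)[1], src_kv.split("=", 1)[1])


def correlate_failed_auth(lines, threshold=10, window=timedelta(minutes=5)):
    """The lecture's rule: alert when one source IP has failed authentication
    against `threshold` distinct accounts inside a sliding `window`.
    The rule re-arms only after the window drains below the threshold, so a
    sustained spray yields one alert rather than one alert per log line."""
    events = sorted((parse_auth_line(l) for l in lines), key=lambda e: e.ts)
    recent = defaultdict(deque)          # src_ip -> (ts, user) pairs still in the window
    armed = defaultdict(lambda: True)    # src_ip -> may this IP raise a new alert?
    alerts = []
    for ev in events:
        if ev.result != "FAIL":
            continue                     # successful logins do not count toward the rule
        q = recent[ev.src_ip]
        q.append((ev.ts, ev.user))
        while ev.ts - q[0][0] > window:  # evict events that fell out of the window
            q.popleft()
        distinct = len({user for _, user in q})
        if distinct >= threshold and armed[ev.src_ip]:
            alerts.append(Alert(RULE_ID, ATTACK_TECHNIQUE, ev.src_ip,
                                distinct, q[0][0], ev.ts))
            armed[ev.src_ip] = False
        elif distinct < threshold:
            armed[ev.src_ip] = True
    return alerts


def constructed_log():
    """Constructed sample lines (not real telemetry). Four behaviours, one of
    which should alert under the default threshold and window:
      spray : 10 accounts from one IP inside 3 minutes  -> alert
      slow  : 10 accounts from one IP, one every 6 min  -> no alert (window)
      typo  : 12 failures on ONE account from one IP    -> no alert (1 account)
      noise : 3 accounts from one IP                    -> no alert (threshold)"""
    t0 = datetime(2024, 3, 1, 9, 0, 0)
    line = "{} auth {} user={} src={}".format
    lines = [line((t0 + timedelta(seconds=18 * i)).isoformat(), "FAIL",
                  f"acct{i:02d}", "198.51.100.7") for i in range(10)]
    lines += [line((t0 + timedelta(minutes=6 * i)).isoformat(), "FAIL",
                   f"acct{i:02d}", "203.0.113.9") for i in range(10)]
    lines += [line((t0 + timedelta(seconds=10 * i)).isoformat(), "FAIL",
                   "jdoe", "192.0.2.44") for i in range(12)]
    lines += [line((t0 + timedelta(seconds=20 * i)).isoformat(), "FAIL",
                   f"svc{i}", "203.0.113.5") for i in range(3)]
    lines.append(line((t0 + timedelta(minutes=2)).isoformat(), "OK",
                      "jdoe", "192.0.2.44"))   # a normal success, ignored by the rule
    return lines


if __name__ == "__main__":
    for a in correlate_failed_auth(constructed_log()):
        print(f"[{a.rule_id} / ATT&CK {a.technique}] {a.src_ip}: "
              f"{a.distinct_accounts} accounts, "
              f"{a.first_seen:%H:%M:%S} to {a.last_seen:%H:%M:%S}")
```

Run as a script it prints the single alert for the spraying address. Calling `correlate_failed_auth(constructed_log(), threshold=3)` also flags the "noise" address, which is the alert-fatigue side of the trade-off; shrinking `window` to a minute makes the spray itself disappear, which is the missed-attack side.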
Common SIEM products: Splunk (enterprise standard), Elastic Stack with SIEM module (open source core, enterprise extensions), Microsoft Sentinel (Azure-native), IBM QRadar. Wazuh is a common open-source alternative for smaller organizations.
Log retention budget math: A medium-sized organization generating 100 GB/day of raw logs compressed to 10 GB/day needs roughly 3.65 TB for 1 year of retention. Log storage is cheap relative to the cost of being unable to investigate a breach.
Part 3: The incident-response lifecycle (25 min)
The NIST SP 800-61 (Computer Security Incident Handling Guide) defines six phases of incident response, often abbreviated and re-ordered in practice:
| Phase | What happens |
|---|---|
| Preparation | Policies, playbooks, tool deployment, team training, contact lists, before an incident happens |
| Detection and analysis | Alert fires, analyst investigates, scope is determined: is this a real incident, and how big? |
| Containment | Stop the bleeding: isolate affected systems, block attacker's network access, preserve evidence |
| Eradication | Remove the attacker's access: patch the vulnerability, remove malware, revoke compromised credentials |
| Recovery | Restore systems to production: validate integrity, bring services back up, monitor for re-infection |
| Post-incident activity (lessons learned) | Document what happened, what worked, what didn't, what changes to make before the next incident |
SEC-101 coverage: vocabulary and structure. PEN-101 and ADV-101 are where students see the attacker's side of this lifecycle in detail (how attackers maintain persistence through eradication, how they cover tracks).
Containment decisions: The hardest decision in incident response is often whether to contain immediately (which tells the attacker you're on to them, possibly causing them to move faster or destroy evidence) or to observe first (to understand full scope) and then contain. This is documented in the engagement rules before an incident happens, not improvised during one.
Part 4: MITRE ATT&CK (25 min)
MITRE ATT&CK (Adversarial Tactics, Techniques, and Common Knowledge) is a framework that documents how real-world adversaries actually behave: the specific techniques they use, the order they typically use them, and which threat actor groups have been observed using each technique.
The structure:
- Tactics: The adversary's goal (what they are trying to accomplish): Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Collection, Command and Control, Exfiltration, Impact.
- Techniques: How they accomplish the tactic. Technique T1566 (Phishing) is one way to achieve Initial Access. Technique T1059 (Command and Scripting Interpreter) is one way to achieve Execution.
- Sub-techniques: More specific variants. T1059.001 is PowerShell; T1059.003 is Windows Command Shell; T1059.006 is Python.
Why ATT&CK matters for defenders:
Detection engineering: a SIEM rule that detects T1003.001 (LSASS Memory credential dumping) is more useful than one that detects "something weird happened." ATT&CK provides the vocabulary for writing precise detection rules tied to real adversary behavior.
Threat intelligence: reports from threat-intelligence vendors use ATT&CK technique numbers to describe what they observed. Comparing one group's TTPs (Tactics, Techniques, and Procedures) against another is straightforward because both reports use the same vocabulary.
Red team / blue team communication: in an authorized penetration test (PEN-101 domain), the attacker and defender can both annotate their activity against ATT&CK. The post-engagement report compares what the red team did with what the blue team detected.
For SEC-101 students: The goal is reading literacy. You should be able to read a threat-intelligence report that says "the threat actor used T1566.001 Spearphishing Attachment for Initial Access and T1053.005 Scheduled Task for Persistence" and understand what the attacker did at a conceptual level.
Independent practice (~5 hr)
- Exercise (1 hr): Go to attack.mitre.org and find one real-world threat actor group (APT29, Lazarus Group, or any group you've heard of). Read their ATT&CK page: which Tactics do they commonly use? Which specific Techniques? Pick one Technique and read its full description, including the detection section. Write a brief summary in your lab notebook.
- picoCTF spine (3 hr): Push into Binary Exploitation beginner challenges. These involve stack analysis and basic control-flow understanding. Document your mental model of each challenge, even if you don't solve it.
- Reflection (1 hr): Write responses to the prompts below.
Reflection prompts
- MITRE ATT&CK documents adversary behavior at the Technique level, not the tool level. Why is this useful? What advantage does saying "the attacker used T1055 (Process Injection)" have over saying "the attacker used Cobalt Strike"?
- The incident-response lifecycle includes a "lessons learned" phase after recovery. Why is this phase often skipped in practice, and what does skipping it cost the organization in the long run?
- SIEM correlation rules fire alerts when patterns match. A rule that is too sensitive generates so many false positives that analysts stop responding to alerts (alert fatigue). A rule that is too specific misses real attacks. This is a signal-to-noise design problem. How would you approach tuning a rule that detects "login from unusual location"? What signals would you use? What makes "unusual" well-defined?
Week 10 of 14. Next: Coordinated Vulnerability Disclosure I (CERT/CC guide, ISO 29147, CNAs, CVSS v3.1 scoring).