2.2 Internal Data Acquisition

00:00

Hello and welcome to the second. Ah, lesson off the first module data collection. This video is about internal data acquisition.

00:12

This video is fully dedicated toe. Explain the different categories off internal data sources before thinking off gathering data or information from external sources. It is wise to think about getting the most off out off your available row crystals. Or should I say

00:31

you're

00:32

I t environment or IittIe infrastructure?

00:36

There are literally hundreds off possible types off data sources around your environment. By leveraging threat data from your own network, you can detect and stop threats. In these cases, you need to know that understanding all the lock types and sources available for selection

00:55

can be pretty difficult.

00:57

And there is no way we could everything to cover every possible source of flocks. This is why we need to identify what may be more valuable than others as a star's point, and you can always add more sources as we go.

01:12

So let's start with defining what data are re collecting and certainly

01:19

internal data sources in globe Any data that could be collected within the organization

01:25

it's can be host or endpoint data

01:29

network data or even finish it. Intelligence. Keep in mind that in most of the cases, threat intelligence analysts are not responsible for data collection. But they need to be knowledgeable about the kind off data they would request from other teams

01:48

in order to build context,

01:49

especially in case off incident.

01:53

So let's start with ah hose data

01:57

whose data comes from endpoint devices so we can call it also end point data.

02:04

These devices can be mobile phones, laptops, desktops, species, but also makeover hardware such as servers like in the data centers.

02:15

You'll be interested in collecting the following data with their within your end points

02:21

process. Execution meta data.

02:23

This data will contain information all the different processes run in on your end parts

02:30

registry. Excess data.

02:32

This data will be related to registry objects, including keys and value meta data on Windows Base. It's in sports, of course

02:46

file data. This data includes dates when the files all the hosts were created or modified, as well as their size type and location where they are storied within the disc.

03:00

Finally, network data.

03:02

This data will define the parent process for network connections.

03:08

So, um, here data could be collected through DDR

03:15

ideas some sensors but also through forensic tools.

03:20

Now let's move to the second type off internal later sources network data.

03:25

It involves collecting data from network and security devices available in your environment. Here I collected some sources that you might find in your IittIe infrastructure, starting with off with the firewall. This data is one of the most important data that it will be collected

03:46

so they viral logs will contain information on network traffic

03:51

as the border off the network

03:53

proxy logs. Here you will be, ah collecting http data containing information on outgoing Web requests such as Internet resources that are being accessed within the internal network.

04:08

Deanna's logs

04:10

the logs you will get here with contain data related do domain name server resolution.

04:15

These will include domain toe I p address mapping

04:20

Web server logs. They record all user requests that were process it by the server, including information about the users.

04:30

These logs also include our errors.

04:34

We can find also authentication server logs if they include signing failures. Ah, successful Loggins and valid request, etcetera.

04:46

You can ingest all of these logs into a same solution and create specific rules for detection.

04:53

And speaking of this, if you are interested in learning more about since I highly recommend visiting the different courses and laps about Central's and products that are already available on cyber

05:08

second emissions data is the serotype off internal data sources.

05:12

Threat Intelligence data comes from working on investigations.

05:16

You can leverage intelligence from your own network, especially when you are working on a campaign and a license.

05:24

In many cases, your own network shows more relevant intelligence tour organization than the intelligence that you are collecting from external data sources

05:34

and maintaining historical knowledge off. Best investigation

05:39

is helpful in leveraging more mature threat awareness based on internal sources, including indicators off compromise, story in your threat, intelligence platform,

05:50

vulnerability scan reports, malware analysis reports,

05:56

forensic reports,

05:58

incident response reports and threat intelligence reports, including the related indicators. Muller And if no, the attribution and Motivation off Adversary.

06:11

That's all for this lesson.

06:13

Ah, here We discussed it the different types off until internal data sources started with host data sources,

06:24

network data source and threat Intelligence data source.