Hello and welcome to the third lesson of the module on analysis and production. In this lesson, we will discover together another analysis technique, which is actually emerging: the merging, or mapping, of the Cyber Kill Chain and the Diamond Model.
Let's define our objectives for this lesson. We will start with the two models, the Cyber Kill Chain and the Diamond Model, and then we will see how to map the Cyber Kill Chain and the Diamond Model together,
and we will finish our lesson with a practical use case: the example of a phishing case. The concept of the cyber kill chain is attributed to Lockheed Martin and their 2009 paper entitled "Intelligence-Driven Computer Network Defense Informed by Analysis of Adversary Campaigns and Intrusion Kill Chains".
It's a defender-centric paper that describes the steps an attacker must take to successfully compromise their target and extract information thereafter. The theory is that, as a defender, all you need to do is disrupt one link in the chain,
and the steps that follow are no longer an issue. Obviously, not all the steps are apparent to the defender.
You may possibly be able to detect some of the reconnaissance step, if the attacker is browsing your website, for example;
however, you are highly unlikely to have any visibility of the weaponization stage.
How much visibility you have of what follows will depend on how well you monitor your own network, including the main server and your endpoints.
The cyber kill chain is a process composed of seven steps, which we will see briefly in this slide. The first step is reconnaissance, which means gathering data and intelligence on the target organization. In this phase in particular, hackers can take advantage of OSINT,
which is something that we've seen in a previous lesson.
The second phase is
weaponization, which means crafting a malicious payload using exploits for vulnerabilities. The third step is
delivery, which means the payloads are sent to the target, for example using phishing. The fourth step is exploitation, which means exploiting a vulnerability to gain access. The fifth step is installation, which means installing malware or obtaining credentials and establishing backdoors. The sixth step
is C2, or command and control, which means navigating the internal network and setting up command and control.
The final step is actions on objectives, or actions on target, and here the ultimate goals are achieved, such as exfiltration of data.
The second model is the Diamond Model.
The Diamond Model is one of the novel models for cyber intrusion analysis, where an adversary attacks a victim depending on their motivations, rather than following a series of steps like the kill chain. The Diamond Model was published by the
Center for Cyber Threat Intelligence and Threat Research in 2013.
This model consists of four basic elements: adversary, infrastructure, capability and victim.
An adversary is an actor or a set of actors who attack a victim after analyzing their capability against the victim. Initially, the adversary starts with no knowledge of the capability of the victim. After analyzing the capability of the victim, the adversary may find that they have
more capability than the victim, and decide
to attack them or not.
This model is important when dealing with more advanced attackers, such as those who have already gained some control over the network. The figure in the slide illustrates that the adversary looks for an opportunity to attack a victim, depending on the capability or the infrastructure.
Now let's see the different elements constituting the Diamond Model. The first one is the adversary. An adversary is an actor or organization that is responsible for using a capability against the victim to achieve their intent.
The second one is capability. The capability feature describes the tools or techniques of the adversary that are used to affect the victim, from the most manual and unsophisticated methods (for example, manual password guessing) to the most sophisticated automated techniques.
The third element is infrastructure.
The infrastructure feature describes the physical or logical communication structures that the adversary uses to deliver a capability, to maintain control of their capabilities (for example, C2 servers) and to effect results from the victim (for example, exfiltrating data).
The final one is the victim.
The victim is the target of the adversary, against whom vulnerabilities and exposures are exploited and capabilities are used.
It can be people, a network, a system or an organization.
The Diamond Model and cyber kill chain analysis are highly complementary. When there are dependent events, each composed of adversary, infrastructure, capability and victim, they can create what we call activity threads
across the kill chain.
These activity threads are also called the merging of the Cyber Kill Chain and Diamond Model, or the mapping of the Cyber Kill Chain and Diamond Model.
These activity threads do not always span vertically along a single adversary-victim pair, but rather horizontally, as adversaries take advantage of knowledge and access gained in one operation to enable other operations.
The activity thread example displayed on this slide illustrates an adversary's operations against two victims, as well as another, unknown adversary's operation against a third, unrelated victim.
Furthermore, the dashed elements illustrate the ability for analysts to integrate hypotheses that can be further tested or supported with additional evidence gathering.
This organization of knowledge is useful in many ways, including the identification of knowledge gaps in adversary campaigns, as well as hypothesis generation and documentation.
Now let's move to the practical use case. The use case is around a phishing scenario.
We took a real example of a phishing email analyzed by the Cofense Phishing Defense Center.
Here we are supposing that the target is called Bob. He received a phishing email and clicked on a link that redirects to a Google Doc page, which contains a fake error message and another embedded link. The link in the doc file downloads the malicious payload.
It is an .exe file, which has been disguised
as a video file. Once the payload is executed, it creates a copy of itself in ProgramData, where it takes control over execution of the malware. Furthermore, it creates another copy in the user's AppData Roaming folder, named Speed Land,
that also includes the config file for TrickBot.
Additionally, if we open the Task Scheduler, we can see that it also set a task that starts the malicious files from the Speed Land folder, and looking at the trigger tab, we can see it has been set to repeat itself every 11 minutes for 414 days
for this particular version of TrickBot.
Now that you have an overview of the story, we can create the activity thread related to this case. We start with the first phase, which is reconnaissance; since we have no information regarding this phase from the article, we can leave it empty.
For the second phase, which is weaponization, we have an idea about the infrastructure and the capability, because the adversary used social engineering
as the capability; the infrastructure was the creation of the Google Doc and the file that was downloaded, which is the payload;
and the victim here is Bob.
For the third step, which is delivery, the adversary, which is still unknown,
uses the capability of social engineering, and for infrastructure they use the Google Doc link and emails to send it to the victim, which is Bob's email address. For the exploitation phase, the capability is the malware itself, the .exe file; the infrastructure is unknown,
and the victim is Bob and his computer.
For the installation phase, the adversary is still unknown. The capability is the TrickBot Trojan, which was dropped by the previous payload; the infrastructure is still unknown, and the victim is Bob and his computer. For the two next steps, we have no information from the report,
but based on the nature of the TrickBot Trojan, which is a banking Trojan, we can assume that the actions on objectives will be exfiltrating
banking information from Bob's computer.
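To make the activity thread concrete, here is an added Python example (not from the lesson or from Cofense's report) that models the diamond events of the phishing case above with the values as the lesson gives them, then derives the knowledge gaps per phase and the element that is only a hypothesis (the dashed element). The phase and feature names are assumptions of this example.

```python
from dataclasses import dataclass
from typing import Optional

# Kill-chain phases and diamond features (names assumed for this example).
KILL_CHAIN = ["reconnaissance", "weaponization", "delivery", "exploitation",
              "installation", "command_and_control", "actions_on_objectives"]
DIAMOND = ("adversary", "infrastructure", "capability", "victim")


@dataclass
class Event:
    """One diamond placed at one kill-chain phase; None marks an unknown feature."""
    phase: str
    adversary: Optional[str] = None
    infrastructure: Optional[str] = None
    capability: Optional[str] = None
    victim: Optional[str] = None
    hypothesis: bool = False  # a 'dashed' element: assumed, not yet evidenced


def build_thread(events):
    """Order the events along the kill chain; phases without evidence stay empty."""
    thread = {phase: None for phase in KILL_CHAIN}
    for ev in events:
        if ev.phase not in thread:
            raise ValueError(f"unknown kill-chain phase: {ev.phase}")
        thread[ev.phase] = ev
    return thread


def knowledge_gaps(thread):
    """Map each phase to the diamond features still unknown (all four if no event)."""
    gaps = {}
    for phase, ev in thread.items():
        missing = list(DIAMOND) if ev is None else [f for f in DIAMOND if getattr(ev, f) is None]
        if missing:
            gaps[phase] = missing
    return gaps


def hypotheses(thread):
    """Phases whose event is a hypothesis to be tested with further evidence gathering."""
    return [p for p, ev in thread.items() if ev is not None and ev.hypothesis]


# Constructed from the phishing case walked through in the lesson; adversary is unknown throughout.
PHISHING_THREAD = build_thread([
    Event("weaponization", capability="social engineering",
          infrastructure="Google Doc and downloaded payload", victim="Bob"),
    Event("delivery", capability="social engineering",
          infrastructure="Google Doc link and email", victim="Bob's email address"),
    Event("exploitation", capability="malicious .exe", victim="Bob and his computer"),
    Event("installation", capability="TrickBot Trojan dropped by the payload",
          victim="Bob and his computer"),
    Event("actions_on_objectives", capability="TrickBot (banking Trojan)",
          victim="Bob's banking information", hypothesis=True),
])
```

Calling `knowledge_gaps(PHISHING_THREAD)` lists reconnaissance and command-and-control as fully empty and the unknown adversary at every other phase, which is exactly the collection plan an analyst would draw from this thread.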
Briefly, in this lesson we've seen the Cyber Kill Chain and the Diamond Model, and then we combined these two models to create a new technique, which is activity threads. Finally, we finished this video with a real example of analysis using a phishing case.
In the end, I believe that we should not ask
"Is it better to use the Cyber Kill Chain or the Diamond Model?" but instead we should ask "Are we using them both effectively?"
This is all for this lesson. I hope you enjoyed this video. In the next lesson, we will cover another analysis technique, and it will be the cyber kill chain and course of action matrix.