Hello and welcome to another lesson from the module Analysis and Production. This lesson is about another technique of analysis, which is a combination of the Cyber Kill Chain and the Courses of Action Matrix.
For this lesson, we will start with a quick reminder of something that we learned in the previous video, which is the Cyber Kill Chain. We will also discover together the Courses of Action Matrix, which consists of two types of actions: passive and active courses of action.
And we will close this lesson with an example.
In the previous video we introduced one of the techniques used for intrusion analysis, which is in reality a combination of two models, the Cyber Kill Chain and the Diamond Model.
This lesson will focus as well on the Cyber Kill Chain. The seven steps of the Cyber Kill Chain cover all the stages of a single intrusion that, when completed successfully, will lead to a compromise. It is important to know that the Cyber Kill Chain is a process that represents the steps of an intrusion based on actions taken from the adversary's perspective. Within each of these stages there is also an opportunity for defenders to prevent a successful intrusion. If we place ourselves on the network defender's side, then we would apply what we call the Courses of Action Matrix. Well,
let's see what all of this means.
Let's start with a basic example. We are in the delivery phase of a phishing case. What kind of information is provided in this step?
The delivery can tell us which email and web infrastructure was used to deliver the malware.
So in the analysis, this phase would provide you with IOCs, or indicators of compromise. These indicators describe adversaries by providing details about their infrastructure, including their TTPs, or tactics, techniques and procedures, that were used to attack the victim.
In other words, all these indicators should have a role, and they need to be actionable to increase your defenses.
Now that we have mentioned that the indicators of compromise should be actionable, what kind of actions should we take?
There are essentially two significant categories of action that responders can take: passive or active.
This categorization of actions is described in another model from Lockheed Martin, called the Courses of Action Matrix. The passive actions of the Courses of Action Matrix have no direct influence on the actions of the attacker, which is not the case for the active actions.
Now let's move to the main focus of this lesson, which is the Courses of Action Matrix. It is a mapping of defensive actions against the Cyber Kill Chain, allowing for the production of a kill chain Courses of Action Matrix for an intrusion. The produced set of courses of action highlights the defensive actions
that can be taken and provides a model for actionable intelligence,
as described in the table displayed on this slide.
Let's discover together the seven actions constituting the columns of this matrix.
Two of the seven actions fall under the category of passive courses of action, which are Discover and Detect. The Discover action is a historical look at the data. This action heavily relies on your capability to store logs for a reasonable amount of time and have them accessible for search.
Typically, this type of action is applied against SIEM solutions or stored network data. The goal is to determine whether you have seen a specific indicator in the past. The other passive action is setting up detection rules for an indicator against future traffic.
These actions are most often executed
in an intrusion detection system, or IDS, or as a specific logging rule on your firewall or application. It can also be configured as an alert in your SIEM solution that fires when a specific condition triggers it.
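To make the two passive actions concrete, here is an added example (not part of the original lesson or of any vendor tool) that runs a Discover search over constructed mail-gateway and proxy log lines for an indicator found in the delivery phase, checks whether the log retention window can even answer the question, and then turns the same indicator into a Detect rule applied to new events. The log lines, the domain invoice-update.example and the corp.example recipients are all constructed placeholders.

```python
import re
from datetime import datetime, timezone

# Constructed sample log lines, not from any real environment: a mail-gateway
# log and a web-proxy log as a SIEM would retain them.
HISTORICAL_LOGS = [
    "2024-03-01T08:12:44Z mail from=billing@invoice-update.example rcpt=alice@corp.example subject='Invoice 4471'",
    "2024-03-01T08:13:10Z proxy user=alice dst=invoice-update.example path=/dl/doc.exe status=200",
    "2024-03-02T11:02:03Z proxy user=bob dst=cdn.legit.example path=/img/logo.png status=200",
    "2024-03-05T16:40:21Z mail from=news@newsletter.example rcpt=carol@corp.example subject='Weekly digest'",
]

# Constructed events arriving after the detection rule was deployed.
NEW_EVENTS = [
    "2024-03-09T09:01:12Z mail from=support@invoice-update.example rcpt=dave@corp.example subject='Invoice 4472'",
    "2024-03-09T09:05:30Z proxy user=dave dst=cdn.legit.example path=/img/logo.png status=200",
]

# Indicator of compromise found while analysing the delivery phase (constructed placeholder).
IOC_DOMAIN = "invoice-update.example"

TS_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})Z ")


def parse_ts(line):
    """Return the UTC timestamp at the start of a log line."""
    m = TS_RE.match(line)
    if not m:
        raise ValueError("log line without timestamp: " + line)
    return datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)


def ioc_pattern(domain):
    """Match the domain exactly, either as a sender domain (from=user@domain) or as a
    proxy destination (dst=domain); the lookahead stops 'example' matching 'example.org'."""
    return re.compile(r"(?:from=[^\s@]+@|dst=)" + re.escape(domain) + r"(?=\s|$)")


def discover(logs, domain):
    """Passive 'Discover': historical search of retained logs for the indicator.
    Returns the matching lines, oldest first."""
    pattern = ioc_pattern(domain)
    return sorted((line for line in logs if pattern.search(line)), key=parse_ts)


def retention_covers(logs, since):
    """Discover can only answer for the retained window: True when the oldest
    retained line is at or before the date the question concerns."""
    if not logs:
        return False
    return min(parse_ts(line) for line in logs) <= since


def make_detect_rule(domain):
    """Passive 'Detect': a rule for future traffic; returns an alert dict or None."""
    pattern = ioc_pattern(domain)

    def rule(event):
        if pattern.search(event):
            return {"time": parse_ts(event), "ioc": domain, "event": event}
        return None

    return rule


def detect(rule, events):
    """Apply the rule to a stream of new events and collect the alerts."""
    return [alert for alert in map(rule, events) if alert is not None]


if __name__ == "__main__":
    for hit in discover(HISTORICAL_LOGS, IOC_DOMAIN):
        print("DISCOVERED:", hit)
    print("question about February 2024 answerable:",
          retention_covers(HISTORICAL_LOGS, datetime(2024, 2, 1, tzinfo=timezone.utc)))
    for alert in detect(make_detect_rule(IOC_DOMAIN), NEW_EVENTS):
        print("ALERT:", alert["time"].isoformat(), alert["event"])
```

The retention check is the point the lesson makes about Discover: a historical search is only as good as the oldest log you still hold, so a "never seen" answer about a date before the retention window is not evidence of absence.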
The active actions in the Courses of Action Matrix vary, however, in the type of impact that they have on the attacker or the intrusion. It is important to note that these actions are mutually exclusive and only one can be applied at a time.
Let's start with the first action, which is deny. The deny action prevents the event from taking place.
Common examples include a firewall block or a proxy filter. The second action is disrupt. Disruption makes the event fail as it is occurring. Examples include code signing or memory protection measures.
The third action is degrade. Degrade will not immediately fail an event, but it will slow down the further actions of the attacker. This tactic allows you to catch up during an incident response process, but you have to consider that the attackers may eventually succeed in achieving their objectives.
The fourth action is deceive. Deception allows you to learn more about the intentions of the attacker by making them think the action was successful. One way to do this is to put a honeypot in place and redirect the traffic, based on an indicator, towards the honeypot.
And the fifth action is destroy. The destroy action is rarely available to usual defenders, as this is an offensive action against the attackers. These actions include physical destruction and arresting attackers, which are usually left to law enforcement agencies,
but they also include the takedown of their infrastructure.
Here, as you can see, there are multiple courses of action available for each of the Cyber Kill Chain phases. Let's take the delivery phase as an example.
You can detect emails if your employees are aware of this threat and will redirect any suspicious email to your security team. You can also deny if you have a proxy filter, or you can block the senders. You can disrupt if you quarantine emails
by stripping attachments, and you can deceive by rerouting suspicious emails. Unfortunately, there is no single rule that can tell you what action to apply. The type of action that you choose is partly dependent on the amount of information that you still want to acquire on the attacker or the intrusion. For example,
denying email delivery from specific domains
can block malicious attachments, but you wouldn't know what these attachments actually do. Analyzing the attachment and applying passive actions to the newly found indicators may reveal additional intrusions that took place via other, not yet blocked domains.
If you want to acquire more information to feed your threat intelligence process,
then it might be more useful to apply the deceive or degrade action.
Keep in mind that the actions that you apply will also depend heavily on your capabilities on both a technical and an organizational level,
even when some actions could reveal further capabilities of the attacker.
If you have limited incident response resources, it may be more appropriate to apply basic disrupt or deny actions. Concretely, if you only have a firewall and no way to redirect traffic to a honeypot, then deny may be your only option.
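The delivery-phase example and the capability constraints above can be worked through as a small model of the matrix itself. The following is an added example, not from the lesson or from Lockheed Martin: it represents the seven kill chain phases (the standard Lockheed Martin phase names) against the seven courses of action, fills in a constructed capability inventory for a hypothetical organisation (the delivery-phase controls are the ones the lesson lists), reports the empty cells as capability gaps, enforces the rule that passive actions combine while only one active action is applied, and encodes the lesson's preference (deceive or degrade when more intelligence is wanted, deny or disrupt when resources are limited, destroy left to law enforcement) as a choice of the first available active action. The inventory contents and the preference orders beyond what the lesson states are assumptions.

```python
# Standard Lockheed Martin kill chain phases (rows) and the seven courses of
# action (columns), two passive and five active.
PHASES = ["Reconnaissance", "Weaponization", "Delivery", "Exploitation",
          "Installation", "Command and Control", "Actions on Objectives"]
PASSIVE = ["Discover", "Detect"]
ACTIVE = ["Deny", "Disrupt", "Degrade", "Deceive", "Destroy"]

# Constructed capability inventory for a hypothetical organisation: for each
# phase, the actions it can actually execute and the control that provides them.
CAPABILITIES = {
    "Delivery": {
        "Detect": "aware employees forward suspicious email to the security team",
        "Deny": "proxy filter, sender block",
        "Disrupt": "quarantine email and strip attachments",
        "Deceive": "reroute suspicious email",
    },
    "Command and Control": {
        "Discover": "SIEM search over retained proxy logs",
        "Detect": "IDS signature",
        "Deny": "firewall block",
    },
}


def matrix(capabilities):
    """Full phase x action grid; None marks a cell the organisation cannot fill."""
    return {phase: {action: capabilities.get(phase, {}).get(action)
                    for action in PASSIVE + ACTIVE}
            for phase in PHASES}


def gaps(capabilities):
    """Cells without a capability: what the organisation is missing, per phase."""
    grid = matrix(capabilities)
    return [(phase, action) for phase in PHASES
            for action, control in grid[phase].items() if control is None]


def plan(capabilities, phase, passive, active):
    """Validate a response plan for one phase: passive actions may be combined,
    exactly one active action is taken, and every action must be available."""
    available = capabilities.get(phase, {})
    if active not in ACTIVE:
        raise ValueError(f"{active!r} is not an active course of action")
    unknown = [a for a in passive if a not in PASSIVE]
    if unknown:
        raise ValueError(f"not passive actions: {unknown}")
    chosen = list(passive) + [active]
    missing = [a for a in chosen if a not in available]
    if missing:
        raise ValueError(f"no capability in phase {phase!r} for {missing}")
    return {a: available[a] for a in chosen}


def can_plan(capabilities, phase, passive, active):
    """True when plan() would accept the combination, False otherwise."""
    try:
        plan(capabilities, phase, passive, active)
        return True
    except ValueError:
        return False


# Assumed preference orders built from the lesson's guidance: prefer deceive or
# degrade when more intelligence on the attacker is wanted, prefer basic deny or
# disrupt with limited response resources. Destroy is left to law enforcement.
PREFER_INTEL = ["Deceive", "Degrade", "Disrupt", "Deny"]
PREFER_CONTAIN = ["Deny", "Disrupt", "Degrade", "Deceive"]


def choose_active(capabilities, phase, want_more_intel):
    """First available active action in the preferred order, or None when the
    phase has no active capability at all."""
    available = capabilities.get(phase, {})
    for action in (PREFER_INTEL if want_more_intel else PREFER_CONTAIN):
        if action in available:
            return action
    return None


def render(capabilities):
    """Plain-text view of the matrix: 'x' where a capability exists, '.' for a gap."""
    grid = matrix(capabilities)
    width = max(len(p) for p in PHASES)
    lines = [" " * width + "  " + " ".join(a[:4] for a in PASSIVE + ACTIVE)]
    for phase in PHASES:
        marks = " ".join(("x" if grid[phase][a] else ".").ljust(4) for a in PASSIVE + ACTIVE)
        lines.append(phase.ljust(width) + "  " + marks)
    return "\n".join(lines)


if __name__ == "__main__":
    print(render(CAPABILITIES))
    for phase, action in gaps(CAPABILITIES):
        if phase in CAPABILITIES:
            print("gap:", phase, action)
    print("Delivery, more intel wanted:", choose_active(CAPABILITIES, "Delivery", True))
    print("C2, more intel wanted:", choose_active(CAPABILITIES, "Command and Control", True))
    print(plan(CAPABILITIES, "Delivery", ["Detect"], "Deny"))
```

For the constructed inventory the Command and Control row has no deceive or degrade capability, so even when more intelligence is wanted the choice falls back to deny, which is exactly the "firewall but no honeypot" situation the lesson describes.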
In this lesson, we learned together how defenders can take more advantage of the concept of the Cyber Kill Chain. We also discovered a model and an analysis technique focused on response actions. This method is helpful for organizations to measure what capabilities they are missing
and identify what it would take
to better respond to security incidents in the future
and fine-tune their approaches to monitor and log these incidents. It is important to consider that some courses of action are mutually exclusive; here we are talking about the active or mitigating actions.
In contrast, passive courses of action are preferably applied together to gain more visibility.
This is all for this video,
and we are closing this module as well. In this module we focused on the analysis and production phase and in particular on intrusion analysis. What about more complex cases?
It is important to see how to analyze campaigns. Are the analysis methods that we have seen in this module still valid, or are there more appropriate techniques for campaigns?
This is what we are going to discover in the next module, called campaign analysis. We will start the next module with an introduction, including the definition of a campaign.