6.1 Cyber Kill Chain

00:01

Welcome back, ladies and gentlemen,

00:03

welcome to another episode of Introduction to Sever Threat Intelligence. Today we're going to start working on the model cyber trade, intelligent frameworks, and it's starting with the cyber cyber kill chain. Also name, isn't it? OK, let's start.

00:20

That's almost everything in the computer world there frameworks available to give teams, processes, procedures and instructor to which they can attach to in order to make everything more effective.

00:33

If this model went going to review three men mainframe worse, that often shows very useful to implement in a cyber credit intelligence life cycle.

00:42

The frameworks explaining this model are not competitive but rather complimentary. Duke in Italy's utilize 12 or all three of them

00:54

recorded future in its Threat Intelligence Handbook states cyber tracked intelligence frameworks provide instructors for thinking about attacks on adversaries.

01:03

They promote a broth understanding off how Attackers think the methods they use, and we're in an attack. Life cycles specific events occur

01:14

frameworks also health focus attention on the details that acquire forget investigations to ensure that threats have been fully removed and that measures are put in place to prevent future in crew shins off the same kind

01:30

finally frameworks like useful for sharing information, we think, and across organizations

01:36

they provide a common grammar and sink ticks for explaining the details, off attacks and how those details relates to each other.

01:46

The cyber kill chain, first developed by Luckett Marching in 2011 is the best known of the cyber credit intelligence frameworks. The cyber kill chain is based on the military concept off the kill chain, which breaks destructor off an attack into different stages.

02:04

The essence of an intrusion is that the aggressor must develop a pale to breach across the boundary, establish oppresses inside a trusted environment and from that presence, take actions towards their objectives,

02:19

be they moving laterally inside environment or violating the confidentiality, integrity or availability off the offer system in the environment.

02:29

But brick, by breaking an attack up, defenders can pinpoint which stage it is

02:36

and deploy a profit. Contra measures security teams can develop a standard response for each stage and be prepared in order to mitigate what a tool or technology is costing. Inside the network,

02:49

the Sabre kill Ching also allows organizations to build a defense in depth models that targets a specific parts of the kill chain.

03:00

The Sabre Guilty describes seven stages often attack

03:06

1st 1 We have the reconnaissance in thes fates research, identification and selection of Tartars, often represented as a crawling Internet website such as a conference proceedings and making least for email addresses, social relations, it relationships or information on a specific technologies.

03:25

The second face, it's weaponization sze couple in a remote Access Trojan with an exploit inter the livable payload typically by means often out of maybe tool like a weapon izer.

03:39

Increasingly, client application data files such as Adobe Pirtle Document formally, PDF or Microsoft Office documents surface the weaponized a liberal

03:52

that their face is delivery, which is the transmission of the weapon to the targets. His environment.

03:58

The three most prevalent delivery of Victor's were for weapon. It's payloads by advanced, persistent threat actors.

04:05

For the years 24 2010 R email attachments, websites and use be removable media. According to the LOCKHEEDMARTIN Computer DNC in Response team,

04:16

the fourth face is exploitation after the weapons delivered to become host exploitation treaters. Intruders code most often exploitations targets an application or operating system vulnerability,

04:30

but it could also more simply exploit the users themselves or levers and operating system feature their outer executes code.

04:40

The fifth face is the installation.

04:44

This is the insulation off a remote access Trojan or batter on the Big Tim system, allowing the adversary to maintain persistent persistence inside the environment.

04:57

The sixth face is the common and control face.

05:00

Typically compromise host most beacon out bone to an Internet controller. Surber. To establish a common and control channel advanced persistent threat. Malware, especially requires manual interactions rather than conduct activity automatically.

05:15

Once to the Common and Control channel establishes in cruder shake hands on the Keeper access inside the target environment.

05:26

The seventh and last phase Artie actions and objectives sometimes refer to as ex filtration

05:31

on Lee. Now, after progressing, two of the 1st 6 faces can intruder steak actions to achieve their original objectives.

05:40

Typically, dis objectivist data exfiltration, which involves collecting and creating and extracting information from the victim environment.

05:49

Violations of data integrity or availability are potential of detectives as well are tentatively our tenant. Alternatively, the intruders may only desire access to the initial big Tim bucks for use as a hot point to compromise additional systems and love ladder lurch latterly inside the network.

06:10

These faces are showing the tyrant below, since it is a process where where one comes after the other one completion

06:19

different. A mental elements of intelligence thesis model is the indicator.

06:25

On indicator is any piece of information that objectively describes an inclusion. Indicators can be subdivided into Cree tribe types.

06:33

Atomic Theater. Mick indicators are those which cannot be broken down into smaller parts on retain their meaning in the context of an intrusion.

06:43

Typically, examples Our I P addresses email addresses and vulnerability identifiers.

06:49

Another indicator. Our computers. Computers indicators are those which are real from day data involved in an incident.

07:00

Common computer indicators include the hash values and regular expression.

07:03

And lastly, there is the behavioral indicators

07:09

thes air collections of computer anatomic indicators, often subject to qualification by quantity and possible combinatorial logic.

07:18

An example will be a statement such as

07:21

the intruder will initial use of factor, which generated noble traffic matching regular expression at the rate off some frequency

07:32

to sew my P actress

07:34

and then replace it with one Martin. The empty five harsh

07:39

value.

07:40

Once access was his tablet.

07:43

This three indicator types hello analysts to classify the obtain information in a way that we let them go from general to specific as much as needed.

07:55

December Kill Chain is a good way to start thinking about how to defend against attacks, but it has some limitations. One of the big criticisms off this model is that it doesn't take into account the way many motors attacks work. For example, many phishing attacks escaped the exploitation face entirely and instead

08:13

rely on the victim to up in a Microsoft Office document with an embedded macro or to double click on an attached script.

08:22

But even with these limitations, December December kill chain creates a good base linked to discuss attacks and where they can be stopped.

08:31

It also makes each year to share information about attacks. We think on outside of the organization, using stander and well defined attack points,

08:41

you can find more information about this approach through the link. At the bottom of these is light.

08:46

Now it's time for some questioning.

08:50

What do you think that an inclusion schemer, such of the cyber kill chain works well for defining the cyber threat? Intelligence stages

09:01

in going back to every stage of the cipher key chain.

09:03

What type of thing for mentioning of off information you think has to be available in each of its faces.

09:11

These two are very interesting questions to do some analysis off what we've just learned and how it should be applied in real life.

09:20

Because, let me tell you, really, life is very different from pen and paper. Don't forget that.

09:28

Okay to review. In today's brief lecture, we discussed benefits. A cyber tracked intelligence cap can get by sticking to a given framework

09:37

how decided Kill chain works and benefits the information collection in all of its stages. And how can the information collected helping is stopping a possible compromise.

09:50

Looking forward, we have two more form frameworks to review. Starting with the diamond model and closing up with the meter attack one

09:58

you're in for a creat crossed me