Hello, and congratulations on the completion of the Initial Access area of the MITRE ATT&CK framework. So what should we know at this point, or what should we know now? What should we be able to apply based on what we've learned here? Well, we looked at initial access. Overall, we defined what it was, essentially that the threat actor gets into the network initially, and we defined some attack types and examples just in that first lesson in this module.
And then we looked at external remote services. We defined what external remote services are. We reviewed Linux Rabbit and Rabbot, crypto-mining malware that works to put a miner on systems that have SSH open, and it is also geolocation sensitive. We reviewed the threat group OilRig. We also looked at mitigation techniques and best-practice detection techniques for external remote services.
From there, we got into spear phishing links. We defined what those are. We looked at Turla, which is another threat group. We reviewed mitigation techniques and detection techniques.
We then looked at supply chain compromise. So we defined what that was, essentially being a piece of software or hardware that is injected with malware or code that allows threat actors access to systems. We reviewed some examples of that, such as the CCleaner incident that came up last year and almost happened again this year.
We reviewed mitigation techniques such as code review and things of that nature, and we got into some detection techniques as well. We then looked at trusted relationship, which is not the same as the supply chain compromise. This is when a third party has direct access to systems, and they have either access to data or access to systems, and they are considered a trusted provider. We looked at managed service providers, and we drew a pyramid where we discussed how managed service providers or larger software companies may have access to multiple systems. And then on that second tier, there are multiple systems. It could be banks, healthcare providers, hospitals, manufacturers, whatever the case may be, that would have a multitude of account information.

And so we talked about why a threat actor would look at compromising that top-tier relationship that has access to multiple systems, versus focusing on individual end users. And so why go after my individual information, which is still done on a one-for-one basis, when the bank could be compromised and then it's one to many, or the managed service provider could be compromised, and then it's one to a lot? We reviewed some mitigation techniques here and detection techniques that are more so on the business side to take care of, such as implementing controls to monitor activity in this relationship, as well as to keep tabs on when the provider has access, and maybe limiting access as well.
We then looked at valid accounts, which is essentially when a threat actor gains access to credentials or a list of credentials that they can then use against multiple systems to provide them with access. And this is especially dangerous if you've got end users that reuse accounts across multiple systems: if I used the same administrative account and password on multiple network devices as well as my domain admin account, or if I use the same credentials for my banking applications as I do for HR applications, as I do for healthcare applications. And so that could become dangerous. If those accounts were in fact compromised, they could be reused across multiple platforms.
And then we rounded everything else out with a case study where we reviewed, and you should have been able to apply, MITRE ATT&CK framework controls to the scenario of HSBC and their particular incident. So you should have been able to come up with the particular vector that was most likely involved here, as well as looking at the mitigating controls and detection controls that could have been implemented that may have either prevented the particular scenario or would have made its impact a lot less severe. We also looked at a component of this where, you know, do we have culpability as end users of the particular systems, and by reusing our credentials across multiple platforms, are we at fault in any way, shape or form for this as well? And so that was more a question for you to ponder and kind of make a determination on as well.
So again, congratulations on completing this module. I am happy to be with you here, and I look forward to seeing you again.
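The valid-accounts discussion above (stolen credentials reused against multiple systems) as an added detection example; this code is not from the course, and its log format, account names, hosts and thresholds are all constructed for illustration.

```python
# Added example, not part of the course: flag a single account that authenticates
# successfully to many distinct systems within a short window, one signal that a
# valid account is being reused across systems. All sample data is constructed.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth log: "jdoe" reaches several systems within minutes,
# alongside normal single-system activity from "asmith".
SAMPLE_LOG = """\
2024-03-01T09:00:12 user=jdoe src=203.0.113.7 host=vpn-gw1 result=success
2024-03-01T09:01:40 user=jdoe src=203.0.113.7 host=hr-portal result=success
2024-03-01T09:02:05 user=asmith src=10.0.0.21 host=hr-portal result=success
2024-03-01T09:03:55 user=jdoe src=203.0.113.7 host=fw-core result=success
2024-03-01T09:04:10 user=jdoe src=203.0.113.7 host=dc01 result=failure
2024-03-01T09:05:30 user=jdoe src=203.0.113.7 host=dc01 result=success
2024-03-01T11:30:00 user=asmith src=10.0.0.21 host=mail result=success
"""

def parse_line(line):
    """Turn one 'timestamp key=value ...' auth line into a dict with a datetime."""
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.fromisoformat(ts)
    return rec

def find_spread_accounts(log_text, window=timedelta(minutes=10), min_hosts=3):
    """Return {user: sorted hosts} for accounts with successful logins to at least
    `min_hosts` distinct systems inside any sliding span of length `window`."""
    by_user = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec["result"] == "success":  # failures are a separate signal; skip here
            by_user[rec["user"]].append((rec["ts"], rec["host"]))
    flagged = {}
    for user, events in by_user.items():
        events.sort()  # chronological order so each event can start a window
        for i, (start, _) in enumerate(events):
            hosts = {h for t, h in events[i:] if t - start <= window}
            if len(hosts) >= min_hosts:
                flagged[user] = sorted(hosts)
                break
    return flagged

if __name__ == "__main__":
    for user, hosts in find_spread_accounts(SAMPLE_LOG).items():
        print(f"ALERT: {user} reached {len(hosts)} systems in one window: {hosts}")
```

Tune `window` and `min_hosts` to what is normal for a given account type; an MSP or admin account that legitimately touches many systems needs a higher threshold or an allow list, which is where the "monitor when the provider has access" control from the trusted-relationship discussion fits in.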