Time
8 hours 28 minutes
Difficulty
Beginner
CEU/CPE
10

Video Transcription

00:00
hello and welcome to another application of the minor attack framework discussion Today. We're going to talk about browser bookmark discovery. So let's go ahead and jump right in,
00:12
said Today's objectives for this particular discussion are to describe browser bookmark discovery and what that looks like at a high level. We're gonna look at some mitigation techniques, will talk detection techniques, and in between here, I'll give you a quick example of what an export looks like for bookmarks.
00:30
Now browser bookmark discovery with respect to the minor attack framework is when a threat actor uses bookmarks to reveal personal information about a target. It could also be possible that there are internal details about the organization and its infrastructure.
00:47
So consider this. If you're anything like me, I don't remember. Unfortunately,
00:51
all of the I P addresses that correlate the things like be sphere servers or network infrastructure or internal pages. That may just be I p based, so I tend to use bookmarks to help me on my my company, you know, device.
01:07
Use those bookmarks to help me to keep track of the things that I know. I need to get into the things that I know that I worked with on a regular basis
01:14
because I can't remember all of the girls. And the subspace is that I need to get into and everything that I need to put into it, to get to the page that I'm looking for.
01:23
And so in orderto be expedient and to get two things quickly, I just use bookmarks in chrome. Well, that's fine. But the thing about that is that when threat actors get on the system or potentially get on a system,
01:37
they may look for those types of things. And so they could say, Oh, look, there's an I P address that this person is going to. Quite often there's a
01:44
Web page that they're going to quite often. No. Look, there's something product specific that they're always using in looking at. So they must use Cisco where Dell or, you know, they must use one of these types of things. And so
01:56
again, it gives it threat actor the potential ability to kind of know what's going on in your infrastructure, what you're using day today, and if you auto feel credentials, which we, you know, do not allow in our organization, you shouldn't be doing that.
02:09
If you go on a long into a page upon clicking a bookmark or something of that nature that makes it threat, actors job that much easier.
02:19
And that could be really, really bad. If you on a long into, like you're hyper visor management portal or something of that nature and now they could see all of your virtual infrastructure, they can log into anything that could be a very cumbersome day and very troublesome thing to have to clean up.
02:35
So just a quick example. This is from my personal system, so there's nothing work related per se here, but you'll notice that this is just a snippet. So I went into chrome and actually just did an export of the bookmarks, and it kind of laid everything out for me and this nice, neat sheet. And so everything that I have here
02:53
you can see is pretty much related to when I was going through some O. A. C P prep
02:58
and working on that. But you've got your cheat sheets and everything. That's so this person might be able to get this information to know. Hey, this person may have access to systems that have tools on them use for exploitation. This person
03:12
may have, you know, elevated privilege. Maybe they've got a separate and count somewhere. Maybe they've got
03:19
access to sites or tools or things of that nature that could be to my benefit. So there are some things here that a threat actor may be able to look through and go up. This seems to be a likely target, or they may go. Oh, this doesn't seem to be very beneficial,
03:31
but then they can attempt to do other things on the system as well, or use the system as a ah point for them to then move either further into the network or do additional research.
03:43
So let's talk about mitigation techniques here. Really,
03:46
we're looking at into user awareness training and making sure that where
03:53
informing users on the appropriate way to save information on the things that they shouldn't be doing, like auto feeling passwords on separation of work and personal accounts, making sure that we don't go to banking sites and things that nature on on the company systems. Just just because one it's not really
04:13
healthy for you as an end user to utilize company equipment to go to banking *** in most cases, organizations indicating company policies that you have no privacy on the systems that
04:27
you know you shouldn't use systems for personal use. A. There is some give and take there that they say healthy use. You know, it's not interfering with work and things that nature is good
04:35
and OK, but still, you know, you never want to
04:40
put your personal information and your personal accounts
04:45
on a corporate asset. It's just not good practice because that asset could be picked up one day, wiped and reloaded and you lose things or, you know you never know who else in the organization could get access to that system and see information that should otherwise be kept confidential. So
05:02
be night, mindful of that, and ensure that users air well trained on the expectations of the organization for handling that kind of data.
05:12
So some detection techniques, again looking kind of like the previous ones here, were monitoring for commands that provide arguments that could be used to gather browser bookmark information.
05:21
So most of what we're going to be looking at in the next discussion sets where we get into talking about remote access of other applications. Lateral movement Discovery thinks that nature it all kind of compounds here we get from blocking applications per se and looking for hashes and looking for payloads
05:42
to looking for activity patterns that are indicative of
05:45
a person that is trying to gather information or trying to move through systems.
05:50
And so we're getting more and more into a need tohave individuals who are able to evaluate system activity and tell us where we may have a threat actor present. So let's go ahead and do a quick check on learning. True or false bookmarks are typically what an end user puts in between printed pages to save their place.
06:12
All right, well, if you need additional time, please pause the video. So this particular statement, with respect to bookmarks and printed pages, is false. I don't even know that people still use bookmarks. I've been using business cards and things of that nature to keep my place in books
06:30
and things of that nature. I can't actually remember the last time I picked up in actual book, Monti's
06:34
in a book, but some of you may have book marks, but in this case, This is not true with respect to the context of our discussion.
06:45
So let's go ahead and jump over to our summary. So today summary is pretty straightforward. We described what browser bookmark discovery is we talked about, looked at an example
06:56
we discover, describe mitigation techniques, is primarily being end user awareness training and providing good separation of personal and business information on those accounts, not auto filling
07:06
credentials. Things of that nature. So in user awareness, training is going to be big here
07:12
and then we looked at detection techniques again, really falling back into making sure that we're monitoring system activity from known malicious behavior or things that may be suspect that we would need to evaluate further. So with that in mind, I want to thank you for your time today, and I look forward to seeing you again soon.

Up Next

Application of the MITRE ATT&CK Framework

This MITRE ATT&CK training is designed to teach students how to apply the matrix to help mitigate current threats. Students will move through the 12 core areas of the framework to develop a thorough understanding of various access ATT&CK vectors.

Instructed By

Instructor Profile Image
Robert Smith
Director of Security Services at Corsica
Instructor