Case Study 2: Threat Intel Demo Lab

24 minutes
Video Transcription
Everyone, welcome back to the course. So in the last video, we took a look at case study number one. Again, the organization was looking to get more visualization inside the Kubernetes data to see what's actually occurring in the environment and make sure that they maintained uptime.

In this video, we're going to take a look at case study number two. So I hope everyone enjoys the company name here, right, 100% Security. But again, these case study documents are available in the resource section of the course. So basically, 100% Security, what they're trying to do is just identify any potentially malicious actors. So they're gonna be using the CrowdStrike Threat Intel app to do so. So the Threat Intel app for AWS.
So what we're going to do in this video is just go ahead and add that app to our library, and then we're gonna take a look at the data that we're able to see. So start off in the App Catalog here, and once you've selected it, go ahead and start a search for it here. It makes it a lot easier to find, so just type in "threat" and you'll find it here. The Threat Intel for AWS by CrowdStrike. We're just gonna select that there. You'll see this Add to Library button right there. We're just gonna go ahead and click that.

And then again, it's going to ask us to specify the tags that we want to use. So this first one here, the CloudTrail one, we're gonna go ahead and type in basically the same one we had done before, right? If you recall from the previous video, we're going to do labs, uh, forward slash aws forward slash and then cloud trail.

All right, so that would be our first tag there. The second tag, for our VPC flow logs, we're gonna go ahead and do labs forward slash aws forward slash vpc. Right, so the same thing here: labs forward slash aws and then forward slash, our VPC.

And we'll select that one. And then for our final tag here, for the elastic load balancer, we're going to do a similar format, right? So we're gonna be doing labs forward slash aws forward slash elb. So we're gonna type in labs forward slash aws forward slash elb. And we'll see that'll pull it. Perfect. So now we're just gonna add that to our library,
and what we're gonna notice, similar to when we did it with the CloudTrail, we're going to notice that we will see a folder now for our CrowdStrike. You'll see right there the Threat Intel for AWS folder. So I'm gonna go ahead and close this top one here just to clean that up a little bit. So let's go ahead and select the Threat Intel for AWS option, and you see all the various dashboards underneath there.

So we'll start off in the overview like we have done before. We'll select that dashboard, and we can see we get some basic information pulling in, right? It's going to show us any scanned events over the period of time. It's going to show us threats over time as well as elastic load balancing, and some areas may not have data in this particular feature.
So next we're gonna take a look at our, uh, top option here, the welcome dashboard here. So we're gonna take a look at the VPC flow logs, and it's just gonna show us some basic information about those logs, right? So are there any areas where there were rejected flow logs, et cetera.

So next up, we're gonna take a look at our CloudTrail data here, and we're gonna be able to see: are there any specific threats by a leader geolocation? So we can see here that there look to be quite a few, looks like out of the Germany area.

We could also see if there were any threats associated with our CloudTrail events, which we see there is no data here, but if you're in a live environment, you may see that information.
We can also see some information about the elastic load balancers, and what this will show us is, we can see, if it's available, any threats associated with a specific client IP address. So you may be able to, because basically what this is doing is comparing these IP addresses to CrowdStrike's threat intel database. So it'll show us if anything in their database is saying, hey, that's a potentially malicious IP address.

You'll see here that some of these source IP addresses are being flagged as malicious, and it's telling us also the confidence level, right? So is there a, is there, uh, good indication that this is a malicious IP? Well, here it says high, right? And as we scroll down, there is quite a bit of data here. As we scroll down, you'll see that the majority of these are going to be high in most instances. But we can go through many pages of data, and we'll find some low ones in there as well.

But basically, it's gonna flag the high-level ones for us, and then also one of the neat features here is it's gonna show us what happens, right? So what kind of attack is more likely to happen from this particular IP address? So we could see, for example, that some of these might be malware. Some of these might be, uh, other types of threats that are coming through. Looks like most of these are gonna be malware. So, like, TrickBot, for example, Empire PowerShell, Dridex malware.

So several of these are remote access Trojans up there. So, uh, bad news, et cetera. So a good amount of these are going to be, uh, known malware coming through these IPs. So basically, what this would allow you to do is say, hey, let me go ahead and block these, right? If I know that these are not, um, IP addresses that I've authorized or that are legitimate users, these are probably someone attacking our infrastructure here, so we could go ahead and block these IP addresses.
So in this video, we just took a brief look at the Threat Intel app for AWS from CrowdStrike. So again, this is just something that you can plug into Sumo Logic to give some good visibility that would show us: are these users potentially bad actors? Right. So we see that this one here, for example, we see the source IP is being flagged as malicious based off the threat intel database from CrowdStrike.

In the next video, we're just gonna go ahead and wrap up the course.