Time
4 hours 8 minutes
Difficulty
Intermediate
CEU/CPE
4

Video Description

Analysts in an organization play vital roles in CTI. Their number and specific duties will vary depending on an organization's size, but their fundamental responsibility is to identify actionable threats and communicate them to interested stakeholders. Activities of CTI analysts fall into strategic and tactical functions. We'll cover each in later modules. For now, it's important to understand that analysts are tasked with detecting, analyzing, and responding to threats. The analysis step is critical for warding off false positives. An important part of the analysis step is compiling indicators of compromise, or IOCs. A baseline of activity and metrics is developed beforehand and then applied to any events that raise suspicion. Indicators include unusual outbound traffic, anomalies in privileged user account activity, and an unusual occurrence of encrypted traffic, among others.
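The baseline-then-compare idea from the description, worked through as an added example (this is not code from the course or its instructor). The per-host daily flow summaries are constructed for illustration; the z-score threshold, the minimum-spread floors and the host names are assumptions. It covers two of the indicators named above, unusual outbound volume and an unusual share of encrypted traffic; privileged-account anomalies would need authentication logs, which this example does not model.

```python
"""Baseline-then-compare check over per-host daily flow summaries.

Added example for this page; not code from the course or its author.
Records, thresholds and host names are constructed assumptions.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed baseline window: (day, host, outbound_bytes, encrypted_outbound_bytes)
BASELINE_DAYS = [
    ("d1", "ws-01", 1_000_000, 200_000),
    ("d2", "ws-01", 1_100_000, 220_000),
    ("d3", "ws-01",   900_000, 180_000),
    ("d4", "ws-01", 1_050_000, 210_000),
    ("d5", "ws-01",   950_000, 190_000),
    ("d1", "ws-02", 2_000_000, 1_000_000),
    ("d2", "ws-02", 2_200_000, 1_100_000),
    ("d3", "ws-02", 1_800_000,   900_000),
    ("d4", "ws-02", 2_100_000, 1_050_000),
    ("d5", "ws-02", 1_900_000,   950_000),
]

# Constructed observations for the day being scored, same record layout.
TODAY = [
    ("d6", "ws-01", 9_000_000, 8_500_000),   # large, mostly encrypted, out of character
    ("d6", "ws-02", 2_100_000, 1_050_000),   # within its usual range
    ("d6", "srv-09",  300_000,    10_000),   # never seen during the baseline window
]


def build_baseline(records):
    """Per-host mean and population standard deviation of daily outbound
    bytes and of the encrypted share of those bytes."""
    samples = defaultdict(lambda: {"out": [], "enc": []})
    for _day, host, out_bytes, enc_bytes in records:
        samples[host]["out"].append(out_bytes)
        samples[host]["enc"].append(enc_bytes / out_bytes if out_bytes else 0.0)
    return {
        host: {
            "out_mean": mean(s["out"]), "out_sd": pstdev(s["out"]),
            "enc_mean": mean(s["enc"]), "enc_sd": pstdev(s["enc"]),
            "days": len(s["out"]),
        }
        for host, s in samples.items()
    }


def score(baseline, records, z=3.0, min_out_sd_frac=0.10, min_enc_sd=0.05):
    """Flag records that exceed mean + z * sd for either metric.

    A floor is applied to each standard deviation so that a host whose
    baseline happens to be perfectly steady (sd == 0) does not alert on
    every tiny deviation. Hosts with no baseline are reported explicitly
    rather than silently skipped. Returns (day, host, indicator,
    observed, threshold) tuples.
    """
    findings = []
    for day, host, out_bytes, enc_bytes in records:
        b = baseline.get(host)
        if b is None:
            findings.append((day, host, "no baseline for host", out_bytes, None))
            continue
        out_sd = max(b["out_sd"], min_out_sd_frac * b["out_mean"])
        out_threshold = b["out_mean"] + z * out_sd
        if out_bytes > out_threshold:
            findings.append((day, host, "outbound volume spike",
                             out_bytes, round(out_threshold)))
        enc_share = enc_bytes / out_bytes if out_bytes else 0.0
        enc_threshold = b["enc_mean"] + z * max(b["enc_sd"], min_enc_sd)
        if enc_share > enc_threshold:
            findings.append((day, host, "unusual encrypted share",
                             round(enc_share, 3), round(enc_threshold, 3)))
    return findings


if __name__ == "__main__":
    for finding in score(build_baseline(BASELINE_DAYS), TODAY):
        print(finding)
```

Run as written, it reports three findings: ws-01 on both metrics, and srv-09 because it has no baseline at all, while ws-02 stays quiet. A host that is absent from the baseline is itself worth a second look, which is why it is surfaced instead of dropped. Real deployments would build the baseline from weeks of NetFlow or similar summaries and tune the floors and z per environment.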

Video Transcription

00:04
Other things to think about are the analysts themselves.
00:07
I mentioned this idea earlier from a financial point of view,
00:12
but if your organization is large enough and you've got enough maturity in the cyber security program,
00:19
then you probably will have a tactical threat analyst, an operational threat analyst, and a strategic threat analyst.
00:26
these functions could be performed by
00:28
the same team, for instance, if your organization is a little bit smaller.
00:33
But as the
00:34
organization gets larger and larger, it might make more sense to break these into separate functions.
00:40
Or at least you've got a
00:42
CTI team with different analyst roles within it.
00:49
And these are great things to focus on as far as
00:55
having a
00:56
level of expertise
00:58
for that particular function
01:00
because a tactical threat analyst is going to have slightly different priorities and methods and tools than someone who's working at the strategic level. That makes sense.
01:10
So the idea would be that these different types of analysts would work together,
01:15
sharing information where it's appropriate
01:18
in order to
01:19
look at the bigger picture and the smaller picture, and maybe the medium sized picture
01:23
first,
01:25
detecting and responding to APTs.
01:29
Sometimes the APT is not discovered for years at a time.
01:33
And that's where the tactical, operational, and strategic
01:38
threat identification could play a big part,
01:41
because there may be some near term indicators
01:45
that
01:46
that seemed to point to a threat that's in the environment.
01:49
And then when it's studied over a larger timescale and using different types of information, it might be determined, hey, we've got a bigger problem than we thought, and it's more pervasive than we thought.
02:00
And therefore, that's the benefit of these different levels of focus as it relates to time frames.
02:07
One of the biggest tricks of any threat intelligence program would be to identify false positives.
02:14
It's very easy to get excited and think that you found something that's actionable,
02:20
but really there needs to be some sort of verification or validation steps
02:24
so that the organization doesn't waste time
02:27
chasing its tail.
02:29
The idea that you should
02:30
be able to verify the information from maybe two or maybe three different sources is a pretty good rule of thumb to follow.
02:38
This way you could do some correlation and some verification from
02:42
different places, different sources, differing threat feeds, for instance.
02:46
And this provides more assurance or confidence to your management when they decide to
02:53
pull the trigger and say, okay, we've got a big problem, let's get the incident response team going on this.
02:58
So, talking again about indicators of compromise,
03:00
I've got several of them listed here, and these are all
03:04
things that might be
03:06
suspicious. They might be malicious,
03:09
for instance, any kind of large amount of traffic
03:13
compared to a baseline.
03:15
The baseline concept is pretty important. It applies to a lot of different things, but
03:20
in the cyber security sense,
03:23
having a baseline of
03:27
security configurations,
03:29
performance considerations, and so on is very important, because what this means is
03:35
that you've got some point of reference to say that we've measured
03:38
a typical workday. For instance,
03:43
we know that there's a certain amount of
03:46
streaming video traffic. There's a certain amount of
03:50
encrypted communications coming in and out of the environment.
03:53
There might be a certain expected amount of email traffic, and so on.
03:59
There are really great tools for measuring these kinds of things, things like NetFlow,
04:03
which basically will let you look at
04:06
the metadata of all the packets on your network,
04:10
which is basically the headers, right.
04:12
And
04:13
this will let you categorize the traffic to say that we've got this percent of
04:17
streaming video. This percent of
04:21
regular http traffic, some other percentage of FTP traffic or whatever is appropriate.
04:29
And if you look at that information over longer time frames, it becomes easier to spot anomalies.
04:34
So the longer timeframe becomes sort of a baseline. And then you look for
04:40
unusual spikes in that traffic, too,
04:42
to say, okay, well, it looks like maybe there is a denial of service attack happening.
04:46
Or maybe there's a worm outbreak, and this explains the spikes in outbound traffic
04:53
to an
04:55
IP address, a public IP address that's got a poor reputation score.
05:00
You could go on and on for quite a while, thinking of all the different types of indicators of compromise.
05:05
This is just a small
05:08
list to get you started
05:10
and to think about, how would you measure this?
05:13
How would you measure, for instance, something like patching anomalies?
05:17
If you've got a well-defined program for patching
05:20
and systems are getting patched outside of the normal maintenance window, then that's a potential IOC.
05:28
What about data in suspicious locations?
05:31
I mentioned this in an earlier conversation.
05:34
Intruders typically will bundle up information that they're intending to exfiltrate.
05:41
In the meantime, they've got to find a place to keep it
05:44
hopefully so that it doesn't get discovered until the time is right for them to pull the data back out,
05:49
so you could use tools like file integrity verifiers.
05:55
Tripwire is a good example of this.
05:58
Looking for alternate data streams,
06:00
or just doing searches for zip archives or any other archive-type file,
06:06
these could be
06:08
indicators that something strange is going on, especially if those files are password protected or encrypted,
06:14
and nobody knows anything about it. And that's not a normal way of doing business. That looks suspicious just on its own.
06:21
Strange ports and addresses on the network:
06:25
again, something like NetFlow is useful for this kind of thing.
06:30
These are great ways to correlate as well. You might say,
06:33
okay, our NetFlow is showing strange amounts of traffic going to IP addresses that are unfamiliar, and we're also seeing some indicators on our IDS/IPS.
06:44
Maybe you correlate that with some firewall logs or even logs from your proxy.
06:47
Then you can start to paint a more complete picture to show where the connections are coming from, where they're going to
06:54
and if the traffic appears to be something other than what its headers imply.
07:00
A simple example of this might be something where you discover
07:04
a large amount of data that appears to be HTTP
07:10
on TCP ports, right?
07:12
That's what the header of the packet says. But inside the payload,
07:15
there's encrypted data
07:17
That shouldn't be the case. If it's HTTP,
07:19
the entire payload should be in the clear, should be readable
07:24
by using a simple packet sniffer
07:26
or a protocol analyzer.
07:28
So if I discover HTTP packets with an encrypted payload,
07:32
there's an excellent chance that someone's
07:34
using a tunneling mechanism through HTTP, because that port is open
07:40
and you can get through the firewall with it.
07:42
That, by definition, should be treated as suspicious traffic.
07:46
You get the idea here on
07:47
which kinds of things to look for,
07:49
and as the analysts become more accustomed to their jobs and the tools are more refined and tuned to eliminate false positives,
07:59
then your list of potential IOCs
08:03
might expand quite a bit.
08:05
And then, hopefully you've got the right criteria and the right thresholds to understand
08:09
if a particular IOC appears to be happening,
08:13
you should be able to drill down a little bit deeper and find out if it's real. All right, so that's the end of this module. We'll see you in the next one. Thank you.

Up Next

Intro to Cyber Threat Intelligence

The CTI course consists of 12 information-packed modules. CTI is a critical function within any organization that involves roles like analysts, methodologies, tools, teams, and policies. From threat analysis to the Cyber Kill Chain, learn it here.

Instructed By

Dean Pompilio
CEO of SteppingStone Solutions
Instructor