Cyber Kill Chain Analysis - CKC7 Deep Dive


Time: 4 hours 8 minutes
Difficulty: Intermediate
CEU/CPE: 4
Video Description

Module 9 consists of three parts as we take a deeper dive into the Cyber Kill Chain 7 (CKC7). Deans discusses which IoCs are worth using for pivoting, along with the identification and categorization of network and host data, incident response, and malware reverse engineering. CKC analysis begins with notification of malicious activity. Physical monitoring, consisting of gates, guards, and security cameras, is concerned with protecting the perimeter. Similarly, on the network side, NIDS and NIPS provide defense between the public internet and the DMZ and between the DMZ and the private intranet. HIDS and HIPS are then discussed. These devices provide monitoring and defenses between the DMZ and intranet. Data passing across this boundary should be monitored for malicious data traversal. Such devices should be in place at the boundary of any adjacent security zone. The video concludes with a discussion of SIEMs and host-based IDS/IPS. Correlating events assists with the aggregation of intel to provide a better picture of the intruder.
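As an added illustration of the correlation and pivoting the description mentions (example code written for this page, not the course's or the instructor's): a minimal SIEM-style pass over constructed NIDS and HIDS log lines that first finds hosts where the network boundary sensor and the host agent agree within a time window, then pivots on one IoC taken from a network alert to find every host that touched it. The log format, sensor names and addresses are all assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample events, not from the course: ts|sensor|host|ioc|message.
# Hosts/IoCs use RFC 5737 documentation addresses; sensor names are assumptions.
SAMPLE_LOG = """\
2024-05-01T10:00:05Z|NIDS-DMZ|192.0.2.10|203.0.113.7|outbound TCP/443 to listed C2 address
2024-05-01T10:00:40Z|HIDS|192.0.2.10|invoice.exe|process spawned from mail attachment
2024-05-01T10:02:00Z|NIDS-INTRANET|192.0.2.22|203.0.113.7|outbound TCP/443 to listed C2 address
2024-05-01T13:00:00Z|HIDS|192.0.2.31|updater.exe|unsigned binary written to startup folder
"""

@dataclass
class Event:
    ts: datetime
    sensor: str   # NIDS-* = network boundary sensor, HIDS = host agent
    host: str     # internal host the event is attributed to
    ioc: str      # the pivotable indicator: remote address, file name, etc.
    msg: str

def parse_events(text: str) -> list:
    """Parse the pipe-delimited lines into Events, oldest first."""
    events = []
    for line in text.splitlines():
        ts, sensor, host, ioc, msg = line.split("|", 4)
        events.append(Event(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), sensor, host, ioc, msg))
    return sorted(events, key=lambda e: e.ts)

def correlate(events, window=timedelta(minutes=2)) -> dict:
    """Hosts where a network sensor and the host agent both fired within `window`.
    Agreement between the two vantage points is stronger evidence than either alone."""
    by_host = defaultdict(list)
    for e in events:
        by_host[e.host].append(e)
    hits = {}
    for host, evs in by_host.items():
        net = [e for e in evs if not e.sensor.startswith("HIDS")]
        hst = [e for e in evs if e.sensor.startswith("HIDS")]
        pairs = [(n, h) for n in net for h in hst if abs(n.ts - h.ts) <= window]
        if pairs:
            hits[host] = pairs
    return hits

def pivot(events, ioc: str) -> set:
    """Pivot on one indicator: every host with any event that references it,
    including hosts where no host-based sensor fired."""
    return {e.host for e in events if e.ioc == ioc}
```

Over the sample, `correlate` returns only 192.0.2.10 (network and host sensors agree within 35 seconds), while `pivot` on the C2 address also surfaces 192.0.2.22, which no host sensor flagged.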

Video Transcription
00:04
Hello. Welcome to the next module of the Introduction to Cyber Threat Intelligence.
00:09
This module, we're gonna take a closer look at analyzing the Cyber Kill Chain, CKC7.
00:16
This includes learning how to consider which IOCs are worth using for pivoting.
00:24
Also, look at data that comes from the network, data that comes from hosts or other endpoints.
00:30
Touch incident response.
00:33
Then we'll wrap up with malware reverse engineering. So one of the first things to think about is, if you've set up a proper monitoring solution and your environment is giving some indication that malicious or suspicious activity is taking place,
00:51
how can you use some piece of that information to pivot into other activity?
00:56
One thing to think about is the physical perimeter. You know, we have gates, guns, guards, security cameras, motion detectors.
01:06
But that's not really within the scope of this discussion. What we're more concerned about is the perimeter of the network.
01:15
This is where NIDS and NIPS devices come into play
01:19
because we have a typical organization with a DMZ. Perhaps they might have a network-based IDS or IPS between that boundary of the public internet and the DMZ.
01:34
You would expect there to be another firewall and IDPS, network-based IDPS, between the DMZ and the perimeter of the intranet.
01:48
The intranet must be protected properly from any unauthorized connections. And, of course, that should also be monitored so that there's a clear understanding of data that came from the public internet through the DMZ and subsequently into the intranet.
02:10
So the network-based IDS/IPS does not only exist at the perimeter; it could be at the boundary of any adjacent security zones.
02:20
For instance, your app server zone or a database server zone would be within the network perimeter generally.
02:29
So you have another network-based IDPS between those zones to see traffic coming in and out of those zones that's brokered by.
02:40
Some organizations will even put an IDPS on either side of the firewall to capture all network traffic going to and from the firewall in both directions.
02:53
This might seem like overkill, but in certain cases it's warranted.
02:58
Then we could think about narrowing the scope a little bit, concerning ourselves with host-based intrusion detection and prevention.
03:07
This is useful because we can correlate events, sometimes between the host-based monitoring and the network-based monitoring.
03:15
Also, it's useful because the host, if a malware infection happens at the host by clicking a link or installing software or opening up an attachment,
03:30
the host-based IPS has the best chance of stopping that infection exactly where it started, ideally preventing it from leaving the host and potentially affecting other hosts on the same network.
03:47
So there's a really good reason to have host-based and network-based working together.
03:53
We can then bring this back to our discussion about SIEM devices.
03:58
A SIEM device is generally host-based because you could configure servers, workstations, laptops, even mobile devices to send events to a SIEM server.
04:10
Not unlike syslog.
04:12
The SIEM device could also be getting events from routers and switches, firewalls, proxies, any type of network device that's compatible with the SIEM solution should be sending its data to that SIEM device. Now everything could be aggregated,
04:30
and you can get a much clearer big-picture understanding as to if there really is malicious activity, where's it coming from, where is it going to, and what seems to be the methodology of the intruder.