Hello. Welcome to the next module of the introduction to Cyber Threat Intelligence.
In this module, we're going to take a closer look at analyzing the Cyber Kill Chain (CKC7), consider which IOCs are worth, also look at data that comes from the network and data that comes from hosts or other endpoints, touch on incident response, and then we'll wrap up with malware reverse engineering.

So the first thing to think about is:
if you've set up a proper monitoring solution and your environment is giving some indication that malicious or suspicious activity is taking place, how can you use some piece of that information to pivot into other activity?
One thing to think about is the physical perimeter. You know, we have gates, guns, guards, but that's not really within the scope of this discussion. What we're more concerned about is the perimeter of the network.
This is where NIDS and NIPS devices come into play. A typical organization with a DMZ would perhaps have a network-based IDS or IPS at the boundary between the public Internet and the DMZ. You would also expect there to be another network-based IDPS between the DMZ and the perimeter of the intranet. The intranet must be protected properly from unauthorized connections, and, of course, that should also be monitored so that there's a clear understanding of data that came from the public Internet through the DMZ and therefore subsequently into the intranet.
So the network-based IDS or IPS does not only exist at the perimeter; it could be at the boundary of any adjacent security zones. For instance, your app server zone or a database server zone would generally be within the network perimeter. So you have another network-based IDPS between those zones to see what's coming in and out of those zones, so that traffic is brokered.
Some organizations will even put an IDPS on either side of the firewall to capture all network traffic going to and from the firewall. This might seem like overkill, but in certain cases it's warranted.
Then we could think about narrowing the scope a little bit and concerning ourselves with host-based intrusion detection and prevention. This is useful because we can sometimes correlate events between the host-based monitoring and the network-based monitoring.
Also, it's useful because the host, if a malware infection happens at the host by clicking a link or installing software or opening up an attachment, has the best chance of stopping that infection exactly where it started, ideally preventing it from leaving the host and potentially affecting other hosts on the same network. So there's a really good reason to have host-based and network-based working together.
Let me bring this back to our discussion about SIEM devices. A SIEM is generally host-based: you configure servers, workstations, laptops, even mobile devices to send events to a SIEM server, not unlike syslog. The SIEM device could also be getting events from routers and switches; any type of network device that's compatible with the SIEM solution should be sending its data to that SIEM device. Now everything can be aggregated, and you can get a much clearer big-picture understanding as to: if there really is malicious activity, where's it coming from? Where is it going to? What seems to be the methodology of the intruder?
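As an added example (not from the lecture), here is a small Python sketch of the kind of correlation a SIEM can do once host-based and network-based events land in one place: it parses constructed syslog-style lines from a hypothetical host agent ("hids") and a network sensor ("nids") and, for each network alert, pulls up the process events on the originating host in the preceding few minutes. The log formats, hostnames, IP addresses and the asset inventory are all assumptions made up for the example.

```python
import re
from datetime import datetime, timedelta

# Constructed sample events in a syslog-like format. The agents, hosts,
# addresses and message bodies are invented for this example only.
SAMPLE_LOGS = """\
Mar 12 10:14:02 ws-042 hids: proc_start user=alice image=outlook.exe
Mar 12 10:14:05 ws-042 hids: proc_start user=alice image=invoice.pdf.exe parent=outlook.exe
Mar 12 10:14:09 nids-dmz nids: alert sig="Suspicious TLS to rare host" src=10.0.5.42 dst=198.51.100.7
Mar 12 10:20:00 ws-017 hids: proc_start user=bob image=chrome.exe
Mar 12 11:02:11 nids-dmz nids: alert sig="Port scan" src=10.0.5.17 dst=10.0.9.3
"""

# Constructed asset inventory: which internal IP belongs to which host.
HOST_IPS = {"ws-042": "10.0.5.42", "ws-017": "10.0.5.17"}

LINE_RE = re.compile(r"^(\w{3} \d{1,2} \d\d:\d\d:\d\d) (\S+) (\w+): (.*)$")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')  # key=value or key="quoted value"


def parse_syslog(line, year=2024):
    """Parse one syslog-style line into a dict; return None for unparseable lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group(4))}
    return {"ts": ts, "host": m.group(2), "source": m.group(3), "msg": m.group(4), **fields}


def correlate(lines, window=timedelta(minutes=5)):
    """For each network alert, attach the host-agent events seen on the source
    host in the `window` before the alert fired (the SIEM-style pivot)."""
    events = [e for e in (parse_syslog(l) for l in lines.splitlines()) if e]
    alerts = [e for e in events if e["source"] == "nids"]
    host_events = [e for e in events if e["source"] == "hids"]
    ip_to_host = {ip: h for h, ip in HOST_IPS.items()}
    incidents = []
    for a in alerts:
        host = ip_to_host.get(a.get("src"))
        if host is None:  # source not in inventory: nothing to pivot on
            continue
        related = [h for h in host_events
                   if h["host"] == host and a["ts"] - window <= h["ts"] <= a["ts"]]
        incidents.append({"host": host, "src": a["src"], "dst": a["dst"],
                          "sig": a["sig"], "host_events": [h["image"] for h in related]})
    return incidents
```

Running `correlate(SAMPLE_LOGS)` ties the first alert back to the `outlook.exe` and `invoice.pdf.exe` process starts on ws-042, while the later scan alert has no host events inside its window, which is the "where is it coming from, where is it going to" picture the aggregated view gives you.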