Time
4 hours 8 minutes
Difficulty
Intermediate
CEU/CPE
4

Video Description

In part 2 of the deep dive into CKC7, we look at the evidence presented by IOCs. This data can then be instrumental in uncovering adversary activity. Exploits such as keyloggers can provide a big advantage to an intruder by capturing keystrokes in real time that can reveal passwords. Evidence that one has been installed is a strong IOC. Remote Access Trojans (RATs) and spyware are also evidence of a compromise and can be extremely dangerous. The video concludes with a discussion of social engineering and the various tactics employed, from in-person exploits to phishing to phone exploits.

Video Transcription

00:04
Now we think about
00:06
looking at all that data there could be. Okay, we've got some IOCs. We see some evidence that
00:12
information is now coming from and going to
00:17
some of our systems, and we need to do something about this.
00:21
One of the most insidious things to try and track down and eradicate would be a key logger.
00:27
A key logger is a tremendous advantage for the attacker because they can
00:32
capture credentials directly.
00:33
They don't have to worry about breaking
00:36
encryption or cracking passwords
00:39
because they've got a presence on the victim machine and they just capture the keystrokes as they happen.
00:45
Now, this
00:46
the act of installing the key logger, or when the key logger tries to send its data back to the attacker, that might generate additional activity in the network, which could then be used to point
00:58
to that activity as an IOC.
01:00
Same thing could be said about remote access Trojan.
01:03
This is exceptionally dangerous if this happens in your environment,
01:08
and really it's a very challenging goal for the attacker as well.
01:15
But if a RAT does in fact infect a victim's machine, the attacker may gain complete full control as if they were sitting right there in front of it.
01:23
They've got control over the mouse, they've got control of the keyboard,
01:27
and
01:27
they'll depending on how, when the attack takes place,
01:34
the intruder may also
01:36
be lucky, and the victim was logged in with an escalated privilege account when the attack occurred.
01:42
So the victim was logged in as administrator or as root
01:47
when the RAT takes control.
01:49
Now, the intruder also has administrative or root privileges.
01:53
There could be detections of this activity that could be IOCs that are generated
02:00
in order to say that we know that certain points are in action. We saw certain gated moving around, so that looks like
02:06
Ah, well, a RAT. Let's generate an IOC for this information
02:10
and make it part of our knowledge base,
02:15
Then there could be clues like applications that weren't running before that are now running. When the victim returns to the machine,
02:23
they see that some other programs have started. Or perhaps programs that were running have been shoved out.
02:30
There might be new services, or new network connections that weren't there before, so
02:36
any one of these might be investigated as a possible IOC.
02:43
Moving on to spyware.
02:44
This takes in many different forms
02:46
everything from monitoring all traffic coming in and out of the USB port.
02:51
That's a great type of spyware. If you're able to get down to a system
02:54
so now a thumb drive or an external hard drive, all the data going into and from it can be monitored.
03:00
It's extremely useful for the attacker.
03:02
Spyware also might be something more,
03:06
more traditional, like
03:07
trying to look at all of your email trying to discover all of your Web browsing history.
03:13
Since these can reveal
03:15
tantalizing clues for the attacker to go further with their attempts to phish somebody or steal an identity or steal credentials.
03:25
For instance, if an attacker gains control of an email account,
03:30
the victim might notice something's going on because it seems like they're not getting certain messages, which they
03:35
were assured have been sent.
03:38
Maybe there's evidence on a bunch of messages being deleted,
03:42
and the victim knows they didn't do that, So
03:45
that raises suspicions yet again.
03:49
Another trick for a compromised email account would be to try to figure out all of the websites that the victim goes to
03:54
and then request password resets from those websites.
03:59
The intruder then would intercept those password resets,
04:02
change the password to something that they like and then delete that email.
04:08
Now the victim doesn't know that the password reset has even occurred
04:11
unless they have some other out of band notification, like a text to your mobile phone.
04:16
That sometimes is done as a secondary check.
04:19
Just to make sure that
04:20
the activity was authorized by the actual
04:25
owner of that account.
04:27
Other types of spyware involve
04:29
remotely enabling
04:30
microphones and webcams.
04:34
This has obvious implications for anyone working in a
04:38
high security environment.
04:41
And one thing that could be done as a way of system hardening is to just administratively disable
04:48
microphones and cameras when they're not needed,
04:51
if they're not needed for official business purposes, they can just remain disabled.
04:58
This gives a clue, however, once someone does the investigation
05:02
and says, Okay, well, I've determined that the Web camera and microphone have been re enabled.
05:08
Therefore, this is a possible IOC and should be investigated.
05:12
You can kind of see how
05:14
the common attack techniques might leave behind some clues or some residual information, which can point to a compromise.
05:23
Then we move on to social engineering,
05:25
one of my favorite topics.
05:27
Social engineering is supposed to be most effective face to face,
05:31
and the reasons for this are
05:34
are very wide and varied.
05:36
But the main idea is that
05:39
it's the social engineer
05:41
is very skilled at
05:44
acting. Basically,
05:46
they can
05:46
change their voice as needed. They can change their appearance as needed
05:51
and change their behavior as well. Because they're trying to play the role of
05:58
a component of the attack
06:00
could be the
06:00
putting on a uniform and carrying some equipment to make it look like you're an electrician or some other kind of repairman.
06:09
It could be
06:10
carrying a clipboard
06:12
and a
06:14
a bunch of books to make it look like you're doing some auditing or some other kind of checking.
06:18
Very simple things like this can be effective
06:21
against an unwitting victim.
06:26
Now, how we detect that
06:28
if you're a victim of social engineering attack, that's face to face.
06:31
How would you notice that
06:33
the adversary is
06:36
interacting with you instead of a legitimate
06:40
business person?
06:42
One of the easiest ways to do this is to think about people's different levels of sensitivity
06:47
to the unusual or to
06:50
people that they might consider to be
06:53
suspicious.
06:55
We've all heard the expression, you know, had a gut feeling about this person or had a gut feeling about what they said.
07:01
Gut feelings are typically very,
07:04
very convincing,
07:06
and
07:08
they should be paid attention to, especially if you're working in an environment that has high security.
07:14
Perhaps the social engineer approaches the victim and asks for information, which seems out of place
07:19
responding with a simple question, such as, Who are you again? Can I see your badge?
07:26
Who authorized you to request this information from me?
07:30
Anything that constitutes some kind of a probing question back to the social engineer that's performing the attack
07:36
might reveal the fact that it is, in fact, an attack,
07:41
because the engineer is most likely to try to change the subject
07:46
or try to,
07:47
you know, leave the area
07:49
so that they can escape from further questioning.
07:51
They might also
07:54
try to escalate the attack
07:56
by claiming that they have authority
07:59
given to them from someone else higher up the chain.
08:01
You know, if you don't help me with this, I'm gonna report you to your boss
08:05
or the classic, Do you know who I am? Or do you know who I work for?
08:11
These intimidation tactics may be successful against a wide range of people.
08:16
Not everybody is going to stand their ground and demand an answer
08:20
because they might not want to appear to be rude or uncooperative or unprofessional.
08:26
Other types of social engineering attacks take place over email.
08:30
We might think of these as just phishing attacks,
08:33
but generally there are some social engineering components. There's some kind of enticement,
08:39
some kind of scenario
08:41
and maybe even the, uh,
08:46
the potential for danger. You get an email saying that your bank account
08:52
has been shown to have suspicious activity. Better log in right away and verify these transactions.
08:56
A lot of people might click that link
08:58
and take that action, not realizing that they've just been tricked into going to
09:03
a copy
09:05
of their bank's website, which is only there to harvest their credentials.
09:09
So, you know, it could be a powerful tool
09:11
for this purpose. But on the other hand,
09:13
frequently phishing emails or social engineering emails have mistakes in them.
09:18
Could be missing words.
09:20
Poor punctuation
09:22
poor syntax.
09:24
The
09:24
email just has something that seems off about it. It doesn't appear to be an official correspondence from that vendor.
09:31
So this goes back to the idea of getting proper security awareness training
09:37
and even
09:39
testing people once in a while by performing phishing exercises, which are intended
09:43
to elicit a response from the user
09:46
so that people can be better trained to say Okay, I did not click the link. Therefore, I passed the test.
09:52
Someone else over here did click the link. They thought this was a legitimate email and they flunked the test.
09:56
Now there's a learning opportunity, a learning moment there,
10:01
and lastly we have the telephone,
10:03
probably the oldest one of the oldest tools for social engineering.
10:07
Because all the attacker has to do is focus on what they want to say,
10:11
how you want to say it, how they want to use their voice.
10:15
They might have a script in front of them with a bunch of topics
10:18
and the script might branch in two different directions, depending on the response of the victim.
10:22
This is very similar to the way that telemarketers work or anyone that sells
10:28
over the phone.
10:28
They've got a certain thing that they need to say and then
10:31
depending on what the victim says, or what their potential customer says, they can adapt their techniques.
10:37
This could be a lot less challenging to do than doing this in person, because
10:43
in person
10:43
the attacker has to do the same task. They still have to adjust their
10:48
their verbal techniques, but they also have to control their body language and use it effectively.
10:52
Whereas doing this over the phone does not require a strong sense of body language; you just have to keep your voice
11:00
controlled so that it conveys the correct sentiment to the person on the other end.

Instructed By

Dean Pompilio
CEO of SteppingStone Solutions
Instructor