Time
4 hours 8 minutes
Difficulty
Intermediate
CEU/CPE
4

Video Description

This final video in Module 9 ties things together by discussing how to identify and categorize malicious activity in order to get a clear picture of the attacker and what they're up to. This consists of determining whether the attacker is inside or outside the organization, the type of user privileges they've managed to obtain, and the attacker's intent. Again, correlating intel data is critical to obtaining a clearer picture of the attack and the attackers. This goes back to examining and correlating data from the entire suite of devices, such as NIDS, NIPS, HIDS, HIPS, and the SIEM. Dean then covers the importance of incident response team interaction. Stakeholders must be kept in the loop during an evolving incident. Tight coordination of the various staff is critical, and regular update meetings, sometimes as often as every 15 minutes, are required to keep senior management apprised of the situation as it unfolds. The video concludes with Dean discussing malware reverse engineering. This process can yield vital clues as to who designed the malware and methods for detecting similar exploits in the future. It's critical that a malware lab isolated from other networks be used for the analysis in order to prevent further infection of other systems.
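As an added example (not part of the video or the course materials), here is a small correlator that does the categorization the description talks about, run over a handful of constructed NIDS, HIDS, HIPS and antivirus records: it groups events by host, decides from the observed source addresses whether the activity originated inside or outside the network, works out whether a regular account, a privileged account, or an escalation from one to the other was involved, and notes whether an antivirus quarantine and a HIPS-blocked command-and-control connection line up on the same host. The key=value log format, the hostnames and addresses, and the RFC 1918 ranges used to mean "inside" are all assumptions made for the example.

```python
"""Added example, not from the video: correlate constructed NIDS/HIDS/HIPS/AV
events per host and categorize the activity (origin, privilege, intent)."""
import ipaddress
import re
from collections import defaultdict

# Constructed sample records. The key=value layout is an assumption for this
# example, not any vendor's real log format.
SAMPLE_EVENTS = [
    'sensor=nids ts=1 host=web01 src=203.0.113.45 dst=10.0.5.20 sig="SQLi attempt in login form"',
    'sensor=hids ts=2 host=web01 user=www-data event="new process" cmd="/tmp/.x/priv-esc"',
    'sensor=hids ts=3 host=web01 user=root event="uid change" from=www-data',
    'sensor=av ts=4 host=ws17 user=jdoe event=quarantine file="invoice.exe" family=loader',
    'sensor=hips ts=5 host=ws17 src=10.0.7.33 dst=198.51.100.9 dport=443 action=blocked reason="known C2"',
    'sensor=nids ts=6 host=ws17 src=10.0.7.33 dst=10.0.9.0/24 sig="port sweep"',
]

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Assumed internal address plan: RFC 1918 only. Real deployments substitute
# their own ranges (and should not rely on ipaddress.is_private, which also
# flags documentation ranges such as 203.0.113.0/24).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
PRIVILEGED_ACCOUNTS = {"root", "administrator", "system"}


def parse_event(line):
    """Turn one key=value record into a dict, stripping surrounding quotes."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def is_internal(addr):
    """True if the address (optionally with a /prefix) falls in an internal range."""
    try:
        ip = ipaddress.ip_address(addr.split("/")[0])
    except ValueError:
        return False
    return any(ip in net for net in INTERNAL_NETS)


def intent_hint(summary):
    """Infer intent only when independent sensors agree, as the video suggests."""
    if summary["malware_quarantined"] and summary["c2_callback_blocked"]:
        return "malware implant with C2 callback; contained by AV and HIPS, check for lateral movement"
    if summary["privilege"] == "escalated" and any("SQLi" in i for i in summary["indicators"]):
        return "web application compromise followed by privilege escalation"
    return "insufficient correlation; keep collecting"


def categorize(events):
    """Group events by host and answer the analyst's first questions:
    insider or outsider, what privilege level, and what the correlated
    AV + HIPS + NIDS events suggest about intent."""
    by_host = defaultdict(list)
    for line in events:
        ev = parse_event(line)
        by_host[ev.get("host", "unknown")].append(ev)

    report = {}
    for host, evs in by_host.items():
        sources = [e["src"] for e in evs if "src" in e]
        users = {e["user"].lower() for e in evs if "user" in e}
        privileged = bool(users & PRIVILEGED_ACCOUNTS)
        regular = bool(users - PRIVILEGED_ACCOUNTS)
        # A regular account and a privileged account on the same host plus a
        # recorded uid change is the escalation pattern the video describes.
        escalated = regular and privileged and any(e.get("event") == "uid change" for e in evs)
        if escalated:
            privilege = "escalated"
        elif privileged:
            privilege = "privileged"
        elif regular:
            privilege = "regular"
        else:
            privilege = "unknown"

        # Origin is the analyst's first cut at insider vs outsider: where did
        # the observed connections come from?
        if not sources:
            origin = "unknown"
        elif all(is_internal(s) for s in sources):
            origin = "internal"
        else:
            origin = "external"

        summary = {
            "origin": origin,
            "privilege": privilege,
            "malware_quarantined": any(e.get("sensor") == "av" and e.get("event") == "quarantine" for e in evs),
            "c2_callback_blocked": any(e.get("sensor") == "hips" and e.get("action") == "blocked" for e in evs),
            "indicators": sorted({e[k] for e in evs for k in ("sig", "reason", "event") if k in e}),
        }
        summary["intent_hint"] = intent_hint(summary)
        report[host] = summary
    return report


if __name__ == "__main__":
    for host, summary in categorize(SAMPLE_EVENTS).items():
        print(host, summary)
```

The point of the example is the correlation, not any single rule: on its own, a HIPS "blocked" line or an AV quarantine is noise, but the two together on one host, followed by a NIDS port sweep from that host, is the picture the analyst is trying to assemble before the incident response team is invoked.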

Video Transcription

00:04
So how do an organization's analysts
00:06
categorize suspicious activity once they've identified it?
00:11
There are a lot of different questions that might be asked, but there are some high-level ones which make sense right off the bat.
00:16
It's certainly important to know if this was an insider or an outsider performing the attack
00:22
or generating the threat, whatever terminology you want to use.
00:27
This brings us back to the importance of network-based
00:31
IDS and IPS
00:33
working in conjunction with host-based IDS and IPS.
00:37
This way you can see the events coming from the public Internet, for instance, maybe going through the DMZ,
00:44
trying to connect to systems that are within the intranet.
00:49
So those host-based and network-based detection methods will
00:54
provide good value once you can properly correlate that information.
00:57
Also, there should be some understanding of whether or not the
01:00
attacker was a regular user or
01:03
a privileged user.
01:04
Did they perform their actions with a regular account,
01:08
thereby indicating that there are some other weaknesses in the environment that should be addressed?
01:15
Or were they able to escalate their privileges to become an administrator or root?
01:19
Studying the way that the privilege was escalated would reveal a lot of good information as well.
01:25
It could be that the attacker brought some tool
01:27
with them and implanted it on the victim's system, and that allowed them to escalate their privileges.
01:34
Or they might have taken advantage of an existing vulnerability on the victim's system
01:40
to escalate privileges.
01:41
These should be well understood so that there can be
01:45
some indication of how powerful this adversary is.
01:49
What kind of capabilities do they have? What kind of tools are they using?
01:53
Maybe they are an individual. Or maybe they are part of a larger group that's well funded,
01:59
perhaps even state-sponsored
02:00
hacking from another country.
02:04
So once the capabilities are better understood, there could be another layer of analysis done to try to infer their intentions.
02:14
You could do this based on what was targeted.
02:15
If it's people, if it's information in a database, if it's a denial-of-service attack,
02:23
maybe someone's trying to hijack
02:24
a session to a cloud computing environment
02:29
so they can get in with administrative credentials and destroy
02:31
the infrastructure that was
02:35
set up for the customer.
02:37
Maybe their intent is to deny service
02:39
for one particular user because they are spear phishing or whaling,
02:45
or the denial of service could be much broader in scope,
02:47
where it's a distributed denial of service
02:50
and now thousands of bots as part of a botnet could be controlled to direct their traffic towards a public website or something of this nature.
03:01
In all these scenarios, it could be just one person doing the work.
03:07
More likely than not with larger-scale attacks there are going to be more than one person, but not always.
03:13
This kind of activity is very asymmetrical.
03:15
One person with enough skill and technique
03:19
and time
03:20
can accomplish a lot of these goals by themselves.
03:23
We can't forget SQL injection.
03:25
It's a very powerful technique which allows an adversary to get access to a backend database.
03:31
The methods of doing it are quite widely varied. It could be
03:36
trying to inject SQL code into a login field or an email field,
03:40
a phone number field, a search field.
03:44
Any place on a public-facing web app that does not perform proper input validation could be vulnerable.
03:52
Input validation, as some of you already know, is the process of inspecting any input taken from a user to make sure that it conforms exactly to what the application expects.
04:06
For instance, if you were entering in a phone number
04:10
in a field on a Web form,
04:12
input validation should verify that you're only entering digits.
04:16
There should not be any letters.
04:17
There probably shouldn't be any special characters besides the dash and maybe parentheses.
04:24
Those are the only characters that make up
04:26
a phone number as it's normally represented.
04:30
So these are other indications that adversarial activity is taking place.
04:34
There might even be methods to use SQL injection to interact with the underlying operating system
04:41
to run commands in a shell, or to do things like enumerate the network.
04:46
All these clues should be used in conjunction with other monitored events to see if
04:53
the adversary is doing something beyond what was initially anticipated
05:00
As far as where the data comes from, we already touched on the outer perimeter.
05:04
The network-based IDS and the NIPS can provide such a great amount of data because
05:10
you can monitor all the traffic into and out of your public-facing network like the DMZ,
05:16
the connection between the DMZ zone and your intranet zone,
05:21
and any other adjacent security zones.
05:25
Network based tools for this are invaluable,
05:29
and, as I pointed out before, sometimes the NIDS or the NIPS is on either side of a firewall to capture all the information going through from one zone to another, whichever direction it is.
05:42
Your host-based HIPS or HIDS might also be correlated with network data, but could also be correlated with antivirus information.
05:53
Maybe malware was installed on a host and tried to make an outbound connection to call its command-and-control server.
06:02
Maybe the malware got quarantined,
06:04
and maybe the hips prevented the connection.
06:06
So there should be some logged events
06:10
for both of those different products to show that this actually occurred and
06:14
to understand its significance in the greater examination or investigation.
06:20
And then we can't forget the SIEM device,
06:24
because all the other endpoints, like routers, firewalls, switches, proxies,
06:29
all these other things could also be sending some events, so that should be brought into
06:34
the network- and host-based data collection process to see if there's anything useful there that could be used to help with the investigation.
06:46
Now, if we think about incident response teams, there are some considerations for how these should be used. As I pointed out in previous conversations, some decision maker needs to decide whether to invoke the incident response team, and that should not be taken lightly.
07:01
There should be some credible information that proves that this incident goes beyond just some unrelated small-scale events.
07:12
So naturally, there are policies and procedures created
07:15
to notify all of the appropriate stakeholders.
07:18
This could be done through various means: simple email, text messages in conjunction with email, calling an emergency meeting. The response will vary depending on the scope of the incident that's been discovered.
07:36
Once the incident response team has been put into motion, it's natural that some sort of triage will take place,
07:45
and this means that certain individuals will be
07:47
assuming an intermediary role between management
07:51
and the technical staff and perhaps even the legal staff,
07:57
because when a large-scale attack happens,
08:01
there needs to be good communication. For instance, senior management wants to know
08:05
that all the appropriate people are on the job and that they're doing what they're supposed to be doing.
08:09
They might also request updates every 15 minutes, every 30 minutes, every 60 minutes
08:15
to see what the progress is
08:16
for containment of the problem or
08:20
even recovery or resolution of the problem.
08:24
So the persons doing the triage function
08:26
need to keep management informed.
08:28
But they also need to communicate with the people that are doing the technical work
08:31
to find out if they've managed to fix the problem yet, or if they've managed to discover the source of the infection, or
08:39
if they have been able to keep the problem contained, and therefore it's not a danger to any other hosts on the network.
08:46
These are very important considerations,
08:48
and that should
08:50
be a primary focus of triage.
08:52
It has to keep everybody well informed: the technical people know what management wants, management knows what the technical people are finding out,
09:01
and maybe your public relations or your legal departments are also involved
09:05
because they've got to start preparing some response for a public announcement, perhaps.
09:13
Then lastly, we can think about malware reverse engineering.
09:18
One of the biggest requirements here is to make sure that the sandbox or the reverse engineering lab is properly isolated,
09:28
because if malware is discovered,
09:30
it needs to be studied
09:31
in an environment that prohibits that malware from spreading to other systems.
09:37
The forensics workstation or the forensics lab, which might have multiple systems, should be
09:45
air-gapped from any other networks.
09:48
There should not be any path from a production network to the malware and forensics lab.
09:56
This makes all the sense in the world; you don't want something accidentally spreading to production systems if it was already isolated in quarantine.
10:05
Typically, virtual machines are used for this purpose
10:09
because it's very easy to set them up with very restrictive networking
10:13
so that the malware can now be studied in its natural habitat, so to speak.
10:18
The malware might be allowed to run,
10:20
and various monitoring solutions are put into place to see what kind of network connections it's making
10:26
to see which domain names or I P addresses are
10:30
encoded in the malware, perhaps to contact a command-and-control system
10:35
or handler system.
10:37
So the behavior of the malware
10:39
should indicate what it's trying to do: if it's trying to change registry settings,
10:45
if it's trying to change system configuration files, and so on.
10:50
So if the code can be brought into a disassembler or a debugger,
10:56
it might be able to be examined
10:58
in a static mode. This means that the program's not running
11:03
and the code is looked at.
11:05
Like what we're seeing in the image here: you've got a bunch of HTML, you've got some assembler or some C, C++, Ruby, Python, you name it.
11:13
Malware could be created with many, many different tools.
11:18
So that static analysis gives some indication as to what the malware is capable of, maybe even some clues about who designed it.
11:26
Sometimes malware authors will leave their call sign
11:30
in the source code,
11:31
hoping that someone will find it and they can get credit.
11:35
Trying to trace that call sign or that tag back to the actual individual can be a challenge. But
11:41
it is something that has been done before, and it's worth
11:45
investigating.
11:46
There's also dynamic analysis, where the code, the malware, is monitored while it's running and while it's doing what it's supposed to be doing.
11:56
As I said a few minutes ago, this could involve network connections,
12:03
actions to write or read data from storage, whether it's USB storage or a spindle disk or SSD storage,
12:11
actions that read and write data from memory, or the registry, or the kernel or drivers. All these things could be areas where anomalies might be detected.
12:24
I hope you enjoyed the chapter on a deeper dive into the cyber kill chain. See you in the next module. Thank you.
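The SQL injection and input validation points the video makes around the 03:23 to 04:46 marks, as an added example that is not part of the video: a phone-number lookup written the vulnerable way, with the field value concatenated into the query, next to the same lookup hardened with the two controls described, validation that the field contains only digits, dashes and parentheses, and a parameterized query so that whatever does get through is bound as data rather than parsed as SQL. A small pattern check is included because, as the video says, an injection payload sitting in a phone or search field is itself an indicator worth correlating with other events. The table, the rows, the length bounds on the phone number and the SQLi patterns are constructed for the example.

```python
"""Added example, not from the video: a phone-number lookup written the
vulnerable way (string concatenation), then hardened with the two controls the
video describes, input validation on the field and a parameterized query."""
import re
import sqlite3

# Per the video: a phone number field should accept only digits, dashes and
# parentheses. The 7..20 length bounds are an assumption for the example.
PHONE_RE = re.compile(r"^[0-9()\-]{7,20}$")

# Coarse signatures that, appearing in a phone/login/search field, are an
# indication of adversarial activity worth correlating with other events.
# (Word-level hints like OR will false-positive on free text; tune per field.)
SQLI_HINT_RE = re.compile(r"""('|"|--|/\*|;|\bOR\b|\bUNION\b|\bSELECT\b)""", re.IGNORECASE)


def is_valid_phone(value):
    """Input validation: the value must look exactly like a phone number."""
    return PHONE_RE.fullmatch(value) is not None


def looks_like_sqli(value):
    """Detection side: flag field values carrying SQL metacharacters/keywords."""
    return SQLI_HINT_RE.search(value) is not None


def setup_db():
    """In-memory SQLite table with constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, phone TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users (name, phone, role) VALUES (?, ?, ?)",
        [("alice", "555-0100", "admin"), ("bob", "(555)0101", "user")],
    )
    return conn


def lookup_by_phone_vulnerable(conn, phone):
    """Deliberately vulnerable: the field value is concatenated into the SQL,
    so a payload such as  ' OR '1'='1  turns the WHERE clause into a tautology."""
    sql = "SELECT name, role FROM users WHERE phone = '" + phone + "'"
    return conn.execute(sql).fetchall()


def lookup_by_phone_parameterized(conn, phone):
    """Parameterized: the value is bound by the driver and never parsed as SQL."""
    return conn.execute("SELECT name, role FROM users WHERE phone = ?", (phone,)).fetchall()


def lookup_by_phone_hardened(conn, phone):
    """Both layers: reject anything that is not a phone number, then bind."""
    if not is_valid_phone(phone):
        raise ValueError("phone number failed input validation")
    return lookup_by_phone_parameterized(conn, phone)


if __name__ == "__main__":
    db = setup_db()
    payload = "' OR '1'='1"
    print("vulnerable:    ", lookup_by_phone_vulnerable(db, payload))
    print("parameterized: ", lookup_by_phone_parameterized(db, payload))
    print("flagged as SQLi:", looks_like_sqli(payload))
```

Running it shows the vulnerable lookup returning every row for the tautology payload while the parameterized lookup returns nothing, and the hardened lookup rejects the payload before the database ever sees it. Validation and parameterization are independent: the parameterized query alone already stops the injection, and validation alone would still leave a concatenated query exploitable by any payload that happens to fit the allowed character set, which is why both are used together.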

Up Next

Intro to Cyber Threat Intelligence

The CTI course consists of 12 information-packed modules. CTI is a critical function within any organization that involves roles like analysts, methodologies, tools, teams, and policies. From threat analysis to the Cyber Kill Chain, learn it here.

Instructed By

Dean Pompilio
CEO of SteppingStone Solutions
Instructor