Cyber Kill Chain Analysis – Putting the Pieces Together

This final video in Module 9 ties things together by discussing identifying and categorizing malicious activity in order to get a clear picture of the attacker and what they're up to. This consists of determining if the attacker is inside or outside the organization, the type of user privileges they've managed to obtain, and the attacker's intent. Again, correlating intel data is critical to obtaining a clearer picture of the attack and attackers. This goes back to examining and correlating data from the entire suite of devices such as NIDS, NIPS, HIDS, HIPS, and SIEM devices. Dean then mentions the importance of incident response teams interaction. Stakeholders must be kept in the loop during an evolving incident. Tight coordination of various staff is critical and regular update meetings - sometime as often as 15 minutes - are required to keep senior management apprised of the situation as it unfolds. The video concludes with Dean discussing malware reverse engineering. This process can yield vital clues to who designed the malware and methods for detecting similar exploits in the future. It's critical that a malware lab isolated from other networks be used for the analysis in order to prevent further infections of other systems.