00:04
Hello and welcome to the next module in the Introduction to Cyber Threat Intelligence course.
00:09
In this module we're gonna talk about managing multiple
00:16
Obviously, this is the
00:18
gonna be the norm for a lot of organizations here.
00:21
You're not just looking at a single intrusion or a single campaign of intrusions,
00:28
and it's pretty typical to have
00:30
multiple different scenarios playing out in parallel.
00:35
So there are some challenges that come along with that.
00:37
And that's why there should be some
00:41
extra methodology considered
00:43
to properly manage this and keep things moving forward.
00:47
So we'll look at multiple kill chains in progress. We'll also talk about
00:51
intrusions that may be related, starting off with simultaneous intrusions.
00:58
It could be the case that your intrusions are simultaneous, but yet separate. They're not part of a
01:06
activity by a group that's
01:10
taking a two pronged or three pronged approach.
01:14
The organization is a
01:17
a large target, and therefore it's expected that multiple intrusions would be
01:23
attempted in any given moment and tell it
01:26
The challenge in dealing with these scenarios is
01:30
trying to find reliable ways to recognize patterns
01:37
A pattern that repeats
01:41
from one intrusion to the next does not guarantee that they are related,
01:45
doesn't guarantee that it's the same threat actors doing the work.
01:49
It just raises the possibility
01:52
that the intrusions are related or that they are being performed by the same people.
01:57
There's only so many ways to skin a cat, as I like to say, and
02:01
if a typical method to get into an environment exists,
02:06
And that will be the one that will be seen multiple times by different intruders
02:12
as well as being seen, perhaps, by the same intruder, because it becomes a reliable method.
02:17
The danger here is placing too much reliance
02:23
on the patterns themselves. As we talked about before, a confirmation bias
02:30
that you're placing too much relevance on the recognition of the pattern
02:35
as a way of doing a mental shortcut. It may not be a conscious decision to say that we don't want to study this harder. We think we know what we're dealing with,
02:46
gray area for some organizations to make sure that
02:49
that you spend enough time to differentiate one pattern of behavior from another,
02:53
but that you don't waste too much time
02:57
analyzing patterns, which appear to be coming from the same
03:00
actors or the same sources.
03:04
Speaking of sources, one of the
03:07
aspects of this kind of analysis is trying to find the appropriate sources of data that can be correlated.
03:14
As we talked about in a previous module, we have a lot of choices.
03:16
You have everything from your physical security considerations
03:22
to the network perimeter itself with your network IDS, network IPS,
03:28
host-based IDS and IPS,
03:30
firewalls, logs, proxies,
03:32
SIEM devices and so on.
03:35
There's a lot of different pieces of the infrastructure
03:38
that could be used to gather correlating information,
03:42
and we can't forget the possible benefit of getting some of this correlation information from security services
03:49
or security vendors, for that matter.
03:52
It's not uncommon for a vendor to send out alerts to their customers when a large
03:57
event appears to be underway.
03:59
That could be further confirmation that this is something serious, and we should be paying attention to it
04:03
because even the vendors that supply our
04:08
hardware and software and other services are telling us that there's a problem.
04:13
So those are good things to pay attention to.
04:17
We also have to think about a communications plan that was just discussed in an earlier module.
04:25
That module is describing the communications plan
04:27
more in the context of incident response.
04:31
It also makes sense to have policies and procedures in place. Some protocols, if you will,
04:38
for communicating between different teams.
04:42
Different individuals on different teams
04:44
might need to share information.
04:47
And if there are classification issues or other
04:50
privacy issues and such, then that has to be done very carefully.
04:58
The need for procedures and policies when sharing information with other organizations would be even greater
05:04
because now you have to make sure that there's a
05:08
step to sanitize the information, if it can be shared at all.
05:12
Senior leadership should define
05:14
the governance model and the high-level policies which dictate how this activity might actually be accomplished.
05:21
I'm sure we can all certainly see the value, though
05:25
sharing information with other organizations
05:28
can build up a lot of
05:30
data there quickly into a knowledge base
05:33
as long as the data has been properly sanitized.
05:38
Sharing within the organization
05:40
could also produce similar outcomes.
05:43
The main goal is to think about who has
05:46
experience and exposure to the events that are unfolding,
05:49
and how that information can be obtained
05:55
and utilized to deal with an ongoing investigation.
05:59
It could be a challenge, but it's a worthwhile effort to undergo in any case.