Cyber Kill Chain Management - Handling Simultaneous Intrusions | Cybrary

Video Activity

Create Free Account

Module 10 deals with the challenge of handling simultaneous intrusions. Multiple kill chains come into effect and the challenge is heightened to determine if any are related. Extra methodology is required in such a situation. Identification of separate, simultaneous intrusions begins with pattern recognition. Reliable methods are critical in this s...

Sign up with

Or

Already have an account? Sign In »

Time

4 hours 8 minutes

Difficulty

Intermediate

CEU/CPE

4

Create Free Account

Module 10 deals with the challenge of handling simultaneous intrusions. Multiple kill chains come into effect and the challenge is heightened to determine if any are related. Extra methodology is required in such a situation. Identification of separate, simultaneous intrusions begins with pattern recognition. Reliable methods are critical in this step to prevent the risk of confirmation bias and reaching false correlations. Assistance with correlation can come in the form of vendors alerts or correlation with other analysts and other teams via a comms plan. Coordination in the form of plans, policies, and procedures are required to govern info-sharing. Building a knowledge base of sanitized data is a challenging but worthwhile effort in order to assist with future simultaneous events.

00:04

Hello and welcome to the next module and the introduction to Cyber Threat Intelligence. Course,

00:09

this module we're gonna talk about, um, aging multiple

00:13

C K C seven chains.

00:16

Obviously, this is the

00:18

gonna be the norm for a lot of organizations here.

00:21

You're not just looking as single intrusion or a single campaign of intrusions,

00:28

and it's pretty pretty typical to have

00:30

multiple different scenarios playing out in parallel.

00:35

So there are some challenges that come along with that.

00:37

And that's why the should be some

00:41

extra methodology considered

00:43

properly. Manage this and keep things moving forward.

00:47

So we'll look at multiple kill chains in progress. We also talk about

00:51

intrusions that may be related, starting off with simultaneous intrusions.

00:58

It could be the case that you're intrusions are simultaneous, but yet separate. They're not part of a

01:03

organized

01:06

activity by my by a group that's

01:10

taking a two pronged or three pronged approach.

01:12

It may just be that

01:14

the organization is a

01:17

a large target, and therefore it's expected that multiple intrusions would be

01:23

attempted in any given moment and tell it

01:26

the challenge in dealing with these scenarios is

01:30

trying to find reliable ways to recognize patterns

01:36

no.

01:37

A pattern that repeats

01:41

from one intruding to the next does not guarantee that they are related,

01:45

doesn't guarantee it that it's the same threat actors doing the work.

01:49

It just raises the possibility

01:52

that that the intrusions are related or that they are being performed with the same people.

01:57

There's only so many ways to skin a cat, as I like to say, and

02:01

it's a typical method to get into an environment exists.

02:06

And that will be the one that will be seen multiple times by different intruders

02:12

as well as being seen, perhaps by the same untrue, because it becomes a reliable method.

02:15

And,

02:16

uh,

02:17

the danger here is placing too much reliance

02:23

on the patterns themselves. As we talked about before. A confirmation bias

02:28

might indicate that

02:30

that you're placing too much relevance on the recognition of the pattern

02:35

as a way of doing he mental shortcut. It may not be a conscious decision to say that we don't want to study this harder. We think we know what we're dealing with,

02:44

so that could be a

02:46

gray area for some organizations to make sure that

02:49

that you spend enough time to differentiate one pattern of behavior from another,

02:53

but that you don't waste too much time

02:57

analyzing patterns, which appear to be coming from the same

03:00

actors or the same sources.

03:04

Speaking of sources, one of the

03:07

aspects of this kind of that announces is trying to find the appropriate sources of data that can be correlated

03:14

as we talked about in a previous module. We have a lot of choices.

03:16

You have everything from your physical security considerations

03:22

to the network perimeter itself with your network ideas network, I PS

03:28

host based ideas, an I. P s

03:30

firewalls, law proxies,

03:32

sing devices and so on.

03:35

There's a lot of different pieces of the infrastructure

03:38

that could be used to gather correlating information,

03:42

and we can't forget the possible benefit of getting this. Some of this correlation information from security service is

03:49

for security vendors, for that matter.

03:52

It's not uncommon for a vendor to send out alerts to their customers when a large

03:57

the event appears to be underway.

03:59

That could be further confirmation that this is something serious, and we should be paying attention to it

04:03

because even the the vendors that supply our

04:08

hardware and software and other service's are telling us that there's a problem.

04:13

So those were the good things that pay attention to.

04:17

We also have to think about a communications plan that was just disgusting earlier module

04:25

That module is describing the communications plan

04:27

MAWR in the context of incident response.

04:30

However,

04:31

it also makes sense to have policies and procedures in place. Some protocols, if you will,

04:38

for communicating between different teams.

04:42

Different individuals on different teams

04:44

might need to share information.

04:47

And if there are classifications, issues or other

04:50

privacy issues and such, then that has to be done very carefully.

04:56

The

04:58

the need for procedures and policies when sharing information with other organisations would be even greater

05:04

because now you have to make sure that there's a

05:08

step to sanitize the information. If it can be shared it all

05:12

senior leadership should define these

05:14

the governance model and the high level policies which dictate how this activity might actually be accomplished.

05:21

I'm sure we can all certainly see the value, though

05:25

sharing information with other organizations

05:28

can build up a lot of

05:30

data there quickly into a knowledge base

05:33

as long as the day it has been properly sanitized,

05:38

shared within the organization

05:40

could also produce similar outcomes.

05:43

The main goal is to think about who has

05:46

experience and exposure to the events that are unfolding,

05:49

and how can that information be obtained

05:53

and possibly

05:55

utilized To deal with an ongoing investigation

05:59

could be a challenge, but it's ah worthwhile effort to undergo in any case.

Cyber Kill Chain Management - Managing Multiple CKCs

Using Open Source Intelligence - IOC Pivoting

Using Open Source Intelligence - Maltego Introduction

Using Open Source Intelligence - 250 Free Resources

The CTI course consists of 12 information-packed modules. CTI is a critical function within any organization that involves roles like analysts, methodologies, tools, teams, and policies. From threat analysis to the Cyber Kill Chain, learn it here.

CEO of SteppingStone Solutions