Hello and welcome to the next module in the Introduction to Cyber Threat Intelligence course. In this module we're gonna talk about managing multiple intrusions. Obviously, this is gonna be the norm for a lot of organizations. You're not just looking at a single intrusion or a single campaign of intrusions, and it's pretty typical to have multiple different scenarios playing out in parallel. So there are some challenges that come along with that, and that's why there should be some extra methodology considered to properly manage this and keep things moving forward.
So we'll look at multiple kill chains in progress. We'll also talk about intrusions that may be related, starting off with simultaneous intrusions. It could be the case that your intrusions are simultaneous, but yet separate. They're not part of an activity by a group that's taking a two-pronged or three-pronged approach. The organization is a large target, and therefore it's expected that multiple intrusions would be attempted at any given moment in time.
The challenge in dealing with these scenarios is trying to find reliable ways to recognize patterns. A pattern that repeats from one intrusion to the next does not guarantee that they are related; it doesn't guarantee that it's the same threat actors doing the work. It just raises the possibility that the intrusions are related, or that they are being performed by the same people. There's only so many ways to skin a cat, as I like to say, and if a typical method to get into an environment exists, that will be the one that will be seen multiple times by different intruders, as well as being seen perhaps by the same intruder, because it becomes a reliable method.

The danger here is placing too much reliance on the patterns themselves. As we talked about before, that's a confirmation bias: you're placing too much relevance on the recognition of the pattern as a way of taking a mental shortcut. It may not be a conscious decision to say that we don't want to study this harder; we think we know what we're dealing with. It's a gray area for some organizations to make sure that you spend enough time to differentiate one pattern of behavior from another, but that you don't waste too much time analyzing patterns which appear to be coming from the same actors or the same sources.
Speaking of sources, one of the aspects of this kind of analysis is trying to find the appropriate sources of data that can be correlated. As we talked about in a previous module, we have a lot of choices. You have everything from your physical security considerations to the network perimeter itself, with your network IDS, network IPS, host-based IDS and IPS, firewalls, log proxies, SIEM devices and so on. There's a lot of different pieces of the infrastructure that could be used to gather correlating information, and we can't forget the possible benefit of getting some of this correlation information from security services, or security vendors for that matter. It's not uncommon for a vendor to send out alerts to their customers when a large event appears to be underway. That could be further confirmation that this is something serious and we should be paying attention to it, because even the vendors that supply our hardware and software and other services are telling us that there's a problem. So those are the good things to pay attention to.
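The two ideas just covered, recognizing a repeating pattern across separate intrusions without assuming it proves a common actor, and correlating data from several sources (network IDS, host IDS, proxy, firewall, vendor alerts), can be shown on a small data set. The following is an added example and not part of the course material; every event and the vendor alert are constructed, the source names and the two-hour clustering window are assumptions, and the attribute strings (`sig:`, `dst:`, `proc:`) are a hypothetical labelling convention.

```python
"""Group multi-source events into candidate intrusions, then score pattern overlap.
Added example; all events below are constructed, not real data."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed events: (timestamp, source, host, observed attribute).
# Source names are assumed; they mirror the sensors named in the lecture.
EVENTS = [
    ("2024-03-01T09:00:00", "net_ids",  "web01", "sig:sqli_probe"),
    ("2024-03-01T09:02:00", "proxy",    "web01", "dst:203.0.113.10"),
    ("2024-03-01T09:05:00", "host_ids", "web01", "proc:webshell_drop"),
    ("2024-03-01T09:06:00", "firewall", "web01", "dst:203.0.113.10"),
    ("2024-03-02T14:00:00", "net_ids",  "hr02",  "sig:sqli_probe"),
    ("2024-03-02T14:03:00", "proxy",    "hr02",  "dst:198.51.100.7"),
    ("2024-03-02T14:10:00", "host_ids", "hr02",  "proc:cred_dump"),
    ("2024-03-02T20:00:00", "net_ids",  "hr02",  "sig:smb_bruteforce"),  # later, separate burst
]

# Constructed stand-in for the attributes a vendor alert might list when a
# large event appears to be underway.
VENDOR_ALERT = {"sig:sqli_probe", "dst:203.0.113.10"}


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S")


def cluster_intrusions(events, window=timedelta(hours=2)):
    """Group events into candidate intrusions: same host, and consecutive events
    no more than `window` apart (assumed heuristic). Sorted by start time."""
    by_host = defaultdict(list)
    for ts, source, host, attr in events:
        by_host[host].append((parse_ts(ts), source, attr))
    intrusions = []
    for host, evs in by_host.items():
        evs.sort()
        current = None
        for ts, source, attr in evs:
            if current is None or ts - current["end"] > window:
                current = {"host": host, "start": ts, "end": ts,
                           "sources": set(), "attrs": set()}
                intrusions.append(current)
            current["end"] = ts
            current["sources"].add(source)   # breadth of corroborating sensors
            current["attrs"].add(attr)       # the pattern observed
    intrusions.sort(key=lambda i: i["start"])
    return intrusions


def jaccard(a, b):
    """Set overlap in [0, 1]; 0 when both sets are empty."""
    return len(a & b) / len(a | b) if (a or b) else 0.0


def compare_intrusions(intrusions, threshold=0.2):
    """Pairwise pattern overlap. A score at or above threshold only marks the pair
    'possibly related'; it never claims the same actor is behind both."""
    findings = []
    for i in range(len(intrusions)):
        for j in range(i + 1, len(intrusions)):
            score = jaccard(intrusions[i]["attrs"], intrusions[j]["attrs"])
            verdict = ("possibly related: review further" if score >= threshold
                       else "no shared pattern")
            findings.append((i, j, round(score, 2), verdict))
    return findings


def vendor_corroborated(intrusion, vendor_attrs=VENDOR_ALERT):
    """True when any attribute of the intrusion also appears in the vendor alert."""
    return bool(intrusion["attrs"] & vendor_attrs)


if __name__ == "__main__":
    found = cluster_intrusions(EVENTS)
    for n, intr in enumerate(found):
        print(n, intr["host"], intr["start"], sorted(intr["sources"]),
              "vendor corroborated" if vendor_corroborated(intr) else "")
    for i, j, score, verdict in compare_intrusions(found):
        print(f"intrusion {i} vs {j}: overlap {score} -> {verdict}")
```

Note that the web01 and first hr02 intrusions share only the probe signature, so the score stays low and the output says "review further" rather than asserting a link; the sources set shows how many independent sensors corroborated each cluster, which is the correlation breadth the lecture is after.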
We also have to think about a communications plan, which was just discussed in an earlier module. That module describes the communications plan more in the context of incident response. It also makes sense to have policies and procedures in place, some protocols if you will, for communicating between different teams. Different individuals on different teams might need to share information, and if there are classification issues or other privacy issues and such, then that has to be done very carefully. The need for procedures and policies when sharing information with other organisations would be even greater, because now you have to make sure that there's a step to sanitize the information, if it can be shared at all. Senior leadership should define these: the governance model and the high-level policies which dictate how this activity might actually be accomplished.
I'm sure we can all certainly see the value, though. Sharing information with other organizations can build up a lot of data quickly into a knowledge base, as long as the data has been properly sanitized. Sharing within the organization could also produce similar outcomes. The main goal is to think about who has experience and exposure to the events that are unfolding, and how that information can be obtained and utilized to deal with an ongoing investigation. It could be a challenge, but it's a worthwhile effort to undergo in any case.