Time
4 hours 8 minutes
Difficulty
Intermediate
CEU/CPE
4

Video Description

Module 10 deals with the challenge of handling simultaneous intrusions. Multiple kill chains come into play, and the challenge is heightened by having to determine whether any of them are related. Extra methodology is required in such a situation. Identification of separate, simultaneous intrusions begins with pattern recognition. Reliable methods are critical in this step to reduce the risk of confirmation bias and of reaching false correlations. Assistance with correlation can come in the form of vendor alerts, or from correlation with other analysts and other teams via a comms plan. Coordination in the form of plans, policies, and procedures is required to govern information sharing. Building a knowledge base of sanitized data is a challenging but worthwhile effort that assists with future simultaneous events.

Video Transcription

00:04
Hello and welcome to the next module in the Introduction to Cyber Threat Intelligence course.
00:09
In this module we're going to talk about managing multiple
00:13
CKC7 chains.
00:16
Obviously, this is
00:18
going to be the norm for a lot of organizations here.
00:21
You're not just looking at a single intrusion or a single campaign of intrusions,
00:28
and it's pretty typical to have
00:30
multiple different scenarios playing out in parallel.
00:35
So there are some challenges that come along with that.
00:37
And that's why there should be some
00:41
extra methodology considered to
00:43
properly manage this and keep things moving forward.
00:47
So we'll look at multiple kill chains in progress. We also talk about
00:51
intrusions that may be related, starting off with simultaneous intrusions.
00:58
It could be the case that your intrusions are simultaneous but separate. They're not part of an
01:03
organized
01:06
activity by a group that's
01:10
taking a two-pronged or three-pronged approach.
01:12
It may just be that
01:14
the organization is
01:17
a large target, and therefore it's expected that multiple intrusions would be
01:23
attempted at any given moment.
01:26
The challenge in dealing with these scenarios is
01:30
trying to find reliable ways to recognize patterns.
01:36
Now,
01:37
a pattern that repeats
01:41
from one intrusion to the next does not guarantee that they are related;
01:45
it doesn't guarantee that it's the same threat actors doing the work.
01:49
It just raises the possibility
01:52
that the intrusions are related or that they are being performed by the same people.
01:57
There are only so many ways to skin a cat, as I like to say, and
02:01
if a typical method to get into an environment exists,
02:06
that will be the one that is seen multiple times by different intruders,
02:12
as well as being seen, perhaps, by the same intruder, because it becomes a reliable method.
02:15
And,
02:16
uh,
02:17
the danger here is placing too much reliance
02:23
on the patterns themselves. As we talked about before, confirmation bias
02:28
might indicate that
02:30
you're placing too much reliance on the recognition of the pattern
02:35
as a way of taking a mental shortcut. It may not be a conscious decision to say that we don't want to study this harder; we think we know what we're dealing with,
02:44
so that could be a
02:46
gray area for some organizations, to make sure that
02:49
you spend enough time to differentiate one pattern of behavior from another,
02:53
but that you don't waste too much time
02:57
analyzing patterns, which appear to be coming from the same
03:00
actors or the same sources.
03:04
Speaking of sources, one of the
03:07
aspects of this kind of analysis is trying to find the appropriate sources of data that can be correlated.
03:14
As we talked about in a previous module, we have a lot of choices.
03:16
You have everything from your physical security considerations
03:22
to the network perimeter itself, with your network IDS, network IPS,
03:28
host-based IDS and IPS,
03:30
firewalls, logs, proxies,
03:32
SIEM devices, and so on.
03:35
There's a lot of different pieces of the infrastructure
03:38
that could be used to gather correlating information,
03:42
and we can't forget the possible benefit of getting some of this correlation information from security services,
03:49
or security vendors, for that matter.
03:52
It's not uncommon for a vendor to send out alerts to their customers when a large
03:57
event appears to be underway.
03:59
That could be further confirmation that this is something serious and we should be paying attention to it,
04:03
because even the vendors that supply our
04:08
hardware and software and other services are telling us that there's a problem.
04:13
So those are good things to pay attention to.
04:17
We also have to think about a communications plan, which was discussed in an earlier module.
04:25
That module is describing the communications plan
04:27
more in the context of incident response.
04:30
However,
04:31
it also makes sense to have policies and procedures in place. Some protocols, if you will,
04:38
for communicating between different teams.
04:42
Different individuals on different teams
04:44
might need to share information.
04:47
And if there are classification issues or other
04:50
privacy issues and such, then that has to be done very carefully.
04:56
The
04:58
need for procedures and policies when sharing information with other organizations would be even greater,
05:04
because now you have to make sure that there's a
05:08
step to sanitize the information, if it can be shared at all.
05:12
Senior leadership should define
05:14
the governance model and the high-level policies which dictate how this activity might actually be accomplished.
05:21
I'm sure we can all certainly see the value, though:
05:25
sharing information with other organizations
05:28
can build up a lot of
05:30
data very quickly into a knowledge base,
05:33
as long as the data has been properly sanitized.
05:38
Sharing within the organization
05:40
could also produce similar outcomes.
05:43
The main goal is to think about who has
05:46
experience and exposure to the events that are unfolding,
05:49
and how can that information be obtained
05:53
and possibly
05:55
utilized to deal with an ongoing investigation.
05:59
It could be a challenge, but it's a worthwhile effort to undergo in any case.

Up Next

Intro to Cyber Threat Intelligence

The CTI course consists of 12 information-packed modules. CTI is a critical function within any organization that involves roles like analysts, methodologies, tools, teams, and policies. From threat analysis to the Cyber Kill Chain, learn it here.

Instructed By

Dean Pompilio
CEO of SteppingStone Solutions
Instructor