Cyber Kill Chain Management - Managing Multiple CKCs | Cybrary

Video Activity

Create Free Account

The concluding video of Module 10 deals with the managing multiple CKCs. Dean takes us through examining similarities, methodology, threat actors, and overlapping indicators. Progress tracking and triage engagement are also covered. As discussed in the previous video, identifying a correlation between multiple events is challenging, but the ability...

Sign up with

Or

Already have an account? Sign In »

Time

4 hours 8 minutes

Difficulty

Intermediate

CEU/CPE

4

Create Free Account

The concluding video of Module 10 deals with the managing multiple CKCs. Dean takes us through examining similarities, methodology, threat actors, and overlapping indicators. Progress tracking and triage engagement are also covered. As discussed in the previous video, identifying a correlation between multiple events is challenging, but the ability to do so allows for managing related campaigns and the grouping of events. Understanding intruder intent and mission objectives form the basis of an incident response plan. Finding clues can be challenging due to adversaries changing up behavior in order to not be predictable. Sometimes requesting assistance from in-house developers can prove helpful when analysts are lacking tools and detection capability.

00:04

Now, if you think about

00:06

the possibility of multiple kill chains in progress at a given time,

00:11

they might be coming from different parts of the world. They might have people in different time zones

00:16

that are involved

00:17

in the investigation or in the containment

00:21

or even the recovery efforts,

00:26

again with with with talking with other teams or even other organizations.

00:32

Hopefully, there could be some similarities discovered some kind of overlap

00:37

to see that there's a a p T that we had last year, for instance, and we saw certain IOC's

00:44

and this information turned out to be very helpful in resolution. Maybe you'd like to look at some of the data that we found,

00:51

and the data would hopefully show some methodology,

00:55

ports of protocols, different tools and so on.

00:59

It also might help the point

01:00

the finger in the direction of actual threat actors with right agents,

01:04

whether they be individuals

01:07

or some kind of hacking collective or

01:08

a nation state sponsored effort.

01:14

All that information

01:15

is only useful if it can be properly combined

01:18

to make some some further progress on. The organization is dealing with this problem right now.

01:25

Speaking of progress, how do you track

01:29

the path through the methodology. Once

01:32

the investigation is underway,

01:34

we can think about the the normal types of triage engagements where

01:40

there's an expectation of an update

01:42

every 15 minutes or 30 minutes, or even 60 minutes,

01:46

depending on the severity.

01:48

If it's a

01:49

a very serious problem, the updates is certainly going to be more frequent. That makes sense,

01:53

but that introduces a lot of complexities for

01:57

dealing with

01:59

the various individuals who are part of the investigation.

02:02

It could be language barriers that could be time zone barriers.

02:06

There could be barriers in what what is allowed to be shared versus what must be kept

02:10

concealed

02:13

due to regulations, laws,

02:15

policies and maybe even just come in sets.

02:21

The ultimate goal, though, is still thinking about how to

02:24

properly

02:27

deal with multiple parallel

02:30

Sabac. You'll change.

02:32

There might be special tools available

02:36

to help in this regard.

02:39

Any kind of a project management methodology would probably work pretty well.

02:45

It's just a matter of

02:46

different tasks being performed at the various phases of a project.

02:51

You might still have

02:53

stakeholder meetings. You might still have milestones that have been set in status reports, and so on,

02:59

but you're just working on different

03:01

activities during this during this time. So

03:05

it's really up to the organization's leadership to set the tone here.

03:08

Their governance model would define how much control they feel they need to have

03:14

over the monitoring process, over the feedback process and so on.

03:19

So it's a lot to be left for them to decide

03:22

and then managers and team leads with. Then

03:25

take that. Governments turned into policies, which then translate eventually into some procedures.

03:31

And lastly, we can think about

03:34

the concept of a campaign

03:37

depends on who you ask. But generally the idea of a campaign is that they

03:42

some some event that happens of IOC's have been discovered,

03:46

and the IOC's may be similar enough and maybe appeared to be related,

03:52

and therefore they start to get group together as the campaign.

03:55

This may turn out later to actually be false, but

03:59

in the meantime,

04:00

some sort of organization and grouping of events does make sense until new information rises. That says that that's not a good idea.

04:11

We could take a group like anonymous, for instance, whether they're very loosely coupled. They don't have well defined leadership,

04:17

but yet they can still

04:19

work together

04:21

in parallel on various objectives

04:25

and

04:26

if they're all using similar tools, if they're if they're timing, seems to be very similar as faras. When attacks start when they stop

04:32

when they switch from planet to Plan B to Plan C, for instance,

04:38

then that starts to make more and more sense that this is a coordinated effort.

04:41

Bye

04:42

individuals who may be related to each other,

04:45

maybe

04:46

trying thio watch their attacks

04:48

imperil offer that very same reason that they just want to have maximum effectiveness.

04:55

However thes IOC's, they're they're detected. As I mentioned, earlier conversations are not a guarantee

05:00

that

05:02

the intrusions are related in any way.

05:04

It could just be that the Attackers are using similar tools, similar methods

05:09

or similar malware,

05:11

and therefore the IOC's appear to be related. But they're really not.

05:15

That's that's the channel, just using apart all these little details

05:18

and trying to figure out exactly what you're dealing with

05:21

as a cyber threat analyst.

05:25

We can think about

05:28

conversations that we had earlier in this course

05:30

where the intentions and objectives of the adversary are being estimated.

05:35

The more data that's collected that the closer, the analyst can get to two inaccurate

05:42

depiction of what the adversaries, objectives and intentions might be.

05:46

The targeting certainly tells a lot about this.

05:51

The type of target,

05:54

the type of information it contains,

05:57

how it fits into the bigger picture of the top network apology or the infrastructure. All those clues do offer substantial insight

06:04

into what the adversaries trying to accomplish.

06:06

Another factor which aggravates the process of investigation is the fact that tactics and tools

06:13

will change over time, that the dollar will change over time.

06:16

Any adversary that was doing their best to remain

06:21

not only undetected but

06:25

Maura Anonymous, perhaps, would certainly be thinking about

06:28

changing up their plan and modifying their their

06:31

behavior so that they don't become too predictable.

06:35

This is a basic mob

06:38

evasion technique, if you think about it

06:41

and even good, you know, the good guys have to practice these kinds of

06:45

methodology

06:46

shuffling, if you will,

06:48

because if you are

06:50

interacting with an R and an asset that's actively being compromised,

06:57

the defenders don't want always appear to be using the same methods, either because then that becomes too predictable

07:01

for the adversary. And

07:03

there could be a loss of

07:05

of information. As a result,

07:10

one last idea to throw at you is the idea of using developers

07:14

in conjunction with incident response when all these activities are taking place.

07:18

That might seem like a strange thing to suggest.

07:21

Some information that companies have released

07:25

indicates that

07:26

there may be times where

07:28

IOC's have been found or other events of them then discovered.

07:32

But there's a lack of

07:34

understanding because there might not be the proper tools in place

07:39

in order to bring the data together with the proper analysis.

07:43

Or maybe there's a,

07:45

uh,

07:46

a lack of a detection capability for certain kinds of information.

07:49

If developers could be

07:53

huh

07:53

brought into the process and kept

07:56

I reserved until meeting

07:58

that they might be able to cobble something together to help the investigation proceeds.

08:03

Nothing interesting

08:05

angle to to think about as faras,

08:07

how to make the organization more efficient,

08:09

and you utilize resource is more,

08:11

more carefully.

08:13

All right, so that sums up this module.

08:16

I'll see you in the next one, which will be the last one for the course. Thank you.

Using Open Source Intelligence - IOC Pivoting

Using Open Source Intelligence - Maltego Introduction

Using Open Source Intelligence - 250 Free Resources

The CTI course consists of 12 information-packed modules. CTI is a critical function within any organization that involves roles like analysts, methodologies, tools, teams, and policies. From threat analysis to the Cyber Kill Chain, learn it here.

CEO of SteppingStone Solutions