00:04
Now, if you think about
00:06
the possibility of multiple kill chains in progress at a given time,
00:11
they might be coming from different parts of the world. They might have people in different time zones
00:17
in the investigation or in the containment
00:21
or even the recovery efforts,
00:26
again, talking with other teams or even other organizations.
00:32
Hopefully, there could be some similarities discovered, some kind of overlap,
00:37
to see that there's an APT that we had last year, for instance, and we saw certain IOCs,
00:44
and this information turned out to be very helpful in resolution. Maybe you'd like to look at some of the data that we found,
00:51
and the data would hopefully show some methodology,
00:55
ports and protocols, different tools and so on.
00:59
It also might help to point
01:00
the finger in the direction of actual threat actors or threat agents,
01:04
whether they be individuals
01:07
or some kind of hacking collective or
01:08
a nation state sponsored effort.
01:14
All that information
01:15
is only useful if it can be properly combined
01:18
to make some further progress on the problem the organization is dealing with right now.
01:25
Speaking of progress, how do you track
01:29
the path through the methodology? Once
01:32
the investigation is underway,
01:34
we can think about the normal types of triage engagements where
01:40
there's an expectation of an update
01:42
every 15 minutes or 30 minutes, or even 60 minutes,
01:46
depending on the severity.
01:49
For a very serious problem, the updates are certainly going to be more frequent. That makes sense,
01:53
but that introduces a lot of complexities for
01:59
the various individuals who are part of the investigation.
02:02
It could be language barriers, it could be time zone barriers.
02:06
There could be barriers in what is allowed to be shared versus what must be kept
02:13
due to regulations, laws,
02:15
policies and maybe even just common sense.
02:21
The ultimate goal, though, is still thinking about how to
02:27
deal with multiple parallel
02:30
cyber kill chains.
02:32
There might be special tools available
02:36
to help in this regard.
02:39
Any kind of a project management methodology would probably work pretty well.
02:45
It's just a matter of
02:46
different tasks being performed at the various phases of a project.
02:51
You might still have
02:53
stakeholder meetings. You might still have milestones that have been set, and status reports, and so on,
02:59
but you're just working on different
03:01
activities during this time. So
03:05
it's really up to the organization's leadership to set the tone here.
03:08
Their governance model would define how much control they feel they need to have
03:14
over the monitoring process, over the feedback process and so on.
03:19
So it's a lot to be left for them to decide
03:22
and then managers and team leads would then
03:25
take that governance and turn it into policies, which then translate eventually into some procedures.
03:31
And lastly, we can think about
03:34
the concept of a campaign.
03:37
What a campaign is depends on who you ask. But generally the idea of a campaign is that
03:42
some event happens, IOCs have been discovered,
03:46
and the IOCs may be similar enough and appear to be related,
03:52
and therefore they start to get grouped together as a campaign.
03:55
This may turn out later to actually be false, but
04:00
some sort of organization and grouping of events does make sense until new information arises that says that's not a good idea.
04:11
We could take a group like Anonymous, for instance, where they're very loosely coupled. They don't have well-defined leadership,
04:17
but yet they can still
04:21
work in parallel on various objectives
04:26
if they're all using similar tools, if their timing seems to be very similar as far as when attacks start, when they stop,
04:32
when they switch from Plan A to Plan B to Plan C, for instance,
04:38
then that starts to make more and more sense that this is a coordinated effort.
04:42
individuals who may be related to each other,
04:46
trying to launch their attacks
04:48
in parallel for that very same reason, that they just want to have maximum effectiveness.
04:55
However these IOCs are detected, as I mentioned in earlier conversations, they are not a guarantee
05:02
that the intrusions are related in any way.
05:04
It could just be that the Attackers are using similar tools, similar methods
05:11
and therefore the IOCs appear to be related. But they're really not.
05:15
That's the challenge, just teasing apart all these little details
05:18
and trying to figure out exactly what you're dealing with
05:21
as a cyber threat analyst.
05:28
This goes back to conversations that we had earlier in this course
05:30
where the intentions and objectives of the adversary are being estimated.
05:35
The more data that's collected, the closer the analyst can get to an accurate
05:42
depiction of what the adversary's objectives and intentions might be.
05:46
The targeting certainly tells a lot about this.
05:54
The type of information it contains,
05:57
how it fits into the bigger picture of the network topology or the infrastructure. All those clues do offer substantial insight
06:04
into what the adversary is trying to accomplish.
06:06
Another factor which aggravates the process of investigation is the fact that tactics and tools
06:13
will change over time, and the data will change over time.
06:16
Any adversary that was doing their best to remain
06:21
not only undetected but
06:25
more anonymous, perhaps, would certainly be thinking about
06:28
changing up their plan and modifying their
06:31
behavior so that they don't become too predictable.
06:38
It's an evasion technique, if you think about it,
06:41
and even the good guys have to practice these kinds of
06:46
shuffling, if you will. When
06:50
interacting with an asset that's actively being compromised,
06:57
the defenders don't always want to appear to be using the same methods, either, because then that becomes too predictable
07:01
for the adversary. And
07:03
there could be a loss
07:05
of information as a result.
07:10
One last idea to throw at you is the idea of using developers
07:14
in conjunction with incident response when all these activities are taking place.
07:18
That might seem like a strange thing to suggest.
07:21
In some information that companies have released,
07:26
there may be times where
07:28
IOCs have been found or other events have been discovered,
07:32
But there's a lack of
07:34
understanding because there might not be the proper tools in place
07:39
in order to bring the data together with the proper analysis.
07:46
or a lack of a detection capability for certain kinds of information.
07:49
If developers could be
07:53
brought into the process and kept
07:56
in reserve until needed,
07:58
they might be able to cobble something together to help the investigation proceed.
08:05
It's just another angle to think about as far as
08:07
how to make the organization more efficient,
08:09
and utilize resources more.
08:13
All right, so that sums up this module.
08:16
I'll see you in the next one, which will be the last one for the course. Thank you.