Time
4 hours 8 minutes
Difficulty
Intermediate
CEU/CPE
4

Video Description

The concluding video of Module 10 deals with managing multiple CKCs. Dean takes us through examining similarities, methodology, threat actors, and overlapping indicators. Progress tracking and triage engagement are also covered. As discussed in the previous video, identifying a correlation between multiple events is challenging, but the ability to do so allows for managing related campaigns and the grouping of events. Understanding intruder intent and mission objectives forms the basis of an incident response plan. Finding clues can be challenging because adversaries change their behavior in order not to be predictable. Sometimes requesting assistance from in-house developers can prove helpful when analysts lack tools and detection capability.

Video Transcription

00:04
Now, if you think about
00:06
the possibility of multiple kill chains in progress at a given time,
00:11
they might be coming from different parts of the world. They might have people in different time zones
00:16
that are involved
00:17
in the investigation or in the containment
00:21
or even the recovery efforts,
00:26
again, talking with other teams or even other organizations.
00:32
Hopefully, there could be some similarities discovered, some kind of overlap,
00:37
to see that there's an APT that we had last year, for instance, and we saw certain IOCs
00:44
and this information turned out to be very helpful in resolution. Maybe you'd like to look at some of the data that we found,
00:51
and the data would hopefully show some methodology,
00:55
ports or protocols, different tools, and so on.
00:59
It also might help to point
01:00
the finger in the direction of actual threat actors with the right agents,
01:04
whether they be individuals
01:07
or some kind of hacking collective or
01:08
a nation state sponsored effort.
01:14
All that information
01:15
is only useful if it can be properly combined
01:18
to make some further progress on the problem the organization is dealing with right now.
01:25
Speaking of progress, how do you track
01:29
the path through the methodology? Once
01:32
the investigation is underway,
01:34
we can think about the normal types of triage engagements where
01:40
there's an expectation of an update
01:42
every 15 minutes or 30 minutes, or even 60 minutes,
01:46
depending on the severity.
01:48
If it's
01:49
a very serious problem, the updates are certainly going to be more frequent. That makes sense,
01:53
but that introduces a lot of complexities for
01:57
dealing with
01:59
the various individuals who are part of the investigation.
02:02
It could be language barriers; it could be time zone barriers.
02:06
There could be barriers in what is allowed to be shared versus what must be kept
02:10
concealed
02:13
due to regulations, laws,
02:15
policies, and maybe even just common sense.
02:21
The ultimate goal, though, is still thinking about how to
02:24
properly
02:27
deal with multiple parallel
02:30
cyber kill chains.
02:32
There might be special tools available
02:36
to help in this regard.
02:39
Any kind of a project management methodology would probably work pretty well.
02:45
It's just a matter of
02:46
different tasks being performed at the various phases of a project.
02:51
You might still have
02:53
stakeholder meetings. You might still have milestones that have been set, and status reports, and so on,
02:59
but you're just working on different
03:01
activities during this time. So
03:05
it's really up to the organization's leadership to set the tone here.
03:08
Their governance model would define how much control they feel they need to have
03:14
over the monitoring process, over the feedback process and so on.
03:19
So it's a lot to be left for them to decide,
03:22
and then managers and team leads would then
03:25
take that governance, turn it into policies, which then translate eventually into some procedures.
03:31
And lastly, we can think about
03:34
the concept of a campaign. It
03:37
depends on who you ask, but generally the idea of a campaign is that
03:42
some event happens or IOCs have been discovered,
03:46
and the IOCs may be similar enough and maybe appear to be related,
03:52
and therefore they start to get grouped together as a campaign.
03:55
This may turn out later to actually be false, but
03:59
in the meantime,
04:00
some sort of organization and grouping of events does make sense until new information arises that says that's not a good idea.
04:11
We could take a group like Anonymous, for instance, where they're very loosely coupled. They don't have well-defined leadership,
04:17
but yet they can still
04:19
work together
04:21
in parallel on various objectives
04:25
and
04:26
if they're all using similar tools, if their timing seems to be very similar as far as when attacks start, when they stop,
04:32
when they switch from Plan A to Plan B to Plan C, for instance,
04:38
then that starts to make more and more sense that this is a coordinated effort.
04:41
by
04:42
individuals who may be related to each other,
04:45
maybe
04:46
trying to launch their attacks
04:48
in parallel for that very same reason, that they just want to have maximum effectiveness.
04:55
However, these IOCs, when they're detected, as I mentioned in earlier conversations, are not a guarantee
05:00
that
05:02
the intrusions are related in any way.
05:04
It could just be that the attackers are using similar tools, similar methods,
05:09
or similar malware,
05:11
and therefore the IOCs appear to be related, but they're really not.
05:15
That's the challenge: just teasing apart all these little details
05:18
and trying to figure out exactly what you're dealing with
05:21
as a cyber threat analyst.
05:25
We can think about
05:28
conversations that we had earlier in this course
05:30
where the intentions and objectives of the adversary are being estimated.
05:35
The more data that's collected, the closer the analyst can get to an accurate
05:42
depiction of what the adversary's objectives and intentions might be.
05:46
The targeting certainly tells a lot about this.
05:51
The type of target,
05:54
the type of information it contains,
05:57
how it fits into the bigger picture of the network topology or the infrastructure. All those clues do offer substantial insight
06:04
into what the adversary is trying to accomplish.
06:06
Another factor which aggravates the process of investigation is the fact that tactics and tools
06:13
will change over time, that the dollar will change over time.
06:16
Any adversary that was doing their best to remain
06:21
not only undetected but
06:25
more anonymous, perhaps, would certainly be thinking about
06:28
changing up their plan and modifying their
06:31
behavior so that they don't become too predictable.
06:35
This is a basic mob
06:38
evasion technique, if you think about it
06:41
and even, you know, the good guys have to practice these kinds of
06:45
methodology
06:46
shuffling, if you will,
06:48
because if you are
06:50
interacting with an asset that's actively being compromised,
06:57
the defenders don't want to always appear to be using the same methods, either, because then that becomes too predictable
07:01
for the adversary, and
07:03
there could be a loss of
07:05
information as a result.
07:10
One last idea to throw at you is the idea of using developers
07:14
in conjunction with incident response when all these activities are taking place.
07:18
That might seem like a strange thing to suggest.
07:21
Some information that companies have released
07:25
indicates that
07:26
there may be times where
07:28
IOCs have been found or other events have then been discovered,
07:32
But there's a lack of
07:34
understanding because there might not be the proper tools in place
07:39
in order to bring the data together with the proper analysis.
07:43
Or maybe there's
07:45
a lack of a detection capability for certain kinds of information.
07:49
If developers could be
07:53
brought into the process and kept
07:56
in reserve until needed,
07:58
they might be able to cobble something together to help the investigation proceed.
08:03
An interesting
08:05
angle to think about as far as
08:07
how to make the organization more efficient
08:09
and utilize resources more,
08:11
more carefully.
08:13
All right, so that sums up this module.
08:16
I'll see you in the next one, which will be the last one for the course. Thank you.


Instructed By

Dean Pompilio
CEO of SteppingStone Solutions
Instructor