Now, if you think about the possibility of multiple kill chains in progress at a given time, they might be coming from different parts of the world. They might have people in different time zones in the investigation, or in the containment, or even the recovery efforts, again talking with other teams or even other organizations. Hopefully there could be some similarities discovered, some kind of overlap, to see that there's an APT that we had last year, for instance, and we saw certain IOCs, and this information turned out to be very helpful in resolution. Maybe you'd like to look at some of the data that we found, and the data would hopefully show some methodology: ports, protocols, different tools and so on. It also might help to point the finger in the direction of actual threat actors or rogue agents, whether they be individuals or some kind of hacking collective or a nation-state sponsored effort. All that information is only useful if it can be properly combined to make some further progress on the problem the organization is dealing with right now.
Speaking of progress, how do you track the path through the methodology? Once the investigation is underway, we can think about the normal types of triage engagements where there's an expectation of an update every 15 minutes or 30 minutes, or even 60 minutes, depending on the severity. For a very serious problem, the updates are certainly going to be more frequent. That makes sense, but that introduces a lot of complexities for the various individuals who are part of the investigation. There could be language barriers, there could be time zone barriers. There could be barriers in what is allowed to be shared versus what must be kept confidential due to regulations, laws, policies and maybe even just common sense. The ultimate goal, though, is still thinking about how to deal with multiple parallel cyber kill chains.

There might be special tools available to help in this regard. Any kind of project management methodology would probably work pretty well. It's just a matter of different tasks being performed at the various phases of a project. You might still have stakeholder meetings. You might still have milestones that have been set, and status reports, and so on, but you're just working on different activities during this time. So it's really up to the organization's leadership to set the tone here. Their governance model would define how much control they feel they need to have over the monitoring process, over the feedback process and so on. So a lot is left for them to decide, and then managers and team leads will take that governance and turn it into policies, which then translate eventually into some procedures.
And lastly, we can think about the concept of a campaign. What counts as a campaign depends on who you ask, but generally the idea is that some event happens, or IOCs have been discovered, and the IOCs may be similar enough and appear to be related, and therefore they start to get grouped together as a campaign. This may turn out later to actually be false, but some sort of organization and grouping of events does make sense until new information arises that says that's not a good idea. We could take a group like Anonymous, for instance, where they're very loosely coupled. They don't have well-defined leadership, but yet they can still work in parallel on various objectives. If they're all using similar tools, if their timing seems to be very similar as far as when attacks start, when they stop, when they switch from Plan A to Plan B to Plan C, for instance, then it starts to make more and more sense that this is a coordinated effort: individuals who may be related to each other, trying to launch their attacks in parallel for that very same reason, that they just want to have maximum effectiveness. However these IOCs are detected, as I mentioned earlier, correlations are not a guarantee that the intrusions are related in any way. It could just be that the attackers are using similar tools, similar methods, and therefore the IOCs appear to be related, but they're really not. That's the challenge: teasing apart all these little details and trying to figure out exactly what you're dealing with as a cyber threat analyst.
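As an added illustration (not part of the lecture), here is a small Python example of the grouping rule just described: intrusions that share indicators are clustered into a candidate campaign, while indicators that turn up in most cases (a widely used tool) are discounted so they cannot tie unrelated intrusions together. All case ids, tool names, hostnames and hashes below are constructed sample data.

```python
"""Group intrusions into candidate campaigns by the IOCs they share.

Added example; the case ids, tool names, C2 hostnames and hashes are
constructed. Shared indicators suggest, but never prove, that intrusions
are related, so the output is a hypothesis for the analyst to test.
"""
from collections import Counter
from itertools import combinations

# Constructed sample: each case id maps to the IOCs observed in it.
INTRUSIONS = {
    "case-2023-017": {"tool:mimikatz", "c2:update-cdn.example.net", "hash:aaa111"},
    "case-2023-042": {"tool:mimikatz", "c2:update-cdn.example.net", "hash:bbb222"},
    "case-2024-003": {"tool:mimikatz", "tool:cobaltstrike", "c2:files-sync.example.org"},
    "case-2024-011": {"tool:cobaltstrike", "c2:files-sync.example.org", "hash:ccc333"},
    "case-2024-020": {"tool:mimikatz", "hash:ddd444"},
}


def ioc_counts(intrusions):
    """How many cases each IOC appears in."""
    return Counter(ioc for iocs in intrusions.values() for ioc in iocs)


def commodity_iocs(intrusions, commodity_fraction=0.5):
    """IOCs present in more than `commodity_fraction` of all cases.

    A tool that almost every intruder uses links unrelated cases and
    therefore should not count as evidence of a shared campaign.
    """
    total = len(intrusions)
    return {ioc for ioc, n in ioc_counts(intrusions).items()
            if n / total > commodity_fraction}


def shared_evidence(intrusions, a, b, commodity):
    """Non-commodity IOCs common to cases a and b, weighted by specificity.

    Weight is 1 / (number of cases the IOC appears in): an indicator seen
    in only two cases is stronger evidence than one spread across many.
    """
    counts = ioc_counts(intrusions)
    shared = (intrusions[a] & intrusions[b]) - commodity
    return {ioc: 1 / counts[ioc] for ioc in shared}


def group_campaigns(intrusions, commodity_fraction=0.5, min_score=0.5):
    """Return candidate campaigns as a sorted list of sorted case-id lists.

    Two cases are linked when they share at least one non-commodity IOC
    and the summed specificity weight reaches `min_score`; linked cases
    are merged transitively with a union-find structure.
    """
    commodity = commodity_iocs(intrusions, commodity_fraction)
    parent = {case: case for case in intrusions}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    def union(a, b):
        ra, rb = find(a), find(b)
        if ra != rb:
            parent[rb] = ra

    for a, b in combinations(sorted(intrusions), 2):
        evidence = shared_evidence(intrusions, a, b, commodity)
        if evidence and sum(evidence.values()) >= min_score:
            union(a, b)

    clusters = {}
    for case in intrusions:
        clusters.setdefault(find(case), []).append(case)
    return sorted(sorted(members) for members in clusters.values())


if __name__ == "__main__":
    print("commodity IOCs:", commodity_iocs(INTRUSIONS))
    print("with commodity filtering:", group_campaigns(INTRUSIONS))
    # Disabling the filter lets one ubiquitous tool chain every case together.
    print("without filtering:", group_campaigns(INTRUSIONS, commodity_fraction=1.0, min_score=0.0))
```

With the filter on, the sample splits into two linked pairs plus an unrelated singleton; with the filter off, the credential-dumping tool that appears in four of the five cases chains every intrusion into a single cluster, which is exactly the false grouping the lecture warns about.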
Think back to the conversations that we had earlier in this course, where the intentions and objectives of the adversary are being estimated. The more data that's collected, the closer the analyst can get to an accurate depiction of what the adversary's objectives and intentions might be. The targeting certainly tells a lot about this: the type of information the target contains, how it fits into the bigger picture of the network topology or the infrastructure. All those clues do offer substantial insight into what the adversary is trying to accomplish.

Another factor which aggravates the process of investigation is the fact that tactics and tools will change over time. Any adversary that was doing their best to remain not only undetected but more anonymous, perhaps, would certainly be thinking about changing up their plan and modifying their behavior so that they don't become too predictable. It's an evasion technique, if you think about it, and even the good guys have to practice this kind of shuffling, if you will. When interacting with an asset that's actively being compromised, the defenders don't want to always appear to be using the same methods either, because then that becomes too predictable for the adversary, and there could be a loss of information as a result.
One last idea to throw at you is the idea of using developers in conjunction with incident response when all these activities are taking place. That might seem like a strange thing to suggest. From some information that companies have released, there may be times where IOCs have been found or other events have been discovered, but there's a lack of understanding because there might not be the proper tools in place in order to bring the data together with the proper analysis, or there's a lack of a detection capability for certain kinds of information. If developers could be brought into the process and kept in reserve until needed, they might be able to cobble something together to help the investigation proceed. It's another angle to think about as far as how to make the organization more efficient and utilize resources more effectively.

All right, so that sums up this module. I'll see you in the next one, which will be the last one for the course. Thank you.