Time: 4 hours 8 minutes
Difficulty: Intermediate
CEU/CPE: 4

Video Description

Module 8 is a deep dive into the Cyber Kill Chain (CKC) that was introduced in an earlier module. The phases of the CKC lifecycle are:

  • Passive data discovery
  • Detection
  • Denial
  • Delaying
  • Degrading

Lockheed Martin (LM) has produced an intelligence-driven defense model consisting of seven steps. Dean begins reviewing this model by discussing passive discovery of data and the many different sources of data within an environment. Next he discusses detecting future threat actions and capabilities and how this can be accomplished by reverse engineering malware. This process can provide clues to understanding how malware operates and how the infection occurred. Such knowledge can help prevent future infections. Detecting weaponization is discussed next. This involves detecting malicious payloads, Trojans, or what is being targeted such as a file or app. Evidence of such payloads can manifest as registry changes, new or missing files, and other artifacts as well as suspicious traffic activity. The video concludes with a discussion of the analysis of the attack timeline, when the malware was created, tested, and deployed, its capabilities and level of sophistication which all can provide clues to crafting a defense and detection methods.
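The description above and the transcript below make two concrete detection points about passive data discovery: a visitor that spends about a quarter of a second per page is probably a crawler, not a person, and NetFlow-type records that show a large volume of data leaving toward a single IP address deserve investigation. The following Python script is an added example written for this page, not code from the course or from Lockheed Martin. It runs over a few constructed analytics and flow records embedded inline; the thresholds (median dwell under 1 second, at least 10 MB and half of all outbound bytes to one destination) are assumptions chosen for illustration, not values the course states.

```python
"""Added example: flag crawler-like web sessions and outsized outbound transfers.

Both checks illustrate the "passive data discovery" idea: the data is already
in analytics and NetFlow-style records; the work is choosing metrics and
interpreting them. Thresholds below are illustrative assumptions, not values
from the course.
"""
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed web analytics records: (client_id, page, ISO-8601 timestamp).
# client-a steps through pages about every 0.25 s; client-b reads at human pace.
PAGE_VIEWS = [
    ("client-a", "/", "2024-01-10T10:00:00.000"),
    ("client-a", "/about", "2024-01-10T10:00:00.250"),
    ("client-a", "/products", "2024-01-10T10:00:00.500"),
    ("client-a", "/contact", "2024-01-10T10:00:00.740"),
    ("client-a", "/careers", "2024-01-10T10:00:01.000"),
    ("client-b", "/", "2024-01-10T10:05:00.000"),
    ("client-b", "/products", "2024-01-10T10:05:42.000"),
    ("client-b", "/contact", "2024-01-10T10:07:10.000"),
]

# Constructed NetFlow-style records: (src_ip, dst_ip, bytes_out). The two
# large flows to 203.0.113.7 stand in for a whole-site copy leaving the network.
FLOWS = [
    ("10.0.0.5", "203.0.113.7", 52_000_000),
    ("10.0.0.5", "203.0.113.7", 48_000_000),
    ("10.0.0.6", "198.51.100.2", 120_000),
    ("10.0.0.7", "198.51.100.9", 85_000),
]


def dwell_times(views):
    """Seconds between consecutive page views, keyed by client, in time order."""
    by_client = defaultdict(list)
    for client, page, ts in views:
        by_client[client].append((datetime.fromisoformat(ts), page))
    gaps = {}
    for client, items in by_client.items():
        items.sort()
        gaps[client] = [
            (later[0] - earlier[0]).total_seconds()
            for earlier, later in zip(items, items[1:])
        ]
    return gaps


def crawler_like_clients(views, max_median_dwell=1.0, min_pages=3):
    """Clients that move between pages faster than a person could read them.

    A median is used rather than a mean so one long pause does not hide an
    otherwise machine-paced session.
    """
    flagged = []
    for client, gaps in dwell_times(views).items():
        enough_pages = len(gaps) + 1 >= min_pages
        if enough_pages and gaps and median(gaps) < max_median_dwell:
            flagged.append(client)
    return sorted(flagged)


def outbound_concentration(flows, share_threshold=0.5, min_bytes=10_000_000):
    """Destination IPs that receive both a large absolute volume and a
    disproportionate share of all outbound bytes in the window."""
    per_dst = defaultdict(int)
    for _src, dst, nbytes in flows:
        per_dst[dst] += nbytes
    total = sum(per_dst.values())
    if total == 0:
        return []
    return sorted(
        dst for dst, nbytes in per_dst.items()
        if nbytes >= min_bytes and nbytes / total >= share_threshold
    )


if __name__ == "__main__":
    for client, gaps in dwell_times(PAGE_VIEWS).items():
        print(f"{client}: median dwell {median(gaps):.2f}s over {len(gaps) + 1} pages")
    print("crawler-like:", crawler_like_clients(PAGE_VIEWS))
    print("outbound concentration:", outbound_concentration(FLOWS))
```

On the constructed data, `client-a` is flagged (median dwell 0.25 s across five pages) while `client-b` is not, and `203.0.113.7` is reported as the destination absorbing almost all outbound bytes. In a real deployment the two checks would read from the analytics export and flow collector rather than inline lists, and the thresholds would be tuned against a baseline of normal traffic before alerts are acted on.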

Video Transcription

00:04
hello and welcome to the next module in the Cyber Threat Intelligence Course.
00:09
In this module, we're gonna be taking a deeper dive into the Cyber Kill Chain.
00:13
We'll look a little bit more at where this concept came from.
00:17
We're talking about passive data discovery, the detection of
00:20
various artifacts
00:22
of malware, for instance.
00:24
Also look at the
00:26
ways to degrade or disrupt
00:30
the actions of an adversary.
00:32
And then we'll wrap up with the courses of action, and an expanded course of action that has come out recently.
00:40
So, a little more data here about the Cyber Kill Chain from Lockheed Martin.
00:44
They call this their intelligence driven defense model.
00:48
It's certainly a very popular model, and has been for some time now.
00:53
There are some criticisms, of course, that it
00:56
perhaps focuses too much on the perimeter.
00:59
That is a decent critique, I think, but it's still a great way for an organization to
01:06
gain some familiarity with industry standard
01:08
best practices.
01:11
On the right, we see seven steps of the Cyber Kill Chain,
01:15
and these are basically the TTPs,
01:18
or tactics, techniques, and procedures, of your adversary.
01:21
We covered this a little bit in an earlier module,
01:23
but we see that
01:26
some of the intervening steps that you might engage in
01:30
as it relates to the Cyber Kill Chain, or CKC,
01:34
are also very important,
01:38
beginning with passive discovery.
01:41
First is the passive discovery of data.
01:44
There are lots of data sources within a typical environment
01:47
where useful information could be gleaned
01:49
by figuring out
01:52
what to look for and how to interpret it.
01:55
Starting off with the website visitors.
01:57
If you're using tools like Google Analytics or other similar
02:02
vendor provided assets
02:06
your hosting provider may have some tools
02:09
to gather different kinds of metrics. Google Analytics is very popular because they can capture
02:15
tremendous amounts of detail about how your website operates.
02:20
Which pages are popular, which pages are not being navigated to
02:23
very often. Even the overall patterns of navigation for your users can be analyzed.
02:30
And this is a great
02:32
way of getting some insight into how your
02:36
public-facing asset might be
02:38
used by your customers by your users and, of course, by adversaries.
02:45
So one of the challenges here has to do with
02:47
identifying the proper metrics to gather.
02:52
Looking at how long someone stays on the page,
02:54
for instance, might not seem very relevant.
02:57
But if you put that in the context of
03:00
someone appearing to visit a page for exactly 0.25 seconds before switching to another page,
03:07
there's probably not a human behind that activity.
03:09
It stands to reason that that's the case.
03:12
The idea about
03:14
reconnaissance behavior
03:16
being detectable is also important here,
03:20
because
03:21
someone who is using a tool to crawl a website, first,
03:24
there are many tools out there for this.
03:28
This technique involves going through the website's
03:30
source code page by page
03:34
and extracting
03:36
and enumerating any links that are discovered.
03:39
All this data
03:42
is then catalogued by the search engine, for instance, or by the tool that the attacker's running.
03:46
This should look different
03:49
when analyzing metrics and other kinds of analytics when compared to the behavior of an actual human being on the other end.
03:58
Something even more suspicious would be detecting someone trying to copy a website.
04:03
Again, there are lots of tools for this,
04:06
and the copying of an entire website will certainly look suspicious to various monitoring tools that you'll probably have in your organization.
04:14
An IDS,
04:15
or
04:16
NetFlows, for instance, would see large amounts of data going outbound to a single IP address.
04:21
That looks like something strange is going on and should be investigated,
04:26
so identifying the patterns
04:28
for
04:30
data discovery
04:30
to be fully effective is really what we're getting at here. But also think about
04:35
what kinds of capabilities and actions does an adversary plan for the future.
04:41
It's hard to know
04:43
until the event happens. There might be some ability to do some prediction
04:47
or some intelligent guessing.
04:50
For instance, the idea of reverse engineering malware
04:55
is very critical for most organizations. This is a large
04:59
and broad body of knowledge, or broad and deep, you might also say,
05:02
but better analysis and reverse engineering of malware provides a lot of clues.
05:09
There could be domain names that were discovered in the malware
05:12
or IP addresses that are related to
05:15
its creators,
05:16
maybe information that links back to their command and control servers, for instance.
05:23
Also, there could be an understanding of how that malware operates.
05:26
What connections does it try to make, what files does it try to change,
05:30
which registry entries are affected when it tries to install itself.
05:34
All these clues have value to the analyst
05:38
because then they could try to understand: okay, well, now we know a little bit more about how the
05:43
malware operates, we can
05:46
understand better how the infection happened to begin with, and hopefully
05:49
also understand how to prevent
05:53
similar malware from being successful in the future.
05:58
Weaponization of malware.
06:00
Generally, we think about that as occurring at the attacker's end of the conversation.
06:03
They create a malicious payload
06:06
injected into a
06:09
pdf or something else like this,
06:12
and then their goal is to just get it delivered to the victim.
06:15
Sometimes weaponization happens at the victim's machine
06:18
because some file that exists already on that system is the target of the malware insertion process.
06:26
Or maybe it's a common program that the victim uses, like,
06:30
uh,
06:30
you know, an Office
06:33
program like Word, or maybe even the calculator
06:36
or some other operating system tools, perhaps.
06:40
So when the weaponization happens at the victim machine, there is expected to be some kind of residual evidence.
06:46
In many cases,
06:47
it could be changes to the registry, as I just spoke about a minute ago.
06:53
There could be files and folders that weren't there before,
06:57
new files and folders, missing files and folders.
07:00
There could be changes to system configuration files.
07:03
All these things,
07:04
as we talked about in earlier chapters, might be considered indications of compromise.
07:10
So they relate back to this idea that there's
07:13
some tangible evidence of a change or changes made to a system
07:17
when malware was either delivered and activated or perhaps created and activated at the victim's machine.
07:26
Other considerations would be to look at the actual
07:30
timeline.
07:30
For,
07:31
if it's known anyway,
07:33
you'll need access to a lot of information to be able to do this sort of analysis properly.
07:39
But it might be possible to look at when malware was created,
07:43
when it was tested and when it was deployed.
07:46
If there's enough information available,
07:49
and this
07:50
again provides some insight into how the
07:54
attacker's methodology operates. What kinds of capabilities do they appear to have?
08:00
What is their level of sophistication?
08:01
And also, how long does it take them to
08:05
create malware once they've gained access to a system?
08:09
These are all good clues, because it helps to inform a properly created defense and also helps to inform
08:18
detection methods and to refine them so that they're more timely in the future.
08:24
So these artifacts and these different clues that are left behind
08:28
should be collected and
08:30
plugged into the timeline as best as possible.
08:33
This allows the analyst
08:35
to work with other individuals, maybe, you know, security engineers or
08:39
network engineers,
08:43
even developer teams and so on.
08:46
And they could start to piece together how the attack happened, how long it took to
08:50
develop the, you know, the capability that caused a problem
08:54
and maybe even how long it took before detection was possible.
08:58
In the case of APTs, or
09:01
advanced persistent threats,
09:05
sometimes detection can take days, weeks, months, even years.
09:07
And knowing how that timeline operates is vital to
09:13
improving over that,
09:15
or making incremental improvements in the future.


Instructed By

Dean Pompilio
CEO of SteppingStone Solutions
Instructor