00:04
Hello and welcome to the next module in the Cyber Threat Intelligence course.
00:09
In this module, we're going to be taking a deeper dive into the cyber kill chain.
00:13
We'll look a little bit more at where this concept came from.
00:17
We're talking about passive discovery, the detection
00:22
of malware, for instance,
00:26
ways to degrade or disrupt
00:30
the actions of an adversary.
00:32
And then we'll wrap up with the courses of action and an expanded course of action that has come about more recently.
00:40
So, a little more data here about the cyber kill chain from Lockheed Martin.
00:44
They call this their intelligence driven defense model.
00:48
It's certainly a very popular model, and has been for some time now.
00:53
There are some criticisms, of course, that it
00:56
perhaps focuses too much on the perimeter.
00:59
That is a decent critique, but it's still a great way for an organization to
01:06
gain some familiarity with an industry standard.
01:11
On the right, we see the seven steps of the cyber kill chain,
01:15
and these are basically the TTPs,
01:18
the TTPs of your adversary.
01:21
We covered this a little bit in an earlier module;
01:26
some of the intervening steps that you might engage in
01:30
as it relates to the cyber kill chain, or CKC7,
01:34
are also very important,
01:38
beginning with passive discovery.
01:41
First is the passive discovery of data.
01:44
There are lots of data sources within a typical environment
01:47
where useful information could be gleaned,
01:52
if you know where to look for it and how to interpret it.
01:55
Starting off with website visitors.
01:57
If you're using tools like Google Analytics or other similar
02:02
vendor-provided assets,
02:06
your hosting provider may have some tools
02:09
to gather different kinds of metrics. Google Analytics is very popular because it can capture
02:15
tremendous amounts of detail about how your website operates.
02:20
Which pages are popular, which pages are not being navigated to
02:23
very often. Even the overall patterns of navigation for your users can be a
02:32
way of getting some insight into how your
02:36
public-facing asset might be
02:38
used by your customers, by your users and, of course, by adversaries.
02:45
So one of the challenges here has to do with
02:47
identifying the proper metrics to gather.
02:52
Looking at how long someone stays on the page,
02:54
for instance, might not seem very relevant.
02:57
But if you put that in the context of
03:00
someone appearing to visit a page for exactly 0.25 seconds before switching to another page,
03:07
there's probably not a human behind that activity.
03:09
It stands to reason that that's
03:14
reconnaissance behavior.
03:16
Being able to detect this is also important here,
03:21
for example, someone who is using a tool to crawl a website first.
03:24
There are many tools out there for this.
03:28
This technique involves going through the website's
03:30
source code page by page
03:36
and enumerating any links that are discovered.
03:42
This is then catalogued by the search engine, for instance, or by the tool that the attacker is running.
03:46
This should look different
03:49
when analyzing metrics and other kinds of analytics, when compared to the behavior of an actual human being on the other end.
03:58
Something even more suspicious would be detecting someone trying to copy a website.
04:03
Again, there are lots of tools for this,
04:06
and the copying of an entire website will certainly look suspicious to various monitoring tools that you'll probably have in your organization.
04:16
NetFlow, for instance, would see large amounts of data going outbound to a single IP address.
04:21
That looks like something strange is going on and should be investigated.
04:26
So identifying the patterns
04:30
to be fully effective is really what we're getting at here. But also think about
04:35
what kinds of capabilities and actions does an adversary plan for the future.
04:43
Until the event happens, there might be some ability to do some prediction
04:47
or some intelligent guessing.
04:50
For instance, the idea of reverse engineering malware
04:55
is very critical for most organizations. This is a large
04:59
and broad body of knowledge, or broad and deep, you might also say,
05:02
but better analysis and reverse engineering of malware provides a lot of clues.
05:09
There could be domain names that were discovered in the malware
05:12
or IP addresses that are related to it,
05:16
maybe information that links back to their command and control servers, for instance.
05:23
Also, there could be an understanding of how the malware operates.
05:26
What connections does it try to make, what files does it try to change,
05:30
which registry entries are affected when it tries to install itself.
05:34
All these clues have value to the analyst,
05:38
because then they can try to understand: okay, well, now we know a little bit more about how the
05:43
malware operates, we can
05:46
understand better how the infection happened to begin with, and hopefully
05:49
also understand how to prevent
05:53
similar malware from being successful in the future.
05:58
Weaponization of malware.
06:00
Generally, we think about that as occurring at the attacker's end of the conversation.
06:03
They create a malicious payload,
06:09
a PDF or something else like this,
06:12
and then their goal is to just get it delivered to the victim.
06:15
Sometimes weaponization happens at the victim's machine,
06:18
because some file that exists already on that system is the target of the malware insertion process.
06:26
Or maybe it's a common program that the victim uses, like a
06:33
program like Word, or maybe even the calculator
06:36
or some other operating system tools. Perhaps.
06:40
So when the weaponization happens at the victim machine, there is expected to be some kind of residual evidence.
06:47
It could be changes to the registry, as I just spoke about a minute ago.
06:53
There could be files and folders that weren't there before:
06:57
new files and folders, missing files and folders.
07:00
There could be changes to system configuration files.
07:04
These, as we talked about in earlier chapters, might be considered indicators of compromise.
07:10
So they relate back to this idea that there's
07:13
some tangible evidence of a change or changes made to a system
07:17
when malware was either delivered and activated or perhaps created and activated at the victim's machine.
07:26
Other considerations would be to look at the actual
07:31
If it's known, anyway.
07:33
You'll need access to a lot of information to be able to do this sort of analysis properly.
07:39
But it might be possible to look at when malware was created
07:43
when it was tested, and when it was deployed.
07:46
If there's enough information available, it can
07:50
again provide some insight into how
07:54
the attacker's methodology operates. What kinds of capabilities do they appear to have?
08:00
What is their level of sophistication?
08:01
And also, how long does it take them to
08:05
create malware once they've gained access to a system?
08:09
These are all good clues because they help to inform a properly created defense and also act to inform
08:18
detection methods and to refine them so that they're more timely in the future.
08:24
So these artifacts and these different clues that are left behind
08:28
should be collected and
08:30
plugged into the timeline as best as possible.
08:33
This allows the analyst
08:35
to work with other individuals, maybe, you know, security engineers or
08:43
even developer teams and so on.
08:46
And they could start to piece together how the attack happened, how long it took to
08:50
develop the, you know, the capability that caused the problem,
08:54
and maybe even how long it took before detection was possible.
08:58
In the case of APTs, or
09:01
advanced persistent threats,
09:05
sometimes detection can take days, weeks, months, even years.
09:07
And knowing how that timeline operates is vital to
09:13
improving over that,
09:15
or making incremental improvements in the future.