The Cyber Kill Chain - Deep Dive | Cybrary

Video Activity

Create Free Account

Module 8 is a deep dive into the Cyber Kill Chain (CKC) that was introduced in an earlier module. The phases of teh CKC lifecycle are: Passive data discovery Detection Denial Delaying Degrading Lockheed Martin (LM) has produced an intelligence-driven defense model consisting of seven steps. Dean begins reviewing this model by discussing passive di...

Sign up with

Or

Already have an account? Sign In »

Time

4 hours 8 minutes

Difficulty

Intermediate

CEU/CPE

4

Create Free Account

Module 8 is a deep dive into the Cyber Kill Chain (CKC) that was introduced in an earlier module. The phases of teh CKC lifecycle are:

Passive data discovery
Detection
Denial
Delaying
Degrading

Lockheed Martin (LM) has produced an intelligence-driven defense model consisting of seven steps. Dean begins reviewing this model by discussing passive discovery of data and the many different sources of data within an environment. Next he discusses detecting future threat actions and capabilities and how this can be accomplished by reverse engineering malware. This process can provide clues to understanding how malware operates and how the infection occurred. Such knowledge can help prevent future infections. Detecting weaponization is discussed next. This involves detecting malicious payloads, Trojans, or what is being targeted such as a file or app. Evidence of such payloads can manifest as registry changes, new or missing files, and other artifacts as well as suspicious traffic activity. The video concludes with a discussion of the analysis of the attack timeline, when the malware was created, tested, and deployed, its capabilities and level of sophistication which all can provide clues to crafting a defense and detection methods.

00:04

hello and welcome to the next module in the Cyber Threat Intelligence Course.

00:09

In this novel, we're gonna be taking a deeper dive into the cyber killed change.

00:13

Well, look a little bit more where this concept came from.

00:17

We're talking about Pass a gate of Discovery. The detection of

00:20

various artifacts

00:22

of malware, for instance.

00:24

Also look at the

00:26

ways to degrade or disrupt

00:30

the actions of an adversary.

00:32

And then we'll wrap up with the courses of action and an expanded course of action that has to come from Mr Recently.

00:40

So Louis, more data here about the cyber. It'll change from Lockheed Martin.

00:44

They call this their intelligence driven defense model.

00:48

It's certainly a very popular model has been for some time now.

00:53

There are some criticisms, of course, that it's

00:56

perhaps focuses too much on the perimeter.

00:59

That is a decent critique tip to use, but it's still a great wait for an organization to

01:06

gained some familiarity with with industry standard

01:08

that's practices

01:11

on the right. We see seven steps of the cyber kill chain,

01:15

and these are basically the GP piece

01:18

Sargi Teepees of your adversary.

01:21

We covered this a little bit an earlier model,

01:23

but we see that the

01:26

some of the intervening steps that you might engage in

01:30

as it relates to the cyber Kill Jane or C K. C. Seven

01:34

heart also very important,

01:38

beginning with discovery of passive

01:41

first are the passive discovery of data.

01:44

There are lots of DEA sources within a typical environment

01:47

where useful information could be gleaned

01:49

by figuring out

01:52

we're look for and how to interpret it.

01:55

Starting off with the website visitors.

01:57

If you're using tools like Google Analytics or other similar

02:02

vendor provided assets

02:06

you're hosting, provider may have some tools

02:09

to gather different kinds of metrics. Google Analytics is very popular because they can capture

02:15

tremendous amounts of detail about how your website operates.

02:20

Which pages are popular, which pages are not being navigated to

02:23

very often. Even the overall patterns of navigation for your users can be an a lot.

02:30

And this is a great

02:32

way to getting some insight into how your

02:36

you're a public facing asset might be

02:38

used by your customers by your users and, of course, by adversaries.

02:45

So one of the challenges here has to do

02:47

identify proper metrics to gather,

02:52

looking at how long someone stays on the page,

02:54

for instance, might not seem very relevant.

02:57

But if you put that in the context of

03:00

someone appearing to visit a page for exactly 0.25 seconds before switching to another page,

03:07

there's probably not a human behind that activity.

03:09

It stands to reason that that's

03:12

the The idea about

03:14

reconnaissance behavior

03:16

being detectable is also important here,

03:20

because a

03:21

someone who is using a tool to crawl a website first.

03:24

There's many tools out there for this.

03:28

This technique involves going through the Web sites

03:30

source code page by page

03:34

and extracting

03:36

and new aerating any links that are discovered.

03:39

All this data

03:42

is then catalogued by the search engine, for instance, or by the tool that the Attackers running.

03:46

This should look different

03:49

when analyzing metrics and other kinds of analytics when compared to the behavior of a actual human being. On the other end,

03:58

something even more suspicious would be detecting someone trying to copy a website

04:03

again. There are lots of tools for this,

04:06

and the copying of an entire website will certainly look suspicious to various monitoring tools that you'll probably have in your organization.

04:14

A 90 PS

04:15

no

04:16

net flows, for instance, would see large amounts of data going outbound to a single I P address

04:21

that looks like something strange is going on should be investigated,

04:26

so I don't find the patterns

04:28

for

04:30

date of discovery.

04:30

To be fully effective is really what we're getting out here. But also think about

04:35

what kinds of capabilities and actions doesn't adversary plan for the future.

04:41

It's hard to know

04:43

until the event happens. There might be some ability to do some prediction

04:47

or some intelligent guessing.

04:50

For instance, the idea of reverse engineering mount where

04:55

is very critical for most organizations, this is a large

04:59

in broad body. Acknowledge her brought in deep, you might also say,

05:02

but better analysis on reverse engineering of malware provides a lot of clues.

05:09

There could be domain names that were discovered in the malware

05:12

or I P addresses that are related to

05:15

its creators,

05:16

maybe maybe information that links back to their command and control servers, for instance.

05:23

Also, there could be an understanding of how that were operates.

05:26

What connections doesn't try to make what files doesn't try to change

05:30

which register entries are affected when it, when it tries to install itself.

05:34

All these clues have value to the analyst

05:38

because then they could try to understand. Okay, well, now we know a little bit more about how the

05:43

the now operates weaken,

05:46

understand better how the infection happened to begin with, and hopefully

05:49

also understand how to prevent

05:53

similar malware from being successful in the future

05:58

weaponization of malware.

06:00

Generally, we think about that as occurring at the Attackers. End of the conversation.

06:03

They create a malicious payload

06:06

injected into a

06:09

pdf or something else like this,

06:12

and then their goals to just get it delivered to the victim.

06:15

Sometimes weaponization happens at the victim's machine

06:18

because some file that exists already on that system is the target of the malware insertion process.

06:26

Or maybe it's a common program that the victim uses, like,

06:30

uh,

06:30

you know, officer

06:33

program like word or maybe even the calculator

06:36

or some other operating system tools. Perhaps.

06:40

So when the weaponization happens at the victim machine, there is expected to be some kind of residual evidence.

06:46

In many cases,

06:47

it could be changes to the registry is I just spoke about a minute ago

06:53

that could be files and folders that weren't there before

06:57

new files and folders missing 1000 folders.

07:00

There could be changes to system configuration files.

07:03

All these things,

07:04

as we talked about in earlier chapters, might be considered indications of compromise.

07:10

So they relate back to this idea that there's

07:13

some tangible evidence of a change or changes made to a system

07:17

when malware was either delivered and activated or perhaps created and activated at the victim's machine.

07:26

Other considerations would be to look at the actual

07:30

timeline.

07:30

Four.

07:31

If it's known anyway,

07:33

you'll need access to a lot of information to able to do this sort of analysis properly.

07:39

But it might be possible to look at when malware was created

07:43

when it was tested and when it was deployed.

07:46

If there's enough information available

07:49

and this

07:50

again provide some insight into how the

07:54

the Attackers methodology operates, what kinds of capabilities do they appear to have?

08:00

What is their level of sophistication?

08:01

And also, how long does it take them to

08:05

create malware once they've gained access to a system?

08:09

These are all good good clues because it helps to inform a properly created defense and also an axe to inform

08:18

detection methods and to refine them so that they're more timely in the future.

08:24

So these artifacts and these these different clues that left behind

08:28

should be collected and

08:30

plugged into the timeline as best as possible.

08:33

This allows the analyst

08:35

to work with other individuals. Maybe, you know, security engineers or

08:39

network engineers,

08:43

even developer teams and so on.

08:46

And they could start to piece together how the attack happened, how long it took to

08:50

developed the, you know, the capability that caused a problem

08:54

and maybe even how long it took before detection was possible.

08:58

In the case of of a P. T. S or

09:01

advanced persistent threats,

09:05

sometimes detection can take days, weeks, months, even years.

09:07

And knowing how that timely operates is vital to

09:13

improving over over that

09:15

are making incremental improvements in the future.

The Cyber Kill Chain - Evaluating and Denying Threats

The Cyber Kill Chain - CKC Reference Tables

Tactical Threat Intelligence Requirements

Cyber Kill Chain Analysis - CKC7 Deep Dive

Cyber Kill Chain Analysis - IOC Identification

The CTI course consists of 12 information-packed modules. CTI is a critical function within any organization that involves roles like analysts, methodologies, tools, teams, and policies. From threat analysis to the Cyber Kill Chain, learn it here.

CEO of SteppingStone Solutions