The Cyber Kill Chain - Evaluating and Denying Threats


Time
4 hours 8 minutes
Difficulty
Intermediate
CEU/CPE
4
Video Description

Part 2 of the module on the CKC examines the steps concerned with analyzing threats and the various defensive actions available to thwart them. Threat analysis can consist of examining the delivery mechanism, reviewing log files from various sources, and looking for obvious signs of malicious intent such as emails with harmful links and attachments or infected software. Knowing which assets and individuals are being targeted can provide valuable clues. This type of intel can be extracted from log files, IDPS, firewalls and proxies, as well as from phishing and social engineering attempts. Intent can also be inferred from the targeting of databases, websites and Active Directory servers, and from evidence of network mapping. The synchronization of events from various sources is critical for proper forensic reconstruction. This entails the use of NTP (Network Time Protocol) so that every log source shares one reference clock. It entails extra work, but is required to prevent possibly incorrect conclusions. Delaying and degrading adversary tactics and malware are key steps in the CKC. Processes and methods for these steps consist of security awareness training, secure coding practices, vulnerability scanning and pentesting, endpoint hardening of servers and mobile devices to reduce attack surfaces, along with endpoint process auditing.
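The description's point about NTP is best seen on a concrete timeline. The following is an added example, not code from the course: three constructed log lines (a mail gateway, a web proxy and a domain controller) are ordered first by the timestamps each host wrote, then again after mapping each timestamp onto a common reference clock. The per-source offsets are assumed values of the kind you would measure on each host with `chronyc tracking` or `ntpdate -q`; the source names, log format and IP addresses are hypothetical.

```python
"""Reconstruct a cross-source forensic timeline while correcting for clock skew."""
import re
from datetime import datetime, timedelta

# Constructed sample log lines (not real data). Each host stamps events with
# its own local clock; the second field names the source.
SAMPLE_LOGS = [
    "2024-05-01T10:02:30 proxy GET http://203.0.113.9/update.bin client=10.0.0.5",
    "2024-05-01T10:06:00 mailgw DELIVERED to=jdoe@example.com attachment=invoice.zip",
    "2024-05-01T10:06:20 dc EventID=4624 user=jdoe src=10.0.0.5",
]

# Assumed per-source clock offsets in seconds relative to the NTP reference
# (hypothetical values). Positive means that host's clock runs ahead.
CLOCK_OFFSETS = {"mailgw": 180, "proxy": -120, "dc": 60}

LINE_RE = re.compile(r"^(\S+) (\S+) (.*)$")


def parse_line(line):
    """Split '<iso-timestamp> <source> <message>' into a dict."""
    m = LINE_RE.match(line)
    if not m:
        raise ValueError(f"unparseable log line: {line!r}")
    ts, source, message = m.groups()
    return {"logged": datetime.fromisoformat(ts), "source": source, "message": message}


def naive_timeline(lines):
    """Order events by the timestamp each host wrote, trusting every clock."""
    events = [parse_line(line) for line in lines]
    events.sort(key=lambda e: e["logged"])
    return [(e["logged"], e["source"], e["message"]) for e in events]


def corrected_timeline(lines, offsets):
    """Order events after mapping each timestamp onto the reference clock."""
    events = []
    for line in lines:
        e = parse_line(line)
        if e["source"] not in offsets:
            # Refuse to guess: an unmeasured clock cannot be placed on the timeline.
            raise KeyError(f"no measured clock offset for source {e['source']!r}")
        # A clock running `offset` seconds ahead stamped the event too late;
        # subtracting the offset recovers reference time.
        e["reference"] = e["logged"] - timedelta(seconds=offsets[e["source"]])
        events.append(e)
    events.sort(key=lambda e: e["reference"])
    return [(e["reference"], e["source"], e["message"]) for e in events]


def source_order(timeline):
    """Just the sequence of sources, handy for comparing the two orderings."""
    return [source for _, source, _ in timeline]


if __name__ == "__main__":
    print("Naive order (trusting each host's clock):")
    for ts, src, msg in naive_timeline(SAMPLE_LOGS):
        print(f"  {ts.isoformat()}  {src:7} {msg}")
    print("Corrected order (mapped onto the NTP reference):")
    for ts, src, msg in corrected_timeline(SAMPLE_LOGS, CLOCK_OFFSETS):
        print(f"  {ts.isoformat()}  {src:7} {msg}")
```

Read naively, the proxy shows the payload being fetched before the phishing mail arrived, which would wrongly rule out email as the delivery mechanism. Once the offsets are applied the sequence becomes mail, download, logon. The corrected timeline only exists because the offsets were measured; with every host synced to one internal NTP server the offsets are effectively zero and the first ordering is already right.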

Video Transcription
00:04
Now I could think about
00:06
trying to deny a threat access to your environment. To begin with, there are several different
00:11
ways to go about this.
00:13
One obvious choice would be to just
00:15
analyze the delivery mechanism.
00:18
If enough information has been gathered during a forensics investigation,
00:24
you've got your log files
00:26
from firewalls, proxies,
00:30
IDPS
00:31
and so on.
00:32
You could look for the obvious paths, like email:
00:37
emails that have malicious attachments or links to malicious websites,
00:43
maybe even
00:45
someone installing software which appears to be safe to use but actually has malware
00:50
embedded in it. This could be commercial software;
00:53
that's been known to happen. It's somewhat rare, but still a possibility.
00:57
So the delivery mechanism should be understood to see if that is part of the
01:02
vulnerability. Maybe it's something that people are doing
01:04
that is not completely a technological problem.
01:10
And we want to think about what,
01:11
through this understanding, through this analysis, what assets or which individuals
01:15
were actually targeted.
01:19
If
01:21
enough technical information is available, you can look at various forms of logging,
01:26
different events from your SIEM device, from IDPS and so on,
01:30
to get an idea
01:32
as to which assets were targeted and which ones were not.
01:36
And
01:37
during later analysis, maybe there's some
01:40
understanding of why that is.
01:42
But individuals
01:45
might also be an interesting thing to study, because there's
01:48
the typical phishing attack or social engineering based attacks, and these are
01:52
sort of very synonymous with each other,
01:56
where a phishing attempt
01:57
does involve some social engineering, but it's not always that straightforward. It could be social engineering done in person
02:05
or over the phone,
02:06
and that's not really
02:07
what we would normally associate with phishing, which is usually done through email.
02:15
Anyways, knowing what the targeting was
02:17
does help, too,
02:20
to try to estimate what the intentions were of the adversary or the attacker.
02:24
Are they going after databases to try to exfiltrate customer data?
02:29
Maybe they want to
02:31
get information about the public facing websites because
02:36
there's a pathway there to get into a database, for instance.
02:39
They might be trying to learn about the network topology, trying to map it all out,
02:45
because they are involved in an APT, and part of an APT campaign would be, of course, to spend time
02:52
very carefully
02:53
mapping out the entire network topology, the entire network infrastructure,
02:58
so that you know where the firewalls are, you know where the IDS or IPS might be located,
03:02
you'll know if there's
03:04
host based IPS and IDS in use, you might figure out where all the routes go, where all the gateways are.
03:10
These are all valuable
03:12
bits of information
03:14
for the attacker to try to realize, to help with their long term goals.
03:21
One thing that I need to place some emphasis on
03:24
is the value of using NTP,
03:28
or Network Time Protocol,
03:30
because I've discussed all these different ways to gather information from these different data sources.
03:35
They lose a lot of their usability if you're not synchronized to a single time source,
03:43
so a well run organization should have
03:46
a system within the perimeter that synchronizes with an external time source, typically provided by a university
03:53
or a government agency.
03:55
These time sources are accurate to within thousandths of a second,
04:00
so they make an excellent reference point.
04:02
That system that's within the perimeter now will be used to synchronize all the rest of the systems within the perimeter.
04:10
They all point to it
04:11
as their time source.
04:13
The reason this is so important:
04:15
there's many reasons, but one reason
04:16
is that certain protocols will not function correctly if
04:20
the time
04:21
between two systems is
04:24
not very, very closely aligned;
04:28
things like Kerberos or PKI. Other applications may break; authentication mechanisms may break.
04:34
So it's important for that reason.
04:35
The primary reason why NTP is so important is that
04:40
you want to always be thinking about,
04:42
if you're gaining data from 10 different sources, all different pieces of infrastructure in your environment,
04:47
trying to do a forensic investigation,
04:49
you want to know with a very
04:53
high degree of certainty exactly which events happened and in which order.
05:00
If my clocks are two minutes off on this system and three minutes off on this other system,
05:04
and maybe another system is a minute ahead,
05:08
now I've got to figure all the time deltas out before I can properly analyze the data. That just causes a lot of extra work and possibly some confusion and maybe even
05:18
incorrect conclusions as well.
05:21
So,
05:24
moving on, we could think about, okay, now we've studied some
05:28
instances where, by following the CKC seven-step methodology, we know that an attacker got in and they did some things. We got some information about that.
05:36
How do you deal with this process of
05:40
delaying or degrading these kinds of actions in the future?
05:44
That's an important consideration.
05:47
The organization should always be trying to find ways to make incremental improvements in these areas,
05:53
so that as time goes on, all these processes become more mature
05:58
and there should be less time
06:00
wasted on trying to figure out what to do, because it's already a known methodology and everyone
06:05
should be better, well versed in their job functions.
06:11
We could start with security awareness training.
06:14
This is a minimal requirement for most individuals that work in any kind of IT capacity.
06:20
Sometimes the security awareness training is not very effective, however;
06:25
it may be the same training for several years in a row, and everyone just knows the answers to the questions, and they just skip to the end and get their proof that they took the training.
06:34
That's obviously not going to benefit the organization as much as
06:39
having more interactive training which does change from time to time
06:43
and requires thinking and problem solving.
06:46
We can also consider secure coding practices. That's an obvious choice for any organization that develops their own software in house.
06:56
Compliance audits and vulnerability scans should also be regularly scheduled,
07:01
actually, within most organizations,
07:04
and occasionally penetration testing as well.
07:08
I may have already mentioned the two different triggers for audits, vulnerability scanning and pen testing.
07:14
Generally, these are time based,
07:15
so it's an annual thing or a biannual thing or a quarterly thing that's being done.
07:21
Well, the other trigger is event based,
07:24
so there's been a large incident;
07:26
now audits, vulnerability scanning and pen testing may all have to happen again because
07:30
something's happened and the organization needs assurance that their controls and their people
07:36
are performing correctly.
07:39
That's
07:40
the best way to get that kind of information.
07:43
Looking at your
07:45
various endpoints in the organization, whether it's a server or workstation or even a mobile device,
07:49
those can be studied as far as their configurations.
07:53
There may be patterns of behavior for use,
07:56
and, of course, they should be hardened as much as possible
07:59
to make it more difficult for an intruder to gain access to begin with,
08:03
or effectively, you're trying to reduce the attack surface
08:07
so that a penetrator,
08:09
the attacker,
08:11
just doesn't see as many opportunities to gain
08:13
the ability to interact with a system in an unauthorized manner.
08:20
It stands to reason also that,
08:22
as I mentioned in the previous section,
08:24
reverse engineering, and then trying to block command and control,
08:28
trying to
08:30
block access to
08:33
malicious websites that perhaps the malware is trying to connect to. These are all standard
08:37
actions that can be taken to better deal with
08:41
the denial
08:43
of future problems.