All right, this is an interesting table we have here. What this is showing on the left is all of the phases of the cyber kill chain. For the reconnaissance stage, doing these different things, what might the organization use? Web analytics, as I was just talking about a bit ago, for detection. For denial, firewall ACLs, firewall rules, make the most sense. During the weaponization phase, we can detect problems perhaps with a NIDS, or a network IPS for denial.
Delivery could happen in many different ways. So we detect that perhaps through a vigilant user; you think about the user community being the eyes and ears of the organization. Maybe denial happens through a proxy, because if malware is trying to connect to a known hostile IP address, the proxy should have that referenced in its configuration to prevent that from happening. In-line antivirus is also very useful for disruption: traffic must come in one port and go out another port, and therefore could be analyzed and blocked if needed. The delivery could be degraded with queuing, and what this means is that you're trying to buffer certain information and hold onto it before it's actually delivered.
For the exploitation phase, again, detection could involve an IDS, in this case a host-based IDS. The denial could be a HIPS, host-based intrusion prevention system, or maybe something as simple as patching or configuration changes. You could disrupt exploitation by using data execution prevention technology; this treats data as data and not as executable code. There are various operating system and application configuration settings you can use to enable this kind of capability.
For the installation phase, we get back to HIDS again. The IDS should detect the fact that suspicious actions are taking place on a host. If you had a HIPS, you could use that as part of your denial phase, or denial action rather. Chroot jails are also a good idea. This generally applies to web servers, but it could be for any type of service that has a folder structure associated with it: the user gains access to whatever folder they get access to, and they cannot get out of that folder. They cannot go up to a higher level within the file system in order to gain access to the root of the drive, for instance. The course of action for installation disruption is antivirus. Makes sense, right? If you can detect malware, it may be quarantined and prevented from further operations.
For the command and control phase, the detection course of action goes back to NIDS. If your network IDS is detecting multiple systems that are trying to leave the perimeter to contact a known hostile IP address, then your NIDS should detect that action and raise an alert. If I've got 100 systems all trying to contact their C2 server, that's pretty important and should be investigated. For the denial course of action, firewalls and HIPS come back into play here, because that means that perhaps the malware is trying to communicate, but it can't get out because it's being prevented by a firewall or a host-based intrusion prevention device, or software rather. Disruption: also, NIPS and HIPS could be useful here, because you're preventing certain actions of the malware from occurring. Now you can't get to a C2 server, it cannot tell the malware what to do, like if it was part of a botnet, for instance; that could be disrupted or even prevented completely. It's an interesting idea to use a tar pit or a black hole for degrading the communication with a C2 server. The tar pit is an unusual idea because what it's doing is holding a connection open when a suspicious connection is made, and this will greatly slow down or ruin the plan of attack, because they're not able to do scans very effectively, not able to send instructions to systems that have already been infected with malware. And then for deception purposes, we can think about DNS redirection, or DNS blackholing as it's sometimes called. There are lots of different ways to do this, but if a C2 server is identified, then its IP address could be blocked or could be redirected to go to something harmless, thereby removing the ability of the attacker to control the malware on remote systems that have been infected.
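As an added example (not from the lecture or its slides), here is a small Python check of the kind a network IDS would run for the command and control detection just described: it reads a few constructed flow log lines and alerts when an internal host contacts a known-hostile address, or when several internal hosts beacon to the same external destination. The log format, the internal address range, the hostile list and the threshold are all assumptions made for this demo.

```python
# Constructed NIDS-style check for the C2 detection described above: flags (a) an internal host
# contacting a known-hostile IP and (b) many distinct internal hosts beaconing to one destination.
from collections import defaultdict
import ipaddress

# Assumed: hostile indicator list from threat intel (constructed TEST-NET address).
KNOWN_HOSTILE = {"203.0.113.7"}
INTERNAL = ipaddress.ip_network("10.0.0.0/8")  # assumed internal range
FANOUT_THRESHOLD = 3  # this many distinct internal hosts to one destination raises an alert

# Constructed flow log lines in an assumed "<time> <src> -> <dst>:<port>" format.
SAMPLE_LOG = """\
09:00:01 10.0.1.11 -> 198.51.100.20:443
09:00:02 10.0.1.12 -> 203.0.113.7:8080
09:00:03 10.0.1.13 -> 198.51.100.20:443
09:00:04 10.0.1.14 -> 198.51.100.20:443
09:00:05 10.0.1.11 -> 198.51.100.20:443
09:00:06 10.0.2.9 -> 192.0.2.55:80
""".splitlines()

def parse(line):
    """Return (src, dst) from one log line, or None if the line is malformed."""
    try:
        _, src, _, dst_port = line.split()
        dst, _ = dst_port.rsplit(":", 1)
        return src, dst
    except ValueError:
        return None

def detect(lines, hostile=KNOWN_HOSTILE, threshold=FANOUT_THRESHOLD):
    """Run both checks over the lines; return alert strings in detection order."""
    alerts = []
    fanout = defaultdict(set)  # dst -> set of internal hosts that contacted it
    for line in lines:
        parsed = parse(line)
        if parsed is None:
            continue
        src, dst = parsed
        if ipaddress.ip_address(src) not in INTERNAL:
            continue  # only egress from internal hosts matters for C2 beaconing
        if dst in hostile:
            alerts.append(f"hostile-ip {src} -> {dst}")
        fanout[dst].add(src)
    for dst, hosts in fanout.items():
        if len(hosts) >= threshold:
            alerts.append(f"fanout {len(hosts)} hosts -> {dst}")
    return alerts

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print("ALERT", alert)
```

The fan-out rule is what catches the "100 systems all contacting their C2 server" case even when the destination is not yet on any hostile list; the hostile-IP rule fires on the very first beacon once the indicator is known.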
And then last, we have our actions on objectives stage. So for detection, there's your audit log: you're looking at all the different actions that might have been occurring in the previous steps above this step. You could degrade the actions on objectives by adjusting quality of service settings, thereby prioritizing traffic which is not considered dangerous and lowering the priority of traffic which may be considered suspicious or dangerous. And then for deception, we have the honeypot. You have low-interaction honeypots, which may fool certain types of tools and may fool an inexperienced attacker. A low-interaction honeypot appears to be advertising services, but it may not actually allow a full connection; the three-way handshake, for instance, does not complete. Whereas a high-interaction honeypot will allow a full connection and may also be compromised. It's much more convincing to the attacker that they are interacting with a real system. So that's the reason why high-interaction honeypots are sometimes used; however, they are more risky, and they need to be properly isolated in case the honeypot does get compromised. You don't want the attacker being able to use that system as a pivot point for further actions.
All right, so getting to our last module, or last slide rather, we have an expanded view of the courses of action that NIST came up with. I've got a link here. You can see, bring this document up; it takes a second to load, and it's fairly short, only 16 pages, if you want to look at it. You know, you may want to pause the slide, or rather the video, to look at the link. But the thing I want to point out is that it has nice detail about some of the pros and cons of the cyber kill chain. They expanded it, seeing that, okay, well, the seven steps are great, the courses of action are nice, but what they did was they moved it into a different arrangement. So in this case, all of your seven stages or phases are across the top, and then considerations about how the adversary might act are on the left side. So, considering their motivation, how do you detect motivation? How do you deny motivation? How do you degrade it? Public relations is an interesting choice here. Also prosecution: if people are getting in trouble that have been engaging in certain activity, it may deter other similar actors.
The objectives of the intruder: looking at web analytics again, open source intelligence gathering, OSINT; maybe degrading the objectives by practicing proper OPSEC, or operational security. Public relations again could be used to promote disinformation, which confuses the enemy or the adversary. The avenue of approach: again with web analytics and network IDS, which we saw in the discussion in the previous slide; disrupting through dynamic defense, so reacting to threats and actively blocking things; degrading with dynamic defense again. And operational security can help us. Well, if our organization reveals that it's under attack, then the adversaries know that they're having some effect. So there could be some reasons to keep some of that information, you know, under wraps. Deception: directing toward stronger defenses is an interesting idea. Honeypots might also be a thing to think about here.
For the capability of the attacker, open source intelligence could discover, through various tools and research, what the adversary's organization is all about, or it could be an individual. You might figure out if they are very advanced or whether they are, yeah, amateurs, for instance. An insider threat program could be good for disrupting the capabilities of a person within the organization that's perhaps working for the adversary. Dynamic defense shows up again for degrading, as well as directing towards stronger defenses, and a honeypot would be one method there. But it could be other things too, where certain websites or certain assets are brought online or taken offline in order to present some moving targets.
And then we have the access, actions and assessment phases to consider, with open source intelligence, web analytics and network IDS, and it looks like insider threat again for denial. Then we have dynamic defense and operational security for degrading someone's access. The intruder could be detected with an insider threat program, maybe even supply chain awareness; problems may be introduced into the organization by malicious software and hardware. For denial of actions, role-based access makes a lot of sense. Also, things like job rotation and dual control might also serve some purpose here. Quality of service showed up in our previous discussion about degrading actions, so you can change the priority level of certain types of network traffic relative to other types of network traffic. And then we still have the honeypot showing up for deceptive purposes. Doing assessment requires looking at some metrics, like Google Analytics, web analytics, social media, studying blogs and, uh, other types of forums where users might post information; public relations for denial again. And that shows up also for deception purposes, along with the honeypot, as we see over here.
Then there's a consideration of a restrike. Open source intelligence and various forms of analytics would be used to detect whether an attack is recurring, denying it with dynamic defense, hopefully with enough information gleaned in previous steps to be able to effectively deny, or rather defend against, a secondary or tertiary attack. And then we see public relations and honeypot again for deceptive purposes. So I definitely recommend reading this document and digging a little bit deeper into this. All right, that concludes the module. See you in the next one. Thank you.