Time
4 hours 8 minutes
Difficulty
Intermediate
CEU/CPE
4

Video Description

In this concluding video of the CKC module, Dean reviews a useful table that covers all phases of the Cyber Kill Chain (CKC). The table lists the CKC phases along with the available courses of action for each phase; not every phase has an available action, and the actions differ between phases. For comparison, Dean then reviews a similar table from NIST with an expanded view of the courses of action and a different arrangement of the phases. It is a short document that gives the analyst a different way of looking at the CKC.

Video Transcription

00:04
All right, this is an interesting table we have here.
00:07
And what this is showing on the left is all of the
00:10
phases of the cyber kill chain
00:13
For the reconnaissance stage,
00:16
if the intruder is
00:18
doing these different things, what might the organization
00:21
use? Web analytics, as I was just talking about a bit ago,
00:25
for detection. For denial, firewall ACLs, firewall rules, make the most sense.
00:31
During the weaponization phase, we can detect problems, perhaps with a
00:36
network IDS,
00:38
or a network IPS for denial.
00:43
The delivery
00:45
could happen in many different ways. So we detect that
00:47
perhaps through a vigilant user,
00:50
You think about the user community being the eyes and ears of the organization.
00:56
Maybe denial happens through a category
00:59
filtering proxy,
01:00
because if your
01:03
malware is trying to connect to a known
01:06
hostile IP address, the proxy should have a reference in its configuration to prevent that happening.
01:11
Inline antivirus, also very useful for disruption.
01:17
Traffic must come in one port and go out another port
01:19
and therefore could be analysed and blocked if needed.
01:26
The delivery could be degraded with queuing, and what this means is that you're trying to
01:30
buffer certain information and hold onto it before it's actually delivered.
01:38
For the exploitation phase, again, detection could involve an IDS. In this case, a host-based IDS,
01:44
or HIDS.
01:47
The denial could be HIPS, host-based intrusion prevention system,
01:51
or maybe something as simple as patching or configuration changes.
01:56
You could disrupt exploitation by using data execution prevention technology. This means that data is treated as data and not as executable code.
02:06
There's various operating system or application configuration settings you can use to enable this kind of capability.
02:14
For the installation phase, we get back to HIDS again.
02:17
The HIDS should detect the fact that suspicious actions are taking place on a host
02:23
and should, perhaps even
02:25
if you had a HIPS, you could use that as part of your
02:30
denial phase, or denial action, rather.
02:35
Chroot jails, also a good idea. This generally applies to web servers, but it could be for any type of
02:40
service that has a folder structure associated with it.
02:46
The user gains access to whatever folder they get access to, and they cannot get out of that folder. They cannot go up to a higher level within the
02:53
file system in order to gain access to the root of the drive, for instance.
02:58
That's a great
02:59
course of action for installation
03:01
disruption. Antivirus
03:06
makes sense, right? If you can detect malware, it may be quarantined and prevented from further operations.
03:15
For the command and control phase,
03:16
the detection course of action goes back to NIDS.
03:20
If your network is detecting
03:23
systems, multiple systems, that are trying to leave the perimeter to contact
03:28
a known hostile IP address,
03:30
then your NIDS should detect that action and raise an alert.
03:35
If I've got 100 systems all trying to contact their C2 server,
03:39
that's pretty important and should be investigated.
03:43
For the denial course of action, firewalls and HIPS come back into play here,
03:49
because that means that
03:51
perhaps the malware is trying to communicate, but it can't get out
03:55
because it's being prevented by the firewall or a host-based
04:00
intrusion prevention device, or software rather.
04:05
Disruption. Also, NIPS and HIPS could be useful here,
04:10
because you're preventing certain actions of the malware from occurring.
04:14
Now, if it can't get to a C2 server, it cannot tell the malware what to do, like if it was part of a botnet, for instance.
04:21
That could be disrupted or even prevented completely.
04:27
It's an interesting idea to use a tarpit or a black hole for degrading
04:32
the communication with the C2 server.
04:35
The tarpit's an unusual idea because
04:39
what it's doing is
04:41
holding a connection open when a suspicious connection is made
04:45
until it times out.
04:46
And this will greatly slow down
04:49
or ruin the plan of attack, because they're not able to do scans very effectively, not able to
04:58
send instructions to their
05:00
systems that have already been infected with malware.
05:03
And then for deception purposes, we can think about DNS redirection,
05:09
or DNS blackholing as it's sometimes called. There's lots of different ways to do this,
05:14
but if a C2 server is identified, then its IP address could be blocked or could be redirected to go to something harmless, thereby removing the ability of the attacker to control the malware on remote systems that have been infected.
05:30
And then last, we have our actions on objectives stage.
05:33
So, detection. There's your audit log; you're looking at all the different actions that might have been occurring in previous steps above this step.
05:44
You could degrade the actions on objectives by adjusting quality of service settings,
05:48
thereby prioritizing traffic, which is not considered dangerous,
05:54
and
05:55
lowering the priority of traffic, which may be considered suspicious or dangerous.
06:00
And then for the deception
06:02
course of action.
06:04
We have the honeypot.
06:06
You have low interaction honeypots, which
06:09
may fool certain types of tools and may fool inexperienced
06:13
attackers,
06:14
because the
06:15
honeypot appears to be advertising services, but it may not actually allow a full connection. The three-way handshake, for instance, does not complete.
06:23
Whereas a high interaction honeypot
06:26
will allow a full connection and may also be compromised.
06:29
It's much more convincing to the attacker that they are interacting with a real system.
06:34
So that's the reason why high interaction honeypots are sometimes used;
06:38
however, they are more risky, and they need to be properly isolated in case the honeypot does get compromised. You don't want
06:44
the attacker being able to use that system as a pivot point for further actions.
06:50
All right, so getting to our last module, or last slide, rather,
06:56
we have an expanded view of the courses of action that NIST came up with.
07:00
I've got a link here.
07:01
You can see, bring this document up,
07:12
taking a second to load,
07:24
and it's fairly short, only 16 pages,
07:30
if you want to look at it.
07:31
So if you are,
07:32
you know, you want to pause the slide, or rather the video, to look at the link,
07:36
you do that.
07:38
But the thing I want to point out is a nice detail about
07:42
some of the pros and cons of
07:45
the cyber kill chain. They expanded it
07:47
to say that, okay, well, the seven steps are great.
07:50
The courses of action are nice, but
07:53
what they did was they moved into a different
07:57
arrangement. So in this case, all of your seven stages, or phases, are across the top,
08:03
and then considerations about
08:05
how the adversary might act are on the left side.
08:11
So, considering their motivation,
08:13
how do you detect motivation? How do you deny motivation?
08:16
How do you degrade it? Public relations
08:18
is an interesting choice here.
08:20
So is prosecution: if people are getting in trouble
08:24
that have been engaging in certain activity, it may deter other similar actors.
08:31
The objectives of the intruder: looking at web analytics again, open source intelligence gathering, OSINT,
08:39
maybe degrading the objectives by practicing proper OPSEC, or operational security.
08:48
Public relations again could be used to promote disinformation, which confuses the enemy or the adversary.
08:56
The avenue of approach,
08:58
again with web analytics, network analytics, like we saw in the
09:01
discussions in the previous slide,
09:05
disrupting through dynamic defense. So reacting to threats and
09:09
actively blocking things
09:13
Degrading, dynamic defense again.
09:16
And operational security
09:18
can help as well. If
09:20
our organization
09:20
reveals that it's under attack, then the adversaries know that they're having some effect. So there could be some reasons
09:26
to keep some of that information,
09:31
you know, under wraps.
09:33
Deception. Directing toward stronger defenses is an interesting idea. Honeypots might also be
09:39
a thing to think about here.
09:41
For the capability of the attacker, open source intelligence
09:46
could discover through various tools and research what
09:50
the adversary's organization is all about, or it could be an individual;
09:54
might figure out if they are very advanced or whether they are,
09:58
yeah, amateurs, for instance.
10:01
And an insider threat program could be good for disrupting the capabilities of a person within the organization that's
10:09
perhaps working for
10:11
an enemy.
10:13
Dynamic defense shows up again for degrading,
10:16
as well as directing towards stronger defense
10:18
for deception.
10:22
And a honeypot would be one method there, but it could be other things, too, where certain websites or certain assets are
10:28
brought online or taken offline in order to present some moving targets,
10:33
for instance.
10:35
And then we have access,
10:37
actions and assessment
10:39
phases to consider, with open source intelligence
10:43
for detection,
10:45
web analytics, network analytics, and insider threat again for denial.
10:50
Then we have dynamic defense and operational security for degrading someone's access.
10:58
The actions
10:58
of the
11:01
intruder could be
11:01
detected with an insider threat program,
11:05
maybe even supply chain awareness.
11:07
Because certain
11:09
problems may be introduced into the organization by
11:11
purchasing
11:13
malicious software and hardware.
11:16
Denial of actions: role-based access makes a lot of sense.
11:20
Also, things like job rotation
11:22
and dual control might also serve some purpose here.
11:28
Quality of service showed up in our previous discussion about degrading actions, so you can change the priority level
11:35
of certain types of network traffic relative to other types of network traffic.
11:41
And then we still have the honeypot showing up for deceptive purposes.
11:46
Doing assessment requires looking at some metrics, like Google Analytics, web analytics, social media, studying blogs and
11:56
other types of forums where users might post information.
12:01
Public relations for denial again.
12:03
And that shows up also for deceptive purposes along with the honeypot, as we see over here.
12:11
Lastly,
12:11
there's a consideration of a re-strike.
12:15
So,
12:16
open source intelligence
12:18
and various forms of analytics would be used to detect whether an attack is recurring,
12:24
denying it with dynamic defense, hopefully with enough information gleaned in previous steps
12:30
to be able to effectively deny,
12:31
or rather defend against, a secondary or tertiary attack.
12:37
And then we see public relations and honeypot again for deceptive purposes.
12:41
So I definitely recommend reading this document
12:46
and digging a little bit deeper into this.
12:48
All right, that concludes the module. See you in the next one. Thank you.


Instructed By

Dean Pompilio
CEO of SteppingStone Solutions
Instructor