00:05
In this module of cyber threat intelligence, we're gonna talk about the foundations of intelligence.
00:11
Where does it actually come from?
00:13
What does its life cycle look like?
00:16
This also includes some terminology,
00:19
and the stages
00:22
that a cyber attack is comprised of.
00:28
So to start with the terminology: we have indicators of attack,
00:35
how your organization does its continuous monitoring, or how you do
00:40
how you manage things like a SIEM device or an IDS or IPS.
00:45
An indicator of attack may be lots of different things.
00:49
It could be physical security related.
00:53
It could be that
00:56
there are performance problems with the
00:59
public-facing website.
01:03
There could be indicators that show that there's something going on that appears suspicious, or
01:08
at the very least, should be investigated to verify that it's normal activity.
01:14
It's always good to be able to differentiate between
01:18
suspicious and normal activities, since they can sometimes
01:22
look very similar when you're analyzing
01:23
different sources of monitoring information.
01:30
Indicators of compromise, on the other hand,
01:33
are a little bit more direct,
01:36
because now we can think about
01:38
actual evidence that something happened.
01:41
Knowing that you're under attack is one thing. But
01:45
finding that files have changed, or that
01:49
permissions on a directory have been modified, maybe there's information missing,
01:53
or data has been found that's been
01:57
bundled up in some kind of an archive and hidden in
02:00
a deep file system folder,
02:04
these are all things that could indicate that a compromise has occurred,
02:07
or maybe something else. Other examples could be disabling antivirus,
02:15
disabling certain firewall rules that were
02:19
helpful for the attack to continue. We can think about this in the context of
02:23
perhaps an advanced persistent threat.
02:27
So these IOCs, as they're known,
02:30
will vary in their credibility. They will vary in their level of detail.
02:35
The job of the analyst, of course, is to
02:38
pull as much of this information together as possible to make an educated guess as to
02:44
what's actually happening,
02:46
and then they can decide
02:47
what else might be done.
02:51
Some of the resources that are available include
02:55
some websites that we'll look at a little bit later, and some different tools as well.
03:00
Then we move on to TTPs: tactics, techniques and procedures.
03:05
Anyone who's been in
03:07
or worked for the government or for the military is probably already familiar with this term.
03:15
Simple day-to-day operational
03:17
tasks that are being performed
03:20
in a particular environment
03:23
that indicate that there's a problem.
03:28
It could be the identification of a new threat, the identification of a new vulnerability,
03:32
or simply the fact that a procedure no longer works.
03:38
That in itself could be considered
03:40
a threat or vulnerability, depending on the perspective, of course,
03:44
because if a procedure no longer works, people may stop doing it
03:47
and that information about a failed procedure may take some time to actually
03:57
So TTPs serve their purpose in several different areas.
04:00
Some of the NIST guidance actually
04:06
in regards to doing risk assessments.
04:11
Because you're looking at, where does the threat information come from? Is it credible?
04:15
What is the impact of this threat, and so on.
04:19
Next we have CRITs, Collaborative Research Into Threats.
04:26
The MITRE organization actually has
04:30
a nice white paper on this,
04:32
and what this is showing us is a little bit of information about
04:38
the fact that they decided back in 2014
04:44
open source database.
04:46
This way you have a repository for malware,
04:49
and because malware is so prevalent and
04:54
is constantly expanding,
04:57
the idea here was to
05:00
provide a common database, a common point of access
05:03
to store information about malware and to be able to make it available to the general public.
05:11
And there are other references to the CRITs idea and other solutions that have been provided by different vendors.
05:18
But the MITRE organization at least has something that's
05:21
available and usable by
05:26
the security practitioner or the threat analyst.
05:31
Then we move on to the concept of raw data.
05:38
These are important concepts to understand as well.
05:40
Raw data means just what it sounds like. It's information that comes from some sort of device on the network, perhaps a monitoring device,
05:50
some sort of other threat feed,
05:54
and the problem with raw data is that it
05:58
might not be in a format that's actually usable right away.
06:02
Hence the name raw data.
06:04
So this information needs to be
06:08
examined and perhaps filtered by some other process in order to
06:13
make it conform to a format which is directly usable, something like the syslog format,
06:18
or perhaps the format that a
06:21
SIEM device might understand, like ArcSight.
06:26
The concept of aggregated data, on the other hand,
06:30
uses the idea of aggregation in general, which means that you're getting little bits and pieces of information from various sources.
06:38
By themselves, they may not
06:42
comprise
06:44
data that indicates anything too serious. You might get a little bit of information from this monitoring device that
06:51
doesn't appear to be suspicious, then maybe some information from another device that
06:57
all by itself doesn't appear to be very suspicious. But when you start to put these pieces of the puzzle together, now you see a different picture,
07:04
and that aggregation concept could help to develop a larger
07:10
overview, or a big picture view,
07:13
of what threat really means in your environment.
07:17
I already mentioned SIEM devices: security information and event management.
07:23
There are many choices in the marketplace for SIEM devices.
07:28
Some of you may already have experience with
07:30
some of the industry leaders like ArcSight.
07:36
They have widely ranging price points and different features. Of course,
07:42
the main beauty of this kind of technology is that
07:46
any device that's on your network
07:47
that generates log events,
07:50
and this covers just about all networked devices, whether it's a server or a workstation, a switch, a router, a firewall, a proxy,
08:07
operating system functions within Windows or UNIX or Linux,
08:16
should theoretically be able to send its information to a SIEM device.
08:20
Typically, the device that's sending the data needs to have some sort of agent
08:26
or configuration change made
08:28
to that device in order for the information to go to the proper destination.
08:33
You obviously have to configure a destination IP address and a destination port.
08:39
But the large vendors for these types of devices make
08:43
agents that run on just about all of the other
08:46
major manufacturers' equipment that you would typically find in a network infrastructure.
08:52
And once the SIEM device is initially set up, it requires some tuning. There it's similar to an IDS or an IPS,
08:58
because you're going to get a lot of false
09:01
positive events.
09:03
These false positive events are confusing and can
09:09
sometimes give misleading information about whether or not suspicious activity is actually occurring.
09:16
The trick is trying to look at these in more detail to identify areas where
09:20
certain activity that might appear to be suspicious is actually considered normal and acceptable.
09:26
So there is a tuning process that can last for quite some time until the device
09:33
is more or less ready to use reliably.
09:35
The beauty of the technology, beyond this tuning,
09:41
is the fact that events can be generated for just about anything,
09:46
or let's say, alerts can be generated for just about any type of event.
09:50
For instance, you might generate an alert because the root password was changed on an important server.
09:56
Another alert might be generated because the system was rebooted.
10:01
Perhaps an alert will be generated because a
10:05
switch port was disabled or enabled,
10:07
anything that's interesting to the
10:13
or the people that manage workstations, the people that manage servers,
10:18
your networking staff.
10:20
All these things can be
10:22
configured to send alerts to your SIEM device,
10:24
so it's a great way to automate the notification process,
10:28
which, of course, is a big part of what continuous monitoring means for most organizations.
10:33
The IDS or the IPS, intrusion detection and prevention,
10:37
perform a similar function,
10:41
but we normally think of intrusion detection as a passive detection method.
10:48
SIEM devices are passive as well. Some vendors
10:54
action to take place when a certain event occurs.
10:58
This goes down a bit of a rabbit hole as far as how complex you want your automated functions to be, but it's a nice feature to have
11:05
in certain circumstances.
11:07
The IDS, on the other hand,
11:09
simply detects something that matches a signature or matches some behavior,
11:16
matches some other criteria,
11:18
and then decides to send out an alert.
11:22
An intrusion prevention system
11:24
is very similar to an IDS. It still detects
11:26
suspicious actions or suspicious information,
11:31
but what it also offers is the capability to block
11:35
malicious behavior from occurring.
11:39
It could do this in various ways. It could turn
11:41
off an interface. It could block the actions based on a source IP address or source port.
11:50
merge these two capabilities together, and therefore they're called IDPS devices,
11:56
and this is a great complementary piece of equipment to have stationed at various points on your network. Usually
12:03
anywhere you've got a firewall, you probably want to have an IDPS
12:07
so that you can see the traffic that's coming through the firewall and then also
12:11
get information about whether it was allowed or not, whether it was suspicious or not, and so on.