Time
4 hours 8 minutes
Difficulty
Intermediate
CEU/CPE
4

Video Description

The first step in responding to a cyber attack is gathering evidence (intelligence) during all phases of an attack from multiple data sources. In this video we'll examine the foundations and lifecycle of intelligence gathering focusing on the following areas:

  • IoA (Indicators of Attack) - continuous monitoring of a wide range of things from the physical to server performance problems to suspicious network activity.
  • IoC (Indicators of Compromise) - direct evidence of a compromise such as permission changes, data exfiltration and hiding, AV disabling, and firewall rule changes.
  • TTPs (Tactics, Techniques, and Procedures) - operational tasks indicating a problem, such as a procedure that no longer works.
  • CRITs (Collaborative Research into Threats) - open source databases containing malware repositories such as the MITRE webpage.
  • Raw data vs. aggregated data - raw data from network devices or a threat feed is typically in no usable form and must be examined and filtered through other processes to be meaningful. Aggregated data is pieced together from various sources; each piece alone may not be suspicious, but when aggregated they may tell a different story.
  • SIEM (Security Information and Event Management) - devices used to monitor and log events. Must be tuned to minimize false positives.
  • IDPS (Intrusion Detection/Prevention System) - devices to detect and prevent attacks respectively. Typically located at firewalls.
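To show the aggregation point above, that events which are unremarkable on their own can together form a credible IoC, here is an added example that is not part of the video or course material: a small correlation routine over constructed, already-normalized events of the kinds the description lists (AV disabled, firewall rule change, hidden archive), with a maintenance-window allowlist as the tuning step. The source names, event types, hostnames and window values are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed, already-normalized events, as a SIEM would hold them after parsing
# raw agent/syslog data. Each is low-severity on its own; field names are assumed.
EVENTS = [
    {"ts": "2024-03-01T09:58:10", "src": "edr",      "host": "ws-17",  "type": "av_disabled"},
    {"ts": "2024-03-01T10:02:45", "src": "firewall", "host": "ws-17",  "type": "fw_rule_disabled"},
    {"ts": "2024-03-01T10:05:03", "src": "fim",      "host": "ws-17",  "type": "archive_created",
     "path": "/var/tmp/.cache/x/y/z/data.7z"},
    {"ts": "2024-03-01T11:30:00", "src": "edr",      "host": "ws-02",  "type": "av_disabled"},
    {"ts": "2024-03-01T08:15:00", "src": "firewall", "host": "srv-db", "type": "fw_rule_disabled"},
]

# Tuning: events on a host inside an approved change window are suppressed,
# a typical SIEM false-positive control (constructed allowlist).
MAINTENANCE = {"srv-db": ("2024-03-01T08:00:00", "2024-03-01T09:00:00")}


def parse(ts):
    return datetime.fromisoformat(ts)


def in_maintenance(ev):
    win = MAINTENANCE.get(ev["host"])
    return bool(win) and parse(win[0]) <= parse(ev["ts"]) <= parse(win[1])


def correlate(events, window=timedelta(minutes=15), min_types=2):
    """Group low-severity events per host and flag a host when at least `min_types`
    distinct indicator types from distinct sources land within `window`.
    Returns {host: sorted list of indicator types} for flagged hosts only."""
    by_host = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):   # ISO timestamps sort lexically
        if not in_maintenance(ev):
            by_host[ev["host"]].append(ev)
    findings = {}
    for host, evs in by_host.items():
        for i, first in enumerate(evs):
            cluster = [e for e in evs[i:] if parse(e["ts"]) - parse(first["ts"]) <= window]
            types = {e["type"] for e in cluster}
            sources = {e["src"] for e in cluster}
            if len(types) >= min_types and len(sources) >= min_types:
                findings[host] = sorted(types)
                break
    return findings


if __name__ == "__main__":
    for host, types in correlate(EVENTS).items():
        print(f"IoC on {host}: {', '.join(types)}")
```

Only ws-17 is flagged: its single events would each pass unnoticed, while ws-02 has one event and srv-db's change falls inside its maintenance window.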

Video Transcription

00:04
hello
00:05
In this module of Cyber Threat Intelligence, we're gonna talk about the foundations of intelligence.
00:11
Where does it actually come from?
00:13
What does its life cycle look like?
00:15
And
00:16
this also includes some terminology.
00:19
And the stages that
00:22
a cyber attack is comprised of.
00:28
So to start with some terminology, we have indicators of attack.
00:33
Now, depending on
00:35
how your organization does its continuous monitoring or how you do,
00:40
how you manage things like a SIEM device or an IDS or IPS,
00:45
an indicator of attack may be lots of different things.
00:49
It could be physical security related.
00:52
Uh,
00:53
it could be that the
00:56
there's performance problems with the
00:59
public facing website.
01:02
Any of these things
01:03
could be indicators that show that there's something going on that appears suspicious or
01:08
at the very least, should be investigated to verify that it's normal activity,
01:14
always good to be able to differentiate between
01:18
suspicious and normal activities, since they can sometimes
01:22
look very similar when you're analyzing
01:23
different sources of monitoring information.
01:30
Indicators of compromise, on the other hand,
01:33
are a little bit more direct
01:36
because now we can think about
01:38
actual evidence that something happened.
01:41
Knowing that you're under attack is one thing. Then
01:45
finding that files have changed or that
01:49
permissions on a directory have been modified. Maybe there's information missing
01:53
or data has been found that's been
01:57
bundled up in some kind of an archive, and it's been hidden in
02:00
a deep file system folder.
02:04
These are all things that could indicate that a compromise has occurred,
02:07
or maybe something else. Other examples could be disabling antivirus
02:14
or
02:15
disabling certain firewall rules that were
02:19
helpful for the attack to continue. We can think about this in the context of
02:23
perhaps a, uh, advanced persistent threat.
02:27
So these IoCs, as they're known,
02:30
will vary in their credibility. They will vary in their level of detail.
02:35
The job of the analyst, of course, is to
02:38
pull as much of this information together as possible to make an educated guess as to
02:44
what's actually happening,
02:46
and then they can decide
02:47
what else might be done.
02:51
Some of the resources that are available include,
02:54
uh,
02:55
some websites that we'll look at a little bit later, and some different tools as well.
03:00
Then we move on to TTPs, tactics, techniques, and procedures.
03:05
Anyone who's
03:07
worked for the government or for the military is probably already familiar with this term.
03:14
And this could be
03:15
simple day-to-day operational
03:17
tasks that are being performed
03:20
in a particular environment
03:23
that indicate that there's a problem.
03:27
Um,
03:28
it could be the identification of a new threat, the identification of a new vulnerability
03:32
or simply the fact that a procedure no longer works.
03:38
That in itself could be considered
03:40
a threat or vulnerability, depending on the perspective, of course,
03:44
because if a procedure no longer works, people may stop doing it
03:47
and that information about a failed procedure may take some time to actually
03:54
correct.
03:57
So TTPs serve their purpose in several different areas.
04:00
Some of the NIST guidance actually
04:03
uses
04:04
the TTP concept
04:06
in regards to doing risk assessments.
04:11
Because you're looking at: where does the threat information come from? Is it credible?
04:15
Uh,
04:15
what is the impact of this threat, and so on.
04:19
Next we have CRITs, Collaborative Research into Threats.
04:25
And
04:26
the MITRE organization actually has
04:30
a nice web page on this,
04:32
and what this is showing us is a little bit of information about
04:38
the fact that they decided back in 2014
04:42
to produce this
04:44
open source database.
04:46
This way you have a repository for malware,
04:49
and because malware is so prevalent and
04:54
is constantly expanding,
04:57
the idea here was to
05:00
provide a common database, a common point of access
05:03
to store information about malware and to be able to make it available to the general public.
05:11
And there are other references to the CRITs idea and other solutions that have been provided by different vendors.
05:18
But the MITRE organization at least has something that's
05:21
available and usable by
05:26
the security practitioner or the threat analyst.
05:31
Then we move on to the concept of raw data,
05:34
and aggregated data.
05:38
These are important concepts to understand as well.
05:40
Raw data means just what it sounds like. It's information that comes from some sort of device on the network, perhaps a monitoring device.
05:48
It could be from
05:50
some sort of other threat feed,
05:54
and the problem with raw data is that it
05:58
might not be in a format that's actually usable right away.
06:02
Hence the name raw data.
06:04
So this information needs to be
06:08
examined and perhaps filtered by some other process in order to
06:13
make it conform to a format which is directly usable, something like the syslog format.
06:18
Or perhaps the format that a, uh,
06:21
SIEM device might understand, like ArcSight.
06:26
The concept of aggregated data, on the other hand,
06:30
is using the idea of aggregation in general, which means that you're getting little bits and pieces of information from various sources
06:38
By themselves, they may not
06:40
comprise,
06:42
they may not comprise
06:44
data that indicates anything too serious. You might get a little bit of information from this monitoring device that
06:51
doesn't appear to be suspicious, then maybe some information from another device that
06:57
all by itself doesn't appear to be very suspicious. But when you start to put these pieces of the puzzle together, now you see a different picture,
07:04
and that aggregation concept could help to develop a larger
07:10
overview, or a big-picture view
07:13
of what threat really means in your environment.
07:17
I already mentioned a SIEM device: security information and event management.
07:23
There are many choices in the marketplace for SIEM devices.
07:28
Some of you may already have experience with
07:30
some of the industry leaders like ArcSight
07:33
or Splunk
07:35
or Kiwi.
07:36
They have widely ranging price points and different features. Of course,
07:42
the main beauty of this kind of technology is that
07:46
any device that's on your network
07:47
that generates log events,
07:50
uh, this covers just about all networked devices, whether it's a server or a workstation, a switch, a router, a firewall, a proxy,
08:01
a VPN concentrator,
08:05
even things like
08:07
operating system functions within Windows or UNIX or Linux.
08:13
Any log event
08:16
should theoretically be able to send its information to a SIEM device.
08:20
Typically, the device that's sending the data needs to have some sort of agent
08:26
or configuration change made
08:28
to that device. In order for the information to go to the proper destination,
08:33
you obviously have to configure a destination IP address and a destination port.
08:39
But the large vendors for these types of devices make
08:43
agents that run on just about all of the other
08:46
major manufacturers' equipment that you would typically find in a network infrastructure.
08:52
And once the SIEM device is initially set up, it requires some tuning. This is similar to an IDS or an IPS,
08:58
because you're going to get a lot of false,
09:01
uh, positive events.
09:03
These false positive events are confusing and can,
09:07
uh,
09:09
sometimes give misleading information about whether or not suspicious activity is actually occurring.
09:16
The trick is trying to look at these in more detail to identify areas where
09:20
certain activity that might appear to be suspicious is actually considered normal and acceptable.
09:26
So there is a tuning process that can last for quite some time until the device
09:33
is more or less ready to use reliably.
09:35
The beauty of the technology beyond this tuning
09:41
is the fact that events can be generated for just about,
09:46
or I should say, the alerts can be generated for just about any type of event.
09:50
For instance, you might generate an alert because the root password was changed on an important server.
09:56
Another alert might be generated because the system was rebooted.
10:01
Perhaps an alert will be generated
10:03
because a
10:05
switch port was disabled or enabled,
10:07
anything that's interesting to the
10:11
the, uh,
10:11
IT security staff
10:13
or the people that manage workstations, or people that manage servers,
10:18
your networking staff.
10:20
All these things can be
10:22
configured to send alerts to your SIEM device,
10:24
so it's a great way to automate the notification process,
10:28
which, of course, is a big part of what continuous monitoring means for most organizations.
10:33
The IDS or the IPS, intrusion detection and prevention,
10:37
perform a similar function
10:39
in some ways.
10:41
But we normally think of intrusion detection as a passive detection method.
10:48
SIEM devices are passive as well. Some vendors
10:52
allow a scripted
10:54
action to take place when a certain event occurs.
10:58
This goes down a bit of a rabbit hole as far as how complex you want your automated functions to be, but it's a nice feature to have
11:05
in certain circumstances.
11:07
The IDS, on the other hand,
11:09
simply detects something that matches the signature or matches some behavior,
11:16
matches some other criteria
11:18
and then decides to send out an alert.
11:22
An intrusion prevention system
11:24
is very similar to an IDS. It still detects
11:26
suspicious actions or suspicious information.
11:31
But what it also offers is the capability to block
11:33
the, uh,
11:35
malicious behavior from occurring.
11:39
It could do this in various ways. It could turn
11:41
off an interface. It could block the actions based on a source IP address or source port.
11:48
A lot of devices
11:50
merge these two capabilities together, and therefore they're called IDPS devices,
11:56
and this is a great complementary piece of equipment to have stationed at various points on your network, usually
12:03
anywhere you've got a firewall. You probably want to have an IDPS
12:07
so that you can see the traffic that's coming through the firewall and then also
12:11
get information about whether it was allowed or not, whether it was suspicious or not, and so on.


Instructed By

Dean Pompilio
CEO of SteppingStone Solutions
Instructor