Then we move on to the stages of cyber attacks.
This is sort of a high-level description of what a typical cyber attack involves.
Normally, we want to think about intruders as performing some kind of reconnaissance.
They have to identify targets, after all.
Once they identify a suitable target, then they will typically try to scan that target,
looking for services that are running, looking for any ports that are open or any other
potential way to connect to that resource,
in an attempt to go further,
which is obviously to get access.
Once access is achieved, whether that's through a command shell
or through some other kind of thing, like Internet Relay Chat, there are
dozens and dozens of ways to gain access to a system. It could be through a file share,
for instance. There are lots of different methods.
Generally, once access has been achieved, then
the intruder typically wants to escalate their privileges.
It's to their advantage to become administrator or to become root,
because once they've done that, then they can make changes to that asset,
further exploring, further hacking. And so
sometimes the goal is to exfiltrate data.
The ability to capture the information that's required might require
elevated privileges, so escalation plays into this step as well.
Usually an attacker will gather information
and try to put it into a location in the system where it's likely not to be discovered.
They might use different methods to hide the information. They could encrypt it, for instance,
or use techniques like alternate data streams to hide one file inside of another file.
This way, as the intruder is gathering information,
like perhaps email addresses, phone numbers, account numbers,
sensitive files, whatever it might be,
the methodology from the intruder's point of view is that it makes more sense to gather the information and put it into a big bundle somewhere, like a tar archive
or some other kind of encrypted bundle.
That way, they can try to pull the information out in one go, which is
less suspicious overall than doing a bunch of smaller transactions,
where those are more likely to get noticed because they're happening more than once.
There are different schools of thought on this, of course.
If the bundle of data to be exfiltrated is too large, then that in itself becomes suspicious. So there are trade-offs between
gathering information and doing it one time versus doing
smaller pieces of the overall data that will be exfiltrated.
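Both sides of that trade-off can be watched for from the SOC side. The following is an added example, not part of the lecture: it runs over a constructed set of outbound flow records and flags the two shapes just described, a single oversized transfer and a burst of many smaller transfers to one destination. The hosts, addresses (documentation ranges), byte counts and thresholds are all constructed for illustration.

```python
"""Two outbound-transfer shapes a SOC might flag: one oversized bundle, or
a burst of many smaller transfers to the same destination.  Added example;
the flow records, hosts, IPs and thresholds are all constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed flow records (timestamp, source host, destination IP, bytes out).
# 203.0.113.0/24, 198.51.100.0/24 and 192.0.2.0/24 are documentation ranges.
FLOWS = [
    ("2024-05-01T02:10:00", "ws-17", "203.0.113.9", 1_800_000_000),  # one big bundle
    ("2024-05-01T09:00:00", "ws-17", "198.51.100.20", 40_000_000),
    ("2024-05-01T09:01:00", "ws-17", "198.51.100.20", 45_000_000),
    ("2024-05-01T09:02:00", "ws-17", "198.51.100.20", 38_000_000),
    ("2024-05-01T09:03:00", "ws-17", "198.51.100.20", 41_000_000),
    ("2024-05-01T09:04:00", "ws-17", "198.51.100.20", 39_000_000),
    ("2024-05-01T09:05:00", "ws-17", "198.51.100.20", 44_000_000),
    ("2024-05-01T10:00:00", "ws-04", "192.0.2.55", 5_000_000),       # ordinary traffic
    ("2024-05-01T16:00:00", "ws-04", "192.0.2.55", 6_000_000),
]

SINGLE_LIMIT = 1_000_000_000          # one transfer above 1 GB is worth a look
BURST_COUNT = 6                        # ...or this many transfers to one destination
BURST_WINDOW = timedelta(minutes=30)   # inside this window (assumed tuning values)


def parse(records):
    """Turn the raw tuples into (datetime, src, dst, bytes), sorted by time."""
    parsed = [(datetime.fromisoformat(ts), src, dst, b) for ts, src, dst, b in records]
    return sorted(parsed)


def find_single_large(flows, limit=SINGLE_LIMIT):
    """The 'one big bundle' case: any single flow over the byte limit."""
    return [("single_large", src, dst, b) for _, src, dst, b in flows if b > limit]


def find_bursts(flows, min_count=BURST_COUNT, window=BURST_WINDOW):
    """The 'many small transfers' case: sliding window per (src, dst) pair."""
    by_pair = defaultdict(list)
    for ts, src, dst, _ in flows:          # flows are already time-ordered
        by_pair[(src, dst)].append(ts)
    alerts = []
    for (src, dst), times in by_pair.items():
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1                  # slide the window forward
            if end - start + 1 >= min_count:
                alerts.append(("burst", src, dst, end - start + 1))
                break                       # one alert per pair is enough
    return alerts


def detect(records=FLOWS):
    """Run both checks and return the combined alert list."""
    flows = parse(records)
    return find_single_large(flows) + find_bursts(flows)


if __name__ == "__main__":
    for alert in detect():
        print(alert)
```

The two thresholds pull in opposite directions, which is the point of the lecture's trade-off: raising `SINGLE_LIMIT` lets a larger bundle through unflagged, while lowering `BURST_COUNT` catches smaller slices at the cost of more false positives from ordinary sync or backup traffic.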
Most intruders into systems are also interested in sustaining their access, or maintaining their access.
This is another reason why the actions of the intruder need to be done in a stealthy way.
If they can maintain
a stealthy presence and they're not triggering
alerts on the SIEM device, for instance,
then it is more likely they'll be able to remain hidden
so that they can continue their exploration, or they could continue gathering information for exfiltration.
We also could think about advanced persistent threats in this context,
because you can't maintain a long-term campaign, for instance, without a
method to gain access to a system,
and the initial access point might be a pivoting point.
So someone gains access to a web server or to a database server,
and now they use that in order to pivot to other systems that are reachable from that device on the network.
Beyond this, we have potentially the assault phase of a cyber attack.
This is beyond something as simple as just stealing information:
destroying information, like trying to delete database tables, or it could be something like a denial of service attack,
making changes to a system so that it corrupts its information, or crashes, or has some other problem.
So the attack can take a
variety of different forms. It just depends on what the motives of the attacker are,
what their ultimate goals really are.
And then the concept of obfuscation means that
the attacker is generally trying to cover their tracks.
This leads back to what I was just speaking about a moment ago
in regards to staying hidden and staying stealthy.
If the attacker can successfully
delete log files or selectively edit log files,
that can impede the ability of a system to do any logging whatsoever. If you can shut down the logging function,
that's always a great trick for an intruder to accomplish.
These are all methods to help hide the presence of an intruder in the system
so they can continue their work as long as possible,
because once an intruder is discovered, typically the organization wants
to disable their access before further damage can be done.
So those are some good terms to think about there, and some good concepts to dig a little bit deeper into.
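One defensive answer to the log deletion and selective editing just described is to forward logs to a collector the intruder cannot reach and keep a running digest per line there, so the local copy can later be compared against it. The code below is an added example, not from the lecture: a simplified SHA-256 hash chain over a constructed log excerpt, with a check that returns the index of the first line where a local copy diverges from the collector's record. The seed value, the log lines and the host and user names are all constructed.

```python
"""Hash-chain check for a forwarded log: the collector keeps a running digest
per line, so a later local deletion, edit or truncation shows up as the first
index where the chain diverges.  Added example; the log lines are constructed."""
import hashlib

# Constructed log excerpt, as a remote collector would have received it.
CONSTRUCTED_LOG = [
    "2024-05-01T03:00:01 host1 sshd[912]: Accepted password for alice from 192.0.2.10",
    "2024-05-01T03:00:07 host1 sudo: alice : TTY=pts/0 ; COMMAND=/bin/bash",
    "2024-05-01T03:00:09 host1 useradd[940]: new user: name=svc_backup, UID=1007",
    "2024-05-01T03:00:30 host1 sshd[912]: session closed for user alice",
]

SEED = b"collector-seed-constructed"   # assumed per-source secret held only by the collector


def chain_digests(lines, seed=SEED):
    """h_i = SHA-256(h_{i-1} || line_i), with h_0 derived from the seed.
    Returns the list of hex digests, one per line."""
    prev = hashlib.sha256(seed).digest()
    digests = []
    for line in lines:
        prev = hashlib.sha256(prev + line.encode("utf-8")).digest()
        digests.append(prev.hex())
    return digests


def first_divergence(local_lines, collector_digests, seed=SEED):
    """Index of the first line whose chain value differs from the collector's
    record, or None when the local copy is intact (same lines, same order).
    Because each digest folds in every earlier line, a deletion or edit at
    position i changes every digest from i onward, so i is what we report."""
    local = chain_digests(local_lines, seed)
    for i, (mine, theirs) in enumerate(zip(local, collector_digests)):
        if mine != theirs:
            return i
    if len(local) != len(collector_digests):
        return min(len(local), len(collector_digests))   # one side was truncated
    return None


if __name__ == "__main__":
    reference = chain_digests(CONSTRUCTED_LOG)
    tampered = CONSTRUCTED_LOG[:2] + CONSTRUCTED_LOG[3:]   # the useradd line removed
    print("intact:", first_divergence(CONSTRUCTED_LOG, reference))
    print("line removed, first divergence at:", first_divergence(tampered, reference))
```

The check only has value if the collector's digests sit outside the intruder's reach; a chain stored next to the log it protects can be recomputed along with the edited log. Time-based gaps and a missing "log cleared" event are the complementary signals an analyst would look at alongside this.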
We could also think about
the terminology and some of the things like cyber attack phases
in terms of what the actual life cycle of intelligence information is.
Phase one is our first step, planning and direction,
and what this is meant to describe is the idea that
the actions to gather intelligence,
to gather threat information, to gather vulnerability information, must be done in a deliberate way. It should not be something that's ad hoc or random.
Implementing an IDPS, implementing a SIEM,
setting up logging for your firewalls or proxies: these all take deliberate action,
and they promote the idea that you're getting
continuous monitoring information from a lot of different areas within the organization's infrastructure.
So the collection idea, then,
could be a lot of different things. As I mentioned when I was talking about SIEM devices,
any network device that can generate log events
could be a good candidate for continuous monitoring purposes.
So all the things I've just talked about: firewalls, proxies, switches,
operating systems running on servers or running on user endpoints.
These are all great areas where data can be collected,
because it may have some usefulness, especially when we think about:
I've got an event that happened on this system, an event that happened on that system. They don't mean much by themselves. When we link them together, we can see that there's something else happening,
and this can lead to a deeper understanding of what is actually going on in the environment.
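To make that linking concrete, here is an added example that is not part of the lecture: constructed log lines from three of the sources just named (a firewall, a server's sshd, and sudo) are parsed into a common shape and then correlated by shared source address and user. Each line on its own is unremarkable; together they form one incident. Host names, addresses and the regular expressions are constructed for the example and assume the simple line formats shown.

```python
"""Linking events from three log sources (firewall, server sshd, sudo) by a
shared source address and user into one incident, which the single events
would not reveal.  Added example; lines, hosts and addresses are constructed."""
import re
from datetime import datetime, timedelta

# Constructed events from three collectors, roughly in the order they arrived.
CONSTRUCTED_EVENTS = [
    "2024-05-01T01:58:10 fw01 DROP src=198.51.100.7 dst=10.0.0.5 dport=22",
    "2024-05-01T01:58:11 fw01 DROP src=198.51.100.7 dst=10.0.0.5 dport=445",
    "2024-05-01T01:58:12 fw01 DROP src=198.51.100.7 dst=10.0.0.5 dport=3389",
    "2024-05-01T02:01:05 srv05 sshd[2211]: Failed password for bob from 198.51.100.7",
    "2024-05-01T02:01:09 srv05 sshd[2211]: Failed password for bob from 198.51.100.7",
    "2024-05-01T02:01:14 srv05 sshd[2214]: Accepted password for bob from 198.51.100.7",
    "2024-05-01T02:03:40 srv05 sudo: bob : COMMAND=/usr/bin/systemctl stop auditd",
    "2024-05-01T02:30:00 srv09 sshd[311]: Accepted password for carol from 10.0.0.22",
]

# Assumed line formats; a real deployment would use the collector's own parser.
PATTERNS = {
    "drop":     re.compile(r"^(\S+) (\S+) DROP src=(\S+) dst=\S+ dport=(\d+)$"),
    "failed":   re.compile(r"^(\S+) (\S+) sshd\[\d+\]: Failed password for (\S+) from (\S+)$"),
    "accepted": re.compile(r"^(\S+) (\S+) sshd\[\d+\]: Accepted password for (\S+) from (\S+)$"),
    "sudo":     re.compile(r"^(\S+) (\S+) sudo: (\S+) : COMMAND=(.*)$"),
}


def parse(lines):
    """Normalise each line to a dict with ts, host, kind, src, user (None when absent)."""
    events = []
    for line in lines:
        for kind, rx in PATTERNS.items():
            m = rx.match(line)
            if not m:
                continue
            ts, host = datetime.fromisoformat(m.group(1)), m.group(2)
            if kind == "drop":
                events.append(dict(ts=ts, host=host, kind=kind, src=m.group(3), user=None))
            elif kind == "sudo":
                events.append(dict(ts=ts, host=host, kind=kind, src=None, user=m.group(3)))
            else:
                events.append(dict(ts=ts, host=host, kind=kind, user=m.group(3), src=m.group(4)))
            break
    return sorted(events, key=lambda e: e["ts"])


def correlate(events, lookback=timedelta(minutes=15), lookahead=timedelta(minutes=15),
              min_stages=3):
    """Anchor on each successful login, link earlier activity from the same source
    address and later privileged activity by the same user on the same host.
    An incident needs the login plus at least two corroborating stages."""
    incidents = []
    for login in (e for e in events if e["kind"] == "accepted"):
        stages = []
        before = [e for e in events
                  if e["src"] == login["src"] and login["ts"] - lookback <= e["ts"] < login["ts"]]
        if any(e["kind"] == "drop" for e in before):
            stages.append("scan")
        if any(e["kind"] == "failed" for e in before):
            stages.append("bruteforce")
        stages.append("login")
        after = [e for e in events
                 if e["kind"] == "sudo" and e["host"] == login["host"] and e["user"] == login["user"]
                 and login["ts"] < e["ts"] <= login["ts"] + lookahead]
        if after:
            stages.append("privileged")
        if len(stages) >= min_stages:
            incidents.append({"src": login["src"], "user": login["user"],
                              "host": login["host"], "stages": stages})
    return incidents


if __name__ == "__main__":
    for incident in correlate(parse(CONSTRUCTED_EVENTS)):
        print(incident)
```

Carol's login on srv09 is parsed like every other line but produces nothing, because no earlier or later event shares its source or user; the value of the correlation is in the chain around bob's login, not in any one record.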
Then we have the processing of information,
processing the intelligence information
and trying to exploit that.
If you gather the information, you've got good data sources available.
Once it gets pulled together, someone still needs to look at it and decide: is it actionable? Is it credible?
Is this a false positive, and so on?
So only after some reasonable analysis has been done
should the analyst or the security practitioners decide to take some action.
You don't want to be in a situation where someone is crying wolf again and again
because they act too quickly, and then when a real situation pops up,
their credibility has been damaged. So that causes problems for the organization.
Moving on to the analysis and production aspect of intelligence:
the output of the processing and exploitation stage feeds naturally into some further analysis,
and this could be done in a number of different ways. There could be individuals or even teams of people analyzing events, analyzing different statistics or metrics
or other information that leads them to believe that there's something interesting going on.
And then the production aspect means that you're creating a report or creating some kind of notification mechanism
that lets a decision maker take action.
Risk-based decisions are best performed when there is an abundance of information to support
the decision one way or the other,
so that production might also be automated
in the form of something like a dashboard.
You might be feeding information to something like an
endpoint management system, McAfee ePolicy Orchestrator (ePO).
This is a great tool for this kind of situation because you can
gather data, gather lots of statistics and metrics involving different endpoints,
and then present that to a dashboard
as a quick reference to see what the security posture looks like today, what it looks like right now.
If there's something interesting or suspicious, you could always drill down deeper
and decide what might be done next in order to
Then we have the dissemination and integration of intelligence information,
the step of actually giving the information to the people that need it. We can think about
who is a stakeholder
for this asset or this environment.
Who would want to know
this information about
actions or events that are taking place?
That could be a tricky thing to understand, especially in a large environment,
because there might be various people who
have some need to know or some interest in knowing,
and trying to sort all that out can be a little bit of a challenge.
The information, all the analysis, doesn't have much value if it's not given to the people who need it
in order to make that risk-based decision.
Integration means that
this intelligence might become part of a new policy, might become
part of a new procedure.
It could drive other actions, like purchasing additional hardware or purchasing additional software.
So this life cycle has a lot of value if it's performed correctly,
and the organization's leadership
hopefully will be in a position to support the effort
and to see the value that they get in return on the investment.
All right, this ends the section. I'll see you in the next one. Thank you.