Time
4 hours 8 minutes
Difficulty
Intermediate
CEU/CPE
4

Video Description

In the final video in the module we wrap up by taking a look at threats and attacks and the processing and dissemination of intel. A typical cyber attack begins with intruders performing reconnaissance to identify targets. This is followed by scanning for services and open ports that can then be connected to in order to gain deeper access. From there, info gathering is performed to set the stage for data exfiltration. Data can be hidden or encrypted to prevent detection and then later downloaded either in one big chunk or via multiple downloads. There are tradeoffs to the intruder with both approaches in terms of being detected. Intruders then have several options once gaining access depending on their goals and intent. Advanced persistent threats require a repeatable method of access and can be used to pivot to compromising other systems. If the intent is malicious, then an assault phase of the attack is entered. This can consist of destroying information, deleting database tables, or subjecting the compromised system to a DDoS attack or otherwise crashing it. On the defensive side, a great deal of planning and direction is required to gather intel from multiple sources. It then must be processed in order to determine if any action is required. The dissemination phase must get the actionable intel into the hands of stakeholders in a position to act upon it.

Video Transcription

00:04
Then we move on to the stages of cyber attacks.
00:08
This is sort of a high level description of what a typical cyber attack involves.
00:14
Normally, we want to think about intruders
00:17
as performing some kind of reconnaissance.
00:20
They have to identify targets, after all,
00:23
Once they identify a suitable target, then they will typically try to scan that target,
00:28
looking for services that are running, looking for any ports that are open or any other
00:34
potential way to connect to that resource
00:37
in an attempt to go further,
00:40
which is to obviously get access
00:44
once access is achieved, whether that's through a command shell or
00:49
web login
00:51
or through some other kind of thing, like Internet Relay Chat. There's
00:55
dozens and dozens of ways to gain access to a system. It could be through a file share,
01:00
for instance. There's lots of different methods.
01:03
Generally, once the access has been achieved, then
01:06
the intruder typically wants to escalate their privileges.
01:10
It's to their advantage to become administrator or to become root,
01:14
because once they've done that, then they can make changes to that asset,
01:18
which facilitates
01:19
further exploring, further hacking. And so, uh,
01:23
sometimes the goal is to exfiltrate data
01:27
and
01:30
The ability to capture the information that's required might require
01:34
elevated privileges. So escalation plays into this step as well.
01:38
Usually an attacker will
01:42
gather information
01:44
and try to put it into a location in the system where it's likely not to be discovered.
01:49
They might use different methods to hide the information. You could encrypt it. For instance,
01:53
they could
01:56
use techniques like alternate data streams to hide one file inside of another file.
02:00
And
02:01
this way, as the intruder is gathering information
02:06
like perhaps email addresses, phone numbers, account numbers,
02:09
password hashes,
02:12
sensitive files, whatever it might be.
02:15
The methodology from the intruder's point of view is it makes more sense to gather the information and put it into a big bundle somewhere, like a tar archive
02:23
or some other kind of encrypted bundle.
02:25
That way, they can try to pull the information out
02:29
in one big chunk.
02:30
This might seem
02:32
less suspicious overall than doing a bunch of smaller transactions,
02:38
where those are more likely to get noticed because they're happening more than once.
02:42
There are different schools of thought on this, of course,
02:45
if the bundle of data to be exfiltrated is too large, then that in itself becomes suspicious. So there are tradeoffs between
02:53
gathering information and doing it one time versus doing
02:58
smaller pieces of the overall data that will be exfiltrated.
03:06
Most intruders into systems are also interested in sustaining their access or maintaining their access.
03:13
This is another reason why the actions of the intruder need to be done in a stealthy way.
03:20
If they can maintain
03:22
a stealthy presence and they're not triggering
03:24
the IDPS,
03:25
triggering
03:28
alerts on the SIEM device, for instance,
03:31
then it is more likely they'll be able to remain hidden
03:35
so that they can continue their exploration, or they could continue gathering information for exfiltration.
03:42
Um,
03:43
we also could think about advanced, persistent threats in this context
03:47
because you can't maintain a long term campaign, for instance,
03:53
without having a
03:53
very repeatable
03:57
method to gain access to a system,
04:00
and the initial access point might be a pivoting
04:04
point as well.
04:05
So someone gains access to a web server or to a database server,
04:11
and now they use that in order to pivot to other systems that are reachable from that device on the network.
04:19
Beyond this, we have potentially the assault phase of a cyber attack.
04:25
This is beyond something as simple as just stealing information.
04:29
It could be
04:30
destroying information like trying to delete database tables. Or it could be something like a denial of service attack
04:39
or perhaps
04:41
making changes to a system so that it corrupts its information or crashes or some other problem.
04:48
So the attack can take
04:49
any, uh,
04:51
variety of different forms. It just depends on what the motives of the attacker are there,
04:57
what their ultimate goals are, really.
05:00
And then the concept of obfuscation means that
05:05
the attacker is generally trying to cover their tracks.
05:09
This leads back to what I was just speaking about a moment ago
05:13
in regards to staying hidden and staying stealthy
05:16
if the attacker can successfully
05:18
delete log files or selectively edit log files.
05:23
Or perhaps they
05:26
can impede the ability of a system to do any logging whatsoever. If you can shut down the logging function,
05:31
that's always a great trick for an intruder to accomplish.
05:36
And these are all methods to help hide the presence of an intruder in the system
05:42
so that
05:43
they can continue their work as long as possible
05:46
because once an intruder is discovered, typically the organization wants to
05:49
disable their access before further damage can be
05:54
sustained.
05:56
So that's some good terminology to think about there, and some good concepts to dig a little bit deeper into
06:00
in future.
06:02
We could also think about,
06:04
beyond the
06:06
terminology and some of the things like cyber attack phases,
06:11
what is the actual life cycle of intelligence information?
06:15
Here is our first step, planning and direction,
06:18
and what this is meant to describe is the idea that
06:26
the actions to gather intelligence
06:30
to gather threat information to gather vulnerability information must be done in a deliberate way. It should not be something that's ad hoc or random
06:40
implementing an IDPS, implementing a SIEM,
06:45
setting up logging for your firewalls or proxies. These all take deliberate action,
06:49
and they promote the idea that you're getting
06:53
continuous monitoring information from a lot of different areas within the organization's infrastructure,
07:00
so that the collection idea then
07:03
could be a lot of different things. As I mentioned when I was talking about SIEM devices,
07:08
any
07:09
any network device that can generate log events
07:13
could be a good candidate for continuous monitoring purposes.
07:18
So all the things I've just talked about firewalls, proxies, switches
07:24
any kind of server
07:26
applications themselves,
07:28
operating systems running on servers or running on user endpoints.
07:31
These are all great areas where data can be collected
07:34
because it may have some usefulness, especially when we think about
07:39
correlating information.
07:41
I've got an event that happened on this system, an event that happened on this system. They don't mean much by themselves. When we link them together, we can see that there's something else happening,
07:49
and this can lead to a deeper understanding of what is actually going on in the environment.
07:57
And we have the processing of information
08:00
processing in the intelligence information
08:01
and trying to exploit that,
08:05
meaning that
08:05
if you gather the information, you've got good data sources available.
08:11
Once it gets pulled together, someone still needs to look at it and decide if it's actionable, if it's credible.
08:18
Is this a false positive? And so on.
08:20
So only after some reasonable analysis has been done
08:24
should the analyst or the security practitioners decide to take some action.
08:31
You don't want to be in a situation where someone is crying wolf again and again
08:37
because they act too quickly, and then when a real situation pops up,
08:41
their credibility has been damaged. So that causes problems for the organization
08:46
Moving on to the analysis and production aspect of intelligence.
08:52
With this,
08:54
the output of the processing and exploitation phase feeds naturally into some further analysis,
09:01
and this could be done in a number of different ways. There could be individuals or even teams of people analyzing events, analyzing different statistics or metrics
09:11
or other information that leads them to believe that there's something interesting going on.
09:16
And then the production aspect means that you're creating a report or creating some kind of notification mechanism
09:24
that lets a decision maker take action.
09:28
Risk-based decisions are best performed when there is an abundance of information to support
09:35
the decision one way or the other
09:37
so that production might also be automated
09:41
in the form of something like a dashboard.
09:43
You might be feeding information to something like an
09:48
endpoint management system, the McAfee ePolicy Orchestrator, ePO.
09:54
This is a great tool for this kind of situation because you can
09:58
gather data, gather lots of statistics, metrics from various endpoints,
10:03
and then present that to a dashboard
10:07
as a quick reference to see what the security posture looks like today, what it looks like right now.
10:13
if there's something interesting or suspicious, you could always drill down deeper
10:16
and decide what might be done next in order to
10:20
resolve any issues.
10:22
Then we have the dissemination and integration of intelligence information,
10:28
and this refers to
10:28
the step of actually giving the information to the people that need it. We can think about
10:33
who is a stakeholder
10:35
for this asset or this environment.
10:37
Who would want to know
10:39
this information about
10:41
actions that are, or events that are taking place?
10:46
That could be a tricky thing to understand, especially in a large environment,
10:50
because there might be various people who
10:54
have some need to know or some interest in knowing,
10:58
and trying to sort all that out can be a little bit of a challenge,
11:03
from my experience.
11:05
In any case,
11:07
the information, all the analysis doesn't have much value if it's not given to the people who need it
11:13
in order to make that risk based decision,
11:16
integration means that
11:18
this intelligence might become part of a new policy, might become
11:22
part of a new procedure.
11:24
It could drive other actions, like purchasing additional hardware or purchasing additional software.
11:31
So this life cycle has a lot of value. If it's performed correctly
11:37
and the organization's leadership,
11:39
hopefully will be in a position to support the effort
11:43
and to see the value, the return on the investment.
11:48
All right, this ends the section. I'll see you in the next module. Thank you.

Up Next

Intro to Cyber Threat Intelligence

The CTI course consists of 12 information-packed modules. CTI is a critical function within any organization that involves roles like analysts, methodologies, tools, teams, and policies. From threat analysis to the Cyber Kill Chain, learn it here.

Instructed By

Dean Pompilio
CEO of SteppingStone Solutions
Instructor