hello and welcome to another application of the minor attack framework. Today we're going to be looking at our case study and some considerations for lateral movement. Primarily, what we're going to focus on really is what are we doing to detect lateral movement? What are some things we should consider
and ask ourselves? And what can we take back to the office and really
start to peel through and see what we're doing and what we've got going on? So we have to start with some considerations. What are some things that must be done? What we cannot get complacent from alert fatigue. And so some organizations, depending on how
things were white, listed within their systems, how their baseline There could be a lot of false positives and a lot of alerts that are just pouring in and people get
snow blind and they really don't look between the lines. They kind of just accepted his normal activity, and they just it's the status quo. So we can't get to a point where we get snow blinded to alerts and we get complacent and we're not looking right.
We also need to be aware of how our network is laid out
and how it works. If we don't know what is normal and what is not normal, how can we properly address threat actors or what could be malicious activity?
And then the last thing we really need to consider is we have to have the ability to hunt for threats and proactively investigate activity. So none of these two manner
these things don't matter if we can't do this. So if we don't have, the resource is we don't have the capability. We really can't investigate any activity. We can't be proactive in any respect.
And so that takes us into some points that we should consider. All right, some poor administrator is going to hear from a manager this this next week after they watch this video, they're gonna ask when was the last time we had an event on incident
and the administrators probably going to say, Have you been watching those videos again?
In this case, if you've got a system, okay, and this is something to consider, and so this will kind of play into the second bullet if you've not had an invent or incident ever,
And you have a connection to the Internet and your users get email. You have to question how you're tracking this particular metric with respect to risk management for the order, right? We're not talking just
the I t folk or the help desk spoke or the system administrator keeping track of these things. It's what is management's awareness
of the last time they dealt with an event or an incident.
And typically these are things that explode and people are going crazy, and we're trying to figure out how to fix everything and how to get back to business as usual. But there are what I like to call near misses. There are incidents that come up events that come up where we kind of blocked the attacker and were successful,
but that never makes it up the chain.
So knowing whether or not the things were implementing their successful and they're helping us to reduce risk,
right, we're spending. That's a lot of times where we get to the feeling of we're spending money to spend money, but I don't see the benefit, so you have to ask the questions right?
And if you utilize 1/3 party to do some threat hunting on alert. You want events or incidents? How often do you hear from them?
What are some of the things that they're alerting you? Are they alerting you on near misses or they alerting you on suspicious processes? Or do they handle all of that? And if they do wins the last time you've been given a brief or understanding of what it is that they're doing. And I have to say this, and it's because I've seen that
a lot of organizations. Okay, let's just say here that there's a graph
and there's really nothing here on extra y as far as the access. But let's say that this is a baseline
Anything that hits above this baseline
will generate on alert. This is an event,
but anything that hits below this threshold
does not get an event or no work, right? So you have to ask yourself, a lot of organizations apply what I like to call a standard baseline configuration, meaning that regardless of how normal activity looks, an abnormal activity looks within the environment. This is
the standard. This is what we apply, regardless
of what you are as an organization or what you do,
right, So that one event that happens
may not be substantial. It may not matter, but there may be things down here in the ether,
that we would consider abnormal or an event or even an incident. And so, if you were never base lined
that Hey, some of these things
are in fact, suspicious. But some of these things they're not.
And you should really be here.
But you're here. You are missing all of the things that happened in between these two points, right? So you need to make sure that you're engaging
this third party to better understand how this is reducing risk and how your systems were baseline. If they apply a standard baseline, they don't. They didn't engage you to understand if these activities were normal. They didn't engage you to understand if these things were malicious, they just snapped on a basic,
um, baseline and they check the box and you're on boarded.
That could be a problem. So you need to go back and ask those hard questions and really understand what it is that they're seen and whether or not it is normal activity.
And you know otherwise. How would you know if a threat actor was moving through your network, which is our third bullet?
And if the answer is why I consume these types of services, I have these types of people in my department's then go to them and ask, How will I know?
What would we see? What would be something that should be alerted on? And there could be certain activities like in map scans or attempts to take over processes in the network that may end up under that baseline that you're not getting alerts on. And this could literally be a threat actor
making lateral movement through the network and they don't ever hit
that baseline. So keep those things in mind, asked those questions and ensure that if you were consuming this type of service or if you are doing this type of work internally,
that you are asking these questions responsibly and that you have a good, comfortable understanding of the things that you're doing to reduce risk and mitigate the ability of a threat actor to move unnoticed
through your systems.
So with that in mind, I want to thank you for your time today,
and I look forward to seeing you again soon