Now we see the diamond model, so you might be familiar with this. This is a very simplified way to think about it, in this example that we have here. The diamond has four corners: the victim, the capability, the adversary, and the infrastructure. The trick is knowing how the edges of the diamond function. In a typical example, we also see on the left here some metadata information.
So even though you're gathering lots of data, you should also be thinking about the extra details that describe that data.
For instance, in this example, we can see in step one that malware was discovered by a victim, or a victim's machine was doing some monitoring: intrusion detection, antivirus, what have you. So we go from the victim edge to the capability, and your capability is: what is the malware actually doing? What is it capable of?
Reverse engineering of malware is a very deep, separate topic altogether. But we can say from a simplified example that this malware was examined and it contains a domain, perhaps a domain name that relates to the attacker system, or even a command and control server. So we go from the capability back to our infrastructure to do some analysis on this information, and it turns out that this domain does resolve to a C2 IP address. So this is a known command and control server that was maybe identified from some previous monitoring, and now we can do some correlation. There's new malware, but it's also trying to communicate with a known existing C2 server.
Now, more correlation can be done between infrastructure. Go along this edge back to the victim to think about: okay, we've got proxies, we've got firewalls, we have IDPS. Let's do some searching for these IP addresses and find out if there's more activity, and ideally, or at least hopefully, you would discover that there are more victims in the environment. More systems are trying to communicate outbound through your firewall, through your proxy, to this C2 address. And the C2 address could also be analyzed on its own by running different types of tools to see if it has a reputation score, to see if it's been associated with malware in the past. There are lots of services that provide this kind of data, for free sometimes, or for paying customers.
If there are multiple victims now, this becomes a larger type of incident, and maybe more resources would be applied towards resolving it. That address will now be analyzed in the fifth step in order to reveal the adversary.
Sometimes it can be a little bit tricky, of course, because any adversary that's well skilled in their craft would not be using their computer directly on the Internet. They would be going through a proxy chain or various anonymizers to disguise their original IP address. But with enough information, and perhaps with the ability to get logs from other organizations, you might be able to trace back to the original IP address anyway, if it's not been changed too many times.
This is the point where the analysis of an intrusion really does become the most difficult: figuring out what is the real source address of this information. Oftentimes it's very difficult to tell, because this information is so easy to spoof, and therefore the challenge is great, and the advantage in this case goes to the intruder, not the defender.
Thinking about this diamond idea and keeping in mind the metadata, we can start to have a mental picture of what kind of information is required when an intrusion is detected, and what we should do about it as we take each step in the analysis further and further along, to finally try to get to revealing the adversary information.
Now, we could think a little bit about operating in a larger context, if the threat actor, for instance, is part of a group, like activists. One of the best known activist groups is the Anonymous group. They are very loosely coupled individuals that are apparently all around the world. They really don't appear to have a defined leader. They sort of just work together as a group and sort of work things out on their own as far as who's going to do what. That makes them very difficult to defend against, because you can't just, you know, take a typical approach and say, okay, we're going to damage their leadership capability, therefore the organization will fall apart. That may not happen with a group like this.
Cyber criminals, on the other hand, are somewhat similar, but they're not necessarily hacking for an agenda. They're usually hacking because it's an easy way to make money: hacking into ATM machines, banking websites, credit card websites, trying to get key loggers installed on victims' machines so they can steal passwords and credentials. These are all very common things that your typical cyber criminal would attempt to line their pockets with someone else's money.
We also have to think about state sponsored hacking: countries like China, perhaps North Korea, Russia. All these countries are occasionally in the news for, as I described, different types of hacking that's going on, and this is a reality of the modern world we live in, that governments hack each other looking for information that's useful to promote their own agendas. And this is also very serious, because national security secrets could be at stake, and that's certainly more important than people just losing money from a bank account.
One of the most difficult things to defend against in this scenario would be the privileged insider: people that have access. They may already have security clearance, and they've got the ability to get into systems and information that would be very difficult to get to if they were coming from the outside. Plus, as an insider, perhaps they're aware of security controls that might be preventing their access. They might be in charge of those security controls, since they are privileged. So this opens up a really big Pandora's box of problems, because now you've got people that are trusted. Perhaps they've got clearances, as I said. They might be high up in an organization, but yet they have a hidden agenda to work for a competitor or work for another government. Or maybe they just want to steal information and sell it.
The ways to detect people like this are varied and change occasionally. But we think about things like job rotation, having a separation of duties, dual control, and so on. This makes it difficult for one single individual to successfully accomplish a complicated hack by themselves. If they've got to involve other people, if they have to collude, now the chances of detection will go up, because if two people are working on an internal hack, there's double the chance that someone's going to make a mistake or say something or reveal themselves. If you've got three people involved, then you triple the odds. And so the advantage starts to slip away the more people are involved.
In any case, I hope this gives a nice overview of what operational threat intelligence looks like and some of the considerations that you have to think about as an analyst.
Thank you, I'll see you in the next month.
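One way to script the diamond-model pivots the lecture walks through (victim to capability, capability to infrastructure, infrastructure back to additional victims), as an added example that is not the course's own code; the DNS table, the known-C2 list and the firewall log lines are all constructed for illustration:

```python
# Added example (not from the lecture): the diamond-model pivots over constructed data.
# Capability -> infrastructure: the domain pulled from the malware sample is resolved
# and checked against known C2 addresses. Infrastructure -> victim: firewall/proxy
# logs are searched for other internal hosts contacting that address.
from dataclasses import dataclass, field

# Constructed lookup tables standing in for DNS and a threat-intel/reputation feed.
DNS = {"update-check.example.invalid": "203.0.113.45"}
KNOWN_C2 = {"203.0.113.45": "seen in a prior incident, reputation: malicious"}

# Constructed firewall log: timestamp, internal source, destination IP, port, action.
FIREWALL_LOG = """\
2024-03-01T08:12:03 src=10.0.5.21 dst=203.0.113.45 dport=443 action=allow
2024-03-01T08:12:09 src=10.0.5.21 dst=198.51.100.7 dport=443 action=allow
2024-03-01T09:40:55 src=10.0.7.102 dst=203.0.113.45 dport=443 action=allow
2024-03-01T11:03:17 src=10.0.9.14 dst=203.0.113.45 dport=8443 action=deny
2024-03-01T11:05:44 src=10.0.5.21 dst=203.0.113.45 dport=443 action=allow
"""

@dataclass
class Diamond:
    victim: set = field(default_factory=set)
    capability: dict = field(default_factory=dict)
    infrastructure: dict = field(default_factory=dict)
    adversary: str = "unknown"  # the hardest pivot in the lecture; left unresolved here

def parse_log(text):
    """Turn 'ts key=value ...' firewall lines into dicts, skipping blank lines."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, *pairs = line.split()
        row = dict(pair.split("=", 1) for pair in pairs)
        row["ts"] = ts
        rows.append(row)
    return rows

def analyze(first_victim, malware_domain, log_text):
    d = Diamond(victim={first_victim}, capability={"c2_domain": malware_domain})
    ip = DNS.get(malware_domain)  # capability -> infrastructure
    d.infrastructure = {"ip": ip, "known_c2": ip in KNOWN_C2, "note": KNOWN_C2.get(ip)}
    if ip:
        for row in parse_log(log_text):  # infrastructure -> victim
            # A denied attempt still marks the source as infected: it tried to reach C2.
            if row["dst"] == ip:
                d.victim.add(row["src"])
    return d
```

With the constructed data the single reported victim grows to three internal hosts, which is the point at which the lecture says the incident becomes a larger one.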