Part 1 Campaigns and OSINT Intro



Time: 3 hours 1 minute
Difficulty: Advanced
CEU/CPE: 3
Video Description

This lesson discusses campaigns and open-source threat intelligence techniques and tools. A significant challenge analysts face today is distinguishing an isolated incident from a coordinated campaign. For example, a group of incidents may appear to be related, but further analysis may reveal that they were all isolated incidents. To understand an incident, analysis of the individual intrusions and of the various data points is crucial. In addition, internal data and OSINT may be used in conjunction. OSINT pivoting, domains, and link analysis are tools that can be used in this process. This consists of using Excel to create pivot tables and temporal analysis to discover what has already happened and what may happen in the future. An Excel spreadsheet allows the data to be viewed from many different angles, which allows for better insight and discovery.
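An added example, not from the lesson or from Cybrary, of the pivot-and-timeline idea in Python: constructed incident rows are pivoted on a shared column (the spreadsheet pivot), incidents that share an indicator value are chained into candidate campaigns, and the linked rows are ordered in time. All indicator values and incident IDs are constructed placeholders.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample rows (placeholder indicators, not real ones): one row per observation.
EVENTS = [
    {"ts": "2020-03-02T09:14:00", "incident": "INC-1", "type": "ip",     "value": "198.51.100.7",        "asset": "web-01"},
    {"ts": "2020-03-02T09:20:00", "incident": "INC-1", "type": "domain", "value": "update-cdn.example",  "asset": "web-01"},
    {"ts": "2020-03-05T17:02:00", "incident": "INC-2", "type": "domain", "value": "update-cdn.example",  "asset": "hr-03"},
    {"ts": "2020-03-05T17:30:00", "incident": "INC-2", "type": "email",  "value": "billing@example.net", "asset": "hr-03"},
    {"ts": "2020-03-09T08:45:00", "incident": "INC-3", "type": "email",  "value": "billing@example.net", "asset": "fin-02"},
    {"ts": "2020-03-11T13:10:00", "incident": "INC-4", "type": "ip",     "value": "203.0.113.9",         "asset": "vpn-gw"},
]

def pivot(events, column):
    """Excel-style pivot: for each distinct value of `column`, the incidents that carry it."""
    table = defaultdict(set)
    for e in events:
        table[e[column]].add(e["incident"])
    return {k: sorted(v) for k, v in table.items()}

def link_campaigns(events):
    """Chain incidents that share any indicator value (union-find). Clusters of
    size > 1 are candidate campaigns; singletons stay isolated incidents."""
    parent = {}
    def find(x):
        parent.setdefault(x, x)
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path compression
            x = parent[x]
        return x
    for incidents in pivot(events, "value").values():
        for other in incidents[1:]:
            parent[find(other)] = find(incidents[0])
    clusters = defaultdict(set)
    for e in events:
        clusters[find(e["incident"])].add(e["incident"])
    return sorted((sorted(c) for c in clusters.values()), key=lambda c: c[0])

def timeline(events, incidents):
    """Temporal analysis: the chosen incidents' rows in the order they occurred."""
    rows = [e for e in events if e["incident"] in incidents]
    return sorted(rows, key=lambda e: datetime.fromisoformat(e["ts"]))

if __name__ == "__main__":
    for cluster in link_campaigns(EVENTS):
        print("candidate campaign" if len(cluster) > 1 else "isolated incident", cluster)
        for e in timeline(EVENTS, cluster):
            print("   ", e["ts"], e["incident"], e["type"], e["value"], e["asset"])
```

The chaining is transitive, so INC-1 and INC-3 end up in the same cluster even though they share no indicator directly; that is exactly the kind of link a manual pivot on one column would miss.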

Video Transcription
00:04
Hello and welcome to Module Two of the Advanced Cyber Threat Intelligence course. In this module, we're going to be talking a little bit about campaigns and open source intelligence techniques and tools.
00:16
One of the main challenges for the analyst is to figure out how to differentiate between isolated incidents and a coordinated campaign. Often there might be clusters of incidents that appear to be related to each other, but after further analysis it turns out that they may not actually be related to each other. And the key to getting a little further along in this path to making these determinations is to figure out which threat feeds are being used internally, through continuous monitoring, for instance, or feeds that are coming from your SIEM device, firewalls, proxies, and so on, pairing that up with feeds that may come externally, that may come from vendors. Some of these could be free feeds, some could be paid feeds.
01:15
And once you start to aggregate all this information, then the goal would be to try to do correlation: finding events and the evidence for an indication of compromise. For instance, finding any kind of evidence that proves that certain events are linked together, maybe because they all share commonalities such as IP addresses or domain names, or have some other characteristics in common. The ability to do pattern recognition is also important, and this will come with more time and experience as the analyst gets more time in front of the monitoring system, more time in front of the threat feeds.
02:00
And ideally, there would be a point where certain sequences of events might indicate that a compromise is about to happen, or maybe it's already happened. And those patterns of behavior, patterns of different events, can be very useful, because now the analyst could be a little bit more on a proactive footing instead of a reactive footing. So seeing the big picture, then it becomes a little bit easier for the analyst to decide what it is that should be done next. We have this information that we gathered here, we have information we gathered from over here, we've done some correlation, and now we need to decide what is our next goal in this investigation.
02:45
A part of the challenge is figuring out how to engage in proper pivoting. Now, pivoting is a general concept in the sense that any piece of data that is gathered during analysis of threat feeds or an investigation using various tools and such, things like IP addresses, URLs, domain names, email addresses, the names of persons of interest, any one of these things could possibly be used as a pivot point in order to pursue other information. Doing various searches using tools like Maltego and other open source threat analysis tools might produce unexpected results, in that the analyst might discover information that they didn't know existed, and now they're getting sent down a different path, which hopefully will lead them to a deeper understanding of the incidents in question.
03:43
Another piece of the challenge, of course, is the temporal analysis of this information. If the timeline of events is well known, then it becomes simpler to place the events along a timeline and be able to do analysis in a more complete fashion. As I mentioned in the introductory CTI course, there are many reasons to use something like the Network Time Protocol, NTP. This way, all of your infrastructure that you're using for gathering information, for reporting, and so on is all referencing a common time source. This is critical during an investigation, because you want to know with a very high degree of certainty which order the events occurred in. And with NTP, you can be accurate down to several thousandths of a second, so it's certainly something to ensure is implemented in your environment. Back to pivoting for a minute.
04:48
One of the easiest tools to use for this purpose is the plain old Excel spreadsheet. You can find plenty of resources on the Internet showing how to create a pivot table, but that's really a coincidence that it's called a pivot table. What we're really talking about with Excel spreadsheets and pivoting is the idea that you would gather your information, get it formatted, and now you have multiple columns of information: maybe time and date stamp information, the type of threat you're looking at, where it was first seen, where it was most recently seen, what assets might be affected. Any and all characteristics or details about each of these events could be put into a spreadsheet, and then the pivoting mechanism within Excel allows you to choose certain columns within that spreadsheet to summarize the information. And there are lots of ways to view your data from different angles to get better insights into what you actually have to work with. But really, going back to the timeline idea, since event data from an investigation is inevitably going to have a time stamp, this helps to place the pieces of the puzzle in the timeline where they belong, and it becomes more clear as to what happened first, what happened next, and the correlation can take on a deeper level of understanding for the analyst.
Advanced Cyber Threat Intelligence

The Cyber Threat Intelligence (CTI) course is taught by Cybrary SME, Dean Pompilio. It consists of 12 modules and provides a comprehensive introduction to CTI. The subject is an important one, and in addition to discussing tactics and methods, quite a bit of focus is placed on operational matters including the various CTI analyst roles.
