Hello and welcome to Module Two of the Advanced Cyber Threat Intelligence course. In this module, we're going to be talking a little bit about campaigns and open source intelligence techniques and tools.
One of the main challenges for the analyst is to figure out how to differentiate between isolated incidents and a coordinated campaign. Often there might be clusters of incidents that appear to be related to each other, but after further analysis, it turns out that they may not actually be related to each other. The key to getting a little further along this path to making these determinations is to figure out which threat feeds are being used internally through continuous monitoring, for instance, feeds that are coming from your SIEM, firewalls, proxies and so on, and to pair that up with feeds that may come externally from vendors. Some of these could be free feeds, some could be paid feeds.
Once you start to aggregate all this information, the goal would be to try to do correlation: finding events and the evidence for an indication of compromise. For instance, finding any kind of evidence that proves that certain events are linked together, maybe because they all share commonalities such as IP addresses or domain names, or have some other characteristics in common. The ability to do pattern recognition is also important, and this will come with more time and experience as the analyst gets more time in front of the monitoring system and more time in front of the threat feeds.
Ideally, there would be a point where certain sequences of events might indicate that a compromise is about to happen, or maybe has already happened. Recognizing behavior patterns across different events can be very useful, because now the analyst can be on a little bit more of a proactive footing instead of a reactive footing. Seeing the big picture, it becomes a little bit easier for the analyst to decide what should be done next. We have this information that we gathered here, we have information we gathered from over there, we've done some correlation, and now we need to decide what our next goal is in this investigation.
Part of the challenge is figuring out how to engage in proper pivoting. Now, pivoting is a general concept: any piece of data that is gathered during analysis of threat feeds or an investigation using various tools, things like IP addresses, URLs, domain names, email addresses, or the names of persons of interest. Any one of these things could possibly be used as a pivot point in order to pursue other information. Doing various searches using tools like Maltego and other open source threat analysis tools might produce unexpected results, in that the analyst might discover information that they didn't know existed, and now they're getting sent down a different path, which hopefully will lead them to a deeper understanding of the incidents in question.

Another piece of the challenge, of course, is the temporal analysis of this information. If the timeline of events is well known, then it becomes simpler to place the events along a timeline and be able to do analysis in a more complete fashion. As I mentioned in the introductory CTI course, there are many reasons to use something like the Network Time Protocol, NTP. This way, all of the infrastructure that you're using for gathering information, for reporting and so on is referencing a common time source. This is critical during an investigation, because you want to know with a very high degree of certainty which order the events occurred in. And with NTP, you can be accurate down to several thousandths of a second, so it's certainly something to ensure is implemented in your environment.

Back to pivoting for a minute.
One of the easiest tools to use for this purpose is the plain old Excel spreadsheet. You can find plenty of resources on the Internet showing how to create a pivot table, but it's really a coincidence that it's called a pivot table. What we're really talking about with Excel spreadsheets and pivoting is the idea that you would gather your information, get it formatted, and now you have multiple columns of information: maybe time and date stamp information, the type of threat you're looking at, where it was first seen, where it was most recently seen, what assets might be affected. Any and all characteristics or details about each of these events could be put into a spreadsheet, and then the pivoting mechanism within Excel allows you to choose certain columns within that spreadsheet to summarize the information. There are lots of ways to view your data from different angles to get better insights into what you actually have to work with. But really, going back to the timeline idea: since event data from an investigation is inevitably going to have a time stamp, this helps to place the pieces of the puzzle in the timeline where they belong, and it becomes clearer what happened first and what happened next, and the correlation can take on a deeper level of understanding for the analyst.
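To make the correlation step and the spreadsheet pivoting described above concrete, here is an added Python example that is not from the course: constructed feed events are clustered by shared indicators (the pivot points), each cluster is ordered on a common timeline, and a simple rule treats a cluster as a candidate campaign only when more than one source corroborates it. The event fields, the sample indicators and the two-source rule are all assumptions for illustration.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample events (not real data): internal firewall/proxy/SIEM hits plus
# external vendor feed entries; each carries one or more indicators usable as pivots.
EVENTS = [
    {"id": "e1", "src": "firewall", "ts": "2024-03-01T09:15:00", "ioc": ["198.51.100.7"], "asset": "web01"},
    {"id": "e2", "src": "proxy", "ts": "2024-03-01T09:20:30", "ioc": ["malware-cdn.example", "198.51.100.7"], "asset": "ws-042"},
    {"id": "e3", "src": "vendor-feed", "ts": "2024-02-27T00:00:00", "ioc": ["malware-cdn.example"], "asset": None},
    {"id": "e4", "src": "siem", "ts": "2024-03-02T14:05:00", "ioc": ["203.0.113.9"], "asset": "db02"},
    {"id": "e5", "src": "proxy", "ts": "2024-03-03T11:00:00", "ioc": ["login-update.example"], "asset": "ws-017"},
    {"id": "e6", "src": "vendor-feed", "ts": "2024-02-28T00:00:00", "ioc": ["login-update.example", "203.0.113.9"], "asset": None},
    {"id": "e7", "src": "siem", "ts": "2024-03-04T08:00:00", "ioc": ["192.0.2.44"], "asset": "mail01"},
]

def cluster_by_indicator(events):
    """Union-find: events sharing any indicator (transitively) land in one cluster."""
    parent = {e["id"]: e["id"] for e in events}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path compression
            x = parent[x]
        return x

    owner = {}  # indicator -> id of the first event seen carrying it
    for e in events:
        for ioc in e["ioc"]:
            if ioc in owner:
                parent[find(e["id"])] = find(owner[ioc])  # pivot: join on the shared IoC
            else:
                owner[ioc] = e["id"]
    clusters = defaultdict(list)
    for e in events:
        clusters[find(e["id"])].append(e)
    return list(clusters.values())

def timeline(cluster):
    """Order a cluster's events by timestamp; assumes all sources share one NTP-synced clock."""
    return [e["id"] for e in sorted(cluster, key=lambda e: datetime.fromisoformat(e["ts"]))]

def classify(cluster, min_sources=2):
    """Assumed rule: a candidate campaign is corroborated by at least min_sources distinct feeds."""
    return "campaign" if len({e["src"] for e in cluster}) >= min_sources else "isolated"

def pivot(cluster):
    """Spreadsheet-style pivot: event count per source plus the affected assets."""
    by_src = defaultdict(int)
    for e in cluster:
        by_src[e["src"]] += 1
    return dict(by_src), sorted({e["asset"] for e in cluster if e["asset"]})
```

Running it over the constructed events yields two multi-source clusters (candidate campaigns, each first seen in a vendor feed before the internal hits) and one single-source cluster that stays an isolated incident.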