Now let's think about the adversary's infrastructure, trying to do some characterization of their character, their capabilities, their abilities. These are things that may be discovered through the current investigation, through the correlation events that you might have been working on already. Or perhaps, if the adversary has been seen before, there may be historical information which could be used for this purpose. But trying to understand skills and abilities and capabilities can take a little bit of time. There might be some very subjective estimations of what an adversary might actually be capable of. That's why you want to try to back that up with circumstantial evidence, with factual evidence. Whatever kind of event logs and data that could be brought to bear would make a lot of sense here. You might also make an estimation of the knowledge that an adversary has.
For instance, if they are targeting certain areas of the infrastructure, that might indicate that they have only gained enough knowledge to do only the activity that they are currently engaged in. Maybe at a later stage, after more information is gained, they may try other tactics or use some pivoting techniques in order to try to scan or attack other pieces of the infrastructure. That's when you know that the knowledge has increased, because their techniques and tactics have changed and are becoming a little bit more specific, perhaps even more advanced. So that increased level of access is a telltale sign that the capability, skills and knowledge and all these other characteristics are at a low level, moderate level or higher level. You'll know that as time goes on by doing the analysis.

Other pieces of the infrastructure would involve the hard assets. Let's call them IP addresses, domain names, email addresses, actual names of persons of interest. There are plenty of open source intelligence tools to gather some of this information and, well, we'll see a couple of examples of this as we go through the rest of the course. But these are the kinds of bits and pieces of data that will start to populate your diagrams and charts and help you to be able to connect the dots a little bit, to see where the information is coming from. I'm sorry, where the attacks are coming from, and what kinds of infrastructure that's out on the Internet is actually involved in this activity. And to bundle in also with this kind of analysis would be thinking about the different types of threat agents.
We see a nice list here of hackers that are unstructured or structured, meaning: are they part of a group? Are they disciplined and organized, or is it perhaps a lone wolf doing their actions on their own and not really being affiliated with another group? Organized crime is always a possibility, since the various organized crime groups around the world have been known to forcibly recruit hackers and other individuals to do their dirty work, so to speak. So this is certainly a possibility for some of the evidence you might uncover. Then there are things like traditional industrial espionage, trying to get competitors' information, get competitors' secrets, legally or otherwise, in order to gain some kind of advantage in the marketplace.
One of the hardest things to defend against, as everyone knows, is the privileged insider. They have access, they have knowledge. They might also have administrative rights within some of the infrastructure that they're using, and if they are launching attacks, it's very likely that they are well aware of how they would be monitored, and so they can evade that monitoring if they're skilled enough.
We also have activists to consider, groups like Anonymous or the Shadow Brokers, and others like this. They have somewhat more of a public profile, and so some of their capabilities and skills and knowledge might be a little bit easier to estimate. When it comes to terrorism groups that are funded or unfunded, or nation state actors, there could be a wide variety of characteristics to discover about these as well. Obviously, if a group appears to be well funded, then that may imply that they've got multiple actors within the group working together as a team; they may have access to more advanced tools and may be able to sustain their activities over the long term. So these are certainly other things to throw into the mix as you're trying to better understand what you're actually dealing with when you're up against an adversary. Discovering the infrastructure that you're able to see is a great start.

Other considerations would be to, you know, spend a little bit of time in enemy territory. Yeah, the Deep Web or the Dark Web. It has been estimated to contain 96% of what's actually available on the Internet, and the commercial Internet, if you want to call it that, is the remaining 4% that the rest of us are using for entertainment purposes and shopping and everything else. This is a nice diagram showing some of the differences between what's on the surface, which actually looks like a little bit more than 4% the way this diagram is drawn, but you get the idea.
The Deep Web would have other things that may not necessarily be involved in criminal activity but are not easily found without using special tools in any case, and then the Dark Web is where the criminal activity is most likely located.
There's an interesting website called Dark Web News, and they have an article basically trying to guide someone through gaining access to the Dark Web. It goes through a little bit of detail about setting up a VPN, using Tor, trying to use anonymizers, and gives a decent amount of information about how to remain anonymous and how to be careful when you're doing your research. It is important to be careful when you're doing research in the Dark Web or the Deep Web because it is being monitored. And even if you're doing research for defensive purposes, it's still something to keep in mind as you're going about your business. You wouldn't want to draw undue attention to yourself, even though you're not actually doing anything wrong. So this could be a good website to gain a little bit of a greater overall knowledge of the tools that the adversaries are using, where they might be going, what they might be doing there. And that's really probably a topic for an entire course: engaging with the Dark Web's resources and the tools that are available so that you can better understand how the enemy is using them. Maybe we'll see that in a future course.