Part 2 Adversary Infrastructure and the Dark Web

Video Activity


Time: 3 hours 1 minute
Difficulty: Advanced
CEU/CPE: 3
Video Description

Adversary Infrastructure and the Dark Web. This lesson discusses campaigns and open source threat intelligence. This consists of:

  • Characterizing the adversary
  • Identifying adversary infrastructure
  • Threat agents

In addition, this lesson also discusses using the Dark Web or Deep Web as a resource. According to experts, 96% of the Internet is hidden and there are many unknown resources available. When utilizing the Dark Web/Deep Web for research, it is important to exercise extreme caution as it is heavily monitored.

Video Transcription
00:04
Now let's think about the adversary's infrastructure, trying to do some characterization of their
00:11
character, their capabilities, their abilities.
00:14
Thank you.
00:15
These are things that may be discovered through
00:19
the current investigation through your correlation events that we
00:23
you might have been working already. Or perhaps if the adversary has been seen before.
00:29
There may be historical information which could be used for this purpose,
00:33
but trying to understand
00:35
skills and abilities and capabilities
00:38
can take a little bit of time. There might be some very subjective estimations of what an adversary might actually be capable of.
00:46
That's why you want to try to back that up
00:49
with circumstantial evidence with factual evidence.
00:54
Whatever kind of event logs and data that could be brought to bear would make a lot of sense here. You might also make an estimation of the knowledge that an adversary has.
01:04
For instance, if they are targeting certain
01:10
areas of the infrastructure
01:11
that might indicate that they have only gained enough knowledge to do only the activity that they are currently engaged in.
01:21
Maybe at a later stage after more information is gained, they may try other tactics or
01:27
use some pivoting techniques in order to try to scan or attack other pieces of the infrastructure.
01:34
That's when you know that the knowledge has increased, because their techniques and tactics have changed and are becoming a little bit more specific, perhaps even more advanced.
01:45
So that increased level of access
01:48
is a telltale sign that
01:49
the capability, skills, knowledge and all these other characteristics
01:53
are at a low level, moderate level or higher level. You'll know that as time goes on by doing the analysis. Other pieces of the infrastructure would involve the hard assets. Let's call them
02:07
IP addresses, domain names, email addresses, actual names of persons of interest. There are plenty of open source intelligence tools
02:17
to gather some of this information and,
02:22
well, we'll see a couple of examples of this as we go through the rest of the course.
02:27
But these are the kinds of bits and pieces of data that will
02:30
start to populate your diagrams and charts and
02:35
and help you to be able to connect the dots a little bit to see
02:38
where the information is coming from. I'm sorry, where the attacks are coming from
02:44
and what kinds of infrastructure that's out on the Internet is actually involved in this activity. And bundled in also with this kind of action would be thinking about the different types of threat agents.
02:58
We see a nice list here of
03:00
hackers that are unstructured or structured, meaning: are they part of a group? Are they disciplined and organized, or is it perhaps a lone wolf
03:08
doing their actions on their own
03:12
and not really being affiliated with
03:15
another group? Organized crime is always a possibility, since the various organized crime groups around the world
03:23
have been known to forcibly recruit
03:27
hackers and other individuals to do their dirty work, so to speak.
03:30
So this is certainly a possibility for some of the evidence you might uncover.
03:36
Then there are things like the traditional industrial espionage, trying to
03:43
get competitors information, get competitors secrets
03:47
legally or otherwise, in order to gain some kind of advantage in the marketplace.
03:53
One of the hardest things to defend against, as everyone knows, is the privileged insider.
03:59
Since
04:00
they have access, they have knowledge.
04:02
They might also have
04:05
administrative rights within some of the infrastructure that they're using,
04:10
and if they are launching attacks.
04:14
It's very likely that they are well aware of how they would be monitored, and so they can evade that monitoring if they're skilled enough.
04:23
We also have activists to consider
04:26
groups like Anonymous or the Shadow Brokers, others like this. They have somewhat more of a public profile, and so some of their capabilities and skills and knowledge might be a little bit easier to estimate.
04:40
When it comes to terrorism groups that are funded or unfunded, or nation-state actors,
04:46
There could be a wide variety of characteristics to discover about these as well.
04:53
Obviously, if a group appears to be well funded, then that may imply that they've got multiple actors within the group working together as a team,
05:02
they may have access to more advanced tools
05:06
and may be able to sustain their activities over the long term.
05:12
So these are certainly
05:13
other things to throw into the mix as you're trying to better understand what you're actually dealing with
05:19
when you're up against an adversary. And discovering the infrastructure that you're able to see is a great start. Other considerations would be to,
05:30
you know, spend a little bit of time
05:33
in enemy territory.
05:36
Yeah, the Deep Web or the Dark Web.
05:40
It has been estimated to contain 96% of what's actually available on the Internet
05:46
and the commercial Internet, if you want to call it that,
05:48
is the remaining 4% that the rest of us are using
05:54
for entertainment purposes and shopping and everything else. This is a nice diagram showing
06:00
some of the differences between what's on the surface. That actually looks like a little bit more than 4% the way this diagram's drawn, but you get the idea.
06:08
The Deep Web would have other things that may not necessarily be involved in criminal activity but
06:15
are not easily found without using special tools in any case,
06:19
and then the Dark Web
06:21
is where the criminal activity is most likely located.
06:26
There's an interesting website
06:28
called the Dark Web News, and they have an article
06:32
basically trying to guide someone through gaining access to the Dark Web,
06:39
and it goes through a little bit of details about
06:43
setting up a VPN, using Tor,
06:46
trying to use anonymizers,
06:50
and gives a decent amount of information about how to remain anonymous, how to be careful when you're doing your research,
06:59
and
07:00
it is important to be careful when you're doing research in the Dark Web or the Deep Web because it is being monitored.
07:06
And even if you're doing research only for defensive purposes, it's still something to keep in mind as you're going about your business.
07:17
You wouldn't want to draw undue attention to yourself,
07:21
even though you're not actually doing anything wrong.
07:26
So this could be a good website to gain a little bit of a greater overall knowledge
07:30
of
07:31
the tools that the adversaries are using, where they might be going, what they might be doing there.
07:38
And that's really probably a topic for an entire
07:43
course: engaging in the Dark Web's resources
07:48
and tools that are available so that you can better understand how the enemy is using them.
07:54
Maybe we'll see that in a future course.

Advanced Cyber Threat Intelligence

The Cyber Threat Intelligence (CTI) course is taught by Cybrary SME, Dean Pompilio. It consists of 12 modules and provides a comprehensive introduction to CTI. The subject is an important one, and in addition to discussing tactics and methods, quite a bit of focus is placed on operational matters including the various CTI analyst roles.
