Time
3 hours 1 minute
Difficulty
Advanced
CEU/CPE
3

Video Description

Malware Campaigns

This lesson covers how campaigns are defined. One way to think about a campaign is as a set of related incidents in which different threat actors take actions in a coordinated manner. Once a campaign is defined, the next step is communicating information about it. A heat map is one method of communicating about a campaign: heat maps give a graphical representation of data and color-code individual data elements. When communicating information about a campaign, it is important to be concise, know your audience and use appropriate templates.
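The grouping step the lesson describes (incidents that share domains, IP addresses or email addresses are linked into one campaign) and the heat map used to communicate the result can be shown in code. The following Python script is an added example, not material from the course or from any of the tools it mentions; the incident records, indicator values (RFC 5737 documentation addresses and `.example` names), naming scheme and weekly bucketing are all constructed assumptions. It links incidents that share any indicator, assigns each resulting campaign a unique name, and builds the campaign-by-week count matrix that a heat map would colour, rendering it as text.

```python
"""Link incidents into campaigns by shared indicators and summarise the
result as heat-map data. Added example; all incident records are constructed."""
import math
from collections import defaultdict
from datetime import date

# Constructed incidents: hypothetical indicators only (RFC 5737 addresses,
# .example names), not real IOCs from any campaign.
INCIDENTS = [
    {"id": "INC-1", "date": date(2023, 3, 2), "domains": {"update-portal.example"},
     "ips": {"203.0.113.10"}, "emails": {"billing@invoice-mail.example"}},
    {"id": "INC-2", "date": date(2023, 3, 9), "domains": {"update-portal.example"},
     "ips": {"203.0.113.11"}, "emails": set()},
    {"id": "INC-3", "date": date(2023, 3, 10), "domains": set(),
     "ips": {"203.0.113.11"}, "emails": {"hr@payroll-notice.example"}},
    {"id": "INC-4", "date": date(2023, 3, 4), "domains": {"cdn-static.example"},
     "ips": {"198.51.100.7"}, "emails": set()},
    {"id": "INC-5", "date": date(2023, 3, 20), "domains": {"cdn-static.example"},
     "ips": {"198.51.100.9"}, "emails": set()},
    {"id": "INC-6", "date": date(2023, 3, 11), "domains": set(),
     "ips": {"192.0.2.99"}, "emails": set()},
]
INDICATOR_FIELDS = ("domains", "ips", "emails")


def cluster_campaigns(incidents):
    """Return groups of incident ids; two incidents join a group when they
    share any indicator, directly or through a chain of other incidents."""
    parent = {inc["id"]: inc["id"] for inc in incidents}

    def find(x):  # union-find with path halving
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x

    first_seen = {}  # (field, value) -> first incident id carrying it
    for inc in incidents:
        for field in INDICATOR_FIELDS:
            for value in inc[field]:
                key = (field, value)
                if key in first_seen:
                    parent[find(inc["id"])] = find(first_seen[key])
                else:
                    first_seen[key] = inc["id"]
    groups = defaultdict(list)
    for inc in incidents:
        groups[find(inc["id"])].append(inc["id"])
    return sorted((sorted(g) for g in groups.values()), key=lambda g: g[0])


def name_campaigns(groups, prefix="CMP", year=2023, taken=()):
    """Give every multi-incident group a unique name, never reusing one in
    `taken`. Single incidents stay unnamed until evidence links them."""
    taken = set(taken)
    named = {}
    n = 1
    for group in groups:
        if len(group) < 2:
            continue
        while f"{prefix}-{year}-{n:03d}" in taken:
            n += 1
        name = f"{prefix}-{year}-{n:03d}"
        named[name] = group
        taken.add(name)
        n += 1
    return named


def activity_matrix(named, incidents):
    """Campaign x ISO-week incident counts: the numbers behind a heat map."""
    by_id = {inc["id"]: inc for inc in incidents}
    weeks = sorted({inc["date"].isocalendar()[1] for inc in incidents})
    matrix = {}
    for name, ids in named.items():
        row = {w: 0 for w in weeks}
        for i in ids:
            row[by_id[i]["date"].isocalendar()[1]] += 1
        matrix[name] = row
    return weeks, matrix


SHADES = " .:#"  # intensity ramp standing in for heat-map colours


def render_heatmap(weeks, matrix):
    """Text heat map: one row per campaign, one cell per ISO week, darker
    cells (relative to the busiest cell) mean more incidents."""
    peak = max((v for row in matrix.values() for v in row.values()), default=0)
    lines = [f"{'campaign':<13}" + "".join(f" W{w:02d}" for w in weeks)]
    for name, row in matrix.items():
        cells = []
        for w in weeks:
            count = row[w]
            level = 0 if count == 0 else math.ceil(count * (len(SHADES) - 1) / peak)
            cells.append(" " + SHADES[level] * 3)
        lines.append(f"{name:<13}" + "".join(cells))
    return "\n".join(lines)


if __name__ == "__main__":
    named = name_campaigns(cluster_campaigns(INCIDENTS))
    print(render_heatmap(*activity_matrix(named, INCIDENTS)))
```

Here INC-1 and INC-2 share a domain and INC-2 and INC-3 share an IP address, so all three land in one campaign even though INC-1 and INC-3 have nothing directly in common; INC-6 stays an isolated incident. Swap the constructed list for exported incident records with the same fields to run it on real data.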

Video Transcription

00:04
All right, so what exactly is a campaign?
00:08
One easy way to think about this is as a bunch of different incidents,
00:12
with a bunch of different threat actors
00:16
taking some actions in a coordinated way.
00:21
As I talked about a little bit earlier in the module, it's sometimes difficult
00:25
to
00:27
differentiate between
00:29
single incidents, which may be isolated,
00:33
versus those incidents which tend to be grouped together. One of the ways to get closer to answering that question is, of course, to use tools like Maltego
00:42
or ThreatConnect or
00:44
PassiveTotal. These are all great ways to
00:50
group things together, look for the patterns, see what the relationships might be. And then it should become more clear that you're actually looking at a campaign because you've got
00:59
things in common between the threat actors, between the domains that they register, between email addresses,
01:04
things in common with IP addresses
01:07
and other associated
01:08
artifacts.
01:11
So the tactics, techniques and procedures of different threat actors could also be used as clues to determine if you're dealing with a campaign.
01:23
This is something we'll talk about a little bit later when we discuss attribution. But
01:29
The base idea, then, is to look for commonality between the different pieces of evidence that are discovered
01:37
to see if there is something that links them together.
01:41
What about key indicators?
01:44
These could be a lot of different things that are
01:48
going to be maybe on a case-by-case basis in a lot of circumstances, but
01:53
it's still something to consider:
01:57
what kind of metrics are important to doing an investigation,
02:01
especially when you haven't determined yet if you're dealing with a campaign or isolated incidents. Some of the indicators could have to do with
02:08
when something happened, the order of events.
02:14
Try to look for patterns in the events that lead up to some kind of a compromise.
02:20
These could provide little clues
02:23
as to how a
02:24
particular threat actor is operating.
02:27
Their modus operandi is certainly something to try to get a handle on.
02:31
In order to better connect a potential threat actor with their activity,
02:39
campaigns should be named.
02:43
The convention for naming campaigns, of course, is going to vary from one organization to another,
02:50
but a unique name is certainly something needed in order to keep the information separate.
02:55
You don't want to have
02:58
any confusion about which campaign is actually being discussed or investigated
03:02
because of names that are too similar, or
03:07
names that are identical in the worst-case scenario.
03:10
Trying to help identify whether
03:15
new incidents are part of an existing campaign that's being studied can also be a little bit tricky.
03:21
Some incidents may turn out to be related after further investigation,
03:27
and also the actual
03:30
type of activity is important.
03:34
If the existing campaign is dealing with ransomware, for instance, like we were just looking at some of the artifacts for WannaCry,
03:44
then other ransomware-related incidents and activities
03:46
could also be investigated
03:50
in the hopes that there's a connection between some new action and an existing campaign that's already
03:58
under investigation.
04:00
All right, so now let's think a little bit about how you
04:04
communicate some of the information about a campaign?
04:09
One really nice tool to use is a heat map,
04:13
and we saw this when we were looking a little bit earlier at the ThreatConnect tool,
04:18
and the map was a very straightforward way to represent different values of data in an easily
04:27
visualized manner.
04:29
You can use colors as we see here.
04:32
And this particular
04:35
heat map has
04:36
not only different colored boxes to represent different information but also different sized boxes.
04:45
Sometimes this is done with circles: different color circles, different sizes indicate
04:49
whatever parameters the designer wishes.
04:55
Maybe a larger square means more activity.
04:58
Smaller square might mean less activity. That's a pretty typical way to do this.
05:02
This heat map could also be done using a map.
05:06
There's endless ways to tinker with this basic idea.
05:14
The trick, of course, is to find a method that works for your particular situation
05:18
and is hopefully acceptable to the people that are consuming the intelligence.
05:26
As with any kind of communication, it's very important
05:30
to design any reporting or
05:34
any kind of a lecture or presentation so that it best suits the audience which it's intended for.
05:45
If you're sharing this information with technical people, then you have a little bit more
05:51
leeway as far as the terminology you can use and the concepts you can present.
05:57
However, if
05:58
a technical discussion is being shared with people who are a little bit more business oriented,
06:02
then you have to keep that in mind by choosing appropriate language and appropriate examples
06:09
to convey some of the more difficult to understand concepts.
06:14
Using templates is not a bad idea,
06:16
and as I talked about a little bit earlier, having a consistent, repeatable approach to reporting and otherwise
06:24
any other kind of communications
06:27
is a really great goal.
06:29
The consumers of the intelligence will also appreciate
06:31
having a consistent look and feel when they're looking at a report or some other write-up of evidence in a campaign.
06:41
And then, lastly, we want to also think about being concise.
06:46
It's very important to think about having a summary, like an executive summary, for certain bits of information, from which the reader can then decide whether or not to go to another section of the report
07:00
for more detailed explanations.
07:03
But having some high-level descriptions or even bullet points is not a bad way to get the reader started
07:11
and giving them the choice to dig deeper if they want. Instead of
07:15
just presenting all of the detailed information right at the beginning of a report,
07:21
it's better to be able to kind of drill down a little bit as needed
07:26
when more information is needed.
07:30
Okay. Well, thank you for watching module 2. Stay tuned for module 3.

Up Next

Advanced Cyber Threat Intelligence

The Cyber Threat Intelligence (CTI) course is taught by Cybrary SME, Dean Pompilio. It consists of 12 modules and provides a comprehensive introduction to CTI. The subject is an important one, and in addition to discussing tactics and methods, quite a bit of focus is placed on operational matters including the various CTI analyst roles.

Instructed By

Dean Pompilio
CEO of SteppingStone Solutions
Instructor