Time
3 hours 1 minute
Difficulty
Advanced
CEU/CPE
3

Video Transcription

00:04
All right, so a little bit more about the attribution to nation States,
00:10
we're at the end of the module. So I wanted to kind of recap some of these concepts a little bit, as I mentioned earlier. This is,
00:17
uh, very difficult work to dio extremely difficult even.
00:22
And as we've seen with new stories in 2016 and 2017
00:28
with
00:29
the alleged Russian interference in presidential elections, for instance, North Korea
00:36
hacking China being involved, all these different entities potentially doing something to cause a problem in another country, interfere with their government processes, Elections air certainly very serious.
00:48
And if that kind of thing is being alleged that they should be a pretty high burden of proof before any kind of action has taken because there could be very serious consequences. Obviously,
01:00
all the ways that hackers have developed to cover their tracks are the same techniques that pen testers use more or less. But hackers have the advantages in that they can certainly
01:11
have a multitude of things like
01:14
owned systems,
01:15
that he uses pivot points. They can have their various proxy chains that they developed that could bounce their traffic all around the planet before it finally gets to its destination,
01:26
making the retracement of those steps nearly impossible. Many proxy chain tools can can be also encrypted and randomized,
01:36
so that even if a particular chain was used during the commission of Ah, Crime or an attack,
01:42
it may not exist in that form anymore. Because it's been shuffled, kindly shuffling the cards and creating a new proxy chain. Each one you know will eventually repeat itself. But you're not going to easily find the original configuration to support investigation. That much should be obvious
02:00
because of all these nation states that are potentially attacking each other and other groups
02:05
that are trying to get in on the action.
02:07
This is very largely become geopolitical. And in any kind of situation like this,
02:14
there has to be very careful analysis before attribution can be attempted,
02:17
and even then it has to be done in a cautious way without necessarily saying there's 100% certainty and unless that does truly exist.
02:28
But in some of the stories I've mentioned that we've seen in the news last two or three years,
02:34
it wasn't always obvious if 100% certainty had been determined because there is a need for publicist public disclosure. Citizens want to know what's happening with, especially with their own government, that can have a detrimental effect on
02:50
current investigations and future investigations. And you'll often hear elected officials, law enforcement officials and so on
02:57
stating that they can't comment on the case that's under investigation.
03:00
They might be able to give very limited information,
03:04
but they can't say too much because that will tip their hand as far as who they're looking at why,
03:10
and that becomes
03:13
part of the mystery. Conspiracy theorists and other kinds of analysts will try to parse the words and try to figure out exactly what was said or what was left unsaid,
03:23
and
03:24
that can muddy the waters, at least in the public sphere. Which is not to say that it can't muddy the waters within the organization
03:31
by having
03:32
alternate competing hypotheses and all these logical and
03:37
cognitive biases that could could work the way into the process. So we should certainly assume that skepticism about results in about announcements
03:46
is not only a healthy thing,
03:50
but that it's a necessary thing. There should be a very high burden of proof and very extremely serious cases like cybercrime attributed to a nation state, which is not just say, that cybercrime attributed to a some other kind of group or even an individual is not serious. But the attribution complexity is certainly greater
04:09
the more threat actors that are involved. If Attackers can actually be caught in the process of doing their their actions, then there is a
04:18
a better chance of correctly identifying
04:21
physical locations and individuals.
04:25
And when I say caught, I don't necessarily mean apprehended.
04:28
What I mean is there observed in the commission of their attack.
04:32
And
04:33
if researchers and analysts can act quickly enough, they may be able to put enough pieces of the puzzle together to get to a reasonably accurate answer.
04:42
And that's the ultimate goal of trying to do this work to begin with. As we saw earlier in this chapter, you may be required t to use a sliding scale of certainty because there may not be enough information.
04:57
There could be some intuition or other
05:00
other perhaps less than perfectly logical methods being used.
05:04
So this way there's a little bit of leeway if if if the assumption or the conclusion reached is not correct.
05:12
Then it could be adjusted a little bit because only an estimate was given to begin with. So within the organization
05:17
that's doing summer threat intelligence analysis,
05:20
this should be in a effort to create an active defense posture.
05:27
This could be achieved by many different means. Of course, the generation of intelligence and the consumption of intelligence is a cycle. It's an ongoing cycle that would be expected to repeat endlessly throughout in organizations. Lifetime.
05:42
We talked about the beginning of the course about a maturity mob related to threat intelligence capabilities,
05:49
and we also touched on
05:51
the different threat feeds their available, some of them for free, some of them requiring your subscription. The methodologies that an analyst chooses
06:00
should also be
06:01
consistent and
06:03
repeatable.
06:05
That way, the organization can continue to make incremental improvements towards their ultimate goal of having a well oiled machine quickly analyzing and responding to incidents and threats as they appear. And for the producer of the intelligence paying special attention to who will actually be consuming, it is
06:25
a overarching task,
06:26
all reporting all conclusions. All methodologies and other supporting information should be carefully noted
06:33
with the expectation of that information may be summoned at some point when the consumer of the intelligence wants more
06:41
detail for the intelligence consumption point of view,
06:45
the
06:46
the policies and procedures that the organization uses
06:49
are shaped by intelligence that's produced and consumed. It could be determined that certain things are working very well, and therefore
06:58
those policies and procedures that come from those policies are deemed to be successful.
07:03
On the other hand,
07:05
it could also point out gaps in the policies and procedures or even situations where that information is just plain wrong.
07:15
And that's another area of focus in order to produce incremental improvements as the organization of matures or gets higher on the maturity capability scale, using the various S. E. T. I platforms that we saw in this course could provide a lot of value.
07:31
Since these have multiple contributors from all around the world, there's millions of events to potentially sift through.
07:39
And this could bring tremendous advantages to the analyst when they're trying to do their their work thio
07:47
between correlation and causation
07:49
and this is just a fantastic era to be to be doing this kind of work. Was there so many tools available
07:57
to make your life just easier overall,
07:59
Um
08:00
Maur, possibly on the internal side of things.
08:03
I did play some evidence, some emphasis rather on sim devices and the value of
08:09
aggregating all of your internal longing events.
08:13
Thio produce
08:16
actionable intelligence. There are certainly cloud based
08:20
solutions like this such azali involved,
08:24
which can provide similar function without having to deal with supporting the infrastructure.
08:28
There's a lot of options there,
08:31
and then, lastly, the value of security stash reports cannot be underestimated.
08:37
The frequency of the reports that the depth of the detail will certainly be something that varies over time.
08:43
But if we if we remember that there are time based triggers an event based triggers for stash reporting,
08:50
then
08:52
the policies and procedures that shape that activity should continue to improve over time as well.
08:58
This provides another method of feedback to the decision makers to say that way. We know we've invested a lot of money in our program and our people,
09:09
our applications and our hardware. We've sent them to trading,
09:15
and they're producing
09:16
quality output that helps the organization's leadership understand if the program is going well, Are they getting their money's worth?
09:24
Have they have they received a reasonable return on their investment?
09:28
All right, well, that concludes. Module four. Stay tuned for the review and conclusions. Thank you.

Up Next

Advanced Cyber Threat Intelligence

The Cyber Threat Intelligence (CTI) course is taught by Cybrary SME, Dean Pompilio. It consists of 12 modules and provides a comprehensive introduction to CTI. The subject is an important one, and in addition to discussing tactics and methods, quite a bit of focus is placed on operational matters including the various CTI analyst roles.

Instructed By

Instructor Profile Image
Dean Pompilio
CEO of SteppingStone Solutions
Instructor