Tactical Threat Intelligence - IOC Lifecycle and Tools | Cybrary

Video Activity

Create Free Account

In this video we cover the IOC lifecycle and emphasize its importance in the analysis phase of threat identification and prioritization. During the discover phase some level of event checking is required in order to prioritize. The analyze phase is where the analyst executes a repeatable methodology that is essential to maintaining credibility. Fin...

Sign up with

Or

Already have an account? Sign In »

Time

4 hours 8 minutes

Difficulty

Intermediate

CEU/CPE

4

Create Free Account

In this video we cover the IOC lifecycle and emphasize its importance in the analysis phase of threat identification and prioritization. During the discover phase some level of event checking is required in order to prioritize. The analyze phase is where the analyst executes a repeatable methodology that is essential to maintaining credibility. Finally, the leverage phase is where the analyst proves that an event occurred and potentially correlates an event with other events. Dean introduces and reviews several free IOC tools such as FireEye, Redline, and Memoryze among others. These tools provide a wealth of functions to the CTI analyst and form an essential part of his/her toolbox.

00:04

Now we can move on to

00:06

the actual

00:09

lifecycle of IOC's.

00:12

Naturally, an indicator compromise must be discovered

00:17

through whatever means it could be through reviewing logs. It could be assumed device.

00:21

It could be through doing some auditing or some just general maintenance.

00:26

As we saw earlier module.

00:29

An indicator compromise could take many different forms,

00:32

and

00:34

they are when something interesting is discovered. It's not always

00:38

to be treated suspiciously.

00:40

There should be some level of checking to verify that something is good or bad or

00:45

or slightly suspicious, for instance, and then you must dig deeper in order to make that determination. That's where the analysis comes in.

00:54

And as I already mentioned, the concept of crying wolf

00:58

if and and I'll see is too quickly interpreted to be a true threat.

01:03

Very true breach.

01:06

And now you've put some forces into motion for incident response.

01:11

It's very wasteful and embarrassing even to do that when it's not working. So the analysis phase should be done carefully with a solid methodology that's repeatable

01:22

so that

01:23

the organization doesn't waste time,

01:25

and so that analysts don't lose credibility

01:30

once an IOC has been discovered and it's been confirmed or validated by by some means

01:34

that it can be leveraged.

01:37

And by this, what we What we mean is that the

01:40

since we can prove, for instance, that

01:44

even a happened,

01:46

that must mean that other events, like event be an event. See, for instance,

01:49

might be related. You might be able to establish some correlation between these different events

01:56

and

01:57

because you've got a solid foundation to work from

02:00

other conclusions and other,

02:02

even other estimates of validity can also carry a little bit more weight such an important thing to think about.

02:13

All right, so let's think about some free tools.

02:15

There's a great company called Fire. I have some links here

02:20

and bring up their website really quick,

02:23

actually bring it up in just a moment, but

02:24

ah, fire i dot com. They've got free tools for creating

02:29

IOC's

02:30

tools that help you display them.

02:32

You can run some scans on systems. I'll demonstrate that tool here in just a moment,

02:38

and you're collecting information from the file system from

02:42

Web browsing from memory, for instance,

02:45

others tools to analyze the information

02:47

and then lastly, we'll look at some cyberthreat maps which are freely available

02:53

all right. So here's Fireeye.

02:55

They've got a lot of different products, and service is

02:59

one area that is interesting to look at. Right away, though, is under resource is will go to free software downloads.

03:09

And here's where you can get to really useful tools. The one that will be looking at

03:14

is a red line.

03:15

And as it sounds, it's a free utility

03:17

and lets you look at

03:20

a suspected

03:22

and ah, system that's been compromised.

03:23

I'm gonna run it just on my local machine here, which is an option you can use.

03:28

But, General, you're going to launch this tool

03:30

and

03:30

try to get to run on a remote machine so that you can see

03:36

what some suspicious activity might be doing on a system in your network.

03:42

We also have this memorized tool for members run six

03:46

highlighter,

03:49

also useful for

03:51

looking at information gathered from the other tools

03:54

and then got some other ones here like D. N s response. Looking at your heap

04:02

looking at Microsoft database files.

04:05

And then there's some IOC tools.

04:09

So

04:10

and I'll see,

04:12

as far as these tools are concerned, is just a small collection of information typically in XML format,

04:17

and you just create some details about

04:21

what? The indicator of compromises,

04:25

the more detail you can put into the entry, the more useful it might be.

04:30

So these editors

04:31

and the finder and writer tools allow you to manipulate this information so that you can better

04:39

utilize the information better utilize the IOC data within your environment.

04:45

We'll have a look at that, those in a little bit as well.

04:48

And there's a couple more tools they provide,

04:53

like doing room our reverse engineering work,

04:56

setting up a reverse proxy,

05:00

cash parsing

05:00

and so on.

05:01

It was a really good stuff here.

05:06

So before I demonstrate the tool,

05:09

I like to look at

05:11

a couple of these different cyberthreat naps.

05:13

Uh, one of them is from Fire. I themselves you confined this link on their on their website, go full screen.

05:20

As you can see, it's showing different actions going on in the world. Right now.

05:27

We can see that there's financial service is is the

05:30

the top industry that's being attacked right moment.

05:33

Consulting service is insurance companies,

05:38

and these were all going on in real time,

05:42

and it gives you some information about how many attacks have been seeing today we can see some other information the top here.

05:48

It's a decent tool just to kind of get a very big picture view of what's happening

05:54

on the Internet right now.

05:57

But this tool does not give a whole lot of detailed information

06:01

so we can go to another one by North Technologies

06:06

actually has quite a bit of data. Did you conceal it? It kind of looks a little bit like

06:12

the movie wargames when there's

06:15

simulations of thermonuclear war between different countries, because we can see

06:18

the attacks going from the source to the destination.

06:23

And very helpfully, it also provides the origins of where the attacks came from, listed by country What kind of attack?

06:30

It actually is. But the destination looks like,

06:34

and we could see a little more detail in I P addresses and so on,

06:39

and you can even zoom in on certain areas

06:43

if you want. For instance, you want to focus on the United States.

06:48

You could do that,

06:51

and you could pause the activity

06:54

and even

06:56

get more information about

06:58

so I can pause.

07:03

So if you

07:08

mouse over certain things, you can get information about

07:11

where that country is or what kind of attack? Waas

07:16

And you could also set filters

07:18

so I could just say I want to only look at us and China related to tax.

07:24

Go back to playing that

07:25

that way you're not cluttering up your interface with

07:29

with the

07:30

information. Not really interested in. Maybe I'm only interested in http attacks between

07:35

how the U. S. And China

07:38

actually doesn't look like it lets me do that exactly what I wanted to.

07:41

It's a nice tool

07:43

and it could give you some additional information

07:48

when you're trying to confirm that something's really going up. Maybe there's a, you know, de dos attack happening,

07:54

and quite a few of these attacks might actually be de dos related.

08:01

All right, so let's bring up our

08:03

red line tool.

08:09

So you're blowing.

08:11

This is freely installed.

08:13

I'm sorry. Freely downloaded from

08:16

fine, right,

08:18

and you'll find it underneath. The resource is free software

08:22

area that I showed earlier.

08:24

You want to run this as administrator

08:28

because it's going to give you a lot more detail of thinking and have full of mystery privileges when it's running on that system

08:35

so you can create what are known as collectors

08:39

Standard Collector,

08:39

a more detailed, comprehensive collector

08:43

search collector. These will go out to a target system

08:46

and,

08:48

ah, go look for information that's been generated

08:52

by running a scan

08:54

we can see here

08:56

got

08:58

the ability to edit the script that will run.

09:01

And this basically lets you define what kinds of information you're interested in. Collecting a lot of choices.

09:07

A lot of different information about processes,

09:11

drivers

09:13

hooks, which are one program hooking into another program. Thio. Use some function

09:18

like a DLL library recall, for instance,

09:22

and also acquire a memory image.

09:26

And we can see this is just the memory cap. We also have information related to disk.

09:31

So a new rating, different kinds of files, disk volumes themselves,

09:37

information about the system

09:39

that logs registry and so on

09:41

the network

09:46

and then some other areas. There's even advanced parameters, which will give a little bit more detail for these

09:50

very sections,

09:56

a little bit more granularity as far as what you're looking at hand,

10:01

what kind of data you can actually gather.

10:05

So it's

10:07

quite sophisticated,

10:07

and it's pretty amazing when you think about the fact that this is a free tool.

10:15

I gotta cancel this.

10:16

And what I really want to do

10:18

is if I wanted to, I could save the collector after I've configured it, and then send that to a

10:26

target system

10:26

once that's run, then you can analyze the results

10:31

so I can open the previous analysis I was working on or analyze the results from a recent stand

10:37

in this case. But I wanted to do was running on my local machine. So from this little menu appear

10:41

we get these other choices, which is the same thing we just saw from the main interface.

10:46

Except I get the chance to analyze this local computer

10:52

so I can add a script to make sure it's gonna have everything I want.

10:58

I'll get my memory image.

11:01

Uh, usually the defaults are pretty, uh, pretty good, but you may want to tweet thes

11:07

the more things that you select,

11:09

obviously, the longer

11:11

your scan will take to run.

11:15

So I'm gonna look at my digital signatures.

11:18

Look at deleted files, look for file anomalies.

11:24

Look at my discs and my volumes.

11:28

We'll analyze my sister and restore points. Look at my registry and event logs,

11:35

Port information was like most of these

11:37

browser history.

11:41

All this could be relevant for an investigation because

11:43

any one of these areas could contain artefacts or events

11:48

that indicates the compromise happen

11:50

and that there's something there that that needs to be investigated further.

11:56

And it goes without saying that if you do this kind of work on a system that that is

12:01

suspected,

12:03

that you want to do it all system is still up and running because obviously, you're gonna lose the memory image if you reboot

12:09

so I can verify signatures. And when I look at my

12:13

tasks,

12:20

OK, it's a lot to quite a few options here.

12:22

I'm more or less randomly selected these right now because I just want to get some information.

12:28

You need to look at the documentation for this tool and dig in deeper

12:31

to decide how much of this date is really useful,

12:35

the more options that you select, of course, the more time it will take to run the scan.

12:41

So I'm gonna go ahead and

12:41

look okay,

12:43

uh, this ready set to save to my desktop,

12:46

So I'm gonna go ahead and click okay again to get this to start running

12:50

and you see that it's it'll countdown the different sections

12:54

as needed. North Run the tool.

12:58

So I'm gonna go ahead and pause the video here because this will take some time to run.

13:01

It could take up maybe 15 20 minutes or more. So

13:03

come back in a little bit and have a look.

13:07

Thank you.

Tactical Threat Intelligence - Redline Tool

Tactical Threat Intelligence - FireEye Tool

Operational Threat Intelligence - Analysts and Communication

Operational Threat Intelligence - Diamond Model

Strategic Threat Intelligence - Threat Modeling

The CTI course consists of 12 information-packed modules. CTI is a critical function within any organization that involves roles like analysts, methodologies, tools, teams, and policies. From threat analysis to the Cyber Kill Chain, learn it here.

CEO of SteppingStone Solutions