Threat Management


Time
8 hours 20 minutes
Difficulty
Advanced
CEU/CPE
9
Video Transcription
>> Threat management. The learning objectives for this lesson are to define threat intelligence, to differentiate the different types of threat actors, and to describe supply chain attacks.

Let's get started. Threat intelligence. This is the continual process that is designed to help organizations understand the threats that they may face. Because the threats are always evolving, we need to make sure that our processes for identifying those threats are also evolving. CISA has designated 16 critical sectors to help identify the different types of issues that they may face. These sectors would include energy, health care, financial, etc. You can find out more information at the URL on the screen. Keep in mind the purpose of threat intelligence is to help us stay ahead, as much as we can, of the new threats that are emerging and what we need to be able to do to defend against those threats for our own organization.
Let's talk about the different types of threat intelligence. First, we have tactical. This is focused on the tactics, techniques, and procedures, or TTPs. This is data that can be used by an organization to perform vulnerability remediation, infrastructure hardening, etc. For this, we have the different tactics that a threat actor might use, their techniques, and their procedures. But these are more about how every group or every specific threat actor has their own way of doing things. We want to make sure that, for those that we've identified as being the likely threats for us, we are hardening our systems to be able to defend against those known TTPs. If your risk assessment has identified that you are a likely target for a specific type of threat attacker, such as, say, just a hacktivist, then you want to make sure that your websites are hardened and that your web servers are protected. You don't really need to worry about nation-state-level attackers if you haven't identified that as a threat. The tactical intelligence will help you to make sure that you are using the correct TTPs to harden your organization.

Then strategic intelligence is focused on the bigger picture. This is used to identify the motivations, capabilities, and intentions of the threat actors so that we can develop midterm plans. This is a step above tactical, where we want to make sure that we understand why the threat actors we've identified are doing what they're doing and just how good their capabilities are, and we want to make sure that we factor that into our planning for the future.

Then also we have operational intelligence, and this is collected from the organization's own infrastructure, such as our SIEM devices or logs. This will identify the current attacks and the indicators of compromise. This is real-time information. This is what's going on in your organization right now, so you can read your firewall logs, your SIEM logs, your event logs on your servers. All of that information is letting you know the things that are going on now. You can use that to craft your own response and, in turn, harden your system against those types of attacks.
Threat and adversary emulation. Threat emulation is when we use the known TTPs to emulate how an attacker may operate in a realistic way. We do this so that we can test our current defenses. If we go and use the TTPs and use the actual tools of an attacker that we think is going to be a likely attacker against us, we can simulate those attacks against ourselves to make sure that we are already hardened against those. Now adversary emulation is a little different because it uses the TTPs of a specific threat actor in a realistic way. We're not using all the tools that are available to us or all the TTPs. We're using those that we think are specific to one specific adversary. We're going to get into the different types of adversaries in just a little bit.

Threat hunting. Threat hunting is using threat intelligence to help us develop hypotheses and analytics that are based on what threat actors are known to do, so that the threats can be proactively found rather than passively detected. If we already know what tools they are using or what their procedures are and all of their tactics, we can turn around and use that information to help us harden our own defenses before something happens. We don't have to wait around for it and detect the attack. We can actively harden our systems and our defenses against them because we already know what's happening outside in the real world.
We can get this information from advisories and bulletins. This is information that's been released by vendors and researchers about new TTPs and vulnerabilities that have been detected in the wild. These are usually the ones that are zero-day or really freshly found live on the web. We really want to pay attention to these because, while our organization might not be a target for zero-days and that type of thing, we want to make sure that we go ahead and harden against those, because when they eventually filter down to other threat actors who might use them against us, we're already protected.

We can also make use of intelligence fusion and threat data. This is SIEM and threat analytics platforms that can apply intelligence fusion techniques to the collected information to locate threats. This is gathering all the information on our network and then using that intelligence fusion system to help look at that collected information and try to find the needle in the haystack, maybe things that we didn't notice; but by taking all this information together and making a new big picture out of it, we can see things in a different way and find new threats.
Let's discuss intelligence collection methods. First, we have our intelligence feeds. These provide data such as known phishing IPs and URLs, malware, ransomware, or that type of thing. These are really good for firewalls because you can put these in and they will block outgoing connections to these IP addresses or these URLs, for example, for phishing, so that if your users receive an email that has one of these known links in it, it's going to get blocked. When they go to click on it, it's not going to be allowed to go out of the firewall. That's a very helpful feature.

Then we also can find information from the deep web. The deep web is the parts of the web that are not indexed and are generally hidden. But this also includes the so-called dark web. The dark web is a component of the deep web. A lot of times what will happen is a company will be breached and their data will be stolen, and then information will be put up for sale on the dark web. Once that is done, they'll usually provide samples so that people can prove that this is real information from the company they're claiming it to be from. If you see that information through your own dark web monitoring or a third-party service that you found that locates that information, that's a way for you to know that you've been breached and you need to look into starting to find the cause of that.

We can also use open-source intelligence, or OSINT. This is publicly available information such as social media, DNS records, websites, that type of thing. A lot of times attackers will post their information on social media. If we're monitoring for those, then we can get signs of different attacks.

>> A lot of times they'll post how they went about doing their attacks with the tools and things that they've used, and we can use that information to craft our own response. Finally, we have human intelligence, or HUMINT. This is collecting intelligence by actually interacting with people. This might be interacting with the hacker himself or herself; it might be going through other different types of groups that are posting information online. Regardless, as long as you're interacting with people to collect information, this is considered human intelligence.
Let's move on to the actual threat actor groups. The first level is the script kiddie. This is a person who will be using a hacker tool and will have no knowledge of how that tool works; they just click and run. Their goals are usually doing this for the fun of it, either gaining attention or proving their skills. These are the lowest-level attackers. Now, that doesn't mean that they're not dangerous, because a lot of times they can cause a massive amount of damage to an organization because they don't understand these tools and what they're doing. This is especially true when someone's using denial-of-service attacks on an organization; it doesn't take a lot to be able to do that.

Insider threat is the next level. This is an employee or a contractor; that's the key thing to keep in mind. They're already on the inside, so they're inside the castle, and they might be a threat, whether it's intentional or unintentional. This could be where an individual accidentally does something and causes a lot of problems or damage to your company because they are on the inside. This is also a reason we want to make sure we're looking at permission creep, where a user doesn't have more access rights than they need, because if they have those rights and then they make a mistake, then the damage can even spread a lot further on the inside.

The next level are competitors. You may be a victim of cyber espionage to steal your information. This is far more common than most people realize, and we want to make sure that we are protecting ourselves from this.

Next up is organized crime. If there's money to be made, you're going to find organized crime there. Now organized crime has shifted to using cyber to help them facilitate their crimes. Ransomware gangs are a good example of this, but they're also getting into cyber espionage. There's a lot of money to be made in cyber, and again, anytime there's money to be made, you're going to find organized crime. These groups can be from all over the world; they can be small groups all the way up to the groups that everyone typically associates with organized crime, like the Russian mafia or organized crime from South or Central America, or even inside the United States. Again, if there's money to be made, they're going to be there.

Next up are hacktivists. These will use a cyber attack for a specific political agenda. They often target corporations because of the actions of the corporation or maybe their social stance. Anonymous is a good example of this.

Then finally we have nation-states. These are the truly skilled attackers that come from government organizations. These are also known as advanced persistent threats, or APTs. Good examples of these are whenever you hear about the attacks from China or from Russia; they always have an APT number with them, and they have really funny names that go along with it. These are the groups that are really good at getting into things because they've got the resources, they've got the financial backing, they've got the knowledge, and you put all those things together and you develop a truly skilled attacker. Again, most companies or most organizations are not going to be targeted by this level of threat actor, but if you are, then you really need to make sure you're doing everything possible to lock everything down.
Then let's go over supply chain access. This is a form of attack that is becoming far more common and goes after third-party contractors to gain access to a target. For example, again, we've talked about this in the lesson before, but Target had this happen to them, where their third-party HVAC vendor was connected directly into Target's network. The HVAC vendor was breached, and the attacker pivoted over inside to the Target network and was able to compromise their payment system and then steal credit card information. Target itself did not actually get hacked; their third-party vendor did, and then they pivoted over. Now, yes, Target should have done a better job of making sure that that third-party access was limited, but this is something that often goes overlooked: we put something in and we make sure that that third-party vendor is able to do their work, and we don't really give any thought to anything else.

I'll give you an example of this that happened with us. One of the sites that we took over had a Raspberry Pi there for HVAC control, and no one in the business knew what it was for; they had just always seen this little device there. When we finally got into the device, we found out that it hadn't been updated in years and it was on a very old version of the Raspberry Pi software. We contacted the HVAC vendor and helped them to get it updated, because this is not their specialty; they're not an IT company, they're just trying to make sure they're able to monitor the HVAC controls for this particular customer of theirs. But by doing that, they had pretty much introduced a huge vulnerability to the network that had been there for years.

You want to make sure that your third-party vendors are properly segregated from your network, that you don't give them access to anything more than what they actually need, and to make sure that you give due consideration to what it is that they actually need on your network so that it doesn't become a privilege creep where they just keep getting more and more information, or, heaven forbid, that once they're connected, that's as far as it goes and you don't give it any other thought. This is a huge problem, and oftentimes these guys are easier targets because an HVAC vendor maybe doesn't have an IT department, or if they do, they may not have a security department. It's not on their radar because it's not the primary focus of their business.

Let's summarize.
We went over the different types of threat actors, and then we also discussed the types of threat intelligence and threat hunting, we went over the different types of intelligence collection methods, and we discussed supply chain attacks.

Let's do some example questions. Question 1: this tactic allows organizations to simulate a specific threat actor to the organization and how they may attack. Adversary emulation. Question 2: this type of intelligence is focused on the big picture and is used to make mid-range plans. Strategic intelligence. Question 3: this threat actor type is focused on a political agenda. Activist. Finally, Question 4: this threat actor type is deeply funded and uses sophisticated techniques. Nation-state or advanced persistent threat, APT.

I hope this lesson was helpful for you, and I'll see you in the next one.