Hello and welcome to the final module in our Introduction to Cyber Threat Intelligence course. In this module, we're going to have a look at some considerations for open source intelligence gathering. There are really interesting tools out there that are available for free, mostly free. Obviously, many of these tools are happy to take your money if you want more advanced features or reports, but there are quite a few resources available for absolutely no cost whatsoever.

So first, we're going to start off discussing a little bit about pivoting, pivoting from the point of view of IOCs, as far as which kinds of information are useful to look in other directions for additional information. And we'll put this as an overlay on top of the diamond model that we described and discussed earlier; you'll see that there's a really easy way to utilize the diamond model for pivoting purposes. Then we'll give a little tour of the interface that comes with the tool, to get you started on your own. And then, lastly, we'll take a look at a great resource that's available online for free, and this provides quite a few tools that you can use in your investigations, in your job.
All right. Starting off with the pivot and using the diamond model: we saw the diamond model earlier. As you can see in this reminder, the diagram shows that there are vertices on the diamond as well as a connection between two of the vertices, infrastructure and capability in particular. So what you can do with this model is you can start with any corner, depending on which kind of information you begin your investigation with. You can start at the adversary corner, the capability, the victim or the infrastructure corner. And from there you can visit the other corners in a certain sequence. Basically, there are only 24 variations of this, but I'll show you those in an upcoming slide.

These permutations are important because if I'm starting, if the only information I know is capability, then from there I could only go to the other three corners in some sequence, and depending on what data you have available, what monitoring information is available, the order of visiting the other corners will start to make sense. Now, if you don't have all the information available for all four corners of the diamond model, then you go as far as you can go, and you have to use the pivoting concept to discover more information. Or maybe just ask some questions. Like, if I know who the victim is and I know who the adversary is, what questions do I need to ask in order to figure out what infrastructure details are available, or which capability details might be available? This is a great way to leverage the diamond model for advanced threat intelligence gathering.
So now, if you look at the different pivoting examples, you'll notice in the first column we start off with six different permutations that begin with an adversary. So maybe all you know at this point is who is attacking you, who is probing, who is scanning and so on. From the adversary, we can then go to the capability or the infrastructure or the victim. Those are the only three choices. And from capability we can then go to infrastructure or victim, the only two remaining choices. From infrastructure, we could go to capability or victim, and from victim, we could go to capability or infrastructure.

You see the way that this plays out? It's actually systematic. So I could just look at this chart and I can see: okay, all I know is some infrastructure details, and I think I might know who the victim is. So either I go to adversary next, or I try to figure out what their capabilities are. From the adversary, I either go to capability, or from capability, I go to adversary. It makes a lot of sense when you plan everything out in this manner. This particular arrangement of a diamond model analysis is not very hard to find; there are lots of sources. If you do some research, you can find this diagram elsewhere. But it's the usefulness of it that's most important for us. What is it that I know now? What is it I'd like to know next? Maybe you have two pieces of the puzzle, then you have three pieces of the puzzle. You might even have all four. In any case, it's going to be represented by one of these different permutations. So I think you'll really enjoy using this technique once you get used to it. It's a rule set, if you will.
Now you might be thinking, well, if I want to pivot from one to the other, let's see: I know some capability and I want to figure out who the adversary is, or I know the adversary and want to figure out what the capabilities are. We have to try to categorize these bits of information into some typical examples.

So for adversaries, we typically think about different hacking groups, activists like Anonymous, for instance, nation states, privileged insiders (the most difficult to defend against), and even script kiddies. Script kiddies are not usually too dangerous. They're generally using very basic tools to do things like denial of service, but they can still cause damage, and they need to be considered. If you knew that you were dealing with an amateur hacker, someone that's not very sophisticated, you might put them in this category and then make other assumptions about what their capabilities are, what they're targeting and so on.
Moving on to infrastructure, we have typical pieces of the infrastructure here, like domain name and email address. The hash could be representative of a file that's been changed. Maybe the hash is also something that was seen as it passed over the wire because it's being used as some kind of an authentication token or security token. Even malware could sit in this category, determining where it exists and how it was developed and what its behavior actually is.
Now, if you consider capabilities, we have malware yet again, because an adversary can certainly custom-design malware to perpetrate an attack or to establish persistence. There's also spyware, kind of a broad category, but looking at a victim's web usage, their emails, instant messaging, their video and their microphone, file system details, all these things could be considered as useful under this category. We can't forget social engineering, because a skilled attacker is going to have quite a few tools in their toolbox, and social engineering is one of the most elusive tools, too, because the security controls for social engineering are basically between your ears, right there inside your head. If you don't realize that a social engineering attack is underway, then you may not be able to defend against it.

And then, when you look at the most gutsy possibility, which is infiltration: a member of a hacking group, or a member of a foreign government, or even a hacktivist group might try to physically infiltrate the target organization in various ways in order to gain information. This could literally be the cliché example of breaking in in the middle of the night and stealing information. But it could be something much more subtle as well, where the intruder tries to get hired as an employee of the organization, and they may be given access to restricted resources very quickly after being hired.

I've certainly seen this myself in some jobs that I've held, where I was on the job for a couple of days, three days maybe, and I was already being given root access or administrator access to critical assets. I didn't think that was a good idea at the time, and on at least one occasion I spoke up about it, but most people that I raised my concerns to were like, "Well, you know, you seem like a nice guy, you seem trustworthy, your initial background check didn't turn up any problems." But you can see the danger here. If a new hire is given access too quickly to critical resources, then that could certainly open up the door for a massive attack. Or, as I mentioned earlier, there are the privileged insiders, the most difficult thing to defend against. So maybe in those cases it's better to keep people on some sort of probation for a period of time. But, of course, your leadership will decide what's best.
Let me get to the victim, the fourth corner of the diamond model. Everyone from an individual up to an entire government could be along the spectrum of who the victims are. Even non-government organizations or pseudo-government organizations (there are several of those in the U.S. and other countries), and because they are closely aligned with the governments of their countries as far as how they do business and what kind of information they share, they're frequently the targets of various types of hacking activity.
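As an added example (not part of the lecture or its slides), here is a small Python planner that ties the two ideas above together: it sorts indicators into the four diamond corners using the categories the lecture lists (hacking groups, nation states and insiders as adversary; domain, email and hash as infrastructure; malware, spyware, social engineering and infiltration as capability; individuals, organizations and governments as victim), then enumerates the orders in which the still-unknown corners can be visited and the question to ask for each. The indicator kinds, the sample indicators and the question wording are my own assumptions; the placeholder hash is constructed, not a real IoC. With nothing known the planner yields the 24 orderings the lecture mentions, with one corner known it yields the six starting from that corner, and with infrastructure and victim known it reduces to the two choices the lecture walks through.

```python
from itertools import permutations

VERTICES = ("adversary", "capability", "infrastructure", "victim")

# Assumed mapping of indicator kinds to diamond corners, following the lecture's examples.
INDICATOR_VERTEX = {
    "hacking_group": "adversary", "hacktivist": "adversary", "nation_state": "adversary",
    "privileged_insider": "adversary", "script_kiddie": "adversary",
    "domain": "infrastructure", "email": "infrastructure", "hash": "infrastructure",
    "malware_sample": "capability", "spyware": "capability",
    "social_engineering": "capability", "infiltration": "capability",
    "individual": "victim", "organization": "victim", "government": "victim",
}

# Assumed wording of the pivot question for each corner still to be filled in.
QUESTIONS = {
    "adversary": "Who is probing, scanning or attacking, and what group are they part of?",
    "capability": "Which malware, spyware, social engineering or infiltration is in play?",
    "infrastructure": "Which domains, email addresses, hashes or hosts are involved?",
    "victim": "Which individual, organization or government is being targeted?",
}


def classify(indicators):
    """Group (kind, value) indicators by diamond corner; unknown kinds are an error."""
    known = {}
    for kind, value in indicators:
        vertex = INDICATOR_VERTEX.get(kind)
        if vertex is None:
            raise ValueError(f"unknown indicator kind: {kind}")
        known.setdefault(vertex, []).append(value)
    return known


def all_pivot_orders():
    """Every full visiting order of the four corners: 4! = 24 permutations."""
    return [tuple(p) for p in permutations(VERTICES)]


def pivot_orders(start):
    """The 3! = 6 orders that begin at one known corner, as on the lecture's chart."""
    if start not in VERTICES:
        raise ValueError(f"not a diamond corner: {start}")
    rest = [v for v in VERTICES if v != start]
    return [(start,) + tuple(p) for p in permutations(rest)]


def plan_pivot(indicators):
    """Classify what is known, then list the orders and questions for what is not."""
    known = classify(indicators)
    unknown = [v for v in VERTICES if v not in known]
    return {
        "known": sorted(known),
        "unknown": unknown,
        "orders": [tuple(p) for p in permutations(unknown)],
        "questions": [QUESTIONS[v] for v in unknown],
    }


# Constructed sample: some infrastructure plus a guess at the victim, nothing else.
SAMPLE_INDICATORS = [
    ("domain", "lookalike-login.example"),      # constructed, not a real domain
    ("hash", "<sha256-placeholder>"),           # placeholder, not a real IoC
    ("organization", "Example Credit Union"),   # constructed victim
]

if __name__ == "__main__":
    result = plan_pivot(SAMPLE_INDICATORS)
    print("known corners:", result["known"])
    for order in result["orders"]:
        print("possible pivot order:", " -> ".join(order))
    for question in result["questions"]:
        print("ask:", question)
```

Running the block prints the two remaining pivot orders (adversary then capability, or capability then adversary) together with the question to ask at each step; swapping in your own classified indicators changes which corners are known and therefore which orders remain.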