Time: 4 hours 8 minutes
Difficulty: Intermediate
CEU/CPE: 4

Video Description

Module 11 consists of three videos dealing with open source intelligence gathering. The latter videos introduce OSINT tools that provide invaluable assistance in the intelligence gathering process. In this first video, Dean reviews data pivoting using the Diamond Model. This method of pivoting involves using previously collected information. Dean discusses the 24 permutations of traversing the model. Pivoting objectives can vary, such as pivoting for discovery or for inquiry. Dean concludes by discussing which indicators are best for pivoting based on vertices such as adversary, infrastructure, capability, or victim.

Video Transcription

00:04
Hello and welcome to the final module in our Introduction to Cyber Threat Intelligence course.
00:10
In this module, we're gonna have a look at some considerations for open source intelligence gathering.
00:16
There are really interesting tools out there that are available for free, mostly free.
00:21
Obviously, many of these tools
00:23
are happy to take your money if you want more advanced features
00:27
and more detailed
00:28
reports. But there are quite a few resources that are available for absolutely no cost whatsoever. So first, we're gonna start off
00:36
discussing a little bit about pivoting,
00:39
and
00:40
pivoting from the
00:42
point of view of IOCs,
00:45
As far as which kinds of
00:47
information are useful
00:49
to look in other directions for additional information.
00:54
And we'll put this as an overlay on top of the diamond model that we described and discussed earlier,
01:02
you'll see that there's a really easy way
01:06
to utilize the diamond model
01:07
for pivoting purposes.
01:10
Then we'll look at the
01:11
Maltego tool.
01:14
I will
01:15
give a little tour of the interface and
01:19
show an example
01:19
that comes with the tool to get you started in your own
01:23
OSINT
01:26
investigations.
01:27
And then, lastly, we'll take a look at a great resource
01:32
that's available online for free.
01:34
And this provides quite a few
01:38
tools that you can use
01:41
in your investigations, in your job.
01:44
All right. Starting off with pivoting using the diamond model,
01:48
we saw the diamond model earlier,
01:49
and,
01:51
as you can see, as this reminder
01:53
diagram shows, there are
01:56
connected
01:57
vertices on the diamond
02:00
as well as a connection between two of the vertices,
02:04
infrastructure and capability in particular.
02:06
So what you can do with this model
02:08
is you can start with any corner,
02:10
depending on which kind of information you begin your investigation with.
02:17
You can start at the adversary corner, the capability, the victim or the infrastructure corners.
02:22
And from there you can visit the other corners
02:27
in a certain sequence,
02:30
and
02:30
Basically, there are only 24 variations of this,
02:35
but I'll show you those in an upcoming slide.
02:39
But these permutations are important because if I'm starting,
02:43
if the only information I know is capability,
02:46
then from there I could only go to the other three
02:50
corners in some sequence
02:52
and depending on what data you have available, what information is available,
02:57
the order of visiting the other corners will start to make sense.
03:00
Now, if you don't have all the information available for all four
03:05
corners of the diamond model,
03:07
then you can go as far as you can go, and you have to
03:12
use the pivoting concept
03:15
to discover more information.
03:17
Or maybe just ask some questions.
03:20
Like, if I know who the victim is and I know who the adversary is,
03:24
what questions do I need to ask in order to figure out what infrastructure details are available
03:30
or which capability details might be available?
03:34
This is a great way
03:37
to leverage the diamond model for advanced
03:42
threat intelligence gathering.
03:45
So now if you look at the
03:46
the different pivoting examples, you'll notice in
03:51
the beginning column, the first column,
03:53
we start off with six different
03:58
permutations that begin with an adversary.
04:00
So maybe all you know at this point is who is attacking you, who is probing, who is scanning and so on.
04:09
So from
04:10
the adversary, we can then go to the capability
04:14
or the infrastructure or the victim.
04:15
Those are the only three choices
04:17
and from capability we can then go to
04:20
infrastructure or victim,
04:23
the only two remaining choices.
04:25
From infrastructure, we could go to capability or victim, and from victim, we could go to capability or infrastructure.
04:30
You see the way that this plays out,
04:32
it's actually very systematic.
04:35
So I could just look at this chart and I can see, okay, all I know is some infrastructure details,
04:41
and I think I might know who the victim is. So either I go to adversary next,
04:46
or I try to figure out what their capabilities are.
04:48
From the adversary I either go to capability, or from capability I go to adversary.
04:54
It makes a lot of sense when you plan everything out in this manner.
04:58
This particular arrangement of a diamond model analysis is not
05:03
very hard to find; there are lots of sources.
05:06
If you do some research, you can find this diagram elsewhere.
05:10
But it's the usefulness of it that's most important for us.
05:14
You can think about
05:15
What is it that I know now? What is it I'd like to know next?
05:18
Maybe you have two pieces of the puzzle, then you have three pieces of the puzzle.
05:24
You might even have all four.
05:26
In any case, it's going to
05:28
be represented by one of these
05:30
different permutations of
05:32
this model.
05:34
So I think you'll really enjoy using this technique once you
05:40
adapt to
05:41
its rule set, if you will.
05:43
Now you might be thinking, well,
05:45
if I've got some IOCs
05:46
and I want to pivot from one to the other, let's say I know some capability and I want to figure out who the adversary is,
05:54
or I know the adversary and want to figure out what the capabilities are
05:57
of that adversary.
05:58
You might
05:59
have to try to categorize these bits of information into some typical examples.
06:04
So for adversaries, we typically think about
06:08
different hacking groups, activists like Anonymous, for instance,
06:13
nation states, privileged insiders, the most
06:16
difficult to defend against
06:19
and even script kiddies.
06:21
Script kiddies are not usually too dangerous.
06:25
They're generally using very basic tools to do things like denial of service,
06:30
But they can still cause damage,
06:33
and they need to be considered.
06:35
If you knew that you were dealing with
06:40
an amateur hacker, someone that's not very sophisticated,
06:43
you might put them in this category and then make other assumptions about what their capabilities are
06:48
and what they're targeting, and so,
06:51
moving on to infrastructure, we have typical pieces of the infrastructure here, like
06:58
an IP address,
06:59
a domain name, an email address,
07:01
maybe even a hash.
07:03
The hash could be representative of a
03:06
file that's been changed.
07:09
Or maybe the
07:11
hash is also something that
07:13
was captured
07:15
as it passed over the wire
07:17
because it's being used as some kind of an authentication token or security token.
07:23
Even malware could sit in this category,
07:27
finding out where it exists and how it was developed and what its behavior actually is.
07:32
Now, if you consider capabilities, we have malware yet again
07:36
because an adversary can really
07:40
custom-design malware to
07:44
to perpetrate an attack
07:46
or to establish a persistent
07:48
presence on
07:50
some system.
07:54
There's also spyware,
07:55
kind of a broad category, but looking at a victim's web usage,
08:00
their emails, instant messaging,
08:03
the video and their microphone
08:07
file system details, all these things
08:09
could be considered as useful under this category.
08:13
We can't forget social engineering,
08:16
because a skilled attacker is going to have quite a few tools in their toolbox.
08:22
And social engineering is one of the most elusive tools
08:26
to defend against,
08:28
because the security controls for social engineering are basically between your ears right there inside your head.
08:35
If you don't realize that a social engineering attack is underway, then you may not be able to defend against it.
08:41
And then when you look at the most gutsy
08:46
possibility, which is infiltration,
08:48
where a hacker or
08:50
a member of a hacking group,
08:52
or a member of a foreign government,
08:56
or even a hacktivist group might try to physically infiltrate
09:00
the target organization in various ways in order to gain information,
09:05
This could be literally the cliche example of breaking in in the middle of the night
09:11
and stealing information.
09:15
But it could be something much more subtle as well, where the
09:18
the intruder tries to get hired as an employee of the organization,
09:24
and they may be given access
09:26
to
09:28
restricted resources very quickly after being hired.
09:31
I've certainly seen this myself in some jobs that I've held
09:35
where I was on the job for,
09:37
a
09:37
couple of days, three days maybe, and I was already being given root access or administrator access
09:45
to critical assets.
09:46
I didn't think that was a good idea
09:48
at the time, and on at least one occasion I spoke up about it, but
09:54
most people that I raised my concerns to were like, well, you know,
09:56
you seem like a nice guy, you seem trustworthy,
10:00
Your initial background check didn't turn up any problems,
10:05
but you can see the danger here.
10:07
If a new hire is given
10:09
access too quickly to critical resources,
10:13
then that could certainly open up the door for a massive attack. Or,
10:18
as I mentioned earlier, the privileged insider, the most difficult thing to defend against.
10:24
So maybe in those cases, rather,
10:28
it's better to keep people
10:31
on some sort of a probation for a period of time.
10:35
But, of course, your leadership will decide what's best.
10:39
Let me get to the victim,
10:41
the fourth corner of the diamond model.
10:43
Everyone from an individual up to an entire government could be along the spectrum of who the victims are.
10:50
Even non-government organizations
10:54
or pseudo-government organizations; there are several of those in the U.S. and other countries,
10:58
and because they are closely
11:00
aligned with the governments of their countries as far as how they do business and what kind of information they share, they're frequently the targets of various types of hacking activity.

Intro to Cyber Threat Intelligence

The CTI course consists of 12 information-packed modules. CTI is a critical function within any organization that involves roles like analysts, methodologies, tools, teams, and policies. From threat analysis to the Cyber Kill Chain, learn it here.

Instructed By

Dean Pompilio
CEO of SteppingStone Solutions
Instructor