CS0-003 Section 4: Classifying Threats
Studied by 0 people
Learn
Practice Test
Spaced Repetition
Match
Flashcards1/36
There's no tags or description
Looks like no tags are added yet.
Name | Mastery | Learn | Test | Matching | Spaced |
|---|
No study sessions yet.
37 Terms
[threat classification] (2)
known
any threat that can be identified using basic signature or pattern matching
i.e malware and documented exploits.
malware → any software that intentionally is designed to cause damage to a computer, a server, a client, or a computer network.
like viruses, and rootkits, trojans, botnets, etc
straightforward to identify and scan for because we have a matching signature in our database that can help us detect it.
documented → piece of software, data, or a sequence of commands that takes advantage of a vulnerability to cause unintended behavior, or to gain unauthorized access to sensitive data.
If we're using a vulnerability scanner, we can look for certain things in our environments that we know have documented exploits against them, and therefore we can detect those things, making them a known threat.
These are very static and we deal with known threats, these are things that are easily detected using signatures, hash values, or other things like that
unknown
a more dangerous area
any threat that cannot be identified using basic signature or pattern matching.
i.e have zero-day exploits, obfuscated malware code, behavior-based detection, recycled threats, known unknowns, and unknown unknowns
unknown threats
[threat classification] p1
zero-day exploit
any unknown exploit in the wild that exposes a vulnerability in the software or hardware, and it can create complicated problems for us well before anyone realizes that something is wrong.
we don't have a way to detect that or to stop it yet.
it is a zero-day because the attack happens on day zero, the first day it was discovered.
obfuscated malware code
malicious code whose execution the malware author has attempted to hide through various techniques such as compression, encryption, or encoding to severely limit our attempts to statically analyze that malware.
you're essentially scrambling the code or changing it slightly
if you keep doing this randomly at different intervals you're going to be able to take a known threat and essentially make it unknown, because you continually are scrambling that code making those signatures inaccurate and they won't detect it anymore.
behavior-based detection
important when we're trying to get unknown threats and discover them.
The reason is we can't use a signature because they're unknown
but using behavior-based detection this is a malware detection method that evaluates an object based on its intended actions before it can actually execute that behavior.
i.e. if you send me a piece of email with an attachment in it, that attachment may be opened in a sandbox first, evaluated based on its behavior, see if it's malicious or not,
if it isn't malicious then be sent into my inbox, and if it is malicious, it can be sent out and be destroyed.
we're going to be doing things heuristically.
We're looking at all the different things like what ports are being opened, what calls are being made in the software,
based on that, we can determine if it's good or if it's bad, and whether we should allow it or not.
unknown threats
[threat classification] p2
recycled threat
the process of combining and modifying parts of existing exploit code to create new threats that are not as easily identified by automated scanning.
if we take different pieces and parts of different malware code and we put them together, we can now bypass the signature-based detection of a known threat because it is now something new.
We've recycled it, we've changed it, and now we might be able to get it through that system and pass the anti-malware scans
known unknowns
malware that contains obfuscated techniques to circumvent signature matching and detection
generally where you're going to see a lot of your behavior-based analysis being done.
unknown unknowns
malware that contains completely new attack vectors and exploits
zero-days
All the things here on the bottom where they are something unknown means we don't have a signature
known knowns
things that we are certain of.
We have a piece of malware, we have a good signature for it, and therefore it is a known threat.
We know what it is, and when it comes into our system we immediately can stop it, we can block it, we can alert on it, whatever we need to do because we are certain, we are clear and transparent this is a bad thing
unknown known
something that is known to other people, but it may not be known to you.
i.e. there might be a signature out there inside the McAfee firewall, but there's not one inside your firewall.
so McAfee knows about it and they can stop it, it's a known thing, but to you it's unknown.
Johari Window
Known to Self & Known to other = Open, Known Known
Not known to self & Known to other = Blind, Known Unknown
Known to self & Not known to other = Hidden, Known Unknown
Not known to self & Not known to other = Unknown, Unknown Unknown
[threat actors]
the term we use to describe these bad folks, those who want to do harm to your networks or steal your secure data.
not all threat actors are created equal
so there are different categories or tiers of adversaries
there are many different things that actually motivates each type of threat actor
Originally though, a hacker was simply a computer enthusiast and not considered a criminal.
Crackers were hackers with malicious intent and those were the people who were criminals.
The reason we got cracker is because it's a criminal hacker
but due to the media coverage in the 1990s and early 2000s, the terms got blended together where hackers became known as these evil threat actors among us.
but in the information security world, people try to retain the term hacker
for computer enthusiasts and even for security professionals like cybersecurity analysts.
And this led to the categorization of hackers by the different hats they wear.
black hat → an unauthorized hacker, was developed to describe these criminal hackers or crackers
white hat → ethical hackers or authorized hackers
grey hat → some hackers who sometimes operate as good folks and sometimes as bad folks and these are actually called gray hat hackers or semi authorized hackers
[threat actors]
Social media profiling
Generally, the hacker is first going to start out by utilizing social media to profile a vulnerable employee within an organization.
Social Engineering
Then they'll conduct some kind of social engineering campaign against them using phishing or other mechanisms
Network scanning
and then the threat actors can also scan and enumerate the networks to find targets
Fingerprinting
and use fingerprinting to identify vulnerable services that they can exploit and attack.
Service discovery
and use service discovery to identify vulnerable services that they can exploit and attack.
Packet Capture
If they find one, they'll then be able to exploit it to gain access to the network and even set up things like packet captures from the victim machines, key loggers or other things to learn more about the network and the computer, and then conduct lateral movement throughout the domain.
[threat actors] (8)
script kiddie
insider threat
competitor
organized crime
hacktivist
natio-state
APT
supply chain threats
script kiddie
[threat actors] (8)
somebody who has the least amount of skill when it comes to being an attacker.
tend to use other people's tools to conduct their attacks and they don't have the skills necessary to develop their own tools like more advanced attackers might.
Instead, a script kiddie is going to use freely available tools found on the internet or an openly available security tool sets that pen testers might also use.
This includes things like Metasploit, Aircrack-ng, John the Ripper, and many others to conduct their attacks.
Using these freely available vulnerability assessment and hacking tools,
these script kiddies can conduct their attacks for profit to gain credibility or just for fun.
i.e. there's a tool out there called Low Orbit Ion Cannon.
This is a really simple program that's used by a lot of script kiddies to conduct denial of service attacks.
Essentially, the script kiddie simply needs to enter a URL or IP address in the input box and then click on a button labeled go.
Immediately, a barrage of traffic is going to begin to flood the victim's system to attempt a denial of service attack. It's really just that simple.
There's no skill or underlying knowledge required.
Instead, simply plug in a website address and hit go and now you're doing an attack.
often also don't understand what tools they're actually using or the damage they can cause or even what actions they're really performing
under the hood.
That said, even these simple tools can create some really undesirable effects to your organization's network.
insider threat
[threat actors] (8)
an employee or former employee who has knowledge of the organization's network, policies, procedures, and business practices.
one of the most dangerous categories for an organization
because these people actually have authorized access to the network if they're a current employee, and this makes them very dangerous and very difficult to find inside of your network.
could either be skilled or unskilled, depending on who they are.
i.e. an unskilled insider might try to copy the organization's files onto a thumb drive and walk out the front door with them.
Even though they were authorized to access those files, they were not authorized to remove them from the network or post them online and this results in some kind of a data breach.
Or you may have a very skilled insider threat who's able to elevate their own user account permissions so they can now access data from across the entire network as a system administrator and then try to grab all of that and sell it to a willing buyer.
To prevent an insider threat, organizations really need to have policies
and enforcement technologies in place,
including things like data loss prevention systems to detect these insiders who attempt to remove data from the network.
Also, all the organization's standard internal defenses need to be properly configured and cybersecurity analysts need to search through the security information and event management systems to identify any patterns of abuse in order to catch these malicious insiders.
intentional and unintentional insider threats.
Now, an intentional insider threat is when an individual within an organization is deliberately seeking to cause harm, and this includes things
like stealing sensitive information, disrupting operations, or even launching a cyber attack against the organization.
This can include malicious insiders who've been recruited or coerced by an outside party,
or those who have personal or financial motives to cause harm to the organization.
On the other hand, an unintentional insider threat is going to refer to an individual within the organization who causes harm unintentionally because they're careless, they have a lack of knowledge, or it's just a simple human error.
This can include actions such as falling for a phishing email,
using weak passwords, or accidentally sharing sensitive information with somebody outside of the organization
both intentional and unintentional insider threats can have serious consequences for an organization's security, and therefore, it's important to have measures in place to mitigate both of these types of insider threats.
A solid cybersecurity strategy should include things like
employee education and training,
access controls,
incident response planes,
and regular monitoring of user activity to detect any unusual behavior.
Additionally, having an incident response team and adequate incident response processes in place can help to quickly detect, contain and deal with any kind of insider threat you may encounter.
competitor
[threat actors] (8)
a rogue business that attempts to conduct cyber espionage against your organization.
focused on stealing your proprietary data, disrupting your business, or damaging your reputation.
often, they will seek to use an employee as an insider threat in your organization to steal the data from you or they may attempt to break into your network over the internet
organized crime
[threat actors] (8)
focused on hacking and computer fraud in order to receive financial gains.
Now, due to the Internet's wide reach, a criminal in one part of the world can hack the computer of somebody on the other side of the globe with relative ease
organized crime gangs often run different schemes or scams using social engineering or conducting more technical attacks using ransomware in order to steal money from their victims.
tend to be well-funded and they use sophisticated attacks and tools as well.
hacktivist
[threat actors] (8)
tends to be comprised of politically motivated hackers who target governments, corporations and individuals to advance their own political ideologies or agendas.
i.e. an environmentalist might be considered a hacktivist if they hack into a logging company because they want to see that company's stock prices fall in effort to drive them out of business and thereby, save the forest.
Here, it is an environmental hacktivist who is really focused on taking this company out so the environment can have a better chance of surviving.
Hacktivists can be individuals or they can be part of larger groups as well.
i.e. Anonymous is a really large and well-known hacktivist group.
Hacktivists tend to vary in levels of organization from loosely organized to highly structured and they can have a high level of sophistication in their attacks
but they tend not to be well funded because most of these folks are doing it based on their ideology and not because they're trying to seek out financial gain.
nation state and apt
[threat actors] (8)
one of the most skilled types of threat actors you're going to encounter
this group usually has people with exceptional capability, funding and organization and they have the intent to hack a particular network or system.
Nation-states don't simply pick a network at random to attack
but instead, they determine specific targets to achieve their political motives.
refers to a government or government affiliated groupthat conducts cyber attacks.
can be used for a variety of reasons such as espionage, sabotage, or intelligence gathering.
always going to be well-funded and well-equipped, and they have access to really sophisticated tools and techniques including zero day vulnerabilities.
They're also highly motivated
These incredibly organized teams of hackers conduct highly covert attacks over long periods in time, and so we often will refer to them as an APT or an advanced persistent threat.
Now, not all APTs are nation-states
but almost all nation-states are going to be considered APTs and we'll talk a little bit more about the differences between an APT and a nation-state in just a minute.
Nation-state actors are really, really good at what they do and they're very difficult to find once they're in your network.
Over the years, many nation-states have also tried to present themselves as a threat actor inside of one of the other groups
like hacktivists or organized crime.
This way, they can maintain a plausible deniability for the hacks they're conducting.
Oftentimes, a nation-state might use the TTPs of a different nation-state as well in order to implicate them inside of an attack.
And when this is done, it's known as a false flag attack.
i.e. back in 2015, there was a French TV network known as TV5 Monde that was taken off the air by a sophisticated cyber attack.
The network's website was also defaced by a group calling itself the Cyber Caliphate and they made the attack look like it was launched by the Islamic State which is a politically motivated hacktivist group.
Now, when security investigators looked into the attack though, they actually found the attack was conducted in Russian because the code used in the attack was typed with a Cyrillic keyboard during normal working hours in Moscow and St. Petersburg.
If this was accurate, then it means that a Russian nation-state actor was actually trying to appear as an Islamic State hacktivist and that way, they would get the blame for the attack instead of Russia getting the blame and this makes this a false flag attack.
now, when we're talking about a nation-state or an APT, in general, they're going to be inside of a victimized network for six to nine months
before the network defenders even discover there's an intrusion
and some have actually gone several years between their breach and the eventual discovery by a networks defenders.
where an attacker establishes a long-term presence on a network in order to gather sensitive information.
can be carried out by a variety of different actors, including nation-states, criminal organizations, and even individual hackers.
well-funded, well organized and have a high level of persistence and determination in achieving their goals.
APTs usually will infiltrate a network over a prolonged period from weeks to months or even years and they'll carefully hide their activity and blend in with normal network traffic and use a lot of tools that exist on the computer already which we refer to as living off the land.
The main goal is really to harvest sensitive data, intellectual property and other sensitive information from the compromised network
suppy chain
[threat actors] (8)
normally conducted by nation-state actors as well.
i.e. in 2020, there was an attack on the company SolarWinds
that was allegedly tied back to Russian nation-state actors.
The threat actors hacked into the SolarWinds corporate network in order to add a backdoor into the code for SolarWinds.
SolarWinds has numerous corporations and governments as their clients and users.
So this backdoor that was embedded into their next update went out to all of these companies and government networks and effectively compromised all of them.
Now, this meant that the nation-state actors now had control over all of those networks and be able to access them.
This attack was not really directed at SolarWinds but instead, it was directed at SolarWind's customers.
But to get to those customers, they had to get themselves into SolarWinds network and then put code into their distribution channels.
i.e. A similar supply chain access attack was also conducted against the retailer Target in 2015 by criminal attackers.
in this case, an HVAC company that services the store's equipment was hacked, and that connection between the HVAC company system and the Target systems allowed the attacker to steal data from the retailer's point of sale systems and credit card terminals.
i.e. Another attack credited to nation-states over the years that involves a supply chain was the embedding of root kits into Cisco routers and switches that were purchased from third party suppliers.
And this again, is another reason why supply chain management and using trusted suppliers is so important to the security of your organization and its networks.
[malware]
commondity
zero day
c2
commodity
[malware]
malicious software applications that are widely available for sale and are easily obtained and used.
can usually find these on the dark web/dark net, and there are online marketplaces where you can buy remote access Trojans things like Poison Ivy, Dark Comet, and Extreme Rat etc.
These things are all available online for a fee where you can download them and then start using them as part of your attacks if you're a bad guy.
generic, off the shelf pieces of malware, going against everybody
also targeted or custom malware
knowing this can help you identify that malware and if you determine it's commodity or targeted this can help you determine the severity of an incident
because if somebody is using targeted malware against your organization, there is a higher severity to that incident for you because you are being targeted.
you’re not just randomly hit by some drive-by piece of malware, and so this is something that's important for you to consider.
zero-day
[malware]
any vulnerability that is discovered or exploited before the vendor can issue a patch for it.
usually applied to the vulnerability itself,
but in recent years people talk about zero day malware as well as they start referring to the attack or the malware that is exploiting that zero day.
You may see either term being used on the exam when they talk about zero day they may be talking about the vulnerability or the malware
how serious is it?
Well, zero day exploits are big business. These things cost a lot of money and a lot of time to develop.
i.e. if you're a bug bounty person and you start finding zero day vulnerabilities you can actually get lots of money for turning those over to the company because they don't want those out on the open market.
But you can also sell those to different governments and law enforcement agencies, and even on the dark web and some of these zero day exploits have gone for millions of dollars.
There is one that sold for over $1 million that targeted Apple iPhones.
These things are big business now because they cost so much money most adversaries will only use a zero day vulnerability for a very high value attack.
They're not going to waste these and so generally what you're going to see is that people tend to try to attack something with a generic or off the shelf piece of malware first and get into the network.
And if that target is valuable enough and they can't get in through other means then they would go and use their zero day.
Often countries and nation states are stockpiling these zero days so that they can use them as they're doing their spying and their espionage and other things that are a very high value for them.
C2
[malware]
we need to talk once more about APTs.
APTs originally referred to the person but now it refers more to the ability.
an APT is an attacker's ability to obtain, maintain and diversify access to network systems using different exploits and malware.
this can be done through commodity malware or through targeted or custom malware.
either way, when that attacker gets into your system they don't want to get out and generally you're going to find nation states and organized crime actors have this APT capability.
APTs are considered known unknowns
meaning we know that they're out there we know they're trying to attack us but we don't know exactly how
because they're always modifying their techniques and they're always getting better all the time.
known unknown
a lot of times APTs will go out and use commodity malware or other off-the-shelf technologies to try to infect as many machines as possible.
Then they'll have those report back to what's called a C2 node or a command and control node.
C2 node → any infrastructure of hosts and services with which attackers direct distribute or control malware over botnets.
so often they will build up these large botnets especially if you're dealing with a crime organization.
as they do this you're going to have all these different machines all around the world that connect back to the bot master who is in charge of the C2 network and they can then issue a command to use those machines in any way they see fit.
They may use them as a pivot point into somebody else's network to attack the network from there.
So as law enforcement tries to track it back they find this innocent bot as opposed to the bot master.
Also, we can take all these machines and then use them to attack a single target if we're doing a distributed denial of service attack, for instance
and this is the whole idea of using a C2 node.
It's this single point of contact that we can then use to talk to everybody else across our networks to do the bidding that we want to do and APTs use this a lot.
target(s) of APTs
[malware]
generally they're going to target financial institutions healthcare companies, and even governments because they all have large PII data sets and that can be turned into money.
Additionally, they may go after governments to carry out political objectives like interfering in elections or spying in another country to figure out what they're going to do in the larger geopolitical spectrum.
APT groups
[malware]
generally an APT is not a single person but it is a group of people.
Generally, you're going to have a staff that has different realms of expertise.
i.e. i may have one person whose job it is to break down the front door and get into the system.
I may have another person whose job it is to make sure that when they're in that system they have persistence and they don't get kicked out.
I may have another person who's a linguist who can help me translate the information I'm getting.
i.e. we talked earlier about the fact that Russia and China and North Korea all have teams of APTs that go out and attack other companies and countries and things like that.
Well, if I'm in China and I break into an American company their information is probably written in English and if my hacker only speaks Chinese or Mandarin that would be an issue.
So we may have a linguist there to help translate that information for them.
This is all the types of thing we have to think about when we think about APTs because they are well funded.
They have a team of people and they are all working together against you.
persistence
[malware]
the ability of a threat actor to maintain covert access to a target host or network.
This means that once I break in I can stay in your network for long periods of time.
Studies have shown that the average APT is on your network for six to seven months before they are detected.
That is a long time, and they can do a lot of stuff on that network without you ever knowing they're there.
that is going to be one of the things we have to start figuring out is
how do we detect these APTs?
How can we find if they're in our network?
[threat research]
historically we use malware and threat signatures to detect malicious activity,
but this is becoming less and less effective with the rise of more sophisticated adversary tactics.
Because of this, cybersecurity analysts like you have to move away from the use of a single static signature and instead
start identifying and correlating multiple indicators of compromise to identify those attacks.
This becomes essential when conducting threat hunting as well
concepts used to identify threats in our research
reputational threat research
IoCs
behavioral threat research
reputational threat research
[threat reseach]
focus on the reputation of something or reputation data.
reputation data → things like blacklists of known threat sources such as malware signatures, IP address ranges, and DNS domains.
All of this data helps provide the basis for what we're going to use inside our research because they tell us known things that we know are bad,
i.e. this website gives malware, this IP address was seen in an attack, things like that.
Now, one of the ways that we can see these different things based on reputational data is by
looking at sites like Talos Intelligence.
homepage tracks all the activity and rates for each source address with a granular reputation score and a basic score of good, neutral or poor.
This basically tells us, do we have a good reputation or a bad reputation?
Just like in the real world when you meet somebody new, you have to know are they somebody you can trust or are they somebody you can't trust, and their reputation is what's going to tell you that.
Similarly, an email address, an IP address and other things do have reputations associated with them and these are going to be either good, poor, or neutral
IoC
[threat research]
residual sign that an asset or network has been successfully attacked or is continuing to be attacked right now.
can be all sorts of different things,
like a hash value, an IP address, a file being left on a system, or anything else like this,
anything that gives us a clue that something has happened on this system.
For example, here on the screen, you can see a list of IOCs
from a particular incident.
You'll notice the source, the summary, and the attribute.
the source could have been the file system or the registry or prefetch or something like that.
The summary is what we actually are looking for and the attribute was it created, modified, visited, or whatever the action was.
based on our analysis, we can piece together a preliminary narrative of what we think happened based on all these indicators of compromise.
i.e. the attacker may have sent a spearfishing email and this contained a malicious PDF attachment known as ultrawidget.pdf.
When this person saved it to the desktop at this particular time, we then saw five minutes later that windows/sys/WOW//acmCleanup.exe was created as well as a run key was used for persistence.
This again, is another indicator of compromise.
As we go down these events, we can see all the different things that happened from opening this file, to installing that software, to running that software and all the different things that happened on this system.
as we start looking at these indicator compromises and we put them together, we can start figuring out those patterns.
other things you can look at for indicators of compromise?
unauthorized software and files on the system,
suspicious emails,
suspicious registry and file system changes,
unknown important protocol usage,
excessive bandwidth usage,
rogue hardware that you find on your network.
a service disruption or defacement
suspicious or unauthorized account usage.
you need to not just know what these basic categories are, but you need to be able to identify them.
If I show you a snippet from a log, you need to be able to look at that and say, "Ah, based on this log, I see that this bad thing happened and this is an indicator of compromise,
and it indicates that we had unauthorized software and files on the network" or something of that nature.
you may hear the term IOA, which is an indicator of attack.
used for evidence of an intrusion attempt that is in progress right now.
so maybe on that long list of IOCs I showed you on the screen, we've only gotten through the first one or two of those.
That might be an IOA but the entire attack has not finished and has not been successful yet.
Most of the time in the industry though, we do talk about IOCs or indicators of compromise, and you'll hear me reference that a lot throughout this course.
behavioral threat research
[threat research]
a term that refers to the correlation of IOCs into different attack patterns.
we took all these different IOCs and if I see them in this particular order, that may indicate that adversary X has done this,
and if I see 'em in a different order, it might be that adversary Y has done this, and
that is based on their TTPs.
This is all their different strategies and the way they do business.
When you talk about a TTP
These are behavior patterns that were used in the historical cyber attacks previously and it tells you what the different adversary actions are.
By learning these, you're going to be able to start understanding the way your adversary thinks and how you could try to get one step ahead of them to prevent them from getting further into your networks.
TTPs
[threat research]
there are different TTPs that have different actions.
DDoSs,
viruses or worms,
network reconnaissance,
APTs,
data exfiltration.
DDoS or a DDoS,
this is where you might see a traffic surge coming to you from multiple different areas.
The idea here is that an attacker can leverage their botnet to try to take down your service, and if you could start seeing unusual activity all coming into your servers from various places around the world, that may be the indication that a DDoS is underway.
virus and worms
if I start looking at your system and I have high CPU or memory usage, this could be a sign that there's some kind of malware infecting your host,
or you might see a virus detect alert if there's a known signature,
but again, if this is a new piece of malware and a new virus or worm, you're going to have to look for secondary effects like high CPU, high memory, high network usage and things like that.
network reconnaissance
Somebody might be scanning your systems and you can detect that.
i.e. if I start scanning your system and I start at port one, then port two, then port three, then port four, you can see that as a port scan inside your logs.
This is a form of network reconnaissance and you can associate that action with my TTP of scanning you before I'm going to attack you
APTs
where the attacker needs to have some sort of c2 over your system to maintain persistence and be able to do things on your system.
one of the big things you're going to be looking for from an APT when you're trying to find their TTPs
is what is their C2 mechanism?
Because by seeing what that C2 mechanism is, that's usually going to be unique to each and every APT that's out there.
some of the C2 mechanisms in servers can use different things as a way to hide themselves,
and there's two really common ones, port hopping and fast flux DNS.
data exfiltration
you can see this either by looking at your database or your file shares and seeing a high volume of network transfer
and you see a big change in the amount of data that's being sent out
i.e. if I look at my servers, and I know that every week we normally have two gigabytes worth of data that's transferred to our students, but this week we have 60 gigabytes.
That could be a possible IOC and a possible behavior that I need to look into that might be data exfiltration.
Now notice I said might, it doesn't always mean that it is.
When I look into it, I might determine that I sold 30 times the amount of courses than I normally do, so with 30 times more students, I would have 30 times more data, and so that would be an explained anomaly and not a data exfiltration.
but if I look and say, well, I had a 100 students last week and a 100 students this week, and I went up by 30 times the amount of data, something there isn't right, and so we'd have to look into that further to see if this is a data exfiltration event.
another indication of data exfiltration might be if you see file types or compression or encryption that's being used on data and you normally don't have that.
This is especially true within your networks.
i.e. when you get data from my server, it is encrypted because we have an https connection between your computer and my web server.
but if you had two computers on your local area network and you're sending data back and forth between them, most of the time you're not encrypting that data.
if you start seeing a lot of encryption within your network, that is something that might be an indicator of data exfiltration.
port hopping and fast flux DNS
two ways C2 mechanisms in servers can use different things as a way to hide themselves
port hopping
when an APT's C2 application might use any port to communicate from,
it might use port 22 right now and if it thinks it's being detected, it'll jump to port 53 and it'll jump to port 1258, or whatever port it's going to use,
and by jumping between ports, it can try to evade detection as well.
fast flux DNS
rapidly changes the IP address associated with the domain, so
you have one domain name, but you have multiple IP addresses that are associated with it, and so even if you start blocking IP addresses, they can change the backend IP address and still route their communications to the C2 server.
this allows an adversary to defeat your IP based blacklisting and it allows them to maintain communication and remain as an advanced persistent threat by maintaining that C2 communication between them and your machine.
one of the ways you can detect this fast flux DNS is by
looking at the communication patterns that emerge as these changes keep happening, because we're going to see that your machine now went from this IP to that IP, to this third IP to the fourth IP, and that can be detected through your proxy logs.
[attack frameworks]
Lockheed Martin Kill Chain
Mitre ATT&CK Framework
Diamond Model of Intrusion Analysis
Lockheed Martin Kill Chain
[attack frameworks]
This kill chain model was first developed by Hutchins, Cloppert and Amin, under contract from Lockheed Martin's Corporation.
It was then released into the public domain for everyone to use.
Now, the kill chain has a seven-step method
starts with reconnaissance, moves into weaponization, delivery, exploitation, installation, commanding control, and action on objectives.
it is very linear
This is an older model and newer variations of frameworks are doing more of an iterative approach.
a kill chain analysis can be used to identify defensive courses of action, by being able to counter the progress of an attack at each stage.
so if I can start mapping out what are all the ways somebody can break into my system, run malicious code, gain persistence, do C2 on my servers, and do some kind of action,
i can then put in things to block that.
I can try to detect that.
I could try to deny that.
I could try to disrupt it or degrade it.
I might want to try to deceive them, or destroy their capabilities.
All of these things are the Six Ds that we're going to try to do to an attacker who's trying to break into our systems.
but there are newer methods out there that work in more of an iterative manner, or allow you to think holistically across multiple lines of attack.
i.e. Mitre ATT&CK
Lockheed Martin Kill Chain (2)
[attack frameworks]
reconnaissance
the attacker's going to determine what methods they need to use to complete the other phases of their attack.
one of the big issues here is that the attacker doesn't want to get caught while they're doing reconnaissance, so they try to be sneaky.
They try to use things like open source and passive information gathering, and things like that, so that they cannot be detected.
This phase, you can use both passive or active scanning techniques on the target network,
but generally, we're going to start out with passive information gathering, and then move into active scanning
By the time you're done with reconnaissance, you should have a good idea of what that network looks like, what type of software they're using, and what type of vulnerabilities may exist.
weaponization
here, the attacker is going to couple payload code that will enable access with exploit code, and this will allow them to go after a vulnerability to execute onto that target system.
by doing this, you basically are coding or creating the malware or the exploit you want to run, but you are not running it yet, you've only created inside your own lab, and haven't sent it to the victimized system.
delivery
where the attacker is going to identify a vector by which they can transmit the weaponized code to the target environment.
This may be by email, this may be by dropping a USB drive, loaded with that malware, in their parking lot.
Whatever the mechanism is, doesn't really matter right now.
We just have to think about the fact that we have to get it there, and that's what delivery is all about.
exploitation
This is where the weaponized code is actually executed on the target system, by whatever mechanism you've done.
i.e. if you sent them an email with a phishing link and they click that link, the sending of the email was delivery.
clicking the link is when exploitation happens, and they actually start running that code.
i.e. Or if you dropped it on a USB drive, and they plug that into their system, and the Autorun started up that code
At this point, the code has been run,
installation
we're going to have a mechanism that enables the weaponized code to run a remote access tool and achieve persistence on that target system.
So if we had a stage one dropper that was run as part of exploitation, we now have downloaded and installed our phase two.
This would be our installation and this gives us control of that system moving forward and that persistence that we're looking for.
C2
where the weaponized code establishes an outbound channel to remote server that can then be used to control that remote access tool and possibly download additional tools to help you progress in your attack.
At this point, you now pretty much own this system.
You have access to it, you can remote into that system, and you can now run commands on that system.
actions on objectives
where the attacker is typically going to use the access that they've achieved through steps one through six, to now start doing what they wanted to do.
that may be transferring data from a remote system such as data exfiltration or some other goal or motive.
whatever their goal was originally with reconnaissance,
they've now achieved that by being on the system;
they have two-way communication using command and control,
and now we can perform action on objectives.
Mitre ATT&CK
[attack frameworks]
Because the kill chain was criticized for focusing too much on perimeter security, with that linear method going from outside in, the MITRE ATT&CK framework was developed.
a knowledge base that's maintained by the Mitre Corporation
for listing and explaining specific adversary tactics, techniques and common knowledge, which is where the ATT&CK comes from.
And these are also known as procedures.
You can find all of these at attack.mitre.org and this is a free, open source website that you can go and look at all this information.
Now, where the kill chain was a very linear process, the MITRE ATT&CK framework is not.
It uses more of a matrices model, and you can see that here on the screen.
Notice there are different columns here, and each one is a certain type or category of attack that might occur.
i.e. there's defense evasion, there's credential access, there's discovery, and lateral movement and execution,
and underneath each of these is a tactic or technique that could be used by an attacker to be able to accomplish that particular goal.
Now again, this is a free resource,
and you can go play with it at attack.mitre.org
attack navigator.
From here, you can select different things and highlight them with different colors.
What you're seeing here on the screen is an example of one actor's TTPs that we've mapped out.
Based on that, we know that if we're talking about APT 28, for example, these are the things that they might be used to doing.
And if you click on each one of these you'll get more details about the particular TTP that they use.
a great model for being able to map out an overall adversary and all their different capabilities and capacities that they use in their different attacks.
we can compare one to another,
and then if we're on the incident response, we can start looking, okay, I have this and this and this that I've noticed, and they fall into these columns, and
when I compare that against the mitre matrix, I know that that is common against this particular adversary.
that might help me figure out what defenses I want to use.
As you look at this chart, you may notice that it is very focused on the exploitation phase, and it's not really focused on the reconnaissance phase.
And so if we go back and look at the reconnaissance phase,
there's actually another matrix called the pre-ATT&CK matrix.
aligns to the reconnaissance and weaponization phases of the cyber kill chain, and that way we can also see what those things look like and try to detect things before it becomes a real attack, and while it's still in the pre-acttack phase,
'cause if we can get it earlier, we're further left of boom, we can then prevent that from becoming a full-blown incident
diamond model of intrusion analysis
[attack frameworks]
used to represent an intrusion event.
Anytime you have an intrusion event, it has some relation to these four categories:
the victim, the capability, the adversary, and the infrastructure,
Now, you can also put some meta-features in there;
things like a timestamp, what phase you're in, the result, the direction, the methodology or the resources.
for each incident, we would want to map them out and look at this model.
this model is going to allow an analyst to exploit the fundamental relationship between the different features.
the victim starts this process,
they discover there's malware.
Now that points to capability,
because we have the ability to see that we've been had.
Then, if we see that capability, we can then see that the malware might contain a C2 domain as we go through our incident response.
If we do that, that now points to infrastructure because C2 is an infrastructure problem.
Once we look at that, we start seeing the C2 domain resolves to a C2 IP address.
that's infrastructure, so we're still in the same place.
As we start digging into that further, we might look at our firewall logs and that reveals that the victims have been contacting that C2 IP address, so that points down to our victim.
But also that IP address is owned and it provides details about the adversary,
so that now points to the adversary.
As you can see with these arrows, ow these different things tie together, and very quickly you can see where you should focus your efforts.
i.e. if I focus on infrastructure and C2, that is going to help me point towards the adversary and the victim in this case, and it really does help me point those things out much quicker, using this type of a model.
Now for each event, we're also going to define a tuple
in the format of e equals something.
And this is basically an array of information that contains information on the adversary, the capability,
the infrastructure, and the victim.
And we also have things like our timestamp and other metadata that we have.
By putting all this information into this format, we can then use it inside of some sort of automated system, for instance, our SIEM, that can then help correlate all this information together for us.
[indicator management]
STIX
TAXII
OpenIOC
MISP
notice where I spent most of my time in this lesson.
We talked a lot about STIX, and so, STIX is going to be much more important than the other three when it comes time for the exam.
The big takeaway for this is I want you to remember what that format looks like.
You don't have to memorize it, but you should know that when you see a JSON format like that, your mind should trigger that this is STIX and STIX is probably going to be the answer on the exam.
STIX
[indicator management]
the Structured Threat Information eXpression
standard terminology for IoCs and ways of indicating relationships between them That's included as part of the OASIS Cyber Threat Intelligence, or CTI, framework.
designed as a format for automated feeds so organizations can share this information on the fly.
STIX does a great job of sharing information between systems,
and it's expressed in JavaScript object notation, or JSON, format.
With JSON, you get an attribute and value paired together inside of the language,
we start with a curly bracket at the beginning and a curly bracket at the end.
And then, we have a lot of different pairs, such as type, observed-data, id, with some-unique-string, created, and some date, the number_observed, and a number.
you can see how these attributes and values are paired together inside this language.
If you see something that looks like this, this is JSON format, and on the exam, if you see something in JSON format it's most likely going to be referring to STIX.
built from higher-level STIX domain objects, or SDOs,
can contain multiple attributes and values.
We put all these things together to get the information we're looking for.
Now, what are some of these SDOs?
we have things like observed data → which is going to be a stateful property of your computer system and what you've actually seen the event occurring in.
This might be something like an IP address or an executable file or something like that.
We also have indicators → a pattern of observables that are of interest, something that you want to do some further analysis on.
anytime you have an indicator, this is something that's been observed and you may want to dig a little deeper on to figure out if it's an indicator of past compromise or a TTP.
And then, we have attack patterns → these are known adversary behaviors, starting with the overall goal of what they're trying to attack and then elaborating down to some kind of specific technique or procedure.
Then we have campaigns and threat actors → the people who are trying to attack you.
Who are these people? What are their goals? What is their campaign?
And finally, we have courses of action → the mitigating actions or security controls that you can use to reduce the risk from these different attacks and how to resolve these incidents.
By taking all these SDOs together, you start creating a connection of this relationship of objects.
And this can do a lot of different things for you as you start indicating what it was, what the targets were, and what things were attributed to it.
i.e. we have a vulnerability, we have a campaign, and we have a threat actor.
And you can see how STIX has all these relationships.
When we have a single indicator, this indicates a campaign. It indicates a threat actor.
The campaign is attributed to the threat actor and the campaign can be attributed over to the target, which was the vulnerability.
And the way STIX works is it creates this language for us to describe these things in a very easy way to share them automatically across our systems.
Now, one quick note for the exam. STIX version one is an XML-version-based format but the exam is only going to talk about STIX version two.
Everything I've talked about up to this point in this lesson was talking about STIX version two,
TAXII
[indicator management]
the Trusted Automated Exchange of Indicator Information,
or TAXII.
a protocol for supplying codified information to automate incident detection and analysis
What TAXII is used for is to
transmit this data back and forth between servers and clients over some kind of a secure connection, like a secure web connection, HTTPS, using something like a REST API.
i.e. if you have a cyber threat intelligence subscription with some service provider, they're going to maintain their data repository, but you as a subscriber need to get the information from them.
And so, the way you do this is you're going to obtain this update to all of your data for your analysis tools using TAXII.
TAXII is really the connection mechanism, and you can actually take STIX and provide it over TAXII as well
OpenIOC
[indicator management]
this is a framework that was developed by Mandiant that uses XML-formatted files for supplying codified information to automate incident detection and analysis.
When we talk about OpenIOC, this is an open source tool
and so, it has a lot of different information for each entry.
Each entry is going to have a lot of different metadata there,
such as the author, the category information, the confidence level, the usage license, plus a description and a definition.
All of these definitions that are built-in here are going to be built using logical statements such as DNS host names, or a string pattern for a file name, or something like that so we can build these indicators together.
by doing this, we all learn more and we can share these indicators amongst ourselves
MISP
[indicator management]
Malware Information Sharing Project.
MISP is going to provide a server platform for cyber threat intelligence sharing, a proprietary format, and supports OpenIOC definitions as well, and it can also import export STIX over TAXII.
So when you start dealing with MISP, you can start putting all of this information together.
We can get the definitions from OpenIOC,
we can get the indicators from STIX,
and we can transmit all that information back to us over TAXII.
And so, using all these together gives us a lot of benefits inside of MISP.
And again, MISP is an open source project that is free to use.
Note 
Flashcards (38)