CySA
Reputational Research (Reputation Data)
Blacklists of known threat sources, such as malware signatures, IP address ranges and DNS domains
Closed-Source
Data derived from the provider's own research and analysis efforts, such as data from honeynets that they operate, plus information mined from its customers' systems, suitably anonymized.
Data Feeds
Data feeds can be a list of known bad indicators, things like indicators of compromises, domain names, Ip addresses, it might be something like hashes of exploit malware code. All of these types of things are tactical level information. This gives us something that is very operational. It's something we can do something with. If you tell me that this IP address is a known bad IP, I can block it in my firewall so no connections can go to it, right? That's the idea with a data feed.
Open Source
Data that's available without subscription, which may include threat feeds, reputation lists, and malware signature databases
Insider Threat
Employee or person who has authorized access to an organization's network, policies, procedures, and business practices
Installation
Enables the weaponized code to run a remotes access tool and achieve persistence on the target system
organized crime
Focuses on hacking and computer fraud to achieve financial gains
Risk Management
Identifies, evaluates, and prioritize threats and vulnerabilities to reduce their negative impact
Command & Control (C2)
Method used by attackers to maintain communication with compromised systems or devices. Its a critical component of many cyber attacks allowing hackers to remotely manage and control their malicious activities on infected computers or networks.
Security Controls
Mitigates vulnerabilities and risk to ensure the confidentiality, integrity, availability, non repudiation, and authentication of data
Narrative Reports
Now when we're dealing with narrative reports, this is going to give us the analysis of a certain adversary group or certain type of malware, and we're going to get a written report based on that. There are a lot of places you can buy these from, and these come in a format that is really manually created by some threat analyst. And so if you get a job as an intelligence analyst or a threat analyst, you may spend all day going through different packet captures, and going through honeypots, and learning about some kind of adversary or malware, and then write a report on it. And these reports are then sold to all the different SOCs around the world who use them in their defense of their networks. Now, this is very useful at a strategic level. This gives you intelligence about what bad guys are doing, and that can help us decide where we want to put money and which security controls we want to have to be able to defend ourselves from these bad guys and their types of attacks.
AND/OR
Requires both search terms if you use (AND) or requires either search terms if you use (OR)
Threat Intelligence sharing Frame works
STIX, TAXI , OpenIOC, MISP
Technical Controls
Security controls (i.e., safeguards or countermeasures) for an information system that are primarily implemented and executed by the information system through mechanisms contained in the hardware, software, or firmware components of the system. - Examples: firewall, IDS, encryption
Responsive Control
System that actively monitors for potential vulnerabilities or attacks, and then takes action to mitigate them before they can cause damage.
Actions on Objectives
The attacker typically uses the access he has achieved to covertly collect information from target systems and transfer it to a remote system (data exfiltration) or achieve other goals and motives
Vulnerability Management
The practice of identifying, classifying, prioritizing, remediating, and mitigating software vulnerabilities.
Detection and Monitoring
The practice of observing activity to identify anomalous patterns for further analysis
propriety
Threat intelligence is very widely provided as a commercial service offering, where access to updates and research is subject to a subscription fee
What the difference between commodity malware and target or custom malware?
When you're dealing with commodity malware, it's generic, it's going against everybody. But when you're dealing with targeted or custom malware, there's a specific target in mind.
Physical Controls
controls that restrict unauthorized individuals from gaining access to a company's computer facilities
white hat hackers
ethical hackers that break into the systems for non malicious reasons such as to test the system security vulnerabilities or to expose undisclosed weaknesses
Corrective
implemented to mitigate or limit the damage after a security incident has occurred.
black hat hackers
is an unauthorized hacker
Malware
software designed to infiltrate or damage a computer system without the user's informed consent
gray hat hackers
- A cross between black and white—they will often illegally -break into systems merely to flaunt their expertise to the administrator of the system they penetrated or to attempt to sell their services in repairing security breaches. - is a semi-authorized hacker where it sometimes acts as a good or bad folk
Adversary Capability
- A formal classification of the resources and expertise available to a particular threat actor - Assessing the attacker's intent, ability, capability, skills, tenacity, and available resources. - For example, do they use acquired and augmented tools? Which means they're basically using commodity malware and open source tools and techniques. Or do they have a developed capability? If they have a developed capability, this means they can identify and exploit zero-day vulnerabilities and deploy significant human and financial resources to attack planning and execution. Maybe they're advanced. This means they can explore things like supply chains and introduce vulnerabilities way back early in the cycle where you won't even know they're there inside your systems. This is especially true when you're dealing with a nation state, because they use an integrated approach. Where they're using cyber in non-cyber methods to achieve their goals.
OpenIOC
- A framework by Mandiant that uses XML-formatted files for supplying codified information to automate incident detection and analysis - OpenIOC provides a structured way to define and share IoCs, making it easier for organizations to communicate about potential threats and improve their threat detection and incident response capabilities. - When we talk about OpenIOC, this is an open source tool, and so it has a lot of different information for each entry. Each entry is going to have a lot of different metadata there, such as the author, the category information, the confidence level, the usage license, plus a description and a definition. All of these definitions that are built in here are going to be built using logical statements, such as DNS host names, or a string pattern for a file name, or something like that so we can build these indicators together. By doing this, we all learn more, and we can share these indicators amongst ourselves.
Hactivists
- A group of threat actors that is strongly motivated by ideology. - are motivated by political and religious ideologies
Establishing a hypothesis
- A hypothesis is derived from the threat modeling and is based on potential events with higher likelihood and higher impact. - So, essentially we're going to sit around and we're going to think, who might want to harm us, who might want to break into our networks, and how might they be able to do that? And by going through our threat intelligence, we can create a good hypothesis about what type of campaign or what type of adversary group might want to do us harm. Then, we're going to move into profiling threat actors and activities.
DNS Zone Transfer
- A method of replicating DNS databases across a set of DNS serves that is often used during the reconnaissance phase of an attack - DNS Zone transfer is a process that allows one DNS server to share its DNS database (zone) with another DNS server. It's typically used to synchronize and replicate DNS records between authoritative DNS servers. THis is important for maintaining consistency and redundancy in the DNS system. - a zone transfer can be used to collect DNS information about your servers and give it to an attacker so they can plan further attacks
Threat Modeling
- A process by which developers can understand security threats to a system, determine risks from those threats, and establish appropriate mitigations. - Identifies and assess the possible threat actors and attack vectors that pose a risk to the security of an app, network, or other systems - When conducting threat modeling, there is 3 main areas you need to consider * Adversary Capability * Attack Surface * Attack Vector
Trusted Automated eXchange of Indicator Information (TAXII)
- A protocol for supplying codified information to automated incident detection and analysis - What TAXII is used for is to transmit this data back and forth between servers and clients over some kind of a secure connection, like a secure web connection, https, using something like a REST API. - While STIX defines the format and structure of the information, TAXII defines the method and protocol for transporting that information securely and efficiently. - TAXII is really the connection mechanism, and you can actually take STIX and provide it over TAXII as well.
Structured Threat Information eXpression (STIX)
- A standardized and structured language that represents threat information in a flexible, automatable, and easy-to-use manner. - STIX is a standardized language and format used for describing and sharing information about cyber threats, incidents, and vulnerabilities. It was developed by the Cyber Threat Intelligence (CTI) community to facilitate the exchange of threat intelligence data in a consistent and machine readable manner. - STIX does a great job of sharing information between systems, and it's expressed in JavaScript Object Notation, or JSON format - STIX is built from high-level STIX domain objects (SDO) that contain multiple attributes and values. We put all these things together to get the information we're looking for. - what are some of these SDOs? Observed Data, indicators, attack patterns, Campaign and threat actors, course of action
Known Threats
- A threat that can be identified using basic signature or pattern matching. - when we deal with known threats, these are things that are easily detected using signatures, hash values, or other things like that.
Email Harvesting
- An Open Source Intelligence (OSINT) technique used to gather email addresses for a domain -
nation-state
- An individual or group of hackers sponsored or affiliated with a specific country's government. These hackers engage in cyber espionage, cyber warfare, and other malicious activities to further their nation's interest. They often possess advanced skills and resources, allowing them to carry out sophisticated attacks targeting critical infrastructures, sensitive information, or other country's systems. - tried to present themselves as a threat actor inside of the other groups, so they can maintain plausible deniability.
Tactics, Techniques, and Procedures (TTP)
- Behavior patterns used in cyberattacks and adversary actions - Tactics: high level goals that attackers aim to achieve, such as gaining unauthorized access or exfiltration - Techniques: Specific methods and approaches attackers use to accomplish their tactics, like exploiting vulnerabilities or using social engineering - Procedures: Detailed step-by-step instructions on how attackers execute their techniques. - By learning these you're going to be able to start understanding the way your adversary thinks and how you could try to get one step ahead of them to prevent them from getting further into your networks
Threat Hunting
- Cybersecurity technique designed to detect presence of threats that have not been discovered by normal security monitoring. - Threat hunting is the utilization of insights gained from threat research and threat modeling to proactively discover evidence of adversarial TTPs within a network or system. - Essentially, threat hunting is proactive as opposed to being reactive, like you are with an incident response. The idea here is we are going out and hunting or looking for those threats within our network, instead of waiting for them to attack. Now, when you're doing a penetration test, often you're trying to break into your system to demonstrate a weakness. But with threat hunting, we're not doing that. Instead, we're trying to analyze data within the systems we already have. So, because of this, threat hunting is potentially less disruptive than a penetration test. - Threat hunting relies on the use of the tools developed for regular security monitoring and incident response - We're going to be analyzing logs, process information and file system and registry changes from all the different hosts. Generally, all that information is going to be consolidated for us inside of a SIEM. By being inside of a security information and event management system, we're going to be able to correlate that data quicker and do better threat hunting, instead of having to go to each of those systems individually - To do threat hunting, we start out by establishing a hypothesis.
Kill Chain
- Describes the stage by which a threat actor progresses a network intrusion - Has a 7 step method 1. Reconnaissance 2. Weaponization 3. Delivery 4. Exploitation 5. Installation 6. Command & Control (C2) 7.Actions on Objectives - And as you can see, it is very linear, going from the top, all the way down to the bottom. This is an older model and newer variations of frameworks are doing more of an iterative approach.
Scope
- Different keywords that can be used to select the scope of the search, such as site, filetype, related allintitle, allinurl, or allinanchor. - Based on these, you'll put in the word, like filetype, a colon, and then the file type you want. - For example, if I wanted to search for just PDF files, I could type Filetype:pdf and then whatever my search term was, and I would get only results that had PDFs containing that search term
What is usually the target of an APT ?
- Financial Institutions - Healthcare Companies - Governments (interfering in elections) - All of these have large PII data sets that can be turned into money
Advance Persistent Threat (APT)
- Highly trained and funded groups of hackers (often by nation states) with covert and open-source intelligence at their disposal - Has the ability to obtain, maintain, and diversify access to network using exploits and malware. - Considered a known unknown threat - establishes a long-term presence on a network in order to gather sensitive information -
Now, one of the big things you have to remember with threat hunting is it does consume a lot of resources and a lot of time for you to conduct it. But it can give you a lot of great benefits. For instance:
- Improved detection capabilities because when a threat hunter finds the way that these bad guys have gotten in, and bypassed your detection, you can then feed that back into the detection plan so you can rewrite the rule sets, you can rewrite the detection algorithms, and you can make sure that you use additional scripting and customizations to detect things more accurately. This way, your results from threat hunting can be used to improve your signature-based detection, and prevent future infections. - Integrate intelligence Another thing you can do is it can be integrated with your intelligence. Threat hunting is a great use case for correlating that external threat intelligence you've been getting with what you're seeing in your internal logs and other sources. By putting those two things together, you now have actionable intelligence. - Reduce attack surface The third benefit you can get is to reduce your attack surface area. The benefit here is, as you're doing your threat hunting, you're able to identify the entire attack surface, and where a bad guy may have gotten into your network. Based on that, you can go back and reduce that attack surface. - Block attack vectors This also can help you block attack vectors, because you're now understanding the different attack vectors that are being used and the different TTPs by that bad guy, and you can then add additional security controls to try to block those different ports or interfaces, and prevent them from getting into your network. - Identify critical assets And finally, it's going to help you to identify critical assets. This is really important, because as you're doing your threat hunting, you're going to start seeing what things people tend to go after. And you're going to end up figuring out what are the best defensive options for those critical systems and data assets. One of the things we tend to do is we will bundle those assets together with a certain layer of security controls around those important assets to improve the monitoring and prevention capabilities around them even further, because we see that adversaries are continually going after those targets. And we want to make them an even harder target for the adversary to get into.
reconnaissance
- In this stage, the attacker is going to determine what methods they need to use to complete the other phases of their attack. -Now, one of the big issues here is that the attacker doesn't want to get caught while they're doing reconnaissance, so they try to be sneaky. They try to use things like open source and passive information gathering and things like that so that they cannot be detected. This phase, you can use both passive or active scanning techniques on the target network, but generally, we're going to start out with passive information gathering and then move into active scanning. - By the time you're done with reconnaissance, you should have a good idea of what that network looks like, what type of software they're using, and what type of vulnerabilities may exist. At that point, we can start figuring out how we want to move into phase two, which is weaponization.
Incident Response
- Incident response is an organized approach to addressing and managing the aftermath of a cybersecurity breach or attack
Profiling Threat Actors and Activities
- Involves the creation of scenario that show how a prospective attacker might attempt an intrusion and what their objectives might be - Again, we're going to sit back and think to ourselves, What TTPs might they use? Who wants to harm us? Are they an insider, a hacktivist, a nation state, or an APT? And based on that, we're going to start determining what their objectives might be and what systems they might be going after. At that point, we're going to start our threat hunting, and we're going to use different tactics to do this.
AbuseIPDB
- It is a community-driven database that keeps track of IP addresses reported for abusive behavior - This database is built and maintained by the global community of users who actively report IP addresses that they suspect to be involved in cyber attacks such as hacking, phishing and spamming. This information is then made available to the public, allowing others to check if an IP address has been reported and take the appropriate actions. - This enables organizations to take a proactive approach to its cyber security by monitoring for IP addresses that have been flagged as malicious, organizations can block traffic from those IP addresses, preventing cyber attacks before they can even cause any damage. - The organization can also use the AbuseIPDB to monitor their logs for any suspicious activity, such as a large number of failed login attempts or unusual traffic from specific IP addresses which could be indications that the organization is currently under attack. By using the Abuse IP database to check the IP addresses associated with that activity, the organization can quickly determine if that traffic was malicious and then take appropriate actions to block it. - This is why it's important that you use the Abuse IP Database as one of the security measures and then you can combine it with other security measures as you're making decisions on your cybersecurity posture. -The abuse IP database is not limited to just organizational use, though, because individuals can also benefit by using this database. For example, if you receive an email from an unknown sender, you can check the IP address that it came from against the Abuse IP Database. This can then help you determine if the email is legitimate or if it's likely to be a phishing attempt. By doing this you can protect yourself from falling victim to a phishing attack, which is a really common method used by cyber criminals to gain access to sensitive information. - AbuseIPDB is an essential tool for organizations to look at when trying to protect their networks from cyber attacks by monitoring for IP addresses that have been reported for abusive behavior. And this way organizations can be more proactive in their approach to cybersecurity and reduce their
3 different attack frameworks
- Lockheed Martin Killchain - MITRE ATT&CK Framework - Diamond Model of intrusion analysis
Commodity Malware
- Malicious software applications that are widely available for sale or easily obtainable and usable. - Can find them in the dark web or dark net - its generic, its going against everybody
Obfuscated Malware Code
- Malware code refers to a technique used by cyber attackers to deliberately make the code of their malicious software (malware) more difficult to understand or analyze. The goal of obfuscation is to hide the true internet and functionality of the malware from security researchers, antivirus programs, and other security tools. - By obfuscating the code, cyber criminals can make it challenging for cybersecurity experts to quickly identify and analyze the malware, making it more difficult to develop effective countermeasures and defenses. Obfuscation techniques may include various transformations like code encryption, code rearrangement, using irrelevant code snippets and employing anti-analysis tricks to confuse or hinder the analysis process
Targeted or custom malware
- Malware that can be developed and deployed with a target in mind.
Attack Vector
- Method used by an attacker to gain access to a victim's machine in order to infect it with malware - A specific path by which a threat actor gains unauthorized access to a system - Now an attack vector can be one of three things. It can be cyber which means you're using hardware or software against an IT system. It could be human, which means you're using social engineering to conduct your attack through coercion, impersonation, or even force. Or it can be physical, which means you're trying to take over local access by being on premise and touching the thing to do your attack. These are the three ways that you can think about attack vectors, either cyber, human, or physical.
Open-Source Intelligence (OSINT)
- Methods of obtaining information about a person or organization through public records, websites, and social media
URL Modifier
- Modifiers that can be added to the results page to affect the results, such as &pws=0, &filter=0, and &tbs=li:1 - Now, these modifiers can be added to the results page to affect your results. These are things like &pws=0, which means, "Don't give me personalized results," or &filter=0, which says, "Don't filter the results," or &tbs=li:1, which says, "Do not autocorrect my search terms. Search for it exactly as I typed it." All of these are different ways to modify your URL.
Information Sharing and Analysis Centers (ISACs)
- Not-for-profit group set up to share sector-specific threat intelligence and security best practices amongst its members. - a collaborative organization that facilitates the sharing of cyber threat information among its members - There is an ISAC for many industries including : Critical infrastructure Government Healthcare Financial Aviation
Collection (& Processing)
- Now that we know what we want to collect, we have to go about actually collecting it. - The collection process is implemented by software tools such as SIEMS and then it's process for later analysis - Now when we collect things, this is where we're gathering all the data. So if I put a network sensor out there, that's collecting PCAP data, packet capture data, it can collect all that information and send it back to a centralized server. I may collect logs from a router, from an intrusion detection system, from a firewall, from servers, from end points, all that data has to be collected and then sent someplace. Generally, we'll put this into a SIEM, which is a security information and event management system. And then we can use that as our center point of all the collection. Now the one challenge we have though is that all this data is coming from different systems, right? Well when all this stuff is coming from different systems, it might come in different formats. So we need to normalize that data and that is the processing part. -The processing part is where we will convert all the data into standard format. This is where we'll convert all the data into a standard format that a single solution, like a single SIEM can actually use. This means all the source IP addresses will be in a certain column. All the destinations will be in another column. All the timestamps will be in a third column and this way we can search and index all this information and use it as we search for those things later on in our analysis cycle. - Now another consideration you have to think about is how are you going to keep all this data secure? So we just took all this data from across our network and all of our sensors and put it in the SIEM. Well we need to make sure we protect that SIEM too. And so we might be using things like encryption on the SIEM, We might be using things like access control in the SIEM. We might be using things for integrity like hashing on the SIEM. All that data needs to be protected as well, because if it's useful to us, it could also be useful to an attacker'
Google Hacking
- Open-source intelligence technique that uses Google search operators to locate vulnerable web servers and applications - Basically, we can do advanced searches using Google to find all sorts of information because Google is one of the best search engines out there. - There are a lot of different things we can do when we're doing these advance operations: we can do things like: * Quotes * NOT * AND/OR * Scope * URL modifiers
Operational Controls
- Operational controls are security controls that are primarily implemented and executed by people (as opposed to systems) - So, in this case, we might be looking to add security guards to make sure people don't break into our building. We also might train all of our employees on how not to fall for a phishing scam when they get an email in their inbox. Both of these would be considered operational controls and not technical controls because we're trying to solve it using people.
Managerial Controls
- Provides oversight of the information system - So, when we have things like risk identification or using different tools to be able to evaluate and select different controls by using things like vulnerability scans and remediations, all of this would be considered oversight or an assessment, and therefore, they are considered managerial controls.
Recycled Threats
- Refers to the process of combining and modifying parts of existing exploit code to create new threats that are not as easily identified by automated scanning - Again, if we take different pieces and parts of different malware code, and we put them together, we can now bypass the signature-based detection of a known threat because it is now something new. We've recycled it. We've changed it. And now we might be able to get it through that system and pass the anti-malware scans.
Shodan (shodan.io)
- Search engine optimized for identifying vulnerable Internet-attached devices. - Basically, Shodan is a website that allows you to do a search for all sorts of different devices out there. They can search for things like thermostats and webcams and ICS and SCADA devices and any other kind of device that's out there. And the way they do this is they go out routinely and they start scanning the entire internet. And they conduct banner grabbing to identify the types of devices and the firmware and the OS and the applications that are in use. And if those are vulnerable, that now gives us a place to look at and start attacking people from. Now again, we're not pen testers and we're not hackers. So we're not going to be using it in that manner. But as a cyber security analyst, you could go on Shodan and start searching across your devices and see if any of yours have been found to be vulnerable, such as your IP addresses, your hostnames, your geographic location, or any of your different devices that are connected through the internet. Again, when you have Internet of Things, these are vulnerable. And Shodan is one of the ways to find those vulnerabilities.
Compensating Controls
- Security controls that are alternative controls used when a primary security control is not feasible. - A type of security control that acts as a substitute for a principal control.
Quates " "
- Specifies an exact phrase and makes a search more precise - For example, if I wanted to have the word Jason Dion, if I just type them into the Google search with Jason space Dion, you're going to end up finding everything that relates to Jason, or Dion, or both. But if you put " Jason Dion ", you're only going to find words that have Jason Dion together like that. Now, that's kind of a silly example but you could see how this could be very useful as you're trying to narrow down the results for a specific phrase or term that you're looking for.
Weaponization
- The attacker couples payload code to enable access with exploit code, which will then use a vulnerability to execute on the target system - Now, by doing this, you basically are coding or creating the malware or the exploit you want to run. but you are not running it yet. You've only created it inside your own lab and haven't sent it to the victimized system. This brings us to step three, delivery
Likelihood
- The chance of a threat being realized, which is usually expressed as a percentage. - For instance, if I have a nation state trying to go after my company, the chances are that they have a high likelihood of being able to break in. They probably have an 80 or 90% chance because they have such sophistication. And they have access to zero-day exploits and other things like that.
impact
- The costs of a security incident or disaster scenario which is usually expressed in cost - So let's say I had some sort of an event that happened and it was something like it was going to take my server down for five minutes. What is the impact of that? Well it probably has a very small cost for me because if my server's down for five minutes, you as a student will probably just try to come back in five minutes and then make your purchase. So we have very little or no impact financially. Now on the other hand, if I was a credit card processing agency, processing all of the world's credit card transactions like Visa or Mastercard and you took me down for five minutes, that's going to cost me thousands or hundreds of thousands of dollars in processing fees that were not able to take because the cards aren't going to be working. And so there'll be a much higher impact if they were down for five minutes, than if I was down for five minutes.
attack surface
- The point at which a network or application receives external connections or inputs/outputs that are potential vectors to be exploited by a threat actor - The attack surface refers to the sum total of all points in a system, application, or network that can be targeted by an attacker. It includes all the entry points, interactions, and functionalities that could be exploited to compromise the security of the system. Reducing the attack surface involves minimizing the number of ways that an attacker can potentially gain unauthorized access or cause harm. This can be achieved by eliminating unnecessary features, services,or components, and implementing robust security controls to protect the remaining attack vectors.
Cyber Threat Intelligence
- The process of Investigating, collecting, analyzing, and disseminating information about emerging threats - Threat intelligence in cybersecurity refers to the information and insights gathered from various sources about potential or existing cyber threats. This intelligence helps organizations understand the tactics, techniques, and procedures (TTPs) used by malicious actors to launch cyber attacks. - By collecting and analyzing threat intelligence, organizations can proactively identify potential risks and vulnerabilities, enhance their cybersecurity defenses, and respond more effectively to ongoing or imminent cyber threats. This knowledge allows them to stay one step ahead of cybercriminals and protect their system, networks, and sensitive data from being compromised. - So, when we're talking about security intelligence, we're thinking inward, how are our systems looking? But when we think about cyber threat intelligence, we're looking outward. We're thinking about the attacker groups, we're thinking about malware outbreaks. We'r thinking about zero-day exploits and things like that. All those bad things that are out there that can attack us and hurt us, that is what we're focused on when we're doing cyber threat intelligence. - 2 forms of Cyber Threat Intelligence: Narrative Report Data feeds
Security Intelligence
- The process through which data generated in the ongoing use of information systems is collected, processed, analyzed, and disseminated to provide insights into the security status of those systems - So if you think of a standard system administrator, they log things on their system and review those logs. That is a form of security intelligence. It's for them to be able to understand what their system is doing. As they go through their firewall logs, their intrusion detection alerts and other things like that, you're understanding what your posture is internally inside of your network and what your organization's security posture is now set at. Now, on the other hand, we have to consider our cyber threat intelligence as well.
Data Exfiltration
- The unauthorized transfer of data from a computer or other device - You can see this either by looking at your database or your file shares and seeing a high volume of network transfer that's happening. If you look at your logs and you see a big change in the amount of data that's being sent out, that could indicate that you have a data exfiltration in progress
Open-Source Intelligence (OSINT)
- The use of publicly available information, plus the tools used to aggregate and search for it. - What are some sources of OSINT ? * Publicly available information * Social media * Dating sites * HTML code * Metadata - OSINT can allow an attacker to develop any number of strategies for compromising a target - For instance, if you were an attacker you might find an employee that works for a company on a dating website and strike up a conversation with them, get them interested in you and then start asking them for details about their company's security procedures, maybe. This is a great way to start getting information out of them using social engineering. Or, you might put them in a compromising situation and then you use that for blackmail or entrapment. There's lots of different ways that OSINT can be used in the real world as an attacker going after people in your company. So, it's something to keep in mind.
Command & Control (C2) (kill chain Step)
- The weaponized code establishes an outbound channel to a remote server that can then be used to control the remote access tool and possibly download additional tools to progress the attack. - At this point, you now pretty much own the system. You have access to it, you can remote into that system, and you can now run commands on that system. That's what C2 is all about. Now, the final step is actions on objectives
Exploitation
- The weaponized code is executed on the target system by whatever mechanism you've done. - The Exploitation phase is where the attacker leverages a vulnerability to execute the main part of the attack. - If you sent them an email with a phishing link and they clicked that link, the sending of the email was delivery. Clicking the link is when exploitation happens and they actually start running that code. Or, if you dropped it on a USB drive and they plugged that into their system and the autorun started up that code, that would be exploitation. At this point, the code has been run. And this brings us to step five, which is installation.
Dissemination
- This is how we take that information that we've analyzed and present it to other people. - Publishes information produced by analyst to consumers who need to act on the insights developed - Now this can take a lot of different forms and it depends on your organization and what the intended audience is. You may have oral reports, you may have written reports, you may have a PowerPoint presentation, you may have an email. It really does depend on your organization.
Delivery
- This is where the attacker is going to identify a vector by which they can transmit the weaponized code to the target environment. - This may be by email. This may be by dropping the USB drive loaded with that malware in their parking lot. Whatever the mechanism is doesn't really matter right now. We just have to think about the fact that we have to get it there, and that's what delivery is all about. Step four takes us to exploitation.
Feedback
- This is where we look back through the cycle, see what went right, what went wrong and what we can do better and then we start all over again. - Aims to clarify requirements and improve the collection, analysis, and dissemination of information by reviewing current inputs and outputs - Basically how can we do things better? That's our goal. We always want to improve the implementation of our requirements, our collection, our analysis, and dissemination. And how we can improve over time and get better at what we do
Requirements (planning & Direction)
- This is where we're going to be focused on what we want to collect and figure out how we can best do that. - Sets out the goals for the intelligence gathering effort - At this point, we need to figure out what it is that we want to collect. That way we can figure out what are the things we care about? What do we want to spend the time, money and resources to gather? This is really important to have your goals set because if you don't understand what your goals are and you don't understand what your use case is for this data, you're going to be spending a lot of time and a lot of money collecting a lot of data for no reason at all.
NOT
- Uses the minus sign in font of a word or quotes phrase to exclude results that contain that string - For example, if I wanted to find all of the examples of CYSA but I didn't want anything from Dion Training, I could type in CYSA - Dion Training. And that will give me all the CYSA results without any of the Dion Training results.
DNS Harvesting
- Using Open Source Intelligence (OSINT) to gather information about a domain (subdomains, hosting provider, administrative contacts, and so on). - Uses Open-Source Intelligence (OSINT) to gather information about a domain, such as any subdomains, the hosting provider, the administrative contacts, and so on
Analysis
- We start taking the data we got and we start looking through it to try to make some decisions based on it. - Analysis phase is performed against the given use cases from the planning phase and may utilize automated analysis, AI, and machine learning - Now this is really important because there is so much data that we are collecting at this point that a single person can not read it and analyze it fast enough. So we have to use some sort of way to automate this. So these days one of the most common ways of attacking this problem is by separating our data first into three buckets. First, what do we know is good? Second, what do we know is bad? And third, what we're really concerned with is what we're not sure of, because again, if it's known good, we're going to allow it. If it's known bad, we're going to block it. If we're not sure, that's where further analysis needs to be done. Now because there's so much data at this point, we have to use things like machine learning and artificial intelligence to help our humans go through this data, because there is just so much stuff going over our networks. This allows us again because of our processing, we've normalized it and now in our analysis, we can filter it, we can organize it into a useful form and we can start doing our analysis on it. Now all of the analysis we do should be done in the context of a use case. And these use cases are something that we developed all the way back in our planning phase. This says I'm interested in this type of information for this reason. Because there might be some interesting information, but if it doesn't impact business decisions for you and your organization, why do you even care? And that's the idea here. Our job here is to go through these large data sets and we want to start figuring out, what doesn't look right, what looks funky, what is not going to be good for our organization. And we want to start building our models against that.
Whois
- a public Internet database that contains information about Internet domain names and the people or organizations that registered the domains. It is a source of information that can be used to exploit system vulnerabilities. - A public listing of all registered domains and their registered administrator - This is a place we can go look up Diondre dot com and find out who owns that domain, what's their address, what's their phone number and what's their email. We also can get other information about them from this public database.
Malware Information Sharing Project (MISP)
- provides a server platform for cyber threat intelligence sharing, a proprietary format, supports OpenIOC definitions, and can import and export STIX over TAXII - So when we start dealing with MISP, you can start putting all of this information together. We can get the definitions from OpenIOC, we can get the indicators from STIX, and we can transmit all that information back to us over TAXII. And so using all of these together gives us a lot of benefits inside of MISP, and again, MISP is an open source project that is free to use.
Behavior-based Detection
- used to identify and detect potential threats and malicious activities based on the behavior and actions of software or user rather than relying solely on predefined signatures or patterns - Instead of looking for specific known malware signatures, behavior-based detection focuses on monitoring the activities and interactions of applications, processes, or users in real-time. It looks for unusual or suspicious behavior that may indicate malicious intent, such as unauthorized attempts to access sensitive data, unusual network communication patterns, or abnormal system modifications. - Now behavior- based detection is really important when we're trying to get unknown threats and discover them. The reason is we can't use a signature because they're unknown
Fast Flux DNS
1. A technique rapidly changes the IP address associated with a domain 2. technique used by cybercriminals to evade detection and maintain resilient infrastructure for hosting malicious websites or distributing malware. It involves rapidly changing the IP addresses associated with domain names, making it difficult for security solutions to track and block these malicious sites. - Now, one of the ways you can detect this fast flux DNS is by looking at the communication patterns that emerge as these changes keep happening because we're going to see that your machine now went from this IP to that IP, to this third IP to the fourth IP, and that can be detected through your proxy logs.
Behavioral Threat Research
1. A term that refers to the correlation of IoCs into attack patterns
Indicator of Compromise (IoC)
1. a piece of evidence or information that suggests a system or network has been breached or compromised. 2. Evidence that an attack was successful - When we talk about IoC or an indicator of compromise, these can be all sorts of different things like a hash value, an IP address, a file being left on the system, or anything else like this, anything that gives us a clue that something has happened on the system. - What are some other things you can look at for indicators of compromise: -Unauthorized software and files -Suspicious emails -Suspicious registry and file system changes -Unknown port and protocol usage -Excessive bandwidth usage -Rouge hardware -Service disruption and defacement -Suspicious or unauthorized account usage
prevenatative
A control that acts to eliminate or reduce the likelihood that an attack can succeed
Detective
A control that may not prevent or deter access, but will identify and record any attempted or successful intrusion.
Diamond Model of Intrusion Analysis
A framework for analyzing cybersecurity incidents and intrusions by exploring the relationships between four core features: adversary, capability, infrastructure, and victim
MITRE ATT&CK Framework
A knowledge base maintained by the MITRE Corporation for listing and explaining specific adversary tactics, techniques, and common knowledge or procedures
Security Operations Center (SOC)
A location where security professionals monitor and protect critical information assets in an organization.
Documented Exploits
A piece of software, data or sequence of commands that takes advantage of a vulnerability to cause unintended behavior or to gain unauthorized access to sensitive data
zero-day vulnerability
A software vulnerability that is unknown to the vendor that can be exploited by attackers.
Website Harvesting
A technique used to copy the source code of website files to analyze for information and vulnerabilities
Indicator of Attack (IoA)
A term used for evidence of an ongoing intrusion attempt
Unknown Threats
A threat that cannot be identified using basic signature or pattern matching.
Deterrent Controls
A type of security control that discourages intrusion attempts.
zero-day exploit
A vulnerability that is exploited before the software creator/vendor is even aware of its existence.
Critical Infrastructure
Any physical or virtual Infrastructure considered so vital to the US that their incapacitation or destruction would have a debilitating effect on security, national economic security, national public health or safety, or any combination of these.