WEBVTT

00:00.199 --> 00:03.315
>> Hey guys, welcome back

00:03.315 --> 00:05.670
to the cyber kill chain
course on Cybrary.

00:05.670 --> 00:08.130
This is Abdulrahman
Alnaim and today we're

00:08.130 --> 00:12.280
covering action on objectives.

00:12.710 --> 00:18.119
We reach the end, the
goal of the attack.

00:18.119 --> 00:22.050
Now that we've finished our
successful reconnaissance,

00:22.050 --> 00:25.034
successful weaponization,
successful delivery,

00:25.034 --> 00:29.640
successful exploitation,
and installation,

00:29.640 --> 00:31.485
and then went through

00:31.485 --> 00:36.000
a textbook example of
command and control.

00:36.000 --> 00:41.370
Now, the attacker went
through the environment,

00:41.370 --> 00:42.735
however, so far,

00:42.735 --> 00:46.725
he did not gain a
single thing, nothing.

00:46.725 --> 00:49.820
The only thing that
he can say now

00:49.820 --> 00:52.955
is he was able to hack
this or that company,

00:52.955 --> 00:56.420
but he does not even have
the proof that he did that.

00:56.420 --> 00:59.910
Now, he moves to
action on objective.

01:04.220 --> 01:07.190
In the action on objectives,

01:07.190 --> 01:11.940
the attacker performs the
steps to achieve that goal.

01:11.940 --> 01:14.045
Basically, going
through the six steps

01:14.045 --> 01:18.115
is to achieve the
action on objective.

01:18.115 --> 01:22.640
Now the attacker
is in the network,

01:22.640 --> 01:24.454
>> he has connectivity.

01:24.454 --> 01:29.700
>> Now, he needs to get
basically the payment histories,

01:29.700 --> 01:31.715
the login data,
account information,

01:31.715 --> 01:33.830
any other sensitive information

01:33.830 --> 01:36.425
to ransom the whole network,

01:36.425 --> 01:40.120
and hope people
would pay for that.

01:40.120 --> 01:42.855
That's action on objective.

01:42.855 --> 01:46.530
This step, by the way,
might take months.

01:46.530 --> 01:50.120
It's because the
attacker tries to

01:50.120 --> 01:56.190
make as little noise as possible.

01:56.190 --> 01:57.930
He's trying to take

01:57.930 --> 02:01.275
a billion thousand steps
without being detected.

02:01.275 --> 02:04.455
He needs to be silent.

02:04.455 --> 02:07.200
That's why it takes
a lot of time.

02:07.200 --> 02:10.160
During that time he needs,
again communication,

02:10.160 --> 02:11.870
which is command and control

02:11.870 --> 02:15.635
so action on objective
is the goal.

02:15.635 --> 02:18.065
Let's go back to our example.

02:18.065 --> 02:20.120
I'm not sure if you guys noticed

02:20.120 --> 02:23.795
one thing when I
displayed the picture.

02:23.795 --> 02:30.020
There's one thing that
actually caught my eye.

02:30.020 --> 02:38.100
Basically, the machine has
no antivirus, nothing.

02:38.100 --> 02:41.550
It's not showing.
The other thing,

02:41.550 --> 02:44.375
it's a laptop, which
means it's portable.

02:44.375 --> 02:46.400
Basically, these are the things

02:46.400 --> 02:48.545
that someone would look into.

02:48.545 --> 02:50.480
Because it's a laptop,
it's portable,

02:50.480 --> 02:52.040
there's a lot of data stored on

02:52.040 --> 02:53.615
the laptop because
he needs to access it

02:53.615 --> 02:57.795
even when he's away
from the office.

02:57.795 --> 03:07.740
Let's go back to the
machine itself and start

03:07.740 --> 03:12.420
with going to the
desktop because a lot of

03:12.420 --> 03:17.955
people would save some
data on the desktop.

03:17.955 --> 03:24.160
I need to put cd users

03:26.450 --> 03:32.880
then let's go to desktop.

03:32.880 --> 03:37.560
Then we're going to look

03:37.560 --> 03:44.025
what things they
have on the desktop.

03:44.025 --> 03:47.430
This might seem interesting.

03:47.430 --> 03:49.490
Obviously, in a
real life situation

03:49.490 --> 03:51.650
would not be as easy as this,

03:51.650 --> 03:53.900
however, a folder on the desktop

03:53.900 --> 03:57.175
is called Crown Jewels.txt.

03:57.175 --> 03:59.550
I know in reality,

03:59.550 --> 04:03.190
this will never
happen but why not?

04:05.600 --> 04:13.630
Let's open that file and see
what information is in it.

04:15.290 --> 04:22.530
It's not really a Linux machine,

04:22.530 --> 04:27.990
so say

04:27.990 --> 04:34.330
less crown jewels.txt.

04:45.860 --> 04:48.335
Again, I'm sorry about that.

04:48.335 --> 04:51.505
I thought for some reason
when you use Linux,

04:51.505 --> 04:56.105
less is one of the things
that you get used to.

04:56.105 --> 04:58.500
I'm showing the Crown Jewels

04:58.500 --> 05:01.320
text, and it says "crown jewels".

05:01.320 --> 05:05.250
Obviously, this is just capture

05:05.250 --> 05:10.015
the flag situation where
it was extremely obvious.

05:10.015 --> 05:12.025
But there you go.

05:12.025 --> 05:14.800
You want to go through, or
05:14.800 --> 05:17.830
the attacker would go through
the machine file by file

05:17.830 --> 05:25.425
until he reaches the goal
that he started this for.

05:25.425 --> 05:27.650
Again, don't forget that I

05:27.650 --> 05:30.095
still have all of these
options that I can run.

05:30.095 --> 05:31.415
I can record the mic.

05:31.415 --> 05:32.450
Again, it's a laptop,

05:32.450 --> 05:34.805
if I run a mic

05:34.805 --> 05:39.845
when they are in the meeting
or something like that,

05:39.845 --> 05:41.720
I would be able to
get more information

05:41.720 --> 05:44.850
>> than I hoped for.

05:45.529 --> 05:48.170
>> You can terminate processes.

05:48.170 --> 05:51.830
You can basically
clear the event logs.

05:51.830 --> 05:53.060
Obviously, a lot of hackers

05:53.060 --> 05:55.470
would do that before they leave.

05:58.010 --> 06:02.330
There are a lot of capabilities
that you can use there.

06:02.330 --> 06:04.950
Don't forget that.

06:07.130 --> 06:11.405
We covered the final step
of the cyber kill chain,

06:11.405 --> 06:14.705
what is the main purpose of

06:14.705 --> 06:19.500
the action on objective phase?

06:19.880 --> 06:22.910
As I said, now the intruder

06:22.910 --> 06:28.355
takes the action required
to achieve that goal,

06:28.355 --> 06:30.410
getting the data that he wants,

06:30.410 --> 06:31.610
credit card information,

06:31.610 --> 06:37.105
payment history, any
other possibility.

06:37.105 --> 06:39.560
There's a limitless
number of possibilities

06:39.560 --> 06:42.350
of objectives that a
hacker might have.

06:42.350 --> 06:45.660
It might be just destructive,
where he destroys

06:45.660 --> 06:47.430
the whole system and leaves,

06:47.430 --> 06:50.429
>> or it can be a ransomware thing.

06:50.429 --> 06:52.980
>> It depends on the objective.

06:52.980 --> 06:55.430
We have a number of
true or falses here.

06:55.430 --> 06:57.740
The first one is: action
on objective can be

06:57.740 --> 07:01.350
done quickly and
shouldn't take too long.

07:02.240 --> 07:04.740
That's actually not true.

07:04.740 --> 07:08.060
As I said, the
attacker has to be as quiet as

07:08.060 --> 07:09.770
possible during action on

07:09.770 --> 07:12.740
objective because you don't
want to be discovered.

07:12.740 --> 07:14.780
You want to take your time
now that you are beyond

07:14.780 --> 07:16.430
any security system or

07:16.430 --> 07:19.160
any capabilities for
them to discover you,

07:19.160 --> 07:22.250
you want to be as
quiet as possible.

07:22.250 --> 07:24.290
Take your time, explore

07:24.290 --> 07:26.780
everything that you
can to explore,

07:26.780 --> 07:29.695
and then action on
your objective.

07:29.695 --> 07:34.175
Second, hackers use actions

07:34.175 --> 07:38.500
on objective to erase
any logs and leave.

07:38.500 --> 07:40.020
In other kill chains,

07:40.020 --> 07:41.840
that's usually one of

07:41.840 --> 07:45.170
the last phases, where basically
you do action on objective,

07:45.170 --> 07:50.260
and then erase all of
your logs and leave.

07:50.260 --> 07:52.560
However, in the cyber kill chain,

07:52.560 --> 07:55.550
erasing the logs is usually

07:55.550 --> 07:57.680
not something that
they pay attention to,

07:57.680 --> 08:00.770
because it's the
action on objective.

08:00.770 --> 08:02.570
He got the goal regardless

08:02.570 --> 08:04.254
>> of whether they discovered
him or not.

08:04.254 --> 08:10.015
>> After the fact, he
achieved his objective.

08:10.015 --> 08:13.370
However, it's usually a good
idea for an attacker to

08:13.370 --> 08:17.755
erase any logs before
leaving the environment.

08:17.755 --> 08:22.885
Finally, action on objective
is the goal of the attack.

08:22.885 --> 08:27.090
That's actually true
because what we

08:27.090 --> 08:30.140
said is the first
six steps are for me

08:30.140 --> 08:31.040
>> to reach that goal,

08:31.040 --> 08:33.170
>> to reach basically
the capability to

08:33.170 --> 08:36.390
get my objective out
of the whole attack.

08:38.120 --> 08:41.855
Today, we covered the
action on objectives.

08:41.855 --> 08:45.500
We covered the full
cyber kill chain.

08:45.500 --> 08:47.390
We went through reconnaissance,

08:47.390 --> 08:51.450
>> weaponization, delivery,

08:51.459 --> 08:55.670
>> exploitation,
installation, command and

08:55.670 --> 09:01.105
control and we just covered
action on objectives.

09:01.105 --> 09:02.645
In the next video,

09:02.645 --> 09:06.590
we're going to use the
cyber kill chain to

09:06.590 --> 09:09.880
design a defense in-depth

09:09.880 --> 09:14.270
model for a corporation
or a company.

09:14.270 --> 09:17.820
Thank you so much and
I'll see you then.

