WEBVTT

00:00.000 --> 00:01.830
>> Hey guys, welcome back to

00:01.830 --> 00:03.750
this Cyber kill chain
course on Cybrary.

00:03.750 --> 00:05.205
This is Abdurahman Alnaim.

00:05.205 --> 00:06.840
Today we're going
to cover defense

00:06.840 --> 00:08.820
in depth using the kill chain.

00:08.820 --> 00:10.530
We went over the kill chain,

00:10.530 --> 00:12.510
we went over reconnaissance
where we gathered

00:12.510 --> 00:15.405
as much information as
we can about the target.

00:15.405 --> 00:16.740
Then in phase 2,

00:16.740 --> 00:18.780
we use that information
that we gained during

00:18.780 --> 00:21.450
reconnaissance to
build our weapon,

00:21.450 --> 00:23.700
the payload that we use later on

00:23.700 --> 00:27.570
to exploit and install
on the victim's machine.

00:27.570 --> 00:30.780
In delivery, we went over
social engineering and we

00:30.780 --> 00:33.210
delivered our payload using

00:33.210 --> 00:34.754
>> a social engineering attack.

00:34.754 --> 00:36.480
>> In exploitation, we exploited

00:36.480 --> 00:38.680
the human weakness and installed

00:38.680 --> 00:43.510
the payload on the victim's
machine, in phase 5.

00:43.510 --> 00:45.735
In phase 6, we used

00:45.735 --> 00:48.950
MSFconsole Metasploit to have

00:48.950 --> 00:51.140
command and control
over our back door,

00:51.140 --> 00:53.350
the payload that we
installed in phase 5.

00:53.350 --> 00:56.210
Finally, we actioned
on our objectives

00:56.210 --> 00:59.555
and got access to the
current dos dot text file.

00:59.555 --> 01:02.960
Luckily, in our example
it was on the desktop,

01:02.960 --> 01:06.470
but it's usually not
as easy as that.

01:06.470 --> 01:08.930
We move to defense.

01:08.930 --> 01:11.000
What we want to do in defense,

01:11.000 --> 01:14.390
we want to use these
defense actions,

01:14.390 --> 01:15.785
detect, deny, disrupt,

01:15.785 --> 01:18.530
degrade, deceive, and contain at

01:18.530 --> 01:22.790
each and every level of
the Cyber kill chain.

01:22.790 --> 01:24.715
In detect, what
we're trying to do,

01:24.715 --> 01:26.940
as an example, in
reconnaissance.

01:26.940 --> 01:28.875
We're trying to detect
any reconnaissance.

01:28.875 --> 01:31.020
In denial, we're trying
to deny it. In disrupt,

01:31.020 --> 01:32.240
we're trying to stop it or

01:32.240 --> 01:34.280
change it, and in degrade
we're trying to

01:34.280 --> 01:38.455
reduce or counter
attack the attacker,

01:38.455 --> 01:40.880
and in deceive, we're trying to

01:40.880 --> 01:43.790
either send them false
information back during

01:43.790 --> 01:45.650
command and control or send

01:45.650 --> 01:49.305
them fake data during
action on objective.

01:49.305 --> 01:52.100
In contain, we use
our design when

01:52.100 --> 01:54.860
we designed our network
and the segregation in

01:54.860 --> 01:57.485
our network to ensure that

01:57.485 --> 02:01.920
the attack is contained in
the smallest possible way.

02:01.920 --> 02:05.480
The best idea to attack
something like this or to

02:05.480 --> 02:10.880
go through a defense action
is to create a matrix.

02:10.880 --> 02:15.555
The matrix would have the
seven phases at the top.

02:15.555 --> 02:17.030
Reconnaissance, weaponization,

02:17.030 --> 02:18.380
delivery, exploit, install,

02:18.380 --> 02:20.810
C2 is command-and-control
and action

02:20.810 --> 02:22.415
on objective on the top.

02:22.415 --> 02:25.010
Then on the other axis
we have detect, deny,

02:25.010 --> 02:28.185
disrupt, degrade,
deceive and contain.

02:28.185 --> 02:32.355
Then we start building our
defense in depth model.

02:32.355 --> 02:37.555
This is more of a framework
that you can use.

02:37.555 --> 02:40.115
I'm going to leave
a copy of this in

02:40.115 --> 02:43.850
the resources page
of this matrix.

02:43.850 --> 02:45.995
Then you can take this matrix,

02:45.995 --> 02:48.020
based on the threat agents,

02:48.020 --> 02:51.620
the risk appetite, and the
budget of your company,

02:51.620 --> 02:55.440
decide what controls
you want to add.

02:55.440 --> 02:57.875
As an example in reconnaissance,

02:57.875 --> 02:59.750
you need to do
some web analytics

02:59.750 --> 03:02.440
because it's a
fairly passive step.

03:02.440 --> 03:04.460
You want to know
what information

03:04.460 --> 03:06.440
is out there about your company.

03:06.440 --> 03:07.770
As we saw in our example,

03:07.770 --> 03:11.760
Cybrary hid the webmaster's or

03:11.760 --> 03:16.755
the system admin information;
it's not available.

03:16.755 --> 03:18.800
You also want to
have something like

03:18.800 --> 03:20.645
a network intrusion detection

03:20.645 --> 03:23.990
to identify any fingerprinting

03:23.990 --> 03:27.755
or any scanning that
happens on your system

03:27.755 --> 03:31.010
and deny, a strict
firewall policy

03:31.010 --> 03:32.370
is extremely important.

03:32.370 --> 03:33.710
You don't want people to have

03:33.710 --> 03:37.055
access to your back-end servers.

03:37.055 --> 03:40.205
If you have a web
application server do not

03:40.205 --> 03:44.685
allow SSH connectivity
remotely, something like that.

03:44.685 --> 03:47.300
The other way of
denying, because again,

03:47.300 --> 03:52.185
it's a fairly passive step

03:52.185 --> 03:54.530
is something like
information sharing policy.

03:54.530 --> 03:58.035
You want to tell
your employees what

03:58.035 --> 04:02.085
they can and can't
share on the Internet.

04:02.085 --> 04:04.130
You don't want them to put the

04:04.130 --> 04:05.450
firewall model that you use,

04:05.450 --> 04:07.490
you don't want them
to put what kind

04:07.490 --> 04:11.120
of backbone routers
you use, and so on.

04:11.120 --> 04:14.420
In the sub, you want to have
something like reporting.

04:14.420 --> 04:16.700
You want to raise the
awareness of your employees,

04:16.700 --> 04:21.200
to report any reconnaissance

04:21.200 --> 04:23.945
that is going on the Internet.

04:23.945 --> 04:25.910
Someone might say,
how would they know?

04:25.910 --> 04:27.200
Again, with enough awareness,

04:27.200 --> 04:28.550
they would be able
to identify that

04:28.550 --> 04:30.500
someone is communicating
to them or

04:30.500 --> 04:34.935
accessing their LinkedIn
page that is malicious.

04:34.935 --> 04:40.040
I know of a company
or organization that

04:40.040 --> 04:42.380
was a victim of

04:42.380 --> 04:44.240
a social engineering campaign

04:44.240 --> 04:45.529
>> on one of the social media.

04:45.529 --> 04:47.480
>> One of the employees
identified it,

04:47.480 --> 04:50.060
reported it to the company and
reported it to the authorities.

04:50.060 --> 04:52.940
They were able to stop that
attack at the recon phase.

04:52.940 --> 04:56.745
He did not even move on
to the following stages.

04:56.745 --> 04:58.875
In weaponization again, because

04:58.875 --> 05:01.950
that's needs of being
fairly passive,

05:01.950 --> 05:03.770
there's not a lot
that you can do.

05:03.770 --> 05:05.450
However, your
threat intelligence

05:05.450 --> 05:06.860
should be able to identify

05:06.860 --> 05:10.410
what kind of threats
you are vulnerable to,

05:10.410 --> 05:12.455
and you want to continue
doing the same thing,

05:12.455 --> 05:13.850
across delivery, exploit,

05:13.850 --> 05:16.085
installation,
command and control

05:16.085 --> 05:18.769
and action on objectives.

05:18.769 --> 05:20.300
You can use something
like honeypots,

05:20.300 --> 05:22.100
you can use privileged
access management,

05:22.100 --> 05:23.660
log monitoring is key,

05:23.660 --> 05:26.105
host intrusion detection
system, and so on.

05:26.105 --> 05:29.240
Obviously, this is
an example and it's

05:29.240 --> 05:32.540
not something that
you have to follow.

05:32.540 --> 05:34.670
However, the matrix is

05:34.670 --> 05:37.250
a framework that I highly
recommend because it

05:37.250 --> 05:39.590
would give you an idea
of what kind of controls

05:39.590 --> 05:42.200
you have and where
you are lacking.

05:42.200 --> 05:43.550
Obviously, you want to have

05:43.550 --> 05:47.019
>> as many controls as possible.

05:47.019 --> 05:52.295
>> The matrix, however, due
to a higher risk appetite

05:52.295 --> 05:57.410
or a low threat on the
corporate and a low budget,

05:57.410 --> 06:00.710
you might not be able to go

06:00.710 --> 06:03.440
through or have
controls for each and

06:03.440 --> 06:06.580
every one of the phases.

06:06.580 --> 06:09.619
For our post
assessment questions,

06:09.619 --> 06:12.515
what are the steps of
the defense actions?

06:12.515 --> 06:15.064
We covered this, we
started with detect,

06:15.064 --> 06:19.024
deny, disrupt, degrade,
deceive, and contain.

06:19.024 --> 06:20.630
Second is how do we use

06:20.630 --> 06:22.444
>> the Cyber kill
chain in defense?

06:22.444 --> 06:26.300
>> As I said, if you want
to protect from a hacker,

06:26.300 --> 06:27.560
you have to think like a hacker.

06:27.560 --> 06:31.280
The best way to do that is
to use the Cyber kill chain.

06:31.280 --> 06:34.850
Then in each and every
phase you want to detect,

06:34.850 --> 06:36.140
deny, disrupt, degrade,

06:36.140 --> 06:37.825
deceive, and contain.

06:37.825 --> 06:40.930
Finally, is the cyber
defense matrix,

06:40.930 --> 06:43.790
the one I showed in the
example, applicable for all?

06:43.790 --> 06:45.830
As I said, the cyber
defense matrix

06:45.830 --> 06:48.125
as a framework is
applicable for all.

06:48.125 --> 06:51.530
However, the examples that I
showed are not necessarily

06:51.530 --> 06:53.090
applicable to your
organization or

06:53.090 --> 06:55.830
the company you work for.

06:56.750 --> 06:59.745
In today's video we covered

06:59.745 --> 07:02.540
defense using the
cyber kill chain.

07:02.540 --> 07:04.040
In the next video we're going

07:04.040 --> 07:05.660
>> to talk about criticism and

07:05.660 --> 07:08.660
>> the unified cyber-security
kill chain and we're going

07:08.660 --> 07:12.970
to conclude our
course. See you then.

