WEBVTT

00:00.000 --> 00:02.760
>> Hey, guys. Welcome back to
this Cyber Kill Chain course.

00:02.760 --> 00:04.320
This is Abdulrahman Alnaim, and

00:04.320 --> 00:07.395
unfortunately, today,
we'll have to conclude.

00:07.395 --> 00:09.270
As I said before,

00:09.270 --> 00:10.800
I'm going to share
with you criticism

00:10.800 --> 00:12.135
on the Cyber Kill Chain.

00:12.135 --> 00:14.700
There are two main
criticisms out there.

00:14.700 --> 00:17.070
The first one is because
of the nature of

00:17.070 --> 00:20.100
reconnaissance and
more of weaponization,

00:20.100 --> 00:22.965
the fairly passive step
that's hard to detect,

00:22.965 --> 00:25.620
and it's extremely
difficult to do so.

00:25.620 --> 00:28.740
However, as we shared
in the previous video,

00:28.740 --> 00:30.000
when you use the matrix,

00:30.000 --> 00:32.970
you can add more and more
controls to detect, deny,

00:32.970 --> 00:34.470
and so on during

00:34.470 --> 00:37.530
the reconnaissance and
the weaponization phase.

00:37.530 --> 00:39.240
Although they happen
on the Internet,

00:39.240 --> 00:40.734
they happen away from you.

00:40.734 --> 00:44.780
There is one way or
another to protect

00:44.780 --> 00:48.500
your system during
the reconnaissance

00:48.500 --> 00:50.210
and the weaponization phase.

00:50.210 --> 00:53.870
The second criticism they
have for the Cyber Kill Chain

00:53.870 --> 00:58.720
is it's not suitable to
the insider threat model.

00:58.720 --> 01:02.670
That actually has
some truth to it.

01:02.670 --> 01:04.205
As you won't find,

01:04.205 --> 01:06.095
the delivery fee is being used,

01:06.095 --> 01:08.360
maybe no weaponization
and so on.

01:08.360 --> 01:10.350
However, if you use

01:10.350 --> 01:14.115
this Cyber Kill Chain to
design a defense in depth,

01:14.115 --> 01:16.485
you would benefit even

01:16.485 --> 01:19.690
from insider threat if you
have prototypes management,

01:19.690 --> 01:23.030
if you have elevation
of privileges,

01:23.030 --> 01:26.045
rather than giving users
administrator accounts,

01:26.045 --> 01:27.680
he won't be able to go

01:27.680 --> 01:29.060
through installation
as an example.

01:29.060 --> 01:30.890
If you monitor access

01:30.890 --> 01:34.580
from inside the machine

01:34.580 --> 01:36.665
to everywhere else
in the environment,

01:36.665 --> 01:39.080
you can actually detect
any reconnaissance

01:39.080 --> 01:41.975
or any command and control
that he is actually doing.

01:41.975 --> 01:44.540
The same thing happens
on actions on objective.

01:44.540 --> 01:48.380
If you have a strong DLP policy,

01:48.380 --> 01:50.510
you would be able to
detect that someone

01:50.510 --> 01:54.065
is sending data out
of the environment.

01:54.065 --> 01:57.200
It might not be designed
for insider threats.

01:57.200 --> 02:02.730
However, the benefits of
designing your defense in

02:02.730 --> 02:04.780
depth using the Cyber Kill Chain

02:04.780 --> 02:09.515
will cover a lot of
the insider threat.

02:09.515 --> 02:11.570
What they did is they came up

02:11.570 --> 02:14.045
with the Unified
Kill Chain which is

02:14.045 --> 02:18.620
an extension of the kill chain

02:18.620 --> 02:21.080
and a mix between

02:21.080 --> 02:22.655
the Lockheed Martin Kill Chain

02:22.655 --> 02:24.890
and the MITRE ATT&CK Framework.

02:24.890 --> 02:28.085
What they did is 18 phases.

02:28.085 --> 02:31.250
They're designed in a way

02:31.250 --> 02:33.590
that there are three main steps.

02:33.590 --> 02:34.850
The initial foothold,

02:34.850 --> 02:36.050
the network propagation,

02:36.050 --> 02:38.140
>> and the action on objective.

02:38.140 --> 02:40.280
>> Each of them has a cycle

02:40.280 --> 02:42.590
that the attacker would
go through until he

02:42.590 --> 02:47.745
achieves the objective
of that phase.

02:47.745 --> 02:49.260
I'm going to leave a link to

02:49.260 --> 02:53.010
the Unified Kill Chain
and the resources.

02:53.010 --> 02:54.590
Please go ahead and read more

02:54.590 --> 02:57.330
about it if you're interested.

02:57.500 --> 02:59.600
At the beginning of the course,

02:59.600 --> 03:02.450
we shared with you
pre-assessment questions.

03:02.450 --> 03:04.880
I think it might be more
applicable to change that to

03:04.880 --> 03:07.645
post-assessment questions.

03:07.645 --> 03:09.855
What is the cyber kill chain?

03:09.855 --> 03:11.520
We talked about the kill chain

03:11.520 --> 03:14.649
>> being a military model to

03:14.649 --> 03:17.900
>> identify attacks or to

03:17.900 --> 03:21.035
have a successful
attack on a target,

03:21.035 --> 03:23.465
beside the kill chain is
not really different.

03:23.465 --> 03:27.785
What Lockheed Martin
did is translate

03:27.785 --> 03:31.910
the steps that
attackers usually have

03:31.910 --> 03:34.460
during a targeted attack into

03:34.460 --> 03:37.800
a seven phase model that

03:37.800 --> 03:42.290
is applicable and is
widely used by everyone.

03:42.290 --> 03:44.540
What are the seven phases or

03:44.540 --> 03:46.580
steps of the Lockheed
Martin Kill Chain?

03:46.580 --> 03:48.170
The first one is reconnaissance,

03:48.170 --> 03:49.940
second is weaponization,

03:49.940 --> 03:51.265
three is delivery,

03:51.265 --> 03:52.950
four is exploitation,

03:52.950 --> 03:54.660
five is installation,

03:54.660 --> 03:57.135
six is command and control,

03:57.135 --> 04:01.345
and seven is action
on objective.

04:01.345 --> 04:03.240
What steps in the kill chain are

04:03.240 --> 04:05.220
passive and which are active?

04:05.220 --> 04:06.660
As we said in reconnaissance,

04:06.660 --> 04:08.450
it's a combination of both.

04:08.450 --> 04:10.730
There's some active
aspect of it and

04:10.730 --> 04:13.785
there's some passive
aspect of it.

04:13.785 --> 04:16.920
Weaponization, it's a
fairly passive step.

04:16.920 --> 04:20.540
Then you have delivery,
exploitation, installation,

04:20.540 --> 04:22.100
command and control and action

04:22.100 --> 04:25.370
on objective being active phases.

04:25.370 --> 04:27.570
Finally, how do we use
the Cyber Kill Chain

04:27.570 --> 04:28.880
in designing defense?

04:28.880 --> 04:32.630
We went over the
defense matrix where we

04:32.630 --> 04:36.240
have our seven phases
on one axis, detect,

04:36.240 --> 04:38.660
deny, and so on,
on the other axis.

04:38.660 --> 04:43.250
Then we decide our network
to detect, deny, disrupt,

04:43.250 --> 04:45.710
and so on, on each
and every one of

04:45.710 --> 04:49.260
the seven phases of
the Cyber Kill Chain.

04:49.420 --> 04:51.845
Before we conclude,

04:51.845 --> 04:54.260
let's go one last time over
the Cyber Kill Chain.

04:54.260 --> 04:56.210
We start with the reconnaissance
where you gathered

04:56.210 --> 05:00.370
as much information as
possible about the target.

05:00.370 --> 05:03.085
Then we moved on to
a weaponization,

05:03.085 --> 05:06.470
where we designed our payload
that we're going to use.

05:06.470 --> 05:09.770
We could not have successfully
designed a weapon during

05:09.770 --> 05:11.150
weaponization if we did not

05:11.150 --> 05:14.015
have a successful
reconnaissance.

05:14.015 --> 05:16.475
Step 3 or Phase 3,

05:16.475 --> 05:17.780
we went through delivery.

05:17.780 --> 05:19.280
Again, we use the information we

05:19.280 --> 05:21.230
gained during reconnaissance to

05:21.230 --> 05:24.680
design a successful
delivery of our payload.

05:24.680 --> 05:27.845
In Phase 4, we exploited
the vulnerability on

05:27.845 --> 05:30.590
the victim's environment.

05:30.590 --> 05:32.240
>> In Phase 5,

05:32.240 --> 05:35.385
>> we installed a payload
on the victim's machine.

05:35.385 --> 05:37.890
In Phase 6, we communicated
to do this payload.

05:37.890 --> 05:39.249
>> In Phase 7,

05:39.249 --> 05:40.550
>> we achieved our goal,

05:40.550 --> 05:42.199
we achieved our objective,

05:42.199 --> 05:46.370
and we got the
information or the data

05:46.370 --> 05:51.385
that we want to get from
that targeted attack.

05:51.385 --> 05:55.535
I hope you guys enjoyed this
course as much as I did.

05:55.535 --> 05:59.280
Good luck protecting
your environment.

