WEBVTT 00:00.000 --> 00:03.720 >> Threat management. The learning objectives 00:03.720 --> 00:06.225 for this lesson are to define threat intelligence, 00:06.225 --> 00:09.150 to differentiate the different types of threat actors, 00:09.150 --> 00:11.235 and to describe supply chain attacks. 00:11.235 --> 00:14.650 Let's get started. Threat intelligence. 00:14.650 --> 00:17.300 This is the continual process that is designed to help 00:17.300 --> 00:20.645 organizations understand the threats that they may face. 00:20.645 --> 00:23.465 Because the threats are always evolving, 00:23.465 --> 00:25.580 we need to make sure that our processes for 00:25.580 --> 00:28.570 identifying those threats are also evolving. 00:28.570 --> 00:31.910 CISA has designated 16 critical sectors to 00:31.910 --> 00:33.590 help identify the different types 00:33.590 --> 00:35.180 of issues that they may face. 00:35.180 --> 00:36.680 These sectors would include energy, 00:36.680 --> 00:38.210 health care, financial, etc. 00:38.210 --> 00:39.995 You can find out more information 00:39.995 --> 00:41.615 at the URL on the screen. 00:41.615 --> 00:44.060 Keep in mind the purpose of threat intelligence is 00:44.060 --> 00:46.310 to help us stay ahead as much 00:46.310 --> 00:48.260 as we can of the new threats 00:48.260 --> 00:50.330 that are emerging and what we need to 00:50.330 --> 00:52.070 be able to do to defend against 00:52.070 --> 00:55.380 those threats for our own organization. 00:56.470 --> 00:58.850 Let's talk about the different types 00:58.850 --> 01:00.100 of threat intelligence. 01:00.100 --> 01:01.620 First, we have tactical. 01:01.620 --> 01:03.200 This is focused on the tactics, 01:03.200 --> 01:05.345 techniques, and procedures or TTPs. 01:05.345 --> 01:07.250 This is data that can be used by 01:07.250 --> 01:09.935 an organization to perform vulnerability remediation, 01:09.935 --> 01:12.355 infrastructure hardening and etc. 01:12.355 --> 01:14.750 For this, we have the different tactics 01:14.750 --> 01:16.490 that a threat actor might use, 01:16.490 --> 01:18.345 their techniques, and their procedures. 01:18.345 --> 01:22.175 But these are more about every group 01:22.175 --> 01:24.320 or every specific threat actor 01:24.320 --> 01:26.480 has their own way of doing things. 01:26.480 --> 01:29.390 We want to make sure that those that we've 01:29.390 --> 01:32.150 identified as being the likely threats for us, 01:32.150 --> 01:34.700 that we are hardening our systems to be 01:34.700 --> 01:37.490 able to defend against those known TTPs. 01:37.490 --> 01:41.090 If your risk assessment has identified that you are 01:41.090 --> 01:42.770 a likely target for 01:42.770 --> 01:46.310 a specific type of threat attacker such as say, 01:46.310 --> 01:48.950 just a hacktivist, then you want to make sure that 01:48.950 --> 01:50.225 your websites are hardened 01:50.225 --> 01:53.090 and that your web servers are protected. 01:53.090 --> 01:55.265 You don't really need to worry about 01:55.265 --> 01:57.380 nation-state-level attackers if you 01:57.380 --> 01:58.910 haven't identified that as a threat. 01:58.910 --> 02:01.955 The tactical intelligence will help you to make sure that 02:01.955 --> 02:03.860 you are using the correct TTPs 02:03.860 --> 02:05.890 to harden your organization. 02:05.890 --> 02:08.150 Then strategic intelligence is 02:08.150 --> 02:09.890 focused on the bigger picture. 02:09.890 --> 02:12.740 This is used to identify the motivations, capabilities, 02:12.740 --> 02:15.050 the intentions of the threat actors 02:15.050 --> 02:17.075 so that we can develop midterm plans. 02:17.075 --> 02:18.810 This is a step 02:18.810 --> 02:21.095 above tactical where we want to make sure that 02:21.095 --> 02:23.780 we understand why the threat actors 02:23.780 --> 02:25.655 we've identified are doing what they're doing, 02:25.655 --> 02:28.820 just how good are their capabilities and 02:28.820 --> 02:30.245 we want to make sure that we 02:30.245 --> 02:32.570 factor that into our planning for the future. 02:32.570 --> 02:34.955 Then also we have operational intelligence, 02:34.955 --> 02:35.960 and this is collected from 02:35.960 --> 02:38.300 the organization's own infrastructure, 02:38.300 --> 02:40.330 such as our SIEM devices or logs. 02:40.330 --> 02:42.500 This will identify the current attacks 02:42.500 --> 02:44.015 and the indicators of compromise. 02:44.015 --> 02:46.220 This is real-time information. 02:46.220 --> 02:47.450 This is what's going on in 02:47.450 --> 02:48.740 your organization right now 02:48.740 --> 02:50.120 so you can read your firewall logs, 02:50.120 --> 02:53.030 your SIEM logs, your event logs on your servers. 02:53.030 --> 02:54.620 All of that information is letting you 02:54.620 --> 02:56.585 know the things that are going on now. 02:56.585 --> 03:00.260 You can use that to craft your own response and in turn, 03:00.260 --> 03:04.710 harden your system against those types of attacks. 03:05.870 --> 03:08.790 Threat and adversary emulation. 03:08.790 --> 03:11.930 Threat emulation is when we use the known TTPs to 03:11.930 --> 03:15.010 emulate how an attacker may operate in a realistic way. 03:15.010 --> 03:18.125 We do this so that we can test our current defenses. 03:18.125 --> 03:22.070 If we go and use the TTPs and use the actual tools 03:22.070 --> 03:24.050 that an attacker that we think is 03:24.050 --> 03:26.180 going to be a likely attacker against us, 03:26.180 --> 03:28.730 we can simulate those attacks against ourselves to make 03:28.730 --> 03:31.505 sure that we are already hardened against those. 03:31.505 --> 03:33.080 Now adversary emulation is a 03:33.080 --> 03:34.430 little different because it uses 03:34.430 --> 03:37.790 the TTPs of a specific threat actor in a realistic way. 03:37.790 --> 03:39.470 We're not using all the tools that are 03:39.470 --> 03:41.270 available to us or all the TTPs. 03:41.270 --> 03:43.700 We're using those that we think are specific 03:43.700 --> 03:46.395 to one specific adversary. 03:46.395 --> 03:47.870 We're going to get into the different types of 03:47.870 --> 03:50.280 adversaries in just a little bit. 03:51.050 --> 03:54.320 Threat hunting. Threat hunting is 03:54.320 --> 03:56.600 using threat intelligence to help us develop 03:56.600 --> 03:58.730 hypothesis and analytics that is 03:58.730 --> 04:01.160 based on what threat actors are known to do 04:01.160 --> 04:02.660 so that the threats can be 04:02.660 --> 04:06.170 proactively found rather than passively detected. 04:06.170 --> 04:09.630 If we already know what their tools 04:09.630 --> 04:11.450 are using or what their procedures 04:11.450 --> 04:13.040 are and all of their tactics, 04:13.040 --> 04:15.770 we can turn around and use that information to help 04:15.770 --> 04:18.410 us harden our own defenses before something happens. 04:18.410 --> 04:19.760 We don't have to wait around for 04:19.760 --> 04:21.710 it and detect the attack. 04:21.710 --> 04:24.650 We can actively harden our systems and 04:24.650 --> 04:26.720 our defenses against them because we 04:26.720 --> 04:29.210 already know what's happening outside in the real world. 04:29.210 --> 04:30.590 We can get this information 04:30.590 --> 04:32.585 from advisories and bulletins. 04:32.585 --> 04:34.490 This is information that's been released by 04:34.490 --> 04:36.290 vendors and researchers about 04:36.290 --> 04:38.300 new TTPs and vulnerabilities 04:38.300 --> 04:39.850 that have been detected in the wild. 04:39.850 --> 04:43.400 These are usually the ones that are zero-day or 04:43.400 --> 04:47.200 really freshly found live on the web. 04:47.200 --> 04:49.790 We really want to pay attention to these because while 04:49.790 --> 04:51.890 our organization might not be a target 04:51.890 --> 04:54.110 for zero days and that type of thing, 04:54.110 --> 04:55.565 we want to make sure that 04:55.565 --> 04:57.740 we go ahead and harden those because when they 04:57.740 --> 04:59.840 eventually filter down to other threat actors 04:59.840 --> 05:02.570 who might use them against us, we're already protected. 05:02.570 --> 05:04.055 We can also make use of 05:04.055 --> 05:06.035 intelligence fusion and threat data. 05:06.035 --> 05:07.340 This is SIEM and threat 05:07.340 --> 05:09.350 analytics platforms that can apply 05:09.350 --> 05:11.630 intelligence fusion techniques to 05:11.630 --> 05:13.895 the collected information to locate threats. 05:13.895 --> 05:15.830 This is gathering all the information 05:15.830 --> 05:17.030 on our network and then 05:17.030 --> 05:19.970 using that intelligence fusion system to help 05:19.970 --> 05:22.880 look at that collected information and try to find 05:22.880 --> 05:24.410 the needle in the haystack of 05:24.410 --> 05:26.230 maybe things that we didn't notice, 05:26.230 --> 05:27.830 but by taking all this information 05:27.830 --> 05:29.810 together and making a new big picture out of it, 05:29.810 --> 05:31.280 we can see things in a different way 05:31.280 --> 05:33.480 and find new threats. 05:34.840 --> 05:38.300 Let's discuss intelligence collection methods. 05:38.300 --> 05:40.220 First, we have our intelligence feeds. 05:40.220 --> 05:44.675 These provide data such as known phishing IPs and URLs, 05:44.675 --> 05:46.790 malware, ransomware, or that type of thing. 05:46.790 --> 05:48.530 These are really good for firewalls 05:48.530 --> 05:50.930 because you can put these in and 05:50.930 --> 05:53.420 they will block outgoing connections 05:53.420 --> 05:55.140 to these IP addresses of these URLs, 05:55.140 --> 05:57.780 for example, for phishing so that if your users receive 05:57.780 --> 05:59.360 an email that has one of these known links 05:59.360 --> 06:00.785 in it, it's going to get blocked. 06:00.785 --> 06:02.225 When they go to click on it, it's not going to 06:02.225 --> 06:03.710 be allowed to go out of the firewall. 06:03.710 --> 06:05.060 That's a very helpful feature. 06:05.060 --> 06:08.270 Then we also can find information from the deep web. 06:08.270 --> 06:11.000 The deep web is the parts of 06:11.000 --> 06:13.910 the web that are not indexed and are generally hidden. 06:13.910 --> 06:16.325 But this also includes the so-called dark web. 06:16.325 --> 06:18.670 The dark web is a component of the deep web. 06:18.670 --> 06:20.525 A lot of times what will happen is 06:20.525 --> 06:23.060 a company will be breached and their data will be stolen, 06:23.060 --> 06:24.230 and then information will be put 06:24.230 --> 06:25.825 up for sale on the dark web. 06:25.825 --> 06:27.425 Once that is done, 06:27.425 --> 06:28.835 they'll usually provide samples 06:28.835 --> 06:30.170 so that people can prove that 06:30.170 --> 06:31.460 this is real information from 06:31.460 --> 06:33.290 the company they're claiming it to be from. 06:33.290 --> 06:35.495 If you see that information through 06:35.495 --> 06:37.070 your own dark web monitoring or 06:37.070 --> 06:38.410 a third-party service that you 06:38.410 --> 06:40.145 found that locates that information, 06:40.145 --> 06:41.450 that's a way for you to know that 06:41.450 --> 06:43.010 you've been breached and you 06:43.010 --> 06:46.195 need to look into starting to find the cause of that. 06:46.195 --> 06:49.070 We can also use open-source intelligence or OSINT. 06:49.070 --> 06:51.080 This is publicly available information 06:51.080 --> 06:52.205 such as social media, 06:52.205 --> 06:54.490 DNS records, websites, that type of thing. 06:54.490 --> 06:56.420 A lot of times attackers 06:56.420 --> 06:58.475 will post their information on social media. 06:58.475 --> 06:59.960 If we're monitoring for those, 06:59.960 --> 07:02.169 then we can get signs of different attacks. 07:02.169 --> 07:05.015 >> A lot of times they'll post how they went 07:05.015 --> 07:06.680 about doing their attacks 07:06.680 --> 07:08.270 with the tools and things that they've used, 07:08.270 --> 07:09.650 and we can use that information 07:09.650 --> 07:11.810 to craft our own response. 07:11.810 --> 07:14.090 Finally, we have human intelligence or HUMINT. 07:14.090 --> 07:15.650 This is collecting intelligence by 07:15.650 --> 07:17.210 actually interacting with people. 07:17.210 --> 07:18.530 This might be interacting with 07:18.530 --> 07:20.345 the hacker himself or herself, 07:20.345 --> 07:24.095 it might be going through with 07:24.095 --> 07:26.420 other different types of 07:26.420 --> 07:29.585 groups that are posting information online. 07:29.585 --> 07:31.280 Regardless, as long as you're 07:31.280 --> 07:33.770 interacting with people to collect information, 07:33.770 --> 07:36.690 this is considered human intelligence. 07:38.680 --> 07:42.455 Let's move on to the actual threat actor groups. 07:42.455 --> 07:44.435 The first level is the script kiddie. 07:44.435 --> 07:46.460 This is a person that we'll be using 07:46.460 --> 07:48.020 a hacker tool and they'll have 07:48.020 --> 07:50.150 no knowledge of how that tool works, 07:50.150 --> 07:52.325 they just click and run. 07:52.325 --> 07:55.145 Their goals are usually doing this for the fun of it, 07:55.145 --> 07:57.920 either gaining attention or proving their skills. 07:57.920 --> 07:59.990 These are the lowest level attacker. 07:59.990 --> 08:01.640 Now, that doesn't mean that they're not dangerous 08:01.640 --> 08:04.130 because a lot of times they can 08:04.130 --> 08:06.620 cause a massive amount of damage to an organization 08:06.620 --> 08:07.700 because they don't understand 08:07.700 --> 08:09.335 these tools and what they're doing. 08:09.335 --> 08:11.000 This especially true when someone's 08:11.000 --> 08:13.655 using denial-of-service attacks on an organization, 08:13.655 --> 08:16.175 it doesn't take a lot to be able to do that. 08:16.175 --> 08:18.650 Insider threat is the next level. 08:18.650 --> 08:21.350 This is an employee or a contractor, 08:21.350 --> 08:23.450 that's the key thing to keep in mind. 08:23.450 --> 08:24.500 They're already on the inside, 08:24.500 --> 08:25.910 so they're inside the castle, 08:25.910 --> 08:28.040 and they might be a threat, 08:28.040 --> 08:29.825 whether it's intentional or unintentional. 08:29.825 --> 08:31.685 This could be where an individual 08:31.685 --> 08:33.350 accidentally does something and causes 08:33.350 --> 08:35.120 a lot of problems or damage to 08:35.120 --> 08:37.220 your company because they are on the inside. 08:37.220 --> 08:39.230 This is also a reason we want to make sure we're 08:39.230 --> 08:40.970 looking at permission creep 08:40.970 --> 08:42.770 where a user doesn't 08:42.770 --> 08:45.350 have more access rights than they need, 08:45.350 --> 08:48.080 because if they have those rights and then they make 08:48.080 --> 08:49.700 a mistake then the damage can even 08:49.700 --> 08:52.040 spread a lot further on the inside. 08:52.040 --> 08:54.380 The next level are competitors. 08:54.380 --> 08:56.390 You may be a victim of cyber espionage 08:56.390 --> 08:57.814 to steal your information. 08:57.814 --> 09:00.695 This is far more common than most people realize, 09:00.695 --> 09:02.450 and we want to make sure that we are 09:02.450 --> 09:05.100 protecting ourselves from this. 09:06.040 --> 09:08.705 Next up is organized crime. 09:08.705 --> 09:10.055 If there's money to be made, 09:10.055 --> 09:12.035 you're going to find organized crime there. 09:12.035 --> 09:14.570 Now organized crime has shifted to using 09:14.570 --> 09:17.000 cyber to help them facilitate their crimes. 09:17.000 --> 09:19.250 Ransomware gangs are a good example of this, 09:19.250 --> 09:21.484 but they're also getting into cyber espionage. 09:21.484 --> 09:23.945 There's a lot of money to be made in cyber, 09:23.945 --> 09:25.850 and again, anytime there's money to be made, 09:25.850 --> 09:27.380 you're going to find organized crime. 09:27.380 --> 09:29.120 These groups can be from all over the world, 09:29.120 --> 09:31.160 they can be small groups all the way up 09:31.160 --> 09:33.230 to the groups that everyone typically 09:33.230 --> 09:35.660 associates with organized crime like Russian mafia 09:35.660 --> 09:38.645 or organized crime from South or Central America, 09:38.645 --> 09:40.700 or even inside the United States. 09:40.700 --> 09:41.930 Again, if there's money to be made, 09:41.930 --> 09:42.950 they're going to be there. 09:42.950 --> 09:44.705 Next up are hacktivists. 09:44.705 --> 09:46.550 These will use a cyber attack 09:46.550 --> 09:48.470 for a specific political agenda. 09:48.470 --> 09:51.230 They often target corporations because of 09:51.230 --> 09:52.580 the actions of the corporation 09:52.580 --> 09:54.080 or maybe their social stance. 09:54.080 --> 09:56.600 Anonymous is a good example of this. 09:56.600 --> 09:59.000 Then finally we have nation-states. 09:59.000 --> 10:01.400 These are the truly skilled attackers 10:01.400 --> 10:04.085 that come from government organizations. 10:04.085 --> 10:05.930 These are also known as advanced 10:05.930 --> 10:07.745 persistent threats or APTs. 10:07.745 --> 10:09.950 Good examples of these are whenever you 10:09.950 --> 10:12.725 hear about the attacks from China or from Russia, 10:12.725 --> 10:15.500 they always have an APT number with them and they 10:15.500 --> 10:18.650 have really funny names that go along with it. 10:18.650 --> 10:21.560 These are the groups that are really 10:21.560 --> 10:22.610 good at getting into things 10:22.610 --> 10:24.305 because they've got the resources, 10:24.305 --> 10:27.140 they've got the financial backing to make sure, 10:27.140 --> 10:28.505 they've got the knowledge, 10:28.505 --> 10:30.680 and you put all those things together and you 10:30.680 --> 10:33.200 develop a truly skilled attacker. 10:33.200 --> 10:36.305 Again, most companies or most organizations 10:36.305 --> 10:37.520 are not going to be targeted 10:37.520 --> 10:39.710 by this level of threat actor, 10:39.710 --> 10:41.015 but if you are, then you 10:41.015 --> 10:42.740 really need to make sure you're doing 10:42.740 --> 10:46.650 everything possible to lock everything down. 10:48.400 --> 10:51.635 Then let's go over supply chain access. 10:51.635 --> 10:53.720 This is a form of attack that is 10:53.720 --> 10:55.910 becoming far more common and has to 10:55.910 --> 10:58.535 go after third party contractors 10:58.535 --> 11:00.470 to gain access to a target. 11:00.470 --> 11:03.125 For example, again, 11:03.125 --> 11:05.360 we've talked about this in the lesson before, 11:05.360 --> 11:07.520 but Target had this happen to them, 11:07.520 --> 11:10.445 where their third-party HVAC vendor 11:10.445 --> 11:14.000 was connected directly into the Target's network. 11:14.000 --> 11:15.800 The HVAC vendor was breached 11:15.800 --> 11:18.140 and the attacker pivoted over inside to 11:18.140 --> 11:20.390 the Target network and was able to compromise 11:20.390 --> 11:21.680 their payment system and then 11:21.680 --> 11:23.795 steal credit card information. 11:23.795 --> 11:27.215 Target itself did not actually get hacked, 11:27.215 --> 11:29.885 their third party vendor did and then they pivoted over. 11:29.885 --> 11:32.210 Now, yes, Target should have done a better job of 11:32.210 --> 11:34.760 making sure that that third-party access was limited, 11:34.760 --> 11:37.715 but this is something that often goes overlooked, 11:37.715 --> 11:41.300 is we put something in and we make sure that 11:41.300 --> 11:43.070 that third party vendor is able to do 11:43.070 --> 11:44.360 their work and we don't really give 11:44.360 --> 11:46.130 any thought to anything else. 11:46.130 --> 11:48.260 I'll give you an example of this that happened with 11:48.260 --> 11:50.510 us is that one of the sites that we 11:50.510 --> 11:53.555 took over had a Raspberry Pi there for 11:53.555 --> 11:56.210 HVAC control and no one 11:56.210 --> 11:58.040 in the business knew what it was for, 11:58.040 --> 12:00.230 they just had always seen this little device there, 12:00.230 --> 12:02.855 and when we finally got into the device, 12:02.855 --> 12:05.135 we found out that it hadn't been updated in years 12:05.135 --> 12:06.920 and it was on a very old version 12:06.920 --> 12:08.330 of the Raspberry Pi software. 12:08.330 --> 12:11.390 We contacted the HVAC vendor and helped 12:11.390 --> 12:12.980 them to get it updated because 12:12.980 --> 12:14.690 this is not their specialty, 12:14.690 --> 12:16.100 they're not an IT company, 12:16.100 --> 12:18.350 they're just trying to make sure they're able to monitor 12:18.350 --> 12:22.055 the HVAC controls for this particular customer of theirs. 12:22.055 --> 12:23.510 But by doing that, 12:23.510 --> 12:24.665 they had pretty much introduced 12:24.665 --> 12:25.910 a huge vulnerability to 12:25.910 --> 12:27.920 the network that had been there for years. 12:27.920 --> 12:30.890 You want to make sure that your third-party vendors 12:30.890 --> 12:33.095 are properly segregated from your network, 12:33.095 --> 12:34.700 that you don't give them access to anything 12:34.700 --> 12:36.530 more than what they actually need, 12:36.530 --> 12:38.930 and to make sure that you give 12:38.930 --> 12:41.450 due consideration to what it is that they 12:41.450 --> 12:44.690 actually need on your network so that it doesn't become 12:44.690 --> 12:46.220 a privileged creep where they just 12:46.220 --> 12:48.920 keep getting more and more information or heaven forbid, 12:48.920 --> 12:50.480 that once they're connected, 12:50.480 --> 12:51.530 that's as far as it goes and you 12:51.530 --> 12:52.760 don't give it any other thought. 12:52.760 --> 12:54.845 This is a huge problem and 12:54.845 --> 12:57.410 oftentimes these guys are easier targets 12:57.410 --> 12:59.810 because an HVAC vendor maybe 12:59.810 --> 13:02.390 doesn't have an IT department or if they do, 13:02.390 --> 13:04.130 they may not have a security department. 13:04.130 --> 13:05.510 It's not on their radar because 13:05.510 --> 13:06.920 it's not their primary focus of 13:06.920 --> 13:10.970 their business. Let's summarize. 13:10.970 --> 13:12.440 We went over the different types of 13:12.440 --> 13:13.910 threat actors and then we also 13:13.910 --> 13:15.110 discussed the types of threat 13:15.110 --> 13:16.820 intelligence and threat hunting, 13:16.820 --> 13:18.470 we went over the different types of 13:18.470 --> 13:20.120 intelligence collection methods, 13:20.120 --> 13:22.250 and we discuss supply chain attacks. 13:22.250 --> 13:24.545 Let's do some example questions. 13:24.545 --> 13:28.910 Question 1, this tactic allows organizations to simulate 13:28.910 --> 13:30.740 a specific threat actor to 13:30.740 --> 13:33.630 the organization and how they may attack. 13:33.760 --> 13:38.060 Adversary emulation. Question 2, 13:38.060 --> 13:40.220 this type of intelligence is focused on 13:40.220 --> 13:43.950 the big picture and is used to make mid-range plans. 13:44.350 --> 13:49.445 Strategic intelligence. Question 3, 13:49.445 --> 13:53.580 this threat actor type is focused on a political agenda. 13:53.590 --> 13:57.860 Activist. Finally, Question 4, 13:57.860 --> 13:59.420 this threat actor type is deeply 13:59.420 --> 14:02.610 funded and uses sophisticated techniques. 14:02.890 --> 14:06.890 Nation-state or advanced persistent threat, APT. 14:06.890 --> 14:08.300 I hope this lesson was helpful 14:08.300 --> 14:10.740 for you, and I'll see you in the next one.