[00:00:09] OK, so in the last lecture I sort of laid out my story, how I got into cybersecurity, and now we're going to dig into the computer attack methodology. We touched on it a little bit in the last lecture, but in this one we're going to go a little bit deeper, because this is sort of an attack nomenclature that every cybersecurity professional understands. It helps you to break down the attack chain of major threat actor groups today.

[00:00:35] So if we go to MITRE's website and click on Groups, right, and click on this, you can see a list of various advanced persistent threats. So, what, about 17? Like, these are different hacking groups. A lot of them are state sponsored. But if you click on one, like APT28, it'll give you an overview of the group. It gives you some, you know, alternate names for that group, because different research teams have different names for the same group. And then if you go down to the bottom, you can actually see the techniques that are used. Right. So there's some things they did, all the techniques that map to MITRE ATT&CK. Right. So you can see it registered domains imitating NATO, OSCE, and many security websites. These are some of the things that this particular group has done. You can scroll through all this, and sometimes I'll even see the IOCs. Right.
[00:01:33] So I'll see, so if you see this particular IOC in your registry, it could be an indication that this particular threat cluster was on or in your environment. It doesn't mean it is the case, but it could be something that you obviously need to take into consideration here. You can see that they use a command like this, certutil, to decode the contents of a text file that was base64 encoded, period. And this maps to this particular technique, T1140.

[00:02:08] So if you go to the main matrices, if you just go to MITRE ATT&CK and click on Matrices, you can see all the tactics, the attacker goals, on the top, and then all the techniques, how those goals are attained, on the bottom. And if you click the vertical gray bar, you can expand a particular technique, see, there's two here, and see the sub-techniques. Right, so Active Scanning has sub-techniques for scanning IP blocks and vulnerability scanning. Gather Victim Host Information has four sub-techniques. You can see what the techniques are: you can gather information about the hardware, the software, the firmware, or the client configurations. This is really important to know. Now, the nice thing about it is it's laid out in a logical fashion. So typically attackers will start with reconnaissance and start phishing for information.
[00:02:57] They might search open source technical databases to get information about the victim organization, and how are they going to do that? They might use WHOIS, they might use digital certificates, and the same sort of go through this data. Then, of course, they're going to want to mobilize their resources and their attacking infrastructure, so they may just compromise a legitimate website; that'll be compromised infrastructure in the first two. And you can see some of the things they might do. They might host a virtual private server, or they might start a botnet. They might develop their capabilities by using malware, maybe even using exploits. And this just continues. So this is really, really good to know.

[00:03:36] And I strongly, strongly recommend that you actually read through, at least read through, all of the tactics. Ideally, you would read through the techniques as well, because it really gives you a good understanding of how attackers think and how they work. And it also gives you the language you can use to speak to other, you know, cyber threat hunters or ethical hackers, red team or blue team, and even management, because this is the lingua franca that we all use when it comes to speaking cyber.

[00:04:02] All right, so you've got execution, persistence. How do you survive a reboot, right?
[00:04:07] Privilege escalation. OK, so you can survive a reboot, but how do you elevate your permissions to a higher security context so you can wreak havoc on the system? Then once you do that, you probably have to worry about, so, antivirus or an endpoint detection and response platform, EDR, like Carbon Black or CrowdStrike Falcon. You know, there's so many different EDRs out there, and there's many others. One attack might find a way to evade it one day, and then the next day it doesn't work, because it's constantly a cat and mouse game between the attackers and the defenders.

[00:04:45] And you can keep moving forward. You can see credential access has plenty of techniques. You can, you know, brute force, of course, that's one of them. But look at that: as you expand it, you'll see there's different ways to brute force passwords. Right, password guessing. Password cracking is not the only thing; credential stuffing. Let's say you don't know what credential stuffing is. You just click it. It tells you that this is when data shows up in a public database. You know, sometimes when an organization is breached, the credentials are dumped to Pastebin or to the dark web, and you have clear text credentials that are now exposed to the public.
[00:05:20] Well, if you can match those credentials to a user, then maybe you can recycle or reuse those credentials, or what's known as stuffing them, credential stuffing, to see if you can authenticate to another resource in the target organization using those previously exposed credentials. As you can see, this is a very useful website, and you definitely should be well aware of it.

[00:05:44] Now, one of the things I want to show you is, if you go to the ATT&CK Navigator, you can have some fun with this. So we're going to go first to SCYTHE, and I'm going to download a MITRE ATT&CK layer. OK, so let me show you what I'm talking about here. Let's pick the Ryuk ransomware. And let's grab the ATT&CK Navigator layer, so I click this. I'm going to actually click Raw. Sometimes that's what you need, you need the raw link. So let's Ctrl+C this, go back in here, delete until the... put a little arrow. All right, so we're on different versions, but let's see if it works anyway.

[00:06:28] Sweet. So the cool thing about this now is you can see that Ryuk is right up here. Remember, we got that from SCYTHE's GitHub. By the way, SCYTHE is a breach and attack simulation platform. It's a way that you can emulate a threat actor or an activity cluster that's affiliated with a particular nation state adversary.
[00:06:48] And you can use their tool to emulate that. It's a paid tool, it's not free, but there are free ones. Like, I think Prelude is an emerging free one; it's a rework of MITRE Caldera. But that's beside the point, that's a different topic. What I showed you here is that these community threats are all layers. These are MITRE ATT&CK layers, and so you can just do what I did before: you click inside a particular APT, you find the ATT&CK Navigator JSON, you click on the Raw button here, grab that URL, copy it, right click, copy, you go back to Navigator, and it maps the threat actor's techniques against the MITRE ATT&CK framework, right? So that is really, really useful.

[00:07:37] So we can create a new tab. And we can say... Click the little arrow, like, OK. And look. Now we've got Ryuk and we've got APT41, which is really cool. So you can see here that these guys are using PowerShell. They're using the Windows Command Shell. It's about... Ctrl+minus. Yes, we can get a little bit more of it this way and see them doing these different things. For defense evasion, they're using BITS.
[00:08:19] If you don't know what it is, you can just click it. I thought you could just click and get it. You can't click it and pull it up, but you can of course remember that ID, or you could just go back to MITRE ATT&CK and look for BITS. Yeah, BITS. I'm in Defense Evasion, so I'm just going to type in... BITS. BITS Jobs, under Defense Evasion. Sorry, the text is really small on my screen, even though it isn't for you, it is for me, because I'm zooming in after I recorded the video. BITS Jobs, you can see what this is, and it gives you a nice little explanation.

[00:09:00] So I think it's very, very useful. So, you know, make sure that you get comfortable with MITRE, you know, understand these techniques, go through these techniques, read them, you know, click through the links. Don't be afraid to just kind of take your time and enjoy this, because this is how you develop a real passion for the stuff, and the people in this field that have the most passion typically are the highest paid and also have the highest technical acumen. So you want to be in that story. That's all we're going to do for this lecture. In the next one, we're going to jump into the MITRE Shield methodology and explain the differences between Shield and ATT&CK.
[00:09:36] And then we're going to really just come right up. See you in the next lecture.