WEBVTT

00:07.670 --> 00:12.740
Frameworks serve as a structured approach, employed by security analysts to dissect and comprehend

00:12.770 --> 00:16.250
the tactics, techniques, and procedures employed by cyber attackers.

00:16.280 --> 00:21.890
These frameworks aid us in recognizing, prioritizing, and mitigating potential security threats.

00:21.920 --> 00:25.730
Targeting organizations information security systems.

00:25.730 --> 00:28.280
The first one I want to discuss today is called miter.

00:28.280 --> 00:34.730
Miter is an attack framework designed against adversary tactics, techniques and procedures, or Ttps.

00:34.760 --> 00:38.540
It goes through matrices, which is a broad spectrum of tactics techniques.

00:38.540 --> 00:43.550
They may use the different tactics or high level objectives pursued by the attackers.

00:43.550 --> 00:47.150
The techniques, which are specific methods or procedures employed.

00:47.150 --> 00:52.910
Data sources the types of information utilized to detect or prevent such attacks, things like logs

00:52.910 --> 00:58.010
or network traffic, the different mitigations or defensive measures that organizations such as ours

00:58.010 --> 01:03.660
can adopt to thwart or mitigate and minimize the impact of such an attack threat actor groups, which

01:03.690 --> 01:10.290
employ specific tactics and techniques, each assigned a unique identifier, for instance APT 67, maybe

01:10.290 --> 01:16.890
in a specific threat group that we're looking at the software or malware tools utilized by an attacker,

01:16.890 --> 01:22.260
these are mapped with the techniques they may execute, the different campaigns or instances of attacks

01:22.260 --> 01:23.910
executed by threat actors.

01:23.910 --> 01:28.350
These are mapped to the text that said techniques they've already used, and finally resources.

01:28.380 --> 01:32.700
Additional information aligning with the understanding and defending against those specific threats,

01:32.700 --> 01:36.090
the organizations, or the tactics and techniques we may have seen.

01:36.090 --> 01:42.180
These could utilize research papers, blog posts, even the dark web within the enterprise attack methodology.

01:42.180 --> 01:47.430
This concentrates on the adversary techniques and behaviors that we have seen in the past, or may see

01:47.430 --> 01:51.090
in the future the initial access methodology they may use.

01:51.090 --> 01:55.650
This is employed to establish a foothold within our targeted network or within the network we're trying

01:55.650 --> 01:56.370
to defend.

01:56.400 --> 02:00.420
These can be such things as a phishing attack or exploiting a vulnerability.

02:00.420 --> 02:02.720
The execution they may have utilized.

02:02.750 --> 02:08.000
Did they pull off a specific phishing email with a specific link, or did they take advantage of a specific

02:08.000 --> 02:10.730
vulnerability using a specific malware?

02:10.730 --> 02:13.310
This is the execution persistence.

02:13.310 --> 02:16.790
Once they got into our network, did they open additional doors?

02:16.790 --> 02:23.720
Maybe provide a back door into a new aspect to our network that provides persistence access?

02:23.870 --> 02:28.760
This could also be rootkits or scheduled tasks that they may be utilized inside of our system.

02:28.790 --> 02:33.170
Privilege escalation these actions are aimed at attaining elevated access.

02:33.170 --> 02:38.840
I think I've used the janitor scenario before where a janitor may have access to email, but not access

02:38.840 --> 02:45.620
to servers, and so you could do privilege escalation or lateral escalation, going either across up

02:45.620 --> 02:50.570
to get access to a specific system or subsystem that the attacker is trying to get access to.

02:50.600 --> 02:51.770
Defense evasion.

02:51.770 --> 02:57.710
This is the strategies we employ to circumvent detection and bypass security controls such as encryption

02:57.740 --> 02:59.150
or obfuscation.

02:59.150 --> 03:03.820
Credentialed access can we grab credentials from a specific user.

03:03.880 --> 03:06.400
Can we harvest credentials off a database?

03:06.430 --> 03:10.270
Or can we brute force our way into getting more access?

03:10.450 --> 03:11.140
Discovery.

03:11.140 --> 03:14.740
These are the techniques of gathering intelligence about the target system or network.

03:14.770 --> 03:18.430
These can include network scanning or active directory enumeration.

03:18.430 --> 03:20.710
Lateral movement which I've kind of already covered.

03:20.710 --> 03:24.490
But this is traversing laterally from one position over to another.

03:24.520 --> 03:30.820
Once we've gained access, we can also do such things as pass the hash or remote desktop exploitation

03:30.820 --> 03:31.750
collection.

03:31.750 --> 03:36.640
This is the action of harvesting data or information from a compromised system, such as keylogging

03:36.640 --> 03:38.170
or taking screenshots.

03:38.350 --> 03:39.400
Exfiltration.

03:39.400 --> 03:40.630
How do we get that data out?

03:40.630 --> 03:45.490
Or how did they get that data out from a compromised network, such as leverage a command and control

03:45.490 --> 03:49.480
server or external storage device, and then command and control itself?

03:49.510 --> 03:54.700
The techniques for communicating with those compromised systems involving a command and control infrastructure,

03:54.700 --> 03:57.670
and how that's utilized across the system.

03:57.700 --> 03:58.690
Iman methodology.

03:58.720 --> 04:01.690
We're really talking about four specific points.

04:01.720 --> 04:02.680
Adversaries.

04:02.680 --> 04:04.190
Who is attacking us?

04:04.190 --> 04:05.780
Where are they attacking from?

04:05.780 --> 04:10.820
The infrastructure that we're utilizing or the infrastructure that they have taken advantage of.

04:10.820 --> 04:14.570
And in our system, in our network, what capabilities they have?

04:14.600 --> 04:19.670
Do they have the capability of just using malware, or do they have the capability of doing some pretty

04:19.670 --> 04:21.470
advanced social engineering attacks?

04:21.470 --> 04:24.080
And finally, their targets, who is their target?

04:24.080 --> 04:27.980
Are we talking about specific people systems of vulnerability?

04:28.070 --> 04:31.130
What specifically are they addressing when it comes to this target?

04:31.130 --> 04:36.320
The cyber kill chain recognizes seven distinct steps that threat adversaries may utilize against an

04:36.320 --> 04:37.430
enterprise environment.

04:37.430 --> 04:39.170
The first step is reconnaissance.

04:39.170 --> 04:45.080
How do I develop a reconnaissance, either via passive or active measures, to identify different traits,

04:45.110 --> 04:48.890
assets, or infrastructure that your organization may utilize?

04:48.920 --> 04:54.740
The recon stage really kind of pinpoints not just the assets that you may utilize, but the vulnerabilities

04:54.740 --> 04:55.550
as well.

04:55.580 --> 04:56.930
Weaponization.

04:56.930 --> 04:59.630
What kind of delivery system am I going to utilize?

04:59.630 --> 05:01.460
What kind of malware am I going to utilize?

05:01.490 --> 05:06.750
What kind of attack am I going to develop to target your specific systems.

05:06.750 --> 05:11.520
This could be anything from a social engineering attack like a spear phishing email or a phishing email,

05:11.550 --> 05:16.920
maybe even phishing all the way down to malware use through a rootkit or a trojan.

05:16.920 --> 05:20.850
We're really kind of developing that weapon against the infrastructure.

05:20.880 --> 05:22.050
Then there's delivery.

05:22.080 --> 05:25.350
How do I get that system into your environment?

05:25.350 --> 05:27.690
Am I taking advantage of a vulnerability?

05:27.720 --> 05:29.550
What's the delivery methodology?

05:29.580 --> 05:31.290
Now, this isn't exploitation.

05:31.290 --> 05:37.140
We're not actually executing the malware on your system, but we're delivering it to your system.

05:37.140 --> 05:41.130
This could be taking advantage of a vulnerability without actually exploiting it.

05:41.130 --> 05:44.010
This could be sending off a phishing email with a link in it.

05:44.010 --> 05:45.540
That's the delivery phase.

05:45.570 --> 05:48.960
Exploitation is the actual exploitation of the system.

05:48.960 --> 05:53.550
If I'm exploiting a vulnerability, then I'm taking that piece of malware, I'm delivering it to the

05:53.550 --> 05:56.040
system, and then I'm actually executing it.

05:56.040 --> 05:57.660
That's the exploitation phase.

05:57.690 --> 06:04.640
Installation of new malware into the system for persistence or for privilege escalation, and then finally

06:04.640 --> 06:05.600
command and control.

06:05.630 --> 06:12.710
How do I circumvent your systems and provide a command and control structure, where I can maintain

06:12.740 --> 06:18.680
access to your enterprise environment, and further gain more control mechanisms over to the different

06:18.680 --> 06:19.490
systems?

06:19.490 --> 06:27.500
The OSS team or open source security testing methodology model is a widely applied in various practical

06:27.500 --> 06:33.170
scenarios and utilizes penetration testing, which serves as a comprehensive guide for simulating attacks

06:33.170 --> 06:36.680
on systems, networks, people or assets to come.

06:36.710 --> 06:38.030
Cover vulnerabilities.

06:38.060 --> 06:43.490
Most companies or enterprise environments will use a third party environment or a third party vendor

06:43.490 --> 06:49.790
to pull off penetration penetration testing, and that penetration testing utilizes a scope of work

06:49.790 --> 06:53.120
that clearly identifies what they're testing for.

06:53.120 --> 06:59.360
We can utilize security auditing, which leverages the auditing process to evaluate our system and infrastructure

06:59.360 --> 07:00.110
security.

07:00.110 --> 07:05.460
It also facilitates the identification of vulnerabilities and the assessment of security controls and

07:05.460 --> 07:08.430
how they are effective within our system, we can do.

07:08.460 --> 07:11.490
Compliance and certification or recertification.

07:11.490 --> 07:12.810
This is recognized by the.

07:13.110 --> 07:18.480
ISO 2701, which identifies specific methodologies that we utilize to.

07:18.510 --> 07:23.820
Ensure that we're complying with regulatory bodies or contractual agreements for certification.

07:23.820 --> 07:29.010
And finally, security training, where we're training security professionals and the employees that

07:29.010 --> 07:32.460
are within our enterprise environment in a structured manner.

07:32.460 --> 07:37.410
This aids in the development and enhancement of their skill set, their awareness, and their expertise

07:37.410 --> 07:39.540
in security testing methodologies.

07:39.570 --> 07:45.780
The OWASp Web Security Testing Framework is designed specifically for web applications and web developers.

07:45.810 --> 07:51.270
It's designed to go through six distinct phases to identify different security vulnerabilities within

07:51.270 --> 07:52.320
web applications.

07:52.320 --> 07:54.600
The first phase planning and preparation.

07:54.600 --> 08:00.030
This initial phase involves defining objectives for the security test and determining the scope of the

08:00.030 --> 08:05.690
assessment that we're going to utilize against our web application Web information gathering or information

08:05.690 --> 08:10.190
gathering is phase two, and this phase the tester gathers relevant information about the target web

08:10.190 --> 08:11.090
application.

08:11.090 --> 08:15.260
This includes architecture functionality, maybe potential attack vectors.

08:15.470 --> 08:18.500
In phase three, we're doing a vulnerability identification.

08:18.500 --> 08:24.320
We systematically assess the web application for security vulnerabilities such as injection, cross-site

08:24.350 --> 08:27.800
scripting, SQL, or session management flaws.

08:27.830 --> 08:29.630
Step four exploitation.

08:29.630 --> 08:34.520
Once we've identified a vulnerability, we're going to attempt to exploit that and assess the severity

08:34.520 --> 08:36.980
of the potential impact of that application.

08:37.160 --> 08:42.650
Poised to exploitation the fifth phase, uh, testers are going to evaluate the level of access gained

08:42.650 --> 08:49.340
and potential consequences that could be attributed to that exploitation against that web application.

08:49.340 --> 08:51.080
And the sixth phase reporting.

08:51.110 --> 08:55.340
We're going to document and report out those test results.

08:55.340 --> 08:57.170
We're going to present to our stakeholders.

08:57.200 --> 08:58.760
A comprehensive report.

08:58.760 --> 09:04.250
And that report should include the vulnerabilities discovered, the severity rating and actual recommendations

09:04.250 --> 09:06.740
for remediation of our web application.