WEBVTT

00:07.220 --> 00:12.230
In this episode we're going to talk about pattern recognition and why it's important for you as a cybersecurity

00:12.230 --> 00:14.450
analyst to use pattern recognition.

00:14.480 --> 00:20.870
Most times, people look at cybersecurity as purely a logical scheme for scientific measures, but that's

00:20.870 --> 00:22.250
not necessarily true.

00:22.280 --> 00:30.770
Cybersecurity is part intuition and part logic to form an analytical point of view that points to a specific

00:30.770 --> 00:34.460
problem or a series of problems within your network.

00:34.610 --> 00:40.040
Pattern recognition is the process of identifying recurring patterns or anomalies within your network.

00:40.070 --> 00:45.380
That means to say that if I have zeros and ones that are constantly popping up at distinct times, or

00:45.410 --> 00:49.130
for a distinct period of time, that would constitute a pattern.

00:49.160 --> 00:53.870
Now we use pattern recognition to identify botnets or exfiltration of data.

00:53.870 --> 00:59.900
We can also utilize pattern recognition to identify if something is anomalous within our network traffic.

00:59.900 --> 01:05.960
Meaning if I have a specific IP address that we're communicating with for 15 seconds every hour on the

01:05.960 --> 01:06.410
hour.

01:06.440 --> 01:11.030
Then that's a pattern that we need to identify for a potential problem within our network.

01:11.150 --> 01:16.430
Pattern recognition is utilized not just in malware, but it's also utilized for storage capacity.

01:16.460 --> 01:20.810
You can use pattern recognition to find out if your employees are doing something that maybe they shouldn't,

01:20.810 --> 01:23.510
or even to identify baseline traffic.

01:23.510 --> 01:29.960
If you're continually, every day, every 1:00 in the morning, sending an update to your cloud provider

01:29.960 --> 01:37.100
to upload data or to provide storage for your data against ransomware, then that's a pattern.

01:37.100 --> 01:42.140
But that's a good pattern if you're utilizing patterns to identify specific times of the day when you're

01:42.140 --> 01:44.180
utilizing your antivirus programs.

01:44.210 --> 01:49.760
Obviously a good pattern, but what if you were communicating from a specific client at a specific time,

01:49.760 --> 01:53.630
every single day for 15 seconds to an unknown IP address?

01:53.630 --> 01:58.250
Well, that could lead to an indicator of compromise, which is a malicious pattern that you need to

01:58.250 --> 01:59.060
be aware of.

01:59.090 --> 02:03.110
We use patterns not only against malware, but for data exfiltration.

02:03.110 --> 02:05.780
We use patterns to identify faults in our network.

02:05.780 --> 02:11.180
Maybe we're seeing an error within our network traffic at a specific time, every 15 minutes that could

02:11.180 --> 02:17.780
throw faults to an IT position, which is not necessarily malicious in use, but could identify network problems

02:17.780 --> 02:22.640
or even identify problems from our backhaul inside of our IT infrastructure.

02:22.790 --> 02:27.500
Pattern recognition could identify different faults within the technology that we're using.

02:27.500 --> 02:33.440
It could be used again against malware, or it could identify problems that are occurring in our technology,

02:33.440 --> 02:37.730
where we can identify whether or not something is getting ready to go bad, or something that has already

02:37.730 --> 02:41.510
gone bad, and potentially open a vulnerability within our own network.

02:41.720 --> 02:47.210
Pattern recognition really is utilized not only for cybersecurity, but also for IT and repair of those

02:47.210 --> 02:48.440
infrastructure problems.

02:48.440 --> 02:54.440
Within pattern recognition, we often talk about how a command and control system, or how our clients

02:54.440 --> 02:58.520
within our internal network are communicating to a known bad IP address.

02:58.520 --> 03:04.130
Or maybe it's not known, but we're seeing a pattern within the traffic communicating to an outside

03:04.130 --> 03:05.210
IP address.

03:05.330 --> 03:11.150
Uh, a lot of times that enters a command and control infrastructure where our client or our server

03:11.150 --> 03:17.780
is talking, maybe every hour or every 45 minutes for a specific time to a specific IP address.

03:17.780 --> 03:19.010
Outside of our network.

03:19.010 --> 03:25.670
We refer to that as a command and control base, where a malicious actor is utilizing a command and

03:25.670 --> 03:28.100
control infrastructure to talk to its malware.

03:28.130 --> 03:30.740
That's intrusive on our clients.

03:30.740 --> 03:35.510
This could provide some malicious activity that we need to be aware of, but command and control can

03:35.510 --> 03:39.230
be utilized for more than just DDoS attacks or just malware.

03:39.290 --> 03:44.480
You can also see it from a perspective of where the command and control center is taking control of

03:44.480 --> 03:50.870
the botnets, not just one client, but multiple clients within our infrastructure. That could be an indicator

03:50.870 --> 03:54.980
of compromise that relates back to a DDoS attack or a denial of service attack.

03:55.010 --> 04:00.290
It could also be indicative of malware that's communicating to a command and control center to exfiltrate

04:00.290 --> 04:00.890
data.

04:00.890 --> 04:08.120
It could also be for a time bomb or a logic bomb inside of our internal network. Any type of those malware

04:08.150 --> 04:14.930
where we're having communication to an unknown IP address outside of our network on a known schedule

04:14.930 --> 04:20.300
indicates a pattern which then constitutes a command and control center, which could cause some serious

04:20.300 --> 04:22.190
issues within our internal network.

04:22.220 --> 04:27.230
Suspicious commands that you need to be aware of could be file manipulations, where we're seeing manipulation

04:27.230 --> 04:28.850
of files at a distinct time.

04:28.880 --> 04:34.550
Again, that pattern recognition comes back into play with how are these file manipulations taking place?

04:34.580 --> 04:36.440
Are we seeing file manipulations?

04:36.440 --> 04:42.500
Not on a specific timeline, but maybe the same files are being manipulated on one machine or more than

04:42.500 --> 04:46.610
one machine, and it's happening across various aspects of our departments.

04:46.610 --> 04:52.340
We could see where the timeline doesn't necessarily match up, but the actual manipulation of the file

04:52.340 --> 04:53.210
matches up.

04:53.210 --> 04:59.030
We can see system executions happening at a distinct time, or maybe they're happening in series where

04:59.030 --> 05:03.110
one machine starts and then another machine, and it kind of cascades throughout our network.

05:03.140 --> 05:05.270
Again, that's a pattern we can see.

05:05.300 --> 05:06.830
Network configuration commands.

05:06.830 --> 05:13.220
Maybe I've got a box inside my edge network where we're doing an ipconfig, or we're doing a ping command,

05:13.220 --> 05:17.960
and then we're seeing that again, that cascading effect from different systems across our network.

05:17.990 --> 05:22.700
Now, it doesn't mean that every single client or every single server is going to send out that same

05:22.700 --> 05:24.200
network configuration command.

05:24.200 --> 05:28.910
But maybe we're seeing it at one point of our network and then on various other points of our network,

05:28.910 --> 05:33.770
which looks random, but once you dive into it, you can start to see a pattern develop.

05:33.770 --> 05:40.070
Those patterns are indicative of malicious actors taking control of our network, or somehow injecting

05:40.070 --> 05:41.690
malware into our systems.

05:41.690 --> 05:46.820
That usually corresponds to data movement, where data is moving from one client to another, and it

05:46.820 --> 05:49.010
could also indicate data exfiltration.

05:49.010 --> 05:55.220
There are commands or malicious actors that will move data from internal clients to a server, so that

05:55.220 --> 05:58.520
they can exfiltrate data all at once at a specific time.

05:58.520 --> 06:00.020
So you have to be careful of that.

06:00.020 --> 06:04.520
If I've got clients that are sitting on different departments, but they're all communicating to the

06:04.550 --> 06:11.090
same server and they're moving data or infrastructure information to that single point within your server

06:11.090 --> 06:12.860
or within your network architecture.

06:12.890 --> 06:14.900
Do they have a reason to move that data?

06:14.930 --> 06:16.460
Sometimes the answer is yes.

06:16.460 --> 06:21.620
If I have a file server that I'm moving a lot of stuff for, and that's where the files are held up,

06:21.620 --> 06:22.580
that makes sense.

06:22.580 --> 06:27.680
But if I have a lot of files that are moving, maybe to a web server or an email server that necessarily

06:27.680 --> 06:32.120
isn't used for that type of specific movement, that could be an indicator of compromise.

06:32.150 --> 06:34.220
The last point is unknown users.

06:34.220 --> 06:39.650
If I have an unknown user, maybe from the HR department that is now operating in the operations department,

06:39.650 --> 06:44.690
or maybe it's a brand new user that's operating in several different departments simultaneously, is

06:44.690 --> 06:45.830
there a reason for that?

06:45.830 --> 06:51.290
Does that user have power or administrative privileges, and if so, why do they have administrative privileges?

06:51.290 --> 06:57.530
We should have a list of every user that's associated with admin privileges across our entire network.

06:57.560 --> 07:02.660
If we don't understand that user or we don't recognize that user, we need to shut it down pretty quickly.

07:02.660 --> 07:04.910
And again, that would be indicative of a pattern.

07:04.910 --> 07:08.960
Once that's completed, we need to go back through and do an audit and figure out everything that that

07:08.960 --> 07:11.600
user touched, if it was malicious in nature.

07:11.630 --> 07:16.160
Throughout this episode, we talked about different patterns and how to utilize those patterns, how

07:16.190 --> 07:18.800
time of day really matters when it comes to pattern recognition.

07:18.800 --> 07:21.770
But it's not just solely on the pattern of time.

07:21.770 --> 07:26.810
We also have to look at what communication process is taking place, whether it's from one client

07:26.810 --> 07:29.090
or multiple clients, and how they're talking to one another.

07:29.090 --> 07:35.300
Really, that intuition or that gut feeling that you have as a security analyst comes into play.

07:35.300 --> 07:40.880
We have to have that careful mix of logic versus intuition in order to do our jobs well.

07:40.880 --> 07:46.850
You should expect to see Cisa exam questions specifically on the logic front of your exam.

07:46.850 --> 07:50.780
We're not really going to see a lot of intuition in there, because it's really hard to measure that

07:50.780 --> 07:53.630
intuition when it comes to an exam like Cisa.

07:53.660 --> 07:57.800
So they're really going to concentrate on the logic portion of it and really kind of make you think

07:57.800 --> 07:59.480
from a logical standpoint.

07:59.510 --> 08:01.790
Now you've probably heard me say logic, logic, logic.

08:01.790 --> 08:04.670
And for the Cisa exam that's important to know.

08:04.700 --> 08:09.590
However, in your real world job, you need to understand that those gut feelings, that intuition that

08:09.590 --> 08:15.260
you have is going to play a major role in how you interact with different malicious actors or pattern

08:15.260 --> 08:16.190
recognition.

08:16.190 --> 08:19.790
But for Cisa, stick to the logic and you should be fine.
