WEBVTT

00:07.130 --> 00:11.390
In this chapter, we're going to discuss the fundamentals of threat intelligence.

00:11.390 --> 00:16.880
As a CySA analyst, you're expected to understand the trends and the scope of different threat actors

00:16.880 --> 00:23.390
and how they proceed through the act of acting maliciously. Whether it's APTs, nation states, or

00:23.390 --> 00:27.920
script kiddies, you need to understand how those different threat actors correspond to the different

00:27.920 --> 00:30.380
threats associated with your specific network.

00:30.410 --> 00:35.180
You need to understand the intelligence that governs how they intercept different traffic patterns,

00:35.180 --> 00:40.880
what threat actions they utilize, what different technologies they utilize, and how their overall

00:40.910 --> 00:44.960
goals encompass what they're trying to achieve within each individual network.

00:44.990 --> 00:51.470
CySA really appreciates and goes into depth with the idea that you need to understand at what level and

00:51.470 --> 00:57.710
what corresponding threat action each threat actor uses to accomplish their specific goal, whether

00:57.710 --> 01:04.220
it's for funds or financial information, maybe long-term intelligence gathering, or just

01:04.220 --> 01:05.930
wreaking havoc across your network.

01:05.930 --> 01:11.300
Nation state threat actors are sophisticated and well-funded and act on behalf of a government or an

01:11.300 --> 01:14.360
agency that, in turn, acts for the government itself.

01:14.360 --> 01:19.640
In the United States, that's usually the CIA or the NSA, but it can be DoD as well.

01:19.790 --> 01:24.290
Nation state actors have a specific goal or agenda that they're trying to accomplish.

01:24.290 --> 01:29.630
Now, that could be something like in the Russia-Ukraine war, where they specifically were acting

01:29.630 --> 01:33.260
as a precursor to actions against Ukraine.

01:33.290 --> 01:39.920
It could also be on a more level base, where the nation state actor is acting on behalf of, say, Iran,

01:39.920 --> 01:46.760
where they took over websites and are specifically targeting those websites to provide propaganda

01:46.760 --> 01:52.100
to prop up their own side of the story, regardless of where they're coming from.

01:52.100 --> 01:57.890
And with a nation state actor, you have to remember that those specific nation state actors have a specific

01:57.890 --> 01:59.060
goal in mind.

01:59.060 --> 02:01.260
And they're very sophisticated and well-funded.

02:01.260 --> 02:05.010
They have no problem with a long-executed plan of action.

02:05.190 --> 02:11.850
They may invade an enterprise network and then hang tight for six months to even two years before they

02:11.850 --> 02:12.780
actually act.

02:12.780 --> 02:18.090
They're there for the long term, and their plans are well-executed and well-funded, so they have plenty

02:18.090 --> 02:23.670
of time to adopt and utilize that internal network to their advantage.

02:23.670 --> 02:28.980
They're really not in it for the short-term, knee-jerk goal that you might see with other actors in

02:28.980 --> 02:30.630
the threat actor atmosphere.

02:30.660 --> 02:36.540
Advanced persistent threats are most notably utilized in correspondence with nation states, but not

02:36.540 --> 02:40.800
always. The big difference between a nation state and an advanced persistent threat,

02:40.800 --> 02:45.600
and why most people get those two confused, is that an advanced persistent threat does not have to be

02:45.600 --> 02:46.950
funded by the government.

02:46.950 --> 02:52.230
It could be a collaboration of different governments, or it could be a part of, say, the Taliban,

02:52.230 --> 02:55.740
where we don't recognize the Taliban as an actual government.

02:55.740 --> 03:00.360
They still are a terrorist organization that has an advanced persistent threat arm.

03:00.360 --> 03:02.940
They are high-level, secure, and stealthy.

03:02.970 --> 03:06.360
They are well coordinated and they're in it again for the long term.

03:06.360 --> 03:11.700
There's a lot of overarching goals and overarching complexities when it comes to nation state versus

03:11.730 --> 03:13.110
advanced persistent threat.

03:13.110 --> 03:17.250
And the goals are usually similar in make and in what they're trying to achieve.

03:17.280 --> 03:22.230
But again, the big difference between a nation state actor versus an advanced persistent threat is

03:22.230 --> 03:26.400
an advanced persistent threat doesn't have to have the nation state backing in order to move forward

03:26.400 --> 03:27.840
with its plans and goals.

03:27.840 --> 03:32.400
Russia is usually an advanced persistent threat that is not backed by the government.

03:32.400 --> 03:37.830
They use highly intelligent and highly sophisticated attacks, but they use them correspondingly within

03:37.830 --> 03:38.910
different groups.

03:39.090 --> 03:45.330
Their overarching goal may be long-term or maintaining access, and they're fairly coordinated,

03:45.330 --> 03:51.120
but they're not really funded by the government in most of their actions. This would

03:51.120 --> 03:54.840
align more to an advanced persistent threat as opposed to a nation state.

03:54.840 --> 03:59.550
That doesn't mean the nation state can't come in and say, hey, you're doing these types of things,

03:59.550 --> 04:02.430
and if you don't do what we want you to do, we're going to throw you in jail.

04:02.460 --> 04:06.660
That would then become a nation state actor that's utilizing an advanced persistent threat.

04:06.690 --> 04:10.380
The waters get really muddy between an APT versus a nation state.

04:10.380 --> 04:14.070
But just remember that an APT doesn't have to be funded by a nation state.

04:14.100 --> 04:17.640
A nation state is funded by the state itself or the government.

04:17.670 --> 04:20.040
Those are really the big differences between the two.

04:20.760 --> 04:24.840
Organized crime is usually in it for the financial gain or for the money.

04:24.870 --> 04:31.200
They're often organized and they're utilizing technology to extract or exploit financial gain out of

04:31.200 --> 04:38.040
the opportunity, and they use malware as their main form of injection, meaning that their overall goal

04:38.040 --> 04:39.000
is financial gain.

04:39.000 --> 04:42.990
And that's usually a short-term technology that they're exploiting.

04:42.990 --> 04:48.240
So with the Colonial Pipeline incident, we saw that they had locked everything down with ransomware,

04:48.240 --> 04:53.490
and then they required cryptocurrency in order for them to unlock it. That's organized crime.

04:53.520 --> 04:57.240
Remember, when it comes to organized crime, as far as threat actors are concerned, it's all about

04:57.240 --> 05:03.190
the money. Insider threats are intentional, usually disgruntled employees who are trying to do something

05:03.220 --> 05:05.440
against the network because they're holding a grudge.

05:05.470 --> 05:08.560
This is most related to somebody who maybe missed a promotion.

05:08.560 --> 05:10.750
Maybe they feel the company is keeping them down.

05:10.780 --> 05:16.090
It could be a variety of different reasons, but most often it's: I've got a disgruntled

05:16.090 --> 05:20.230
employee who was recently fired, or maybe they were written up for something, and they're intentionally

05:20.230 --> 05:22.510
doing something to the network out of spite.

05:22.540 --> 05:24.760
Now, it's not always intentional.

05:24.790 --> 05:29.830
Sometimes there's an unintentional consequence to that insider threat, and that can be clicking on

05:29.830 --> 05:33.520
a phishing email, accidentally downloading a piece of malware.

05:33.640 --> 05:38.530
It could be either unintentional or intentional, and both are considered insider threats.

05:38.530 --> 05:39.760
In CySA,

05:39.790 --> 05:44.170
you need to understand that if it's an employee and it's inside the internal network, it's considered

05:44.170 --> 05:47.890
an insider threat regardless if it's intentional or unintentional.

05:47.920 --> 05:49.750
CySA doesn't care.

05:51.220 --> 05:55.900
Script kiddies are usually your young people who are looking for a kick out of it.

05:55.900 --> 06:01.230
They really lack the technical expertise. Maybe they're getting into technology or cybersecurity for

06:01.230 --> 06:02.160
the first time.

06:02.160 --> 06:06.810
We often see this with college age students or even high school students, where they're really in it

06:06.810 --> 06:10.050
to show off to their friends or get a kick out of the experience.

06:10.050 --> 06:15.630
They have very low technical experience, low technical knowledge, but they usually find a tool online,

06:15.630 --> 06:18.870
or they watch a video to show them how to hack into something.

06:18.870 --> 06:23.370
And instead of keeping it in a virtual sandbox environment, they decide to do it against a website

06:23.370 --> 06:24.510
or against a company.

06:24.540 --> 06:26.520
Usually they're doing this for fun.

06:26.520 --> 06:32.460
Script kiddies are, in most cases, and I say most cases, young adults who are just trying to get a

06:32.460 --> 06:34.260
kick out of doing something for fun.

06:34.260 --> 06:39.060
They have very low technical expertise, and they're doing it with a makeshift tool that is already

06:39.060 --> 06:39.630
out there.

06:39.630 --> 06:43.290
Think your Maltego or your Metasploit technologies:

06:43.320 --> 06:45.510
well-adapted vulnerabilities that have already been discovered.

06:45.510 --> 06:49.710
And there's documentation out there, as well as tools that they could utilize by mostly just

06:49.710 --> 06:50.670
pushing a button.

06:50.670 --> 06:52.200
These are your script kiddies.

06:52.200 --> 06:55.770
Hacktivists could be either low technical or high technical.

06:55.770 --> 07:02.580
It doesn't really matter, but their overall goal is to wreak havoc on a network or on an industry, basically

07:02.580 --> 07:03.810
for political needs.

07:03.840 --> 07:09.420
They're really kind of trying to change the social perception of that organization.

07:09.420 --> 07:14.160
So in our most recent activity here in the United States, we saw a lot of different political gains

07:14.160 --> 07:18.960
that most people are trying to move for the political system, either one way or another.

07:18.990 --> 07:25.590
If a hacktivist were to come in and exploit a website and post a lot of propaganda for a candidate or

07:25.590 --> 07:28.380
against a candidate, that would be considered a hacktivist.

07:28.410 --> 07:30.750
But it doesn't just have to be for political candidates.

07:30.780 --> 07:36.750
It can be, you know, save the animals or save the whales, or I don't like this subway terminal because

07:36.750 --> 07:37.920
they let people off.

07:37.920 --> 07:43.680
When you think hacktivists, think inside the United States or inside the country of origin, trying to

07:43.710 --> 07:52.020
maneuver political perceptions against or for a specific arc. Their aim is usually well stated,

07:52.020 --> 07:55.440
and they very clearly identify what they're trying to accomplish.

07:55.470 --> 07:59.970
After all, it does no good to do a hack on a system and have it revealed to everybody

07:59.970 --> 08:01.650
if you can't tell them why you did it.

08:01.650 --> 08:05.970
And this is really the hallmark of what a hacktivist is all about when it comes to threat actors.

08:05.970 --> 08:11.370
As far as CySA is concerned, you need to get past just understanding what a hacktivist is using for

08:11.400 --> 08:14.220
or what a threat actor is trying to accomplish.

08:14.220 --> 08:20.070
You need to understand the specific principles that make up that threat actor and what their overarching

08:20.070 --> 08:22.050
goals are. Look at different keywords.

08:22.050 --> 08:23.910
Are they going for a political activity?

08:23.910 --> 08:25.410
Are they doing it for fun?

08:25.410 --> 08:27.540
Are they trying to get financial gain out of it?

08:27.540 --> 08:33.570
Maybe it's a long-term experiment that they're trying to pull off to get further information or industrial

08:33.570 --> 08:38.580
information further down the road, meaning it's a long-term plan of action.

08:38.580 --> 08:42.840
All of these are keywords that you need to be aware of for your CySA exam.

08:42.840 --> 08:49.200
Expect to see scenario-based questions that clearly identify what the goal is, or how they're going to achieve

08:49.200 --> 08:49.920
that goal,

08:49.920 --> 08:55.080
written out. Those will lead you clearly to the threat actor that you're trying to identify, and expect

08:55.080 --> 08:55.320
to see

08:55.350 --> 08:57.180
questions associated with that.
