CS0-002: CompTIA CySA+ Certification Exam (CS0-002) Certification Video Training Course Outline
Identify Security Control Types
Configuring Your SIEM
Analyzing Your SIEM
Analyzing Network IOCs
Analyzing Host-related IOCs
Analyzing Application-related IOCs
Analyzing Lateral Movement and P...
Incident Response Preparation
Detection and Containment
Eradication, Recovery, and Post-...
Frameworks, Policies, and Proced...
Analyzing Output from Vulnerabil...
Identity and Access Management S...
Network Architecture and Segment...
Hardware Assurance Best Practices
Non-technical Data and Privacy C...
Technical Data and Privacy Controls
Mitigate Software Vulnerabilitie...
Mitigate Web Application Vulnera...
Analyzing Application Assessments
Cloud and Automation
Cloud Infrastructure Assessments
Automation Concepts and Technolo...
CS0-002: CompTIA CySA+ Certification Exam (CS0-002) Certification Video Training Course Info
Gain in-depth knowledge for passing your exam with Exam-Labs CS0-002: CompTIA CySA+ Certification Exam (CS0-002) certification video training course. The most trusted and reliable name for studying and passing with VCE files which include CompTIA CySA+ CS0-002 practice test questions and answers, study guide and exam practice test questions. Unlike any other CS0-002: CompTIA CySA+ Certification Exam (CS0-002) video training course for your certification exam.
3. Threat Actors (OBJ 1.1)
In Security+, you learned about the various threat actor types, those people who wish to do us harm. Now, in this lesson, we are going to perform a quick review of some of these types because you are going to see a few questions about the various types of attackers who want to penetrate or infect your networks and systems on your CySA+ exam. Now, there are four main categories we're going to discuss. These are nation-states, organized crime, hacktivists, and insider threats. A nation-state actor is a type of threat actor that is supported by the resources of its host country's military and security services. Now, most nation-states, meaning most countries, have developed cybersecurity expertise, and they use cyber as a weapon to achieve their military and commercial goals as well as political goals. If you look through things like FireEye or Mandiant, they have a lot of reports out there on different types of APTs, or advanced persistent threats. APTs are generally going to be nation-state actors. Now, when you look at these, you're going to find some examples. For instance, Russia. Russia has a very strong presence in the cybersecurity threat world. And they're not just going after government systems, but sometimes they're also going after commercial systems that have a greater effect on some sort of objective they want. For example, maybe they would want to go after a power plant. Those power plants in the United States, for instance, are owned by civilian companies, not by our government. And therefore they would be going after a commercial actor to achieve a political goal of being able to hold our power plants at risk. Another example would be China. China is very big in the cyber-espionage area. They have a lot of different people working inside their nation-state cyberattack facilities. Now, inside China, they have different goals as well, and they may not align with Russia's or the United States' goals.
For instance, China is known to go after a lot of intellectual property inside the United States, and so that becomes an issue that people are thinking about as well. Another example is North Korea. North Korea has a nation-state apparatus for cyber attacks as well. Now, North Korea is kind of unique because a lot of times their targets are companies that can give them a financial gain. According to FireEye and Mandiant, North Korea has been behind some of the attacks that have led to things like ransomware, like WannaCry, and others that have been suspected to be tied back to them as a way for that regime to be able to finance their operations. Again, each nation-state has its own goals, resources, and levels of collaboration with one another and within its own organizations. So if you want to keep up to date on this, I do recommend taking a look at CrowdStrike, Mandiant, or FireEye because they're always putting out great information on these different APTs, or advanced persistent threats, that are tied back to these different nation-states. Organized crime is another threat actor that we must consider. Organized crime is a type of threat actor that uses hacking and computer fraud for commercial gain. In many countries, cybercrime has overtaken physical crime because it's easy and very lucrative. These organized crime groups can make a lot of money from all over the world from the comfort of their own home or office, as long as they have an internet connection. A lot of times, this is going to be financial fraud, blackmail, ransomware, or things of that nature. For instance, TrickBot, which was a very big Trojan back in 2018, was tied to a Russian-based organized crime unit that used it as a way to finance their operations. Our third type of threat actor that we're going to cover in this lesson is known as a hacktivist. Now, a hacktivist is a type of threat actor that is motivated by social issues or political causes.
The most well-known of these is Anonymous, but there are others like WikiLeaks, LulzSec, and many others that use their cyber weapons to promote their political agendas. In the case of Anonymous, they have had multiple different political agendas over the years, depending on what strikes their fancy at the time. If you want to learn more about hacktivists, simply type "hacktivists" into Google News, and you're going to find a lot of information about these different groups. But for the exam, I want you to remember that if you're dealing with a political or a social issue, the answer is going to be hacktivists. Now, the fourth category we have is what's known as an "insider threat." This is a type of threat actor whose assigned privileges on the system can be used to cause intentional or unintentional incidents. So when we talk about an insider threat, think of these as people who are already inside your network. For instance, it's your employees; it's somebody who already has access to the type of information that they would want and access to your systems. Now, within this group of internal threats, we have people who are either intentional or unintentional. Now, often the question I get from students is, "Does an insider threat have to be an employee?" And the answer is no. Sometimes it can be an ex-employee too. Now, if you have an ex-employee, this can actually be categorized one of two ways. They can be classified as an internal threat, or they can be treated as an external threat with insider knowledge. This means, for instance, if you worked for my company and we fired you and you were upset when you left, you didn't just forget everything you knew about our company. You may already know what types of systems we're using, what types of software we're using, and what types of internet connections we're using, and that gives you insider knowledge that can help you form an attack against us.
That's why it becomes a blurry line when you start dealing with ex-employees. But in general, when you talk about an insider threat, we are talking about a current employee, a current contractor, or somebody who has that insider knowledge because they're a former employee as well. Now, as you start dealing with insider threats, they have different motivations. And there are three main motivations that we like to talk about with insider threats. These are sabotage, financial gain, and business advantage. Now, as you start dealing with these and think about sabotage, this is an employee who has a grievance against you. Maybe you did something that made them feel unhappy. Maybe they don't like the way you're conducting your business; maybe you fired them. Whatever those things are, they now hold a grudge and they want to take it out on you. And that is why sabotage can be a big motivator for an insider threat. Another one is financial gain. People want to make money, and sometimes people get greedy. As a result, they may see an opportunity to profit financially by becoming a threat to your systems, and they take advantage of it. And the third one might be business advantage. Maybe they are on the payroll of your competitor, and they're stealing your information to feed back to them. Just like external threats, insider threats can be opportunistic or targeted. Going back to sabotage, this can be somebody who is trying to hurt your systems because they are angry and they want something done. Or if we think about financial gain, they just happen to come across the credit card number for the company, and they're going to use that information for their own financial gain. That's more opportunistic. Both of these are things that happen with insider threats, which we see in the industry all the time. Now, the other thing we have to do when we think about insider threats is figure out if this is intentional or unintentional.
Now, if it's intentional, this means the threat actor, in this case our insider threat, is conducting an attack with a specific purpose. They want to go forward, and they want to hurt your system. They have malicious intent. They know they're doing it. An unintentional threat actor, again in our case an unintentional insider threat, is one that causes a vulnerability or exposes an attack vector without malicious intent. A great example of an unintentional threat is someone who clicks on a link in a phishing email. They didn't have malicious intent. They didn't mean for your systems to get hacked. But by clicking that email link, they have opened up the firewall and let the attacker into another area. You'll find a lot of this unintentional insider threat is within shadow IT. When we talk about shadow IT, what we're referring to is the concept of systems or hardware that are on your network that you don't know about. They weren't sanctioned, and they didn't go through the change control process. For instance, if I took a WiFi access point and plugged it into the network jack in my office, I have now expanded that network into the wireless domain, and that is shadow IT because nobody else knows that I did that. That would be something that didn't have malicious intent. Maybe I just wanted to be able to access my laptop without being tied to the wall, and so I put this access point in. But by doing that, I have now opened up a new vulnerability. This is why insider threats are really difficult to deal with. So I want you to remember to be aware of your insider threats. They are probably the most dangerous thing that you have to deal with because if they're a current employee, they still have permissions to your network, and they can log on and access files and folders and install programs and do all sorts of stuff.
And a lot of times your technical controls aren't going to be able to stop them because most of our technical controls are helping to prevent people from the outside from coming in. And we usually have this idea that, on the inside, our employees are trusted. Now that has shifted over the past few years because again, all these unintentional insider threats are an issue for us as well. But I will tell you, after doing this for many years, insider threats are still the number one risk factor for most of us within our organizations.
4. Malware (OBJ 1.1)
Another aspect of threat classification is describing the various types of adversary tools known collectively as malware. Now, we're not going to cover the basic malware like viruses, worms, Trojan horses, rootkits, and ransomware because you should already be familiar with all of those from your A+ and your Security+ studies, and we've gone far beyond that in this course. Instead, we're going to focus on three types of malware: commodity malware, zero-day malware, and command and control. When I talk about commodity malware, we're talking about malicious software applications that are widely available for sale and are easily obtained and used. Now, you can usually find these on the dark web or the darknet, and there are online marketplaces where you can buy remote access Trojans, things like Poison Ivy, DarkComet, Xtreme RAT, and many other types of malware out there. These things are all available online for a fee, where you can download them and then start using them as part of your attacks if you're a bad guy. Now, these are commodity malware because they are generic, off-the-shelf pieces of malware. But there is also targeted or custom malware that can be developed and deployed with a specific target in mind. When you're dealing with commodity malware, it's generic, and it's going against everybody. But when you're dealing with targeted or custom malware, there is a specific target in mind. And so, knowing this can help you identify that malware. And if you determine whether it's commodity or targeted, this can help you determine the severity of an incident, because if somebody is using targeted malware against your organization, there is a higher severity to that incident for you because you're being targeted. You're not just randomly hit by a drive-by piece of malware. And so this is something that's important for you to consider. Now, the next thing we have to think about here is a zero-day vulnerability.
A zero-day vulnerability is any vulnerability that is discovered or exploited before the vendor can issue a patch for it. Now, this is where we get our zero-day malware from: malware that attacks this zero-day vulnerability. When we talk about a zero-day, this usually refers to the vulnerability itself. But in recent years, people have started saying "zero-day malware" as well, referring to the attack or the malware that is exploiting that zero-day. You may see either term used on the exam. When they talk about a "zero-day," they may be talking about the vulnerability or the malware, so read the question to understand the context. Now, the next thing we have to think about when we talk about this zero-day malware is: how serious is it? Well, zero-day exploits are big business. These things cost a lot of money and a lot of time to develop. For example, if you're a bug bounty hunter and you start finding zero-day vulnerabilities, you can actually get lots of money for turning those over to the company because they don't want those out on the open market. But you can also sell those to different governments and law enforcement agencies, and even on the dark web. And some of these zero-day exploits have gone for millions of dollars. There is one that sold for over $1 million that targeted Apple iPhones. These things are big business now because they cost so much money. Most adversaries will only use a zero-day vulnerability for a very high-value attack. They're not going to waste these. And so generally, what you're going to see is that people tend to try to attack something with a generic or off-the-shelf piece of malware first to get into the network. And if that target is valuable enough and they can't get in through other means, then they would go and use their zero-day. Countries and nation-states frequently stockpile these zero-days in order to use them for spying, espionage, and other highly valuable purposes.
Now, the third thing we want to talk about is command and control. But before we do that, we need to talk once more about APTs. APT originally referred to the person, but now it refers more to the capability. An APT is an attacker's ability to obtain, maintain, and diversify access to network systems using different exploits and malware. This can be done through commodity malware or through targeted or custom malware. Either way, when that attacker gets into your system, they don't want to get out. In general, this APT capability is found in nation-states and organized crime actors. Now, in terms of classification, we talk about our knowns and our unknowns. When we talk about APTs, these are considered known unknowns, meaning we know that they're out there and we know they're trying to attack us, but we don't know exactly how they're going to do it because they're always modifying their techniques and they're always getting better all the time, and so this makes them a known unknown threat. Now, when we deal with APTs, a lot of times they will go out and use commodity malware or other off-the-shelf technologies to try to infect as many machines as possible. Then they'll have those report back to what's called a C2 node, or a command and control node. A C2 node is any infrastructure of hosts and services with which attackers direct, distribute, or control malware over botnets. And so often they will build up these large botnets, especially if you're dealing with a crime organization. Now, as they do this, you're going to have all these different machines all around the world that connect back to the botmaster who is in charge of the C2 network, and they can then issue a command to use those machines in any way they see fit. They may use them as a pivot point into somebody else's network to attack that network from there. So as law enforcement tries to track it back, they find this innocent bot as opposed to the botmaster.
Also, we can take all these machines and then use them to attack a single target if we're doing a distributed denial of service attack, for instance. And this is the whole idea of using a C2: it's a single point of contact that we can then use to talk to everybody else across our networks to do the bidding that we want to do. And APTs make extensive use of this. What is usually the target of an APT? Well, generally, they're going to target financial institutions, healthcare companies, and even governments because they all have large PII data sets that can be turned into money. Additionally, they may go after governments to carry out political objectives like interfering in elections or spying on another country to figure out what they're going to do in the larger geopolitical sphere. Now, one other key thing about an APT is that generally, an APT is not a single person but a group of people. Generally, you're going to have a staff that has different realms of expertise. For instance, I may have one person whose job it is to break down the front door and get into the system. I may have another person whose job it is to make sure that when they're in that system, they have persistence and don't get kicked out. I may have another person who's a linguist who can help me translate the information I'm getting. For instance, we talked earlier about the fact that Russia, China, and North Korea all have APT teams that go out and attack other companies and countries and things like that. Well, if I'm in China and I break into an American company, their information is probably written in English, and if my hacker only speaks Chinese or Mandarin, that would be an issue. So we may have a linguist there to help translate that information for them. This is all the type of thing we need to think about when we think about APTs, because they are well funded, they have a team of people, and they are all working together against you. Now, I just mentioned the idea of persistence.
What is persistence? Persistence is the ability of a threat actor to maintain covert access to a target host or network. This means that once I break in, I can stay in your network for long periods of time. Studies have shown that the average APT infection is on your network for six to seven months before it is detected. That is a long time, and they can do a lot of stuff on that network without you ever knowing they're there. That is going to be one of the things we have to start figuring out: how do we detect these APTs? How can we find out if they're in our network? And as we go through this course, we'll talk more about indicators of compromise and how we can start detecting them earlier in the cycle so we can get them out of our network quicker.
5. Threat Research (OBJ 1.2)
In the last few lessons, we discussed the different types of threat classifications and threat types. Now, in this lesson, we're going to focus on the concept of threat research. As I said before, historically, we used malware and threat signatures to detect malicious activity. But this is becoming less and less effective with the rise of more sophisticated adversary tactics. Because of this, cybersecurity analysts like you have to move away from the use of a single static signature and instead start identifying and correlating multiple indicators of compromise to identify those attacks. This becomes essential when conducting threat hunting as well, which we're going to focus on more in depth later on in this course. For now, though, we're going to take a look at three different concepts in this lesson: reputational threat research, indicator of compromise research, and behavioral threat research, and how we're going to use these three to identify threats during our research. Now, the first area is reputational threat research. And here we have to focus on the reputation of something, or reputational data. When we talk about reputation data, these are things like blacklists of known threat sources such as malware signatures, IP address ranges, and DNS domains. All of this data helps to provide the foundation for what we'll use in our research because it tells us known bad things. For instance, this website gives out malware, this IP address was seen in an attack, and other similar situations. Now, one of the ways that we can see these different things based on reputational data is by looking at sites like Talos Intelligence. Here on the screen, you can see the homepage for the Talos Reputation Center. This site tracks the activity of each source address and rates it with a granular reputation score and a basic score of good, neutral, or poor. This basically tells us: Do we have a good reputation or a bad reputation?
Just like in the real world, when you meet somebody new, you have to know if they are somebody you can trust or if they are somebody you can't trust. Their reputation is what's going to tell you that. Similarly, an email address, an IP address, and other things do have reputations associated with them, and these are going to be either good, poor, or neutral. The second area we want to talk about is indicators of compromise. Now, an indicator of compromise is a residual sign that an asset or network has been successfully attacked or is continuing to be attacked. Now, when we talk about an IOC, or an indicator of compromise, these can be all sorts of different things like a hash value, an IP address, a file being left on a system, or anything else like this: anything that gives us a clue that something has happened on this system. For example, here on the screen, you can see a list of IOCs from a particular incident. You'll notice the source, the summary, and the attribute. For instance, the source could have been the file system, the registry, or prefetch, or something like that. The summary is what we are actually looking for, and the attribute is whether it was created, modified, visited, or whatever the action was. Now, based on our analysis, we can piece together a preliminary narrative of what we think happened based on all these indicators of compromise. For instance, the attacker may have sent a spear phishing email that contained a malicious PDF attachment known as an Ultra Widget PDF. When this person saved it to the desktop at this time, we noticed that Windows\SysWOW64\Acmclinup.exe was created, and a run key was used for persistence five minutes later. This is another indicator of compromise. As we go through these events, we can see all the different things that happen, from opening this file to installing that software to running that software, and all the different things that happened on the system.
Now, as I said, each of these things individually is an indicator of compromise, and a single thing could reference multiple different attacks or multiple different people. But as we start looking at these indicators of compromise and put them together, we can start figuring out those patterns. Now, what are some other things you can look at for indicators of compromise? Well, you might have unauthorized software and files on the system. You might have suspicious emails. You might have suspicious registry and file system changes. You might see unknown port and protocol usage. There might be excessive bandwidth usage. There might be rogue hardware on your network. You might find a service disruption or defacement, or you might see suspicious or unauthorized account usage. All of these are types of indicators of compromise. Later on, when we get into Domain Three of this course, we're going to talk more about threat hunting and developing your own indicators of compromise. For the exam, you need to not just know what these basic categories are, but you also need to be able to identify them. If I show you a snippet from a log, you need to be able to look at that and say, "Based on this log, I see that this bad thing happened, and this is an indicator of compromise," and it indicates that we had unauthorized software and files on the network or something of that nature. Remember, an IOC is evidence that an attack was successful. In addition to this, you may hear the term IOA, which is an indicator of attack. This is a term used for evidence of an intrusion attempt that is in progress right now. So maybe on that long list of IOCs I showed you on the screen, we've only gotten through the first one or two of those. That might be an IOA, an indicator that an attack has begun, but the entire attack has not finished and has not been successful yet. So this is the difference between an IOC and an IOA.
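The IOC table, the reputation check, and the IOC-versus-IOA distinction above can all be expressed as a small correlation routine. The following is an added example written for this lesson, not code from the course or from any vendor; the blacklist values, hostnames, file paths, and the `PHISH_TO_C2` stage list are all constructed and are assumptions, modelled on the spear-phishing chain the lesson narrates (PDF saved, executable dropped, Run key written, beacon out).

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Iterable

# Constructed reputation data standing in for a feed such as Talos or a
# commercial blacklist. None of these values are real indicators.
BAD_HASHES = {"0123456789abcdef0123456789abcdef"}   # placeholder MD5
BAD_DOMAINS = {"update-check.invalid"}              # reserved .invalid TLD
BAD_IPS = {"203.0.113.45"}                          # RFC 5737 documentation range


@dataclass
class Event:
    """One row of an IOC table: where it was seen, what it was, and the action."""
    time: datetime
    host: str
    source: str       # "file system", "registry", "prefetch", "network"
    summary: str      # the artifact itself: path, key, domain, hash
    attribute: str    # "created", "modified", "visited", "resolved", ...


# An attack pattern as an ordered list of stages (assumed, constructed for this
# example). Each stage is a (source, attribute, substring) triple; the
# substring must appear in the lower-cased summary.
PHISH_TO_C2 = [
    ("file system", "created", ".pdf"),
    ("file system", "created", ".exe"),
    ("registry", "created", "\\currentversion\\run\\"),
    ("network", "resolved", ".invalid"),   # constructed C2 domain
]


def reputation_hits(events: Iterable[Event]) -> list:
    """Flag events whose summary contains a blacklisted hash, domain or IP."""
    hits = []
    for ev in events:
        text = ev.summary.lower()
        for value in sorted(BAD_HASHES | BAD_DOMAINS | BAD_IPS):
            if value in text:
                hits.append((ev, value))
    return hits


def matched_stages(events: Iterable[Event], pattern) -> int:
    """How many stages of `pattern`, taken in order, appear as a subsequence
    of the host's events sorted by time. Order matters: a Run key created
    before the dropper exists does not advance the match."""
    stage = 0
    for ev in sorted(events, key=lambda e: e.time):
        if stage == len(pattern):
            break
        src, attr, needle = pattern[stage]
        if ev.source == src and ev.attribute == attr and needle in ev.summary.lower():
            stage += 1
    return stage


def classify(events, pattern) -> str:
    """IOC: the whole chain completed, so the attack succeeded.
    IOA: the chain has started but not finished, so an attack is in progress.
    none: no stage observed."""
    n = matched_stages(events, pattern)
    if n == len(pattern):
        return "IOC"
    return "IOA" if n > 0 else "none"


def narrative(events) -> list:
    """Preliminary timeline of one host's events, one line per event."""
    return [f"{ev.time:%H:%M} {ev.source}: {ev.summary} ({ev.attribute})"
            for ev in sorted(events, key=lambda e: e.time)]


# Constructed sample events for two workstations (paths and names made up).
T0 = datetime(2024, 1, 15, 9, 0)
HOST_A = [
    Event(T0, "ws-a", "file system", r"C:\Users\jdoe\Desktop\UltraWidget.pdf", "created"),
    Event(T0 + timedelta(minutes=1), "ws-a", "file system", r"C:\Windows\SysWOW64\dropper.exe", "created"),
    Event(T0 + timedelta(minutes=6), "ws-a", "registry", r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\dropper", "created"),
    Event(T0 + timedelta(minutes=7), "ws-a", "network", "update-check.invalid -> 203.0.113.45", "resolved"),
]
HOST_B = [
    Event(T0, "ws-b", "file system", r"C:\Users\asmith\Downloads\invoice.pdf", "created"),
    Event(T0 + timedelta(minutes=2), "ws-b", "file system", r"C:\Users\asmith\AppData\Local\Temp\svc.exe", "created"),
]

if __name__ == "__main__":
    for host in (HOST_A, HOST_B):
        print(host[0].host, classify(host, PHISH_TO_C2), [v for _, v in reputation_hits(host)])
        print("\n".join(narrative(host)))
```

Run stand-alone, `ws-a` classifies as an IOC (all four stages seen in order, plus two reputation hits on the beacon), while `ws-b` classifies as an IOA: a PDF and an executable appeared, but no persistence or beacon yet, which is exactly the "first one or two of those" situation the lesson describes. The ordered-subsequence match is what makes the same events tell different stories when they arrive in a different order.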
Most of the time in the industry, though, we talk about IOCs, or indicators of compromise, and you'll hear me refer to that a lot throughout this course. Now, a third area is behavioral threat research. Behavioral threat research is a term that refers to the correlation of IOCs with different attack patterns. Like I said, we took all these different IOCs, and if I see them in this particular order, that may indicate that adversary X has done this. And if I see them in a different order, it might be that adversary Y has done this. And that is based on their TTPs: all their different strategies and the way they do business. When you talk about TTPs, these are your tactics, techniques, and procedures. These are behavior patterns that were used in historical cyber attacks, and they tell you what the different adversary actions are. By learning these, you're going to be able to start understanding the way your adversary thinks and how you can try to get one step ahead of them to prevent them from getting further into your networks. Now, there are lots of different areas that we talk about when we talk about TTPs. There are different TTPs that have different actions. For instance, we have DDoS, distributed denial of service. We have viruses or worms. We have network reconnaissance. We have APTs, and we have data exfiltration. When I talk about a DDoS, this is a distributed denial of service attack. This is where you might see a traffic surge coming to you from multiple different areas. The idea here is that an attacker can leverage their botnet to try to take down your service. And if you notice unusual activity coming into your servers from all over the world, it could be an indication that a DDoS attack is underway. Another thing we might look at is viruses and worms. If I start looking at your system and I see high CPU or memory usage, this could be a sign that there is some kind of malware infecting your host.
Or you might see a virus detection alert if there's a known signature. But again, if this is a new piece of malware, a new virus or worm, you're going to have to look for secondary effects like high CPU, high memory, high network usage, and things like that. Now, another TTP that might be used is network reconnaissance. Somebody might be scanning your systems, and you can detect that. For instance, if I start scanning your system and I start at port one, then port two, then port three, then port four, you can see that as a port scan inside your logs. This is a form of network reconnaissance. And you can associate that action with my TTP of scanning you before I'm going to attack you. The next thing we want to talk about is APTs, and we've talked about this already. An advanced persistent threat is where the attacker needs to have some sort of command and control over your system to maintain persistence and be able to do things on your system. So one of the big things you're going to be looking for from an APT when you're trying to define their TTPs is, "What is their C2 mechanism?" Because the C2 mechanism is usually unique to each and every APT that exists. Now, some of the C2 mechanisms and servers can use different things as a way to hide themselves. And there are two really common ones: port hopping and fast-flux DNS. Now, port hopping is when an APT's C2 application might use any port to communicate from. So it might use port 22 right now, and if it thinks it's being detected, it will jump to port 53 and then jump to port 12580 or whatever port it's going to use. And by jumping between ports, it can try to evade detection as well. Another method they use is fast-flux DNS. This is a technique that rapidly changes the IP address associated with a domain. So what ends up happening here is that you have one domain name, but you have multiple IP addresses that are associated with it.
And so even if you start blocking IP addresses, they can change the back-end IP address and still route their communications to the C2 server. This allows an adversary to defeat your IP-based blacklisting, and it allows them to maintain communication and remain an advanced persistent threat by maintaining that channel of communication between them and your machine. Now, one of the ways you can detect this fast-flux DNS is by looking at the communication patterns that emerge as these changes keep happening, because we're going to see that your machine went from this IP to that IP to this third IP to the fourth IP, and that can be detected through your proxy logs. Now, the last behavior or TTP we want to talk about is data exfiltration. And this is a big one these days. You can see this by looking at your database or your file shares and seeing a high volume of network transfers. If you look at your logs and you see a big change in the amount of data that's being sent out, that could indicate that you have a data exfiltration in progress. For instance, if I look at my servers and I know that every week we normally have 2GB worth of data that's transferred to our students, but this week we have 60GB, that could be a possible IOC and a possible behavior that I need to look into that might be data exfiltration. Now, notice I said might. It doesn't always mean that it is. When I look into it, I might determine that I sold 30 times as many courses as I normally do. So with 30 times more students, I would have 30 times more data. And so that would be an explained anomaly and not a data exfiltration. But if I look and say, "Well, I had 100 students last week and 100 students this week, and I went up by 30 times the amount of data," something isn't right. And so we'd have to look into that further to see if this is a data exfiltration event.
Another indication of data exfiltration might be if you see file types, compression, or encryption being used on data that you normally don't have that.This is especially true within your networks. For example, when you get data from my server, it is encrypted because we have an HTTPS connection between your computer and my Web server. But if you have two computers on your local area network and you're sending data back and forth between them, most of the time you're not encrypting that data. If you start seeing a lot of encryption within your network, that is something that might be an indicator of data exfiltration.
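The three patterns above (one source fanning out across ports on a host, one domain resolving to a rotating set of short-TTL addresses, and an unexplained jump in per-client outbound volume) are all things you can write a first-pass detector for. The following Python is an added example and is not part of the course; the log formats and the thresholds are assumptions, and every log line is constructed.

```python
"""First-pass detectors for three of the TTP patterns discussed above:
a port scan, fast-flux DNS resolution, and an outbound-volume anomaly.

Added example, not part of the course. The log formats below are
assumptions, not any product's real format, and every line is constructed.
"""
from collections import defaultdict

# Constructed connection log: "<epoch> <src_ip> <dst_ip> <dst_port>"
CONN_LOG = """\
1000 10.0.0.5 10.0.0.20 21
1001 10.0.0.5 10.0.0.20 22
1002 10.0.0.5 10.0.0.20 23
1003 10.0.0.5 10.0.0.20 25
1004 10.0.0.5 10.0.0.20 53
1005 10.0.0.5 10.0.0.20 80
1006 10.0.0.5 10.0.0.20 110
1007 10.0.0.5 10.0.0.20 143
1100 10.0.0.7 10.0.0.20 443
1200 10.0.0.7 10.0.0.21 443
"""

# Constructed DNS resolver log: "<epoch> <client_ip> <qname> <answer_ip> <ttl>"
DNS_LOG = """\
2000 10.0.0.5 update.example.net 198.51.100.10 120
2400 10.0.0.5 update.example.net 203.0.113.8 120
2800 10.0.0.5 update.example.net 192.0.2.77 120
3200 10.0.0.5 update.example.net 198.51.100.200 120
3600 10.0.0.5 update.example.net 203.0.113.41 120
2000 10.0.0.7 cdn.example.org 192.0.2.10 86400
5000 10.0.0.7 cdn.example.org 192.0.2.10 86400
"""


def find_port_scans(log, min_ports=6, window=60):
    """(src, dst) pairs where one source touched >= min_ports distinct ports
    on one host within `window` seconds. Ports need not be sequential: a
    randomised scan still fans out across ports, which is what we key on."""
    events = defaultdict(list)  # (src, dst) -> [(ts, port), ...]
    for line in log.splitlines():
        ts, src, dst, port = line.split()
        events[(src, dst)].append((int(ts), int(port)))
    hits = []
    for key, evs in events.items():
        evs.sort()
        for i, (t0, _) in enumerate(evs):
            ports = {p for t, p in evs[i:] if t - t0 <= window}
            if len(ports) >= min_ports:
                hits.append(key)
                break
    return hits


def find_fast_flux(log, min_ips=4, max_ttl=300, window=3600):
    """Domains that resolved to >= min_ips distinct addresses inside `window`
    seconds while advertising TTLs <= max_ttl. The short TTL is what lets the
    adversary rotate the back-end address faster than you can block it."""
    answers = defaultdict(list)  # qname -> [(ts, ip, ttl), ...]
    for line in log.splitlines():
        ts, _client, qname, ip, ttl = line.split()
        answers[qname].append((int(ts), ip, int(ttl)))
    flagged = []
    for qname, recs in answers.items():
        recs.sort()
        for i, (t0, _, _) in enumerate(recs):
            ips = {ip for ts, ip, ttl in recs[i:]
                   if ts - t0 <= window and ttl <= max_ttl}
            if len(ips) >= min_ips:
                flagged.append(qname)
                break
    return flagged


def exfil_ratio(baseline_bytes, baseline_clients, current_bytes, current_clients):
    """Outbound bytes per client now, divided by bytes per client in the
    baseline period. Raw volume that grows with the client count is an
    explained anomaly; per-client volume that grows is not."""
    per_client_base = baseline_bytes / baseline_clients
    per_client_now = current_bytes / current_clients
    return per_client_now / per_client_base


def is_suspicious_volume(baseline_bytes, baseline_clients,
                         current_bytes, current_clients, threshold=5.0):
    """True when per-client outbound volume jumped by `threshold` or more."""
    return exfil_ratio(baseline_bytes, baseline_clients,
                       current_bytes, current_clients) >= threshold


if __name__ == "__main__":
    GB = 10 ** 9
    print("port scans:", find_port_scans(CONN_LOG))
    print("fast flux:", find_fast_flux(DNS_LOG))
    # 2 GB/week to 100 students, then 60 GB: explained with 3000 students, not with 100
    print("ratio, 30x students:", exfil_ratio(2 * GB, 100, 60 * GB, 3000))
    print("ratio, same students:", exfil_ratio(2 * GB, 100, 60 * GB, 100))
```

The exfiltration check deliberately normalises by client count rather than alerting on raw volume, which is the "explained anomaly" point from the lesson; in a real SIEM you would compute the baseline from several prior periods and tune the window and thresholds to your own traffic.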
6. Attack Frameworks (OBJ 1.2)
Attack frameworks. In this lesson, we're going to talk about three different attack frameworks: the Lockheed Martin kill chain, the MITRE ATT&CK framework, and the diamond model of intrusion analysis.

First, let's talk about the kill chain. This kill chain model was first developed by Hutchins, Cloppert and Amin under contract for the Lockheed Martin Corporation, and it was then released into the public domain for everyone to use. The kill chain is a seven-step method that starts with reconnaissance and then moves into weaponization, delivery, exploitation, installation, command and control, and actions on objectives. As you can see, it is very linear, going from the top all the way down to the bottom, starting with step one and ending at step seven. This is an older model, and newer frameworks take more of an iterative approach, but let's go through it step by step so we can see what happens in each stage, because it is still a good way to think about things.

First, we have reconnaissance. In this stage the attacker determines what methods they need to use to complete the other phases of their attack. One of the big issues here is that the attacker doesn't want to get caught while doing reconnaissance, so they try to be sneaky: they use open-source and passive information gathering so that they cannot be detected. In this phase you can use both passive and active scanning techniques against the target network, but generally we start with passive information gathering and then move into active scanning. By the time you are done with reconnaissance, you should have a good idea of what that network looks like, what software they are using, and what vulnerabilities may exist. At that point, we can start figuring out how to move into phase two, weaponization.

During weaponization, the attacker couples payload code that will enable access with exploit code that goes after a vulnerability to execute on that target system. By doing this, you are coding or creating the malware or the exploit you want to run, but you are not running it yet. You have only created it inside your own lab and haven't sent it to the victim system.

This brings us to step three, delivery. This is where the attacker identifies a vector by which they can transmit the weaponized code to the target environment. This may be by email, or by dropping a USB drive loaded with that malware in the parking lot. Whatever the mechanism is doesn't really matter right now; we just have to get it there, and that is what delivery is all about.

Step four is exploitation. This is where the weaponized code is actually executed on the target system by whatever mechanism you chose. If you sent them an email with a phishing link and they click that link, sending the email was delivery; clicking the link is when exploitation happens and they actually start running that code. Or if you dropped it on a USB drive and they plugged that into their system and autorun started the code, that would be exploitation. At this point, the code has been run.

This brings us to step five, installation. During installation, a mechanism enables the weaponized code to run a remote access tool and achieve persistence on that target system. So if we had a stage one dropper that ran as part of exploitation, we have now downloaded and installed our stage two. This is our installation, and it gives us control of that system going forward and the persistence we are looking for.

At that point, we move into step six, command and control, or C2. This is where the weaponized code establishes an outbound channel to a remote server that can then be used to control that remote access tool and possibly download additional tools to help you progress in your attack. At this point you pretty much own the system: you have access to it, you can remote into it, and you can run commands on it. That is what C2 is all about.

The final step is actions on objectives. This is where the attacker uses the access they have achieved through steps one through six to start doing what they wanted to do. That may be transferring data from the remote system, such as data exfiltration, or some other goal or motive. Whatever their goal was when they started reconnaissance, they have now achieved it by being on the system with two-way communication through command and control, and now they can perform actions on objectives.

When we look at this kill chain going from step one all the way down to step seven, we use it to do an analysis. A kill chain analysis can be used to identify defensive courses of action by countering the progress of an attack at each stage. So if I can map out all the ways somebody can break into my system, run malicious code, gain persistence, do C2 on my servers, and carry out some kind of action, I can then put in things to block that. I can try to detect it, deny it, disrupt it or degrade it, and I might want to try to deceive them or destroy their capabilities. These are the six Ds we are going to try to apply against an attacker who is trying to break into our systems. This is the idea of using the kill chain and why we do this.

Now, as I said, this is a very linear method, but there are newer methods that work in more of an iterative manner or let you think holistically across multiple lines of attack. The MITRE ATT&CK framework is one of those models: because the kill chain was criticized for focusing too much on perimeter security with that linear outside-in method, the MITRE ATT&CK framework was developed. MITRE ATT&CK is a knowledge base, maintained by the MITRE Corporation, that lists and explains specific adversarial tactics, techniques, and common knowledge, which is where the name ATT&CK comes from; together with the specific procedures adversaries follow, these are the TTPs. You can find all of this at attack.mitre.org, a free website where you can look at all this information.

Where the kill chain was a very linear process, MITRE ATT&CK is not. It uses a matrix model, and you can see that on the screen. Notice there are different columns, and each one is a tactic, the adversary's goal at that point in the attack. For instance, there is defense evasion, credential access, discovery, lateral movement, and execution. Underneath each tactic are the techniques an attacker could use to accomplish that particular goal. Again, this is a free resource, and you can go play with it at attack.mitre.org. When you go there, you are going to see something that looks like this, which is what we call the ATT&CK Navigator. From here you can select different techniques and highlight them with different colors. What you are seeing on the screen is one actor's TTPs that we have mapped out based on what we know: if we are talking about APT28, for example, these are the techniques they have been known to use, and if you click on each one you get more details about that particular TTP. This is a great model for mapping out an overall adversary and all the capabilities they use in their different attacks. So we can compare one adversary to another, and if we are doing incident response we can start looking: I have noticed this, this and this, they fall into these columns, and when I compare that against the MITRE matrix I know it is common for this particular adversary. That might help me figure out what defenses to use.

As you look at this chart, you may notice that it is very focused on the exploitation and post-exploitation phases and not really on the reconnaissance phase. So if we go back and look at reconnaissance, there was another matrix called the PRE-ATT&CK matrix. The PRE-ATT&CK tactics matrix aligns with the reconnaissance and weaponization phases of the cyber kill chain, and that way we can also see what those things look like and try to detect them before they become a real attack, while they are still in the pre-attack phase, because if we can get it earlier we are further left of boom and can prevent it from becoming a full-blown incident. (Since ATT&CK v8 in October 2020, PRE-ATT&CK has been retired and folded into the Enterprise matrix as the Reconnaissance and Resource Development tactics, so on the current site you will find those techniques in the first two columns of the Enterprise matrix.)

The third model I want to talk about is the diamond model of intrusion analysis. This model is used to represent an intrusion event. Any intrusion event has some relation to these four core features: the victim, the capability, the adversary and the infrastructure, as you see on the screen. You can also put some meta-features in there, things like a timestamp, which phase you are in, the result, the direction, the methodology or the resources, but the four core features are where the focus is. For each event we map these out and look at this model, because it allows an analyst to exploit the fundamental relationships between the different features.

If we start here, the victim starts this process: they discover there is malware. That points to capability, because we now see what the adversary can do and that we have been had. As we go through our incident response, we see that the malware contains a C2 domain, and that points to infrastructure, because C2 is an infrastructure problem. Once we look at that, we see the C2 domain resolve to a C2 IP address; again, that's infrastructure, so we are still in the same place. As we dig further, we might look at our firewall logs, and those reveal which victims have been contacting that C2 IP address, so that points back down to the victim. But that IP address is owned by somebody, and it provides details about the adversary, so that now points to the adversary. You can see with these arrows how these different things tie together, and very quickly you can see where to focus your efforts. For instance, if I focus on the C2 infrastructure, that is going to point me towards the adversary and the victims in this case, and it really does help me pinpoint those things much quicker using this type of model.

For each event we also define a tuple, in the format E = {...}: basically an array of information that contains the adversary, the capability, the infrastructure and the victim, plus things like the timestamp and the other metadata we have. By putting all this information into this format, we can then use it inside some sort of automated system, for instance our SIEM, which can correlate all this information for us.

Each of these three models has its benefits and drawbacks, and the good thing is that you can use them individually or combine them and get the best of both worlds. For instance, if I wanted to combine the diamond model with the kill chain, I might get something that looks like this. Going from top to bottom I have the different steps of the cyber kill chain, and then I have three different threads going across. As I track these threads, I look at where they are inside the diamond model. You can see how I went from one to two all the way down to fourteen, and in there I have three different threads, or three different attacks, that could be three different adversaries, and how these things connect to each other based on the four areas of the diamond. So starting with one, we got up to capability, and that tied into the infrastructure of attack number two, and then as we went down to number three, that took us from the victim of number two into the adversary of number three, and so on. As we connect all these things together, the real benefit is using them together to model the behavior of our adversaries so we can better define how we are going to stop them, using our analysis to define our defensive techniques.
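To make the diamond model tuple and the combined kill-chain view concrete, here is an added Python example (not course material) that encodes each intrusion event as the tuple the lesson describes, walks the victim-to-capability-to-infrastructure-to-adversary pivot, orders the resulting events into a kill chain thread, serialises them for a SIEM, and exports the observed technique IDs as an ATT&CK Navigator layer. The sandbox, passive-DNS, firewall and ownership records, the host names and the adversary name ACTOR-X are constructed; the technique IDs are real ATT&CK IDs, and the version strings in the layer header are assumptions.

```python
"""Diamond-model event tuples with kill-chain phase metadata, the
victim -> capability -> infrastructure -> adversary pivot walked in the
lesson, and export of the observed techniques as an ATT&CK Navigator layer.

Added example, not course material. The sandbox, passive-DNS, firewall and
ownership records, the host names and the adversary name ACTOR-X are
constructed. The technique IDs are real ATT&CK IDs; the version strings in
the layer header are assumptions.
"""
import json
from collections import Counter
from dataclasses import asdict, dataclass

KILL_CHAIN = ["reconnaissance", "weaponization", "delivery", "exploitation",
              "installation", "command-and-control", "actions-on-objectives"]


@dataclass(frozen=True)
class DiamondEvent:
    """E = (adversary, capability, infrastructure, victim) plus meta-features."""
    adversary: str
    capability: str
    infrastructure: str
    victim: str
    timestamp: int
    phase: str                 # kill-chain phase (meta-feature)
    techniques: tuple = ()     # ATT&CK technique IDs observed in this event
    result: str = "unknown"
    direction: str = "unknown"


# Constructed evidence the pivot walks, in the order the lesson describes.
SANDBOX = {  # capability: what detonating the sample revealed
    "sample-1": {"c2_domain": "update.example.net",
                 "persistence": ("T1547",),
                 "c2": ("T1071.004", "T1568.001", "T1041")},
}
PASSIVE_DNS = {"update.example.net": ["198.51.100.10", "203.0.113.8"]}
FIREWALL = [("ws-17", "198.51.100.10"), ("ws-42", "203.0.113.8"),
            ("ws-17", "203.0.113.8"), ("ws-09", "192.0.2.1")]
INFRA_INTEL = {"198.51.100.10": "ACTOR-X", "203.0.113.8": "ACTOR-X"}


def pivot(first_victim, sample, now=0):
    """Start from the victim that found malware, pivot to the capability
    (the sample), to its C2 domain and IPs (infrastructure), then from the
    IPs back to every victim talking to them and out to the adversary."""
    cap = SANDBOX[sample]
    events = [DiamondEvent("unknown", sample, "unknown", first_victim, now,
                           "installation", cap["persistence"], "success")]
    for ip in PASSIVE_DNS.get(cap["c2_domain"], []):
        adversary = INFRA_INTEL.get(ip, "unknown")
        victims = {src for src, dst in FIREWALL if dst == ip}
        for victim in sorted(victims):
            events.append(DiamondEvent(
                adversary, sample, f"{cap['c2_domain']}/{ip}", victim, now,
                "command-and-control", cap["c2"], "success",
                "victim-to-infrastructure"))
    return events


def activity_thread(events):
    """Order events as the combined kill-chain/diamond view does: by phase, then time."""
    return sorted(events, key=lambda e: (KILL_CHAIN.index(e.phase), e.timestamp))


def to_siem_records(events):
    """Serialise the tuples for ingestion by a SIEM or other correlation tool."""
    return json.dumps([asdict(e) for e in events], indent=1)


def navigator_layer(events, name="observed TTPs"):
    """ATT&CK Navigator layer scoring each technique by how many events it appears in."""
    scores = Counter(t for e in events for t in e.techniques)
    return {
        "name": name,
        "domain": "enterprise-attack",
        "versions": {"attack": "14", "navigator": "4.9.1", "layer": "4.5"},  # assumed
        "techniques": [{"techniqueID": t, "score": n, "color": "#ff6666",
                        "comment": f"seen in {n} event(s)"}
                       for t, n in sorted(scores.items())],
    }


if __name__ == "__main__":
    evs = activity_thread(pivot("ws-17", "sample-1"))
    for e in evs:
        print(e.phase, e.victim, "->", e.infrastructure, "->", e.adversary)
    print(json.dumps(navigator_layer(evs), indent=1))
```

The pivot deliberately starts from a single victim and ends with two victims and a named adversary, which is the point of the arrows in the diamond: each feature you confirm is a pivot into the evidence for the next one. The layer dictionary can be saved as JSON and opened in the Navigator to highlight the observed techniques on the Enterprise matrix.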
7. Indicator Management (OBJ 1.1)