1
00:00:12,360 --> 00:00:14,230
And welcome back to another episode on How to Hack.

2
00:00:14,850 --> 00:00:17,570
So today we'll be discussing this cyber attack chain.

3
00:00:18,120 --> 00:00:23,010
The reason why we have to understand about a cyber attack is because there are a lot of questions about

4
00:00:23,370 --> 00:00:27,750
what goes on in the penetration testing, how our security assessment is being carried out.

5
00:00:28,050 --> 00:00:32,430
And the best way to actually describe that is to look at the cyber attack chain.

6
00:00:33,000 --> 00:00:38,910
So in this case, the cyber kill chain is, of course, developed by Lockheed Martin, and it is to help

7
00:00:38,910 --> 00:00:46,110
us understand and visualize the step-by-step process of how hackers actually go after specific individuals,

8
00:00:46,410 --> 00:00:51,990
a particular enterprise that they have been hired to go after, or if they are state-funded hackers,

9
00:00:52,290 --> 00:00:58,350
state-sponsored hackers, and they have a particular agency in mind and they are supposed to go after

10
00:00:58,350 --> 00:00:58,620
them.

11
00:00:59,130 --> 00:01:04,740
So there are so many tutorials and so many different kinds of hacking videos available.

12
00:01:04,900 --> 00:01:08,370
But the whole idea is, whatever you're doing, or if you're doing penetration testing,

13
00:01:08,700 --> 00:01:15,390
it's important to follow this step-by-step process, and it will really help you be able to control and

14
00:01:15,390 --> 00:01:20,660
manage how far you're going into the cyber attack chain and how far you are going to penetrate in the testing.

15
00:01:21,160 --> 00:01:26,090
So on the left side, we actually have the different phases and of course, we have seven phases.

16
00:01:26,340 --> 00:01:32,580
So here we go, reconnaissance, which is about finding out information on publicly available websites.

17
00:01:32,910 --> 00:01:35,100
And of course, weaponization is number two.
18
00:01:35,110 --> 00:01:42,180
So this is about how we can create the payload, whether it is a fully undetectable payload, a Meterpreter

19
00:01:42,180 --> 00:01:42,540
shell.

20
00:01:42,690 --> 00:01:45,810
It's about how we can weaponize it, and delivery.

21
00:01:45,840 --> 00:01:47,550
Are we going to use a USB?

22
00:01:47,760 --> 00:01:49,800
Are we going to send a phishing email?

23
00:01:49,920 --> 00:01:51,350
Are we going to send SMS?

24
00:01:51,450 --> 00:01:56,790
So again, those are the delivery mechanisms that we'll be using in terms of putting the weaponization

25
00:01:56,790 --> 00:01:58,800
or the weaponized payload into the system.

26
00:01:59,430 --> 00:02:01,280
And of course, we have our exploitation.

27
00:02:01,290 --> 00:02:05,850
So exploitation is a way for us to actually attack into the system.

28
00:02:05,850 --> 00:02:11,640
So we will execute, you will execute the particular exploit that we have created in number two, which

29
00:02:11,640 --> 00:02:14,760
is the weaponized payload, and number five, installation.

30
00:02:14,760 --> 00:02:20,640
So we'll install the malware into the system, into the mobile device or any assets that we have on

31
00:02:20,640 --> 00:02:21,210
hand.

32
00:02:21,670 --> 00:02:24,600
And this is when we go into number six, where we have command and control.

33
00:02:24,990 --> 00:02:30,240
So whenever you're looking at the tutorials, you're looking at the Metasploit framework as the command

34
00:02:30,240 --> 00:02:33,840
and control center to manage and control many of these devices.

35
00:02:34,110 --> 00:02:37,000
And of course, the final thing is on actions and objectives.

36
00:02:37,170 --> 00:02:40,050
So this is, what are we trying to accomplish?

37
00:02:40,080 --> 00:02:41,340
Have we achieved our goal?

38
00:02:41,550 --> 00:02:42,220
What was the goal?

39
00:02:42,240 --> 00:02:44,100
Was it for personal data?

40
00:02:44,100 --> 00:02:45,540
Was it for credit card information?
41
00:02:45,570 --> 00:02:46,790
Was it for financial data?

42
00:02:47,040 --> 00:02:49,200
Was it for state secrets?

43
00:02:49,230 --> 00:02:53,160
So, again, all these are the things that we're looking at in terms of the cyber attack chain.

44
00:02:54,780 --> 00:02:58,000
So, of course, we discussed the cyber security kill chain.

45
00:02:58,050 --> 00:03:02,340
So it's really important, what we're talking about, the cyber attack chain, because many

46
00:03:02,640 --> 00:03:07,020
enterprises or users can be victimized by many of these cyber breaches.

47
00:03:07,020 --> 00:03:10,630
And over here we can see the different companies that have been compromised.

48
00:03:10,650 --> 00:03:12,930
And again, it all follows the same steps.

49
00:03:12,930 --> 00:03:17,730
So if you read up about the hacks that have happened, you'll recognize that many of these hacks that

50
00:03:17,730 --> 00:03:19,980
have happened follow this specific step.

51
00:03:19,990 --> 00:03:26,070
So if you manage to get a detailed report on it, you'll be able to see how the hackers actually attack.

52
00:03:26,190 --> 00:03:31,050
And it is very similar to what you see in a cyber attack chain, or the cybersecurity kill chain.

53
00:03:33,410 --> 00:03:38,150
So the first step is about reconnaissance. Reconnaissance is about finding publicly available information,

54
00:03:38,420 --> 00:03:45,770
using WHOIS, using domain name server information, nslookup on your servers, and being able to find

55
00:03:45,770 --> 00:03:51,710
out what data they have using Netcraft, using all these different kinds of publicly available information,

56
00:03:51,710 --> 00:03:57,170
including also Google searching to find out usernames, passwords, more details of all the domains,

57
00:03:57,560 --> 00:04:03,590
going into the dark web, finding accounts, data or passwords of this particular enterprise and getting

58
00:04:03,590 --> 00:04:04,040
those data.
59
00:04:04,910 --> 00:04:10,490
So, again, the characteristics of this, it could range from minutes all the way to weeks and months

60
00:04:10,490 --> 00:04:12,020
trying to find out all this data.

61
00:04:12,290 --> 00:04:14,960
And because a lot of users have social media accounts,

62
00:04:14,990 --> 00:04:20,570
again, those are good places to also start, to find out more details about the enterprise, about

63
00:04:20,570 --> 00:04:22,320
individuals working in the enterprise.

64
00:04:22,580 --> 00:04:24,610
So this is what we call passive reconnaissance.

65
00:04:24,860 --> 00:04:30,080
We are trying to find all publicly available information, not directly interacting with the enterprise.

66
00:04:30,080 --> 00:04:31,880
So do not on debt.

67
00:04:33,570 --> 00:04:37,610
And of course, this is where we have the active reconnaissance, so active reconnaissance means we

68
00:04:37,620 --> 00:04:38,610
are probing the system.

69
00:04:38,610 --> 00:04:44,130
So whenever you look at Nmap that we have been using in a number of the tutorials, we are trying

70
00:04:44,130 --> 00:04:47,840
to get details about the services of the systems and servers

71
00:04:47,840 --> 00:04:50,900
that are available inside that particular enterprise.

72
00:04:51,150 --> 00:04:56,940
So we are actually trying to probe directly into the system, looking at fingerprinting, reconnaissance.

73
00:04:57,210 --> 00:05:01,210
We are working and we are pinging the system to find out more details and data.

74
00:05:01,560 --> 00:05:04,580
So these are information that we can find out immediately from there.

75
00:05:04,950 --> 00:05:11,010
So again, active reconnaissance and passive reconnaissance are very different in terms of trying to

76
00:05:11,010 --> 00:05:12,330
find out all these details.
77
00:05:15,190 --> 00:05:19,300
So, of course, this is where we go into the weaponization stage, so the weaponization stage would

78
00:05:19,300 --> 00:05:24,880
actually allow us to see what kind of payload we can create. So the first and most used is actually using

79
00:05:24,880 --> 00:05:29,770
msfvenom, or you could actually use different kinds of tools to create a payload, so you could

80
00:05:29,770 --> 00:05:36,130
write your own script or your own malicious software if you know C programming and so on, or you want

81
00:05:36,130 --> 00:05:37,480
to pop up a shell.

82
00:05:37,480 --> 00:05:40,240
You want to get a reverse shell on it, you want to get a seashell on it.

83
00:05:40,270 --> 00:05:43,420
So again, all these are available as part of weaponization.

84
00:05:43,600 --> 00:05:49,320
And in terms of weaponization, we are also thinking about how can we make it fully undetectable, so

85
00:05:49,330 --> 00:05:54,640
that we'll use encoding methods, use different kinds of methods to mask the capability from detection

86
00:05:54,640 --> 00:05:55,900
by antivirus systems.

87
00:05:56,320 --> 00:05:59,600
And of course, ultimately this would bring us into the delivery stage.

88
00:05:59,890 --> 00:06:04,750
So in the delivery phase, this is the part where we're thinking about how are we going to deliver the

89
00:06:04,750 --> 00:06:06,400
payload into the user's machine?

90
00:06:06,820 --> 00:06:11,380
So, again, over here we go to the Social Engineer Toolkit, as seen in a number of tutorials.

91
00:06:11,620 --> 00:06:13,350
So it's about website attacks.

92
00:06:13,360 --> 00:06:15,880
We want to create a website hosting a particular payload.

93
00:06:16,120 --> 00:06:22,390
Do you want to create an infectious media generator, put into a USB drive, executed the moment the user plugs it

94
00:06:22,390 --> 00:06:23,330
into the computer?

95
00:06:23,740 --> 00:06:24,730
Do you want to have a payload?
96
00:06:24,730 --> 00:06:29,710
You want a mass mailer, all these options are here inside the Social Engineer Toolkit and we'll be exploring

97
00:06:29,710 --> 00:06:30,790
a lot more later on.

98
00:06:31,090 --> 00:06:32,860
So this is about the transmission of the attack.

99
00:06:33,070 --> 00:06:37,260
How do we get the payload, a weaponized payload, into the user's computer?

100
00:06:37,270 --> 00:06:43,960
So, again, another key point in terms of sending out a phish that we want to talk about is also what kind

101
00:06:43,960 --> 00:06:44,920
of payload are you doing?

102
00:06:45,220 --> 00:06:47,960
Because some of these delivery mechanisms can be very different.

103
00:06:48,250 --> 00:06:53,740
So, one, you could be using a lot of phishing emails that could be blasted out to millions of users

104
00:06:54,130 --> 00:06:54,700
or, two,

105
00:06:54,700 --> 00:07:00,430
it could be a very targeted, very specific format of the email that is sent to one person where we

106
00:07:00,580 --> 00:07:05,110
just want that person to click onto it so that we can go after that particular entity.

107
00:07:07,220 --> 00:07:12,110
And this is on the exploitation stage, so this is what happens once you're weaponized, you've delivered,

108
00:07:12,380 --> 00:07:15,500
the user clicks onto it and you get a reverse shell immediately.

109
00:07:15,530 --> 00:07:17,270
So this is the detonation of the attack.

110
00:07:17,660 --> 00:07:21,860
So once the exploit happens, we are in, we are into the system.

111
00:07:22,070 --> 00:07:25,470
And this allows us to have control of their environment.

112
00:07:25,670 --> 00:07:30,290
So, again, this is all about gaining access, bypassing security mechanisms.

113
00:07:30,290 --> 00:07:32,450
So this is the detonation of the payload.

114
00:07:34,540 --> 00:07:37,960
And of course, once you hit detonation, this is where we go into the installation.
115
00:07:37,990 --> 00:07:40,970
So this is where we want persistence inside the system.

116
00:07:41,030 --> 00:07:46,600
We want to have the ability to persist inside the mobile device, inside the server, inside a computer

117
00:07:46,600 --> 00:07:47,140
device.

118
00:07:47,650 --> 00:07:50,950
So, again, this is what we call a payload, again on the screen.

119
00:07:51,250 --> 00:07:52,830
So this is a Microsoft Office file.

120
00:07:53,080 --> 00:07:59,710
Once the user clicks on enable content, immediately we'll get access and we'll install a payload into the

121
00:07:59,710 --> 00:08:05,260
system and we will actually create persistence so that we can be able to latch onto the computer system

122
00:08:05,260 --> 00:08:07,270
no matter how much they update it.

123
00:08:09,520 --> 00:08:13,510
And of course, this is the command and control, and in command and control, we have a number of options

124
00:08:13,510 --> 00:08:17,530
inside the channel where we discuss about how we can actually control the system.

125
00:08:17,530 --> 00:08:22,900
So the first one that is most used a lot of the time is using the Metasploit framework and, as follows, of course,

126
00:08:22,900 --> 00:08:24,340
Empire PowerShell.

127
00:08:24,340 --> 00:08:28,300
So Empire directly to manage based on the PowerShell scripting.

128
00:08:28,300 --> 00:08:32,320
So another great way for us to manage many, many of these computers and systems.

129
00:08:32,560 --> 00:08:34,170
So this is what we call the bots.

130
00:08:34,540 --> 00:08:39,150
So any of these computers that have been hacked into, we call them the bots, we are controlling them.

131
00:08:39,400 --> 00:08:41,590
And on the top you can see we've got the bot herder.

132
00:08:41,590 --> 00:08:48,040
So the bot herder actually allows you, which is you, to control what the bots will do as a result of

133
00:08:48,040 --> 00:08:50,290
them being hijacked into.

134
00:08:53,340 --> 00:08:55,870
So, of course, the focus can be very different.
135
00:08:55,920 --> 00:09:00,770
So if you're a state-funded hacker, chances are you're going for sensitive data, confidential data,

136
00:09:00,930 --> 00:09:05,010
top secret data, top secret data meaning they have grave danger to a nation.

137
00:09:05,160 --> 00:09:07,740
So you're going after those specific data.

138
00:09:08,190 --> 00:09:13,260
And if you are a cyber criminal who is going after financial gains, then you have a very different

139
00:09:13,260 --> 00:09:13,770
set of data.

140
00:09:13,770 --> 00:09:18,030
You could be looking for credit card information, usernames, passwords, to be sold on the dark web.

141
00:09:18,240 --> 00:09:24,180
So, again, the purpose, the action and the objective can be very different across many different

142
00:09:24,180 --> 00:09:26,970
kinds of threats, many different kinds of attacks.

143
00:09:29,460 --> 00:09:33,480
So, of course, the question will be, if I'm a defender, I'm on the blue team and I want to

144
00:09:33,480 --> 00:09:36,280
protect against this cyber attack, what can we do?

145
00:09:36,690 --> 00:09:40,860
So the whole idea goes back into the concept of defense, defense in depth.

146
00:09:40,860 --> 00:09:46,190
So defense in depth means that we must always have a way of slowing down the attacker.

147
00:09:46,530 --> 00:09:51,380
So if a state-funded hacker or someone who is persistent in trying to get into the enterprise, getting

148
00:09:51,390 --> 00:09:57,090
the data, what we can do is to slow down the person as much as possible and keep changing to different

149
00:09:57,090 --> 00:10:00,630
kinds of security mechanisms or countermeasures that we have in place.

150
00:10:00,630 --> 00:10:04,920
That will take a very long time for the hacker to go after you.

151
00:10:04,950 --> 00:10:10,580
So if you're managing an enterprise, you may have thousands of computers, endpoints, servers and so on.
152
00:10:10,920 --> 00:10:16,080
So what you do is you will actually make sure that you have antivirus systems, you have a security

153
00:10:16,080 --> 00:10:21,360
monitoring platform, you have a web application firewall, database firewall and many different of

154
00:10:21,360 --> 00:10:24,300
these security mechanisms in place that will slow down your hacker.

155
00:10:24,600 --> 00:10:30,030
So the hacker wants to get into you through USB and you realize that all of your endpoints have the USB

156
00:10:30,030 --> 00:10:33,930
disabled, then the hacker has to try something else in order to gain access into the system.

157
00:10:34,230 --> 00:10:38,700
And this would take longer and longer for them to persist through in order to gain access into your

158
00:10:38,700 --> 00:10:39,580
sensitive data.

159
00:10:40,020 --> 00:10:45,360
So defense in depth is going to be a great way for you to actually stop many of these potential threats.

160
00:10:47,740 --> 00:10:52,720
So, of course, there are some potential flaws with the whole idea of the cyber attack chain and of

161
00:10:52,720 --> 00:10:58,750
course, thinking about a cyber kill chain is that the hacker has to go through every single phase.

162
00:10:59,140 --> 00:11:04,780
But the reality is that that's not the case, because the hacker could perhaps be able to get all your

163
00:11:04,780 --> 00:11:10,090
usernames and passwords directly from publicly available information due to all the data breaches.

164
00:11:10,480 --> 00:11:15,430
And from there on, they could immediately get access into many of your accounts and credentials.

165
00:11:15,610 --> 00:11:20,770
So that could be a very quick way, because the point is, all seven steps must be successful for

166
00:11:20,770 --> 00:11:22,210
a successful cyber attack to occur.
167
00:11:22,500 --> 00:11:26,770
But that's not always the case, because once you've got usernames, once you've got passwords, you could

168
00:11:26,770 --> 00:11:33,640
morph your attack into other ways or other objectives in order to gain other kinds of sensitive data.

169
00:11:34,420 --> 00:11:39,970
So, of course, on the final point, the defender has seven opportunities to break the chain and minimize

170
00:11:39,970 --> 00:11:40,820
data exfiltration.

171
00:11:40,840 --> 00:11:45,340
So if you're playing blue team again, you recognize that you do have the advantage

172
00:11:45,340 --> 00:11:51,910
if we are trying to conceptualize playing defense in terms of trying to stop the hacker from gaining

173
00:11:51,910 --> 00:11:54,570
full access or completing the full cyber attack chain.

174
00:11:55,420 --> 00:11:58,270
So once again, I hope you learned something valuable in today's lecture.

175
00:11:58,300 --> 00:12:02,170
So if you have any questions, feel free to comment below and I'll try my best to answer any of your

176
00:12:02,170 --> 00:12:02,770
questions.

177
00:12:03,040 --> 00:12:06,850
So do like, share, subscribe to the channel so that you can be kept abreast of the latest

178
00:12:06,850 --> 00:12:07,650
cybersecurity tutorial.

179
00:12:07,870 --> 00:12:09,340
Thank you so much once again for watching.