WEBVTT

00:06.650 --> 00:11.990
In this episode, we're trying to cover a convergence of supply chain technology and how supply

00:12.020 --> 00:17.600
chain impacts what you're trying to accomplish as a cybersecurity analyst, both in a SOC environment

00:17.600 --> 00:19.790
and as your organization as a whole.

00:19.820 --> 00:25.520
We're also going to discuss tactics, techniques, and procedures and how malicious actors are utilizing

00:25.520 --> 00:32.060
this framework in order to pull off some of the more daring or intrinsic attacks against a specific

00:32.060 --> 00:33.980
network or your enterprise environment.

00:34.010 --> 00:39.110
Finally, we're going to discuss intelligence and how threat intelligence impacts your trends and how

00:39.110 --> 00:40.610
to safeguard your networks.

00:40.640 --> 00:46.070
Knowing that threat actors are using that intelligence or using those actions before they actually pull

00:46.070 --> 00:51.500
off the different attacks, all of these combined are an assortment of different features within the

00:51.500 --> 00:57.260
threat analyst that you need to be aware of in order to properly secure your environment and your network

00:57.260 --> 01:00.870
against those specific threat actors that we talked about in the last episode.

01:00.870 --> 01:05.640
Supply chain management affects how you're going to utilize different equipment and where you source

01:05.640 --> 01:10.500
your equipment from, both from an IT standpoint as well as from a cybersecurity standpoint.

01:10.530 --> 01:11.970
You need to be aware of that.

01:11.970 --> 01:14.370
Not all supply chains are created equally.

01:14.370 --> 01:20.340
If you're buying servers off of eBay or maybe a third party vendor, they could inject malware and change

01:20.340 --> 01:27.240
the intrinsic capabilities of that specific hardware in order to move forward against a malicious

01:27.240 --> 01:28.890
vector within your network.

01:28.890 --> 01:35.430
That is to say, if I'm buying third party equipment from a vendor, and even if it's Cisco or Linksys

01:35.430 --> 01:42.480
or some well-known provider, yet it's going through maybe a shady third party vendor, it could have

01:42.480 --> 01:48.780
malicious activity embedded upon the firmware, or even in the hardware that you wouldn't otherwise

01:48.810 --> 01:49.830
be familiar with.

01:49.860 --> 01:55.530
A lot of times we look at different third party vulnerabilities associated specifically to that hardware,

01:55.530 --> 01:58.470
based on where you source that equipment from.

01:58.470 --> 02:04.380
Counterfeit software and hardware is often marked by those third party vendors.

02:04.380 --> 02:10.170
I can tell you from my own experience that we purchased different hardware that we thought was Cisco

02:10.170 --> 02:16.440
equipment, and it had all the markings on there, had the serial numbers, even had the model number

02:16.440 --> 02:18.870
that was appropriate to a real piece of equipment.

02:18.870 --> 02:23.670
But once you opened up that box, you started to notice some key differences in how that information

02:23.670 --> 02:25.500
or how that hardware was laid out.

02:25.500 --> 02:30.270
We later found out that that hardware had actually been infected with specific malware associated with

02:30.270 --> 02:34.590
that firmware, because not only was the hardware counterfeit, but so was the software.

02:34.620 --> 02:40.800
The malicious actor was able to get in there and change specific programs, change different

02:40.800 --> 02:46.080
complexities of that hardware that allowed them to create a backdoor into that system.

02:46.080 --> 02:51.480
Now, luckily, we were able to find that out because some of the different key influences, as part

02:51.480 --> 02:57.600
of that hardware, kind of led us down that trail to identify this as being counterfeit hardware associated

02:57.600 --> 02:58.980
with a known switch.

02:58.980 --> 03:04.320
Because of that, we were able to remove that from our network and then buy the appropriate hardware

03:04.350 --> 03:06.180
off the supply chain manager.

03:06.210 --> 03:11.550
Now, that sounds like one of the once in a while things, but I want you to picture this: way back in

03:11.550 --> 03:17.310
the second Gulf War, there were specific vendors that the United States military utilized in order

03:17.310 --> 03:21.270
to move forward against specific terrorist organizations.

03:21.300 --> 03:24.270
GPS identification was brand new technology.

03:24.270 --> 03:25.170
When it came to that.

03:25.170 --> 03:29.280
People were starting to use digital cameras and digital phones at the time to record their videos,

03:29.280 --> 03:35.970
and the United States military, along with the CIA, was able to then use those pictures that imprinted

03:36.000 --> 03:41.850
a GPS, lat and long associated with that picture, and then were able to identify exactly where the

03:41.850 --> 03:45.690
picture was taken when the terrorist organization published it online.

03:45.690 --> 03:52.590
This is a form of supply chain management that was curtailed via an APT, i.e. the United States government,

03:52.590 --> 03:58.270
to produce those concepts that we needed to know. Supply chain manipulation is another thing that you

03:58.270 --> 03:59.410
need to be aware of.

03:59.440 --> 04:05.680
Supply chain manipulation happens when you've got a carrier that moves products or services from one

04:05.680 --> 04:12.820
point to another that may be intercepted along the route, meaning that if I have a piece of equipment

04:12.820 --> 04:18.460
that's, say, going from a known good vendor, but it ends up in a warehouse somewhere that may be

04:18.460 --> 04:19.600
a fraudulent threat

04:19.600 --> 04:24.910
actor could go in and replace that piece of equipment with a known bad piece of equipment or a piece

04:24.910 --> 04:28.870
of equipment that they were able to inject malicious software into.

04:28.900 --> 04:30.430
This happens on occasion.

04:30.430 --> 04:33.760
It is rare, but it does happen and you just need to be aware of that.

04:33.760 --> 04:39.820
From my first example where we had supply chain management issues, just be aware that all your equipment

04:39.820 --> 04:45.820
should have known good software, known good hardware, recognizable serial numbers and model numbers

04:45.820 --> 04:49.540
and correspond with what you're getting from the actual vendor.

04:49.540 --> 04:51.910
You don't want to use third party vendors when possible.

04:51.910 --> 04:56.560
If I'm buying a piece of Cisco equipment, I need it to come from Cisco when possible.

04:56.560 --> 04:59.920
Now that's not always possible, especially in lower end stuff.

04:59.920 --> 05:02.230
Or if you're buying a used server.

05:02.230 --> 05:07.360
And in those cases, just be aware that there is a certain amount of threat that comes with or a certain

05:07.360 --> 05:13.990
amount of vulnerabilities that come from buying software or hardware from a third party vendor,

05:13.990 --> 05:18.130
especially if you can't 100% guarantee that that vendor is legit.

05:18.160 --> 05:24.520
Tactics, techniques and procedures refer to the strategic goals, methodologies, and processes that

05:24.520 --> 05:28.420
a threat actor uses in order to invade or exploit a network.

05:28.450 --> 05:33.670
Strategic goals could encompass different aspects of the actual goals of the threat actor.

05:33.670 --> 05:39.550
We just talked about APTs and nation states and script kiddies in the last episode, but what

05:39.550 --> 05:41.020
are their strategic goals?

05:41.020 --> 05:47.860
If it's a specific crime organization, their strategic goal, too, could be to inject a network with

05:47.860 --> 05:51.730
ransomware and then collect money from that ransomware.

05:51.730 --> 05:53.410
That's their goal, right?

05:53.410 --> 05:55.070
But what is their strategic goal?

05:55.070 --> 05:58.370
How are they going to actually accomplish that task?

05:58.370 --> 06:00.680
That's the methodology that comes into play.

06:00.710 --> 06:06.440
A different methodology could be utilizing a PDF document or a Word document or some other document

06:06.440 --> 06:08.210
where the organization opens it.

06:08.210 --> 06:13.760
They accidentally inject their system with malware that now sets up a botnet within the field.

06:13.760 --> 06:20.330
Their command and control system then sends down the pipeline to upload a new malware form that then

06:20.360 --> 06:25.850
projects ransomware across not just that machine, but worms out into other machines.

06:25.850 --> 06:27.380
That would be their methodology.

06:27.380 --> 06:28.970
And finally, their process.

06:28.970 --> 06:35.390
Their process could be the step by step guide or execution of that specific technique, i.e., step one:

06:35.390 --> 06:41.420
find out through social engineering how or who is responsible with administrative privileges within

06:41.420 --> 06:42.140
their network.

06:42.170 --> 06:44.600
Step two: send them a spear phishing email.

06:44.630 --> 06:50.810
Step three: inject that spear phishing email with a link specific to malware or injection of a specific

06:50.840 --> 06:55.530
type of malware that will then open a communication process with our known servers.

06:55.530 --> 07:01.200
Processes are just step by step directions that the threat actor could utilize in order to pull off

07:01.200 --> 07:03.600
their overarching goal or methodology.

07:03.600 --> 07:09.510
Intelligence sources are broken up into reliability, credibility, accuracy, timeliness, and, of

07:09.540 --> 07:10.740
course, accessibility.

07:10.770 --> 07:14.940
Now these all come into play when it talks about actual intelligence sources.

07:14.940 --> 07:21.150
I could have my intelligence come from a reliable or accurate source, but the credibility may be very

07:21.150 --> 07:21.720
low.

07:21.750 --> 07:24.330
What do I mean by credibility versus reliability?

07:24.330 --> 07:28.830
Because I have a lot of students that kind of get intermingled or muddied when they start talking about

07:28.830 --> 07:29.280
this.

07:29.280 --> 07:35.430
I can have a reliable source, meaning that they're providing intel on a weekly basis every Friday,

07:35.430 --> 07:37.050
just like they're supposed to be.

07:37.080 --> 07:41.910
However, the information they're providing me isn't actually credible, meaning their 50/50

07:41.940 --> 07:43.890
hit ratio is pretty low.

07:43.920 --> 07:49.950
I could get reliable information from them, meaning that the information is coming every Friday, but

07:49.950 --> 07:52.980
the credibility could be that 50/50 structure where,

07:53.010 --> 07:56.400
yeah, some of it is really on target, but some of it isn't.

07:56.400 --> 07:59.460
This is where credibility comes into play versus reliability.

07:59.490 --> 08:01.050
Then we talk about accuracy.

08:01.080 --> 08:03.900
How accurate is the information that they're giving us?

08:03.930 --> 08:05.910
Is that accuracy 100%?

08:05.940 --> 08:10.950
Meaning that every time they give me data and it's credible data, the accuracy is on point.

08:10.950 --> 08:16.200
We know, hey, they're going to attack this IP address or this piece of malware is directed to this

08:16.200 --> 08:17.370
specific system.

08:17.370 --> 08:20.310
How accurate is the information they're actually giving me?

08:20.340 --> 08:21.570
Then there's timeliness.

08:21.600 --> 08:27.330
Timeliness comes into play with how reliable or how credible the information is coming in at a specific

08:27.330 --> 08:27.960
time.

08:27.990 --> 08:31.890
Now, I just talked about that and I kind of muddied up the waters, but let's take it back a further

08:31.890 --> 08:32.580
step.

08:32.610 --> 08:38.040
If I have credible information that's highly reliable, but it was reliable and credible and accurate

08:38.070 --> 08:44.130
a year ago, it does me no good now, because it was over a year ago that it was actually credible,

08:44.130 --> 08:47.010
meaning that the timeliness is completely off.

08:47.040 --> 08:49.680
However, let's talk about a zero day attack.

08:49.680 --> 08:55.620
If I'm getting credible, reliable information today that hasn't been released to the public or hasn't

08:55.620 --> 08:59.760
been actually constituted out to a network, that's very timely information.

08:59.760 --> 09:04.170
However, if my system has already been injected with the malware and you're just now feeding me the

09:04.170 --> 09:06.510
information, the timeliness is all off.

09:06.510 --> 09:07.920
It really doesn't make sense.

09:07.920 --> 09:10.620
It's like, thank you for telling me something I already know.

09:10.650 --> 09:13.380
And finally, there's accessibility of the information.

09:13.380 --> 09:15.270
How accessible is the information?

09:15.270 --> 09:16.320
What do we mean by that?

09:16.320 --> 09:21.300
Sometimes the federal government or different government organizations or even threat intelligence

09:21.300 --> 09:26.820
organizations will send us information, or they knew about the information a week ago, and they're

09:26.820 --> 09:32.730
just now giving that to us now, and that kind of skews that line between timeliness versus accessibility.

09:32.730 --> 09:35.160
But let's kind of break it out a little bit more by that.

09:35.160 --> 09:36.780
They've given us the information.

09:36.780 --> 09:41.670
It's timely, and the attack hasn't hit our system yet, but we're not telling anybody else within our

09:41.700 --> 09:47.280
IT and framework, which means the CISO and maybe the director has it, but the technicians don't because

09:47.280 --> 09:49.750
they're trying to keep that information very tight lipped.

09:49.780 --> 09:55.240
That means that the technicians that are working on the information and hardening up our system, they

09:55.240 --> 09:58.750
don't have access to the information, but we're fixing the problems.

09:58.750 --> 10:01.000
That's where accessibility really comes into play.

10:01.030 --> 10:05.800
Sometimes we get information at a high level, and we have to do things on our network that we don't

10:05.800 --> 10:06.400
really understand.

10:06.400 --> 10:07.330
The reasons why?

10:07.360 --> 10:12.430
Because management or the top level people that have access to it aren't filtering that information

10:12.430 --> 10:13.150
down to us.

10:13.150 --> 10:17.290
And the reason they're not doing that is because the attack could occur without notice.

10:17.290 --> 10:21.040
Or maybe they're not entirely sure about the credibility or the accuracy.

10:21.070 --> 10:25.810
Accessibility regularly comes into play of how accessible is the information and how far is it getting

10:25.810 --> 10:30.550
passed down to the line of where our technicians or the people that need it, actually have it?

10:30.580 --> 10:34.420
This can be from the company perspective, all the way down to the employee perspective.

10:34.450 --> 10:36.670
This is where accessibility really comes into play.

10:36.700 --> 10:39.490
Finally, let's talk about confidence levels within the chart.

10:39.520 --> 10:45.160
Here you can see a specific chart or framework that we utilize for different confidence levels associated

10:45.160 --> 10:48.860
with intelligence or with the information that's coming down the pipeline.

10:48.860 --> 10:53.300
For instance, if our confidence level is zero, we don't have a very good confidence level that the

10:53.300 --> 10:55.580
information is accurate or reliable.

10:55.580 --> 10:59.300
Or maybe it's not timely, meaning that our confidence level is very low.

10:59.330 --> 11:05.690
On the flip side, maybe we have a report of malware that's being developed on the dark web, and we've

11:05.690 --> 11:10.910
seen past sources come from this or past information from this source coming down the pipeline where

11:10.910 --> 11:16.010
it's highly reliable, highly accurate, and it's very time sensitive, meaning that we have a very

11:16.010 --> 11:17.390
high confidence level.

11:17.420 --> 11:19.910
Confidence level really is kind of a judgment call.

11:19.910 --> 11:24.530
It's not all logic based, but what you really need to understand about it is that we need to utilize

11:24.530 --> 11:28.340
that in terms of a real world number.

11:28.340 --> 11:34.040
When associated to an enterprise environment, sometimes we get intelligence that's unreliable but highly

11:34.070 --> 11:35.510
accurate and highly timely.

11:35.510 --> 11:40.130
Sometimes we get highly accurate information, but the reliability is very low.

11:40.160 --> 11:44.630
This sort of confidence level has really come into play, where there's a different chart or flow that

11:44.630 --> 11:45.530
comes into it.

11:45.530 --> 11:47.930
It's more of an art form than logic.

11:47.930 --> 11:52.550
But just realize for CySA that you need to understand that our confidence is either going to be low,

11:52.580 --> 11:53.840
moderate, or high.

11:53.870 --> 11:57.710
And if I have a high confidence level, then I need to act on that information.

11:57.710 --> 12:01.220
That doesn't mean that if I have low confidence in the information, I shouldn't act.

12:01.220 --> 12:05.660
We may take predetermined levels, but if I have high confidence levels, I'm going to act before the

12:05.660 --> 12:07.970
low confidence levels on that same information.

12:08.000 --> 12:12.110
Throughout this episode, we talked about supply chain management and how it can be utilized by malicious

12:12.110 --> 12:12.680
actors.

12:12.710 --> 12:18.320
We talked about tactics, techniques, and procedures that malicious actors can utilize across our enterprise

12:18.320 --> 12:18.920
environment.

12:18.920 --> 12:25.910
And finally, we talked about intelligence sources and how intelligence sources interact with those TTPs.

12:25.910 --> 12:32.000
For CySA, you need to have a high level overview and understanding of tactics, techniques, procedures,

12:32.000 --> 12:34.250
supply chain, and intelligence sources.

12:34.250 --> 12:39.740
You're going to see scenario based questions across different arcs of not only confidence levels,

12:39.740 --> 12:44.180
but how intelligence sources are rated versus the reliability versus accuracy.

12:44.210 --> 12:48.990
You should have a good breadth of knowledge when it comes to high accuracy versus timeliness

12:49.020 --> 12:51.330
versus the other concepts that we discussed.

12:51.330 --> 12:56.310
You may get a scenario based question that says, I have highly accurate and reliable information,

12:56.310 --> 12:59.730
but the trustworthiness of the information has been spotty in the past.

12:59.760 --> 13:01.560
How would you rate your confidence level?

13:01.560 --> 13:02.820
That would be an expected

13:03.030 --> 13:05.850
question that you might see on CySA.

13:05.880 --> 13:10.470
You might also see a different question that talks about confidence levels of being very low, but then

13:10.470 --> 13:14.520
the information is highly reliable or very accurate.

13:14.550 --> 13:19.170
This is where you kind of really have to shave that art form into logic and really look at it from a

13:19.170 --> 13:22.020
perspective of an analyst in your real world position.

13:22.050 --> 13:25.140
Like I said, there's no one tried and true reason to it.

13:25.140 --> 13:29.670
There's a lot of art form associated with it, but you should know the principles and use your judgment

13:29.670 --> 13:30.750
as best you can.

13:30.750 --> 13:35.700
Most of the time, the questions are going to be very slanted in such a way that you can easily identify

13:35.700 --> 13:40.980
whether it's a high confidence level versus a low confidence level, and where the accuracy versus timeliness

13:41.010 --> 13:42.780
versus reliability come into play.

13:42.780 --> 13:45.360
If you can do that, you should be fine with the exam.
