WEBVTT

00:06.830 --> 00:11.030
As an analyst, you need to be aware of the different intelligence levels, as well as a plethora of

00:11.030 --> 00:16.220
other information that comes along with understanding the different threat actors, threat vectors,

00:16.220 --> 00:18.020
and of course, threat intelligence itself.

00:18.290 --> 00:22.130
In this episode, we're going to discover different intelligence levels and how they correspond to threat

00:22.130 --> 00:27.800
intelligence, so that you can process that different information to be a better CySA analyst.

00:29.630 --> 00:35.720
Threat intelligence levels are divided into three core categories strategic, operational, and tactical.

00:35.750 --> 00:41.510
With strategic intelligence, we're looking at long term business profiles or goals that interact with

00:41.510 --> 00:42.920
the organization as a whole.

00:42.950 --> 00:47.300
These are usually things like what do we want to do or accomplish within five years?

00:47.300 --> 00:53.090
How does that relate to the cybersecurity department, and what do you need to be aware of as part of

00:53.120 --> 00:57.050
a strategic operational force specific with cybersecurity?

00:57.050 --> 01:01.220
This could include things like maybe setting up a SIEM or setting up a new IPS.

01:01.220 --> 01:05.090
Maybe, you know, servers are going to hit end of life and you need to be aware of that.

01:05.090 --> 01:09.800
Those are those long term business strategies that you need to be aware of at an operational level.

01:09.800 --> 01:14.480
You need to be aware of the different strategic objectives so that you could correspond to those strategic

01:14.480 --> 01:15.920
with the operational level.

01:15.920 --> 01:21.500
What that really means is from 1 to 3 years out, what do you need to do in order to correspond with

01:21.500 --> 01:23.180
that strategic level objectives?

01:23.180 --> 01:27.980
We talked about maybe implementing a SIEM or setting up new servers that are ending in their end of

01:27.980 --> 01:28.490
life.

01:28.490 --> 01:30.470
But what about that 1 to 3 level goal?

01:30.470 --> 01:32.360
Maybe we need to replace some routers.

01:32.360 --> 01:37.490
Maybe the operational level means that I need to hire new employees, or train my current employees

01:37.490 --> 01:42.530
up to a level so that we can have new, fresh employees coming in that they will in turn, train.

01:42.560 --> 01:46.010
Operational level is really that 1 to 3 mark that we're talking about.

01:46.010 --> 01:51.950
In order to correspond with that strategic level, in order to better provide a foundational level at

01:51.950 --> 01:56.780
the business sense, at a tactical level, you need to be aware of your specific department.

01:56.780 --> 01:58.670
These are six months to one year.

01:58.700 --> 01:59.930
As soon as three months.

01:59.930 --> 02:05.330
In some cases, these are things like maybe I'm already hitting that end of life and we've already passed

02:05.330 --> 02:05.480
it.

02:05.480 --> 02:08.300
Or maybe there's a key vulnerability implemented within the system.

02:08.300 --> 02:10.490
For instance, maybe you're using Windows 10.

02:10.490 --> 02:15.320
And Microsoft came out and said, hey, we're no longer supporting Windows 10 in 6 months, and so you

02:15.320 --> 02:17.060
need to update to Windows 11.

02:17.090 --> 02:22.130
Those would be tactical level objectives that need to be associated with they correspond with that operational

02:22.130 --> 02:22.460
level.

02:22.460 --> 02:24.290
And then again, the strategic level.

02:24.290 --> 02:28.460
What you really need to understand about the different intelligence levels, as far as CySA is concerned,

02:28.490 --> 02:33.200
is short term, medium term and then long term planning from the different levels.

02:33.230 --> 02:37.370
Your C-suite usually puts out strategic level objectives for the business as a whole.

02:37.370 --> 02:41.690
Directors and high level managers usually come up with the operational level, and then your immediate

02:41.690 --> 02:45.350
supervisor usually comes up with that tactical level that you need to be aware of.

02:45.380 --> 02:50.360
The tactical level really is the hands on portion that most analysts intersect with when it comes to

02:50.360 --> 02:52.640
the overarching strategic goals of the company.

02:52.670 --> 02:57.250
Threat intelligence comes in different varieties, and we get threat intelligence from different sources,

02:57.250 --> 02:59.770
and we talked about that in previous episodes.

02:59.770 --> 03:04.120
In this episode, we're really going to contact onto those indicators of compromise.

03:04.120 --> 03:07.810
What provides a clue into what's going on inside of our network?

03:07.840 --> 03:09.640
These can be things like vulnerabilities.

03:09.640 --> 03:14.290
Maybe I've hit end of life like we already talked about, but we've opened up a new vulnerability.

03:14.290 --> 03:19.270
Maybe we downloaded a new software that's supposed to make our lives easier for the IT team, but it

03:19.270 --> 03:22.390
has an inherent flaw with an unencrypted port.

03:22.420 --> 03:26.950
These are different vulnerabilities that we need to be aware of that could open ourselves up to different

03:26.980 --> 03:29.230
threat actors and a new threat vector.

03:29.230 --> 03:31.750
So vulnerabilities come in different capacities.

03:31.750 --> 03:35.200
They can be in configuration management, they could be in new software.

03:35.530 --> 03:37.180
It could be even in new employees.

03:37.180 --> 03:40.330
We need to be aware of the different trends that go along with that as well.

03:40.330 --> 03:45.040
If we're seeing a rash of new ransomware that's coming out through the lines of threat intelligence,

03:45.040 --> 03:49.000
then we need to correspond to our defensive structures onto those trends.

03:49.000 --> 03:51.220
You have to remember, cybersecurity is like anything else.

03:51.220 --> 03:54.880
It's not a matter of when we get hit, it's only a matter of time before we get hit.

03:54.880 --> 03:55.910
And that aspect.

03:55.910 --> 03:58.640
We need to be fully aware of impending trends.

03:58.670 --> 04:03.380
Have you ever noticed that when something's hitting the media a lot, that people seem to jump on

04:03.380 --> 04:06.320
it and we see that in different business cycles?

04:06.320 --> 04:07.760
We saw that with tiny homes.

04:07.760 --> 04:09.950
We see it in a different variety of ways.

04:09.950 --> 04:11.720
Cyber security is no different.

04:11.750 --> 04:14.510
Those trends come into play and we need to be aware of them.

04:14.510 --> 04:18.770
Finally, we need to be aware of our threat landscape, meaning the landscape that is inherent within

04:18.770 --> 04:20.030
our organization.

04:20.030 --> 04:21.380
Are we using VLANs?

04:21.380 --> 04:22.640
Are we using subnetting?

04:22.640 --> 04:26.360
Are we using windows only machines or do we have some Linux intertwined within that?

04:26.390 --> 04:31.790
What kind of IDS or IPS systems are we using? That network infrastructure that we're responsible for

04:31.790 --> 04:37.130
from a cybersecurity standpoint, definitely provides a threat landscape in which an attacker is most

04:37.130 --> 04:39.320
likely going to try to invade our network with.

04:39.350 --> 04:44.930
We need to be aware of that landscape and put up defensive measures in order to secure that landscape

04:44.930 --> 04:46.130
as we move forward.

04:47.060 --> 04:50.390
Indicator of compromise could also be abnormal user behavior.

04:50.390 --> 04:53.210
We've all seen that one employee that is stellar.

04:53.210 --> 04:54.850
They never click on those phishing links.

04:54.850 --> 04:56.200
They never do anything wrong.

04:56.200 --> 04:59.590
But then suddenly their abnormal behavior comes to bear.

04:59.590 --> 05:04.450
And they're surfing websites they've never surfed before, or maybe they're opening email attachments

05:04.450 --> 05:05.770
that they've never opened before.

05:05.800 --> 05:10.990
This could be an indicator of compromise, where somebody has gotten access into their account and is

05:10.990 --> 05:16.000
remotely accessing different websites or different emails in order to download malicious activity or

05:16.000 --> 05:17.080
malicious malware.

05:17.110 --> 05:20.680
This comes into that abnormal user behavior that we need to be aware of.

05:20.710 --> 05:22.960
It could also be a sign of an internal threat.

05:22.960 --> 05:28.330
If we've got a user that is normally a stellar employee as far as cybersecurity is coming into play,

05:28.330 --> 05:31.900
but now they're starting to access servers that they've never accessed before.

05:31.930 --> 05:35.020
Maybe they're hitting file structures they've never messed with before.

05:35.020 --> 05:36.520
We need to be aware of that.

05:36.550 --> 05:39.760
Could it be abnormal user behavior, or is it part of their job?

05:39.760 --> 05:44.890
Maybe they've got promoted, maybe the requirements for the job that they currently

05:44.890 --> 05:46.300
are in have expanded.

05:46.330 --> 05:49.930
Those are perfectly legitimate uses for the new behavior that we're seeing.

05:49.930 --> 05:51.430
But we need to be aware of that.

05:51.460 --> 05:55.710
Abnormal user behavior could also mean that they're frustrated with their job and they're getting ready

05:55.710 --> 05:59.940
to quit, and they're trying to download the latest and greatest information from different servers

05:59.940 --> 06:01.800
so that they could sell it on the black market.

06:01.830 --> 06:03.750
That doesn't mean that's what they're going to do.

06:03.780 --> 06:08.490
It could be perfectly legitimate, but it's something that we need to be aware of as cybersecurity professionals.

06:08.520 --> 06:10.980
There's also something called unusual network traffic.

06:11.010 --> 06:13.110
This is where they're accessing different websites.

06:13.110 --> 06:14.940
Maybe they're accessing websites.

06:14.940 --> 06:15.810
They shouldn't.

06:15.870 --> 06:17.640
For instance, Facebook or Twitter.

06:17.640 --> 06:23.190
When we've locked down those machines, yet they're using a VPN to get around our network infrastructure.

06:23.220 --> 06:25.170
Maybe they're accessing a VPN website.

06:25.170 --> 06:28.740
And we see that that would be something that's unusual network traffic.

06:28.770 --> 06:30.900
It could also be inside our own internal network.

06:30.930 --> 06:32.820
It doesn't necessarily have to be something outside.

06:32.850 --> 06:37.650
It could also be inside where again, they're accessing those servers that they don't normally access.

06:37.680 --> 06:42.120
You can see where abnormal user behavior interlines with unusual network traffic.

06:42.150 --> 06:46.440
There's also unexpected system changes where the user is going in.

06:46.440 --> 06:48.180
And maybe they're changing their permissions.

06:48.180 --> 06:54.160
Maybe they're going through the process and suddenly deleting files or adding new files that they normally

06:54.160 --> 06:54.910
don't add on.

06:54.940 --> 06:59.410
There's basic users where they go in and they create a new file and they upload a lot of Word

06:59.410 --> 06:59.980
docs.

06:59.980 --> 07:01.060
But what have we got?

07:01.060 --> 07:05.110
A bunch of new files being uploaded and they're going into the windows system directory files.

07:05.110 --> 07:09.250
That's abnormal system behavior and unexpected system changes.

07:09.250 --> 07:11.650
We could also see traffic to known malware sites.

07:11.650 --> 07:16.690
This kind of corresponds with that unusual network traffic and of course known malware signatures where

07:16.690 --> 07:18.670
we've got employees clicking on phishing links.

07:18.670 --> 07:22.240
Or maybe they're purposely going onto these websites and downloading new malware.

07:22.240 --> 07:27.400
We once saw where an employee actually brought a USB drive and it had malware associated with it, and

07:27.400 --> 07:28.660
they plugged it into their machine.

07:28.660 --> 07:32.530
At first they tried to play it off as, oh, I didn't know where the USB came from.

07:32.530 --> 07:37.720
But on further investigation, we started to realize that the employee was actually using that USB drive

07:37.750 --> 07:42.490
to constantly upload new malware into the different computer systems which they were accessing.

07:42.490 --> 07:48.340
This is before we started locking off USB drives or USB connections, but you can kind of see the point.

07:48.340 --> 07:53.110
There's that careful consideration that you really have to come into play with: what is usual versus

07:53.110 --> 07:57.700
unusual, and is the employee truly doing it on accident versus on purpose?

07:57.700 --> 08:02.050
Internal threats are that careful balancing act of figuring out what the employee is attempting to do

08:02.080 --> 08:03.820
versus what they're trying to do.

08:03.850 --> 08:06.850
Here you can see the Pyramid of Pain developed by David Bianco.

08:06.880 --> 08:12.520
This was developed by him to kind of identify the different aspects of indicators of compromise and

08:12.520 --> 08:17.260
how they came into play with different levels of knowledge and also skill set.

08:17.260 --> 08:20.350
You can see at the very top where we have tactics, techniques and procedures.

08:20.350 --> 08:25.570
This is considered to be tough or challenging or very challenging, I should say, which is something

08:25.570 --> 08:27.940
that we don't normally see out of malicious actors.

08:28.060 --> 08:31.750
That doesn't mean that they're not always there, it just means they're highly skilled and understand

08:31.750 --> 08:32.740
what they want to do.

08:32.770 --> 08:34.300
We can also see different tools.

08:34.300 --> 08:35.260
These can be challenging.

08:35.260 --> 08:40.510
These tools can include something like, I don't know, Metasploit framework utilizing those different

08:40.510 --> 08:45.760
tools, maybe orbital strike to pull off a DDoS attack, or maybe even some password cracking tools

08:45.760 --> 08:48.610
that we may see fairly often, like Jack the Ripper.

08:48.610 --> 08:53.780
We can see these different tools and applying within our own network, and those are tough or challenging

08:53.780 --> 08:58.160
in order for us to not only prevent, but actually defend against.

08:58.190 --> 09:02.630
We can also see network or host artifacts, which are somewhat annoying to the cyber defense.

09:02.630 --> 09:09.080
And this provides us a different aspect of hey, while TTPs are very tough and they take a lot of legwork

09:09.080 --> 09:13.700
and tools can be somewhat challenging, network artifacts are just plain out annoying.

09:13.700 --> 09:17.210
That doesn't mean that they can't be costly in time or even resources.

09:17.210 --> 09:19.640
In fact, they can be very costly in time and resources.

09:19.640 --> 09:22.730
But they're annoying because there's so many of them that could come into play.

09:22.760 --> 09:24.410
Then we have something called domain names.

09:24.410 --> 09:25.580
These are simple and simple.

09:25.580 --> 09:27.830
We put in a firewall rule and we get rid of it.

09:27.860 --> 09:30.950
We also have IP addresses which are considered to be easy.

09:30.980 --> 09:34.370
Again, a firewall could stop that, even an IPS or an IDS.

09:34.370 --> 09:35.720
And then of course trivial.

09:35.750 --> 09:40.580
These are the hash values associated with different viruses or malware, which antivirus programs

09:40.580 --> 09:42.710
can pick up and stop. This Pyramid of Pain

09:42.710 --> 09:48.360
really kind of denotes the ability of our cyber task force or our cybersecurity team to deal with different

09:48.360 --> 09:51.960
methodologies that attackers may utilize against us as a cyber workforce.

09:51.990 --> 09:54.690
That doesn't mean that they're actually going against us every time.

09:54.690 --> 09:59.280
Sometimes, as you can see with IP addresses, it's just a known variant that we have to deal with

09:59.280 --> 10:00.570
on a day to day basis.

10:00.600 --> 10:06.660
VirusTotal was developed by Google and provides 70 plus antivirus scanners and URL domain blacklisting

10:06.660 --> 10:12.090
services to identify whether a URL or even a file has malicious activity within it.

10:12.120 --> 10:13.680
Let's take a look at one right now.

10:13.710 --> 10:16.230
Here you can see the website virustotal.com.

10:16.260 --> 10:18.450
Now this is the landing page for this website.

10:18.450 --> 10:20.760
And you can see here that we have file that we can upload.

10:20.760 --> 10:25.980
We have URL and we can even do a search factor for different IP addresses or other content that we want

10:26.010 --> 10:26.970
to be aware of.

10:27.000 --> 10:31.890
VirusTotal provides us kind of a seamless intervention within different aspects that we may or may not

10:31.890 --> 10:32.610
be aware of.

10:32.640 --> 10:37.860
I'm going to pull up a known site that we know is somewhat malicious and concerning.

10:37.860 --> 10:39.270
It's called Weekapaug.

10:39.270 --> 10:41.790
It's weekapaug.

10:41.820 --> 10:45.000
I'm going to hit the enter button right there, and it's going to go through the process.

10:45.000 --> 10:51.200
And here we can see that it's providing a CDF with malicious activity and it was considered malicious.

10:51.230 --> 10:54.080
We can also see something called Gridinsoft.

10:54.080 --> 10:55.580
It's suspicious.

10:55.580 --> 10:57.140
And again it's clean.

10:57.140 --> 10:59.420
This is a somewhat easy tool to utilize.

10:59.420 --> 11:02.150
Here at the very top you can see we can reanalyze.

11:02.150 --> 11:02.870
We can search.

11:02.900 --> 11:05.210
If we've got a paid subscription or a login.

11:05.240 --> 11:10.430
You can use the graph or even the API that you can utilize within your standard security set.

11:10.580 --> 11:16.340
This website provides us some good information for threat intelligence specific towards the files and

11:16.340 --> 11:19.760
URLs, but it provides us a good outlook of what's going on.

11:19.760 --> 11:24.410
And you can see here just by scrolling down, it gives me a lot of information at my fingertips.

11:24.410 --> 11:28.430
Very easy to use, very detailed and it's process.

11:28.430 --> 11:33.590
And we can see here CI radar, for instance, is the commercial off the shelf product that first discovered

11:33.590 --> 11:34.160
this.

11:34.160 --> 11:35.600
So that's VirusTotal.

11:35.630 --> 11:40.550
And this episode we discussed intelligence levels and how they correspond with you as a cyber analyst.

11:40.580 --> 11:44.300
We also talked about different threat intelligence and how that corresponds to the different threat

11:44.340 --> 11:46.140
intelligence levels that you need to be aware of.

11:46.170 --> 11:50.280
CySA takes a very high level overview of what we discussed today.

11:50.280 --> 11:55.680
You don't need to know the ins and outs of every single idiosyncrasy that comes along with threat intelligence,

11:55.890 --> 12:00.720
but you do need to have a high understanding or a high level overview of what you're trying to accomplish

12:00.720 --> 12:01.020
here.

12:01.050 --> 12:05.970
For instance, I wouldn't expect to see a lot of information or questions specific towards VirusTotal,

12:06.000 --> 12:11.010
but I would expect to see different levels of, say, intelligence levels and how they correspond with

12:11.010 --> 12:12.300
what you're trying to achieve.

12:12.330 --> 12:18.600
You may also get some information or have questions specific to the different aspects of where threat

12:18.600 --> 12:23.400
intelligence is actually sourced from those confidence levels that we discussed in earlier episodes,

12:23.400 --> 12:30.450
and then how that interplays with how you, an analyst, would go into intersection with threat intelligence

12:30.450 --> 12:31.350
as a whole.

12:31.380 --> 12:36.660
Again, we're really not looking at the idiosyncrasies or the deep dive in this aspect, but you do

12:36.660 --> 12:42.720
need to have a high level understanding of how threat intelligence corresponds with you as a cyber

12:42.720 --> 12:43.590
analyst.
