WEBVTT

1
00:00:00.270 --> 00:00:01.860
In this section of the course,

2
00:00:01.860 --> 00:00:04.470
we are going to discuss threat-hunting.

3
00:00:04.470 --> 00:00:06.720
The threat-hunting section of the course

4
00:00:06.720 --> 00:00:10.170
focuses on Domain 2, Security Architecture,

5
00:00:10.170 --> 00:00:13.080
and Domain 4, Security Operations,

6
00:00:13.080 --> 00:00:17.640
specifically, Objectives 2.3 and 4.3.

7
00:00:17.640 --> 00:00:20.880
Objective 2.3 states that given a scenario,

8
00:00:20.880 --> 00:00:24.240
you must be able to integrate appropriate controls

9
00:00:24.240 --> 00:00:27.240
in the design of a secure architecture.

10
00:00:27.240 --> 00:00:30.570
And Objective 4.3 states that given a scenario,

11
00:00:30.570 --> 00:00:32.700
you must be able to apply threat-hunting

12
00:00:32.700 --> 00:00:34.860
and threat intelligence concepts.

13
00:00:34.860 --> 00:00:37.110
Threat-hunting is a proactive approach

14
00:00:37.110 --> 00:00:39.150
to identifying potential threats

15
00:00:39.150 --> 00:00:42.180
within an organization's network by assuming breach

16
00:00:42.180 --> 00:00:45.060
and then searching for signs of malicious activity.

17
00:00:45.060 --> 00:00:47.310
Threat-hunting involves analyzing patterns

18
00:00:47.310 --> 00:00:48.960
of behavior and data

19
00:00:48.960 --> 00:00:51.300
to detect anomalies and hidden threats

20
00:00:51.300 --> 00:00:54.390
that might go unnoticed by traditional defenses.

21
00:00:54.390 --> 00:00:58.080
Drawing on both internal and external intelligence sources,

22
00:00:58.080 --> 00:01:00.360
threat-hunters gather valuable information

23
00:01:00.360 --> 00:01:02.190
to track potential attackers

24
00:01:02.190 --> 00:01:04.320
and improve response strategies.

25
00:01:04.320 --> 00:01:07.050
The threat-hunting process is further enhanced

26
00:01:07.050 --> 00:01:09.120
by sharing indicators of compromise

27
00:01:09.120 --> 00:01:11.610
with trusted partners, industry groups,

28
00:01:11.610 --> 00:01:14.040
or threat intelligence platforms.

29
00:01:14.040 --> 00:01:15.720
As we go through this section,

30
00:01:15.720 --> 00:01:18.930
we will cover many topics related to threat-hunting,

31
00:01:18.930 --> 00:01:21.510
including Indicators of Attack,

32
00:01:21.510 --> 00:01:25.650
behavior and data analysis, internal intelligence sources,

33
00:01:25.650 --> 00:01:28.410
detection and threat-hunting enablers,

34
00:01:28.410 --> 00:01:30.420
external intelligence sources,

35
00:01:30.420 --> 00:01:32.490
Threat Intelligence Platforms,

36
00:01:32.490 --> 00:01:36.600
indicator of compromise sharing, rule-based languages,

37
00:01:36.600 --> 00:01:40.950
as well as counterintelligence and operational security.

38
00:01:40.950 --> 00:01:44.220
First, we will look at Indicators of Attack.

39
00:01:44.220 --> 00:01:47.250
Indicators of Attack are observable behaviors

40
00:01:47.250 --> 00:01:51.450
and patterns that suggest an ongoing or imminent attack.

41
00:01:51.450 --> 00:01:52.560
Indicators of Attack

42
00:01:52.560 --> 00:01:55.500
focus on the tactics, techniques, and procedures,

43
00:01:55.500 --> 00:01:58.860
or TTPs, that adversaries use.

44
00:01:58.860 --> 00:02:02.310
TTPs outline specific methods attackers employ

45
00:02:02.310 --> 00:02:04.020
to accomplish their goals,

46
00:02:04.020 --> 00:02:06.630
such as spear phishing to gain initial access,

47
00:02:06.630 --> 00:02:09.540
using PowerShell scripts for privilege escalation,

48
00:02:09.540 --> 00:02:11.640
or leveraging remote desktop protocol

49
00:02:11.640 --> 00:02:14.160
for lateral movement across systems.

50
00:02:14.160 --> 00:02:16.860
By identifying attacker TTPs,

51
00:02:16.860 --> 00:02:19.440
threat-hunters can quickly detect malicious activities

52
00:02:19.440 --> 00:02:23.130
on their network and predict an attacker's next step.

53
00:02:23.130 --> 00:02:25.560
For example, if threat-hunters identify

54
00:02:25.560 --> 00:02:27.900
an unusual use of PowerShell

55
00:02:27.900 --> 00:02:30.840
combined with attempts to disable security tools

56
00:02:30.840 --> 00:02:33.180
or suspicious process injections,

57
00:02:33.180 --> 00:02:36.960
they may recognize these as TTPs for privilege escalation,

58
00:02:36.960 --> 00:02:40.230
enabling a faster response to contain the attack.

59
00:02:40.230 --> 00:02:44.130
Next, we will explore behavior and data analysis.

60
00:02:44.130 --> 00:02:46.080
Behavior and data analysis involves

61
00:02:46.080 --> 00:02:48.150
examining patterns and anomalies

62
00:02:48.150 --> 00:02:50.520
in systems and user activities

63
00:02:50.520 --> 00:02:54.390
to detect signs of potential threats or malicious behavior.

64
00:02:54.390 --> 00:02:57.420
Behavior and data analysis concepts include:

65
00:02:57.420 --> 00:02:59.250
internal intelligence sources,

66
00:02:59.250 --> 00:03:01.260
such as internal reconnaissance,

67
00:03:01.260 --> 00:03:03.120
hypothesis-based searches,

68
00:03:03.120 --> 00:03:06.480
and User Behavior Analytics, or UBA.

69
00:03:06.480 --> 00:03:09.330
Internal reconnaissance enables the identification

70
00:03:09.330 --> 00:03:12.720
of attacker efforts to gather information within a network.

71
00:03:12.720 --> 00:03:14.880
Internal reconnaissance may be identified

72
00:03:14.880 --> 00:03:18.840
as malicious scanning for vulnerabilities or sensitive data.

73
00:03:18.840 --> 00:03:21.240
Next, hypothesis-based searches

74
00:03:21.240 --> 00:03:24.150
are driven by specific assumptions or scenarios

75
00:03:24.150 --> 00:03:27.240
about how an attacker might operate within the network.

76
00:03:27.240 --> 00:03:30.090
These assumptions guide the threat-hunter's search

77
00:03:30.090 --> 00:03:31.950
for relevant indicators.

78
00:03:31.950 --> 00:03:36.090
Finally, User Behavior Analytics monitors user actions

79
00:03:36.090 --> 00:03:38.430
and flags unusual behavior.

80
00:03:38.430 --> 00:03:40.380
Unusual behavior could include

81
00:03:40.380 --> 00:03:43.320
accessing sensitive data at odd hours

82
00:03:43.320 --> 00:03:45.870
or from unexpected locations.

83
00:03:45.870 --> 00:03:49.080
In application, if user behavior analytics detects

84
00:03:49.080 --> 00:03:52.200
an employee downloading large amounts of sensitive data

85
00:03:52.200 --> 00:03:54.180
outside normal working hours,

86
00:03:54.180 --> 00:03:56.730
threat-hunters might assume a breach has occurred

87
00:03:56.730 --> 00:03:59.520
and look further for signs of internal reconnaissance,

88
00:03:59.520 --> 00:04:02.070
such as unusual network activity

89
00:04:02.070 --> 00:04:04.110
or privilege escalation attempts.

90
00:04:04.110 --> 00:04:05.850
That would help them confirm

91
00:04:05.850 --> 00:04:08.610
whether credential compromise has occurred.

92
00:04:08.610 --> 00:04:12.480
After that, we will look at internal intelligence sources.

93
00:04:12.480 --> 00:04:15.960
Internal intelligence sources include the data and insights

94
00:04:15.960 --> 00:04:17.010
gathered from within

95
00:04:17.010 --> 00:04:19.800
an organization's own network and systems

96
00:04:19.800 --> 00:04:22.140
to identify potential threats.

97
00:04:22.140 --> 00:04:24.390
Internal intelligence sources include:

98
00:04:24.390 --> 00:04:28.890
adversary emulation engagements, honeypots, and honeynets.

99
00:04:28.890 --> 00:04:30.870
Adversary emulation engagements

100
00:04:30.870 --> 00:04:34.200
simulate real-world attacker behavior within the network.

101
00:04:34.200 --> 00:04:37.680
Adversary emulation engagements allow security teams

102
00:04:37.680 --> 00:04:39.060
to observe how attackers

103
00:04:39.060 --> 00:04:41.430
might actually exploit vulnerabilities,

104
00:04:41.430 --> 00:04:43.860
enabling defenses to be put in place.

105
00:04:43.860 --> 00:04:46.260
Honeypots are decoy systems set up

106
00:04:46.260 --> 00:04:48.750
to attract and detect real attackers

107
00:04:48.750 --> 00:04:51.240
by mimicking valuable assets.

108
00:04:51.240 --> 00:04:55.800
Honeynets are networks of honeypots designed to be attacked.

109
00:04:55.800 --> 00:04:58.740
Both honeypots and honeynets are monitored

110
00:04:58.740 --> 00:05:02.310
to capture detailed information about attacker tactics.

111
00:05:02.310 --> 00:05:04.710
In application, if a honeypot detects

112
00:05:04.710 --> 00:05:08.130
an unauthorized login attempt or malicious activity,

113
00:05:08.130 --> 00:05:11.160
threat-hunters can analyze the attacker's behavior.

114
00:05:11.160 --> 00:05:12.990
Then, threat-hunters can use

115
00:05:12.990 --> 00:05:15.030
internally-generated intelligence

116
00:05:15.030 --> 00:05:17.490
to better protect production assets

117
00:05:17.490 --> 00:05:19.980
and refine their detection strategies.

118
00:05:19.980 --> 00:05:22.140
Next, we will explore detection

119
00:05:22.140 --> 00:05:24.030
and threat-hunting enablers.

120
00:05:24.030 --> 00:05:26.040
Detection and threat-hunting enablers

121
00:05:26.040 --> 00:05:28.020
are the tools and infrastructures

122
00:05:28.020 --> 00:05:30.630
that facilitate the discovery and investigation

123
00:05:30.630 --> 00:05:32.670
of threats within a network.

124
00:05:32.670 --> 00:05:35.550
Detection and threat-hunting enabler concepts include:

125
00:05:35.550 --> 00:05:38.940
sensor placement, continuous monitoring, alerting,

126
00:05:38.940 --> 00:05:40.770
and centralized logging.

127
00:05:40.770 --> 00:05:42.000
Sensor placement involves

128
00:05:42.000 --> 00:05:44.280
strategically positioning monitoring devices

129
00:05:44.280 --> 00:05:47.280
across the network to capture critical data.

130
00:05:47.280 --> 00:05:48.990
Continuous monitoring ensures

131
00:05:48.990 --> 00:05:51.930
that all network activities are consistently tracked

132
00:05:51.930 --> 00:05:54.150
for any signs of malicious behavior.

133
00:05:54.150 --> 00:05:56.400
Alerting is used to trigger notifications

134
00:05:56.400 --> 00:05:58.470
based on predefined criteria.

135
00:05:58.470 --> 00:06:00.720
Alerting can flag suspicious events

136
00:06:00.720 --> 00:06:02.490
for further investigation.

137
00:06:02.490 --> 00:06:05.160
Centralized logging aggregates logs

138
00:06:05.160 --> 00:06:07.740
from various sources into a single platform

139
00:06:07.740 --> 00:06:10.500
for easier and more efficient analysis.

140
00:06:10.500 --> 00:06:13.530
In practice, a security team might place sensors

141
00:06:13.530 --> 00:06:15.330
at key network junctions,

142
00:06:15.330 --> 00:06:18.750
use continuous monitoring to track real-time activity,

143
00:06:18.750 --> 00:06:21.210
and rely on alerting and centralized logging

144
00:06:21.210 --> 00:06:24.240
to detect and investigate abnormal traffic patterns

145
00:06:24.240 --> 00:06:27.120
that could indicate a potential network breach.

146
00:06:27.120 --> 00:06:28.650
Following that, we will look

147
00:06:28.650 --> 00:06:31.110
at external intelligence sources.

148
00:06:31.110 --> 00:06:33.240
External intelligence sources include data

149
00:06:33.240 --> 00:06:36.060
and insights gathered from outside an organization

150
00:06:36.060 --> 00:06:37.710
that are used to help identify

151
00:06:37.710 --> 00:06:40.050
potential threats or vulnerabilities.

152
00:06:40.050 --> 00:06:41.460
External intelligence sources

153
00:06:41.460 --> 00:06:44.550
include Open-source Intelligence, or OSINT,

154
00:06:44.550 --> 00:06:48.600
Information Sharing and Analysis Centers, or ISACs,

155
00:06:48.600 --> 00:06:52.560
reliability factors, and dark web monitoring.

156
00:06:52.560 --> 00:06:56.190
OSINT includes collecting publicly available information

157
00:06:56.190 --> 00:06:59.940
from websites or forums to spot emerging threats.

158
00:06:59.940 --> 00:07:02.070
ISACs provide threat intelligence

159
00:07:02.070 --> 00:07:04.350
and collaboration among industries.

160
00:07:04.350 --> 00:07:07.140
Reliability factors assess the trustworthiness

161
00:07:07.140 --> 00:07:08.760
of external sources,

162
00:07:08.760 --> 00:07:11.370
ensuring that the gathered intelligence is credible.

163
00:07:11.370 --> 00:07:14.220
And dark web monitoring tracks criminal activities

164
00:07:14.220 --> 00:07:15.630
and potential data leaks

165
00:07:15.630 --> 00:07:18.120
that could signal a targeted attack.

166
00:07:18.120 --> 00:07:21.840
For example, a threat-hunting team may use OSINT

167
00:07:21.840 --> 00:07:23.400
to track a new vulnerability

168
00:07:23.400 --> 00:07:25.500
being discussed on public forums,

169
00:07:25.500 --> 00:07:28.650
validate the intelligence through ISAC reports,

170
00:07:28.650 --> 00:07:30.240
and monitor the dark web

171
00:07:30.240 --> 00:07:32.370
for signs of compromised credentials

172
00:07:32.370 --> 00:07:34.680
linked to their organization.

173
00:07:34.680 --> 00:07:38.370
Then, we will explore Threat Intelligence Platforms.

174
00:07:38.370 --> 00:07:40.380
Threat intelligence platforms are tools

175
00:07:40.380 --> 00:07:43.740
that gather, analyze, and distribute threat data

176
00:07:43.740 --> 00:07:48.000
to help organizations detect and respond to security risks.

177
00:07:48.000 --> 00:07:49.770
These platforms pull intelligence

178
00:07:49.770 --> 00:07:51.780
from various third-party vendors

179
00:07:51.780 --> 00:07:54.990
who offer comprehensive threat feeds with information

180
00:07:54.990 --> 00:07:59.100
on emerging threats, vulnerabilities, and attacker tactics.

181
00:07:59.100 --> 00:08:00.810
Examples of third-party vendors

182
00:08:00.810 --> 00:08:05.340
include Recorded Future, FireEye and CrowdStrike.

183
00:08:05.340 --> 00:08:07.800
Threat intelligence platforms allow organizations

184
00:08:07.800 --> 00:08:10.110
to cross-reference external intelligence

185
00:08:10.110 --> 00:08:12.060
with internal logs and data

186
00:08:12.060 --> 00:08:16.140
to enhance their ability to identify and respond to threats.

187
00:08:16.140 --> 00:08:18.660
For example, a threat intelligence platform

188
00:08:18.660 --> 00:08:21.390
might integrate intelligence from FireEye

189
00:08:21.390 --> 00:08:23.700
to identify a new phishing campaign

190
00:08:23.700 --> 00:08:25.710
targeting specific industries

191
00:08:25.710 --> 00:08:28.320
by using compromised email accounts.

192
00:08:28.320 --> 00:08:30.750
This intelligence could allow the security team

193
00:08:30.750 --> 00:08:33.120
to update their email security gateway

194
00:08:33.120 --> 00:08:34.830
with the latest indicators,

195
00:08:34.830 --> 00:08:37.710
including known malicious sender addresses,

196
00:08:37.710 --> 00:08:40.140
URLs and attachment hashes.

197
00:08:40.140 --> 00:08:42.180
As a result, the security team

198
00:08:42.180 --> 00:08:44.580
can proactively block phishing emails

199
00:08:44.580 --> 00:08:47.220
preventing them from reaching users' inboxes

200
00:08:47.220 --> 00:08:48.390
and reducing the risk

201
00:08:48.390 --> 00:08:51.120
of credential theft or malware discovery.

202
00:08:51.120 --> 00:08:54.630
Next, we will look at Indicator of Compromise sharing.

203
00:08:54.630 --> 00:08:56.250
Indicator of Compromise sharing

204
00:08:56.250 --> 00:08:58.050
is the exchange of data related

205
00:08:58.050 --> 00:08:59.940
to potential security threats.

206
00:08:59.940 --> 00:09:01.890
Indicator of Compromise sharing

207
00:09:01.890 --> 00:09:03.870
includes malicious IP addresses

208
00:09:03.870 --> 00:09:07.200
or file hashes shared between organizations

209
00:09:07.200 --> 00:09:10.980
to improve individual detection and response efforts.

210
00:09:10.980 --> 00:09:14.220
Indicator of Compromise sharing concepts include

211
00:09:14.220 --> 00:09:17.850
Structured Threat Information eXpression, or STIX,

212
00:09:17.850 --> 00:09:19.500
Trusted Automated eXchange

213
00:09:19.500 --> 00:09:22.080
of Intelligence Information, or TAXII,

214
00:09:22.080 --> 00:09:25.770
and Automated Indicator Sharing, or AIS.

215
00:09:25.770 --> 00:09:27.840
STIX is a standardized language used

216
00:09:27.840 --> 00:09:29.910
to represent threat information.

217
00:09:29.910 --> 00:09:31.500
TAXII provides the protocol

218
00:09:31.500 --> 00:09:34.980
for sharing threat information securely and efficiently.

219
00:09:34.980 --> 00:09:38.790
Automated Indicator Sharing, a US government initiative,

220
00:09:38.790 --> 00:09:41.940
enables the real-time sharing of cyber threat indicators

221
00:09:41.940 --> 00:09:44.370
between public and private sectors.

222
00:09:44.370 --> 00:09:47.760
For example, an organization might use STIX

223
00:09:47.760 --> 00:09:49.440
to format threat data,

224
00:09:49.440 --> 00:09:52.170
share it via TAXII with other companies,

225
00:09:52.170 --> 00:09:55.350
and participate in the Automated Indicator Program

226
00:09:55.350 --> 00:09:56.550
to receive alerts

227
00:09:56.550 --> 00:09:59.610
about emerging threats targeting their industry.

228
00:09:59.610 --> 00:10:03.030
After that, we will explore rule-based languages.

229
00:10:03.030 --> 00:10:04.560
Rule-based languages are used

230
00:10:04.560 --> 00:10:06.480
to create patterns and detection rules

231
00:10:06.480 --> 00:10:10.110
to identify specific malicious activities or behaviors

232
00:10:10.110 --> 00:10:12.030
within systems and networks.

233
00:10:12.030 --> 00:10:14.940
Rule-based language examples include Sigma,

234
00:10:14.940 --> 00:10:18.900
Yet Another Recursive Acronym, or YARA, and RITA.

235
00:10:18.900 --> 00:10:21.090
Sigma is a generic rule-based language

236
00:10:21.090 --> 00:10:23.100
for defining security event patterns

237
00:10:23.100 --> 00:10:25.110
across multiple platforms.

238
00:10:25.110 --> 00:10:27.870
YARA is designed to help researchers identify

239
00:10:27.870 --> 00:10:32.070
and classify malware by defining specific patterns in files.

240
00:10:32.070 --> 00:10:34.710
RITA is an open-source framework used

241
00:10:34.710 --> 00:10:36.930
for detecting network anomalies.

242
00:10:36.930 --> 00:10:40.200
Snort is an open-source network intrusion detection

243
00:10:40.200 --> 00:10:41.370
and prevention system

244
00:10:41.370 --> 00:10:44.340
that analyzes network traffic in real-time

245
00:10:44.340 --> 00:10:46.890
to detect and block malicious activity

246
00:10:46.890 --> 00:10:49.920
using a set of predefined rules and signatures.

247
00:10:49.920 --> 00:10:53.850
For example, a threat-hunter might use Sigma rules

248
00:10:53.850 --> 00:10:56.610
to create platform agnostic alerts

249
00:10:56.610 --> 00:10:58.410
for known attack patterns,

250
00:10:58.410 --> 00:11:01.980
deploy YARA to scan for specific malware signatures,

251
00:11:01.980 --> 00:11:04.740
and use Snort to monitor network traffic

252
00:11:04.740 --> 00:11:07.230
for signs of an ongoing attack.

253
00:11:07.230 --> 00:11:09.600
Finally, we will look at counterintelligence

254
00:11:09.600 --> 00:11:11.370
and operational security.

255
00:11:11.370 --> 00:11:13.530
Counterintelligence and operational security

256
00:11:13.530 --> 00:11:16.590
involve identifying and mitigating efforts by adversaries

257
00:11:16.590 --> 00:11:19.500
to gather intelligence or exploit weaknesses.

258
00:11:19.500 --> 00:11:22.200
Counterintelligence and operational security concepts

259
00:11:22.200 --> 00:11:26.880
include cyber deception as well as monitoring and response.

260
00:11:26.880 --> 00:11:29.130
Cyber deception is a proactive strategy

261
00:11:29.130 --> 00:11:32.100
that uses decoy systems, false data,

262
00:11:32.100 --> 00:11:35.160
or misleading information to confuse attackers

263
00:11:35.160 --> 00:11:38.220
and lure them away from critical assets.

264
00:11:38.220 --> 00:11:41.070
Monitoring and response ensures real-time tracking

265
00:11:41.070 --> 00:11:42.480
of potential intrusions,

266
00:11:42.480 --> 00:11:46.140
and enables prompt action against detected threats.

267
00:11:46.140 --> 00:11:48.990
For example, an organization may deploy

268
00:11:48.990 --> 00:11:50.670
a network of honeypots

269
00:11:50.670 --> 00:11:53.130
designed to mimic high-value targets

270
00:11:53.130 --> 00:11:56.220
such as critical databases or admin servers.

271
00:11:56.220 --> 00:11:59.820
This would be a part of their cyber deception strategy.

272
00:11:59.820 --> 00:12:02.010
These honeypots could lure attackers

273
00:12:02.010 --> 00:12:03.810
into revealing their tactics

274
00:12:03.810 --> 00:12:06.420
while the organization's monitoring systems

275
00:12:06.420 --> 00:12:08.550
track their actions in real-time.

276
00:12:08.550 --> 00:12:11.340
As the attackers attempt to exploit the decoys,

277
00:12:11.340 --> 00:12:14.430
the security team can collect valuable intelligence

278
00:12:14.430 --> 00:12:16.410
on their methods and techniques,

279
00:12:16.410 --> 00:12:18.780
all while preventing any real damage

280
00:12:18.780 --> 00:12:20.460
to critical infrastructure.

281
00:12:20.460 --> 00:12:23.340
This proactive approach to operational security

282
00:12:23.340 --> 00:12:24.690
allows the organization

283
00:12:24.690 --> 00:12:27.330
to not only delay the attacker's progress,

284
00:12:27.330 --> 00:12:29.190
but also strengthen defenses,

285
00:12:29.190 --> 00:12:32.040
and prepare countermeasures for future attacks.

286
00:12:32.040 --> 00:12:34.680
To finish things off, we'll take a short quiz

287
00:12:34.680 --> 00:12:37.680
to see what you learned during this section of the course,

288
00:12:37.680 --> 00:12:41.490
and we will review each of those quiz questions fully

289
00:12:41.490 --> 00:12:44.580
to ensure you can explain why the right answers were right

290
00:12:44.580 --> 00:12:46.440
and the wrong answers were wrong.

291
00:12:46.440 --> 00:12:49.500
So, let's get ready to dive into threat-hunting

292
00:12:49.500 --> 00:12:51.393
in this section of the course.

