WEBVTT

1
00:00:00.000 --> 00:00:01.380
<v Instructor>In this lesson,</v>

2
00:00:01.380 --> 00:00:03.990
we will learn about counterintelligence

3
00:00:03.990 --> 00:00:06.270
and operational security.

4
00:00:06.270 --> 00:00:09.390
Counterintelligence and operational security

5
00:00:09.390 --> 00:00:13.410
are identifying and mitigating efforts by adversaries

6
00:00:13.410 --> 00:00:16.920
to gather intelligence or exploit weaknesses.

7
00:00:16.920 --> 00:00:20.310
Counterintelligence and operational security concepts

8
00:00:20.310 --> 00:00:25.020
include cyber deception as well as monitoring and response.

9
00:00:25.020 --> 00:00:27.930
Cyber deception is a proactive strategy

10
00:00:27.930 --> 00:00:31.290
that uses decoy systems, false data,

11
00:00:31.290 --> 00:00:34.650
or misleading information to confuse attackers

12
00:00:34.650 --> 00:00:37.740
and lure them away from critical assets,

13
00:00:37.740 --> 00:00:41.670
while monitoring and response ensures real-time tracking

14
00:00:41.670 --> 00:00:43.260
of potential intrusions

15
00:00:43.260 --> 00:00:47.040
and enables prompt action against detected threats.

16
00:00:47.040 --> 00:00:49.560
Let's learn more about cyber deception

17
00:00:49.560 --> 00:00:52.350
as well as monitoring and response.

18
00:00:52.350 --> 00:00:54.780
First, we have cyber deception.

19
00:00:54.780 --> 00:00:58.530
Cyber deception is a proactive defense strategy

20
00:00:58.530 --> 00:01:02.400
that involves creating fake assets, false data,

21
00:01:02.400 --> 00:01:05.160
or misleading pathways within a network

22
00:01:05.160 --> 00:01:07.950
to confuse and divert attackers.

23
00:01:07.950 --> 00:01:10.920
The main goal is to mislead adversaries

24
00:01:10.920 --> 00:01:13.650
into interacting with decoy systems,

25
00:01:13.650 --> 00:01:16.080
making it difficult for them to distinguish

26
00:01:16.080 --> 00:01:18.810
between real and fake targets.

27
00:01:18.810 --> 00:01:21.510
By setting up this deceptive environment,

28
00:01:21.510 --> 00:01:24.690
organizations can protect their critical assets

29
00:01:24.690 --> 00:01:26.820
from being directly targeted.

30
00:01:26.820 --> 00:01:31.380
So, cyber deception adds an extra layer of security

31
00:01:31.380 --> 00:01:34.050
by disrupting an attacker's ability

32
00:01:34.050 --> 00:01:37.380
to plan and execute a successful breach.

33
00:01:37.380 --> 00:01:41.400
The importance of cyber deception in enterprise networks

34
00:01:41.400 --> 00:01:45.780
lies in its ability to create uncertainty for attackers

35
00:01:45.780 --> 00:01:48.300
making their job more difficult.

36
00:01:48.300 --> 00:01:50.730
Unlike traditional security measures

37
00:01:50.730 --> 00:01:52.680
that aim to block access,

38
00:01:52.680 --> 00:01:55.890
deceptive tools actively engage attackers,

39
00:01:55.890 --> 00:01:57.510
forcing them to reveal

40
00:01:57.510 --> 00:02:00.270
their tactics, techniques and procedures.

41
00:02:00.270 --> 00:02:04.350
This strategy gives security teams valuable time

42
00:02:04.350 --> 00:02:08.580
to detect, observe, and analyze attacker methods

43
00:02:08.580 --> 00:02:13.200
often without the adversary realizing they're being tracked.

44
00:02:13.200 --> 00:02:17.520
As a result, cyber deception can be a powerful tool

45
00:02:17.520 --> 00:02:20.820
for reducing the chances of a successful breach

46
00:02:20.820 --> 00:02:24.930
and for gathering actionable intelligence on threats.

47
00:02:24.930 --> 00:02:29.460
Now, let's define an important decoy term, honey.

48
00:02:29.460 --> 00:02:31.020
When we use the word honey

49
00:02:31.020 --> 00:02:34.380
as part of a compound word like honeypot,

50
00:02:34.380 --> 00:02:36.240
we're referring to a decoy

51
00:02:36.240 --> 00:02:38.790
meant to lure an attacker to it.

52
00:02:38.790 --> 00:02:41.970
Using the term honey in compound words,

53
00:02:41.970 --> 00:02:44.580
there are four concepts to discuss:

54
00:02:44.580 --> 00:02:48.960
honeypot, honeynet, honeyfile, and honeytoken.

55
00:02:48.960 --> 00:02:52.290
A honeypot is a decoy system or server

56
00:02:52.290 --> 00:02:55.800
that appears to be a legitimate target within a network,

57
00:02:55.800 --> 00:03:00.120
but its sole purpose is to lure attackers into attacking it,

58
00:03:00.120 --> 00:03:02.430
then analyze their behavior.

59
00:03:02.430 --> 00:03:06.630
A honeypot serves no operational role in the organization,

60
00:03:06.630 --> 00:03:10.710
meaning any interaction with it is automatically suspicious.

61
00:03:10.710 --> 00:03:14.880
Next, a honeynet is a series of honeypots

62
00:03:14.880 --> 00:03:18.600
meant to simulate an entire network environment.

63
00:03:18.600 --> 00:03:23.100
A honeynet is set up to attract and deceive attackers,

64
00:03:23.100 --> 00:03:26.490
allowing security teams to observe attacks,

65
00:03:26.490 --> 00:03:30.450
and tactics, techniques and procedures, or TTPs,

66
00:03:30.450 --> 00:03:33.840
as they are launched at different decoy systems

67
00:03:33.840 --> 00:03:38.160
and services within the honeynet.

68
00:03:38.160 --> 00:03:42.690
Next, a honeyfile is a specific type of bait,

69
00:03:42.690 --> 00:03:45.660
typically a fake document or data file

70
00:03:45.660 --> 00:03:48.210
that is placed on a network or system

71
00:03:48.210 --> 00:03:51.900
with the goal of being accessed by attackers.

72
00:03:51.900 --> 00:03:54.390
Honeyfiles contain hidden triggers

73
00:03:54.390 --> 00:03:56.700
that notify the security team

74
00:03:56.700 --> 00:03:58.770
when they are opened or moved,

75
00:03:58.770 --> 00:04:02.370
providing an early warning of malicious activity.

76
00:04:02.370 --> 00:04:07.290
Last, a honeytoken is similar in concept to a honeyfile,

77
00:04:07.290 --> 00:04:09.570
but it can take on many forms,

78
00:04:09.570 --> 00:04:12.150
such as fake user credentials

79
00:04:12.150 --> 00:04:15.450
or a piece of data embedded in a database.

80
00:04:15.450 --> 00:04:18.540
When the honeytoken is accessed or used,

81
00:04:18.540 --> 00:04:22.050
it acts as a signal that an unauthorized party

82
00:04:22.050 --> 00:04:24.930
is interacting with sensitive systems.

83
00:04:24.930 --> 00:04:27.000
Each of these decoy systems

84
00:04:27.000 --> 00:04:29.610
is meant to take an attacker's attention

85
00:04:29.610 --> 00:04:33.030
so that production systems remain untouched.

86
00:04:33.030 --> 00:04:36.240
Additionally, by monitoring the TTPs

87
00:04:36.240 --> 00:04:38.220
used on the decoy systems,

88
00:04:38.220 --> 00:04:42.330
an organization can prepare more effective defenses

89
00:04:42.330 --> 00:04:44.340
on their production networks

90
00:04:44.340 --> 00:04:47.430
and provide intelligence back to the community

91
00:04:47.430 --> 00:04:50.100
if novel attacks are observed.

92
00:04:50.100 --> 00:04:53.310
Second, we have monitoring and response.

93
00:04:53.310 --> 00:04:55.050
Monitoring and response

94
00:04:55.050 --> 00:04:58.020
is continuously observing network traffic

95
00:04:58.020 --> 00:04:59.730
and system activity

96
00:04:59.730 --> 00:05:03.930
to detect potential security incidents in real time.

97
00:05:03.930 --> 00:05:06.330
The idea is to catch intrusions

98
00:05:06.330 --> 00:05:10.260
or other suspicious behavior as soon as possible

99
00:05:10.260 --> 00:05:13.710
so that the organization can respond swiftly

100
00:05:13.710 --> 00:05:15.660
to neutralize any threats.

101
00:05:15.660 --> 00:05:17.640
Effective monitoring tools

102
00:05:17.640 --> 00:05:20.190
such as intrusion detection systems,

103
00:05:20.190 --> 00:05:23.220
security information and event platforms,

104
00:05:23.220 --> 00:05:25.980
and behavioral analytics tools

105
00:05:25.980 --> 00:05:30.120
are designed to detect anomalies within a network.

106
00:05:30.120 --> 00:05:33.630
Anomalies include unusual login attempts,

107
00:05:33.630 --> 00:05:36.060
unauthorized data access,

108
00:05:36.060 --> 00:05:38.880
or unexpected network connections,

109
00:05:38.880 --> 00:05:41.970
each of which provides early warning signs

110
00:05:41.970 --> 00:05:43.230
of an attack.

111
00:05:43.230 --> 00:05:46.560
Response mechanisms, which are predefined actions,

112
00:05:46.560 --> 00:05:49.260
are then taken to mitigate the threats

113
00:05:49.260 --> 00:05:51.060
that caused the anomaly.

114
00:05:51.060 --> 00:05:53.010
These actions could involve

115
00:05:53.010 --> 00:05:56.190
automatically isolating compromised systems,

116
00:05:56.190 --> 00:05:58.500
blocking malicious network traffic,

117
00:05:58.500 --> 00:06:00.690
or notifying the security team

118
00:06:00.690 --> 00:06:03.510
to perform a manual investigation.

119
00:06:03.510 --> 00:06:05.550
A well-structured response plan

120
00:06:05.550 --> 00:06:08.520
ensures that the organization can contain

121
00:06:08.520 --> 00:06:11.220
and resolve security incidents

122
00:06:11.220 --> 00:06:14.190
with minimal damage and downtime.

123
00:06:14.190 --> 00:06:17.970
The overall importance of monitoring and response

124
00:06:17.970 --> 00:06:21.630
for enterprise networks cannot be overstated.

125
00:06:21.630 --> 00:06:26.310
Early detection of security incidents allows organizations

126
00:06:26.310 --> 00:06:31.140
to minimize the impact of an attack by acting quickly.

127
00:06:31.140 --> 00:06:35.310
Timely response then reduces the potential damage

128
00:06:35.310 --> 00:06:40.310
such as data loss, system downtime, or financial loss.

129
00:06:40.500 --> 00:06:42.840
In large enterprise environments

130
00:06:42.840 --> 00:06:44.520
where sensitive information

131
00:06:44.520 --> 00:06:47.640
is constantly being processed and stored,

132
00:06:47.640 --> 00:06:51.300
robust monitoring and a fast response plan

133
00:06:51.300 --> 00:06:54.840
protect both the business and its customers.

134
00:06:54.840 --> 00:06:59.040
An example of monitoring and response in action

135
00:06:59.040 --> 00:07:01.200
is a security information

136
00:07:01.200 --> 00:07:04.140
and event management, or SIEM, system.

137
00:07:04.140 --> 00:07:07.770
This system collects and analyzes logs

138
00:07:07.770 --> 00:07:11.040
from various devices across the network,

139
00:07:11.040 --> 00:07:14.310
searching for indicators of compromise.

140
00:07:14.310 --> 00:07:17.010
For instance, if a user's account

141
00:07:17.010 --> 00:07:22.010
suddenly starts accessing sensitive files at unusual hours,

142
00:07:22.200 --> 00:07:25.260
the SIEM could flag this as suspicious.

143
00:07:25.260 --> 00:07:29.040
A security analyst could then investigate further,

144
00:07:29.040 --> 00:07:31.350
potentially locking down the account

145
00:07:31.350 --> 00:07:33.930
before any real damage is done.

146
00:07:33.930 --> 00:07:38.160
This real-time detection and response capability

147
00:07:38.160 --> 00:07:42.630
provides operational security in modern enterprises.

148
00:07:42.630 --> 00:07:47.630
So, remember, counterintelligence and operational security

149
00:07:48.300 --> 00:07:52.710
focus on identifying and mitigating threats from adversaries

150
00:07:52.710 --> 00:07:57.120
trying to gather intelligence or exploit weaknesses.

151
00:07:57.120 --> 00:08:00.570
Two important concepts in this area

152
00:08:00.570 --> 00:08:04.440
are cyber deception, and monitoring and response.

153
00:08:04.440 --> 00:08:08.190
Cyber deception involves using fake assets

154
00:08:08.190 --> 00:08:11.880
and misleading information to confuse attackers

155
00:08:11.880 --> 00:08:14.310
and protect critical systems.

156
00:08:14.310 --> 00:08:16.740
Monitoring and response is about

157
00:08:16.740 --> 00:08:21.120
continuously observing network activity in real time

158
00:08:21.120 --> 00:08:24.900
to detect suspicious behavior and respond quickly

159
00:08:24.900 --> 00:08:29.103
to minimize damage from any potential attack.

