WEBVTT

1
00:00:00.210 --> 00:00:01.380
In this lesson,

2
00:00:01.380 --> 00:00:04.680
we will learn about Indicators of Attack.

3
00:00:04.680 --> 00:00:08.010
Indicators of Attack are observable behaviors

4
00:00:08.010 --> 00:00:13.010
and patterns that suggest an ongoing or imminent attack.

5
00:00:13.230 --> 00:00:17.160
Indicators of Attack focus on the Tactics, Techniques,

6
00:00:17.160 --> 00:00:22.160
and Procedures, or TTPs, that adversaries use.

7
00:00:22.350 --> 00:00:26.820
TTPs outline specific methods attackers employ

8
00:00:26.820 --> 00:00:30.330
to accomplish their goals such as spear-phishing

9
00:00:30.330 --> 00:00:32.280
to gain Initial Access,

10
00:00:32.280 --> 00:00:35.880
using PowerShell scripts for Privilege Escalation

11
00:00:35.880 --> 00:00:38.400
or leveraging Remote Desktop Protocol

12
00:00:38.400 --> 00:00:41.430
for Lateral Movement across systems.

13
00:00:41.430 --> 00:00:44.490
By identifying attacker TTPs,

14
00:00:44.490 --> 00:00:48.000
threat hunters can quickly detect malicious activities

15
00:00:48.000 --> 00:00:52.620
on their network and predict an attacker's next steps.

16
00:00:52.620 --> 00:00:55.560
Let's learn more about the Tactics, Techniques

17
00:00:55.560 --> 00:01:00.560
and Procedures, or TTPs, that adversaries use.

18
00:01:00.660 --> 00:01:04.423
Tactics, techniques, and procedures refer to the methods

19
00:01:04.423 --> 00:01:09.300
and strategies attackers use to carry out attacks.

20
00:01:09.300 --> 00:01:13.980
Tactics represent the overarching goal of the attack.

21
00:01:13.980 --> 00:01:17.340
Techniques are the specific actions taken

22
00:01:17.340 --> 00:01:19.710
to achieve these goals.

23
00:01:19.710 --> 00:01:23.700
And procedures describe the exact methods used

24
00:01:23.700 --> 00:01:26.010
to execute the techniques.

25
00:01:26.010 --> 00:01:30.930
Understanding TTPs enables threat hunters to search for

26
00:01:30.930 --> 00:01:33.960
and identify Indicators of Attack

27
00:01:33.960 --> 00:01:37.350
by recognizing patterns and behaviors.

28
00:01:37.350 --> 00:01:41.760
Then, by monitoring these behaviors with security tools,

29
00:01:41.760 --> 00:01:46.760
security teams can predict, detect and prevent attacks.

30
00:01:47.070 --> 00:01:49.658
Let's follow some specific TTPs

31
00:01:49.658 --> 00:01:52.440
through the threat hunting process

32
00:01:52.440 --> 00:01:57.330
and understand how Indicators of Attack may be discovered.

33
00:01:57.330 --> 00:02:02.330
The TTPs we will specifically follow are Initial Access,

34
00:02:02.400 --> 00:02:07.400
Privilege Escalation, Lateral Movement, Exfiltration,

35
00:02:07.470 --> 00:02:11.100
Command and Control, and Persistence.

36
00:02:11.100 --> 00:02:14.370
First, we have Initial Access.

37
00:02:14.370 --> 00:02:17.970
Initial Access is the first step attackers take

38
00:02:17.970 --> 00:02:19.980
to penetrate a network.

39
00:02:19.980 --> 00:02:22.920
Common techniques include phishing,

40
00:02:22.920 --> 00:02:27.480
exploiting vulnerabilities, and using stolen credentials.

41
00:02:27.480 --> 00:02:31.170
Threat hunters must detect these tactics quickly

42
00:02:31.170 --> 00:02:34.590
to prevent attackers from establishing a foothold

43
00:02:34.590 --> 00:02:35.850
in the network.

44
00:02:35.850 --> 00:02:39.090
Recognizing Initial Access TTPs,

45
00:02:39.090 --> 00:02:41.190
such as spear-phishing attempts

46
00:02:41.190 --> 00:02:45.510
or abnormal login activity allows security teams

47
00:02:45.510 --> 00:02:50.160
to block entry points and stop the attack from escalating.

48
00:02:50.160 --> 00:02:54.360
For example, security teams may detect a surge

49
00:02:54.360 --> 00:02:58.560
in login attempts from unfamiliar IP addresses

50
00:02:58.560 --> 00:03:01.590
or an increase in phishing reports.

51
00:03:01.590 --> 00:03:05.430
These signs could indicate an adversary's attempt

52
00:03:05.430 --> 00:03:07.200
to gain access.

53
00:03:07.200 --> 00:03:10.350
So tools like email filtering systems

54
00:03:10.350 --> 00:03:13.740
and multifactor authentication can be used

55
00:03:13.740 --> 00:03:16.740
to prevent successful phishing attempts,

56
00:03:16.740 --> 00:03:20.010
while Security Information and Event Management,

57
00:03:20.010 --> 00:03:22.260
or SIEM, systems can be used

58
00:03:22.260 --> 00:03:25.560
to track anomalies in login behavior.

59
00:03:25.560 --> 00:03:28.980
Second, we have Privilege Escalation.

60
00:03:28.980 --> 00:03:32.370
Privilege Escalation occurs when attackers attempt

61
00:03:32.370 --> 00:03:35.760
to elevate their access to higher levels,

62
00:03:35.760 --> 00:03:40.290
allowing them to control more sensitive data or systems.

63
00:03:40.290 --> 00:03:44.580
Common techniques include exploiting unpatched software,

64
00:03:44.580 --> 00:03:49.320
using malicious scripts or modifying user privileges.

65
00:03:49.320 --> 00:03:53.460
Detecting Privilege Escalation TTPs early

66
00:03:53.460 --> 00:03:54.990
helps prevent attackers

67
00:03:54.990 --> 00:03:58.740
from gaining deeper control over the network.

68
00:03:58.740 --> 00:04:01.410
To identify Privilege Escalation,

69
00:04:01.410 --> 00:04:05.430
threat hunters monitor suspicious PowerShell commands

70
00:04:05.430 --> 00:04:09.240
or unusual changes in user account privileges,

71
00:04:09.240 --> 00:04:13.230
which could signal an attempt to escalate privileges.

72
00:04:13.230 --> 00:04:15.990
Additionally, endpoint detection tools

73
00:04:15.990 --> 00:04:17.838
like CrowdStrike are useful

74
00:04:17.838 --> 00:04:21.300
for tracking abnormal script execution

75
00:04:21.300 --> 00:04:23.700
or privilege modifications.

76
00:04:23.700 --> 00:04:27.510
Detecting these behaviors enables security teams

77
00:04:27.510 --> 00:04:29.795
to lock down affected accounts

78
00:04:29.795 --> 00:04:33.150
and investigate malicious activities.

79
00:04:33.150 --> 00:04:36.120
Third, we have Lateral Movement.

80
00:04:36.120 --> 00:04:37.680
Lateral Movement refers

81
00:04:37.680 --> 00:04:40.380
to attackers shifting from one system

82
00:04:40.380 --> 00:04:45.300
to another within a network to reach high value targets

83
00:04:45.300 --> 00:04:47.310
or sensitive data.

84
00:04:47.310 --> 00:04:51.450
Techniques such as exploiting Remote Desktop Protocol

85
00:04:51.450 --> 00:04:56.450
or using administrative tools like PsExec are commonly used

86
00:04:56.640 --> 00:04:58.320
in Lateral Movement.

87
00:04:58.320 --> 00:05:03.320
So recognizing Lateral Movement TTPs can stop attackers

88
00:05:03.990 --> 00:05:07.800
from expanding their access across the network.

89
00:05:07.800 --> 00:05:10.710
Threat hunters may detect Lateral Movement

90
00:05:10.710 --> 00:05:14.790
through unusual Remote Desktop Protocol connections,

91
00:05:14.790 --> 00:05:18.180
or the use of administrative tools on systems

92
00:05:18.180 --> 00:05:20.460
that don't typically communicate.

93
00:05:20.460 --> 00:05:23.700
SIEM systems and network traffic analyzers can

94
00:05:23.700 --> 00:05:27.840
also help identify these types of activities,

95
00:05:27.840 --> 00:05:29.760
allowing security teams

96
00:05:29.760 --> 00:05:33.240
to isolate affected systems and investigate

97
00:05:33.240 --> 00:05:37.080
before an attacker reaches their ultimate target.

98
00:05:37.080 --> 00:05:40.290
Fourth, we have Exfiltration.

99
00:05:40.290 --> 00:05:42.900
Exfiltration occurs when attackers attempt

100
00:05:42.900 --> 00:05:47.900
to steal sensitive data and transmit it outside the network.

101
00:05:48.210 --> 00:05:52.560
Exfiltration techniques include using encrypted channels,

102
00:05:52.560 --> 00:05:55.680
disguising the data as normal traffic,

103
00:05:55.680 --> 00:05:58.800
or leveraging legitimate cloud services

104
00:05:58.800 --> 00:06:01.980
to exfiltrate the data unnoticed.

105
00:06:01.980 --> 00:06:06.980
So recognizing Exfiltration TTPs prevents data theft.

106
00:06:08.340 --> 00:06:13.340
Indicators of Exfiltration include unusual outbound traffic

107
00:06:13.410 --> 00:06:18.210
or large file transfers to external cloud services.

108
00:06:18.210 --> 00:06:22.080
Data loss prevention tools are effective in monitoring

109
00:06:22.080 --> 00:06:26.010
and blocking unauthorized data transfers like these.

110
00:06:26.010 --> 00:06:29.700
So when Exfiltration attempts are detected,

111
00:06:29.700 --> 00:06:33.870
security teams can immediately sever network access

112
00:06:33.870 --> 00:06:37.680
or disable accounts to prevent data loss.

113
00:06:37.680 --> 00:06:42.090
Fifth, we have Command and Control, or C2.

114
00:06:42.090 --> 00:06:43.710
C2 is the method

115
00:06:43.710 --> 00:06:47.100
by which attackers maintain communication

116
00:06:47.100 --> 00:06:49.110
with compromised systems,

117
00:06:49.110 --> 00:06:51.390
allowing them to control malware

118
00:06:51.390 --> 00:06:54.300
or exfiltrate data remotely.

119
00:06:54.300 --> 00:06:58.740
Common C2 techniques include DNS tunneling

120
00:06:58.740 --> 00:07:01.530
or connecting to malicious servers.

121
00:07:01.530 --> 00:07:05.190
So detecting C2 channels is vital

122
00:07:05.190 --> 00:07:07.680
to cutting off the attacker's ability

123
00:07:07.680 --> 00:07:10.740
to control the compromised systems.

124
00:07:10.740 --> 00:07:14.010
Threat hunters can detect C2 activity

125
00:07:14.010 --> 00:07:18.480
through unusual outbound connections to suspicious domains

126
00:07:18.480 --> 00:07:21.570
or unexpected DNS queries.

127
00:07:21.570 --> 00:07:23.430
Intrusion detection systems

128
00:07:23.430 --> 00:07:26.970
and network monitoring tools can help identify

129
00:07:26.970 --> 00:07:29.580
and sever these C2 channels,

130
00:07:29.580 --> 00:07:31.860
disrupting the attacker's control

131
00:07:31.860 --> 00:07:34.320
and preventing further damage.

132
00:07:34.320 --> 00:07:38.010
Sixth and last, we have Persistence.

133
00:07:38.010 --> 00:07:42.180
Persistence techniques allow attackers to maintain access

134
00:07:42.180 --> 00:07:47.100
to a system even after their initial presence is detected.

135
00:07:47.100 --> 00:07:49.740
Common Persistence methods include

136
00:07:49.740 --> 00:07:54.450
creating new administrative controls, installing back doors,

137
00:07:54.450 --> 00:07:57.150
or modifying system settings.

138
00:07:57.150 --> 00:08:01.560
So detecting Persistence TTPs can ensure

139
00:08:01.560 --> 00:08:04.170
attackers do not regain access

140
00:08:04.170 --> 00:08:07.020
after being removed from the network.

141
00:08:07.020 --> 00:08:10.800
Threat hunters can identify Persistence by monitoring

142
00:08:10.800 --> 00:08:14.490
for the creation of unauthorized user accounts

143
00:08:14.490 --> 00:08:18.570
or unexpected changes in system configurations.

144
00:08:18.570 --> 00:08:21.450
And Endpoint Detection and Response,

145
00:08:21.450 --> 00:08:24.120
or EDR, tools like Carbon Black

146
00:08:24.120 --> 00:08:28.230
or CrowdStrike can alert teams to these behaviors,

147
00:08:28.230 --> 00:08:32.670
allowing security teams to remove the attacker's foothold

148
00:08:32.670 --> 00:08:34.710
and prevent reentry.

149
00:08:34.710 --> 00:08:35.610
In the end,

150
00:08:35.610 --> 00:08:40.560
setting up alerts for known TTPs allows security teams

151
00:08:40.560 --> 00:08:43.620
to detect suspicious activity early

152
00:08:43.620 --> 00:08:47.010
and respond before the attack escalates.

153
00:08:47.010 --> 00:08:51.540
For instance, if an EDR tool detects a known malicious

154
00:08:51.540 --> 00:08:55.680
PowerShell script used for Privilege Escalation,

155
00:08:55.680 --> 00:08:59.850
teams can investigate and neutralize the threat swiftly.

156
00:08:59.850 --> 00:09:03.236
And by using a combination of these tools

157
00:09:03.236 --> 00:09:07.530
and threat intelligence, organizations can stay ahead

158
00:09:07.530 --> 00:09:11.670
of attackers and safeguard their critical assets.

159
00:09:11.670 --> 00:09:16.670
So remember, Indicators of Attack are patterns

160
00:09:16.680 --> 00:09:21.680
and behaviors that signal an ongoing or imminent attack.

161
00:09:21.780 --> 00:09:25.140
Indicators of Attack are based on the Tactics,

162
00:09:25.140 --> 00:09:28.680
Techniques and Procedures, or TTPs,

163
00:09:28.680 --> 00:09:33.480
that attackers use, which outline their goals and methods.

164
00:09:33.480 --> 00:09:35.190
In an enterprise setting,

165
00:09:35.190 --> 00:09:40.190
understanding TTPs helps security teams detect attacks

166
00:09:40.230 --> 00:09:42.150
before they escalate.

167
00:09:42.150 --> 00:09:45.540
So by actively searching for TTPs,

168
00:09:45.540 --> 00:09:49.320
such as Initial Access, Privilege Escalation,

169
00:09:49.320 --> 00:09:52.710
Lateral Movement, Data Exfiltration,

170
00:09:52.710 --> 00:09:55.920
Command and Control, and Persistence,

171
00:09:55.920 --> 00:09:58.620
security teams can prevent attackers

172
00:09:58.620 --> 00:10:01.230
from compromising critical systems

173
00:10:01.230 --> 00:10:04.020
or stealing sensitive information.

174
00:10:04.020 --> 00:10:06.840
This proactive approach combined

175
00:10:06.840 --> 00:10:10.590
with the right tools like Endpoint Detection and Response

176
00:10:10.590 --> 00:10:15.300
and SIEM platforms helps keep organizations protected

177
00:10:15.300 --> 00:10:19.113
and one step ahead of potential threats.

