WEBVTT 1 00:00:00.120 --> 00:00:01.440 In this lesson, 2 00:00:01.440 --> 00:00:05.700 we will learn about behavior and data analysis. 3 00:00:05.700 --> 00:00:07.800 Behavior and data analysis 4 00:00:07.800 --> 00:00:11.190 involves examining patterns and anomalies 5 00:00:11.190 --> 00:00:14.010 in system and user activities 6 00:00:14.010 --> 00:00:18.540 to detect signs of potential threats or malicious behavior. 7 00:00:18.540 --> 00:00:21.240 Behavior and data analysis concepts 8 00:00:21.240 --> 00:00:24.300 include internal intelligence sources, 9 00:00:24.300 --> 00:00:26.790 such as internal reconnaissance, 10 00:00:26.790 --> 00:00:29.070 hypothesis-based searches, 11 00:00:29.070 --> 00:00:31.890 and user behavior analytics. 12 00:00:31.890 --> 00:00:33.420 Internal reconnaissance 13 00:00:33.420 --> 00:00:37.080 enables the identification of attacker efforts 14 00:00:37.080 --> 00:00:40.260 to gather information within a network. 15 00:00:40.260 --> 00:00:43.920 Next, hypothesis-based searches are driven 16 00:00:43.920 --> 00:00:46.980 by specific assumptions or scenarios 17 00:00:46.980 --> 00:00:51.000 about how an attacker might operate within the network. 18 00:00:51.000 --> 00:00:55.170 Finally, user behavior analytics, or UBA, 19 00:00:55.170 --> 00:00:59.910 monitors user actions and flags unusual behavior. 20 00:00:59.910 --> 00:01:03.000 Let's learn more about internal reconnaissance, 21 00:01:03.000 --> 00:01:05.250 hypothesis-based searches, 22 00:01:05.250 --> 00:01:08.100 and user behavior analytics. 23 00:01:08.100 --> 00:01:11.640 First, we have internal reconnaissance. 24 00:01:11.640 --> 00:01:13.620 Internal reconnaissance refers 25 00:01:13.620 --> 00:01:16.590 to the activities an attacker conducts 26 00:01:16.590 --> 00:01:20.100 after gaining initial access to a network, 27 00:01:20.100 --> 00:01:23.250 but before continuing with an attack. 28 00:01:23.250 --> 00:01:25.770 The purpose of internal reconnaissance, 29 00:01:25.770 --> 00:01:27.960 from an attacker's perspective, 30 00:01:27.960 --> 00:01:29.760 is to gather information 31 00:01:29.760 --> 00:01:32.610 about the target's internal network, 32 00:01:32.610 --> 00:01:36.750 such as system vulnerabilities, user privileges, 33 00:01:36.750 --> 00:01:38.640 and critical assets, 34 00:01:38.640 --> 00:01:42.660 in order to map out that attacker's next moves. 35 00:01:42.660 --> 00:01:44.430 This stage of an attack 36 00:01:44.430 --> 00:01:47.560 often includes scanning for open ports, 37 00:01:47.560 --> 00:01:49.890 identifying running services, 38 00:01:49.890 --> 00:01:53.100 and locating sensitive data or resources 39 00:01:53.100 --> 00:01:54.990 that could be exploited. 40 00:01:54.990 --> 00:01:59.010 Overall, threat hunting is a defensive exercise 41 00:01:59.010 --> 00:02:00.990 that assumes a known threat 42 00:02:00.990 --> 00:02:04.620 and assumes that a breach has already occurred, 43 00:02:04.620 --> 00:02:07.410 then defenders search the network 44 00:02:07.410 --> 00:02:11.010 for indicators of attack and compromise. 45 00:02:11.010 --> 00:02:12.570 In threat hunting, 46 00:02:12.570 --> 00:02:15.750 internal reconnaissance is a key indicator 47 00:02:15.750 --> 00:02:19.380 that a network breach has already occurred 48 00:02:19.380 --> 00:02:22.290 because it reveals the attacker's attempt 49 00:02:22.290 --> 00:02:24.300 to gather information 50 00:02:24.300 --> 00:02:27.240 on the internal network infrastructure. 51 00:02:27.240 --> 00:02:31.410 Identifying internal reconnaissance can prevent an attack 52 00:02:31.410 --> 00:02:34.920 from progressing to more damaging stages, 53 00:02:34.920 --> 00:02:39.660 such as data exfiltration or ransomware deployment. 54 00:02:39.660 --> 00:02:40.890 In this effort, 55 00:02:40.890 --> 00:02:45.300 threat hunters aim to identify internal reconnaissance 56 00:02:45.300 --> 00:02:47.940 by analyzing network logs, 57 00:02:47.940 --> 00:02:51.060 looking for unusual scanning activities, 58 00:02:51.060 --> 00:02:55.710 or observing anomalous access to sensitive resources. 59 00:02:55.710 --> 00:03:00.030 For example, if a user account starts accessing areas 60 00:03:00.030 --> 00:03:03.420 of the network it hasn't accessed before, 61 00:03:03.420 --> 00:03:06.450 or if there are many failed login attempts 62 00:03:06.450 --> 00:03:08.400 on different machines, 63 00:03:08.400 --> 00:03:11.970 this could be evidence of reconnaissance activity. 64 00:03:11.970 --> 00:03:16.260 Or if threat hunters notice an unusually high volume 65 00:03:16.260 --> 00:03:19.080 of port scanning from an unknown device, 66 00:03:19.080 --> 00:03:21.270 they may determine that an attacker 67 00:03:21.270 --> 00:03:23.850 is mapping out the internal network 68 00:03:23.850 --> 00:03:27.300 in preparation for continuing an attack. 69 00:03:27.300 --> 00:03:31.380 Identifying this behavior allows security teams 70 00:03:31.380 --> 00:03:36.090 to stop an attack before the intruder escalates their access 71 00:03:36.090 --> 00:03:38.910 or launches additional payloads. 72 00:03:38.910 --> 00:03:43.350 Second, we have hypothesis-based searches. 73 00:03:43.350 --> 00:03:46.830 Hypothesis-based searches in threat hunting 74 00:03:46.830 --> 00:03:50.490 are searches that begin with an assumption or theory 75 00:03:50.490 --> 00:03:54.900 about how an attacker might be operating within the network. 76 00:03:54.900 --> 00:03:58.710 The idea is to use available intelligence 77 00:03:58.710 --> 00:04:01.710 and knowledge of common attack techniques 78 00:04:01.710 --> 00:04:03.240 to guide the search 79 00:04:03.240 --> 00:04:07.500 for indicators of compromise or malicious activity. 80 00:04:07.500 --> 00:04:11.460 For example, a threat hunter may hypothesize 81 00:04:11.460 --> 00:04:15.360 that an attacker is exploiting a known vulnerability 82 00:04:15.360 --> 00:04:17.280 in a web application, 83 00:04:17.280 --> 00:04:19.500 and look for evidence that supports 84 00:04:19.500 --> 00:04:21.960 or disproves this theory. 85 00:04:21.960 --> 00:04:25.080 The importance of hypothesis-based searches 86 00:04:25.080 --> 00:04:28.620 lies in their focused and strategic nature. 87 00:04:28.620 --> 00:04:32.820 Instead of blindly searching through all network data, 88 00:04:32.820 --> 00:04:37.260 threat hunters form educated guesses of attack paths 89 00:04:37.260 --> 00:04:41.250 based on specific scenarios or threat models, 90 00:04:41.250 --> 00:04:44.610 which makes their investigations more efficient 91 00:04:44.610 --> 00:04:48.330 and likely to yield actionable results. 92 00:04:48.330 --> 00:04:50.280 Hypothesis-based searches 93 00:04:50.280 --> 00:04:54.690 can also help detect advanced persistent threats, 94 00:04:54.690 --> 00:04:57.240 where attackers remain in the network 95 00:04:57.240 --> 00:04:59.400 for long periods of time, 96 00:04:59.400 --> 00:05:01.320 using advanced techniques, 97 00:05:01.320 --> 00:05:05.460 without triggering traditional security alerts. 98 00:05:05.460 --> 00:05:09.300 So by formulating specific hypotheses, 99 00:05:09.300 --> 00:05:14.300 security teams can uncover stealthy or sophisticated attacks 100 00:05:14.610 --> 00:05:17.730 that would otherwise go unnoticed. 101 00:05:17.730 --> 00:05:20.610 For instance, imagine a scenario 102 00:05:20.610 --> 00:05:23.610 where a threat hunter receives intelligence 103 00:05:23.610 --> 00:05:25.950 about a recent vulnerability 104 00:05:25.950 --> 00:05:29.370 in a popular database management system. 105 00:05:29.370 --> 00:05:31.140 They may hypothesize 106 00:05:31.140 --> 00:05:34.350 that attackers are exploiting this vulnerability 107 00:05:34.350 --> 00:05:38.370 to gain access to sensitive data in their network. 108 00:05:38.370 --> 00:05:41.310 Then threat hunters might search logs 109 00:05:41.310 --> 00:05:44.250 for evidence of unusual queries, 110 00:05:44.250 --> 00:05:46.290 privilege escalation attempts, 111 00:05:46.290 --> 00:05:49.770 or unauthorized access to the database 112 00:05:49.770 --> 00:05:54.240 around the time the vulnerability was made publicly known. 113 00:05:54.240 --> 00:05:56.700 If the hypothesis is correct, 114 00:05:56.700 --> 00:06:00.060 this targeted search could allow the threat hunter 115 00:06:00.060 --> 00:06:03.150 to identify and mitigate the attack 116 00:06:03.150 --> 00:06:06.270 before significant damage occurs. 117 00:06:06.270 --> 00:06:09.450 At minimum, the threat hunter would identify 118 00:06:09.450 --> 00:06:11.460 their in-place defenses 119 00:06:11.460 --> 00:06:14.610 were either sufficient or not sufficient 120 00:06:14.610 --> 00:06:18.660 to identify indicators of attack or compromise 121 00:06:18.660 --> 00:06:21.840 for the specific hypothesized attack. 122 00:06:21.840 --> 00:06:26.840 Third, and last, we have user behavior analytics, or UBA. 123 00:06:27.930 --> 00:06:32.580 UBA is the process of analyzing user activity 124 00:06:32.580 --> 00:06:36.960 to detect patterns that deviate from normal behavior, 125 00:06:36.960 --> 00:06:40.650 potentially indicating malicious intent. 126 00:06:40.650 --> 00:06:44.910 UBA tracks a user's interactions with systems, 127 00:06:44.910 --> 00:06:48.060 networks and data over time, 128 00:06:48.060 --> 00:06:52.890 creating a baseline of normal day-to-day actions. 129 00:06:52.890 --> 00:06:56.130 When deviations from this baseline occur, 130 00:06:56.130 --> 00:06:59.130 such as accessing sensitive information 131 00:06:59.130 --> 00:07:01.650 outside of regular work hours, 132 00:07:01.650 --> 00:07:06.000 or logging in from unusual geographic locations, 133 00:07:06.000 --> 00:07:10.680 UBA tools raise alerts for further investigation. 134 00:07:10.680 --> 00:07:13.560 So UBA is a powerful tool 135 00:07:13.560 --> 00:07:18.560 for identifying insider threats or compromised accounts. 136 00:07:18.630 --> 00:07:20.100 In threat hunting, 137 00:07:20.100 --> 00:07:22.230 UBA can detect attacks 138 00:07:22.230 --> 00:07:26.070 that traditional signature-based systems might miss. 139 00:07:26.070 --> 00:07:29.520 This is because while signature-based defenses 140 00:07:29.520 --> 00:07:32.550 can recognize known attack patterns, 141 00:07:32.550 --> 00:07:37.200 the UBA can identify subtle indicators of compromise 142 00:07:37.200 --> 00:07:39.840 that suggest an attacker is operating 143 00:07:39.840 --> 00:07:43.110 under the guise of a legitimate user. 144 00:07:43.110 --> 00:07:47.670 This is particularly useful in detecting credential theft 145 00:07:47.670 --> 00:07:49.590 or insider threats, 146 00:07:49.590 --> 00:07:51.420 where malicious activities 147 00:07:51.420 --> 00:07:54.630 might appear legitimate at first glance, 148 00:07:54.630 --> 00:07:57.540 as the activities are being performed 149 00:07:57.540 --> 00:08:00.420 by legitimately issued accounts. 150 00:08:00.420 --> 00:08:03.540 But by flagging unusual behavior, 151 00:08:03.540 --> 00:08:05.730 UBA can provide threat hunters 152 00:08:05.730 --> 00:08:09.540 with valuable leads to investigate further. 153 00:08:09.540 --> 00:08:12.480 For example, suppose an employee's account 154 00:08:12.480 --> 00:08:16.650 suddenly starts downloading large volumes of data 155 00:08:16.650 --> 00:08:20.490 from a sensitive database during the late hours. 156 00:08:20.490 --> 00:08:23.160 This might be normal for some roles, 157 00:08:23.160 --> 00:08:25.830 but if this behavior is out of character 158 00:08:25.830 --> 00:08:28.080 for that specific user, 159 00:08:28.080 --> 00:08:31.410 it could indicate either an insider threat 160 00:08:31.410 --> 00:08:33.450 or a compromised account. 161 00:08:33.450 --> 00:08:35.910 UBA could flag this anomaly, 162 00:08:35.910 --> 00:08:39.180 prompting threat hunters to investigate further 163 00:08:39.180 --> 00:08:42.570 and potentially uncover malicious activity, 164 00:08:42.570 --> 00:08:45.900 such as an attacker using stolen credentials 165 00:08:45.900 --> 00:08:47.820 to exfiltrate data. 166 00:08:47.820 --> 00:08:51.930 So remember, behavior and data analysis 167 00:08:51.930 --> 00:08:55.890 involves examining system and user activity 168 00:08:55.890 --> 00:09:00.690 to detect signs of potential threats or malicious behavior. 169 00:09:00.690 --> 00:09:05.460 Key concepts in this process associated with threat hunting 170 00:09:05.460 --> 00:09:08.850 include discovering internal reconnaissance, 171 00:09:08.850 --> 00:09:11.250 hypothesis-based searches, 172 00:09:11.250 --> 00:09:15.210 and user behavior analytics, or UBA. 173 00:09:15.210 --> 00:09:18.960 Internal reconnaissance refers to an attacker's effort 174 00:09:18.960 --> 00:09:22.260 to gather information within a network 175 00:09:22.260 --> 00:09:24.990 after gaining initial access, 176 00:09:24.990 --> 00:09:29.990 helping threat hunters identify early stages of a breach. 177 00:09:30.060 --> 00:09:33.420 Next, hypothesis-based searches are guided 178 00:09:33.420 --> 00:09:38.280 by specific assumptions about how attackers might operate, 179 00:09:38.280 --> 00:09:42.450 allowing for more focused and efficient investigations. 180 00:09:42.450 --> 00:09:46.560 Finally, user behavior analytics, or UBA, 181 00:09:46.560 --> 00:09:49.080 analyzes user behavior, 182 00:09:49.080 --> 00:09:52.860 identifying deviations from normal activity 183 00:09:52.860 --> 00:09:56.913 to detect insider threats or compromised accounts.