WEBVTT

1
00:00:00.090 --> 00:00:02.040
<v Instructor>Internal intelligence sources</v>

2
00:00:02.040 --> 00:00:04.830
include the data and insights gathered

3
00:00:04.830 --> 00:00:09.420
from within an organization's own network and systems

4
00:00:09.420 --> 00:00:12.180
to identify potential threats.

5
00:00:12.180 --> 00:00:14.190
Internal intelligence sources

6
00:00:14.190 --> 00:00:17.700
include adversary emulation engagements,

7
00:00:17.700 --> 00:00:20.280
honeypots, and honeynets.

8
00:00:20.280 --> 00:00:22.710
Adversary emulation engagements

9
00:00:22.710 --> 00:00:25.950
simulate real-world attacker behavior

10
00:00:25.950 --> 00:00:27.480
within the network

11
00:00:27.480 --> 00:00:29.160
to observe how attackers

12
00:00:29.160 --> 00:00:32.250
might actually exploit vulnerabilities,

13
00:00:32.250 --> 00:00:35.700
enabling defenses to be put in place.

14
00:00:35.700 --> 00:00:39.540
Next, honeypots are decoy systems set up

15
00:00:39.540 --> 00:00:42.600
to attract and detect real attackers

16
00:00:42.600 --> 00:00:45.330
by mimicking valuable assets.

17
00:00:45.330 --> 00:00:47.850
Finally, honeynets are networks

18
00:00:47.850 --> 00:00:51.000
of honeypots designed to be attacked.

19
00:00:51.000 --> 00:00:55.080
Let's learn more about adversary emulation engagements,

20
00:00:55.080 --> 00:00:57.720
honeypots, and honeynets.

21
00:00:57.720 --> 00:01:02.070
First, we have adversary emulation engagements.

22
00:01:02.070 --> 00:01:04.380
Adversary emulation engagements

23
00:01:04.380 --> 00:01:07.200
are simulations designed to mimic

24
00:01:07.200 --> 00:01:09.990
the tactics, techniques, and procedures

25
00:01:09.990 --> 00:01:11.880
of real-world attackers

26
00:01:11.880 --> 00:01:14.550
within an enterprise's network.

27
00:01:14.550 --> 00:01:17.670
The goal is to provide security teams

28
00:01:17.670 --> 00:01:19.380
with an opportunity to see

29
00:01:19.380 --> 00:01:21.480
how a specific attacker

30
00:01:21.480 --> 00:01:23.610
would exploit vulnerabilities,

31
00:01:23.610 --> 00:01:25.740
and move within the network

32
00:01:25.740 --> 00:01:29.580
without any actual threat to the organization.

33
00:01:29.580 --> 00:01:32.460
These engagements allow the security team

34
00:01:32.460 --> 00:01:34.260
to test their defenses,

35
00:01:34.260 --> 00:01:36.240
identify weaknesses,

36
00:01:36.240 --> 00:01:39.180
and improve their response strategies.

37
00:01:39.180 --> 00:01:42.000
By observing how their systems hold up

38
00:01:42.000 --> 00:01:44.790
under realistic attack scenarios,

39
00:01:44.790 --> 00:01:47.640
organizations can ensure they are prepared

40
00:01:47.640 --> 00:01:49.650
for genuine threats.

41
00:01:49.650 --> 00:01:53.310
To implement adversary emulation engagements,

42
00:01:53.310 --> 00:01:56.790
a security team would first select or design

43
00:01:56.790 --> 00:01:59.790
a scenario based on a known threat actor

44
00:01:59.790 --> 00:02:01.620
or attack vector.

45
00:02:01.620 --> 00:02:02.640
To do this,

46
00:02:02.640 --> 00:02:04.650
they could use tools that simulate

47
00:02:04.650 --> 00:02:07.890
common attack behaviors like lateral movement,

48
00:02:07.890 --> 00:02:11.700
privilege escalation, or data exfiltration,

49
00:02:11.700 --> 00:02:14.640
all within a controlled environment.

50
00:02:14.640 --> 00:02:17.220
Then the security team can monitor

51
00:02:17.220 --> 00:02:19.740
how the network and its defenses

52
00:02:19.740 --> 00:02:22.800
respond to the emulated engagement,

53
00:02:22.800 --> 00:02:26.100
recording any gaps or delays in detection,

54
00:02:26.100 --> 00:02:27.840
and then correcting them.

55
00:02:27.840 --> 00:02:30.930
This helps refine detection capabilities

56
00:02:30.930 --> 00:02:32.550
and improves the response

57
00:02:32.550 --> 00:02:35.340
to future real-world incidents.

58
00:02:35.340 --> 00:02:38.790
Overall, adversary emulation engagements

59
00:02:38.790 --> 00:02:41.670
reveal how well current security measures

60
00:02:41.670 --> 00:02:44.520
work against known threats.

61
00:02:44.520 --> 00:02:47.550
The advantage of adversary emulation

62
00:02:47.550 --> 00:02:49.170
is that these scenarios

63
00:02:49.170 --> 00:02:51.930
mimic real attacker behavior,

64
00:02:51.930 --> 00:02:54.180
meaning that defenses are tested

65
00:02:54.180 --> 00:02:56.070
against the same methods

66
00:02:56.070 --> 00:02:58.800
attackers will use in the wild.

67
00:02:58.800 --> 00:03:01.860
So the insights gathered allow teams

68
00:03:01.860 --> 00:03:04.290
to make necessary adjustments

69
00:03:04.290 --> 00:03:06.900
before an actual attack occurs,

70
00:03:06.900 --> 00:03:09.900
improving the overall security posture

71
00:03:09.900 --> 00:03:11.760
of the organization.

72
00:03:11.760 --> 00:03:14.490
Second, we have honeypots.

73
00:03:14.490 --> 00:03:17.700
Honeypots are decoy systems or devices

74
00:03:17.700 --> 00:03:21.120
set up within an organization's network

75
00:03:21.120 --> 00:03:24.810
to attract attackers and study their behavior.

76
00:03:24.810 --> 00:03:27.270
Honeypots mimic real assets

77
00:03:27.270 --> 00:03:30.180
such as servers or databases,

78
00:03:30.180 --> 00:03:32.610
but are intentionally left vulnerable,

79
00:03:32.610 --> 00:03:36.540
or appear as high-value targets to attackers.

80
00:03:36.540 --> 00:03:41.070
Honeypots are designed to detect unauthorized access,

81
00:03:41.070 --> 00:03:44.370
gather information about attack methods,

82
00:03:44.370 --> 00:03:48.690
and divert attackers away from actual systems.

83
00:03:48.690 --> 00:03:52.950
So by luring attackers into attacking a honeypot,

84
00:03:52.950 --> 00:03:56.520
organizations can collect detailed information

85
00:03:56.520 --> 00:04:00.450
about their tactics without risking actual damage

86
00:04:00.450 --> 00:04:02.730
to important infrastructure.

87
00:04:02.730 --> 00:04:04.310
To set up a honeypot,

88
00:04:04.310 --> 00:04:07.680
an organization would place the decoy asset

89
00:04:07.680 --> 00:04:09.750
in an area of the network

90
00:04:09.750 --> 00:04:13.200
where it is likely to be discovered by attackers,

91
00:04:13.200 --> 00:04:15.990
such as within a screened subnet,

92
00:04:15.990 --> 00:04:19.410
also known as a demilitarized zone,

93
00:04:19.410 --> 00:04:22.620
or close to other visible systems.

94
00:04:22.620 --> 00:04:26.100
The honeypot should appear as an attractive target,

95
00:04:26.100 --> 00:04:29.640
perhaps by emulating a critical server,

96
00:04:29.640 --> 00:04:32.670
or containing seemingly valuable data.

97
00:04:32.670 --> 00:04:34.740
It can then be configured to log

98
00:04:34.740 --> 00:04:37.500
all interactions and activity,

99
00:04:37.500 --> 00:04:39.330
allowing security teams

100
00:04:39.330 --> 00:04:43.560
to monitor any suspicious behavior in real time.

101
00:04:43.560 --> 00:04:45.180
The honeypot's purpose

102
00:04:45.180 --> 00:04:48.450
is not to actively defend the network,

103
00:04:48.450 --> 00:04:50.700
but to serve as a decoy tool

104
00:04:50.700 --> 00:04:52.320
for gathering intelligence,

105
00:04:52.320 --> 00:04:54.990
and identifying actual attack patterns

106
00:04:54.990 --> 00:04:56.790
and attack strategies.

107
00:04:56.790 --> 00:05:00.300
For instance, a company might deploy a honeypot

108
00:05:00.300 --> 00:05:02.700
designed to mimic a file server

109
00:05:02.700 --> 00:05:05.700
containing sensitive financial information.

110
00:05:05.700 --> 00:05:08.430
Then when an attacker tries to access

111
00:05:08.430 --> 00:05:11.010
or manipulate files in the honeypot,

112
00:05:11.010 --> 00:05:13.350
the security team can observe

113
00:05:13.350 --> 00:05:16.560
the exact methods that are being used.

114
00:05:16.560 --> 00:05:19.710
This real-time intelligence allows the team

115
00:05:19.710 --> 00:05:21.780
to then adjust firewalls,

116
00:05:21.780 --> 00:05:25.440
detection systems, and internal policies

117
00:05:25.440 --> 00:05:27.690
to prevent similar attack techniques

118
00:05:27.690 --> 00:05:30.780
on their actual production systems.

119
00:05:30.780 --> 00:05:34.500
Third and last, we have honeynets.

120
00:05:34.500 --> 00:05:38.310
Honeynets take the decoy concept a step further

121
00:05:38.310 --> 00:05:41.953
by creating entire networks of honeypots.

122
00:05:41.953 --> 00:05:44.580
A honeynet is a highly controlled

123
00:05:44.580 --> 00:05:48.090
and monitored network of multiple honeypots

124
00:05:48.090 --> 00:05:50.160
that work together to simulate

125
00:05:50.160 --> 00:05:53.190
an organization's production network.

126
00:05:53.190 --> 00:05:57.630
Honeynets appear as a legitimate network to attackers,

127
00:05:57.630 --> 00:06:01.590
but all systems within a honeynet are fake,

128
00:06:01.590 --> 00:06:04.470
serving only to trap, delay,

129
00:06:04.470 --> 00:06:08.070
and allow observation of attack methods.

130
00:06:08.070 --> 00:06:10.020
The idea behind honeynets

131
00:06:10.020 --> 00:06:13.560
is to provide an environment that entices attackers

132
00:06:13.560 --> 00:06:17.100
to reveal more complex tactics and techniques,

133
00:06:17.100 --> 00:06:21.150
offering deeper insights into their operations.

134
00:06:21.150 --> 00:06:22.650
Setting up a honeynet

135
00:06:22.650 --> 00:06:26.430
involves creating a realistic network architecture

136
00:06:26.430 --> 00:06:29.040
that includes different types of honeypots,

137
00:06:29.040 --> 00:06:33.090
such as web servers, email servers, and databases.

138
00:06:33.090 --> 00:06:35.580
Each of these components is designed

139
00:06:35.580 --> 00:06:39.120
to appear as a legitimate part of a network,

140
00:06:39.120 --> 00:06:40.560
luring attackers in,

141
00:06:40.560 --> 00:06:42.750
and capturing their actions.

142
00:06:42.750 --> 00:06:45.300
A honeynet is usually placed

143
00:06:45.300 --> 00:06:46.980
in a part of the network

144
00:06:46.980 --> 00:06:49.830
where attackers are likely to interact,

145
00:06:49.830 --> 00:06:53.730
such as the same space as public-facing servers,

146
00:06:53.730 --> 00:06:55.620
within a screened subnet,

147
00:06:55.620 --> 00:06:58.230
or even within an internal network.

148
00:06:58.230 --> 00:07:00.420
By observing the movement of attackers

149
00:07:00.420 --> 00:07:01.950
within the honeynet,

150
00:07:01.950 --> 00:07:05.400
security teams can analyze patterns of attack

151
00:07:05.400 --> 00:07:08.730
that may not be visible in similar setups

152
00:07:08.730 --> 00:07:10.800
like single honeypots.

153
00:07:10.800 --> 00:07:11.940
In this way,

154
00:07:11.940 --> 00:07:14.820
honeynets can provide in-depth intelligence

155
00:07:14.820 --> 00:07:18.120
on how attackers escalate privileges,

156
00:07:18.120 --> 00:07:19.920
pivot between systems,

157
00:07:19.920 --> 00:07:22.650
and attempt to extract data.

158
00:07:22.650 --> 00:07:24.510
This helps organizations

159
00:07:24.510 --> 00:07:26.400
bolster their defenses,

160
00:07:26.400 --> 00:07:31.320
particularly against complex multi-stage attacks.

161
00:07:31.320 --> 00:07:35.520
For example, an enterprise might deploy a honeynet

162
00:07:35.520 --> 00:07:38.520
that mimics their entire internal network,

163
00:07:38.520 --> 00:07:42.060
including workstations and databases.

164
00:07:42.060 --> 00:07:45.180
Over time, after initial compromise,

165
00:07:45.180 --> 00:07:47.610
attackers may attempt to move laterally

166
00:07:47.610 --> 00:07:49.140
within the honeynet,

167
00:07:49.140 --> 00:07:51.750
testing different attack vectors.

168
00:07:51.750 --> 00:07:54.060
The enterprise's security team

169
00:07:54.060 --> 00:07:56.820
can then analyze the tactics, techniques,

170
00:07:56.820 --> 00:07:59.730
and procedures used by the attackers,

171
00:07:59.730 --> 00:08:03.180
allowing them to strengthen real network defenses

172
00:08:03.180 --> 00:08:06.450
based on what they learned from the honeynet.

173
00:08:06.450 --> 00:08:11.070
So remember, internal intelligence sources

174
00:08:11.070 --> 00:08:13.800
refer to the data and insights

175
00:08:13.800 --> 00:08:17.100
gathered from within an organization's network

176
00:08:17.100 --> 00:08:19.830
to identify potential threats.

177
00:08:19.830 --> 00:08:24.180
These sources include adversary emulation engagements,

178
00:08:24.180 --> 00:08:26.850
honeypots, and honeynets.

179
00:08:26.850 --> 00:08:29.340
Adversary emulation engagements

180
00:08:29.340 --> 00:08:32.400
simulate real-world attacker behavior

181
00:08:32.400 --> 00:08:35.730
to test how well an organization's defenses

182
00:08:35.730 --> 00:08:39.030
hold up against potential vulnerabilities.

183
00:08:39.030 --> 00:08:42.570
Next, honeypots are decoy systems

184
00:08:42.570 --> 00:08:44.910
designed to attract attackers,

185
00:08:44.910 --> 00:08:48.540
allowing security teams to study their tactics

186
00:08:48.540 --> 00:08:52.290
without exposing critical assets to risk.

187
00:08:52.290 --> 00:08:56.550
Finally, honeynets are networks of honeypots

188
00:08:56.550 --> 00:08:59.610
that provide a more comprehensive view

189
00:08:59.610 --> 00:09:01.140
of attack methods

190
00:09:01.140 --> 00:09:04.710
by simulating an entire network environment

191
00:09:04.710 --> 00:09:07.023
for attackers to target.

