1 00:00:07,100 --> 00:00:10,630 - In the industry, there are dozens of options for tools 2 00:00:10,630 --> 00:00:14,340 and many documented methods that could be used to 3 00:00:14,340 --> 00:00:18,230 develop how your organization categorizes an incident, 4 00:00:18,230 --> 00:00:22,570 which is actually the core of an incident management practice. 5 00:00:22,570 --> 00:00:27,450 Now, the CCNA Cyber Ops SECOPS exam was designed to 6 00:00:27,450 --> 00:00:29,810 follow industry best practices, 7 00:00:29,810 --> 00:00:33,280 and Cisco selected the Diamond Model of Intrusion 8 00:00:33,280 --> 00:00:37,740 as a trusted approach to categorizing security incidents. 9 00:00:37,740 --> 00:00:40,467 Now, the reason behind creating the Diamond Model 10 00:00:40,467 --> 00:00:45,210 was to develop a repeatable way to characterize 11 00:00:45,210 --> 00:00:50,180 and organize threats, and also to consistently 12 00:00:50,180 --> 00:00:52,550 track the identified threats 13 00:00:52,550 --> 00:00:55,670 and eventually develop countermeasures. 14 00:00:55,670 --> 00:00:58,960 The Diamond Model of Intrusion provides a structured method 15 00:00:58,960 --> 00:01:01,630 for cybersecurity analysts to follow 16 00:01:01,630 --> 00:01:03,970 and to protect their organization. 17 00:01:03,970 --> 00:01:07,480 The Diamond Model is designed to represent an incident 18 00:01:07,480 --> 00:01:10,520 and is made up of four different core parts, 19 00:01:10,520 --> 00:01:12,520 starting with an adversary, 20 00:01:12,520 --> 00:01:14,530 which is actually targeting a victim, 21 00:01:14,530 --> 00:01:16,410 which is the second part. 22 00:01:16,410 --> 00:01:20,860 And then the adversary will use various capabilities, 23 00:01:20,860 --> 00:01:23,760 which is the third part, along with some form 24 00:01:23,760 --> 00:01:26,630 of infrastructure, which is the fourth part, to 25 00:01:26,630 --> 00:01:30,570 actually launch an attack against the victim.
26 00:01:30,570 --> 00:01:34,670 Now, capabilities are the different tools and techniques 27 00:01:34,670 --> 00:01:38,770 and also the procedures that the adversary actually uses, 28 00:01:38,770 --> 00:01:41,370 while the infrastructure is what is actually 29 00:01:41,370 --> 00:01:45,170 connecting the adversary and the victim. 30 00:01:45,170 --> 00:01:48,100 Now, the lines connecting each part 31 00:01:48,100 --> 00:01:51,660 illustrate how an analyst can actually map how 32 00:01:51,660 --> 00:01:54,100 one point reaches another. 33 00:01:54,100 --> 00:01:58,320 So moving between each part of an attack is also 34 00:01:58,320 --> 00:02:01,170 called pivoting, 35 00:02:01,170 --> 00:02:04,330 and this is actually key for modeling the event 36 00:02:04,330 --> 00:02:06,120 or the incident. 37 00:02:06,120 --> 00:02:09,290 The Diamond Model also includes additional meta-features 38 00:02:09,290 --> 00:02:14,010 of an event, such as a timestamp, the kill chain phase, 39 00:02:14,010 --> 00:02:18,130 the result of that attack, the direction of that attack, 40 00:02:18,130 --> 00:02:22,300 and the attack methods and resources that were used 41 00:02:22,300 --> 00:02:24,220 by the adversary. 42 00:02:24,220 --> 00:02:28,910 Now, an example of a meta-feature list is a timestamp of, 43 00:02:28,910 --> 00:02:31,600 let's say, a log at two o'clock 44 00:02:31,600 --> 00:02:34,750 in the morning that actually highlights communication 45 00:02:34,750 --> 00:02:36,860 to an embargoed country. 46 00:02:36,860 --> 00:02:40,940 And then the kill chain phase could be the actual 47 00:02:40,940 --> 00:02:44,420 exploitation, and the result can be 48 00:02:44,420 --> 00:02:48,400 the successful exploitation of that, and the direction 49 00:02:48,400 --> 00:02:51,880 could be from the adversary to the victim itself.
50 00:02:51,880 --> 00:02:54,510 And the attack method could be, 51 00:02:54,510 --> 00:02:58,760 let's say, a spear phishing attack, and the resources 52 00:02:58,760 --> 00:03:00,990 would be a specific vulnerability 53 00:03:00,990 --> 00:03:03,506 on the victim's host system that is actually 54 00:03:03,506 --> 00:03:07,340 being exploited or taken advantage of. 55 00:03:07,340 --> 00:03:09,900 These meta-features provide useful context, 56 00:03:09,900 --> 00:03:11,910 but they're not core to the model 57 00:03:11,910 --> 00:03:16,020 and can be either disregarded or augmented 58 00:03:16,020 --> 00:03:17,480 as necessary. 59 00:03:17,480 --> 00:03:20,600 Here I'm actually showing a graphical view 60 00:03:20,600 --> 00:03:24,810 of the Diamond Model with the meta-features. An example 61 00:03:24,810 --> 00:03:29,130 of a technology meta-feature could be, let's say, DNS. 62 00:03:29,130 --> 00:03:31,160 And DNS, as you know, 63 00:03:31,160 --> 00:03:34,900 can be used by malware to determine 64 00:03:34,900 --> 00:03:36,290 where the command 65 00:03:36,290 --> 00:03:37,290 and control server is that it 66 00:03:37,290 --> 00:03:39,470 should be communicating with. 67 00:03:39,470 --> 00:03:43,400 Also, there's the socio-political meta-feature, 68 00:03:43,400 --> 00:03:45,210 and it represents the relationship 69 00:03:45,210 --> 00:03:48,120 between the adversary and the victim. 70 00:03:48,120 --> 00:03:50,920 And this is actually somehow critical, 71 00:03:50,920 --> 00:03:52,340 specifically 72 00:03:52,340 --> 00:03:55,720 in order to determine the intent behind the attack, 73 00:03:55,720 --> 00:03:58,670 so the analyst can actually understand the reason 74 00:03:58,670 --> 00:04:00,710 the victim was selected.
75 00:04:00,710 --> 00:04:03,587 It also helps understand the value the adversary sees 76 00:04:03,587 --> 00:04:08,587 in the victim and sometimes identify a shared threat space. 77 00:04:09,100 --> 00:04:12,040 In other words, this may be a situation where 78 00:04:12,040 --> 00:04:16,600 multiple victims link back to the same adversary. 79 00:04:16,600 --> 00:04:20,680 So in this case, a shared threat space 80 00:04:20,680 --> 00:04:24,375 equates to threat intelligence that can even be 81 00:04:24,375 --> 00:04:28,300 shared among the victims to successfully 82 00:04:28,300 --> 00:04:31,010 mitigate that attack and respond to 83 00:04:31,010 --> 00:04:32,680 that attack. 84 00:04:32,680 --> 00:04:35,270 An example of this can be that 85 00:04:35,270 --> 00:04:38,110 specific threat actors are identified 86 00:04:38,110 --> 00:04:42,970 launching an attack against financial services companies. 87 00:04:42,970 --> 00:04:43,803 So 88 00:04:43,803 --> 00:04:47,260 these companies actually can share threat information 89 00:04:47,260 --> 00:04:50,780 among them in order to, one, understand the attack, 90 00:04:50,780 --> 00:04:54,880 and second, of course, remediate and mitigate that attack. 91 00:04:54,880 --> 00:04:58,080 Now, the relationships between the diamonds are known 92 00:04:58,080 --> 00:05:00,130 as the activity threads, 93 00:05:00,130 --> 00:05:03,500 and activity threads can be spread across the same attack 94 00:05:03,500 --> 00:05:06,170 and also can connect other attacks depending 95 00:05:06,170 --> 00:05:09,110 on the threat intelligence gathered. 96 00:05:09,110 --> 00:05:13,780 Here I'm actually showing an example of an activity 97 00:05:13,780 --> 00:05:14,613 thread.
98 00:05:14,613 --> 00:05:17,900 This visibility into the specific attack 99 00:05:17,900 --> 00:05:20,870 information gives the analyst the ability to 100 00:05:20,870 --> 00:05:24,534 integrate any hypothesis that can be tested 101 00:05:24,534 --> 00:05:28,200 as additional evidence is actually gathered. 102 00:05:28,200 --> 00:05:31,320 Now, the activity thread process displays the current 103 00:05:31,320 --> 00:05:35,950 research status, which can help identify knowledge gaps 104 00:05:35,950 --> 00:05:39,370 and adversary campaigns through documentation 105 00:05:39,370 --> 00:05:44,320 and also by testing proposed attack hypotheses. 106 00:05:44,320 --> 00:05:47,650 Once the incident management team builds a good 107 00:05:47,650 --> 00:05:50,330 activity group, the team can actually better 108 00:05:50,330 --> 00:05:53,930 analyze the data to fill in missing knowledge gaps 109 00:05:53,930 --> 00:05:56,880 and start to potentially predict attack paths 110 00:05:56,880 --> 00:05:58,720 in the future. 111 00:05:58,720 --> 00:06:01,810 So this threat intelligence can actually be built 112 00:06:01,810 --> 00:06:05,690 into a graph known as the attack graph, 113 00:06:05,690 --> 00:06:08,370 and this attack graph represents the path 114 00:06:08,370 --> 00:06:11,873 an adversary could actually take against the victim. 115 00:06:12,810 --> 00:06:15,810 Now, an activity attack graph is useful 116 00:06:15,810 --> 00:06:19,270 for highlighting the attacker's preferences 117 00:06:19,270 --> 00:06:21,610 for attacking the victim as well 118 00:06:21,610 --> 00:06:24,390 as alternative paths that can actually be 119 00:06:24,390 --> 00:06:26,970 used to carry out that attack.
120 00:06:26,970 --> 00:06:30,860 This gives the incident response team a way to focus effort 121 00:06:30,860 --> 00:06:33,390 on defending against the adversary 122 00:06:33,390 --> 00:06:37,400 by knowing where to likely expect the attack, 123 00:06:37,400 --> 00:06:41,540 as well as being able to be aware 124 00:06:41,540 --> 00:06:45,620 of other possible risks in the victim's environment. 125 00:06:45,620 --> 00:06:50,620 So the first and by far the most critical step 126 00:06:50,620 --> 00:06:54,720 in an attack is the quality of the reconnaissance 127 00:06:54,720 --> 00:06:58,560 made by the actual attacker or the adversary. 128 00:06:58,560 --> 00:07:03,560 So reconnaissance, in short, is actually research 129 00:07:04,430 --> 00:07:08,140 on the target and typically is the most 130 00:07:08,140 --> 00:07:12,530 time-consuming yet most rewarding step toward 131 00:07:12,530 --> 00:07:15,240 that attack and part of that kill chain. 132 00:07:15,240 --> 00:07:16,320 So the goal 133 00:07:16,320 --> 00:07:21,121 for this phase is to identify different targets, associations 134 00:07:21,121 --> 00:07:23,520 to the targets, and as much data 135 00:07:23,520 --> 00:07:26,980 as possible about each of those targets. 136 00:07:26,980 --> 00:07:28,860 The more data found 137 00:07:28,860 --> 00:07:33,257 provides options for planning a more effective attack. 138 00:07:33,257 --> 00:07:36,410 Let's say, for example, if I'm an attacker 139 00:07:36,410 --> 00:07:39,563 and I actually see multiple web-facing servers, 140 00:07:39,563 --> 00:07:43,160 then I may actually uncover, one, what is the version 141 00:07:43,160 --> 00:07:45,940 of software that is actually installed on those servers,
142 00:07:45,940 --> 00:07:47,910 and second, if they're actually vulnerable 143 00:07:47,910 --> 00:07:49,340 to either known vulnerabilities, 144 00:07:49,340 --> 00:07:50,990 or I may actually have knowledge 145 00:07:50,990 --> 00:07:53,610 of a zero-day attack that I can actually 146 00:07:53,610 --> 00:07:55,620 launch against that environment. 147 00:07:55,620 --> 00:07:59,470 Another thing about reconnaissance is that 148 00:07:59,470 --> 00:08:02,410 I can not only do it from a technical perspective, 149 00:08:02,410 --> 00:08:06,200 looking at the technical posture of that victim, 150 00:08:06,200 --> 00:08:11,200 but also by understanding the victim's structure as far as 151 00:08:12,200 --> 00:08:14,330 human structure: 152 00:08:14,330 --> 00:08:17,180 the board of directors, key people 153 00:08:17,180 --> 00:08:20,690 within the organization that I can steal data from. 154 00:08:20,690 --> 00:08:24,610 I can leverage things like LinkedIn to launch attacks against 155 00:08:24,610 --> 00:08:26,500 specific individuals. 156 00:08:26,500 --> 00:08:28,789 And whenever I mention attacks, 157 00:08:28,789 --> 00:08:29,660 it can be a combination 158 00:08:29,660 --> 00:08:32,593 of social engineering and also technical attacks.