Cybersecurity Roles and Responsibilities PDF
Document Details
Uploaded by Deleted User
Tags
Summary
This document discusses various cybersecurity roles, focusing on the responsibilities of a cybersecurity analyst. It explains the importance of creative thinking and problem-solving skills in this role, emphasizing the need to analyze information, devise solutions, and communicate effectively to non-technical audiences. The document also covers the responsibilities of a Security Operations Center (SOC) and the necessary skills and characteristics of its personnel.
Full Transcript
Cybersecurity roles and responsibili es. In this lesson, we're going to talk about some of the various roles that are inside the cybersecurity space. Now, if you're taking this course, you're taking this Cybersecurity Analyst course and that is one of the roles that exists within this wide world of...
Cybersecurity roles and responsibili es. In this lesson, we're going to talk about some of the various roles that are inside the cybersecurity space. Now, if you're taking this course, you're taking this Cybersecurity Analyst course and that is one of the roles that exists within this wide world of cybersecurity. There are many different roles such as a specialist or technician, which is covered more by the security plus exam. These are people who will actually do the hands-on configura on of a system and do things under the direc on of a cybersecurity analyst. There's also cybercrime inves gators who work a lot in the digital forensics realm. We'll talk a li le bit about that inside this course as well. We'll also talk about instant response analysts, these are people who are focused on responding to a data breach or other type of cyber a ack that happens across your organiza on. We'll also cover this in this course as well. And then, there's this cybersecurity analyst, which is a large overall encompassing term for a lot of these other areas as well as a senior posi on inside most organiza ons. And then we'll talk about a penetra on tester. Now, a penetra on tester is somebody who breaks into somebody's systems with their permission to iden fy their vulnerabili es. We'll also talk about that inside this course as well because that is one of the roles that a cybersecurity analyst may fill. Addi onally, you might be in a management level, so you might be a manager or you might be an engineer, and an engineer is focused on building tools and techniques and designing the en re system at a big, large level for the organiza on. And then the analysts will operate the day-to-day systems to make sure those things are done correctly. And finally, we have the CISO, which is our Chief Informa on Security Officer. We'll talk a li le bit more about that in a second. Now, when I talk about a cybersecurity analyst, according to CompTIA, this is a senior posi on within an organiza on security team with the direct responsibility for protec ng sensi ve informa on and preven ng unauthorized access to electronic data and the systems that protect it. Essen ally, they are our network defenders. They are responsible for hardening and protec ng our networks, our servers, our laptops, our desktops our smartphones. Any device that processes or uses our informa on is covered by the role of a cybersecurity analyst. Now, cybersecurity teams will o en contain both junior and senior analysts. Now, this is important because if you're taking this course and you're brand new to cybersecurity, you're going to be looking for the role as a junior analyst working underneath somebody who's much more senior. Now, one of the things that is very troublesome for a lot of people is, they'll go out and get a cer fica on and think they're going to immediately get a job at an analyst level. And the problem is an analyst is an intermediate to senior level posi on. So even a junior level analyst tends to have two to four years of experience doing stuff as a cybersecurity specialist or technician first before ge ng hired into the role of an analyst. So keep that in mind when you start going out into the job market to figure out where you're going to fit. To be able to get a job as an analyst, you are going to be expected to have a couple of years of experience already working within IT and IT security at that lower level as a specialist or a technician first. Then, you'll work your way into being a junior analyst and eventually a senior analyst. And both of these roles will be encompassed on that cybersecurity team. A team might have five or 10 junior analysts and one or two senior analysts who are overseeing their ac ons. Now, all of these folks are going to respond upward in the chain of command inside your organiza on to the Chief Informa on Security Officer. This is a senior posi on that resides at the C level, which will be your Chief Execu ve Officer, your Chief Informa on Officer, your Chief Opera ng Officer, and your Chief Informa on Security Officer. All of these people work together to lead and provide governance for the organiza on. And the daily running of the analyst team is going to be le to those senior analysts or the senior cybersecurity managers. Those people are going to be the ones repor ng up to the Chief Informa on Security Officer. Now, what are some of the different func ons that a cybersecurity analyst might perform? Well, a cybersecurity analyst is going to be responsible for implemen ng and configuring security controls, things like your firewalls, your intrusion detec on systems and other threat management appliances and so ware. It's going to be your job to figure out what you're going to do to best protect the network using these technical controls. You may also be responsible for working within a SOC, a security opera on center, which we'll talk more about in the next lesson. You'll also will be working inside a Computer Security Incident Response Team, or a CSIRT. These are the people who worked to respond to those data breaches and cyber techs that occur within your organiza on. Another role you might see is something like audi ng security processes and procedures. This allows you to perform due diligence on your third par es that you're working with, providing employee training and doing assessments on your own systems and making sure your security controls are in place and working properly. Another func on you might do is conduc ng things like risk assessments, vulnerability assessments and penetra on tests. And when you do that you're going to gather all the details you get, look at that informa on, process it, and then make recommenda ons on how to be er secure the network by adding addi onal security controls or addi onal procedures to your organiza on. And finally, you're going to be responsible for maintaining up-to-date threat intelligence and awareness on all of the different issues that are out there in the marketplace. So if your company works in one sector and you see that that sector is being targeted by a ackers, you need to be aware of that so you can start pu ng in appropriate countermeasures in place to help protect your organiza on. Also, you may be asked to advise on legal compliance and regulatory issues 'cause that all is part of this idea of a cybersecurity analyst as well. Now, when you think about a cybersecurity analyst, what makes a good cybersecurity analyst? Well, they should have two key features. They should be crea ve thinkers and they should be problem solvers. Now, problem solving is really important to the job of a cybersecurity analyst because your job all day is taking all of these li le pieces of informa on from all these different systems, from all the different threat intelligence you have and your own common sense, pu ng it all together and trying to figure out exactly what the problem is how you can devise a solu on for it and how you can report those solu ons that you propose to a non-technical audience. For example, if you are asked to brief a senior manager or the chief execu ve officer who may not be a technician and may not understand IT, you need to be able to break down what the problem is in non- technical terms to explain to them the issue and what you propose to do to solve their challenge. Finally, when you put all this together and you start dealing with things like instant responses things happen fast and you have to think on your feet, be able to problem solve and be able to deal with these things in a high pressure situa on calmly and s ll use good decision making and problem solving to solve your issues. Transcript If you get a job as a cybersecurity analyst, you are most likely going to start work at a Security Opera ons Center, also known as a SOC. Now, a SOC is a loca on where security professionals monitor and protect cri cal informa on assets within the organiza on. Essen ally, this is a single point of contact area where all the data comes in and we have analysts on duty who can go through the informa on and try to find what things are happening within the network. Essen ally, think about this as a security monitoring center. Inside this, you're going to have a lot of junior analysts overseen by a senior analyst who are going to be looking daily through all of the logs and all the other informa on on the network to try to find what's known as an indicator of compromise. Now, we're going to talk more about indicators of compromise later, but essen ally, think about them as a fingerprint of something bad. This is an indica on that something bad has happened within your network and an instant response may be needed. Now, SOCs are usually going to exist for larger corpora ons, government agencies, and healthcare organiza ons. This is because there is a lot of cost to establish, maintain, and run one of these SOCs. For this reason, a lot of smaller companies will not have their own SOC, but instead, they can outsource this service to a third-party commercial SOC who can monitor their network and provide security as a service for that organiza on. Now, there are a couple of things that every SOC needs to have in order to be successful. First, they must have the authority to operate and they get this through organiza onal policies and procedures that gives them the authority to be able to do their job and tell other parts of the organiza on what needs to happen. This is important because if you're dealing with an instant response and you need to shut down a server to stop the infec on, that can have effects on the business and so the SOC has to be empowered to make those decisions if needed. Second, we need to make sure that we contain mo vated and skilled professionals within our SOC. It's not enough to just have somebody si ng in a seat watching a screen. They need to know what they're looking at. They need to be able to think cri cally. If we could just automate this, we wouldn't need people, but we can't. We need to have people who can do the analysis and figure out what is good and what is bad inside this mountain of data we're going to be collec ng. Third, we need to incorporate processes into a single center. Now, this is going to happen for some business processes, but mostly for security processes and IT. Now, the one thing you need to make sure is that your SOC doesn't become your service desk. That's not their job. You should have a service desk that works on the IT side, but if you start dealing with things like access management and iden ty management and any kind of instant responses, all of that should be handled by the SOC, and so your SOC is going to be your single opera on center for all of your security issues. Also, they need to be equipped to perform incident response because bad things are going to happen, and when they do, the SOC is going to lead the charge in ge ng those things resolved and ge ng the network back to secure and back to a good known baseline. Also, the SOC needs to be able to protect itself and the organiza on because the SOC isn't just outward facing and looking at all the bad guys and what they're trying to do to the organiza on's network, but the SOC itself could become under a ack. Now, if the SOC itself becomes under a ack, and their systems become compromised, they're not going to be able to see all the bad things that are happening on the organiza on's network too, so it's important that they also protect their own systems and this is o en something that some SOCs will overlook, so keep that in mind as you start building out your own SOC. Addi onally, we want to make sure that the SOC can separate the signal from the noise. Now, what I mean by that is that there is so much data coming in. We're going to have gigabytes and terabytes of data every single day, and as a person, we can't go through all that data ourself individually reading every single line, so we're going to have to automate some things. We have to start separa ng out what is known good versus known bad, versus what we're not sure of, and the stuff we're not sure of is really where we're going to spend most of our me as a SOC analyst because if we already know something's bad, we should block it, and if we know something's good, we should allow it, but it's that stuff in the middle that we're not quite sure on that requires addi onal analysis by a SOC analyst. And finally, we need to make sure we're collabora ng with other SOCs to be able to share data between ourselves. Now, this is really important because if I see something bad on my network and I tell my buddy who works at another company, he now knows to be on the lookout for that in his network as well. The same thing happens if I have one of my friends and she finds something in her network, she should tell me about it so that I can know about it as well. So this is one of the things that SOCS do a lot is they do a lot of informa on sharing as part of threat intelligence so we all are using the same informa on. We all know what bad things are out there so we can be er protect ourself against them. Now, one big thing I want you to keep in mind when you think about a SOC, remember, the SOC should be your single point of contact for security, monitoring and instant response. Now you want to make sure you have good, skilled professionals working in your SOC so you can do these three func ons well and protect your organiza on. Transcript In this video, we're going to be talking about security control categories. But, we're not going to be diving too deep into them just yet. Instead, we'll return to them several mes throughout our me together in this course. But for now, we just need a basic understanding of these different security control categories so we can start to scope our discussions throughout the next couple of sec ons. Now, as far as cybersecurity is concerned, we have to go through a process of risk management to iden fy the different threats and vulnerabili es to our networks. And once we do that, we have to find a way to mi gate those risks. Now, how can we mi gate these risks? Well, we do that by implemen ng effec ve security controls. Now, a security control is a technology or procedure that's put in place to mi gate vulnerabili es and risk in order for us to ensure the confiden ality, integrity, availability, non-repudia on and authen ca on of that data and informa on. If you've taken your Security+ already, you're probably familiar with these terms known as the CIA Triad, or CIA NA. And they're really important to the Security+ exam as well as the CySA+ exam. Now, historically, we would take these security controls and we would just deploy them in any way that we could in order to be reac ve based on the threats we are seeing. So, if a new threat came out like people trying to break into your network, we would say, hey, we need a way to block that access. How can we do that? Okay, I know, we'll put up a firewall. And so, firewalls became a really big thing as a security control. A er a while though, this wasn't sufficient because we started seeing people going through those firewalls because they were using things like viruses, and worms, and exploits in order to break into the networks. So, what do we do? Well, we add an virus or an malware, and on and on it goes, where a ackers did something and then defenders did something else in order to try to stop the a ackers from being able to break into the network. Now, this hodgepodge way of being reac ve is not going to be great for us. It never lets us get ahead of the game and stop a ackers fully. And therefore, we're always one step behind the a ackers if we're using a reac ve posture. So it's really important for us to figure out a be er way to do security. And the way we do that is by using a risk management framework and being able to take our security controls and selec ng them and deploying them as part of that overall framework. If we know what all of our risks are, we can then priori ze those risks, we can then mi gate those risks, and then we can start pu ng in a holis c approach to security to be able to prevent somebody from breaking into our networks such as an illegal hacker or a acker. Now, this process is going to allow us to start selec ng primary controls and complimentary controls to help work together to provide us a layered security approach that we call defense in depth. Now, the way that we classify all these different security controls actually comes out of a publica on that's created by NIST, the Na onal Ins tute of Standards and Technology. This document, which is known as the NIST Special Publica on 800-53, is called the Security and Privacy Controls for Federal Informa on Systems and Organiza ons. Now, if you want to review this document in its en rety, you can download it as a PDF by going into Google or your favorite search engine and searching for NIST SP 800-53 and it will pop up and you'll be able to download it because this is considered a publicly available document. Now, for the exam, you are not expected to actually read this document and learn everything inside of it. But as a cybersecurity professional, you will use this document a lot when you're selec ng controls. Remember though, it's not required that you know everything in it, but you should look through it at least once so you can get an idea of the kind of things that are inside of it because that's things that you can look up on the job and then use in your daily life. Now, there are a couple of important things that I want to pull out from this document so you have a be er idea how we can select our security controls. For example, inside this document you'll see there are 18 families of controls that are broken out. This includes things like access control, accountability, incident response, and risk management, and many others. Now, as we go through each of these different categories, we can look at different controls underneath these categories. For example, if you look at a certain control, you could say is this focused on accountability, or is it focused on access control, or our ability to do an incident response, or whatever it is. And this allows us to bundle up these different controls under these different categoriza ons. Now, as I said, this document, Special Publica on 800-53, is something that was created by the US government and it is considered publicly available knowledge for us to be able to use. But, there's also an interna onal standard known as the ISO 27001 standard. This is a framework that's a proprietary framework and so it does cost some money if you want to use it. Now, because of that, we see that actually most organiza ons like to use the NIST standard instead because it's actually something that is free to use both here in the United States and around the world, and so it makes a great resource for anybody in the cybersecurity industry. Now, in earlier versions of the 800-53, each of these different families actually belong to a class or category that we could categorize these different controls and categories into. For example, we used to have things like technical, opera onal, and managerial as the three major classes or families of controls. Let's take a moment and define these three categories of technical, opera onal, and managerial controls. Now, when we talk about a technical control, this is a type of control where we're going to be able to implement something in a system. So, if I'm going to install something like a piece of hardware, so ware or firmware, we would call this a technical control. Now, another name you may hear technical control called is what's known as a logical control. They mean the same thing, and it just depends on which standard you're using on which one people will call it. But, technical and logical controls are really the same thing. For example, let's say I take a firewall and I install it in your network. That is a technical control. If I take an an virus piece of so ware and install it on your machine, that's a technical control. If I patch your opera ng system, that again is a technical control. And all of these technical controls are also considered logical controls. Now, the next category we have is what's known as opera onal controls. Now, an opera onal control is one that is implemented primarily by people instead of using technology or systems. So, in this case, we might be looking to add security guards to make sure people don't break into our building. We also might train all of our employees on how not to to fall for a phishing scam when they get an email in their inbox. Both of these would be considered opera onal controls and not technical controls because we're trying to solve it using people. Now, the third category we have is what's known as managerial controls. These managerial controls give oversight of your informa on systems. So, when we have things like risk iden fica on or using different tools to be able to evaluate and select different controls by using things like vulnerability scans and remedia ons, all of this would be considered oversight or an assessment, and therefore, they are considered managerial controls. Now, while these three categories of controls can be really useful for us to think about as we think about the different controls used inside of our organiza on or our networks, they actually were removed back in version four of the NIST Special Publica on 800-53, as well as all newer versions of the 800-53. Now, even though they're removed from the NIST Special Publica on, using these three categories is s ll a useful way of thinking of our different controls by classifying them as technical, opera onal, or managerial, and for that reason, CompTIA has s ll chosen to use them inside the CySA+ exam objec ves. Now, one thing that o en confuses my students is that these controls some mes don't seem to go cleanly into one category. They actually some mes merge together or cross different categories. And this is one of the reasons that NIST actually has done away with these types of control families inside of the NIST Special Publica on 800-53. Let me give you an example of this. Some things might be both opera onal and managerial. Now, if that happens, what would you call it? Well, because you have both of these categories, people started calling for addi onal categories. For instance, they started using the term administra ve control to talk about something that was both opera onal and managerial. Now, this administra ve control is really where you can't dis nguish between an opera onal and managerial control, and so we smash them together into this hybrid known as administra ve control. So, a good example of this might be something like a vulnerability management program inside of your organiza on. Now, I'm not talking about a so ware program like the thing you run on your computer like OpenVAS or Nessus. Instead, I'm talking about a program such as an organiza onal framework of the policies and the procedures and all the things it takes for you to do vulnerability management within a given company or organiza on. Now, if you have that in your organiza on, this is going to be governed by the managerial processes. That's the oversight of the informa on system, but it also has some opera onal controls that tells your technicians what they need to do and when they need to perform a scan, or how are they going to respond to a scan when they get some kind of results, and what do they do if something bad has happened? All these things are not necessarily just managerial controls, but they're also opera onal controls. Now, in addi on to that, there's also a technical part of all of this vulnerability management too, right? Because on the technical side, you s ll need to run those vulnerability scans using a so ware program like Nessus, or OpenVAS, or Qualys, or something like that. And then you're going to get your reports and do all of your automated scanning and patching, and all of those things have to work together. And for this reason, NIST has started to break away from using these three basic categories because a single control like a vulnerability management program could actually fit into opera onal and managerial, making administra ve, or, we can even add into the technical as well if we start talking about the so ware tools, and in that case, we're now talking about technical and logical controls too. So, you can see how all these things start to get mixed up, and this causes a lot of problems for students when they're star ng out because they're having trouble separa ng these things out into the individual categories. Now, in general for the exam, you shouldn't get a lot of ques ons saying here's a control, which of these three is it? But, you should be thinking about these controls and how they could be categorized because it could help you to start figuring out what the solu on is to a given problem, especially in the real world. Now, when it comes to the exam, let me give you a quick p. You do not need to go and read the en re 800-53 as I said before, but it is a good thing to use as an on-the-job resource, and so, it's something you should be aware of, and you should at least look through the table of contents to get an idea of the different designa ons that are used inside of those different controls. Also, when it comes to the exam, do not fight the exam. We understand that since revision four, the NIST Special Publica on 800-53 does not have these specific control families anymore. But, your exam will s ll talk about control families and these different categories. So I don't want you to get hung up on that when you take the exam. Remember, for the exam you do not need to memorize the different family designa ons, but you should be familiar with the basic concepts that are presented inside the 800-53, such as the fact that there are controls and there are categories of these controls. Now, you may remember back in your Security+ studies that you talked about some other types of security controls too, and these are known as func onal types or func onal categories. Now, just because we've abandoned the idea of categories or families, as I said, it s ll can be helpful to categorize things according to the goal or func on that they perform. And so we have three different types that we can use here, which are known as preventa ve, detec ve, and correc ve. Now, when we talk about a preventa ve control, this is a control that acts to eliminate or reduce the likelihood that an a ack can be successful. So, for example, let's say I put an access control list on my firewall. This would be a preventa ve type control. I'm trying to prevent you from accessing my network by checking you against my access control list. Will it stop you 100% of the me? No, but it's going to prevent a lot of a acks before they can take place. And so, when we deal with things like ACLs, or firewalls, or an virus, or an - malware solu ons, or intrusion detec on, or intrusion protec on systems, all of these are things that can go in this preventa ve category. Now, a detec ve control is any control that may not prevent or deter access, but it will help iden fy and record any a empted or successful intrusion. The most common one that we're going to use is known as logs. Any me you log something that's happening, you're using a detec ve control because you can go back and review those logs and iden fy what happened and then put the pieces back together. Another good example of this in the physical world might be using a security camera. If you have a security camera in your house, it really won't stop me from smashing your window, jumping through that window and stealing your TV. But, you could record the fact that I was doing it, and then you can go back a erwards, put the pieces back together, and say, ah, Jason broke into my house and stole my TV. Here's the proof. I have detec ve evidence from it because I have a video that I could see what happened, and I recorded that a empt and I can show it to the police. Now, the third type we have is what's known as a correc ve control. Now, these correc ve controls act as a way to eliminate or reduce the impact of an intrusion event. So, the idea of a correc ve control is that we might have something like a backup system, and if I back up all of my files to an offsite backup, even if my system was compromised or stolen, I s ll have all of my data successfully stored offsite and I can correct this issue by restoring the system and restoring the data back onto that system or some new hardware just like it was before the intrusion occurred. Another good example of this might be using a patch management system. Once we know that there's a vulnerability out there and it's being exploited, we can then push out a patch to correct that across all of our systems and all of our networks to be able to prevent that same thing from being exploited again. Now, the big thing you have to think about when you deal with security controls here is that there really is no single security control that's going to be perfect and solve all of your problems. Everything has some kind of vulnerability associated with it. And so we need to measure security controls for their effec veness, and we really need to determine how long it can delay an a ack, and the longer it can delay the a ack, the more effec ve that security control is going to be for us, and that way we can actually use all of these controls together to build a good defensive in-depth posture for our organiza on and our networks. Now, in addi on to these preventa ve, detec ve, and correc ve controls, there's a couple of other ones that we should men on too. These are known as physical, deterrent, compensa ng and responsive. Now, when I talk about a physical control, these are the types of security controls that act against an in-person intrusion a empt. This includes things like alarms, gateways, locks, bollards, ligh ng, security systems, security guards, and all the other things that can deter and detect access to our physical premises and the hardware contained within those physical premises and our buildings. So, when you think about a physical control remember, it can actually be a detec ve control, a preventa ve control, or a correc ve control. These are not an either/or. It can be many of these different things. So, you can have a preventa ve control that's also physical. For example, I have a lock on the front of my house. This lock is a preventa ve control, but it's also a physical control because it's protec ng what's inside my house. You can also have something that's detec ve and physical. For example, you might have a security camera. That's a detec ve control, but we're also monitoring your physical area and therefore it becomes a physical control too. Now, the second one we have to cover is what's known as a deterrent control. Now, a deterrent control is any type of security control that discourages an intrusion a empt. Now, the control itself may not be physical or logically there to prevent the access, but it can tell other people that there is something there and for that reason, you shouldn't a ack us. For instance, have you ever driven through a neighborhood and you see a lot of signs in front of people's houses saying this house is protected by so-and-so security? Now, it doesn't really mean there's a security system on that house. Instead, it's just a sign. The sign there is ac ng as a deterrent control. This means as a burglar or somebody who wants to rob your house, as I'm driving by, if I see that sign I may not go a er your house, instead go a er your neighbors because your neighbor doesn't have that sign. Because that sign is telling me, hey, this house is protected by a security system, I am now being deterred and told I shouldn't go in that house and I may make my decision to go somewhere else. That's the idea of a deterrent control. Now, the next one we have is what's known as a compensa ng control. Now, a compensa ng control is a type of security control that acts as a subs tute for a principle control. Now, what I mean by that when I talk about a principle control, is that this is the best level of protec on you can get. But, maybe you can't afford that best level of protec on and so you need to do something else that isn't quite as good but it s ll gives you some benefit, and therefore, we call it a compensa ng control. Generally, a compensa ng control is going to be recommended by a security standard and it's going to give you an equivalent level of protec on to what the be er technology might be used for if we had a way to achieve it. For example, let's say you wanted to increase the security of your authen ca on systems and you want to make sure your password security is really good. Well, you can achieve that a couple of different ways. You can have a really long and complex password that's changed every 30 days, and that might be something that's 16 characters with uppercase, lowercase, special characters, numbers and all that stuff. Now, that's a really good, strong password, but it's going to be really hard for your users to remember. Or you might give them a smart card and a PIN, and by doing that, they have to remember a four digit or eight digit number and put their card into the system to log in. Now, that's actually a lot easier for our user, and it's actually much be er for our security than the original control of having a long, strong, complicated password. And the reason for that is we're now using two-factor authen ca on by having something we have, that card, and something you know, that PIN number. So, even though the standard might tell us we need to have a long, strong password, we could subs tute that with a compensa ng control of using a smart card and a PIN number because that gives us equivalent or be er protec on, and so we can subs tute that in as that compensa ng control. Now, the fourth type of control we have is what's known as a responsive control. A responsive control is a system that ac vely monitors for poten al vulnerabili es or a acks and then takes ac on to mi gate them before they can cause damage. A great example of a responsive control is a network firewall. A firewall is a system that monitors all incoming and outgoing network traffic and blocks anything that looks suspicious or malicious. This can include blocking traffic from known malicious IP addresses or preven ng the execu on of files that contain known malware. Another good example of responsive controls would be an intrusion detec on system, an IDS, or an intrusion preven on system known as an IPS. These devices can monitor network traffic for pa erns that indicate an intrusion is occurring, such as a repeated failed log on a empt. When an intrusion is detected, the intrusion preven on system will then take some kind of ac on to block that intrusion and alert assistant administrator. Generally, a responsive control is going to be an important aspect of cybersecurity because it allows you to quickly iden fy and respond to different threats, reducing the risk of a successful a ack. These responsive controls can be a mixture of technical, managerial, and opera onal controls too. Therefore, as you're inves ng in a comprehensive security solu on, this will help include things like responsive controls, and that can give you a lot be er protec on for your sensi ve informa on and assets within your organiza onal networks. Selec ng security controls. Now, as we covered in the last lesson, there are lots of different security controls out there and we just talked about the general categories, but under each category there are hundreds and thousands of different controls. And lots of these controls will do the same thing or give you the same benefit. So how do you select the security controls you want to use? Well, one of the best ways to do that is to think in terms of CIA. If you think about the confiden ality, integrity, and availability, you can make sure you have proper coverage over each of those areas to make sure you're crea ng security for your system. Let's consider the following example of some technical controls. First, what if I had an encrypted hard drive on a laptop? Which type of control is this? Am I upholding confiden ality, integrity, or availability? Well, if you think back to your Security Plus studies, you'll remember that any me we're dealing with encryp on, we really are dealing with confiden ality, because we're trying to make sure that nobody's prying eyes can see our data. If we encrypt our drive, nobody can access the informa on on that drive without that encryp on key. And that is going to maintain confiden ality, but it doesn't really do anything for integrity or availability. So it only upholds the C in CIA. What if I decided I wanted to use digital signatures on my emails? Well, again, thinking back to Security Plus, a digital signature is essen ally a hash of the email you're going to send, encrypted with your digital private key. Now, if you remember, a digital signature doesn't encrypt the email itself, it encrypts the hash. And when we talk about hashes, we're always talking about integrity. And so, what we're dealing with here is upholding integrity by using a digital signature. It doesn't do anything for confiden ality and it doesn't do anything for availability. So again, we're only dealing with the I in CIA. How about a third example? What if I'm dealing with a cloud product and it has the ability to instantly scale up or scale down using its elas city to meet demand? Which would it be? Would it be confiden ality, integrity, or availability? Well, it'll be availability, right? Because we'll have the ability to take on as much traffic as somebody can send to us, because we can instantly scale up and accept that load. So again, this doesn't give me anything for confiden ality, it gives me nothing for integrity, but it's all about availability. So each of these three things in their own can give me C, I or A, but they can't give me all three. And that's the idea here, is none of these technologies alone can give us confiden ality, integrity, and availability, but if I combine them all together, I can get the tenets of security. And that is why using your risk management framework is really important to figure out what risk you're trying to solve. Is it a confiden ality risk? Is it an integrity risk? Or is it an availability risk? Or is it all three? And if so, you may need to select mul ple controls to be able to deal with that. So how do you decide which security control you're actually going to apply? Well, again, this is going to depend on your risk and what you're trying to mi gate. Let's walk through an example together. Dion Training, my company, has recently implemented rou ne backups of our databases to ensure that we can quickly recover if a database is ever corrupted or infected. Now, our backup solu on also uses hashing to validate the integrity of each entry as it's being wri en to that backup device. Which technical control would you recommend adding to ensure the tenets of CIA are upheld? Now, I'm not even giving you mul ple choice here, but I want you to think about this. If you have a backup solu on and that backup solu on is backing up a database, that's going to be availability, right? And then, if we're dealing with the hashing, that's going to give us integrity. So I have the I and the A covered, but I don't have confiden ality. So what could I do to give me confiden ality? There's lots of answers out there, but I'm going to present you with just two. First, I might think about adding an access control system. By having an access control system, I can control which users can access that backup and be able to have access to the data. Because remember, that backup has all of our live data as well. And so by using the right user permissions, that would be one way to maintain confiden ality. Now another way we could do it is we can encrypt those backups, because if those backups get lost and somebody could read them, that would be bad. That would breach our confiden ality. So we can use encryp on as a way to uphold confiden ality or we might use both of these controls, because we're worried about the wrong people accessing the data and we're worried about the loss of the data if somebody took the database out and by having it encrypted, that would solve that problem too. So that's the idea of when you start thinking about these security controls. And as a cybersecurity analyst, you are going to do this a lot in your job. You're going to look at a problem, you're going to look at a vulnerability, and then you're going to have to decide what can I do to solve this vulnerability? How can I mi gate this risk? And by going through and thinking through the CIA part of it, you can think of what controls can help in each of these areas and give you a more holis c coverage over the en re vulnerability and how you can best mi gate it. Security and threat intelligence. These days, we have to use our intelligence-driven defense to create a solid defensive posture. We can't rely on the way we've done things historically. Now, historically, our focus was on configura ons. We would set up the right firewalls, the right ACLs, install the right an virus, and then we would say, "Hey, we're protected." But these days, that simply isn't enough. While all these technologies are very important, they don't by themself give you enough defense against a thinking adversary that uses modern cyber a acks. So instead, it's really important for us to think about the idea of security intelligence and cyber threat intelligence. And that's what we're going to focus on in this lesson. Now, security intelligence is the process through which data is generated in the ongoing use of the informa on system. And that data is going to be collected, processed, analyzed and disseminated to provide us with insights into the security status of those systems. So if you think of a standard system administrator, they log things on their system and they review those logs. That is a form of security intelligence. It's for them to be able to understand what is their system doing. As they go through their firewall logs, their intrusion detec on alerts and other things like that, you're understanding what your posture is internally inside your network and what your organiza on's security posture is now set at. Now, on the other hand, we have to consider our cyber threat intelligence as well. Now, cyber threat intelligence is the process of inves ga ng, collec ng, analyzing and dissemina ng informa on about the emerging threats and threat sources to provide data about the external threat landscape. So when we're talking about security intelligence, we're thinking inward, how are our systems looking? But when we think about cyber threat intelligence, we're looking outward. We're thinking about the a acker groups, we're thinking about malware outbreaks. We're thinking about zero-day exploits and things like that. All those bad things that are out there that can a ack us and hurt us, that is what we're focused on when we're doing cyber threat intelligence. And we need both of these. We need to know our posture with security intelligence, but we also have to know what can a ack us using cyber threat intelligence. Now, when we look at cyber threat intelligence, it really does come to us in two forms. It can come in the form of a narra ve report or a data feed. Now, when we're dealing with a narra ve report, this is going to give us the analysis of a certain adversary group or a certain type of malware, and we're going to get a wri en report based on that. There are a lot of places you can buy these from, and these come in a format that is really manually created by some threat analyst. And so if you get a job as an intelligence analyst or a threat analyst, you may spend all day going through different packet captures, and going through honeypots, and learning about some kind of adversary or malware, and then wri ng a report on it. And these reports are then sold to all the different SOCs around the world who use that in their defense of their networks. Now, this is very useful at a strategic level. This gives you intelligence about what the bad guys are doing, and that can help us decide where we want to put money and which security controls we want to have to be able able to defend ourself from these bad guys and their types of a acks. Now, on the other hand, we also have data feeds. And data feeds can be a list of known bad indicators, things like indicators of compromises, domain names, IP addresses, it might be something like hashes of exploit malware code. All of these type of things are tac cal level informa on. This gives us something that is very opera onal. It's something we can do something with. If you tell me that this IP address is a known bad IP, I can block it in my firewall so no connec ons can go to it, right? That's the idea with a data feed. Now, which one is be er? Do we want data feeds or narra ve reports? Well, we want both. We don't want to use just one or the other. We have to use both to get the best security for our networks. We're going to use those narra ve reports to get the big picture of what the landscape looks like and then we're going to use the data feeds to get those specific tac cal things that we can program our sensors and our defenses against to be able to protect ourselves. Now, the combina on of both of these is very useful to us and it allows us to have a be er security posture for our organiza on. Now, if you want to be able to sign up for some of these data feeds or these narra ve reports, your organiza on can do that. And most of this is done as a monthly subscrip on or a yearly subscrip on. There are a lot of companies out there that do this, like McAfee, FireEye, Red Canary, and many, many other ones. For example, if you want to learn more about a specific adversary or a certain tac c, you could search for that on Google or use your subscrip on to one of these services. In one of my previous organiza ons, we had a subscrip on to FireEye service. And so if I wanted to learn more about APT28, which happens to be a group of Russian hackers, I could learn more about them and the techniques they use. And in that report, it tells me what type of targets they're going a er. Are they going a er military or commercial targets? Are they going a er the banking sector or the film industry? And then we can see how that affects me and my industry and how we can be er defend against it. If you want to see an example of one of these reports, if you go to Google and type in APT28 FireEye PDF, this report will come up and you can see what these look like. They're generally around 20 to 30 pages and they give you a lot of great informa on about a par cular adversary group or a specific malware type. Transcript The security intelligence cycle. Now, intelligence is a process. It's not just about collec ng data but you have to collect that data, you have to plan to collect that data and you have to go through and process that data and get it through. So, when you look at the process, it's going to start out with requirements, planning and direc on. This is where we're going to be focused on what do we want to collect and figure out how we can best do that. Then we move into our second phase which is collec on and processing. Now that we know what we want to collect, we have to go about actually collec ng it. Third, we need to move into analysis where we start taking all that data we got and we start looking through it to try to make some decisions based on it. And then we move into our fourth phase, which is dissemina on. This is how we take that informa on that we've analyzed and present it to other people. And then we move into our fi h phase, which is feedback. This is how we look back through the cycle, see what went right, what went wrong and what we could do be er and then we started all over again. Let's take a li le bit more in-depth look at each of these five phases as we move through the security intelligence cycle. First, we want to talk about the requirements phase. Now requirements is also planning and direc on. The requirements phase is going to set out the goals for the intelligence gathering effort. At this point, we need to figure out what is it that we want to collect. That way we can figure out what are the things we care about? What do we want to spend the me, money and resources to gather? This is really important to have your goals set because if you don't understand what your goals are and you don't understand what your use case is for this data, you're going to be spending a lot of me and a lot of money collec ng a lot of data for no reason at all. For example, if I worked for an auto manufacturer like Tesla or Honda or Ford, I would probably want to make sure that we are gathering intelligence on any threats to automobile systems. Especially if you're somebody like Tesla that is trying to work towards self-driving cars, there's a big cyber threat component to that. And so we'd want to be looking out there at the en re landscape to figure out what adversaries are out there, what APTs are out there and what type of malware and vulnerabili es are out there for our type of systems that could affect the safety of our systems. Consequently, we might also look at any kind of things that would affect our supply chain. We have to buy those computers from somewhere, right? And so we need to make sure we understand what threats exist there and how we can mi gate those risks. There's a lot of informa on out there and what the idea here in requirements gathering the planning and direc on is figuring out what are the things we want to measure? That's what we have to deal with here. Now, another thing we have to think about here is thinking about any kind of special factors or constraints we might have. For example, if you work for the government, there are certain things you can and cannot collect on your ci zens depending on what government you are in the world. For example, I'm in the United States. The US has a policy that they cannot collect informa on on US ci zens. So if you work for the NSA or the CIA, they are not allowed to collect informa on on me as a US ci zen. No ma er if I'm si ng in the United States or if I'm si ng abroad, if I'm a US ci zen, they can't collect on me. That's part of the rules. And so there are legal restric ons on what they can and cannot do. For instance, if they wanted to collect informa on on me, they would have to go and get a warrant to do that because as a US ci zen, I am protected by the fourth amendment against unlawful search and seizure. Every country has different rules, every loca on has different rules. So your organiza on is going to have to consider that as you're planning what your collec on process is going to be. So now that we've considered all of that and we've figured out what we want a plan to do, we now need to actually move into collec on. And the second phase is collec on and processing. The collec on process is implemented by so ware tools such as SIEMS and then it's processed for later analysis. Now, when we collect things, this is where we're gathering all the data. So if I put a network sensor out there that's collec ng PCAP data, packet capture data, it can collect all that informa on and send it back to a centralized server. I may collect logs from a router from an intrusion detec on system, from a firewall, from servers, from endpoints. All that data has to be collected and then sent someplace. Generally, we'll put this into a SIEM which is a security informa on and event management system and then we can use that as our center point of all the collec on. Now, the one challenge we have though is that all this data is coming from different systems, right? Well, when all this stuff is coming from different systems, it might come in a different format. So we need to normalize that data and that is the processing part. This is where we'll convert all the data into a standard format that a single solu on like a single SIEM can actually use. This means all the source IP addresses will be in a certain column all the des na ons will be in another column, all the mestamps will be in a third column. And this way we can search and index all this informa on and use it as we search for those things later on in our analysis cycle. Now, another considera on you have to think about is how are you going to keep all this data secure? So we just took all this data from across our network and all of our sensors and put it in the SIEM. Well, we need to make sure we protect that SIEM too. And so we might be using things like encryp on on the SIEM, we might be using things like access control in the SIEM and we might be using things for integrity like hashing on the SIEM. All that data needs to be protected as well, because if it's useful to us, it could also be useful to an a ack. The third step we're going to have is going into the analysis process. Now, the analysis phase is performed against the giving use cases that we had from our planning phase and we can u lize things like automated analysis, ar ficial intelligence, and machine learning. Now, this is really important because there is so much data that we are collec ng at this point that a single person cannot read it and analyze it fast enough. So we have to use some sort of way to automate this. So these days one of the most common ways of a acking this problem is by separa ng our data first into three buckets. First, what do we know is good? Second, what do we know is bad? And third, what we're really concerned with is what we're not sure of because again, if it's known good, we're going to allow it, if it's known bad, we're going to block it, if we're not sure, that's where further analysis needs to be done. Now, because of there's so much data at this point, we have to use things like machine learning and ar ficial intelligence to help our humans go through this data data because there is just so much stuff going over our networks. This allows us, again, because of our processing, we've normalized it, and now in our analysis, we can filter it, we can organize it into a useful form and we can start doing our analysis on it. Now, all of the analysis we do should be done in the context of a use case. And these use cases are something that we developed all the way back in our planning phase. This says, I'm interested in this type of informa on for this reason because there might be some interes ng informa on but if it doesn't impact business decisions for you and your organiza on, why do you even care? And that's the idea here. Our job here is to go through these large data sets and we want to start figuring out what doesn't look right, what looks funky, what is not going to be good for our organiza on and we want to start building our models against that. For example, if I start looking through the domain authen ca ons that are occurring in your organiza on, and I know what good looks like and I know what bad looks like, there may be some things there that are suspect and it may be the indica on of an insider threat. And so if I'm looking at that through the lens of an insider threat use case, that will help me do my analysis be er and use the right filters and query strings to extract the relevant data that I need. Now, the fourth phase is dissemina on. And the dissemina on phase refers to publishing the informa on produced by an analyst to a consumer who needs to act on the insights developed. Now, this can take a lot of different forms, and it depends on your organiza on and what the intended audience is. You may have oral reports, you may have wri en reports, you may have a PowerPoint presenta on, you may have an email. It really does depend on your organiza on. Now, three of the most common ways we'd like to break up this dissemina on is into the level of intelligence. It can be strategic, opera onal, or tac cal. When strategic intelligence, this is going to address broad themes and objec ves and these usually affect projects and business priori es over weeks, months, and years. Most o en I see this done as a report to an execu ve or a PowerPoint presenta on in a large group. The second one we have is opera onal intelligence. Now, opera onal intelligence is going to address the day-to-day priori es of managers and specialists. O en mes, I'll see this put out as a checklist of these are the things you should be worried about today and these are the things we need to focus on today. The third type we have is tac cal intelligence. And tac cal intelligence informs real- me decisions made by staff as they encounter different alerts and system indica ons. So if you're si ng there on the SOC watch floor and you see an alert pop up on your screen that is considered tac cal intelligence. It needs to be dealt with right now, and it is real me. Our fi h and final phase of the cycle is feedback and review. Now, this phase is going to aim to clarify the requirements and improve the collec on, analysis, and dissemina on of informa on by reviewing the current inputs and outputs. Basically, how can we do things be er? That's our goal. We always want to improve the implementa on of our requirements, our collec on, our analysis and dissemina on, and how we can improve over me and get be er at what we do. For example, you might be doing things like lessons learned by figuring out what incidents occurred during the intelligence gathering this cycle so we can avoid those problems next cycle. We might want to figure out how we're going to measure success, what metrics are going to show us success or failure of the intelligence gathering. We also want to think about evolving threat issues. Maybe we've been looking a lot for phishing but now we're seeing that phishing isn't popular. Instead, people are going against bring your own devices and so we want to start shi ing our intelligence collec on towards that threat vector. These are the kind of things you want to think about as you move through the intelligence lifecycle. So one more me, as a quick review, the five phases of the intelligence lifecycle are: one, requirements planning and direc on, two, collec on and processing three, analysis, four, dissemina on, and five, feedback. Informa on Sharing and Analysis Centers, ISACS. Informa on Sharing and Analysis Centers began back in the 1990s as a form of a public-private partnership here in the United States. Now, for each cri cal industry, an ISAC was set up. An ISAC is a not-for-profit group set up to share sector specific threat intelligence and security best prac ces among its members. Now, these were set up here in the United States, but over in the UK they have a similar thing known as CSIP, which is the Cybersecurity Informa on Sharing Partnership. And this serves a similar purpose over there. Now, as I said there is an ISAC for many different industries. For instance, there's one for cri cal infrastructure. One for government. One for healthcare. One for financial. And one for avia on. These are the ones we're going to cover in this lesson but there are many other ones out there. For the exam you don't need to go too deep into an ISAC just to know that they exist and the basics of them. So let's talk about cri cal infrastructure first. What is cri cal infrastructure? Well, cri cal infrastructure is defined by the Department of Homeland Security here in the United States. They define it as any physical or virtual infrastructure that is considered so vital to the United States that their incapacita on or destruc on would have a debilita ng effect on security, na onal economic security, na onal public health or safety, or any combina on of these. Basically, these are really important things. These include the chemical sector, the commercial facility sector, the communica on sector, the cri cal manufacturing sector, the dam sector, the defense industrial based sector, the emergency services sector, the energy sector, the financial services sector, food and agriculture sector, government facility sector, healthcare and public health sector, informa on technology sector, nuclear reactors, materials and waste sector, transporta on systems sector and water and wastewater systems sector. These are the 16 cri cal infrastructures that are listed by the Department of Homeland Security. Again, for the exam, you do not need to memorize all 16 of these, but you should understand that these are really important things and we want to make sure they're secure. And so as a cybersecurity analyst, there are a lot of people working in these 16 sectors around the country. Now, if you happen to be working for one of these 16 sectors you're probably going to be dealing with a lot of ICS, SCADA and embedded systems because these are a main focus within cri cal infrastructure and therefore the threats against them are a big concern for you as a cybersecurity analyst. The next ISAC we want to talk about is the government. Now, the government has their own, and we're not talking about the federal government here. Instead, this government ISAC is focused on serving non-federal governments in the United States. Such as the state, local, tribal and territorial governments. For example, my company is based out of Puerto Rico which is a territory of the United States. So our government is a territorial government and they work as part of this ISAC with the federal government in this public-private partnership to make sure they're being served and they understand what threats are against their government. The next ISAC we're going to talk about is healthcare. This ISAC serves healthcare providers that are o en targets of criminals who are seeking to blackmail them or looking for ransom opportuni es by compromising pa ent data records or interfering with medical devices. As you saw earlier, healthcare is considered one of the cri cal infrastructures inside this country. But then we have this separate ISAC here to help support healthcare providers directly. Next, we have financial and this serves the financial sector to prevent fraud and extor on of both the consumer and the financial ins tu ons. For example, we want to make sure we're ge ng informa on about anybody who's trying to affect a major trading pla orm like the NASDAQ or the stock market or somebody who might be able to go a er ATMs to have them give out money for free. All of these could pose a na onal security risk or an economic risk to our country. And finally, we have avia on. Avia on is focused on serving the avia on industry to prevent fraud, terrorism, service disrup ons and unsafe opera ons of air traffic control systems. Again, this is an area we don't want to have problems in because if somebody could take over the air traffic control system they could start crashing planes into each other and that would be a really bad day for us. So obviously these are things that we have to worry about and so there's an ISAC set up to help support the avia on industry in the fight against this. Threat intelligence sharing. Now, in addi on to being part of an ISAC, if that's part of one of your industries, you also need to think about threat intelligence sharing within your organiza on. As we start iden fying this mely, relevant and accurate sources of threat intelligence we need to think about how do we make that data ac onable? And one of the ways we do that is by dissemina ng this informa on to different people within our organiza on, or even outside our organiza on. That's the idea that we're going to talk about in this lesson. We're going to talk about how we can use this through risk management and security engineering, incident response, vulnerability management and detec on and monitoring. First, risk management. What is risk management? Well, risk management is the process of iden fying, evalua ng and priori zing different threats and vulnerabili es in order for us to reduce their nega ve impact. Now, the reason that threat intelligence is important to risk management is it tells us how risky a certain thing is based on outside threats, because we know our own vulnerabili es through our vulnerability management and our scanning, but if we don't know what a ackers are coming a er us we can't really think about the threat. And so pu ng those two together is really important. Now, the reason why we put risk management and security engineering together is because by pu ng them together we can start designing the architecture of the hardware, the so ware, and the network pla orms to respond to these different threats and reduce our a ack surface. This way we can start figuring out what a acks we're vulnerable to and what controls we can put in place. For instance, if we're looking at strategic threat intelligence and we start seeing that people are going a er Linux systems more than Mac or Windows systems for instance that may mean that if we're running a lot of Linux servers we need to make sure we're prepared for those addi onal a acks. This is the idea of thinking strategically of what changes we can make inside our organiza on for the long term to try to outsmart or out-maneuver the different bad actors that are out there. Now, the second area we have to use threat intelligence for is incident response. Incident response is an organized approach to addressing and managing the a ermath of a cybersecurity breach or a ack. So if somebody has been successful in penetra ng our network, we need intelligence to help keep them out. Now, the best type of intelligence here is going to be tac cal-level intelligence though, because we need to know where they are in our networks, what IP address are they coming from, what are they doing once they're in our network, and all those tac cal pieces of threat intelligence will help us iden fy where they are and how we can get them out of our network and prevent them from coming back. Then we can start using those strategic insights to prevent them from coming back over and over again in the future. But right now, we're really focused on the tac cal threat intelligence to get this incident response resolved. The third one we have is vulnerability management. Now, when we deal with vulnerability management this is the prac ce of iden fying, classifying, priori zing, remedia ng, and mi ga ng so ware vulnerabili es. Now, as we start thinking about vulnerability management at a strategic level we're going to use our threat intelligence to iden fy unrecognized sources of vulnerabili es that we may not have thought of. For instance, do we have a WiFi enabled thermostat? That's an IoT device, an internet of things and that's something we have to consider. And many people don't think about that inside their organiza ons. What about the concept of deepfakes? That is a big issue these days. What about AI facilitated fuzzing to discover zero day vulnerabili es? There are lots of different things out there and if we think about them from a strategic level we can make sure that we're doing a good vulnerability management program that addresses those concerns. Also, we can be thinking about things at a more tac cal level, like we know that a certain piece of malware is now in the market. Are we vulnerable to it? And so we can do a scan, specifically looking for that one thing. This is very popular once there's a big well-known malware a ack that goes out there. For instance, when WannaCry came out that was something you'd want to do a vulnerability management of your own network and see if you were vulnerable to it and what mi ga ons you could put in place before you were a acked. And using threat intelligence allows you to do that. Finally, we have detec on and monitoring. This is the prac ce of observing ac vity to iden fy anomalous pa erns for further analysis. Now, as we think about detec on and monitoring we need to also use threat intelligence here too, because as we know what threats are out there we can then tune our sensors be er. This will allow us to add more rules and defini ons based on different observed incidences that have happened either to our organiza on or partner organiza ons, or one of those commercial data feeds that we're subscribed to. By ge ng that informa on, we can tune our sensors be er and we can have a lot more true posi ves and a lot less false posi ves. So this is why it's a good idea to make sure you're on the dissemina on chain for threat intelligence if you work in detec on and monitoring. Overall, our goal here is to share our threat intelligence within our organiza on so we can improve our organiza onal capabili es and protect ourselves from addi onal threats. Back in your Security+ studies, you learned a lot about the different types of threats that occur to the safety and security of our networks and our systems. In this lesson, we're going to talk about the two highest levels of threat classifica on categories that we have. These are known as known threats and unknown threats. Now, known threats are any threat that can be iden fied using basic signature or pa ern matching. These are things like malware and documented exploits. When I talk about malware, I'm talking about any so ware that inten onally is designed to cause damage to a computer, a server, a client, or a computer network. These are things like viruses, and rootkits, and Trojans, and botnets, all the things you talked about back in Security+. Now, these are very straigh orward to iden fy and scan for because we have a matching signature in our database that can help us detect it. This brings us to the idea of a documented exploit. Now a documented exploit is a piece of so ware, data, or a sequence of commands that takes advantage of a vulnerability to cause unintended behavior, or to gain unauthorized access to sensi ve data. If we're using a vulnerability scanner, we can look for certain things in our environments that we know have documented exploits against them, and therefore we can detect those things, making them a known threat. These are very sta c and we deal with known threats, these are things that are easily detected using signatures, hash values, or other things like that. Now, the next thing we want to talk about is the other category, which is unknown threats. And this is a more dangerous area for us as cybersecurity analysts. An unknown threat is any threat that cannot be iden fied using basic signature or pa ern matching. Now, when we talk about unknown threats, there are lots of these things out there. We have zero-day exploits, we have obfuscated malware code, we have behavior-based detec on, we have recycled threats, we have known unknowns, and we have unknown unknowns. We're going to talk about each of those through the rest of this lesson. A zero-day exploit is any unknown exploit in the wild that exposes a vulnerability in the so ware or hardware, and it can create complicated problems for us well before anyone realizes that something is wrong. When we are dealing with a zero-day vulnerability, this is something that somebody found out in the wild and they said, "Ah, I found a new way to break in on something." And we don't have a way to detect that or to stop it yet. And so it is a zero-day because the a ack happens on day zero, the first day it was discovered. And this becomes a big problem, and is one of the most dangerous areas for us as cybersecurity analysts. The next area we want to talk about is Obfuscated Malware Code. This is malicious code whose execu on the malware author has a empted to hide through various techniques such as compression, encryp on, or encoding to severely limit our a empts to sta cally analyze that malware. Now, when you do this, you're essen ally scrambling the code or changing it slightly, and if you keep doing this randomly at different intervals you're going to be able to take a known threat and essen ally make it unknown, because you con nually are scrambling that code making those signatures inaccurate and they won't detect it anymore. The next thing we want to talk about is behavior-based detec on. Now, behavior- based detec on is really important when we're trying to get unknown threats and discover them. The reason is we can't use a signature because they're unknown, but using behavior-based detec on this is a malware detec on method that evaluates an object based on its intended ac ons before it can actually execute that behavior. For example, if you send me a piece of email with an a achment in it, that a achment may be opened in a sandbox first, evaluated based on its behavior, see if it's malicious or not, and if it isn't malicious then be sent into my inbox, and if it is malicious, it can be sent out and be destroyed. That's the idea of a behavior-based detec on. When we're looking at behavior-based detec on, we're going to be doing things heuris cally. We're looking at all the different things that are around this, what ports are being opened, what calls are being made in the so ware, and based on that, we can determine if it's good or if it's bad, and whether we should allow it or not. Now the next one we're going to talk about is what's known as a recycled threat. Now, recycled threat refers to the process of combining and modifying parts of exis ng exploit code to create new threats that are not as easily iden fied by automated scanning. Again, if we take different pieces and parts of different malware code and we put them together, we can now bypass the signature-based detec on of a known threat because it is now something new. We've recycled it, we've changed it, and now we might be able to get it through that system and pass the an -malware scans. The next two we're going to talk about is known unknowns and unknown unknowns. Now known unknowns is a classifica on of malware that contains obfuscated techniques to circumvent signature matching and detec on. When we talk about unknown unknowns, this is a classifica on of malware that contains completely new a ack vectors and exploits. Now, these both come from this chart, and you'll see here I have four quadrants on the screen I have the unknown knowns, the known knowns, the unknown unknowns, and the known unknowns. Now when I deal with all of these and we start looking at them, each one is going to tell us something different. And when we take our malware that we're looking at, we can put it in one of these four categories. For instance, if we start in the upper right corner we have the known knowns. These are things that we are certain of. We have a piece of malware, we have a good signature for it, and therefore it is a known threat. We know what it is, and when it comes into our system we immediately can stop it, we can block it, we can alert on it, whatever we need to do because we are certain, we are clear and transparent this is a bad thing. Now, the next one we have is what's known as an unknown known, this is on the top le. Now, an unknown known is something that is known to other people, but it may not be known to you. For example, there might be a signature out there inside the McAfee firewall, but there's not one inside your firewall. And so McAfee knows about it and they can stop it, it's a known thing, but to you it's unknown. And that's what an unknown known is, that top le corner. Now the two we really have to be concerned with is the bo om of this chart, and this is our known unknowns and our unknown unknowns. When we deal with a known unknown, this is where this is something that is an unknown thing, we don't have a signature for it. All the things here on the bo om where they are something unknown means we don't have a signature. Now if it's a known unknown, these are things that we can't predict so we need to start doing research to start reducing the uncertainty we have around this thing. This unknown has to become known at some point, and so what we do is we know that it's bad that's the known part of it, but we don't know any signatures that are related with it so we don't have an easy way to block it. And this is generally where you're going to see a lot of your behavior-based analysis being done. And then we have our unknown unknowns. Now when you do a unknowns unknowns, these are things that we don't know and we just don't have any way to know about it yet. And so we have to experiment more and more, and we have to do a lot more research, and try to figure these things out. For example, if there is a zero-day, we've never seen it before, and it's doing something that we never thought was malicious behavior, this is an unknown unknown. And eventually we might find out, oh, that thing they're doing with these 20 steps, when you put all those together, that is a bad thing. And so then it becomes a known unknown, and eventually if we can create a signature, we can make it a known known. And so that's the idea here, when we start dealing with these threat classifica ons. For the exam, no one is going to ask you to put a threat into one of these categories, but in the real world this is a good way to think about things as you start bucke ng pieces of malware and different behavior you're seeing within your network. And all of this is based on a concept known as the Johari Window. In the Johari Window, you have four quadrants again. We have open, blind, hidden, and unknown, and our whole goal is to try to get things known more by us. And so if it's something that is known to ourself and known to others, that's open. For instance, we all know that two plus two equals four, that is an open piece of knowledge that everybody knows. Now there are some things that are known to yourself but they're not known to others, and we call these hidden. For instance, I know a lot about cybersecurity and you may not know as much as I do, but if there's things that are known to me but not known to you, well, if I tell you about them it's going to move you from this hidden area up into the open area where you start learning about it too, and now it's known to me and you. When we start dealing with other things, there might be things that you know, but I don't know, and so I am blind to those things. For me to know about those things that I'm blind to, you have to tell me. And so if you tell me about it it's going to take me from blind into open. And then if we have an unknown, that means you don't know it and I don't know it, so it's not known to others and it's not known to me. And so in that area, we have to, one of us has to eventually discover it, and once we do, we can then tell the other and we can get ourself back up to open. The goal here is we always want to try to get to open if we can, and that's the idea here with malware. If we have something that is unknown but a security researcher learns about it, they can tell others about it, and when they do, that helps bring us into either the hidden or the blind, and then from hidden or blind over to open. Once we all know about it, it becomes open, it becomes very easy to know this as a known threat and it's something that we can build a signature or automa on to block that a ack. Got it. I will add lots of informa on from that to the mul ple choice test. Transcript In the world of cybersecurity, we refer to the a acker as a threat actor. Now, a threat actor is the term we use to describe these bad folks, those who want to do harm to your networks or steal your secure data. However, not all threat actors are created equal so there are different categories or ers of adversaries that you're going to encounter. Some of these are considered structured, some are considered unstructured, some are more skilled than others and there are many different things that actually mo vates each type of threat actor. Now in the media, you usually hear the terms hacker and cracker being used interchangeably but hacker has actually been the term most used in recent years and usually conjures up visions of somebody behind a laptop in a black hooded sweatshirt, si ng in a dark basement. Originally though, a hacker was simply a computer enthusiast and not considered a criminal. Crackers were hackers with malicious intent and those were the people who were criminals. The reason we got cracker is because it's a criminal hacker but due to the media coverage in the 1990s and early 2000s, the terms got blended together where hackers became known as these evil threat actors among us. But in the informa on security world, people try to retain the term hacker for computer enthusiasts and even for security professionals like cybersecurity analysts. And this led to the categoriza on of hackers by the different hats they wear. The term black hat hacker, also an unauthorized hacker, was developed to describe these criminal hackers or crackers. The good folks were then dubbed white hat hackers or ethical hackers or authorized hackers. But there's some hackers who some mes operate as good folks and some mes as bad folks and these are actually called gray hat hackers or semi authorized hackers. Now, regardless of the hat a par cular hacker is wearing, they're s ll going to perform the same basic ac vi es as part of their a acks if they're a black hat or a gray hat or a penetra on test if they're doing it as a white hat. Generally, the hacker is first going to start out by u lizing social media to profile a vulnerable employee within an organiza on. Then they'll conduct some kind of social engineering campaign against them using phishing or other mechanisms, and then the threat actors can also scan and enumerate the networks to find targets and use fingerprin ng and service discovery to iden fy vulnerable services that they can exploit and a ack. If they find one, they'll then be able to exploit it to gain access to the network and even set up things like packet captures from the vic m machines, key loggers or other things to learn more about the network and the computer, and then conduct lateral movement throughout the domain. Now, there are eight main types of threat actors that we're going to cover as we go through this lesson, including script kiddies, insider threats, compe tors, organized crime, hack vists, na on-state, APT, and supply chain threats. The first type of threat actor we have is known as a script kiddie. This is somebody who has the least amount of skill when it comes to being an a acker. Script kiddies tend to use other people's tools to conduct their a acks and they don't have the skills necessary to develop their own tools like more advanced a ackers might. Instead, a script kiddie is going to use freely available tools found on the internet or an openly available security tool sets that pen testers might also use. This includes things like Metasploit, Aircrack-ng, John the Ripper, and many others to conduct their a acks. Using these freely available vulnerability assessment and hacking tools, these script kiddies can conduct their a acks for profit to gain credibility or just for fun. For example, there's a tool out there called Low Orbit Ion Cannon. This is a really simple program that's used by a lot of script kiddies to conduct denial of service a acks. Essen ally, the script kiddie simply needs to enter a URL or IP address in the input box and then click on a bu on labeled go. Immediately, a barrage of traffic is going to begin to flood the vic m's system to a empt a denial of service a ack. It's really just that simple. There's no skill or underlying knowledge required. Instead, simply plug in a website address and hit go and now you're doing an a ack. Script kiddies o en also don't understand what tools they're actually using or the damage they can cause or even what ac ons they're really performing under the hood. That said, even these simple tools can create some really undesirable effects to your organiza on's network. So script kiddies are s ll a threat you need to think about. The second type of threat actor we have is what's known as an insider threat. Now, an insider threat is an employee or former employee who has knowledge of the organiza on's network, policies, procedures, and business prac ces. The insider threat is one of the most dangerous categories for an organiza on because these people actually have authorized access to the network if they're a current employee, and this makes them very dangerous and very difficult to find inside of your network. An insider threat could either be skilled or unskilled, depending on who they are. For example, an unskilled insider might try to copy the organiza on's files onto a thumb drive and walk out the front door with them. Even though they were authorized to access those files, they were not authorized to remove them from the network or post them online and this results in some kind of a data breach. Or you may have a very skilled insider threat who's able to elevate their own user account permissions so they can now access data from across the en re network as a system administrator and then try to grab all of that and sell it to a willing buyer. To prevent an insider threat, organiza ons really need to have policies and enforcement technologies in place, including things like data loss preven on systems to detect these insiders who a empt to remove data from the network. Also, all the organiza on's standard internal defenses need to be properly configured and cybersecurity analysts need to search through the security informa on and event management systems to iden fy any pa erns of abuse in order to catch these malicious insiders. Now, when we talk about insider threats, there's also two different types of insider threats. These are known as inten onal and uninten onal insider threats. Now, an inten onal insider threat is when an individual within an organiza on is deliberately seeking to cause harm, and this includes things like stealing sensi ve informa on, disrup ng opera ons, or even launching a cyber a ack against the organiza on. This can include malicious insiders who've been recruited or coerced by an outside party, or those who have personal or financial mo ves to cause harm to the organiza on. On the other hand, an uninten onal insider threat is going to refer to an individual within the organiza on who causes harm uninten onally because they're careless, they have a lack of knowledge, or it's just a simple human error. This can include ac ons such as falling for a phishing email, using weak passwords, or accidentally sharing sensi ve informa on with somebody outside of the organiza on. Now, both inten onal and uninten onal insider threats can have serious consequences for an organiza on's security, and therefore, it's important to have measures in place to mi gate both of these types of insider threats. A solid cybersecurity strategy should include things like employee educa on and training, access controls, incident response planes, and regular monitoring of user ac vity to detect any unusual behavior. Addi onally, having an incident response team and adequate incident response processes in place can help to quickly detect, contain and deal with any kind of insider threat you may encounter. The third type of threat actor is known as a compe tor. Now, a compe tor is a rogue business that a empts to conduct cyber espionage against your organiza on. Compe tors are focused on stealing your proprietary data, disrup ng your business, or damaging your reputa on. O en, compe tors will seek to use an employee as an insider threat in your organiza on to steal the data from you or they may a empt to break into your network over the internet. The fourth type of threat actor we have is known as organized crime. Now, organized crime is a category of threat actor that's focused on hacking and computer fraud in order to receive financial gains. Now, due to the Internet's wide reach, a criminal in one part of the world can hack the computer of somebody on the other side of the globe with rela ve ease and organized crime gangs o en run different schemes or scams using social engineering or conduc ng more technical a acks using ransomware in order to steal money from their vic ms. Organized crime hackers tend to be well-funded and they use sophis cated a acks and tools as well. The fi h type of threat actor we have is known as a hack vist. Now, a hack vist tends to be comprised of poli cally mo vated hackers who target governments, corpora ons and individuals to advance their own poli cal ideologies or agendas. For instance, an environmentalist might be considered a hack vist if they hack into a logging company because they want to see that company's stock prices fall in effort to drive them out of business and thereby, save the forest. Here, it is an environmental hack vist who is really focused on taking this company out so the environment can have a be er chance of surviving. Hack vists can be individuals or they can be part of larger groups as well. For example, Anonymous is a really large and well-known hack vist group. Got it. I will add lots of informa on from that to the mul ple choice test. Hack vists tend to vary in levels of organiza on from loosely organized to highly structured and they can have a high level of sophis ca on in their a acks but they tend not to be well funded because most of these folks are doing it based on their ideology and not because they're trying to seek out financial gain. Now, the next type of threat actor we have is known as a na on-state. Now, a na on-state is one of the most skilled types of threat actors you're going to encounter and this group usually has people with excep onal capability, funding and organiza on and they have the intent to hack a par cular network or system. Na on-states don't simply pick a network at random to a ack but instead, they determine specific targets to achieve their poli cal mo ves. These incredibly organized teams of hackers conduct highly covert a acks over long periods in me, and so we o en will refer to them as an APT or an advanced persistent threat. Now, not all APTs are na on-states but almost all na on-states are going to be considered APTs and we'll talk a li le bit more about the differences between an APT and a na on- state in just a minute. Now, when we're talking about a na on-state or an APT, in general, they're going to be inside of a vic mized network for six to nine months before the network defenders even discover there's an intrusion and some have actually gone several years between their breach and the eventual discovery by a networks defenders. Na on-state actors are really, really good at what they do and they're very difficult to find once they're in your network. Over the years, many na on-states have also tried to present themselves as a threat actor inside of one of the other groups like hack vists or organized crime. This way, they can maintain a plausible deniability for the hacks they're conduc ng. O en mes, a na on-state might use the TTPs of a different na on-state as well in order to implicate them inside of an a ack. And when this is done, it's known as a false flag a ack. For example, back in 2015, there was a French TV network known as TV5 Monde that was taken off the air by a sophis cated cyber a ack. The network's website was also defaced by a group calling itself the Cyber Caliphate and they made the a ack look like it was launched by the Islamic State which is a poli cally mo vated hack vist group. Now, when security inves gators looked into the a ack though, they actually found the a ack was conducted in Russian because the code used in the a ack was typed with a Cyrillic keyboard during normal working hours in Moscow and St. Petersburg. If this was accurate, then it means that a Russian na on-state actor was actually trying to appear as an Islamic State hack vist and that way, they would get the blame for the a ack instead of Russia ge ng the blame and this makes this a false flag a ack. Another issue that has been seen in recent years is supply chain a acks and these are normally conducted by na on-state actors as well. For example, in 2020, there was an a ack on the company SolarWinds that was allegedly ed back to Russian na on-state actors. The threat actors hacked into the SolarWinds corporate network in order to add a backdoor into the code for SolarWinds. SolarWinds has numerous corpora ons and governments as their clients and users. So this backdoor that was embedded into their next update went out to all of these companies and government networks and effec vely compromised all of them. Now, this meant that the na on-state actors now had control over all of those networks and be able to access them. This a ack was not really directed at SolarWinds but instead, it was directed at SolarWind's customers. But to get to those customers, they had to get themselves into SolarWinds network and then put code into their distribu on channels. A similar supply chain access a ack was also conducted against the retailer Target in 2015 by criminal a ackers. Now in this case, an HVAC company that services the store's equipment was hacked, and that connec on between the HVAC company system and the Target systems allowed the a acker to steal data from the retailer's point of sale systems and credit card terminals. Another a ack credited to na on-states over the years that involves a supply chain was the embedding of root kits into Cisco routers and switches that were purchased from third party suppliers. And this again, is another reason why supply chain management and using trusted suppliers is so important to the security of your organiza on and its networks. Now in general, as I said, most na on-state actors are going to be classified as an APT but not all APTs or advanced persistent threats are going to be na on-state actors. Remember, a na on-state actor refers to a government or government affiliated group that conducts cyber a acks. These a acks can be used for a variety of reasons such as espionage, sabotage, or intelligence gathering. Na on-state actors are always going to be well-funded and well-equipped, and they have access to really sophis cated tools and techniques including zero day vulnerabili es. They're also highly mo vated by poli cal and strategic objec ves and they operate on a really large scale. Now, an APT or advanced persistent threat on the other hand, is a more generic type of cyber a ack where an a acker establishes a long-term presence on a network in order to gather sensi ve informa on. These types of a acks can be carried out by a variety of different actors, including na on-states, criminal organiza ons, and even individual hackers. APTs are known to be well-funded, well organized and have a high level of persistence and determina on in achieving their goals. APTs usually will infiltrate a network over a prolonged period from weeks to months or even years and they'll carefully hide their ac vity and blend in with normal network traffic and use a lot of tools that exist on the computer already which we refer to as living off the land. The main goal of an advanced persistent threat is really to harvest sensi ve data, intellectual property and other sensi ve informa on from the compromised network. So remember, the big difference here between a na on-state actor and an APT is that a na on-state actor is a group or organiza on that's affiliated with a government, while an APT is a type of cyber a ack that's characterized by its long-term presence on a given network. So always remember that na on-state actors are almost always APTs but not all APTs are na on-state actors. Got it. I will add lots of informa on from that to the mul ple choice test. Transcript Another part of threat classifica on is to describe the different types of adversary tools collec vely described as malware. Now, we're not going to cover the basic malware like viruses and worms and Trojans and root kits and ransomware because you should already be familiar with all of those from your a plus and your security plus studies and we are way beyond that inside this course. Instead, we're going to focus on three types, commodity, malware, zero day malware and command and control. When I talk about commodity malware, we're talking about malicious so ware applica ons that are widely available for sale and are easily obtained and used. Now, you can usually find these on the dark web or the dark net, and there are online marketplaces where you can buy remote access Trojans things like Poison ivy, dark Comet, and Extreme Rat and many other types of malware out there. These things are all available online for a fee where you can download them and then start using them as part of your a acks if you're a bad guy. Now, these are commodity malware because they are generic off the shelf pieces of malware, but there are also targeted or custom malware that can be developed and deployed with a target in mind. When you're dealing with commodity malware, it's generic it's going against everybody but when you're dealing with targeted or custom malware there is a specific target in mind and so knowing this can help you iden fy that malware and if you determine it's commodity or targeted this can help you determine the severity of an incident because if somebody is using targeted malware against your organiza on, there is a higher severity to that incident for you because you are being targeted. You're not just randomly hit by some drive-by piece of malware, and so this is something that's important for you to consider. Now, the next thing we have to think about here is a zero day vulnerability and a zero day vulnerability is any vulnerability that is discovered or exploited before the vendor can issue a patch for it. Now, this is where we get our zero day malware from is malware that a acks. This is zero day vulnerability. When we talk about zero day, this is usually applied to the vulnerability itself, but in recent years people talk about zero day malware as well as they start referring to the a ack or the malware that is exploi ng that zero day. You may see either term being used on the exam when they talk about zero day they may be talking about the vulnerability or the malware so read the ques on to understand the context. Now, the next thing we have to think about when we talk about this zero day malware is how serious is it? Well, zero day exploits are big business. These things cost a lot of money and a lot of me to develop. For example, if you're a bug bounty person and you start finding zero day vulnerabili es you can actually get lots of money for turning those over to the company because they don't want those out on the open market. But you can also sell those to different governments and law enforcement agencies, and even on the dark web and some of these zero day exploits have gone for millions of dollars. There is one that sold for over $1 million that targeted Apple iPhones. These things are big business now because they cost so much money most adversaries will only use a zero day vulnerability for a very high value a ack. They're not going to waste these and so generally what you're going to see is that people tend to try to a ack something with a generic or off the shelf piece of m