Week 1 Lecture Notes- NPTEL- Practical Cyber Security for Cyber Security Practitioners.pdf

Full Transcript


CS 668: Practical Cyber Security for Cyber Practitioners
Sandeep K. Shukla, IIT Kanpur

What do you need to know?
If you are a Chief Information Security Officer (CISO) or a member of the CISO's team, or if you are part of a team responsible for cyber security governance in an organization, you need to know about:
- figuring out what cyber threats an organization faces
- doing cyber risk assessment of an organization
- evaluating cyber resilience of an organization
- carrying out cyber security audit of an organization
- planning cyber security controls to be implemented to manage cyber risk
- creating an Incident Response Playbook
- creating a Cyber Crisis Management Playbook
- planning cyber crisis drills at the organization

What is Cyber Security?
Identify, Protect, Detect, Respond, Recover, Govern

Who are the Attackers?
- Script Kiddies
- Hacktivists
- Cyber Criminals
- Organized Criminal Gangs
- Nation State Sponsored Advanced Persistent Threat Groups (APTs)

Why do they attack?
- Curious to display their skills
- Protesting an organization's or a government's actions and policies
- Making monetary gains
- Disabling a nationally critical organization or system: banking system, telecommunication systems, power grid, water treatment and sewage processing plants, manufacturing, transportation systems, government services, defence systems

Not all Targets are Equal
- Not all organizations and systems are equal targets; impact is a part of the equation for targeting.
- Not every system or asset within an organization is an equal target; systems, subsystems and assets involved in critical business processes can yield higher impact.
- Not every individual is an equal target; it depends on the yield an attack can produce.

Understanding the Geopolitics
For large scale or high impact attacks on organizations or systems, geopolitics plays a major role:
- Attack on Iranian nuclear uranium enrichment plant in 2009 - Stuxnet
- Ukrainian power distribution systems – 2015 and 2016
- US Government departments – SolarWinds 2020
- Indian power systems operators and ports in 2020-21
- Indian government websites -- 2023

What not to expect from this class?
- How to hack or do VAPT? (CS 628 – Computer Systems Security)
- How to analyse malware? (CS 658 – Malware Analysis and Intrusion Detection)
- How to protect critical infrastructure from cyber-attacks? (CS 631 – Cyber Security of Critical Infrastructure)
- How to analyse cryptographic protocols and algorithms? (CS 641 – Modern Cryptology)
- How to check for side channels in cryptography implementations? (CS 666 – Hardware Security for IoT)
- Cryptography after quantum computing (CS 674 – Post Quantum Cryptography)
- Privacy and cryptography (CS 670 – Crypto techniques for privacy preservation)

CS 668: Module 2 – Lockheed-Martin Cyber Kill Chain

What is the Cyber Kill Chain Framework?
The Cyber Kill Chain® framework is part of the Intelligence Driven Defense® model for the identification and prevention of cyber intrusion activity. The model identifies what the adversaries must complete in order to achieve their objective. Stopping adversaries at any stage breaks the chain of attack! Adversaries must completely progress through all phases for success; this puts the odds in our favor, as we only need to block them at any one phase to succeed. Every intrusion is a chance to understand more about our adversaries and use their persistence to our advantage.
Reference: E. M. Hutchins, M. J. Cloppert, R. M. Amin, "Intelligence-Driven Computer Network Defense Informed by Analysis of Adversary Campaigns and Intrusion Kill Chains", Lockheed Martin Corp.

Cyber Kill Chain Steps
The kill chain model is designed in seven steps:
1. Reconnaissance
2. Weaponization
3. Delivery
4. Exploitation
5. Installation
6. Command and Control (C2)
7. Actions on Objectives
Defender's goal: understand the aggressor's actions. Understanding is intelligence.
The intruder succeeds if, and only if, they can proceed through steps 1-6 and reach the final stage of the Cyber Kill Chain®.
RECONNAISSANCE – Identify the Targets

Adversary:
The adversaries are in the planning phase of their operation. They conduct research to understand which targets will enable them to meet their objectives.
- Harvest email addresses
- Identify employees on social media networks
- Collect press releases, contract awards, conference attendee lists
- Discover internet-facing servers

Defender:
Detecting reconnaissance as it happens can be very difficult, but when defenders discover recon – even well after the fact – it can reveal the intent of the adversaries.
- Collect website visitor logs for alerting and historical searching.
- Collaborate with web administrators to utilize their existing browser analytics.
- Build detections for browsing behaviours unique to reconnaissance.
- Prioritize defences around technologies or people based on recon activity.

WEAPONIZATION – Prepare the Operation

Adversary:
- Obtain a weaponizer, either in-house or through public or private channels.
- For file-based exploits, select a "decoy" document to present to the victim.
- Select backdoor implant and appropriate command and control infrastructure for the operation.
- Designate a specific "mission id" and embed it in the malware.
- Compile the backdoor and weaponize the payload.

Defender:
- Conduct full malware analysis – not just what payload it drops, but how it was made.
- Build detections for weaponizers – find new campaigns and new payloads only because they reused a weaponizer toolkit.
- Analyze the timeline of when malware was created relative to when it was used. Old malware is "malware off the shelf", but new malware might mean active, tailored operations.
- Collect files and metadata for future analysis.
- Determine which weaponizer artifacts are common to which APT campaigns. Are they widely shared or closely held?
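The reconnaissance slide tells defenders to collect website visitor logs and build detections for browsing behaviours unique to reconnaissance. The following Python is an added example written for these notes; it is not from the lecture or from Lockheed Martin's material. It assumes the web server writes Apache/nginx "combined" format access logs, the threshold values are illustrative, and the log lines it runs on are constructed inline (a human visitor reading a few pages, and one host walking through many paths in a few seconds).

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Assumed log format: Apache/nginx "combined" access log.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "[^"]*"$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return a dict for one combined-format log line, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["status"] = int(rec["status"])
    return rec


def find_recon_candidates(lines, min_requests=15, window_s=60,
                          min_distinct_paths=10, min_not_found_ratio=0.5):
    """Group requests by client IP and flag hosts whose browsing pattern looks like
    enumeration rather than a person reading pages: many distinct paths inside a
    short window, or a high share of 404 responses. Thresholds are illustrative."""
    per_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            per_ip[rec["ip"]].append(rec)

    flagged = {}
    for ip, recs in per_ip.items():
        if len(recs) < min_requests:
            continue
        recs.sort(key=lambda r: r["ts"])
        span = (recs[-1]["ts"] - recs[0]["ts"]).total_seconds()
        distinct = len({r["path"] for r in recs})
        not_found = sum(r["status"] == 404 for r in recs) / len(recs)
        reasons = []
        if distinct >= min_distinct_paths and span <= window_s:
            reasons.append(f"{distinct} distinct paths in {span:.0f}s")
        if not_found >= min_not_found_ratio:
            reasons.append(f"{not_found:.0%} of responses were 404")
        if reasons:
            flagged[ip] = reasons
    return flagged


def _line(ip, ts, path, status, referer):
    """Build one constructed combined-format log line."""
    return (f'{ip} - - [{ts.strftime(TS_FMT)}] "GET {path} HTTP/1.1" {status} 512 '
            f'"{referer}" "Mozilla/5.0 (constructed)"')


def build_sample_log():
    """Constructed sample: one ordinary visitor and one host walking through many paths."""
    t0 = datetime(2023, 3, 1, 10, 0, 0, tzinfo=timezone.utc)
    lines = []
    # Ordinary visitor: a few pages over ten minutes, arriving via in-site links.
    for i, path in enumerate(["/", "/products", "/products/42", "/contact", "/"]):
        lines.append(_line("198.51.100.20", t0 + timedelta(minutes=2 * i), path, 200,
                           "https://www.example.com/"))
    # Enumerating host: twenty distinct paths in twenty seconds, most of them missing.
    for i in range(20):
        status = 200 if i % 5 == 0 else 404
        lines.append(_line("203.0.113.7", t0 + timedelta(seconds=i), f"/path{i}", status, "-"))
    return lines


if __name__ == "__main__":
    for ip, why in find_recon_candidates(build_sample_log()).items():
        print(ip, "->", "; ".join(why))
```

Running it flags only 203.0.113.7, with both reasons. In practice the per-IP aggregates would be kept in the SIEM rather than recomputed over raw lines, and the thresholds tuned against a baseline of normal traffic so that crawlers and CDN health checks are excluded before alerting.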
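The weaponization slide asks defenders to analyze the timeline of when malware was created relative to when it was used, and to collect files and metadata for future analysis. The Python below is an added example for these notes, not code from the lecture or from Lockheed Martin. It reads the COFF TimeDateStamp that every PE executable carries (e_lfanew at offset 0x3C, the "PE\0\0" signature, then the stamp 8 bytes past the signature), compares it with the date the sample was first seen, and labels the gap using the slide's own "off the shelf" versus "tailored" distinction. The samples it triages are constructed PE-shaped byte strings, not real executables, and the 30-day "fresh" cutoff is an assumption.

```python
import hashlib
import struct
from datetime import datetime, timedelta, timezone


def pe_compile_time(data):
    """Return the COFF TimeDateStamp of a PE file as a UTC datetime, or None if the
    bytes do not carry a parseable PE header. Offsets follow the documented PE
    layout: e_lfanew at 0x3C, "PE\\0\\0" signature, then a 20-byte COFF header
    whose TimeDateStamp sits 8 bytes past the signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if len(data) < e_lfanew + 12 or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    stamp = struct.unpack_from("<I", data, e_lfanew + 8)[0]
    return datetime.fromtimestamp(stamp, tz=timezone.utc)


def triage(samples, fresh_days=30):
    """samples: iterable of (label, bytes, first_seen datetime). Returns one record
    per sample with its hash, build time and a verdict on the build-to-use gap.
    Caveat: the stamp is attacker-controlled and can be zeroed or forged, so a
    plausible value supports a hypothesis; it does not prove one."""
    rows = []
    for label, data, first_seen in samples:
        built = pe_compile_time(data)
        row = {"label": label, "sha256": hashlib.sha256(data).hexdigest(),
               "compiled": built, "first_seen": first_seen}
        if built is None:
            row["verdict"] = "no PE timestamp"
        else:
            gap = first_seen - built
            if gap < timedelta(0):
                row["verdict"] = "build time after first sighting: forged or skewed"
            elif gap <= timedelta(days=fresh_days):
                row["verdict"] = "fresh build: possibly tailored to this operation"
            else:
                row["verdict"] = "old build: malware off the shelf"
        rows.append(row)
    return rows


def fake_pe(compile_time):
    """Constructed minimal PE-shaped blob (not a runnable executable): DOS header
    with e_lfanew = 0x40, PE signature, 20-byte COFF header carrying the stamp."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)
    coff = struct.pack("<HHIIIHH", 0x8664, 1, int(compile_time.timestamp()), 0, 0, 0, 0)
    return bytes(dos) + b"PE\0\0" + coff


def build_samples():
    """Constructed sightings for the demonstration."""
    seen = datetime(2023, 6, 1, tzinfo=timezone.utc)
    return [
        ("sample-A", fake_pe(seen - timedelta(days=3)), seen),     # built days before use
        ("sample-B", fake_pe(seen - timedelta(days=400)), seen),   # old, reused tooling
        ("sample-C", fake_pe(seen + timedelta(days=10)), seen),    # stamp ahead of sighting
        ("sample-D", b"not a pe file at all", seen),               # no header to read
    ]


if __name__ == "__main__":
    for row in triage(build_samples()):
        print(f"{row['label']} sha256={row['sha256'][:12]}... compiled={row['compiled']} "
              f"first_seen={row['first_seen'].date()} -> {row['verdict']}")
```

The hash and the parsed stamp are exactly the kind of metadata the slide says to collect and keep: stored per sample, they later let an analyst ask which builds share a weaponizer and whether a new sighting is a fresh compile or a file that has circulated for a long time.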
