Week 1 Lecture Notes- NPTEL- Practical Cyber Security for Cyber Security Practitioners.pdf

Full Transcript

CS 668:
Practical Cyber Security for
Cyber Practitioners
Sandeep K. Shukla
IIT Kanpur
 What do you need to know?

If you are a
Chief Information Security Officer (CISO) or a member of CISO’s team
If you are part of a team
responsible for cyber security governance in an organization
figuring out what cyber threats an organization faces
doing cyber risk assessment of an organization
evaluating cyber resilience of an organization
carrying out cyber security audit of an organization
planning cyber security controls to be implemented to manage cyber risk
creating Incident Response Playbook
creating Cyber Crisis Management Playbook
planning cyber crisis drill at the organization
 What is Cyber Security?

Identify
Protect
Detect
Respond
Recover
Govern
 Who are the Attackers?
Script Kiddies
Hacktivists
Cyber Criminals
Organized Criminal Gangs
Nation State Sponsored Advanced Persistent Threat Groups (APTs)
 Why do they attack?
Curious to display their skills
Protesting an Organization and a Government’s actions and policies
Making monetary gains
Disabling a nationally critical organization or system
Banking System
Telecommunication Systems
Power Grid
Water Treatment and Sewage Processing Plants
Manufacturing
Transportation systems
Government services
Defence systems
 Not all Targets are Equal
Not all organizations and systems are equal targets
Impact is a part of the equation for targeting
Not every system or asset within an organizations are equal
Systems/subsystems/assets involved in critical business processes can yield
higher impact
Not every individual are equal targets
Depends on the yield an attack can produce
 Understanding the Geopolitics
For large scale or high impact attacks on organizations or systems
Geopolitics plays a major role
Attack on
Iranian Nuclear Uranium enrichment plant in 2009 - Stuxnet
Ukrainian Power Distribution Systems – 2015 and 2016
US Government Departments – Solarwind 2020
Indian Power Systems Operators and Ports in 2020-21
Indian government websites -- 2023
 What not to expect from this class?
How to hack or do VAPT? (CS 628 – Computer Systems Security)
How to analyse malware? (CS 658 – Malware Analysis and Intrusion Detection)
How to protect critical infrastructure from cyber-attacks?(CS631 – Cyber Security
of Critical Infrastructure)
How to analyse cryptographic protocols and algorithms? (CS 641 – Modern
Cryptology)
How to check for side channels in cryptography implementation? (CS666 –
Hardware Security for IoT)
Cryptography after Quantum Computing (CS 674 – Post Quantum Cryptography)
Privacy and Cryptography (CS 670 – Crypto techniques for privacy preservation)
 CS 668: Module 2
Lockheed-Martin Cyber Kill
Chain
 What is Cyber Kill Chain Framework
The Cyber Kill Chain® framework is part of the Intelligence Driven Defense® model for the
identification and prevention of cyber intrusions activity.
The model identifies what the adversaries must complete in order to achieve their
objective.
Stopping adversaries at any stage breaks the chain of attack!
Adversaries must completely progress through all phases for success;
this puts the odds in our favor as we only need to block
them at any given one for success.
Every intrusion is a chance to understand more about our adversaries and use their
persistence to our advantage.

E. M. Hutchins, M. J. Cloppert, R. M.Amin, “Intelligence-Driven Computer Network Defense Informed
by Analysis of Adversary Campaigns and Intrusion Kill Chain” – Lockheed Martin Corp.
 Cyber Kill Chain Steps
The kill chain model is designed in seven steps:
Reconnaissance
Weaponization
Delivery
Exploitation
Installation
Command and Control (C2)
Actions on Objectives
Defender’s goal: understand the aggressor’s actions
Understanding is Intelligence
Intruder succeeds if, and only if, they can proceed through steps
1-6 and reach the final stage of the Cyber Kill Chain®.
 RECONNAISSANCE Identify the Targets
ADVERSARY DEFENDER
The adversaries are in the Detecting reconnaissance as it
happens can be very difficult, but
planning phase of their operation. when defenders discover recon –
even well after the fact – it can
They conduct research to reveal the intent of the adversaries.
understand which targets will Collect website visitor logs for
enable them to meet their alerting and historical searching.
Collaborate with web
objectives. administrators to utilize their
Harvest email addresses existing browser analytics.
Identify employees on social media networks Build detections for browsing
Collect press releases, contract awards, behaviours unique to
conference attendee lists reconnaissance.
Discover internet-facing servers Prioritize defences around
technologies or people based on
recon activity.
 WEAPONIZATION Prepare the Operation
Adversary Defender
Obtain a weaponizer, either in-house or Conduct full malware analysis – not just
obtain through public or private channels what payload it drops, but how it was
For file-based exploits, select “decoy” made.
document to present to the victim. Build detections for weaponizers – find
Select backdoor implant and appropriate new campaigns and new payloads only
command and control infrastructure for because they reused a weaponizer
operation toolkit.
Designate a specific “mission id” and Analyze timeline of when malware was
embed in the malware created relative to when it was used. Old
malware is “malware off the shelf” but
Compile the backdoor and weaponize the new malware might mean active, tailored
payload operations.
Collect files and metadata for future
analysis.
Determine which weaponizer artifacts
are common to which APT campaigns.
Are they widely shared or closely held?