Lecture 05
Summary
TLDRThe transcript from a cybersecurity class discusses the complexities of the Command and Control (C2) system used by adversaries, emphasizing the importance of understanding malware's communication for defense strategies. It delves into the Cyber Kill Chain (CKC) and MITRE ATT&CK framework, illustrating how attackers achieve their objectives through various tactics and techniques. The lecture also touches on the role of threat intelligence, the challenges of attribution, and the ethical implications of exploiting vulnerabilities, urging students to stay informed about the ever-evolving landscape of cyber threats.
Takeaways
- 📚 The instructor begins by addressing the class size and attendance, suggesting the use of fingerprint attendance to ensure participation.
- 👀 It is assumed that students have watched a pre-recorded video posted on Canvas, indicating the importance of pre-class preparation.
- 🔒 The lecture delves into the concept of Command and Control (C2) used by adversaries in cybersecurity, explaining its role in malware communication and data exfiltration.
- 🛡️ The class discusses the Cyber Kill Chain (CKC) model, emphasizing the importance of stopping an attack at any stage to prevent the adversary from achieving their final goal.
- 📈 The students are engaged in an interactive exercise to order the stages of the CKC correctly, highlighting the educational approach of the class.
- 🔎 The lecture touches on the significance of post-incident analysis, stressing the need to understand why defenses failed rather than just being relieved that an attack was unsuccessful.
- 🌐 The topic of Advanced Persistent Threat (APT) groups is introduced, with a focus on their resourcefulness and the difficulty of attribution.
- 🇷🇺 A correction is made regarding APT group AP28, clarifying that it is a Russian group responsible for the SolarWinds attacks, not Chinese.
- 📚 The importance of understanding the tactics, techniques, and procedures (TTPs) of adversaries is discussed, leading into the introduction of the MITRE ATT&CK framework.
- 🤖 The MITRE ATT&CK framework is described as a knowledge base that provides a structured way to understand and analyze the behavior of cyber adversaries.
- 🛠️ The lecture concludes with the purpose of the MITRE ATT&CK framework, which is to help defenders evaluate the adequacy of their defenses against known adversary tactics and techniques.
Q & A
What method does the professor suggest for students to answer questions anonymously in class?
-The professor suggests using mente.com with the code 6324165 to answer questions anonymously.
What is the purpose of the pre-recorded video posted on Canvas mentioned in the script?
-The pre-recorded video on Canvas is meant for students to watch before class, and the professor has questions related to its content for discussion.
What is the significance of the 'Command and Control' (C2) in the context of malware?
-The Command and Control (C2) is significant as it allows the adversary to communicate with the malware, understand if it has been installed, and customize payloads based on the information gathered by the malware.
Why does the professor emphasize the importance of incident analysis after a cyber attack?
-The professor emphasizes incident analysis to understand why the defense failed, to identify what the adversary did, and to improve security measures to prevent future attacks.
What is the role of 'privilege escalation' in the context of cybersecurity?
-Privilege escalation is a technique used by attackers to gain higher levels of access within a system, which is a local action and not directly related to the command and control side of an attack.
What is the Cyber Kill Chain (CKC) and how does it relate to the stages of a cyber attack?
-The Cyber Kill Chain (CKC) is a model that outlines the seven stages an adversary goes through during an attack, from initial reconnaissance to the final objective.
What is the difference between 'initial access' and 'execution' in the context of the CKC?
-In the CKC, 'initial access' refers to the first step where the attacker gains entry into the target system, while 'execution' is the stage where the attacker's payload is run to further the attack.
What is the role of 'MITER ATT&CK' in understanding and defending against cyber attacks?
-MITER ATT&CK is a knowledge base that provides a detailed framework for understanding the tactics, techniques, and procedures used by adversaries in cyber attacks, aiding defenders in assessing and improving their defenses.
Why is it important to map an incident to the MITER ATT&CK framework?
-Mapping an incident to the MITER ATT&CK framework helps in analyzing the attack, understanding the tactics and techniques used, and identifying potential gaps in the defense strategy.
What is the significance of understanding the tactics and techniques of APT groups?
-Understanding the tactics and techniques of APT (Advanced Persistent Threat) groups helps organizations to anticipate and prepare for potential attacks, ensuring they have adequate defenses in place.
How does the professor suggest students can find the book mentioned in the script?
-The professor suggests that students might find a PDF copy of the book online but requests they support the author by purchasing the book, which is not very expensive in India.
Outlines
📚 Class Attendance and Pre-recorded Video Discussion
The instructor addresses the class, noting the discrepancy between the expected and actual attendance, and the need for fingerprint attendance verification. They assume students have watched a pre-recorded video on canvas and plan to discuss it. The focus then shifts to an interactive question about the command and control (C2) structure used by adversaries in cyber attacks, specifically how malware communicates back to its operator. The instructor guides the students through understanding the different uses of C2, including checking malware installation, gathering information about the target system, and data exfiltration. The correct answer to the question is that privilege escalation is not a use of C2, as it is a local action unrelated to remote communication. The segment ends with a prompt for students to engage with a platform called mente.com for anonymous responses to questions.
🔒 Cyber Kill Chain and Incident Analysis
The instructor discusses the Cyber Kill Chain (CKC), a model that outlines the stages of a cyber attack. Students are asked to reorder the stages into the correct sequence, with a focus on the importance of incident analysis after a potential attack. The discussion highlights the need to understand why an attack was successful or unsuccessful, emphasizing the necessity of learning from defensive failures and conducting root cause analysis. The segment also touches on the challenges of attributing cyber attacks to specific threat groups, using the example of APT (Advanced Persistent Threat) groups, which are often state-sponsored and difficult to identify accurately.
🌐 Understanding Advanced Persistent Threat Groups
The segment delves into the specifics of APT groups, correcting misconceptions about their national affiliations. It clarifies that APT28 is Russian, not Chinese, and was responsible for the SolarWinds attack in 2020. The discussion also covers other APT groups like APT3, which is Chinese, and APT37, which is North Korean and sometimes associated with the Lazarus Group. The instructor emphasizes the complexity of attributing cyber attacks to specific groups, as multiple groups may share similar tactics, malware, and infrastructure, making it difficult to pinpoint a single source.
📖 Book Discussion on Government Cyber Programs
The instructor introduces a book by a New York Times cybersecurity reporter, which explores government cyber programs and their implications. The book discusses how governments, including those of the US, China, Russia, and Israel, find vulnerabilities in widely used software systems and purchase exploits from hackers. It also touches on the controversial company NSO, known for creating the Pegasus malware, which has been used for surveillance and espionage. The book warns of the potential for catastrophic events if such cyber capabilities are not controlled, advocating for the responsible disclosure of vulnerabilities.
💡 The Role of MITRE ATT&CK Framework in Cybersecurity
The instructor introduces the MITRE ATT&CK framework, a knowledge base that provides a detailed understanding of how adversaries attack systems. The framework is more comprehensive than the Cyber Kill Chain, offering a breakdown of tactics, techniques, and procedures used by attackers. The segment explains the importance of the framework for defenders to assess the adequacy of their defenses, respond to threat intelligence, analyze collected data, and evaluate cybersecurity tools. The framework is continually updated by the community, including contributions from MITRE Corporation and others, making it a valuable resource for understanding and combating cyber threats.
🛠️ Analyzing the Stuxnet Worm and Its Impact
The segment discusses the Stuxnet worm, a sophisticated malware designed to sabotage Iran's nuclear program by causing centrifuges to malfunction. The discussion covers the development and delivery of the worm, the challenges it posed to the targeted systems, and the broader implications of its discovery. The Stuxnet attack is used as a case study to illustrate the complexity of cyber attacks, the importance of understanding the tactics and techniques involved, and the potential for such attacks to spread beyond their intended targets.
🎯 The Importance of Tactics and Techniques in Cybersecurity
The instructor explains the concept of tactics and techniques in the context of cyber attacks, using the example of the Stuxnet worm. Tactics refer to the short-term goals an attacker sets to achieve their final objective, such as gaining initial access or moving laterally within a network. Techniques are the specific methods used to implement these tactics, such as exploiting vulnerabilities or using social engineering. The segment emphasizes the non-linear and iterative nature of these tactics and techniques, highlighting the importance of understanding them for effective cyber defense.
🌐 Community-Driven Knowledge Base of Cyber Threats
The segment highlights the community-driven aspect of the MITRE ATT&CK knowledge base, which includes contributions from various experts in the field. It discusses the categorization of tactics into enterprise, mobile, and ICS (Industrial Control Systems), each with its unique set of techniques. The instructor provides an overview of the techniques available for different tactics, such as privilege escalation and initial access, and emphasizes the importance of this knowledge base for understanding and defending against cyber threats.
🕵️♂️ Threat Intelligence and Analysis of APT Groups
The instructor discusses the use of the MITRE ATT&CK framework for analyzing threat intelligence and APT groups. The segment provides examples of how different APT groups, such as APT1, are attributed to specific military units and how their tactics, techniques, and procedures are documented. The discussion includes the analysis of specific campaigns and attacks, such as the 2015 Ukrainian power grid attack, to demonstrate how the framework can be used to understand the methods and tools used by these groups.
Mindmap
Keywords
💡Fingerprint Attendance
💡Command and Control (C2)
💡Cyber Kill Chain
💡Privilege Escalation
💡MITER ATT&CK
💡Advanced Persistent Threat (APT)
💡Incident Analysis
💡Root Cause Analysis
💡Exploits and Vulnerabilities
💡Stuxnet
💡Programmable Logic Controllers (PLCs)
Highlights
Introduction of a new module on MITRE ATT&CK, a knowledge base for understanding adversary tactics and procedures in cyber attacks.
The class has 92 students but only 25 are present, prompting the use of fingerprint attendance.
Students are expected to have watched a pre-recorded video on Canvas before class.
Engagement with mente.com is used for anonymous in-class polling to gauge student understanding and participation.
Explanation of the Command and Control (C2) structure used by adversaries in cyber attacks, including its role in malware communication.
Clarification that Command and Control is not used for local activities like privilege escalation within a system.
Discussion on the importance of incident analysis after a cyber attack to understand defense failures and improve security measures.
The Cyber Kill Chain (CKC) model is critiqued for being too simplistic and linear, leading to the development of the more comprehensive MITRE ATT&CK framework.
Misunderstandings about APT groups are corrected, such as APT28 being Russian, not Chinese, and their involvement in the 2020 SolarWinds attacks.
The role of threat intelligence in attributing cyber attacks to specific state-sponsored groups and the challenges therein.
The book by New York Times reporter Nicole Perlroth on the risks of uncontrolled cyber warfare leading to potential global disasters.
The commercial aspect of cyber attacks, including the sale of exploits and command and control systems to governments by companies like NSO Group.
The use of MITRE ATT&CK framework by defenders to assess the adequacy of their defenses against known adversary tactics, techniques, and procedures.
The dynamic nature of cyber attacks where tactics and techniques are not linear and can be reused in various orders to achieve an attacker's goals.
The Stuxnet worm case study illustrating the multi-stage goals of an attack, from initial infection to causing physical damage in an industrial control system.
Community contribution to the MITRE ATT&CK knowledge base, making it an extensive and constantly evolving resource for the cybersecurity community.
The structure of the MITRE ATT&CK framework, including its 14 tactics, over 300 techniques, and associated procedures for a comprehensive view of cyber attack methods.
Transcripts
[Music]
good morning everyone uh I have 92
students in the class but it seems like
25 people sitting
here uh I have to uh start uh asking for
fingerprint uh um attendance
in any case um we uh I assume that you
have watched the uh pre-recorded uh
video that was posted on
canvas um so I have uh few questions for
you before we
start so we'll
be looking at
that okay so uh if you haven't done so
go to mente.com on your phone use the
code 632
4165 and uh answer the
questions since this is completely
Anonymous you can be truthful if you
haven't watched you can decide
okay so uh looks like large number of
you have watched at Leist uh parti or
completely so now tell
me the command and control is not used
for which of the following activities by
the adversary right so I have four
different activities
here remember it's not
not okay so um suppose you are you are
the one sending a malware to somebody
else's
machine and you want to know if the
malware has has been installed there how
do you how would you do that you have to
have the malware communicate to you
right so then the first
choice is that the command and control
wants to know the uh adversary wants to
know if the malware has been installed
then it wants it will write the malware
in such a way so that the as soon as the
malware finds a uh Target and uh
executes it will call on the network
functions and communicate to the command
and control isn't it how else will the
adversary know that the malware actually
got
installed now once the adversary knows
that the that it has been installed then
it will want that uh the malware finds
something on that machine what
applications are running what what
versions are running what are the
different uh files in the file system
what are the uh if there are any
credentials uh uh somewhere in that
machine is there a weak implementation
of a protocol through which it can move
so all this information the malware will
send to the
adversary via the command and control
route then the adversary based on the
information it got it will customize a
payload that can exploit that particular
situation that the malware is telling C2
so therefore the second one is also
something that is used uh the C2 is used
for right to get better understanding of
its Target and
customize more virulent payload for the
Target now if you want to do data
exfiltration let's say you want to
filtered data from another person's uh
system using a
malware how will that
malware send the data where will it send
the
data it will read the data from the
target machine but it has to send it
somewhere so that has to be a command
and control server
right so so all these three choices are
not correct because I'm asking what is
which one of this is not an use of
command and control right I'm not asking
which one is is a Cho use of Comm and
control because that would make sense
because I have three different choices
all of which are actually use of command
and control so the last one the
privilege escalation is the Natural
Choice because privilege escalation is
nothing to do it's a very local thing it
has nothing to do with what happens
there like in the command and control
side if there is a weak program which
has a privilege escalation
vulnerability and your homework one will
make you do a privilege escalation so
you will understand how privilege
escalation happens right so so in terms
of homework you will get virtual
machines which you'll have to install on
your machine and do all these things
right on the on on that virtual
machine okay so next one
so this is an easy one use your finger
to push up and down and sort them in the
order in which they appear in CKC so
these are the seven stages of cyber kill
chain they're in a in a random
order so you have to basically push them
up and down to put them in the right
order so I see there are not many
responses
[Music]
yet it's almost
correct it's almost
correct where is it not exactly
correct see you have to do exploitation
of a weakness in the system
before you can do installation right so
your exploitation and installation order
for majority basically is in the
opposite order but otherwise you got the
other ones right but this one has gotten
a little bit you know in the reverse
order okay so now go to the next one
here I'm asking like uh suppose you you
disrupt remember like in CC seven stages
and claim of CC is that if your defense
can actually stop them in one of the
seven stages then you win right you
cannot get get it the adversary do the
final thing that it wants to
do now the question here is that
uh whether uh you you know whether you
stop it or not you have to do po
incident
analysis and there are three reasons
given why and you have to basically say
which one is more important important
reason why I would like to do the PO
incident analysis and not be happy that
okay you know the bad thing didn't
happen also well that end well is
doesn't work right I mean here you have
to uh actually analyze why it could
actually do what it could do okay so so
this uh ordering is not uh you know it's
it's rather subjective of course you
have to know where the defense failed
right and then you have to fix that
because your defense must have failed in
one of at least whichever stage up to
whichever stage the adversary could come
in until that stage you your defense
didn't work at least against that
particular adversary so so you have to
figure out what failed and then
accordingly fix those now there is a
there is a you can debate about second
and third which is uh of course you need
to learn more about the
adversary but also so you have to do
root cause analysis and in a
well-governed cyber security
environment every incident root cause
analysis is presented to the highest uh
you know Authority in order for um you
know for the highest authority to know
where uh the possible risks are in the
organization right so so that's kind of
uh you know you can have a second and
third kind of a risk condition
now this one I have put uh intentionally
I haven't uh really told you about all
possible AP groups advanced persistent
thread groups I have said that advanced
persistent thread groups are very
resourceful thread groups usually
supported or funded by nation state
governments and uh it's actually quite
difficult to tell whether a particular
thread group is uh working for a
specific government uh this process is
called attribution so it's an
attribution is difficult but there are
some which are kind you know which have
been analyzed by a lot of threat
intelligence companies and there are we
kind of
know which one you know is correct uh
and some of them we do not know as fully
correct okay so in this case so I wanted
to see if you got interested beyond the
class and actually did some studies
about this uh nation state adversaries
in any case ap28 is not a Chinese AP
it's actually a Russian AP they were
responsible for uh the solar wind
attacks in 2020 in the US many US
government uh entities their
organization were infiltrated by the uh
supply chain attack on a software system
uh that for network monitoring called
toar wind uh so ap28 is not a Chinese
group so so most of you are have avoided
that and indeed ap3 is a Chinese thread
group right so so most of you have
looked at that so uh so that's good now
for each of these you have to say
whether it's true or
false so well first one I have already
disclosed so for the other two
so AP 28 nobody got
wrong so AP 37 indeed is a North Korean
group and sometimes it is considered
that this is also the same as the
Lazarus group
uh they actually go after countries like
South Korea uh
us uh they have been found in India also
uh they are pretty uh resourceful very
skilled set of uh
hackers a33 is also correctly uh in
Iranian group right so
cd33 uh is an Iranian hacker group as
you uh can imagine that uh countries
like North Korea Russia Iran are some of
the most uh and Chinese are some of the
most notorious thread groups they have
multiple different thread groups not
just one thread groups now remember that
uh when I say something like ep3 is
Chinese thread group right and AP1 is
also a Chinese thread group it may be in
reality that the AP1 and ap3 might be
the same set of people based on the uh
the attacks they use the malware use the
command and control infrastructure they
use the kind of uh targets they actually
choose uh all these things U allow a
threat intelligence company uh or
organization to Cluster these attacks
many attacks together and name them as a
AP group now it may so happen that uh uh
what we are calling
ap28 maybe actually two different groups
who are all using similar set of malware
similar set of attack motor supper and
so on or it can also be the case that uh
AP1 and ap3 are the same group thus they
are using two different sets of
infrastructure two different types of
malware to different types of things so
so all these things are shrouded in
mystery right so we do not really know
that uh you know that ap28 is uh being
uh directly uh talking to for example
Putin right we do not know that but uh
the the threat intelligence companies
over time have analyzed and found that
uh they they found fragments of Russian
language uh uh comments in their in
their code they found uh command and
control infrastructure that are uh not
necessarily in Russia but actually have
been found to be used by Russians in
other places they also find that uh that
this time of the day when they were most
active uh they also find the targets
that they choose uh like Ukraine us
these are mostly their targets from that
they actually came up with this uh uh
you know uh idea that uh this is uh
Russian now in India we do not have uh
this capability of
attribution so in cab we are doing aot
lot of work on this attribution but in
general uh we haven't developed this
attribution capabilities so far uh in
India the last question so this is a
book I already
mentioned uh this is a uh this is a book
by uh New York time
cyber security
reporter uh if you remember uh well you
are probably too young to remember
how many of you heard about Snowden so
Snowden was a consultant employee in the
uh I I believe in buo alen Hamilton uh
which is a defense
contractor and then he exfiltrated a lot
of data uh during uh early
2000s about many secret
programs uh that us where you know
military and and the intelligence
agencies were
doing uh including spying on its own
citizens so what he did is that he then
gave this information to certain news
organizations New York Times was one of
them and nicool Parra worked on that
team and since then she found that there
are lot of programs by governments and
not necessarily only Russian and Chinese
and and Ukraine the usual suspects it's
not the only The Usual Suspects it's
actually governments like the US
government like our government like uh
the European uh governments they all
have programs to find
vulnerabilities in and of course Israel
uh find vulnerabilities in uh will uh
very highly used software systems right
for example in in iOS or in uh Android
or in Windows or in uh uh Windows Office
or things which are widely
used and uh governments
buy this
vulnerabilities from hackers who are
blackhead hackers who are not
necessarily considered responsible
hackers so responsible hackers they
actually go and when they find a
vulnerability they do an what what we
call a responsible disclosure they go
and tell the company look uh you have
this problem I'm going to publish this
in uh blackhead conference or uh
whatever conference but I will wait
until you fix it right so that's what
responsible disclosure they won't
disclose it to the world until it is
fixed unfortunately the uh blackhead
hackers are the opposite they find
vulnerabilities but they do
not uh disclose to the organization that
is responsible for that software
Hardware Etc they will go and sell it in
the black market and one of the biggest
buyer of this black market are
governments so governments actually buy
this
exploits uh for example National
Security Agency in the US and then they
actually use it right so uh use it
against uh other uh countries uh like uh
important uh Personnel like their Prime
Ministers or uh you know whatever uh
this is and now uh there are companies
who actually uh uh also create this uh
use this um exploits and create a
complete Comm and control system so you
can buy the entire command and control
system from them and one of this famous
company that you might have heard of is
NSO right NSO is the company that is was
responsible for Pegasus Pegasus was a
malware that was a zero click and zero
day malware uh and they basically sell
to the
governments uh to this whole command and
control infrastructure through which you
can actually see what is happening in
somebody else's phone uh and actually uh
from that you can uh spy on them right
you can spy on them you can also put in
incriminating evidence in their phone or
in their desktop Etc which will let
later on be used against them so there
there is a whole uh business around this
uh vulnerabilities and exploits there
are also open companies where you can
find uh not even in the dark web in the
in the in the regular web surface web
there are companies which will pay you
over million dollar if you find an iOS
vulnerability that is zero zero click
and zero day right so this is the
situation so what this book basically
says that you know we already have seen
stocket being used by other countries in
Iranian nuclear plants what stops Iran
to use the same on other countries and
they have tried and Iran has actually
attacked dams water like the hydro
uh systems in in the US uh by mistake
they did as very small dam so it didn't
work but the same name dam was also in
Oregon if they had they had done the
same attack on that then thousands of
people would be flooded away right if
the the gates open in the dam by uh
remote control similarly uh the uh uh
North Koreans are doing this all the
time to South Koreans and uh Russians
are doing this to Ukraine they did shut
down their power and uh you know various
things so so what this book is saying is
that if we do not have control on this
uh we are going to uh basically at this
at some point we'll create a nuclear
disaster or some kind of a weapon system
misfiring and that could create a entire
you know worldwide uh uh war and and the
world uh end this is a very uh dystopian
view of things uh I don't want to scare
you but it's a serious thing to be taken
uh very seriously and I would highly
suggest reading this book if you can if
you if you try hard you will find a PDF
copy somewhere on the net on the
internet but I would request you to not
use that and buy it it's not very
expensive it's like 500 rupees or
something in
India Okay so
so now I'm going to
start our new uh
module miter at and
CK so miter ATN CK is a knowledge based
of how
adversaries attack our
systems and to remember like in in CC
what we saw is that they said they're
very simplistic they said these are the
seven stages through which an attack
adversary has to get into your system
install things make it permanent
persistent then may actually go into uh
uh communicate to the command and
control then eventually do something
that is harmful
right so miter actually is came much
later than CKC so they actually analyzed
you know thousands and thousands of
attack
incidents papers and so on and they said
okay this is not uh as simplistic and as
linear as CKC might give you an idea of
so I'm going so they created a knowledge
base now this knowledge base is actually
uh very extensive it has uh 14 tactics
and 300 over 300 techniques and then
more process procedures right so it's a
is basically what is called TTP tactics
techniques and
procedures so what
uh so we'll talk about what this ATN CK
is all about and then we'll uh uh teach
you how to
map a an incident like an attack
incident into uh at and CK framework and
we can do it from reports from analysts
or we can do it from raw data the data
that we collect as evidence uh from
there and then we'll talk about a tool
that uh miter has provided to do this
kind of work and then uh we'll see that
of course uh this is not to teach you
how to attack this is actually for
Defenders to understand the attacker so
that they can actually uh figure out for
each of these techniques if my defense
is adequate or do I have to do something
else so so to kind of wrap your head
around what can happen to my system and
figuring out how would I stop or how
would I detect that uh when it h when it
happens
so as a
Defender I want to know various things
right so I want to know whether the my
current um uh defense is adequate right
and the controls that I have like I I
have firewalls I have endpoint detection
I have network monitoring I have uh you
know uh strong authentication I have
two- Factor authentication I have uh
Network segmentation I have all these
things but is this enough does so if if
the question is this enough can only be
answered if you know what the other site
can do right if you if you assume that
the other side is very stupid you know
they can they will only try to do
something that that you know fishing and
nothing else right so then of course you
do not have to do a whole lot right you
can may stop that by by giving a lot of
training to your employees and users
that don't click on this kind of things
don't download this kind of things and
continue to say such things and you will
be fine but the adversary is not simple
right so they are much like as I said
that they're backed by government have
lot of funding lot of good hackers what
for them and so on and so forth so
therefore I cannot really depend on uh
uh this uh small uh or ad hoc
implementation of uh defense like
sometimes people do not think about
adversity and all they just put a
firewall they just put a uh you know
proxy and they they just put some
antivirus and think that everything is
fine but actually it is not until you
actually figure out what the attacker
might do and then compare uh whether uh
whether you have adequate defense so
that is something every Defender wants
to
know and then so uh second thing is that
um let's say I get I read in the news
that educational institutes are now
being targeted by let's say
aptx right so sometimes like you know
they attack some AP groups Target Health
sector some AP groups attack the um the
oil and gas sector and some nuclear
plants so there could be an AP Group
which might be attacking uh let's say
educational sector so as as iitk I will
be then immediately worry about whether
I can be a Target and if I am the target
I have to read all all the information
that from other incidents what what how
they got in what did they do whether
they did any kind of data exfiltration
whether they do ransomware attack and so
on then I have to check whether against
all my defense controls whether I can
handle that particular AP so so this
question here is not just about ap3 or
let's say 29 29 is also Russian threes
Chinese you know but uh actually uh this
uh uh for any kind of threat
intelligence that you get in the in the
news and in from your from let's say
or other places that this EP group is
now focusing on this particular sector
then I have to check against my defenses
whether uh that EP group can be uh can
be theed by my defenses and to do that I
have to understand the what that AP
group
does uh and uh so this is the question
like you know can I stop AP
attacks uh and then the question other
question is that
when I collect so I do uh so
organizations collect a lot of data from
their own infrastructure right so for
example if they have a network
monitoring they have a um endpoint
monitoring lots of data logs logs from
all the all the systems firewall logs
and and web server logs and so on so
it's a huge amount of data we collect
and then we analyze it and we display uh
the main uh findings on a screen like in
an see now the question is that is that
data that I'm
collecting is useful in protection
detection or uh uh response right so
this is the other question that I may
have the other question is that am I
actually overdoing it am I actually
having many tools which have overlapping
functionality they they meant to do the
same they're meant to detect or they're
meant to defend against the same thing
maybe I'm just unnecessarily buying two
different tools paying their license fee
and so on so that's another question I
may want to
know and then other thing is that when
the vendors come to you the cyber
security tool vendors they will tell you
all kind of things right so but you have
to actually you know formulate the right
questions in your mind that what is this
tool for what you know with respect to
this uh uh type of adversarial activity
will this tool help
and these kind of questions can be
answered better if you actually think uh
formulate everything in terms of miter
at and CK so so these are the reasoning
why MIT ATN CK was created
right so so ATN CK is a knowledge base
it's actually not a tool it's a
framework to actually think and study
the adversary's behavior in a very
structured way right as I said that this
group miter Corporation has is a think
tank uh they have a group they they
formed a group and this group actually
went through a very large number of
incidents and what happened in those
incidences and and what uh was done and
so
on and then they came up with this
structured way of uh capturing all this
incidents right so so they said uh an
adversary actually has a final goal like
for example in case of stocket the final
goal was to actually uh change the
program of programmable logic
controllers such that the motor that
that rotates the
spindles for enriching uranium this
motor sometimes goes very fast and
sometimes goes very
slow and instead of going going in an
uniform speed and at at a critical speed
right the the whole nuclear enrichment
uh they had like thousands and thousands
of very large you know tubes in which
you know uranium was being rotated for
uh you know this uh you know enriching
the uranium so these spindles uh if they
rotate at a critical speed or Beyond a
critical speed only then it works that
was the whole
idea now what this attackers did is that
they said okay so who rotates the
spindles there are Motors right every
every a spindle has a motor right so
that motor rotates the spindle so they
said okay fine so what I'll do is I will
see how I can get to the PLC the
programmable logic controller which
tells the motor to you know run in what
speed and so on right so which basically
gives signal to the motor sets its speed
and and so
on so so how do I get to the PLC right
so PLC is actually is is within the
within the uh uh you know uh the the
place where the spindles are are
situated it's like a factory floor right
so these plcs are now uh actually being
controlled uh by uh scada systems uh
these are uh supervisory control and
data acquisition systems but plc's plc's
are are you plcs are not like regular
computers you cannot SE seat on them
there's no screen uh there is a there is
no like LCD display there is there may
be a small display and some stuff but
there is no large display and there's no
keyboard and stuff so you actually
create the PLC programs and put them
download them into the PLC right from
from Windows
machines so if I if I need the PLC
program to change
then I have to actually go to find those
windows machines from which the PLC
program is loaded right now how do I get
to that Windows machine right so that
Windows machine is uh within the uh
within the network uh but that Network
itself is not connected to the
internet so but uh this within this
network the office Network at which
regular uh uh you know officers were
working and the network uh at on which
that Windows machine was there from
which the PLC programs are loaded we in
the same segment same network
segment so so if I can get one of these
office
guys to carry the malware the malware is
written very very care carefully and
with lot of the Ground Intelligence
right they knew exactly which uh like it
was a cmen PLC that were that they were
using an S S7 right so so they knew
exactly make an model and how it works
how the PLC is loaded with programs from
Windows all this stuff they researched
so they then apparently uh they give
some free USB somewhere or something
where the actual malware was loaded and
one of the officers actually brought
that in plugged it in the malware got
copied into his machine same network by
us utilizing the connection between one
machine to the other it did a lateral
movement and then it actually went
eventually to find the machine where the
PLC program uh is loaded it replaced the
PLC program by a program that will um
make the mo motor run erratically and
these motors are very sophisticated so
if they run erratically for a while they
burn out so so the
main idea was to actually burn out as
many uh as many uh Motors in a very
short time as possible again and again
and uh the attacker the the defender is
thinking so Motors often Crash and Burn
right so but that percentage is very
small like uh you know maybe 1% Motors
uh also uh Crash and Burn quickly so
when they started started seeing that
Motors are crashing and burning but they
they saw that this Crash and Burn is is
is a very fast rate like you know very
large percentage of motors are crashing
and burning which basically halted their
uranium enrichment Pro uh program then
they realized something is not right and
then they did the analysis they looked
at the PLC program and they say this is
a different program uh this is this no
this is not
program that was already there then they
you know worked it out and they figured
out that they have been uh they have
been uh taken in for so uh so at this
point they actually started they figured
out and they started launching the same
thing saate everywhere else so in a in a
couple of months after after the
Iranians got got to know in a couple of
months staet was found a everywhere in
Europe then in uh in uh us uh South
America and also in India and Asia right
so within like that year we are seeing
stack net everywhere and various
variants of Stack net right so so at
this point uh the governments who
actually did this they got really afraid
that okay we have launched
something we have uh we have unbottled a
genie which cannot be put back into to
the bottle that is the situation like so
we thought that we'll just do it nobody
would know we'll delay their nuclear
program and they will not figure out how
how they were having so many motor uh
malfunctioning uh for a while they they
will replace it by then we have a large
uh gap between their uh you know in the
advancement of their nuclear program but
unfortunately the the the thing came out
open in the open and there are various
variants of stock net started coming and
also various variants of uh other
malware which seems to be from the same
um same group that actually started the
St net malware and it got you know
forked into multiple different uh uh
types of
malware I have a whole lecture on that I
will post that uh so uh so the
idea that I'm trying to tell you is that
the
has a eventual goal that is to destroy
their nuclear capabilities by delaying
it that is their final goal but they
don't get to the final goal just just
directly right you cannot get attain the
final goal directly so what you have to
do is that you have to do various uh
short um you know short range goals
right how do I get in right so there
this this system is not connected to the
internet so they don't read emails on
their computer so I cannot fish them so
I have to figure out how to how
to deliver the malware so so USB it is
right so once they got that they got one
goal done but to before doing that goal
they also had to do weaponization
because to write that stuck net worm was
a lot of work it probably years of work
right so weaponization was done and then
uh the reconnaissance which uh
Executives to actually uh you know
Target that I have to figure out right
so that that also I have to uh figure
out so so reconnaissance was done so
reconnaissance was done weaponization
was done in in in fact reconnaissance
was probably done after weaponization
right because you write the St net in
the lab you test it on a test bed then
you go and find who in that particular
facility
is amenable to a taking a USB inside
without suspecting anything so that is
reconnaissance uh then we find the
delivery delivery was through the USB
stick then that worm has to actually
figure out the uh the machine in which
that worm was initially executed it may
not be a high privileged account right
so it has to figure out maybe how to do
privilege escalation or it has to figure
out how to move across the that machine
to another
machine eventually in search of the
machine that has the PLC uh
system so these are small small goals
right so how to get in how to um move
from one machine to the other how to how
to collect the data about which machine
has the right target system all this
stuff has to be done and these are
called tactics so when an attacker even
eventually wants to execute a goal he
has to string together tactics right so
so and these tactics are not necessarily
in a linear fashion like as I said in
stocket probably the the reconnaissance
happened after weaponization right so it
does Tactics do not happen in a linear
order they may happen in multiple order
same tactic may be used multiple times
in the same chain of events but
eventually you want to execute the final
goal that is what this thing is about so
tactics uh are then now now to implement
the tactics you need techniques so there
are a lot of uh different techniques you
can use for example delivery by a USB is
one technique for for delivery but you
could also deliver it through a CD maybe
you could have delivered it through a um
you know email you could have delivered
delivered it through some other
mechanism like like uh finding um uh
weakness in their local network and by
uh sending a spy into the into the uh
facility all all the all kinds of stuff
can be actually done so so each tactic
has a multiple techniques by which that
tactic can be
realized and uh then techniques can be
described in terms of procedures how a
technique is actually applied so there
are procedures
so and this knowledge Bas is Community
Driven so it's not like done only by
miter people they invited uh everybody
to actually contribute to this and it's
it has become a very huge and very
useful knowledge base for
everybody okay so let me let me show you
the knowledge base because I don't think
I have a whole lot of time
here 5 minutes
so uh uh
so so attack. miter.org is where you
have to
go uh here you'll see the tactics right
so uh tactics here you see the tactics
that I'm going to talk about in the
class is Enterprise tactics so
Enterprise tactics there are 14 uh
tactics right now if you go into their
mobile tactics how mobile attacks on
mobile mobile phones happen then you
will see a a slightly different set of
tactics and if you go to their IC
tactics that is industrial control
system then they will see a slightly
different and a smaller number of
tactics doesn't mean that the attack on
IC requires less number of tactics but
so far the attacks that have been
analyzed has seen only these tactics
tomorrow there may be another tactics
added to this list but to far this uh
this are the tactics that have been seen
in
use then if you if you actually go into
the uh techniques so Enterprise
techniques so here is a list of
techniques there are 300 plus
techniques so here and then there are
sub techniques so for example here you
say that abuse elevation control
mechanism right so here uh this is uh
about privilege escalation right so
there are multiple different sub
techniques within privilege escalation
like uh you know those those of you who
know about set uid set G ID thing here
is the bypass of user account control
using Pudo or pseudo caching uh elevated
execution with prompt uh temporary
elevated Cloud access access token
manipulation so there are many different
ways you can actually do the privilege
escalation okay so similarly you can
have techniques that are associated with
let's say uh initial access so initial
access you can have content injection
drive by compromise uh exploit public
facing application external remote
services and so on so these are
techniques we'll we'll get into this uh
later but uh this uh thread intelligence
right so there are thread
groups so you can see all this different
thread groups like uh like we talked
about the AP1 right so AP1 is a Chinese
thread group attributed to the second
Bureau of people's Liberation Army
general staff departments third
Department commonly known its military
unit cover designator as unit 6 uh
61398 so this group has been analyzed
quite a bit by the various threat
intelligence agencies so that's why
they're being so specific right about
who might be behind the
AP1 some of the groups may not be
actually you know known that
definitely here you have all the
techniques that has been seen to be used
by this AP group the kind of software
they use for their attacks and so on and
then there are some of this uh analysis
and stories related to AP1 so this is
where you find find more information of
AP groups you can find about different
softwares used for attacks so you can
see uh and this this uh list continues
to grow as we know more campaigns there
are
campaigns uh which are basically uh the
what the AP groups take carry out so if
you want to know like you know how the
2015 Electric Power Attack then you can
go
here and you can actually see what
techniques were used and then you can
from that you can figure out what
tactics were used so you see that these
are some of the uh software that were
used for this uh Ukraine Electric uh
power grid attack and there are so many
uh of these techniques were used so
we'll stop here
[Music]
[Music]
[Music]
تصفح المزيد من مقاطع الفيديو ذات الصلة
5.0 / 5 (0 votes)