Cisco - CyberOps Associate - Module 01 - The Danger

00:00

welcome and in this video course we are

00:02

looking

00:03

at the cyber ops associate version one

00:06

course

00:07

this course is going to cover the skills

00:09

and knowledge

00:10

needed for successfully handling the

00:12

tasks and duties responsibilities

00:15

of an associate level security analyst

00:18

working at a security operations center

00:20

the goal of this video series is to help

00:22

prepare learners

00:24

for the cisco 200-201

00:27

certification that's focusing on

00:29

understanding the cisco

00:31

cyber security operation fundamentals

00:34

course

00:35

known as c b r o p

00:38

s

00:41

welcome module one the dangers to the

00:44

network

00:46

so we're going to be looking at why we

00:48

have to do this some basic war stories

00:51

we're going to be looking at threat

00:52

actors and what they are that includes

00:55

the motivations kind of why they're

00:57

doing specific

00:58

things and we're going to look at the

01:00

threat impact

01:02

and again threat impact we're looking at

01:04

potential impact

01:06

not always direct impact

01:09

because keep in mind the goal is to

01:11

mitigate

01:12

the threats so that they're not actually

01:15

realized

01:16

that's why we discuss things in

01:18

potential

01:19

as opposed to actually occurring

01:23

so first off some basic war stories

01:27

one of the fun ones is this hijacked

01:29

people

01:30

and essentially hackers can set up rogue

01:34

wireless networks for example you're at

01:36

starbucks you connect to the wi-fi

01:39

are you really connecting to the

01:40

starbucks wi-fi or are you connecting to

01:43

a rogue wireless network that is

01:46

mimicking

01:47

starbucks wi-fi so

01:51

this is actually known as an evil twin

01:54

and this is actually fairly simple to do

01:57

you have a lot of networking devices on

02:01

the market today that do this so

02:04

when we're talking technical ability it

02:07

used to be

02:08

a little higher to do these types of

02:10

attacks but not necessarily

02:12

so it's the purpose of an evil twin well

02:15

if you actually connect to an evil twin

02:18

instead of the original network

02:20

and again you probably won't even

02:21

realize it's an evil twin

02:24

everything that you do can be monitored

02:26

could be stripped

02:27

so even https sessions can have the

02:31

encryption

02:32

stripped from the data so they can be

02:35

readable

02:36

so we have to be extremely careful what

02:39

we

02:39

are doing now granted not all instances

02:43

of

02:43

ssl can be stripped a lot of them can

02:47

not all of them so you have to be a

02:49

little more careful

02:50

when you're at starbucks maybe not check

02:52

your banking maybe not

02:53

check specific financial uh

02:58

backing up options you're on facebook

03:02

so i'd be concerned with that because if

03:05

someone

03:06

is actually able to gain access to my

03:08

social media

03:09

would that cause an issue and if the

03:11

answer is yes you probably don't want to

03:13

be checking that with open wi-fi

03:16

so another danger is ransomed companies

03:21

so it is a growing concern

03:24

when you have companies that are lured

03:27

to

03:27

open attachments to have infections

03:32

that will hold their devices ransom

03:35

typically called ransomware and

03:38

essentially it will encrypt everything

03:40

and it will force the user or the

03:43

business to pay a ransom

03:45

it's really interesting because

03:47

ransomware has been around for a number

03:49

of years

03:51

and we're starting to see more and more

03:53

concern

03:54

with ransomware and we're also seeing

03:59

ransomware kind of shift a few years ago

04:02

60 minutes did a great special on a

04:05

small

04:06

county i think in oklahoma that had

04:09

ransomware

04:11

the ransom was 10 grand the mayor was

04:14

like we can't afford that we could pay

04:15

you five

04:16

grand the ransomware group was like okay

04:19

they took five grand unlocked everything

04:21

and moved forward

04:24

because somebody some money was better

04:25

than no money in that

04:27

situation however in that same 60 minute

04:31

episode a larger city had a

04:34

2 million dollar ransom they had the

04:38

money

04:38

but they refused to pay it because if

04:41

they paid it

04:42

then it would promote individuals to

04:44

keep doing this

04:46

so the large city was like no we're not

04:48

going to pay it and they

04:49

lost data for years

04:52

they lost security camera footage they

04:55

lost

04:56

dash cam footage from police i mean they

04:58

lost a lot of information

05:01

so with ransomware some companies are

05:04

paying some companies are not paying

05:06

it really just depends on can you

05:09

survive

05:10

without that data or can you survive

05:14

with paying the ransom

05:16

and those are things that are growing in

05:18

concern and they're

05:20

not an easy answer it's not as cut and

05:23

dry as

05:24

don't pay because you will keep

05:27

encouraging this

05:28

if you don't have your data can you

05:30

operate simple as that

05:34

another huge issue is these targeted

05:39

nations so when we look at key

05:41

infrastructure

05:43

power water the other key infrastructure

05:48

transit all of this

05:51

should have a certain level of security

05:54

but the question is

05:55

do they power plants after you've

05:58

already been

05:59

shown that they can be taken down with

06:02

malware

06:03

we've seen that malware such as uh

06:06

stuxnetworm

06:08

which was introduced to a non-networked

06:11

or

06:12

it was introduced to a power plant or

06:14

power grid

06:15

through a usb device that then

06:17

ultimately led

06:19

to the crash of a power plant

06:22

basically the software was designed to

06:25

jump from machine to machine

06:27

until it reached a programmable logic

06:30

controller a plc and from the plc

06:34

it took down very specific critical

06:37

systems for that power plant

06:40

however you see the same thing in water

06:43

where i come from in northern california

06:48

we've actually seen that our water pumps

06:50

are susceptible to ransomware attacks

06:54

and people may think well what's the big

06:56

deal if we turn off a water pump here or

06:59

there

07:00

well in some large cities the water

07:03

pumps control

07:06

fresh water to everyone's homes

07:09

so if you can imagine a city like la or

07:12

las vegas

07:13

having water pumps turned off or reduced

07:17

how quickly would the water dry up in

07:19

those cities

07:21

in la i think rough estimates were five

07:25

days

07:26

in vegas rough estimates were if key

07:29

water systems were compromised less than

07:32

three days

07:35

granted these issues have been addressed

07:37

by dhs

07:39

and recent audits but

07:43

before those audits those two large

07:46

cities

07:46

were critical i mean that water pump

07:49

could have accidentally

07:51

killed you know hundreds of thousands of

07:53

people

07:54

if they were infected so key

07:57

infrastructure is

07:58

definitely being targeted and we've seen

08:02

that because our

08:04

infrastructure is very vulnerable

08:07

not just the water system not just power

08:09

grid not just

08:10

infrastructure like roadways train

08:13

systems

08:14

transit systems all of those are being

08:17

targeted

08:18

for disruption

08:22

so in our course we do actually have

08:25

a video discussing the anatomy of an

08:28

attack

08:29

and essentially this is what's known as

08:33

a kill chain

08:36

so the kill chain can be broken down in

08:38

a few different steps

08:40

in a very basic model we have a

08:42

four-step process for

08:44

a cyber attack reconnaissance attack

08:48

expansion obfuscation

08:51

basically you do some recon you figure

08:54

out where you can attack them you attack

08:56

them

08:56

and you expand once you have attacked

08:59

and gained access

09:01

once you have expanded you can start

09:03

obfuscating what you're doing

09:05

hide your tracks that is the general

09:09

agreed-upon anatomy however we can dive

09:13

a lot deeper in those types of

09:15

attacks than just four steps

09:19

that is the general model that most

09:21

organizations use

09:23

however there have been a lot more

09:25

research done in

09:27

a seven phase attack instead

09:30

reconnaissance is always going to be the

09:32

beginning

09:35

except here we take the attack phase and

09:37

we break it down to two additional

09:38

phases

09:39

weaponization and delivery essentially

09:43

you do the reconnaissance you figure out

09:45

what is what

09:46

how things are are associated how things

09:48

are

09:49

vulnerable what systems there are what

09:52

operating systems there are

09:53

and you can weaponize that information

09:56

if you know they are running

09:58

a unpatched version of windows server

10:01

2012

10:02

well you can weaponize that information

10:04

you can craft an

10:05

exploit that will be able to exploit

10:08

that system

10:10

the third step again that after

10:12

weaponization is that delivery

10:15

now that you know what exploit to run

10:17

you can figure out ways to deliver that

10:20

exploit to

10:21

that target the

10:24

delivery could be an email could be

10:26

infecting a website

10:28

could be sending a phishing could be

10:31

social engineering it could be as simple

10:32

as

10:33

calling a secretary and saying that

10:36

you're your boss's boss

10:37

and that you need her to look at an

10:39

email again that's going to be more of a

10:41

phishing email

10:42

but you can deliver the

10:46

malware in multiple ways so after you've

10:49

done the delivery

10:51

the exploitation portion will uh

10:54

happen the exploit has been delivered it

10:57

needs to be executed without being

10:59

detected

11:01

so that's why phishing emails are

11:03

becoming more popular

11:05

most organizations still lack decent

11:08

phishing user training some

11:11

organizations are actually doing

11:13

proper training but most are not so

11:16

after the exploit has

11:18

ran we have a command and control that's

11:21

phase

11:22

five essentially once the exploit has

11:26

been

11:26

executed the exploit should then

11:29

communicate with the threat actor to

11:32

figure out what to do next to download

11:35

newer versions of malware

11:37

to run certain scripts or

11:40

to expand or lots of other

11:43

options and that is done through a

11:45

command and control

11:47

server once that

11:50

actually occurs phase six will be

11:53

internal

11:54

reconnaissance again we're doing

11:56

reconnaissance again

11:58

they may start looking to see

12:01

what is internal what networks are

12:03

available what workstations are

12:05

available

12:07

in order to move lateral through the

12:09

organization

12:11

you need to have a decent map of the

12:13

infrastructure

12:14

how to the different devices connect to

12:17

one another

12:18

are there networks inside of networks

12:20

are there systems inside systems

12:22

we're not quite sure so that's where

12:24

that internal reconnaissance has to take

12:26

place

12:27

are there internal security measures

12:31

is there an ips is there an ids

12:34

is there a network for iot or plc-based

12:38

devices not quite sure that's why

12:41

that reconnaissance is so important

12:45

the last step is maintain and obfuscate

12:50

hide your track and stay as long as

12:52

possible

12:53

the deeper you dig inside the network

12:58

the harder it is for them to

13:01

remove you or find you things like being

13:04

able to install

13:05

root kits in very specific files

13:09

is a great way for things not to be able

13:12

to detect you

13:14

also with root kits we could uh

13:17

have a slave of computers

13:21

slaves zombies can actually slowly build

13:25

a

13:25

bot network or a bot kit

13:29

bots or bot network is just a bunch of

13:31

slave computers

13:33

that can do whatever the command and

13:35

control server says

13:37

these are all ways that a cyber attack

13:41

can move forward and again this is not a

13:45

complete list like this kill chain is

13:48

ever evolving ever changing

13:50

because these steps are always being

13:53

modified and refined

13:54

for easier attack ability

13:59

so the important part is why do hackers

14:01

do this

14:03

gain information gain data

14:06

because they're mad at a company there's

14:08

a huge

14:09

list it could be that you're being paid

14:11

to do this for some reason

14:14

the reason hackers do what they do is a

14:17

pretty long

14:18

list a threat actor is typically defined

14:22

as a malicious actor also known as a

14:25

threat actor

14:27

that is an entity that is partially or

14:30

wholly responsible for a security

14:32

incident that

14:33

impacts or has the potential to impact

14:37

an organization's security

14:40

oftentimes threat actors come in four

14:43

main flavors

14:44

they are going to be cyber criminal like

14:46

hackers

14:48

hacktivists state-sponsored attackers

14:51

or possible insider threats those are

14:54

the main four

14:55

types of threat actors that is not a

14:58

complete list that's just the main

15:01

i did this before going to the next

15:03

slide because

15:05

as information as days go by

15:08

everything changes cisco defines

15:12

five major groups hacktivists

15:15

organized crime hackers state sponsors

15:19

terrorist groups but they're also now

15:22

including

15:24

amateurs so amateurs are going to be

15:27

anyone that

15:28

doesn't have any real skill that is able

15:30

to compromise security like a script

15:32

kitty

15:36

so kind of what are their purposes

15:39

again amateurs script kitties they use

15:41

built-in tools

15:43

and they have basic understanding how to

15:45

do things

15:46

so they can still be pretty dang

15:48

devastating to a business

15:50

even though their skill level is

15:51

relatively low

15:53

hacktivists are hackers who publicly

15:56

protest against

15:57

a reason and they use that

16:00

ideological difference and they're

16:04

actually targeting individuals opposed

16:06

to that difference

16:08

they could be posting articles videos

16:11

leaking information

16:14

for example just an example let's say

16:17

that i'm against cosmetics that use

16:20

animal testing i'm targeting a company

16:23

that says they don't

16:25

uh use animals but i know they do

16:27

because i broke into their server

16:29

and i have video footage showing them

16:30

using animals for

16:32

testing i post their video

16:35

internal videos online that would be an

16:38

example of a hacktivist

16:41

and they can do this so many different

16:43

ways

16:44

they could be hacking they could be just

16:47

straight

16:48

using ddos denial services to

16:52

disrupt an organization's ability to

16:54

function

16:55

another thing is financial gain a lot of

16:58

what hackers do

16:59

is because they're getting paid it may

17:02

not be because

17:04

i'm philosophical against what you're

17:07

doing

17:08

it could just be because i'm getting

17:10

paid to do job

17:11

or task x and i need to make rent this

17:15

month so i do it

17:16

so motivated by financial gain is a huge

17:19

part

17:21

cyber criminals want to gain access to

17:24

information

17:25

banking information medical information

17:28

things that can be

17:29

leveraged to generate cash

17:33

that's always a huge portion of why

17:35

hackers hack

17:37

is to generate funding that is not the

17:40

only reason

17:41

for some hackers they want to prove that

17:44

they can do it

17:45

for some other hackers they want to make

17:48

money

17:50

there is private information

17:51

intellectual property i

17:53

p out there trade secrets that

17:56

should be protected at times some nation

18:00

states may disagree with that

18:02

intellectual property being private

18:04

so they target and publicly announce

18:07

what that ip is

18:10

so again other countries could also

18:12

interfere with political

18:14

systems can influence other political

18:16

systems

18:18

they may be interested in industrial

18:21

sabotage

18:22

i may want to go into the wind turbine

18:26

industry but i don't want to uh do the r

18:29

d i maybe go to the same industry but a

18:33

different organization

18:34

commit in industrial espionage or cyber

18:38

espionage

18:39

distill their plans i make a knockoff

18:42

version of it and sell that

18:45

i actually don't have to spend as much

18:46

money doing r d

18:48

so i actually can sell my product

18:50

cheaper

18:52

that's a great example of espionage

18:53

that's pretty dang common

18:56

basically the theft of intellectual

18:59

property

19:00

is a huge part of why some organizations

19:04

do commit espionage

19:08

intellectual property is actually a

19:11

billion dollar industry each year if i

19:14

have

19:15

the recipe to make product x or i've

19:18

got the plans to make product y

19:21

and if you can still them then you don't

19:24

have to put as much r d

19:26

which means you can run cheaper so

19:30

intellectual property theft is a huge

19:33

growing business and a huge growing

19:35

concern

19:36

again these are not a list of every

19:38

reason this is just a brief

19:39

overview of main reasons why

19:43

individuals hack and kind of the

19:45

different

19:46

groups of hackers and why they hack

19:50

so earlier we talked about iot and plcs

19:53

well iot is also known as internet of

19:56

things

19:57

and these iot devices basically help

20:00

individuals connect things to improve

20:02

quality of life could be a smart light

20:06

could be a smart refrigerator could be a

20:08

smart

20:10

garage door opener things of that nature

20:13

these types of devices connect to the

20:16

internet and they're not always

20:17

updated so that is why some of them

20:20

become a

20:21

gateway into the network threat actors

20:25

actually prey on these devices because

20:28

they create opportunities

20:30

for the threat actor to enter a network

20:35

we have another lab researching and

20:37

analyzing iot application

20:38

vulnerabilities

20:40

again labs are done in a separate video

20:43

last major section are threat impacts

20:46

what is the purpose of the threat how

20:49

does it impact the organization

20:52

so there's a key set of information that

20:56

organizations want to protect pii

20:59

personal identifiable

21:02

information that's one of the big ones

21:04

this is any information that can be used

21:06

to positively identify an individual

21:09

name and address name and phone number

21:11

name and social security birth date

21:13

credit card numbers

21:14

things of that nature cyber criminals

21:18

definitely try to obtain lists of pii so

21:21

that they could uh

21:22

steal people's identities that's one of

21:24

the big ones

21:25

or they can use this pii to create fake

21:28

accounts fake bank records

21:32

or open up legitimate bank accounts and

21:35

then

21:35

withdraw it or open up legitimate credit

21:38

card lines

21:39

and then not pay them or loans or things

21:43

of

21:43

that nature we also have

21:47

protected health information phi

21:50

and that's typically a subset of pii

21:53

we have a growing digital system of

21:57

medical records

21:58

in the us and these are typically

22:01

electronic medical records

22:03

emr based systems the emr-based systems

22:08

protect the phi and this is going to be

22:11

procedures this is

22:13

anything medical done by an individual

22:17

well to an individual not by the

22:19

individual

22:20

doctors do the actual

22:24

procedures so pii

22:27

phi and then we have personal security

22:31

information

22:32

this is another common type of pii and

22:34

this includes

22:35

user names passwords any security

22:38

question

22:39

responses or challenge responses any

22:42

information that can

22:43

an individual can use to pretend to be

22:46

someone else

22:48

these are all main areas that can be

22:51

targeted and compromised

22:54

so who cares if someone steals pii or

22:57

phi or psi well all of these

23:00

one are expected to be protected

23:04

but individuals that have pii with

23:08

a organization and that organization

23:11

has the ability to leverage that pii as

23:14

a competitive advantage

23:16

so breach of pii or phi or psi

23:22

can result in the organization losing

23:24

their competitive advantage

23:26

if you go to a hospital and you know

23:29

that hospital

23:30

is constantly leaking out your pai

23:33

you're less likely to go to that

23:34

hospital

23:37

so the protection of the information

23:40

about you

23:41

is that organization's competitive

23:43

advantage we're going to ignore the fact

23:45

that

23:46

certain level or expected levels of

23:48

privacy are

23:49

mandates like phi is protected by ferpa

23:54

sorry purpose educational records it's

23:57

protected by

23:58

hipaa if you're in a school

24:01

and your grades are not protected that's

24:04

a violation of ferpa

24:06

if you are dealing with financial

24:08

information

24:10

there are compliances guarding financial

24:12

information

24:13

if you are or an organization storing

24:15

credit card information

24:17

and there's a breach there that's a pci

24:20

dss

24:21

violation so

24:24

certain types of data are protected by

24:27

industry

24:28

or by state and federal laws or

24:32

country laws so any

24:35

types of breach in that could lead to

24:37

that loss of competitive advantage

24:40

that means loss of intellectual property

24:43

to a competitor again we talked about

24:46

that earlier about industrial espionage

24:49

and how the competitor can now

24:52

improve their product without having to

24:54

pay for the r d that your organization

24:56

paid for

24:57

other concerns are loss of trust or

25:00

faith in that organization meaning or

25:04

individuals no longer want to go to that

25:06

organization so that organization

25:08

eventually will

25:09

fail

25:12

other threat impacts could be political

25:15

or

25:15

national security it's not just

25:18

businesses getting hacked government's

25:20

getting hacked all the time

25:22

in the news in the last several years

25:25

how many federal

25:26

organizations have had data breaches irs

25:30

is one of the big ones but it's not the

25:32

only one

25:34

state supported hackers are causing

25:37

disruptions and destruction

25:39

over digital services in the uk

25:43

you've actually had hackers target uk

25:45

internet providers

25:47

to shut down the internet and porch

25:49

portions of the uk

25:51

in eastern europe same thing

25:54

when you have hackers that disagree with

25:56

what the government's doing

25:57

hackers take down infrastructure the

26:00

internet has become essential

26:02

as medium for commercial

26:06

businesses for financial

26:09

activities for banking for

26:12

infrastructure

26:13

for users for sharing of information

26:18

all that's done through the internet so

26:21

with a disruption of internet services

26:25

it could actually devastate an

26:26

organization it could devastate

26:28

a country

26:32

if a business loses internet it could be

26:35

their complete cut off from the world

26:37

they may not be able to purchase things

26:38

or sell things or

26:40

connect with their vendors or consumers

26:43

if a country is cut off from the

26:45

internet that means everyone in the

26:47

country

26:48

individuals consumers businesses

26:51

government

26:52

all cut off from the outside world and

26:55

that definitely can destroy a country's

26:57

economy

26:59

another lab visualizing black cats

27:03

so let's go ahead and summarize what we

27:06

learned

27:08

in this module we learned about threat

27:11

actors how they

27:12

function why they do what they do we've

27:15

looked at iot we looked at different

27:17

types of

27:18

information pii phi psi

27:22

and why those are areas of concern we

27:25

talked about

27:26

overall kill chain structure

27:29

and that is it for this lecture if you

27:32

have any questions or concerns

27:34

please