Lecture 05

00:10

[Music]

00:13

good morning everyone uh I have 92

00:16

students in the class but it seems like

00:19

25 people sitting

00:22

here uh I have to uh start uh asking for

00:26

fingerprint uh um attendance

00:32

in any case um we uh I assume that you

00:36

have watched the uh pre-recorded uh

00:38

video that was posted on

00:41

canvas um so I have uh few questions for

00:45

you before we

00:47

start so we'll

00:50

be looking at

00:52

that okay so uh if you haven't done so

00:57

go to mente.com on your phone use the

01:01

code 632

01:04

4165 and uh answer the

01:09

questions since this is completely

01:11

Anonymous you can be truthful if you

01:13

haven't watched you can decide

01:41

okay so uh looks like large number of

01:44

you have watched at Leist uh parti or

01:47

completely so now tell

01:50

me the command and control is not used

01:54

for which of the following activities by

01:56

the adversary right so I have four

02:00

different activities

02:03

here remember it's not

02:19

not okay so um suppose you are you are

02:23

the one sending a malware to somebody

02:25

else's

02:26

machine and you want to know if the

02:29

malware has has been installed there how

02:33

do you how would you do that you have to

02:35

have the malware communicate to you

02:38

right so then the first

02:41

choice is that the command and control

02:44

wants to know the uh adversary wants to

02:46

know if the malware has been installed

02:50

then it wants it will write the malware

02:52

in such a way so that the as soon as the

02:54

malware finds a uh Target and uh

02:58

executes it will call on the network

03:02

functions and communicate to the command

03:04

and control isn't it how else will the

03:08

adversary know that the malware actually

03:10

got

03:12

installed now once the adversary knows

03:17

that the that it has been installed then

03:20

it will want that uh the malware finds

03:25

something on that machine what

03:28

applications are running what what

03:29

versions are running what are the

03:32

different uh files in the file system

03:35

what are the uh if there are any

03:38

credentials uh uh somewhere in that

03:41

machine is there a weak implementation

03:44

of a protocol through which it can move

03:47

so all this information the malware will

03:50

send to the

03:52

adversary via the command and control

03:54

route then the adversary based on the

03:58

information it got it will customize a

04:02

payload that can exploit that particular

04:05

situation that the malware is telling C2

04:09

so therefore the second one is also

04:12

something that is used uh the C2 is used

04:15

for right to get better understanding of

04:18

its Target and

04:21

customize more virulent payload for the

04:24

Target now if you want to do data

04:27

exfiltration let's say you want to

04:29

filtered data from another person's uh

04:33

system using a

04:35

malware how will that

04:37

malware send the data where will it send

04:39

the

04:41

data it will read the data from the

04:44

target machine but it has to send it

04:47

somewhere so that has to be a command

04:49

and control server

04:51

right so so all these three choices are

04:54

not correct because I'm asking what is

04:58

which one of this is not an use of

05:01

command and control right I'm not asking

05:04

which one is is a Cho use of Comm and

05:07

control because that would make sense

05:09

because I have three different choices

05:11

all of which are actually use of command

05:14

and control so the last one the

05:16

privilege escalation is the Natural

05:19

Choice because privilege escalation is

05:21

nothing to do it's a very local thing it

05:23

has nothing to do with what happens

05:25

there like in the command and control

05:27

side if there is a weak program which

05:30

has a privilege escalation

05:33

vulnerability and your homework one will

05:37

make you do a privilege escalation so

05:39

you will understand how privilege

05:41

escalation happens right so so in terms

05:45

of homework you will get virtual

05:47

machines which you'll have to install on

05:49

your machine and do all these things

05:53

right on the on on that virtual

05:56

machine okay so next one

06:02

so this is an easy one use your finger

06:05

to push up and down and sort them in the

06:09

order in which they appear in CKC so

06:11

these are the seven stages of cyber kill

06:15

chain they're in a in a random

06:19

order so you have to basically push them

06:22

up and down to put them in the right

06:27

order so I see there are not many

06:31

responses

06:36

[Music]

06:40

yet it's almost

06:48

correct it's almost

06:51

correct where is it not exactly

06:54

correct see you have to do exploitation

06:58

of a weakness in the system

07:00

before you can do installation right so

07:03

your exploitation and installation order

07:05

for majority basically is in the

07:08

opposite order but otherwise you got the

07:11

other ones right but this one has gotten

07:14

a little bit you know in the reverse

07:17

order okay so now go to the next one

07:21

here I'm asking like uh suppose you you

07:25

disrupt remember like in CC seven stages

07:27

and claim of CC is that if your defense

07:30

can actually stop them in one of the

07:32

seven stages then you win right you

07:35

cannot get get it the adversary do the

07:39

final thing that it wants to

07:42

do now the question here is that

07:46

uh whether uh you you know whether you

07:49

stop it or not you have to do po

07:51

incident

07:53

analysis and there are three reasons

07:56

given why and you have to basically say

07:58

which one is more important important

08:00

reason why I would like to do the PO

08:03

incident analysis and not be happy that

08:06

okay you know the bad thing didn't

08:09

happen also well that end well is

08:12

doesn't work right I mean here you have

08:13

to uh actually analyze why it could

08:17

actually do what it could do okay so so

08:21

this uh ordering is not uh you know it's

08:24

it's rather subjective of course you

08:26

have to know where the defense failed

08:28

right and then you have to fix that

08:31

because your defense must have failed in

08:33

one of at least whichever stage up to

08:36

whichever stage the adversary could come

08:38

in until that stage you your defense

08:41

didn't work at least against that

08:43

particular adversary so so you have to

08:45

figure out what failed and then

08:47

accordingly fix those now there is a

08:51

there is a you can debate about second

08:53

and third which is uh of course you need

08:56

to learn more about the

08:57

adversary but also so you have to do

09:00

root cause analysis and in a

09:02

well-governed cyber security

09:05

environment every incident root cause

09:07

analysis is presented to the highest uh

09:10

you know Authority in order for um you

09:14

know for the highest authority to know

09:16

where uh the possible risks are in the

09:20

organization right so so that's kind of

09:23

uh you know you can have a second and

09:26

third kind of a risk condition

09:32

now this one I have put uh intentionally

09:34

I haven't uh really told you about all

09:37

possible AP groups advanced persistent

09:40

thread groups I have said that advanced

09:42

persistent thread groups are very

09:44

resourceful thread groups usually

09:47

supported or funded by nation state

09:50

governments and uh it's actually quite

09:54

difficult to tell whether a particular

09:57

thread group is uh working for a

10:00

specific government uh this process is

10:03

called attribution so it's an

10:05

attribution is difficult but there are

10:08

some which are kind you know which have

10:09

been analyzed by a lot of threat

10:11

intelligence companies and there are we

10:14

kind of

10:15

know which one you know is correct uh

10:19

and some of them we do not know as fully

10:22

correct okay so in this case so I wanted

10:25

to see if you got interested beyond the

10:28

class and actually did some studies

10:30

about this uh nation state adversaries

10:33

in any case ap28 is not a Chinese AP

10:37

it's actually a Russian AP they were

10:41

responsible for uh the solar wind

10:44

attacks in 2020 in the US many US

10:48

government uh entities their

10:50

organization were infiltrated by the uh

10:53

supply chain attack on a software system

10:57

uh that for network monitoring called

10:59

toar wind uh so ap28 is not a Chinese

11:04

group so so most of you are have avoided

11:07

that and indeed ap3 is a Chinese thread

11:10

group right so so most of you have

11:13

looked at that so uh so that's good now

11:16

for each of these you have to say

11:17

whether it's true or

11:19

false so well first one I have already

11:24

disclosed so for the other two

11:41

so AP 28 nobody got

11:47

wrong so AP 37 indeed is a North Korean

11:52

group and sometimes it is considered

11:54

that this is also the same as the

11:57

Lazarus group

11:59

uh they actually go after countries like

12:02

South Korea uh

12:04

us uh they have been found in India also

12:08

uh they are pretty uh resourceful very

12:11

skilled set of uh

12:13

hackers a33 is also correctly uh in

12:17

Iranian group right so

12:20

cd33 uh is an Iranian hacker group as

12:24

you uh can imagine that uh countries

12:27

like North Korea Russia Iran are some of

12:31

the most uh and Chinese are some of the

12:34

most notorious thread groups they have

12:37

multiple different thread groups not

12:38

just one thread groups now remember that

12:42

uh when I say something like ep3 is

12:44

Chinese thread group right and AP1 is

12:47

also a Chinese thread group it may be in

12:51

reality that the AP1 and ap3 might be

12:53

the same set of people based on the uh

12:57

the attacks they use the malware use the

12:59

command and control infrastructure they

13:02

use the kind of uh targets they actually

13:06

choose uh all these things U allow a

13:10

threat intelligence company uh or

13:13

organization to Cluster these attacks

13:16

many attacks together and name them as a

13:18

AP group now it may so happen that uh uh

13:23

what we are calling

13:25

ap28 maybe actually two different groups

13:28

who are all using similar set of malware

13:32

similar set of attack motor supper and

13:34

so on or it can also be the case that uh

13:38

AP1 and ap3 are the same group thus they

13:41

are using two different sets of

13:43

infrastructure two different types of

13:45

malware to different types of things so

13:47

so all these things are shrouded in

13:49

mystery right so we do not really know

13:52

that uh you know that ap28 is uh being

13:56

uh directly uh talking to for example

14:00

Putin right we do not know that but uh

14:04

the the threat intelligence companies

14:06

over time have analyzed and found that

14:09

uh they they found fragments of Russian

14:11

language uh uh comments in their in

14:14

their code they found uh command and

14:17

control infrastructure that are uh not

14:21

necessarily in Russia but actually have

14:23

been found to be used by Russians in

14:25

other places they also find that uh that

14:29

this time of the day when they were most

14:31

active uh they also find the targets

14:35

that they choose uh like Ukraine us

14:39

these are mostly their targets from that

14:42

they actually came up with this uh uh

14:45

you know uh idea that uh this is uh

14:49

Russian now in India we do not have uh

14:54

this capability of

14:55

attribution so in cab we are doing aot

14:59

lot of work on this attribution but in

15:01

general uh we haven't developed this

15:03

attribution capabilities so far uh in

15:08

India the last question so this is a

15:11

book I already

15:12

mentioned uh this is a uh this is a book

15:16

by uh New York time

15:20

cyber security

15:23

reporter uh if you remember uh well you

15:26

are probably too young to remember

15:29

how many of you heard about Snowden so

15:32

Snowden was a consultant employee in the

15:36

uh I I believe in buo alen Hamilton uh

15:39

which is a defense

15:41

contractor and then he exfiltrated a lot

15:45

of data uh during uh early

15:48

2000s about many secret

15:51

programs uh that us where you know

15:54

military and and the intelligence

15:56

agencies were

15:57

doing uh including spying on its own

16:02

citizens so what he did is that he then

16:05

gave this information to certain news

16:09

organizations New York Times was one of

16:11

them and nicool Parra worked on that

16:16

team and since then she found that there

16:19

are lot of programs by governments and

16:23

not necessarily only Russian and Chinese

16:27

and and Ukraine the usual suspects it's

16:29

not the only The Usual Suspects it's

16:32

actually governments like the US

16:34

government like our government like uh

16:37

the European uh governments they all

16:41

have programs to find

16:45

vulnerabilities in and of course Israel

16:48

uh find vulnerabilities in uh will uh

16:53

very highly used software systems right

16:56

for example in in iOS or in uh Android

17:00

or in Windows or in uh uh Windows Office

17:04

or things which are widely

17:06

used and uh governments

17:09

buy this

17:12

vulnerabilities from hackers who are

17:15

blackhead hackers who are not

17:17

necessarily considered responsible

17:19

hackers so responsible hackers they

17:22

actually go and when they find a

17:24

vulnerability they do an what what we

17:26

call a responsible disclosure they go

17:29

and tell the company look uh you have

17:31

this problem I'm going to publish this

17:33

in uh blackhead conference or uh

17:37

whatever conference but I will wait

17:39

until you fix it right so that's what

17:41

responsible disclosure they won't

17:43

disclose it to the world until it is

17:46

fixed unfortunately the uh blackhead

17:49

hackers are the opposite they find

17:52

vulnerabilities but they do

17:54

not uh disclose to the organization that

17:57

is responsible for that software

17:59

Hardware Etc they will go and sell it in

18:02

the black market and one of the biggest

18:05

buyer of this black market are

18:07

governments so governments actually buy

18:10

this

18:11

exploits uh for example National

18:13

Security Agency in the US and then they

18:16

actually use it right so uh use it

18:19

against uh other uh countries uh like uh

18:24

important uh Personnel like their Prime

18:27

Ministers or uh you know whatever uh

18:30

this is and now uh there are companies

18:34

who actually uh uh also create this uh

18:38

use this um exploits and create a

18:41

complete Comm and control system so you

18:44

can buy the entire command and control

18:46

system from them and one of this famous

18:49

company that you might have heard of is

18:51

NSO right NSO is the company that is was

18:54

responsible for Pegasus Pegasus was a

18:57

malware that was a zero click and zero

19:01

day malware uh and they basically sell

19:04

to the

19:06

governments uh to this whole command and

19:09

control infrastructure through which you

19:10

can actually see what is happening in

19:13

somebody else's phone uh and actually uh

19:16

from that you can uh spy on them right

19:19

you can spy on them you can also put in

19:23

incriminating evidence in their phone or

19:25

in their desktop Etc which will let

19:28

later on be used against them so there

19:31

there is a whole uh business around this

19:35

uh vulnerabilities and exploits there

19:38

are also open companies where you can

19:41

find uh not even in the dark web in the

19:44

in the in the regular web surface web

19:47

there are companies which will pay you

19:50

over million dollar if you find an iOS

19:53

vulnerability that is zero zero click

19:56

and zero day right so this is the

19:58

situation so what this book basically

20:01

says that you know we already have seen

20:06

stocket being used by other countries in

20:09

Iranian nuclear plants what stops Iran

20:13

to use the same on other countries and

20:15

they have tried and Iran has actually

20:19

attacked dams water like the hydro

20:24

uh systems in in the US uh by mistake

20:28

they did as very small dam so it didn't

20:30

work but the same name dam was also in

20:34

Oregon if they had they had done the

20:36

same attack on that then thousands of

20:39

people would be flooded away right if

20:42

the the gates open in the dam by uh

20:45

remote control similarly uh the uh uh

20:50

North Koreans are doing this all the

20:52

time to South Koreans and uh Russians

20:55

are doing this to Ukraine they did shut

20:57

down their power and uh you know various

21:00

things so so what this book is saying is

21:02

that if we do not have control on this

21:06

uh we are going to uh basically at this

21:08

at some point we'll create a nuclear

21:11

disaster or some kind of a weapon system

21:14

misfiring and that could create a entire

21:17

you know worldwide uh uh war and and the

21:20

world uh end this is a very uh dystopian

21:24

view of things uh I don't want to scare

21:27

you but it's a serious thing to be taken

21:31

uh very seriously and I would highly

21:33

suggest reading this book if you can if

21:37

you if you try hard you will find a PDF

21:40

copy somewhere on the net on the

21:44

internet but I would request you to not

21:47

use that and buy it it's not very

21:50

expensive it's like 500 rupees or

21:52

something in

21:54

India Okay so

21:58

so now I'm going to

22:00

start our new uh

22:03

module miter at and

22:07

CK so miter ATN CK is a knowledge based

22:12

of how

22:14

adversaries attack our

22:17

systems and to remember like in in CC

22:21

what we saw is that they said they're

22:23

very simplistic they said these are the

22:24

seven stages through which an attack

22:27

adversary has to get into your system

22:30

install things make it permanent

22:32

persistent then may actually go into uh

22:36

uh communicate to the command and

22:37

control then eventually do something

22:40

that is harmful

22:42

right so miter actually is came much

22:46

later than CKC so they actually analyzed

22:49

you know thousands and thousands of

22:51

attack

22:53

incidents papers and so on and they said

22:55

okay this is not uh as simplistic and as

23:00

linear as CKC might give you an idea of

23:05

so I'm going so they created a knowledge

23:07

base now this knowledge base is actually

23:11

uh very extensive it has uh 14 tactics

23:15

and 300 over 300 techniques and then

23:19

more process procedures right so it's a

23:22

is basically what is called TTP tactics

23:25

techniques and

23:26

procedures so what

23:30

uh so we'll talk about what this ATN CK

23:34

is all about and then we'll uh uh teach

23:38

you how to

23:41

map a an incident like an attack

23:45

incident into uh at and CK framework and

23:50

we can do it from reports from analysts

23:53

or we can do it from raw data the data

23:56

that we collect as evidence uh from

23:59

there and then we'll talk about a tool

24:01

that uh miter has provided to do this

24:04

kind of work and then uh we'll see that

24:10

of course uh this is not to teach you

24:12

how to attack this is actually for

24:14

Defenders to understand the attacker so

24:17

that they can actually uh figure out for

24:21

each of these techniques if my defense

24:24

is adequate or do I have to do something

24:25

else so so to kind of wrap your head

24:28

around what can happen to my system and

24:33

figuring out how would I stop or how

24:35

would I detect that uh when it h when it

24:42

happens

24:44

so as a

24:46

Defender I want to know various things

24:48

right so I want to know whether the my

24:51

current um uh defense is adequate right

24:56

and the controls that I have like I I

24:58

have firewalls I have endpoint detection

25:00

I have network monitoring I have uh you

25:03

know uh strong authentication I have

25:07

two- Factor authentication I have uh

25:09

Network segmentation I have all these

25:12

things but is this enough does so if if

25:16

the question is this enough can only be

25:18

answered if you know what the other site

25:20

can do right if you if you assume that

25:23

the other side is very stupid you know

25:26

they can they will only try to do

25:27

something that that you know fishing and

25:29

nothing else right so then of course you

25:32

do not have to do a whole lot right you

25:33

can may stop that by by giving a lot of

25:38

training to your employees and users

25:41

that don't click on this kind of things

25:43

don't download this kind of things and

25:44

continue to say such things and you will

25:47

be fine but the adversary is not simple

25:51

right so they are much like as I said

25:53

that they're backed by government have

25:55

lot of funding lot of good hackers what

25:58

for them and so on and so forth so

26:00

therefore I cannot really depend on uh

26:04

uh this uh small uh or ad hoc

26:08

implementation of uh defense like

26:11

sometimes people do not think about

26:13

adversity and all they just put a

26:15

firewall they just put a uh you know

26:17

proxy and they they just put some

26:19

antivirus and think that everything is

26:21

fine but actually it is not until you

26:24

actually figure out what the attacker

26:26

might do and then compare uh whether uh

26:30

whether you have adequate defense so

26:32

that is something every Defender wants

26:34

to

26:35

know and then so uh second thing is that

26:40

um let's say I get I read in the news

26:43

that educational institutes are now

26:46

being targeted by let's say

26:49

aptx right so sometimes like you know

26:52

they attack some AP groups Target Health

26:55

sector some AP groups attack the um the

26:59

oil and gas sector and some nuclear

27:02

plants so there could be an AP Group

27:04

which might be attacking uh let's say

27:07

educational sector so as as iitk I will

27:11

be then immediately worry about whether

27:14

I can be a Target and if I am the target

27:18

I have to read all all the information

27:20

that from other incidents what what how

27:23

they got in what did they do whether

27:25

they did any kind of data exfiltration

27:27

whether they do ransomware attack and so

27:30

on then I have to check whether against

27:32

all my defense controls whether I can

27:36

handle that particular AP so so this

27:39

question here is not just about ap3 or

27:41

let's say 29 29 is also Russian threes

27:44

Chinese you know but uh actually uh this

27:49

uh uh for any kind of threat

27:52

intelligence that you get in the in the

27:55

news and in from your from let's say

27:58

or other places that this EP group is

28:01

now focusing on this particular sector

28:04

then I have to check against my defenses

28:07

whether uh that EP group can be uh can

28:10

be theed by my defenses and to do that I

28:13

have to understand the what that AP

28:16

group

28:17

does uh and uh so this is the question

28:21

like you know can I stop AP

28:24

attacks uh and then the question other

28:27

question is that

28:28

when I collect so I do uh so

28:30

organizations collect a lot of data from

28:33

their own infrastructure right so for

28:35

example if they have a network

28:37

monitoring they have a um endpoint

28:40

monitoring lots of data logs logs from

28:43

all the all the systems firewall logs

28:46

and and web server logs and so on so

28:48

it's a huge amount of data we collect

28:51

and then we analyze it and we display uh

28:53

the main uh findings on a screen like in

28:57

an see now the question is that is that

29:00

data that I'm

29:02

collecting is useful in protection

29:05

detection or uh uh response right so

29:08

this is the other question that I may

29:11

have the other question is that am I

29:14

actually overdoing it am I actually

29:16

having many tools which have overlapping

29:19

functionality they they meant to do the

29:21

same they're meant to detect or they're

29:24

meant to defend against the same thing

29:27

maybe I'm just unnecessarily buying two

29:30

different tools paying their license fee

29:32

and so on so that's another question I

29:34

may want to

29:35

know and then other thing is that when

29:37

the vendors come to you the cyber

29:39

security tool vendors they will tell you

29:42

all kind of things right so but you have

29:44

to actually you know formulate the right

29:48

questions in your mind that what is this

29:51

tool for what you know with respect to

29:54

this uh uh type of adversarial activity

29:57

will this tool help

29:58

and these kind of questions can be

30:00

answered better if you actually think uh

30:03

formulate everything in terms of miter

30:04

at and CK so so these are the reasoning

30:08

why MIT ATN CK was created

30:14

right so so ATN CK is a knowledge base

30:20

it's actually not a tool it's a

30:24

framework to actually think and study

30:28

the adversary's behavior in a very

30:31

structured way right as I said that this

30:35

group miter Corporation has is a think

30:38

tank uh they have a group they they

30:41

formed a group and this group actually

30:43

went through a very large number of

30:45

incidents and what happened in those

30:48

incidences and and what uh was done and

30:51

so

30:52

on and then they came up with this

30:55

structured way of uh capturing all this

30:58

incidents right so so they said uh an

31:01

adversary actually has a final goal like

31:04

for example in case of stocket the final

31:07

goal was to actually uh change the

31:10

program of programmable logic

31:12

controllers such that the motor that

31:16

that rotates the

31:18

spindles for enriching uranium this

31:21

motor sometimes goes very fast and

31:24

sometimes goes very

31:25

slow and instead of going going in an

31:28

uniform speed and at at a critical speed

31:31

right the the whole nuclear enrichment

31:34

uh they had like thousands and thousands

31:36

of very large you know tubes in which

31:39

you know uranium was being rotated for

31:43

uh you know this uh you know enriching

31:46

the uranium so these spindles uh if they

31:49

rotate at a critical speed or Beyond a

31:52

critical speed only then it works that

31:54

was the whole

31:56

idea now what this attackers did is that

31:59

they said okay so who rotates the

32:02

spindles there are Motors right every

32:05

every a spindle has a motor right so

32:07

that motor rotates the spindle so they

32:10

said okay fine so what I'll do is I will

32:14

see how I can get to the PLC the

32:17

programmable logic controller which

32:19

tells the motor to you know run in what

32:22

speed and so on right so which basically

32:24

gives signal to the motor sets its speed

32:27

and and so

32:28

on so so how do I get to the PLC right

32:32

so PLC is actually is is within the

32:36

within the uh uh you know uh the the

32:40

place where the spindles are are

32:43

situated it's like a factory floor right

32:46

so these plcs are now uh actually being

32:50

controlled uh by uh scada systems uh

32:54

these are uh supervisory control and

32:57

data acquisition systems but plc's plc's

33:00

are are you plcs are not like regular

33:03

computers you cannot SE seat on them

33:05

there's no screen uh there is a there is

33:08

no like LCD display there is there may

33:10

be a small display and some stuff but

33:12

there is no large display and there's no

33:15

keyboard and stuff so you actually

33:17

create the PLC programs and put them

33:20

download them into the PLC right from

33:22

from Windows

33:23

machines so if I if I need the PLC

33:26

program to change

33:28

then I have to actually go to find those

33:30

windows machines from which the PLC

33:33

program is loaded right now how do I get

33:37

to that Windows machine right so that

33:40

Windows machine is uh within the uh

33:43

within the network uh but that Network

33:45

itself is not connected to the

33:48

internet so but uh this within this

33:53

network the office Network at which

33:56

regular uh uh you know officers were

33:58

working and the network uh at on which

34:02

that Windows machine was there from

34:05

which the PLC programs are loaded we in

34:07

the same segment same network

34:11

segment so so if I can get one of these

34:13

office

34:14

guys to carry the malware the malware is

34:18

written very very care carefully and

34:21

with lot of the Ground Intelligence

34:23

right they knew exactly which uh like it

34:26

was a cmen PLC that were that they were

34:28

using an S S7 right so so they knew

34:31

exactly make an model and how it works

34:34

how the PLC is loaded with programs from

34:36

Windows all this stuff they researched

34:39

so they then apparently uh they give

34:42

some free USB somewhere or something

34:45

where the actual malware was loaded and

34:48

one of the officers actually brought

34:50

that in plugged it in the malware got

34:53

copied into his machine same network by

34:57

us utilizing the connection between one

35:01

machine to the other it did a lateral

35:03

movement and then it actually went

35:05

eventually to find the machine where the

35:07

PLC program uh is loaded it replaced the

35:11

PLC program by a program that will um

35:15

make the mo motor run erratically and

35:19

these motors are very sophisticated so

35:22

if they run erratically for a while they

35:24

burn out so so the

35:28

main idea was to actually burn out as

35:31

many uh as many uh Motors in a very

35:35

short time as possible again and again

35:38

and uh the attacker the the defender is

35:42

thinking so Motors often Crash and Burn

35:46

right so but that percentage is very

35:48

small like uh you know maybe 1% Motors

35:52

uh also uh Crash and Burn quickly so

35:56

when they started started seeing that

35:58

Motors are crashing and burning but they

36:01

they saw that this Crash and Burn is is

36:03

is a very fast rate like you know very

36:06

large percentage of motors are crashing

36:08

and burning which basically halted their

36:12

uranium enrichment Pro uh program then

36:15

they realized something is not right and

36:18

then they did the analysis they looked

36:20

at the PLC program and they say this is

36:23

a different program uh this is this no

36:27

this is not

36:28

program that was already there then they

36:31

you know worked it out and they figured

36:33

out that they have been uh they have

36:35

been uh taken in for so uh so at this

36:39

point they actually started they figured

36:42

out and they started launching the same

36:45

thing saate everywhere else so in a in a

36:49

couple of months after after the

36:51

Iranians got got to know in a couple of

36:55

months staet was found a everywhere in

36:58

Europe then in uh in uh us uh South

37:03

America and also in India and Asia right

37:07

so within like that year we are seeing

37:09

stack net everywhere and various

37:11

variants of Stack net right so so at

37:14

this point uh the governments who

37:17

actually did this they got really afraid

37:20

that okay we have launched

37:23

something we have uh we have unbottled a

37:25

genie which cannot be put back into to

37:27

the bottle that is the situation like so

37:29

we thought that we'll just do it nobody

37:31

would know we'll delay their nuclear

37:34

program and they will not figure out how

37:38

how they were having so many motor uh

37:41

malfunctioning uh for a while they they

37:43

will replace it by then we have a large

37:47

uh gap between their uh you know in the

37:49

advancement of their nuclear program but

37:53

unfortunately the the the thing came out

37:56

open in the open and there are various

37:59

variants of stock net started coming and

38:01

also various variants of uh other

38:05

malware which seems to be from the same

38:08

um same group that actually started the

38:12

St net malware and it got you know

38:15

forked into multiple different uh uh

38:17

types of

38:19

malware I have a whole lecture on that I

38:21

will post that uh so uh so the

38:24

idea that I'm trying to tell you is that

38:27

the

38:28

has a eventual goal that is to destroy

38:32

their nuclear capabilities by delaying

38:34

it that is their final goal but they

38:37

don't get to the final goal just just

38:40

directly right you cannot get attain the

38:42

final goal directly so what you have to

38:44

do is that you have to do various uh

38:47

short um you know short range goals

38:50

right how do I get in right so there

38:54

this this system is not connected to the

38:56

internet so they don't read emails on

38:59

their computer so I cannot fish them so

39:01

I have to figure out how to how

39:04

to deliver the malware so so USB it is

39:09

right so once they got that they got one

39:11

goal done but to before doing that goal

39:15

they also had to do weaponization

39:17

because to write that stuck net worm was

39:20

a lot of work it probably years of work

39:23

right so weaponization was done and then

39:26

uh the reconnaissance which uh

39:28

Executives to actually uh you know

39:31

Target that I have to figure out right

39:34

so that that also I have to uh figure

39:36

out so so reconnaissance was done so

39:40

reconnaissance was done weaponization

39:42

was done in in in fact reconnaissance

39:44

was probably done after weaponization

39:47

right because you write the St net in

39:50

the lab you test it on a test bed then

39:54

you go and find who in that particular

39:56

facility

39:58

is amenable to a taking a USB inside

40:01

without suspecting anything so that is

40:04

reconnaissance uh then we find the

40:07

delivery delivery was through the USB

40:09

stick then that worm has to actually

40:12

figure out the uh the machine in which

40:16

that worm was initially executed it may

40:19

not be a high privileged account right

40:21

so it has to figure out maybe how to do

40:23

privilege escalation or it has to figure

40:26

out how to move across the that machine

40:28

to another

40:29

machine eventually in search of the

40:32

machine that has the PLC uh

40:35

system so these are small small goals

40:38

right so how to get in how to um move

40:42

from one machine to the other how to how

40:45

to collect the data about which machine

40:48

has the right target system all this

40:51

stuff has to be done and these are

40:53

called tactics so when an attacker even

40:57

eventually wants to execute a goal he

40:59

has to string together tactics right so

41:03

so and these tactics are not necessarily

41:06

in a linear fashion like as I said in

41:08

stocket probably the the reconnaissance

41:11

happened after weaponization right so it

41:13

does Tactics do not happen in a linear

41:16

order they may happen in multiple order

41:19

same tactic may be used multiple times

41:22

in the same chain of events but

41:24

eventually you want to execute the final

41:27

goal that is what this thing is about so

41:30

tactics uh are then now now to implement

41:33

the tactics you need techniques so there

41:36

are a lot of uh different techniques you

41:38

can use for example delivery by a USB is

41:41

one technique for for delivery but you

41:45

could also deliver it through a CD maybe

41:48

you could have delivered it through a um

41:51

you know email you could have delivered

41:54

delivered it through some other

41:56

mechanism like like uh finding um uh

42:00

weakness in their local network and by

42:03

uh sending a spy into the into the uh

42:07

facility all all the all kinds of stuff

42:10

can be actually done so so each tactic

42:14

has a multiple techniques by which that

42:16

tactic can be

42:18

realized and uh then techniques can be

42:23

described in terms of procedures how a

42:25

technique is actually applied so there

42:27

are procedures

42:29

so and this knowledge Bas is Community

42:32

Driven so it's not like done only by

42:34

miter people they invited uh everybody

42:37

to actually contribute to this and it's

42:39

it has become a very huge and very

42:42

useful knowledge base for

42:46

everybody okay so let me let me show you

42:48

the knowledge base because I don't think

42:50

I have a whole lot of time

42:52

here 5 minutes

42:56

so uh uh

42:59

so so attack. miter.org is where you

43:03

have to

43:05

go uh here you'll see the tactics right

43:08

so uh tactics here you see the tactics

43:12

that I'm going to talk about in the

43:14

class is Enterprise tactics so

43:16

Enterprise tactics there are 14 uh

43:19

tactics right now if you go into their

43:24

mobile tactics how mobile attacks on

43:26

mobile mobile phones happen then you

43:28

will see a a slightly different set of

43:32

tactics and if you go to their IC

43:36

tactics that is industrial control

43:38

system then they will see a slightly

43:40

different and a smaller number of

43:42

tactics doesn't mean that the attack on

43:46

IC requires less number of tactics but

43:49

so far the attacks that have been

43:52

analyzed has seen only these tactics

43:55

tomorrow there may be another tactics

43:57

added to this list but to far this uh

44:00

this are the tactics that have been seen

44:02

in

44:04

use then if you if you actually go into

44:06

the uh techniques so Enterprise

44:09

techniques so here is a list of

44:11

techniques there are 300 plus

44:14

techniques so here and then there are

44:16

sub techniques so for example here you

44:19

say that abuse elevation control

44:22

mechanism right so here uh this is uh

44:26

about privilege escalation right so

44:29

there are multiple different sub

44:30

techniques within privilege escalation

44:34

like uh you know those those of you who

44:37

know about set uid set G ID thing here

44:40

is the bypass of user account control

44:43

using Pudo or pseudo caching uh elevated

44:47

execution with prompt uh temporary

44:49

elevated Cloud access access token

44:52

manipulation so there are many different

44:54

ways you can actually do the privilege

44:58

escalation okay so similarly you can

45:00

have techniques that are associated with

45:02

let's say uh initial access so initial

45:06

access you can have content injection

45:08

drive by compromise uh exploit public

45:11

facing application external remote

45:13

services and so on so these are

45:16

techniques we'll we'll get into this uh

45:19

later but uh this uh thread intelligence

45:23

right so there are thread

45:24

groups so you can see all this different

45:27

thread groups like uh like we talked

45:29

about the AP1 right so AP1 is a Chinese

45:34

thread group attributed to the second

45:36

Bureau of people's Liberation Army

45:39

general staff departments third

45:41

Department commonly known its military

45:43

unit cover designator as unit 6 uh

45:47

61398 so this group has been analyzed

45:52

quite a bit by the various threat

45:54

intelligence agencies so that's why

45:56

they're being so specific right about

45:59

who might be behind the

46:01

AP1 some of the groups may not be

46:04

actually you know known that

46:07

definitely here you have all the

46:10

techniques that has been seen to be used

46:13

by this AP group the kind of software

46:16

they use for their attacks and so on and

46:19

then there are some of this uh analysis

46:23

and stories related to AP1 so this is

46:26

where you find find more information of

46:28

AP groups you can find about different

46:30

softwares used for attacks so you can

46:34

see uh and this this uh list continues

46:37

to grow as we know more campaigns there

46:41

are

46:42

campaigns uh which are basically uh the

46:45

what the AP groups take carry out so if

46:48

you want to know like you know how the

46:51

2015 Electric Power Attack then you can

46:54

go

46:55

here and you can actually see what

46:58

techniques were used and then you can

47:01

from that you can figure out what

47:02

tactics were used so you see that these

47:04

are some of the uh software that were

47:08

used for this uh Ukraine Electric uh

47:10

power grid attack and there are so many