CTIA-2

CH1

What

  1. Attack specialization
  2. Threat intelligence

Introduction

  • KYE (Know Your Enemy) => the enemy

    • Who
    • Why
    • How
  • Incident => the event

    • When
    • Where
    • What
    • comprehensive information
  • cyber threat

  • vulnerability

    • 0 Day
      an attack that exploits computer application vulnerabilities before the software developer supplies a patch
    • 1 Day
      • binary diffing
      • organizations cannot apply the patch in time
    • N Day
  • Exploit (the attacker exploits the vulnerability)

  • Advanced Persistent Threats

    Definition
    > An attack that is focused on stealing information from the victim machine without the user being aware of it
    
  • Risk

    • pay attention to threat statements
    • likelihood + potential harm => risk
  • Information

  • Example

    • Uber was hacked again
  • 6W

  • Three levels of intelligence => degree of cognitive understanding ("seeing the mountain as not a mountain; seeing the mountain as a mountain")

    • Known Knowns
    • Known Unknowns
      • things we know we do not know
    • Unknown Unknowns
      • ignorance => "a summer insect cannot speak of ice"
  • Knowing something makes it possible to act on it

    • alert
    • prediction
  • TTPs

    • Tactic: describes the cyber attack at a macro level
    • Technique: more detailed than a tactic, provides the full context
    • Procedure: describes the complete attack process, more detailed than a technique
  • Intelligence types

    • know who you are up against
      • nation-state apparatus
        • APT
        • a different calibre of adversary
      • ISP (independent organization)
        • provides resources (attack services)
        • works to the employer's requirements

Scale      | Intelligence | Time       | Rank    | Audience | Content                               | Analysis                 | Format
War        | Strategic    | -          | General | CXO      | operational risk, strategic direction | Who/Why                  | Report (threat landscape report: long-term trends)
Campaign   | Operational  | -          | Officer | Manager  | threats, attacks                      | Who/Why/How (solutions)  | Report (ex: APT report)
Battle     | Tactical     | medium/low | NCO     | Admin    | TTP                                   | How                      | Messages
Engagement | Technical    | -          | Soldier | Staff    | attacker resources (cost)             | How                      | Messages
  • Strategic intelligence

    • ISAO/ISAC (intelligence sharing)
    • OSINT

    strategic business decisions

  • Operational intelligence

    • specific threat
    • report: security manager
    • source: humans, social media
  • Tactical intelligence

    • TTP (tactics, techniques, procedures)
    • addresses immediate objectives
    • clear understanding of the target
    • report: cyber security professional
    • ex: ShadowHammer
  • Technical intelligence

    • short lifespan
    • ex: IP, domains, email header
  • security information and event management
    => information processing => threat intelligence platform

strategic => exposure identification / risk assessment

  • operational => sensor/filter enrichment / impact assessment
  • tactical => TTP analysis / current investigation
  • technical => identify active campaigns / IoCs
  • organization

    • Security    Prevention  ISAC   early warning  TIP  > CTI
      Security    Detection   SOC    monitoring     SIEM > IOC
      Security    Correction  CSIRT  response       SOAR > Runbook
    • division of labour with cooperation
    • intelligence-driven decision making
  • Incident response

    • Pre-planning
    • Event
    • indicators of threats
      • IP address
      • domain
      • URLs
      • malware hash & file name
  • Using intelligence

    • signature filtering
    • IR
    • alarm/event prioritization
  • Intelligence lifecycle

    1. planning & direction
    2. Collection (data)
    3. Processing & exploitation (information)
    4. Analysis & production (intelligence)
      1. objective
      2. timely
      3. accurate
      4. actionable
    5. Dissemination and integration
  • Threat intelligence strategy

    1. define requirements and objectives
    2. build a collection plan
    3. protect asset items
      1. asset identification
      2. threat report
      3. threat threading
      4. intelligence buy-in
  • maturity

    • level0
    • level1
      • filter & aggregate
      • consume TI
    • level2
      • generate actionable TI
    • level3
      • establish TI processes & workflows
      • generate strategic & tactical TI
    • level4
      • efficient & matured threat intelligence program
  • Case

    • CIF architecture
    • TC Complete
    • Yeti
    • RiskIQ
    • LogRhythm
  • Related material

    • APT 34 (targeting energy companies)

CH2

Cyber threat

  • Categories

    • Hacktivist
    • Cyber Terrorists
    • nation-state hackers
    • suicide hacker
    • state-sponsored hacker
    • organized hacker
    • script kiddies
  • Threat

    • Intent (motivation)
    • Capability
      • TTPs (Tactics, Techniques, Procedures)
    • Opportunity Triad
    • resources
      => Attack = Motive + Method + Vulnerability
  • Related material

    • BlueLeaks
    • Syrian Electronic Army
    • NSA TAO
    • Stuxnet
    • NSA Utah (PRISM program)

APT

  • special

    • highly targeted
    • highly purposeful
    • low-profile and slow
    • customized attacks
  • APT lifecycle

    1. preparation
    2. initial intrusion
      1. phishing
    3. expansion (lateral movement)
    4. persistence

      maintaining a foothold

    5. Search & Exfiltration
      -> highly purposeful
    6. cleanup
      • disguise / covering tracks
  • Related material

    • RSA SecurID

Cyber kill chain

  • Methodology
    • reconnaissance
    • weaponization
    • delivery
    • exploitation
    • installation
    • command and control (communicate)
    • actions on objectives

CKC stage              | COA
Reconnaissance         | ?
Weaponization          | Doc
Delivery               | Email
Exploitation           | VBA -> PowerShell
Installation           | Downloader -> exe
Command & Control (C2) | T,H,C
AOB                    | ?
  • defence quantification
  • Tactics

  • Technique

    • immediate result
  • Procedures

  • behaviour

    • internet reconnaissance
    • use of PowerShell
    • unspecified proxy activities
    • use of command-line interface
    • HTTP user agent
    • command & control server
    • use of DNS tunneling
    • use of web shell
      • China Chopper
      • 404StarLink
      • AntSword
    • data staging
  • References

    • Lockheed Martin
      • conventional warfare methodology applied to the network
    • OilRig DNS-over-HTTPS
    • Citrix

IoC (indicators of compromise)

  • what is left behind after the attack

  • Formats

    • OpenIoC
      • XML
    • STIX
      • 1.x: XML
      • 2.x: JSON
  • Four dimensions

    • Email
      • sender
      • address
      • subject
    • Network indicators
    • host-based indicators
    • Behavioral indicators
  • Common IoCs

    • unusual outbound network traffic
    • unusual activity through privileged user accounts
    • geographical anomalies
    • multiple login failures
    • increase in database read volume
    • large HTML response size
    • multiple requests for the same file
      • lack of operational security awareness
    • mismatched port-application traffic
    • suspicious registry or system file changes
    • unusual DNS requests
    • unexpected patching of systems
      • taking exclusive control (grabbing turf)
      • keeping a useful vulnerability for themselves
    • signs of DDoS activity
    • bundles of data in the wrong places
      • operational security
    • web traffic with superhuman behavior
      • scripts
  • Pyramid of pain
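As an added example that is not part of these notes or of any CTIA material, the Python below ties the STIX 2.x (JSON) format above to the "common IoCs" list: it builds a minimal STIX 2.1 Indicator object, pulls the atomic IoCs (domain, IP, file hash) out of its pattern, matches them against constructed log lines, and separately flags the "multiple login failures" pattern with a sliding time window. The domain, IP, hash, log format, field names and the failure threshold are all assumptions constructed for the example. In Pyramid-of-Pain terms these hashes, IPs and domains are the bottom rungs: cheap for an attacker to change, which is why the technical intelligence above has a short lifespan.

```python
import json
import re
import uuid
from collections import defaultdict, deque
from datetime import datetime, timezone

# Constructed placeholder values (not real IoCs): a reserved .test domain,
# a TEST-NET-3 address and an all-zero "hash".
BAD_DOMAIN = "update.example-bad.test"
BAD_IP = "203.0.113.45"
FAKE_SHA256 = "0" * 64
PATTERN = (
    f"[domain-name:value = '{BAD_DOMAIN}'] OR "
    f"[ipv4-addr:value = '{BAD_IP}'] OR "
    f"[file:hashes.'SHA-256' = '{FAKE_SHA256}']"
)

# Constructed log lines (assumed key=value format), not from any real system.
SAMPLE_LOGS = [
    "2024-05-01T10:00:01Z dns host=ws01 qname=update.example-bad.test",
    "2024-05-01T10:00:05Z auth result=fail user=alice src=10.0.0.5",
    "2024-05-01T10:00:09Z auth result=fail user=alice src=10.0.0.5",
    "2024-05-01T10:00:12Z auth result=fail user=alice src=10.0.0.5",
    "2024-05-01T10:00:20Z auth result=success user=bob src=10.0.0.7",
    "2024-05-01T10:00:31Z conn host=ws01 dst=203.0.113.45 dport=443",
    "2024-05-01T10:00:40Z auth result=fail user=alice src=10.0.0.5",
    "2024-05-01T10:00:44Z auth result=fail user=alice src=10.0.0.5",
    "2024-05-01T10:03:00Z auth result=fail user=bob src=10.0.0.7",
]


def make_indicator(name, pattern, valid_from):
    """Build a minimal STIX 2.1 Indicator SDO as a plain dict (JSON-ready)."""
    now = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.000Z")
    return {
        "type": "indicator",
        "spec_version": "2.1",
        "id": f"indicator--{uuid.uuid4()}",
        "created": now,
        "modified": now,
        "name": name,
        "indicator_types": ["malicious-activity"],
        "pattern": pattern,
        "pattern_type": "stix",
        "valid_from": valid_from,
    }


# One STIX comparison expression looks like [object-type:property = 'value'];
# this regex pulls the equality comparisons out of a pattern (atomic IoCs only).
_COMPARISON = re.compile(r"\[\s*([\w-]+):([\w.'\-]+)\s*=\s*'([^']*)'\s*\]")


def extract_iocs(indicator):
    """Return {object_type: {values}} for every equality comparison in the pattern."""
    iocs = defaultdict(set)
    for obj_type, _prop, value in _COMPARISON.findall(indicator["pattern"]):
        iocs[obj_type].add(value)
    return dict(iocs)


def scan_logs(lines, iocs):
    """Match log fields against the IoC sets; return (line_no, object_type, value) hits."""
    field_to_type = {"qname": "domain-name", "dst": "ipv4-addr", "src": "ipv4-addr"}
    hits = []
    for n, line in enumerate(lines, 1):
        for key, raw in re.findall(r"(\w+)=(\S+)", line):
            obj_type = field_to_type.get(key)
            if obj_type and raw in iocs.get(obj_type, set()):
                hits.append((n, obj_type, raw))
    return hits


def failed_login_bursts(lines, threshold=5, window_s=60):
    """Flag users with >= threshold auth failures inside any window_s-second span."""
    recent = defaultdict(deque)
    flagged = {}
    for line in lines:  # lines are assumed to be in chronological order
        if "auth result=fail" not in line:
            continue
        ts = datetime.strptime(line.split()[0], "%Y-%m-%dT%H:%M:%SZ")
        user = re.search(r"user=(\S+)", line).group(1)
        window = recent[user]
        window.append(ts)
        while (ts - window[0]).total_seconds() > window_s:
            window.popleft()
        if len(window) >= threshold:
            flagged[user] = max(flagged.get(user, 0), len(window))
    return flagged


if __name__ == "__main__":
    ind = make_indicator("constructed demo indicator", PATTERN, "2024-05-01T00:00:00Z")
    print(json.dumps(ind, indent=2))
    for hit in scan_logs(SAMPLE_LOGS, extract_iocs(ind)):
        print("IoC hit:", hit)
    print("login-failure bursts:", failed_login_bursts(SAMPLE_LOGS))
```

The matcher only understands simple equality comparisons, which is exactly what atomic IoCs (IP, domain, hash) need; a full STIX pattern evaluator would also have to handle observation operators and timing qualifiers.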


  • difficulties encountered during the investigation

Data

  • source collection => data => information => intelligence
    • stay calm and objective
  • intelligence is only meaningful when it is used
    • binge-watching vs studying

CTIA exam 3/28

  • 50 multiple-choice questions
  • 2 hours