--- title: CTIA-1 tags: tutorials disqus: hackmd --- :::success [TOC] ::: [CTIA-2](/un_VD7KWSimrYNh4BQr20g) ## CH1 ### what 1. 攻擊專業化 2. 威脅情資 ### introduce - KYE (Know Your Enemy) => 敵人 - Why - Why - hoW - Incident =>事件 - When - Where - What - 全面的資訊 - cyber threat - vulnerability - 0 Day > :+1: an attack that exploits computer application vulnerabilities before the software developer supply a patch - 1 Dxay - binary diffing - 組織上 patch 無法及時 - N Day - Exploit(駭客剝削漏洞) - Advance Persistant Threats :::spoiler 定義 > An attack that is fouced on stealing information from the victim machine without the user being aware of it ::: - Risk - 注意威脅言論 - 可能性+可能傷害=>風險 - Information - 例子 - uber was hacked again - 6W - 情報三階 =>認知理解程度 (看山不是山 看山是山.....) - Known Knowns - 知 - Known UnKnowns - 不知 - UnKnown UnKnowns - 無知=>夏蟲不語冰  - 因知道而有辦法做些什麼 - alert - 預測 - TTPS - 戰術(tactic): 指的是以宏觀層次描述描述網路攻擊 - 技巧(technique): 比戰術的細節更多，提供完整的脈絡 - 程序(procedure): 說明完整的攻擊過程，較技巧所提供的資訊更詳細 - 情報類型 - 知道自己所要面對的對象 - 國家機器 - APT - 規格不同 - ISP(獨立組織) - 提供資源(攻擊服務) - 依雇主需求 :::success | 規模 | 情報 | 時間 | 階級 | 對象 | 內容 | 分析 | 格式 | | ---- | -------- | ---- | ---- | ---------- | ------------------ | --------------------- | --- | | 戰爭 | **戰略** | 年 | 高 | 將 CXO | 營運風險、策略方向 | Who/Why | Report (threat landscape report(長時間 趨勢) ) | | 戰役 | **行動** | 月 | 中 | 官 manager | 威脅、攻擊 | who/why/how(解決方案) | Report(ex:apt report) | | 戰鬥 | **戰術** | 周 | 中低 | 士官 Admin | TTP | how | messages | | 作戰 | **技術** | 天 | 低 | 兵 staff | 攻擊者的資源(成本) | how | messages | ::: :::info - 戰略情報 - ISAO/ISAC (情報交流) - OSINT > 策略上的營運決策 - 行動情報 - specific threat - report:sercrity manager - SRC:humans,social media - 戰術情報 - TTP(戰術、技術程序) - 解決立即性的目標 - 對目標有明確認知 - report:cyber sercurity professional - ex: **shadowHammer** - 技術情資 - short lifespan - ex:iP,domains,email header... ::: - 相關資料 - Emotet - [APT19](https://www.mandiant.com/resources/insights/apt-groups) - [APT41](https://www.ithome.com.tw/news/151611) - karperky apt report - US-CERT - https://mitre-attack.github.io/caret/#/ :::warning - sercurity information and event management => information processing =>threat intelligence platform strategic -->exposure idenrification risk assement - operational=> sensor/filter Enrichment / impact assement - tactical=>TTP anlysis /Current insvestigation - Technical=>identify active vcampaigns/IoCs ::: - organization - |Security|Prevention|ISAC 預警|TIP --> CTI| |-|-|-|-| ||Detection|SOC 監控|SIEM -->IOC| ||Correction|CSIRT 應變|SOAR--> Runbook| - 分工且合作 - 情資導向的決策模式 - Incident response - Pre-planning - Event - indecator of threats - ip address - domain - URLs - malware hash &file name - 情報利用 - 特徵篩選 - IR - Alarms Event prioritization - 情資的生命週期 1. planning &direction 2. Collection(資料) 3. processing &Exploitation(資訊) 4. analysis&production(情報) 1. object 2. timely 3. accurate 4. actionable 5. Dissemination and integration - 威脅情資策略 1. 需求、目標訂定 3. 建立蒐集計畫 4. 保護資產項目 1. asset identification 2. threat report 3. threat threading 4. intellegence BUY-in - maturity - level0 - level1 - pilter&aggregate - consume TI - level2 - generate actionable TI - level3 - establish TI process&workflows - generate strategic & tactical TI - level4 - Efficient & matured threat intellegence program - Case - CIF architechect - TC complete - Yeti - RiskIQ - logrhythm - ... - 相關資料 - APT 34(對能源公司) ---- ## CH2 ### Cyber threat - 分類 - Hacktivist - Cyber Terrorists - 國家級駭客 - suicide hacker - state-sponsored hacker - organized hacker - script kiddes - Threat - Intenet(動機) - Capability(能力) - TTPS(Tactics. Techniques Procedures) - Opportunity Triad - 資源 => Attack=Motivate + method + vulunbility - 相關資料 - blueleak - sea eletronic army - nsa tao - 震網病毒 - NSA猶他州(稜鏡計畫) ### APT - special - 高度目標性 - 高度目的性 - 低調、緩慢 - :fire:客製化攻擊 - :warning: apt lifecycle 1. preparation 2. initial intrusion 1. 釣魚 4. expansion(橫向移動) 5. persistence > 持續化 7. Search & Exdiltration ->高度目的性 9. cleanup - 偽裝 - 相關資料 - RSA secure ID ### Cyber kill chain(阻殺鏈) :::success - Methodology - recon - weapon - deliver - expolite - installation - communicate - action and objective :::danger :fire: |CKC||COA| |-|-|-| |Reconnaissance|?|...| | Weaponization|Doc|...| |Delivery|Email|...| |Expoitation|VBA -> PowerShell|...| |Installation|Downloader -> exe|...| |Command & Control(C2)|T,H,C|...| |AOB|?|...| - 防禦量化 ::: - Tactics - Technique - imediate result - Procedures - behaviar - internet Reconnasisance - use of powershell - Unspecified Proxy activities(非特定代理) - Use of command-line interface - Http user agent - command & control server - Use 0f DNS tuneling - use of web shell - china chopper - 404starlink - antisword - data staging - 參考資料 - [lockheed martin](https://www.lockheedmartin.com/content/dam/lockheed-martin/rms/documents/cyber/LM-White-Paper-Intel-Driven-Defense.pdf) - 正統作戰方式放在網路中實現 - oilrig DNS-over-https - citrix ### IoC(入侵指標) - 攻擊結束後所留下的 - 規格 - OpenIoC - XML - STIX - 1.x:XML - 2.x:JSON - 四大維度 - EMAIL - sender - address - subject - Network indicators - host-based indicators - Behavioral indicators - 常見IOC - unusual Outbound Network traffic - unusual activity through Priviliged User account - Geographical Anomalies - Multiple Login Failures - Increase in Database Read Volume - Large HTML response size - mutiple requests for the same file - 缺乏作業安全意識 - mismatched port-application trffic - suspicious Registry or system file changes - unusual DNS requests - Unexpected patching of systems - 獨佔控制權(搶地盤) - 好用的漏洞 - signs of DDoS activity - bundles of Data in wrong places - 作業安全 - web trffic with superhuman behavior - 腳本 :::info - Pyramid of pain :star:  [圖片](https://www.google.com/url?sa=i&url=https%3A%2F%2Fwww.attackiq.com%2F2019%2F06%2F26%2Femulating-attacker-activities-and-the-pyramid-of-pain%2F&psig=AOvVaw3CjF7UA0D17Cl8vCKI3CoN&ust=1669109045712000&source=images&cd=vfe&ved=0CA8QjRxqFwoTCNiEt-_5vvsCFQAAAAAdAAAAABAE) - 調查過程中遇到的困難 ::: ## :fire:資料 - 來源收集=>資料=>資訊=>情報 - 冷靜客觀 - 情報要運用才有意義 - 追劇 VS 讀書 ## CTIA 考試 3/28 - 50選擇 - 2HR