Cyber Threat Intelligence Platforms | OpenCTI | TryHackMe

Captions
What's going on guys, welcome back to this video. Happy New Year! I wish you guys all the success, and I wish you will learn more in 2024 than you have learned in 2023 and be more successful. So let's get started with the first day of this year with this video: OpenCTI. So basically here we have the CTI in red, because first we're going to talk briefly about it. Of course it's not the subject of this video, but it is related and we're going to need to touch on this: cyber, T for threat, and I for intelligence. So OpenCTI, first: OpenCTI is a platform. It is a platform for CTI, which is cyber threat intelligence. Now what are these platforms used for? Why do we use cyber threat intelligence platforms, or threat intelligence platforms? We use these platforms to collect, first (okay, we want to collect input), store, manage and, most importantly, share. But what do we share? We share threat intelligence data, meaning we share info about threats, and that is the cornerstone of cyber threat intelligence: we study threats and we share the information with the community. So how do these platforms work? We have OpenCTI; other open-source cyber threat intelligence platforms are MISP (Malware Information Sharing Platform) and TheHive, and we have frameworks also, MITRE, which you have covered before. Now these frameworks and these platforms, the ultimate objective is to manage and share threat intelligence data. Now where does threat intelligence data come from? Threat intelligence data comes from, first, incident response engagements. So if you work in an incident response team you will be called regularly to handle incidents. Now while handling the incident you will discover the root cause of the incident. It could be malware, it could be ransomware, so on and so forth. So you discovered the malware, okay, and the malware has IOCs such as hash, domain names (we talked about these so much previously), hash, domain, IP, and additionally we try to identify the APT group or the attackers. So at the end, what happens after the incident response, at the lessons learned phase? Lessons learned is the last stage in the incident response process. Here we wrap up everything we did during the incident, and among the things is classifying the malware, okay, classifying the advanced persistent group according to the MITRE framework, and therefore we now have threat data. The threat data now will be stored in a threat intelligence platform such as OpenCTI, MISP, TheHive; it depends on the organization. So we store now the threat data from an incident response engagement. However, we cannot rely only on data coming from your team's engagements; we need to rely on another source, which is the community feeds. Community feeds basically contain threat data as well, so it's not something strange: it is threat data shared by other incident responders about malware, new threats, emerging threats, and again the threat data is digested into the threat intelligence platform: OpenCTI, MISP, TheHive, MITRE. At the end we will have huge data about threats, whether it is coming from local engagements or from community feeds, and we'll be able to share reports, share insights, and ultimately we want to predict threats and use that to perform risk assessments.

All right, so now it's time to jump to OpenCTI and study its components. Now let's log into OpenCTI. For credential information I'm using the lab offered by this room, OpenCTI; this is a SOC Level 1 room, or part of the SOC Level 1 pathway. We can log in now using these credentials. Okay, going to save. Okay, so we have an investigative scenario here. Before we deep dive into this dissection of the scenario, let's first go over the components of OpenCTI. As you can see we have the dashboard; that's what you see when you first log in. The dashboard contains a summary of the data digested by all entities. We have total entities; entities are the threats and the attacker groups combined together. There are 15,000 relationships: for every threat and for every attacker group we have relationships. The reports coming from other open-source report communities and platforms, in addition to local reports: there are 2,000 or close to 3,000. And we have the observables; we're going to talk about the observables as well. So the dashboard is a summary of the data found in your account or the installation.

Now first let's talk about the two main tabs: we have the Activities and we have the Knowledge. So the Activities tab contains information about the threats. So basically in the Analysis section, if you click on the Analysis section, we can see the reports coming from different organizations in threat intelligence about recent threats. For example we can see here a MITRE ATT&CK report; we can click on the report and we can see information here. Above, we can navigate through this report using Overview, Knowledge, Content, Entities, Observables and Data. Now how are these reports digested into OpenCTI? It is through something called connectors. The connectors: there are external connectors and internal connectors. The external connectors connect the platform to other open-source, to other threat intelligence communities, and in the Analysis tab we can see these reports. Okay, now if we go to Events, as you can see it doesn't have anything. Now why is that? Because Events is the section in the Activities tab where we register the events that are handled locally. So here, we talked about this earlier in this video, that some data about threats come from your incident response engagements. So whenever there is an incident you will have the data gathered and you will register the information about the events or the incident here in this section, by clicking on the plus icon, and you will name the incident, the confidence level and other information. So this section here is about the local incident response data.

Okay, the Observations. All right, so Observations is the section that contains the technical elements; mostly it is the IOCs or the indicators of compromise: hashes, IPs, domains, email addresses. On the right side we can see the filters we can use to narrow down the results. For example if you want to search for domain names, we can take a look at the domain names. These domain names represent technical elements discovered during an incident, and they could also be C2 domains. You can also look for IP addresses, nothing. If you take a look at some of these entries we can see it is a hash, and it is related to an executable file discovered by MalwareBazaar, which is another website used for sharing information and intelligence about malware. Scrolling down we can see other information as well, such as the report; the report is uploaded by someone who discovered the malware, basically. So Observations is a section that contains the indicators of compromise.

Now if we head over to Knowledge: the Knowledge has three types, Threats, Arsenal and Entities. Usually we will deal with Threats and Arsenal. So the Threats tab: click on Threats, and here we can see the information about the threat actors, okay, the groups of attackers that were observed conducting a cyber attack, and we can navigate the threats here. Clicking on Intrusion Sets: intrusion sets, it is the tools, the techniques, procedures and other infrastructure used by the attackers, classified according to the attacker group. But as you can see here the entries mostly are attacker groups: APT1, APT2, Andariel, Ajax Security Team. So we can see here attacker groups, and if you click on an example, APT1, this is an advanced persistent group and this is the description of the group. Scrolling down we can see the relationships, the attack patterns used by the group, and the reports that were submitted about this group by different communities; here also references. We can click on Knowledge to see a summary of the information. As you can see they use 28 attack patterns, 11 tools and six malware observed from this group. We can also filter using the right-hand pane, if you want to see what are the malware classes used by this group. You can click on Attack Patterns, for example, and we can check out the TTPs of this group. As you can see we have the cyber kill chain; according to the cyber kill chain, the techniques used by this group are highlighted here according to the cyber kill chain phase. For example in Discovery they use Account Discovery. We can also deep dive into more detail by clicking on the technique, and we can see that APT1 used Account Discovery against these platforms. Going back, the Knowledge tab also shows a timeline of the TTPs used by this group. Here we can see reports from other open-source, from other communities as well. Indicators: okay, no indicators. So here the Data tab is supposed to contain the files uploaded or generated for the export, but no files are uploaded here for export. And the History: here we can see the changes made to the element, meaning the APT group, the changes made by the administrator of this platform.

Okay, now let's go back to Threats. So Threats is the information about the attackers, the tools, techniques they have used. Now if you go to Arsenal, here we can see that it's about malware; as you can see here, 4H RAT, ABK. We can also filter: if you're looking for a specific name, for a specific malware, you can use the search box. Here we have the Attack Patterns, so basically again we go back to what is called TTPs, tactics, techniques and procedures. Here we can take a look at the details of the TTPs according to the malware classification. So if you go back to Arsenal, take an example such as, let's see, Agent.btz. So here we click on Knowledge; you can see we have six attack patterns. Go back to Overview; we can see the description of this malware: it is a worm that primarily spreads itself via removable devices such as USB drives. Okay, let's click now on Attack Patterns. Here you can see the details of the Command-Line Interface and relationships as well. So, Activate Firmware Update: we click on this and we can see more details about it. Go back to Arsenal: we have also the Courses of Action, what can be done to prevent an attack technique. So as you can see we have all the attack techniques here; we can click on every single one to have a look at the mitigation. The Tools we have here: the tools developed for network maintenance, monitoring and management; also attackers can use these tools as well during the attack. As you can see you have BloodHound, CrackMapExec; all of these tools were witnessed while conducting an attack. And we have the Vulnerabilities that also were used. Okay, now mainly we will deal with the Malware section.

Okay, so now, having explained both these sections, we're going to go now and have a look at the investigative scenario. As a SOC analyst you have been tasked with investigations on malware and APT groups rampaging throughout the world. Your assignment is to look into the CaddyWiper malware and the APT37 group, and gather information from OpenCTI to answer the questions. Let's start with CaddyWiper. So we want to research a specific family of malware; we're going to go to Arsenal and click on search. So we found the malware we're looking for. Let's have a look at the description: CaddyWiper is a destructive data wiper that has been used in attacks against organizations in Ukraine since at least March 2022. All right, what is the earliest date recorded related to CaddyWiper? So we're going to look at the first date of discovery. Definitely it is not this one, because this is the creation date of the entry in the platform. So we're going to take a look at the Knowledge tab; this is the timeline. We can see that in March 2022 the first attack technique was Native API, but when exactly did this happen? We just don't know yet; we want more details, like exactly at what day in March. So the first thing to learn is that at first it was discovered in March 2022. Now we're going to go to Analysis to see reports submitted by different organizations. You can see the oldest report was submitted on 15 March 2022, Cisco, CaddyWiper. So indeed it was in March, but exactly we want the day: it is 15 March, 15 March 2022.

Which attack technique is used by the malware for execution? Now we're going to research the techniques used by the malware, so you're going to go back to Knowledge and click on Attack Patterns. On the right here you can see the attack techniques according to the cyber kill chain phase. During the Execution phase we have Native API. We're going to click on Native API to have a look at more details; as you can see the answer is Native API. And then, how many malware relations are linked to this attack technique, meaning Native API? So now we are in Native API; we want to know how many malware relations. Here we can see the relationships, and malware relations are 1, 2, 3, 4, 5, 6, but definitely the answer cannot be found from here. So we're going to have to go to Knowledge, and then we can see the whole number of relationships: so on malware we have 113. Which three tools were used by the attack technique in 2016? So we click on Tools, and here we can see the date and time of every tool. In 2016 we have ShimRatReporter, BloodHound and Empire; these tools were used by the malware on that date. What country is APT37 associated with? Now we head over to Threats; we want to research attack groups, so we're going to filter for APT37. If you don't find anything in Threat Actors you can head over to Intrusion Sets and research APT37. So we have an entry; we can answer this question, what country? Okay, so APT37 is a North Korean state-sponsored cyber espionage group that has been active since at least 2012, so it is North Korea. Which attack techniques are used by the group for initial access? So we want to take a look at their techniques; we're going to go to Knowledge and we're going to head over to Attack Patterns to have a look at the techniques classified according to the cyber kill chain. Since we want to answer with the shorthand name, we're going to filter using this filter, Kill Chain View, and we want to see which attack techniques are used by the group for initial access. So Initial Access: here we have two techniques, Drive-by Compromise and Spearphishing Attachment; we can answer with the shorthand name. So this concludes the answers for the scenario and also the subject of this video. I attempted to gather all I could have gathered about the threat intelligence platforms; I just created a new note file, Threat Intelligence Platforms. It houses information about three threat intelligence platforms: MISP and TheHive as well as OpenCTI. You can find it in the Google Drive if you are subscribed to channel membership. So that was it, and I'm going to see you in the next video.
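The scenario questions above (earliest report date, techniques per kill-chain phase, relationship counts) are all queries over the entity/relationship model a CTI platform stores; OpenCTI's data model follows STIX 2.1. The following is an added example, not code from the video or from the OpenCTI project: it runs those three queries over a small constructed STIX-style bundle whose ids are placeholders (not real STIX UUIDs) and whose objects, dates and counts are constructed to mirror the video's walkthrough.

```python
"""Added example: answering the video's CTI scenario questions over a constructed
STIX-style bundle. Not OpenCTI code; ids are placeholders and all data is constructed."""
from collections import Counter
from datetime import date

def ap(ident, name, phase):  # attack-pattern carrying one MITRE kill-chain phase
    return {"type": "attack-pattern", "id": ident, "name": name,
            "kill_chain_phases": [{"kill_chain_name": "mitre-attack", "phase_name": phase}]}
def uses(src, dst):  # STIX 'uses' relationship (only the fields the queries need)
    return {"type": "relationship", "relationship_type": "uses", "source_ref": src, "target_ref": dst}

BUNDLE = [  # constructed stand-in for what a connector would ingest
    {"type": "malware", "id": "malware--caddywiper", "name": "CaddyWiper"},
    {"type": "malware", "id": "malware--sample-a", "name": "ConstructedSampleA"},
    {"type": "intrusion-set", "id": "intrusion-set--apt37", "name": "APT37"},
    ap("attack-pattern--native-api", "Native API", "execution"),
    ap("attack-pattern--drive-by", "Drive-by Compromise", "initial-access"),
    ap("attack-pattern--spearphish", "Spearphishing Attachment", "initial-access"),
    uses("malware--caddywiper", "attack-pattern--native-api"),
    uses("malware--sample-a", "attack-pattern--native-api"),
    uses("intrusion-set--apt37", "attack-pattern--drive-by"),
    uses("intrusion-set--apt37", "attack-pattern--spearphish"),
    uses("intrusion-set--apt37", "attack-pattern--native-api"),
    {"type": "report", "name": "Cisco: CaddyWiper", "published": "2022-03-15T00:00:00Z",
     "object_refs": ["malware--caddywiper"]},
    {"type": "report", "name": "Later write-up", "published": "2022-04-02T00:00:00Z",
     "object_refs": ["malware--caddywiper", "attack-pattern--native-api"]},
]

def by_id(bundle):
    return {o["id"]: o for o in bundle if "id" in o}
def earliest_report_date(bundle, obj_id):
    """Earliest 'published' among reports referencing obj_id; this, not the entry's
    creation date in the platform, is what 'earliest date recorded' asks for."""
    dates = [o["published"][:10] for o in bundle
             if o["type"] == "report" and obj_id in o.get("object_refs", [])]
    return date.fromisoformat(min(dates)) if dates else None
def techniques_in_phase(bundle, source_id, phase_name):
    """Attack patterns that source_id 'uses', filtered by kill-chain phase (what the
    Kill Chain View shows for 'execution' or 'initial-access')."""
    objs = by_id(bundle)
    return sorted(objs[r["target_ref"]]["name"] for r in bundle
                  if r["type"] == "relationship" and r["source_ref"] == source_id
                  and any(p["phase_name"] == phase_name
                          for p in objs[r["target_ref"]].get("kill_chain_phases", [])))
def relations_by_source_type(bundle, target_id):
    """Inbound relationships to target_id counted per source type: the full figure
    the Knowledge tab gives when the overview's relationship list is truncated."""
    objs = by_id(bundle)
    return Counter(objs[r["source_ref"]]["type"] for r in bundle
                   if r["type"] == "relationship" and r["target_ref"] == target_id)
```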
Info
Channel: Motasem Hamdan
Views: 1,016
Id: rw_-6rlu5EA
Length: 23min 8sec (1388 seconds)
Published: Mon Jan 01 2024