WEBVTT 1 00:00:00.120 --> 00:00:03.319 Welcome to the Deep Dive, where we slice through your articles, 2 00:00:03.439 --> 00:00:07.839 research and notes to bring you the most potent nuggets 3 00:00:07.879 --> 00:00:08.519 of knowledge. 4 00:00:08.720 --> 00:00:09.320 That's a plan. 5 00:00:09.519 --> 00:00:12.560 Our mission today is to cut through the digital noise 6 00:00:12.800 --> 00:00:15.679 and give you a shortcut to truly understanding the ever 7 00:00:15.800 --> 00:00:17.920 evolving landscape of cybersecurity. 8 00:00:18.000 --> 00:00:19.280 This certainly evolves quickly. 9 00:00:19.480 --> 00:00:23.120 We're jumping into the fascinating and sometimes frankly alarming world 10 00:00:23.120 --> 00:00:26.160 of cyber threats, the minds behind them, and well the 11 00:00:26.239 --> 00:00:28.440 dynamic ways we're trying to defend against them. 12 00:00:28.480 --> 00:00:29.519 It's quite the battlefield. 13 00:00:29.640 --> 00:00:32.960 You've shared some incredibly insightful source material, giving us a 14 00:00:33.000 --> 00:00:37.079 deep look at the core concepts, real world attacks and 15 00:00:37.119 --> 00:00:39.880 the intricate dance between offense and defense. 16 00:00:40.240 --> 00:00:43.520 And what immediately becomes clear from this material is the 17 00:00:43.520 --> 00:00:47.000 intricate interconnectedness of all these elements. How so, we're talking 18 00:00:47.000 --> 00:00:50.719 about everything from the initial reconnaissance and attacker performs, to 19 00:00:50.799 --> 00:00:55.759 the specific types of malware they deploy, the cryptographic vulnerabilities 20 00:00:55.759 --> 00:01:01.159 they might exploit, and finally how organizations attempt to predict, detect, 21 00:01:01.200 --> 00:01:04.799 and mitigate these complex threats. We'll be breaking down these layers, 22 00:01:04.840 --> 00:01:08.040 connecting the dots and maybe uncovering some surprising facts along 23 00:01:08.040 --> 00:01:08.319 the way. 24 00:01:08.560 --> 00:01:10.680 So what does this all mean for you, whether you're 25 00:01:10.719 --> 00:01:13.560 prepping for a crucial meeting, catching up on the field, 26 00:01:13.760 --> 00:01:16.000 or just you know, insanely curious. 27 00:01:16.079 --> 00:01:17.719 Well, hopefully a clearer picture. 28 00:01:17.879 --> 00:01:20.239 We're going to unpack the who, what, and how of 29 00:01:20.280 --> 00:01:23.560 cyber attacks and then pivot to the cutting edge strategies 30 00:01:23.599 --> 00:01:26.480 for defense, giving you a much clearer view of this 31 00:01:26.680 --> 00:01:30.319 vital domain. Let's get started, Okay, let's unpack this. Our 32 00:01:30.400 --> 00:01:32.760 sources kick off by setting the stage with the vision 33 00:01:32.840 --> 00:01:36.000 of the Internet of things, you know, countless devices talking 34 00:01:36.040 --> 00:01:39.680 to each other, creating incredibly intelligent environments. 35 00:01:39.159 --> 00:01:41.239 Smart homes, smart cities exactly. 36 00:01:41.719 --> 00:01:45.439 But this technological revolution, as our material notes, opens up 37 00:01:45.599 --> 00:01:47.760 entirely new forms of sophisticated threats. 38 00:01:47.799 --> 00:01:51.120 Indeed, if we connect this to the bigger picture, the 39 00:01:51.239 --> 00:01:56.840 sheer complexity and vast diversity of these IoT networks create 40 00:01:57.120 --> 00:01:58.680 inherent security challenges. 41 00:01:58.799 --> 00:02:01.439 Makes sense. Too many different things talking, right, So. 42 00:02:01.359 --> 00:02:04.319 The first step towards an effective defense strategy then is 43 00:02:04.359 --> 00:02:07.560 to really understand the threats, not just what they are, 44 00:02:08.120 --> 00:02:10.680 but who is behind them, what drives them, and how 45 00:02:10.680 --> 00:02:11.280 they operate. 46 00:02:11.520 --> 00:02:14.599 And our sources give us a fantastic framework for understanding 47 00:02:14.680 --> 00:02:19.120 how these attacks unfold the cyber attack kil chain, Could 48 00:02:19.120 --> 00:02:21.560 you walk us through the key steps in that sequence? 49 00:02:21.840 --> 00:02:23.879 Sure, it maps the attacker's. 50 00:02:23.560 --> 00:02:26.879 Journey from the initial reconnaissance all the way to the 51 00:02:26.879 --> 00:02:30.520 final action on objective. It sounds like it truly maps 52 00:02:30.520 --> 00:02:31.919 out the attackers full journey. 53 00:02:32.039 --> 00:02:35.879 Absolutely. It's a sequence of interconnected steps. Reconnaissance that's the 54 00:02:35.919 --> 00:02:40.560 info gathering, okay, then weaponization, delivery, exploitation, installation, command and 55 00:02:40.599 --> 00:02:43.680 control C and C. Got it, and finally action upon 56 00:02:43.719 --> 00:02:46.400 the objective. Each phase builds on the last. 57 00:02:46.599 --> 00:02:47.680 That lays it out clearly. 58 00:02:47.879 --> 00:02:52.280 Building on that concept, a crucial question that emerges, Who 59 00:02:52.560 --> 00:02:54.800 exactly are these attackers we're talking about? 60 00:02:54.840 --> 00:02:55.439 Good question. 61 00:02:55.719 --> 00:02:59.759 Our material categorizes them by their location relative to an 62 00:02:59.840 --> 00:03:03.159 order organization internal, external, or sometimes mixed. 63 00:03:02.879 --> 00:03:04.280 Groups inside jobs too. 64 00:03:04.360 --> 00:03:08.039 Huh oh definitely. But more importantly, it breaks them down 65 00:03:08.080 --> 00:03:10.159 by their skills, motives, and targets. 66 00:03:10.400 --> 00:03:13.599 And digging into the profiles of these actors, our sources 67 00:03:13.680 --> 00:03:17.560 identify seven distinct types. That's quite a few. It is 68 00:03:17.599 --> 00:03:21.000 from the highly skilled virus and hacking tools coders who 69 00:03:21.039 --> 00:03:24.360 build these digital weapons for financial gain, the real pros 70 00:03:24.400 --> 00:03:27.800 all the way to script kitties who, despite being non 71 00:03:27.879 --> 00:03:31.479 experts simply using off the shelf tools, well, they still 72 00:03:31.520 --> 00:03:32.479 cause problems, right. 73 00:03:32.520 --> 00:03:35.879 They contribute significantly to the sheer volume of attacks and 74 00:03:35.960 --> 00:03:38.919 background noise, often making it harder to spot the more 75 00:03:38.960 --> 00:03:40.120 sophisticated threats. 76 00:03:40.159 --> 00:03:43.479 It's a full ecosystem, an ecosystem, that's a good way 77 00:03:43.520 --> 00:03:43.840 to put it. 78 00:03:43.919 --> 00:03:46.280 And a key takeaway here is the economics of these 79 00:03:46.319 --> 00:03:51.159 digital weapons. Our material delves into the vulnerability markets. 80 00:03:51.520 --> 00:03:54.120 Vulnerability markets you mean like places to buy and sell 81 00:03:54.159 --> 00:03:55.960 ways to break into systems exactly. 82 00:03:56.000 --> 00:03:58.719 You have regulated markets like bug bounty programs from tech 83 00:03:58.759 --> 00:04:02.199 giants like Apple, Google, Amazon, Microsoft, Right, I've. 84 00:04:02.039 --> 00:04:04.840 Heard of those companies pay you to find. 85 00:04:04.560 --> 00:04:08.080 Flaws, Yes, and even institutions like the US Pentagon and 86 00:04:08.240 --> 00:04:09.199 MIT run. 87 00:04:09.039 --> 00:04:13.960 Them, and the payouts can be staggering. Our sources mentioned, 88 00:04:13.960 --> 00:04:18.399 for example, a zero quick persistence vulnerability for Android mobiles. 89 00:04:18.040 --> 00:04:21.040 Zero click, meaning the victim doesn't have to do anything. 90 00:04:21.160 --> 00:04:24.839 That's terrifying. An attacker can gain and maintain control of 91 00:04:24.839 --> 00:04:27.279 your device without you even tapping on a link or 92 00:04:27.319 --> 00:04:30.720 opening a file, a direct takeover, precisely, and that could 93 00:04:30.759 --> 00:04:33.319 go for up to two point five million dollars. 94 00:04:33.040 --> 00:04:34.720 USD that's what the sources suggests. 95 00:04:34.759 --> 00:04:37.759 Yet or a Windows remote code execution for up to 96 00:04:37.879 --> 00:04:40.480 one million dollars, that's a serious incentives. 97 00:04:40.639 --> 00:04:44.399 Is absolutely is serious money involved. But then you have 98 00:04:44.439 --> 00:04:47.759 the unregulated markets, the gray and black markets. 99 00:04:47.839 --> 00:04:49.319 Okay, the shadier side. 100 00:04:49.360 --> 00:04:53.160 Our sources highlight that even governmental agencies like the FBI 101 00:04:53.839 --> 00:04:57.279 also buy vulnerabilities through these markets for both offensive and 102 00:04:57.399 --> 00:04:58.439 defensive purposes. 103 00:04:58.519 --> 00:05:00.920 Really, government's buying on the black market. 104 00:05:00.720 --> 00:05:03.680 It seems so. According to the material and exploit kits. 105 00:05:03.720 --> 00:05:06.680 Back in the early twenty tens could rent for thousands per. 106 00:05:06.560 --> 00:05:08.160 Month renting attack tools. 107 00:05:08.240 --> 00:05:11.240 Yeah, so the staggering price tag on these zero day 108 00:05:11.319 --> 00:05:15.199 vulnerabilities isn't just a number. It reveals a critical truth. 109 00:05:15.600 --> 00:05:18.680 The most potent digital weapons are primarily accessible to nation 110 00:05:18.759 --> 00:05:21.920 states and the most resourced criminal enterprises. 111 00:05:22.079 --> 00:05:24.680 So not your average hacker generally. 112 00:05:24.720 --> 00:05:29.639 No, this fundamentally reshapes the defense challenge, forcing organizations to 113 00:05:29.680 --> 00:05:33.360 contend with adversaries operating on an entirely different playing field. 114 00:05:33.439 --> 00:05:36.480 Okay, so, once an attacker has their weapons and a 115 00:05:36.519 --> 00:05:39.720 target in mind, the very first phase of that quel 116 00:05:39.839 --> 00:05:43.000 chain is reconnaissance, basically gathering info. 117 00:05:43.319 --> 00:05:47.040 Correct. Our sources describe this as potentially a lengthy process 118 00:05:47.360 --> 00:05:51.839 from days to months, designed to map out in organization's digital. 119 00:05:51.439 --> 00:05:54.279 Assets days to months just looking around. 120 00:05:54.000 --> 00:05:57.759 Sometimes, Yeah, patience is key. This process can be passive 121 00:05:57.839 --> 00:06:02.920 or active. Passive meaning passive reconnaissance involves gathering information without 122 00:06:02.959 --> 00:06:06.319 directly interacting with the target system. I think using public 123 00:06:06.399 --> 00:06:09.279 databases like wuh was search engines. 124 00:06:08.879 --> 00:06:10.399 Stuff that's already out there. 125 00:06:10.240 --> 00:06:14.240 Exactly, or even just eavesdropping on communications outside a networks perimeter. 126 00:06:14.680 --> 00:06:16.399 It's truly undetectable, okay. 127 00:06:16.439 --> 00:06:21.319 But active reconnaissance involves launching probes directly against the target system. 128 00:06:21.480 --> 00:06:22.439 You're knocking on the door. 129 00:06:22.680 --> 00:06:25.600 This is where tools come in. Our sources describe applications 130 00:06:25.639 --> 00:06:29.439 like recondog, which can perform NS lookups to find a 131 00:06:29.519 --> 00:06:34.160 domains records like ANS or MX records, or uncover subdomains 132 00:06:34.279 --> 00:06:40.000 like PCDESX or backupserver, dot scantis, dot up, dot gr. 133 00:06:40.120 --> 00:06:43.920 Finding all the connected pieces. Yes, and Recondog's ability to 134 00:06:43.959 --> 00:06:46.920 pipeline operations. Passing the output of one command as the 135 00:06:46.920 --> 00:06:50.079 input to the next makes information gathering much more. 136 00:06:49.920 --> 00:06:54.160 Efficient, streamlines the process it does, though our material does 137 00:06:54.199 --> 00:06:57.480 caution that header's intended for human reading can sometimes be 138 00:06:57.600 --> 00:07:01.079 misinterpreted as scan targets, leading to erroneous outputs. 139 00:07:01.079 --> 00:07:04.920 So not fool proof, right, potential glitches. Beyond just domain info, 140 00:07:04.959 --> 00:07:07.040 attackers move to network scanning. 141 00:07:06.920 --> 00:07:08.519 Trying to see what's actually running on the network. 142 00:07:08.560 --> 00:07:11.240 Our sources explain that tools like end maps send specially 143 00:07:11.240 --> 00:07:14.480 crafted packets to determine what devices are active, what services 144 00:07:14.480 --> 00:07:17.399 and versions they're running, what operating system they're operating systems, 145 00:07:17.399 --> 00:07:20.160 and even security measures like firewalls. Wow, that's a lot 146 00:07:20.160 --> 00:07:21.800 of info from just sending packets. 147 00:07:22.199 --> 00:07:24.120 En map is the de facto tool for this. It's 148 00:07:24.279 --> 00:07:28.279 very powerful. It can perform port scanning to identify open, 149 00:07:28.439 --> 00:07:30.079 filtered or closed. 150 00:07:29.720 --> 00:07:32.680 Ports, open ports being the unlocked doors we mentioned. 151 00:07:32.399 --> 00:07:38.199 Essentially yes a key technique. The tcpsyn scan is particularly 152 00:07:38.240 --> 00:07:41.959 fast and stealthy because it never fully completes a TCP connection. 153 00:07:42.120 --> 00:07:42.920 How does that work? 154 00:07:43.759 --> 00:07:45.279 Think of it like a quick knock on the door. 155 00:07:45.319 --> 00:07:48.480 If someone answers sends back a SENEC packet. Yeah, you 156 00:07:48.519 --> 00:07:51.839 know they're home, the port's open, but you leave said 157 00:07:51.839 --> 00:07:54.680 an RST packet before you're formally invited inside. 158 00:07:54.800 --> 00:07:58.120 Ah, so you get the info without completing the traceable handshake. 159 00:07:58.560 --> 00:07:59.199 Very sneaky. 160 00:07:59.240 --> 00:08:01.839 Makes it incredible difficult to trace effectively. 161 00:08:01.399 --> 00:08:04.279 So an attacker can quickly map open doors without raising 162 00:08:04.319 --> 00:08:07.519 too much suspicion, essentially doing a quick, quiet walkthrough of 163 00:08:07.560 --> 00:08:08.519 your digital house. 164 00:08:08.680 --> 00:08:09.600 Pretty good analogy. 165 00:08:09.839 --> 00:08:14.680 After scanning comes vulnerability scanning, identifying actual weaknesses. 166 00:08:14.360 --> 00:08:16.759 Finding the exploitable doors or windows. 167 00:08:16.879 --> 00:08:21.399 Our sources differentiate between non intrusive scans, which simply log 168 00:08:21.519 --> 00:08:25.600 vulnerabilities without interacting to taking goats, and intrusive ones, which 169 00:08:25.680 --> 00:08:27.360 actually attempt to exploit them. 170 00:08:27.600 --> 00:08:30.519 Now you're trying to dere not maybe jiggling the window. 171 00:08:30.360 --> 00:08:33.000 Right and intrusive scans of course carry the risk of 172 00:08:33.080 --> 00:08:38.000 damic data loss, service disruption, or even injecting new vulnerabilities. 173 00:08:38.200 --> 00:08:40.679 It's a risky move for an attack or two potentially 174 00:08:40.720 --> 00:08:45.559 noisier Building on that, a crucial consideration for attackers is 175 00:08:45.600 --> 00:08:48.120 how to avoid detection during all this reconnaissance? 176 00:08:48.240 --> 00:08:49.360 Yeah, how do they stay hidden? 177 00:08:49.799 --> 00:08:53.919 Our sources detail several evation techniques. For instance, they can 178 00:08:53.919 --> 00:08:58.360 try to detect firewalls using methods like firewalking. Firewalking it 179 00:08:58.440 --> 00:09:02.960 involves sending packets with spec time to live or TTL values. 180 00:09:03.639 --> 00:09:07.639 If the packet expires after the suspected firewall location, it 181 00:09:07.679 --> 00:09:10.840 can reveal if the firewall allowed the traffic through, effectively 182 00:09:10.879 --> 00:09:14.519 mapping the security perimeter without directly attacking the firewall itself. 183 00:09:14.679 --> 00:09:20.120 Clever, or they can look for intrusion detection systems IDSS systems. 184 00:09:19.679 --> 00:09:21.360 Designed to spot suspicious activity. 185 00:09:21.559 --> 00:09:24.600 A common indication. Our sources say that if an IDs 186 00:09:24.639 --> 00:09:27.200 is part of the network route, a trace route utility 187 00:09:27.279 --> 00:09:29.480 might display an incomplete line for that HOP. 188 00:09:29.639 --> 00:09:33.159 Because IDs typically don't respond with the usual hop information 189 00:09:33.480 --> 00:09:35.200 like a normal router would, it's. 190 00:09:35.000 --> 00:09:36.759 A subtle clue, little giveaways. 191 00:09:37.200 --> 00:09:40.840 One surprising aspect here is the concept of a honeypot ah. 192 00:09:40.960 --> 00:09:44.639 Yes, I've heard of these, like bait for hackers exactly. 193 00:09:44.960 --> 00:09:49.279 These are systems intentionally set up to appear exposed and vulnerable, 194 00:09:49.600 --> 00:09:52.080 designed specifically to attract attackers. 195 00:09:52.360 --> 00:09:54.159 Why would you want to attract them. 196 00:09:54.279 --> 00:09:57.279 Well, since no legitimate user would ever interact with them. 197 00:09:57.679 --> 00:10:02.039 Any probes or communications immediately indicate a reconnaissance or attack. 198 00:10:01.799 --> 00:10:03.960 Attempt ah like a silent alarm. 199 00:10:04.120 --> 00:10:07.720 Precisely, they are used to detect and prevent attacks, but 200 00:10:07.919 --> 00:10:12.080 also crucially for information gathering and research into attacker methods. 201 00:10:12.360 --> 00:10:13.159 You learn how they. 202 00:10:13.039 --> 00:10:16.720 Operate, fascinating an attackers in turn look for signs of 203 00:10:16.720 --> 00:10:17.399 a honeypot. 204 00:10:17.480 --> 00:10:19.720 They do things like too many open ports, may be 205 00:10:19.840 --> 00:10:23.919 suspiciously slow service responsiveness because of extensive logging happening in 206 00:10:23.960 --> 00:10:24.639 the background, or. 207 00:10:24.639 --> 00:10:26.720 Even traffic redirection that seems unnatural. 208 00:10:26.840 --> 00:10:28.759 Right. It truly is a cat and mouse game at 209 00:10:28.759 --> 00:10:29.240 every level. 210 00:10:29.480 --> 00:10:32.039 It reminds you that in this digital realm, nothing is 211 00:10:32.080 --> 00:10:35.679 quite what it seems, and both sides are constantly innovating 212 00:10:35.720 --> 00:10:36.600 to outsmart the. 213 00:10:36.559 --> 00:10:37.840 Other constant evolution. 214 00:10:38.080 --> 00:10:41.639 So, after all that meticulous reconnaissance and evasion, once the 215 00:10:41.639 --> 00:10:44.799 attacker has identified the weak points, they move to the 216 00:10:44.919 --> 00:10:46.759 action upon objective phase. 217 00:10:46.879 --> 00:10:48.120 This is where the damage happens. 218 00:10:48.200 --> 00:10:51.200 This is where the threats become undeniably real, as our 219 00:10:51.240 --> 00:10:55.600 sources immediately pivot to system threats and the devastating impact 220 00:10:55.720 --> 00:10:57.320 of malicious software attacks. 221 00:10:57.360 --> 00:10:59.919 And this is precisely where the scale of modern cyber 222 00:11:00.120 --> 00:11:04.600 threats becomes well terrifyingly clear. With such a large part 223 00:11:04.639 --> 00:11:07.720 of the global population online via powerful. 224 00:11:07.240 --> 00:11:09.840 Devices, bones, laptops, everything, the. 225 00:11:09.840 --> 00:11:13.000 Value of personal data and our reliance on computing resources 226 00:11:13.159 --> 00:11:16.960 makes us prime targets IBM's cost of data. Breek study 227 00:11:17.120 --> 00:11:20.279 puts the average cost of just one incident at what. 228 00:11:20.399 --> 00:11:23.559 Was it a staggering three point nine two million dollars 229 00:11:23.759 --> 00:11:24.480 average costs. 230 00:11:24.600 --> 00:11:26.240 Yeah, that's huge, and we see. 231 00:11:26.080 --> 00:11:28.639 This play out in notorious cases like the twenty seventeen 232 00:11:28.720 --> 00:11:30.759 WannaCry and not Petty ransomware attack. 233 00:11:30.840 --> 00:11:32.000 Those were major incidents. 234 00:11:32.279 --> 00:11:36.840 Both targeted Windows systems and shockingly used exploit code and 235 00:11:36.919 --> 00:11:40.159 a backdoor developed by the US National Security Agency and 236 00:11:40.240 --> 00:11:42.519 that essay, yes, which were leaked by a group called 237 00:11:42.600 --> 00:11:46.960 shadow Brokers. This really underscores how vulnerabilities can weaponize from 238 00:11:47.000 --> 00:11:48.080 surprising sources. 239 00:11:48.159 --> 00:11:51.159 Absolutely one to cry encrypted user files and demanded a 240 00:11:51.159 --> 00:11:55.120 three hundred dollars fee, though interestingly the keys were later 241 00:11:55.159 --> 00:11:58.200 found to be recoverable due to an API misuse by 242 00:11:58.200 --> 00:11:58.879 the attackers. 243 00:11:59.000 --> 00:12:02.519 A small bit of luck there. But not Petya, not Picty. 244 00:12:02.399 --> 00:12:06.759 Was different, Originating from a compromised tax software updating Ukraine. 245 00:12:06.919 --> 00:12:10.600 It affected sixty four countries wow, and caused just one 246 00:12:10.679 --> 00:12:14.360 single company, the shipping giant miller Marisk, and estimated two 247 00:12:14.440 --> 00:12:16.960 hundred three hundred million dollars in damages. 248 00:12:16.759 --> 00:12:18.639 Just one company. That's incredible. 249 00:12:18.759 --> 00:12:21.720 This wasn't just data loss, it was massive operational disruption 250 00:12:21.840 --> 00:12:23.799 that crippled global logistics for a while. 251 00:12:24.000 --> 00:12:27.080 Right and beyond keycs, the Internet of Things paradigm has 252 00:12:27.120 --> 00:12:29.679 brought entirely new vectors. We talked about IoT earlier. 253 00:12:29.720 --> 00:12:31.360 The thread surface just keeps expanding. 254 00:12:31.440 --> 00:12:33.000 Our sources discussed the Miri. 255 00:12:33.039 --> 00:12:36.600 Botnet Ahmuri, famous or infamous. 256 00:12:36.720 --> 00:12:41.559 It infected an estimated six hundred thousand systems, primarily vulnerable 257 00:12:41.679 --> 00:12:45.720 IoT devices like cameras and routers, things people don't always. 258 00:12:45.440 --> 00:12:47.559 Secure default passwords usually. 259 00:12:47.440 --> 00:12:52.039 And launched distributed denial of service. Ordidas attacked wreaking peak 260 00:12:52.120 --> 00:12:55.159 traffic sizes of one point one terabits per second. 261 00:12:55.279 --> 00:12:57.639 One point one terabits. Just think about that volume. It 262 00:12:57.759 --> 00:12:59.240 overwhelmed major. 263 00:12:59.000 --> 00:13:02.879 Sites unbelievable, gill So. To effectively combat these, we need 264 00:13:02.879 --> 00:13:05.360 to understand malware categories. 265 00:13:05.480 --> 00:13:08.000 Got to know your enemy. Our sources classify them in 266 00:13:08.000 --> 00:13:12.519 a few ways by target like mass versus targeted attacks. 267 00:13:12.159 --> 00:13:14.799 Spray and prey versus spearfishing. 268 00:13:14.279 --> 00:13:17.799 Kind of yeah, by their networking paradigm such as command 269 00:13:17.879 --> 00:13:20.919 and control C and C models where central server issues 270 00:13:21.039 --> 00:13:24.759 orders the mothership, or peer to peer PDP where infective 271 00:13:24.759 --> 00:13:27.399 machines communicate directly making them harder to take. 272 00:13:27.279 --> 00:13:29.200 Down, decentralized attacks right. 273 00:13:29.440 --> 00:13:33.480 And they also categorize by behavior, including social engineering tactics 274 00:13:33.519 --> 00:13:37.440 like phishing or impersonation, tricking people, ransomware, which we just discussed, 275 00:13:37.440 --> 00:13:40.559 and rootkits which are designed specifically to hide their presence 276 00:13:40.559 --> 00:13:43.200 on a system, making them very difficult to find. 277 00:13:43.039 --> 00:13:46.960 Deeply hidden malware. Okay, So turning to the practicalities of 278 00:13:47.000 --> 00:13:51.919 defense our material details. The malware Incident Response procedure defined 279 00:13:52.000 --> 00:13:52.559 by NIST. 280 00:13:52.799 --> 00:13:54.879 NIST provides a lot of these useful frameworks. 281 00:13:54.919 --> 00:13:59.200 It's a robust six phase process from preparation all the 282 00:13:59.200 --> 00:14:03.240 way to post incident activity, learning lessons. 283 00:14:02.799 --> 00:14:07.080 Preparation, detection, containment, eradication, recovery, post mortem. 284 00:14:07.240 --> 00:14:10.519 A key part of this is malware analysis. How do 285 00:14:10.600 --> 00:14:13.480 you figure out what this malicious software actually does? 286 00:14:13.720 --> 00:14:17.799 Two main ways Studying the software without running it that's static. 287 00:14:17.480 --> 00:14:19.799 Analysis, looking at the code itself. 288 00:14:19.600 --> 00:14:22.720 Or running it in a controlled, isolated environment a sandbox 289 00:14:22.799 --> 00:14:26.120 to observe its behavior. That's dynamic analysis, like washing it 290 00:14:26.159 --> 00:14:28.879 in a cage. Pretty much For static analysis, analysts can 291 00:14:28.919 --> 00:14:32.440 examine portable executable or PE files the standard format for 292 00:14:32.480 --> 00:14:36.519 Windows programs OKA, or simply extract readable strings sequences of 293 00:14:36.559 --> 00:14:37.840 text from the binary code. 294 00:14:37.919 --> 00:14:38.960 What can strings tell you? 295 00:14:39.120 --> 00:14:41.919 Sometimes quite a lot. Our sources give a specific example, 296 00:14:41.960 --> 00:14:45.399 from a watera crise sample, analysts could spot strings related 297 00:14:45.399 --> 00:14:47.600 to SMB communications. 298 00:14:46.879 --> 00:14:48.559 Windows file sharing right. 299 00:14:48.840 --> 00:14:52.840 Also strings pointing to Windows cryptography APIs showing it intended 300 00:14:52.879 --> 00:14:56.240 to encrypt files, and even a unique kill switch. 301 00:14:56.279 --> 00:14:58.559 You are O the kill switch? I remember that. 302 00:14:58.799 --> 00:15:02.399 Yeah. A researcher found registered the domain and when wantacriy 303 00:15:02.480 --> 00:15:05.679 checked that URL and saw it was live, it stop spreading, 304 00:15:06.159 --> 00:15:10.320 pointing it to a sinkhole a controlled server effectively halted 305 00:15:10.360 --> 00:15:11.039 the epidemic. 306 00:15:11.600 --> 00:15:14.320 Amazing that such a huge attack had such a simple 307 00:15:14.360 --> 00:15:15.919 off switch found in the strings. 308 00:15:16.159 --> 00:15:19.519 Sometimes luck plays a part. Moving to defense at a 309 00:15:19.519 --> 00:15:23.639 more fundamental level, our sources explain cryptography. 310 00:15:22.960 --> 00:15:26.120 Threats encryption the bedrock of online security. 311 00:15:26.200 --> 00:15:29.480 Right, it's absolutely crucial, yes, but it's not fool proof. 312 00:15:29.919 --> 00:15:33.840 The sources highlight weaknesses in common cryptographic algorithms and protocols. 313 00:15:33.919 --> 00:15:35.879 Okay, so even encryption can be attacked. 314 00:15:36.000 --> 00:15:38.039 If we connect this to the bigger picture, the man 315 00:15:38.080 --> 00:15:40.960 in the middle win TM attack is a significant concern. 316 00:15:40.679 --> 00:15:43.399 Where someone intercepts the communication exactly. 317 00:15:43.840 --> 00:15:46.519 Our sources show how an attacker can substitute their public 318 00:15:46.600 --> 00:15:51.720 key during an exchange, essentially positioning themselves between two communicating. 319 00:15:51.120 --> 00:15:54.120 Parties, so each party thinks they're talking directly to the other, 320 00:15:54.120 --> 00:15:56.279 but they're actually talking to the attacker. 321 00:15:55.919 --> 00:15:59.919 Correct The Effecker relays messages, potentially reading or altering them. 322 00:16:00.320 --> 00:16:03.799 They also detail vulnerabilities in the Transport Layer Security TAILS 323 00:16:03.840 --> 00:16:06.480 protocol itself, which secures most web traffic. 324 00:16:06.559 --> 00:16:10.399 Each TTPs wait tilS itself can be vulnerable. 325 00:16:10.080 --> 00:16:13.720 Older versions or specific configurations. Yes, like the Drown attack 326 00:16:13.759 --> 00:16:17.000 from twenty sixteen. Our sources state that it affected web 327 00:16:17.039 --> 00:16:22.519 servers still supporting older, outdated SSL versions, alongside newer TLS. 328 00:16:22.279 --> 00:16:24.120 AH backward compatibility issues. 329 00:16:24.159 --> 00:16:28.120 Precisely, this allowed attackers to decrypt modern TLS one point 330 00:16:28.200 --> 00:16:32.279 two RSA ciphertext. The attack involved observing about one thousand 331 00:16:32.279 --> 00:16:35.919 TLS handshakes and initiating around forty thousand connections using the 332 00:16:35.919 --> 00:16:37.840 weak older SSLv two protocol. 333 00:16:38.000 --> 00:16:40.080 That sounds complex it was, but feasible. 334 00:16:40.320 --> 00:16:43.279 It could decrypt a twenty forty eight bit RSATLS handshake 335 00:16:43.440 --> 00:16:45.600 in under eight hours for about four hundred and forty 336 00:16:45.639 --> 00:16:47.080 dollars in cloud computing. 337 00:16:46.759 --> 00:16:50.679 Costs Wow four hundred and forty dollars to break modern encryption. 338 00:16:50.480 --> 00:16:53.600 In that specific scenario. Yes, this clearly shows why TLS 339 00:16:53.639 --> 00:16:56.000 one point three. The latest version no longer allows RSA 340 00:16:56.039 --> 00:16:59.519 for the initial key exchange. It mandates methods with forward secrecy. 341 00:17:00.000 --> 00:17:03.919 Breaking one key doesn't compromise pass or future sessions exactly. 342 00:17:04.319 --> 00:17:07.759 So the next logical step is to consider how do 343 00:17:07.799 --> 00:17:09.480 we get smarter about defense? 344 00:17:09.720 --> 00:17:10.920 We have to clearly. 345 00:17:11.039 --> 00:17:15.119 Our sources introduce risk management, which is about framing, assessing, 346 00:17:15.319 --> 00:17:19.240 responding to, and monitoring risk. It's a continuous cycle. 347 00:17:19.119 --> 00:17:20.759 Not just a one time fix. No. 348 00:17:21.240 --> 00:17:25.200 They describe the Common Vulnerability Scoring System CBSS as a 349 00:17:25.240 --> 00:17:28.880 standardized way to quantify vulnerability severity. 350 00:17:28.599 --> 00:17:34.799 Giving vulnerabilities a score right using metrics like attack sector, network, local, physical, physical, 351 00:17:34.960 --> 00:17:41.359 attack complexity low high, and user interaction none required required, so. 352 00:17:41.279 --> 00:17:44.279 You can prioritize fixing the worst ones first. 353 00:17:44.359 --> 00:17:48.480 That's the idea. It helps organizations allocate resources effectively. 354 00:17:48.000 --> 00:17:51.759 And the advanced tools for detection and mitigation are evolving fast, too, 355 00:17:52.000 --> 00:17:52.599 very fast. 356 00:17:52.960 --> 00:17:56.400 Our sources talk about machine learning being used extensively for malware. 357 00:17:56.119 --> 00:17:57.920 Detection AI finding the bad guys. 358 00:17:58.119 --> 00:18:02.279 Essentially, yes, it's crucial. We're finding zero day malware, brand 359 00:18:02.319 --> 00:18:06.799 new threats, or heavily obfuscated malware that traditional signature based systems. 360 00:18:06.880 --> 00:18:09.640 The ones looking for known fingerprints. 361 00:18:09.119 --> 00:18:14.079 Would completely miss mL looks for behavioral patterns, anomalies, things 362 00:18:14.079 --> 00:18:15.599 that just seem off. 363 00:18:15.640 --> 00:18:18.119 That makes sense, got to look for behavior not just 364 00:18:18.240 --> 00:18:18.920 known faces. 365 00:18:19.079 --> 00:18:24.279 One particularly compelling aspect the sources mentioned is malware visualization. 366 00:18:24.480 --> 00:18:26.799 Visualizing malware What does that even mean? 367 00:18:26.960 --> 00:18:30.480 Imagine converting a binary file the raw zeros and ones 368 00:18:30.480 --> 00:18:33.640 of a program into a two dimensional image like a picture. 369 00:18:33.799 --> 00:18:35.240 Okay, how does that help? 370 00:18:35.519 --> 00:18:39.440 Tools like benefs, dot io and vellows do this. Security 371 00:18:39.480 --> 00:18:43.920 analysts can then visually identify patterns. Packed or encrypted sections 372 00:18:43.960 --> 00:18:46.920 often look visually distinct, like areas of high entropy or 373 00:18:46.920 --> 00:18:48.240 repeating structures, so. 374 00:18:48.119 --> 00:18:50.599 They can spot suspicious parts just by looking at the 375 00:18:50.640 --> 00:18:53.400 picture without running the dangerous code exactly. 376 00:18:53.440 --> 00:18:56.720 It leverages our innate human ability to spot patterns and anomalies. 377 00:18:56.920 --> 00:19:00.000 It makes complex data suddenly much more accessible visually. 378 00:19:00.480 --> 00:19:03.319 That is amazing, a completely different approach. 379 00:19:02.960 --> 00:19:05.920 It really is, and taking innovation even further. Our sources 380 00:19:05.960 --> 00:19:08.559 discuss bioinspired. 381 00:19:07.640 --> 00:19:10.039 Computing inspired by biology. 382 00:19:09.599 --> 00:19:12.160 Yes, using things like neural networks which are inspired by 383 00:19:12.160 --> 00:19:14.359 the brain, or swarm intelligence algorithms. 384 00:19:14.680 --> 00:19:17.519 Swarm intelligence like ants. 385 00:19:17.599 --> 00:19:21.240 Inspired by things like bird flocking or ant colonies. Finding 386 00:19:21.279 --> 00:19:25.960 efficient paths. These algorithms are being adapted to improve malware 387 00:19:26.000 --> 00:19:27.720 detection and network defense. 388 00:19:27.960 --> 00:19:33.559 It's like turning nature's own problem solving methods into cybersecurity tools. Fascinating. 389 00:19:33.839 --> 00:19:37.039 Finally, our sources delve into attack graphs. 390 00:19:37.119 --> 00:19:38.920 Attack graphs sounds like a map. 391 00:19:39.000 --> 00:19:41.640 That's a great way to think about it. These are 392 00:19:41.680 --> 00:19:46.160 graphical models that explicitly map out and attackers possible pathways 393 00:19:46.400 --> 00:19:47.720 through a network. 394 00:19:47.400 --> 00:19:50.200 So not just single vulnerabilities, but how they connect. 395 00:19:50.480 --> 00:19:54.759 Precisely. They help defenders understand the dependencies between vulnerabilities and 396 00:19:54.799 --> 00:19:58.559 system assets, identify critical choke points or weaknesses. 397 00:19:58.119 --> 00:20:01.119 And prioritize where to apply security ca controls most effectively. 398 00:20:01.279 --> 00:20:04.519 Exactly. Think of it like a dynamic roadmap of potential breaches, 399 00:20:04.720 --> 00:20:07.039 showing you exactly how an attacker could move from point 400 00:20:07.079 --> 00:20:08.559 A to point B within your network. 401 00:20:08.680 --> 00:20:11.000