Thursday, April 23, 2020

How Cybersecurity Analysts Use Threat Intelligence Platforms

Now that I have Yeti installed, let's take a look at how to use it. Suppose I worked for a hospital. I could use Yeti to record information about attacks that matter to my organization. For example, if I was worried about an attacker forging a Kerberos Golden Ticket with Mimikatz, I would start storing what is known about that particular technique. And if I discovered several attack attempts, I could record them just as easily inside Yeti.

Many organizations are enduring Distributed Denial of Service (DDoS) attacks. Suppose I was a cybersecurity professional asked to record DDoS attacks that abuse the Memcached service, an in-memory cache commonly used to speed up web applications.

Attackers abuse poorly configured Memcached servers, ones that expose UDP port 11211 to the internet, as reflectors: a small request sent with the victim's spoofed source address produces a reply many thousands of times larger, and the server delivers that reply to the victim. So, if I wanted to record information about actual Memcached attacks, I would log on to Yeti, then go to Investigations > Import to upload the information.

From here, I can edit the information I wish to import. I would include only the information that helps my colleagues recognize and recover from this specific attack.

For example, I could focus on a specific observable, such as investigating the IP address 188.138.125.254 and its relationship to the Cloudflare organization. I might find that it is benign and expected, or I might decide it is an indicator of attack. This is the kind of decision cybersecurity analysts make every day.
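Here is an added example, not Yeti's code or the author's, of how the two decisions above (spotting Memcached amplification in traffic, then deciding whether a source address belongs to known infrastructure) could be made in code before the results are imported into a platform like Yeti. The flow-record format, the sample records, the thresholds and the "known infrastructure" prefix list are all constructed for illustration (the prefix is a placeholder, not one of Cloudflare's published ranges), and the CSV output shape is an assumption rather than Yeti's documented import format.

```python
"""Flag Memcached reflection traffic in flow records and emit observables.

Added example, not Yeti code. Field names, thresholds, sample flows and the
known-infrastructure list below are constructed/hypothetical.
"""
import csv
import io
import ipaddress
from collections import defaultdict

MEMCACHED_PORT = 11211
# Thresholds are assumptions for this example; tune them to your baseline.
MIN_AMPLIFICATION = 10.0     # reply bytes / request bytes
MIN_REPLY_BYTES = 100_000    # ignore small, probably legitimate replies

# Constructed flow records, not captured traffic. In a reflection attack the
# request "src" is the spoofed victim address, so the reply goes to the victim.
SAMPLE_FLOWS = """\
ts,proto,src,sport,dst,dport,bytes
2020-04-23T10:00:00Z,udp,203.0.113.7,40123,198.51.100.20,11211,15
2020-04-23T10:00:00Z,udp,198.51.100.20,11211,203.0.113.7,40123,750000
2020-04-23T10:00:01Z,udp,203.0.113.7,40124,198.51.100.21,11211,15
2020-04-23T10:00:01Z,udp,198.51.100.21,11211,203.0.113.7,40124,1200000
2020-04-23T10:00:02Z,udp,198.51.100.23,11211,203.0.113.7,40125,900000
2020-04-23T10:00:02Z,tcp,203.0.113.9,51000,198.51.100.30,11211,200
2020-04-23T10:00:02Z,tcp,198.51.100.30,11211,203.0.113.9,51000,350
2020-04-23T10:00:03Z,udp,192.0.2.5,40001,198.51.100.22,11211,20
2020-04-23T10:00:03Z,udp,198.51.100.22,11211,192.0.2.5,40001,120
"""

# Placeholder prefix and org name, NOT a provider's real published ranges.
KNOWN_INFRASTRUCTURE = {
    ipaddress.ip_network("198.51.100.20/32"): "example-cdn",
}


def parse_flows(text):
    """Parse CSV flow records into dicts with numeric ports and byte counts."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["sport"] = int(row["sport"])
        row["dport"] = int(row["dport"])
        row["bytes"] = int(row["bytes"])
        rows.append(row)
    return rows


def find_memcached_amplification(flows, min_ratio=MIN_AMPLIFICATION,
                                 min_reply_bytes=MIN_REPLY_BYTES):
    """Return {(victim, reflector): stats} for suspicious UDP/11211 traffic.

    Only UDP counts: amplification needs a spoofed source address, which a
    TCP handshake prevents. Reply-only pairs (the normal view from the victim
    side, where the spoofed requests are never seen) are judged on reply
    volume alone and get ratio None.
    """
    req = defaultdict(int)  # (victim, reflector) -> request bytes
    rep = defaultdict(int)  # (victim, reflector) -> reply bytes
    for f in flows:
        if f["proto"] != "udp":
            continue
        if f["dport"] == MEMCACHED_PORT:
            req[(f["src"], f["dst"])] += f["bytes"]
        elif f["sport"] == MEMCACHED_PORT:
            rep[(f["dst"], f["src"])] += f["bytes"]

    findings = {}
    for pair, reply_bytes in rep.items():
        if reply_bytes < min_reply_bytes:
            continue
        request_bytes = req.get(pair, 0)
        ratio = reply_bytes / request_bytes if request_bytes else None
        if ratio is not None and ratio < min_ratio:
            continue
        findings[pair] = {"request_bytes": request_bytes,
                          "reply_bytes": reply_bytes, "ratio": ratio}
    return findings


def classify(ip, known=KNOWN_INFRASTRUCTURE):
    """Name the organization owning `ip` if it falls inside a known prefix."""
    addr = ipaddress.ip_address(ip)
    for net, org in known.items():
        if addr in net:
            return org
    return None


def build_observables(findings):
    """Turn findings into observable records for a TIP import."""
    observables = []
    for (victim, reflector), stats in findings.items():
        org = classify(reflector)
        tags = ["memcached-amplification", "reflector"]
        # A reflector inside known infrastructure is an analyst decision, not
        # an automatic indicator, so tag it for review instead.
        tags.append("review:" + org if org else "indicator-of-attack")
        observables.append({
            "value": reflector, "type": "ip", "tags": tags,
            "victim": victim, "reply_bytes": stats["reply_bytes"],
            "ratio": "" if stats["ratio"] is None else f"{stats['ratio']:.0f}",
        })
    return observables


def to_csv(observables):
    """Serialize observables as CSV (assumed import shape, not Yeti's spec)."""
    out = io.StringIO()
    fields = ["value", "type", "tags", "victim", "reply_bytes", "ratio"]
    writer = csv.DictWriter(out, fieldnames=fields)
    writer.writeheader()
    for o in observables:
        writer.writerow(dict(o, tags=";".join(o["tags"])))
    return out.getvalue()


if __name__ == "__main__":
    found = find_memcached_amplification(parse_flows(SAMPLE_FLOWS))
    print(to_csv(build_observables(found)))
```

Run it and you get three reflector observables: two clear indicators and one that lands in a known prefix and is tagged for review rather than as an indicator. The 192.0.2.5 pair is dropped because the reply is tiny, and the TCP flows are ignored because a completed handshake rules out source spoofing. The reply-only pair (198.51.100.23) is the realistic victim-side case: you will rarely see the spoofed request, so the reply volume has to carry the decision.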

Based on this information, I could then create links from one system to another to uncover useful information about the source of the attack. Figure 6 below shows how I attempted to link several sites to try to identify a specific cause of an attack. It's a pretty messy map, but cybersecurity professionals are expected to sift through and sort messy information so that it becomes more useful.