All language subtitles for 001 Introduction.en--- [ FreeCourseWeb.com ] ---

1
00:00:12,360 --> 00:00:14,230
And we'll go back to another episode on How to Hack.

2
00:00:14,850 --> 00:00:17,570
So today we'll be discussing about this cyber attack chain.

3
00:00:18,120 --> 00:00:23,010
The reason why we have to understand about a cyber attack is because there are a lot of questions about

4
00:00:23,370 --> 00:00:27,750
what goes on in the penetration testing, how our security assessment is being carried out.

5
00:00:28,050 --> 00:00:32,430
And the best way to actually describe that is to look at the cyber attack chain.

6
00:00:33,000 --> 00:00:38,910
So in this case, the cyber kill chain is, of course, developed by Lockheed Martin, and it is to help

7
00:00:38,910 --> 00:00:46,110
us understand and visualize the step by step process of how hackers actually go after specific individuals,

8
00:00:46,410 --> 00:00:51,990
a particular enterprise that they have been hired to go after, or if they are state funded hackers,

9
00:00:52,290 --> 00:00:58,350
state sponsored hackers, and they have a particular agency in mind and they are supposed to go after

10
00:00:58,350 --> 00:00:58,620
them.

11
00:00:59,130 --> 00:01:04,740
So there are so many tutorials and so many different kinds of hacking videos available.

12
00:01:04,900 --> 00:01:08,370
But the whole idea is, doing what you have or you're doing a penetration testing,

13
00:01:08,700 --> 00:01:15,390
it's important to follow this step by step process and it will really help you be able to control and

14
00:01:15,390 --> 00:01:20,660
manage how far you're going into the cyber attack chain and how far you are going to penetrate the testing.

15
00:01:21,160 --> 00:01:26,090
So on the left side, we actually have the different phases and of course, we have seven phases.

16
00:01:26,340 --> 00:01:32,580
So here we go, reconnaissance, which is about finding out information on publicly available websites.

17
00:01:32,910 --> 00:01:35,100
And of course, we have weaponization, which is number two.

18
00:01:35,110 --> 00:01:42,180
So this is about how we can create the payload, whether it is a fully undetectable payload, a microwave

19
00:01:42,180 --> 00:01:42,540
cell.

20
00:01:42,690 --> 00:01:45,810
It's about how we can weaponize it and delivery.

21
00:01:45,840 --> 00:01:47,550
Are we going to use a USB?

22
00:01:47,760 --> 00:01:49,800
Are we going to send a phishing email?

23
00:01:49,920 --> 00:01:51,350
Are we going to send Seabass?

24
00:01:51,450 --> 00:01:56,790
So again, those are the delivery mechanisms that we'll be using in terms of putting the weaponization

25
00:01:56,790 --> 00:01:58,800
or the weaponized payload into the system.

26
00:01:59,430 --> 00:02:01,280
And of course, we have our exploitation.

27
00:02:01,290 --> 00:02:05,850
So exploitation is a way for us to actually attack into the system.

28
00:02:05,850 --> 00:02:11,640
So we will execute, you will execute the particular exploit that we have created in number two, which

29
00:02:11,640 --> 00:02:14,760
is to weaponize the payload, and number five, installation.

30
00:02:14,760 --> 00:02:20,640
So we'll install the malware into the system, into the mobile device or any assets that we have on

31
00:02:20,640 --> 00:02:21,210
hand on.

32
00:02:21,670 --> 00:02:24,600
And this is when we go into number six, where we have command and control.

33
00:02:24,990 --> 00:02:30,240
So whenever you're looking at the tutorials, you're looking at that display framework as the command

34
00:02:30,240 --> 00:02:33,840
and control center to manage and control many of these devices.

35
00:02:34,110 --> 00:02:37,000
And of course, the final thing is on actions and objectives.

36
00:02:37,170 --> 00:02:40,050
So this is, what are we trying to accomplish?

37
00:02:40,080 --> 00:02:41,340
Have we achieved our goal?

38
00:02:41,550 --> 00:02:42,220
What was the goal?

39
00:02:42,240 --> 00:02:44,100
Was it for personal data?

40
00:02:44,100 --> 00:02:45,540
Was it for credit card information?

41
00:02:45,570 --> 00:02:46,790
Was it for financial data?

42
00:02:47,040 --> 00:02:49,200
Was it for state secrets?

43
00:02:49,230 --> 00:02:53,160
So, again, all these are the things that we're looking at in terms of the cyber attack chain.

44
00:02:54,780 --> 00:02:58,000
So, of course, we discussed the cyber security kill chain.

45
00:02:58,050 --> 00:03:02,340
So it's really important what you're talking about, the chain of the cyber attack chain, because many

46
00:03:02,640 --> 00:03:07,020
enterprises or users can be victimized by many of these cyber breaches.

47
00:03:07,020 --> 00:03:10,630
And over here we can see the different companies that have been compromised.

48
00:03:10,650 --> 00:03:12,930
And again, it all follows the same steps.

49
00:03:12,930 --> 00:03:17,730
So if you read up about the hacks that have happened, you'll recognize that many of these hacks that

50
00:03:17,730 --> 00:03:19,980
have happened follow this specific step.

51
00:03:19,990 --> 00:03:26,070
So if you manage to get a detailed report on it, you'll be able to see how the hackers actually attack.

52
00:03:26,190 --> 00:03:31,050
And it is very similar to what you see in a cyber attack chain, or the cybersecurity kill chain.

53
00:03:33,410 --> 00:03:38,150
So the first step is about reconnaissance, and reconnaissance is about finding publicly available information,

54
00:03:38,420 --> 00:03:45,770
using WHOIS, using domain name servers' information, lookout on your servers, and being able to find

55
00:03:45,770 --> 00:03:51,710
out what data they have using Net Kroloff, using all these different kinds of publicly available information,

56
00:03:51,710 --> 00:03:57,170
including also on Google searching to find out usernames, passwords, more tanks of all the domains,

57
00:03:57,560 --> 00:04:03,590
going into the dark web, finding accounts, data or passwords of this particular enterprise and getting

58
00:04:03,590 --> 00:04:04,040
those data.

59
00:04:04,910 --> 00:04:10,490
So, again, the characteristics of this, it could range from minutes all the way to weeks and months

60
00:04:10,490 --> 00:04:12,020
trying to find out all this data.

61
00:04:12,290 --> 00:04:14,960
And because a lot of users have social media accounts,

62
00:04:14,990 --> 00:04:20,570
again, those are good places to also start all that to find out more details about the enterprise, about

63
00:04:20,570 --> 00:04:22,320
individuals working in the enterprise.

64
00:04:22,580 --> 00:04:24,610
So this is what we call passive reconnaissance.

65
00:04:24,860 --> 00:04:30,080
We are trying to find all publicly available information, not directly interacting with the enterprise.

66
00:04:30,080 --> 00:04:31,880
So do not on debt.

67
00:04:33,570 --> 00:04:37,610
And of course, this is where we have the active reconnaissance, so active reconnaissance means we

68
00:04:37,620 --> 00:04:38,610
are probing the system.

69
00:04:38,610 --> 00:04:44,130
So whenever you look at Nmap, that we have been using in a number of the tutorials, we are trying

70
00:04:44,130 --> 00:04:47,840
to get details about the services of the systems and servers

71
00:04:47,840 --> 00:04:50,900
that are available inside that particular enterprise.

72
00:04:51,150 --> 00:04:56,940
So we are actually trying to probe directly into the system, looking at fingerprinting, reconnaissance.

73
00:04:57,210 --> 00:05:01,210
We are working and we are pinging the system to find out more details and data.

74
00:05:01,560 --> 00:05:04,580
So these are information that we can find out immediately from.

75
00:05:04,950 --> 00:05:11,010
So again, active reconnaissance and passive reconnaissance are very different in terms of trying to

76
00:05:11,010 --> 00:05:12,330
find out all these details.

77
00:05:15,190 --> 00:05:19,300
So, of course, this is where we go into the weaponization stage, so the weaponization stage would

78
00:05:19,300 --> 00:05:24,880
actually allow us to see what kind of payload we can create. Sort of first and most used is actually using

79
00:05:24,880 --> 00:05:29,770
msfvenom, or you could actually use a different kind of tools to create a payload, so you could

80
00:05:29,770 --> 00:05:36,130
write your own script or your own malicious software if you know C programming and so on, or you want

81
00:05:36,130 --> 00:05:37,480
to put it up on the shell.

82
00:05:37,480 --> 00:05:40,240
You want to get a reverse shell on it, you want to get a seashell on it.

83
00:05:40,270 --> 00:05:43,420
So again, all these are available as part of weaponization.

84
00:05:43,600 --> 00:05:49,320
And in terms of weaponization, we are also thinking about how can we make it fully undetectable, so

85
00:05:49,330 --> 00:05:54,640
that we'll use encoding matter, to use different kinds of methods to mask the capability from detection

86
00:05:54,640 --> 00:05:55,900
by antivirus systems.

87
00:05:56,320 --> 00:05:59,600
And of course, ultimately this would bring us into the delivery stage.

88
00:05:59,890 --> 00:06:04,750
So in the delivery phase, this is the part where we're thinking about how are we going to deliver the

89
00:06:04,750 --> 00:06:06,400
payload into the user's machine?

90
00:06:06,820 --> 00:06:11,380
So, again, over here we go to social engineer, as seen in a number of tutorials.

91
00:06:11,620 --> 00:06:13,350
So it's about website attacks.

92
00:06:13,360 --> 00:06:15,880
We want to create website hoster, particular payload.

93
00:06:16,120 --> 00:06:22,390
Do you want to create infectious media generator, put into a USB drive, executed the moment a user plugs it

94
00:06:22,390 --> 00:06:23,330
into the computer?

95
00:06:23,740 --> 00:06:24,730
Do you want to have a payload?

96
00:06:24,730 --> 00:06:29,710
You want a mass mailer? All these options are here inside the social engineer toolkit and we'll be exploring

97
00:06:29,710 --> 00:06:30,790
a lot more later on.

98
00:06:31,090 --> 00:06:32,860
So this is about the transmission of the attack.

99
00:06:33,070 --> 00:06:37,260
How do we get the payload, a weaponized payload, into the user's computer?

100
00:06:37,270 --> 00:06:43,960
So, again, another key point in terms of sending out a face in order to talk about is also what kind

101
00:06:43,960 --> 00:06:44,920
of payload are you doing?

102
00:06:45,220 --> 00:06:47,960
Because some of these delivery mechanisms can be very different.

103
00:06:48,250 --> 00:06:53,740
So, one, you could be using a lot of phishing emails that could be blasted out to millions of users,

104
00:06:54,130 --> 00:06:54,700
or two,

105
00:06:54,700 --> 00:07:00,430
it could be a very targeted, very specific format of the email that is sent to one person where we

106
00:07:00,580 --> 00:07:05,110
just want that person to click onto it so that we can go after that particular entity.

107
00:07:07,220 --> 00:07:12,110
And this is on the exploitation stage, so this is what happens once you're weaponized, you've delivered,

108
00:07:12,380 --> 00:07:15,500
the user clicks onto it and you get a reverse shell immediately.

109
00:07:15,530 --> 00:07:17,270
So this is the detonation of the attack.

110
00:07:17,660 --> 00:07:21,860
So once the exploit happens, we are in, we are into the system.

111
00:07:22,070 --> 00:07:25,470
And this allows us to have control of their environment.

112
00:07:25,670 --> 00:07:30,290
So, again, this is all about gaining access, bypassing security mechanisms.

113
00:07:30,290 --> 00:07:32,450
So this is the detonation of the payload.

114
00:07:34,540 --> 00:07:37,960
And of course, once you hit detonation, this is where we go into the installation.

115
00:07:37,990 --> 00:07:40,970
So this is where we want persistence inside the system.

116
00:07:41,030 --> 00:07:46,600
We want to have the ability to persist inside the mobile device, inside the server, inside a computer

117
00:07:46,600 --> 00:07:47,140
device.

118
00:07:47,650 --> 00:07:50,950
So, again, this is what we call a payload, again on the screen.

119
00:07:51,250 --> 00:07:52,830
So this is a Microsoft disable.

120
00:07:53,080 --> 00:07:59,710
Once the user clicks on enable content, immediately we'll get access and we'll install a payload into the

121
00:07:59,710 --> 00:08:05,260
system and we will actually create persistence so that we can be able to latch onto the computer system

122
00:08:05,260 --> 00:08:07,270
no matter how much they update it.

123
00:08:09,520 --> 00:08:13,510
And of course, this is the command and control, and in command and control we have a number of options

124
00:08:13,510 --> 00:08:17,530
inside the channel where we discuss about how we can actually control the system.

125
00:08:17,530 --> 00:08:22,900
So the first one that is most used a lot of the time is using a supply framework and as of flow, of course,

126
00:08:22,900 --> 00:08:24,340
on Empire PowerShell.

127
00:08:24,340 --> 00:08:28,300
So Empire directly to manage based on the PowerShell scripting.

128
00:08:28,300 --> 00:08:32,320
So it's a great way for us to manage many, many of these computers and systems.

129
00:08:32,560 --> 00:08:34,170
So this is what we call the bots.

130
00:08:34,540 --> 00:08:39,150
So any of these computers that have been hacked into, we call them to barter, we are controlling them.

131
00:08:39,400 --> 00:08:41,590
And on the top you can see we've got a bot herder.

132
00:08:41,590 --> 00:08:48,040
So the bot herder actually allows you, which is you, to control what the bots will do as a result of

133
00:08:48,040 --> 00:08:50,290
them being hijacked into.

134
00:08:53,340 --> 00:08:55,870
So, of course, the focus can be very different.

135
00:08:55,920 --> 00:09:00,770
So if you're a state funded hacker, chances are you're going for sensitive data, confidential data,

136
00:09:00,930 --> 00:09:05,010
top secret data, top secret data meaning they have grave danger to a nation.

137
00:09:05,160 --> 00:09:07,740
So you're going after those specific data.

138
00:09:08,190 --> 00:09:13,260
And if you are a cyber criminal who is going after financial gains, then you have a very different

139
00:09:13,260 --> 00:09:13,770
set of data.

140
00:09:13,770 --> 00:09:18,030
You could be looking for credit card information, username passwords, doohickeys set on a dark web.

141
00:09:18,240 --> 00:09:24,180
So, again, the purpose, the action and the objective can be very different across many different

142
00:09:24,180 --> 00:09:26,970
kinds of threats, many different kinds of attacks.

143
00:09:29,460 --> 00:09:33,480
So, of course, the question will be, if I'm a defender, I'm going on the blue team and I want to

144
00:09:33,480 --> 00:09:36,280
protect against this cyber attack, what can we do?

145
00:09:36,690 --> 00:09:40,860
So the whole idea goes back into the concept of defense, defense in depth.

146
00:09:40,860 --> 00:09:46,190
So defense in depth means that we must always have a way of slowing down the attacker.

147
00:09:46,530 --> 00:09:51,380
So if a state funded hacker or someone who is persistent in trying to get into the enterprise, getting

148
00:09:51,390 --> 00:09:57,090
the data, what we can do is to slow down the person as much as possible and keep changing to different

149
00:09:57,090 --> 00:10:00,630
kinds of security mechanisms or countermeasures that we have in place.

150
00:10:00,630 --> 00:10:04,920
That will take a very long time for the hacker to go after you.

151
00:10:04,950 --> 00:10:10,580
So if you're managing an enterprise, you may have thousands of computers and point servers and so on.

152
00:10:10,920 --> 00:10:16,080
So what you do is you will actually make sure that you have antivirus systems, you have a security

153
00:10:16,080 --> 00:10:21,360
monitoring platform, you have a web application firewall, database firewall and many different of

154
00:10:21,360 --> 00:10:24,300
these security mechanisms in place that will slow down your hacker.

155
00:10:24,600 --> 00:10:30,030
So the hacker wants to get in to you through USB and you realize that all of your endpoints have the USB

156
00:10:30,030 --> 00:10:33,930
disabled, then the hacker has to try something else in order to gain access into the system.

157
00:10:34,230 --> 00:10:38,700
And this would take longer and longer for them to persist through in order to gain access into your

158
00:10:38,700 --> 00:10:39,580
sensitive data.

159
00:10:40,020 --> 00:10:45,360
So defense in depth is going to be a great way for you to actually stop many of these potential threats.

160
00:10:47,740 --> 00:10:52,720
So, of course, there are some potential flaws with the whole idea of the cyber attack chain, and of

161
00:10:52,720 --> 00:10:58,750
course, thinking about a cyber attack chain is that the hacker has to go through every single one of these phases.

162
00:10:59,140 --> 00:11:04,780
But the reality is that that's not the case, because the hacker could perhaps be able to get all your

163
00:11:04,780 --> 00:11:10,090
usernames and passwords directly from publicly available information due to all the data breaches.

164
00:11:10,480 --> 00:11:15,430
And from there on, they could immediately get access into many of your accounts and credentials.

165
00:11:15,610 --> 00:11:20,770
So that could be a very quick way, because on point number two, all seven steps must be successful for

166
00:11:20,770 --> 00:11:22,210
a successful cyber attack to occur.

167
00:11:22,500 --> 00:11:26,770
But that's not always the case, because once you've got usernames, once you've got passwords, you could

168
00:11:26,770 --> 00:11:33,640
morph your attack into other ways or other objectives in order to gain other kinds of sensitive data.

169
00:11:34,420 --> 00:11:39,970
So, of course, on the finer point, the defender has seven opportunities to break the chain and minimize

170
00:11:39,970 --> 00:11:40,820
data exfiltration.

171
00:11:40,840 --> 00:11:45,340
So if you're playing blue team again, you recognize that you do have the advantage

172
00:11:45,340 --> 00:11:51,910
if we are trying to conceptualize playing defense in terms of trying to stop the hacker from gaining

173
00:11:51,910 --> 00:11:54,570
full access or completing the full cyber attack chain.

174
00:11:55,420 --> 00:11:58,270
So once again, I hope you learned something valuable in today's lecture.

175
00:11:58,300 --> 00:12:02,170
So if you have any questions, feel free to comment below and I'll try my best to answer any of your

176
00:12:02,170 --> 00:12:02,770
questions.

177
00:12:03,040 --> 00:12:06,850
So do like, share and subscribe to the channel so that you can be kept abreast of the latest

178
00:12:06,850 --> 00:12:07,650
cybersecurity tutorial.

179
00:12:07,870 --> 00:12:09,340
Thank you so much once again for watching.
