WEBVTT

00:00:00.000 --> 00:00:06.288 align:middle line:90%


00:00:06.288 --> 00:00:08.580 align:middle line:84%
In this video, we're going
to be going over what we can

00:00:08.580 --> 00:00:09.788 align:middle line:90%
learn from malicious hackers.

00:00:09.788 --> 00:00:12.670 align:middle line:90%


00:00:12.670 --> 00:00:14.560 align:middle line:84%
Now, as we learned in
the previous video,

00:00:14.560 --> 00:00:19.270 align:middle line:84%
hackers generally go through
a certain series of steps

00:00:19.270 --> 00:00:23.300 align:middle line:90%
in a very specific order.

00:00:23.300 --> 00:00:26.850 align:middle line:84%
And this order is called
the five phases of hacking.

00:00:26.850 --> 00:00:31.580 align:middle line:84%
So let's go over what we can
actually learn from this.

00:00:31.580 --> 00:00:36.740 align:middle line:84%
So understanding the methodology
is going to be huge for us.

00:00:36.740 --> 00:00:40.730 align:middle line:84%
The order of the attacks,
how these attacks work,

00:00:40.730 --> 00:00:43.280 align:middle line:84%
and the type of attacks,
all these things

00:00:43.280 --> 00:00:46.010 align:middle line:84%
are going to help us in
order to secure ourselves.

00:00:46.010 --> 00:00:48.850 align:middle line:90%
So let's break this down.

00:00:48.850 --> 00:00:52.300 align:middle line:84%
Understanding the type of
scanning that hackers could

00:00:52.300 --> 00:00:56.700 align:middle line:84%
use, the things
that they're trying

00:00:56.700 --> 00:01:00.420 align:middle line:84%
to probe our networks for,
things like open ports,

00:01:00.420 --> 00:01:04.870 align:middle line:84%
IP addresses, we could use
this to train our users.

00:01:04.870 --> 00:01:10.250 align:middle line:84%
And we could also view our
network as a bad actor.

00:01:10.250 --> 00:01:14.800 align:middle line:84%
So in the reconnaissance
phase, what type of information

00:01:14.800 --> 00:01:16.235 align:middle line:90%
are they looking for?

00:01:16.235 --> 00:01:17.860 align:middle line:84%
Knowing the type of
information they're

00:01:17.860 --> 00:01:19.652 align:middle line:84%
looking for during the
reconnaissance phase

00:01:19.652 --> 00:01:21.850 align:middle line:84%
can help us identify the
type of information hackers

00:01:21.850 --> 00:01:24.320 align:middle line:90%
are going to be looking for.

00:01:24.320 --> 00:01:29.740 align:middle line:84%
This gives us an opportunity to
try to minimise our exposure.

00:01:29.740 --> 00:01:31.900 align:middle line:84%
We can begin locking down
our information that's

00:01:31.900 --> 00:01:34.910 align:middle line:84%
being shared on things like
social media, our websites,

00:01:34.910 --> 00:01:40.270 align:middle line:84%
and whatnot as we tend to
leak a lot of information

00:01:40.270 --> 00:01:43.650 align:middle line:90%
if we're not careful.

00:01:43.650 --> 00:01:46.310 align:middle line:84%
We also want to be wary of the
type of photos that we share,

00:01:46.310 --> 00:01:48.590 align:middle line:84%
details on our calendars,
and other items that

00:01:48.590 --> 00:01:50.420 align:middle line:90%
could be used against us.

00:01:50.420 --> 00:01:53.090 align:middle line:84%
Now, a prime example
of this would be

00:01:53.090 --> 00:01:54.830 align:middle line:90%
you put a new server room in.

00:01:54.830 --> 00:01:58.280 align:middle line:84%
You put your new servers in,
new network switches, whatnot.

00:01:58.280 --> 00:02:02.180 align:middle line:84%
You're really proud, and
you post a photo online.

00:02:02.180 --> 00:02:05.810 align:middle line:84%
Now, a malicious hacker
doing reconnaissance,

00:02:05.810 --> 00:02:08.943 align:middle line:84%
finding that photo,
what type of information

00:02:08.943 --> 00:02:09.860 align:middle line:90%
are they going to get?

00:02:09.860 --> 00:02:12.080 align:middle line:84%
Well, they're going to
know what type of switches

00:02:12.080 --> 00:02:14.300 align:middle line:84%
you're using, what
type of servers

00:02:14.300 --> 00:02:17.540 align:middle line:84%
you're running, how many
servers you're running,

00:02:17.540 --> 00:02:20.570 align:middle line:90%
at least in that area there.

00:02:20.570 --> 00:02:23.090 align:middle line:84%
Things like that are going
to actually help the hacker

00:02:23.090 --> 00:02:24.043 align:middle line:90%
map your network.

00:02:24.043 --> 00:02:26.210 align:middle line:84%
So you do want to be careful
about things like that.

00:02:26.210 --> 00:02:29.210 align:middle line:84%
Things like sharing
your calendar, if you're

00:02:29.210 --> 00:02:33.110 align:middle line:84%
sharing that, well, we're
doing an upgrade on this date,

00:02:33.110 --> 00:02:35.660 align:middle line:84%
then that can actually help a
hacker break into your network,

00:02:35.660 --> 00:02:40.700 align:middle line:84%
or things like, well, so-and-so
is going to be on vacation.

00:02:40.700 --> 00:02:43.820 align:middle line:84%
A hacker might actually
spoof an email,

00:02:43.820 --> 00:02:47.450 align:middle line:84%
send a spear phishing email out
under that person's account,

00:02:47.450 --> 00:02:49.430 align:middle line:84%
and try to get more
information or access.

00:02:49.430 --> 00:02:52.390 align:middle line:90%


00:02:52.390 --> 00:02:55.500 align:middle line:84%
Now, the next
phase, scanning, we

00:02:55.500 --> 00:02:57.430 align:middle line:84%
can use the same
tools hackers use

00:02:57.430 --> 00:03:01.290 align:middle line:84%
to scan our own networks
to try to find things

00:03:01.290 --> 00:03:04.040 align:middle line:90%
a malicious hacker would find.

00:03:04.040 --> 00:03:05.600 align:middle line:84%
In doing these
scans, we can also

00:03:05.600 --> 00:03:07.220 align:middle line:84%
potentially find
vulnerabilities that

00:03:07.220 --> 00:03:09.360 align:middle line:90%
would otherwise be exploited.

00:03:09.360 --> 00:03:13.790 align:middle line:84%
Now, if we find potential
vulnerabilities that come up

00:03:13.790 --> 00:03:16.130 align:middle line:84%
in a network scan or
vulnerability scan,

00:03:16.130 --> 00:03:19.070 align:middle line:84%
we do want to test those and
verify that they actually

00:03:19.070 --> 00:03:23.105 align:middle line:84%
are real vulnerabilities,
and not a false positive.

00:03:23.105 --> 00:03:25.980 align:middle line:84%
The next step is when
we find these things,

00:03:25.980 --> 00:03:28.050 align:middle line:84%
we want to make
sure that we patch,

00:03:28.050 --> 00:03:30.600 align:middle line:84%
update firmware, whatnot
to try to mitigate

00:03:30.600 --> 00:03:32.175 align:middle line:90%
and prevent a data breach.

00:03:32.175 --> 00:03:35.210 align:middle line:90%


00:03:35.210 --> 00:03:38.270 align:middle line:84%
Gaining access -
so in this phase,

00:03:38.270 --> 00:03:40.670 align:middle line:84%
a hacker is going to try to
actually go out and break

00:03:40.670 --> 00:03:41.970 align:middle line:90%
into your network.

00:03:41.970 --> 00:03:45.830 align:middle line:84%
So what we want to
do is we want to take

00:03:45.830 --> 00:03:47.060 align:middle line:90%
a look at the previous steps.

00:03:47.060 --> 00:03:49.102 align:middle line:84%
We want to follow the
previous steps of scanning,

00:03:49.102 --> 00:03:51.860 align:middle line:84%
identifying, patching,
and mitigating, because this

00:03:51.860 --> 00:03:54.840 align:middle line:84%
is largely going to help
stop this particular phase,

00:03:54.840 --> 00:03:57.360 align:middle line:90%
the gaining access phase.

00:03:57.360 --> 00:03:59.550 align:middle line:84%
Another important
thing is training,

00:03:59.550 --> 00:04:01.440 align:middle line:84%
as another key avenue
for a malicious hacker is

00:04:01.440 --> 00:04:04.480 align:middle line:90%
to exploit our users.

00:04:04.480 --> 00:04:08.730 align:middle line:84%
So unfortunately, we can't
apply a patch to our users

00:04:08.730 --> 00:04:11.893 align:middle line:84%
like we can our servers,
our switches, or whatnot.

00:04:11.893 --> 00:04:13.560 align:middle line:84%
So we do want to make
sure that we train

00:04:13.560 --> 00:04:16.350 align:middle line:90%
our users on best practices.

00:04:16.350 --> 00:04:20.130 align:middle line:84%
Now, how you train your
users, you generally

00:04:20.130 --> 00:04:22.019 align:middle line:84%
want to make sure that
it's informational,

00:04:22.019 --> 00:04:25.260 align:middle line:84%
but not going to be so
overwhelming that the users

00:04:25.260 --> 00:04:29.160 align:middle line:84%
aren't going to understand
it, or so draconian

00:04:29.160 --> 00:04:30.840 align:middle line:84%
that users
really are going

00:04:30.840 --> 00:04:35.060 align:middle line:84%
to push back against actually
following these procedures.

00:04:35.060 --> 00:04:36.860 align:middle line:84%
It's got to be
user-friendly, and it's

00:04:36.860 --> 00:04:40.450 align:middle line:84%
got to be easy to understand
and very accessible.

00:04:40.450 --> 00:04:45.210 align:middle line:84%
But again, well-trained
users understand

00:04:45.210 --> 00:04:46.740 align:middle line:90%
why security is important.

00:04:46.740 --> 00:04:50.170 align:middle line:84%
It's going to be huge in
securing your network.

00:04:50.170 --> 00:04:52.960 align:middle line:84%
And in the worst case
scenario, develop a plan

00:04:52.960 --> 00:04:54.910 align:middle line:84%
for how, if your network
gets breached,

00:04:54.910 --> 00:04:57.472 align:middle line:84%
you can identify it,
and recover and mitigate it

00:04:57.472 --> 00:04:58.055 align:middle line:90%
in the future.

00:04:58.055 --> 00:05:00.840 align:middle line:90%


00:05:00.840 --> 00:05:04.170 align:middle line:84%
Maintaining access - so
in this phase, as we know,

00:05:04.170 --> 00:05:06.780 align:middle line:84%
hackers will try to
maintain their access.

00:05:06.780 --> 00:05:08.820 align:middle line:90%
So what can we do in this phase?

00:05:08.820 --> 00:05:10.830 align:middle line:84%
We want to keep an
eye on our log files

00:05:10.830 --> 00:05:13.320 align:middle line:84%
for suspicious activities,
such as missing

00:05:13.320 --> 00:05:16.360 align:middle line:90%
entries, or odd login hours.

00:05:16.360 --> 00:05:18.100 align:middle line:84%
It also helps to
audit your users.

00:05:18.100 --> 00:05:21.610 align:middle line:84%
Keep an eye out for unknown
admin accounts and unusual

00:05:21.610 --> 00:05:26.020 align:middle line:84%
login times, especially if users
are logging in after hours when

00:05:26.020 --> 00:05:27.910 align:middle line:90%
they normally don't.

00:05:27.910 --> 00:05:30.355 align:middle line:84%
These might be flags
that a malicious hacker

00:05:30.355 --> 00:05:32.190 align:middle line:90%
is on your network.

00:05:32.190 --> 00:05:35.790 align:middle line:84%
Also, we want to run regular
security checks on our servers,

00:05:35.790 --> 00:05:38.370 align:middle line:84%
and our workstations to help
keep our network safe.

00:05:38.370 --> 00:05:41.590 align:middle line:90%


00:05:41.590 --> 00:05:44.860 align:middle line:84%
And the last phase is
hackers will generally

00:05:44.860 --> 00:05:46.930 align:middle line:90%
try to clear their tracks.

00:05:46.930 --> 00:05:49.330 align:middle line:90%
So be sure to read your logs.

00:05:49.330 --> 00:05:53.020 align:middle line:84%
Also, you'll probably want
to have a backup of your logs.

00:05:53.020 --> 00:05:55.660 align:middle line:84%
That way if someone
does tamper with it,

00:05:55.660 --> 00:05:58.510 align:middle line:84%
you can potentially
get a good copy of it,

00:05:58.510 --> 00:06:00.010 align:middle line:90%
and find out what happened.

00:06:00.010 --> 00:06:02.680 align:middle line:84%
And try to go
through periodically

00:06:02.680 --> 00:06:06.340 align:middle line:84%
and verify any sort
of tampering - again,

00:06:06.340 --> 00:06:10.220 align:middle line:84%
missing entries, odd
timestamps, things like that.

00:06:10.220 --> 00:06:12.670 align:middle line:84%
If you're missing certain
times, then someone

00:06:12.670 --> 00:06:15.700 align:middle line:84%
may have gone in there and
started deleting the logs

00:06:15.700 --> 00:06:19.040 align:middle line:84%
showing that they were ever
on your network.

00:06:19.040 --> 00:06:23.030 align:middle line:84%
So in wrapping up, the five
phases are very important.

00:06:23.030 --> 00:06:24.880 align:middle line:84%
You want to pay attention
to the five phases

00:06:24.880 --> 00:06:26.920 align:middle line:84%
a hacker is going
to use against you.

00:06:26.920 --> 00:06:29.230 align:middle line:84%
Understanding these phases
will help us understand

00:06:29.230 --> 00:06:32.720 align:middle line:90%
a hacker's methodology.

00:06:32.720 --> 00:06:35.090 align:middle line:84%
Also, we can use
many of the tools

00:06:35.090 --> 00:06:37.520 align:middle line:84%
that they're going to
use to help identify

00:06:37.520 --> 00:06:40.560 align:middle line:90%
exploits on our own network.

00:06:40.560 --> 00:06:42.060 align:middle line:84%
We want to try to
learn from this.

00:06:42.060 --> 00:06:44.370 align:middle line:84%
And we want to try to tidy
up our online presence

00:06:44.370 --> 00:06:46.780 align:middle line:84%
and mitigate as
much as possible.

00:06:46.780 --> 00:06:49.620 align:middle line:84%
In other words, reduce
our attack surface.

00:06:49.620 --> 00:06:51.330 align:middle line:84%
And also, we want to
make sure that we're

00:06:51.330 --> 00:06:54.390 align:middle line:84%
patching and practicing
best security practices.

00:06:54.390 --> 00:06:56.985 align:middle line:90%


00:06:56.985 --> 00:06:58.360 align:middle line:84%
So in the next
video, we're going

00:06:58.360 --> 00:07:00.832 align:middle line:84%
to take a look at scanning
tools and methodology.

00:07:00.832 --> 00:07:01.790 align:middle line:90%
Thank you for watching.

00:07:01.790 --> 00:07:03.840 align:middle line:90%
I'll see you in the next video.

00:07:03.840 --> 00:07:05.000 align:middle line:90%