The Cyber Pilfer Chain: detecting and disrupting post-exploitation data theft

Published on 2023-07-28 ● Video link: https://www.youtube.com/watch?v=6TeqSjNmRQo
Duration: 28:52


SANS Blue Team Summit 2023
Speaker: Gerard Johansen, Manager - Incident Handling, Red Canary

At the center of many network intrusions is data theft. From confidential research to customer data, the lifeblood of many organizations is often put up for sale to the highest bidder or held hostage by ransomware gangs. As post-exploitation activity, data theft follows a kill chain of its own: threat actors need to identify data to compromise, access it, aggregate it and finally get it out of the environment. Much like the Cyber Kill Chain, each of these stages gives defenders an opportunity to stop or otherwise inhibit a threat actor's ability to exfiltrate pilfered data. In this talk, Gerard Johansen will cover the four key phases of the Cyber Pilfer Chain:
- Discovery: How do threat actors find your open shares and other data repositories? This section will focus on how threat actors use post-exploitation tools to identify vulnerable data.
- Access: How do threat actors gain access to open shares? Valid credentials are critical in this phase. This section will focus on why detecting malicious credential use is critical to detecting data theft.
- Aggregation: Threat actors will leverage a compromised system or systems to aggregate the data they have collected. There they can compress the data and prepare it for exfiltration.
- Exfiltration: Threat actors use a variety of methods to get the data out of the network. This section will focus on network Courses of Action.

For each of these stages, common threat actor TTPs are discussed along with Courses of Action that blue teams can take to prevent the theft of data. The overall goal is to understand how threat actors carry out data exfiltration and to examine the ways blue teams can identify their activity and shut it down before those confidential memos are up on Pastebin.

View upcoming Summits: http://www.sans.org/u/DuS
