--Temporal trends = show patterns related to time. Eg; a breach that happens late on a Friday night, when traffic is low and not many people are working, most likely
will not be detected until 3 days later.
--Spatial trends = exist in a specific place/region. It is a common practice, for instance, to give staff members a “burner” laptop when they travel to
certain countries. This device is not allowed to connect to the corporate network, stores a limited set of files, and is digitally wiped immediately upon
the user’s return. This practice is the result of observing a trend of sophisticated compromises of devices traveling to particular countries. Another
example would be the increasing connection of devices to free Wi-Fi networks at local coffee shops.
*trend analysis helps predict future events, and historical analysis helps compare new observations to past ones.
• Heuristics
-Heuristic analysis focuses on behaviors, allowing a tool using it to identify malware behaviors instead of looking for a specific package.
-Heuristic detection is used to detect threats based on their behavior. Unlike signature detection, heuristic detection can detect unknown threats since it focuses on what
the threat does rather than attempting to match it to a known fingerprint.
-Antimalware tools often use heuristic analysis to analyze suspected malware and so detect unknown malware.
• Anomaly
-Anomaly analysis looks for differences from established patterns or expected behaviors (the baseline). Anomaly detection requires knowledge of what
“normal” is, captured in a base model, in order to identify differences. IDSs and IPSs often use anomaly detection as part of their detection methods.
- Reverse engineering
- Reverse engineering malware requires using tools like disassemblers, debuggers, monitoring tools, unpackers, and code and binary analysis tools to
pull apart malware packages to determine what they do, who wrote them, and other details of their functionality and construction.
- Common types of tools used for reverse engineering:
(i) Debuggers - allow you to run programs in a controlled environment, modifying variables and how the program is running, including adding
stop points and monitoring what it is doing.
(ii) Disassemblers - used to convert machine code into assembly language, whereas decompilers attempt to convert machine code into a high-level
language like C or Java.
(iii) Unpackers and packer identifiers - used to identify what packing and encryption techniques were used to obfuscate a program and then to
undo the packing process.
(iv) System monitoring tools - used to monitor impact to a system like changes to the filesystem, registry, or other settings or configuration
changes.
- Memory analysis
-For Windows systems, the built-in Resource Monitor (resmon) is a useful tool: it shows processes, PIDs, and the memory being used.
-For Linux, use the 'top' or 'ps' command-line tools.
* Tools like Amazon's AWS Inspector check for expected behaviors and settings and then flag when they aren't correct.
- File system monitoring
-Monitoring filesystems can help detect unauthorized or unexpected changes.
-Tools like Tripwire, OSSEC, and commercial host intrusion detection system (HIDS) tools are used to monitor and report on filesystem changes.
- Uniform Resource Locator (URL) and Domain name system (DNS) analysis
-URLs (uniform resource locators) are used to point web browsers and other tools to their destinations. That means that you need to know how to
identify suspect URLs and the domains that they may point to.
-Manual analysis starts with a review of the URL itself. Does it appear to be a legitimate domain name, or does it have suspect elements like a
deceptive hostname or domain name, or an uncommon top-level domain (TLD)?
-Google's Safe Browsing tool (safebrowsing.google.com) is one example of a tool that analyzes URLs. It also provides information about malicious
content hosted on domains, allowing domain administrators to receive notifications if their domains are hosting malware.
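As an added example (not from these notes), a small Python helper that performs this first-pass manual review: it flags credentials hiding the real host, a raw IP host, an uncommon TLD, and a brand name used outside the registrable domain. The TLD list, the brand list and the sample URLs are constructed assumptions.

```python
from urllib.parse import urlsplit
import ipaddress

# Assumed for illustration: TLDs the organisation treats as common; others get flagged.
COMMON_TLDS = {"com", "org", "net", "edu", "gov"}
# Assumed for illustration: brand names that should only appear as the registrable domain.
PROTECTED_BRANDS = {"paypal", "microsoft", "example-bank"}


def registrable_domain(host: str) -> str:
    """Last two labels of the host (e.g. 'paypal.com'). Simplification: multi-part
    public suffixes such as co.uk are not handled here."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def suspect_url_elements(url: str) -> list:
    """Human-readable findings for a URL; an empty list means nothing stood out."""
    findings = []
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if parts.username is not None:
        # 'https://bank.example@evil.example/': the real host is what follows the '@'.
        findings.append(f"credentials before '@' hide the real host '{host}'")
    try:
        ipaddress.ip_address(host)
        findings.append("host is a raw IP address rather than a domain name")
        return findings  # no domain-name checks apply to an IP literal
    except ValueError:
        pass
    tld = host.rsplit(".", 1)[-1]
    if tld and tld not in COMMON_TLDS:
        findings.append(f"uncommon top-level domain '.{tld}'")
    reg = registrable_domain(host)
    for brand in PROTECTED_BRANDS:
        if brand in host and not reg.startswith(brand + "."):
            # e.g. paypal.com.login-secure.xyz or secure-paypal.xyz
            findings.append(f"deceptive hostname: '{brand}' appears but the registrable domain is '{reg}'")
        elif brand not in host and brand in parts.path.lower():
            findings.append(f"brand '{brand}' appears only in the URL path")
    return findings


if __name__ == "__main__":
    for sample in ("https://www.paypal.com/signin", "http://paypal.com.login-secure.xyz/verify"):
        print(sample, "->", suspect_url_elements(sample) or ["nothing suspect"])
```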
- Malware
-Identifying malware on your network through packet and protocol analysis relies on a strong knowledge of what traffic should look like and what
behaviors and content are abnormal.
-Finding malware traffic when you can't see the content of the packets due to encryption can be more challenging. In cases where packets are
encrypted, you may have to rely on behavior-based analysis by looking at traffic patterns that are indicative of malware like visiting known-bad sites,
sending unexpected traffic on uncommon ports, or other abnormal behaviors.
• Log review
Security analysts need to know what logs exist by default on systems, how to access them, how to find information about the content of those logs,
and how to interpret that content.
- Event logs
- Windows event log can be viewed directly on workstations using the Event Viewer.
- By default, Windows includes Application, Security, Setup, and System logs, which can all be useful for analysts.
- Syslog
-Used by Linux, typically in the /var/log directory.
-Eg; the auth.log file records sudo events and other enabled authentication logging on a Linux server, supporting the auditing and analysis of login events.
Do research.
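Added example, not from these notes: Python that pulls failed logins per source IP, accepted logins and sudo events out of constructed auth.log lines. The regexes assume the OpenSSH and sudo message formats shown in the sample.

```python
import re
from collections import Counter

# Constructed sample lines in auth.log style (not a real server's log).
SAMPLE_AUTH_LOG = """\
Mar  3 23:41:02 host1 sshd[2210]: Failed password for invalid user admin from 198.51.100.23 port 51122 ssh2
Mar  3 23:41:05 host1 sshd[2211]: Failed password for root from 198.51.100.23 port 51130 ssh2
Mar  3 23:41:09 host1 sshd[2212]: Accepted publickey for alice from 192.0.2.10 port 40022 ssh2
Mar  3 23:42:17 host1 sshd[2213]: Failed password for invalid user test from 203.0.113.7 port 33001 ssh2
Mar  3 23:42:40 host1 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/systemctl restart sshd
Mar  3 23:43:01 host1 sshd[2215]: Failed password for root from 198.51.100.23 port 51140 ssh2
"""

# Assumed message formats (OpenSSH and sudo as in the sample above).
FAILED_RE = re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+) port \d+")
ACCEPTED_RE = re.compile(r"sshd\[\d+\]: Accepted (\S+) for (\S+) from (\S+) port \d+")
SUDO_RE = re.compile(r" sudo:\s+(\S+) : .*USER=(\S+) ; COMMAND=(.*)$")


def failed_logins_by_ip(log_text: str) -> Counter:
    """Count failed password attempts per source IP (brute-force / password-spray indicator)."""
    return Counter(m.group(2) for line in log_text.splitlines() if (m := FAILED_RE.search(line)))


def accepted_logins(log_text: str) -> list:
    """(method, user, source_ip) for each successful SSH login."""
    return [m.groups() for line in log_text.splitlines() if (m := ACCEPTED_RE.search(line))]


def sudo_events(log_text: str) -> list:
    """(invoking_user, target_user, command) for each sudo event."""
    return [m.groups() for line in log_text.splitlines() if (m := SUDO_RE.search(line))]


def review_auth_log(log_text: str, fail_threshold: int = 3) -> dict:
    """What an analyst pulls out first: noisy sources, who got in, and what ran as root."""
    failures = failed_logins_by_ip(log_text)
    return {
        "noisy_sources": [ip for ip, n in failures.most_common() if n >= fail_threshold],
        "accepted": accepted_logins(log_text),
        "sudo": sudo_events(log_text),
    }


if __name__ == "__main__":
    for key, value in review_auth_log(SAMPLE_AUTH_LOG).items():
        print(key, value)
```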
- Firewall logs
-They typically identify the source and destination IP address, the port and protocol, and what action was taken on the traffic.
- Proxy logs
-Proxies are often used to either centralize access traffic or to filter traffic. Thus, proxy logs will contain the source and destination IP address, the
source and destination port, the requested resource, the date and time, and often the content type and HTTP referrer as well as details about the
content, such as the amount of traffic that was sent.
-When analyzing proxy logs, you should look for data such as the target host IP, the HTTP request method, and unusual user agents and protocol versions.
*SNORT - open source NIDS/NIPS. Snort rules have 2 parts: the header and the options.
The header holds the action (alert or drop), protocol, IPs, port numbers, and direction, while the options specify what to look for in the content and the message to display to the user.
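Added example, not from these notes: a Python parser that splits a Snort rule into the header fields and the options listed above. The sample rule and its sid are constructed, and the parser assumes the classic one-line rule syntax.

```python
import re

# Constructed sample rule; sid 1000001 is in the local-rule range, not an official rule id.
SAMPLE_RULE = (
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 80 '
    '(msg:"Constructed example - suspicious user agent"; flow:to_server,established; '
    'content:"User-Agent|3a| evil-bot"; nocase; sid:1000001; rev:1;)'
)

HEADER_FIELDS = ("action", "protocol", "src_ip", "src_port", "direction", "dst_ip", "dst_port")


def parse_snort_rule(rule: str) -> dict:
    """Return {'header': {...}, 'options': [(keyword, value_or_None), ...]}."""
    rule = rule.strip()
    open_paren = rule.find("(")
    if open_paren == -1 or not rule.endswith(")"):
        raise ValueError("rule must end with an options block in parentheses")
    header_tokens = rule[:open_paren].split()
    if len(header_tokens) != len(HEADER_FIELDS):
        raise ValueError(f"expected {len(HEADER_FIELDS)} header tokens, got {len(header_tokens)}")
    header = dict(zip(HEADER_FIELDS, header_tokens))
    if header["direction"] not in ("->", "<>"):
        raise ValueError(f"bad direction operator {header['direction']!r}")
    # Options are ';'-separated, but ';' may also appear inside quoted values,
    # so split only on semicolons that are followed by an even number of quotes.
    body = rule[open_paren + 1:-1]
    options = []
    for raw in re.split(r';(?=(?:[^"]*"[^"]*")*[^"]*$)', body):
        raw = raw.strip()
        if not raw:
            continue
        keyword, sep, value = raw.partition(":")
        options.append((keyword.strip(), value.strip().strip('"') if sep else None))
    return {"header": header, "options": options}


def rule_summary(rule: str) -> str:
    """One line an analyst can read: where the rule looks and what it reports."""
    parsed = parse_snort_rule(rule)
    h = parsed["header"]
    opts = dict(o for o in parsed["options"] if o[1] is not None)
    return (f"{h['action']} {h['protocol']} {h['src_ip']}:{h['src_port']} {h['direction']} "
            f"{h['dst_ip']}:{h['dst_port']} sid={opts.get('sid')} msg={opts.get('msg')!r}")


if __name__ == "__main__":
    print(rule_summary(SAMPLE_RULE))
```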
• Impact analysis
The results of an attack are referred to as impact.
-A localized impact = the scope is limited to a single department, small user group, or one or two systems.
- Dashboard
-SIEM systems typically provide the ability to create a dashboard, which shows the status of rules, data sources, actions taken, and other critical
operational and analytic information that the SIEM provides.
• Query writing
-The ability to query for terms of interest when searching data is a core function of any data aggregation platform.
- String search
- The platform’s features and functions are often heavily driven by searches.
-Search languages - Splunk Search Processing Language (SPL), Kibana Query Language (KQL), and Apache Lucene
-Each of these languages lets analysts move from simple string searches or queries for terms of interest to more advanced search techniques using
Boolean logic.
- Script
-Depending on the platform used, you may be able to search and then perform automated actions such as alert delivery via scripting.
-The most commonly supported types include shell, batch, Perl, and Python scripts.
-When creating automation scripts, use the appropriate working directories, configure the environment correctly, and ensure that arguments are
passed correctly. Eg; use a script to initiate searches and retrieve results automatically.
- Piping
-Passing data using built-in system functionality such as piping and redirection can be used to test functionality quickly or for low-volume
processing.
-Piping is a useful function in that it enables the standard output (stdout) of a command to be connected to the standard input (stdin) of another
command.
• E-mail analysis
- Malicious payload
-Attackers attach a malicious file to an e-mail or conceal malware inside document, zip, or PDF files.
-Attackers embed a malicious script or macro into a legitimate-looking document and try to trick the user into enabling functionality to get their
malware in the door.
-Upon receiving a message, the destination server will look up the previously published public key and use this key to verify the message.
-With this process, DKIM can effectively protect against spam and spoofing, and it can also alert recipients to the possibility of message tampering.
-Importantly, DKIM is not intended to give insight into the intent of the sender, protect against tampering after verification, or prescribe any actions
for the recipient to take in the event of a verification failure.
-Do research
- Phishing
-In a social engineering campaign, an attacker uses deception, often influenced by the profile they’ve built about the target, to
manipulate the target into performing an act that may not be in their best interest.
-Despite the most advanced technical countermeasures, the human element remains the most vulnerable part of the network.
- Forwarding
-Users provide the most useful information to a security team by forwarding an e-mail in its entirety, with headers and body intact, rather than just
copying and pasting the text within the e-mail. Users can also attach multiple e-mails to a forwarded message.
- Digital signature
- A digital signature provides verification of the sender’s authenticity, message integrity, and nonrepudiation (the assurance that a sender
cannot deny having sent a message).
-This kind of signature requires the presence of public and private cryptographic keys.
- S/MIME and PGP can both provide authentication, message integrity, and nonrepudiation. In practice, S/MIME is often used in commercial settings,
while PGP tends to be used by individuals.
- Embedded links
-Some security devices perform real-time analysis of inbound messages for the presence of URLs and domains and modify the messages so that links
are either disabled or redirected to a valid domain.
- Impersonation
-Impersonation attacks are highly targeted efforts designed to trick victims into performing actions such as wiring money to attacker accounts.
-By pretending to be a CEO, for example, an attacker may use tailored language to convince her targets to perform the requested task without thinking
twice.
-Key staff must be aware of current attacker trends and take the required training to resist them.
- Header
-An e-mail header is the portion of a message that contains details about the sender, the route taken, and the recipient.
-Analysts can use this information to detect spoofed or suspicious e-mails that have made it past filters.
-Note that the SPF and DKIM verdicts are also captured in the header information along with the addresses of the various servers.
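Added example, not from these notes: Python that reads a constructed header block and pulls out the sender domains, the route from the Received lines, and the SPF/DKIM verdicts from Authentication-Results, then lists the mismatches an analyst would check on a message that got past the filters. All hosts, addresses and domains are made up.

```python
from email import message_from_string
from email.utils import parseaddr
import re

# Constructed header block; all hosts, addresses and domains are made up.
SAMPLE_HEADERS = """\
Return-Path: <bounce@mail.bulk-sender.example>
Received: from mx1.corp.example (mx1.corp.example [192.0.2.5])
 by inbox.corp.example with ESMTP id abc123; Fri, 3 Mar 2023 23:40:11 +0000
Received: from relay.bulk-sender.example (relay.bulk-sender.example [198.51.100.40])
 by mx1.corp.example with ESMTPS id def456; Fri, 3 Mar 2023 23:40:09 +0000
Authentication-Results: mx1.corp.example;
 spf=fail smtp.mailfrom=bulk-sender.example;
 dkim=fail header.d=corp.example
From: "CEO" <ceo@corp.example>
Reply-To: ceo.urgent@freemail.example
To: finance@corp.example
Subject: Urgent wire transfer
"""


def _domain(addr_header) -> str:
    """Domain part of an address header such as From or Return-Path ('' if absent)."""
    return parseaddr(addr_header or "")[1].rpartition("@")[2].lower()


def email_header_review(raw: str) -> dict:
    """Sender details, the route taken (newest hop first) and the SPF/DKIM verdicts."""
    msg = message_from_string(raw)
    # Each relay prepends its own Received line, so get_all() reads newest-first.
    route = [m.group(1) for h in msg.get_all("Received", []) if (m := re.search(r"from (\S+)", h))]
    auth = " ".join(msg.get_all("Authentication-Results", []))
    verdicts = {k.lower(): v.lower() for k, v in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", auth, re.I)}
    return {"from_domain": _domain(msg.get("From")), "return_path_domain": _domain(msg.get("Return-Path")),
            "reply_to_domain": _domain(msg.get("Reply-To")), "route": route, "verdicts": verdicts}


def spoof_indicators(raw: str) -> list:
    """Header facts that justify a closer look at a message that got past the filters."""
    r = email_header_review(raw)
    found = []
    if r["return_path_domain"] and r["return_path_domain"] != r["from_domain"]:
        found.append("Return-Path domain differs from From domain")
    if r["reply_to_domain"] and r["reply_to_domain"] != r["from_domain"]:
        found.append("Reply-To domain differs from From domain")
    for check in ("spf", "dkim", "dmarc"):
        if r["verdicts"].get(check) in ("fail", "softfail", "permerror"):
            found.append(f"{check} verdict is {r['verdicts'][check]}")
    return found
```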