looking at all that data there could be. Okay, we've got some IOCs. We see some evidence that information is now coming from and going to some of our systems, and we need to do something about this.
One of the most insidious things to try and track down and eradicate would be a key logger. A key logger is a tremendous advantage for the attacker because they can capture credentials directly. They don't have to worry about breaking encryption or cracking passwords, because they've got a presence on the victim machine and they just capture the keystrokes as they happen. The act of installing the key logger, or the moment when the key logger tries to send its data back to the attacker, might generate additional activity on the network, which could then be used to point to that activity as an IOC.
The same thing could be said about a remote access Trojan. This is exceptionally dangerous if it happens in your environment, and really it's a very challenging goal for the attacker as well. But if a RAT does in fact infect the victim's machine, the attacker may gain complete, full control, as if they were sitting right there in front of it: they've got control of the mouse, they've got control of the keyboard. Depending on how and when the attack takes place, the intruder may also be lucky, and the victim was logged in with an escalated-privilege account when the attack occurred. So if the victim was logged in as administrator or as root when the RAT takes control, now the intruder also has administrative or root privileges.
There could be detections of this activity, IOCs that are generated in order to say: we know that certain ports are in action, we saw certain data moving around, so that looks like a known RAT. Let's generate an IOC for this information and make it part of our knowledge base. Then there could be clues like applications that were not running before that are now running. When the victim returns to the machine, they see that some other programs have started, or perhaps programs that were running have been shoved out. There might be new services, or new network connections that were not there before, so any one of these might be investigated as a possible IOC.
Spyware takes many different forms, everything from monitoring all traffic coming in and out of the USB port. That's a great type of spyware if you're able to get it down onto a system: now a thumb drive or an external hard drive, and all the data going into and out of them, can be monitored. It's extremely useful for the attacker. Spyware also might be something more traditional, like trying to look at all of your email or trying to discover all of your web browsing history, since these can reveal tantalizing clues for the attacker to go further with their attempts to phish somebody, or steal an identity, or steal credentials.
For instance, if an attacker gains control of an email account, the victim might notice something's going on because it seems like they're not getting certain messages which they were assured had been sent. Maybe there's evidence of a bunch of messages being deleted, and the victim knows they didn't do that, so that raises suspicions yet again. Another trick with a compromised email account would be to try to figure out all of the websites that the victim goes to and then request password resets from those websites. The intruder would then intercept those password resets, change the password to something that they like, and then delete that email. Now the victim doesn't know that the password reset has even occurred, unless they have some other out-of-band notification, like a text to their mobile phone. That sometimes is done as a secondary check, just to make sure that the activity was authorized by the actual user.
Other types of spyware involve microphones and webcams. This has obvious implications for anyone working in a high-security environment, and one thing that could be done as a way of system hardening is to just administratively disable microphones and cameras when they're not needed. If they're not needed for official business purposes, they can just remain disabled. This gives a clue, however, once someone does the investigation and says, okay, I've determined that the web camera and microphone have been re-enabled. Therefore this is a possible IOC and should be investigated. You can kind of see how the common attack techniques might leave behind some clues or some residual information which can point to a compromise.
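As an added illustration (not code from the original lecture) of the "what was not there before" clues just described, the following Python compares a hardened baseline of a host against a later snapshot and flags new processes, new services, new listeners, and administratively disabled devices that have been re-enabled. The snapshot contents and device names are constructed sample data, not output from any real host.

```python
"""Baseline-diff check for the host-level clues discussed above: programs,
services and connections that were not there before, and a camera or
microphone that was administratively disabled but is enabled again."""
from dataclasses import dataclass


@dataclass
class Snapshot:
    processes: set   # running program names
    services: set    # installed/running service names
    listeners: set   # (proto, port) tuples the host is listening on
    devices: dict    # device name -> "enabled" / "disabled"


def diff_snapshots(baseline, current):
    """Return (category, detail) findings worth investigating as possible IOCs."""
    findings = []
    for name in sorted(current.processes - baseline.processes):
        findings.append(("new_process", name))
    for name in sorted(baseline.processes - current.processes):
        findings.append(("missing_process", name))   # something got shoved out
    for svc in sorted(current.services - baseline.services):
        findings.append(("new_service", svc))
    for proto, port in sorted(current.listeners - baseline.listeners):
        findings.append(("new_listener", f"{proto}/{port}"))
    for dev, state in sorted(current.devices.items()):
        # Only a disabled -> enabled transition is a clue; always-on devices are not.
        if baseline.devices.get(dev) == "disabled" and state == "enabled":
            findings.append(("device_reenabled", dev))
    return findings


# Constructed sample data: the hardened baseline and a later snapshot of the same host.
BASELINE = Snapshot(
    processes={"explorer.exe", "outlook.exe", "teams.exe"},
    services={"wuauserv", "winmgmt"},
    listeners={("tcp", 135), ("tcp", 445)},
    devices={"camera": "disabled", "microphone": "disabled"},
)
CURRENT = Snapshot(
    processes={"explorer.exe", "outlook.exe", "helper.exe"},
    services={"wuauserv", "winmgmt", "RemoteHelperSvc"},
    listeners={("tcp", 135), ("tcp", 445), ("tcp", 5900)},
    devices={"camera": "enabled", "microphone": "disabled"},
)

if __name__ == "__main__":
    for category, detail in diff_snapshots(BASELINE, CURRENT):
        print(f"possible IOC: {category} -> {detail}")
```

In practice the snapshots would be populated from the host's process, service and socket listings and its device configuration, and each finding would be triaged rather than treated as a confirmed compromise.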
Then we move on to social engineering, one of my favorite topics. Social engineering is supposed to be most effective face to face, and the reasons for this are very wide and varied. But the main idea is that the social engineer can change their voice as needed, they can change their appearance as needed, and change their behavior as well, because they're trying to play a role as a component of the attack: putting on a uniform and carrying some equipment to make it look like you're an electrician or some other kind of repairman, or carrying a clipboard and a bunch of books to make it look like you're doing some auditing or some other kind of checking. Very simple things like this can be effective against an unwitting victim.
Now, how do we detect that? If you're the victim of a social engineering attack that's face to face, how would you notice that an attacker is interacting with you instead of a legitimate person? One of the easiest ways to do this is to think about people's different levels of sensitivity to the unusual, or to people that they might consider to be out of place. We've all heard the expression, you know, "I had a gut feeling about this person," or "I had a gut feeling about what they said." Gut feelings, typically, should be paid attention to, especially if you're working in an environment that has high security.
Perhaps the social engineer approaches the victim and asks for information which seems out of place. Responding with a simple question, such as "Who are you again? Can I see your badge? Who authorized you to request this information from me?", anything that constitutes some kind of a probing question back to the social engineer that's performing the attack, might reveal the fact that it is, in fact, an attack, because the engineer is most likely to try to change the subject, you know, leave the area so that they can escape from further questioning, or try to escalate the attack by claiming that they have authority given to them from someone else higher up the chain. You know, "If you don't help me with this, I'm going to report you to your boss," or the classic line, "Do you know who I am?" or "Do you know who I work for?" These intimidation tactics may be successful against a wide range of people. Not everybody is going to stand their ground and demand an answer, because they might not want to appear to be rude or uncooperative or unprofessional.
Other types of social engineering attacks take place over email. We might think of these as just phishing attacks, but generally there are some social engineering components: there's some kind of enticement, some kind of scenario, and maybe even the potential for danger. You get an email saying that your bank account has been shown to have suspicious activity, better log in right away and verify these transactions. A lot of people might click that link and take that action, not realizing that they've just been tricked into going to an imitation of their bank's website, which is only there to harvest their credentials. So, you know, it could be a powerful tool for this purpose. But on the other hand, frequently phishing emails or social engineering emails have mistakes in them. Could be missing words, or the email just has something that seems off about it; it doesn't appear to be an official correspondence from that vendor. So this goes back to the idea of getting proper security awareness training, testing people once in a while by performing phishing exercises, which are intended to elicit a response from the user, so that people can be better trained to say, okay, I did not click the link, therefore I passed the test. Someone else over here did click the link; they thought this was a legitimate email and they flunked the test. Now there's a learning opportunity, a learning moment there.
And lastly we have the telephone, probably one of the oldest tools for social engineering, because all the attacker has to do is focus on what they want to say, how they want to say it, how they want to use their voice. They might have a script in front of them with a bunch of topics, and the script might branch in different directions depending on the response of the victim. This is very similar to the way that telemarketers work, or anyone that sells: they've got a certain thing that they need to say, and then depending on what the victim says, or what their potential customer says, they can adapt their techniques. This could be a lot less challenging to do than doing this in person, because in person the attacker has to do the same task, they still have to adjust their verbal techniques, but they also have to control their body language and use it effectively. Whereas doing this over the phone does not require a strong sense of body language; you just have to keep your voice controlled so that it conveys the correct sentiment to the person on the other end.