00:04
So how do organizations' analysts
00:06
categorize suspicious activity once they've identified it?
00:11
There could be a lot of different questions that might be asked, but there are some high-level ones which make sense right off the bat.
00:16
It's certainly important to know if this was an insider or an outsider performing the attack,
00:22
or generating the threat, whichever methodology you want to use.
00:27
This brings us back to the importance of network-based detection
00:33
working in conjunction with host-based IDS and IPS.
00:37
This way you can see the events coming from the public Internet, for instance, maybe going through the DMZ,
00:44
trying to connect to systems that are within the intranet.
00:50
Those host-based and network-based detection methods will
00:54
provide good value once you can properly correlate that information.
00:57
Also, there should be some understanding of whether or not the
01:00
attacker was a regular user.
01:04
Did they perform their actions within a regular account,
01:08
thereby indicating that there are some other weaknesses in the environment that should be addressed?
01:15
Or were they able to escalate their privileges to become an administrator or root?
01:19
Studying the way that the privilege was escalated would reveal a lot of good information as well.
01:25
It could be that the attacker brought some tool
01:27
with them and implanted it on the victim's system, and that allowed them to escalate their privileges.
01:34
They might have taken advantage of an existing vulnerability on the victim's system.
01:40
Escalated privileges
01:41
should be well understood so that there could be
01:45
some indication of how powerful this adversary is.
01:49
What kind of capabilities do they have? What kind of tools are they using?
01:53
Maybe they are an individual, or maybe they are part of a larger group that's well funded,
01:59
perhaps even state-sponsored,
02:00
hacking from another country.
02:04
So once the capabilities are better understood, there could be another layer of analysis done to try to infer their intentions.
02:14
You could do this based on what was targeted.
02:15
If it's people, if it's
02:19
information in a database, if it's a denial of service attack,
02:23
maybe someone's trying to hijack
02:24
a session to a cloud computing environment
02:29
so they can get in with administrative credentials and destroy
02:31
the infrastructure that was
02:35
set up for the customer.
02:37
Maybe their intent is to deny service
02:39
for one particular user because they are spear phishing or whaling,
02:45
or the denial of service could be much broader in scope,
02:47
where there's a distributed denial of service
02:54
as part of a botnet that could be controlled to direct its traffic towards a public website or something of this nature.
03:01
In all these scenarios, it could be just one person doing the work.
03:07
More likely than not, with larger-scale attacks there are going to be more than one person, but not always.
03:13
These kinds of activities are very asymmetrical.
03:15
One person with enough skill and technique
03:20
can accomplish a lot of these goals by themselves.
03:23
Can't forget SQL injection.
03:25
It's a very powerful technique, which allows an adversary to get access to a back-end database.
03:31
The methods of doing it are quite widely varied. It could be
03:36
trying to inject SQL code into a login field or email field,
03:40
the phone number field, search field.
03:44
Any place on a public-facing
03:46
web app that does not
03:49
perform proper input validation could be vulnerable.
03:52
Input validation, as some of you already know,
03:55
is the process of examining input
04:01
to make sure that it conforms exactly to what the application expects.
04:06
For instance, if you were entering a phone number
04:10
in a field on a web form,
04:12
input validation should verify that you're only entering digits.
04:16
There should not be any letters.
04:17
There probably shouldn't be any special characters besides the dash and maybe parentheses.
04:24
Those are the only characters that make up
04:26
a phone number as it's normally represented.
04:30
So these are other indications that adversarial activity is taking place.
04:34
There might even be methods to use SQL injection to interact with the underlying operating system
04:41
to run commands in a shell, or to
04:44
do things like enumerate the network.
04:46
All these clues should be used in conjunction with other monitored events to see if
04:53
the adversary is doing something beyond what was initially anticipated.
05:00
As far as where the data comes from,
05:01
I already touched on the outer perimeter.
05:04
The network-based IDS and IPS can provide such a great amount of data because
05:10
you could monitor all the traffic into and out of your public-facing network like the DMZ,
05:17
between the DMZ zone and your intranet zone,
05:21
and any other adjacent security zones.
05:25
Network-based tools for this are invaluable,
05:29
and, as I pointed out before, sometimes
05:30
the NIDS or the NIPS is on either side of a firewall
05:34
to capture all the information going through from one zone to another, whichever direction it is.
05:45
This might also be correlated with network data, but
05:47
could also be correlated with antivirus
05:56
was installed on a host and tried to make a connection to call its command and control server.
06:02
Maybe the malware got quarantined,
06:04
and maybe the HIPS prevented the connection.
06:06
So there should be some logged events
06:10
for both of those different products to show that this actually occurred, and
06:14
to understand its significance in the greater examination.
06:20
And then we can't forget the SIEM device,
06:24
because all the other endpoints, like routers, firewalls, switches, proxies,
06:29
all these other things could also be sending some events, so that should be brought into
06:34
the network- and host-based data collection process to see if there's anything useful there
06:41
that could be used to help with the investigation.
06:46
Now, if we think about
06:47
incident response teams,
06:50
there are some considerations for how these should be used. As I pointed out in previous conversations, some decision-maker needs to decide whether to invoke the incident response team. That should not be taken lightly.
07:02
Credible information that proves that this incident goes beyond just some unrelated
07:12
So naturally, there are policies and procedures created
07:15
to notify all of the appropriate stakeholders.
07:18
This could be done through various means: simple email,
07:23
text messages going in conjunction with email, calling an emergency meeting.
07:30
The response will vary depending on the scope of the incident that's been discovered.
07:36
Once the incident response team has been put into motion, it's natural that some sort of triage will take place,
07:45
and this means that certain individuals will be
07:47
assuming an intermediary role between management
07:51
and the technical staff and perhaps even the
07:58
When a large-scale attack happens,
08:01
there needs to be good communication. For instance, senior management wants to know
08:05
that all the appropriate people are on the job and that they're doing what they're supposed to be doing.
08:09
They might also request updates every 15 minutes, every 30 minutes, every 60 minutes
08:15
to see what the progress is
08:16
for containment of the problem, or
08:20
even recovery or resolution of the problem.
08:24
So the persons doing the triage function
08:26
need to keep management informed.
08:28
But they also need to communicate with the people that are doing the technical work
08:31
to find out if they've managed to fix the problem yet, or if they've managed to discover the source of the infection, or
08:39
whether they have been able to keep the problem contained, and therefore it's not a danger to any other hosts on the network.
08:46
These are very important considerations,
08:50
be a primary focus of triage.
08:52
It has to keep everybody well informed: the technical people know what management wants, management knows what the technical people are finding out,
09:01
and maybe your public relations or your legal departments are also involved
09:05
because they've got to start preparing some response for a public announcement, perhaps.
09:13
Then lastly, we can think about malware reverse engineering.
09:18
One of the biggest requirements here is to make sure that
09:22
the sandbox or the reverse engineering lab is properly isolated,
09:28
because if malware is discovered,
09:30
it needs to be studied
09:31
in an environment that prohibits that malware from spreading to other systems.
09:39
The forensics workstation, or the forensics lab that might have multiple systems, should be
09:45
air-gapped from any other networks.
09:48
There should not be any path
09:50
from a production network to
09:52
the malware and forensics lab.
09:56
This makes all the sense; you don't want something accidentally spreading to
10:01
production systems if it was already isolated in quarantine.
10:05
Typically, virtual machines are used for this purpose
10:09
because it's very easy to set them up with very restrictive networking
10:13
so that the malware can now be studied in its natural habitat, so to speak.
10:18
The malware might be allowed to run,
10:20
and various monitoring solutions are put into place to see what kind of network connections it's making,
10:26
to see which domain names or IP addresses are
10:30
encoded in the malware, perhaps to contact a command and control system.
10:37
So the behavior of the malware
10:39
should indicate what it's trying to do, if it's trying to change registry settings,
10:46
change system configuration files, and so on.
10:50
So if the code can be brought into a disassembler or a debugger,
10:56
it might be able to be examined
10:58
in a static mode. This means that the program's not running
11:03
and the code is looked at.
11:05
Like what we're seeing in the image here: you've got a bunch of HTML, you've got some assembler or some C,
11:09
C++, Ruby, Python, you name it.
11:13
Malware could be created with many, many different tools.
11:18
So that static analysis
11:20
gives some indication as to what
11:22
the malware is capable of,
11:24
maybe even some clues about who designed it.
11:26
Sometimes malware authors will leave their call sign,
11:31
hoping that someone will find it and they can get credit.
11:35
Trying to trace that call sign or that tag back to the actual individual can be a challenge, but
11:41
it is something that has been done before, and it's worth
11:46
There's also dynamic analysis,
11:50
where the malware is monitored while it's running and while it's doing
11:56
what it's supposed to be doing.
11:58
As I said a few minutes ago, this could involve network connections,
12:03
actions to write or read data from storage, whether it's USB storage or a spindle disk, SSD storage,
12:11
actions that read and write data from
12:16
or the kernel or drivers. All these things could be areas
12:20
where IoCs might be detected.
12:24
I hope you enjoyed the chapter on
12:30
a deeper dive into the Cyprus
12:33
See you in the next module. Thank you.