So how do analysts in organizations categorize suspicious activity once they've identified it? There are a lot of different questions that might be asked, but there are some high-level ones that make sense right off the bat. It's certainly important to know if this was an insider or an outsider performing the attack, or generating the threat, whatever terminology you want to use. This brings us back to the importance of network-based IDS and IPS working in conjunction with host-based IDS and IPS. This way you can see the events coming from the public Internet, for instance, maybe going through the DMZ, trying to connect to systems that are within the intranet. Those host-based and network-based detection methods will provide good value once you can properly correlate that information.
Also, there should be some understanding of whether or not the attacker was a regular user. Did they perform their actions within a regular account, thereby indicating that there are some other weaknesses in the environment that should be addressed? Or were they able to escalate their privileges to become an administrator or root? Studying the way that the privilege was escalated would reveal a lot of good information as well. It could be that the attacker brought some tool with them and implanted it on the victim's system, and that allowed them to escalate their privileges. Or they might have taken advantage of an existing vulnerability on the victim's system. These should be well understood so that there can be some indication of how powerful this adversary is: what kind of capabilities do they have, what kind of tools are they using? Maybe they are an individual, or maybe they are part of a larger group that's well funded, perhaps even state-sponsored hacking from another country.
So once the capabilities are better understood, there can be another layer of analysis done to try to infer their intentions. You could do this based on what was targeted: if it's people, if it's information in the database, if it's a denial of service attack. Maybe someone's trying to hijack a session to a cloud computing environment so they can get in with administrative credentials and destroy the infrastructure that was set up for the customer. Maybe their intent is to deny service for one particular user because they are spear phishing or whaling, or the denial of service could be much broader in scope, where a distributed denial of service is launched from a botnet that can be controlled to direct its traffic towards a public website or something of this nature. In all these scenarios, it could be just one person doing the work. More likely than not, with larger-scale attacks there are going to be more than one person, but not always. These kinds of activities are very asymmetrical: one person with enough skill and technique can accomplish a lot of these goals by themselves.
We can't forget SQL injection. It's a very powerful technique which allows an adversary to get access to a backend database. The methods of doing it are quite widely varied. It could be trying to inject SQL code into a login field or an email field, the phone number field, a search field. Any place on a public-facing web app that does not perform proper input validation could be vulnerable. Input validation, as some of you already know, is the process of inspecting input to make sure that it conforms exactly to what the application expects. For instance, if you were entering a phone number in a field on a web form, input validation should verify that you're only entering digits; there should not be any letters. There probably shouldn't be any special characters besides the dash and maybe parentheses. Those are the only characters that make up a phone number as it's normally represented. So these are other indications that adversarial activity is taking place. There might even be methods to use SQL injection to interact with the underlying operating system, to run commands in a shell, or to do things like enumerate the network.
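The phone-number rule and the injection it guards against, as an added example that is not part of the lecture: a deliberately vulnerable lookup that pastes the field value into the SQL text, the parameterized version, and an allowlist validator for the phone field. The table, the sample rows and the minimum digit count are constructed for the demonstration (assumptions, not from the lecture); it uses Python's built-in sqlite3 so it runs offline.

```python
import re
import sqlite3

# Constructed sample rows (assumption: not from the lecture or any real system).
SAMPLE_USERS = [
    ("alice", "555-1234", "alice@example.com"),
    ("bob", "555-9876", "bob@example.com"),
]


def make_db():
    """Build an in-memory database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, phone TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


def lookup_by_phone_vulnerable(conn, phone):
    """Deliberately vulnerable: the field value is pasted into the SQL text,
    so a single quote in the input changes the structure of the query."""
    sql = "SELECT name FROM users WHERE phone = '" + phone + "'"
    return sorted(row[0] for row in conn.execute(sql))


def lookup_by_phone_safe(conn, phone):
    """Parameterized query: the driver binds the value; it never becomes SQL."""
    rows = conn.execute("SELECT name FROM users WHERE phone = ?", (phone,))
    return sorted(row[0] for row in rows)


# Allowlist from the lecture: digits, the dash and parentheses only.
PHONE_RE = re.compile(r"^[0-9()\-]+$")
MIN_DIGITS = 7  # assumption for the example; a real app sets this per locale


def is_valid_phone(value):
    """Input validation: reject anything outside the allowlist and anything
    with too few digits to be a phone number."""
    if not PHONE_RE.match(value):
        return False
    return sum(ch.isdigit() for ch in value) >= MIN_DIGITS


def handle_lookup(conn, phone):
    """What the web app should do: validate first, then query with parameters.
    Returns (status, names)."""
    if not is_valid_phone(phone):
        return ("rejected", [])
    return ("ok", lookup_by_phone_safe(conn, phone))


if __name__ == "__main__":
    db = make_db()
    payload = "' OR '1'='1"
    print("vulnerable:", lookup_by_phone_vulnerable(db, payload))  # every row comes back
    print("safe:      ", lookup_by_phone_safe(db, payload))        # nothing matches
    print("validated: ", handle_lookup(db, payload))               # rejected before the query
```

The validator and the parameterized query are independent defenses: the allowlist stops the payload at the edge, and the bound parameter means that even a value that slips past validation is treated as data rather than as SQL.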
All these clues should be used in conjunction with other monitored events to see if the adversary is doing something beyond what was initially anticipated. As far as where the data comes from, we've already touched on the outer perimeter. The network-based IDS and IPS can provide such a great amount of data because you can monitor all the traffic into and out of your public-facing network like the DMZ, between the DMZ zone and your intranet zone, and any other adjacent security zones. Network-based tools for this are invaluable, and, as I pointed out before, sometimes the NIDS or NIPS sits on either side of a firewall to capture all the information going through from one zone to another, whichever direction it is. This might also be correlated with network data, but it could also be correlated with antivirus: say malware was installed on a host and tried to make an outbound connection to call its command and control server. Maybe the malware got quarantined, and maybe the HIPS prevented the connection. So there should be some logged events from both of those different products to show that this actually occurred and to understand its significance in the greater examination. And then we can't forget the SIEM device, because all the other endpoints, like routers, firewalls, switches, proxies, all these other things could also be sending some events, so those should be brought into the network- and host-based data collection process to see if there's anything useful there that could be used to help with the investigation.
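One way to do the correlation described above, as an added example that is not part of the lecture: three constructed log lines (an antivirus quarantine, a HIPS block and a NIDS alert, all for one host) are parsed into a common shape and grouped by host, and a host is reported when more than one sensor fired within a short window. The line format, the src= sensor tag, the 120-second window and all the addresses are assumptions made for the example; real products and SIEMs each have their own formats.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample events (assumption: not real product output). Each line is
# "timestamp src=<sensor> host=<ip> key=value ...", the shape a SIEM might give
# after normalizing NIDS, antivirus and HIPS records.
SAMPLE_LOGS = [
    '2024-03-01T10:14:40Z src=av host=10.1.5.17 action=quarantine file=update.exe',
    '2024-03-01T10:15:01Z src=hips host=10.1.5.17 action=block dst=203.0.113.45:443 proc=update.exe',
    '2024-03-01T10:15:02Z src=nids host=10.1.5.17 sig="Possible C2 beacon" dst=203.0.113.45:443',
    '2024-03-01T11:02:13Z src=av host=10.1.5.23 action=quarantine file=eicar.com',
    '2024-03-01T09:30:00Z src=nids host=10.1.5.9 sig="Port scan" dst=10.1.5.1:22',
]

LINE_RE = re.compile(r'^(?P<ts>\S+)\s+(?P<kv>.*)$')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_line(line):
    """Turn one log line into a dict of fields plus a datetime 'ts';
    return None for lines that do not fit the expected shape."""
    m = LINE_RE.match(line)
    if not m:
        return None
    try:
        ts = datetime.strptime(m.group('ts'), '%Y-%m-%dT%H:%M:%SZ')
    except ValueError:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group('kv'))}
    fields['ts'] = ts
    return fields


def correlate(lines, window_seconds=120):
    """Group events by host and report each host where events from two or
    more different sensors fall within window_seconds of one another.
    Returns a list of findings, one per host."""
    by_host = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev and 'host' in ev and 'src' in ev:
            by_host[ev['host']].append(ev)

    findings = []
    for host, events in by_host.items():
        events.sort(key=lambda e: e['ts'])
        for i, first in enumerate(events):
            cluster = [e for e in events[i:]
                       if (e['ts'] - first['ts']).total_seconds() <= window_seconds]
            sources = {e['src'] for e in cluster}
            if len(sources) >= 2:
                findings.append({
                    'host': host,
                    'sources': sources,
                    'start': first['ts'].isoformat(),
                    'end': cluster[-1]['ts'].isoformat(),
                    'details': [e.get('sig') or e.get('action') for e in cluster],
                })
                break  # one finding per host is enough for triage
    return findings


if __name__ == '__main__':
    for finding in correlate(SAMPLE_LOGS):
        print(finding)
```

The window matters: with the default 120 seconds the quarantine, the HIPS block and the NIDS alert for 10.1.5.17 land in one finding, while a 10-second window drops the earlier quarantine and reports only the block and the alert. Hosts with a single sensor firing are not reported at all, which is the point of asking for agreement between host-based and network-based data.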
Now, if we think about incident response teams, there are some considerations for how these should be used. As I pointed out in previous conversations, some decision maker needs to decide whether to invoke the incident response team. That should not be taken lightly. Credible information that proves that this incident goes beyond just some unrelated

So naturally, there are the policies and procedures created to notify all of the appropriate stakeholders. This could be done through various means: simple email, text messages going in conjunction with email, calling an emergency meeting. The response will vary depending on the scope of the incident that's been discovered. Once the incident response team has been put into motion, it's natural that some sort of triage will take place, and this means that certain individuals will be assuming an intermediary role between management and the technical staff, and perhaps even the

When a large-scale attack happens, there needs to be good communication. For instance, senior management wants to know that all the appropriate people are on the job and that they're doing what they're supposed to be doing. They might also request updates every 15 minutes, every 30 minutes, every 60 minutes to see what the progress is for containment of the problem, or even recovery or resolution of the problem. So the persons doing the triage function need to keep management informed. But they also need to communicate with the people that are doing the technical work to find out if they've managed to fix the problem yet, or if they've managed to discover the source of the infection, or if they've been able to keep the problem contained and therefore it's not a danger to any other hosts on the network. These are very important considerations and should be a primary focus of triage. It has to keep everybody well informed: the technical people know what management wants, management knows what the technical people are finding out, and maybe your public relations or your legal departments are also involved because they've got to start preparing some response for a public announcement, perhaps.
Then lastly, we can think about malware reverse engineering. One of the biggest requirements here is to make sure that the sandbox or the reverse engineering lab is properly isolated, because if malware is discovered, it needs to be studied in an environment that prohibits that malware from spreading to other systems. The forensics workstation, or the forensics lab that might have multiple systems, should be air-gapped from any other networks. There should not be any path from a production network to the malware or forensics lab. This makes all the sense in the world: you don't want something accidentally spreading to production systems if it was already isolated in quarantine. Typically, virtual machines are used for this purpose because it's very easy to set them up with very restrictive networking, so that the malware can then be studied in its natural habitat, so to speak.
The malware might be allowed to run, and various monitoring solutions are put into place to see what kind of network connections it's making, to see which domain names or IP addresses are encoded in the malware, perhaps to contact a command and control system. So the behavior of the malware should indicate what it's trying to do: if it's trying to change registry settings, change system configuration files, and so on. If the code can be brought into a disassembler or debugger, it might be able to be examined in a static mode. This means that the program's not running and the code is looked at, like what we're seeing in the image here: you've got a bunch of HTML, you've got some assembler or some C, C++, Ruby, Python, you name it. Malware can be created with many, many different tools. So that static analysis gives some indication as to what the malware is capable of, maybe even some clues about who designed it. Sometimes malware authors will leave their call sign, hoping that someone will find it and they can get credit. Trying to trace that call sign or that tag back to the actual individual can be a challenge, but it is something that has been done before, and it's worth
There's also dynamic analysis, where the code is monitored, the malware is monitored, while it's running and while it's doing what it's supposed to be doing. As I said a few minutes ago, this could involve network connections, actions to write or read data from storage, whether it's USB storage or a spindle disk or SSD storage, actions that read and write data from the kernel or drivers. All these things could be areas where IOCs might be detected.
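The domain names, IP addresses and registry keys encoded in a sample, from the static-analysis discussion above, as an added example that is not part of the lecture: a small strings-style pass over a constructed byte blob (assumption: a stand-in for a compiled sample, not real malware) pulls out the printable runs and sorts them into URLs, IP addresses, hostnames, registry paths, shell commands and an author tag of the kind the lecture calls a call sign. The regexes, the TLD list and every sample string are assumptions made for the example.

```python
import re

# Constructed stand-in for a compiled sample (assumption: not real malware):
# printable strings sitting between filler bytes, the way hard-coded C2
# details and registry keys sit inside a binary.
SAMPLE_BLOB = (
    b"MZ\x90\x00\x03\x00\x00\x00" + b"\x00" * 16
    + b"http://203.0.113.45/gate.php\x00"
    + b"\x7f\x01\xc3\x00"
    + b"updates.example.net\x00"
    + b"Software\\Microsoft\\Windows\\CurrentVersion\\Run\x00"
    + b"\x00\xff\xfe"
    + b"cmd.exe /c whoami\x00"
    + b"version 1.2.3.4567\x00"        # dotted number that is not an IP
    + b"build 300.400.500.600\x00"     # four octets, but out of range
    + b"made by d4rkfl0w\x00"          # the kind of tag the lecture calls a call sign
)

STRING_RE = re.compile(rb"[\x20-\x7e]{4,}")  # printable ASCII runs, like `strings`
URL_RE = re.compile(r"\bhttps?://[^\s'<>\"]+", re.I)
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
HOST_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+(?:com|net|org|io|info|ru)\b", re.I)  # assumed TLD list
REG_RE = re.compile(r"(?:HK[A-Z_]+\\)?(?:Software|SYSTEM)\\[\w\\]+", re.I)
CMD_RE = re.compile(r"\b(?:cmd\.exe|powershell(?:\.exe)?|/bin/sh)\b.*")
TAG_RE = re.compile(r"\b(?:made|coded|written) by \S+", re.I)


def extract_strings(blob):
    """Return the printable ASCII runs of at least four characters in blob."""
    return [m.group().decode("ascii") for m in STRING_RE.finditer(blob)]


def valid_ipv4(text):
    """Octet range check; the regex alone would accept 300.400.500.600."""
    return all(0 <= int(octet) <= 255 for octet in text.split("."))


def extract_iocs(blob):
    """Static pass: classify the strings in blob into IOC buckets."""
    iocs = {"urls": set(), "ips": set(), "hosts": set(),
            "registry": set(), "commands": set(), "tags": set()}
    for s in extract_strings(blob):
        iocs["urls"].update(URL_RE.findall(s))
        iocs["ips"].update(ip for ip in IPV4_RE.findall(s) if valid_ipv4(ip))
        iocs["hosts"].update(h.lower() for h in HOST_RE.findall(s))
        iocs["registry"].update(REG_RE.findall(s))
        iocs["commands"].update(CMD_RE.findall(s))
        iocs["tags"].update(TAG_RE.findall(s))
    return iocs


if __name__ == "__main__":
    for bucket, values in extract_iocs(SAMPLE_BLOB).items():
        print(bucket, sorted(values))
```

This only sees what the author left in the clear; packed or encrypted strings will not show up until the sample is unpacked in the debugger or observed at runtime, which is where the dynamic analysis comes in. The octet check and the word-boundary anchors are there so that version numbers and build strings do not get reported as addresses.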
I hope you've enjoyed the chapter on a deeper dive into the CySA+. So, see you in the next module. Thank you.