Identify and Research Behaviors

Time
2 hours 24 minutes
Difficulty
Intermediate
CEU/CPE
3
Video Transcription
Welcome to Lesson 2.2, Identifying and Researching Behaviors. We'll kick off the mapping process in this lesson by walking through some examples of how to recognize behaviors in raw data. Next, we'll move on to step 2, researching the identified behaviors. In this step, we're also going to talk about the need for multiple data sources and the types of data sources that may contribute to your research.

Step 1, finding the behavior. Walking through this data, we see a couple of commands captured by Sysmon that are being run interactively via cmd.exe by an adversary. Next, we have some data from a couple of flows. This is from malware being run in a sandbox environment. Finally, there are some registry keys that we're seeing being added during an incident. All of these commands are being run by an adversary, and each of them is possibly a behavior. Some of the flows can be behaviors that we're actually seeing from the piece of software itself, and the registry keys being added can be either a behavior coming from the adversary or the software. We're going to be researching these potential behaviors over the next couple of slides.

Our next step in the process is researching the behavior. Before we start looking into the potential behaviors that we just found in the raw data, I want to go into the analysis process for raw data a bit more. Depending on your intel requirements and the data you're reviewing, this step can mirror the approach to analyzing data in narrative reporting, but it can also present some different aspects. As we discussed with the pros and cons of mapping from the two different sources in the last lesson, raw data can require a deeper level of expertise in order to follow what's happening in a specific data type. This can require that an analyst has experience in looking at network packets and forensic data or understanding what different Windows commands do. As you're working with raw data, you may realize that supplementary data sources are needed for you to glean enough context to understand what the behavior is. This might require further queries and leveraging your incident responders or collaborating with the analysts that are providing this data. Also, in some cases, the research can be very straightforward. You might be able to quickly find some relevant results and additional insights on your favorite search engine, or you can search the ATT&CK website for a specific command, and often the description of the command will provide a good idea of what technique that behavior falls under. Other times, it might be a little more difficult to determine a behavior, especially if a command line is complex and the context is sparse. In this case, unpacking the complexity by pulling in other data sources is needed. You might have to use the sandbox, perform further file analysis, or leverage a search engine to pull in that extra insight into the technical details.

As we just discussed, researching potential behaviors from raw data on the ATT&CK website can often give us an idea of what the behavior is and where we can likely map it. For example, if you start searching through the ATT&CK website for ipconfig /all, it appears in one technique, specifically under a procedure example for System Network Configuration Discovery. This provides a description of what's going on, and it can help us gain an understanding of what the adversary's goal is. You might have an assessment of what technique that behavior is going to map to and what tactic it aligns with, but it can also be a little more complex. The other command line that was in the data was running recycler.exe, and there were also some command-line flags. We see something with a VSDX file, but there isn't necessarily enough detail right now. Although we might be able to make an initial assessment of what one of the behaviors is, some more context is required at this step. We'll pull in and review another data source. If we put this command into a sandbox and perform file analysis, we see the following output. It's likely looking more familiar. The output displays a banner that is showing us that this is RAR, so an archiver. At this point, we'll leverage a search engine for some additional research on the flags and to gain more insight into what's occurring. After researching that -hp, we can determine that it's being used to compress and encrypt the file. Now, for the final piece of the puzzle, that VSDX file. We're going to leverage a search engine again, and from the first result, we can see that it's a Visio file. We know that a Visio file is not going to be coming out of a RAR. This actually provides us with some valuable context as to what's potentially happening. From our research, we can deduce that someone is likely pretending that this information being compressed and encrypted is a Visio diagram. This could be an attempt to exfiltrate data, but some further details would be beneficial for our analysis. We'll be discussing that in the next lesson.

In Lesson 2.2, we walked through a couple of examples of identifying the behaviors in raw data. We discussed how to research the behaviors, highlighting that in many cases, multiple data sources are going to be required. In the next lesson, we'll discuss how to translate behaviors into tactics, techniques, and sub-techniques.
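The two steps of the lesson, pulling the executable and flags out of a raw command line and then attaching research context, can be scripted so the first pass over Sysmon data is consistent. The script below is an added example written for this page, not course material. The command lines are constructed in the shape of Sysmon Event ID 1 CommandLine values; `tool_identity` is a hypothetical stand-in for what sandbox or file analysis told you about an unfamiliar binary (for recycler.exe, the RAR banner). The technique IDs are real ATT&CK identifiers (T1016, T1033, T1082, T1560.001, T1036), but the lookup table is a starting point for research, not a mapping you should trust blindly.

```python
"""Added example: triage raw command lines into candidate ATT&CK behaviors."""
import os
import re
import shlex
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample command lines (Sysmon Event ID 1 style), not from a real incident.
SAMPLE_COMMAND_LINES = [
    r"C:\Windows\System32\cmd.exe /c ipconfig /all",
    r"C:\Windows\System32\cmd.exe /c whoami /all",
    # Hypothetical: rar.exe renamed to recycler.exe; 'a' adds files, -hp<pw>
    # encrypts data and headers, and the archive gets a Visio extension.
    r'C:\Users\Public\recycler.exe a -hpPassw0rd! -r "C:\Users\Public\report.vsdx" C:\Users\Public\docs\*',
]

# Commands whose ATT&CK technique page carries a procedure example for them.
KNOWN_COMMANDS = {
    "ipconfig": ("T1016", "System Network Configuration Discovery"),
    "whoami": ("T1033", "System Owner/User Discovery"),
    "systeminfo": ("T1082", "System Information Discovery"),
}
ARCHIVE_EXTENSIONS = {".rar", ".zip", ".7z", ".tar", ".gz", ".cab"}
RAR_NAMES = ("rar.exe", "winrar.exe")


@dataclass
class Observation:
    raw: str
    executable: str                     # on-disk file name, e.g. recycler.exe
    args: list
    candidates: list = field(default_factory=list)   # (technique id, name)
    notes: list = field(default_factory=list)
    needs_more_context: bool = False    # raw data alone is not enough to map


def _basename(path: str) -> str:
    return re.split(r"[\\/]", path.strip('"'))[-1].lower()


def _unwrap_cmd(tokens: list) -> list:
    """Strip an interactive 'cmd.exe /c' wrapper so we analyse the real command."""
    if len(tokens) > 2 and _basename(tokens[0]) == "cmd.exe" and tokens[1].lower() in ("/c", "/k"):
        return tokens[2:]
    return tokens


def _triage_rar(obs: Observation) -> None:
    """Step 2 for a RAR command line: read the switches the way the research did."""
    args = [a.lower() for a in obs.args]
    if not args or args[0] != "a":
        obs.notes.append("RAR command is not an archive-add; inspect manually")
        return
    obs.candidates.append(("T1560.001", "Archive Collected Data: Archive via Utility"))
    if any(a.startswith("-hp") for a in args):
        obs.notes.append("-hp: archive is compressed and encrypted, headers included")
    elif any(a.startswith("-p") for a in args):
        obs.notes.append("-p: archive data is encrypted, headers in the clear")
    # First non-switch argument after 'a' is the archive being written.
    outputs = [a for a in obs.args[1:] if not a.startswith("-")]
    if outputs:
        ext = os.path.splitext(outputs[0])[1].lower()
        if ext and ext not in ARCHIVE_EXTENSIONS:
            obs.notes.append(f"archive written with non-archive extension {ext}")
            obs.candidates.append(("T1036", "Masquerading"))


def triage(cmdline: str, tool_identity: Optional[dict] = None) -> Observation:
    """tool_identity (hypothetical input) maps an observed file name to what file
    analysis identified it as, e.g. {"recycler.exe": "rar"} after the sandbox banner."""
    tool_identity = tool_identity or {}
    tokens = _unwrap_cmd([t.strip('"') for t in shlex.split(cmdline, posix=False)])
    exe = _basename(tokens[0])
    obs = Observation(raw=cmdline, executable=exe, args=tokens[1:])

    name = exe[:-4] if exe.endswith(".exe") else exe
    if name in KNOWN_COMMANDS:                      # straightforward research case
        obs.candidates.append(KNOWN_COMMANDS[name])
        return obs

    tool = tool_identity.get(exe)
    if tool is None:                                # need a second data source
        obs.needs_more_context = True
        obs.notes.append(f"{exe} is not a recognised utility; sandbox it or check its hash first")
        return obs
    if tool == "rar":
        if exe not in RAR_NAMES:
            obs.notes.append(f"RAR running under the name {exe}")
            obs.candidates.append(("T1036", "Masquerading"))
        _triage_rar(obs)
    obs.candidates = list(dict.fromkeys(obs.candidates))   # de-duplicate, keep order
    return obs


if __name__ == "__main__":
    # Pass 1: raw data only. Pass 2: after file analysis identified recycler.exe as RAR.
    for identity in ({}, {"recycler.exe": "rar"}):
        for o in (triage(c, identity) for c in SAMPLE_COMMAND_LINES):
            print(o.executable, o.candidates, o.notes, "<- more context" if o.needs_more_context else "")
```

On the first pass recycler.exe comes back flagged for more context with no technique attached, which is the honest answer from raw data alone; only once the sandbox result is fed in does the script read the `a` command, the `-hp` switch and the .vsdx output name and surface the archive and masquerading candidates for the analyst to confirm.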