Indicators of Compromise


Time
8 hours 20 minutes
Difficulty
Advanced
CEU/CPE
9
Video Transcription
>> Indicators of compromise.

The learning objectives for this lesson are to define an indicator of compromise, detail where indicators of compromise can be found, and respond to indicators of compromise.

Let's get started. Indicators of compromise, or IOCs, can be thought of as a clue or a sign that an intrusion has taken place in some way. For example, if an attacker were using the technique of password spraying, you might see that many accounts were being locked out at the same time. In addition, your log files are going to be filled with invalid credential events. If an attacker has breached your network and is in the process of stealing data, you might see an abnormal amount of traffic exiting your network. Finally, you may see privileged accounts being created or used in abnormal ways. The root or administrator-level account is the crown jewels for most attackers. What they're looking for is to get in, gain access to that level of account, and then start using it in ways that you wouldn't be using it. They also want to create additional accounts that are at the same level in case their main access gets cut off.

Logging. Most devices on your network will generate logs in some form. These logs will always contain valuable information on locating potential IOCs. Some examples of log files would be your operating system events, such as your Windows event logs and your syslog on Linux and Unix systems. Routers and switches will also generate their own logs, as do access points and printers. The problem with logs is that they're all scattered across your network, and you have to go to each one to look for them and then look through many events to find those very few fleeting IOCs.

We can also use packet capture for looking for IOCs. This is when we're looking at the network traffic down to the packet level. This requires the use of a special tool known as a sniffing tool, or also a protocol analyzer. Examples of these would be Wireshark and tcpdump.

IOC notification sources are devices that send us the information when they detect IOCs, rather than us having to go and look through all those logs scattered through our network. Examples of these would be SIEM devices, intrusion detection or prevention systems, file integrity monitoring systems, data leak or loss prevention systems, and antivirus or antimalware software.

How do we respond to an IOC? The first thing we have to do is prioritize. It should not be on a first-come, first-served basis. It should be based on the following factors: the severity and the priority; the functional impact to your organization; the information impact, that is, what is being stolen, what data is being affected; and then the recoverability. We can also use our existing security infrastructure in our responses. For example, firewall rules can be quickly created to block off traffic from leaving a network or traffic from coming in. We can also use our intrusion prevention or intrusion detection system rules, or access control list rules. Endpoint protection can be updated to look for certain files that have been added to a system that contain malicious content, or to block specific attacks as they're occurring. We can also update our DLP rules. We can use scripts that contain regular expressions to help us automate some of these activities.

Triage and incident response. During triage, your first goal is to determine the scope of the breach: how many systems have been impacted and what has been affected? Then you need clearly defined processes for identifying incidents, classifying those incidents, and then responding to the incidents in the appropriate way. The key is that this needs to be created before these types of things are occurring, so that you have everything in a documented manner. When these incidents happen, you're not going to be thinking with a clear head. It's crucial to have these processes already identified ahead of time.

Event classification. We have four categories of events. The first is false positive. This is something identified as an issue, but it's not. Then we have false negative. This is a potential issue that wasn't identified. True positives are an issue that is correctly identified. Finally, we have true negative. This is an informational item that is flagged as a non-issue.

We need a communications plan in our incident response. We need to define who the stakeholders are. This usually involves the human relations part of the company, public relations, senior leadership, legal, law enforcement, and regulators. We also need to decide who needs to be notified. We also need to know how we're going to notify them and how we are going to control the release of information about the incident. It's critical that we don't release sensitive information about the breach. These are the types of things that also need to be planned ahead of time. You don't want to be deciding these on the fly, after an incident has already happened.

Then the incident response process. We first start with preparation. We harden our systems, we create policies and procedures, and then we create an incident response procedure plan. Again, all of this needs to be done ahead of time. Detection and analysis. We need to decide if an incident has occurred and then how serious it is; from there we notify our stakeholders. After that, we begin to contain the incident. We limit the scope of the breach. Once we've contained everything, we move to the eradication and recovery phase. This is where we remove the cause of the breach and bring things back to where they were. Then we have post-incident activity. This is an after-action review. What can we improve? What did we do well, what did we not do so well in, and then what lessons can we learn and then document those for the future?

Let's summarize. We went over indicators of compromise. We discussed logging, and where log files come from. Then we discussed the sources of IOCs, and we moved to triaging and incident response, how to classify incidents, and then coming up with a communications plan.

Let's do some example questions.

Question 1. This stage of the incident response process is focused on controlling how far the incident has spread. This is Phase 3, or containment.

Question 2. Which of the following would you not include in your communications plan? One, legal counsel; two, human resources; three, financial department; four, law enforcement. This is three, the finance department.

Question 3. Which of the following would not likely be an IOC? Ransomware demand found on PCs, a user account being locked out, abnormal bandwidth leaving the network, excessive log entries for invalid credentials. A user account being locked out. A single user account is a normal occurrence in the day-to-day operations of a network. One user account would not necessarily be an IOC. Several user accounts being locked out around the same time would be.

Question 4. This technology allows for the capture of network traffic data so that it can be analyzed at the packet and frame level. Sniffer or protocol analyzer.

I hope this lesson was helpful for you, and I'll see you in the next one.
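The password-spraying IOC from the lesson (many accounts failing or locking out at the same time) and the regex-scripted automation it mentions, as an added example that is not part of the original lesson: a Python script that scans constructed syslog-style authentication lines and raises the IOC only when many distinct accounts fail or lock out inside one time window, so a single account locking out (the lesson's Question 3) stays quiet. The log format, host name, window length and account threshold are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines in a syslog-like auth format (not from any real system).
SAMPLE_LOG = """\
Jan 10 09:00:01 dc01 auth: Invalid credentials for user alice from 203.0.113.5
Jan 10 09:00:02 dc01 auth: Invalid credentials for user bob from 203.0.113.5
Jan 10 09:00:02 dc01 auth: Invalid credentials for user carol from 203.0.113.5
Jan 10 09:00:03 dc01 auth: Invalid credentials for user dave from 203.0.113.5
Jan 10 09:00:05 dc01 auth: Account locked: bob
Jan 10 09:00:05 dc01 auth: Account locked: carol
Jan 10 09:00:06 dc01 auth: Account locked: dave
Jan 10 10:30:00 dc01 auth: Invalid credentials for user frank from 198.51.100.7
Jan 10 10:31:00 dc01 auth: Account locked: frank
"""
# One regex covers both event shapes; the named group that matched tells them apart.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ auth: "
    r"(?:Invalid credentials for user (?P<fail_user>\S+) from \S+"
    r"|Account locked: (?P<locked_user>\S+))$"
)

def parse(log_text, year=2024):
    """Yield (timestamp, kind, user) tuples; kind is 'fail' or 'lock'."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unrelated log line
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        if m["fail_user"]:
            yield ts, "fail", m["fail_user"]
        else:
            yield ts, "lock", m["locked_user"]

def detect_spray(log_text, window_s=60, min_accounts=3):
    """Per event kind, report the window holding the most DISTINCT accounts if it
    reaches min_accounts: one account repeating is routine, many at once is the IOC."""
    events = sorted(parse(log_text), key=lambda e: e[0])
    alerts = []
    for kind in ("fail", "lock"):
        ev = [e for e in events if e[1] == kind]
        best, start = None, 0
        for end in range(len(ev)):
            while ev[end][0] - ev[start][0] > timedelta(seconds=window_s):
                start += 1  # slide the window forward past stale events
            users = {e[2] for e in ev[start:end + 1]}
            if len(users) >= min_accounts and (best is None or len(users) > len(best[2])):
                best = (kind, ev[start][0], sorted(users))
        if best:
            alerts.append(best)
    return alerts
```

On the constructed sample the 09:00 burst produces a "fail" alert for four accounts and a "lock" alert for three, while frank's lone failure and lockout an hour later produce nothing.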