Malicious Web Activity

00:01

Hey, guys, watch another episode of the S S C P Exam Prep. Siri's I'm your host, Peter Simple in This is going to be the third lesson in the seventh to me

00:13

so far in the seventh to mean we've taken a look at this, see a triad and how it applies the Mount Code. We've also taken a look at the different ways that malware tries to infect your system and network, and now, in this lesson, we'll take a look at different kinds of malicious Web activity,

00:31

and we'll also take a deep dive into identify and analyzing infections in malware

00:37

and how to reduce the impact of any malware. Let's get started

00:43

Web based in tax or born of the most popular ways to spread malware in the wild. It's very important for an SSC practitioner to be familiar with different types of attacks and countermeasures when it comes to malware. To the first is cross site scripting,

01:00

which is simply a vulnerability that's found on the website

01:03

that allows the attacker to injectable wishes code into an application.

01:08

Here's how it works

01:10

on attacker ingest code into a Web server where it resides on the Web server.

01:17

After a while, a Web client or a person browsing the Internet will go and visit that website and then download information from the Webster

01:26

Well, once that connection happens, thesis, script or whatever. The malicious code is that sitting on the Web server then gets downloaded to the client so it gets down to the person's computer.

01:38

From there, the attacker can access the person's computer with privilege.

01:46

There are zero day exploits. This is an attack that has been that exploiting previously unknown vulnerability. This is something being seen for the very first time. And so there are no no patches. There are no remedies to fix this. Zero day exploits are very dangerous,

02:06

and there are advanced, persistent threat. See, A P. T. S

02:08

A. P T. S uses multiple phases to break in, avoid detection and collect information over a long period of time. They're very flexible and fluid with how they operate so very difficult to find them, trace them and actually remove them.

02:24

The five phases of an A P. T. Or reconnaissance

02:30

incursion.

02:30

Discovery

02:32

capture

02:34

an exfiltration.

02:36

There's also brute force, which is the act of trying every possible combination of a password until one is found.

02:44

Now there are a couple different types of payloads. Remember, payload is the main action that malware does. So when it executes whatever that main action is, that is considered the payload. So there are a backdoor Trojan. So these are programs that share the primary functionality

03:01

of enabling a remove attacker an attacker to have access to a compromise

03:07

computer. So the purpose of a back door is

03:09

for an attacker to get back into a computer at a leader deep. Regardless, if there are any

03:17

privileges or anything that's changed on, there might be some times might be scanning dawn or anything on the computer or regards to that back door will allow the attacker to still be able to get into that computer.

03:30

It's also man in the middle of Mount Code, where an attacker gets in the middle of a conversation between two parties and tries to gain information

03:39

now

03:40

kind of activity countermeasures. Do we have? Well, one of the biggest countermeasures is you have third party certifications. All right, You can use all the anti virus anti spam devices that you want, but you don't really know if they're any good or not, unless 1/3 party getting independently verified

04:00

that these are good products to use.

04:02

Ah, the website for one of the most popular third party certifications is a V test dot org's.

04:09

Another counter measure is to look at the process is in the Windows Task Manager. You always wanna look for new or unexpected processes. If you take a look good processes, you can kind of figure out whether associated with or you will see program names that you can associate the process with the application.

04:29

Now some of them have you looked for anything new or if you don't recognize, then that might be a sign that there's something else that's going on your computer.

04:38

Also, when looking at processes, you always want to take a look at Explorer. Got the exit? You wanna make sure that process is Their process should always be running explored. Got DXC manages the gooey on your best top, so it should always be running. So if you don't see it and that's a telltale sign

04:57

that something's wrong with your computer,

04:59

it's also the inspection off Windows Registry. You can look at the registry keys and This is just really a database A stores operating system settings during startup.

05:10

Once you may identify any files or anything like that, you might want to take a walk into the analysis of the malware, how it behaves and what it's trying to do

05:21

in order to properly analyze Malko did. Test system should be in place. That's meant four. Properly analyzing it at the same time that you could do certain things without actually running the malware itself. You could do static file analysis. So this is looking at 12 details

05:40

and characteristics to identify.

05:42

Investigate Kun. You can also look at file properties, right? Most files are more or less the same size. So if you see any really large files, for whatever reason with it maybe possibly a weird time stamp that doesn't add up. That might be an indication.

06:00

Ah, this blouse might be trying to do something

06:02

you don't see hash certain files and that will determine if it's been modified or not,

06:09

and you can also use a hack senator to look at the bits of a file to see any kind of information. Now the Hex editor just looks at the role bits, and you can see that the hex gets transferred

06:23

to a readable format on the right or a somewhat readable format. We're in kind of piece together. Information

06:30

about the bids.

06:30

Another way to look at the behavior analysis of malware is through virtual environments. You can set up a virtual environment for the malware, run like it's in the sandbox, and then you can kind of take a look and see what it does.

06:46

So once you have identified and analyzed now where we definitely want to get rid of it now there's two ways for implementing malware mitigation, and it's important that you do both.

06:58

So the first is strategic. This is management and planning, right? You wantto be prepared before you even get infected with malware. So this is Manu and Support Defence in Depth and Incident Response Team's. Now this is the planning aspect, and then the tactical is the actual action

07:16

that has been defined in the planning, speech and tactical. You have things such as hardening systems, backing up data

07:23

and using different security tools, such a CZ intrusion detection systems.

07:28

In today's lecture, we discussed weapon tax, malicious activity, countermeasures,

07:33

analysis of malware and malware mitigation

07:38

with Don.

07:39

In this attack, an attacker finds a Web vulnerability and injects malware into a website, which gets downloaded into the user's computer when they visit the website. Is it a cross eyed scripting? Be zero day exploit,

07:54

See advanced persistent threat or D brute force

08:01

If you sent a cross site scripting than you are correct, remember, the attacker inflicts the malware into the Web server and then, once the user,

08:13

visit that website they downloaded on a computer. And that's how the attacker is access to the person's computer.