00:04
Now we can move on to
00:12
Naturally, an indicator of compromise must be discovered
00:17
through whatever means. It could be through reviewing logs. It could be a SIEM device.
00:21
It could be through doing some auditing or some just general maintenance.
00:26
As we saw in an earlier module,
00:29
an indicator of compromise could take many different forms.
00:34
They arise when something interesting is discovered. It's not always
00:38
to be treated suspiciously.
00:40
There should be some level of checking to verify that something is good or bad,
00:45
or slightly suspicious, for instance, and then you must dig deeper in order to make that determination. That's where the analysis comes in.
00:54
And as I already mentioned, there's the concept of crying wolf
00:58
if an IOC is too quickly interpreted to be a true threat,
01:06
and now you've put some forces into motion for incident response.
01:11
It's very wasteful, and embarrassing even, to do that when it's not warranted. So the analysis phase should be done carefully with a solid methodology that's repeatable, so that
01:23
the organization doesn't waste time,
01:25
and so that analysts don't lose credibility
01:30
Once an IOC has been discovered and it's been confirmed or validated by some means,
01:34
then it can be leveraged.
01:37
And by this, what we mean is that
01:40
since we can prove, for instance, that
01:46
that must mean that other events, like event B and event C, for instance,
01:49
might be related. You might be able to establish some correlation between these different events,
01:57
because you've got a solid foundation to work from.
02:00
Other conclusions and
02:02
even other estimates of validity can also carry a little bit more weight. So that's an important thing to think about.
02:13
All right, so let's think about some free tools.
02:15
There's a great company called FireEye. I have some links here
02:20
and I'll bring up their website really quick,
02:23
actually I'll bring it up in just a moment, but
02:24
FireEye.com. They've got free tools for creating
02:30
tools that help you display them.
02:32
You can run some scans on systems. I'll demonstrate that tool here in just a moment,
02:38
and you're collecting information from the file system, from
02:42
web browsing, from memory, for instance,
02:45
other tools to analyze the information,
02:47
and then lastly, we'll look at some cyberthreat maps which are freely available.
02:53
All right. So here's FireEye.
02:55
They've got a lot of different products and services.
02:59
One area that is interesting to look at right away, though, is under Resources. We'll go to Free Software Downloads.
03:09
And here's where you can get to really useful tools. The one that we'll be looking at
03:15
and, as it sounds, it's a free utility
03:17
and lets you look at
03:22
a system that's been compromised.
03:23
I'm gonna run it just on my local machine here, which is an option you can use.
03:28
But generally, you're going to launch this tool
03:30
and try to get it to run on a remote machine so that you can see
03:36
what some suspicious activity might be doing on a system in your network.
03:42
We also have this Memoryze tool for memory forensics,
03:51
looking at information gathered from the other tools
03:54
and then we've got some other ones here like DNS response, looking at your heap,
04:02
looking at Microsoft database files.
04:05
And then there's some IOC tools.
04:12
As far as these tools are concerned, an IOC is just a small collection of information, typically in XML format,
04:17
and you just create some details about
04:21
what the indicator of compromise is.
04:25
The more detail you can put into the entry, the more useful it might be,
04:31
and the Finder and Writer tools allow you to manipulate this information so that you can better
04:39
utilize the IOC data within your environment.
04:45
We'll have a look at those in a little bit as well.
04:48
And there's a couple more tools they provide,
04:53
like doing malware reverse engineering work,
04:56
setting up a reverse proxy,
05:01
There's really good stuff here.
05:06
So before I demonstrate the tool,
05:11
a couple of these different cyberthreat maps.
05:13
One of them is from FireEye themselves. You can find this link on their website. Go full screen.
05:20
As you can see, it's showing different actions going on in the world right now.
05:27
We can see that financial services is
05:30
the top industry that's being attacked right at the moment.
05:33
Consulting services, insurance companies,
05:38
and these are all going on in real time,
05:42
and it gives you some information about how many attacks have been seen today. We can see some other information at the top here.
05:48
It's a decent tool just to kind of get a very big picture view of what's happening
05:54
on the Internet right now.
05:57
But this tool does not give a whole lot of detailed information,
06:01
so we can go to another one by Norse, which
06:06
actually has quite a bit of data. As you can see, it kind of looks a little bit like
06:12
the movie WarGames when there's
06:15
simulations of thermonuclear war between different countries, because we can see
06:18
the attacks going from the source to the destination.
06:23
And very helpfully, it also provides the origins of where the attacks came from, listed by country, what kind of attack
06:30
it actually is, what the destination looks like,
06:34
and we can see a little more detail in IP addresses and so on,
06:39
and you can even zoom in on certain areas
06:43
if you want. For instance, if you want to focus on the United States,
06:51
and you can pause the activity,
06:56
get more information about
07:08
mouse over certain things. You can get information about
07:11
where that country is or what kind of attack it was.
07:16
And you can also set filters,
07:18
so I could just say I only want to look at US and China related attacks.
07:24
Go back to playing that.
07:25
That way you're not cluttering up your interface with
07:30
information you're not really interested in. Maybe I'm only interested in HTTP attacks between
07:35
the US and China.
07:38
Actually, it doesn't look like it lets me do exactly what I wanted to,
07:43
but it can give you some additional information
07:48
when you're trying to confirm that something's really going on. Maybe there's a DDoS attack happening,
07:54
and quite a few of these attacks might actually be DDoS related.
08:01
All right, so let's bring up our
08:11
This is freely installed,
08:13
I'm sorry, freely downloaded from
08:18
and you'll find it underneath the Resources, Free Software
08:22
area that I showed earlier.
08:24
You want to run this as administrator,
08:28
because it's going to give you a lot more detail if it can have full administrative privileges when it's running on that system.
08:35
So you can create what are known as collectors:
08:39
a more detailed, comprehensive collector,
08:43
a search collector. These will go out to a target system
08:48
and go look for information that's been generated.
08:58
There's the ability to edit the script that will run,
09:01
and this basically lets you define what kinds of information you're interested in collecting. There are a lot of choices:
09:07
a lot of different information about processes,
09:13
hooks, which are one program hooking into another program to use some function
09:18
like a DLL library call, for instance,
09:22
and also acquiring a memory image.
09:26
And we can see this is just the memory capture. We also have information related to disk,
09:31
so enumerating different kinds of files, disk volumes themselves,
09:37
information about the system,
09:39
event logs, registry and so on,
09:46
and then some other areas. There are even advanced parameters, which will give a little bit more detail for these,
09:56
a little bit more granularity as far as what you're looking at and
10:01
what kind of data you can actually gather.
10:07
It's quite sophisticated,
10:07
and it's pretty amazing when you think about the fact that this is a free tool.
10:15
I've got to cancel this.
10:16
And what I really want to do
10:18
is, if I wanted to, I could save the collector after I've configured it, and then send that to a
10:26
Once that's run, then you can analyze the results,
10:31
so I can open the previous analysis I was working on or analyze the results from a recent scan.
10:37
In this case, what I wanted to do was run it on my local machine. So from this little menu up here
10:41
we get these other choices, which are the same thing we just saw from the main interface,
10:46
except I get the chance to analyze this local computer,
10:52
so I can edit the script to make sure it's going to have everything I want.
10:58
I'll get my memory image.
11:01
Usually the defaults are pretty good, but you may want to tweak these.
11:07
The more things that you select,
11:09
obviously, the longer
11:11
your scan will take to run.
11:15
So I'm going to look at my digital signatures,
11:18
look at deleted files, look for file anomalies,
11:24
look at my disks and my volumes.
11:28
We'll analyze my system restore points, look at my registry and event logs,
11:35
port information. I'll select most of these.
11:41
All of this could be relevant for an investigation, because
11:43
any one of these areas could contain artefacts or events
11:48
that indicate a compromise happened
11:50
and that there's something there that needs to be investigated further.
11:56
And it goes without saying that if you do this kind of work on a system,
12:03
you want to do it while the system is still up and running, because obviously you're going to lose the memory image if you reboot.
12:09
So I can verify signatures. And when I look at my
12:20
OK, there are quite a few options here.
12:22
I've more or less randomly selected these right now because I just want to get some information.
12:28
You need to look at the documentation for this tool and dig in deeper
12:31
to decide how much of this data is really useful.
12:35
The more options that you select, of course, the more time it will take to run the scan.
12:41
So I'm going to go ahead and,
12:43
this is already set to save to my desktop,
12:46
so I'm going to go ahead and click OK again to get this to start running,
12:50
and you see that it'll count down the different sections
12:54
as needed and run the tool.
12:58
So I'm going to go ahead and pause the video here, because this will take some time to run.
13:01
It could take maybe 15 to 20 minutes or more. So
13:03
we'll come back in a little bit and have a look.