Now we can move on.
Naturally, an indicator of compromise must first be discovered
through whatever means: it could be through reviewing logs, it could be through a SIEM device,
it could be through doing some auditing or just some general maintenance,
as we saw in an earlier module.
An indicator of compromise could take many different forms;
they arise when something interesting is discovered. It's not always
something that needs to be treated as suspicious.
There should be some level of checking to verify that something is good, bad,
or slightly suspicious, for instance, and then you must dig deeper in order to make that determination. That's where the analysis comes in.
And as I already mentioned, there's the concept of crying wolf:
if an IOC is too quickly interpreted to be a true threat,
you've now put some forces into motion for incident response.
It's very wasteful, and even embarrassing, to do that when it turns out not to be a real threat. So the analysis phase should be done carefully, with a solid methodology that's repeatable,
so that the organization doesn't waste time
and so that analysts don't lose credibility.
Once an IOC has been discovered and it's been confirmed or validated by some means,
it can be leveraged.
And by this, what we mean is that
since we can prove, for instance, that event A is real,
that must mean that other events, like event B and event C, for instance,
might be related. You might be able to establish some correlation between these different events,
because you've got a solid foundation to work from;
other conclusions, and
even other estimates of validity, can also carry a little bit more weight. That's an important thing to think about.
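The analysis step described above, validating a raw IOC hit before anyone starts an incident response and only then pivoting to correlated events, written out as an added example. This is not code from the lecture or from FireEye; the log records are constructed (TEST-NET addresses, made-up hosts and commands), and the corroboration rule (two independent log sources before a hit counts as confirmed) and the five-minute pivot window are assumptions chosen for illustration, not an industry standard.

```python
"""Validate an IOC hit before escalating, then pivot to related events.

Added example for this lecture; not FireEye code and not the lecturer's.
The events below are constructed (TEST-NET addresses, fake hosts); the
corroboration rule (two independent log sources) and the five-minute
pivot window are assumptions, not a standard.
"""
from datetime import datetime, timedelta

# Constructed sample events, already normalised into a common shape.
EVENTS = [
    {"ts": "2023-05-01T09:58:10", "host": "ws-17", "source": "proxy",
     "dst_ip": "203.0.113.45", "detail": "GET http://203.0.113.45/upd.bin"},
    {"ts": "2023-05-01T09:58:12", "host": "ws-17", "source": "edr",
     "detail": "powershell.exe -w hidden -nop -f C:\\Users\\Public\\upd.ps1"},
    {"ts": "2023-05-01T09:59:40", "host": "ws-17", "source": "edr",
     "detail": "schtasks.exe /create /tn Updater /tr C:\\Users\\Public\\upd.bin"},
    {"ts": "2023-05-01T10:00:05", "host": "ws-17", "source": "firewall",
     "dst_ip": "203.0.113.45", "detail": "outbound 443 allowed"},
    {"ts": "2023-05-01T14:20:00", "host": "ws-03", "source": "proxy",
     "dst_ip": "198.51.100.7", "detail": "GET http://198.51.100.7/"},
    {"ts": "2023-05-02T08:00:00", "host": "ws-17", "source": "edr",
     "detail": "chrome.exe --profile-directory=Default"},
]

# Destinations an analyst has previously checked and documented as benign.
ALLOWLIST = {"198.51.100.7"}


def find_hits(events, field, value):
    """Event A: every record where `field` equals the indicator value."""
    return [e for e in events if e.get(field) == value]


def validate_hit(hits, value, allowlist, min_sources=2):
    """Decide whether the raw hit deserves an incident response.

    Returns (verdict, reason). A hit is 'confirmed' only when it is not
    allowlisted and at least `min_sources` independent log sources agree;
    a single-source hit is 'needs_review' so nobody cries wolf on it.
    """
    if not hits:
        return "no_hit", "indicator not observed"
    if value in allowlist:
        return "false_positive", "value is on the documented allowlist"
    sources = sorted({h["source"] for h in hits})
    if len(sources) >= min_sources:
        return "confirmed", "corroborated by " + ", ".join(sources)
    return "needs_review", "seen only in " + sources[0]


def correlate(events, hits, window_minutes=5):
    """Events B, C, ...: same host, inside the window of any hit, not a hit."""
    fmt = "%Y-%m-%dT%H:%M:%S"
    window = timedelta(minutes=window_minutes)
    related = []
    for e in events:
        if e in hits:
            continue
        t = datetime.strptime(e["ts"], fmt)
        for h in hits:
            if e["host"] == h["host"] and abs(t - datetime.strptime(h["ts"], fmt)) <= window:
                related.append(e)
                break
    return related


def triage(events, field, value, allowlist=ALLOWLIST):
    """Full pass: find -> validate -> (only if confirmed) correlate."""
    hits = find_hits(events, field, value)
    verdict, reason = validate_hit(hits, value, allowlist)
    related = correlate(events, hits) if verdict == "confirmed" else []
    return {"verdict": verdict, "reason": reason,
            "hits": len(hits), "related": related}


if __name__ == "__main__":
    result = triage(EVENTS, "dst_ip", "203.0.113.45")
    print(result["verdict"], "-", result["reason"])
    for e in result["related"]:
        print("  related:", e["ts"], e["source"], e["detail"])
```

The point of the split is that `correlate` only runs once `validate_hit` says "confirmed": the PowerShell launch and the scheduled task on ws-17 become related events B and C because the proxy and firewall independently agree on event A, while a single-source hit or an allowlisted destination is sent back for review instead of opening an incident.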
All right, so let's think about some free tools.
There's a great company called FireEye. I have some links here,
and I'll bring up their website really quick,
actually I'll bring it up in just a moment, but
at fireeye.com they've got free tools for creating IOCs and
tools that help you display them.
You can run some scans on systems; I'll demonstrate that tool here in just a moment,
and you're collecting information from the file system, from
web browsing, from memory, for instance;
other tools to analyze the information;
and then lastly, we'll look at some cyberthreat maps which are freely available.
All right. So here's FireEye.
They've got a lot of different products and services.
One area that is interesting to look at right away, though, is under Resources; we'll go to Free Software Downloads.
And here's where you can get to really useful tools. The one that we'll be looking at,
as its name suggests, is a free utility
that lets you look at
a system that's been compromised.
I'm gonna run it just on my local machine here, which is an option you can use.
But in general you're going to launch this tool and
try to get it to run on a remote machine so that you can see
what some suspicious activity might be doing on a system in your network.
We also have the Memoryze tool, and others for
looking at information gathered from the other tools,
and then some other ones here, like DNS response, looking at your heap,
looking at Microsoft database files.
And then there are some IOC tools.
As far as these tools are concerned, an IOC is just a small collection of information, typically in XML format,
and you just create some details about
what the indicator of compromise is;
the more detail you can put into the entry, the more useful it might be.
And the finder and editor tools allow you to manipulate this information so that you can
better utilize the IOC data within your environment.
We'll have a look at those in a little bit as well.
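To make the "small collection of information in XML" concrete, here is an added example that writes a minimal OpenIOC-style indicator and evaluates it against a host snapshot. It is not FireEye's IOC Editor or IOC Finder and not code from the lecture; the XML layout follows the OpenIOC 1.0 structure as the author of this example recalls it (nested `Indicator` elements with AND/OR operators wrapping `IndicatorItem` leaves under a `definition`), the hosts and hash values are constructed, and the matching semantics are a simplification: each item is satisfied if any object of its document type matches, so an AND does not force two file items onto the same file the way the real tools can.

```python
"""Evaluate a small OpenIOC-style indicator file against a host snapshot.

Added example for this lecture, not FireEye's IOC Editor or IOC Finder.
The XML layout follows OpenIOC 1.0 as the author of this example recalls
it; the hosts and hash values below are constructed. Simplification: each
IndicatorItem is satisfied if any object of its document type matches.
"""
import xml.etree.ElementTree as ET

NS = {"ioc": "http://schemas.mandiant.com/2010/ioc"}

# Constructed indicator: "known-bad hash, OR (dropper path AND its process)".
IOC_XML = r"""
<ioc xmlns="http://schemas.mandiant.com/2010/ioc"
     id="0f3c2b1a-1111-4222-8333-444455556666" last-modified="2023-05-01T10:00:00">
  <short_description>Example dropper (constructed)</short_description>
  <description>Illustrative indicator written for this example.</description>
  <authored_by>example</authored_by>
  <authored_date>2023-05-01T10:00:00</authored_date>
  <links/>
  <definition>
    <Indicator operator="OR" id="top">
      <IndicatorItem id="md5-1" condition="is">
        <Context document="FileItem" search="FileItem/Md5sum" type="mir"/>
        <Content type="md5">0123456789abcdef0123456789abcdef</Content>
      </IndicatorItem>
      <Indicator operator="AND" id="dropper">
        <IndicatorItem id="path-1" condition="contains">
          <Context document="FileItem" search="FileItem/FullPath" type="mir"/>
          <Content type="string">\Users\Public\</Content>
        </IndicatorItem>
        <IndicatorItem id="proc-1" condition="is">
          <Context document="ProcessItem" search="ProcessItem/name" type="mir"/>
          <Content type="string">upd.exe</Content>
        </IndicatorItem>
      </Indicator>
    </Indicator>
  </definition>
</ioc>
"""

# Constructed host snapshots keyed by OpenIOC document type.
INFECTED_HOST = {
    "FileItem": [
        {"FullPath": r"C:\Windows\System32\cmd.exe", "Md5sum": "aaaa" * 8},
        {"FullPath": r"C:\Users\Public\upd.exe", "Md5sum": "bbbb" * 8},
    ],
    "ProcessItem": [{"name": "explorer.exe"}, {"name": "upd.exe"}],
}
CLEAN_HOST = {
    "FileItem": [{"FullPath": r"C:\Windows\System32\cmd.exe", "Md5sum": "aaaa" * 8}],
    "ProcessItem": [{"name": "explorer.exe"}],
}


def _compare(actual, condition, expected):
    """String conditions from the OpenIOC vocabulary, compared
    case-insensitively, which is how Windows paths and names behave."""
    a, e = str(actual).lower(), expected.lower()
    if condition == "is":
        return a == e
    if condition == "contains":
        return e in a
    if condition == "starts-with":
        return a.startswith(e)
    if condition == "ends-with":
        return a.endswith(e)
    raise ValueError(f"unsupported condition: {condition}")


def _item_matches(item, host):
    """One IndicatorItem: true if any object of its document type satisfies it."""
    ctx = item.find("ioc:Context", NS)
    document, field = ctx.get("search").split("/", 1)
    expected = item.findtext("ioc:Content", default="", namespaces=NS)
    hit = any(_compare(obj.get(field, ""), item.get("condition", "is"), expected)
              for obj in host.get(document, []))
    negate = item.get("negate", "false").lower() == "true"
    return hit != negate


def _evaluate(node, host):
    """Recursive AND/OR walk over Indicator / IndicatorItem elements."""
    if node.tag.endswith("}IndicatorItem"):
        return _item_matches(node, host)
    results = [_evaluate(child, host) for child in node]
    if not results:
        return False
    return all(results) if node.get("operator", "OR").upper() == "AND" else any(results)


def evaluate_ioc(ioc_xml, host):
    """True if the host satisfies the IOC's top-level Indicator."""
    root = ET.fromstring(ioc_xml)
    return _evaluate(root.find("ioc:definition/ioc:Indicator", NS), host)


def matched_item_ids(ioc_xml, host):
    """Which individual IndicatorItems fired: the detail an analyst pivots on."""
    root = ET.fromstring(ioc_xml)
    return [item.get("id") for item in root.iter("{%s}IndicatorItem" % NS["ioc"])
            if _item_matches(item, host)]


if __name__ == "__main__":
    for name, host in (("infected", INFECTED_HOST), ("clean", CLEAN_HOST)):
        print(name, evaluate_ioc(IOC_XML, host), matched_item_ids(IOC_XML, host))
```

The nested AND under the top-level OR is where the "more detail is more useful" advice pays off: a hash alone misses a recompiled dropper, but the path-plus-process pair still fires on the infected snapshot, and `matched_item_ids` tells the analyst exactly which leaves matched rather than just "hit".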
And there are a couple more tools they provide,
like for doing malware reverse engineering work,
setting up a reverse proxy.
There's really good stuff here.
So before I demonstrate the tool,
let's look at a couple of these different cyberthreat maps.
One of them is from FireEye themselves; you can find this link on their website. I'll go full screen.
As you can see, it's showing different attacks going on in the world right now.
We can see that financial services is
the top industry that's being attacked at the moment;
consulting services, insurance companies,
and these are all going on in real time,
and it gives you some information about how many attacks have been seen today; we can see some other information at the top here.
It's a decent tool just to get a very big-picture view of what's happening
on the Internet right now.
But this tool does not give a whole lot of detailed information,
so we can go to another one, by Norse, which
actually has quite a bit of data, as you can see. It kind of looks a little bit like
the movie WarGames, where there are
simulations of thermonuclear war between different countries, because we can see
the attacks going from the source to the destination.
And very helpfully, it also provides the origins of where the attacks came from, listed by country, what kind of attack
it actually is, and what the destination looks like,
and we can see a little more detail in IP addresses and so on.
You can even zoom in on certain areas
if you want; for instance, if you want to focus on the United States.
And you can pause the activity to
get more information about it;
if you mouse over certain things, you can get information about
where that country is or what kind of attack it was.
And you can also set filters,
so I could say I only want to look at US- and China-related attacks,
then go back to playing it.
That way you're not cluttering up your interface with
information you're not really interested in. Maybe I'm only interested in HTTP attacks between
the U.S. and China;
actually, it doesn't look like it lets me do exactly what I wanted to.
It can give you some additional information
when you're trying to confirm that something's really going on. Maybe there's a DDoS attack happening,
and quite a few of these attacks might actually be DDoS related.
All right, so let's bring up our tool.
This is freely installed,
I'm sorry, freely downloaded from their website,
and you'll find it underneath the Resources, Free Software
area that I showed earlier.
You want to run this as administrator,
because it's going to give you a lot more detail, since it will have full administrative privileges when it's running on that system.
So you can create what are known as collectors:
a basic one, a more detailed, comprehensive collector, or
an IOC search collector. These will go out to a target system
and look for information that's been generated.
You have the ability to edit the script that will run,
and this basically lets you define what kinds of information you're interested in collecting. There are a lot of choices:
a lot of different information about processes;
hooks, which are one program hooking into another program to use some function,
like a DLL library call, for instance;
and you can also acquire a memory image.
And we can see this is just the memory capture. We also have information related to disk,
so enumerating different kinds of files, the disk volumes themselves,
information about the system,
event logs, registry and so on,
and then some other areas. There are even advanced parameters, which will give a little bit more detail for these,
a little bit more granularity as far as what you're looking at and
what kind of data you can actually gather.
And it's pretty amazing when you think about the fact that this is a free tool.
I'm gonna cancel this.
And what I really want to do is,
if I wanted to, I could save the collector after I've configured it, and then send that to a target system.
Once that's run, then you can analyze the results,
so I can open the previous analysis I was working on or analyze the results from a recent scan.
In this case, what I wanted to do was run it on my local machine. So from this little menu up here
we get these other choices, which are the same thing we just saw from the main interface,
except I get the chance to analyze this local computer.
So I can add a script to make sure it's gonna have everything I want.
I'll get my memory image.
Usually the defaults are pretty good, but you may want to tweak these;
the more things that you select,
obviously, the longer
your scan will take to run.
So I'm gonna look at my digital signatures,
look at deleted files, look for file anomalies,
look at my disks and my volumes.
We'll analyze my system restore points, look at my registry and event logs,
port information, and basically most of these.
All of this could be relevant for an investigation, because
any one of these areas could contain artefacts or events
that indicate a compromise happened
and that there's something there that needs to be investigated further.
And it goes without saying that if you do this kind of work on a system,
you want to do it while the system is still up and running, because obviously you're gonna lose the memory image if you reboot.
So I can verify signatures. And when I look at my
OK, there are quite a few options here.
I more or less randomly selected these right now because I just want to get some information.
You need to look at the documentation for this tool and dig in deeper
to decide how much of this data is really useful;
the more options that you select, of course, the more time it will take to run the scan.
So I'm gonna go ahead and,
uh, this is already set to save to my desktop,
so I'm gonna go ahead and click OK again to get this to start running,
and you see that it'll count down the different sections
as it runs the tool.
So I'm gonna go ahead and pause the video here, because this will take some time to run.
It could take maybe 15 or 20 minutes or more. So
come back in a little bit and have a look.