3.1.1 GIVEN A SCENARIO, ANALYZE DATA AS PART OF SECURITY MONITORING ACTIVITIES (part 1)

Heuristic Analysis

• Uses a rules created from a knowledge base and then determines likelihood of data being harmful

Signature Based Analysis

• Makes comparisons to traffic from known attack patterns in a database or file

Anomaly Based

• Compares traffic to what 'normal' looks like to determine if it is harmful

Trend Analysis

• Enhances security, growth planning and Risk Management by studying past results to understand future outcomes

Malware Analysis

• Analysing potentially harmful data in a safe environment to assess if it is a threat

Reverse Engineering Tools

Disassemblers, Decompilers, Unpackers and String Analysis are all types of this

Windows Memory Analysis Tools

2 Types which are Resource Monitor which shows Hardware and Software Memory usage and

• Autorun which shows executables that will run at login/startup

Linux Memory Analysis Tools

• ps: Show process statuses and information about them.

• -A or -e : Display all processes, not just the current user's.

• -ef or -ely : Similar to above, but displays detailed information.

System and Application Behaviour (Windows)

• There should only be one instance of winnit.exe and services.exe as they handle drivers and services

System and Application Behaviour Processess

• We can check for processes running under suspicious circumstances (netcat) or make sure the proper ports are being used

Dropper

• A Trojan Exploit Technique that will 'drop' a piece of malware onto a system, which is harder to detect because the payload is encrypted.

• Downloader is a type of this that requires internet access

Shell Code

• An exploit technique whereby instructions are injected onto and then run by the host

Masquerading (Code and Injection)

• An exploit technique where genuine code is replaced by malicious one

DLL Injection (Code and Injection)

• This is where a legit process is forced to run a malicious DLL

"Living off the Land" (Code and Injection)

• An exploit technique whereby malware takes over a legitimate processes and tools making it harder to detect as they are whitelisted

File System

• We need to monitor the integrity of files (tripware and checksums)

User and Entity Behavior Analytics (UEBA)

• A method that is useful to detect insider threats by tracking users and machine accounts and flagging anomalies

URL and DNS Analysis

• Commonly we blacklist/whitelist parts of the internet to control what internets with our internal network

Domain Generation Algorithm (DGA)

• Method used by attackers/malware to avoid blacklisting

URL Analysis and Percent Coding

• Changing Characters to a hexadecimal version to get around content filters and hide XSS and other attacks

Http Response Codes (URL Analysis)

• 100-199: Informational response • 200-299: Successful response (e.g. 200 \= OK)

• 300-399: Redirects (e.g. 307 \= Temporary redirect)

• 400-499: Client-side error (e.g. 404 \= Page/File not found)

• 500-599: Server-side error (e.g. 500 \= Internal server error)

Http methods

GET / POST / PUT / HEAD /

Flow Analysis

Looking at network traffic statistics instead of payloads and using a visualisation tool to map network connections

Flow Analysis Tools

• Net Flow/IPFlow Information expert (IPFIX)

• sFlow

• Zeek

• Multi Router Traffic Grapher (MRTG)

Packet and Protocol Analysis

• E.g. Wireshark allows us to analyse traffic, payloads, headers, frames to see if there is anything suspicious

Log Review Tools

• Event Logs

• Firewall Logs

• WAF

• Proxies

• IDS/IPS

Syslog

• Port 514 UDP

• A way to define severity levels from logs/event messages sent from various network devices to a central server