Lesson 13 - CertMaster

Lesson 13: Analyze Indicators of Malicious Activity

Lesson Introduction

  • Preparation phase of incident response identifies data sources to support investigations.

  • Tools for aggregating and correlating data assist in automated analysis for alerting and monitoring systems.

  • Automated detection cannot identify all signs of malicious activity, emphasizing the need for incident responders to recognize specific indicators.

Lesson Objectives

  • Analyze indicators of malicious activity.

  • Classify various types of malware and identify signs of infection to prepare security teams for remediation.

Topic 13A: Malware Attack Indicators

  • Malware is defined as software that performs unauthorized actions from the system owner's perspective.

  • Malware classifications are often based on the installation method (e.g., Trojan, virus, worm).

  • Malware Classification by Vector:

    • Trojan: Hidden in software installer packages.

    • Virus: Concealed within executable code and spreads without user authorization.

    • Worm: Memory-resident malware that replicates over networks without user intervention.

    • Potentially Unwanted Programs (PUPs): Installed alongside legitimate software; often seen as grayware or bloatware.

Computer Viruses

  • Viruses replicate and spread from computer to computer without the user's consent.

  • Classes of viruses:

    • Non-resident/File Infector: Infects executable files and attempts to propagate.

    • Memory Resident: Creates its own process and remains in memory after the host program ends.

    • Boot Virus: Executes when the operating system starts or USB media is connected.

    • Script and Macro Viruses: Use local scripting or office automation features (e.g., macros) to infect.

Computer Worms and Fileless Malware

  • Worms operate independently and can exploit network vulnerabilities, consuming bandwidth and causing denial of service attacks.

  • Fileless Malware: Does not write code to disk; uses memory-resident techniques to evade detection and execute malicious actions, leveraging system scripting tools like PowerShell.

Spyware and Keyloggers

  • Tracking Cookies: Used for monitoring web activity and gathering metadata.

  • Adware: Reconfigures the browser and tracks activity using cookies; may be bundled with other software.

  • Spyware: Monitors application activity, takes screenshots, activates microphones/cameras.

  • Keyloggers: Capture keystrokes to steal sensitive data.

Backdoors and Remote Access Trojans (RATs)

  • A backdoor allows unauthorized remote access; RATs typically install a backdoor while mimicking legitimate remote control software.

  • A compromised host can be referred to as a zombie and may have one or more bots installed for malicious purposes.

Rootkits

  • Gain local administrator privileges to conceal the presence of malware, complicating detection.

  • Can manipulate system processes and may operate at the kernel level, compromising security.

Ransomware

  • Ransomware: Extorts money from victims by restricting access to data.

  • Crypto-Ransomware: Encrypts files and demands payment to restore access; often targets industry-specific files.

Logic Bombs

  • Malware that executes based on specific conditions or events, often undetectable until triggered.

Tactics, Techniques, and Procedures (TTPs) & Indicators of Compromise (IoCs)

  • TTPs are the behaviors and methods threat actors use, while IoCs are observable artifacts that indicate an attack succeeded or was attempted.

  • Examples include connections to command-and-control servers and modified registry entries.

Malicious Activity Indicators

  • Automatic detection may fail; sandbox environments allow suspect code to be analyzed safely in isolation.

  • Monitor for abnormal resource consumption, accessing restricted files, and signs of account compromise.
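As an added example (not part of the CertMaster lesson material), the following Python script shows how the two IoC types named above, command-and-control connections and modified registry entries, can be matched against a small event log. The IoC values (a TEST-NET address and a reserved example domain), the log format, and the log lines are all constructed for illustration; a real deployment would take indicators from a threat intelligence feed and events from a telemetry source such as an EDR or Sysmon.

```python
"""Added example: match constructed host/network events against
indicators of compromise (C2 addresses and autorun registry writes).
All indicator values and log lines are constructed placeholders."""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed "threat intelligence feed". 203.0.113.0/24 is the TEST-NET-3
# documentation range and .example is a reserved TLD, so neither is real.
C2_IPS = {"203.0.113.45"}
C2_DOMAINS = {"update-check.example"}

# Registry autorun locations commonly used for persistence. Any write here is
# raised for analyst review; legitimate installers also use these keys, so the
# process name is carried in the alert to support triage.
AUTORUN_KEYS = (
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
)


@dataclass
class Alert:
    line_no: int
    reason: str
    process: str
    detail: str


# Constructed event format: "<timestamp> <EventType> key=value ..."
NET_RE = re.compile(r"NetworkConnect proc=(?P<proc>\S+) dst=(?P<dst>[^:\s]+):(?P<port>\d+)")
DNS_RE = re.compile(r"DnsQuery proc=(?P<proc>\S+) name=(?P<name>\S+)")
REG_RE = re.compile(r"RegistrySet proc=(?P<proc>\S+) key=(?P<key>\S+) value=(?P<value>\S+)")


def check_line(line_no: int, line: str) -> Optional[Alert]:
    """Return an Alert if the event matches a known IoC, otherwise None."""
    if m := NET_RE.search(line):
        try:
            dst = ipaddress.ip_address(m["dst"])
        except ValueError:
            return None  # malformed address: skip the event rather than crash
        if str(dst) in C2_IPS:
            return Alert(line_no, "c2-ip-connection", m["proc"], f"{dst}:{m['port']}")
    elif m := DNS_RE.search(line):
        # Normalise case and a trailing dot so "Update-Check.example." still matches.
        if m["name"].lower().rstrip(".") in C2_DOMAINS:
            return Alert(line_no, "c2-domain-lookup", m["proc"], m["name"])
    elif m := REG_RE.search(line):
        if m["key"].lower() in (k.lower() for k in AUTORUN_KEYS):
            return Alert(line_no, "autorun-registry-write", m["proc"],
                         f"{m['key']}\\{m['value']}")
    return None


def scan_log(text: str) -> List[Alert]:
    """Scan every line of the log and collect the alerts, keeping log order."""
    return [a for n, line in enumerate(text.splitlines(), 1) if (a := check_line(n, line))]


# Constructed sample events: one benign connection, one C2 connection, two
# autorun writes (installer and scripting host), one C2 DNS lookup, and one
# unrelated registry write.
SAMPLE_LOG = r"""2024-01-01T10:00:01 NetworkConnect proc=chrome.exe dst=198.51.100.10:443
2024-01-01T10:00:05 NetworkConnect proc=svchost.exe dst=203.0.113.45:8443
2024-01-01T10:00:07 RegistrySet proc=setup.exe key=HKLM\Software\Microsoft\Windows\CurrentVersion\Run value=VendorTray
2024-01-01T10:00:09 RegistrySet proc=powershell.exe key=HKCU\Software\Microsoft\Windows\CurrentVersion\Run value=Updater
2024-01-01T10:00:12 DnsQuery proc=rundll32.exe name=update-check.example
2024-01-01T10:00:15 RegistrySet proc=explorer.exe key=HKCU\Software\Classes\Demo value=1
"""

if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print(f"line {alert.line_no}: {alert.reason} by {alert.process} ({alert.detail})")
```

Run as written, the script raises four alerts (the C2 connection, both autorun writes, and the C2 lookup) and stays silent on the benign connection and the unrelated registry write. The autorun rule deliberately does not try to decide on its own whether `setup.exe` or `powershell.exe` is legitimate; that correlation with process lineage and user context is the analyst's job, which is the point of the lesson's note that automated detection cannot catch everything.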

Topic 13B: Physical and Network Attack Indicators

  • Understanding physical and network attack vectors helps prevent and remediate attacks.

Physical Attacks

  • Indicators of physical tampering, theft, or infrastructure failure.

  • Environmental attacks can compromise systems (e.g., disrupting power or cooling).

Network Attacks

  • Includes reconnaissance, credential harvesting, DoS attacks, and lateral movement.

Topic 13C: Application Attack Indicators

  • Exploiting vulnerabilities in applications often leads to unauthorized code execution.

  • Privilege Escalation: Allows attackers to gain unauthorized access to higher privileges.

  • Injection Attacks: Unsecured input processing that can lead to unauthorized actions.

  • Session Hijacking: Attacks like CSRF and SSRF exploit authentication tokens or bypass security protocols.

Lesson Summary

  1. Identify indicators of various malware types and physical/network/application attack indicators.

  2. Implement enhanced detection mechanisms and threat intelligence feeds to improve security posture.

  3. Correlate attack indicators and leverage logging data to identify compromise more accurately.
