Lesson 13 - CertMaster
Lesson 13: Analyze Indicators of Malicious Activity
Lesson Introduction
The preparation phase of incident response identifies the data sources that will support investigations.
Tools for aggregating and correlating data support automated analysis in alerting and monitoring systems.
Automated detection cannot identify every sign of malicious activity, so incident responders must be able to recognize specific indicators themselves.
Lesson Objectives
Analyze indicators of malicious activity.
Classify various types of malware and identify signs of infection to prepare security teams for remediation.
Topic 13A: Malware Attack Indicators
Malware is defined as software that performs unauthorized actions from the system owner's perspective.
Malware classifications are often based on the installation method (e.g., Trojan, virus, worm).
Malware Classification by Vector:
Trojan: Hidden in software installer packages.
Virus: Concealed within executable code and spreads without user authorization.
Worm: Memory-resident malware that replicates over networks without user intervention.
Potentially Unwanted Programs (PUPs): Installed alongside legitimate software; often seen as grayware or bloatware.
Computer Viruses
Viruses replicate and spread from computer to computer without the user's consent.
Classes of viruses:
Non-resident/File Infector: Infects executable files and attempts to propagate.
Memory Resident: Creates its own process and remains in memory after the host program ends.
Boot Virus: Executes when the operating system starts or when USB media is connected.
Script and Macro Viruses: Use local scripting or office automation features to infect.
Computer Worms and Fileless Malware
Worms operate independently and can exploit network vulnerabilities, consuming bandwidth and causing denial of service.
Fileless Malware: Does not write code to disk; uses memory-resident techniques to evade detection and execute malicious actions, leveraging system scripting tools like PowerShell.
Spyware and Keyloggers
Tracking Cookies: Used for monitoring web activity and gathering metadata.
Adware: Reconfigures the browser and tracks activity using cookies; may be bundled with other software.
Spyware: Monitors application activity, takes screenshots, activates microphones/cameras.
Keyloggers: Capture keystrokes to steal sensitive data.
Backdoors and Remote Access Trojans (RATs)
A backdoor allows unauthorized remote access, typically used in RATs, which mimic legitimate remote control software.
A compromised host can be referred to as a zombie and may have one or more bots installed for malicious purposes.
Rootkits
Gain local administrator privileges to conceal the presence of malware, complicating detection.
Can manipulate system processes and may operate at the kernel level, compromising security.
Ransomware
Ransomware: Extorts money from victims by restricting access to data.
Crypto-Ransomware: Encrypts files and demands payment to restore access; often targets industry-specific files.
Logic Bombs
Malware that executes based on specific conditions or events, often undetectable until triggered.
Tactics, Techniques, and Procedures (TTPs) & Indicators of Compromise (IoCs)
TTPs are the behaviors and methods threat actors use; IoCs are the evidence that an attack has succeeded or been attempted.
Examples include connections to command-and-control servers and modified registry entries.
Malicious Activity Indicators
Automated detection may fail; sandbox environments allow suspect code to be analyzed safely.
Monitor for abnormal resource consumption, access to restricted files, and signs of account compromise.
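The two preceding points (IoCs such as command-and-control connections and modified registry entries, and behavioral indicators such as abnormal resource consumption) can be checked with a small scanner run over endpoint telemetry. The following is an added example written for these notes, not code from CertMaster or any product. The log line formats, the IoC watchlist (the `.invalid` domains are placeholders), the registry key watchlist and the CPU threshold are all assumptions chosen for illustration.

```python
"""Added example (not from the CertMaster lesson): a small indicator scanner
run over constructed log events. Domain names, registry paths, line formats
and thresholds are assumptions chosen for illustration."""
import re
from dataclasses import dataclass

# Constructed IoC watchlist; ".invalid" is a reserved TLD, so these are placeholders.
KNOWN_C2_DOMAINS = {"c2.example.invalid", "beacon.example.invalid"}

# Assumed watchlist of autostart registry locations commonly modified for persistence.
PERSISTENCE_KEYS = (
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
)

CPU_THRESHOLD_PCT = 90.0  # assumed baseline for "abnormal resource consumption"


@dataclass
class Finding:
    kind: str    # which indicator fired
    line: str    # the raw event that triggered it, for the analyst
    detail: str  # the matched value (domain, key or process name)


# Constructed event formats: one line per event, prefixed by its type.
NET_RE = re.compile(r"^NET\s+host=(?P<host>\S+)\s+dst=(?P<dst>\S+)")
REG_RE = re.compile(r"^REG\s+host=(?P<host>\S+)\s+op=SetValue\s+key=(?P<key>\S+)\s+value=(?P<value>.+)$")
PROC_RE = re.compile(r"^PROC\s+host=(?P<host>\S+)\s+name=(?P<name>\S+)\s+cpu=(?P<cpu>[\d.]+)")


def scan_events(lines):
    """Return a Finding for every line that matches an IoC or behavioral rule."""
    findings = []
    for line in lines:
        if m := NET_RE.match(line):
            # IoC match: outbound connection to a known command-and-control domain.
            if m["dst"].lower() in KNOWN_C2_DOMAINS:
                findings.append(Finding("c2_connection", line, m["dst"]))
        elif m := REG_RE.match(line):
            # IoC match: a value written under an autostart (persistence) key.
            if any(m["key"].lower().startswith(k.lower()) for k in PERSISTENCE_KEYS):
                findings.append(Finding("registry_persistence", line, m["key"]))
        elif m := PROC_RE.match(line):
            # Behavioral indicator: sustained CPU use above the assumed baseline.
            if float(m["cpu"]) >= CPU_THRESHOLD_PCT:
                findings.append(Finding("abnormal_cpu", line, m["name"]))
    return findings


# Constructed sample telemetry; none of these hosts, domains or files are real.
SAMPLE_LOG = [
    "NET host=ws01 dst=updates.example.invalid",
    "NET host=ws01 dst=c2.example.invalid",
    r"REG host=ws01 op=SetValue key=HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater value=C:\Users\Public\u.exe",
    r"REG host=ws01 op=SetValue key=HKCU\Software\Example\Settings value=1",
    "PROC host=ws01 name=svchost.exe cpu=3.5",
    "PROC host=ws01 name=unknown.exe cpu=97.2",
]

if __name__ == "__main__":
    for f in scan_events(SAMPLE_LOG):
        print(f"[{f.kind}] {f.detail}  <- {f.line}")
```

Each finding keeps the raw line so an analyst can correlate it with other data sources from the preparation phase; in practice the watchlists would be fed from a threat intelligence source rather than hard-coded, and the CPU threshold tuned to the host's normal baseline.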
Topic 13B: Physical and Network Attack Indicators
Understanding physical and network attack vectors helps prevent and remediate attacks.
Physical Attacks
Indicators include physical tampering, theft, or infrastructure failure.
Environmental attacks can compromise systems (e.g., disrupting power or cooling).
Network Attacks
Network attacks include reconnaissance, credential harvesting, DoS attacks, and lateral movement.
Topic 13C: Application Attack Indicators
Exploiting vulnerabilities in applications often leads to unauthorized code execution.
Privilege Escalation: Allows attackers to gain unauthorized access to higher privileges.
Injection Attacks: Unsecured input processing that lets untrusted input be treated as a command or query, leading to unauthorized actions.
Session Hijacking: Attacks like CSRF and SSRF exploit authentication tokens or bypass security controls.
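To make the injection point concrete, here is an added example (not code from CertMaster) showing the same database lookup written two ways, against a constructed in-memory SQLite table. The table, column names and the `looks_like_injection` logging heuristic are assumptions for illustration.

```python
"""Added example (not from the CertMaster lesson): an SQL lookup written with
string concatenation and with a parameterised query, plus a crude input
heuristic for alerting. Runs against a constructed in-memory SQLite database."""
import sqlite3


def make_db():
    """Build a constructed users table with three sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users (name, role) VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("carol", "user")],
    )
    conn.commit()
    return conn


def lookup_unsafe(conn, name):
    """Unsecured input processing: the input is pasted into the SQL text,
    so any quote characters it carries change the query's meaning."""
    sql = "SELECT name, role FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, name):
    """Hardened form: a placeholder keeps the input as data, never as syntax,
    so the same input simply matches no row."""
    return conn.execute(
        "SELECT name, role FROM users WHERE name = ?", (name,)
    ).fetchall()


def looks_like_injection(value):
    """Assumed monitoring heuristic for flagging suspicious input in logs.
    It is an indicator for alerting, not a replacement for parameterisation,
    and will false-positive on legitimate names containing an apostrophe."""
    markers = ("'", "--", ";", " or ", " union ")
    lowered = value.lower()
    return any(m in lowered for m in markers)


if __name__ == "__main__":
    conn = make_db()
    probe = "x' OR '1'='1"  # classic textbook test string
    print("unsafe:", lookup_unsafe(conn, probe))   # every row comes back
    print("safe:  ", lookup_safe(conn, probe))     # no row matches
    print("flag:  ", looks_like_injection(probe))  # worth logging
```

The indicator to watch for in application logs is the mismatch the two functions expose: a lookup by a single name that returns many rows, or request parameters carrying quote and comment characters. The fix is the parameterised form; the heuristic only helps surface attempts for review.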
Lesson Summary
Identify indicators of various malware types and of physical, network, and application attacks.
Implement enhanced detection mechanisms and threat intelligence feeds to improve security posture.
Correlate attack indicators and leverage logging data to identify compromise more accurately.