Chapter 10: Incident Detection and Analysis Flashcards

1
Q

IOC

A

Indicators of compromise consist of information gathered about activity, events, and behaviors that are commonly associated with potentially malicious behavior

Some common IoCs include, but aren’t limited to:
* Unusual network traffic, including unusual outbound network traffic, unexpected p2p traffic, activity to abnormal ports or IPs
* Increases in database or file share read volume
* Suspicious file changes to filesystems, the Windows Registry, and configuration files
* Traffic patterns that are unusual for human usage of a system
* Login and rights usage irregularities, including geographic and time-based anomalies
* DoS activities and artifacts
* Unusual DNS traffic
* Internal and external personnel

2
Q

IOC Feeds

A

Provide community information about threats and threat actors, like:
* IPs and hostnames associated with malicious actors or active threats
* Domain names used by malware, C2 servers, and infected websites
* Hashes of malicious software
* Behavior-based information for threat actors and malware

IoC feeds are available either as commercial subscription feeds or as open, free feeds like those found on the OTX

Always determine the level of reliability for the feed and any data used from it, as well as what data to act on, how you’ll use it, and how it can be integrated into your environment

Explore Alienvault’s Open Threat Exchange https://otx.alienvault.com/

3
Q

Unusual Network Traffic

A

One of the most common IoCs, but also challenging to identify due to adversarial techniques intended to make it difficult to see

Attackers will use encrypted protocols like TLS to protect web traffic, encapsulate traffic in otherwise innocuous data flow, and try to conceal their activity to avoid detection

Ports
* One network and system-based IoC profile focuses on the use of abnormal ports for traffic
* Typical service ports for common services are well-documented
* While orgs may use alternate ports to run multiple independent services or to limit the impact of default port scans, services receiving traffic on unusual ports may indicate a compromise

Unexpected Communications
This isn’t just beaconing—it also includes:
* Attack or information gathering traffic like port and vulnerability scans
* P2P traffic in a datacenter where systems should be communicating outbound, not to each other
* Any traffic scenarios that don’t fit typical patterns
* Behavior and pattern recognition can help identify unexpected communication
* Firewalls and appropriate trust boundaries can help detect issues via firewall logs and limit impact by not allowing unexpected traffic to successfully traverse the network

Monitoring outbound traffic can help identify IoCs, like:
* Traffic to unexpected locations
* Unusual types of outbound traffic like RDP, SSH, or file transfer
* Unusual volumes of outbound traffic
* Outbound DNS queries
* DNS queries for unexpected domains or domains flagged as malicious by reputation tools
* Outbound traffic at unusual times

Chapter 3 explains how to capture this data

4
Q

Increases in Resource Usage

A

Resource-based IoCs are often used to help identify unusual behavior, because resource utilization can indicate actions taken by an attacker:
* CPU and memory are consumed by the attacker’s use of tools or utilities
* Disk space is used up as they gather data
* Network usage increases as data is transferred, scans are run, etc.

Database Read Volume
* Unusual spikes may indicate an attacker gathering data from the database
* Difficult to identify as related to an attack or compromise without additional information about what’s driving the increased database usage

Chapter 3 explains how to monitor usage

5
Q

Unusual User and Account Behaviors

A

Behavior-based IoCs are powerful, as attackers almost always have to do something that users, services, and systems won’t typically do

If you can identify normal behaviors using profiling, baselines, or similar techniques, you can more easily identify potential behavior-based IoCs

Common examples of behavior-based IoCs include:

Unusual Privileged Account Behaviors
* Privileged accounts are more likely to perform unusual activities, like system admins using superuser commands, which can lead to alerts
* Still, monitoring the use of privileged accounts is critical to security operations

Escalation of Privileges and Adding New Users to New Groups
* Especially if new users are granted greater rights
* New privileges being added should be flagged as part of IoC monitoring
* Admin privileges in particular need to be monitored, audited, and reported on

Bot-like Behaviors
* Humans typically don’t run commands at high speed, so looking for occurrences that happen faster than a human typically works can identify compromise
* Logging into multiple systems and performing actions can also be a flag
* Be aware that legitimate scripts and tools can also have similar behavior patterns

User and Account Behavior-Based Identification
* Requires an understanding of how users perform their jobs and what their rights and privileges should be
* Combine this with a process and capability to analyze unusual events to determine whether they’re simply a user doing something new or infrequent, or whether malicious activity is occurring

6
Q

File and Configuration Modification

A

Changes to any file can be an IoC, but it’s particularly important to pay attention to configuration files, log files, or other files that might be useful to an attacker

Filesystem monitoring tools like OSSEC (Open Source HIDS SECurity) and Tripwire serve as HIDS that monitor for intrusion behavior, like unauthorized file or system modifications

Attackers can also use your filesystems for their own purposes
* Unexpected data aggregation or collection may indicate attackers have gathered data from elsewhere in your org and are collecting it in a location before transferring it out

Unexpected patching can also be an IoC
* Attackers sometimes patch systems to ensure that others can’t follow them through a flaw that they themselves have exploited

7
Q

Login and Rights Usage Anomalies

A

Geographic Concerns
* A common IoC pattern is to look for a single user or account logging in from multiple different geographic locations in a short period of time
* A similar detection technique looks for users who are logged in and active from different geographic locations at the same time
* It’s possible that this indicates a VPN, but simultaneous login and activity is always worth investigating further

Time-Based
* Combine geographic and time-based analyses to determine when someone has apparently traveled further than is physically possible in a given time
* Most orgs will also have defined work hours for employees, so monitor after-hours activity
* Can result in false positive indicators

Logins and Rights Usage
* This focuses on when a user is typically likely to perform an action like logging in, if they’re performing specific tasks, or even what their work hours are

In all situations here, pattern recognition, baselining, and anomaly detection are critical when privilege and account usage are being analyzed

8
Q

DoS

A

Denial of Service attacks can be a direct attack from a single system or they can be distributed (DDoS)

DDoS can be particularly challenging to differentiate from legitimate high-traffic scenarios, to attribute, and to stop

DoS that originates from systems within your network is another example of an IoC, but it’s not always an indicator that the specific system itself is compromised

That’s because amplification attacks have historically leveraged service vulnerabilities that amplified traffic without requiring the underlying service or system to be compromised
* EX: DNS Amplification attack
* Malicious actors use open DNS resolvers to increase attack volume by sending many small queries that require large responses

NOTE: The occurrence of a DoS attack is in and of itself an IoC
* Additionally, an IoC that looks like a DoS but is actually associated with exploit attempts and other non-DoS activity is repeated requests for the same file or directory

9
Q

Unusual DNS Traffic

A

Many orgs monitor queries sent to their DNS servers, comparing them to lists of malicious sites using threat and reputation feeds

IoC feeds may include specific IPs and hostnames that are commonly used by active threats, allowing DNS query and server monitoring to help identify compromised systems

Monitoring for DNS-related IoCs often focuses on the following:
* Abnormal levels of DNS queries, particularly to unusual domain names
* Unusual domain name queries, often to randomly generated or machine-generated hostnames like jky845 . com
* Large numbers of DNS query failures, which may indicate use of automatically generated DNS names embedded in malware

Depending on the complexity of the malware, DNS and hostname IoCs may be useful for some time, or may need to be updated quickly as the malware rotates to new names based on an algorithm or C2 updates

DNS tunneling is another potential issue
* Use tools like IDS/IPS to monitor for this
* Tunneling C2 information via DNS queries, or DNS queries that include encoded or encrypted data, are potential IoCs to watch for

Fast Flux DNS
* This quickly changes the IPs for a domain
* You have one domain name, but multiple IPs associated with it
* If you block IPs, the attacker can change the back-end IPs so that communications still route to the C2 server
* Attackers use fast flux to keep their C2 infrastructure active, even if some hosts are taken down
* Observing queries that are involved in fast-flux DNS could indicate the system might be compromised, or that a user has clicked a link to a malicious site

10
Q

Combining IoC

A

Effectively using IoCs requires combining data and analysis from multiple IoCs to identify a compromise

It’s less likely for a single IoC to occur in isolation in a compromise scenario, although it can happen

Look for ways to combine information and threat feeds, logs and log analysis tools, and IoC feeds and detection mechanisms into comprehensive systems that remain up to date and check whether multiple IoCs add up to a compromise

11
Q

Evidence Acquisition and Preservation

A

Evidence acquisition during incident response activities can take a number of forms, from making copies of files to taking snapshots of VMs and even using forensic file or drive copies

The key terms to know are:
* Preservation
* Chain of Custody
* Legal Hold
* Validating Data Integrity

12
Q

Preservation

A

Regardless of the data types and acquisition methods, you must preserve the data

You must first acquire it, then validate the acquisition of the data, and then store it in a secure and documented manner

If the evidence is required for a legal case, or if law enforcement (LEO) is involved, preservation will require chain of custody documentation

13
Q

Chain of Custody

A

Tracks the evidence through its lifecycle:
* Collection
* Preservation
* Analysis

This requires documentation of who has access to the data, when, where, and how it’s stored, used, or transferred

Complete documentation of a chain of custody helps ensure that the data wasn’t inappropriately accessed or modified

14
Q

Legal Hold

A

As part of the eDiscovery process, legal counsel may issue a legal hold notice when litigation is about to start or is underway

Data custodians in the impacted org will be notified to preserve data, including data that might otherwise have been deleted or removed as part of normal business processes

The org is obligated to preserve and produce data as part of the legal process

Orgs may also undertake legal hold processes themselves if they expect to face lawsuits or other legal action

15
Q

Validating Data Integrity

A

* Verifies that the capture process didn’t inadvertently create changes
* Ensures that the data captured and retained matches the original data

This is critical for evidence and legal cases, but it’s also important for organizational investigations to ensure that bad data doesn’t lead to incorrect conclusions

Integrity is verified with hashing tools, like FTK Imager, or directly with hash algorithms

16
Q

Port Hopping

A

An APT’s C2 application might use any port to communicate from

It might use port 22 right now, but if it thinks it’s being detected it’ll jump to 53, and then 1258, or whatever port it’s going to use next

By jumping through these ports it can try to evade detection