Chapter 10: Incident Detection and Analysis Flashcards
IOC
Indicators of compromise consist of information gathered about activity, events, and behaviors that are commonly associated with potentially malicious behavior
Some common IoC include, but aren’t limited to:
* Unusual network traffic, including unusual outbound network traffic, unexpected p2p traffic, activity to abnormal ports or IPs
* Increases in database or file share read volume
* Suspicious file changes to filesystems, the Windows Registry, and configuration files
* Traffic patterns that are unusual for human usage of a system
* Login and rights usage irregularities, including geographic and time-based anomalies
* DoS activities and artifacts
* Unusual DNS traffic
* Internal and external personnel
IOC Feeds
Provide community information about threats and threat actors, like:
* IPs and hostnames associated with malicious actors or active threats
* Domain names used by malware, C2 servers, and infected websites
* Hashes of malicious software
* Behavior-based information for threat actors and malware
IoC feeds are available either as commercial subscription feeds or as open, free feeds like those found on the OTX
Always determine the level of reliability for the feed and any data used from it, as well as what data to act on, how you’ll use it, and how it can be integrated into your environment
Explore Alienvault’s Open Threat Exchange https://otx.alienvault.com/
Unusual Network Traffic
One of the most common IoC, but also challenging to identify because adversaries use techniques intended to make their traffic difficult to see
Attackers will use encrypted protocols like TLS to protect web traffic, encapsulate traffic in otherwise innocuous data flow, and try to conceal their activity to avoid detection
Ports
* One network and system-based IoC profile focuses on the use of abnormal ports for traffic
* Typical service ports for common services are well-documented
* While orgs may use alternate ports to run multiple independent services or to limit the impact of default port scans, services receiving traffic on unusual ports may indicate a compromise
Unexpected Communications
This isn’t just beaconing—it also includes:
* Attack or information gathering traffic like port and vulnerability scans
* P2P traffic in a datacenter where systems should be communicating outbound, not to each other
* Any traffic scenarios that don’t fit typical patterns
* Behavior and pattern recognition can help identify unexpected communication
* Firewalls and appropriate trust boundaries can help detect issues via firewall logs and limit impact by not allowing unexpected traffic to successfully traverse the network
Monitoring outbound traffic can help identify IoC, like:
* Traffic to unexpected locations
* Unusual types of outbound traffic like RDP, SSH, or file transfer
* Unusual volumes of outbound traffic
* Outbound DNS queries
* DNS queries for unexpected domains or domains flagged as malicious by reputation tools
* Outbound traffic at unusual times
Ch: 3 explains how to capture this data
Increases in Resource Usage
Resource-based IoC are often used to help identify unusual behavior, because resource utilization can indicate actions taken by an attacker:
* CPU and memory are consumed due to their use of tools or utilities
* Disk space is used up as they gather data
* Network usage increases as data is transferred, scans are run, etc
Database Read Volume
* Unusual spikes may indicate an attacker gathering data from the database
* Difficult to identify as related to an attack or compromise without additional information about what’s driving the increased database usage
Ch: 3 explains how to monitor usage
Unusual User and Account Behaviors
Behavior-based IoC are powerful, as attackers almost always have to do something that users, services, and systems won’t typically do
If you can identify normal behaviors using profiling, baselines, or similar techniques, you can more easily identify potential behavior-based IoC
Common examples of behavior-based IoC include:
Unusual Privileged Account Behaviors
* Privileged accounts are more likely to perform unusual activities, like system admins using superuser commands, which can lead to alerts
* Still, monitoring the use of privileged accounts is critical to security operations
Escalation of Privileges and Adding New Users to New Groups
* Especially if new users are granted greater rights
* New privileges being added should be flagged as part of IoC monitoring
* Admin privileges in particular need to be monitored, audited, and reported on
Bot-like Behaviors
* Humans typically don’t run commands at high speed, so looking for occurrences that happen faster than a human typically works can identify compromise
* Logging into multiple systems and performing actions can also be a flag
* Be aware that legitimate scripts and tools can also have similar behavior patterns
User and Account Behavior-Based Identification
* Requires an understanding of how users perform their jobs and what their rights and privileges should be
* Combine this with a process and capability to analyze unusual events to determine whether they’re simply a user doing something new or infrequent, or whether malicious activity is occurring
File and Configuration Modification
Changes to any file can be an IoC, but it’s particularly important to pay attention to configuration files, log files, or other files that might be useful to an attacker
Filesystem monitoring tools like OSSEC (Open Source HIDS SECurity) and Tripwire serve as HIDS that monitor for intrusion behavior, like unauthorized file or system modifications
Attackers can also use your filesystems for their own purposes
* Unexpected data aggregation or collection may indicate attackers have gathered data from elsewhere in your org and are collecting it in a location before transferring it out
Unexpected patching can also be an IoC
* Attackers sometimes patch systems to ensure that others can’t follow them through a flaw that they themselves have exploited
Login and Rights Usage Anomalies
Geographic Concerns
* A common IoC pattern is to look for a single user or account logging in from multiple different geographic locations in a short period of time
* A similar detection technique looks for users who are logged in and active from different geographic locations at the same time
* It’s possible that this indicates a VPN, but simultaneous login and activity is always worth investigating further
Time-Based
* Combine geographic and time-based analyses to determine when someone has apparently traveled further than is physically possible in a given time
* Most orgs will also have defined work hours for employees, so monitor after-hours activity
* Can result in false positive indicators
Logins and Rights Usage
* This focuses on when a user is typically likely to perform an action like logging in, if they’re performing specific tasks, or even what their work hours are
In all situations here, pattern recognition, baselining, and anomaly detection are critical when privilege and account usage are being analyzed
DoS
Denial of Service attacks can be a direct attack from a single system or they can be distributed (DDoS)
DDoS can be particularly challenging to differentiate from legitimate high-traffic scenarios, to attribute, and to stop
DoS that originates from systems within your network is another example of an IoC, but it’s not always an indicator that the specific system itself is compromised
That’s because amplification attacks have historically leveraged service vulnerabilities that amplified traffic without requiring the underlying service or system to be compromised
* EX: DNS Amplification attack
* Malicious actors use open DNS resolvers to increase attack volume by sending many small queries that require large responses
NOTE: The occurrence of a DoS attack is in and of itself an IoC
* Additionally, repeated requests for the same file or directory can look like a DoS but are actually an IoC associated with exploit attempts and other non-DoS activity
Unusual DNS Traffic
Many orgs monitor queries sent to their DNS servers, comparing them to lists of malicious sites using threat and reputation feeds
IoC feeds may include specific IPs and hostnames that are commonly used by active threats, allowing DNS query and server monitoring to help identify compromised systems
Monitoring for DNS-related IoC often focuses on the following:
* Abnormal levels of DNS queries, particularly to unusual domain names
* Unusual domain name queries, often to randomly generated or machine generated hostnames like jky845 . com
* Large numbers of DNS query failures may indicate use of automatically generated DNS names embedded in malware
Depending on the complexity of the malware, DNS and hostname IoC may be useful for some time or updated quickly as the malware rotates new names based on an algorithm or C2 updates
DNS tunneling is another potential issue
* Use tools like IDS/IPS to monitor for this
* Tunneling C2 information via DNS queries, or DNS queries that include encoded or encrypted data, are potential IoC to watch for
Fast Flux DNS
* This quickly changes IPs for a domain
* You have 1 domain name, but multiple IPs associated with it
* If you block IPs, attackers can change the back end so that communications are still routed to the C2 server
* Attackers use fast flux to keep their C2 infrastructure active, even if some hosts are taken down
* Observing queries that are involved in fast-flux DNS could indicate the system might be compromised, or that a user has clicked a link to a malicious site
Combining IoC
Effectively using IoC requires combining data and analysis from multiple IoC to identify a compromise
It’s less likely for a single IoC to occur in isolation in a compromise scenario, although it can happen
Look for ways to combine information and threat feeds, log and log analysis tools, and IoC feeds and detection mechanisms into comprehensive systems that remain up to date and check to see whether multiple IoC add up to a compromise
Evidence Acquisition and Preservation
Evidence acquisition during incident response activities can take a number of forms, from making copies of files to taking snapshots of VMs and even using forensic file or drive copies
The key terms to know are:
* Preservation
* Chain of Custody
* Legal Hold
* Validating Data Integrity
Preservation
Regardless of the data types and acquisition methods, you must preserve the data
You must first acquire it, then validate the acquisition of the data, and store it in a secure and documented manner
If the evidence is required for a legal case, or if LEO are involved, preservation will require chain of custody documentation
Chain of Custody
Tracks the evidence through its lifecycle:
* Collection
* Preservation
* Analysis
This requires documentation of who has access to the data, when, where, and how it’s stored, used, or transferred
Complete documentation of a chain of custody helps ensure that the data wasn’t inappropriately accessed or modified
Legal Hold
Part of the eDiscovery process, legal counsel may issue a legal hold notice when litigation is about to start, or is underway
Data custodians in the impacted org will be notified to preserve data, including data that might otherwise have been deleted or removed as part of normal business processes
The org is obligated to preserve and produce data as part of the legal process
Orgs may also undertake legal hold processes themselves if they expect to face lawsuits or other legal action
Validating Data Integrity
* Verifies that the capture process didn’t inadvertently create changes
* Ensures that the data captured and retained matches the original data
This is critical for evidence and legal cases, but it’s also important for organizational investigations to ensure that bad data doesn’t lead to incorrect conclusions
Integrity is validated with hashing tools, like FTK Imager, or with hash algorithms