Overview of Incident Detection and Analysis
Introduction
- The session focuses on incident detection and analysis, highlighting its importance in security operations.
- A guest speaker, Maha Mahal Lai, will discuss the relationship between governance, risk, and compliance (GRC) and security operations center (SOC).
Agenda
- Duration: 40 minutes on incident detection.
- Guest speaker session on GRC and its relevance to SOC.
Importance of GRC in SOC
- Understanding GRC is crucial for career advancement in security roles. For a deeper dive into this topic, check out our summary on Comprehensive Overview of Incident Response and Handling in CCNA Cyber Ops.
- Analysts should be equipped to handle inquiries from GRC and audit departments.
Incident Detection and Analysis Cycle
- Detection and analysis are interconnected; detection alone is insufficient without analysis. For more on the analysis aspect, see our summary on Incident Response and Digital Forensics: A Comprehensive Overview.
- Analysts must determine if an incident is a false positive or a true threat.
- Collaboration with other teams (e.g., reverse engineering, application teams) is essential for effective incident management.
Tools for Incident Detection
- Various tools are deployed to detect malicious activities, including:
- Firewalls
- Intrusion Detection Systems (IDS)
- Antivirus software
- Security Information and Event Management (SIEM) systems
- Alerts are generated based on suspicious activities detected by these tools.
Indicators of Compromise (IoCs)
- Analysts should be aware of both probable and definite indicators of threats. For insights on how to handle these indicators, refer to our summary on Types of Digital Forensic Evidence in Cybersecurity Investigations.
- Probable indicators may require validation, while definite indicators suggest malicious activity.
Detection Methods
- Signature-Based Detection: Utilizes unique identifiers for known threats.
- Heuristic Analysis: Monitors behavior of files to identify potential threats without relying on signatures.
Use Cases for Detection
- Creating use cases is vital for monitoring activities and detecting anomalies. For a broader understanding of the implications of these use cases, see our summary on Defending Against Nation-State Cyber Threats: Insights from Tailored Access Operations.
- Examples include monitoring authentication activities, account management, and connection activities.
Conclusion
- The session emphasizes the need for a layered approach to security, combining various tools and methods for effective incident detection and response.
- The importance of continuous learning and adaptation in the field of cybersecurity is highlighted.
all right so we are going to start now and others they can join so our today's uh topic is incident
detection um let's move to the next slide so our agenda for today is I'll be taking today less time around 40 minutes
discussing incident detection and then from 7:45 we will have a guest speaker Maha Mahal
Lai she has very good experience in the GRC part governance risk and compliance so she will be talking about
some part of governance and then what is the relation between sock and governance so these things are very important to
know because when you're working in an organization as I mentioned before also that you're not working only in so
you're not just um the investigation or monitoring but your uh capabilities should be more than
that in case or if you want to Excel or if you want to move ahead in your career so you should have understanding of the
other things around which are happening you should have some knowledge you should be able to you know manage them
or at least uh answer if somebody comes from the GRC department or comes from the audit department so you must must be
able to handle uh the cues so that is why I'm just trying to provide you a different kind of flavors of sock and uh
all the other departments which are engaged in day-to-day activity with sock I'll skip the slide about the
profile our technology partner Splunk uh thday and wedness Friday we'll have labs and uh tomorrow I'm going to share you
uh link how to download Splunk and some material related to Splunk so we can all download uh the material from the Splunk
website uh the Splunk software application installation is very easy it's window space And Then There are PDF
documents explaining you how to access the application in case you have any issues in that you can drop an email at
trainings. Okay so so incident detection and Analysis um our topic is about detection
how to detect any uh threat any vulnerability but when once you detect something you have to analyze it so
incident detection and Analysis they are linked together it's not like you just detect something and simply you forward
it to the L2 or you send an email to the IT team uh mentioning that there is an incident we detect once you detect
something you have to do some analysis you have to perform some investigation in order to uh uh make sure that if this
incident is U uh false positive or true positive so if the the threat is real or if there is a false alarm so that is
part of the analysis done by the analyst or if there is something which is like more than your capability so then you
refer to your which is L2 or soof manager so they can help you in that so then again incident
detection and response so it's a full cycle uh remember we are going to discuss the other parts of uh response
inent response in the last day of my um presentation that would be on Thursday so we'll be discussing in full detail
how the Cycle Works what are the phases of incident response so overall Whenever there is any threat
or there is a suspicious activity or malicious activity so you have different tools uh deployed in the network and
these tools are supposed to detect those malicious behavior those suspicious activities those attackers okay so once
they detect they will notify you notify you means the notification will be sent to the Sim through the logs
then the Sim it will show you an alarm an alert okay or maybe based on its own machine learning because the these new
uh applications they are doing part of machine learning also so they are uh looking at the logs understanding
the logs and based on that they are also generating some machine Bas alarms so you will have an alert or
alarm so this alarm will tell you that there is some malicious activity happen or is going to happen
or something is happening at the current moment okay so once you detect something okay so along with the detection and
Analysis you need team members because it's not a onean job because you need to engage uh different people uh maybe if
your organization they have like uh a reverse engineer so and you found a malware uh which seems suspicious so
your reverse engineer need to analyze the code of that malware sometimes what happened um your application team they
custom developed uh one small application but your antivirus or your firewall uh it flagged it as malicious
it's an executable file and it flagged it as malicious so now in your reverse engineer or your the application team
they have to analyze actually what what went wrong what happened due to which there was a alarm or there was a alert
or there's a detection from the security tools okay so you need different teams sometimes you perform these
activities within the sock sometimes if you find like for example you have an antivirus which flagged uh a custom
application as malas then so then you have to you know submit the hash or submit the application to the antivirus
vendor to the antivirus uh manufacturer so they can then evaluate this file they can um review the file and based on that
they can Whit list the file from their antivirus otherwise every time you will be having a false positive alarm Okay so
this is the full cycle of the incident response I was talking so it starts from preparation preparation means like you
already have uh prepared your policies procedures your framework uh you know about your team their
capabilities then you have the technology you have the business processes defined you have the Strategic
uh policies defined so this is all part of preparation along with the preparation you will also bring the
technology into your environment which will be helpful or which will be uh there to uh make your job easy make your
work easy the detection and response part so from from preparation you move to detection which we are going to study
today uh about and then the next phase is containment eradication and Recovery this and then post incident activity
this two phases we discuss on Thursday in detail so moving to the next part which is related to
detection so as an analyst what would be the indicators which will uh help you to identify any kind of activity if it is
malicious if it is a threat how you can identify so there there are two kind of possibilities one is the probable
indicator which may be a threat or which may not be a threat it could be a false positive then the other is definite
indicators okay so what could be probable indicators which will tell you about a certain
threat for example in sock you receive an alarm uh at midnight that one of the user normal user or administrator he log
into the system okay so this is unexpected time for them to access their work session so you have defined some
kind of criteria some kind of conditions that if you see this so there will be an alarm Okay so based on that alarm you
will got an indication of a threat now you need to validate it because analyzis and validation is must from the stock
analyst you need to verify it if if this what is happening it's legitimate it is authorized or it is unauthorized that
you can verify by looking at who log into the system who is the manager of that user you can contact that um users
manager you can call him and you can ask or you can see if there's any email sent from the Department that we have an
activity scheduled for tonight so by this you can validate about this indication that this is a threat or not
threat similarly sometimes you will find some new accounts are created user accounts so now these days um the
hrms human resource management system they are sort of automated now so when you add any new employee you create a
profile of the employee in the hrms see it is integrated with active directory at the same same time once you create
the profile a user account will be created for that user okay once a new user account create again you have set
some conditions which will tell you that there's a new account created it and then you need to verify it again you
need to validate by looking at the email by calling the HR team by sending an email to them to
validate so there could be a reported attack somebody report that there is an attack
but uh this attack again it could be false positive depending on what kind of indications or uh logs you are
seeing or you get notification from security detection tools you get uh notification from the firewall from the
IDS IPS antivirus as in the beginning I mentioned that there could be a file or application created by your uh internal
team which is flagged as malicious so you get that notification that there is a malicious files on the network whereas
this file is not malicious it is malicious because the tool thinks that its signature it code is uh matches with
the family of a virus or malware so these are the problem indicators then what about the definite
indicators so if you see that there was a user account which was disabled and all of all of a sudden uh this account
is enabled at a certain point or certain time maybe in the midnight so this is something which is not normal but again
you need to validate it you need to see that who enabled this account who was the user who performed this activity on
this dment account or if you see changes to logs log file are deleted okay so based on that your analysis you can see
that the files which are deleted these are routine activity or these are like um security log files which are
sensitive they should not be deleted this will establish that there is something malicious happening or for
sure if you see on one of the computer hacker tools okay like mimic ads or any other similar file some Powershell
scripts or any uh similar files which are malicious or which are which are not legitimate files so this will make uh
tell you that there is something uh malicious happening on your network okay then there is uh notification by a
partner or peer so we usually uh receiving um uh indicator of compr compromise or ioc from the national
regulator based on the experience of other companies uh which might have faced these kind of issues so then they
share these iocs with all the companies within the kingdom uh so we take these ioc's and we scan them these ioc's
within our Sim to see if any of our machine of if any of our system is compromised or there is a communication
between our system and those ioc's or the last one if you found a notification by a hacker on your
computer like saying that your system is um compromised or you see a R some screen so that is for sure it's definite
indicator so what are the tools which will tell you that something malicious is happening so there are two kind of
tools or two kind of sources one is active one is passive active ones are like firewalls firewall are there
because their function is to detect their function is to block so their function is to uh monitor the traffic
what is coming into the network what is going out to the network so definitely firewall uh they have their own
algorithms they have their own database of signatures or heuristic
based uh methods based on that they will tell you that there is something which is not normal email gateways again they
are created in a way that they will filter all your emails they will look for fishing content they will look for
abusive material they will see for the attachments coming sometimes uh that dment will be sent as PDF but the
content inside the file is executable so they send this to evade the uh email security solution uh so it
cannot detect this so then you have IDs IPS um IDs IPS can be built inside the firewall also but there are Standalone
products available as well you can have honey pots to trap uh the attackers you can have antivirus you
will have EDR solution andp detection and response and you will have xdr the network detection and response so with
the passage of time uh the vendors they are realizing the needs of different products so there's not a single tool or
product which will do the detection so you need a layer of tools uh a layer of Security Solutions
which will do this job so these are active but then there are passive also like if a new user account is
created ated on Windows no one is going to tell you that there is a new account is created
because this is a normal activity if you see for the system excuse
me from system perspective it's a normal activity user account creation or user account
delation or giving privileges to a user but then we set up certain conditions which are called use cases
these use cases will tell us that there is something happening on the network which is not normal otherwise you will
not get an alarm or notification from these sources so there are like passive tools and there are like active tools
active tools they are there to do this their job but passive tools they have different functions they are not
security tools so then you have to create cases to monitor them or detect malicious
activity so what are the detection methods so I'll just give you a high level uh detail about like detections
how the detections happen this is very important in case if in your future you wanted to like go into the field of uh
malware analysis or reverse engineering so you should understand this how the security tools work so basically there
are two methods one is signature based and other is heuristic analysis in a signature based uh process you have like
a unique identifier okay for example semantic antivirus today they found a file okay and they execute this
file within their environment to see what this file is doing what kind of process is it creating if there is any
communication to the external uh IPS or something like this so after testing based on that what they do they create a
signature or hash for this file and they enter this hash into their database now whenever there is any file
coming with any different name what they will do they will check the hash of that file if the hash matches or if the
signature matches so it will tell that this file is malicious whereas heuristic analysis it
works in a different way it examine the code of the attached file it doesn't have a specific hash or signature for
that file but what it will do it will try to uh uh run this file execute this file
within its own environment and it will monitor the behavior of that file based on that it will flag it as malicious but
it will not flag it malicious based on the signature so this is the difference now in signature based
methods you develop signatures for different kind of detections like if there is an intrusion uh So based on
signature it can detect okay I'll tell you when there is intrusion uh detection or prevention you
use signature in that one antivirus anti- mwes they use signatures for the traffic patterns um signatures are used
to detect uh for applications there are signatures to use for detection so what are the characteristic of these
signatures how you develop them how you build them so you have like different kind of U uh patterns uh or content like
bite patterns if you have worked on Assembly Language okay so all the code all the source code which are uh uh
written in maybe C language or in any other programming language once they are compiled so they are converted into
machine language or Machine level code so Machine level code uh it's very easy uh to modify it if you have like um good
command on assembly so what happens uh for example if a certain packet if you change one bite in that packet Network
packet so this bite will become something else so by this way the signature is changed so you monitor
those bytes or you check the file types like XY files com files these files are for sure their purpose is executable to
execute so if the network uh sorry if the your security tool like antivirus they detect such kind of file like
executable f file or com file immediately they will flag it as suspicious for the port there are
certain ports which are used by hackers uh like if somebody is trying from outside to accessport 22 so this could
be like a signature was detection then protocols TCP UDP or any other and hashes so what is a hash basically uh
for each file whether it is a JPEG file whether it is executable file PDF file text file for each file the system or
software they create a smaller code which is called hash this hash is basically a unique value for that file
so whenever uh like any file is flagged as malicious executable file so the antivirus it will get hash of that file
it will had the hash of that file into its database as well because based on that it's easy to uh compare for any
other file to see if it's the same file or if it's a different file now for the sendbox
uh why do we use sendbox there are certain conditions for example you receive an attachment a PDF file okay
and the user says that uh he was not expecting that file through the email now you want to
check that file the problem is that as soon as you click that file the file will be executed
execution mean it will open once the file is opening so there is a code which is for the adob PDF but the hacker it
can attach extra code with that file hidden so this code will also be executed so it will write some values to
the registry it will create a new folder in your C drive or in your temp folder or it will look for places where it can
you know have it can write uh the files with without having administrative privileges so now the user said that he
doesn't expect this file but he wanted to know what is inside the file so in that case if you are just
like executing this file directly on your work session or the user work session so there are chances that this
file is malicious and you can um breach your uh Network or you can get compromised so you take this file into
sandbox so sandbox is an isolated environment okay so in the sand boox when once you
run this file in this isolated environment it will try to monitor the behavior of this
file so it's like theistic um uh base method so it will monitor or observe what is happening once you execute this
file based on these observations it will give you a report showing what happened once you open this file so in send box
you can open the file you can see the content and you will also get to know that what executed at the back end of
that file so that is why we use handbox I hope I answer the question
now the advantages of signature based detection U you will find updates uh regularly from the vendors because as
soon as there's any new file uh or any um uh um suspicious file there so these uh vendors they try to uh study those
file and they try to get new uh definition files for these and you can download them uh in a single day or
every single day so your signatures are updated uh on regular basis so signatures they they can return also for
IDs or IPS or application as well then another thing is that signature usually they point to a family of
malicious content like for example if uh one or one hacker he wrote a virus then
another criminal he took the code of that virus and he modify that virus uh for evasion purpose or make some changes
in the behavior but if he change the full code so then there is something new but if he change part of that code so it
means that there is a relation between the old virus and the new virus so on signature based detection you can
identify that this virus belong to that finally and since it works on the false positive uh sorry signatures so you'll
not get too many false positive because it will match the signature and it will give you the result the disadvantages is
that it can be evaded the attackers as every passing day they are coming with new techniques so they can uh make
the antivirus full they can uh let the antivirus think that this is a normal file so evasion can be
avoided then if there is a zero day threats so you will not find um immediately signatures for them because
this is something which is still not uh uh established so there is a flaw in one of the let's say windows and nobody
knows about that one attacker accidentally or he was like trying to infiltrate infiltrate and he discovered
something so this is something which is not in the market so even the vendor Microsoft they themselves doesn't know
that there is a flaw in their program so this zero day they can sell to the uh on the dark web uh to the hackers who are
willing to pay for these kind of uh threats so these threats will not be um identified or will not be detected by
the antivirus because they don't have signature for that since it works uh based on the
signatures deployment of updates may be slow if there are more updates it will take some time to update okay and the
more you check for the more data you have to match so it's like because it's signature based so it will take more
process you know or more time to match the files So herotic based detection it's
usually faster scanning because it's not looking at the signature but it looks only at the behavior how the file is
like uh working what is the functions of that file okay secondly uh evion can be more
difficult since malware can follow patterns so in that case um to evade from the tool from the antivirus or from
the firewall will be difficult because it's working on the pattern or it's working on different algorithms but not
on the signatures okay and then the disadvantages also like uh it will not give you detail information
it will give you generic information because it just uh observes the behavior of a file and based on that it flag it
as malicious or suspicious but it will not do the detail investigation that will be done on by the uh antivirus part
or by the signature uh based method so you'll have more details from there but this is good uh to stop or detect
protect any malicious activity immediately okay then evasion can still be performed even if it is more
difficult but still you can evade theistic detection uh since it's based on the
behavior so your false positives may go up so you'll get alarms which are not real and your false negatives might also
go up so there are things which are not detected at all so these are the like disadvantages so that is why as I
mentioned that you use a layer of security tools so you have a firewall which will be working on htic or
signature or hybrid then you have antivirus which is working on signature based then you can have IDs IPS now
yesterday somebody asked about Yara rules so Yara rules also B working on signature base let try to match okay so
these are different kind of techniques that you use for detection now as you discussed before
that so there are two kind of uh ways active detection and passive detection so what we were discussing
before this was active uh detection the tools the those will sending will be sending
notifications uh the other way is to create use cases that is very important because without the use cases your
detection will be not complete you'll have uh only that information which you getting from your security tools uh as a
notification but you will not have any other information so here comes a part of creating use cases I have given some
example of use cases like you can create a use case which will be monitoring the authentication
activities so what does mean authentication activities you can set a condition that uh to a certain uh
critical system only the following users one 2 three are allowed to log in so if anyone else try to log into that system
create an alert or raise an alert or alarm for similarly you can set a threshold that
if somebody is trying to like log into the system and the failed login attempts are three four five or six so a certain
threshold reaches it will give you an alarm because in case of broad forcing uh the hacker or attacker will try to
log in again and again again again so you need to set a threshold that after this threshold there should be an
alarm another uh kind of use case could be account management so by this as I mentioned earlier that if you create an
account at Windows an account at windows or you delete an account if an employee left or you do modify an account so
nobody's get to know that so for that what you do you will create alarm these alarm what will this do they will try to
look for the logs which have this information like user account creation user account deletion uh user account on
modification so the alarms or the Sim solution they will look at those logs and then there is a criteria so once it
matches that criteria it will trigger the alarm so by this on on your dashboard you can see alarms which will
be telling you that authentication failures are there you'll see alarms that will tell you about account
management account creation or delation similarly you can have another kind of alarm which will tell you about like
connection activities okay uh to internal or to external uh sources also their
direction if the connection was from external to internal or from internal to outbound or external or within the
network uh the origin IP from what is the IP from where the connection is coming what is the destination IP uh
what kind of uh ports were used the host name the impacted machine uh name of a uh country from where the IP is coming
or the destination all these things you can get from this this kind of alarms from the connection
activities then you can have another uh use case policy related activities so this will be related especially if there
are any changes to the audit or authentication or authorization or filtering or any kind of these kind of
uh policies which are there in the systems so for example if somebody changes the audit policy of domain
controller so you will have an alarm so you can then check the alarm you can investigate and you can take certain
action so what we did we create a detection for a passive action okay then there are use cases for threats malware
and vulnerability detection so again you need to create or Define certain kind of conditions like indicator of compromise
so there are like uh threat intels or threat feeds available from uh different vendors like alien wult yesterday I
mentioned uh different names so these providers they're also providing uh ioc's indicator of compromises uh which
contains IP addresses hashes domain names um email addresses URLs uh these kind of details there so that can be
incorporated into your sim okay so based on that you can create an alarm that if any of your machine
uh it's communicating to one of these ioc's you will have an alarm okay then you can have operational insights like
uh day-to-day activities happening in the organization data usage as I mentioned yesterday for example if
you're doing uh Zoom or uh Microsoft teams activity so it will tell you like what is happening what amount of data is
sent to the external party this will give you an detail or information then you can have
anomalous behaviors uh so the anomalous Behavior they they they they are based on the
user Behavior or profiling so you create profile of the users uh about their daily usage so if they deviate from this
activity so you will uh see an alarm that this user his actions are not like routine so what it does the same it has
a machine learning techniques so it will monitor you on daily basis your activities so for example uh in your
day-to-day operations you visit Google you visit some other websites but you never visit
yahoo.com so after few days or few weeks uh all of a sudden if should visit yahoo.com so this is like anomalous for
it so it will just give you an alarm you can validate you can identify that because it's not necessary that user
will not go to Yahoo or he will go to but to validate it sock is there so once you have an alarm you need to gather the
evidences the artifacts uh the actions then you once you gather all those evidences based on that you have to
decide whether you need to call the user whether you need to block the IP uh whether you need to perform a network
scan whether you need to perform uh endpoint computer scanning uh with the antivirus so these are the actions which
should will be decided based on the detection then you can have alerting and incident
response this is basically here we are talking about some sort of automation for example uh in in organizations sock
is working 24 by7 but other departments they are working in straight shifts so if uh and let's say your team only have
the monitoring part of sock you don't have any other privileges to perform any kind of incident response activity you
are just monitoring and alerting So You observe or your analyst observe that at a night time a dment account become
active and it was active by a certain user so you create a threshold or you create a rule which Define certain
conditions once these conditions are met we will Define the action also so if you see that dment account was activated by
a user who is not authorized so what will happen as action it will again uh change the state of that user account
which was enabled to disabled and also it will disable that account from which this activity was done so this is sort
of uh automated incident response so this can also be managed through the Sim then you have compliance or
regulation or audit requirements uh so Sim uh they do incorporate uh the requirements of for
example either 27,000 one or gdpr or PCA DSS or Hippa so what they do they create use cases based on the requirement of
these Regulators so these use cases can also be uh import or integrated into the Sim depending on what kind of industry
you are working in if you are into medical industry you will use Hippa if you are into banking or financial you
will use PCA DSS and gdpr and if you are any other organization which follow ISO so you can use the iso module
then you can have advanced cor relation and enrichment so this is something like you uh do some Advanced kind of you know
uh operations or aggregations so to have advanced analytics so these are different kind of rules but I just
mention here a few of the use cases or few of the uh rules uh moving to the next slide I'm talking about meter
attack okay so meter it's a framework okay uh comprehensive metrics of tactics and
techniques used by thread Hunters red teamers and Defenders to better classify attack and assess an organization
risk what meter did basically if you want to uh uh visit the Metter framework you can go to this
website attack. metter.org I have put a snapshot here even though it's not readable but what M did it created the
each phase of uh Cyber attack into a framework so here the very first thing they are talking about initial exess
then execution then persistence uh privilege
escalation uh defense evion credential access Discovery lateral movement collection command and control
exfiltration impact so basically what they are trying to do in this framework because whenever hacker want to
compromise or access any system he has to choose uh he has to do Recon okay so the Recon is part of
initial exess so they have defined different kind of ways through which an attacker it can try to access the
organization from phase one you move to phase two that is execution so here they have mentioned different kind of
techniques which he can use to execute the payload then the Third part is persistence how the attacker he can make
sure that uh his access will be there for a longer period of time so we will discuss in more detail about this
framework uh tomorrow again for uh few minutes I'll try to open the link as well if
possible to give you more idea but this framework is very useful for the sock team sock analyst in order to develop
their understanding of the attack uh chain then there is another frame framework called
magma uh I haven't added the link here I'll update the next slide tomorrow I'll add the link there so you can also visit
magma framework that is also very helpful uh to understand how you can um monitor or how you can detect the
incidents and respond to them within the organization um that's it uh from my side today uh you will receive again an
email uh with the uh quiz link so I hope that all of you that they try to uh answer the quiz I will take uh pause now
for a few minutes five minutes and then my colleague uh Maha uh she will join and uh she will present her topic for
today thank you
Heads up!
This summary and transcript were automatically generated using AI with the Free YouTube Transcript Summary Tool by LunaNotes.
Generate a summary for free
If you found this summary useful, consider buying us a coffee. It would help us a lot!