Overview of Incident Detection and Analysis
Introduction
- The session focuses on incident detection and analysis, highlighting its importance in security operations.
- A guest speaker, Maha Mahal Lai, will discuss the relationship between governance, risk, and compliance (GRC) and security operations center (SOC).
Agenda
- Duration: 40 minutes on incident detection.
- Guest speaker session on GRC and its relevance to SOC.
Importance of GRC in SOC
- Understanding GRC is crucial for career advancement in security roles.
- Analysts should be equipped to handle inquiries from GRC and audit departments.
Incident Detection and Analysis Cycle
- Detection and analysis are interconnected; detection alone is insufficient without analysis.
- Analysts must determine if an incident is a false positive or a true threat.
- Collaboration with other teams (e.g., reverse engineering, application teams) is essential for effective incident management.
Tools for Incident Detection
- Various tools are deployed to detect malicious activities, including:
  - Firewalls
  - Intrusion Detection Systems (IDS)
  - Antivirus software
  - Security Information and Event Management (SIEM) systems
- Alerts are generated based on suspicious activities detected by these tools.
Indicators of Compromise (IoCs)
- Analysts should be aware of both probable and definite indicators of threats.
- Probable indicators (an off-hours login, a newly created account, a tool flagging an in-house executable) need validation before they are treated as threats; definite indicators (a dormant account re-enabled, security logs deleted, attacker tooling such as Mimikatz found on a host, a ransom note) point strongly to malicious activity, though the analyst still confirms who performed the action.
Detection Methods
- Signature-Based Detection: matches known-bad identifiers such as file hashes, byte patterns, file types, ports and protocols; precise with few false positives and fast to update, but blind to zero-days and defeated when the attacker changes even a single byte of the payload.
- Heuristic Analysis: runs or inspects the file (typically in a sandbox) and flags it on observed behavior rather than on a signature; catches unknown variants and is harder to evade, but returns less detail and raises both false positives and false negatives.
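Signature-based and heuristic detection side by side, as an added example that is not code from the session or from any vendor product: a SHA-256 hash signature, a byte-pattern signature of the kind a YARA rule expresses, and a weighted behavioral score over a sandbox report. The sample file bytes, the signature database, the behavior weights and the sandbox report are all constructed here for illustration.

```python
"""Added example: hash signature vs. byte-pattern signature vs. heuristic score.
All sample data below is constructed; nothing here is real malware."""
import hashlib
import re

# Constructed stand-in for a Windows executable: an MZ header, padding, an
# embedded encoded-PowerShell launcher string, more padding.
SAMPLE_FILE = (b"MZ\x90\x00" + b"\x00" * 16
               + b"cmd.exe /c powershell -enc SQBFAFgA" + b"\x00" * 8)


def sha256_hex(data: bytes) -> str:
    """The 'hash' the session describes: one fixed-size value per exact file."""
    return hashlib.sha256(data).hexdigest()


# Hash signature database, as a vendor would ship it after analysing a sample.
HASH_SIGNATURES = {sha256_hex(SAMPLE_FILE): "Trojan.Downloader.Example"}

# Byte-pattern signatures (the style a YARA or IDS rule uses). A pattern keys
# on a characteristic fragment, so it survives changes elsewhere in the file.
BYTE_PATTERNS = {
    "Suspicious.EncodedPowerShell":
        re.compile(rb"powershell\s+-enc\s+[A-Za-z0-9+/=]{8,}", re.IGNORECASE),
}


def match_hash(data: bytes):
    """Exact-match signature: returns the family name or None."""
    return HASH_SIGNATURES.get(sha256_hex(data))


def match_patterns(data: bytes):
    """Family-style signature: every byte-pattern rule that hits."""
    return [name for name, pattern in BYTE_PATTERNS.items() if pattern.search(data)]


def flip_one_byte(data: bytes, index: int) -> bytes:
    """Attacker side: alter a single byte (here in padding) and the hash no longer matches."""
    buf = bytearray(data)
    buf[index] ^= 0x01
    return bytes(buf)


# Heuristic side: weight the behaviors a sandbox run reports. The report is a
# constructed dict of booleans; real sandboxes emit far richer output.
BEHAVIOUR_WEIGHTS = {
    "writes_run_key": 3,         # persistence via a Run registry value
    "drops_file_in_temp": 1,     # common but weak on its own
    "external_connection": 2,    # beacon / download
    "deletes_security_log": 4,   # anti-forensics
    "reads_lsass_memory": 4,     # credential theft
}


def heuristic_score(report: dict) -> int:
    return sum(w for behaviour, w in BEHAVIOUR_WEIGHTS.items() if report.get(behaviour))


def heuristic_verdict(report: dict, threshold: int = 5) -> str:
    """'malicious' at or above threshold, 'suspicious' for any weighted behavior, else 'clean'."""
    score = heuristic_score(report)
    if score >= threshold:
        return "malicious"
    return "suspicious" if score > 0 else "clean"


def scan(data: bytes, sandbox_report: dict) -> dict:
    """Layered result: what each method says about the same file."""
    return {
        "hash_signature": match_hash(data),
        "pattern_signatures": match_patterns(data),
        "heuristic": heuristic_verdict(sandbox_report),
    }


if __name__ == "__main__":
    report = {"writes_run_key": True, "external_connection": True}
    print("original:        ", scan(SAMPLE_FILE, report))
    print("one byte flipped:", scan(flip_one_byte(SAMPLE_FILE, 5), report))
```

Flipping one padding byte defeats the hash signature but not the byte-pattern rule, which is the point the speaker makes about a single changed byte; the heuristic verdict uses no signature at all and is driven only by observed behavior, which is also why its false-positive rate depends entirely on how the weights and threshold are tuned.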
Use Cases for Detection
- Creating use cases is vital: passive sources such as Windows account events are not security tools and raise nothing on their own, so the SIEM needs defined conditions to turn them into alarms.
- Examples include authentication activity (only named users may log on to a critical system; a failed-login threshold for brute forcing), account management (creation, deletion, modification, a dormant account re-enabled), connection activity (direction, source and destination IP, ports, host, country), policy changes (audit policy on a domain controller), IoC matches against threat feeds, anomalous user behavior against a baseline, and automated response such as re-disabling an account enabled by an unauthorized user.
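The use cases above, run as rules over a constructed batch of events. This is an added example, not code from the session or from Splunk; the event IDs are the standard Windows Security ones, while the hosts, accounts, IPs, business hours and the threat-feed IoC are all made up for illustration.

```python
"""Added example: SIEM-style use-case rules over constructed log events."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed events, normalised the way a SIEM would after parsing. "id" is the
# Windows Security event ID (4625 failed logon, 4624 logon, 4722 account
# enabled, 4719 audit policy changed, 1102 log cleared) or "fw" for a firewall
# connection record. Every value here is made up for the example.
EVENTS = [
    {"ts": "2024-03-04T02:10:05", "id": 4625, "user": "jdoe", "host": "FS01", "ip": "10.0.5.21"},
    {"ts": "2024-03-04T02:10:09", "id": 4625, "user": "jdoe", "host": "FS01", "ip": "10.0.5.21"},
    {"ts": "2024-03-04T02:10:14", "id": 4625, "user": "jdoe", "host": "FS01", "ip": "10.0.5.21"},
    {"ts": "2024-03-04T02:10:20", "id": 4625, "user": "jdoe", "host": "FS01", "ip": "10.0.5.21"},
    {"ts": "2024-03-04T02:10:27", "id": 4625, "user": "jdoe", "host": "FS01", "ip": "10.0.5.21"},
    {"ts": "2024-03-04T02:12:01", "id": 4624, "user": "jdoe", "host": "DC01", "ip": "10.0.5.21"},
    {"ts": "2024-03-04T02:15:40", "id": 4722, "user": "svc_legacy", "host": "DC01", "actor": "jdoe"},
    {"ts": "2024-03-04T02:16:12", "id": 4719, "host": "DC01", "actor": "jdoe"},
    {"ts": "2024-03-04T02:20:00", "id": "fw", "src_ip": "10.0.5.21", "dst_ip": "203.0.113.7", "dst_port": 443},
    {"ts": "2024-03-04T09:30:00", "id": 4624, "user": "admin1", "host": "DC01", "ip": "10.0.1.10"},
    {"ts": "2024-03-04T09:31:00", "id": "fw", "src_ip": "10.0.1.10", "dst_ip": "198.51.100.20", "dst_port": 443},
]

# Tuning data an analyst maintains alongside the rules (assumed values).
CRITICAL_HOST_ALLOWLIST = {"DC01": {"admin1", "admin2"}}   # who may log on where
BUSINESS_HOURS = (8, 18)                                   # local hours, [start, end)
IOC_IPS = {"203.0.113.7"}                                  # from a threat feed


def _ts(e):
    return datetime.fromisoformat(e["ts"])


def _alert(rule, severity, e, **extra):
    a = {"rule": rule, "severity": severity, "ts": e["ts"],
         "host": e.get("host"), "user": e.get("user")}
    a.update(extra)
    return a


def rule_failed_logons(events, threshold=5, window=timedelta(minutes=5)):
    """Probable: N failed logons for one account inside a sliding window (brute force)."""
    alerts, recent = [], defaultdict(list)
    for e in sorted(events, key=_ts):
        if e["id"] != 4625:
            continue
        t = _ts(e)
        recent[e["user"]] = [x for x in recent[e["user"]] if x >= t - window] + [t]
        if len(recent[e["user"]]) == threshold:        # fire once when crossed
            alerts.append(_alert("failed_logon_threshold", "probable", e, count=threshold))
    return alerts


def rule_critical_host_logon(events):
    """Probable: successful logon to a critical host by a user outside its allowlist."""
    return [_alert("unauthorized_critical_logon", "probable", e)
            for e in events
            if e["id"] == 4624 and e["host"] in CRITICAL_HOST_ALLOWLIST
            and e["user"] not in CRITICAL_HOST_ALLOWLIST[e["host"]]]


def rule_account_enabled_offhours(events):
    """Definite (still confirm who did it): an account enabled outside business hours."""
    start, end = BUSINESS_HOURS
    return [_alert("account_enabled_offhours", "definite", e, actor=e.get("actor"))
            for e in events if e["id"] == 4722 and not (start <= _ts(e).hour < end)]


def rule_audit_tampering(events):
    """Definite: audit policy changed or the security log cleared."""
    return [_alert("audit_tampering", "definite", e, actor=e.get("actor"))
            for e in events if e["id"] in (4719, 1102)]


def rule_ioc_match(events, iocs=IOC_IPS):
    """Definite: a connection to an address from the threat feed."""
    return [_alert("ioc_destination_match", "definite", e, src_ip=e["src_ip"], dst=e["dst_ip"])
            for e in events if e["id"] == "fw" and e["dst_ip"] in iocs]


def run_use_cases(events, iocs=IOC_IPS):
    alerts = []
    for rule in (rule_failed_logons, rule_critical_host_logon,
                 rule_account_enabled_offhours, rule_audit_tampering):
        alerts.extend(rule(events))
    alerts.extend(rule_ioc_match(events, iocs))
    return sorted(alerts, key=lambda a: a["ts"])


def enrich_user_from_ip(events):
    """Enrichment: map a source IP to the last account that logged on from it."""
    ip_user = {}
    for e in sorted(events, key=_ts):
        if e["id"] == 4624:
            ip_user[e["ip"]] = e["user"]
    return ip_user


def storyline(alerts, events):
    """Correlation: chain alerts by the responsible account so the analyst sees one narrative."""
    ip_user = enrich_user_from_ip(events)
    by_actor = defaultdict(list)
    for a in alerts:
        who = a.get("actor") or a.get("user") or ip_user.get(a.get("src_ip"))
        by_actor[who].append(a["rule"])
    return dict(by_actor)


if __name__ == "__main__":
    for a in run_use_cases(EVENTS):
        print(a)
    print(storyline(run_use_cases(EVENTS), EVENTS))
```

Each rule returns its alerts with the probable/definite label the session uses, and the correlation step ties the brute force, the unauthorized domain-controller logon, the re-enabled account, the audit-policy change and the outbound IoC hit back to one account, which is the difference between five alarms on a dashboard and one incident to investigate.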
Conclusion
- The session emphasizes the need for a layered approach to security, combining various tools and methods for effective incident detection and response.
- The importance of continuous learning and adaptation in the field of cybersecurity is highlighted.
All right, so we are going to start now, and others can join. Our topic today is incident detection. Let's move to the next slide. Our agenda for today: I'll be taking less time today, around 40 minutes, discussing incident detection, and then from 7:45 we will have a guest speaker, Maha Mahal Lai. She has very good experience in the GRC part, governance, risk and compliance, so she will be talking about some part of governance and then what the relation is between SOC and governance. These things are very important to know, because when you're working in an organization, as I mentioned before, you're not working only in the SOC; you're not just doing investigation or monitoring, but your capabilities should be more than that in case, or if, you want to excel or move ahead in your career. So you should have an understanding of the other things happening around you; you should have some knowledge; you should be able to manage them, or at least answer if somebody comes from the GRC department or from the audit department. So you must be able to handle their queries. That is why I'm trying to give you different flavors of the SOC and of all the other departments that are engaged in day-to-day activity with the SOC.

I'll skip the slide about the profile. Our technology partner is Splunk. Thursday, Wednesday and Friday we'll have labs, and tomorrow I'm going to share with you a link on how to download Splunk and some material related to Splunk, so we can all download the material from the Splunk website. The Splunk software application installation is very easy; it's Windows-based, and then there are PDF documents explaining how to access the application. In case you have any issues with that, you can drop an email at trainings.

Okay, so, incident detection and analysis. Our topic is about detection,
how to detect any threat, any vulnerability. But once you detect something, you have to analyze it, so incident detection and analysis are linked together. It's not like you just detect something and simply forward it to L2, or send an email to the IT team mentioning that there is an incident we detected. Once you detect something, you have to do some analysis; you have to perform some investigation in order to make sure whether this incident is a false positive or a true positive, so whether the threat is real or whether there is a false alarm. That is part of the analysis done by the analyst, or if there is something which is more than your capability, then you refer it to L2 or the SOC manager so they can help you with that. So then again, incident detection and response, it's a full cycle. Remember, we are going to discuss the other parts, incident response, on the last day of my presentation, which would be on Thursday, so we'll be discussing in full detail how the cycle works and what the phases of incident response are.

So overall, whenever there is any threat, or there is a suspicious activity or malicious activity, you have different tools deployed in the network, and these tools are supposed to detect those malicious behaviors, those suspicious activities, those attackers. Okay, so once they detect, they will notify you. Notify you means the notification will be sent to the SIEM through the logs; then the SIEM will show you an alarm, an alert. Okay, or maybe based on its own machine learning, because these new applications are doing part of machine learning also, so they are looking at the logs, understanding the logs, and based on that they are also generating some machine-based alarms. So you will have an alert or alarm, and this alarm will tell you that there is some malicious activity that happened, or is going to happen, or something is happening at the current moment.

Okay, so once you detect something, along with the detection and analysis you need team members, because it's not a one-man job; you need to engage different people. Maybe, if your organization has a reverse engineer and you found a malware which seems suspicious, your reverse engineer needs to analyze the code of that malware. Sometimes what happens is your application team custom-developed one small application, but your antivirus or your firewall flagged it as malicious. It's an executable file and it flagged it as malicious, so now your reverse engineer or the application team has to analyze what actually went wrong, what happened due to which there was an alarm, or there was an alert, or there was a detection from the security tools. Okay, so you need different teams. Sometimes you perform these activities within the SOC; sometimes, if you find, for example, that you have an antivirus which flagged a custom application as malicious, then you have to submit the hash, or submit the application, to the antivirus vendor, to the antivirus manufacturer, so they can evaluate this file, they can review the file, and based on that they can whitelist the file in their antivirus. Otherwise, every time you will be having a false positive alarm.

Okay, so this is the full cycle of incident response I was talking about. It starts from preparation. Preparation means you already have prepared your policies, procedures, your framework; you know about your team and their capabilities; then you have the technology; you have the business processes defined; you have the strategic policies defined. So this is all part of preparation. Along with the preparation you will also bring the technology into your environment which will be helpful, or which will be there to make your job easy, make your work easy, for the detection and response part. So from preparation you move to detection, which we are going to study today, and then the next phase is containment, eradication and recovery, and then post-incident activity. These two phases we discuss on Thursday in detail. So, moving to the next part, which is related to
detection. So as an analyst, what would be the indicators which will help you identify any kind of activity, if it is malicious, if it is a threat? How can you identify it? There are two kinds of possibilities. One is the probable indicator, which may be a threat or may not be a threat; it could be a false positive. Then the other is definite indicators.

Okay, so what could be probable indicators, which will tell you about a certain threat? For example, in the SOC you receive an alarm at midnight that one of the users, a normal user or administrator, logged into the system. Okay, so this is an unexpected time for them to access their work session. You have defined some kind of criteria, some kind of conditions, that if you see this, there will be an alarm. Okay, so based on that alarm you will get an indication of a threat. Now you need to validate it, because analysis and validation is a must from the SOC analyst. You need to verify whether what is happening is legitimate, whether it is authorized or unauthorized. That you can verify by looking at who logged into the system and who the manager of that user is. You can contact that user's manager, you can call him and ask, or you can see if there's any email sent from the department that we have an activity scheduled for tonight. By this you can validate this indication, whether this is a threat or not a threat.

Similarly, sometimes you will find some new accounts are created, user accounts. Now these days the HRMS, the human resource management system, is sort of automated. When you add any new employee, you create a profile of the employee in the HRMS; it is integrated with Active Directory, so at the same time, once you create the profile, a user account will be created for that user. Okay, once a new user account is created, again you have set some conditions which will tell you that there's a new account created, and then you need to verify it again; you need to validate by looking at the email, by calling the HR team, by sending an email to them to validate.

Then there could be a reported attack: somebody reports that there is an attack, but again this attack could be a false positive, depending on what kind of indications or logs you are seeing. Or you get a notification from security detection tools; you get a notification from the firewall, from the IDS, IPS, antivirus. As I mentioned in the beginning, there could be a file or application created by your internal team which is flagged as malicious, so you get that notification that there is a malicious file on the network, whereas this file is not malicious; it is "malicious" because the tool thinks its signature, its code, matches the family of a virus or malware. So these are the probable indicators.

Then what about the definite indicators? If you see that there was a user account which was disabled, and all of a sudden this account is enabled at a certain point or certain time, maybe in the middle of the night, this is something which is not normal. But again, you need to validate it; you need to see who enabled this account, who was the user who performed this activity on this dormant account. Or if you see changes to logs, log files are deleted, okay, so based on your analysis you can see whether the files which are deleted are routine activity or whether they are security log files which are sensitive and should not be deleted. This will establish that there is something malicious happening. Or, for sure, if you see on one of the computers hacker tools, like Mimikatz or any other similar file, some PowerShell scripts or any similar files which are malicious, or which are not legitimate files, this will tell you that there is something malicious happening on your network. Okay, then there is notification by a partner or peer. We usually receive indicators of compromise, or IoCs, from the national regulator based on the experience of other companies which might have faced these kinds of issues, so then they share these IoCs with all the companies within the kingdom. So we take these IoCs and we scan for these IoCs within our SIEM to see if any of our machines, if any of our systems, is compromised, or there is communication between our systems and those IoCs. Or the last one: if you find a notification by a hacker on your computer saying that your system is compromised, or you see a ransom screen, that is for sure a definite indicator.

So what are the tools which will tell you that something malicious is happening? There are two kinds of
tools, or two kinds of sources: one is active, one is passive. Active ones are like firewalls. Firewalls are there because their function is to detect, their function is to block, their function is to monitor the traffic, what is coming into the network and what is going out of the network. So definitely firewalls have their own algorithms, they have their own database of signatures, or heuristic-based methods, and based on that they will tell you that there is something which is not normal. Email gateways, again, are created in a way that they will filter all your emails; they will look for phishing content, they will look for abusive material, they will look at the attachments coming. Sometimes the attachment will be sent as a PDF, but the content inside the file is executable, so they send this to evade the email security solution so it cannot detect it. Then you have IDS, IPS. IDS and IPS can be built inside the firewall also, but there are standalone products available as well. You can have honeypots to trap the attackers; you can have antivirus; you will have an EDR solution, endpoint detection and response; and you will have XDR, the network detection and response. So with the passage of time the vendors are realizing the needs for different products; there's not a single tool or product which will do the detection, so you need a layer of tools, a layer of security solutions, which will do this job. So these are active.

But then there are passive ones also. Like, if a new user account is created on Windows, no one is going to tell you that a new account was created, because this is a normal activity if you see it from the system's perspective. It's a normal activity: user account creation, or user account deletion, or giving privileges to a user. But then we set up certain conditions, which are called use cases. These use cases will tell us that there is something happening on the network which is not normal; otherwise you will not get an alarm or notification from these sources. So there are passive tools and there are active tools. Active tools are there to do their job, but passive tools have different functions; they are not security tools, so then you have to create use cases to monitor them or detect malicious activity.

So what are the detection methods? I'll just give you a high-level detail about detections,
how the detections happen. This is very important in case in the future you want to go into the field of malware analysis or reverse engineering; you should understand how the security tools work. So basically there are two methods: one is signature-based and the other is heuristic analysis. In a signature-based process you have a unique identifier. For example, Symantec antivirus today found a file, and they execute this file within their environment to see what this file is doing, what kind of process it is creating, if there is any communication to external IPs or something like this. After testing, based on that, what they do is create a signature, or hash, for this file and enter this hash into their database. Now, whenever there is any file coming with any different name, what they will do is check the hash of that file; if the hash matches, or if the signature matches, it will tell you that this file is malicious. Whereas heuristic analysis works in a different way: it examines the code of the attached file. It doesn't have a specific hash or signature for that file, but what it will do is try to run this file, execute this file, within its own environment, and it will monitor the behavior of that file. Based on that it will flag it as malicious, but it will not flag it as malicious based on the signature. So this is the difference.

Now, in signature-based methods you develop signatures for different kinds of detections. If there is an intrusion, based on a signature it can be detected; okay, I'll tell you: when there is intrusion detection or prevention you use signatures in that one. Antivirus and anti-malware use signatures. For traffic patterns, signatures are used for detection; for applications there are signatures used for detection. So what are the characteristics of these signatures, how do you develop them, how do you build them? You have different kinds of patterns or content, like byte patterns. If you have worked on assembly language, okay, all the code, all the source code which is written in maybe C or any other programming language, once it is compiled it is converted into machine language, or machine-level code. Machine-level code is very easy to modify if you have good command of assembly. So what happens, for example, if in a certain packet, a network packet, you change one byte, this byte will become something else, and by this the signature is changed. So you monitor those bytes. Or you check the file types, like EXE files, COM files; these files, for sure, their purpose is to execute, so if your security tool, like antivirus, detects such kind of file, like an executable file or a COM file, immediately it will flag it as suspicious. For the ports, there are certain ports which are used by hackers, like if somebody from outside is trying to access port 22; this could be a signature for detection. Then protocols, TCP, UDP or any other, and hashes. So what is a hash? Basically, for each file, whether it is a JPEG file, an executable file, a PDF file, a text file, the system or software creates a smaller code which is called a hash. This hash is basically a unique value for that file. So whenever any file is flagged as malicious, say an executable file, the antivirus will get the hash of that file and it will add the hash of that file into its database as well, because based on that it's easy to compare any other file to see if it's the same file or a different file.

Now for the sandbox. Why do we use a sandbox? There are certain conditions. For example, you receive an attachment, a PDF file, and the user says that he was not expecting that file through email. Now you want to check that file. The problem is that as soon as you click that file, the file will be executed. Execution means it will open, and once the file is opening there is code which is for the Adobe PDF, but the hacker can attach extra code with that file, hidden, so this code will also be executed. It will write some values to the registry, it will create a new folder in your C drive or in your temp folder, or it will look for places where it can write files without having administrative privileges. So now the user said that he doesn't expect this file, but he wanted to know what is inside the file. In that case, if you are just executing this file directly on your work session, or the user's work session, there are chances that this file is malicious and you can breach your network, or you can get compromised. So you take this file into a sandbox. A sandbox is an isolated environment, okay, so in the sandbox, once you run this file in this isolated environment, it will try to monitor the behavior of this file. So it's like the heuristic-based method: it will monitor or observe what is happening once you execute this file, and based on these observations it will give you a report showing what happened once you opened this file. So in the sandbox you can open the file, you can see the content, and you will also get to know what executed at the back end of that file. So that is why we use a sandbox. I hope I answered the question.
Now, the advantages of signature-based detection: you will find updates regularly from the vendors, because as soon as there is any new file, or any suspicious file, these vendors try to study those files and they try to get new definition files for them, and you can download them in a single day, or every single day, so your signatures are updated on a regular basis. Signatures can be written also for IDS or IPS, or for applications as well. Then another thing is that signatures usually point to a family of malicious content. For example, one hacker wrote a virus, then another criminal took the code of that virus and modified that virus for evasion purposes, or made some changes in the behavior. If he changed the full code, then there is something new, but if he changed part of that code, it means that there is a relation between the old virus and the new virus, so with signature-based detection you can identify that this virus belongs to that family. And since it works on signatures, you will not get too many false positives, because it will match the signature and give you the result.

The disadvantages are that it can be evaded. The attackers, with every passing day, are coming up with new techniques, so they can fool the antivirus; they can let the antivirus think that this is a normal file, so evasion can be avoided. Then, if there are zero-day threats, you will not immediately find signatures for them, because this is something which is still not established. So there is a flaw in, let's say, Windows, and nobody knows about it; one attacker, accidentally, or while trying to infiltrate, discovered something. This is something which is not in the market; even the vendor, Microsoft themselves, doesn't know that there is a flaw in their program. So this zero-day they can sell on the dark web to hackers who are willing to pay for these kinds of threats, and these threats will not be identified or detected by the antivirus because they don't have a signature for them. Since it works based on signatures, deployment of updates may be slow; if there are more updates it will take some time to update. And the more you check for, the more data you have to match, so because it's signature-based it will take more processing, or more time, to match the files.

So heuristic-based detection is usually faster scanning, because it's not looking at the signature; it looks only at the behavior, how the file is working, what the functions of that file are. Secondly, evasion can be more difficult, since malware can follow patterns, so in that case evading the tool, the antivirus or the firewall, will be difficult, because it's working on the pattern, or working on different algorithms, but not on the signatures. And then the disadvantages: it will not give you detailed information; it will give you generic information, because it just observes the behavior of a file and based on that flags it as malicious or suspicious, but it will not do the detailed investigation. That will be done by the antivirus part, or by the signature-based method, so you'll have more details from there, but this is good to stop, or detect and protect against, any malicious activity immediately. Then, evasion can still be performed; even if it is more difficult, you can still evade heuristic detection. Since it's based on the behavior, your false positives may go up, so you'll get alarms which are not real, and your false negatives might also go up, so there are things which are not detected at all. So these are the disadvantages. That is why, as I mentioned, you use a layer of security tools: you have a firewall which will be working on heuristic, or signature, or hybrid; then you have antivirus which is working signature-based; then you can have IDS, IPS. Now, yesterday somebody asked about YARA rules; YARA rules are also working signature-based, they try to match. Okay, so these are the different kinds of techniques that you use for detection. Now, as we discussed before,
there are two kinds of ways: active detection and passive detection. What we were discussing before was active detection, the tools, those which will be sending notifications. The other way is to create use cases. That is very important, because without the use cases your detection will not be complete; you'll have only that information which you are getting from your security tools as a notification, but you will not have any other information. So here comes the part of creating use cases. I have given some examples of use cases.

You can create a use case which will be monitoring the authentication activities. What do authentication activities mean? You can set a condition that, for a certain critical system, only the following users, one, two, three, are allowed to log in, so if anyone else tries to log into that system, create an alert, or raise an alert or alarm. Similarly, you can set a threshold that if somebody is trying to log into the system and the failed login attempts are three, four, five or six, once a certain threshold is reached it will give you an alarm, because in case of brute forcing the hacker, or attacker, will try to log in again and again and again, so you need to set a threshold that after this threshold there should be an alarm.

Another kind of use case could be account management. As I mentioned earlier, if you create an account on Windows, or you delete an account if an employee left, or you modify an account, nobody gets to know that. So for that, what you do is create alarms. What will these alarms do? They will try to look for the logs which have this information, like user account creation, user account deletion, user account modification. So the alarms, or the SIEM solution, will look at those logs, and then there is a criteria; once it matches that criteria it will trigger the alarm. By this, on your dashboard you can see alarms which will be telling you that authentication failures are there; you'll see alarms that will tell you about account management, account creation or deletion.

Similarly, you can have another kind of alarm which will tell you about connection activities, to internal or to external sources, also their direction: whether the connection was from external to internal, or from internal to outbound, or external, or within the network; the origin IP, what is the IP from where the connection is coming; what is the destination IP; what kind of ports were used; the host name; the impacted machine; the name of the country from where the IP is coming, or the destination. All these things you can get from this kind of alarm, from the connection activities.

Then you can have another use case, policy-related activities. This will be related especially to any changes to the audit, or authentication, or authorization, or filtering, or any of these kinds of policies which are there in the systems. For example, if somebody changes the audit policy of a domain controller, you will have an alarm, so you can then check the alarm, you can investigate, and you can take certain action. So what we did is create a detection for a passive action.

Okay, then there are use cases for threat, malware and vulnerability detection. Again you need to create or define certain kinds of conditions, like indicators of compromise. There are threat intel, or threat feeds, available from different vendors, like AlienVault; yesterday I mentioned different names. These providers are also providing IoCs, indicators of compromise, which contain IP addresses, hashes, domain names, email addresses, URLs, these kinds of details. That can be incorporated into your SIEM, okay, so based on that you can create an alarm that if any of your machines is communicating with one of these IoCs, you will have an alarm.

Okay, then you can have operational insights, like day-to-day activities happening in the organization, data usage. As I mentioned yesterday, for example, if you're doing Zoom or Microsoft Teams activity, it will tell you what is happening, what amount of data is sent to the external party. This will give you detail or information.

Then you can have anomalous behaviors. Anomalous behavior is based on user behavior, or profiling. You create a profile of the users about their daily usage, so if they deviate from this activity you will see an alarm that this user's actions are not routine. What it does: the SIEM has machine learning techniques, so it will monitor your activities on a daily basis. For example, in your day-to-day operations you visit Google, you visit some other websites, but you never visit yahoo.com. After a few days, or a few weeks, all of a sudden you visit yahoo.com; this is anomalous for it, so it will just give you an alarm. You can validate, you can identify, because it's not necessary that the user will not go to Yahoo, or that he will go to it, but to validate it the SOC is there. Once you have an alarm, you need to gather the evidence, the artifacts, the actions; then, once you gather all that evidence, based on that you have to decide whether you need to call the user, whether you need to block the IP, whether you need to perform a network scan, whether you need to perform endpoint, computer, scanning with the antivirus. These are the actions which will be decided based on the detection.

Then you can have alerting and incident response. Here we are basically talking about some sort of automation. For example, in organizations the SOC is working 24 by 7, but other departments are working in straight shifts. Let's say your team only has the monitoring part of the SOC; you don't have any other privileges to perform any kind of incident response activity; you are just monitoring and alerting. So you observe, or your analyst observes, that at night time a dormant account became active, and it was activated by a certain user. So you create a threshold, or you create a rule, which defines certain conditions, and once these conditions are met, we will define the action also. If you see that a dormant account was activated by a user who is not authorized, what will happen as the action is that it will again change the state of that user account, which was enabled, to disabled, and also it will disable the account from which this activity was done. So this is a sort of automated incident response, and this can also be managed through the SIEM.

Then you have compliance, or regulation, or audit requirements. SIEMs do incorporate the requirements of, for example, ISO 27001, or GDPR, or PCI DSS, or HIPAA. What they do is create use cases based on the requirements of these regulators, so these use cases can also be imported, or integrated, into the SIEM depending on what kind of industry you are working in. If you are in the medical industry you will use HIPAA; if you are in banking or financial you will use PCI DSS and GDPR; and if you are any other organization which follows ISO, you can use the ISO module.

Then you can have advanced correlation and enrichment. This is something where you do some advanced kind of operations, or aggregations, to have advanced analytics. So these are different kinds of rules, but I just mentioned here a few of the use cases, or a few of the rules. Moving to the next slide, I'm talking about MITRE
attack okay so meter it's a framework okay uh comprehensive metrics of tactics and
techniques used by thread Hunters red teamers and Defenders to better classify attack and assess an organization
risk what meter did basically if you want to uh uh visit the Metter framework you can go to this
website attack. metter.org I have put a snapshot here even though it's not readable but what M did it created the
each phase of uh Cyber attack into a framework so here the very first thing they are talking about initial exess
then execution then persistence uh privilege
escalation uh defense evion credential access Discovery lateral movement collection command and control
exfiltration impact so basically what they are trying to do in this framework because whenever hacker want to
compromise or access any system he has to choose uh he has to do Recon okay so the Recon is part of
initial exess so they have defined different kind of ways through which an attacker it can try to access the
organization from phase one you move to phase two that is execution so here they have mentioned different kind of
techniques which he can use to execute the payload then the Third part is persistence how the attacker he can make
sure that uh his access will be there for a longer period of time so we will discuss in more detail about this
framework uh tomorrow again for uh few minutes I'll try to open the link as well if
possible to give you more idea but this framework is very useful for the sock team sock analyst in order to develop
their understanding of the attack uh chain then there is another frame framework called
magma uh I haven't added the link here I'll update the next slide tomorrow I'll add the link there so you can also visit
magma framework that is also very helpful uh to understand how you can um monitor or how you can detect the
incidents and respond to them within the organization um that's it uh from my side today uh you will receive again an
email uh with the uh quiz link so I hope that all of you that they try to uh answer the quiz I will take uh pause now
for a few minutes five minutes and then my colleague uh Maha uh she will join and uh she will present her topic for
today thank you
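As an added example, not code from the lecture or from any SIEM product, here are the two rules the speaker describes implemented in Python over constructed sample events: the per-user destination baseline (alarm the first time a user visits a host that was not in his baseline) and the dormant-account rule (an account that has not logged on for a long time is enabled outside business hours by an actor who is not an authorized admin, and the automated response disables both the enabled account and the actor's account). The log formats, the 30-day dormancy threshold, the 07:00 to 19:00 business hours, the authorized-admin list and the in-memory "directory" that the actions are applied to are all assumptions for illustration; the Windows event IDs 4624 (logon) and 4722 (account enabled) are the real ones.

```python
"""SIEM-style detection rules over constructed sample events (added example).

Assumptions: a proxy log of (timestamp, user, host) tuples, a Windows-style
security log of dicts with event IDs 4624 and 4722, and an in-memory account
table standing in for the identity store the real response would call.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample proxy log: (ISO timestamp, user, destination host).
PROXY_LOG = [
    ("2024-03-01T09:12:00", "alice", "intranet.example.local"),
    ("2024-03-01T09:40:00", "alice", "docs.example.local"),
    ("2024-03-02T10:05:00", "alice", "intranet.example.local"),
    ("2024-03-02T11:30:00", "bob",   "yahoo.com"),
    ("2024-03-20T14:00:00", "alice", "yahoo.com"),   # first time ever for alice
    ("2024-03-20T14:05:00", "bob",   "yahoo.com"),   # already in bob's baseline
]

# Constructed sample security events: 4624 = logon, 4722 = account enabled.
SECURITY_LOG = [
    {"time": "2024-02-01T08:00:00", "id": 4624, "target": "svc_backup"},
    {"time": "2024-03-19T09:00:00", "id": 4624, "target": "carol"},
    # 02:13 enable of an account idle for ~49 days, by a non-admin: fire
    {"time": "2024-03-21T02:13:00", "id": 4722, "target": "svc_backup", "subject": "carol"},
    # business-hours enable by an authorized admin: no action
    {"time": "2024-03-21T10:00:00", "id": 4722, "target": "svc_old", "subject": "admin_jo"},
]

AUTHORIZED_ADMINS = {"admin_jo"}          # assumption: who may enable accounts
DORMANT_AFTER = timedelta(days=30)        # assumption: idle this long = dormant
BUSINESS_HOURS = range(7, 19)             # assumption: 07:00-18:59


def ts(s):
    return datetime.fromisoformat(s)


def build_baseline(log, learn_until):
    """Per-user set of destinations seen before the end of the learning window."""
    baseline = defaultdict(set)
    for when, user, host in log:
        if ts(when) < learn_until:
            baseline[user].add(host)
    return baseline


def first_seen_destinations(log, learn_until):
    """Rule 1: alarm once for each (user, host) never seen for that user."""
    baseline = build_baseline(log, learn_until)
    alerts = []
    for when, user, host in log:
        if ts(when) >= learn_until and host not in baseline[user]:
            alerts.append({"rule": "new_destination", "time": when,
                           "user": user, "host": host})
            baseline[user].add(host)   # learn it so the pair alarms only once
    return alerts


def dormant_account_rule(events, authorized=AUTHORIZED_ADMINS):
    """Rule 2: response actions for 4722 on a dormant account, off-hours,
    by an actor who is not an authorized admin. Returns (verb, account) pairs."""
    last_logon = {}
    actions = []
    for ev in sorted(events, key=lambda e: e["time"]):   # ISO strings sort by time
        when = ts(ev["time"])
        if ev["id"] == 4624:
            last_logon[ev["target"]] = when
            continue
        if ev["id"] != 4722:
            continue
        seen = last_logon.get(ev["target"])
        dormant = seen is None or when - seen > DORMANT_AFTER
        off_hours = when.hour not in BUSINESS_HOURS
        unauthorized = ev["subject"] not in authorized
        if dormant and off_hours and unauthorized:
            actions.append(("disable", ev["target"]))    # re-disable the account
            actions.append(("disable", ev["subject"]))   # and the account that did it
    return actions


def apply_actions(accounts, actions):
    """Apply the responses to an in-memory account table (enabled flag per name)."""
    state = dict(accounts)
    for verb, name in actions:
        if verb == "disable":
            state[name] = False
    return state


if __name__ == "__main__":
    for a in first_seen_destinations(PROXY_LOG, ts("2024-03-10T00:00:00")):
        print("ALERT", a)
    acts = dormant_account_rule(SECURITY_LOG)
    print("ACTIONS", acts)
    print("STATE", apply_actions({"svc_backup": True, "carol": True, "admin_jo": True}, acts))
```

Two points a practitioner would want to keep in mind when turning this into a production SIEM rule: the actor-account disable is itself an attack surface (anyone who can trigger a 4722 on an idle account can lock out the account that did it, so the authorized list and the off-hours window should be tight and the action should be reversible by the on-call team), and the dormancy judgement is only as good as the logon history the SIEM has ingested, so an account with no 4624 on record should be treated as dormant, as the code does, rather than as unknown.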
Heads up!
This summary and transcript were automatically generated using AI with the Free YouTube Transcript Summary Tool by LunaNotes.