CompTIA CYSA+ CS0-002 – Analyzing Network IOCs Part 6

Analysis of Network IOCs (OBJ 4.3) Analysis of network IOCs. In this lesson we’re going to talk about analyzing network-related indicators of compromise. Now, when we look at this, a lot of our network activity is going to be used as some of the best sources of indicators when we’re trying to analyze a compromise of a suspected incident. Now in this lesson, what I’m going to do is I’m going to set up a simple DNS tunneling mechanism. This will help us illustrate how a task hackers can…
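
The lesson above sets up DNS tunneling as the thing to spot. The following is an added example (not code from the course or its author) of the analyst's side: a small detector run over a constructed DNS query log. It assumes a three-column log of client IP, queried name and query type, treats the last two labels as the registrable domain (a simplification; real logs need public-suffix handling), and scores the leftmost label, which is where a tunnel encodes its data, by length and Shannon entropy. All names, addresses and thresholds here are constructed for the example.

```python
"""DNS tunneling detection over a constructed query log (example, not course code)."""
import math
from collections import Counter, defaultdict

# Constructed sample log: "<client ip> <query name> <query type>", one query per line.
# example.org traffic is benign-looking; the tunnel.example.net names carry hex payloads.
DNS_LOG = """\
10.0.0.5 www.example.org A
10.0.0.5 www.example.org A
10.0.0.5 a3f9c2e1b7d4.tunnel.example.net TXT
10.0.0.5 api.example.org A
10.0.0.5 9e8d7c6b5a4f3e2d.tunnel.example.net TXT
10.0.0.5 static.example.org A
10.0.0.5 1f2e3d4c5b6a79880.tunnel.example.net TXT
10.0.0.5 www.example.org A
10.0.0.5 7a6b5c4d3e2f1a0b9c8d.tunnel.example.net TXT
10.0.0.5 img.example.org A
10.0.0.5 0f1e2d3c4b5a69788796.tunnel.example.net TXT
"""


def shannon_entropy(s):
    """Bits of entropy per character; encoded payloads score high, words like 'www' score low."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def parse_dns_log(text):
    """Parse the constructed log format into (client, qname, qtype) tuples."""
    records = []
    for line in text.splitlines():
        if line.strip():
            client, qname, qtype = line.split()
            records.append((client, qname.lower().rstrip("."), qtype))
    return records


def find_tunnel_candidates(records, min_queries=5, min_label_len=12, min_entropy=3.0):
    """Group queries per (client, base domain) and flag domains whose leftmost labels
    are consistently long and high-entropy. Assumption: base domain = last two labels."""
    by_domain = defaultdict(list)
    for client, qname, qtype in records:
        labels = qname.split(".")
        if len(labels) < 3:  # no subdomain label that could carry data
            continue
        base = ".".join(labels[-2:])
        by_domain[(client, base)].append((labels[0], qtype))

    results = {}
    for key, entries in by_domain.items():
        first_labels = [label for label, _ in entries]
        n = len(first_labels)
        mean_len = sum(len(label) for label in first_labels) / n
        mean_ent = sum(shannon_entropy(label) for label in first_labels) / n
        results[key] = {
            "queries": n,
            "txt_queries": sum(1 for _, qtype in entries if qtype == "TXT"),
            "mean_label_len": mean_len,
            "mean_entropy": mean_ent,
            "suspect": n >= min_queries and mean_len >= min_label_len and mean_ent >= min_entropy,
        }
    return results


if __name__ == "__main__":
    for (client, domain), stats in find_tunnel_candidates(parse_dns_log(DNS_LOG)).items():
        flag = "SUSPECT" if stats["suspect"] else "ok"
        print(f"{client} -> {domain}: {stats['queries']} queries, "
              f"mean label len {stats['mean_label_len']:.1f}, "
              f"mean entropy {stats['mean_entropy']:.2f} [{flag}]")
```

Volume matters as much as the label shape: a single long, random-looking name is common (CDNs and telemetry use them), so the check only fires once a client has sent several such queries to the same base domain. The thresholds are starting points to tune against your own resolver logs, not published cut-offs.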

CompTIA CYSA+ CS0-002 – Analyzing Network IOCs Part 5

UDP Ports (OBJ 4.3) UDP ports, or User Datagram Protocol ports. In this lesson we are going to talk about all the UDP ports, because we just spent the last lesson talking about all the TCP ports. As a cybersecurity analyst, you have to know the UDP port numbers for the registered ports that are commonly scanned against, just like the TCP ones. Now, the only difference between the TCP ports and the UDP ports is what they’re used for. And UDP is more of a fire-and-forget protocol. There…

CompTIA CYSA+ CS0-002 – Analyzing Network IOCs Part 4

Nonstandard Port Usage (OBJ 4.3) Nonstandard port usage. Now, before we can start talking about nonstandard port usage, we have to know: what is a port? Well, the Internet Assigned Numbers Authority, or IANA, maintains a list of well-known and registered TCP and UDP port mappings. Now, each of these ports is basically an opening on a computer. Now, they’re logical openings, but essentially they work as a door. For instance, if you live in an apartment building, you all have the exact same address. You might be living…

CompTIA CYSA+ CS0-002 – Analyzing Network IOCs Part 3

Rogue Devices (OBJ 4.3) Rogue devices. One of the things you have to be concerned about on your network are rogue devices. Now, anytime a device is connected to your network, these network devices are identified using their hardware interface’s MAC address and their IP address. So if I connect my smartphone to the network, or I connect a laptop to the network or a smart TV, all these devices, if they have a network card, have a MAC address and will hopefully be assigned an IP address. When that…
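
Since the lesson identifies devices by MAC and IP address, the natural check is to compare what the network actually sees against what the asset inventory says should be there. The block below is an added example (not from the course) that does exactly that over a constructed inventory and a constructed ARP-style table of "ip mac" pairs: it reports MAC addresses that are not in the inventory, and IP addresses that have been seen with more than one MAC, which is what an address conflict or ARP spoofing attempt looks like from the table. The inventory, addresses and line format are all assumptions for the example.

```python
"""Rogue device check: observed ARP entries versus an asset inventory (example, not course code)."""
from collections import defaultdict

# Constructed asset inventory: MAC address -> approved hostname.
INVENTORY = {
    "00:11:22:33:44:55": "file-srv-01",
    "00:11:22:33:44:66": "laptop-jdoe",
    "00:11:22:33:44:77": "printer-2f",
}

# Constructed ARP-style observations: "<ip> <mac>", one entry per line.
# The last two entries are a device nobody approved and a second MAC claiming the file server's IP.
ARP_TABLE = """\
10.0.0.10 00:11:22:33:44:55
10.0.0.25 00:11:22:33:44:66
10.0.0.30 00:11:22:33:44:77
10.0.0.31 aa:bb:cc:dd:ee:01
10.0.0.10 AA:BB:CC:DD:EE:02
"""


def parse_arp(text):
    """Parse "<ip> <mac>" lines; MACs are normalised to lower case so comparisons are exact."""
    entries = []
    for line in text.splitlines():
        if line.strip():
            ip, mac = line.split()
            entries.append((ip, mac.lower()))
    return entries


def find_rogue_devices(entries, inventory):
    """Return MACs absent from the inventory and IPs observed with more than one MAC."""
    unknown_macs = sorted({mac for _, mac in entries if mac not in inventory})

    macs_by_ip = defaultdict(set)
    for ip, mac in entries:
        macs_by_ip[ip].add(mac)
    ip_conflicts = {ip: sorted(macs) for ip, macs in macs_by_ip.items() if len(macs) > 1}

    # Known devices seen in the table, for the analyst's context when triaging.
    seen_known = sorted({inventory[mac] for _, mac in entries if mac in inventory})
    return {"unknown_macs": unknown_macs, "ip_conflicts": ip_conflicts, "seen_known": seen_known}


if __name__ == "__main__":
    report = find_rogue_devices(parse_arp(ARP_TABLE), INVENTORY)
    for mac in report["unknown_macs"]:
        print(f"unknown device: {mac}")
    for ip, macs in report["ip_conflicts"].items():
        print(f"IP {ip} claimed by multiple MACs: {', '.join(macs)}")
```

A MAC address is trivially spoofed, so a clean result here only means nothing is obviously out of place; the value of the check is in the exceptions it surfaces for a follow-up (switch port, DHCP lease, 802.1X identity), not in proving the network is clean.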

CompTIA CYSA+ CS0-002 – Analyzing Network IOCs Part 2

Beaconing (OBJ 4.3) Beaconing. Now, when your computer gets infected with some kind of malware, it can have that malware run commands on it. But it’s only going to be a one-way street. For an attacker to be able to have two-way control, it needs to reach back to a command and control server. One of the ways it does this is by using beaconing. Now, beaconing is a means for a network node to advertise its presence and establish a link with other nodes. So if we have somebody…
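
What makes a beacon stand out in traffic is its regularity: the implant checks in with the command and control server on a timer, so the gaps between connections from one host to one destination are nearly constant. The block below is an added example (not from the course) of that detection logic run over a constructed connection log. It assumes a four-column log of ISO timestamp, source IP, destination IP and destination port, groups connections per source/destination/port, and scores each group by the coefficient of variation of its inter-connection intervals (standard deviation divided by the mean); a low value with enough connections is flagged. Addresses, timestamps and thresholds are constructed for the example.

```python
"""Beacon detection from connection-interval regularity (example, not course code)."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log: "<iso timestamp> <src ip> <dst ip> <dst port>", one connection per line.
# 10.0.0.5 -> 203.0.113.10:443 repeats roughly every 60 seconds (the beacon);
# 10.0.0.5 -> 198.51.100.20:80 is irregular browsing-style traffic.
SAMPLE_LOG = """\
2024-03-01T10:00:00 10.0.0.5 203.0.113.10 443
2024-03-01T10:00:07 10.0.0.5 198.51.100.20 80
2024-03-01T10:01:01 10.0.0.5 203.0.113.10 443
2024-03-01T10:01:59 10.0.0.5 203.0.113.10 443
2024-03-01T10:02:13 10.0.0.5 198.51.100.20 80
2024-03-01T10:03:00 10.0.0.5 203.0.113.10 443
2024-03-01T10:04:02 10.0.0.5 203.0.113.10 443
2024-03-01T10:04:40 10.0.0.5 198.51.100.20 80
2024-03-01T10:04:58 10.0.0.5 203.0.113.10 443
2024-03-01T10:06:00 10.0.0.5 203.0.113.10 443
2024-03-01T10:09:20 10.0.0.5 198.51.100.20 80
2024-03-01T10:12:00 10.0.0.5 198.51.100.20 80
"""


def parse_log(text):
    """Parse the constructed log format into (timestamp, src, dst, port) tuples."""
    records = []
    for line in text.splitlines():
        if line.strip():
            ts, src, dst, port = line.split()
            records.append((datetime.fromisoformat(ts), src, dst, int(port)))
    return records


def find_beacons(records, min_connections=5, max_cv=0.2):
    """Score each (src, dst, port) flow by how evenly spaced its connections are.

    cv = population stdev of intervals / mean interval. A timer-driven beacon with
    little jitter gives a cv near 0; human-driven traffic is far more spread out.
    """
    by_flow = defaultdict(list)
    for ts, src, dst, port in records:
        by_flow[(src, dst, port)].append(ts)

    results = {}
    for flow, times in by_flow.items():
        if len(times) < min_connections:
            continue  # too few samples to judge regularity
        times.sort()
        intervals = [(later - earlier).total_seconds() for earlier, later in zip(times, times[1:])]
        avg = mean(intervals)
        if avg == 0:
            continue  # all connections in the same second; not a timer pattern
        cv = pstdev(intervals) / avg
        results[flow] = {
            "count": len(times),
            "mean_interval": avg,
            "cv": cv,
            "beacon": cv <= max_cv,
        }
    return results


if __name__ == "__main__":
    for (src, dst, port), stats in find_beacons(parse_log(SAMPLE_LOG)).items():
        flag = "BEACON" if stats["beacon"] else "ok"
        print(f"{src} -> {dst}:{port}: {stats['count']} connections, "
              f"mean interval {stats['mean_interval']:.1f}s, cv {stats['cv']:.3f} [{flag}]")
```

Real implants deliberately add jitter to the check-in interval to blunt exactly this check, so `max_cv` has to be tuned rather than fixed, and a long observation window helps because jitter averages out while the underlying period does not. Legitimate software updaters and monitoring agents also beacon, so a hit is a lead to enrich with the destination's reputation and the process that opened the connection, not a verdict on its own.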

CompTIA CYSA+ CS0-002 – Analyzing Network IOCs Part 1

Analyzing Network IOCs (Introduction) In this section of the course, we’re going to discuss how we can detect and analyze network indicators of compromise. In this section, we’re going to continue our focus on domain four, but this time we’re going to be looking at Objective 4.3. Objective 4.3 states that, given an incident, you have to analyze potential indicators of compromise. In this section of the course, we’re going to focus only on network IOCs, but then we’re going to move into host-related, application-related and…

CompTIA CYSA+ CS0-002 – Analyzing Lateral Movement and Pivoting IOCs Part 2

Lateral Movement (OBJ 4.3) Lateral movement. Now, we talked about lateral movement already, and I already provided a couple of examples or techniques that we can use for lateral movement as an attacker. If you’re working as a pen tester, things like pass-the-hash or a golden ticket attack. But there are other ones out there, too. And the idea is that an attacker can use any remote access protocol to move from host to host. One of the most common ways they do this is by relying on…

CompTIA CYSA+ CS0-002 – Analyzing Lateral Movement and Pivoting IOCs Part 1

Analyzing Lateral Movement and Pivoting IOCs (Introduction) In this section of the course, we’re going to discuss how we can detect and analyze lateral movement and pivoting indicators of compromise. Now, in this section, we’re going to continue to focus on domain four, with our focus on Objective 4.3. Objective 4.3 states once again that, given an incident, you must analyze potential indicators of compromise. In this section, we’re going to focus on lateral movement and pivoting IOCs. Now, as we move through this section, we’re going to…

CompTIA CYSA+ CS0-002 – Analyzing Host-related IOCs Part 3

Unauthorized Privilege (OBJ 4.3) Unauthorized privilege. In this lesson we’re going to talk about unauthorized privileges, which is something that an attacker tries to obtain once they exploit your system. Now, one of the most common things an attacker will do once they get into a system is try to escalate their privileges, and this is known as privilege escalation. Now, simply put, privilege escalation is the practice of exploiting flaws in an operating system or other applications to gain a greater level of access than was intended for the…

CompTIA CYSA+ CS0-002 – Analyzing Host-related IOCs Part 2

Consumption (OBJ 4.3) Consumption. In the last lesson, we looked at how you can do a basic memory analysis to look at different processes and their memory usage. Now, this is actually a big task, especially if you’re trying to do it in real time, looking for signs of malicious code or malicious behavior. So you need to be able to find different ways to identify where you should focus your efforts. And one of those is by looking at consumption. Resource consumption is a key indicator of malicious activity…