WEBVTT

0:00:03.080000 --> 0:00:07.820000
 The role of detection and analysis
 in incident response.

0:00:07.820000 --> 0:00:09.980000
 So welcome everyone.

0:00:09.980000 --> 0:00:14.960000
 In this section, we're going to be,
 as the title suggests, understanding

0:00:14.960000 --> 0:00:19.860000
 or getting to understand a little bit
 better what the role of detection

0:00:19.860000 --> 0:00:25.580000
 and analysis is with regard
 to incident response.

0:00:25.580000 --> 0:00:31.160000
 So by this point, if you've gone through
 the previous two courses within

0:00:31.160000 --> 0:00:35.340000
 this learning part, you should already
 have a good idea of what the detection

0:00:35.340000 --> 0:00:37.260000
 and analysis phase is.

0:00:37.260000 --> 0:00:43.020000
 But given that this course is focused
 on this particular phase specifically,

0:00:43.020000 --> 0:00:48.380000
 it's time to take a deeper look as to
 the role of the detection and analysis

0:00:48.380000 --> 0:00:52.100000
 phase, and more importantly,
 what it entails.

0:00:52.100000 --> 0:00:55.800000
 And then once we've covered that, we'll
 then begin exploring detection

0:00:55.800000 --> 0:01:01.500000
 in its own right, and obviously analysis
 in the form of host or endpoint

0:01:01.500000 --> 0:01:04.280000
 analysis and then network analysis.

0:01:04.280000 --> 0:01:10.460000
 So with that being said, let's sort
 of go over it one more time.

0:01:10.460000 --> 0:01:12.180000
 It never hurts to do so.

0:01:12.180000 --> 0:01:16.760000
 So the detection and analysis phase
 of incident response is a critical

0:01:16.760000 --> 0:01:21.620000
 stage where security teams identify, validate
 and assess potential security

0:01:21.620000 --> 0:01:26.900000
 incidents. And the key point here is
 that it bridges the gap between the

0:01:26.900000 --> 0:01:31.880000
 preparation phase and active response,
 essentially ensuring that threats

0:01:31.880000 --> 0:01:37.080000
 are detected early, analyzed thoroughly,
 and escalated appropriately for

0:01:37.080000 --> 0:01:39.880000
 containment and remediation,
 as well as recovery.

0:01:39.880000 --> 0:01:44.360000
 But really as an incident responder,
 recovery is something that you, in

0:01:44.360000 --> 0:01:49.540000
 most cases, you will not be handling
 yourself, as we explored in previous

0:01:49.540000 --> 0:01:54.540000
 courses. So what is the purpose of this
 phase, the detection and analysis

0:01:54.540000 --> 0:01:59.380000
 phase? Well, firstly, it goes without
 saying to detect suspicious activity

0:01:59.380000 --> 0:02:02.620000
 through automated systems
 or manual observation.

0:02:02.620000 --> 0:02:08.840000
 Of course, we'll get into that, but pretty
 much detect suspicious activity.

0:02:08.840000 --> 0:02:12.040000
 That's the first thing through various
 systems or even manually.

0:02:12.040000 --> 0:02:16.980000
 Secondly, to analyze and triage alerts
 and events to determine if they

0:02:16.980000 --> 0:02:20.680000
 constitute or represent a
 real security incident.

0:02:20.680000 --> 0:02:22.660000
 So the triage process.

0:02:22.660000 --> 0:02:27.140000
 And again, if you are an incident responder,
 you may be saying to yourself,

0:02:27.140000 --> 0:02:31.020000
 well, that's not really what we do here,
 because generally speaking, the

0:02:31.020000 --> 0:02:35.600000
 triage process would be done
 by the SOC tier one analyst.

0:02:35.600000 --> 0:02:37.880000
 And then it's escalated to
 the incident responder.

0:02:37.880000 --> 0:02:41.820000
 That is true. However, to a certain
 extent, you need to understand the

0:02:41.820000 --> 0:02:45.300000
 triage process because you'll be part
 of the process of improving it,

0:02:45.300000 --> 0:02:52.800000
 improving the detection side of
 things and then triage as well.

0:02:52.800000 --> 0:02:57.080000
 Moving on, thirdly, to scope and classify
 incidents, establishing their

0:02:57.080000 --> 0:02:59.160000
 severity, impact and priority.

0:02:59.160000 --> 0:03:00.940000
 That's very, very important.

0:03:00.940000 --> 0:03:05.480000
 Not because you'll be necessarily doing
 that, but because you need to

0:03:05.480000 --> 0:03:12.900000
 be able to again work with your team
 to determine what needs to be done

0:03:12.900000 --> 0:03:18.760000
 in the event of a particular event based
 on particular severity, impact,

0:03:18.760000 --> 0:03:22.360000
 et cetera. Don't worry about too much
 about what that means at this point

0:03:22.360000 --> 0:03:26.160000
 if that's new to you.

0:03:26.160000 --> 0:03:29.860000
 But by this point, we have actually
 covered that to a certain extent in

0:03:29.860000 --> 0:03:30.540000
 previous courses.

0:03:30.540000 --> 0:03:34.020000
 In any case, I'm sort of giving
 you a lay of the land here.

0:03:34.020000 --> 0:03:39.280000
 And then finally, but not least, I should
 say, to enable timely response

0:03:39.280000 --> 0:03:44.500000
 by ensuring only confirmed, prioritized
 incidents are escalated, right?

0:03:44.500000 --> 0:03:49.140000
 So this primarily deals with
 the detection side of things.

0:03:49.140000 --> 0:03:53.900000
 Now, let's actually break this down by
 understanding what the key activities

0:03:53.900000 --> 0:03:58.460000
 within the detection and analysis
 phase of incident response are.

0:03:58.460000 --> 0:04:05.000000
 So based on that, the previous list,
 the actual purpose of detection and

0:04:05.000000 --> 0:04:10.520000
 analysis, we can extrapolate from
 that what the key activities are.

0:04:10.520000 --> 0:04:16.380000
 So based on that, the first one is most
 likely going to be event collection.

0:04:16.380000 --> 0:04:18.860000
 So what does this entail?

0:04:18.860000 --> 0:04:19.960000
 What does it involve?

0:04:19.960000 --> 0:04:25.360000
 So the first thing you need to understand
 is that security tools like

0:04:25.360000 --> 0:04:32.640000
 firewalls, EDRs, SIEMs, IDSs, IPSs,
 collect raw telemetry in the form

0:04:32.640000 --> 0:04:38.340000
 of logs, events, flows, and system alerts,
 and where do they collect these

0:04:38.340000 --> 0:04:46.740000
 logs from? They collect them from various
 systems, whether it be a laptop,

0:04:46.740000 --> 0:04:49.540000
 desktop, server, so on and so forth.

0:04:49.540000 --> 0:04:58.260000
 So their job is to ingest these logs and
 then come up or pretty much ascertain

0:04:58.260000 --> 0:05:04.140000
 which ones are considered incidents
 or which ones are suspicious, so on

0:05:04.140000 --> 0:05:08.620000
 and so forth. And of course, you, as
 an incident responder, but more so

0:05:08.620000 --> 0:05:14.100000
 as a SOC analyst would be responsible
 for setting up these security systems

0:05:14.100000 --> 0:05:15.420000
 or security tools, right?

0:05:15.420000 --> 0:05:19.740000
 In the case of a firewall, to block malicious
 activity, but in the case

0:05:19.740000 --> 0:05:24.980000
 of a monitoring tool like a SIEM, to
 essentially configure or fine-tune

0:05:24.980000 --> 0:05:30.220000
 the SIEM to again inform you when
 something fishy is going on.

0:05:30.220000 --> 0:05:36.660000
 So to sort of tie up this particular
 aspect, you may be asking, what are

0:05:36.660000 --> 0:05:39.080000
 some of these common data sources?

0:05:39.080000 --> 0:05:43.940000
 Well, in the case of operating systems,
 you're going to have, you know,

0:05:43.940000 --> 0:05:46.320000
 in the case of Windows, you're
 going to have the Windows event

0:05:46.320000 --> 0:05:51.420000
 logs, Sysmon to a certain extent, and
 then as an example, in Linux, you

0:05:51.420000 --> 0:05:53.360000
 have Linux syslog.

0:05:53.360000 --> 0:05:58.000000
 We also have network traffic, so think
 of netflow and traffic captures

0:05:58.000000 --> 0:06:02.520000
 or PCAPs as it were, and then you have
 application logs, so think of third-party

0:06:02.520000 --> 0:06:03.820000
 applications.

0:06:03.820000 --> 0:06:07.600000
 In most cases, it's going to be a
 web server, VPN stuff like this.

0:06:07.600000 --> 0:06:11.000000
 So within an organization, you're going
 to have Windows systems, Linux

0:06:11.000000 --> 0:06:13.200000
 systems, even in the cloud.

0:06:13.200000 --> 0:06:18.020000
 It's not really important where this
 infrastructure is situated, or you

0:06:18.020000 --> 0:06:21.680000
 could even have a hybrid environment,
 but you also have a network, right?

0:06:21.680000 --> 0:06:28.180000
 Every bit of enterprise infrastructure,
 you know, companies' infrastructure

0:06:28.180000 --> 0:06:32.460000
 needs to be connected together somehow,
 and it's most likely through a

0:06:32.460000 --> 0:06:34.460000
 traditional network.

0:06:34.460000 --> 0:06:37.540000
 So you're going to have network traffic,
 and network traffic is very,

0:06:37.540000 --> 0:06:43.760000
 very important. So yeah, common data
 sources will be getting into these

0:06:43.760000 --> 0:06:47.600000
 shortly within this section, but
 that's the first activity.

0:06:47.600000 --> 0:06:51.920000
 The second is alert generation, which
 I sort of alluded to in a few seconds

0:06:51.920000 --> 0:06:57.180000
 ago. So events are analyzed by detection
 tools, for example, SIEMs, to

0:06:57.180000 --> 0:07:04.600000
 generate alerts based on
 a signature-based rule.

0:07:04.600000 --> 0:07:09.220000
 So you have behavioral analytics, or through
 the use of correlation engines

0:07:09.220000 --> 0:07:14.540000
 or machine learning, which we actually
 touched on in other courses, in,

0:07:14.540000 --> 0:07:16.540000
 you know, theoretically speaking.

0:07:16.540000 --> 0:07:22.400000
 You then have alert triage, which again,
 by this point, you should be

0:07:22.400000 --> 0:07:26.780000
 familiar with. So this is where analysts
 review incoming alerts to A,

0:07:26.780000 --> 0:07:31.500000
 validate their legitimacy, B, eliminate
 false positives, which will actually,

0:07:31.500000 --> 0:07:37.200000
 you know, touch on within this course,
 and then prioritize based on severity

0:07:37.200000 --> 0:07:41.460000
 and impact. And you know, what
 are the uses of triage?

0:07:41.460000 --> 0:07:44.520000
 Or, you know, why would
 you perform triage?

0:07:44.520000 --> 0:07:46.740000
 Well, firstly, context enrichment.

0:07:46.740000 --> 0:07:51.940000
 So think of things like asset value, user identity,
 as well as threat intelligence.

0:07:51.940000 --> 0:07:57.100000
 So known IOCs, or, you know, pretty
 much putting or leveraging threat

0:07:57.100000 --> 0:08:06.020000
 intelligence to assist or aid, or I should
 say augment the triage process.

0:08:06.020000 --> 0:08:10.540000
 So, yes, I mentioned known
 IOCs, malware hashes, etc.

0:08:10.540000 --> 0:08:14.160000
 And then you have incident identification
 or detection.

0:08:14.160000 --> 0:08:25.120000
 So here I'm switching between the NIST
 incident response process, but

0:08:25.120000 --> 0:08:27.660000
 you have incident identification.

0:08:27.660000 --> 0:08:31.320000
 So, you know, confirmed alerts are
 escalated into incidents when they

0:08:31.320000 --> 0:08:35.720000
 meet certain criteria, and these
 criteria are usually defined in

0:08:35.720000 --> 0:08:38.120000
 the incident response plan.

0:08:38.120000 --> 0:08:42.700000
 So policy and plan, I should say to
 various extents, or, you know, to

0:08:42.700000 --> 0:08:44.200000
 varying degrees.

0:08:44.200000 --> 0:08:49.200000
 So think of a policy violation,
 confirmed compromise, etc.

0:08:49.200000 --> 0:08:52.820000
 And this step typically involves,
 A, scoping the incident.

0:08:52.820000 --> 0:08:57.100000
 So the question you ask yourself is
 what systems or users are affected

0:08:57.100000 --> 0:08:58.640000
 or have been affected?

0:08:58.640000 --> 0:09:04.500000
 B, determining the entry point, attacker
 actions and the intent, which is

0:09:04.500000 --> 0:09:08.920000
 quite important in terms of understanding
 exactly what you might be dealing

0:09:08.920000 --> 0:09:14.720000
 with here, which again, may not make
 that much sense right now, but it

0:09:14.720000 --> 0:09:18.380000
 will, trust me, as we progress
 within this learning path.

0:09:18.380000 --> 0:09:22.500000
 And then C, assessing potential data
 loss or business impact, which is,

0:09:22.500000 --> 0:09:24.400000
 you know, very, very important here.

0:09:24.400000 --> 0:09:29.080000
 So incident identification and
 then host and network analysis.

0:09:29.080000 --> 0:09:34.680000
 So this is where you perform a deep
 dive investigation into endpoints

0:09:34.680000 --> 0:09:36.660000
 and network traffic.

0:09:36.660000 --> 0:09:41.100000
 So on endpoints, you know, examples here
 would be, you know, process trees,

0:09:41.100000 --> 0:09:46.140000
 file activity, file system activity and
 changes, you know, file integrity,

0:09:46.140000 --> 0:09:51.140000
 stuff like that, registry changes and,
 you know, login behavior. On networks,

0:09:51.140000 --> 0:09:55.240000
 what you're looking for here, or you're
 going to be analyzing is unusual

0:09:55.240000 --> 0:10:00.520000
 communications that deviate
 from a baseline.

0:10:00.520000 --> 0:10:05.740000
 You know, think of lateral movement,
 C2 traffic, so on and so forth.

0:10:05.740000 --> 0:10:11.860000
 So that is it. Then finally,
 documentation and handoff.

0:10:11.860000 --> 0:10:16.500000
 So in this case, all findings are documented
 for handoff to containment

0:10:16.500000 --> 0:10:18.620000
 and eradication teams.

0:10:18.620000 --> 0:10:24.340000
 So you essentially say, okay, I perform,
 you know, we detected, you know,

0:10:24.340000 --> 0:10:30.600000
 we then analyze, we perform the analysis,
 so on and so forth, both host

0:10:30.600000 --> 0:10:34.860000
 and network. We'll touch on digital
 forensics in its own course.

0:10:34.860000 --> 0:10:39.100000
 And then, you know, you document it here,
 you know, pretty much what we're

0:10:39.100000 --> 0:10:44.320000
 dealing with. And then you hand this over
 to the individual or team responsible

0:10:44.320000 --> 0:10:48.140000
 for containment and eradication,
 you may be responsible for that.

0:10:48.140000 --> 0:10:49.000000
 Really, it doesn't matter.

0:10:49.000000 --> 0:10:53.060000
 The bottom line is you need, there needs
 to be a handoff between one phase

0:10:53.060000 --> 0:10:55.660000
 to the other, typically speaking.

0:10:55.660000 --> 0:10:59.100000
 So handoff to containment
 and eradication teams.

0:10:59.100000 --> 0:11:03.200000
 And then, you know, you build timelines
 and attack paths, and you improve

0:11:03.200000 --> 0:11:04.860000
 the detection content.

0:11:04.860000 --> 0:11:10.860000
 So think of updating rules on, you
 know, the SIEM, et cetera, as well as

0:11:10.860000 --> 0:11:14.160000
 playbooks, based on what you learned.

0:11:14.160000 --> 0:11:19.120000
 And then now this brings us to the key
 skills that are required in this

0:11:19.120000 --> 0:11:22.360000
 phase, the phase being
 detection and analysis.

0:11:22.360000 --> 0:11:27.840000
 So firstly, you need to be proficient
 in log analysis and SIEM usage.

0:11:27.840000 --> 0:11:32.160000
 You need to have a working knowledge
 of Windows and Linux internals.

0:11:32.160000 --> 0:11:36.920000
 You need to have skills in, you know,
 performing network traffic capture,

0:11:36.920000 --> 0:11:39.740000
 to a certain extent, but mostly analysis.

0:11:39.740000 --> 0:11:44.300000
 So think of, you know, PCAPs, protocol
 decoding, those are very few examples

0:11:44.300000 --> 0:11:45.680000
 I'm providing there.

0:11:45.680000 --> 0:11:48.800000
 But don't worry. I'm showing
 you this because it's sort

0:11:48.800000 --> 0:11:52.680000
 of laying the land for what we'll
 be covering in this course.

0:11:52.680000 --> 0:12:04.340000
 And in the case of the last two, you
 know, more so the digital threat

0:12:04.340000 --> 0:12:08.640000
 intelligence, which accounts for the
 final skill here, where, you know,

0:12:08.640000 --> 0:12:13.080000
 you need to have a familiarity with the
 MITRE ATT&CK framework to map behaviors

0:12:13.080000 --> 0:12:14.380000
 to known techniques.

0:12:14.380000 --> 0:12:18.640000
 In any case, sort of continuing on
 from where I left off, you need to

0:12:18.640000 --> 0:12:22.660000
 be skilled in the use of forensic and
 investigative tools, think of Wireshark,

0:12:22.660000 --> 0:12:25.420000
 Velociraptor, Splunk, Zeek.

0:12:25.420000 --> 0:12:36.440000
 If you don't know what some of I would
 say, pretty much most of them we

0:12:36.440000 --> 0:12:40.500000
 will cover. And then of course, familiarity,
 as I mentioned with the MITRE ATT&CK

0:12:40.500000 --> 0:12:44.580000
 framework to map behaviors to known
 techniques, we'll be covering the

0:12:44.580000 --> 0:12:48.460000
 MITRE ATT&CK framework, threat intelligence,
 as well as threat hunting in its

0:12:48.460000 --> 0:12:50.440000
 own separate course.

0:12:50.440000 --> 0:12:53.340000
 It's going to be related to what we
 cover here, because, you know, we'll

0:12:53.340000 --> 0:13:00.840000
 be focusing on enriching the incident response
 process with threat intelligence.

0:13:00.840000 --> 0:13:06.720000
 And that will then lead us into threat
 hunting. So those are the

0:13:06.720000 --> 0:13:10.460000
 skills required, you know,
 in detection and analysis.

0:13:10.460000 --> 0:13:12.400000
 And then that brings us to the outcome.

0:13:12.400000 --> 0:13:16.700000
 So what are the outcomes of this phase?
 Number one, confirmed and scoped

0:13:16.700000 --> 0:13:22.060000
 security incidents. Two, timeline of attack
 activity. Three, prioritized incident

0:13:22.060000 --> 0:13:25.660000
 classification. And then, you know, there's
 obviously going to be analysis

0:13:25.660000 --> 0:13:26.900000
 and stuff like that.

0:13:26.900000 --> 0:13:31.800000
 But the output we're focusing on the
 outcomes here, the final one being,

0:13:31.800000 --> 0:13:35.920000
 you know, handoff to containment, eradication
 and recovery phase or the

0:13:35.920000 --> 0:13:38.460000
 teams responsible for that phase.

0:13:38.460000 --> 0:13:41.580000
 All right, so with that being said,
 that brings us to the end of this

0:13:41.580000 --> 0:13:46.320000
 video. Now that we understand the
 role of detection and analysis or

0:13:46.320000 --> 0:13:51.480000
 the detection and analysis phase in
 incident response, we can proceed by,

0:13:51.480000 --> 0:13:54.800000
 you know, taking a look at a few more
 things that are quite important

0:13:54.800000 --> 0:14:01.920000
 concepts. And that'll set the stage for
 us in terms of covering detection

0:14:01.920000 --> 0:14:06.460000
 or the detection phase and detection
 engineering, logging, and all that

0:14:06.460000 --> 0:14:09.800000
 good stuff. And then once we're done
 with that, we'll then move on to

0:14:09.800000 --> 0:14:14.940000
 analysis, we will actually, you
 know, perform the analysis.

0:14:14.940000 --> 0:14:16.680000
 Yeah, so very, very exciting.

