WEBVTT

0:00:03.440000 --> 0:00:07.860000
 Bridging the gap: detection and analysis.

0:00:07.860000 --> 0:00:13.260000
 So welcome everyone to the next section
 of this course that will be focused

0:00:13.260000 --> 0:00:20.880000
 on the analysis phase or process of
 the detection and analysis process

0:00:20.880000 --> 0:00:27.800000
 or phase. So we've covered detection
 because that is in its own right,

0:00:27.800000 --> 0:00:33.800000
 an area that needs to be explored independently
 in order for you to understand

0:00:33.800000 --> 0:00:40.260000
 what it means and what it entails and
 how it feeds into analysis because

0:00:40.260000 --> 0:00:45.700000
 they are related and should
 not be treated as one.

0:00:45.700000 --> 0:00:51.540000
 That's a common mistake that a lot of beginners
 make in terms of understanding

0:00:51.540000 --> 0:01:05.700000
 what each of feeds of the results or
 of information from the detection

0:01:05.700000 --> 0:01:07.500000
 phase or process.

0:01:07.500000 --> 0:01:13.120000
 So we've covered detection and we did
 that in quite a bit of detail so

0:01:13.120000 --> 0:01:16.220000
 we're now turning our
 attention to analysis.

0:01:16.220000 --> 0:01:20.100000
 So in this section I'm going to be introducing
 you to the analysis section

0:01:20.100000 --> 0:01:27.160000
 or process within incident response,
 the incident response lifecycle.

0:01:27.160000 --> 0:01:34.760000
 In order to do that we need to bridge
 the gap between detection or from

0:01:34.760000 --> 0:01:36.680000
 detection to analysis.

0:01:36.680000 --> 0:01:38.920000
 So let's do that first.

0:01:38.920000 --> 0:01:43.600000
 So as I mentioned in the previous sections
 of this course, you learned

0:01:43.600000 --> 0:01:49.420000
 how logs are collected, parsed, correlated
 and triaged so that only credible

0:01:49.420000 --> 0:01:52.520000
 alerts reach an incident responder.

0:01:52.520000 --> 0:01:57.040000
 So detection answers the questions, or
 the question: something suspicious

0:01:57.040000 --> 0:01:59.880000
 just happened, do we care?

0:01:59.880000 --> 0:02:07.000000
 And that may seem like a very pernicious
 question if you will or very

0:02:07.000000 --> 0:02:12.480000
 lax question in terms of the attitude
 but that in essence is what detection

0:02:12.480000 --> 0:02:18.540000
 is all about. Now the moment a tier
 two analyst or an incident responder

0:02:18.540000 --> 0:02:26.260000
 as it were, when the moment that they
 confirm yes we do, or they answer

0:02:26.260000 --> 0:02:31.620000
 that particular question with the response
 yes we do, the workflow or

0:02:31.620000 --> 0:02:38.780000
 the incident response process pivots to
 analysis, which consequently turns

0:02:38.780000 --> 0:02:45.720000
 that alert or incident into a precise
 understanding of what happened,

0:02:45.720000 --> 0:02:49.920000
 how far it happened and how to
 stop it if it's still ongoing.

0:02:49.920000 --> 0:02:57.940000
 So you essentially, detection pretty
 much covers or involves finding out

0:02:57.940000 --> 0:03:05.040000
 malicious stuff that's going on or
 detecting that type of activity.

0:03:05.040000 --> 0:03:10.700000
 And then that is escalated or communicated
 to an incident responder.

0:03:10.700000 --> 0:03:16.360000
 And they are supposed to, if they confirm
 that this is something that

0:03:16.360000 --> 0:03:21.960000
 we should care about, that's the initial
 validation of an incident, which

0:03:21.960000 --> 0:03:24.600000
 is part of the analysis process.

0:03:24.600000 --> 0:03:31.840000
 Anyway, without going on to a tangent,
 once they've sort of validated

0:03:31.840000 --> 0:03:37.700000
 that yes this is an incident, the workflow
 pivots now into proper analysis

0:03:37.700000 --> 0:03:44.320000
 and the goal here is to take that alert
 or incident and gain a precise

0:03:44.320000 --> 0:03:49.580000
 understanding of what happened, how
 far it spread and of course how to

0:03:49.580000 --> 0:03:54.940000
 stop it if it's still ongoing, which
 when we say how to stop it that will

0:03:54.940000 --> 0:03:59.040000
 obviously involve eradication
 and stuff like this.

0:03:59.040000 --> 0:04:04.040000
 So the best way to understand detection
 and analysis and sort of bridge

0:04:04.040000 --> 0:04:09.380000
 the gap between the two is through
 the use of an example or a scenario

0:04:09.380000 --> 0:04:21.800000
 that I typically like using when you
 may be asking yourself, okay, I know

0:04:21.800000 --> 0:04:29.660000
 that detection feeds into analysis and
 we as incident responders get the

0:04:29.660000 --> 0:04:33.800000
 incidents from the threat detection
 phase or process.

0:04:33.800000 --> 0:04:37.240000
 So best way to understand it
 is through this scenario.

0:04:37.240000 --> 0:04:40.820000
 So picture a modern museum at night.

0:04:40.820000 --> 0:04:43.620000
 And this is an example
 of what it looks like.

0:04:43.620000 --> 0:04:48.900000
 You can see we have a few, we have an
 exhibit hall here with some cases

0:04:48.900000 --> 0:04:57.680000
 that have various valuable artifacts
 and we can see a laser grid that's

0:04:57.680000 --> 0:05:04.960000
 produced by various lasers and the consequent
 or subsequent sensors receiving

0:05:04.960000 --> 0:05:10.240000
 them. So from a security perspective within
 this museum, intrusion detection

0:05:10.240000 --> 0:05:17.140000
 is facilitated by the laser grid
 sensors in the exhibit halls.

0:05:17.140000 --> 0:05:22.180000
 So these laser sensors are used, these
 laser grid sensors are used for

0:05:22.180000 --> 0:05:27.200000
 detection, and what are they detecting?
 Intruders, right, or individuals, to

0:05:27.200000 --> 0:05:31.280000
 put it bluntly who want to steal
 some of these artifacts.

0:05:31.280000 --> 0:05:34.100000
 Okay, so that's what detection
 is all about.

0:05:34.100000 --> 0:05:40.660000
 Now, let's say someone breaks in right,
 so the moment a beam or one of

0:05:40.660000 --> 0:05:48.960000
 these laser beams is broken or disrupted,
 a silent alarm is triggered

0:05:48.960000 --> 0:05:54.420000
 right. In this case, we can call an
 alarm an alert if we were sort of

0:05:54.420000 --> 0:05:58.440000
 transposing what this means in the
 context of incident response.

0:05:58.440000 --> 0:06:03.860000
 So the moment a beam is broken or disrupted
 a silent alarm tells or alerts

0:06:03.860000 --> 0:06:10.060000
 the security personnel working for or in
 the museum that something is moving

0:06:10.060000 --> 0:06:14.860000
 where it shouldn't be within one
 of these exhibit halls of course.

0:06:14.860000 --> 0:06:19.740000
 Now, this is what I wanted to communicate
 to you during the detection

0:06:19.740000 --> 0:06:24.980000
 section of this course is that if you
 have security or your monitoring

0:06:24.980000 --> 0:06:32.160000
 is set up let's say very poorly or not
 rigorously, then the security team

0:06:32.160000 --> 0:06:34.480000
 in the context of the museum.

0:06:34.480000 --> 0:06:39.960000
 For example, if they only have CCTV
 cameras in certain exhibit halls and

0:06:39.960000 --> 0:06:46.160000
 not in others or they only have laser
 grids in certain exhibit halls as

0:06:46.160000 --> 0:06:52.960000
 opposed to others and they don't, the
 alerting system or their intrusion

0:06:52.960000 --> 0:06:59.260000
 detection system as it were when communicating
 or alerting them does not

0:06:59.260000 --> 0:07:04.040000
 tell them where the alert is coming
 from in terms of what exhibit hall

0:07:04.040000 --> 0:07:11.240000
 is being intruded on, then they pretty
 much have to, they pretty much

0:07:11.240000 --> 0:07:19.360000
 need to perform a search that is not
 specific or is not they essentially

0:07:19.360000 --> 0:07:24.920000
 start off by performing a very wide
 sweep of all exhibits and so that's

0:07:24.920000 --> 0:07:30.760000
 one of the reasons why understanding
 the whole process of threat detection

0:07:30.760000 --> 0:07:36.920000
 and the tools and technologies that
 facilitate it whether that be, let

0:07:36.920000 --> 0:07:41.340000
 me correct that more specifically things
 like detection rules and how

0:07:41.340000 --> 0:07:49.360000
 specific or how fine-tuned they are improve
 your ability to not only detect

0:07:49.360000 --> 0:07:54.000000
 threats but also tell you exactly where
 they're coming from and if you're

0:07:54.000000 --> 0:07:58.560000
 to, if I was to elaborate on this analogy
 a little bit more and sort of

0:07:58.560000 --> 0:08:08.560000
 transpose it on to or into the context
 of incident response you know and

0:08:08.560000 --> 0:08:14.040000
 and what that looks like, you would
 essentially be trying to answer

0:08:14.040000 --> 0:08:19.200000
 the question that okay something's
 wrong what system is it coming from

0:08:19.200000 --> 0:08:26.560000
 or what system is this malicious activity
 going on or happening on as

0:08:26.560000 --> 0:08:31.920000
 it were. In any case, this silent alarm,
 continuing on with the explanation,

0:08:31.920000 --> 0:08:37.100000
 this silent alarm triggers the security
 team to investigate or indeed

0:08:37.100000 --> 0:08:44.180000
 analyze the cause of the alarm so you
 know there's an alarm and let's

0:08:44.180000 --> 0:08:48.600000
 say in this case they know where it's
 coming from or where the intrusion

0:08:48.600000 --> 0:08:54.480000
 is in terms of what exhibit hall, but
 now that the alarm has been

0:08:54.480000 --> 0:08:59.420000
 triggered it needs to be investigated
 you might be asking yourself why

0:08:59.420000 --> 0:09:06.260000
 do we need to investigate or analyze
 the cause of the alarm and this is

0:09:06.260000 --> 0:09:09.720000
 where we are now bridging from detection
 to analysis so this is a very

0:09:09.720000 --> 0:09:16.480000
 key point here so analysis or investigation
 of the root cause of the alarm

0:09:16.480000 --> 0:09:23.260000
 or the alert if you will involves or
 you know involves the security team

0:09:23.260000 --> 0:09:29.360000
 that works for the museum or in the
 museum panning out with flashlights

0:09:29.360000 --> 0:09:34.320000
 and reviewing CCTV playback so those
 are very basic examples of the type

0:09:34.320000 --> 0:09:39.080000
 of analysis or investigation you can
 perform but why are they doing this

0:09:39.080000 --> 0:09:44.040000
 well this is done to determine whether
 there actually is a legitimate

0:09:44.040000 --> 0:09:49.380000
 intrusion because, again, it
 could be a false alarm,

0:09:49.380000 --> 0:09:56.160000
 or you know if we talk about the threat
 detection parlance it could be

0:09:56.160000 --> 0:10:01.540000
 a false positive which means that an
 alarm was triggered or an alert was

0:10:01.540000 --> 0:10:06.600000
 created or triggered but the activity was
 benign or there's nothing malicious

0:10:06.600000 --> 0:10:11.020000
 going on so that's when you talk about
 analysis what you're trying to

0:10:11.020000 --> 0:10:16.620000
 do is you know something is going on
 but before you if you start jumping

0:10:16.620000 --> 0:10:21.800000
 to conclusions you're trying to firstly
 identify or determine or validate

0:10:21.800000 --> 0:10:26.840000
 if you will whether you know something
 malicious is actually going on

0:10:26.840000 --> 0:10:33.740000
 so in the case of this museum example
 you know the security team is you

0:10:33.740000 --> 0:10:38.340000
 know panning out with flashlights checking
 you know CCTV playback all

0:10:38.340000 --> 0:10:42.260000
 of that you know good stuff in order
 firstly to determine whether there

0:10:42.260000 --> 0:10:46.280000
 is a legitimate intrusion and the only
 way you can do it in a museum is

0:10:46.280000 --> 0:10:51.500000
 to physically go to any of these exhibit
 halls and you know for example

0:10:51.500000 --> 0:10:56.920000
 look around can you find anyone who shouldn't
 be there is anything missing

0:10:56.920000 --> 0:11:02.160000
 from you know any of the cases the
 exhibit cases so on and so forth so

0:11:02.160000 --> 0:11:07.280000
 this is done to determine whether there
 actually is a legitimate intrusion

0:11:07.280000 --> 0:11:11.940000
 or whether it is a false alarm or a false
 positive now if it is legitimate

0:11:11.940000 --> 0:11:17.480000
 and you spot something, so let's say one
 of the security officers or security

0:11:17.480000 --> 0:11:22.280000
 guards you know spot something on the
 CCTV they spot someone running or

0:11:22.280000 --> 0:11:26.880000
 stuff like this and of course they're
 watching a playback right so it's

0:11:26.880000 --> 0:11:31.800000
 a recording; it happened maybe five minutes
 before the alarm was triggered.

0:11:31.800000 --> 0:11:38.500000
 So if there is a legitimate
 intrusion, the next thing is

0:11:38.500000 --> 0:11:43.580000
 to determine where they currently are, so
 where are they, are they still within

0:11:43.580000 --> 0:11:48.580000
 the confines of the museum or have
 they left? You need

0:11:48.580000 --> 0:11:55.460000
 to conclusively or concretely determine
 that and more importantly then

0:11:55.460000 --> 0:12:00.500000
 you know this happens in parallel and
 more importantly what has been stolen

0:12:00.500000 --> 0:12:04.280000
 or what has been taken what is the
 impact of this intrusion why would

0:12:04.280000 --> 0:12:10.880000
 someone want to you know break into
 a museum or intrude onto or into a

0:12:10.880000 --> 0:12:14.680000
 museum right in this case it's fairly
 obvious they want to get their hands

0:12:14.680000 --> 0:12:20.740000
 on some of those artifacts right so
 that's when we're talking about you

0:12:20.740000 --> 0:12:24.460000
 know impact and the scope and so on
 and so forth because they may have

0:12:24.460000 --> 0:12:29.180000
 stolen more than one artifact and so
 you need to determine the full extent

0:12:29.180000 --> 0:12:35.160000
 of the theft or the intrusion so as part
 of the investigation or analysis

0:12:35.160000 --> 0:12:44.480000
 the security team trace the intruder's
 path, note which display cases

0:12:44.480000 --> 0:12:48.840000
 were opened and they check for missing
 artifacts and decide which galleries

0:12:48.840000 --> 0:12:54.620000
 or exhibits to seal off before the
 thief can escape right so that's in

0:12:54.620000 --> 0:13:01.000000
 this case presuming, you know, that
 they're sort of making an assumption

0:13:01.000000 --> 0:13:04.720000
 that the intruder is still within the
 confines of the museum; they just

0:13:04.720000 --> 0:13:09.460000
 probably don't know where,
 but they need

0:13:09.460000 --> 0:13:13.760000
 to contain this threat or this intruder.
 So hopefully with this analogy

0:13:13.760000 --> 0:13:20.420000
 all the phases are coming together
 not just you know preparation which

0:13:20.420000 --> 0:13:26.440000
 in the case of this example would essentially
 deal with, you know, setting

0:13:26.440000 --> 0:13:33.560000
 up your security policy determining
 what security mechanisms that need

0:13:33.560000 --> 0:13:39.280000
 to be put in place, and in this case
 a laser grid, you know, closed-circuit

0:13:39.280000 --> 0:13:52.640000
 CCTV, hiring a security team. So that's
 the preparation phase. I've

0:13:52.640000 --> 0:13:58.440000
 already covered detection that's the
 process of you know having these

0:13:58.440000 --> 0:14:03.200000
 security mechanisms alert the security
 team when there is an intrusion

0:14:03.200000 --> 0:14:11.140000
 detected, and then, you know, analysis
 involves the security team

0:14:11.140000 --> 0:14:17.080000
 that was assembled remember in the preparation
 phase you know using that

0:14:17.080000 --> 0:14:22.420000
 methodology. It essentially
 involves the security team

0:14:22.420000 --> 0:14:27.420000
 investigating this intrusion and determining
 whether

0:14:27.420000 --> 0:14:33.140000
 (a) there was an intrusion, you know,
 whether or not it was

0:14:33.140000 --> 0:14:38.960000
 a false positive. If there is an intrusion,
 as I just stated here, they need

0:14:38.960000 --> 0:14:43.440000
 to determine whether the intruder is still
 within the confines of the museum,

0:14:43.440000 --> 0:14:51.260000
 what has been stolen how much has been
 stolen you know have missing artifacts

0:14:51.260000 --> 0:14:57.900000
 stuff like this and then from that point
 on if we you know if we had to

0:14:57.900000 --> 0:15:03.640000
 use the final phase or you know that
 one of the final key phases of the

0:15:03.640000 --> 0:15:08.600000
 incident response process or lifecycle,
 that is containment, eradication

0:15:08.600000 --> 0:15:13.520000
 and recovery containment would essentially
 be in the case of this example

0:15:13.520000 --> 0:15:21.720000
 you know, sealing off the museum, you know,
 so the entrances, the exits,

0:15:21.720000 --> 0:15:29.420000
 all the galleries, etc. Of course,
 this example really

0:15:29.420000 --> 0:15:34.820000
 doesn't transpose well in the context
 of computing systems. It could either

0:15:34.820000 --> 0:15:39.740000
 be you know sealing off the galleries
 or the museum could serve two purposes

0:15:39.740000 --> 0:15:45.360000
 a to contain everything as it is to
 preserve evidence all of that good

0:15:45.360000 --> 0:15:51.720000
 stuff, or, you know, to ensure that the
 intruder does not leave the museum

0:15:51.720000 --> 0:15:55.140000
 so that they can be apprehended of
 course in computing it's not really

0:15:55.140000 --> 0:16:00.400000
 the same but you know in the context
 of recovery and then finally the

0:16:00.400000 --> 0:16:05.400000
 post incident activity or analysis that's
 when you know there's an investigation

0:16:05.400000 --> 0:16:12.080000
 timelines are constructed as to when
 the alert was triggered initially

0:16:12.080000 --> 0:16:17.100000
 it's you know very clear using the example
 that I laid out here that one

0:16:17.100000 --> 0:16:22.140000
 of the officers saw some suspicious
 activity when viewing or reviewing

0:16:22.140000 --> 0:16:26.480000
 CCTV playback so you build a timeline
 you determine what happens and then

0:16:26.480000 --> 0:16:32.640000
 this is you know formalized and reported
 and so using this example you

0:16:32.640000 --> 0:16:39.140000
 can see that it pretty much transposes
 or you know converts really well

0:16:39.140000 --> 0:16:46.940000
 you know into incident response or into
 you know an incident and how you

0:16:46.940000 --> 0:16:51.160000
 would respond to it so hopefully using
 this example you have a better

0:16:51.160000 --> 0:16:54.860000
 idea or a better understanding as to
 how we go from detection to analysis

0:16:54.860000 --> 0:16:59.740000
 but more importantly hopefully it's
 given you an idea as to what your

0:16:59.740000 --> 0:17:05.040000
 role is or what you will be required to
 do so when it comes down to analysis

0:17:05.040000 --> 0:17:10.360000
 so that brings us now to the analysis
 phase of instant response I need

0:17:10.360000 --> 0:17:15.060000
 to you know formally introduce it to
 you so what is the analysis phase

0:17:15.060000 --> 0:17:18.900000
 of incident response so we're leaving
 that example alone we're no longer

0:17:18.900000 --> 0:17:23.300000
 talking about museums we're now focusing
 on you know digital infrastructure

0:17:23.300000 --> 0:17:28.080000
 so the analysis phase of incident response
 is the disciplined investigation

0:17:28.080000 --> 0:17:33.180000
 that begins the moment an escalated alert
 is accepted as a credible security

0:17:33.180000 --> 0:17:38.620000
 event or incident so detection determines
 that something suspicious occurred

0:17:38.620000 --> 0:17:44.560000
 or is occurring analysis determines
 what how where and how far it went

0:17:44.560000 --> 0:17:49.480000
 and, you know, working from a combination
 of evidence sources such as SIEM

0:17:49.480000 --> 0:17:54.220000
 events, endpoint telemetry, memory captures,
 disk images, network packet

0:17:54.220000 --> 0:17:58.840000
 captures and open source intelligence, OSINT
 as it's abbreviated, responders

0:17:58.840000 --> 0:18:04.280000
 validate the incident, reconstruct the
 attacker's actions or the steps that

0:18:04.280000 --> 0:18:09.580000
 they took and assess business impact
 right so that's pretty much what

0:18:09.580000 --> 0:18:13.620000
 analysis is all about now there's a
 lot more that we need to unpack here

0:18:13.620000 --> 0:18:19.500000
 so let's get into that so why does
 analysis exist right why do we need

0:18:19.500000 --> 0:18:24.460000
 to investigate or analyze an incident
 if it you know if it isn't already

0:18:24.460000 --> 0:18:30.360000
 obvious to you by this point well analysis
 exists first and foremost or

0:18:30.360000 --> 0:18:35.860000
 I should say primarily to remove uncertainty
 right so if you get if you're

0:18:35.860000 --> 0:18:39.580000
 alerted to something, you know, whether
 it's through a SIEM or whether

0:18:39.580000 --> 0:18:45.180000
 you're a security officer working for
 a museum if you get an alert you

0:18:45.180000 --> 0:18:50.220000
 need to investigate it not under the guise
 that oh my god there's an intrusion

0:18:50.220000 --> 0:18:55.380000
 but to actually validate whether there
 actually is an intrusion or not

0:18:55.380000 --> 0:19:02.240000
 because false positives are a possibility
 so an analysis or investigation

0:19:02.240000 --> 0:19:07.380000
 exists to remove uncertainty false positives
 are eliminated true positives

0:19:07.380000 --> 0:19:12.520000
 are confirmed and silent false negatives
 are uncovered by pivoting through

0:19:12.520000 --> 0:19:17.880000
 related logs and artifacts so by accurately
 scoping the affected hosts

0:19:17.880000 --> 0:19:24.100000
 or systems users data sets and timelines
 responders prevent both overreaction

0:19:24.100000 --> 0:19:29.300000
 which is what I alluded to earlier on where
 the security officer the security

0:19:29.300000 --> 0:19:33.680000
 guard says oh my god there's an incident
 there's an intrusion someone's

0:19:33.680000 --> 0:19:37.840000
 in and you know it's just they've just
 received one alert or alarm right

0:19:37.840000 --> 0:19:42.680000
 so prevent both overreaction needless
 outages in the case of computers

0:19:42.680000 --> 0:19:51.620000
 right and underreaction which is where
 the museum and a security guard

0:19:51.620000 --> 0:19:56.460000
 if they're viewing the you know if
 they get an alert or an alarm that

0:19:56.460000 --> 0:20:00.980000
 tells them hey there's something going
 on in exhibit a for example and

0:20:00.980000 --> 0:20:04.500000
 they say ah well I'll get to that in
 the next 15 minutes when I'm making

0:20:04.500000 --> 0:20:10.180000
 you know my rounds that is an underreaction
 right so now that you understand

0:20:10.180000 --> 0:20:15.720000
 that and hopefully this example is helping
 you bridge the gap as it were

0:20:15.720000 --> 0:20:21.860000
 no pun intended the phase also seeks
 to identify the root cause of the

0:20:21.860000 --> 0:20:27.320000
 incident, right. So in the context
 of, you know, computers and digital

0:20:27.320000 --> 0:20:31.820000
 infrastructure, this would be something
 like a phishing email, an unpatched

0:20:31.820000 --> 0:20:36.580000
 web vulnerability so on and so forth
 and why is this done why do you want

0:20:36.580000 --> 0:20:40.400000
 to identify the root cause of the incident?
 So that remediation addresses

0:20:40.400000 --> 0:20:46.340000
 the real weaknesses, flaws or vulnerabilities
 rather than just the symptoms.

0:20:46.340000 --> 0:20:53.180000
 so that's why the you know analysis
 or investigation exists and you know

0:20:53.180000 --> 0:20:58.620000
 that's why it's important so I just
 mentioned briefly in the previous

0:20:58.620000 --> 0:21:02.820000
 slide pivoting through logs and you may
 have been you may have asked yourself

0:21:02.820000 --> 0:21:07.740000
 well what exactly does that mean well
 again that's a very good question

0:21:07.740000 --> 0:21:11.060000
 and I hope to answer it here so when
 we talk this is a very important

0:21:11.060000 --> 0:21:17.040000
 concept in incident response more specifically
 analysis because again

0:21:17.040000 --> 0:21:21.340000
 it's something that you'll be doing
 and it's a term that is frequently

0:21:21.340000 --> 0:21:25.620000
 used so you'll hear it quite a lot
 and you need to understand what it

0:21:25.620000 --> 0:21:30.700000
 means so pivoting through logs is the
 investigative practice of starting

0:21:30.700000 --> 0:21:42.620000
 with one piece of evidence in your log
 data, like a URL, etc., or an indicator of

0:21:42.620000 --> 0:21:48.120000
 compromise as it were and using this
 as a pivot point right to discover

0:21:48.120000 --> 0:21:53.000000
 related events that broaden the picture
 of an incident so what this means

0:21:53.000000 --> 0:21:57.760000
 is if you're going through logs right
 and you know you're just looking

0:21:57.760000 --> 0:22:02.420000
 at them you really you know unless
 you pick out one of them that looks

0:22:02.420000 --> 0:22:07.620000
 suspicious, you pretty much, you
 know, are not able to understand

0:22:07.620000 --> 0:22:14.260000
 what's going on in terms of malicious
 activity, and I'll explain this.

0:22:14.260000 --> 0:22:20.200000
 I'll sort of make the point here or
 emphasize what I mean here because

0:22:20.200000 --> 0:22:23.860000
 it may not make sense to you know looking
 through logs that's typically

0:22:23.860000 --> 0:22:29.020000
 how you detect things but what I mean
 is when we talk about pivoting through

0:22:29.020000 --> 0:22:35.540000
 logs is let's say you find a you know
 log with an IOC like an IP address

0:22:35.540000 --> 0:22:39.220000
 that's a starting point right that's
 something an IP address is something

0:22:39.220000 --> 0:22:44.980000
 that you can use to then discover other
 related events you know that broaden

0:22:44.980000 --> 0:22:49.900000
 the picture of an incident or tell
 you whether you know the attack is

0:22:49.900000 --> 0:22:54.660000
 you know is more widespread or to give
 you a clearer picture of what you're

0:22:54.660000 --> 0:22:59.540000
 dealing with so for example if you
 find you know if you're looking at

0:22:59.540000 --> 0:23:02.560000
 some logs and you discover there's a
 brute force attack or what appears

0:23:02.560000 --> 0:23:06.580000
 to be a brute force attack, by virtue
 of the fact that you're seeing

0:23:06.580000 --> 0:23:11.980000
 failed authentication attempts every
 five seconds coming into the SIEM,

0:23:11.980000 --> 0:23:17.000000
 and what you do is you
 take the IP address, so the indicator

0:23:17.000000 --> 0:23:22.380000
 of compromise as it were from one of
 these logs and you'd use it you know

0:23:22.380000 --> 0:23:29.340000
 to determine whether the attacker
 is trying anything else or

0:23:29.340000 --> 0:23:34.460000
 they're targeting another service or
 another server stuff like this in

0:23:34.460000 --> 0:23:40.080000
 the case of you know a file hash or
 you know anything like that you get

0:23:40.080000 --> 0:23:43.060000
 the idea you're using one piece of
 information that you've identified

0:23:43.060000 --> 0:23:48.960000
 as possibly malicious
 and using that, again, as stated here,

0:23:48.960000 --> 0:23:53.080000
 as a pivot point to discover related
 events that broaden the picture

0:23:53.080000 --> 0:23:57.020000
 of an incident doesn't mean that they're
 you know that the incident is

0:23:57.020000 --> 0:24:02.000000
 broad or is always broad it just allows
 you to verify that you've identified

0:24:02.000000 --> 0:24:06.820000
 you know what you're dealing with in
 totality of course not a hundred

0:24:06.820000 --> 0:24:14.200000
 percent but that's what pivoting through
 logs means so now I want to talk

0:24:14.200000 --> 0:24:19.440000
 about the goals of analysis you know
 more broadly put why it exists or

0:24:19.440000 --> 0:24:25.100000
 why this phase exists within incident response
 so firstly it's for verification

0:24:25.100000 --> 0:24:30.860000
 which by this point has been drilled
 into your heads, you know, quite a few

0:24:30.860000 --> 0:24:35.840000
 times in this video so you're ensuring
 that the incident is real all right

0:24:35.840000 --> 0:24:41.660000
 so that means eliminating false positives
 secondly scoping so you're doing

0:24:41.660000 --> 0:24:47.020000
 analysis to identify all affected hosts
 users data and timelines you're

0:24:47.020000 --> 0:24:51.480000
 also doing analysis to you know for
 root cause discovery to understand

0:24:51.480000 --> 0:24:58.560000
 the entry vector and exploited weaknesses
 or misconfigurations of how

0:24:58.560000 --> 0:25:04.160000
 the intruder got in. In the context
 of the museum example, or in

0:25:04.160000 --> 0:25:08.720000
 that case you'd essentially be trying
 to find out how the intruder or

0:25:08.720000 --> 0:25:13.600000
 how the thief got into the museum right
 so that's why root cause discovery

0:25:13.600000 --> 0:25:18.160000
 is very important in the context of computers
 you're you know you're trying

0:25:18.160000 --> 0:25:21.760000
 to identify the root cause could be
 something like a phishing email an

0:25:21.760000 --> 0:25:25.040000
 unpatched vulnerability, stuff like this,
 is very important because that

0:25:25.040000 --> 0:25:32.820000
 needs to be remediated. The next goal
 or objective is impact assessment,

0:25:32.820000 --> 0:25:37.360000
 right so you need to quantify business
 and regulatory ramifications of

0:25:37.360000 --> 0:25:42.220000
 the incident, so you need to, you know,
 be able to tell senior management

0:25:42.220000 --> 0:25:48.720000
 what this incident means,
 or the impact of the incident

0:25:48.720000 --> 0:25:53.480000
 in terms of, you know, uptime and consequently
 business impact,

0:25:53.480000 --> 0:25:58.060000
 as well as the
 regulatory ramifications of the

0:25:58.060000 --> 0:26:02.260000
 incident so was any personally identifiable
 information about customers

0:26:02.260000 --> 0:26:06.900000
 leaked or stuff like this and then finally
 decision support so you need

0:26:06.900000 --> 0:26:10.700000
 to provide actionable intelligence for
 containment eradication and recovery

0:26:10.700000 --> 0:26:15.100000
 because, as I said, that's something that
 you're typically, in most cases,

0:26:15.100000 --> 0:26:18.860000
 you're not going to be dealing with
 in totality especially when we talk

0:26:18.860000 --> 0:26:22.900000
 about recovery but in order for containment
 and eradication as well as

0:26:22.900000 --> 0:26:27.980000
 recovery to be done correctly, or, you know,
 in the way that it should, that

0:26:27.980000 --> 0:26:35.720000
 relies on the findings
 of your analysis, right. So very,

0:26:35.720000 --> 0:26:44.380000
 very important. So what does analysis
 entail? So, you know, we've talked about

0:26:44.380000 --> 0:26:52.140000
 what analysis is, you know,
 how it relates to detection,

0:26:52.140000 --> 0:26:56.920000
 or you know how you go from detection
 to analysis what are the objectives

0:26:56.920000 --> 0:27:02.100000
 of analysis so you may have been asking
 so well okay how do we now in

0:27:02.100000 --> 0:27:07.320000
 the context of computers or computer
 security or digital infrastructure

0:27:07.320000 --> 0:27:14.580000
 um how do we perform analysis um in
 order to you know as i said verify

0:27:14.580000 --> 0:27:23.620000
 that an incident is real scope uh you
 know identify the root cause you

0:27:23.620000 --> 0:27:28.640000
 know perform impact assessment um so
 on and so forth so how do you how

0:27:28.640000 --> 0:27:34.220000
 do you perform analysis well um firstly
 or i should say what does analysis

0:27:34.220000 --> 0:27:39.060000
 entail typically well firstly you have
 evidence preservation so just like

0:27:39.060000 --> 0:27:45.220000
 a crime scene you you know you need
 to capture volatile memory or RAM

0:27:45.220000 --> 0:27:50.100000
 as it were secure log exports and disk
 images in order to ensure data

0:27:50.100000 --> 0:27:54.900000
 integrity right you then want to reconstruct
 the timeline so timeline

0:27:54.900000 --> 0:27:59.680000
 reconstruction so this is where you
 merge endpoint network and you know

0:27:59.680000 --> 0:28:05.860000
 cloud if um if applicable events into
 a minute by minute chronology of

0:28:05.860000 --> 0:28:11.420000
 attack activity you also have IoC expansion
 and hunting so you extract

0:28:11.420000 --> 0:28:17.360000
 new hashes domains IPs registry keys
 and you know beacon patterns um

0:28:17.360000 --> 0:28:22.220000
 and you search enterprise wide to reveal
 additional compromise you then

0:28:22.220000 --> 0:28:26.080000
 you know perform root cause and impact
 analysis so you determine the entry

0:28:26.080000 --> 0:28:31.280000
 vector the exploited vulnerabilities
 lateral movement uh paths and any

0:28:31.280000 --> 0:28:35.720000
 data that was accessed or exfiltrated
 and then business context mapping

0:28:35.720000 --> 0:28:40.860000
 so you cross reference asset criticality
 and regulatory scope think of

0:28:40.860000 --> 0:28:45.820000
 PCI, PHI, PII you know to assign the correct
 severity and compliance actions

0:28:45.820000 --> 0:28:53.400000
 so building on to that because i mentioned
 you know what exactly um what

0:28:53.400000 --> 0:28:59.440000
 um what i wanted to outline was um with
 regards to evidence preservation

0:28:59.440000 --> 0:29:04.120000
 what type of activities and tools would
 you use to do that so in this

0:29:04.120000 --> 0:29:12.860000
 slide i outline um you know these um
 these key activities here um and

0:29:12.860000 --> 0:29:19.020000
 then outline you know the uh the activities
 within them and you know what

0:29:19.020000 --> 0:29:23.200000
 you do for evidence preservation timeline
 reconstruction etc so in the

0:29:23.200000 --> 0:29:27.280000
 case of evidence preservation um you
 know you have memory capture which

0:29:27.280000 --> 0:29:32.560000
 i mentioned so you'd use a tool like
 Velociraptor, WinPmem um and for

0:29:32.560000 --> 0:29:37.120000
 you know you then have disk imaging
 um log exports to secure bucket or

0:29:37.120000 --> 0:29:42.200000
 destination in the context of timeline
 reconstruction you do things like

0:29:42.200000 --> 0:29:47.460000
 merge Sysmon Windows events EDR NetFlow
 uh you know Zeek logs into a unified

0:29:47.460000 --> 0:29:51.560000
 chronology the tools that would be applicable
 here would be Timesketch

0:29:51.560000 --> 0:29:56.720000
 or Plaso uh you then have IoC expansion
 and hunting so you extract new

0:29:56.720000 --> 0:30:01.160000
 hashes IPs domains etc you know pivot
 enterprise wide with a SIEM search

0:30:01.160000 --> 0:30:07.980000
 or EDR search um which is quite important
 um so this is where you have

0:30:07.980000 --> 0:30:11.860000
 pivoting through logs i told you that
 would be important and then you

0:30:11.860000 --> 0:30:15.780000
 have a host artifact analysis so this
 is where you now examine processes

0:30:15.780000 --> 0:30:22.780000
 registry uh in the case of windows
 scheduled tasks persistence keys um

0:30:22.780000 --> 0:30:27.520000
 you know and i've listed some examples
 there and then you also have malware

0:30:27.520000 --> 0:30:33.820000
 and script triage so think of static
 analysis running malware in a sandbox

0:30:33.820000 --> 0:30:39.740000
 identifying a c2 configuration and then
 of course uh mapping all of you

0:30:39.740000 --> 0:30:46.640000
 know the the attacker's activity to you know
 MITRE ATT&CK uh TTPs or techniques

0:30:46.640000 --> 0:30:52.080000
 as it were um and then you have network
 traffic verification so in this

0:30:52.080000 --> 0:30:57.120000
 case the the key activities here will
 be to decrypt or examine PCAPs

0:30:57.120000 --> 0:31:03.240000
 or traffic captures um you know for
 beaconing um exfiltration patterns

0:31:03.240000 --> 0:31:09.320000
 uh all for the purpose or not all for
 the purpose but you know you know

0:31:09.320000 --> 0:31:13.180000
 what would also be included there would
 be correlating with dns queries

0:31:13.180000 --> 0:31:17.380000
 etc then you have business context
 mapping so what you'd be doing here

0:31:17.380000 --> 0:31:22.200000
 is cross-referencing asset criticality
 via cm you know CMDB as an example

0:31:22.200000 --> 0:31:30.880000
 and then um data sensitivity so i mentioned
 you know p um PII PCI PHI

0:31:30.880000 --> 0:31:39.400000
 user privilege and uh now i want to you know
 outline the outputs and deliverables

0:31:39.400000 --> 0:31:45.120000
 so when we talk about the analysis phase
 as an incident responder um what

0:31:45.120000 --> 0:31:49.800000
 are you required to do or what are
 your deliverables so the first one

0:31:49.800000 --> 0:31:54.620000
 is the incident timeline this is very
 very important so what is an incident

0:31:54.620000 --> 0:31:59.440000
 timeline this is a unified chronology
 of attacker actions and defender

0:31:59.440000 --> 0:32:05.020000
 observations right the immediate use uh
 prioritize is you know to prioritize

0:32:05.020000 --> 0:32:11.040000
 containment order and to support legal
 or audit uh review you then have

0:32:11.040000 --> 0:32:15.040000
 your scope matrix uh what is this well
 this is a list of all compromise

0:32:15.040000 --> 0:32:19.320000
 systems accounts and data types very
 very important as you would have

0:32:19.320000 --> 0:32:24.380000
 guessed the use case here is that it
 guides in isolation or containment

0:32:24.380000 --> 0:32:31.660000
 um eradication and recovery uh you then
 have the IoC package so this uh

0:32:31.660000 --> 0:32:36.460000
 what is an IoC package this is a package
 that contains the validated hashes

0:32:36.460000 --> 0:32:44.460000
 IPs domains YARA Sigma rules etc um
 how is this used well it's used to

0:32:44.460000 --> 0:32:49.540000
 um it's used for you know containment
 eradication but mainly containment

0:32:49.540000 --> 0:32:54.180000
 also improves future detection so you
 know think of things like blocking

0:32:54.180000 --> 0:33:01.320000
 C2 enable um enabling enterprise
 wide hunts and tuning detections

0:33:01.320000 --> 0:33:05.780000
 and then a root cause report this is
 very important what is a root cause

0:33:05.780000 --> 0:33:10.080000
 report as the name suggests this is
 a detailed explanation of the entry

0:33:10.080000 --> 0:33:14.680000
 vector or the access vector and what
 weaknesses were exploited um the

0:33:14.680000 --> 0:33:22.020000
 immediate use case here is it drives
 patching um patching efforts um you

0:33:22.020000 --> 0:33:26.320000
 know also drives configuration changes
 and security control improvements

0:33:26.320000 --> 0:33:31.620000
 and then this is not always the case
 but it's usually something that you

0:33:31.620000 --> 0:33:35.840000
 you you should include if applicable and
 that is um you know your detection

0:33:35.840000 --> 0:33:40.620000
 gap analysis so this way you outline
 or this is you know yeah where you

0:33:40.620000 --> 0:33:45.580000
 outline a specified list of missed
 signals or noisy rules um and this

0:33:45.580000 --> 0:33:49.900000
 feeds detection engineering uh the detection
 engineering backlog to reduce

0:33:49.900000 --> 0:33:58.640000
 future um MTTR or false positive rates
 um and finally to end this video

0:33:58.640000 --> 0:34:03.660000
 i want to sort of explain the transition
 um from analysis into the next

0:34:03.660000 --> 0:34:09.200000
 incident response phases and you know
 not that we're we're getting into

0:34:09.200000 --> 0:34:14.840000
 those phases within this course but
 you need to understand um how those

0:34:14.840000 --> 0:34:20.760000
 outputs from the analysis phase uh
 you know feed into the next incident

0:34:20.760000 --> 0:34:25.700000
 response phases so the analysis phase
 hands off a fully scoped evidence

0:34:25.700000 --> 0:34:34.060000
 rich incident um report as it were um
 or you know set of outputs to the

0:34:34.060000 --> 0:34:39.260000
 containment and eradication teams so
 you know isolation commands firewall

0:34:39.260000 --> 0:34:43.400000
 blocks EDR quarantines and patch instructions
 are grounded in the timeline

0:34:43.400000 --> 0:34:49.360000
 and IoC package and recovery teams rely
 on the very same outputs to validate

0:34:49.360000 --> 0:34:55.380000
 that systems are clean and to schedule
 a safe return to production if

0:34:55.380000 --> 0:35:00.820000
 they were you know brought down or taken
 offline so the key point is that

0:35:00.820000 --> 0:35:07.280000
 without a rigorous analysis phase downstream
 actions uh risk being mistargeted

0:35:07.280000 --> 0:35:12.000000
 incomplete or out of proportion to the
 true impact leaving the organization

0:35:12.000000 --> 0:35:18.280000
 still vulnerable to reinfection or regulatory
 penalties so the what i'm

0:35:18.280000 --> 0:35:22.680000
 trying to communicate here is if you
 don't do thorough analysis and you

0:35:22.680000 --> 0:35:29.500000
 say only these systems are affected
 the containment um and eradication

0:35:29.500000 --> 0:35:33.820000
 containment eradication and recovery teams
 of course there might be different

0:35:33.820000 --> 0:35:38.400000
 people responsible for each of those
 but those teams are going to rely

0:35:38.400000 --> 0:35:44.360000
 on that information to again contain
 the threat um eradicated from the

0:35:44.360000 --> 0:35:48.960000
 systems only the systems that you've
 told them have been affected and

0:35:48.960000 --> 0:35:53.180000
 then you know recover those systems
 or you know use backups and you know

0:35:53.180000 --> 0:35:57.120000
 perform a clean reset or you know using
 snapshots all that good stuff

0:35:57.120000 --> 0:36:04.580000
 now if you didn't do that you know use
 your own particular incident and

0:36:04.580000 --> 0:36:13.800000
 in reality there were 10 the pretty much
 nothing has been um you know the

0:36:13.800000 --> 0:36:19.700000
 the incident hasn't been dealt with
 uh the organization is still at you

0:36:19.700000 --> 0:36:24.880000
 know is still under attack so i just
 wanted to communicate that so that

0:36:24.880000 --> 0:36:29.120000
 you understand the importance of analysis
 which is why analysis is getting

0:36:29.120000 --> 0:36:36.240000
 its own dedicated section within this
 course so you may you may be saying

0:36:36.240000 --> 0:36:41.900000
 to yourself well detection is more important
 than analysis based on what

0:36:41.900000 --> 0:36:46.900000
 i've just said because if detection
 is poor then you're still not able

0:36:46.900000 --> 0:36:53.140000
 to again as the incident responder
 analyze or determine the full scope

0:36:53.140000 --> 0:36:56.680000
 of the attack and you're correct there
 which is why i also covered detection

0:36:56.680000 --> 0:37:02.120000
 within this course um to you know to
 give you that understanding and you

0:37:02.120000 --> 0:37:06.280000
 know practical experiences to what detection
 is all about and why it needs

0:37:06.280000 --> 0:37:11.440000
 to be taken seriously but the key point
 here is that analysis needs to

0:37:11.440000 --> 0:37:18.400000
 be thorough um in order for you know
 whatever threat whether it's malware

0:37:18.400000 --> 0:37:24.440000
 or you know regardless of the nature of
 the of the threat it's very important

0:37:24.440000 --> 0:37:30.460000
 that that threat gets contained is
 eradicated and the systems that it

0:37:30.460000 --> 0:37:37.040000
 affected are restored right so you
 you need to ensure that analysis is

0:37:37.040000 --> 0:37:44.300000
 done properly so that the incident is dealt
 with and in terms of the transition

0:37:44.300000 --> 0:37:49.000000
 to the next incident response phase
 in the context of containment again

0:37:49.000000 --> 0:37:52.460000
 i've mentioned this already but i need
 to outline it very clearly isolation

0:37:52.460000 --> 0:37:57.080000
 decisions use the scope matrix and timeline
 to prioritize high value or

0:37:57.080000 --> 0:38:01.840000
 actively beaconing hosts as an example
 and blocking actions applied the

0:38:01.840000 --> 0:38:06.840000
 IoC package that you will provide you
 know to firewalls proxies and EDRs

0:38:06.840000 --> 0:38:11.740000
 in the context of eradication removal
 scripts like you know to delete

0:38:11.740000 --> 0:38:17.580000
 persistence keys that you have told
 them about scheduled tasks etc are

0:38:17.580000 --> 0:38:21.920000
 crafted from artifacts found in host analysis
 so you're hopefully understanding

0:38:21.920000 --> 0:38:27.560000
 it now patch guidance also leverages
 the root cause report to close or

0:38:27.560000 --> 0:38:32.000000
 to patch exploited vulnerabilities in
 the context of the you know recovery

0:38:32.000000 --> 0:38:36.880000
 validation checks rely on updated detection
 rules to confirm no further

0:38:36.880000 --> 0:38:41.240000
 malicious activity and business impact
 reports use the impact assessment

0:38:41.240000 --> 0:38:48.680000
 to inform stakeholders and regulators
 so that is all i wanted to mention

0:38:48.680000 --> 0:38:53.880000
 there now the final key takeaway here
 uh you know i've sort of summarized

0:38:53.880000 --> 0:38:58.640000
 everything we've covered in this video
 you know as long as it is uh but

0:38:58.640000 --> 0:39:03.540000
 this is very important so detection
 rings the alarm analysis turns that

0:39:03.540000 --> 0:39:08.560000
 alarm into a clear actionable picture um
 without thorough analysis containment

0:39:08.560000 --> 0:39:14.440000
 may be incomplete eradication mis-targeted
 and recovery short-lived mastering

0:39:14.440000 --> 0:39:20.800000
 the analysis phase ensures every subsequent
 IR action is decisive efficient

0:39:20.800000 --> 0:39:25.620000
 and fully justified so that's the final
 key takeaway and with that being

0:39:25.620000 --> 0:39:30.440000
 said that's going to be it for this
 video and i will be seeing you in

