Cisco CyberOps Associate 3 - Cybersecurity investigation techniques

Endpoint-based attacks

  • Buffer overflows:
    • Too much data written into a fixed-size buffer.
    • Know which buffers the input can access and modify.
    • Know where to look.
    • Know what it can do.
  • Command and Control (C2):
    • Establish a control endpoint.
    • Connects to server.
    • Data theft.
    • Shutdown or reboot.
    • Look for unusual outbound activity.
    • Know purpose and role of the endpoint.
    • Visibility.
    • Data analysis of malware.
  • Malware:
    • Any malicious intent on software systems.
    • Endpoint antivirus.
    • Regular scans.
    • 2nd opinion.
  • Ransomware:
    • Encrypts all data on your systems.
    • Monitor known ransomware extensions.
    • Large volume of file renames.
    • AI based systems.
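Added example (not from the course notes): the two ransomware indicators above, known extensions and a burst of renames, turned into a small awk check over a constructed file-activity log. The log format, the watched extension list and the threshold are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not part of the course notes.
# Assumed (constructed) log format, one event per line:
#   <epoch-seconds> <user> RENAME <old-path> <new-path>

# Extensions assumed to be on the "known ransomware extensions" watch list.
RANSOM_EXTS="locked|crypt|encrypted|wncry"
# Flag a user with more than this many watched renames inside 60 seconds.
RENAME_THRESHOLD=5

# Constructed sample log: alice does one ordinary rename, bob renames six
# files to .locked within ten seconds (the pattern to flag), carol one file.
SAMPLE_LOG='1700000000 alice RENAME /home/alice/draft.txt /home/alice/report.txt
1700000100 bob RENAME /srv/share/q1.xlsx /srv/share/q1.xlsx.locked
1700000101 bob RENAME /srv/share/q2.xlsx /srv/share/q2.xlsx.locked
1700000102 bob RENAME /srv/share/plan.docx /srv/share/plan.docx.locked
1700000103 bob RENAME /srv/share/notes.txt /srv/share/notes.txt.locked
1700000105 bob RENAME /srv/share/img.png /srv/share/img.png.locked
1700000109 bob RENAME /srv/share/db.sqlite /srv/share/db.sqlite.locked
1700000400 carol RENAME /home/carol/a.txt /home/carol/a.txt.locked'

# Reads the log on stdin; prints "<user> <count>" for every user whose
# renames to a watched extension exceed the threshold (optional first
# argument, default RENAME_THRESHOLD) within a 60-second sliding window.
detect_rename_bursts() {
  awk -v exts="$RANSOM_EXTS" -v thr="${1:-$RENAME_THRESHOLD}" '
    $3 == "RENAME" && $5 ~ ("\\.(" exts ")$") {
      # keep the timestamps of suspicious renames, per user, in log order
      n[$2]++; ts[$2, n[$2]] = $1
    }
    END {
      for (u in n) {
        # for each start event, count events that fall within the next 60 s
        for (i = 1; i <= n[u]; i++) {
          c = 0
          for (j = i; j <= n[u] && ts[u, j] - ts[u, i] <= 60; j++) c++
          if (c > thr) { print u, c; break }
        }
      }
    }'
}

# Stand-alone run over the constructed log: prints "bob 6".
printf '%s\n' "$SAMPLE_LOG" | detect_rename_bursts
```

On a real host the stdin would be an audit or file-server log instead of the constructed string; the window and threshold are the knobs to tune per endpoint so that normal batch renames do not trip the check.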

Windows 10 components

  • Task manager:
    • Check task performance (check volume, link to resource monitor).
    • Check startup tasks (check injections).
  • Performance monitor (more detail than the Task Manager performance tab).
  • Reliability monitor (critical events).
  • Event viewer (post-mortem analysis):
    • Logs (application, security, setup, system, forward events from other Windows systems).

Ubuntu components

  • Know your machine version:
    uname -a
  • Find components on shell
    # go all the way back to the root directory
    cd /
    # list
    ls
    # look for logs
    cd var
    cd log
    # check content
    vim auth.log
    :q! # exit vim without saving
  • KSysGuard:system monitor.
  • Htop: resource intensive process monitor.
  • Network details: netstat -ano | less.
  • Remove process using its id: kill PID.
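Added example (not from the course notes) tying the netstat line above to the C2 advice earlier on the page ("look for unusual outbound activity", "know purpose and role of the endpoint"): an awk filter over constructed netstat output that prints established connections leaving the host on a remote port the endpoint's role does not explain. The output layout, the allowlist of ports and the rule that a high local port marks an outbound connection are all assumptions of this example.

```shell
#!/bin/sh
# Added example, not part of the course notes.
# Remote ports this endpoint's role is assumed to justify (a workstation:
# web on 80/443 and DNS on 53); everything else outbound gets listed.
ALLOWED_REMOTE_PORTS="80,443,53"

# Constructed netstat-style output (Proto Recv-Q Send-Q Local Foreign State Timer).
SAMPLE_NETSTAT='Proto Recv-Q Send-Q Local Address           Foreign Address         State       Timer
tcp        0      0 10.0.0.5:44312          93.184.216.34:443       ESTABLISHED off (0.00/0/0)
tcp        0      0 10.0.0.5:22             10.0.0.9:51044          ESTABLISHED keepalive (7200.00/0/0)
tcp        0      0 10.0.0.5:53122          203.0.113.77:4444       ESTABLISHED off (0.00/0/0)
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      off (0.00/0/0)
tcp        0      0 10.0.0.5:38180          198.51.100.10:8080      ESTABLISHED off (0.00/0/0)
udp        0      0 10.0.0.5:55010          10.0.0.1:53             ESTABLISHED off (0.00/0/0)'

# Reads netstat output on stdin; prints the foreign address of each
# established connection that (a) was opened from an ephemeral local port,
# i.e. is outbound, and (b) goes to a remote port not in the allowlist
# (optional first argument, default ALLOWED_REMOTE_PORTS).
flag_unusual_outbound() {
  awk -v allow="${1:-$ALLOWED_REMOTE_PORTS}" '
    BEGIN { n = split(allow, a, ","); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    NR > 1 && ($1 == "tcp" || $1 == "udp") && $6 == "ESTABLISHED" {
      lp = $4; sub(/.*:/, "", lp)   # local port (text after the last colon)
      rp = $5; sub(/.*:/, "", rp)   # remote port
      # assumption: a local port >= 32768 is ephemeral, so the host initiated it
      if (lp + 0 >= 32768 && !(rp in ok)) print $5
    }'
}

# Stand-alone run over the constructed table: lists the 4444 and 8080 peers.
printf '%s\n' "$SAMPLE_NETSTAT" | flag_unusual_outbound
```

The inbound SSH session (local port 22) is deliberately skipped, since the role check here is about connections the endpoint started; a server's allowlist would look different, which is the "know purpose and role" point.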

Attribution in an investigation

  • Attribution: who did it?
    • Follow an attack.
    • Cyber attribution.
    • Difficult task, not a lot of physical clues.
  • Investigation:
    • Goals to find:
      • Assets compromised.
        • Digital / physical.
        • Hidden and open.
      • Threat actor (who did it).
        • Individuals, groups or organizations.
        • Leverage assets to target attackers.
        • Motives, capabilities, goals and resources.
    • Evidence:
      • Indicators of compromise:
        • breadcrumbs.
        • Log entries or files.
        • Not easy to detect what happened.
      • Indicators of attack (IOA):
        • Detect what attack is trying to accomplish.
        • What is happening and why?
        • Cyber kill chain:
          1. Reconnaissance: Intruder selects target, researches it, and attempts to identify vulnerabilities in the target network.
          2. Weaponization: Intruder creates remote access malware weapon, such as a virus or worm, tailored to one or more vulnerabilities.
          3. Delivery: Intruder transmits weapon to target (e.g. via e-mail attachments, websites or USB drives).
          4. Exploitation: Malware weapon’s program code triggers, which takes action on target network to exploit vulnerability.
          5. Installation: Malware weapon installs an access point (e.g. “backdoor”) usable by the intruder.
          6. Command and Control: Malware enables intruder to have “hands on the keyboard” persistent access to the target network.
          7. Actions on Objective: Intruder takes action to achieve their goals, such as data exfiltration, data destruction, or encryption for ransom.
      • Chain of custody:
        • Collection.
        • Examination.
        • Analysis.
        • Reporting.

Types of evidence based on logs

  • Evidence:
    • Basis for factual statements.
    • Collected data to verify the factual statement.
    • Obtained through proper investigation.
    • Best evidence = unaltered data.
  • Corroborative evidence:
    • Additional evidence to support presented evidence (e.g. attack demo).
  • Indirect evidence:
    • Circumstantial evidence.
    • Inferred.

Disk Images

  • Perform tests on a copy of a disk, to preserve the original data as evidence.
    • Use Gnome Disks.
    • Use the shell:
      # compare disks sdb and sdc
      sudo fdisk -l /dev/sdb /dev/sdc
      # generate the hashes and compare them
      # if it is the same result, you already copied it
      sudo shasum -a 256 /dev/sdb
      sudo shasum -a 256 /dev/sdc
      # copy, if=input-file, of=output-file, status=progress to show output
      sudo dd if=/dev/sdb of=/dev/sdc status=progress
      # after this, check shasum again to verify they are copies
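Added example (not from the course notes): the hash-copy-hash routine above wrapped in functions that record the source hash first, copy with dd, and then confirm that both the copy and the untouched source still match that hash. A constructed 64 KiB file stands in for /dev/sdb so it runs without any real disk; the function names are this example's own.

```shell
#!/bin/sh
# Added example, not part of the course notes.

# SHA-256 of a file or device; sha256sum (coreutils) with shasum as fallback.
hash_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

# verify_copy <source> <copy> [hash-recorded-before-copying]
# Succeeds only if the copy matches the source AND the source still matches
# the hash taken before dd ran (so the original was not altered by the copy).
verify_copy() {
  src_now=$(hash_of "$1")
  dst_now=$(hash_of "$2")
  before=${3:-$src_now}
  if [ "$src_now" = "$before" ] && [ "$dst_now" = "$before" ]; then
    echo "VERIFIED $before"
    return 0
  fi
  echo "MISMATCH src=$src_now dst=$dst_now"
  return 1
}

# acquire_image <source> <destination>
# Hash first, copy with dd, then verify; prints the verdict.
acquire_image() {
  before=$(hash_of "$1")
  # status=progress (as in the notes) shows a live byte count on a real disk;
  # stderr is silenced here so the function's only output is the verdict.
  dd if="$1" of="$2" bs=4096 2>/dev/null
  verify_copy "$1" "$2" "$before"
}

# Stand-alone run: a constructed random 64 KiB "disk" in place of /dev/sdb.
main() {
  work=$(mktemp -d)
  head -c 65536 /dev/urandom > "$work/evidence.img"
  acquire_image "$work/evidence.img" "$work/working-copy.img"
  rm -rf "$work"
}
main
```

Keeping the pre-copy hash and writing it into the case notes is what makes the copy usable as evidence later: anyone can rerun hash_of on the original and show it is unchanged since acquisition.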

Interpret output from a malware analysis tool

Firepower Management Center: threats dashboard:

  • Indications of compromise:
    • Host.
    • User.
    • Security intelligence (follow up the URL: is it blocked? Compare it to VirusTotal).
    • Malware (checking the SHA hash is useful to follow up redistribution).