I consider it should be a good idea to start with a quick overview or list of Attack Vectors before we dive right into what goes into the Detection and Analysis phase.
Companies should be able to prepare and have plans around common attack vectors, and what to do in those cases, we went over that in our previous post, but this time as a refresher, here is a non-exhaustive list of common attack vectors:
Attack Vectors
External/Removable Media –> An attack executed from removable media (e.g., flash drive, CD) or a peripheral device.
Attrition –> An attack that employs brute force methods to compromise, degrade, or destroy systems, networks, or services.
Web –>An attack executed from a website or web-based application.
Email –> An attack executed via an email message or attachment.
Improper Usage –> Any incident resulting from a violation of an organization’s acceptable usage policies by an authorized user, excluding the above categories.
Loss or Theft of Equipment –> The loss or theft of a computing device or media used by the organization, such as a laptop or smartphone.
Other –> An attack that does not fit into any of the other categories.
Now that we identified what are we looking for, and we understand at a high level the type of attacks we will be responding or defending against, let’s list what are the things that we should be doing in this phase, as well as getting a quick list of tools used during the process:
Cybersecurity IR (Detection and Analysis) – Gather evidence
The first step in detection and analysis is to gather evidence that can help to identify the cause of the incident and the extent of the damage. This may include reviewing logs, network traffic, and system configurations, as well as collecting and analyzing data from intrusion detection systems, antivirus software, and other security tools.
Cybersecurity IR (Detection and Analysis) – Identify indicators of compromise
Once the evidence has been collected, the next step is to look for indicators of compromise (IOCs), which are signs that an incident has occurred. IOCs can include unusual network traffic, suspicious file modifications, or other anomalies that may indicate the presence of malware or other malicious activity.
Cybersecurity IR (Detection and Analysis) – Confirm the incident
Once potential IOCs have been identified, the IR team will need to confirm that an incident has indeed occurred. This may involve conducting additional analysis, such as running forensic tools on compromised systems or analyzing network traffic in more detail.
Intrusion detection and prevention systems (IPS/IDS)
- Snort: Snort is an open-source network intrusion detection and prevention system that can analyze network traffic for suspicious activity and alert network administrators to potential threats. It includes a rule-based system for identifying known threats and can also be customized for specific network environments.
- Suricata: Suricata is an open-source network threat detection engine that is designed for high-speed intrusion detection and prevention. It can analyze network traffic for a wide range of threats and includes a rule-based system for identifying known threats.
- Bro/Zeek: Bro/Zeek is an open-source network security monitoring system that can analyze network traffic in real time for potential threats. It includes a powerful scripting language for customizing analysis and can detect a wide range of threats
.
There are other popular IPS and IDS systems, such as Cisco Firepower, Palo Alto Firewalls, and Fortinet among others. The idea of these platforms is that on top of providing IPS and IDS capabilities, they also provide URL Filtering, Antivirus, Malware Protection as well as SSL Decryption. These solutions are known by the industry as Next Generation Firewalls.
Security information and event management (SIEM) systems
- Splunk: Splunk is a popular SIEM tool that collects and analyzes security-related data from various sources, including logs, events, and network traffic. It uses machine learning and advanced analytics to detect and respond to security threats in real time.
- IBM QRadar: QRadar is a SIEM tool that provides real-time visibility into network security events and activity. It includes advanced analytics and correlation features, as well as threat intelligence and automated response capabilities.
- LogRhythm: LogRhythm is a SIEM tool that uses machine learning and behavioral analysis to detect and respond to security threats in real time. It includes advanced correlation and analytics features, as well as automated response and forensic analysis capabilities.
- McAfee Enterprise Security Manager (ESM): ESM is a SIEM tool that provides real-time visibility into security events and activity across the network. It includes advanced analytics and correlation features, as well as automated response and compliance reporting capabilities.
- Elastic SIEM: Elastic SIEM is a SIEM tool that provides real-time security analytics and threat detection capabilities. It is built on the Elastic Stack, which includes Elasticsearch, Logstash, and Kibana, and can collect and analyze security data from a wide range of sources.
- AT&T Cybersecurity AlienVault USM: AlienVault USM is a SIEM tool that provides real-time threat detection and response capabilities. It includes advanced correlation and analytics features, as well as automated response and compliance reporting capabilities.
Endpoint detection and response (EDR) tools
- Cisco Secure Endpoint: Cisco Secure Endpoint provides real-time visibility and control over endpoints, as well as advanced threat detection and response features. It includes endpoint protection and response capabilities, as well as threat-hunting and forensic analysis capabilities. The platform also provides integration with other Cisco security products for a more comprehensive security solution.
- CrowdStrike Falcon: CrowdStrike Falcon is a cloud-based EDR platform that uses machine learning to detect and prevent threats on endpoints. It includes advanced threat detection and response features, as well as threat intelligence and hunting capabilities.
- Carbon Black: Carbon Black is an EDR platform that uses behavioral analysis and machine learning to detect and prevent threats on endpoints. It includes advanced threat hunting and response features, as well as endpoint protection and response capabilities.
- Tanium: Tanium is an EDR platform that provides real-time visibility and control over endpoints. It includes advanced threat detection and response features, as well as endpoint management and compliance capabilities.
- SentinelOne: SentinelOne is an EDR platform that uses machine learning to detect and prevent threats on endpoints. It includes advanced threat detection and response features, as well as endpoint protection and response capabilities.
- Cylance: Cylance is an EDR platform that uses artificial intelligence to detect and prevent threats on endpoints. It includes advanced threat detection and response features, as well as endpoint protection and response capabilities.
- Symantec Endpoint Protection: Symantec Endpoint Protection is an EDR platform that includes advanced threat detection and response features, as well as endpoint protection and response capabilities. It uses machine learning and behavioral analysis to detect and prevent threats on endpoints.
- McAfee Endpoint Security: McAfee Endpoint Security is an EDR platform that includes advanced threat detection and response features, as well as endpoint protection and response capabilities. It uses machine learning and behavioral analysis to detect and prevent threats on endpoints
.
Network traffic analysis tools
- Cisco Secure Network Analytics: Formerly Stealthwatch, is a network traffic analysis tool that uses behavioral analysis and machine learning to detect and prevent threats on the network. It provides visibility into network traffic and identifies anomalous behavior that may indicate a security threat.
- tcpdump: tcpdump is a command-line network packet capture tool that can capture and display network traffic in real time. It is available on multiple platforms, including Linux and macOS.
- Snort: Snort is an open-source network intrusion detection system that can analyze network traffic for suspicious activity and alert network administrators to potential threats.
- Zeek: Zeek (formerly known as Bro) is an open-source network analysis framework that can capture and analyze network traffic in real time. It includes a powerful scripting language for customizing analysis.
- Nmap: Nmap is a network mapping and scanning tool that can be used to discover devices on a network and identify potential vulnerabilities.
- NetFlow Analyzer: NetFlow Analyzer is a network traffic analysis tool that can provide insights into traffic patterns, application usage, and network performance.
- PRTG Network Monitor: PRTG Network Monitor is a network monitoring tool that can capture and analyze network traffic in real time. It can also provide alerts and reports on network performance and usage.
What tools are commonly used for Forensic Analysis?
- EnCase: EnCase is a popular digital forensic tool that allows investigators to collect, analyze, and report on digital evidence.
- FTK (Forensic Toolkit): FTK is another digital forensic tool that enables the analysis of a wide range of digital devices, including hard drives, mobile devices, and cloud storage.
- Autopsy: Autopsy is an open-source digital forensic tool that allows investigators to recover and analyze data from a wide range of sources, including hard drives, network traffic, and mobile devices.
- X-Ways Forensics: X-Ways Forensics is a digital forensic tool that is known for its fast and efficient processing of large volumes of data.
- Volatility: Volatility is a memory analysis tool that allows forensic investigators to analyze the memory of a computer or other digital device.
- Wireshark: Wireshark is a network protocol analyzer that is often used in forensic investigations to analyze network traffic and identify potential security issues.
- The Sleuth Kit: The Sleuth Kit is an open-source digital forensic tool that allows investigators to analyze file systems and recover deleted files.
What tools are commonly used for Malware Analysis?
- Cisco Secure Malware Analytics (Threat Grid): is a cloud-based malware analysis and threat intelligence platform that uses advanced analytics and sandboxing techniques to detect and prevent malware threats. It provides real-time threat intelligence and forensic analysis capabilities to help security teams identify and respond to advanced threats
- IDA Pro: IDA Pro is a popular disassembler and debugger that is often used in malware analysis. It allows analysts to disassemble and analyze the code of an executable file or malware sample.
- OllyDbg: OllyDbg is a debugger that allows analysts to step through the execution of a program or malware sample, view and modify memory, and identify potential vulnerabilities.
- Radare2: Radare2 is an open-source reverse engineering framework that includes disassemblers, debuggers, and other tools for analyzing malware.
- Ghidra: Ghidra is a free and open-source reverse engineering tool that includes a disassembler and decompiler, as well as tools for analyzing and visualizing code.
- PEiD: PEiD is a tool for detecting packers and other obfuscation techniques used by malware authors to evade detection.
- VirusTotal: VirusTotal is a web-based malware analysis service that allows analysts to upload malware samples and receive reports on their behavior and characteristics.
- Cuckoo Sandbox: Cuckoo Sandbox is an automated malware analysis tool that allows analysts to run malware samples in a controlled environment and analyze their behavior.
About the Author:
Andres Sarmiento, CCIE # 53520
With over 18 years of professional experience, Andres is a specialist in Unified Communications and Collaboration technologies, Enterprise Networks, and Network Security. He has consulted for numerous companies in South Florida, including Financial Institutions, on behalf of Cisco Systems. Andres has played a key role in several high-profile implementations, utilizing Cisco technologies such as Data Center, UC & Collaboration, Contact Center Express, Routing & Switching, Security, and Hosted IPT Service Provider infrastructures.