Network Security Monitoring

Chapter 5: Indication of Compromise (IoC)

Content
In this Chapter, we will cover the following topics:
 Indication of Compromise and its role in SOC operations.
 IOC vs Attack signatures
 IOC Examples
Indicators of Compromise (IOC) Definition

 Indicators of compromise (IOCs) refer to data that indicates a system may have been
intruded by a cyber threat. They provide cybersecurity teams with crucial knowledge
after a data breach or another breach in security.

34
 Computer security incident response teams (CSIRTs) use IOCs for malware
detection, to enhance Sandbox security, and to verify the effectiveness of heuristic
analysis. They are also used to detect and prevent attacks or to limit the damage
done by stopping the attacks early on.

Source: Fortinet
How Do Indicators of Compromise Work?

 IOCs act as flags that cybersecurity professionals use to detect unusual activity that is
evidence of or can lead to a future attack. There are several different types of IOCs. Some
include simple elements like metadata and others are more complex, such as complicated
code of malicious content.
 It is often helpful for information security professionals to gather several IOCs and then see if
there is a correlation between them indicating details of a possible attack.

Source: Fortinet
Indicator of Compromise (IoC) vs Attack Signature

 Indicator of Compromise (IoC):

 Evidence left behind by a malicious actor or malware that suggests a potential security breach has occurred. It's a sign
that a system might be compromised.
 Specificity: IoCs can be very specific (e.g., a particular file hash) or more general (e.g., unusual network traffic patterns).

S
 IoCs can be used to trigger security alerts, initiate investigations, or implement containment measures to mitigate
potential damage.
g
 Examples: Diss
o A suspicious registry entry created by malware.

 Attack Signature:
 An attack signature is a specific pattern or characteristic used by a known attack or exploit. It's like a fingerprint for a
particular malicious activity.
 Attack signatures are highly specific and designed to detect a particular type of attack.
 Security software like intrusion detection systems (IDS) or antivirus programs use attack signatures to identify and
potentially block malicious activity.
 Examples:
o A pattern of network packets used in a specific denial-of-service attack.
Indicator of Compromise (IoC) vs Attack Signature…(examples)

 IoCs focus on evidence of a potential attack: The examples, like unusual database queries or
suspicious file uploads, are signs that something might be wrong but don't necessarily pinpoint a specific
attack technique.
 IoCs can be more general: like unexpected login attempts or unauthorized resource access, could be
indicators of various types of attacks, not just a single signature.
 Attack signatures (known attack patterns): Attack signatures are designed to detect a specific
sequence of events or malicious code used in a particular exploit or attack method.
 Attack signatures (active blocking): Security software like intrusion detection systems (IDS) or
antivirus programs leverage attack signatures to identify and potentially block known malicious activity.

IoCs are broader indicators of potential compromise, while attack signatures are specific patterns
used to detect known malicious activity. Security professionals often use a combination of IoCs and
attack signatures to create a more comprehensive security posture.
Advantages of IOCs

 Early Detection: IoCs can help identify malicious activity in its early stages, before significant damage is caused.
By detecting suspicious signs like unusual network traffic or specific file hashes, security teams can investigate and
take action to contain the threat.
 Proactive Defense: IoCs enable a proactive approach to security. Security teams can update their security tools
(firewalls, intrusion detection systems) with IoCs to actively block or flag suspicious activity associated with known
threats.
 Improved Incident Response: When a security breach does occur, IoCs can be used to identify the scope of the
attack and expedite the incident response process.
 Threat Intelligence Sharing: IoCs are often shared within the security community. This collaboration allows
organizations to benefit from the collective knowledge of others and stay updated on the latest threats and their
associated IoCs.
 Reduced Risk: By enabling early detection, proactive defense, and improved incident response, IoCs ultimately
help reduce the risk of successful cyberattacks and minimize potential damage to systems and data.
IoC for Application Security Threats

You can monitor such indicators and detect the web application threats or compromise at an early
stage. Listed below are some general examples of the IoCs of web application security threats:
 Unavailability of Website, Web service, or applications
 Alerts and notification from tools like WAF, SIEM, and IDS
 Redirection of URLs to incorrect sites
 Unusually slow network or application performance
 Frequent rebooting of the server
 Abnormal behavior in web applications such as pop-ups and spam messages
 Search engines flag the website as insecure
 Inappropriate login attempts from various geographical locations
 Variation in the sizes of the HTTP request and response
 Getting too many requests for accessing the same file
Injection Attacks (SQL Injection, XSS) IOC

General IOC:
 Unusual Database Queries: Look for database queries with unexpected syntax,
characters, or encoding that might indicate attempts to exploit vulnerabilities.
 Suspicious Input Validation Failures: Monitor for instances where user input bypasses
validation checks, potentially allowing for injection of malicious code.
SQL Injection IOC example

 Normal Login
[timestamp] "POST /login.php HTTP/1.1" 200 345 "https://yourwebsite.com/products.php" "Mozilla/5.0 (Windows NT 10.0; Win64; x64)
AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.0.0 Safari/537.36"
Content-Type: application/x-www-form-urlencoded
username=johndoe&password=securepassword123

 Explanation of Normal Login:

 Method: This is a POST request, typically used for submitting form data like login credentials.
 Path: The request targets the /login.php script specifically designed for handling login attempts.
 Status Code: The server responds with a 200 code, indicating successful processing of the request.
 Referrer: The referrer header shows the user came from the products page
(https://yourwebsite.com/products.php).
 User-Agent: This remains similar to the previous example, indicating the user's browser information.
 Content-Type: This header specifies the data format being sent, which is URL-encoded form data in this case.
 Login Data: The actual content of the request body contains the username (johndoe) and password
(securepassword123) sent through the form.
SQL Injection IOC example cont..

 Suspicious SQL Injection Attempt (compared to Normal Login):

[timestamp] "GET /products.php?id=1+AND+username='hackzor'&password='123456' HTTP/1.1" 400 234 "-" "Mozilla/5.0 (Windows NT 10.0;
Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.0.0 Safari/537.36"
Key Differences:
 Method: This is a GET request, often used for retrieving data from a server. It's unusual for a login attempt to use GET.
 A normal login request uses the designated login script (/login.php) with appropriate methods (POST) and data formats to send
username and password for authentication.
 Normal scenario: The id parameter in a product listing page might typically hold a numeric product ID (e.g., id=25).
 Attacker's attempt: In this case, the attacker has crafted a malicious string for the id parameter. It includes:
1+AND+username='hackzor'&password='123456': This is a classic SQL injection attempt.
1+AND: This part is likely intended to evaluate to a non-zero value (true) and bypass a basic check on the id parameter.
username='hackzor'&password='123456': This injects a conditional statement to potentially check if a username "hackzor" exists with a
password "123456" in the database.

 HTTP/1.1: This is the HTTP protocol version used.

 400: This is the status code returned by the server, indicating a "Bad Request". This could be due to the server recognizing the
malformed query or due to the specific logic of the application.
 234: This is the number of bytes sent by the server in response.
 "-": This field might represent the referrer header, which is empty in this case.
 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.0.0 Safari/537.36":
This is the user-agent string sent by the attacker's browser, indicating the operating system and browser version.
 Missing Login Data: There's no standard username or password field used for login within this request.
 Suspicious id Parameter: The presence of a complex string within the id parameter is a red flag. It injects SQL code
(1+AND+username='hackzor'&password='123456') to potentially bypass authentication or access unauthorized data.
.
 -
when the user input is sent back to the browser insecurely
.
> allows
- attackers to run malicious code
.

Cross-Site Scripting (XSS) >

-

Unexpected script tags or suspicious JS code

.

>
-
inject harmful code
.

 Reflected XSS Attempts: Look for instances where user input is reflected back to the browser without
proper escaping, potentially allowing for XSS attacks.
 Unusual Script Injection: Monitor for unexpected script tags or suspicious JavaScript code being injected
into web pages.

 XSS Attempts In Cross Site Scripting (XSS) attack, the attackers exploit the vulnerability in the web application by
injecting malicious script, such as JavaScript, HTML, or CSS markup in the web application code.
 Common XSS attacks use HTML tags, such as <script></script>, <IMG>, <INPUT>, and <BODY>. You should look for
HTML tags, other XSS signature words, and their equivalents in web access logs to check for XSS attacks.
 the attackers encode the injection data by using following obfuscation techniques:
 Hex Encoding Attackers use hex values of the characters to bypass the security mechanisms.
 Normal XSS script: <script>alert(“XSS”)</script> o Hex encoded XSS script:
%3cscript%3ealert(”XSS”)%3c/script%3e> - >hex encoded .

 In-line Comment Attackers use Inline comments in middle of attack strings to bypass security mechanisms.

 The following includes the malicious script

 <script>alert("XSS Attack!")</script>, which gets executed when you click the link.
More IOC examples…

 Broken Authentication:
 Brute Force Login Attempts: Monitor for a high number of failed login attempts from a single IP
address or using common credential combinations.
 Unusual Login Times or Locations: Identify login attempts originating from unexpected locations or
times outside of typical user behavior.
 Broken Authorization:
 Access Attempts to Unauthorized Resources: Monitor for attempts to access resources or
functionalities that a user's role shouldn't have access to.
 Unusual API Requests: Track unexpected or unauthorized API requests that might indicate attempts
to exploit authorization flaws.
IoC Detection Techniques: Directory Traversal Attempts

 Directory traversal attempts aim to access unauthorized files or directories on a web server. Here are
some IoCs you can look for in server logs to identify potential attempts:

 Suspicious Requests in Access Logs:

 Requests containing "../" or "..%2e%2e" sequences: These sequences represent attempts to navigate up the
directory tree structure. For example, a request like http://yourwebsite.com/admin/../config.php tries to access

navigate
the config.php file one level above the admin directory. up
the directory free

 Similarly, http://yourwebsite.com/files/..%252e%252e/sensitive_data.txt tries to access sensitive_data.txt using

URL encoding to bypass basic filtering.

 Requests for unusual files or directories: Look for requests targeting files or directories that shouldn't be
normally accessible from the web. For example, a request for http://yourwebsite.com/server.pem might
~
↳ Ey extension for storing
indicate an attempt to access the server's private key file. be accessed
shouldn't cryptographic KayS
.
on the web
 Errors related to file access: Monitor for errors indicating a user tried to access a file or directory outside the
intended access path. These might include messages before
- Monitor & look for errors

acces
the attacker gains
 Directory Traversal Attempts IOC from Wireshark

 check the log files or the web server traffic using log analysis or sniffing tools (such as
Wireshark) respectively and look for special characters in the data packets such as file=
../../../../etc/ or ..\..\..\etc\passwd.

 The attacker on
the IP 172.19.19.7
has exploited the
directory path
traversal
vulnerability and
downloaded
wpconfig.php file
residing on the
server.
IoC Detection Techniques: Dictionary Attacks

 Attackers use techniques and methods such as brute-force, dictionary, and rainbow
table to gain access to the passwords or other credentials of the web application.

 General IoC:
 High Volume of Login Attempts: A sudden surge in login attempts, particularly failed logins, can be a red flag.
Attackers often automate dictionary attacks, leading to a significant increase in login attempts within a short
period.
 Login Attempts from Unusual Locations or Times: Monitor for login attempts originating from IP addresses or
locations outside the typical user base. Additionally, be wary of attempts occurring at unusual times, like the
middle of the night. Attackers might use automated scripts that run 24/7.
 Brute Force Attempts with Common Credentials: If you see a pattern of login attempts using well-known
username and password combinations (e.g., "admin/password," "user/user123"), it suggests a potential
dictionary attack trying common credential pairs.
 Account Lockouts: A rise in account lockouts due to exceeding the allowed login attempts can indicate an
attacker is systematically trying various passwords for a specific account.
-
Data theft
(financial)-
IoC Detection Techniques: Dictionary Attacks … Detection
 Check for logs containing the login pages and their status codes unchanged as shown in the screenshot on the above slide.

The highlighted log in the screenshot

shows that the attacker on the IP
we
procee
172.19.19.7 has attempted to log in O
to the website
http://172.19.19.18/wordpress with
wrong passwords and was
unsuccessful till the log entry 116.
You can identify this observing the
request type (POST) and the status
code (200) between logs 102 to 116.
The attack was successful at log 117,
which displays the status code 302,
meaning URL redirection from wp-
login.php

Bauthenticated
IoC for Network Security Threats: DNS Footprinting

 It is a reconnaissance technique attackers use to gather information about a target organization's IT

infrastructure the focus is on revealing information about DNS zone. DNS zone data includes the DNS
domain names, computer names, IP addresses, and much more about a particular network.

 An attacker uses the DNS information to determine key hosts in the network, and then performs social
engineering attacks to gather even more information.

 When the attacker queries the DNS server using the DNS interrogation tool, the server responds with a
record structure that contains information about the target DNS.
 The information gathered through DNS footprinting can be used to plan more sophisticated attacks.
Attackers might learn about: Existing subdomains and potential vulnerabilities, Internal network architecture
and resource locations DNS footprinting is a method attackers use to gather information about a target organization's IT
infrastructure by examining DNS zone data. This data includes domain names, computer names,
and IP addresses.

Attackers use this information to identify key hosts and perform social engineering attacks to gather
more details. When they query the DNS server with a DNS interrogation tool, the server provides a
record structure with information about the target DNS.

This information helps attackers plan more advanced attacks, revealing subdomains, vulnerabilities,
and the internal network layout.
IoC for Network Security Threats: DNS Footprinting Attack

 It is a reconnaissance technique attackers use to gather information about a target

organization's IT infrastructure the focus is on revealing information about DNS zone. DNS
zone data includes the DNS domain names, computer names, IP addresses, and much more
about a particular network.

 An attacker uses the DNS information to determine key hosts in the network, and then
performs social engineering attacks to gather even more information.

 When the attacker queries the DNS server using the DNS interrogation tool, the server
responds with a record structure that contains information about the target DNS.

 The information gathered through DNS footprinting can be used to plan more sophisticated
attacks. Attackers might learn about: Existing subdomains and potential vulnerabilities,
Internal network architecture and resource locations
IoC for Network Security Threats: IOCs DNS Footprinting

 Unusual DNS Traffic Patterns: Monitor for a sudden increase in DNS queries, especially for
subdomains or domains you don't recognize. Attackers might be probing for non-public or
internal hostnames within your organization.
 Zone Transfer Requests: Zone transfer requests allow retrieving a complete list of records
for a specific domain. While legitimate uses exist, a sudden increase in zone transfer
requests, especially from unknown sources, could indicate DNS footprinting.
 DNS Queries for Internal Resources: If your DNS logs show queries for internal resources
(e.g., servers, applications) from external IP addresses, it could be an attacker trying to
identify your internal network structure.
IoC for Network Security Threats: DNS Poisning

 is a process in which the user is misdirected to a fake website by providing fake data to the DNS server.
 The attacker performs this type of attack by manipulating the DNS table entries in the DNS system.
 Suppose the victim wants to access the website 123.com, the attacker manipulates the entries in the DNS table in
such a way that the victim is being redirected to the attacker’s server instead. This can be done by changing the
IP address of 123.com to the attacker’s malicious server IP address.

IoC for DNS Poisoning:

 Unexpected DNS Resolution: Users on your network report issues resolving websites or experiencing redirection to unfamiliar
websites. This could indicate DNS poisoning altering DNS records and directing traffic to malicious servers.
-
 Discrepancies in DNS Responses: If you have access to internal DNS resolvers, compare their responses to public DNS
resolvers for the same domain names. Inconsistencies might suggest DNS poisoning on your network.
 Suspicious Entries in DNS Logs: Monitor your DNS server logs for unusual queries or updates to DNS records, especially for
critical internal resources.

Discrepancies in DNS Responses (Real-world Example): An organization's IT team notices a discrepancy when comparing the
IP address returned by their internal DNS server for a specific domain (e.g., "https://www.salesforce.com/") to the IP address
returned by a public DNS server like Google DNS. This inconsistency suggests potential DNS poisoning on their internal network.
IoC for Network Security Threats: ARP Poisoning

 is an attack in which the attacker tries to associate their own MAC address with the victim’s IP address so that the traffic
meant for that IP address is sent to the attacker.
 ARP (Address Resolution Protocol) is a TCP/IP protocol that maps IP network addresses to the addresses (hardware
addresses) used by the data link protocol.
 If the machine sends an ARP request, it normally considers that the ARP reply comes from the right machine. ARP
provides no means to verify the authenticity of the responding device. In fact, many operating systems implement ARP
so trustingly that devices that have not made an ARP request still accept ARP replies from other devices.
 An attacker can craft a malicious ARP reply that contains an arbitrary IP and MAC address. Since the victim’s computer
blindly accepts the ARP entry into its ARP table, an attacker can force the victim’s computer to think that the IP is related
to the MAC address they want.

ARP poisoning is an attack where an attacker associates their MAC address

with a victim's IP address, redirecting traffic meant for that IP to themselves.
ARP (Address Resolution Protocol) maps IP addresses to hardware addresses.
When a machine sends an ARP request, it assumes the ARP reply is
legitimate, as ARP lacks verification mechanisms. Attackers can send
malicious ARP replies with arbitrary IP and MAC addresses, which the victim's
computer accepts without verification, making it think the attacker's MAC
address is associated with the target IP.
IoC for Network Security Threats: IoC for ARP Poisoning

 Network Performance Issues: Users on your network experience slowdowns, unexpected

disconnections, or difficulty accessing network resources. This could indicate ARP poisoning
disrupting communication between devices on the network.
 Duplicate IP Addresses: ARP poisoning involves sending spoofed ARP messages claiming a
different device's MAC address. Tools like arpwatch or network monitoring software might identify
inconsistencies in MAC addresses associated with specific IP addresses.

② Increased ARP Traffic: A significant rise in ARP requests or gratuitous ARP messages within
your network traffic could be a sign of ARP poisoning activity.
 Duplicate IP Addresses: The network monitoring software identifies multiple devices with the
same IP address (e.g., 192.168.1.100) but different MAC addresses.
IoC for Network Security Threats: DHCP Starvation Attack

 Attacker floods the DHCP server by sending a large number of DHCP requests and uses all the
available IP addresses that the DHCP server can issue.
 As a result, the server cannot issue any more IP addresses, leading to a denial of service (DoS)
attack. Because of this issue, valid users cannot obtain or renew their IP addresses, and thus fail to
access their network.
 The DHCP starvation attack is similar to the Synchronization (SYN) flood attack. The victim network
suffers a starvation of DHCP resources as the attackers are continuously broadcasting fake DHCP
requests. The attackers can also place a rogue DHCP server in their system and respond to the
DHCP requests from the victims or users.
IoC for Network Security Threats: DHCP Starvation Attack

 Loss of Network Connectivity for New Devices: If new devices attempting to connect to your network are unable to
obtain IP addresses due to a lack of DHCP leases, it could be a DHCP starvation attack consuming all available leases.
 High Volume of DHCP Requests: Monitor your DHCP server logs for a sudden surge in DHCP requests, particularly if
they originate from a single source or unfamiliar MAC addresses.
 Exhaustion of DHCP Lease Pool: If your DHCP server logs indicate that the available lease pool is depleted despite a
normal number of connected devices, it suggests a potential DHCP starvation attack.
 High Volume of DHCP Requests: The DHCP server logs show a sudden influx of DHCP requests exceeding the
typical volume, all originating from the same IP address (e.g., 10.0.0.1).
 Exhaustion of DHCP Lease Pool: The DHCP server logs indicate that the available lease pool is depleted despite a
relatively constant number of connected devices on the network.
 UN SUIE
IoC for Malwares: Sources =>

 Un-patched Computers The majority of attacks on a host are due to the lack of proper patching or the
use of outdated software installed on the host.
 Email Host system security can be compromised through sending unsolicited emails such as phishing,
malicious attachments, and spam emails.
 Network File Sharing permits the users to share files between their individual systems over the Internet.
 Internet Downloads from untrusted sources can lead the users in downloading malware onto their
systems.
 Social Engineering Attackers use social engineering techniques to gain sensitive information which may
help them further to gain
 unauthorized access, malware infection, and so on.
IoC for Malwares: Examples

1. Abnormal network traffic flows

2. Unexplained bounced emails
3. Displays of irrelevant alerts, ads, and pop-ups
4. Logs showing malicious attempts of port scanning, unauthorized access, and so on
5. Modification, deletion, or relocation of files
6. Blue screen of death (BSOD)
7. Sudden freeze, shutdown, and crash of system, System slowdown and longer reboot times
8. Inability to install updates
9. Automatically disable security programs
10. Web browser configuration changes
11. Running of suspicious processes at system startup
12. Unexplained and frequent crashing or instable behavior of system
13. Unapproved installation, launch and closure of programs
IoC for Malwares: Examples

1. Consumption of storage space

2. Large number of unwanted emails and social posts
3. Unavailable programs or system resources
4. Failure in connection attempts
5. Unknown running processes
6. Strange dialog box appears requesting permission to run any program
7. Router, firewall, and network IDS alert regarding the Trojan horse client-server communications
8. Host and unknown remote systems network connections (reverse connections by Trojans)
9. Unusual open ports (ports used by Trojans)
10. An increase in the outgoing web traffic though user is not working ▪ Unknown registry entries
11. Unusual off-hour usages
12. Unknown use of protocols
13. Presence of unknown malicious software
14. The computer screen blinks, flips upside-down, or is inverted, so that everything is displayed backward
15. The Task Manager is disabled. The attacker, or Trojan, may disable the
IoC for Malwares: Detection Techniques
1. Live System/Dynamic Analysis Live system analysis or dynamic analysis.

2. Static analysis in a controlled environment.

Dynamic Analysis:

 Behavioral analysis since it detects the presence of malware based on the malicious behavior or functioning
of malware.
 Involves monitoring activities that include monitoring ports, processes, and registries for any abnormal or
malicious activities.
Activity examples:
 Port monitoring
 Process monitoring
 Registry monitoring
 Windows services monitoring
 Event logs monitoring
 Files and folder monitoring
 Device drivers monitoring
 Network traffic monitoring
 DNS monitoring/resolution
Why Ports Monitoring?
 Open ports act as communication channels for malware. They open unused ports on the victim’s machine to connect
back to the malware handlers.

 Scanning for suspicious ports will help in identifying this malware. You can also find if malware is trying to access a
particular port during live system analysis by installing port monitoring tools such as TCPView and Windows command
line utility tools such as netstat.
Port Monitoring Tool: Netstat

 Performs the following:

 Active TCP connections
 Ports on which the computer is listening,
 Ethernet statistics,
 the IP routing table,
 IPv4 statistics (for the IP, ICMP, TCP, and UDP protocols),
 IPv6 statistics (for the IPv6, ICMPv6, TCP over IPv6, and UDP over IPv6 protocols).
 netstat [-a] [-e] [-n] [-o] [-p Protocol] [-r] [-s] [Interval]
Port Monitoring Tool: Netstat Parameters

 -a: Displays all active TCP connections and the TCP and UDP ports on which the computer is listening.
 -e: Displays Ethernet statistics, such as the number of bytes and packets sent and received. This
parameter can be combined with -s.
 -n: Displays active TCP connections; however, addresses and port numbers are expressed numerically,
and no attempt is made to determine names.
 -o: Displays active TCP connections and includes the process ID (PID) for each connection. You can find
the application based on the PID on the Processes tab in Windows Task Manager. This parameter can be
combined with -a, -n, and -p.
 -p Protocol: Shows connections for the protocol specified by Protocol.
 In this case, the Protocol can be tcp, udp, tcpv6, or udpv6. If this parameter is used with -s to display
statistics by protocol, Protocol can be tcp, udp, icmp, ip, tcpv6, udpv6, icmpv6, or ipv6.
 -s: Displays statistics by the protocol.
 -r: Displays the contents of the IP routing table. This is equivalent to the route print command.
Why Registry Monitoring

 Windows registry stores OS and program configuration details, such as settings

and options. If the malware is a program, the registry stores its functionality.
 The malware uses the registry to perform harmful activity continuously by storing
entries into the registry and ensuring that the malicious program run whenever
computer or device boots automatically.
 When an attacker installs a type of malware on the victim’s machine, it generates
a registry entry.
 Scanning for suspicious registries will help to detect malware.
Static analysis in a controlled environment.
 Also know as Memory Dump/Static or static analysis is the process of analyzing a suspicious file or an application to find its
functionality, making, metadata, and other details.
 It involves code analysis, since it involves going through the executable binary code without actually executing it to have a better
understanding of the malware and its purpose.
 Analyzing the binary code provides information about the malware functionality, its network signatures, exploit packaging
technique.
 It is the process of investigating an executable file without running or installing it. It is safe to conduct static analysis because the
incident responder does not install or execute the suspect file.
 It also gathers the information about the malware functionality and collects technical pointers or simple signatures it generates.
 Also involves the following:
 File fingerprinting Local and online malware scanning
 Performing strings search
 Identifying packing/obfuscation methods
 Finding the portable executables (PE) information
 Identifying file dependencies
IOCs of Insider Threats

General IOCs:
 Indicators of insider threats are generally abnormal user activities that deviate from regular work
activities. These represent unusual patterns of user behavior that require further analysis to identify the
malicious motives and intents.
 The most common indicator of insider threat is lack of awareness of employees against security
measures.
IOCs of Insider Threats

More specific IOCs for insider threats:

 Missing or Modified Network Logs: Insiders try to access the log files to delete, modify, and edit unauthorized access
events. Alerts of log modification deletion or access can represent attacks.
 Changes in Network Usage Patterns: Changes in network patterns of the network specific protocols, size of the
packets, sources and destinations, frequency of user application sessions, and usage bandwidth can indicate
malicious activity.
 Behavioral and Temporal Changes: Deviation from established behavior and temporal changes in employee behavior,
such as spending capacity, frequent travels, anger management issues, constant quarrels with colleagues.
 Missing or Modified Critical Data: Disgruntled employees can modify or delete sensitive data with an intention to
damage the reputation of the organization.
 Unauthorized Download or Copying of Sensitive: Data Insiders use legitimate and malicious tools to extract data
from the organization’s perimeter. Insiders can install malware, Trojans, and backdoors to steal the information.
 Sending Sensitive Information to Personal Email Account: Insiders may send organizational critical information to
their personal email accounts with malicious intention.
 Complaint on Sensitive Data Leak: Information or complaint regarding sensitive data leak can represent insider
attack. Check for customer reviews and concerns to identify anomalies and analyze them to detect the insider.
Network Attacks Methodology: Lockheed Martin's Cyber Kill Chain

It is a widely recognized framework used to understand and defend against cyberattacks. It
outlines the different stages attackers typically progress through when launching a cyber intrusion.

Seven stages in the Cyber Kill Chain: Reconnaissance, Weaponization, Delivery, Exploitation,
Installation, Command and Control (C2), Actions on Objectives:
Reconnaissance

 Attackers gather information about their target network. This might involve techniques like ping
sweeps, port scans, social engineering attempts, and DNS enumeration.
 Activities of the adversary include the following:
 Gathering information about the target organization by searching the Internet or through social engineering.
 Performing analysis of various online activities and publicly available information.
 Gathering information from social networking sites and web services
 Obtaining information about websites visited.
 Monitoring and analyzing the target organization’s website.
 Performing Whois, DNS, and network footprinting.
 Performing scanning to identify open ports and services.
Weaponization

 Based on the identified vulnerabilities during analysis on the data collected, adversary selects or
creates a tailored deliverable malicious payload (remote-access malware weapon) using an
exploit and a backdoor to send to the victim. This could involve creating custom malware,
modifying existing exploits, or purchasing them on the dark web.
 The following are the activities of the adversary:
 Identifying appropriate malware payload based on the analysis
 Creating a new malware payload or selecting/reusing/modifying the available malware
payloads based on the identified vulnerability
 Creating the phishing email campaign
 Leveraging exploit kits and botnets
Delivery

 Attackers deliver their chosen weapon (malware, exploit) to the target network.
 This is a key stage that measures the effectiveness of the defense strategies implemented by the
target organization.
 The following are the activities of the adversary:
1. Sending phishing emails to the employees of the target organization
2. Distributing USB drives containing malicious payload to the employees of the target organization
3. Performing attacks such as watering hole on the compromised website
4. Implementing various hacking tools against operating systems, applications, and servers of the target
organization
Exploitation:

 Attackers control the delivered weapon to exploit vulnerabilities in the target system. This could
involve taking advantage of unpatched software, weak passwords, or misconfigured systems.
 An example include; exploiting software or hardware vulnerability to gain remote access to the
target system
 To prevent exploitation of such vulnerabilities, analysts can use mitigation strategies such as
hardening techniques.
Installation

 Once a vulnerability is exploited; the injection of the malicious code on one target system, spread the infection
to other end systems in the network. Also, the adversary tries to hide the presence of malicious activities from
security controls like firewalls using various techniques such as encryption.

 The following are the activities of the adversary:

 Downloading and installing malicious software such as backdoors.
 Gaining remote access to the target system.
 Leveraging various methods to keep backdoor hidden and running.
 Maintaining access to the target system.
Actions on Objectives

 The attackers establish communication channels with the compromised system to maintain control, issue commands,
and steal data.

 The adversaries implement techniques such as encryption to hide the presence of such channels. Using this channel, the
adversary performs remote exploitation on the target system or network.

 If the analyst can block the command and control channels of the adversary, the impact of the attack can be reduced.

 The following are the activities of the adversary:

 Establishing a two-way communication channel between victim’s system and adversary-controlled server
 Applying privilege escalation techniques
 Hiding the evidence of compromise using techniques such as encryption
Benefits of the Cyber Kill Chain

 Improved Threat Analysis: The framework helps organizations understand the attacker's
perspective and identify potential vulnerabilities at each stage.

 Targeted Defense Strategies: By focusing on specific stages, organizations can implement

targeted security controls to disrupt the attack chain and prevent attackers from achieving their
goals.

 Proactive Security Posture: Understanding the Cyber Kill Chain encourages organizations to
move beyond reactive security measures and adopt a more proactive approach to defense.

Remember: The Cyber Kill Chain is a conceptual model, and the actual attack sequence might vary depending
on the attacker's skill and goals. However, it remains a valuable tool for organizations to enhance their
cybersecurity posture and mitigate cyberattacks.
Example of Lockheed Martin Cyber Kill Chain: Spear Phishing attack

 Scenario: A cybercriminal targets the finance department of a company by impersonating a legitimate vendor.
1. Reconnaissance: The attacker gathers information through the company website, social media, and job postings. They
identify key employees in the finance department and learn about the company's vendors.
2. Weaponization: The attacker creates a spoofed email that appears to be from a known vendor the company uses. The
email might contain a link to a malicious website or a document with embedded malware.
3. Delivery: The attacker sends the spear phishing email directly to the targeted employees in the finance department.
4. Exploitation: The email content is crafted to trick the recipient into clicking the malicious link or opening the infected
document. This could involve exploiting a user's trust in the sender or their sense of urgency to address a seemingly
important issue.
5. Installation: If the user clicks the malicious link, they might be redirected to a fake login page designed to steal their
credentials. If they open the infected document, the malware embedded within it could install itself on their computer.
6. Command and Control (C2): Once malware is installed, it establishes a communication channel with the attacker's
server. This allows the attacker to remotely control the infected computer and potentially access the company's financial
network.
7. Actions on Objectives: Having gained access to the finance department's network, the attacker can perform various
malicious activities. They might steal sensitive financial data, initiate fraudulent wire transfers, or deploy ransomware to
disrupt operations.
 By understanding these stages, organizations can implement security measures like employee training on phishing awareness, email filtering
systems, and endpoint security software to disrupt this attack chain and protect themselves from financial losses and data breaches.
Example of Lockheed Martin Cyber Kill Chain: Ransome Attack

 Scenario: Hackers target a hospital with ransomware to disrupt critical operations and extort money.
1. Reconnaissance: Attackers research the hospital's network infrastructure, security posture, and employee training.
They might identify vulnerabilities in outdated software, weak password practices, or lack of user awareness about
phishing attacks.
 Open-source intelligence (OSINT): Attackers can gather information about an organization through publicly available
sources like the company website, social media profiles, job postings, and security reports. This information can reveal
details about the organization's network infrastructure, software used, and potential vulnerabilities.
 Network Scanning: Attackers use automated tools to scan the target network for vulnerabilities in operating systems,
applications, and network devices.
 Identifying unpatched systems or outdated software provides them with potential entry points to deploy their
ransomware.

2. Weaponization: Attackers select or develop a ransomware variant specifically designed to encrypt healthcare
data.
 Attackers might choose a readily available ransomware-as-a-service (RaaS) offering or develop their own custom
variant tailored to specific vulnerabilities or targeting a particular industry.
 Modifying Existing Exploits: Attackers can purchase or modify existing exploits for known vulnerabilities in popular
software (e.g., operating systems, web browsers) to gain initial access to the target network.
Example of Lockheed Martin Cyber Kill Chain: Ransome Attack…Cont

3. Delivery:
 Malvertising: Malicious advertisements displayed on legitimate websites can trick users into clicking and downloading
ransomware.
 Drive-by-downloads: Attackers compromise legitimate websites to inject code that automatically downloads
ransomware onto a user's machine when they visit the site.
 Waterhole attacks: Attackers target websites frequented by a specific victim group (e.g., accounting firms) and inject
malicious code to infect their systems.
 Software vulnerabilities: Unpatched vulnerabilities in popular software (like web browsers, document readers) can be
exploited to deliver ransomware through drive-by downloads or social engineering tactics.
 Removable media: Infected USB drives or external hard drives left in strategic locations (e.g., parking lots) can entice
users to insert them, unknowingly installing ransomware.

4. Exploitation:
 Credential stuffing: Attackers attempt to use stolen usernames and passwords from previous data breaches to gain
access to user accounts within the network.
 Lateral movement: Once a system is compromised, attackers use various techniques to move sideways within the
network, searching for valuable data and escalating privileges. This could involve exploiting network vulnerabilities or
leveraging legitimate administrative tools.
 Vulnerability scanning: Attackers use automated tools to scan the network for vulnerable systems and identify potential
targets for further exploitation.
Example of Lockheed Martin Cyber Kill Chain: Ransome Attack…Cont

3. Delivery:
 Malvertising: Malicious advertisements displayed on legitimate websites can trick users into clicking and downloading
ransomware.
 Drive-by-downloads: Attackers compromise legitimate websites to inject code that automatically downloads
ransomware onto a user's machine when they visit the site.
 Waterhole attacks: Attackers target websites frequented by a specific victim group (e.g., accounting firms) and inject
malicious code to infect their systems.
 Software vulnerabilities: Unpatched vulnerabilities in popular software (like web browsers, document readers) can be
exploited to deliver ransomware through drive-by downloads or social engineering tactics.
 Removable media: Infected USB drives or external hard drives left in strategic locations (e.g., parking lots) can entice
users to insert them, unknowingly installing ransomware.

4. Exploitation:
 Credential stuffing: Attackers attempt to use stolen usernames and passwords from previous data breaches to gain
access to user accounts within the network.
 Lateral movement: Once a system is compromised, attackers use various techniques to move sideways within the
network, searching for valuable data and escalating privileges. This could involve exploiting network vulnerabilities or
leveraging legitimate administrative tools.
 Vulnerability scanning: Attackers use automated tools to scan the network for vulnerable systems and identify potential
targets for further exploitation.
Example of Lockheed Martin Cyber Kill Chain: Ransome Attack…Cont

5. Installation:
 File infectors: These ransomware variants directly target specific file types (e.g., documents, images) and encrypt them
upon execution.
 Bootkit installation: Some ransomware can install itself within the system's boot sector, ensuring it runs automatically
on every system startup, making data recovery more complex.
 Macro-enabled documents: Attackers might embed malicious macros within documents like Microsoft Word files. When
the user enables macros, the ransomware code is executed, encrypting files.
6. Command and Control (C2): The ransomware might establish a communication channel with the attacker's
server, allowing them to monitor the encryption process and potentially steal unencrypted data.
7. Actions on Objectives: With essential data encrypted, the hospital's operations are crippled. Patients might
be denied access to their medical records, and critical services like surgeries or diagnostic procedures might be
delayed.
Suggested Countermeasures for Ransome Attack

1. Employee training on phishing awareness and best practices for email security.
2. Regular security audits and vulnerability assessments to identify and patch weaknesses in the
network.
3. Data backups and recovery plans to restore critical data in case of a ransomware attack.
4. Network segmentation to limit the spread of ransomware if a system becomes infected.