WEBVTT

1
00:00:00.000 --> 00:00:01.950
In this section of the course,

2
00:00:01.950 --> 00:00:05.160
we are going to discuss indication analysis.

3
00:00:05.160 --> 00:00:07.590
The indication analysis section of the course

4
00:00:07.590 --> 00:00:10.890
focuses on domain four, security operations.

5
00:00:10.890 --> 00:00:13.650
Specifically, objective 4.4.

6
00:00:13.650 --> 00:00:17.010
Objective 4.4 states that given a scenario,

7
00:00:17.010 --> 00:00:19.890
you must be able to analyze data and artifacts

8
00:00:19.890 --> 00:00:22.830
in support of incident response activities.

9
00:00:22.830 --> 00:00:24.810
Indication analysis focuses on

10
00:00:24.810 --> 00:00:27.300
understanding potential security threats

11
00:00:27.300 --> 00:00:29.040
by examining various components

12
00:00:29.040 --> 00:00:30.960
and behaviors within a system.

13
00:00:30.960 --> 00:00:34.470
This approach involves investigating digital infrastructure,

14
00:00:34.470 --> 00:00:36.090
analyzing data patterns,

15
00:00:36.090 --> 00:00:38.550
and scrutinizing different forms of storage

16
00:00:38.550 --> 00:00:40.560
for hidden threats or anomalies.

17
00:00:40.560 --> 00:00:43.770
By diving deeper into malicious software and code,

18
00:00:43.770 --> 00:00:45.810
it is possible to uncover insights

19
00:00:45.810 --> 00:00:48.180
about the methods the attackers use.

20
00:00:48.180 --> 00:00:51.090
This comprehensive analysis helps organizations

21
00:00:51.090 --> 00:00:53.010
protect critical environments,

22
00:00:53.010 --> 00:00:55.230
including cloud-based systems.

23
00:00:55.230 --> 00:00:58.320
It also strengthens their overall security posture

24
00:00:58.320 --> 00:01:00.270
against evolving threats.

25
00:01:00.270 --> 00:01:01.740
As we go through this section,

26
00:01:01.740 --> 00:01:05.040
we will cover many topics related to indication analysis,

27
00:01:05.040 --> 00:01:09.180
including infrastructure analysis, metadata analysis,

28
00:01:09.180 --> 00:01:12.720
volatile and non-volatile storage analysis,

29
00:01:12.720 --> 00:01:16.533
reverse engineering, malware analysis, code stylometry,

30
00:01:17.430 --> 00:01:20.670
and the Cloud Workload Protection Platform.

31
00:01:20.670 --> 00:01:24.060
First, we will look at infrastructure analysis.

32
00:01:24.060 --> 00:01:27.360
Infrastructure analysis involves examining the hardware,

33
00:01:27.360 --> 00:01:30.210
software, and network components of a system

34
00:01:30.210 --> 00:01:33.480
to detect vulnerabilities or signs of compromise.

35
00:01:33.480 --> 00:01:36.060
Infrastructure analysis concepts include

36
00:01:36.060 --> 00:01:39.630
Joint Test Action Group or JTAG interfaces,

37
00:01:39.630 --> 00:01:42.330
host analysis, and network analysis.

38
00:01:42.330 --> 00:01:46.590
JTAG is a hardware interface used for debugging and testing.

39
00:01:46.590 --> 00:01:50.640
JTAG interfaces can be used for low-level hardware analysis

40
00:01:50.640 --> 00:01:53.880
to identify vulnerabilities in embedded systems.

41
00:01:53.880 --> 00:01:56.310
Next, host analysis focuses on

42
00:01:56.310 --> 00:01:59.520
scrutinizing a system's endpoints, such as servers

43
00:01:59.520 --> 00:02:03.120
or workstations for malware, misconfigurations,

44
00:02:03.120 --> 00:02:04.740
or suspicious activity.

45
00:02:04.740 --> 00:02:08.130
Finally, network analysis looks at traffic patterns,

46
00:02:08.130 --> 00:02:09.990
data flows and connections

47
00:02:09.990 --> 00:02:13.920
to uncover malicious communications or intrusion.

48
00:02:13.920 --> 00:02:16.950
Next, we will explore metadata analysis.

49
00:02:16.950 --> 00:02:19.020
Metadata analysis is examining

50
00:02:19.020 --> 00:02:23.610
the underlying data about files, media or communications.

51
00:02:23.610 --> 00:02:26.820
Metadata analysis is used to uncover information

52
00:02:26.820 --> 00:02:29.370
about the origin, manipulation

53
00:02:29.370 --> 00:02:32.190
or potential malicious intent of files,

54
00:02:32.190 --> 00:02:34.440
media or communications.

55
00:02:34.440 --> 00:02:38.760
Metadata analysis concepts include files and filesystems,

56
00:02:38.760 --> 00:02:43.020
images, audio, and video, and email header analysis.

57
00:02:43.020 --> 00:02:45.120
Within files and filesystems,

58
00:02:45.120 --> 00:02:48.750
metadata analysis can reveal file creation dates,

59
00:02:48.750 --> 00:02:52.110
modification times, and user permissions.

60
00:02:52.110 --> 00:02:54.750
This analysis can help identify tampered

61
00:02:54.750 --> 00:02:58.620
or suspicious files by highlighting inconsistencies,

62
00:02:58.620 --> 00:03:02.550
unauthorized changes, or unusual access patterns.

63
00:03:02.550 --> 00:03:05.430
Metadata from images, audio, and video

64
00:03:05.430 --> 00:03:08.100
can include information about device models,

65
00:03:08.100 --> 00:03:11.070
GPS coordinates or editing history.

66
00:03:11.070 --> 00:03:14.280
This analysis can assist in tracing the source of media

67
00:03:14.280 --> 00:03:18.060
by identifying where and how it was created or altered.

68
00:03:18.060 --> 00:03:20.850
Email headers provide details about the sender,

69
00:03:20.850 --> 00:03:23.220
recipient and transmission path.

70
00:03:23.220 --> 00:03:26.070
This analysis can help identify phishing attempts

71
00:03:26.070 --> 00:03:27.990
or spoofed communications.

72
00:03:27.990 --> 00:03:31.830
For example, an investigator might use metadata analysis

73
00:03:31.830 --> 00:03:35.640
of an email header to examine the email's Received fields,

74
00:03:35.640 --> 00:03:37.890
which trace the path the email took

75
00:03:37.890 --> 00:03:39.810
through various email servers.

76
00:03:39.810 --> 00:03:43.410
By analyzing details such as the originating IP address,

77
00:03:43.410 --> 00:03:46.230
the sending domain, and the message ID,

78
00:03:46.230 --> 00:03:48.900
the investigator could discover that the email,

79
00:03:48.900 --> 00:03:51.600
although it appears to be from a trusted source,

80
00:03:51.600 --> 00:03:53.820
was actually sent from a suspicious

81
00:03:53.820 --> 00:03:55.680
or malicious IP address

82
00:03:55.680 --> 00:03:58.680
outside of the expected geographic region

83
00:03:58.680 --> 00:04:00.330
of the organization.

84
00:04:00.330 --> 00:04:02.580
After that, we will look at volatile

85
00:04:02.580 --> 00:04:04.800
and non-volatile storage analysis.

86
00:04:04.800 --> 00:04:07.170
Volatile and non-volatile storage analysis

87
00:04:07.170 --> 00:04:10.440
examines both temporary and permanent data storage

88
00:04:10.440 --> 00:04:13.890
to identify evidence of compromise or malicious activity.

89
00:04:13.890 --> 00:04:16.770
Volatile and non-volatile storage analysis concepts

90
00:04:16.770 --> 00:04:20.460
include the order of volatility and forensic imaging.

91
00:04:20.460 --> 00:04:24.750
Volatile storage such as CPU cache holds temporary data

92
00:04:24.750 --> 00:04:26.580
that is lost almost immediately

93
00:04:26.580 --> 00:04:28.320
when a system is powered off.

94
00:04:28.320 --> 00:04:31.020
The order of volatility prioritizes capturing

95
00:04:31.020 --> 00:04:35.220
highly ephemeral data such as CPU cache first.

96
00:04:35.220 --> 00:04:37.740
Non-volatile storage like hard drives

97
00:04:37.740 --> 00:04:41.790
contains permanent data that persists even after power loss

98
00:04:41.790 --> 00:04:45.000
and is often analyzed through forensic imaging.

99
00:04:45.000 --> 00:04:48.030
For example, during a forensic investigation,

100
00:04:48.030 --> 00:04:50.430
an analyst might first capture the contents

101
00:04:50.430 --> 00:04:53.580
of volatile memory to retrieve active processes,

102
00:04:53.580 --> 00:04:56.400
network connections, or encryption keys

103
00:04:56.400 --> 00:05:00.240
before turning to forensic imaging of non-volatile storage

104
00:05:00.240 --> 00:05:03.030
to examine deleted files or logs.

105
00:05:03.030 --> 00:05:06.060
Next, we will explore reverse engineering.

106
00:05:06.060 --> 00:05:08.070
Reverse engineering breaks down software

107
00:05:08.070 --> 00:05:11.250
or hardware components to understand their structure,

108
00:05:11.250 --> 00:05:14.460
functionality, and potential vulnerabilities.

109
00:05:14.460 --> 00:05:18.780
Reverse engineering concepts include byte code, binary code,

110
00:05:18.780 --> 00:05:21.960
as well as disassembly and decompilation.

111
00:05:21.960 --> 00:05:25.470
Byte code is a low level representation of code

112
00:05:25.470 --> 00:05:28.290
that can be executed by virtual machines.

113
00:05:28.290 --> 00:05:30.720
Binary refers to machine level code

114
00:05:30.720 --> 00:05:33.000
that the computer directly executes,

115
00:05:33.000 --> 00:05:35.400
and it is made up of ones and zeros.

116
00:05:35.400 --> 00:05:37.080
Disassembly is the process

117
00:05:37.080 --> 00:05:40.260
of converting binary code into assembly language

118
00:05:40.260 --> 00:05:42.900
to analyze how the software operates.

119
00:05:42.900 --> 00:05:45.840
Assembly language is a low level programming language

120
00:05:45.840 --> 00:05:48.660
that provides a human readable representation

121
00:05:48.660 --> 00:05:51.060
of a computer's machine code instructions.

122
00:05:51.060 --> 00:05:54.360
Decompilation goes a step further than disassembly

123
00:05:54.360 --> 00:05:57.060
and attempts to translate executable code

124
00:05:57.060 --> 00:06:00.540
into higher level language for easier understanding.

125
00:06:00.540 --> 00:06:03.630
For example, an analyst might reverse engineer

126
00:06:03.630 --> 00:06:07.080
a piece of malware by disassembling its binary code,

127
00:06:07.080 --> 00:06:09.030
decompiling portions of the code

128
00:06:09.030 --> 00:06:11.130
to understand its functionality

129
00:06:11.130 --> 00:06:14.550
and analyzing byte code to identify any hidden routines

130
00:06:14.550 --> 00:06:16.200
or malicious behaviors.

131
00:06:16.200 --> 00:06:19.020
Then we will look at malware analysis.

132
00:06:19.020 --> 00:06:21.900
Malware analysis is examining malicious software

133
00:06:21.900 --> 00:06:24.660
to understand its behavior, impact,

134
00:06:24.660 --> 00:06:27.150
and potential Indicators of Compromise.

135
00:06:27.150 --> 00:06:30.690
Malware analysis concepts include sandboxing,

136
00:06:30.690 --> 00:06:35.370
malware detonation, and Indicator of Compromise extraction.

137
00:06:35.370 --> 00:06:38.580
Sandboxing is a technique that isolates applications

138
00:06:38.580 --> 00:06:41.340
or processes in a controlled environment

139
00:06:41.340 --> 00:06:44.130
to prevent them from affecting the rest of the system.

140
00:06:44.130 --> 00:06:46.650
This isolation allows the safe execution

141
00:06:46.650 --> 00:06:49.680
and analysis of potentially harmful code.

142
00:06:49.680 --> 00:06:54.300
Sandboxing tools include Joe Sandbox and Cuckoo Sandbox.

143
00:06:54.300 --> 00:06:56.880
Next, malware detonation is the process

144
00:06:56.880 --> 00:06:59.670
of running the malware within the sandbox

145
00:06:59.670 --> 00:07:01.710
to trigger its full functionality.

146
00:07:01.710 --> 00:07:04.470
Finally, Indicator of Compromise extraction

147
00:07:04.470 --> 00:07:08.790
identifies key artifacts such as file hashes, IP addresses,

148
00:07:08.790 --> 00:07:10.680
and domain names that can be used

149
00:07:10.680 --> 00:07:13.020
to detect or block future attacks.

150
00:07:13.020 --> 00:07:16.380
For example, an analyst may use Cuckoo Sandbox

151
00:07:16.380 --> 00:07:20.010
to detonate suspected malware in an isolated environment

152
00:07:20.010 --> 00:07:22.380
while closely monitoring its behavior.

153
00:07:22.380 --> 00:07:25.350
Monitored behavior may include file modifications,

154
00:07:25.350 --> 00:07:28.290
registry changes, and network communications.

155
00:07:28.290 --> 00:07:30.330
By specifically observing the malware's

156
00:07:30.330 --> 00:07:32.100
attempted outbound connections,

157
00:07:32.100 --> 00:07:35.970
an analyst may extract malicious domain names, IP addresses,

158
00:07:35.970 --> 00:07:39.030
or file hashes as Indicators of Compromise.

159
00:07:39.030 --> 00:07:41.640
These indicators of compromise may then be fed

160
00:07:41.640 --> 00:07:44.580
into the organization's threat detection systems,

161
00:07:44.580 --> 00:07:47.520
such as firewalls or intrusion detection systems

162
00:07:47.520 --> 00:07:49.380
to block similar threats.

163
00:07:49.380 --> 00:07:52.410
After that, we will explore code stylometry.

164
00:07:52.410 --> 00:07:54.150
Code stylometry is the process

165
00:07:54.150 --> 00:07:56.850
of analyzing a developer's coding style

166
00:07:56.850 --> 00:07:59.400
to identify unique patterns that can be used

167
00:07:59.400 --> 00:08:01.020
for malware attribution

168
00:08:01.020 --> 00:08:04.020
or to trace the origin of specific software.

169
00:08:04.020 --> 00:08:07.290
Code stylometry concepts include variant matching,

170
00:08:07.290 --> 00:08:10.260
code similarity, and malware attribution.

171
00:08:10.260 --> 00:08:12.360
Variant matching looks for similarities

172
00:08:12.360 --> 00:08:13.650
between different versions

173
00:08:13.650 --> 00:08:16.110
or variants of the same malware family.

174
00:08:16.110 --> 00:08:18.900
In this way, variant matching helps security teams

175
00:08:18.900 --> 00:08:21.240
quickly identify evolving threats

176
00:08:21.240 --> 00:08:23.910
by recognizing patterns in new malware strains

177
00:08:23.910 --> 00:08:25.770
from the same malware family.

178
00:08:25.770 --> 00:08:30.030
Next, code similarity focuses on comparing segments of code

179
00:08:30.030 --> 00:08:33.960
across multiple samples to detect shared structures,

180
00:08:33.960 --> 00:08:36.120
functions, or techniques.

181
00:08:36.120 --> 00:08:39.720
Finally, malware attribution uses these findings

182
00:08:39.720 --> 00:08:41.130
to potentially link malware

183
00:08:41.130 --> 00:08:43.260
to a specific threat actor or group

184
00:08:43.260 --> 00:08:46.770
by recognizing unique coding habits or reused code.

185
00:08:46.770 --> 00:08:48.600
For example, if threat hunters

186
00:08:48.600 --> 00:08:50.520
identify similar coding patterns

187
00:08:50.520 --> 00:08:54.210
between a new malware sample and previous attacks,

188
00:08:54.210 --> 00:08:56.730
code stylometry might attribute the malware

189
00:08:56.730 --> 00:09:00.480
to a known threat group, providing valuable insights

190
00:09:00.480 --> 00:09:03.000
into the attacker's tactics and techniques.

191
00:09:03.000 --> 00:09:04.560
By understanding the attacker's

192
00:09:04.560 --> 00:09:06.390
code style and preferences,

193
00:09:06.390 --> 00:09:09.360
organizations can also improve detection systems

194
00:09:09.360 --> 00:09:13.080
to spot future variants of the malware more effectively.

195
00:09:13.080 --> 00:09:14.550
Finally, we will look at

196
00:09:14.550 --> 00:09:18.300
the Cloud Workload Protection Platform or CWPP.

197
00:09:18.300 --> 00:09:21.900
A Cloud Workload Protection Platform is a security solution

198
00:09:21.900 --> 00:09:24.270
designed to detect, protect,

199
00:09:24.270 --> 00:09:27.450
and respond to threats targeting cloud-based workloads.

200
00:09:27.450 --> 00:09:30.630
Cloud Workload Protection Platform concepts include

201
00:09:30.630 --> 00:09:33.180
detection and response, integration,

202
00:09:33.180 --> 00:09:35.130
and multi-cloud environments.

203
00:09:35.130 --> 00:09:36.840
Detection and response capabilities

204
00:09:36.840 --> 00:09:39.690
allow Cloud Workload Protection Platforms

205
00:09:39.690 --> 00:09:42.270
to monitor cloud workloads in real time,

206
00:09:42.270 --> 00:09:44.970
identifying suspicious activities or breaches

207
00:09:44.970 --> 00:09:47.190
and enabling rapid countermeasures.

208
00:09:47.190 --> 00:09:49.500
Integration refers to the platform's ability

209
00:09:49.500 --> 00:09:52.260
to work seamlessly with existing cloud infrastructure

210
00:09:52.260 --> 00:09:53.820
and security tools.

211
00:09:53.820 --> 00:09:56.331
Supporting multi-cloud environments

212
00:09:56.331 --> 00:09:57.164
ensures that workloads across

213
00:09:57.164 --> 00:09:58.770
various cloud service providers

214
00:09:58.770 --> 00:10:03.540
like AWS, Azure or Google Cloud are consistently protected.

215
00:10:03.540 --> 00:10:06.750
For example, a Cloud Workload Protection Platform

216
00:10:06.750 --> 00:10:09.660
might detect an unusually large data transfer

217
00:10:09.660 --> 00:10:12.930
from an S3 bucket in an AWS environment

218
00:10:12.930 --> 00:10:15.870
to an unrecognized external IP address,

219
00:10:15.870 --> 00:10:19.410
flagging it as a potential data exfiltration attempt.

220
00:10:19.410 --> 00:10:21.450
The Cloud Workload Protection Platform

221
00:10:21.450 --> 00:10:23.670
could then trigger an automated response

222
00:10:23.670 --> 00:10:25.170
to block the connection,

223
00:10:25.170 --> 00:10:27.960
revoke access to the compromised user,

224
00:10:27.960 --> 00:10:30.420
and isolate the affected instance.

225
00:10:30.420 --> 00:10:33.720
Simultaneously, the Cloud Workload Protection Platform

226
00:10:33.720 --> 00:10:36.240
could integrate with other security tools,

227
00:10:36.240 --> 00:10:39.360
such as Azure Security Center

228
00:10:39.360 --> 00:10:42.150
or Google Cloud's Security Command Center,

229
00:10:42.150 --> 00:10:44.850
to ensure that similar suspicious activities

230
00:10:44.850 --> 00:10:48.090
are monitored for and blocked across the organization's

231
00:10:48.090 --> 00:10:51.030
multi-cloud infrastructure and workloads.

232
00:10:51.030 --> 00:10:53.610
To finish things off, we'll take a short quiz

233
00:10:53.610 --> 00:10:56.520
to see what you learned during this section of the course,

234
00:10:56.520 --> 00:10:59.940
and we will review each of those quiz questions fully

235
00:10:59.940 --> 00:11:02.790
to ensure you can explain why the right answers were right

236
00:11:02.790 --> 00:11:04.620
and the wrong answers were wrong.

237
00:11:04.620 --> 00:11:08.070
So let's get ready to dive into indication analysis

238
00:11:08.070 --> 00:11:10.053
in this section of the course.

