WEBVTT

1
00:00:00.000 --> 00:00:01.470
In this lesson,

2
00:00:01.470 --> 00:00:04.890
we will learn about Infrastructure Analysis.

3
00:00:04.890 --> 00:00:08.970
Infrastructure analysis involves examining the hardware,

4
00:00:08.970 --> 00:00:12.450
software, and network components of a system

5
00:00:12.450 --> 00:00:16.470
to detect vulnerabilities or signs of compromise.

6
00:00:16.470 --> 00:00:19.620
Infrastructure analysis concepts include

7
00:00:19.620 --> 00:00:23.745
Joint Test Action Group or JTAG interfaces,

8
00:00:23.745 --> 00:00:25.245
host analysis,

9
00:00:25.245 --> 00:00:27.210
and network analysis.

10
00:00:27.210 --> 00:00:32.183
JTAG is a hardware interface used for debugging and testing.

11
00:00:32.183 --> 00:00:35.850
Next, host analysis focuses on scrutinizing

12
00:00:35.850 --> 00:00:39.780
a system's endpoints, such as servers or workstations

13
00:00:39.780 --> 00:00:42.270
for malware, misconfigurations,

14
00:00:42.270 --> 00:00:44.280
or suspicious activity.

15
00:00:44.280 --> 00:00:48.330
Finally, Network Analysis looks at traffic patterns,

16
00:00:48.330 --> 00:00:50.460
data flows, and connections

17
00:00:50.460 --> 00:00:54.660
to uncover malicious communications or intrusions.

18
00:00:54.660 --> 00:00:57.643
Let's learn more about Joint Test Action Group

19
00:00:57.643 --> 00:01:01.285
or JTAG interfaces, host analysis,

20
00:01:01.285 --> 00:01:03.368
and network analysis.

21
00:01:03.368 --> 00:01:08.368
First, we have Joint Test Action Group or JTAG interfaces.

22
00:01:08.670 --> 00:01:12.990
JTAG is a hardware interface standard used primarily

23
00:01:12.990 --> 00:01:16.230
for testing and debugging embedded systems.

24
00:01:16.230 --> 00:01:20.100
Embedded systems are specialized computing systems

25
00:01:20.100 --> 00:01:23.220
designed to perform dedicated functions

26
00:01:23.220 --> 00:01:26.130
within larger devices or machines,

27
00:01:26.130 --> 00:01:28.950
often with real-time constraints.

28
00:01:28.950 --> 00:01:32.580
JTAG allows direct access to the internals

29
00:01:32.580 --> 00:01:33.930
of an embedded system

30
00:01:33.930 --> 00:01:37.890
or hardware device, enabling low-level diagnostics

31
00:01:37.890 --> 00:01:39.870
and hardware analysis.

32
00:01:39.870 --> 00:01:43.980
Engineers use JTAG to monitor and control signals

33
00:01:43.980 --> 00:01:46.110
within integrated circuits,

34
00:01:46.110 --> 00:01:49.680
identifying defects or anomalies.

35
00:01:49.680 --> 00:01:54.180
So, JTAG is important to enterprise security

36
00:01:54.180 --> 00:01:55.740
because it can be leveraged

37
00:01:55.740 --> 00:01:59.160
to detect vulnerabilities at the hardware level,

38
00:01:59.160 --> 00:02:01.770
such as insecure firmware,

39
00:02:01.770 --> 00:02:04.140
or circuits that have been tampered with,

40
00:02:04.140 --> 00:02:06.750
which could be exploited by attackers

41
00:02:06.750 --> 00:02:09.420
to compromise embedded systems.

42
00:02:09.420 --> 00:02:12.930
In an enterprise setting, JTAG can be used

43
00:02:12.930 --> 00:02:16.980
to assess the security of critical hardware such as routers,

44
00:02:16.980 --> 00:02:20.580
switches, or industrial control systems.

45
00:02:20.580 --> 00:02:25.550
For example, a security team might use a JTAG interface

46
00:02:25.550 --> 00:02:29.430
to investigate an anomaly in an embedded device

47
00:02:29.430 --> 00:02:32.220
like a network switch where it appears

48
00:02:32.220 --> 00:02:36.210
that the firmware was modified without authorization.

49
00:02:36.210 --> 00:02:39.330
By accessing the system via JTAG,

50
00:02:39.330 --> 00:02:42.150
the team can conduct a thorough analysis

51
00:02:42.150 --> 00:02:45.540
of the device's firmware and configurations,

52
00:02:45.540 --> 00:02:49.260
determining for sure if the hardware had been tampered with

53
00:02:49.260 --> 00:02:51.330
by a malicious actor.

54
00:02:51.330 --> 00:02:55.230
JTAG also enables the recovery of detailed logs

55
00:02:55.230 --> 00:02:58.200
and trace signals at the hardware level,

56
00:02:58.200 --> 00:03:02.880
often offering deeper insights into unauthorized changes.

57
00:03:02.880 --> 00:03:06.900
This access allows the team to restore the device

58
00:03:06.900 --> 00:03:08.850
to a known secure state

59
00:03:08.850 --> 00:03:12.510
and implement stronger protections, such as

60
00:03:12.510 --> 00:03:16.770
firmware validation checks to prevent future tampering.

61
00:03:16.770 --> 00:03:21.030
In the end, JTAG interfaces are used in proactive

62
00:03:21.030 --> 00:03:24.090
organizational defense strategies, allowing

63
00:03:24.090 --> 00:03:26.880
for continuous hardware testing to ensure

64
00:03:26.880 --> 00:03:30.570
that no unauthorized alterations have been made.

65
00:03:30.570 --> 00:03:33.960
And while it is primarily used for development,

66
00:03:33.960 --> 00:03:37.530
its application in security testing ensures that

67
00:03:37.530 --> 00:03:41.580
even the hardware layer of an infrastructure is secured,

68
00:03:41.580 --> 00:03:44.010
reducing the attack surface.

69
00:03:44.010 --> 00:03:46.890
Second, we have host analysis.

70
00:03:46.890 --> 00:03:49.590
Host analysis is the examination

71
00:03:49.590 --> 00:03:54.090
of individual endpoints such as servers, workstations,

72
00:03:54.090 --> 00:03:56.940
or other networked devices to detect

73
00:03:56.940 --> 00:04:00.330
signs of compromise or vulnerabilities.

74
00:04:00.330 --> 00:04:04.740
This type of analysis focuses on identifying indicators

75
00:04:04.740 --> 00:04:07.980
of compromise (IoCs), including malware infections,

76
00:04:07.980 --> 00:04:11.490
misconfigurations, and unusual behaviors

77
00:04:11.490 --> 00:04:14.610
that may indicate malicious activity.

78
00:04:14.610 --> 00:04:17.490
In the end, host analysis ensures

79
00:04:17.490 --> 00:04:19.860
that all endpoints are secure,

80
00:04:19.860 --> 00:04:23.880
protecting the broader network from potential breaches.

81
00:04:23.880 --> 00:04:26.640
For example, consider an organization

82
00:04:26.640 --> 00:04:30.180
where an endpoint is acting unusually slow,

83
00:04:30.180 --> 00:04:34.110
and files are being modified without authorization.

84
00:04:34.110 --> 00:04:35.820
Through host analysis,

85
00:04:35.820 --> 00:04:39.960
a security analyst could inspect logs, file changes,

86
00:04:39.960 --> 00:04:43.380
and processes on the affected system.

87
00:04:43.380 --> 00:04:46.950
This is often done using tools like Sysmon,

88
00:04:46.950 --> 00:04:49.650
which monitors system activities

89
00:04:49.650 --> 00:04:54.030
or forensic tools such as EnCase or Autopsy,

90
00:04:54.030 --> 00:04:58.020
to collect and analyze detailed system data.

91
00:04:58.020 --> 00:05:01.800
Through analysis, the security analyst might discover

92
00:05:01.800 --> 00:05:05.250
a piece of malware that opened an unauthorized

93
00:05:05.250 --> 00:05:07.650
communication channel leading to

94
00:05:07.650 --> 00:05:10.080
potential data exfiltration.

95
00:05:10.080 --> 00:05:13.200
So, by conducting host analysis,

96
00:05:13.200 --> 00:05:15.900
the compromised endpoint can be isolated

97
00:05:15.900 --> 00:05:19.500
and cleaned, preventing further damage.

98
00:05:19.500 --> 00:05:21.780
In an enterprise environment,

99
00:05:21.780 --> 00:05:26.610
consistent host analysis helps maintain system integrity

100
00:05:26.610 --> 00:05:30.420
by detecting and responding to threats quickly.

101
00:05:30.420 --> 00:05:33.960
This type of analysis identifies malware,

102
00:05:33.960 --> 00:05:36.390
unauthorized software installations,

103
00:05:36.390 --> 00:05:38.310
and abnormal activities

104
00:05:38.310 --> 00:05:40.980
that could threaten sensitive information,

105
00:05:40.980 --> 00:05:43.290
or disrupt operations.

106
00:05:43.290 --> 00:05:46.680
Additionally, tools like antivirus software,

107
00:05:46.680 --> 00:05:49.230
file integrity monitoring systems,

108
00:05:49.230 --> 00:05:52.410
and Security Information and Event Management

109
00:05:52.410 --> 00:05:55.410
or SIEM platforms, are commonly used

110
00:05:55.410 --> 00:05:58.680
to automate the detection and investigation

111
00:05:58.680 --> 00:06:02.250
of suspicious activity on endpoints.

112
00:06:02.250 --> 00:06:06.210
Third and last, we have network analysis.

113
00:06:06.210 --> 00:06:10.500
Network analysis involves scrutinizing data traffic,

114
00:06:10.500 --> 00:06:12.210
communication patterns,

115
00:06:12.210 --> 00:06:14.640
and connections within a network

116
00:06:14.640 --> 00:06:19.170
to identify malicious activity or vulnerabilities.

117
00:06:19.170 --> 00:06:21.150
It focuses on monitoring

118
00:06:21.150 --> 00:06:25.380
and analyzing the flow of data between devices

119
00:06:25.380 --> 00:06:30.240
to detect anomalies such as suspicious data transfers

120
00:06:30.240 --> 00:06:32.520
or unauthorized connections.

121
00:06:32.520 --> 00:06:37.110
Overall, network analysis can reveal ongoing attacks

122
00:06:37.110 --> 00:06:39.150
such as data breaches

123
00:06:39.150 --> 00:06:42.720
or denial-of-service attacks, helping to secure

124
00:06:42.720 --> 00:06:47.160
an organization's most valuable asset, its data.

125
00:06:47.160 --> 00:06:50.310
Let's imagine a large company is experiencing

126
00:06:50.310 --> 00:06:54.960
unusual spikes in traffic during off-peak hours.

127
00:06:54.960 --> 00:06:56.940
Through network analysis,

128
00:06:56.940 --> 00:07:00.300
the security team could inspect the traffic logs

129
00:07:00.300 --> 00:07:03.720
and find that a specific server is communicating

130
00:07:03.720 --> 00:07:07.230
with an external IP address at two in the morning,

131
00:07:07.230 --> 00:07:10.500
which is unusual for the organization.

132
00:07:10.500 --> 00:07:13.590
By digging deeper into the packet data,

133
00:07:13.590 --> 00:07:16.380
they could uncover a malware infection,

134
00:07:16.380 --> 00:07:21.380
exfiltrating sensitive company data to an external attacker.

135
00:07:21.510 --> 00:07:24.570
This insight would prompt immediate action

136
00:07:24.570 --> 00:07:26.550
to block the malicious traffic

137
00:07:26.550 --> 00:07:29.550
and secure the affected server.

138
00:07:29.550 --> 00:07:32.160
Next, in an enterprise setting,

139
00:07:32.160 --> 00:07:35.250
network analysis tools like Wireshark

140
00:07:35.250 --> 00:07:38.880
or NetFlow enable security teams to detect

141
00:07:38.880 --> 00:07:41.820
and respond to threats in real-time.

142
00:07:41.820 --> 00:07:45.930
These tools help identify anomalies in traffic patterns,

143
00:07:45.930 --> 00:07:48.600
ensuring that potential threats are dealt with

144
00:07:48.600 --> 00:07:51.870
before they can cause significant damage.

145
00:07:51.870 --> 00:07:54.810
Wireshark captures full packet data,

146
00:07:54.810 --> 00:07:57.300
including both the header and payload,

147
00:07:57.300 --> 00:08:00.090
allowing detailed analysis of the content

148
00:08:00.090 --> 00:08:03.690
and structure of each network packet, which is useful

149
00:08:03.690 --> 00:08:07.140
for investigating specific incidents or attacks,

150
00:08:07.140 --> 00:08:10.290
but capturing and storing full packet data

151
00:08:10.290 --> 00:08:13.560
can require a significant amount of storage

152
00:08:13.560 --> 00:08:15.240
and analyst time.

153
00:08:15.240 --> 00:08:19.680
So, in contrast, NetFlow captures metadata

154
00:08:19.680 --> 00:08:22.590
about network traffic, such as source

155
00:08:22.590 --> 00:08:26.640
and destination IP addresses, ports and protocol types,

156
00:08:26.640 --> 00:08:30.480
without recording the actual content of the data.

157
00:08:30.480 --> 00:08:32.730
This makes NetFlow more efficient

158
00:08:32.730 --> 00:08:35.700
for monitoring large networks over time,

159
00:08:35.700 --> 00:08:39.840
but less detailed compared to the packet-level information

160
00:08:39.840 --> 00:08:42.090
that Wireshark provides.

161
00:08:42.090 --> 00:08:46.590
So, remember, infrastructure analysis involves

162
00:08:46.590 --> 00:08:51.120
examining hardware, software, and network components

163
00:08:51.120 --> 00:08:55.320
to detect vulnerabilities or signs of compromise.

164
00:08:55.320 --> 00:08:59.820
Infrastructure analysis concepts include JTAG

165
00:08:59.820 --> 00:09:04.560
or Joint Test Action Group interfaces, host analysis,

166
00:09:04.560 --> 00:09:06.870
and network analysis.

167
00:09:06.870 --> 00:09:11.130
JTAG is a hardware interface used for testing

168
00:09:11.130 --> 00:09:13.980
and debugging embedded systems, helping

169
00:09:13.980 --> 00:09:17.520
to detect vulnerabilities at the hardware level.

170
00:09:17.520 --> 00:09:22.050
Next, host analysis focuses on examining individual

171
00:09:22.050 --> 00:09:26.310
endpoints to identify malware, misconfigurations,

172
00:09:26.310 --> 00:09:29.280
or other indicators of compromise.

173
00:09:29.280 --> 00:09:33.450
And finally, network analysis monitors data traffic

174
00:09:33.450 --> 00:09:36.660
and communication patterns to detect anomalies

175
00:09:36.660 --> 00:09:39.300
and uncover malicious activities,

176
00:09:39.300 --> 00:09:41.910
ensuring real-time protection

177
00:09:41.910 --> 00:09:45.535
for an organization's network and data.

