WEBVTT

00:07.220 --> 00:12.650
In our last episode, we talked about the different network symptoms associated with malware and indicators

00:12.650 --> 00:13.430
of compromise.

00:13.430 --> 00:18.380
We discovered different perspectives on how those network symptoms could be utilized from an analytic

00:18.380 --> 00:19.130
point of view.

00:19.160 --> 00:21.380
In this course, we're going to talk about host symptoms.

00:21.410 --> 00:25.730
We're going to dive a little bit more in depth about the different indicators of compromise, and what

00:25.730 --> 00:31.790
you should know in order to prepare yourself for the CySA+ exam associated with both the Windows platform

00:31.790 --> 00:38.090
as well as the Linux platform and the overall direction you should take as an analyst in order to perform

00:38.090 --> 00:39.410
well on this exam.

00:39.440 --> 00:45.650
Host related symptoms are specific symptoms that are associated with the host or the client that the

00:45.650 --> 00:47.090
user most likely sees.

00:47.120 --> 00:53.330
Now, that doesn't just say the user as in the administrative assistant or the operations guy.

00:53.330 --> 00:55.250
It's you as the IT person as well.

00:55.250 --> 01:00.580
You need to understand that as an analyst, a lot of those symptoms that we see, we usually delegate

01:00.580 --> 01:01.900
back to the IT world.

01:01.900 --> 01:05.950
But as a cybersecurity professional, you need to be able to identify those as well.

01:05.980 --> 01:09.940
Remember, as a cybersecurity professional, you're supposed to have a background or a foundational

01:09.940 --> 01:11.710
knowledge in IT as well.

01:11.710 --> 01:16.840
And so those host related symptoms that we're going to talk about today really play a role in how you

01:16.840 --> 01:19.420
proceed with your career in cybersecurity.

01:19.450 --> 01:24.280
So the different host-related symptoms that you need to be associated with are unauthorized applications.

01:24.310 --> 01:26.440
Now, this seems pretty cut and dry, right?

01:26.440 --> 01:31.450
We're talking about applications that we didn't authorize as a company or an organization that maybe

01:31.450 --> 01:32.950
an employee put on their device.

01:32.980 --> 01:38.830
Usually this is something simple like, I don't know, Minesweeper or Solitaire, and we don't really

01:38.830 --> 01:44.350
authorize those applications usually on our company devices, because employees usually play those games

01:44.350 --> 01:47.380
instead of doing their work, and it comes from on high that they shouldn't have them.

01:47.440 --> 01:52.120
Now, while those can be nuisance applications that we need to get rid of, there's other applications

01:52.120 --> 01:54.070
that we should be aware of as well.

01:54.070 --> 02:00.900
There's licensed applications, i.e. something maybe like Adobe Acrobat, where the individual employee

02:00.930 --> 02:04.530
downloaded it and provided that application for them to do their job better.

02:04.530 --> 02:08.130
It's a licensed copy, but not licensed to the organization.

02:08.130 --> 02:09.750
This could pose legal issues.

02:09.750 --> 02:15.450
It could also pose issues where we have licenses specifically for an organization, but the employee

02:15.450 --> 02:17.310
decided to download their own version.

02:17.430 --> 02:22.800
This could pose problems with both HR where they're coming in and saying, hey, you're using your own

02:22.800 --> 02:26.940
money to buy company assets, which is not a good thing to start with.

02:26.940 --> 02:29.460
But also we don't know where that software came from.

02:29.460 --> 02:33.420
There's also unlicensed software if we take that same application.

02:33.420 --> 02:34.470
Yet they didn't pay for it.

02:34.470 --> 02:36.360
They got it off some random website.

02:36.360 --> 02:41.130
That application could potentially have unwanted malware or backdoors associated with it.

02:41.130 --> 02:43.470
So it's better just to cut that all off from the start.

02:43.470 --> 02:47.550
And that's why we don't give admin access to a lot of computer users.

02:47.550 --> 02:51.060
So unauthorized applications can include anything from Facebook.

02:51.060 --> 02:55.740
It could be LinkedIn, it could be solitaire, it could even be proprietary software that we utilize

02:55.740 --> 02:56.940
on a day to day basis.

02:56.940 --> 02:58.380
But it didn't come from us.

02:58.380 --> 02:59.760
It came from an outside vendor.

02:59.790 --> 03:04.920
These are all unauthorized applications that you need to be aware of as a cybersecurity professional.

03:04.950 --> 03:07.080
There's also unauthorized processes.

03:07.080 --> 03:13.770
This is usually indicative of malware or of an application that's behaving abnormally, that maybe was

03:13.770 --> 03:17.760
taken advantage of or updated in a way that we didn't authorize.

03:17.790 --> 03:23.190
When we talk about unauthorized processes, these processes play havoc with our internal systems because

03:23.190 --> 03:27.060
they can actually cause the operating system to crash or cause logs within the system.

03:27.060 --> 03:31.650
That's why we sandbox everything before we roll out the software to the general public.

03:31.650 --> 03:37.110
So again, unauthorized processes, usually an indicator of an unauthorized application, but it could

03:37.110 --> 03:42.570
also be an unauthorized application that's been taken advantage of or fraught with malicious activity.

03:42.600 --> 03:44.250
There's unauthorized privileges.

03:44.250 --> 03:52.200
This usually comes into play where a user or an employee has permissions that they shouldn't normally

03:52.200 --> 03:52.860
have.

03:52.890 --> 03:58.040
Usually, this is indicative of an employee that's moving from one position over to a new position,

03:58.040 --> 04:00.860
usually in promotion or even a lateral transfer.

04:00.890 --> 04:06.410
For instance, in our own world with IT or cybersecurity, if I'm a cybersecurity professional and my

04:06.410 --> 04:11.990
job is cybersecurity, but I only work on host devices, but I may transfer over to the network portion

04:11.990 --> 04:16.250
i.e. routers, firewalls, IPS, IDS, that sort of thing.

04:16.430 --> 04:21.590
I really don't need to have access to those client-based machines anymore, and my permissions should

04:21.590 --> 04:24.380
be stripped so I don't have access to those anymore.

04:24.410 --> 04:28.820
However, a lot of times what will end up happening is I get promoted or laterally transferred over

04:28.820 --> 04:33.140
and I maintain those past permissions and nobody went through and actually sliced those off.

04:33.170 --> 04:36.200
This happens more outside of IT than anywhere else.

04:36.230 --> 04:41.600
Maybe they're an administrative assistant that got moved to HR, but they maintained access to

04:41.630 --> 04:46.940
systems and folders and files and even in finances that they don't really need access to anymore.

04:46.970 --> 04:49.730
You may be thinking to yourself, okay, well, what's the big deal?

04:49.730 --> 04:50.780
They can still utilize it.

04:50.780 --> 04:52.070
They're still proficient in it.

04:52.070 --> 04:54.620
But you have to remember, we're not really worried about our employees

04:54.620 --> 04:57.010
so much. I say that with a grain of salt.

04:57.250 --> 05:00.910
But what happens if that account is taken advantage of or actually hacked?

05:00.940 --> 05:03.340
Somebody has unauthorized access to that account.

05:03.340 --> 05:09.130
We've expanded their network of availability within our own organization, which could play havoc with

05:09.130 --> 05:09.850
our systems.

05:09.850 --> 05:12.310
It's better to just give people permissions for what they need.

05:12.340 --> 05:14.560
This is where least privilege comes into play.

05:14.590 --> 05:17.560
Then there's data exfiltration.

05:17.560 --> 05:20.710
This is where data is leaving a machine in a way that was unauthorized.

05:20.710 --> 05:25.360
This can take the form of the network, where somebody is actually uploading information from their

05:25.360 --> 05:29.620
client computer to a third party website, or maybe they're sending it via email.

05:29.620 --> 05:32.440
It could also be on a USB or even an external drive.

05:32.470 --> 05:38.470
These are all problems with host-related symptoms associated with malware on a device, or malicious

05:38.470 --> 05:40.420
activity on a device that we need to be aware of.

05:40.450 --> 05:45.910
As an analyst, you need to be associated and aware of these different layers and understand that the

05:45.910 --> 05:47.320
rules are the rules are the rules.

05:47.320 --> 05:49.870
There are no special permissions when it comes into play.

05:49.900 --> 05:55.270
Unauthorized privileges, processes, applications and data exfiltration are common problems that you

05:55.270 --> 05:59.530
should expect to see as a data analyst or as a cyber analyst within this role.

05:59.770 --> 06:00.850
Host-related symptoms.

06:00.850 --> 06:07.360
On the processes side, we can see here a screenshot of a Windows processing system where it identifies

06:07.360 --> 06:12.550
very quickly the different processes associated within the confines of a CPU.

06:12.580 --> 06:19.480
You can identify the different CPUs as well as the network related traffic associated with the host.

06:19.510 --> 06:24.460
Now, oftentimes when it comes to network-related traffic, we look at the baseline activity of the

06:24.460 --> 06:25.450
network as a whole.

06:25.450 --> 06:27.850
And we identify indicators of compromise like that.

06:27.880 --> 06:29.530
And we talked about that last course.

06:29.530 --> 06:31.720
But what about a single host machine?

06:31.720 --> 06:35.950
If I've got a single host that is all of a sudden producing five times the amount of traffic that it

06:35.950 --> 06:37.840
normally would, that's a problem.

06:37.840 --> 06:40.480
And that's an indicator of compromise we need to be aware of.

06:40.510 --> 06:47.830
This could also be associated with specific processes or even client traffic that's being utilized

06:47.830 --> 06:49.240
for data exfiltration.

06:49.270 --> 06:54.690
A lot of the symptoms that you see here, especially in the process, network or memory, are indicative

06:54.690 --> 07:01.620
of a machine going and doing different aspects of its applications in ways that we normally

07:01.620 --> 07:02.520
wouldn't see.

07:02.550 --> 07:07.710
For instance, if I'm an administrative assistant, my memory should not be ticking up to overflow maximums,

07:07.710 --> 07:08.100
right?

07:08.100 --> 07:10.050
I'm just using office and email.

07:10.050 --> 07:11.610
I'm not watching YouTube videos.

07:11.610 --> 07:13.410
I'm not playing the latest video games.

07:13.410 --> 07:16.380
I'm not doing all those things that are going to stress out my system.

07:16.380 --> 07:20.370
And so my memory should be at a baseline level of about 50%.

07:20.400 --> 07:27.120
However, in this you can see where we have extenuating circumstances, where our memory is skyrocketing,

07:27.120 --> 07:30.030
meaning that it's utilizing way more RAM than we should.

07:30.030 --> 07:35.280
And we can also see our CPU is at a minimal level, but starting to see a peak right at the end.

07:35.310 --> 07:38.040
These are all indicators of compromise within a machine.

07:38.070 --> 07:40.350
Does it mean that there's necessarily a problem?

07:40.350 --> 07:40.650
No.

07:40.650 --> 07:45.990
It could be legitimate traffic where an organization is downloading a new piece of software.

07:45.990 --> 07:50.160
Or maybe they're profiling a new software that they want to utilize.

07:50.160 --> 07:52.330
And that's causing the machine to override.

07:52.330 --> 07:57.730
We just need to be aware of it and then embark on an investigation to identify is it legitimate traffic

07:57.730 --> 07:59.170
or is it malicious traffic?

07:59.170 --> 08:00.940
And those come from a host related machine.

08:00.940 --> 08:06.520
In both ways, we can also see the different symptoms associated with it in a client-based atmosphere,

08:06.550 --> 08:09.550
abnormal process behavior, which we've already beaten to death.

08:09.610 --> 08:15.430
That comes into play of where the process is coming into play, and how does it interact

08:15.430 --> 08:17.620
with other processes on our environment?

08:17.620 --> 08:19.120
There's file system changes.

08:19.120 --> 08:24.340
If we have our file systems suddenly moving around and changing, that's a problem.

08:24.340 --> 08:29.500
We expect to see minor influxes in file system changes where somebody goes in and they're like, oh,

08:29.500 --> 08:32.260
well, this file name isn't something that I like.

08:32.290 --> 08:33.970
So let's change it to this file name.

08:33.970 --> 08:41.080
Or creating a new file within our desktop system to incorporate new work or new business features

08:41.080 --> 08:42.370
within our environment.

08:42.370 --> 08:43.810
That's all perfectly normal.

08:43.840 --> 08:49.660
But if we start to see System32 within a Windows environment suddenly changing its

08:49.660 --> 08:51.270
file names or adding to it.

08:51.270 --> 08:57.480
Or maybe the size is changing dramatically, either for lesser files or more data.

08:57.510 --> 08:58.740
That could be an issue.

08:58.770 --> 09:03.840
Whenever we look at file system changes on a host machine, we really need to concentrate on the fact

09:03.840 --> 09:05.790
of, is this legitimate traffic?

09:05.790 --> 09:09.720
Because 90% of the time it's not, not within a file system structure.

09:09.720 --> 09:15.000
And so if we start to see changes within our file system, we need to lock that down fairly quickly

09:15.000 --> 09:17.790
and maybe even have a knee jerk reaction associated with it.

09:17.820 --> 09:19.800
There's registry changes as well.

09:19.800 --> 09:23.640
If we see a registry being changed again, there could be a legitimate purpose for it.

09:23.640 --> 09:27.990
But more often than not, our average everyday user is not going to have that capability.

09:27.990 --> 09:32.040
And so if we see a registry change, we want to lock the system down because that is an indicator of

09:32.040 --> 09:32.850
compromise.

09:32.850 --> 09:36.600
There's unauthorized scheduled tasks, usually within a Windows environment.

09:36.600 --> 09:39.330
We schedule the task to take place.

09:39.330 --> 09:43.920
We are updating the machines, usually during the maintenance window. If we see unauthorized scheduled

09:43.950 --> 09:49.200
tasks where something comes into play and it's unauthorized, or a task comes into play, say at

09:49.200 --> 09:53.010
10 p.m. rather than 2 a.m. that could be an indicator of compromise.

09:53.010 --> 09:57.470
The same thing if it happens at 8 a.m. in the morning and our maintenance window is, say, 10 p.m.

09:57.470 --> 10:00.270
to 6 a.m., that could be an indicator of compromise.

10:00.300 --> 10:03.180
Well, it doesn't necessarily mean there's malicious activity going on.

10:03.180 --> 10:04.860
It could develop towards a trend.

10:04.860 --> 10:10.860
And that one point could be indicative of a problem within the overarching system.

10:10.860 --> 10:12.600
So we just need to be able to keep an eye on it.

10:12.600 --> 10:17.280
And if we see these changes all taking place simultaneously, that's a big indicator of compromise that

10:17.280 --> 10:19.620
we need to really investigate as soon as possible.

10:19.650 --> 10:23.550
Throughout this course, we talked about the different host-related symptoms and how they interplay with

10:23.550 --> 10:24.360
the networking.

10:24.390 --> 10:30.180
We identified how those hosts and those symptoms that we utilize in an indicator of compromise atmosphere.

10:30.180 --> 10:37.050
We also looked at how the systems as a whole really played with malicious activity, and what we should

10:37.050 --> 10:37.920
keep an eye on.

10:37.950 --> 10:42.510
You have to remember, just like networking, hosts are no different, and sometimes there's traffic

10:42.510 --> 10:46.740
that's legitimate and sometimes there's traffic that obviously is unauthorized.

10:46.770 --> 10:52.790
The important part of an analyst is to understand what permissions each user has and what's the

10:52.790 --> 10:54.620
normal within that atmosphere.

10:54.650 --> 11:00.680
Obviously, if a normal system behaviour is to change file systems on a regular basis, that's not really

11:00.680 --> 11:01.850
an indicator of compromise.

11:01.850 --> 11:05.930
But if I have a laptop that hasn't been changed in three years and all of a sudden it's doing massive

11:05.960 --> 11:09.530
updates that we're unaware of, that's a big indicator of compromise.

11:09.560 --> 11:14.360
It really comes down to common sense versus technical skill, and that's really where your part comes into

11:14.360 --> 11:15.500
play as an analyst.

11:15.530 --> 11:20.420
You need to be able to mix that common sense theoretical understanding with the technical perspective

11:20.420 --> 11:21.500
of what you're seeing.

11:21.530 --> 11:23.120
CySA+ is no different.

11:23.120 --> 11:28.640
You're going to expect exam questions such as, hey, you identified your CPU or memory being high.

11:28.670 --> 11:29.780
What are the next steps?

11:29.780 --> 11:31.280
Should you A) investigate?

11:31.310 --> 11:32.660
B) Lock it down.

11:32.690 --> 11:33.800
C) Ignore it.

11:33.800 --> 11:35.270
You kind of get the point.

11:35.270 --> 11:39.920
Those different types of test questions you need to be familiar with, and be able to quickly identify

11:39.920 --> 11:41.480
what direction you should be able to go.

11:41.510 --> 11:46.760
Usually those questions are scenario based, and so just take the scenario from a common sense perspective

11:46.760 --> 11:47.990
and you should be fine.
