
Download the book Effective Threat Investigation for SOC Analysts: The ultimate guide to examining various threats and attacker techniques [Team-IRA]


Book details

Effective Threat Investigation for SOC Analysts: The ultimate guide to examining various threats and attacker techniques [Team-IRA]

Edition:
Authors:
Series:
ISBN: 1837634785, 9781837634781
Publisher: Packt Publishing
Year of publication: 2023
Number of pages: 314
Language: English
File format: PDF (converted to PDF, EPUB or AZW3 on the user's request)
File size: 24 Mb

Book price (Toman): 58,000





If you need the book Effective Threat Investigation for SOC Analysts: The ultimate guide to examining various threats and attacker techniques [Team-IRA] converted to PDF, EPUB, AZW3, MOBI or DJVU format, you can notify support to have the file converted.

Note that the book Effective Threat Investigation for SOC Analysts: The ultimate guide to examining various threats and attacker techniques [Team-IRA] is the original-language edition and is not a Persian translation. The International Library website provides original-language books only and does not offer any book translated into or written in Persian.


Book description



Table of contents

Cover
Copyright
Contributors
Table of Contents
Preface
Part 1: Email Investigation Techniques
Chapter 1: Investigating Email Threats
	Top infection vectors
	Why do attackers prefer phishing emails to gain initial access?
	Email threat types
		Spearphishing attachments
		Spearphishing Link
		Blackmail email
		Business Email Compromise (BEC)
	Attacker techniques to evade email security detection
	Social engineering techniques to trick the victim
	The anatomy of secure email gateway logs
	Investigating suspicious emails
		Investigating the email sender domain and SMTP server reputation
		Spoofing validation
		Email sender behavior
		Email subject and attached filename
		Investigating suspicious email content
	Summary
Chapter 2: Email Flow and Header Analysis
	Email flow
	Email header analysis
		Email message content and metadata
		Email X-headers
		The header that was added by the hop servers
		Email authentication
	Investigating the email header of a spoofed message
	Summary
Part 2: Investigating Windows Threats by Using Event Logs
Chapter 3: Introduction to Windows Event Logs
	Windows event types
		Security event log types
		System event log types
		Application event log types
		Other event log types
	Windows event log analysis tools
	The investigative approach for this part of the book
		HELK installation
	Summary
Chapter 4: Tracking Accounts Login and Management
	Account login tracking
		Windows accounts
		Tracking successful logins
		Tracking successful administrator logins
		Tracking logon sessions
		Tracking failed logins
	Login validation events
		Login validation Event IDs (NTLM protocol)
		Login validation Event IDs (Kerberos protocol)
	Account and group management tracking
		Tracking account creation, deletion, and change activities
		Tracking creation and account adding to security groups
	Summary
Chapter 5: Investigating Suspicious Process Execution Using Windows Event Logs
	Introduction to Windows processes
	Windows process types
		Common standard Windows processes
	Windows Process Tracking events
		Creator Subject
		Target Subject
		Process Information
	Investigating suspicious process executions
		Hiding in plain sight
		Living Off The Land (LOTL)
		Suspicious parent-child process relationships
		Suspicious process paths
	Summary
Chapter 6: Investigating PowerShell Event Logs
	Introducing PowerShell
		Why do attackers prefer PowerShell?
		PowerShell usage in different attack phases
	PowerShell execution tracking events
	Investigating PowerShell attacks
		Fileless PowerShell malware
		Suspicious PowerShell commands and cmdlets
	Summary
Chapter 7: Investigating Persistence and Lateral Movement Using Windows Event Logs
	Understanding and investigating persistence techniques
		Registry run keys
		Windows scheduled tasks
		Windows services
		WMI event subscription
	Understanding and investigating lateral movement techniques
		Remote Desktop connection
		Windows admin shares
		PsExec – a Sysinternals tool
		PowerShell remoting
	Summary
Part 3: Investigating Network Threats by Using Firewall and Proxy Logs
Chapter 8: Network Firewall Logs Analysis
	Firewall logs value
	Firewall logs anatomy
		Log Timestamp
		Source IP
		Source Port
		Destination IP
		Destination Port
		Source Interface Zone
		Destination Interface Zone
		Device Action
		Sent Bytes
		Received Bytes
		Sent Packets
		Received Packets
		Source Geolocation country
		Destination Geolocation country
	Summary
Chapter 9: Investigating Cyber Threats by Using the Firewall Logs
	Investigating reconnaissance attacks
		Public-facing IPs and port scanning
		Internal network service discovery
	Investigating lateral movement attacks
		Remote desktop application (RDP)
		Windows admin shares
		PowerShell Remoting
	Investigating C&C and exfiltration attacks
		Investigating suspicious traffic to external IPs
		Investigating DNS tunneling
		Investigating data exfiltration
	Investigating DoS attacks
	Summary
Chapter 10: Web Proxy Logs Analysis
	Understanding the value of proxy logs
	The significance of proxy log investigation
	The anatomy of proxy logs
		The source IP (src)
		The source port (srcport)
		The destination IP (dst)
		The destination port (dstport)
		The username (username)
		The log timestamp (devicetime)
		The device action (s-action)
		The response status code (sc-status)
		The HTTP method (cs-method)
		The received bytes from the server by the client (sc-bytes)
		The sent bytes from the client to the server (cs-bytes)
		The web domain (cs-host)
		The MIME type (Content-Type)
		The user agent (cs(User-Agent))
		The referrer URL (cs(Referer))
		The website category (filter-category)
		The accessed URL (cs-uri)
	Summary
Chapter 11: Investigating Suspicious Outbound Communications (C&C Communications) by Using Proxy Logs
	Suspicious outbound communications alerts
	Investigating suspicious outbound communications (C&C communications)
		Investigating the web domain reputation
		Investigating suspicious target web domain names
		Investigating the requested web resources
		Investigating the referrer URL
		Investigating the communications user agent
		Investigating the communications' destination port
		Investigating the received and sent bytes, the HTTP method, and the Content-Type
		Investigating command and control techniques
	Summary
Part 4: Investigating Other Threats and Leveraging External Sources to Investigate Cyber Threats
Chapter 12: Investigating External Threats
	Investigating web attacks
		The command injection vulnerability
		The SQL injection vulnerability
		Path traversal vulnerability
		XSS vulnerability
		Investigating WAF logs
	Investigating suspicious external access to the remote services
		Investigating unauthorized VPN and RDP access
		Investigating compromised mailboxes
		Investigating suspicious authentications to web services
	Summary
Chapter 13: Investigating Network Flows and Security Solutions Alerts
	Investigating network flows
	Investigating IPS/IDS alerts
	Investigating endpoint security solutions alerts
		Investigating AV alerts
		Investigating EDR alerts
	Investigating network sandbox and AV alerts
	Summary
Chapter 14: Threat Intelligence in a SOC Analyst’s Day
	Introduction to threat intelligence
		Strategic level
		Operational level
		Tactical level
		The role of threat intelligence in SOCs
	Investigating threats using VirusTotal
		Investigating suspicious files
		Investigating suspicious domains and URLs
		Investigating suspicious outbound IPs
	Investigating threats using IBM X-Force Exchange
		Investigating suspicious domains
		Investigating suspicious IPs
		Investigating the file hash
	Investigating suspicious inbound IPs using AbuseIPDB
	Investigating threats using Google
	Summary
Chapter 15: Malware Sandboxing – Building a Malware Sandbox
	Introducing the sandbox technology
		Sandbox types
		Sandbox installation requirements
	Required tools for analysis
		Static analysis tools
		Dynamic analysis tools
	Preparing the guest VM
		Guest preparation steps
		Tips to evade the sandbox’s detection
	Analysis tools in action
		Static analysis phase
		Dynamic analysis phase
	Hands-on demo lab
		Scanning the file using YARA
		Conducting static analysis
		Conducting dynamic analysis
		Analyzing the outputs
	Summary
Index
Other Books You May Enjoy




User comments