
The Ticket to Adventure: A Security Analyst's Journey (2025 Edition) - Danny Henderson Jr

BSides Bournemouth · 28:59 · 63 views · Published 2025-09
About this talk
Talk Title: The Ticket to Adventure: A Security Analyst's Journey (2025 Edition)
Speaker: Danny "B4nd1t0" Henderson Jr
Abstract: Attendees will gain insight into a "Security Operations Centre" (SOC): how they operate, and where it fits within the grand scheme of a supported organization. Additionally, attendees will learn what is generally expected of a Security Analyst from a 'role within the organization' standpoint as well as in technical expertise. In an effort to demystify the SOC, the speaker will share the typical day-to-day life and what kind of typical cases they may encounter. There will even be two example cases shared from a real incident to highlight the day-to-day activities that a Security Analyst could encounter. The speaker will share cost-effective ways for interested analysts to develop their skills and the career progression, and will close with advice for more junior analysts as they get involved.
This talk was recorded live at BSides Bournemouth 2025 on 16th August 2025, a community-driven cybersecurity conference bringing together researchers, practitioners, and enthusiasts to share knowledge, skills, and ideas.
Learn more: https://bsides-bournemouth.org/
Connect with us: https://www.linkedin.com/company/bsid...
Stay tuned for more talks from the event, and don't forget to subscribe for updates!
Transcript [en]

...my friend Danny, who came over from the Czech Republic, wasn't it? >> Yes. >> Yeah. So he's a brilliant, good friend of mine for several years. He's a great analyst. You're going to hear about a bit of his journey and how he got to where he is. So give him a welcome. [Applause] Welcome everyone. Welcome everyone. All right. So actually, just to get a gauge of people, how many people have worked in a SOC before? Okay, good. We got some good hands. How many people are looking to work in a SOC? Okay, we got a couple of hands. Cool. This is for you. So it's

less about me per se, but more of what an analyst will do on a day-to-day basis. We're looking at their circle, the circle of life. Part of it is from my experience. So let's take the adventure together. I am your DM, B4nd1t0. That'd be dungeon master for some, but game master for others. So, just a quick overview. We're going to go through how the SOC is envisioned, going through an overview and various expectations, and we will have a couple of scenarios and ways for people to upskill.

Oh, there we go. So, let's start off with the beginning of the adventure. The first step is always the scariest. So we're all going to take this journey together in the SOC life. So, just a bit about me. You can see most of the stuff in the slides, but I'll cover some things that aren't covered. So, before, I was in the military, but that was not the start of my career. I did food service, fitness center, lodging. So it's all customer service related jobs that I did, and then I went into more of operational support for various aircraft. So that's my background. And you can see

a couple of things like communities: the Blue Team Village. If you all went to DEF CON, the Blue Team Village had their workshops, which counted their CTFs. Those are the ones that I usually help out with. So, let's go into the deal. The SOC is envisioned in so many ways. You always see this in the movies where you have your multiple screens and dashboards up, seeing the world, and then you have your office space, which is more of the reality. But over the years we have now gone into more of a virtualized SOC where it's work from home and you're working from your computer. So let's start with what a SOC is. It's the

hub. It is the central nexus where all the analysts are working to monitor the network. They use the telemetry, every log from every resource within the company, to get a view of what's going on in the network, because that is how we see things. We need to be able to touch that data to be able to act on it, and sometimes the SOC acts as coordinators. So when it comes to the incident response, there will be a coordination side with the IT support, the vulnerability management and other organizations, and we have this nice little people, process and technologies, which brings the who, the means and the how, and that's

our way, the road to success. As a SOC, you are the technical eyes and ears of the policy. Where there's a policy, you are looking through that telemetry to find the violations of policies that can lead to security incidents.

So the model of this: when you hear tier one, tier 2, tier... sorry, L1, L2, L3, this mirrors the process for how the service desk operates because it's part of that IT service management aspect. So that's why you hear that. And so we'll go to tier zero, which is generally automated. Those are the ones where there are going to be inputs that go into the ticket process. And those inputs are generally automated. And tier one is going to be where that linking, scoring, ranking goes, because the tier ones are the ones that are looking at the dashboard and will manually find something. Now, I've

worked in a couple of places where there's a reason why these intersect, because the tier zero and tier one were all automated. I worked in a couple of organizations that automated that process. So they needed L2s. So those will be the scoping and enriching and just validating what goes on in the network. And then once they validate it, that can be raised to an incident that requires the containing and responding. Now there's an intersection between two and three because sometimes the tier 2 will have some limited capabilities too, due to isolation, generally emails from what I've experienced. And this is very important. Everything you do, you need a receipt. Everything you do is with a

ticket. The ticket is your receipt. The ticket says you did the job. If you lose it, it never happened. So always carry a ticket. And these are our heroes. These are the various positions within a SOC. You have your security analyst, incident responder, forensics examiners. And then you have the more atypical components such as threat analysts and malware analysts. Now technically these are part of the supporting role with a SOC, but they are generally different departments, which is going to be your penetration testing and red team, or they could combine it into one function.

There are a lot of technologies and a lot of expectations that are required for an analyst. If you look at the confused analyst and look at all of these various domains, this goes back to: sometimes you're going to be the jack or jill of all trades. You're going to have to know how to understand those domains and how to respond to them. You may have heard from our keynote speaker that she had the role of the jack or jill of all trades, and that's the role that a SOC analyst will always have. You can specialize eventually, but you're going to be expected to be that all trades, and at that role you're

the eyes and ears of everything that goes on in the organization. You have the ability to see what goes on and if it's a violation or if it leads to an incident. Cyber defense is that aspect, and sometimes you need to improve the capabilities. If there's a gap, you can make recommendations to improve the security controls. You can make recommendations to improve the process based off those observations and that telemetry to prove it. And this is non-escapable for those that do not want to interact with people and would rather be in computers: you're going to be interacting with a lot of people. You're going to be

talking to the users sometimes. You're going to be talking to the stakeholders sometimes. So there's that coordination function. And there's that customer service function that is really expected of people. And just as I mentioned, on the right side there are those emerging technologies. The latest one is artificial intelligence. Another one before then was cloud, and going further back, which exists from the old age but is coming back to bite some organizations, operational technology, because it's old technology that is still required to operate because of the impact it has physically. And also research capabilities are very important: being able to research emerging threats, research the vulnerabilities. Those are all important skills to

have as a SOC analyst. So we go over typical tools. We have our SIEM, our EDR, XDR, gateway, SOAR. The SOAR is generally what helps automate some of the processes. That could sometimes be your ticketing system, which generally is going to show all the steps that you do. Sometimes it's going to be part of your playbook so you can document everything you've done in there. And then there are some external analysis tools that are very important to your library of capabilities.

Our tool, however, is going to be our fantasy tool called the Eyes of Fcana. This is our SIEM. This handles everything for our organization that we're all part of. So, what does a day-by-day look like? A typical day: email investigations. There's phishing. There's phishing every day. There are bad guys sending emails every day. Sometimes it's mostly just scam. Sometimes spam. Sometimes worse. Policy violations. It happens. No matter how good your organization is, there are still people that try to either do things to get by on their job or sometimes they do deliberate violations. Network monitoring, that's part of the role. Part of the role is looking for

anything bad happening, and sometimes data loss prevention support. It's becoming more important to support data. That's one of the domains, because with GDPR and other aspects, the SOC's job is to protect that data for every company. And atypical cases have been website credential theft, which is going to be more likely now with stealers, which will be talked about. But as two of our keynote speakers actually have touched on, third party investigations, because there's a lot of trusted connectivity. There are trusted relations where sometimes those third parties are responsible for phishing because their accounts got compromised. And stolen devices, because sometimes the SOC

needs to know what got stolen because that may be going up to the leadership. So, the evolving climate. Over the years we have seen companies that are primarily security companies go from offering various services and capabilities to more of the software as a service in development, which you can see on the bottom right, the various types of solutions that exist, and many of those companies have gone to that. Then there is a growing need to understand your organization's environment, and that includes the policies, not only just the policies but the entire infrastructure, what's more important. And lately, with the change of that model going towards the MDR side,

organizations are now investing in their internal SOC to have that capability: people that work in their network to understand it. So this is borrowed from the pyramid of pain. However, this is more of an observation frequency triangle, as the bottom are the most frequently observed. So legacy malware such as keyloggers from 2009, 2011, those types of legacy malware you often see in the systems; phishing, and some rising ones are quishing and stealers. And the reason why the other two are on top is you will rarely observe them, but that doesn't mean you need to be complacent. This is just the frequency of what you

see day to day.

And here's the typical common initial point of compromise. You typically have phishing; advertisements have been a growing thing. And the one thing that's not talked about is that people will have USBs for their job that are needed. You can try to block it all, but people will still need to do that for part of their job. Unfortunately, there are some violations that can happen and they will introduce malware into the network, and also service exploits. So we have our domains: email, web app, computer, and network. So we're going to go into one of our examples. You are a tier 2 analyst working for a financial organization. There are important considerations to how

we do this job. Our SIEM detected a malicious phishing that happened on the network. Let's look at our tool. Well, first, no. So this is important. We need to validate what happened, because sometimes it could be a false positive, because there could be some legitimate links. So surface level and scale: those are the two aspects for the information gathering. And then you can collect the emails either with the automated capability, get it from the user, or the reporting tool. So we look at our Eyes of Fcana. We have this little message that we collected. So for a deeper analysis, we're going to

validate this. We have some tools that we can use. We have some options over toolcraft: urlscan or an interactive sandbox. We're going to do the interactive sandbox. Ding. As the arrow points. So in the sandbox you have the initial page from the link. Then it redirects over to a part that appears to be like the end of the first phase, where when you click on that it's going to request you to fill out an email to retrieve a document. What's interesting about this is that there's an interactive challenge where they use Cloudflare to verify that it's a human operating it rather than a sandbox, and then once it's validated,

threat confirmed. For initiative, we have a bad guy. So in this response, we want to do a collection. We want to review what's going on: impacted recipients. Then we need to prioritize the ones that actually clicked the link, because you may have gotten the alert from one of the users, but it could have been more that clicked on it. And to do that you can use the network logs, the proxy logs, to see if they went to the final payload website. Then it's going to be treated as if it was compromised, and reset those credentials and purge the emails. As you see in the bottom, there were indications that the person tried to log

in, but MFA prevented the access. So we have some post-incident analysis that you can do. So, some email considerations when you're examining emails. Having a text editor can be helpful. And doing it in a sandbox and reviewing offline is also very helpful, because sometimes those emails can have trackers. So if you're clicking on it, it can still reach out to the enemy, let them know that someone accessed the email, and validate their target, even though it may not be the intended target. So, let's do some extra credit. So, we have some indicators of compromise. In

this case, there were multiple links. They were attached to each other in a chain for redirection. But there's some more we can gather. At the end of that first phase, there was a second one. And the second one had something very interesting, which we can go to in our next one. Next tool of the trade: urlscan, particularly the search function. Always use the search function to see if someone else did it, because nine times out of 10 there will be someone else who did that research. In this case, we have the malicious domain mislic

in the document object model. Scrolling down, here is a script that will require some decoding. So, extra credit on the puzzle solving. How are we going to do this? Well, we're going to have a new tool. We're choosing CyberChef for this. We have the entry. We have that data. We're going to decode it: remove the null bytes and turn it from hex, and we gathered this malicious domain as the hidden one; that was the one that did the challenge. So there's some reflection on this. Over the years there's been an increased use of redirectors from the bad guys, and now they're starting to see more of the uses of Cloudflare's

challenge function to make sure that they have a human, because sometimes there are some sites that have malicious payloads and trying to access it directly will be denied because the challenge was not fulfilled, in order to prevent analysts from acquiring that data. So, we do a little breather. Breathe it. How y'all feeling? How y'all feeling? Cool. Cool. We're going to jump into the next one. Just after dealing with a phishing campaign, it seemed like a good time to rest. Woo! No, no, no. There's another alert that popped up on a business laptop. There's a suspicious process running. Through our Eyes of Fcana we can see that there's something going on saying undertale

had gone to some... clicked on something, and there appears to be a strange "I'm not a robot" reCAPTCHA verification and some PowerShell command running. There was an initial bit of investigation here that there was no file seen when observing what happened on the laptop through the tool. We're trying to see if there was something dropped. There were no indicators that a file was dropped in there. So we had to do some digging deeper. We have a couple of the malicious artifacts on the left side here as something to document. So, we're going to revisit CyberChef for that PowerShell

badness. We got some more indicators here. Threat confirmed this time. New bad guy for initiative. Now, this is a stealer. This is a stealer that we're dealing with now. And we have to treat this as we do all the hostile malware. This will generally be escalated to the L3 at this point. As an L2, this will be escalated to the L3 for response. Generally, it's going to be isolation, scoping based off of those IOCs to see how far that spread, if anyone else had clicked on, had operated the malware, and we're going to contain it. We're going to contain the threat,

disable it. Sometimes you'll have to disable the user account and notify your leadership and the managers of the person as to why they're not able to work for the time being. So this situation is actually part of ClickFix, which was originally known as fake CAPTCHA. This was seen back in late 2024, October, which conducts a clipboard hijacking. So it was mentioned that browsers are not safe anymore, and part of the reason is that there are some websites that do the clipboard hijacking, and this is involving Lumma Stealer and AsyncRAT. Stealers are growing to be the bigger threat. For

those that don't know, info stealers target the browser credentials, but sometimes they will go after your Discord and cryptocurrency wallet keys. They look for anything that can be captured and sent to the dark web, and they're rising in popularity due to the decrease of botnets. So remember TrickBot; Operation Endgame ended that. Emotet, that was also dealt with before, and with the fall of botnets it's becoming easier to use stealers to get those for legitimate initial access. So one report from Check Point is that from the Russian Market, Lumma Stealer was one of the biggest dealers. Another big stealer long ago was

actually Vidar, that has some presence, and RedLine. RedLine was another one. But the situation with stealers has gotten so bad that the mainstream started covering it back in June, that you have 16 billion login credentials to multiple platforms, Apple, Facebook and Google. So the SOC, we have our work cut out for us. And here's a detection that I actually created myself to find these types of indicators. Now, there's going to be some testing and validation needed for those, because you'll find... so this is to find someone who put in a URL within the Run dialog.

Well, you may find that someone actually does open the Run dialog and puts in a regular link, so that will flag. We have a victory. So let's look at how we can progress ourselves. The term that is also thrown around these days is upskilling. So how do we handle some of these domains, all the domains of the various technologies that we have to keep apprised of? The ones on the left are considered more the fundamentals, and that can be handled through a couple of training platforms. So Antisyphon SOC Core Skills is one of them, Security Blue Team and TryHackMe. There are two that I've seen in cloud: Pwned Labs and

Zentra. Those offer training courses and boot camps. And for affordable ranges there is a plethora of them, but I'm going to call your attention to two, because our keynote speaker mentioned TryHackMe, but there are also two that I want to point out: CyberEDU was developed in Romania and it's a good platform to work with, and an additional one, DFIR Labs. The DFIR Report developed the DFIR Labs, which gets you doing an incident response going through their CTF. And for AI, there's grace one that was recently talked about by a couple of people as well. So these are ranges for you to work

with. So how do we level up in our life? So there are phases in here. SecOps creation is going to be: you're just an analyst that's handling it all. But as the SOC matures, there are going to be roles that get fulfilled up to the advanced function and specializations, where you can go from the simple SOC analyst to threat hunter and even build up to reverse engineer, forensics, various roles. This is the way that an analyst can level up in their skills going into various roles. So, some outlook. Familiarization with your environment is going to be very important. Documenting your validated process so others can

learn from it. That builds a repository for the playbooks, and automation will continue to be the forefront as part of the process improvement and capabilities. That's the future we're going towards. And these are my references and some special thanks to some of the people who did artwork and pixel art for me. So I've got to give them some credit for that. And here you can find me. Unfortunately, I'm not bringing the full ensemble this time. So compared to the one on the bottom right, that's only partial. But y'all can forgive me. Questions. [Applause]
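As an added example (not code from the talk or the speaker), the following Python script works through the response steps of the first scenario: recovering the hidden challenge domain by dropping the null bytes and converting from hex, then using proxy logs to rank the impacted recipients by whether their host reached the final payload site. All domains, users, IPs and log lines are constructed placeholders, and the hex blob is built inline rather than taken from a real page DOM.

```python
"""Phishing-response triage (added example; constructed data, not the talk's code).

Step 1 recovers the hidden challenge domain from a hex blob the way the talk
does in CyberChef (drop null bytes, convert from hex). Step 2 reads proxy logs
and ranks recipients by whether their host reached the final payload site.
"""
import re

# Constructed stand-in for the script blob found in the page DOM: the URL is
# UTF-16LE encoded (hence the null bytes) and hex encoded, built here offline.
HIDDEN_SCRIPT_HEX = "https://final-harvest.example/challenge".encode("utf-16-le").hex()

def decode_hidden_domain(hex_blob: str) -> str:
    """Hex-decode, strip the null bytes, and pull the host out of the URL."""
    text = bytes.fromhex(hex_blob).replace(b"\x00", b"").decode("ascii", "replace")
    m = re.search(r"https?://([\w.-]+)", text)
    return m.group(1) if m else ""

# Redirect chain as the sandbox revealed it: lure -> hop -> final page.
REDIRECT_CHAIN = ["lure.example", "hop.example", decode_hidden_domain(HIDDEN_SCRIPT_HEX)]

# Constructed recipient list mapped to each user's workstation IP.
RECIPIENTS = {"alice": "10.0.0.11", "bob": "10.0.0.12", "carol": "10.0.0.13", "dave": "10.0.0.14"}

# Constructed proxy log: timestamp src_ip host path status
PROXY_LOG = """\
2025-08-16T09:01:10Z 10.0.0.11 lure.example /doc 302
2025-08-16T09:01:11Z 10.0.0.11 hop.example /c 302
2025-08-16T09:01:12Z 10.0.0.11 final-harvest.example /login 200
2025-08-16T09:03:00Z 10.0.0.12 lure.example /doc 302
2025-08-16T09:03:01Z 10.0.0.12 hop.example /c 403
2025-08-16T09:10:00Z 10.0.0.13 intranet.example /home 200
this line is malformed and must be skipped
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")

def parse_proxy_log(text: str) -> list:
    """Parse log lines into dicts; malformed lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, src, host, path, status = m.groups()
            events.append({"ts": ts, "src": src, "host": host,
                           "path": path, "status": int(status)})
    return events

def triage(recipients: dict, events: list, chain: list) -> dict:
    """Map each recipient to 'received', 'clicked' or 'credential-reset'.
    A 200 from the final payload site means treat the user as compromised
    (reset credentials, purge the email); any other hop in the chain is a click."""
    ip_to_user = {ip: user for user, ip in recipients.items()}
    result = {user: "received" for user in recipients}
    for ev in events:
        user = ip_to_user.get(ev["src"])
        if user is None or ev["host"] not in chain:
            continue  # not a recipient, or unrelated browsing
        if ev["host"] == chain[-1] and ev["status"] == 200:
            result[user] = "credential-reset"
        elif result[user] == "received":
            result[user] = "clicked"
    return result

def reset_queue(recipients=RECIPIENTS, log=PROXY_LOG, chain=REDIRECT_CHAIN) -> list:
    """Recipients ordered most-urgent first, for the containment ticket."""
    order = {"credential-reset": 0, "clicked": 1, "received": 2}
    verdict = triage(recipients, parse_proxy_log(log), chain)
    return sorted(verdict, key=lambda u: (order[verdict[u]], u))
```

Bob's host reached an intermediate hop but was refused at the next one, so he is queued as a click to confirm with the user, while Alice's host got a 200 from the final page and goes straight to credential reset.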