
Good morning. Glad to be here and glad to have you all here. I'm going to go over the life of a security analyst in our adventure, "The Ticket to Adventure: The Security Analyst's Journey." I am your dungeon master and guide, so we'll be going over the prologue of the story: how the SOC has been envisioned, the roles and expectations involved with working at a SOC and being a SOC analyst, and the typical tools and expectations required. We'll even have some encounters where we face the phishing monster, and these are based off of real incidents that we've had. The first step is always the scariest, but as a SOC analyst you're stepping into a role in IT security, and there are responsibilities levied upon you: any problem that comes up, you are there to help out the organization.

About me. Before I worked at a SOC I was with the military for, I would say, 14 years of my life; 12 years were enlisted, working from food service to military intelligence. I eventually left the military and worked as a civilian supporting cyber operations, either as a contractor or as a government civilian, and then I was like, you know what, I want to be more hands-on, so I jumped out of the government entirely to do SOC analyst work for Secureworks. So I am a senior information assurance advisor. On the side I do video game development with a Starchase theme, I am with the Blue Team Village, Distinct Pixels and Curated Intelligence, and my hobbies, as you can see, are all fantasy related, hence the way this talk is formed.

So let's go over the SOC and how SOCs are envisioned. Here you have the way that the military likes to depict it, and it does look like that at times. Then for the civilian side, you either may go this route at the very first, or you go to the middle one, which is more like an office space; that's also very common. But now that we've moved to the virtual SOC with the pandemic and everyone working from home, you're still connected through the virtual environment and you're still able to support it, and that's thanks to the cloud services that enable the SOC to continue operations.

So let's go over what a security operations center is and how it fits into the picture. It is the nexus of all security-related matters. It is the hub where everyone receives information, either from the telemetry or from the people within the organization bringing forth issues such as default credentials left in a repository, or missing computers. SOCs are generally the coordinators with other organizations, so they work with the vulnerability management team; at the SOC we work with the service desk and the Active Directory team, and those will be key players when incidents happen.

Now we want to look into how it fits in. The SOC is the eyes and ears, the extension of the policies: all the governance and IT policies that exist, it supports the actual policies, just through computer means. So the SOC uses that telemetry to see what goes on in the network, and that will come into the day-to-day life of a SOC analyst. We're going to look into this little graph here that shows how the data is processed. All the logs, endpoint data, everything is correlated, going from the preliminary investigation to the triaging; those have different layers, and that's where the tier process comes in. When they say "I need a tier 1 SOC analyst, tier 2 SOC analyst," or "L1s, L2s," those actually go back to the IT terms for the IT service management levels in ITIL Foundation, because you're still providing a service as a SOC analyst.

Now, tier zero is the automation; there's been a push to have most of those functions automated. But there's also the tier one side, the tier one analyst who takes the information, whether it is from the people that are calling in about it, or the service desk, or even the threat intel; it usually comes to them. While some actions can be automated, there's still the need to have the user provide the interaction, and then they'll start triaging which one looks more important and needs to go into investigation. That's where tier 2 comes in. Tier 2 is the investigating arm; they will investigate to prove it is either a false positive or something that needs to be escalated and responded to, but tier 2 has the ability to do root cause analysis of why that alert happened, and sometimes it may be just an IT configuration. Now we've got tier 3, who are the responders. They handle the containing/quarantining and pushing for the remediation, and they'll coordinate that update. The reason why tier 3 aligns with tier 2 to a degree is because tier 2 generally comes to tier 3 as the subject matter expert for guidance, so it's not always going to be an escalation when it comes to going from tier 2 to tier 3.

They'll ask for input from tier 3 to help them with the investigation, and tier 2 can still finish it on their own, so that's why there's a bit of a blend between the extended investigation and the containment response. Now, it's not to say that tier 2 cannot respond as well; they're limited though. Surely what I've seen in environments has generally been related to emails, which can be contained, but there are rare occasions when they can contain the host; that's not normal. Everything you do, keep a ticket. The ticket is what says you are the owner of the incident or the investigation, so if you do not have a ticket it did not count, because all the work you do, that is your receipt saying "I've done this job," and that goes into metrics, which is the dreaded word for SOC analysts: metrics, or KPIs.

Now let's meet our heroes. These are the components that are typically associated with a security operations center, typically and atypically, in different departments. The leftmost side is the typical side, from your security analysts, who are generally your L1 and L2 SOC analysts. The specialization tends to come in with the digital forensics and incident responders and threat hunters. You can count the security engineers as well, but the security engineers have a different role entirely in that component of the SOC. They are still a huge component, because they build those detections, and the SOC can eventually pivot into that once they've learned the environment long enough, as well as the tooling. Now your atypical side is your threat intelligence analysts and your malware analysts, because those are specializations that sometimes the SOC may have, but most probably won't have directly. And more remote, from what I've seen, has always been in a different department: either the red team or pen testers. Pen testers are usually an external organization, or if it's internal, it's still going to be in a different department. Each has their own particular skill sets, as
you see, the most notable thing about them. So if you want to know the most notable thing about the security analyst: they detect. If you want to know the most notable thing about threat intelligence: they attribute what actor did it.

Now we go to the expectations of a SOC analyst. As I mentioned earlier, they are the technical eyes and ears of the policies, and in most cases, if the bad guys are in the network, they act as the cyber defense and drive the bad guys out of the network. The most important thing that the SOC can bring to the table that helps the organization is bringing the recommended security controls. They are the ones that see a gap in the security measures, and that goes into why they must familiarize themselves with the policy that goes on in an organization. Each organization has a different set of priorities that they expect the SOC analyst to know, and to maintain order in the company, because the SOC is still part of security, just the cyber arm of it. That actually fits in line with the user engagement of enforcing the policy, so there is still a customer service aspect to working at a SOC. If you are not looking forward to talking to people, yeah, you're gonna have to buckle up on it, because that's part of a SOC analyst's role.

Now the technical expertise: it comes with knowing how to research, so knowing your OSINT, knowing your sources, being able to investigate, having that curiosity, being able to put those puzzles together. Another aspect of it is, as the technology evolves, you have to evolve too, because new technologies are being brought in, like the cloud services. So if you are not smart on the cloud, that's going to be in your future; I'd start getting smart on the cloud infrastructure, because that's what's going to be expected for the SOC to monitor and protect. That's just one example; we've all seen GitHub get involved.

Now the typical tools. You have your SIEM, which is your single pane of glass for the metrics that are going on in the network; you see anomalies, and the L1 typically finds what looks more worthy of doing a network traffic review, or worthy of investigating, so it's like this little dashboard here. And the SOAR, which is the security orchestration, automation and response tool. It is useful. Now, the app is typically advertised as the one-stop shop for automating all the functions of the security operations center, but realistically I've seen it mostly used as a playbook, in terms of what steps the SOC should be at, and for note taking on their actions, because while the various solutions do talk about what they can bring to the table, like automatic VirusTotal lookups, that's something we'll probably do manually regardless.

Now endpoint solutions. You've heard of EDRs and XDRs, endpoint detection and response and extended detection and response. The key difference is that the extended one has networking data that it brings in, but that's limited; I've mostly seen domain-related ones. There are some that will give you the telemetry of the actual URL, but those are very few and far between. And then you have your external tools like urlscan and VirusTotal, those awesome tools that will help you in the library.

Now we go into the day-to-day cases that we handle as a SOC. The typical ones are always phishing, network monitoring, and DLP (data loss prevention) support. The key thing the SOC is going to see day-to-day, when they check their email and see what tickets are going on: most of the things that typically happen day-to-day are dealing with policy violations, whether someone is sending an email that contains sensitive information to their personal email, which falls in line with data loss prevention support, or sometimes it's downloading unauthorized software, which can lead to a major incident, because that unauthorized software may tend to have malware, or maybe trojanized malware. But in the end it goes back to the
policy violations, because that's how they become part of the security gaps.

Atypical cases. These examples are pulled with the assistance of threat intelligence, which the company has either internally or externally through some services: website credential theft, so investigating accounts being sold on the dark web; or third-party investigations, which is more of a partnership thing, making sure the company's data is not impacted by that loss, because ransomware is everywhere at this point; 2021 has been the year of ransomware and 2022 is going strong. And then stolen devices: devices get stolen, and the SOC's arm in this is just to make sure what data was lost, like if the computer had data in it that is pertinent to the company. So those are some atypical sorts of cases, but it all goes back to having a ticket.

Now we go into the SOC encounters. In this scenario, you are the tier two SOC analyst, and I was working for a financial organization. The important consideration when handling these types of cases is when you should do the puzzle solving and when you should focus on the incident itself.

Encounter one: phishing. The L1 identified that someone clicked on a malicious link flagged by the email security analytics. So we've got here, highlighted in red, that Yogurt clicked on something from Zeon Fanboy, that email. So what do we do? The first thing to always do in an investigation is validate: validate, is it malicious; validate, did they really click on it. Mostly, the important part is, is the site malicious, because you've already got the metrics telling you that there was a click. In order to do that you have to do some information gathering, so doing the surface level: finding out the originating email, and also the scale of it. How you get the original email: either the automation tool will give it to you, sometimes you've got to get the email itself from the user, or it is collected through
third-party solutions. So we're going to use the Eye of Volcanon, that is our XDR and SIEM rolled into one; this gives us a god's-eye view into the network that we're protecting. So we've got the key artifacts here: we've got the sender, recipient, subject of the email, and the URL that was clicked, and a small render of what that email looked like: "Microsoft security warning, you have some undelivered emails, click to release them to the inbox." In order to do that, we want to look at two things: either we investigate the email itself, or we investigate where the URL is going to. Because we're focusing on the incident itself and the timeliness of the maliciousness, we're going to investigate the URL itself first.

Always use your internal tools first; whatever the company, whatever the organization gives you, use their tools first. However, some noteworthy tools that are useful externally: urlscan. Do the search function, because someone may have already dealt with this before, and you can use that to get the time of when it probably started as well; that could be useful for the CTI team. Otherwise you can also use it to validate if it's malicious or not, if it's not been done before. Yeah, you may consider biting the bullet and being the first guinea pig to do the verification of the email. And there's also VirusTotal; that's also a useful one. Now, always do it in the sandbox if you are at work. However, do not use Browserling, because Browserling will have the URI that still has the email address of the URL associated, which can be flagged by the company. I've seen it happen; it's not pretty, it involves some talks, and those are not pretty.

In this case, it renders to a very suspicious credential harvester. The threat has been confirmed. Roll initiative! Now we've got the phish, we've got the lead, and we've got the security analyst who has to react. Now it is the threat actor's first turn, and with that first turn he already has credentials, so he's gonna roll for being
able to crack into the person's account. However, he rolled a four and he failed, because why? Multi-factor authentication prevented him from being able to access the account. So now the SOC analyst has the ability to make their move and make the remediations before it gets worse.

Now the response: you're in the response phase of an incident, so in this you're going to be containing. Actually, before we move to containment, we still need to collect some information in order to identify the impacted recipients. In this case it's only been one person who received it; if you had more, you'd prioritize any clickers, and you can validate the logins with the proxy log. Even the endpoint solutions can get a tracking of how many people clicked on it, but sometimes you choose whichever is faster. Then after you do that, you do the credential reset and purging of those emails. That was the turn of the SOC analyst.

Now this is actually, so part of this has been a real response, but this has also been part of a real incident that had happened, I want to say about last year or so: the Chipotle emails were used as lures. Someone compromised the messaging service that Chipotle uses, which is Mailgun, and that Mailgun account was used to send a mass marketing email to the people that are signed up with them, but it was a phishing email. That was a very big case.

Now that the situation's been contained, you can do some post-incident analysis. This is the time where you can go back into the puzzle-solving side of things, because the information that is being collected can be sent to the CTI. Some considerations: use a text editor, because in some cases, like the one I will actually share, a case that I had with Mailgun, which I used as an example because I had to deal with that case before, the upset on my part was that I opened up the email itself, and even though the image did not
render, it still sent a callout to the tracker, but it was blocked by the proxy. This would have been like a big notice to the bad guy, like, hey, either they got some clickers, or, if they know something is more than usual, someone's probably doing some analysis. So always try to render with a text editor and review offline too, so you don't get exposed to that tracker. And yeah, also pay attention to custom headers, because that's going to be important in identifying what tool was used.

So a bit of extra credit, or bonus stage... oh no, we'll call this extra credit for now. For the extra credit, in this case we look at the example here: for the headers, it was using SPF and DKIM, pass for Chipotle, and then at the very bottom is where you see the Mailgun custom headers. So the Mailgun custom headers are useful to know what tool is being used; they're not used for attribution, because in this case that IP address goes back to Mailgun instead of the bad guy who used it, but it's good to know what tools were leveraged during that.

Now we've got to go to the bonus stage. Remember that URL that we saw, the one that was clicked on? Well, most of those URIs are generally written in base64, either plain base64 or base64 deflated, so we're going to resolve this to see where it was going, because that can actually reveal the extra IOCs involved with this. We're going to use CyberChef. CyberChef is definitely an awesome tool that every SOC analyst should have in their repository. Now if you are within the company, it's probably recommended to see if you can have it on a server of your own, or in your IT, that way the company data does not go out to the cloud. For this case we're going to put the URI in, everything after the beginning, and then, to cheat a bit, I use Magic, and then for that I want to do a Zlib Inflate. We get an extra set of IOCs that it goes out to. Oh, pause for a little breather; see the cute little critter throwing
all my weapons away. Say hi to the mimic; it'll be guarding me. Okay, now we'll move to encounter two.

Encounter two. Hours after dealing with the phishing campaign, it seemed like it was time to rest, but this time an alert picks up on the SIEM regarding a suspicious process on a business laptop. So here you now see Microsoft Office spawning an abnormal process. We go back to the audible comment to research what's going on; you can already see in here the user that was involved, Speedy Hedgehog, and the PowerShell script that triggered. Here's the PowerShell. So we go back to our old friend CyberChef; CyberChef is useful to help us, and we're going to render it, do our search, and we picked up some IOCs that are associated. You see here that it's going out to various domains, or various URLs, so it can pull out the file destinations. Draken Fern, roll initiative! This time the threat's even bigger: we've got Emotet. Now Emotet takes his first attack on
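The extra-credit header review and the bonus-stage base64/deflate unwrapping from encounter one, written out in Python as an added example rather than the CyberChef recipe the talk uses (this is not the speaker's code). The headers, addresses, the X-Mailgun header values and the hidden harvester URL are all constructed placeholders.

```python
import base64
import re
import zlib
from email import message_from_string

# Constructed sample (placeholder names, not a real message): the lure's headers, with
# SPF/DKIM passing for the abused sending platform and the platform's own X- headers.
SAMPLE_HEADERS = """\
From: "Zeon Fanboy" <noreply@sender-platform.test>
To: yogurt@corp.test
Subject: Microsoft Security Warning: undelivered emails
Authentication-Results: mx.corp.test; spf=pass smtp.mailfrom=sender-platform.test; dkim=pass header.d=sender-platform.test
X-Mailgun-Sid: CONSTRUCTED-SID-0001
X-Mailgun-Sending-Ip: 192.0.2.10

"""

# Constructed: the credential harvester hidden inside the click-tracking link, wrapped the
# way the talk describes (deflated, then base64) so the decoder below has something to unwrap.
HIDDEN_URL = "https://verify-login.harvester.test/auth?u=yogurt@corp.test"
CLICKED_URL = "https://t.sender-platform.test/c/" + base64.urlsafe_b64encode(
    zlib.compress(HIDDEN_URL.encode())).decode().rstrip("=")
URL_RE = re.compile(r"https?://[^\s\"'<>]+")


def auth_results(raw: str) -> dict:
    """spf=/dkim= verdicts from Authentication-Results; both pass here because the sending
    platform, not the attacker, signed the mail, so 'pass' alone does not clear a lure."""
    msg = message_from_string(raw)
    return dict(re.findall(r"\b(spf|dkim)=(\w+)", msg.get("Authentication-Results", "")))


def vendor_headers(raw: str) -> dict:
    """Custom X- headers tell you which tool sent the mail; they are not attribution."""
    msg = message_from_string(raw)
    return {k: v for k, v in msg.items() if k.lower().startswith("x-")}


def decode_blob(blob: str) -> str:
    """Base64-decode a URI segment, then inflate it if it was zlib- or raw-deflate-compressed."""
    data = base64.urlsafe_b64decode(blob + "=" * (-len(blob) % 4))
    for wbits in (zlib.MAX_WBITS, -zlib.MAX_WBITS):  # zlib-wrapped first, then raw deflate
        try:
            data = zlib.decompress(data, wbits)
            break
        except zlib.error:
            continue
    return data.decode("utf-8", errors="replace")


def iocs_from_click_url(url: str) -> list:
    """Try every long path/query segment of a click URL as an encoded blob and collect URLs."""
    found = []
    for segment in re.split(r"[/?&=]", url.split("://", 1)[-1]):
        if len(segment) >= 16:
            try:
                found += URL_RE.findall(decode_blob(segment))
            except ValueError:  # binascii.Error is a ValueError: not base64, skip it
                continue
    return sorted(set(found))
```

Run it against a real lure only from a copy saved with a text editor, offline, so nothing in the message fetches the tracker.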