- Define “ Antivirus (AV) “:, - Software capable of detecting and removing virus infections and (in most cases) other types of malwares, such as worms, Trojans, rootkits, adware, spyware, password crackers, network mappers, DoS tools, and others., - Define “ Host-based IDS/IPS (HIDS/HIPS) “:, - A type of IDS or IPS that monitors a computer system for unexpected behavior or drastic changes to the system's state on an endpoint., - Define “ Endpoint Protection Platform (EPP) “:, - A software agent and monitoring system that performs multiple security tasks such as anti-virus, HIDS/HIPS, firewall, DLP, and file encryption., - Define “ Endpoint Detection and Response (EDR) “:, - A software agent that collects system data and logs for analysis by a monitoring system to provide early detection of threats., - Define “ User and Entity Behavior Analytics (UEBA) “:, - A system that can provide automated identification of suspicious activity by user accounts and computer hosts., - UEBA solutions are heavily dependent on advanced computing techniques like artificial intelligence (AI) and machine learning (ML)., - Many companies are now marketing advanced threat protection (ATP), advanced endpoint protection (AEP), and NextGen AV (NGAV) which is a hybrid of EPP, EDR, and UEBA.

- Define “ Sandboxing “:, - This is a computing environment isolated from a host system to guarantee that the environment runs in a controlled, secure fashion and that communication links between the sandbox and the host are usually completely prohibited., - Used to:, - Determine if the file is malicious, - Determine effects on the system., - Identify dependencies, - Sandboxing allows you to quickly test malware in multiple environments., - Define “ Features of sandboxing tools “:, - Monitor system changes, - Identify process changes, - Monitor network activity, - Monitor system calls, - Create snapshots, - Record file creation/deletion, - Dump virtual machine’s memory, - The sandbox host (virtual machine) should not be used for any other purpose except malware analysis., - Common Sandbox Tools:, - Define “ FLARE VM “:, - This allows you to run a Windows binary on the system and see what the status is and all the different changes the malware is doing., - Define “ Cuckoo “:, - Allows you to automatically run different malware samples and see what they do inside of a Linux, Windows, or a Mac environment., - Define “ Joe Sandbox “:, - This allows a security research or cybersecurity analyst to analyze and understand the behavior of malware samples in a safe and controlled environment., - Joe Sandbox emulates the environment of a real computer and allows malware samples to be run and analyzed in a safe and isolated environment., - One of the key features of Joe Sandbox is its ability to detect and analyze malware across multiple platforms, including Windows, Mac OS, Linux, and Android., - Joe Sandbox provides a user-friendly interface to easily view and analyze collected data from these malware samples., - Another important feature of Joe Sandbox is the ability to automatically classify malware based on its behavior.), - For complex analysis, you may need to create a honeypot lab with multiple sandboxed machines and Internet access to study malware and its C2.

- Define “ Reverse Engineering “:, - This is the process of analyzing the structure of hardware or software to reveal more about how it functions., - A malware reverse engineer can determine who actually wrote the code by learning their patterns., - Malware writers often obfuscate the code before it is assembled or compiled to prevent analysis., - Define a “ Disassembler “:, - This is a computer program that translates machine language into assembly language., - Define a “ Machine Code “:, - This is the binary code executed by the processor, typically represented as 2 hex digits for each byte., - Define a “ File Signature (or Magic Number)”:, - This is the first two bytes of a binary header that indicates it file type., - This is the first two bytes of a Windows portable executable file (EXE, DLL, SYS, DRV, or COM), it will always start with 4D 5A in HEX, MZ in ASCII, or TV in Base64 encoding., - Define “ Assembly Code “:, - This is the native processor instructions used to implement the program., - Define a “ Decompiler “:, - This is a software that translate a binary or low-level machine language code into higher level code., - Define a “ High-level Code “:, - This is a Real or pseudocode in human readable form that makes it easier to identify functions, variables, and programming logic used in the code., - This is a Real or pseudocode in human readable form that makes it easier to identify functions, variables, and programming logic used in the code., - Reverse engineers attempt to identify malware by finding strings to use as a signature for rule-based detection., - Define “ Strings “:, - Any sequence of encoded characters that appears within the executable file., - If the malware contains a string with a function called InternetOpenUrl and another string that is a URL, you can reasonably guess that it probably attempts to download something from that web address., - The Strings tool will dump all strings with over three characters in ASCII or Unicode encoding., - Define a “ Program Packer “:, - A method of compression in which an executable is mostly compressed and the part that isn’t compressed contains the code to decompress the executable., - A packed program is a type of self-extracting archive., - REMEMBER:, - Just because a program is packed, that doesn’t mean it is malicious since many proprietary software also uses packing to deter theft and piracy., - Until it is unpacked, packed malware can mask string literals and effectively modify its signatures to avoid triggering signature-based scanners.

- Define a “ Exploit Technique “:, - This describes the specific method by which malware code infects a target host., - Most modern malware uses fileless techniques to avoid detection by signature-based security software., - How does an APT use modern malware to operate?, - Dropper or downloader, - Maintain access, - Strengthen access, - Actions on objectives, - Concealment, - Define “ Dropper “:, - Malware designed to install or run other types of malwares embedded in a payload on an infected host., - Define “ Downloader “:, - This is a piece of code that connect to the Internet to retrieve additional tools after the initial infection by a dropper., - Define “ Shellcode “:, - EXAM TIP:, - Shellcode originally referred to malware code that would give the attacker a shell (command prompt) on the target system, but for the exam use the more generic definition provided previously., - Define “ Code Injection “:, - Exploit technique that runs malicious code with the identification number of a legitimate process., - What are some other techniques?, - Masquerading, - DLL Injection, - DLL Sideloading, - Process Hollowing, - Droppers are likely to implement anti-forensics techniques to prevent detection and analysis., - Define “ Living Off the Land “:, - This is an Exploit technique that use standard system tools and packages to perform intrusions., - Detection of an adversary is more difficulty when they are executing malware code within standard tools and processes.

- Threat hunting and security monitoring must use behavioral-based techniques to identify infections., - Define and Categorize “ Sysinternals “:, - A suite of tools designed to assist with troubleshooting issues with Windows, and many of the tools are suited to investigating security issues., - This is a Process Explorer can filter out legitimate activity (known-good) to look for signs of anomalous behavior., - You must first understand what legitimate processes are used by a system to identify the suspicious ones., - Define and Categorize “ Legitimate processes “:, - System Idle (PID 0) and System (PID 4):, - kernel-level binaries that is the parent of the first user-mode process (Session Manager SubSystem – smss.exe)., - Client Server Runtime SubSystem (csrss.exe):, - Manages low-level Windows functions and it is normal to see several of these running (as long as they are launched from %SystemRoot%\System32 and have no parent)., - Define “ WININIT (wininit.exe) “:, - Manages drivers and services and should only have a single instance running as a process., - Drive and Categorize “ Services.exe “:, - Hosts nonboot drivers and background services, this process should only have one instance of services.exe running as a child of wininit.exe, with other service processes showing a child of services.exe or svchost.exe., - Services will be started by the SYSTEM, LOCAL SERVICE, or NETWORK SERVICE accounts 3., - Define “ Local Security Authority SubSystem (lsass.exe) “:, - This Handles authentication and authorization services for the system, and should have a single instance running as a child of wininit.exe., - Define “ WINLOGON (winlogon.exe) “:, - Manages access to the user desktop and should have only one instance for each user session with the Desktop Window Manager (dwm.exe) as a child process in modern versions of Windows., - “ USERINIT (userinit.exe) “:, - Sets up the shell (typically explorer.exe) and then quits, so you should only see this process briefly after log-on., - Define “ Explorer (explorer.exe) “:, - This is the typical user shell, launched with the user's account privileges rather than SYSTEM's, and is likely to be the parent for all processes started by the logged-on user., - What might make a process look suspicious?, - This is a process name that you do not recognize., - Any process name that is similar to a legitimate system process (e.g., scvhost)., - Processes that appear without an icon, version information, description or company name., - Processes that are unsigned, especially if from a well-known company like Microsoft., - Any process whose digital signature doesn’t match the identified publisher., - Any process that does not have a parent/child relationship with a principal Windows process., - Any process hosted by Windows utilities like Explorer, Notepad, Task Manager, ..., - Any process that is packed (compressed), highlighted purple in Process Explorer., - What do you do when you find a suspicious process?, - Identify how the process interacts with the Registry and file system., - How is the process launched?, - Is the image file located in the system folder or a temp folder?, - What files are being manipulated by the process?, - Does the process restore itself upon reboot after deletion?, - Does a system privilege or service get blocked if you delete the process?, - Is the process interacting with the network?, - While this lesson focused on manual analysis, there are many UEBA products that can automate this process.

- Endpoint detection and response (EDR) requires tuning to reduce false positives., - Define “ VirusTotal (virustotal.com) “:, - This is a tool that inspects items with over 70 antivirus scanners and URL/domain blacklisting services, in addition to a myriad of tools to extract signals from the studied content., - Malware samples may also submitted to your antivirus or cyber threat intelligence vendor., - Your organization may also create custom malware signatures or detection rules , - Common Schemes, - Malware Attribute Enumeration and Characterization (MAEC) Scheme:, - A standardized language for sharing structured information about malware that is complementary to STIX and TAXII to improve the automated sharing of threat intelligence., - Define “ Yara “:, - - A multi-platform program running on Windows, Linux and Mac OS X for identifying, classifying, and describing malware samples., - A Yara rule is a test for matching certain string combinations within a given data source (binary, log file, packet capture, or email).

- Define “ Blocklisting “:, - The process of blocking known applications, services, traffic, and other transmissions to and from your systems., - A security configuration where access is permitted unless the entity appears on a blocklist., - Block lists are useful in incident response for their ability to block the source of malware., - What limitations do block lists have?, - Risk of false positives could block legitimate traffic., - You don’t know everything that should be blocked., - Define “ Allowlisting “:, - The process of allowing only known applications, services, traffic, and other transmission to and from your systems., - Allowlisting can be an effective fallback posture to use while conducting an incident response., - WARNING:, - Allow lists are incredibly restrictive and can prevent users and systems from transmitting data to new or changing recipients, so they need to be constantly fine-tuned to avoid interference with business operations., - Using IP addresses on your allow list can also cause issues as many servers use multiple IP addresses and do load balancing , - Use a block list method on a day-to-day basis., - Define “ Execution Control “:, - The process of determining what additional software may be installed on a client or server beyond its baseline., - Execution control can be configured in an allowlisting or blocklisting approach., - Ways to implement Execution Control on Windows:, - Software Restriction Policies (SRP):, - Creates an allow list file for different system locations, where your executable and scripts are allowed to be launched from., - Another way you can do this is by setting up rules configured by hash files on those programs., - Define “ AppLocker “:, - Used to improve the configuration options and defaults of the SRP., - Windows Defender Application Control (WDAC):, - Allows to create a code integrity policy, and this can be used on its own or in conjunction with AppLocker., - Ways to implement Execution Control for Linux:, - Mandatory Access Control (MAC), - Linux Security Module (LSM), - SELinux and AppArmor are two well-known Linux security modules., - Define “ Configuration Management “:, - Allows for having a process in place of how we're going to update all of our block lists and our allow lists for any of those changes., - Large changes should be preceded by a risk assessment and business impact analysis.

- Endpoint monitoring, in the context of ISO 27001, primarily falls under the:, - Technological Controls** section of **Annex A**:, - Specifically, it aligns with several controls within this section, particularly those focused on protecting information assets and ensuring secure operations of user devices., - Here's a more detailed breakdown:, - A.8.1 User Endpoint Devices:, - This control directly addresses the security of user devices (laptops, desktops, mobile phones, etc.) that access, process, or store organizational information., - Endpoint monitoring is a key technical measure to implement this control effectively. It helps in:, - Detecting and responding to security incidents on endpoints., - Monitoring the health and security posture of devices., - Identifying potential vulnerabilities and misconfigurations., - Enforcing security policies., - A.8.16 Monitoring Activities:, - This control emphasizes the need to monitor networks, systems, and applications for unusual behavior and potential security incidents. , - Endpoint monitoring is a crucial component of this overall monitoring strategy, providing visibility into user device activities., - A.8.7 Protection Against Malware:, - Endpoint monitoring often includes the deployment and management of anti-malware solutions and the monitoring of their effectiveness on user devices., - A.8.8 Management of Technical Vulnerabilities:, - Monitoring endpoints helps identify software vulnerabilities and ensures timely patching to reduce risks., - A.8.15 Logging:, - While not solely focused on endpoints, logging activities on these devices is a vital aspect of endpoint monitoring for forensic analysis and incident investigation., - While the primary focus is within **Annex A.8 Technological Controls**, endpoint monitoring also supports other areas of ISO 27001:, - Clause 8 | Operation:, - Implementing endpoint monitoring contributes to the operational security processes of the organization., - Clause 9 | Performance Evaluation:, - The data gathered through endpoint monitoring can be used to evaluate the effectiveness of security controls related to user devices., - Clause 10 | Improvement:, - Insights from endpoint monitoring can drive continuous improvement of security measures and policies., - In summary, while several Annex A controls relate to endpoint security,, - A.8.1 User Endpoint Devices** and **A.8.16 Monitoring Activities:, - are the most directly applicable, with endpoint monitoring being a significant technical implementation for achieving their objectives.