
Explore the fundamentals of threat detection and response in cyber security, an essential introduction aligned with CFR210 objectives.
Assess risk with technologies, analyze threat landscape, and map social engineering and reconnaissance. Examine attacks, malware, hijacking, denial of service, post-attack techniques, incident response, logs, vulnerability scanning, and data collection.
Meet your instructor, Steve Schorr, who brings 20 years of experience in managing networks and network security, and holds CFR, Microsoft Certified Trainer, and Cisco Certified Systems Instructor credentials.
Identify the importance of risk management, explain the risk equation, and explore enterprise risk management, risk exposure, and risk analysis methods facing modern enterprises.
Explore the legacy perimeter model: assets inside, threats outside, and attacks that exploit vulnerabilities, with moats and gates illustrating external controls.
Explore the endpoint cybersecurity model that accounts for BYOD, wireless, and cloud threats from multiple locations, and apply distributed security controls to protect distributed assets.
Apply the risk equation by linking threats, vulnerabilities, and consequences to illustrate how a hacker using malware can exploit a vulnerable web server and cause outages.
Explore risk management by weighting different risks, balancing high-probability low-impact events with low-probability high-impact ones, and communicating technical risk to nontechnical decision makers while weighing rewards.
Identify risks on our network, assess their consequences and likelihood, and analyze whether we need to take action to drive an active response.
Master enterprise risk management by evaluating, measuring, and mitigating risk to achieve business objectives while securing 24/7 systems against attackers and user-driven threats.
Implement ERM to protect confidential customer information and trade secrets, prevent financial losses, ensure legal compliance, maintain brand reputation, and support continuity of operations and stakeholder objectives.
Identify how risk exposure shapes organizational vulnerability by quantifying the probability of an incident and its potential impact, and learn why risk remains inevitable and ignoring it hurts your business.
Explore qualitative, quantitative, and semi-quantitative risk analysis methods, comparing word-based likelihood and impact with numeric and dollar-value assessments to capture comprehensive risk.
Identify and manage enterprise risks across legal, financial, and operational domains. Protect physical assets, infrastructure, intellectual property, and employee safety while safeguarding reputation and branding.
Assess risk through enterprise security architecture (ESA) frameworks and the ESA assessment process, considering changing business models, network-edge de-perimeterization, and new technologies, then document risk determinations and guidelines.
Explore enterprise security architecture frameworks to define baseline goals and methods for securing the business. Learn how ESA assesses risk, quantifies threats, and mitigates vulnerabilities to save time and resources.
Apply the enterprise security architecture framework assessment process to establish a baseline, review current security policies, and assess physical elements, the internal network, external network connectivity, and third-party relationships.
Assess wireless connectivity, resource accessibility, and host operating systems, and examine infrastructure devices and human factors to evaluate security awareness training under the ESA framework part 2.
Explore how new and changing business models, driven by evolving technology, introduce new risks and opportunities—from partnerships and outsourcing to cloud services, social networking, and mergers—and impact enterprise risk management.
Explore de-perimeterization by examining how mobility, remote access, cloud services, and BYOD shift data locations and redefine network perimeter, while outsourcing and device theft introduce new security risks.
Explore how new products, technologies, and user behaviors introduce vulnerabilities and social engineering risks; apply enterprise risk management with HR and legal input to assess threats and evolving attack methods.
Analyze internal and external influences on enterprise risk management, ensure regulatory compliance and auditing, and secure top-level management buy-in for client, Iams, and partner requirements.
Perform system-specific risk analysis by examining how systems are used and how confidentiality, integrity, and availability could be threatened; assess attack methods, mitigations, targets, likelihood, and ramifications.
Estimate risk by evaluating likelihood, attacker motivation, and source; apply the exposure factor (EF) and annualized rate of occurrence (ARO) to compute single loss expectancy (SLE) and annualized loss expectancy (ALE), then decide whether to insure against, mitigate, or accept the risk.
Document the results of a risk assessment by clarifying tasking, authority, reporting lines, and scope, then summarize findings and what they mean.
Implement enterprise security architecture to assess risk and evaluate new products and technologies. Audit outsourced assets and cloud providers, test user behavior with phishing campaigns, and consider BYOD impacts.
Explore information classification within the CIA framework, apply technical controls, compute an aggregate CIA score, and apply CVSS scores and CVE identifiers, risk response techniques, continuous monitoring, and IT governance for effective risk mitigation.
Identify the four classes of organizational information—public, private, restricted, and confidential—and apply access controls to protect availability, privacy, PII, and other sensitive data.
Classify data into confidentiality, integrity, and availability, then apply controls like file permissions and encryption for confidentiality, hashing and digital signatures for integrity, and load balancing for availability.
Identify three categories of security controls: technical controls such as firewalls and antivirus; physical controls such as locks and cameras; and administrative controls such as policies, audits, and penetration testing.
Assess technical controls by asking if they uphold confidentiality, integrity, or availability, with examples like user permissions, web server load balancers, and message authentication codes or digital signatures.
Enforce user permissions on a network share to uphold confidentiality, route traffic via load balancers to available hosts for availability, and compare expected versus actual message digests to verify integrity.
Apply the aggregate CIA score to rank threats by risk, multiplying the value of the information by the confidentiality, integrity, and availability threat values, and compare a denial of service against a database intrusion.
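The two calculations from the risk-estimation lesson (SLE, ARO, ALE) and the aggregate CIA score above, as an added Python example that is not part of the course material. The asset values, exposure factors, and threat weightings are constructed, and treating the aggregate score as information value times the sum of the C, I, and A threat values is my assumption about how the course combines them.

```python
from dataclasses import dataclass

# Added example, not course code. All figures below are constructed illustrations.


def single_loss_expectancy(asset_value: float, exposure_factor: float) -> float:
    """SLE = AV x EF, where EF is the fraction of the asset lost in one incident."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor must be between 0 and 1")
    return asset_value * exposure_factor


def annualized_loss_expectancy(sle: float, aro: float) -> float:
    """ALE = SLE x ARO; ARO is expected incidents per year (0.1 = once a decade)."""
    if aro < 0:
        raise ValueError("ARO cannot be negative")
    return sle * aro


def control_is_worth_it(ale_before: float, ale_after: float, annual_control_cost: float) -> bool:
    """Deploy a control only when the ALE it removes exceeds its yearly cost;
    otherwise accepting or insuring the risk is the cheaper decision."""
    return (ale_before - ale_after) > annual_control_cost


@dataclass(frozen=True)
class Threat:
    name: str
    info_value: float  # worth of the information exposed, on whatever scale you use
    c: float  # threat to confidentiality, 0 (none) .. 1 (total)
    i: float  # threat to integrity
    a: float  # threat to availability


def aggregate_cia_score(t: Threat) -> float:
    """Assumption: information value multiplied by the sum of the C, I and A
    threat values, so a threat that hurts all three outranks one that only
    interrupts service."""
    return t.info_value * (t.c + t.i + t.a)


def rank_threats(threats):
    """Highest aggregate score first."""
    return sorted(threats, key=aggregate_cia_score, reverse=True)


def demo() -> dict:
    # Constructed scenario: $200k of web-shop revenue at stake, a bad outage
    # loses a quarter of it, historically twice a decade. A DDoS mitigation
    # service costs $5k/year and would cut the ARO to once every twenty years.
    sle = single_loss_expectancy(200_000, 0.25)
    ale_now = annualized_loss_expectancy(sle, 0.2)
    ale_with_control = annualized_loss_expectancy(sle, 0.05)
    dos = Threat("denial of service", info_value=8, c=0.0, i=0.0, a=1.0)
    intrusion = Threat("database intrusion", info_value=8, c=1.0, i=0.8, a=0.2)
    return {
        "sle": sle,
        "ale": ale_now,
        "buy_control": control_is_worth_it(ale_now, ale_with_control, 5_000),
        "ranking": [t.name for t in rank_threats([dos, intrusion])],
    }


if __name__ == "__main__":
    print(demo())
```

The cost-benefit check is the part worth keeping: an ALE figure on its own does not tell a decision maker anything until it is set against what the control costs per year.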
Explain how CVSS uses base metrics—access vector, access complexity, authentication, and impacts on confidentiality, integrity, and availability—plus temporal and environmental metrics like exploitability and collateral damage potential.
Explore how the Common Vulnerabilities and Exposures (CVE) dictionary enables vulnerability data sharing among organizations using CVSS, with each entry identified in the CVE-YYYY-NNNN format (four or more sequence digits) and maintained by the MITRE Corporation.
Explore the common vulnerability scoring system by navigating the national vulnerability database, examining CVSS v2 base score calculations, impact and exploitability metrics, and the environmental score options.
Plan for extreme and worst-case scenarios, including denial of service and encryption-key theft, by gathering intelligence, assessing likelihood and motives, mapping vectors, protecting critical assets, and mitigating risk.
Apply risk response techniques by avoiding risk via eliminating the source, transferring risk to a third party, mitigating with patches and firewalls, or accepting risk within the organization’s appetite.
Identify exemptions for legacy systems like Windows XP and deter threats with firewalls and honeypots. Assess inherent and residual risk after mitigation to decide which controls to deploy.
Implement continuous monitoring as a recurring process to detect changing risk, adapt with improvements, and address newly arising threats. Leverage software tools that automate parts of this process.
Align IT resources to objectives to add value and enforce governance strategies, while preparing to communicate how we measure, respond to, and mitigate risk for stakeholders.
Categorize information with CIA principles and apply controls across technical, physical, and administrative domains, incorporating stakeholder input and deterrents; monitor continuously to decide risk avoidance, transfer, mitigation, or acceptance.
Integrate documentation into risk management by aligning policy development and procedure development with best practices for security policies and procedures, including essential topics and business documents that support security initiatives.
Learn how to structure security architecture from policy to procedures, covering high-level security posture, Acceptable Use Policy, and data classification, through standards, guidelines, and step-by-step procedures.
Explore an example acceptable use policy, its overview and purpose, and discover how templates from organizations like the SANS Institute simplify policy creation.
Develop processes and procedures in detail, breaking each process into phases to clarify the procedural structure.
Demonstrate how to find free information security policy templates online and customize them for your organization, including password and lab security policies, with document formats and revision steps.
Identify topics to include in security policies and procedures, including policy scope, information classification, secure handling and disposal, relationship to other management policies, incident handling, designated responsibilities, and noncompliance consequences.
Enforce separation of duties and least privilege by assigning backups to one administrator and restores to another, while implementing job rotation, mandatory vacation, and incident response in security policies.
Develop robust security policies and procedures from onboarding to termination, enabling forensics, continuous digital and video monitoring, log auditing, and user and IT administrator training.
Identify security documents that support initiatives, including the statement of applicability, business impact analysis, interconnection security agreements, memoranda of understanding, service level agreements, operating level agreements, non-disclosure agreements, and partnership agreements.
Integrate documentation into risk management with clear, concise language; leverage policy templates from SANS Institute, involve human resources, legal counsel, management, and keep policies, processes, and procedures living and compliant.
Identify sensitive PII and clearly explain to clients how it will be used, and draft a business continuity plan, regularly testing the BCP components at risk with SLA-backed partnerships.
Identify the importance of risk management and understand the ramifications of not having it. Explore assessment methodologies, mitigation strategies, and how to integrate documentation into risk management.
Identify threats and threat profiles by analyzing threat actors, motives, attack vectors, and attack technique criteria, then conduct qualitative threat and impact analysis to guide classification guidelines.
Identify threat actors and their motives, from insiders with access to credentials to script kiddies using downloaded tools. Recognize recreational hackers and professional hackers paid to breach organizations.
Identify threat actors, including cyber criminals seeking money and PII fraud, hacktivists driven by social issues, and state-sponsored hackers hired to disrupt systems and spread fear.
Identify threat motives such as money, power, control of systems, reputation, association, and thrill, including emotionally driven attacks and attackers seeking to showcase their skills.
Explore threat intentions behind attacks, including theft of financial information and PII, espionage by government entities, revenge, defamation, blackmail, hacktivism, and political motives.
Identify attack vectors as the methods or paths attackers use, analyze how a breach was carried out, and recognize how vulnerabilities in systems or networks are exploited.
Explore attack technique criteria by contrasting targeted and non-targeted attacks, direct versus indirect methods, stealth versus non-stealth approaches, and client-side versus server-side attacks, including implications for obtaining PII.
Identify a cyber criminal targeting a financial institution by exploiting vulnerabilities with a stealthy Trojan horse delivered via email, who may sell stolen financial information or API access.
Classify threats and threat profiles by identifying threat actor motives, goals, and vectors, then categorize threat techniques and perform qualitative analyses of threats and impacts to build profiles.
Perform ongoing threat research by analyzing situational awareness, targeted assets, vulnerabilities, and exploits, using security technologies and research resources, trend data, and guidelines to qualify threats.
Engage in continuous threat research to stay up to date, seeking industry expert sources, security mailing lists, social media, vulnerability databases, and cross-reference vendor announcements; exercise discretion with unverified sources.
Recognize evolving threats and hone critical thinking to support situational awareness, adapt reactions for different threats, and develop awareness through log analysis with the latest technology and ongoing research.
Identify commonly targeted assets such as financial information, online banking, online vendors, credentials, PII/PHI, and intellectual property to understand how attackers exploit these assets via social engineering.
Encounter rising vulnerabilities across social engineering, mobile and IoT ecosystems, including Stagefright Android flaw, IP cameras, and conferencing services, as attackers exploit insecure devices and users.
Examine the latest threats and exploits, including ransomware, botnet device control, back doors in encryption, watering hole attacks, and rising cyber espionage and hacktivism.
Upgrade and replace security technologies by adopting auditing and monitoring systems like security information and event management, risk intelligence, and compliance assessment systems, while following FCC comments and ISO standards.
Explore blogs and websites like Schneier on Security, Krebs on Security, Dark Reading, and Threatpost, plus the National Vulnerability Database and Department of Homeland Security security alerts for research.
Explore organizations and communities that support security research, such as ISACA, seclists.org, and the netsec community on Reddit.
Explore web resources for threat research, including Krebs on Security and Schneier on Security, and learn to download security tools like Wireshark and Cain and Abel for vulnerability research.
Explore the global cybersecurity community of organizations and collaborative bodies like CERT and US-CERT, covering incident response, hacker conferences, and threat intelligence websites from McAfee or VeriSign.
Analyze trend data on CVE severity scores to recognize rising critical security issues from 2014 to 2016, informing threat detection and response strategies.
Analyze trend data to qualify threats across the current world and industry vertical, compare real-world espionage and DDoS risks across multiple companies, and discuss actions with decision makers.
Follow industry accepted and reputable sources and collaborate across multiple websites, blogs, and books for ongoing threat research, then analyze trends to identify threats and sources affecting assets.
Analyze the threat landscape and classify threats and threat profiles, and examine threat actor motivations. Outline ongoing threat research methods and essential blogs, websites, and books to consult.
Implement threat modeling to understand the diverse threats and the anatomy of a cyber attack, learn the process, construct an attack tree, and explore threat categories and tools.
Identify the diverse nature of threats that target technical controls and policies, exploit poor physical security, social engineering, and weak security culture, and emphasize considering all threats in risk management.
Explore the three-stage anatomy of a cyber attack: reconnaissance, attack, and post-attack, covering information gathering, passive and active reconnaissance, detecting and exploiting vulnerabilities, and post-attack log cleaning and maintaining access.
Identify and assess attack vectors through threat modeling to evaluate risk and mitigation strategies for attacks. Learn attacker-focused and asset-focused perspectives to apply to general security or specific systems.
Implement threat modeling to proactively mitigate threats, enabling proactive security rather than reactive responses, and create visual threat representations that non-technical audiences can understand.
Identify security objectives, assess system architecture, and map threats to confidentiality, integrity, and availability, then plan mitigations in a repeating threat modeling process.
Analyze an attack tree that maps threat vectors to controls, such as malware prevention, authorization checks, and upgrading instant messaging to SSL/TLS encryption.
Compare threat modeling tools, noting open source and free options like Trike and Monster, alongside Microsoft's Threat Modeling Tool for application security threat modeling.
Identify and classify threat categories such as reconnaissance, social engineering and phishing, systems hacking, web-based and mail threats, hijacking and impersonation, DoS/DDoS, mobile, and cloud threats.
Assess the impact of reconnaissance incidents by exploring footprinting, scanning, and enumeration methods, along with evasion techniques to hide tracks. Examine reconnaissance tools and perform packet trace analysis with Wireshark.
Footprinting gathers information about a network using public resources and passive methods to avoid detection. Scanning uses network scanners to identify hosts, systems, and services, and enumeration probes for vulnerabilities.
Discover passive footprinting methods using whois data, search engines, social media, metadata tools like FOCA, and techniques such as dumpster diving and social engineering.
Develop network and system scanning methods to identify IP addresses, open ports, and services, locate network access points, and uncover vulnerabilities using scanning tools and ranges.
Enumerate and map networked systems by querying DNS, DHCP, and SNMP, perform reverse lookups and host fingerprinting, and assess operating systems, patch levels, Active Directory, and web apps for vulnerabilities.
Analyze how attackers evade network intrusion detection systems during reconnaissance by altering packets, encrypting traffic, and using denial of service to exhaust the NIDS.
Explore passive and active reconnaissance tools: use domain ownership lookups, WHOIS, and Google search operators to identify email addresses and DNS exposure, and probe hosts with tools such as Nmap, ping, traceroute, and telnet.
Analyze packet traces with Wireshark, a free utility, to glean information about networked systems and traffic patterns. Identify direct interactions with the host and broadcast traffic that reaches all systems.
Learn network reconnaissance with Kali Linux tools like Nmap to discover devices, enumerate operating systems, and identify active services and ports on a subnet.
Examine reconnaissance from the victim's standpoint using Wireshark to analyze ICMP and ARP traffic, then use Kali Linux and Nmap to discover live hosts and open ports.
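What the Nmap host discovery and port scan in the two labs above look like from the victim's side, reduced to a detector: an added Python example that is not course code. It runs over a constructed packet summary of the kind you would export from a Wireshark capture; the hosts, ports, timings, and the thresholds are all assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Iterable, List, Tuple

# Added example, not course code: scan detection over a constructed packet log.


@dataclass(frozen=True)
class Packet:
    ts: float        # seconds since capture start
    src: str
    dst: str
    dport: int       # 0 for ICMP
    proto: str       # "TCP" or "ICMP"
    flags: str = ""  # TCP flags, "S" = SYN only


def detect_scans(packets: Iterable[Packet], window: float = 10.0,
                 port_threshold: int = 15, host_threshold: int = 10) -> List[Tuple[str, str, str]]:
    """Flag a vertical scan (one source, many ports on one host) and a horizontal
    sweep (one source touching many hosts) inside fixed time buckets. The
    thresholds are tuning knobs; a real deployment baselines them per network."""
    syn_ports = defaultdict(lambda: defaultdict(set))  # (src, bucket) -> dst -> ports
    hosts_touched = defaultdict(set)                    # (src, bucket) -> hosts
    for p in packets:
        key = (p.src, int(p.ts // window))
        hosts_touched[key].add(p.dst)
        if p.proto == "TCP" and p.flags == "S":
            syn_ports[key][p.dst].add(p.dport)

    alerts = set()
    for (src, _), per_host in syn_ports.items():
        for dst, ports in per_host.items():
            if len(ports) >= port_threshold:
                alerts.add(("vertical_scan", src, dst))
    for (src, _), hosts in hosts_touched.items():
        if len(hosts) >= host_threshold:
            alerts.add(("horizontal_sweep", src, "*"))
    return sorted(alerts)


def sample_capture() -> List[Packet]:
    """Constructed capture: a scanner, an ICMP ping sweep, and one honest HTTPS client."""
    scanner, target = "10.0.0.66", "10.0.0.5"
    pkts = [Packet(0.1 * i, scanner, target, port, "TCP", "S")
            for i, port in enumerate(range(20, 50))]           # 30 ports in 3 s
    pkts += [Packet(5.0 + 0.05 * i, scanner, f"10.0.0.{i}", 0, "ICMP")
             for i in range(1, 13)]                             # 12-host ping sweep
    pkts += [Packet(0.5 * i, "10.0.0.20", target, 443, "TCP", "S")
             for i in range(20)]                                # legitimate traffic
    return pkts


if __name__ == "__main__":
    for alert in detect_scans(sample_capture()):
        print(alert)
```

The honest client opens twenty connections to one port on one host and is never flagged; counting distinct ports and distinct hosts per source, rather than raw packet volume, is what separates a scan from busy but normal traffic.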
Assess the impact of social engineering by examining its types, phishing with delivery media, common components, and its use for reconnaissance.
Explore how social engineering tricks users into revealing credentials or access, from help desk impersonations to phone based scams that pressure password changes and security breaches.
Explore impersonation, hoaxes, and phishing varieties—spear phishing, smishing, and pharming—and how attackers manipulate trust to prompt action.
Explore phishing, telephone-based social engineering, baiting with infected USB drives, look-alike domains, and spam or instant messaging that trick users into revealing credentials or credit card details.
Explore shoulder surfing, dumpster diving, tailgating, and piggybacking as social engineering techniques used to obtain passwords, PIN access, sensitive data, or access to secure areas.
Identify multiple phishing delivery media, including email with hyperlinks or attachments, instant messaging, text messages, social media, blogs, comments, and QR codes that redirect to malicious sites.
Examine how phishing emails spoof from addresses and names, include attachments and hyperlinks, and impersonate known contacts to deceive users into opening risky content.
Explore how attackers use social engineering for reconnaissance, impersonating employees, probing via bogus interviews, crafting fake profiles, and tailgating to access premises and personal information.
Explore how social engineering tricks users into revealing credentials through a staged phishing email and a fake login site, using the Social-Engineer Toolkit (SET) on Kali Linux to harvest passwords.
Demonstrate assessing phishing impact through a hands-on email scam using a fake sender, attachments, and links, and show how mail servers flag deception.
Explore threat modeling and its importance, assess passive and active reconnaissance and the tools used, and examine how social engineering can be leveraged against organizations.
Assess the impact of system hacking attacks by examining password sniffing, password cracking, privilege escalation, and social engineering, plus system hacking tools and exploitation frameworks.
Attackers start with a goal and follow a process. Defacing a site may be an explicit goal, while opportunistic goals emerge once vulnerabilities are found.
Discover how an attacker plans a breach by footprinting attack surfaces—operating systems, applications, servers—and using Google, whois lookups, and DNS queries to map what a company runs.
Perform additional reconnaissance, footprinting, and scanning to identify targets and crawl websites. Use Google and other public sites and tools to search URLs and identify software versions.
Identify vulnerabilities by mapping the running software, such as Windows Server 2008 without service packs, and cross-check it against vulnerability databases to determine weaknesses.
Exploitation follows, with attackers stopping or starting services to load malware, pull information from the organization, cover their tracks, deface data on a website, and gain access to resources.
Explore how attackers cover their tracks by clearing logs and audit events to erase traces of the attack, and learn how such traces can identify the attacker when they survive.
Discover how password sniffing exposes usernames and passwords by monitoring network traffic, revealing clear-text credentials on HTTP connections to non-secure sites; see why SSL/TLS encryption mitigates exposure.
Learn how attackers crack hashed passwords using brute-force, dictionary, and hybrid attacks, and why rainbow tables and salts affect effectiveness.
Demonstrate cracking passwords with a password file and a top-1000 password list, including updating tools on Kali Linux and testing SSH access.
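The dictionary and hybrid attacks from the lesson above, plus the reason salts matter, as an added Python example that is not the course's lab. The user records, the salts, and the short word list are constructed; SHA-256 stands in for whatever hash the real target uses, and the hybrid rule set (capitalize, append a number) is a deliberately small one.

```python
import hashlib
from typing import Dict, Iterable, List, Optional

# Added example, not course code: guessing against salted hashes, and why a
# precomputed table of unsalted hashes (the idea behind rainbow tables) fails
# once every user gets a different salt.


def hash_password(password: str, salt: str) -> str:
    return hashlib.sha256((salt + password).encode()).hexdigest()


def unsalted_digest(password: str) -> str:
    return hashlib.sha256(password.encode()).hexdigest()


def hybrid_candidates(words: Iterable[str], max_suffix: int = 99) -> Iterable[str]:
    """Plain dictionary words first, then the hybrid rule set: capitalise and
    append a number, which is how 'summer' becomes 'Summer17'."""
    words = list(words)
    yield from words
    for w in words:
        for variant in (w, w.capitalize()):
            for n in range(max_suffix + 1):
                yield f"{variant}{n}"


def crack(record: str, wordlist: Iterable[str]) -> Optional[str]:
    """record is 'user:salt:sha256hex' (constructed shadow-like format).
    The salt is public; its job is to force one hash computation per guess
    per user, not to be secret."""
    _user, salt, digest = record.split(":")
    for guess in hybrid_candidates(wordlist):
        if hash_password(guess, salt) == digest:
            return guess
    return None


def build_unsalted_table(wordlist: Iterable[str]) -> Dict[str, str]:
    """Precompute hash -> password once, look up many times. Only works when
    the target stores unsalted hashes, because then equal passwords hash equal."""
    return {unsalted_digest(w): w for w in wordlist}


TOP_WORDS = ["123456", "password", "letmein", "qwerty", "welcome", "summer"]


def demo_records() -> List[str]:
    """Constructed records: one falls to the hybrid rule, one to the plain
    dictionary, one survives this word list."""
    return [
        f"alice:a1b2:{hash_password('Summer17', 'a1b2')}",
        f"bob:c3d4:{hash_password('password', 'c3d4')}",
        f"carol:e5f6:{hash_password('c0rrect-h0rse-staple', 'e5f6')}",
    ]


if __name__ == "__main__":
    for rec in demo_records():
        print(rec.split(":")[0], "->", crack(rec, TOP_WORDS))
    table = build_unsalted_table(TOP_WORDS)
    print("unsalted lookup:", table.get(unsalted_digest("password")))
    print("salted lookup:  ", table.get(hash_password("password", "c3d4")))
```

The last two lines are the point about rainbow tables: the same password looked up by its unsalted hash hits the table instantly, while the salted hash of that password is simply absent, so the attacker is back to computing guesses one user at a time.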
Examine how attackers use privilege escalation, including vertical escalation to reach admin rights by compromising a lower level user, and horizontal escalation to access different resources with another credential set.
Explore how social engineering enables systems hacking by tricking users into revealing credentials for servers, routers, switches, or network systems, granting access to databases and sensitive information.
Explore system hacking tools and exploitation frameworks, including password sniffers and crackers such as Cain and Abel and John the Ripper, plus exploitation frameworks like Metasploit and Canvas.
Assess the impact of web-based attacks by distinguishing client-side and server-side threats, and examining cross-site scripting, cross-site request forgery, SQL injection, directory traversal, file inclusion, and web services exploits.
Client-side attacks use social engineering to trick users into clicking embedded links or buttons, like a Facebook like button, while server-side attacks infect the host server with malicious code.
Explore three cross-site scripting attack types: stored XSS, reflected XSS, and DOM-based XSS (Document Object Model), where attacker-supplied script runs in the victim's browser.
This lecture explains cross-site request forgery (CSRF, also written XSRF) by showing how a malicious link can ride a logged-in bank session, because the browser attaches the authentication cookie automatically, to transfer funds to the attacker.
Learn how SQL injection, a common database attack, places attacker-controlled input into query text to change the query's logic, reveal data such as usernames and passwords, and exploit legacy and vulnerable services.
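The login-bypass SQL injection the lesson describes, shown as an added Python example (not course code) against an in-memory SQLite database with a constructed users table: the string-built query beside the parameterized one, fed the same payloads. Passwords are stored in clear here only to keep the example short; a real application stores salted hashes.

```python
import sqlite3
from typing import Optional, Tuple

# Added example, not course code: vulnerable versus parameterized login queries.


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [("admin", "S3cret!Pass", "admin"), ("bob", "hunter2", "user")])
    return conn


def login_vulnerable(conn, username: str, password: str) -> Optional[Tuple[str, str]]:
    """User input is pasted into the statement text, so a quote ends the literal
    and whatever follows it becomes SQL."""
    sql = (f"SELECT username, role FROM users "
           f"WHERE username = '{username}' AND password = '{password}'")
    return conn.execute(sql).fetchone()


def login_safe(conn, username: str, password: str) -> Optional[Tuple[str, str]]:
    """Placeholders send the values separately from the statement; quotes and
    comment markers in the input are just characters to compare against."""
    sql = "SELECT username, role FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone()


def demo() -> dict:
    conn = make_db()
    comment_out = "admin' --"   # closes the literal, comments out the password check
    tautology = "' OR '1'='1"   # makes the WHERE clause always true
    return {
        "honest_vulnerable": login_vulnerable(conn, "bob", "hunter2"),
        "injected_vulnerable": login_vulnerable(conn, comment_out, "anything"),
        "tautology_vulnerable": login_vulnerable(conn, tautology, tautology),
        "injected_safe": login_safe(conn, comment_out, "anything"),
        "tautology_safe": login_safe(conn, tautology, tautology),
    }


if __name__ == "__main__":
    for case, row in demo().items():
        print(f"{case:22} -> {row}")
```

With the string-built query, `admin' --` logs in as the administrator without any password; the parameterized version compares the literal string `admin' --` against the username column, finds nothing, and returns no row. Escaping quotes by hand is not a substitute: the placeholder keeps data and statement apart at the driver level.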
Explore directory traversal vulnerabilities that let attackers read server files outside the web content directory, using ../ sequences or URL-encoded equivalents to reach system folders and, in some cases, obtain a remote command prompt.
Explain file inclusion attacks that allow executing code on a web server or web application, risking data theft, contrasting remote file inclusion and local file inclusion with PHP examples.
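A path resolver with the traversal bug beside a hardened one, exercised with the `../` and URL-encoded payloads from the directory traversal lesson; the same allow-list check is what belongs in front of a local file inclusion sink. This is an added Python example, not course code; the web root, the "secret" file, and the payloads are constructed in a temporary directory.

```python
import os
import tempfile
from typing import Tuple
from urllib.parse import unquote

# Added example, not course code: naive versus hardened file path resolution.


class TraversalError(ValueError):
    pass


def resolve_vulnerable(web_root: str, requested: str) -> str:
    """Decodes and joins, never checking where the result ends up."""
    return os.path.join(web_root, unquote(requested))


def resolve_safe(web_root: str, requested: str) -> str:
    """Decode exactly once, refuse leftovers of double encoding and null bytes,
    canonicalise (realpath also resolves symlinks), then insist the result is
    still underneath the web root."""
    decoded = unquote(requested)
    if "%" in decoded:
        raise TraversalError("double-encoded path")
    if "\x00" in decoded:
        raise TraversalError("null byte in path")
    root = os.path.realpath(web_root)
    candidate = os.path.realpath(os.path.join(root, decoded.lstrip("/\\")))
    if os.path.commonpath([root, candidate]) != root:
        raise TraversalError(f"escapes web root: {requested!r}")
    return candidate


def is_blocked(web_root: str, requested: str) -> bool:
    try:
        resolve_safe(web_root, requested)
    except TraversalError:
        return True
    return False


def vulnerable_reaches(web_root: str, requested: str, target: str) -> bool:
    """True when the naive resolver hands back the file at `target`."""
    return os.path.realpath(resolve_vulnerable(web_root, requested)) == os.path.realpath(target)


def make_site() -> Tuple[str, str]:
    """Constructed layout: <tmp>/www is served, <tmp>/etc/secret.txt must not be."""
    base = tempfile.mkdtemp()
    root = os.path.join(base, "www")
    os.makedirs(root)
    with open(os.path.join(root, "index.html"), "w") as f:
        f.write("<h1>public</h1>")
    os.makedirs(os.path.join(base, "etc"))
    secret = os.path.join(base, "etc", "secret.txt")
    with open(secret, "w") as f:
        f.write("db_password=hunter2\n")
    return root, secret


if __name__ == "__main__":
    root, secret = make_site()
    for path in ("index.html", "../etc/secret.txt", "..%2Fetc%2Fsecret.txt",
                 "%252e%252e/etc/secret.txt"):
        print(f"{path:30} naive reaches secret: {vulnerable_reaches(root, path, secret)!s:5} "
              f"hardened blocks: {is_blocked(root, path)}")
```

Blocking the substring `..` is the fix people reach for first and it is not enough: `%2e%2e`, double encoding, and absolute paths all get past it. Decoding once, canonicalising, and comparing against the real root handles all of them with one rule.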
Explore additional web application vulnerabilities such as session fixation, session prediction, clickjacking, cookie hijacking, and cookie poisoning to understand how attackers compromise sessions and tokens.
Explore web services exploits, including SOAP XML-based requests and XML schema manipulation, to trigger denial of service, modify data, and permit SQL injection via malicious links or macros.
Explore web-based attack tools and frameworks, such as Metasploit, Nikto, and Paros Proxy, and understand how these tools populate the landscape of web security testing.
Assess the impact of web-based threats by analyzing insecure login error messages, lack of rate limiting, exposed administration accounts, and server paths on a safe demo site.
Assess the impact of malware by examining categories such as trojan horses, polymorphic viruses, spyware, and supply chain attacks, and explore common malware tools used by attackers.
Survey common malware categories such as viruses, worms, adware, spyware, trojan horses, rootkits, logic bombs, and ransomware, and learn how they spread, hide, or disrupt data.
Illustrate a Trojan horse infection via an executable and social engineering, including email-based phishing attempts and user training to avoid falling victim.
Explore how a polymorphic virus uses encryption and alters itself as it moves between machines to bypass antivirus signatures.
Detect spyware that may monitor your activity, log keystrokes, and collect browsing history and credentials, often bundled with legitimate software; recognize its subtle performance impact and prevalence with adware.
A supply chain attack infects hardware or software early in the supply chain, allowing malware to propagate from supplier to manufacturer, distributor, and vendor to the consumer.
Explore common malware tools attackers use, including NetBus, Sub7, Back Orifice, Zeus, FinFisher, PAC, and remote control systems.
Demonstrate malware detection and removal with Windows Defender on Windows 10: update virus definitions, test with a harmless anti-malware test file, scan, and remove threats while toggling real-time protection.
Assess the impact of hijacking and impersonation attacks, including ARP spoofing, DNS poisoning, ICMP redirect, DHCP spoofing, NBNS spoofing, and session hijacking.
Learn how spoofing uses software to pretend to be something else, how impersonation relies on person-to-person deception, and how session hijacking exploits active sessions to take over or extract data.
Learn how ARP spoofing disrupts IP-to-MAC mappings by sending spoofed replies, creating a man-in-the-middle router that intercepts and relays traffic between hosts.
Explore DNS poisoning, where a faster attacker replies to the local DNS server with misinformation, redirecting users to a malicious site that harvests Google usernames and passwords.
Explore how ICMP redirect attacks modify ICMP type 5 information to misdirect routing, potentially causing denial of service or network connectivity loss.
DHCP spoofing enables a rogue DHCP server to hand out an attacker-controlled default gateway, creating a man-in-the-middle position; mitigate with rogue DHCP detection and port-based filtering.
NBNS spoofing mirrors DNS spoofing by exploiting NetBIOS name resolution; attackers may answer first with a fraudulent IP to trick the client into logging in.
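Passive detection of the ARP spoofing and rogue DHCP scenarios described above, as an added Python example that is not course code. It runs over a constructed summary of ARP replies and DHCP offers such as Wireshark would show; every address and MAC is made up.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Iterable, List, Set, Tuple

# Added example, not course code: ARP spoofing and rogue DHCP detection.


@dataclass(frozen=True)
class Event:
    ts: float
    kind: str          # "arp_reply" or "dhcp_offer"
    ip: str            # sender IP (ARP) or server IP (DHCP)
    mac: str           # sender MAC
    gateway: str = ""  # default gateway a DHCP offer hands out


def detect_arp_spoofing(events: Iterable[Event], gateway_ip: str) -> List[Tuple]:
    """Two signals: an IP whose MAC changes mid-capture (critical when it is the
    gateway, the classic man-in-the-middle setup), and one MAC answering for more
    than one IP (the attacker answering for both victim and gateway)."""
    first_mac = {}
    ips_per_mac = defaultdict(set)
    reported_macs: Set[str] = set()
    alerts = []
    for e in events:
        if e.kind != "arp_reply":
            continue
        known = first_mac.setdefault(e.ip, e.mac)
        if known != e.mac:
            severity = "critical" if e.ip == gateway_ip else "warning"
            alerts.append(("ip_remapped", severity, e.ip, known, e.mac, e.ts))
        ips_per_mac[e.mac].add(e.ip)
        if len(ips_per_mac[e.mac]) > 1 and e.mac not in reported_macs:
            reported_macs.add(e.mac)
            alerts.append(("mac_multi_ip", "warning", e.mac, tuple(sorted(ips_per_mac[e.mac]))))
    return alerts


def detect_rogue_dhcp(events: Iterable[Event], authorized_servers: Set[str]) -> List[Tuple[str, str, str]]:
    """Any DHCP offer from a server outside the allow-list is rogue; the gateway
    it advertises is where the victims' traffic will be sent."""
    return [(e.ip, e.mac, e.gateway) for e in events
            if e.kind == "dhcp_offer" and e.ip not in authorized_servers]


def sample_events() -> List[Event]:
    """Constructed capture: a clean start, then an attacker poisoning both ends
    and also answering DHCP with itself as the gateway."""
    gw_mac, victim_mac, attacker_mac = "00:11:22:33:44:01", "00:11:22:33:44:10", "de:ad:be:ef:00:01"
    return [
        Event(0.0, "arp_reply", "192.168.1.1", gw_mac),
        Event(0.1, "arp_reply", "192.168.1.10", victim_mac),
        Event(0.2, "dhcp_offer", "192.168.1.1", gw_mac, gateway="192.168.1.1"),
        Event(0.5, "arp_reply", "192.168.1.66", attacker_mac),
        Event(1.0, "arp_reply", "192.168.1.1", attacker_mac),   # "I am the gateway"
        Event(1.0, "arp_reply", "192.168.1.10", attacker_mac),  # "I am the victim"
        Event(2.0, "dhcp_offer", "192.168.1.66", attacker_mac, gateway="192.168.1.66"),
    ]


if __name__ == "__main__":
    for a in detect_arp_spoofing(sample_events(), gateway_ip="192.168.1.1"):
        print(a)
    print("rogue DHCP:", detect_rogue_dhcp(sample_events(), {"192.168.1.1"}))
```

A real deployment seeds `first_mac` from a known-good inventory rather than trusting the first reply it happens to see; otherwise an attacker who is already spoofing when monitoring starts looks legitimate.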
Explore session hijacking risks from stolen session cookies, taken over unsecured Wi-Fi or by malware and cross-site scripting, which enable denial of service and man-in-the-middle attacks.
Explore hijacking and spoofing tools used to test networks and understand attacker capabilities, including Cain and Abel, DroidSheep, Cookie Monster, and Cookie Cadger.
Assess the impact of denial of service incidents and examine denial of service attacks, including distributed denial of service attacks and evasion techniques, plus common tools found online.
Explore how denial of service attacks disable services by saturating bandwidth, exploiting application flaws, and exhausting CPU, memory, or disk resources with multiple connections and email floods.
Explore common denial-of-service techniques, including ICMP and UDP floods, SYN floods, buffer overflows, reflected DoS attacks, and permanent DoS that damage hardware, with emphasis on detection and response.
Learn how a distributed denial of service attack uses multiple compromised systems—zombies or bots, including malware-infected computers and IoT devices—under a command and control program to overwhelm a target network.
Investigate DoS evasion techniques and botnets for hire that fuel denial of service attacks, tracing challenges, malformed packets, and the Slashdot effect on overwhelmed web servers.
Explore denial of service attack tools used by attackers and for testing defenses, including HOIC, LOIC, Slowloris, Tor's Hammer, and HULK (HTTP Unbearable Load King).
Assess the impact of denial of service attacks using live visualizations from the digital attack map and Norse attack map, examining attacker IPs, spoofed sources, bandwidth, ports, and botnet scenarios.
Assess the impact of threats to mobile security and learn trends, wireless threats, BYOD risks, and platform-specific threats for Windows, iOS, and Android, plus mobile infrastructure hacking tools.
Explore trends in mobile security as BYOD devices connect wirelessly, access network shares, and raise data ownership and remote wipe considerations for policy and legal compliance.
Identify common wireless threats, including weak legacy protocols and PIN-based connections, and emphasize exposure from signal leakage and device theft; implement wireless security and strong device protection.
Identify BYOD threats across multiple access points and secure all entry points; address unpatched devices, update responsibility, denial of service risks, and forensic and encryption concerns.
Explore mobile platform threats across Android, iOS, and Windows, including unpatched devices and third-party apps with potential malware. Identify malware risks in official stores; use up-to-date patches and apps.
Explore mobile device hacking tools, highlighting Android-focused options like DroidBox and Dreux rat, and other commonly used tools.
Assess the impact of threats to cloud security by examining cloud infrastructure challenges, threats to virtualized environments, threats to big data, and cloud platform security, with an illustrative cloud attack.
Explore cloud infrastructure, including the provider and client link, and how breaches, weak authentication, and insecure connections enable attacker access. Learn how cloud-based attacks complicate forensics and tracking.
Explore threats to virtualized environments, including vm escape on the hypervisor, privilege elevation, live virtual machine migration exploitation, and data remnants that expose virtual machine data.
Explore the threats to big data, including privacy breaches, access control failures, and forensic challenges, and learn how traditional tools struggle to monitor and audit massive datasets.
Examine a real-world cloud infrastructure attack where an attacker uses an automated sign-up script to create multiple accounts, spin up virtual machines, and form a cloud-based botnet for targeting networks.
Assess cloud platform security: firewall controls, logically isolated networks, cross-project credential sharing, PCI DSS readiness, encryption between compute instances and hosts, secure remote access via VPN/HTTPS, and monitoring.
Assess the impact of system hacking, web-based attacks, malware, hijacking, impersonation, and denial of service, plus threats to mobile and cloud security.
Download files here
Assess command and control techniques and define the concept, then examine channels used for command and control, including IRC, DNS, ICMP, HTTP, and nontraditional options.
Command and control infrastructure directs and controls malware, enabling attackers to maintain access and issue commands through control channels across internal systems.
Explore Internet Relay Chat (IRC) as a group communication protocol enabling private messaging and file sharing, used for command and control traffic, while administrators block it and attackers seek alternatives.
Explore how HTTP and HTTPS traffic evades blocks, how attackers use ordinary web servers for command and control, and why firewalls that filter on IP addresses are bypassed when attackers rotate domains and hosting.
Understand DNS-based command and control, including attacker-run DNS servers and cleartext query traffic, how internal queries are forwarded to external servers, and how restricting outbound DNS at internal firewalls enables blocking.
Learn how ICMP can carry attacker command and control by exchanging ping packets between hosts, where the echo payload contains commands like dir and their output, and why file transfer over ICMP is slow and awkward because each packet carries only a small payload.
Attackers use additional channels for command and control, including social media such as Twitter, media file metadata, peer-to-peer networks, and cloud services like OneDrive and Google Drive.
Demonstrates assessing command and control techniques by using ICMP traffic as a covert C2 channel between a Kali Linux master and a target server, with traffic analysis in Wireshark.
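The ICMP channel in the demo above, as an added example that is not part of the course: the attacker side packs a command into the echo payload and the implant answers in the echo reply, and the defender side applies the check a Wireshark analyst performs by eye, comparing each payload against the stock ping patterns and flagging ones that read as text. The stock Linux and Windows ping payloads are assumed, and no command is actually executed; the implant's output is a constructed string.

```python
import struct

# Constructed baseline (assumption): default echo payloads of the Linux and
# Windows ping utilities. Linux sends an 8-byte timestamp then 0x10, 0x11, ...;
# Windows sends a fixed 32-byte alphabet string.
LINUX_PING_TAIL = bytes(range(0x10, 0x40))
WINDOWS_PING_PAYLOAD = b"abcdefghijklmnopqrstuvwabcdefghi"


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum; returns 0 when run over a valid packet."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_echo(payload: bytes, ident: int = 0x1234, seq: int = 1, reply: bool = False) -> bytes:
    """Build an ICMP echo request (type 8) or echo reply (type 0) carrying payload."""
    icmp_type = 0 if reply else 8
    header = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq)
    csum = icmp_checksum(header + payload)
    return struct.pack("!BBHHH", icmp_type, 0, csum, ident, seq) + payload


def parse_echo(packet: bytes):
    """Return (type, ident, seq, payload); raise if the checksum does not verify."""
    if icmp_checksum(packet) != 0:
        raise ValueError("bad ICMP checksum")
    icmp_type, _code, _csum, ident, seq = struct.unpack("!BBHHH", packet[:8])
    return icmp_type, ident, seq, packet[8:]


def is_stock_ping(payload: bytes) -> bool:
    if payload == WINDOWS_PING_PAYLOAD:
        return True
    return len(payload) > 8 and payload[8:] == LINUX_PING_TAIL[: len(payload) - 8]


def looks_like_c2(payload: bytes) -> bool:
    """Flag echo payloads that are not a stock ping pattern and read as text
    (commands such as 'dir' going out, directory listings coming back)."""
    if not payload or is_stock_ping(payload):
        return False
    printable = sum(32 <= b < 127 or b in (9, 10, 13) for b in payload)
    return printable / len(payload) > 0.9


def c2_exchange(command: str, fake_output: str):
    """Simulate one master -> implant -> master round trip on the wire. Nothing is
    executed: fake_output is a constructed stand-in for the command's output."""
    request = build_echo(command.encode(), seq=7)
    _t, ident, seq, _cmd = parse_echo(request)          # implant side decodes the command
    reply = build_echo(fake_output.encode(), ident=ident, seq=seq, reply=True)
    return request, reply


def inspect_capture(packets):
    """Return the (type, seq) pairs of packets the heuristic would alert on."""
    alerts = []
    for pkt in packets:
        icmp_type, _ident, seq, payload = parse_echo(pkt)
        if looks_like_c2(payload):
            alerts.append((icmp_type, seq))
    return alerts


if __name__ == "__main__":
    req, rep = c2_exchange("dir\r\n", " Volume in drive C has no label.\r\n")
    benign = [build_echo(b"\x00" * 8 + LINUX_PING_TAIL), build_echo(WINDOWS_PING_PAYLOAD)]
    print(inspect_capture([req, rep] + benign))
```

The heuristic is deliberately narrow (printable text), which is exactly why real implants compress or encrypt the payload; the length and rate of echo traffic per host pair is the more robust signal once the payload is opaque.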
Explore persistence techniques attackers use to maintain long-term access to resources and networks. Examine advanced persistent threats, root kits, backdoors, logic bombs, and the dangers of rogue accounts.
Advanced persistent threat (APT) is a stealth attacker group that targets organizations storing PII or PHI, uses sophisticated knowledge to craft custom exploits, and maintains access for months or years.
Rootkits run with administrative access, hide in core OS components, and evade detection by antivirus, often concealing keyloggers, malware, and bot controllers installed through social engineering.
Learn how back doors bypass authentication to access systems, including deliberate back doors planted by nation states or vendors and rootkit behavior, and how advanced persistent threats exploit them to stay ahead of security professionals.
Explore how a logic bomb automates post-attack actions on a target system, remains dormant during investigations, and can trigger data destruction after the fact.
Watch a live demo of detecting rootkits with tools such as GMER and TDSSKiller: download them, run scans, and observe the evasive behaviors they reveal.
Detect rogue accounts created after credential theft or malware, and parse logs to reveal who created them and when.
Define lateral movement and examine pivoting techniques, including pass the hash, the golden ticket, remote access services, and technologies like port forwarding, SSH pivoting, and routing tables.
Illustrates how attackers use lateral movement to reach a domain controller by compromising a DMZ system, performing port scans and enumeration, and sweeping the network, with traffic that may look legitimate.
Learn how pass the hash reuses NTLM password hashes taken from the local SAM or LSASS memory to authenticate as that user without ever knowing the plaintext password, so a reused local administrator hash grants access to every host that shares it.
Demonstrates how a golden ticket attack in Active Directory abuses the Kerberos ticket granting ticket (TGT) by forging tickets with the krbtgt account hash, granting persistent, admin-level access for years, until that hash is rotated.
Remote access services pose internal risk as attackers pivot between systems over VPN and Remote Desktop Protocol (RDP) sessions. Encrypted traffic can hide malicious activity and exfiltration attempts.
Explore how the Windows Management Instrumentation command line (WMIC) gives attackers remote access, requiring administrative credentials and carrying its traffic encrypted, to create remote shares and deploy malware.
PsExec enables remote execution of binaries or code via a standalone Microsoft utility running under system or compromised accounts, potentially opening firewall ports.
Explore how port forwarding lets an attacker reach a host behind a firewall by using an intermediary host to initiate a remote desktop connection via the RDP port 3389.
Explains how an attacker pivots from an exploited internal host by installing a VPN server, creating a VPN tunnel, and routing traffic to remote devices.
Discover how SSH pivoting lets attackers reach internal hosts beyond a firewall by using a compromised DMZ host as a port proxy and tunneling over port 80.
Explore how routing tables and pivoting enable attackers to compromise a system by creating routing entries on a host to redirect traffic.
Explore how attackers exfiltrate data from networks by using covert channels, steganography, and file sharing services to covertly move information.
Understand how data exfiltration moves data between systems and outside networks, and how attackers use compromised credentials to decrypt or encrypt data to evade monitoring and intrusion detection systems.
Covert channels enable attackers to exfiltrate data while evading intrusion detection, using firewall ports that are left open and protocols like DNS, ICMP, and HTTPS with certificates and encryption.
Explore steganography by hiding data inside images, showing how data embeds in a skyline photo, and how sites like mobilefish.com demonstrate concealment that slips past data loss prevention.
Demonstrates steganography by embedding a hidden message inside a cover image to exfiltrate data, and shows encrypting, sharing, and decrypting the image to reveal the content.
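The embed, encrypt, share, extract sequence from the demo above, as an added example that is not from the course: least-significant-bit steganography over the raw samples of an image. The cover is a constructed RGB gradient so the block runs without an image library; the XOR keystream is a toy stand-in for the encryption step (a real tool would use AES) and only serves to show that a naive LSB dump yields nothing readable.

```python
def constructed_cover(width: int = 64, height: int = 64) -> bytes:
    """Constructed 8-bit RGB gradient used as the cover image (no file I/O)."""
    return bytes(((x * 7 + y * 3 + c * 50) & 0xFF)
                 for y in range(height) for x in range(width) for c in range(3))


def embed_lsb(cover: bytes, message: bytes) -> bytes:
    """Hide message in the least significant bit of each cover sample.
    A 32-bit big-endian length prefix tells the extractor where to stop."""
    payload = len(message).to_bytes(4, "big") + message
    bits = [(byte >> (7 - i)) & 1 for byte in payload for i in range(8)]
    if len(bits) > len(cover):
        raise ValueError(f"cover too small: need {len(bits)} samples, have {len(cover)}")
    stego = bytearray(cover)
    for i, bit in enumerate(bits):
        stego[i] = (stego[i] & 0xFE) | bit
    return bytes(stego)


def extract_lsb(stego: bytes) -> bytes:
    def read(start: int, n: int) -> bytes:
        out = bytearray()
        for k in range(n):
            byte = 0
            for i in range(8):
                byte = (byte << 1) | (stego[start + k * 8 + i] & 1)
            out.append(byte)
        return bytes(out)

    length = int.from_bytes(read(0, 4), "big")
    if 32 + length * 8 > len(stego):
        raise ValueError("length header exceeds image size: not a stego image or wrong format")
    return read(32, length)


def xor_keystream(data: bytes, key: bytes) -> bytes:
    """Toy XOR layer (assumption: stands in for real encryption). Same call both ways."""
    return bytes(d ^ key[i % len(key)] for i, d in enumerate(data))


def max_sample_delta(a: bytes, b: bytes) -> int:
    """Largest per-sample change between cover and stego: LSB embedding never exceeds 1,
    which is why the picture looks identical and file size does not change."""
    return max(abs(x - y) for x, y in zip(a, b))


if __name__ == "__main__":
    cover = constructed_cover()
    secret = b"customer list: alice, bob, carol"
    stego = embed_lsb(cover, xor_keystream(secret, b"k3y"))
    print(max_sample_delta(cover, stego), xor_keystream(extract_lsb(stego), b"k3y"))
```

Because the stego image is the same size and visually indistinguishable, a DLP rule that inspects image uploads for keywords sees nothing; the practical controls are statistical detection of LSB noise on outbound images and limiting which hosts may upload images at all.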
Learn how attackers exploit file sharing services like Dropbox and Google Drive to upload data and bypass detection, and how to monitor and control traffic in organizations.
Analyze anti-forensic techniques used to complicate forensic investigations, including the golden ticket concept, buffer overflows, memory-resident programs, packers, virtual machines, sandbox detection, and alternate data streams.
Disrupt investigations by tampering with evidence, deceiving investigators, and exploiting system weaknesses to escape notice, frame others, or waste the organization's time and money.
Analyze the golden ticket attack and forged tickets, noting how newer software fixes this, impacting automated detection and how investigators determine when the domain controller was compromised.
This demonstration examines anti-forensics techniques where attackers erase evidence by clearing the Windows application log using WMI and wevtutil from a remote shell after initial SSH password cracking.
Explore how attackers weaponize buffer overflows in forensic tool kits by leaving malicious files that exploit investigators' software, and mitigate by using modern, patched tools that stay up to date.
Identify how memory-resident programs persist after the applications that launched them terminate, allowing attackers to hide malware and scripts in memory, evade disk-based detection, and keep control of the system.
Learn how a program packer compresses software to evade detection systems and forensic tools, reduces size, slows reverse engineering, and can hide malware from anti-malware solutions inside a sandbox.
Explore how sandboxing isolates suspected malware in a virtual environment to monitor its behavior, and how malware detects the sandbox and activates only outside it.
Learn how attackers use NTFS alternate data streams to hide files and malware, and how file classification and forensic tools reveal content in the alternate data streams on Windows systems.
Attackers cover their tracks by erasing evidence such as event logs and command histories in Windows and Linux, including shredding, altering logs, and using alternate data streams.
Review post-attack techniques such as command and control to maintain access, persistence, lateral movement and pivoting to reach deeper into our network, data exfiltration, and anti-forensic methods that hinder investigations.
Download files here
Explore vulnerability assessments, contrast them with penetration testing, and cover implementation, tooling, port scanning, fingerprinting, sources of vulnerability information, and operating system and software patching.
Conduct a vulnerability assessment to evaluate system security for compliance, covering hardware, software, operating system, services; collect, store, organize, analyze data, and report findings to reveal gaps and missing patches.
Differentiate penetration testing from vulnerability assessment by simulating attacker-led real-world attacks. Follow recon, attack, and post-attack phases to drive remediation from findings.
contrast vulnerability assessment versus penetration testing, focusing on known vulnerabilities and automated scans versus manual exploits and social engineering, with differing impact on systems and frequency.
Implement a standardized vulnerability assessment by installing scanning software, establishing a baseline, remediating findings (patches and config changes), re-scanning, and documenting results for management across all systems.
Explore vulnerability assessment tools, including Nessus, MBSA, port and protocol analyzers, and Wireshark. Learn to use Nmap, Cain and Abel, fuzzing, HTTP interceptors, and exploitation frameworks for intelligence gathering.
Explore popular assessment tools such as Nessus, BeyondTrust, MBSA, and GFI LanGuard. MBSA focuses on Microsoft products and may miss third-party apps, while some tools offer remediation features.
Perform port scanning and fingerprinting to assess vulnerabilities using the Nmap utility and ICMP ping to identify live hosts and open ports such as Kerberos on 88 and DNS on 53.
Gather vulnerability information from live system scans, including credentialed and non-credentialed tests. Assess with active, passive, and agent-based approaches, report findings, and note false positives and negatives requiring penetration testing.
Automate operating system and software patching to keep systems updated and reduce exposure to exploits; update documentation, policies, configurations, and baselines, and perform re-assessments after patching with WSUS and SCCM.
Ensure systems are secure at every level, from hardware to services, by scanning all components and testing their interactions to reveal multi-component vulnerabilities through penetration testing.
Demonstrates performing a vulnerability scan with Nessus by creating a basic network scan, adding credentials, and scanning a target host. View remediation tips, history comparisons, and export options.
Demonstrate performing a vulnerability scan with the Microsoft Baseline Security Analyzer (mbsa) to assess local and remote Windows systems for updates, passwords, and misconfigurations.
Explore penetration testing on network assets by applying rules of engagement, defining phases, and using data mining, attack surface mapping, packet manipulation for enumeration, simulated attacks, and password attacks.
Explore the rules of engagement for penetration testing, detailing purpose, scope, risks, logistics, tool usage, roles, communication, outage procedures, target scope, reporting, and required sign-offs.
Pen test phases mirror an attack, including reconnaissance, footprinting (active and passive), targeted scanning, exploitation, and maintaining access, with reporting for remediation at the end.
Clarify the rules of engagement for pen testing, including allowed tools and techniques, social engineering scope, production vs non-production testing, downtime risk, and back-off criteria.
Compare external and internal pen testing to balance attacker perspective, cost, and trust; leverage external consultants for insights and references while internal staff can test more often.
Explore pen testing techniques like wardriving for open wireless networks, eavesdropping, network sniffing, social engineering, and physical security testing, with emphasis on authorization and ethics.
Explore penetration testing tools that scan networks and identify vulnerabilities, including Nmap, Nessus, John the Ripper, Cain and Abel, and commercial options like Core Impact and Canvas.
Explore Kali Linux, a prepackaged Linux flavor with hundreds of open source tools for information gathering, network scanning, and password cracking used by penetration testers.
Explore data mining with search engines to uncover sensitive information such as usernames and passwords, default device credentials, and vulnerable servers, using terms from the Google hacking database.
Scan and map the attack surface to view systems from an attacker’s perspective, identify access-enabling vulnerabilities, and prioritize testing and remediation, including scripts, web forms, plugins, cookies, and databases.
Learn how packet manipulation enables enumeration by observing target system responses to crafted packets, revealing applications, services, operating system, device type, updates, directories, shares, user accounts, and APIs.
Conduct simulated attacks by crafting packets to firewall ports to identify open ports, revealing that port 88, the Kerberos port for Active Directory, was unexpectedly open during testing.
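The port scanning and fingerprinting lesson and the simulated attack above both come down to the same loop, shown here as an added example that is not from the course: a TCP connect scan (what Nmap -sT does, no raw sockets needed), a banner grab, and a comparison of what answered against the ports the firewall was supposed to expose. The target is a constructed listener on loopback that answers with an assumed SSH greeting, and the fingerprint rules are a few hand-written cases, not Nmap's database.

```python
import socket
import threading


def start_listener(port: int = 0):
    """Constructed target: a loopback TCP listener so the scan has a known-open
    port. port=0 lets the OS pick a free one. Returns (socket, port)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", port))
    srv.listen(8)
    return srv, srv.getsockname()[1]


def serve_banner(srv: socket.socket, banner: bytes) -> None:
    """Answer every connection with a fixed banner, in a background thread."""
    def run():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:              # listener closed: stop serving
                return
            try:
                conn.sendall(banner)
            except OSError:              # scanner hung up first; harmless
                pass
            finally:
                conn.close()
    threading.Thread(target=run, daemon=True).start()


def connect_scan(host: str, ports, timeout: float = 0.5):
    """A completed three-way handshake means the port is open. Noisy (the target
    logs every connection) but it needs no privileges."""
    open_ports = []
    for port in ports:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            if s.connect_ex((host, port)) == 0:
                open_ports.append(port)
    return open_ports


def grab_banner(host: str, port: int, timeout: float = 1.0) -> bytes:
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        s.connect((host, port))
        try:
            return s.recv(256)
        except socket.timeout:
            return b""


def fingerprint(banner: bytes) -> str:
    """Map a banner to a service guess (constructed rules, not Nmap's database)."""
    if banner.startswith(b"SSH-2.0-"):
        return "ssh: " + banner[8:].split(b"\r\n")[0].decode(errors="replace")
    if banner.startswith(b"220 "):
        return "smtp/ftp greeting"
    return "unknown"


def unexpected_open(open_ports, allowed):
    """Ports that answered but are not on the expected-open list; the lesson's
    surprise was Kerberos/88 reachable through the firewall."""
    return sorted(p for p in open_ports if p not in allowed)


if __name__ == "__main__":
    srv, port = start_listener()
    serve_banner(srv, b"SSH-2.0-OpenSSH_9.6p1\r\n")
    found = connect_scan("127.0.0.1", [port, port + 1])
    print(found, fingerprint(grab_banner("127.0.0.1", port)), unexpected_open(found, {22, 443}))
    srv.close()
```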
Explore online password attacks against live systems and offline attacks on captured traffic, comparing brute force, dictionary, and rainbow table methods.
Explore penetration test considerations, including internal versus external testing, timing and notification, rules of engagement, scope from vulnerability assessment to breaching systems, and readiness for VPN, wireless, and social engineering.
Follow up on penetration testing by mastering effective reporting and documentation, identifying target audiences, detailing information collection methods, and clarifying report classification and distribution.
Learn to craft effective penetration test reports from preparation to presentation, detailing objectives, audience, time synchronization, test methodology, results, analysis, mitigation techniques, and compliant, readable documentation.
Identify target audiences by evaluating their responsibilities, technical knowledge, engagement with rules of engagement, and decision-making authority to tailor the report content for effective threat detection and response.
Compare information collection tools and their reports across formats and content. Practice active collection methods, including manual notes, screenshots, system images, and logging of network traffic and system events.
Identify vulnerable assets after the penetration test and remediate with updates, patches, or removing unnecessary services, then set new configuration baselines and document follow up reporting.
Classify and distribute reports by numbering hard copies, labeling the intended recipients, and noting delivery date and time with sign-off. Encrypt emails, restrict network access, and securely erase pen-test data.
Evaluate your organization's security posture by conducting vulnerability assessments and penetration tests on network assets, then compare vulnerability assessments with pen tests and follow up with reporting and documentation.
Download files here
Deploy a security intelligence collection and analysis platform and implement a security intelligence lifecycle and collection plan, defining what to monitor, data to collect, fields to log, and alert criteria.
Leverage security intelligence and threat intelligence to collect, process, and analyze data from information systems, distilling it into events that enable rapid detection, remediation, and regulatory compliance.
Identify relevant data amid vast data sets and process it to produce actionable intelligence. Manage the setup and maintenance of security tools and keep security data secure.
Collect data to drive the security intelligence collection life cycle. Process data into information, analyze, produce actionable security intelligence, and disseminate and integrate it to guide planning and direction.
Craft a security intelligence collection plan by identifying the required intelligence, selecting hardware and software sources for collection, verifying these sources, and involving all departments.
Activate continuous security monitoring to proactively collect information for risk management, track network traffic, communications, and host maintenance operations, and minimize potential damage by shifting from reactive to proactive intelligence.
Monitor vulnerabilities, configurations, and assets by collecting system state and comparing it to baselines for continuous security monitoring. Normalize and centralize logs to distill threat intelligence with automated tools.
Explore monitoring tools that automate with SIEM and SCAP, collecting data from multiple sources and interoperating with the help desk for scalable high- and low-level perspectives.
Balance data collection by identifying essential telemetry to protect performance and reduce review burden. Leverage industry resources and field experience to ensure data is secure and compliant with laws.
Aggregate security intelligence from change management, identity management, operating system administration, firewall and vpn logs, file system audits, malware detection, application and system logs, honeypots, intrusion systems, and threat intelligence.
Identify and prioritize risks such as malware and social engineering to determine data to collect for security intelligence, focusing on mail logs and antivirus servers.
Determine essential log fields by auditing event start and end times, who or what participated, and pertinent details like host, file system, and network port.
Outline logging configurations by system impact, specifying retention, rotation, transfer, and analysis cadences, while advocating digital signing and encryption for rotated logs in high impact systems.
Identify which events trigger immediate alerts versus those to review later, including faults affecting operations, security or availability changes, successful reconnaissance probes, likely attacks, and failed logins.
Process information from diverse log sources by normalizing data, aggregating logs, and using automation with pattern recognition to reconstruct timelines for threat detection and response.
Leverage external data sources, such as anti-malware feedback on malicious traffic and intrusion detection systems data, plus logs and schedules like vacation and travel for detection and response.
Leverage publicly available information from free and commercial registries, paid monitoring services, security blogs, social media, mailing lists, newsgroups, and vendor announcements to enhance threat detection and response.
Explore collection and reporting automation for system logs, risk and compliance management, and network forensics, using cloud and big data tools to provide instant security alerts with human review.
Set data retention policies for each data type, guiding when to dispose of data, how to preserve log files, and obtain legal counsel to avoid liability when industry requirements apply.
Collect data from network-based intelligence sources, including device configurations, switch and router logs, wireless logs, firewall and intrusion detection system logs, proxy logs, SDN traffic, and log tuning.
Explore how network device configuration files serve as baselines and backups, stored locally or remotely, revealing device behavior; backups help detect unauthorized changes signaling possible tampering.
Explore how network device state data reveals threats, including suspicious routing tables, CAM tables, NAT entries, DNS cache hints, and cache poisoning that enable man-in-the-middle attacks.
Explore switch and router logs to monitor incoming and outgoing traffic, understand ACL log entries, source and destination IPs, dropped traffic, protocols, ports, services, and balancing log detail with searchability.
Analyze wireless device logs to diagnose issues, monitor channel usage and frequencies, and detect denial-of-service threats. Aggregate logs from access points to a central controller for threat detection.
Learn to read Windows host-based firewall logs, noting date, time, action, protocol, source/destination ports and addresses, and packet size, including IPv4 and IPv6.
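Reading the Windows firewall log by hand scales to a few dozen lines; past that, the fields the lesson lists are what a script keys on. As an added example that is not from the course, this parser takes the column names from the log's own #Fields: header (the W3C layout pfirewall.log uses) and then answers the three questions an analyst asks first: who is being dropped most, who is sweeping ports, and who is probing with ICMP echo. The log excerpt is constructed and includes an IPv6 line.

```python
import ipaddress
from collections import Counter, defaultdict

# Constructed sample in the layout pfirewall.log uses (one ICMP and one IPv6 line).
SAMPLE_LOG = """\
#Version: 1.5
#Software: Microsoft Windows Firewall
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2024-03-01 10:15:22 DROP TCP 203.0.113.7 192.168.1.10 51234 445 52 S 1234567 0 8192 - - - RECEIVE
2024-03-01 10:15:22 DROP TCP 203.0.113.7 192.168.1.10 51235 3389 52 S 1234568 0 8192 - - - RECEIVE
2024-03-01 10:15:23 DROP TCP 203.0.113.7 192.168.1.10 51236 22 52 S 1234569 0 8192 - - - RECEIVE
2024-03-01 10:15:25 DROP ICMP 203.0.113.7 192.168.1.10 - - 60 - - - - 8 0 - RECEIVE
2024-03-01 10:16:01 ALLOW TCP 192.168.1.10 192.168.1.5 49152 445 0 - 0 0 0 - - - SEND
2024-03-01 10:16:09 ALLOW TCP 2001:db8::5 2001:db8::10 49153 3389 0 - 0 0 0 - - - RECEIVE
2024-03-01 10:16:30 DROP UDP 198.51.100.9 192.168.1.10 5353 5353 120 - - - - - - - RECEIVE
"""


def parse_pfirewall(text: str):
    """Turn the log into dicts keyed by the names in the #Fields: header."""
    fields = None
    records = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        values = line.split()
        if fields is None or len(values) != len(fields):
            continue                     # skip malformed lines instead of crashing mid-log
        rec = dict(zip(fields, values))
        rec["family"] = ipaddress.ip_address(rec["src-ip"]).version   # 4 or 6
        records.append(rec)
    return records


def drops_by_source(records):
    return Counter(r["src-ip"] for r in records if r["action"] == "DROP")


def port_sweeps(records, min_ports: int = 3):
    """Sources whose dropped inbound packets hit >= min_ports distinct destination
    ports: the shape of a scan rather than a misconfigured client."""
    ports = defaultdict(set)
    for r in records:
        if r["action"] == "DROP" and r["path"] == "RECEIVE" and r["dst-port"] != "-":
            ports[r["src-ip"]].add(int(r["dst-port"]))
    return {ip: sorted(p) for ip, p in ports.items() if len(p) >= min_ports}


def icmp_echo_drops(records):
    """Dropped ICMP type 8 (echo request): host discovery that preceded the sweep."""
    return [(r["date"] + " " + r["time"], r["src-ip"])
            for r in records if r["protocol"] == "ICMP" and r["icmptype"] == "8"]


if __name__ == "__main__":
    recs = parse_pfirewall(SAMPLE_LOG)
    print(drops_by_source(recs).most_common(3), port_sweeps(recs), icmp_echo_drops(recs))
```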
Explore how a web application firewall logs application layer traffic, recording source IP, matching rule, action, time, severity, http method, queries, path, and details to detect injection and web-based attacks.
Learn how intrusion detection and prevention systems log alerts, standardize formats using the SOAP protocol for cross-device compatibility, and let clients authenticate to the log server to request or subscribe to alerts.
Learn how proxy servers enable robust logging, caching, and web filtering. Read logs showing time, destination site, user, internal ip, http method, path, length, mime type, and request contents.
Treat personal mobile devices as attack vectors and use wireless carrier logs for threat detection, including call details, voicemail, text messages, images, IP addresses, session info, and geo location data.
Explore software defined networking (SDN) that separates control from forwarding, enabling programmable network management and real-time traffic adjustment, with data collection to detect anomalies and filter unwanted traffic.
Analyze network traffic and flow using tools like net flow to monitor entire sessions and trigger alerts. Visualize data and adjust firewall and access control rules to block malicious behavior.
Log tuning balances logging quantity to avoid parsing overload and wasted resources while ensuring enough data for security incidents. Identify the optimal quantity over time to make our jobs easier.
Demonstrate installing and running snort to collect network-based security intelligence, configure rules to detect scans, log alerts, and analyze captured traffic with Wireshark after an Nmap attack from Kali Linux.
Collect data from host-based intelligence sources. Examine operating system log data, Windows event logs, system logs, application logs, and DNS event logs.
Explore how operating system log data varies across unix, linux, macos, and windows, capturing authentication attempts, times, application services, errors, remote access, driver failures, hardware problems, and security policy changes.
Navigate Windows event logs, including application, security, setup, and system logs, to troubleshoot client or server machines. Use event forwarding to a collector system and consult eventid.net for event IDs.
Explore syslog as a logging protocol that uses UDP port 514 to transmit events from devices to log servers. Note severity levels and ACL-denied traffic, shown from a Cisco PIX firewall.
Explore how application logs capture server and client data, detect startup and configuration changes, track transactions, and integrate host-based and anti-malware logs for security and operational insights.
Explore dns event logs to examine query types, spot suspicious sites, identify malware indicators, and adjust logging levels from simple to debug for deeper threat detection.
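The DNS covert channel from the exfiltration lessons and the suspicious-query review in the DNS log lesson above are two sides of one check, shown here as an added example that is not from the course. A DNS tunnel has to encode data into labels and has to make every name unique so caching does not swallow it, so the detector scores the first label's length and entropy and counts unique subdomains per client and domain. The query log layout (time, client, type, name) is constructed; real resolver logs carry the same fields in their own format.

```python
import math
import re
from collections import defaultdict

# Constructed query log: "time client qtype qname".
SAMPLE_QUERIES = """\
10:01:02 192.168.1.20 A www.microsoft.com
10:01:03 192.168.1.20 A update.example.com
10:01:05 192.168.1.33 TXT 3a4f9c2e1b8d7a6e5f4c3b2a1d9e8f7c6b5a4d3e.t1.evil.example
10:01:05 192.168.1.33 TXT 9e8d7c6b5a4f3e2d1c0b9a8f7e6d5c4b3a2f1e0d.t1.evil.example
10:01:06 192.168.1.33 TXT 1f2e3d4c5b6a79889706a5b4c3d2e1f0a9b8c7d6.t1.evil.example
10:01:06 192.168.1.33 TXT mfrggzdfmztwq2lknnwg23tpobyxe43uov3ho6dzpi.t1.evil.example
10:01:07 192.168.1.20 A mail.example.com
"""

LINE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")


def shannon_entropy(s: str) -> float:
    """Bits per character; hex tops out near 4, base32 near 5, English words run 2-3."""
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registered_domain(qname: str) -> str:
    """Last two labels. Simplification: a real implementation uses the Public Suffix List."""
    parts = qname.rstrip(".").split(".")
    return ".".join(parts[-2:])


def parse_queries(text: str):
    out = []
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            out.append({"time": m[1], "client": m[2], "qtype": m[3], "qname": m[4].lower()})
    return out


def suspicious_labels(queries, min_len: int = 30, min_entropy: float = 3.0):
    """Queries whose leftmost label is long and high-entropy: encoded data, not a hostname."""
    hits = []
    for q in queries:
        first = q["qname"].split(".")[0]
        if len(first) >= min_len and shannon_entropy(first) >= min_entropy:
            hits.append((q["client"], q["qname"]))
    return hits


def tunnel_candidates(queries, min_unique: int = 3):
    """(client, domain) pairs with many unique subdomains: a tunnel must defeat caching."""
    seen = defaultdict(set)
    for q in queries:
        seen[(q["client"], registered_domain(q["qname"]))].add(q["qname"])
    return sorted(k for k, names in seen.items() if len(names) >= min_unique)


if __name__ == "__main__":
    qs = parse_queries(SAMPLE_QUERIES)
    print(suspicious_labels(qs))
    print(tunnel_candidates(qs))
```

Tune the thresholds against your own baseline before alerting: CDNs and some antivirus vendors legitimately generate long, high-entropy labels, so the two signals together (entropy plus unique-name volume per client) cut false positives far better than either alone.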
Examine SMTP logs from mail servers, covering client-to-server mail transfers and remote delivery, interpret error codes and indicators of denial of service such as out of memory.
Learn how web servers log http activity, including client ip, user id, time zone, request method and resource, and status codes for detecting client and server errors.
Examine FTP logs to capture security telemetry, including date and time, source and destination IP addresses, usernames, actions, status codes, bytes sent and received, unique session IDs, and path details.
Analyze SSH logs to detect threats by examining date and time, client username, IP address, port, software version, encryption type, and whether connections succeeded or failed.
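The fields the SSH log lesson lists (time, user, source IP, port, success or failure) are enough to detect the most common attack against the service. As an added example that is not from the course, this parses constructed OpenSSH auth.log lines, counts failures per source inside a sliding window, and escalates the alert when an Accepted login later arrives from the same source, which is the case that matters. The year is assumed because classic syslog omits it.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed auth.log excerpt in OpenSSH wording.
SAMPLE_AUTH = """\
Mar  1 10:15:20 web1 sshd[2211]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
Mar  1 10:15:21 web1 sshd[2213]: Failed password for invalid user oracle from 203.0.113.7 port 51236 ssh2
Mar  1 10:15:21 web1 sshd[2215]: Failed password for root from 203.0.113.7 port 51238 ssh2
Mar  1 10:15:22 web1 sshd[2217]: Failed password for root from 203.0.113.7 port 51240 ssh2
Mar  1 10:15:24 web1 sshd[2219]: Failed password for root from 203.0.113.7 port 51242 ssh2
Mar  1 10:15:30 web1 sshd[2221]: Accepted password for root from 203.0.113.7 port 51244 ssh2
Mar  1 10:20:02 web1 sshd[2290]: Failed password for bob from 10.0.0.5 port 50000 ssh2
Mar  1 10:20:09 web1 sshd[2292]: Accepted publickey for bob from 10.0.0.5 port 50002 ssh2: ED25519 SHA256:abc
"""

SSH_LINE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[(?P<pid>\d+)\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\S+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port (?P<port>\d+)"
)


def parse_auth(text: str, year: int = 2024):
    """Assumption: all lines belong to `year` (syslog timestamps carry no year)."""
    events = []
    for line in text.splitlines():
        m = SSH_LINE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append({**m.groupdict(), "ts": ts, "invalid": "invalid user" in line})
    return events


def brute_force_alerts(events, threshold: int = 5, window_seconds: int = 60):
    """Per source IP: >= threshold failures inside the window raises 'brute-force';
    an Accepted login from that IP afterwards upgrades it to 'compromise'."""
    fails = defaultdict(list)      # ip -> failure timestamps still inside the window
    tried = defaultdict(set)       # ip -> usernames attempted
    alerts = {}
    for e in sorted(events, key=lambda e: e["ts"]):
        ip = e["ip"]
        if e["result"] == "Failed":
            tried[ip].add(e["user"])
            fails[ip] = [t for t in fails[ip]
                         if (e["ts"] - t).total_seconds() <= window_seconds] + [e["ts"]]
            if len(fails[ip]) >= threshold and ip not in alerts:
                alerts[ip] = {"severity": "brute-force", "first": fails[ip][0], "users": tried[ip]}
        elif ip in alerts:
            alerts[ip]["severity"] = "compromise"
            alerts[ip]["user"] = e["user"]
    return alerts


if __name__ == "__main__":
    for ip, a in brute_force_alerts(parse_auth(SAMPLE_AUTH)).items():
        print(ip, a["severity"], sorted(a["users"]), a.get("user"))
```

The single failure from 10.0.0.5 followed by a key-based login is a user mistyping a passphrase and is correctly ignored; the guessed-then-accepted root password from 203.0.113.7 is the line an analyst would otherwise skim past in a wall of Failed entries.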
Explore sql logs to track date and time of events, database startup, administrative login failures or successes, and attacker attempts to access a new server, sql injection, or account hijacking.
Demonstrates collecting host-based security intelligence with Windows Event Viewer, exploring logs, creating custom views, and configuring forwarding, subscriptions, and automated responses.
Parse log files with Microsoft’s Log Parser Studio version 2 to analyze Event Viewer data, import server logs, and run queries that show application errors per hour.
Review how to collect cybersecurity intelligence from network-based and host-based sources using a security information and event management (SIEM) platform, including Windows Event Viewer logs and web server data.
Download files here
Learn to analyze logs using common tools such as grep and cut, Windows tools like Event Viewer and PowerShell, and automate analysis with Bash scripts and cross-platform guidelines.
Turn raw log data into a usable form for analysis and parsing using manual, automated, or hybrid tools, with shell scripting and regular expressions.
Filter out unnecessary or duplicate data from multiple sources, normalize and combine sources, synchronize events and times, normalize data formats, and securely store data for analysis.
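Normalizing, synchronizing and deduplicating across sources, as an added example that is not from the course: three constructed records, one each from syslog, a Windows event export and an Apache access log, are parsed by a per-format function, converted to UTC, deduplicated (a forwarded syslog copy appears twice) and sorted into one timeline. The time zones of the syslog and Windows hosts and the syslog year are assumptions stated as constants, because those are exactly the things an analyst must pin down before the ordering can be trusted; Apache carries its own offset.

```python
from datetime import datetime, timedelta, timezone

# Assumptions: the syslog and Windows hosts log in local time at UTC-5;
# classic syslog carries no year, so one is supplied.
SYSLOG_TZ = timezone(timedelta(hours=-5))
WINDOWS_TZ = timezone(timedelta(hours=-5))
SYSLOG_YEAR = 2024
APACHE_HOST = "web1"   # access logs do not name the host; assumed from the collector

# Constructed records, each in the native layout of its source.
SOURCES = {
    "syslog": [
        "Mar  1 05:15:22 web1 sshd[2221]: Accepted password for root from 203.0.113.7 port 51244 ssh2",
        "Mar  1 05:15:22 web1 sshd[2221]: Accepted password for root from 203.0.113.7 port 51244 ssh2",
    ],
    "windows": [
        "3/1/2024 5:16:01 AM,dc1,4624,An account was successfully logged on: WEB1$",
    ],
    "apache": [
        '203.0.113.7 - - [01/Mar/2024:05:14:59 -0500] "GET /wp-login.php HTTP/1.1" 200 612',
    ],
}


def parse_syslog(line: str):
    ts = datetime.strptime(f"{SYSLOG_YEAR} {line[:15]}", "%Y %b %d %H:%M:%S").replace(tzinfo=SYSLOG_TZ)
    host, _, msg = line[16:].partition(" ")
    return ts, host, msg


def parse_windows(line: str):
    stamp, host, event_id, msg = line.split(",", 3)
    ts = datetime.strptime(stamp, "%m/%d/%Y %I:%M:%S %p").replace(tzinfo=WINDOWS_TZ)
    return ts, host, f"EventID {event_id}: {msg}"


def parse_apache(line: str):
    start = line.index("[") + 1
    end = line.index("]")
    ts = datetime.strptime(line[start:end], "%d/%b/%Y:%H:%M:%S %z")   # offset is in the log
    return ts, APACHE_HOST, line[end + 2:]


PARSERS = {"syslog": parse_syslog, "windows": parse_windows, "apache": parse_apache}


def build_timeline(sources):
    """Normalize every record to (utc_ts, source, host, message), drop exact
    duplicates, and sort so the sequence reads as the attacker produced it."""
    seen = set()
    timeline = []
    for name, lines in sources.items():
        for line in lines:
            ts, host, msg = PARSERS[name](line)
            key = (ts.astimezone(timezone.utc), host, msg)
            if key in seen:
                continue
            seen.add(key)
            timeline.append((key[0], name, host, msg))
    timeline.sort(key=lambda r: r[0])
    return timeline


if __name__ == "__main__":
    for ts, source, host, msg in build_timeline(SOURCES):
        print(ts.isoformat(), source, host, msg[:60])
```

With the offsets applied, the web login attempt (05:14:59 local) is seen to precede the SSH login by 23 seconds, which is the order the investigation needs; without normalization the Apache and Windows stamps would have been compared as if they were in the same zone.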
Identify log analysis tools across platforms, from Linux utilities like grep and cut to Windows tools like Findstr and Event Viewer, plus Bash and PowerShell scripting for log parsing.
Utilize the grep command in Unix to search log files for exact string matches, such as an IP address, and filter results by criteria like usernames, hosts, dates, and times.
Learn to use the cut command in unix to filter log data by characters or fields without changing the file. Apply -c and -d -f options to view space-delimited fields.
The diff command in Unix compares two text files line by line to identify differences, showing where to add or delete lines with line-number references, without changing either file.
Use the find command in Windows to search the firewall log for ICMP entries. Apply case-insensitive searches with the /I switch, much like grep -i, and display results on the command line.
Use the Windows Management Instrumentation command line (WMIC) to analyze local and remote security logs, and enable WinRM to run remote commands with administrator credentials and review the results.
Use Windows event viewer to inspect application, security, setup, and system logs, and set up a collector to forward events and logs; filter, save, and trigger alerts.
Automate repetitive tasks with bash on unix-like systems by using grep, pipes, and redirection to create log files, with prompts for search terms and locations.
Use Windows PowerShell to run a script that reads the Security event log with -Newest 5, filters on InstanceId 4625 (failed logon), and writes TimeWritten and Message to a file.
Discover unix based log analysis tools such as awk and tail, plus real-time insights with SCC and Microsoft log parser, and explore SIEM visualizations and big data tools for logs.
Learn to analyze logs across Windows and Linux using native tools like find, Event Viewer, PowerShell, grep, cut, and diff; configure event forwarding and custom views for efficient retrieval.
Analyze Linux log files for security intelligence using grep with ignore-case, cut with spaces and colons, and pipes to surface critical errors in /var/log.
Leverage SIEM tools to enhance security intelligence correlation and explore the realities of the SIEM in the intelligence lifecycle, with guidelines for security intelligence analysis.
Learn how to correlate security intelligence events across locations to detect potential breaches, where simultaneous logins, badge swipes, RFID indicator, and VPN activity trigger alerts and prompt investigation.
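The correlation described above, as an added example that is not from the course: two rules over a constructed, already-normalized event stream from a badge system, a VPN concentrator and Windows logon auditing. The first pairs a badge-in at a site with a VPN login for the same user from outside the home country shortly afterwards (the user cannot be in both places); the second catches the same user on the VPN from two different source addresses within minutes. The home country and the windows are assumptions.

```python
from datetime import datetime, timedelta

HOME_COUNTRY = "US"   # assumption: where the workforce normally connects from

# Constructed events, timestamps already in UTC.
EVENTS = [
    {"ts": "2024-03-01T13:02:10", "source": "badge", "user": "alice", "where": "HQ-lobby"},
    {"ts": "2024-03-01T13:20:41", "source": "vpn", "user": "alice", "src_ip": "203.0.113.7", "geo": "RO"},
    {"ts": "2024-03-01T13:21:05", "source": "windows", "user": "alice", "event_id": 4624, "host": "fileserver"},
    {"ts": "2024-03-01T09:00:00", "source": "vpn", "user": "bob", "src_ip": "198.51.100.4", "geo": "US"},
    {"ts": "2024-03-01T09:03:00", "source": "vpn", "user": "bob", "src_ip": "198.51.100.9", "geo": "US"},
    {"ts": "2024-03-01T15:00:00", "source": "vpn", "user": "carol", "src_ip": "198.51.100.20", "geo": "US"},
]


def _ts(event):
    return datetime.fromisoformat(event["ts"])


def badge_vs_vpn(events, window=timedelta(hours=2)):
    """Badge-in followed within the window by a foreign VPN login for the same user:
    stolen credentials or a shared account, either way worth a ticket."""
    alerts = []
    badges = [e for e in events if e["source"] == "badge"]
    for v in events:
        if v["source"] != "vpn" or v["geo"] == HOME_COUNTRY:
            continue
        for b in badges:
            if b["user"] == v["user"] and timedelta(0) <= _ts(v) - _ts(b) <= window:
                alerts.append(("badge+foreign-vpn", v["user"], b["where"], v["src_ip"]))
    return alerts


def concurrent_vpn(events, window=timedelta(minutes=10)):
    """Same user, two different VPN source addresses inside the window."""
    alerts = []
    vpn = sorted((e for e in events if e["source"] == "vpn"), key=_ts)
    for i, a in enumerate(vpn):
        for b in vpn[i + 1:]:
            if _ts(b) - _ts(a) > window:
                break
            if a["user"] == b["user"] and a["src_ip"] != b["src_ip"]:
                alerts.append(("concurrent-vpn", a["user"], a["src_ip"], b["src_ip"]))
    return alerts


def followed_by_logon(events, alerts, window=timedelta(minutes=30)):
    """Attach the first Windows logon that follows each alerted user's VPN session:
    the host the analyst should look at first."""
    enriched = []
    for alert in alerts:
        user = alert[1]
        logons = [e for e in events if e["source"] == "windows" and e["user"] == user]
        vpn_times = [_ts(e) for e in events if e["source"] == "vpn" and e["user"] == user]
        hosts = [e["host"] for e in logons
                 if any(timedelta(0) <= _ts(e) - t <= window for t in vpn_times)]
        enriched.append(alert + (hosts[0] if hosts else None,))
    return enriched


def run_rules(events):
    return followed_by_logon(events, badge_vs_vpn(events) + concurrent_vpn(events))


if __name__ == "__main__":
    for a in run_rules(EVENTS):
        print(a)
```

The sorted scan in concurrent_vpn breaks out of the inner loop as soon as the window is exceeded, so it stays linear-ish on a day of VPN logs; the same idea, events indexed by user and time, is what a SIEM's correlation engine does at scale.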
Learn to use SIEMs for real-time security event analysis by collecting diverse log data, defining threat scope, and automating alerting with ticketing and evidence trails.
Explore how SIEMs consolidate multiple security tools into a single platform, evolving from hype and clunky configurations to modern, useful solutions. SolarWinds LEM illustrates an integrated SIEM example.
Correlate the SIEM with the intelligence life cycle by automating collection, processing, and distilling security intelligence. Acknowledge human analysis in production and how SIEM aids planning, dissemination, and integration.
Learn to configure SIEMs for security intelligence analysis by preserving original data, generating actionable alerts and tickets, conducting regular log reviews, and continuous vulnerability assessment across networks and assets.
Demonstrates incorporating SIEMs into security intelligence analysis by deploying Splunk as a centralized log analysis platform that aggregates local and remote logs, performance data, and active directory monitoring.
Learn to parse log files using regular expressions, building expressions with quantifiers, anchors, and character sets to perform keyword, IP, and port searches, including email patterns.
Master regular expressions to describe search patterns and use operators to locate delimiters in log files, using a cheat sheet of syntax, punctuation, and a space.
Learn quantification operators for pattern matching, including the asterisk, question mark, plus, and curly bracket ranges for exact, at least, or between N and M repetitions.
Master anchor operators by using the caret (^) to require that the string begins with 105 and the dollar sign ($) to require that it ends with 105.
Explore character set operators, brackets, and ranges that match digits and letters, including negation and dash ranges, with examples like not 0-3 and not a-f.
Master miscellaneous search operators, including the dot wildcard, parentheses for subexpressions, brackets for ranges, curly braces for repetition, and the bar as OR, with backslash as the literal escape.
Learn regex special operators such as \w, \d, and \s; a word character is a letter, digit, or underscore, and use \b or \B for word boundaries and non-boundaries.
Build a regex to match IP addresses in the 188.24.1.x to 188.24.122.x range by escaping literal dots and restricting the final octet to one to three digits.
Explore keyword searches to locate patterns in logs and files, using literal operators, dot notation, emails, dates, and times with examples like error, malice, and 02/24/2016.
Learn to craft special character searches, escaping forward slashes, matching http(s) schemes, domain patterns like .com, and digit delimiters such as dash or comma in log queries.
Identify and search IP addresses by patterning one to three digits with dots, covering all addresses, specific subnets, and class C ranges, using exact matches and 0 to 255.
Master regular expressions by applying quantifiers, anchors, and character sets to perform complex analyses. Use groups, escapes, and modifiers to tailor patterns, with a cheat sheet for quick reference.
Analyze log data using cross-platform tools for Linux, Unix, and Windows; explore automating analysis and parsing logs with regular expressions through real-world examples.
Analyze incidents with Registry Editor in Windows. Explore file system analysis tools, Process Explorer, volatile memory analysis tools, service analysis tools, Active Directory analysis tools, and network analysis tools.
Examine the Windows Registry Editor to see how the PathCompletionChar value under the Command Processor key governs autocomplete, with hex 40 mapping to the at sign (@) and 09 to tab.
Analyze the registry to detect compromise by identifying malicious or unknown driver keys and accessed programs, and export a key to text for parsing since the registry editor lacks timestamps.
Learn Windows file system analysis tools, using the dir command to search file types, ownership, and alternate data streams, and monitor disk activity with Resource Monitor and Task Manager.
Discover how Process Explorer from Sysinternals reveals a program's resource usage, the processes and registry keys it touches, and how it helps investigate malware like webcam abuse.
Use Process Monitor from Microsoft to analyze how processes interact on the system, view event properties, the history of interactions, I/O details, and the thread stack for threat detection and response.
Explore Windows service analysis tools, including Task Scheduler for viewing triggers, actions, and history; inspect services.msc for startup types; and use net start to query service information.
Explore volatile memory analysis on Windows to uncover indicators of compromise hidden in RAM, even after history or programs are cleared, using Magnet RAM Capture and Belkasoft Live RAM Capturer.
Explore Active Directory analysis tools beyond the standard Active Directory Users and Computers to reveal last logon times, password changes, and suspicious values using Active Directory Explorer.
Use Wireshark to capture traffic and inspect packets, IP and MAC addresses, and ports for threats like DDoS and poisoning. Enumerate hosts with nmap and validate with ipconfig and iperf.
Explore Windows network analysis tools, including netstat, nbtstat (NetBIOS info), the net command, traceroute, and ARP, to monitor live ports, connections, and IP-to-MAC mappings, and detect potential compromises like ARP poisoning.
Explore Windows-based incident analysis tools, including ipconfig, the DNS cache, the hosts file, DNS lookup (nslookup), netstat, traceroute, Task Manager, Process Explorer, and Resource Monitor, to detect intrusions.
Analyze incidents with Linux-based tools, covering file system analysis, process analysis, memory analysis, session analysis, and network analysis.
Explore Linux file system analysis with lsof to list open files and identify processes, connections, and potential malicious activity. Use dd to copy files or entire disks.
The ps command is a process analysis tool for Linux; it shows process IDs, terminal connections, execution time, and process names, with filtering, sorting, and real-time results.
Explore Linux memory analysis with Volatility and Belkasoft tools to view available and used memory, kernel buffers, and page cache, and diagnose with the free command for possible malware indicators.
Identify unauthorized logins on Linux using session analysis tools like who, w, and rwho to reveal accounts, login sources, and idle times.
Explore Linux network analysis tools that mirror Windows equivalents, including Wireshark for capture, tcpdump for packet analysis, iperf, and nmap as a port scanner.
Explore Linux network analysis tools like ifconfig, netstat, traceroute, and arp, noting the richer data on packets and the ARP mappings for all interfaces.
Explore Linux-based incident analysis tools to monitor and analyze network traffic, using ifconfig to manage interfaces, top to view processes, tcpdump for live capture, and Wireshark for packet analysis.
Analyze malware through sandboxing in virtualized environments and crowdsourcing detection on platforms like VirusTotal; explore reverse engineering, disassembly, and malware strings, plus anti-malware solutions and MAEC guidelines for analysis.
Conduct safe malware analysis by running samples in a protected, monitored sandbox to observe system changes, process and service activity, network sockets, file creation/deletion, and memory dumps with periodic snapshots.
Crowd-sourced malware signatures enhance detection by sharing information across companies, using VirusTotal to integrate dozens of anti-malware products and its public API for extensions across apps and third-party software.
Review a VirusTotal malware entry, noting the unique hash value, file name, detection ratio, and analysis state; multiple sources indicate the file is a trojan.
Reverse engineering differs from sandboxing by analyzing a malware’s component structure to reveal its base-level behavior. Java decompilers show what Java files do, while sandboxes prevent triggering during analysis.
Disassemblers convert machine language to assembly for easier reading, enabling reverse engineering of executables; interactive debuggers and tools like OllyDbg automate analysis in real time to reveal components.
Analyze a malware disassembly in IDA, using a malware sample to inspect different views and glean what the malware could do or where it is headed.
Explore how malware strings (encoded sequences) signal actions like registry modification or downloads, while legitimate files may exhibit similar or encoded strings, complicating detection.
Implement anti-malware solutions on host machines, with an enterprise dashboard to view log files and real-time statistics, plus real-time protection and signature updates.
Explore MAEC, the Malware Attribute Enumeration and Characterization standard from the MITRE Corporation, enabling malware information exchange with three data models and XML schemas to reduce redundancy and speed mitigation.
Configure sandbox environments, test anti-sandbox detection, reverse engineer malware with disassemblers like IDA and OllyDbg, and share findings on VirusTotal to aid crowdsourced protection.
Analyze malware by inspecting suspicious processes in Task Manager, locating the executable, and scanning it with VirusTotal to assess risk and guide further investigation.
Analyze indicators of compromise to detect unauthorized software, suspicious emails, registry entries, unknown ports, rogue hardware, website defacement, excessive bandwidth, service disruption, and unauthorized account activity.
Identify indicators of compromise (IOCs) and learn to correlate multiple IOC signals to build a narrative of events, with examples like unauthorized software, suspicious emails, registry entries, and unknown ports.
Identify indicators of compromise from unauthorized software and files, review hosts file entries, monitor with host-based intrusion detection systems, and use ipconfig /displaydns to verify DNS cache.
Identify suspicious emails that signal phishing or compromised credentials by analyzing headers and sender patterns, including internal emails. Assess outbound messages for sensitive data and malware exfiltration indicators.
Identify suspicious registry entries that signal compromise, such as Run and RunOnce keys, potential malware like a rogue executable, and altered file associations, service, and driver entries.
Identify known and unknown port usage on a system by examining TCP and UDP traffic, recognizing typical services by destination ports, and flagging anomalies with netstat insights.
Malware across multiple machines can trigger bandwidth spikes, degrade performance, and saturate networks, as worms cause mass update requests and a distributed denial of service attack against update servers.
Explore service disruption and defacement on websites, from overt hacks to subtle changes. Learn how attackers alter contact information and compromise critical systems to halt access.
Identify rogue hardware as a sign of compromise and examine how rogue USB devices and rogue access points enable man-in-the-middle attacks and spoofed network services.
Detect suspicious or unauthorized account usage by auditing logins, sessions, device connections, and privilege escalation attempts. Audit failed logons, monitor new accounts added to administrative groups, and review off-hours logins.
Analyze indicators of compromise by scanning enterprise anti-malware logs, monitoring hosts file changes, and watching for phishing in emails and potential exposure of credit card numbers or social security numbers.
Analyze indicators of compromise by auditing a Windows server, configuring group policy, monitoring object access, and tracing unauthorized Active Directory activity to detect backdoor accounts.
Master active asset and network analysis using Windows and Linux tools, and examine malware in sandboxes to deconstruct threats. Identify indicators of compromise to strengthen threat detection and response.
The CyberSec First Responder: Threat Detection and Response course prepares the candidates to protect the IT infrastructure of their organizations against cyber-attacks. The course also teaches the candidates to execute a properly planned response to such incidents. The tools and techniques taught in this course are independent of the size and scope of the organization as the course is based on the common threats, risks and their mitigation techniques which are applicable universally.
The candidates are advised to have some knowledge of basic networking technologies such as TCP/IP, routing protocols, network security and VPNs. In addition to this, the candidates are also supposed to have at least two years of professional experience in network administration or a similar field.