{"id":38710,"date":"2024-02-15T10:38:23","date_gmt":"2024-02-15T10:38:23","guid":{"rendered":"https:\/\/www.mfec.co.th\/uncategorized\/incident-response-detecting-and-analyzing-threats-through-malicious-behavior\/"},"modified":"2024-12-06T03:30:18","modified_gmt":"2024-12-06T03:30:18","slug":"incident-response-detecting-and-analyzing-threats-through-malicious-behavior","status":"publish","type":"post","link":"https:\/\/www.mfec.co.th\/en\/tech-talk\/incident-response-detecting-and-analyzing-threats-through-malicious-behavior\/","title":{"rendered":"Incident Response \u2013 Detecting and Analyzing Threats Through Malicious Behavior"},"content":{"rendered":"\n

One of the challenges in responding to cyber threats is monitoring and responding to attacks that continuously evolve in their methods and techniques. Relying solely on signature-based detection, which identifies specific characteristics of attack patterns, may not be sufficient. It’s necessary to also incorporate anomaly detection or abnormal behavior analysis for more comprehensive coverage. Although there are tools available today to assist in detecting such incidents, the ability of analysts to understand how these tools work or to identify abnormalities that the tools might miss can greatly enhance the accuracy of threat response. <\/p>\n\n

The incident response process, as recommended by NIST SP 800-61r2, is divided into four steps. This article focuses on step 2, Detection and Analysis. The aim is to help those involved in threat analysis understand how to detect and analyze malicious behavior. Key points from two documents\u2014Technical Approaches to Uncovering and Remediating Malicious Activity and Federal Government Cybersecurity Incident and Vulnerability Response Playbooks\u2014will be referenced, with the content divided into three sections: Log to collect, Methods for Analyzing Abnormal Behavior, and Recommended Response Actions.<\/span><\/span>\u00a0<\/span><\/p>\n\n

<\/p>\n\n

Part 1:<\/span> Log to collect<\/span><\/span>\u00a0<\/span><\/strong><\/p>\n\n

When considering which logs to collect, you can start by looking at what is required by law (e.g., the Computer Crime Act of 2021). Then, expand to cover the requirements of audits or regulatory bodies, and define the use cases along with the urgency level of each event. <\/p>\n\n

Another approach is to choose use cases first (e.g., referencing techniques in MITRE ATT&CK that are commonly used by attackers). Afterward, link the log sources to the relevant techniques and specify indicators to create detection rules. The selection of use cases can be based on several factors, such as activities that are inconsistent with the organization\u2019s IT security policy, alerts from security analytics devices, threat intelligence data, or information from other sources useful for monitoring abnormal events. <\/p>\n\n

\"\"<\/figure><\/div>\n\n

The selection of indicators to create detection rules can be based on attack vectors and potential impacts on the systems to be monitored. For example, consider how attackers can access the system, which accounts have elevated privileges, and if successful, how malware might be installed or a backdoor created for future access. Additionally, assess whether lateral movement to other systems within the organization is possible, or if sensitive data could be directly transferred from the compromised system. This information can help identify related events for crafting detection rule logic. <\/p>\n\n

<\/p>\n\n

Part 2: <\/span><\/span>Methods for Analyzing Abnormal Behavior<\/span><\/span>\u00a0<\/span><\/strong><\/p>\n\n

After selecting log sources and evaluating indicators based on potential threats, the next step is to define conditions for detecting or searching for abnormal events. This can be divided into four approaches: <\/p>\n\n

  1. Indicator of Compromise (IOC) Search<\/span><\/span><\/em> \u2013 <\/span><\/span>This<\/span> involves<\/span> directly<\/span> searching<\/span> for<\/span> identified<\/span> malicious<\/span> data<\/span> (<\/span>e.g<\/span>., <\/span>domains<\/span>, IP <\/span>addresses<\/span>, <\/span>file<\/span> hashes<\/span>) <\/span>in<\/span> logs<\/span>. <\/span>The<\/span> advantage<\/span> is<\/span> that<\/span> it<\/span> is<\/span> straightforward<\/span> with<\/span> a <\/span>lower<\/span> chance<\/span> of<\/span> false<\/span> positives<\/span>. <\/span>However<\/span>, <\/span>the<\/span> downside<\/span> is<\/span> that<\/span> IOC-<\/span>based<\/span> detection<\/span> can<\/span> be<\/span> easily<\/span> bypassed<\/span>, <\/span>and<\/span> network-related<\/span> IOCs<\/span> may<\/span> be<\/span> dynamic<\/span>, <\/span>leading<\/span> to<\/span> false<\/span> positives<\/span> over<\/span> time<\/span>.<\/span><\/span>\u00a0<\/span><\/li>
  2. Frequency Analysis<\/span><\/span><\/em> \u2013 <\/span><\/span>This<\/span> method<\/span> identifies<\/span> abnormalities<\/span> based<\/span> on<\/span> human<\/span> behavior<\/span> by<\/span> analyzing<\/span> datasets<\/span> to<\/span> establish<\/span> patterns<\/span> of<\/span> normal<\/span> activities<\/span>, <\/span>then<\/span> monitoring<\/span> for<\/span> events<\/span> that<\/span> fall<\/span> outside<\/span> these<\/span> established<\/span> patterns<\/span>. <\/span>For<\/span> example<\/span>, <\/span>logins<\/span> outside<\/span> working<\/span> hours<\/span>, <\/span>logins<\/span> from<\/span> unfamiliar<\/span> devices<\/span>, <\/span>or<\/span> the<\/span> use<\/span> of<\/span> previously<\/span> unused<\/span> ports<\/span>.<\/span><\/span>\u00a0<\/span><\/li>
  3. Pattern Analysis<\/em> <\/span><\/span>\u2013 <\/span><\/span>This<\/span> method<\/span> looks<\/span> for<\/span> abnormalities<\/span> caused<\/span> by<\/span> malware<\/span> or<\/span> automated<\/span> scripts<\/span>, <\/span>which<\/span> differ<\/span> from<\/span> normal<\/span> human<\/span> behavior<\/span>. <\/span>For<\/span> instance<\/span>, <\/span>recurring<\/span> events<\/span> occurring<\/span> at<\/span> the<\/span> same<\/span> time<\/span> every<\/span> day<\/span>.<\/span><\/span>\u00a0<\/span><\/li>
  4. Anomaly Analysis<\/span><\/span><\/em> \u2013 <\/span><\/span>Analysts<\/span> collaborate<\/span> with<\/span> system<\/span> administrators<\/span> to<\/span> look<\/span> for<\/span> behavior<\/span> or<\/span> errors<\/span> in<\/span> the<\/span> system<\/span> that<\/span> are<\/span> abnormal<\/span> but<\/span> may<\/span> not<\/span> yet<\/span> be<\/span> definitively<\/span> identified<\/span> as<\/span> an<\/span> attack<\/span>.<\/span><\/span>\u00a0<\/span><\/li><\/ol>\n\n

    Methods for detecting abnormalities on hosts generally focus on analyzing data from processes, applications, files, user accounts, and event logs present on the machines. Some abnormalities are clear indicators of an attack, while others may require confirmation from relevant personnel. Examples of detecting abnormalities on a host include: <\/p>\n\n