SOC 101: Real-time Incident Response Walkthrough

Captions
One of the most common questions that I get when I'm doing incident response or threat hunting, or more specifically teaching people how to do threat hunting or incident response, is: how would you know to go look at that specific machine? How would you know to take a memory dump, or look at that machine's individual traffic, out of the ten thousand, twenty thousand, fifty thousand devices that are on the network? Well, the answer to that is because of a group that we talk about called the SOC, or the security operations center. And, you know, I say this all the time: I think in our industry the SOC and the SOC team are the most underrated, underappreciated, under-discussed groups in all of cyber security, because it's because of that team we're able to see the things that we need to see, or focus on the things we need to focus on. But as a part of that, what makes a SOC team work, and what makes incident response and threat hunting and all that work, is having a good SIEM solution. I'm going to show you how, using a SIEM, one of my favorites, Exabeam, how this ties together, and we'll go from the very beginning, where someone in the SOC saw through the SIEM a problem, and then we'll look at what the hunting and the incident response would look like. Let's jump right into it.

Now, what we said is the fact that what you normally see is the SOC is who's responsible for letting us know where to look for a specific piece of malware and when something's wrong. What you see here is kind of my way to illustrate this. You can see the SOC up here at the top; these are the unsung heroes, the people that are in there daily grinding it out, looking for these variations and anomalies, and then they're usually plugged into what we call a SIEM, or a security information and event management system, and one of my favorites, as I said in the previous part of this video, is Exabeam. Now what you can see is incident response, threat hunting, you know, incident detection or intrusion detection, risk management; all of this ties into these SIEM solutions and utilizes the data. Let's look at what happens in a scenario. We're going to go quickly from beginning to end, where something in the SIEM showed us that something wasn't quite right, and then we'll dig into the weeds, so you can see how we get into those weeds, kind of counter to what my normal videos are, whereas we pick up right in the weeds. Let's look at that.

So I've logged into my Exabeam SIEM console here, and, you know, this is one of the best dashboards, most intuitive dashboards, of the SIEM market; you know, this is one of my favorites. So as you can see here, we can see all kinds of things. We can see notable users, and by notable we mean users where there's been some activity that makes us notice them; you know, there's something about this user's activity that makes us kind of put them in this category. There's notable assets; this would be specific servers or desktops or things like that that may be doing some behavior that kind of makes us notice those devices as well. And you can see we have all different kinds of categories here that we look at in our SIEM to see what's going on. Now in this particular instance we're going to look at Barbara Salazar here. So if we go look at her alert and see why she's in the notable people's list here, we can see if we click on this incident here. Now I want you to notice this is classified as a medium; it's not a critical, not a high categorization. But if we go look at her and look at what this report is, what we see, and this is November 22nd, so this is like just, you know, yesterday, what we can see is Ms. Salazar here has been VPNing in from Ukraine, and the reason she got into this group of notable is because she's never VPNed from Ukraine before, right? So that may not be anything, but it could be everything. So that's how we got to focus on Ms. Salazar.

So now we're going to go and look at our VPN concentrator, or our VPN drop box or jump box. So, you know, a lot of these organizations have these really old boxes or really old infrastructures where when you VPN in, you jump off into that box, and then from that box you can move horizontally inside the environment. So now let's jump over to that, based on what we saw in this great dashboard here, to get us to that point where we knew that Barbara Salazar was having an issue, or there could have been an issue. And this could be the impetus for where we might start something like a cyber threat hunt, based on just this medium thing here. We don't know that there's anything wrong, but the dashboard can quickly get us to the point, remember we started here, it can quickly get us to the point where we can kind of see that, okay, there's VPN from a geolocation that she's never done before. We don't have any evidence of malware or anything like that; it's a medium priority thing. But you know what, let's create a threat hunting hypothesis and assume that maybe there is an issue, because there's a VPN from Ukraine. This gives us all that. So let's go now and look and see what we would see on her VPN session, or the previous sessions that she's generated.

So now, as we get to the VPN junction point, you can see the VPN profiles here, and if we go look at those, we look in her profile, and we don't see anything weird there. But we're forming a hypothesis here, because we understand that the whole purpose of these advanced persistent threats is they don't want you to see evidence of anything going on. So just out of curiosity here, I'm going to run tasklist and get a list of running processes, and I'm also going to run, these are just built-in Windows commands, I'm going to do netstat and look at current connections, and I'm going to write that to the same file. All right, now this is a common little triage that I'll do when I think something's wrong, and I'm going to copy this file somewhere that I can get to it remotely. All right, so we don't know that anything's wrong, but we just did a little triage; we copied that file over, took a list of, you know, what was running, and just to show you what that file looks like: it's just a little file, looks like that, shows us running processes and connections. Now notice here's a list of all the running processes, and they're all legitimate; with these processes nothing looks out of whack there. Here's, um, you know, connections; there's no weird connections, there's actually no connections, just listening ports, they all look legit. So nothing to see there on this jump box.

Now, because we saw, got that hint from Barbara Salazar's VPN from Ukraine, we knew it came into this box, we're going to, just as a precautionary measure, out of an abundance of caution, we're going to take a memory dump anyway of this machine. And we always talk about the order of volatility and why that's such an important thing. So we're going to write right onto the C drive here, and we're just going to write a memory dump out. And I'm using this old machine because it's got a really, really tiny amount of memory, so this demo can go quicker, with me just taking like a 256 meg memory dump. But you get the point; you don't have to sit here and watch me, you know, wait for a memory dump from a 32 gig memory machine to take 45 minutes for you to get the point of what's going on here. So I'm going to take that memory dump now, and we're going to put it onto a server. All right, it's transferred.

So now we're going to go to our investigative machine, we're going to bring that memory dump over, and then with that dump we're going to just do a comparative analysis here. So remember we wrote out this file, so we wrote out this hacked file, right, that showed us everything that's going on on the machine, and we can see there's our running processes, and then we can see, random data, our connections. I want you to pay attention to the fact that there's a listening session on port 80 and port 110, but nothing on port 100. And here's again the running processes. Now, taking that memory dump that we just brought over, so let's look at that. I'm going to use a tool called Volatility; this is just a memory dump tool, and we're going to point at that barb.raw file here. All right, and just, I'm not trying to teach you Volatility here, so I'm not going to go into all the things I'm doing with the commands here, and we're going to get a list of running processes. So that's going to be the first comparative analysis we're going to do. So we're going to look at the processes that are currently running per the memory dump and compare that to what we see when we run tasklist or Task Manager from the victim itself, which is what we see over here. And right away we see two processes right there that we don't see running on the other side over here. So the machine itself is lying to us and telling us that, you know, this is all the processes we have and there's no weird connections. But also, if we looked at connections, we'll see that there's a connection on port 100 that doesn't show up over here, right? When we looked at the listening ports from the machine itself, it says, look, we don't have any connections, and this is all it's listening on. So clearly there's something wrong.

You know what it ends up being is that weird process is actually a rootkit, that you saw there. So that's actually a rootkit that's running, and if we extract that rootkit we would find that it's something very, very bad. As a matter of fact, let's go ahead and do that. So let's get the process name for that rootkit and its PID. All right, so that rootkit, that thing that we think is a rootkit, which is right here, all right, that's running as a PID of 3148. So what I'm going to do is make a directory named barb, and I'm going to extract that rootkit out to that directory, and we'll use something called procdump to do that from Volatility. We're going to dump it right to barb, and that process is 3148. Oh, we forgot to do our dash d here, my bad. All right, so it dumped it out. I'm just going to go right out to... now, now in practice we don't use VirusTotal for real work, because, you know, in this rootkit there could be, you know, customer information exposed or something like that. But just for this demo I'm going to show you that that rootkit is really bad. It is something bad, and it doesn't show up on any scans or anything like that that you do, so we had to actually do the memory dump to get to this. And then there's the binary, so we go ahead and upload it to VirusTotal and let VirusTotal tell us what it thinks, and of course it comes back and says backdoor, backdoor, rootkit, rootkit, rootkit, bad, bad, bad.

So the point of this is, generally we start in the weeds here, but we knew to do a memory dump, we knew to look for disparities or differences based on what the memory said versus what the machine said itself, all because in the beginning, when we looked at our SIEM, we knew that something was up with Barbara Salazar's VPN sessions, because, why, she was doing VPN sessions from somewhere she'd never done them before, in this case Ukraine, and that is what led us to go take that memory dump. So for all of you that always ask me, well, how would you know to go to that machine in the first place: SIEM, SIEM solutions, specifically ones that are really, really good and have great dashboards that are intuitive, like Exabeam, is what makes us able to do that. And again, I can't take my hat off enough to these SOC teams that actually manage these things and put these dashboards together and make it easier for us to shine and look like the heroes in this industry. So that's what I wanted you to take a look at. Thank you, hope you enjoyed this little educational session.
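The comparative analysis in the walkthrough (the live tasklist and netstat listing held up against what Volatility reports from the dump) is done by eye on screen. The script below is an added example, not code from the video or from Exabeam, that performs the same cross-view diff mechanically: anything the memory image knows about that the live tools never showed is the lead. The four listings are constructed sample data laid out like the tools' output (the hidden.exe and rundll32.exe entries, the port 100 listener and PID 3148 are sample values, not captures), and the regular expressions assume the column layout of `tasklist`, `netstat -ano` and Volatility 2's `pslist` / `netscan` text output.

```python
"""Cross-view diff: live-host tools (tasklist, netstat -ano) versus the memory
image (Volatility pslist / netscan).  A rootkit that hides from the live API
cannot hide from the dump, so entries present only in the memory view are the
finding.  Every listing below is constructed sample data, not a real capture.
"""
import re
from typing import Dict, List, Set, Tuple

# Constructed sample in the shape of `tasklist` output on the (possibly lying) host.
LIVE_TASKLIST = """\
Image Name                     PID Session Name        Session#    Mem Usage
========================= ======== ================ =========== ============
System Idle Process              0 Services                   0          8 K
System                           4 Services                   0        284 K
smss.exe                       264 Services                   0        372 K
svchost.exe                    820 Services                   0      3,120 K
explorer.exe                  1612 Console                    1     12,004 K
"""

# Constructed sample in the shape of `netstat -ano` output on the host.
LIVE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING       820
  TCP    0.0.0.0:110            0.0.0.0:0              LISTENING       820
  UDP    0.0.0.0:123            *:*                                    820
"""

# Constructed sample in the shape of Volatility 2 `pslist` output for the dump.
MEM_PSLIST = """\
Offset(V)  Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start
---------- ------------------------ ------ ------ ------ -------- ------ ------ ----
0x823c89c8 System                      4      0     53      244 ------      0
0x82220d18 smss.exe                  264      4      3       21 ------      0
0x81f27400 svchost.exe               820    616     27      421      0      0
0x81e1c020 explorer.exe             1612   1588     15      406      0      0
0x81cc0a10 rundll32.exe             2960    820      1       33      0      0
0x81d9f5a0 hidden.exe               3148    820      2       47      0      0
"""

# Constructed sample in the shape of Volatility 2 `netscan` output for the dump.
MEM_NETSCAN = """\
Offset(P)  Proto    Local Address                  Foreign Address      State            Pid      Owner
0x7d6a5b30 TCPv4    0.0.0.0:80                     0.0.0.0:0            LISTENING        820      svchost.exe
0x7d6a6c10 TCPv4    0.0.0.0:110                    0.0.0.0:0            LISTENING        820      svchost.exe
0x7d6b0120 TCPv4    0.0.0.0:100                    0.0.0.0:0            LISTENING        3148     hidden.exe
"""

# Column layouts assumed for the parsers (image name may contain spaces; UDP rows have no state).
TASKLIST_RE = re.compile(r"^(\S.*?)\s+(\d+)\s+\S+\s+\d+\s+[\d,]+ K\s*$")
PSLIST_RE = re.compile(r"^0x[0-9a-fA-F]+\s+(\S+)\s+(\d+)\s+(\d+)\s")
NETSTAT_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:([A-Z_]+)\s+)?(\d+)\s*$")
NETSCAN_RE = re.compile(r"^0x[0-9a-fA-F]+\s+(TCP|UDP)v[46]\s+(\S+)\s+(\S+)\s+(?:([A-Z_]+)\s+)?(\d+)\s+\S+")

Socket = Tuple[str, str, str, str, int]  # (proto, local, foreign, state, pid)


def parse_tasklist(text: str) -> Dict[int, str]:
    """PID -> image name as the live host reports it."""
    return {int(m.group(2)): m.group(1).strip()
            for m in map(TASKLIST_RE.match, text.splitlines()) if m}


def parse_pslist(text: str) -> Dict[int, str]:
    """PID -> image name as the memory image reports it."""
    return {int(m.group(2)): m.group(1)
            for m in map(PSLIST_RE.match, text.splitlines()) if m}


def parse_netstat(text: str) -> Set[Socket]:
    """Sockets as the live host reports them (state is empty for UDP rows)."""
    socks: Set[Socket] = set()
    for m in map(NETSTAT_RE.match, text.splitlines()):
        if m:
            proto, local, foreign, state, pid = m.groups()
            socks.add((proto, local, foreign, state or "", int(pid)))
    return socks


def parse_netscan(text: str) -> Set[Socket]:
    """Sockets as the memory image reports them; TCPv4/TCPv6 normalised to TCP."""
    socks: Set[Socket] = set()
    for m in map(NETSCAN_RE.match, text.splitlines()):
        if m:
            proto, local, foreign, state, pid = m.groups()
            socks.add((proto, local, foreign, state or "", int(pid)))
    return socks


def processes_only_in_memory(live: Dict[int, str], mem: Dict[int, str]) -> List[Tuple[int, str]]:
    """PIDs in the dump that the live listing lacks, plus PIDs whose name disagrees."""
    findings: List[Tuple[int, str]] = []
    for pid, name in sorted(mem.items()):
        if pid not in live:
            findings.append((pid, name))
        elif live[pid].lower() != name.lower():
            findings.append((pid, "%s (live view says %s)" % (name, live[pid])))
    return findings


def sockets_only_in_memory(live: Set[Socket], mem: Set[Socket]) -> List[Socket]:
    """Endpoints the dump knows about that netstat on the host never showed."""
    return sorted(mem - live)


def triage_report(tasklist_out: str, netstat_out: str, pslist_out: str, netscan_out: str) -> Dict[str, list]:
    """Run both diffs; anything non-empty is the lead to pull with procdump."""
    return {
        "hidden_processes": processes_only_in_memory(parse_tasklist(tasklist_out), parse_pslist(pslist_out)),
        "hidden_sockets": sockets_only_in_memory(parse_netstat(netstat_out), parse_netscan(netscan_out)),
    }


if __name__ == "__main__":
    report = triage_report(LIVE_TASKLIST, LIVE_NETSTAT, MEM_PSLIST, MEM_NETSCAN)
    for pid, name in report["hidden_processes"]:
        print("process in memory but not in tasklist: pid=%d name=%s" % (pid, name))
    for proto, local, foreign, state, pid in report["hidden_sockets"]:
        print("socket in memory but not in netstat: %s %s -> %s %s pid=%d" % (proto, local, foreign, state, pid))
```

Two caveats when using a diff like this on a real case. The live listing and the dump are taken minutes apart, so a short-lived process or a PID that was reused in between shows up as a difference too; treat the output as leads to confirm, not as proof of hiding. And Volatility's `pslist` walks the kernel's own linked process list, which a kernel rootkit can unlink itself from, so pair it with `psscan` (which scans pool memory for process structures) and diff those two views against each other as well.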
Info
Channel: Exabeam
Views: 27,401
Rating: 4.984375 out of 5
Keywords: incident response, threat hunting, digital forensics, cyber threat intelligence, dfir, security, cyber threat hunting, information security, cybersecurity, infosec, learn digital forensics, exabeam threat hunting, threat hunting tutorial, cyber security training for beginners, cybersecurity for beginners, security awareness, cyber security, cyber security tutorial, cybersecurity training, cybersecurity 101, what is siem, exabeam siem, exabeam demo
Id: 2BOOl8_nwjQ
Length: 12min 30sec (750 seconds)
Published: Wed Jan 06 2021