Flashcards

Flashcards 18 Flashcards
Students 0 Students
Sprache English
Level University
Created / Updated 19.06.2019 / 19.06.2019
Licencing Not defined
Weblink
Embed
0 Exact answers 18 Text answers 0 Multiple-choice answers
Close window

Why is malware identification important?

  • Malware identification is important for incident reponse in a company or in law enforcement context.
  • In cyber crime case: reinstall machine and you're done.
  • Espionage type of attack possible affects substantial parts of a network and requiers different / more complex reactions.
Close window

How can malware identification help us in our analysis of the malware?

  • Mostly the same attack has been used befor.
  • Most malware families have been analyzed befor -> addition information
  • Through identifying malware we emidiatly get access to all work done previously
  • analysis of new malware can take days to months.
Close window

What is an IOC (Indicator of Compromise)?

 

An indicator of compromise (IOC) is an a priori known characteristic artefact of attacks, malware samples / families.

IOCs can be used for detection and identification purposes.

Close window

Name some host based IOCs (Indicator of Compromise)

Host based IOCs

  • Hashes of malware executables, modules, dropped files etc...
  • Filenames of dropped files or email attachements (infection vector)
  • Registry entries (e.g. used for persistence)
  • Mutexes (program object that is created so that multiple program thread can take turns sharing the same resource, such as access to a file.)
  • Process names
  • Anti-virus or Yara signatures
  • Strings
Close window

Name some network based IOCs.

Network based IOCs

  • IPs addresses or domain of CC
  • CC protocol characteristics
  • WHIOIS information
Close window

What is Yara?

Yara is a language to check for IOCs

  • open language anyone can write rules
  • allows shareing of rules
Close window

How difficult is it for an attacker to change the IOCs of following components:

  • TTPs (Tactics, Techniques and Procedures)
  • Tools
  • Network /Host Artifacts
  • Domain Names
  • IP Addresses
  • Hash Values
Licencing: Not defined
Close window

What is an advantage of yarea rules and for what purposes can they be used?

In contrast to AV engine rules, Yara rules can be written and shared by anybody, which allows security teams to act independently of vendors.

Yara rules ca be used in different places of an organiyation's detection / security technologies:

  • Memory forensic investigation
  • Sandboxes
  • Endpoint / AV
  • Gateway detection