Cartes-fiches

Cartes-fiches 18 Cartes-fiches
Utilisateurs 0 Utilisateurs
Sprache English
Niveau Université
Crée / Actualisé 19.06.2019 / 19.06.2019
Attribution de licence Non précisé
Lien de web
Intégrer
0 Réponses exactes 18 Réponses textes 0 Réponses à choix multiple
Fermer la fenêtre

Why is malware identification important?

  • Malware identification is important for incident reponse in a company or in law enforcement context.
  • In cyber crime case: reinstall machine and you're done.
  • Espionage type of attack possible affects substantial parts of a network and requiers different / more complex reactions.
Fermer la fenêtre

How can malware identification help us in our analysis of the malware?

  • Mostly the same attack has been used befor.
  • Most malware families have been analyzed befor -> addition information
  • Through identifying malware we emidiatly get access to all work done previously
  • analysis of new malware can take days to months.
Fermer la fenêtre

What is an IOC (Indicator of Compromise)?

 

An indicator of compromise (IOC) is an a priori known characteristic artefact of attacks, malware samples / families.

IOCs can be used for detection and identification purposes.

Fermer la fenêtre

Name some host based IOCs (Indicator of Compromise)

Host based IOCs

  • Hashes of malware executables, modules, dropped files etc...
  • Filenames of dropped files or email attachements (infection vector)
  • Registry entries (e.g. used for persistence)
  • Mutexes (program object that is created so that multiple program thread can take turns sharing the same resource, such as access to a file.)
  • Process names
  • Anti-virus or Yara signatures
  • Strings
Fermer la fenêtre

Name some network based IOCs.

Network based IOCs

  • IPs addresses or domain of CC
  • CC protocol characteristics
  • WHIOIS information
Fermer la fenêtre

What is Yara?

Yara is a language to check for IOCs

  • open language anyone can write rules
  • allows shareing of rules
Fermer la fenêtre

How difficult is it for an attacker to change the IOCs of following components:

  • TTPs (Tactics, Techniques and Procedures)
  • Tools
  • Network /Host Artifacts
  • Domain Names
  • IP Addresses
  • Hash Values
Attribution de licence: Non précisé
Fermer la fenêtre

What is an advantage of yarea rules and for what purposes can they be used?

In contrast to AV engine rules, Yara rules can be written and shared by anybody, which allows security teams to act independently of vendors.

Yara rules ca be used in different places of an organiyation's detection / security technologies:

  • Memory forensic investigation
  • Sandboxes
  • Endpoint / AV
  • Gateway detection