adam's notes

Using Analysis to Identify Malicious Activity

Identifying malicious activity via analysis involves analyzing data to detect and prevent cyberattacks, malicious software, or other activities that can damage or infiltrate computer networks and the systems.

  • accomplished using several methods:
    • network traffic analysis
    • malware analysis
    • log monitoring
    • behavioral analysis
    • etc.

Anomalous Activity

  • anomalous computer activity can be
    • harmless glitches
    • to malicious cyberattacks
  • examples of anomalous activity:
    • hardware failures
    • software bugs
    • human error
    • or cyber-attacks
  • may or may not be malicious
    • security analyst must determine the difference
  • kinds of anomalous activity:
    • Unusual network traffic
      • unexpected spikes in network activity
      • unusual data flow patterns
      • communication with suspicious or unfamiliar IP addresses
    • Abnormal resource utilization
      • unusually high CPU or memory usage
        • may be caused by
          • malware
          • password attacks
          • resource-intensive applications
          • or hardware failures
    • Suspicious user behavior
      • unauthorized attempts to access sensitive data
      • changes to system configurations or settings
      • installation of unauthorized software
      • accounts performing actions they should not be able to complete
    • Unusual system events
      • error messages
      • system crashes
      • unexpected shutdowns
  • essential to have a baseline understanding of what is normal behavior
    • can establish baselines by
      • monitoring system logs, network traffic, user activity over time
      • using anomaly detection tools
        • IDS, SIEM

Introduction of New Accounts

  • Introducing new accounts can indicate malicious activity, such as an attempt to gain unauthorized access to a system or network
  • attackers will create accounts to bypass existing security measures
  • common means of establishing a backdoor
  • can signify insider threats

Unexpected Output or Outbound Communications

  • Unexpected output can be a sign that an attacker has successfully compromised a system and is attempting to
    • exfiltrate data
    • establish a backdoor
    • obtain secondary infectors
    • or communicate with a C&C system
  • Examples include:
EventDescription
Unusual network trafficThis can include unexpected spikes in network activity, communication with unfamiliar IP addresses, or unusual data flow patterns, which may indicate data exfiltration or command and control (C2) activity.
Unexpected files or processesThis can include the appearance of unknown files or processes on a system, which may indicate malware or an attacker with access to a system.
Unexpected communicationThis can include unexpected communication between applications and systems, which may indicate attempts to exploit vulnerabilities, establish a C2 channel, or exfiltrate data.
Communication with suspicious IP addressesThis can include communication with IP addresses that are known to be associated with malware, phishing campaigns, or other cyberattacks.
Unusual communication protocolsThis can include unusual communication protocols not typically used in the environment, which may indicate attempts to bypass security measures or establish a C2 channel.
Large data transfersThis can include the transfer of large amounts of data to external IP addresses, which may indicate data exfiltration or the theft of sensitive data.
Communication during unusual timesThis can include communication during unusual hours or outside of normal business hours, which may indicate attempts to evade detection.
Communication with suspicious domainsThis can include contact with domains that are known to be associated with phishing campaigns, cyberattacks, or domains that have been recently registered.
Encrypted communicationThis can include encrypted or obfuscated communication, which may indicate attempts to hide malicious activity from security personnel.

Service Interruption

  • Service interruption can signify malicious activity, as it may indicate that an attacker has successfully compromised a system or network
  • service interruption as a sign of malicious activity include:
    • DoS attacks
    • Ransomware infection
    • Exploiting vulnerabilities
    • Insider threats

Application Logs

  • Application logs can be a valuable source of information for identifying suspicious activity
    • record detailed information about the behavior of applications and users
  • Signs of malicious activity in application logs
    • Monitoring for unusual or unauthorized access
    • Tracking changes to application settings or configurations
    • Detecting anomalies in application behavior
      • unexpected data inputs or unusual data flows
    • Identifying the source of security incidents
      • source of initial access or communication
    • Auditing user behavior
      • changes to permissions
      • access attempts
      • authentication activity

Graph View

Backlinks