Effective Threat Investigation for SOC Analysts

Effective Threat Investigation for SOC Analysts

by Mostafa Yahia
Released August 2023
Publisher(s): Packt Publishing
ISBN: 9781837634781

Read it now on the O’Reilly learning platform with a 10-day free trial.

O’Reilly members get unlimited access to books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.

Start your free trial

Book description

Detect and investigate various cyber threats and techniques carried out by malicious actors by analyzing logs generated from different sources Purchase of the print or Kindle book includes a free PDF eBook

Key Features

  • Understand and analyze various modern cyber threats and attackers' techniques
  • Gain in-depth knowledge of email security, Windows, firewall, proxy, WAF, and security solution logs
  • Explore popular cyber threat intelligence platforms to investigate suspicious artifacts

Book Description

Effective threat investigation requires strong technical expertise, analytical skills, and a deep understanding of cyber threats and attacker techniques. It's a crucial skill for SOC analysts, enabling them to analyze different threats and identify security incident origins. This book provides insights into the most common cyber threats and various attacker techniques to help you hone your incident investigation skills.

The book begins by explaining phishing and email attack types and how to detect and investigate them, along with Microsoft log types such as Security, System, PowerShell, and their events. Next, you’ll learn how to detect and investigate attackers' techniques and malicious activities within Windows environments. As you make progress, you’ll find out how to analyze the firewalls, flows, and proxy logs, as well as detect and investigate cyber threats using various security solution alerts, including EDR, IPS, and IDS. You’ll also explore popular threat intelligence platforms such as VirusTotal, AbuseIPDB, and X-Force for investigating cyber threats and successfully build your own sandbox environment for effective malware analysis.

By the end of this book, you’ll have learned how to analyze popular systems and security appliance logs that exist in any environment and explore various attackers' techniques to detect and investigate them with ease.

What you will learn

  • Get familiarized with and investigate various threat types and attacker techniques
  • Analyze email security solution logs and understand email flow and headers
  • Practically investigate various Windows threats and attacks
  • Analyze web proxy logs to investigate C&C communication attributes
  • Leverage WAF and FW logs and CTI to investigate various cyber attacks

Who this book is for

This book is for Security Operation Center (SOC) analysts, security professionals, cybersecurity incident investigators, incident handlers, incident responders, or anyone looking to explore attacker techniques and delve deeper into detecting and investigating attacks. If you want to efficiently detect and investigate cyberattacks by analyzing logs generated from different log sources, then this is the book for you. Basic knowledge of cybersecurity and networking domains and entry-level security concepts are necessary to get the most out of this book.

Table of contents

  1. Effective Threat Investigation for SOC Analysts
  2. Contributors
  3. About the author
  4. About the reviewers
  5. Preface
    1. Who this book is for
    2. What this book covers
    3. To get the most out of this book
    4. Conventions used
    5. Disclaimer
    6. Get in touch
    7. Share Your Thoughts
    8. Download a free PDF copy of this book
  6. Part 1: Email Investigation Techniques
  7. Chapter 1: Investigating Email Threats
    1. Top infection vectors
    2. Why do attackers prefer phishing emails to gain initial access?
    3. Email threat types
      1. Spearphishing attachments
      2. Spearphishing Link
      3. Blackmail email
      4. Business Email Compromise (BEC)
    4. Attacker techniques to evade email security detection
    5. Social engineering techniques to trick the victim
    6. The anatomy of secure email gateway logs
    7. Investigating suspicious emails
      1. Investigating the email sender domain and SMTP server reputation
      2. Spoofing validation
      3. Email sender behavior
      4. Email subject and attached filename
      5. Investigating suspicious email content
    8. Summary
  8. Chapter 2: Email Flow and Header Analysis
    1. Email flow
    2. Email header analysis
      1. Email message content and metadata
      2. Email X-headers
      3. The header that was added by the hop servers
      4. Email authentication
    3. Investigating the email header of a spoofed message
    4. Summary
  9. Part 2: Investigating Windows Threats by Using Event Logs
  10. Chapter 3: Introduction to Windows Event Logs
    1. Windows event types
      1. Security event log types
      2. System event log types
      3. Application event log types
      4. Other event log types
    2. Windows event log analysis tools
    3. The investigative approach for this part of the book
      1. HELK installation
    4. Summary
  11. Chapter 4: Tracking Accounts Login and Management
    1. Account login tracking
      1. Windows accounts
      2. Tracking successful logins
      3. Tracking successful administrator logins
      4. Tracking logon sessions
      5. Tracking failed logins
    2. Login validation events
      1. Login validation Event IDs (NTLM protocol)
      2. Login validation Event IDs (Kerberos protocol)
    3. Account and group management tracking
      1. Tracking account creation, deletion, and change activities
      2. Tracking creation and account adding to security groups
    4. Summary
  12. Chapter 5: Investigating Suspicious Process Execution Using Windows Event Logs
    1. Introduction to Windows processes
    2. Windows process types
      1. Common standard Windows processes
    3. Windows Process Tracking events
      1. Creator Subject
      2. Target Subject
      3. Process Information
    4. Investigating suspicious process executions
      1. Hiding in plain sight
      2. Living Off The Land (LOTL)
      3. Suspicious parent-child process relationships
      4. Suspicious process paths
    5. Summary
  13. Chapter 6: Investigating PowerShell Event Logs
    1. Introducing PowerShell
      1. Why do attackers prefer PowerShell?
      2. PowerShell usage in different attack phases
    2. PowerShell execution tracking events
    3. Investigating PowerShell attacks
      1. Fileless PowerShell malware
      2. Suspicious PowerShell commands and cmdlets
    4. Summary
  14. Chapter 7: Investigating Persistence and Lateral Movement Using Windows Event Logs
    1. Understanding and investigating persistence techniques
      1. Registry run keys
      2. Windows scheduled tasks
      3. Windows services
      4. WMI event subscription
    2. Understanding and investigating lateral movement techniques
      1. Remote Desktop connection
      2. Windows admin shares
      3. PsExec – a Sysinternals tool
      4. PowerShell remoting
    3. Summary
  15. Part 3: Investigating Network Threats by Using Firewall and Proxy Logs
  16. Chapter 8: Network Firewall Logs Analysis
    1. Firewall logs value
    2. Firewall logs anatomy
      1. Log Timestamp
      2. Source IP
      3. Source Port
      4. Destination IP
      5. Destination Port
      6. Source Interface Zone
      7. Destination Interface Zone
      8. Device Action
      9. Sent Bytes
      10. Received Bytes
      11. Sent Packets
      12. Received Packets
      13. Source Geolocation country
      14. Destination Geolocation country
    3. Summary
  17. Chapter 9: Investigating Cyber Threats by Using the Firewall Logs
    1. Investigating reconnaissance attacks
      1. Public-facing IPs and port scanning
      2. Internal network service discovery
    2. Investigating lateral movement attacks
      1. Remote desktop application (RDP)
      2. Windows admin shares
      3. PowerShell Remoting
    3. Investigating C&C and exfiltration attacks
      1. Investigating suspicious traffic to external IPs
      2. Investigating DNS tunneling
      3. Investigating data exfiltration
    4. Investigating DoS attacks
    5. Summary
  18. Chapter 10: Web Proxy Logs Analysis
    1. Understanding the value of proxy logs
    2. The significance of proxy log investigation
    3. The anatomy of proxy logs
      1. The source IP (src)
      2. The source port (srcport)
      3. The destination IP (dst)
      4. The destination port (dstport)
      5. The username (username)
      6. The log timestamp (devicetime)
      7. The device action (s-action)
      8. The response status code (sc-status)
      9. The HTTP method (cs-method)
      10. The received bytes from the server by the client (sc-bytes)
      11. The sent bytes from the client to the server (cs-bytes)
      12. The web domain (cs-host)
      13. The MIME type (Content-Type)
      14. The user agent (cs(User-Agent))
      15. The referrer URL (cs(Referer))
      16. The website category (filter-category)
      17. The accessed URL (cs-uri)
    4. Summary
  19. Chapter 11: Investigating Suspicious Outbound Communications (C&C Communications) by Using Proxy Logs
    1. Suspicious outbound communications alerts
    2. Investigating suspicious outbound communications (C&C communications)
      1. Investigating the web domain reputation
      2. Investigating suspicious target web domain names
      3. Investigating the requested web resources
      4. Investigating the referrer URL
      5. Investigating the communications user agent
      6. Investigating the communications' destination port
      7. Investigating the received and sent bytes, the HTTP method, and the Content-Type
      8. Investigating command and control techniques
    3. Summary
  20. Part 4: Investigating Other Threats and Leveraging External Sources to Investigate Cyber Threats
  21. Chapter 12: Investigating External Threats
    1. Investigating web attacks
      1. The command injection vulnerability
      2. The SQL injection vulnerability
      3. Path traversal vulnerability
      4. XSS vulnerability
      5. Investigating WAF logs
    2. Investigating suspicious external access to the remote services
      1. Investigating unauthorized VPN and RDP access
      2. Investigating compromised mailboxes
      3. Investigating suspicious authentications to web services
    3. Summary
  22. Chapter 13: Investigating Network Flows and Security Solutions Alerts
    1. Investigating network flows
    2. Investigating IPS/IDS alerts
    3. Investigating endpoint security solutions alerts
      1. Investigating AV alerts
      2. Investigating EDR alerts
    4. Investigating network sandbox and AV alerts
    5. Summary
  23. Chapter 14: Threat Intelligence in a SOC Analyst’s Day
    1. Introduction to threat intelligence
      1. Strategic level
      2. Operational level
      3. Tactical level
      4. The role of threat intelligence in SOCs
    2. Investigating threats using VirusTotal
      1. Investigating suspicious files
      2. Investigating suspicious domains and URLs
      3. Investigating suspicious outbound IPs
    3. Investigating threats using IBM X-Force Exchange
      1. Investigating suspicious domains
      2. Investigating suspicious IPs
      3. Investigating the file hash
    4. Investigating suspicious inbound IPs using AbuseIPDB
    5. Investigating threats using Google
    6. Summary
  24. Chapter 15: Malware Sandboxing – Building a Malware Sandbox
    1. Introducing the sandbox technology
      1. Sandbox types
      2. Sandbox installation requirements
    2. Required tools for analysis
      1. Static analysis tools
      2. Dynamic analysis tools
    3. Preparing the guest VM
      1. Guest preparation steps
      2. Tips to evade the sandbox’s detection
    4. Analysis tools in action
      1. Static analysis phase
      2. Dynamic analysis phase
    5. Hands-on demo lab
      1. Scanning the file using YARA
      2. Conducting static analysis
      3. Conducting dynamic analysis
      4. Analyzing the outputs
    6. Summary
  25. Index
    1. Why subscribe?
  26. Other Books You May Enjoy
    1. Packt is searching for authors like you
    2. Share Your Thoughts
    3. Download a free PDF copy of this book

Product information

  • Title: Effective Threat Investigation for SOC Analysts
  • Author(s): Mostafa Yahia
  • Release date: August 2023
  • Publisher(s): Packt Publishing
  • ISBN: 9781837634781