2: Intrusion Analysis

Weaver Heavy Industries edited this page Dec 14, 2017 · 3 revisions

Overview

Intrusion analysis is at the heart of threat intelligence. It is a fundamental skillset for any security practitioner who wants to take a more complete approach to security. Two of the most commonly used models for assessing adversary intrusions are the "kill chain" and the "Diamond Model". These models provide a framework and a structured scheme for analyzing intrusions and extracting patterns such as adversary behaviors and malicious indicators. In this section students participate in, and are walked through, multi-phase intrusions from the initial notification of adversary activity to the completion of the analysis of the event. The section also highlights the importance of this process for structuring and defining adversary campaigns.

Exercises

Topics

Primary Collection Source: Intrusion Analysis
  - Intrusion Analysis as a Core Skillset
  - Methods for Performing Intrusion Analysis

Intrusion Kill Chain
  - Kill Chain Courses of Action
    - Passively Discovering Activity in Historical Data and Logs
    - Detecting Future Threat Actions and Capabilities
    - Denying Access to Threats
    - Delaying and Degrading Adversary Tactics and Malware
  - Kill Chain Deep Dive
    - Scenario Introduction
    - Notification of Malicious Activity
    - Pivoting Off of a Single Indicator to Discover Adversary Activity
    - Identifying and Categorizing Malicious Actions Using Network and Host-Based Data
    - Interacting with Incident Response Teams
    - Interacting with Malware Reverse Engineers
    - Effectively Leveraging Requests for Information
  - Handling Multiple Kill Chains
    - Identifying Different Simultaneous Intrusions
    - Managing and Constructing Multiple Kill Chains
    - Linking Related Intrusions

Collection Source: Malware
  - Data from Malware Analysis
  - Key Data Types to Analyze and Pivot On
  - VirusTotal and Malware Parsers
  - Identifying Intrusion Patterns and Key Indicators