Browse Library
Sign In Start Free Trial
Close icon Search icon
Account
Browse Library Advanced Search Sign In Start Free Trial

Add to playlist

Create a Playlist

Modal Close icon
You need to login to use this feature.
  • Book Overview & Buying Effective Threat Investigation for SOC Analysts
  • Table Of Contents Toc
  • Feedback & Rating feedback
Effective Threat Investigation for SOC Analysts

Effective Threat Investigation for SOC Analysts

By : Mostafa Yahia
4.8 (21)
Buy this Book
close
close
Effective Threat Investigation for SOC Analysts

Effective Threat Investigation for SOC Analysts

4.8 (21)
By: Mostafa Yahia
Buy this Book

Overview of this book

Effective threat investigation requires strong technical expertise, analytical skills, and a deep understanding of cyber threats and attacker techniques. It's a crucial skill for SOC analysts, enabling them to analyze different threats and identify security incident origins. This book provides insights into the most common cyber threats and various attacker techniques to help you hone your incident investigation skills. The book begins by explaining phishing and email attack types and how to detect and investigate them, along with Microsoft log types such as Security, System, PowerShell, and their events. Next, you’ll learn how to detect and investigate attackers' techniques and malicious activities within Windows environments. As you make progress, you’ll find out how to analyze the firewalls, flows, and proxy logs, as well as detect and investigate cyber threats using various security solution alerts, including EDR, IPS, and IDS. You’ll also explore popular threat intelligence platforms such as VirusTotal, AbuseIPDB, and X-Force for investigating cyber threats and successfully build your own sandbox environment for effective malware analysis. By the end of this book, you’ll have learned how to analyze popular systems and security appliance logs that exist in any environment and explore various attackers' techniques to detect and investigate them with ease.
Table of Contents (22 chapters)
close
close
close
Preface
Preface
Who this book is for
What this book covers
To get the most out of this book
Conventions used
Disclaimer
Get in touch
Share Your Thoughts
Download a free PDF copy of this book
1
Part 1: Email Investigation Techniques
Part 1: Email Investigation Techniques
Free Chapter
2
Chapter 1: Investigating Email Threats
Chapter 1: Investigating Email Threats
Top infection vectors
Why do attackers prefer phishing emails to gain initial access?
Email threat types
Attacker techniques to evade email security detection
Social engineering techniques to trick the victim
The anatomy of secure email gateway logs
Investigating suspicious emails
Summary
3
Chapter 2: Email Flow and Header Analysis
Chapter 2: Email Flow and Header Analysis
Email flow
Email header analysis
Investigating the email header of a spoofed message
Summary
4
Part 2: Investigating Windows Threats by Using Event Logs
Part 2: Investigating Windows Threats by Using Event Logs
5
Chapter 3: Introduction to Windows Event Logs
Chapter 3: Introduction to Windows Event Logs
Windows event types
Windows event log analysis tools
The investigative approach for this part of the book
Summary
6
Chapter 4: Tracking Accounts Login and Management
Chapter 4: Tracking Accounts Login and Management
Account login tracking
Login validation events
Account and group management tracking
Summary
7
Chapter 5: Investigating Suspicious Process Execution Using Windows Event Logs
Chapter 5: Investigating Suspicious Process Execution Using Windows Event Logs
Introduction to Windows processes
Windows process types
Windows Process Tracking events
Investigating suspicious process executions
Summary
8
Chapter 6: Investigating PowerShell Event Logs
Chapter 6: Investigating PowerShell Event Logs
Introducing PowerShell
PowerShell execution tracking events
Investigating PowerShell attacks
Summary
9
Chapter 7: Investigating Persistence and Lateral Movement Using Windows Event Logs
Chapter 7: Investigating Persistence and Lateral Movement Using Windows Event Logs
Understanding and investigating persistence techniques
Understanding and investigating lateral movement techniques
Summary
10
Part 3: Investigating Network Threats by Using Firewall and Proxy Logs
Part 3: Investigating Network Threats by Using Firewall and Proxy Logs
11
Chapter 8: Network Firewall Logs Analysis
Chapter 8: Network Firewall Logs Analysis
Firewall logs value
Firewall logs anatomy
Summary
12
Chapter 9: Investigating Cyber Threats by Using the Firewall Logs
Chapter 9: Investigating Cyber Threats by Using the Firewall Logs
Investigating reconnaissance attacks
Investigating lateral movement attacks
Investigating C&C and exfiltration attacks
Investigating DoS attacks
Summary
13
Chapter 10: Web Proxy Logs Analysis
Chapter 10: Web Proxy Logs Analysis
Understanding the value of proxy logs
The significance of proxy log investigation
The anatomy of proxy logs
Summary
14
Chapter 11: Investigating Suspicious Outbound Communications (C&C Communications) by Using Proxy Logs
Chapter 11: Investigating Suspicious Outbound Communications (C&C Communications) by Using Proxy Logs
Suspicious outbound communications alerts
Investigating suspicious outbound communications (C&C communications)
Summary
15
Part 4: Investigating Other Threats and Leveraging External Sources to Investigate Cyber Threats
Part 4: Investigating Other Threats and Leveraging External Sources to Investigate Cyber Threats
16
Chapter 12: Investigating External Threats
Chapter 12: Investigating External Threats
Investigating web attacks
Investigating suspicious external access to the remote services
Summary
17
Chapter 13: Investigating Network Flows and Security Solutions Alerts
Chapter 13: Investigating Network Flows and Security Solutions Alerts
Investigating network flows
Investigating IPS/IDS alerts
Investigating endpoint security solutions alerts
Investigating network sandbox and AV alerts
Summary
18
Chapter 14: Threat Intelligence in a SOC Analyst’s Day
Chapter 14: Threat Intelligence in a SOC Analyst’s Day
Introduction to threat intelligence
Investigating threats using VirusTotal
Investigating threats using IBM X-Force Exchange
Investigating suspicious inbound IPs using AbuseIPDB
Investigating threats using Google
Summary
19
Chapter 15: Malware Sandboxing – Building a Malware Sandbox
chevron up
Chapter 15: Malware Sandboxing – Building a Malware Sandbox
Introducing the sandbox technology
Required tools for analysis
Preparing the guest VM
Analysis tools in action
Hands-on demo lab
Summary
20
Index
Index
Why subscribe?
21
Other Books You May Enjoy
Other Books You May Enjoy
Packt is searching for authors like you
Share Your Thoughts
Download a free PDF copy of this book

Hands-on demo lab

In this section, we will conduct a hands-on demo lab to provide a better understanding of how to analyze real malware by using the previously mentioned tools that exist in our in-house sandbox. The malicious file analyzed in this section is named Kenora.exe. To investigate that suspicious file, we will do the following:

  1. Scan the file using YARA.
  2. Conduct static analysis.
  3. Conduct dynamic analysis.

Scanning the file using YARA

The first step we will take to investigate the suspicious file is to use the YARA tool to run the YARA rules on the file. To do this, we will use the command prompt (CMD) to execute the YARA rule, which is located at D:\YARA\yara64.exe. Also, we will use the downloaded YARA rules repository, located at D:\YARA\rules-YARA, to run against the suspected file, Kenora.exe, which is located at D:\Malware\Kenora.exe. The final command is as follows:

d:\YARA\yara64.exe -w d:\YARA\rules-YARA\index.yar  d:\Malware\Kenora...

Unlock full access

Continue reading for free

A Packt free trial gives you instant online access to our library of over 7000 practical eBooks and videos, constantly updated with the latest in tech
Start a 7-day FREE trial
End of Section 6
Next Section
bookmark search playlist font-size

Change the font size

margin-width

Change margin width

day-mode

Change background colour

Close icon Search
Country selected
Close icon Your notes and bookmarks

Delete Bookmark

Modal Close icon
Are you sure you want to delete it?
Cancel
Yes, Delete

Confirmation

Modal Close icon
claim successful
Order Page Read Now

Buy this book with your credits?

Modal Close icon
Are you sure you want to buy this book with one of your credits?
Close
YES, BUY