Effective Threat Investigation for SOC Analysts

By: Mostafa Yahia

Overview of this book

Effective threat investigation requires strong technical expertise, analytical skills, and a deep understanding of cyber threats and attacker techniques. It's a crucial skill for SOC analysts, enabling them to analyze different threats and identify the origins of security incidents. This book provides insights into the most common cyber threats and various attacker techniques to help you hone your incident investigation skills. The book begins by explaining phishing and email attack types and how to detect and investigate them, along with Microsoft log types such as Security, System, and PowerShell, and their events. Next, you’ll learn how to detect and investigate attackers' techniques and malicious activities within Windows environments. As you make progress, you’ll find out how to analyze firewall, flow, and proxy logs, as well as detect and investigate cyber threats using alerts from various security solutions, including EDR, IPS, and IDS. You’ll also explore popular threat intelligence platforms such as VirusTotal, AbuseIPDB, and X-Force for investigating cyber threats, and build your own sandbox environment for effective malware analysis. By the end of this book, you’ll have learned how to analyze the logs of popular systems and security appliances that exist in any environment and how to detect and investigate various attackers' techniques with ease.
Table of Contents (22 chapters)
  • Part 1: Email Investigation Techniques
  • Part 2: Investigating Windows Threats by Using Event Logs
  • Part 3: Investigating Network Threats by Using Firewall and Proxy Logs
  • Part 4: Investigating Other Threats and Leveraging External Sources to Investigate Cyber Threats

Why do attackers prefer phishing emails to gain initial access?

A phishing email is a type of social engineering attack in which an attacker uses fraudulent emails to trick targeted victims into opening a malicious file or link, or into providing personal or confidential information such as passwords and credit card numbers. Phishing is a preferred and successful way for attackers to gain initial access to the victim’s environment for several reasons, including the following:

  • It is easy during the reconnaissance phase to acquire a list of target victim users’ email addresses.

The reconnaissance phase is the first step taken by intruders to breach a target environment. This phase can last for hours, days, weeks, or even months. During this phase, attackers collect information about the target victim, including their email addresses, which can be used to deliver a weaponized document or link. Attackers can collect email addresses in several ways, such as through job postings, social media platforms such as LinkedIn, third-party subscriptions, data leaks on the dark web, Wayback Machine archives such as Archive.org, or data collection from marketing platforms such as ZoomInfo.com.

  • It is not hard to prepare a weaponized attachment or link.

It is relatively easy for an attacker to upload malware to legitimate cloud platforms and then share the download link with the victim through email. They can also weaponize a document through Visual Basic for Applications (VBA) macros or send the malware executable itself in a compressed format, all of which can be sent to the victim via email.

  • Many users lack security awareness.

Attackers exploit the fact that many users may be vulnerable to social engineering attacks, and a majority of them may not have received proper security awareness training to recognize and respond to these threats.
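
Each of the delivery methods described above (a link to a file hosted on a cloud platform, a document carrying a VBA macro project, and an executable inside a compressed file) leaves something an analyst can check in the raw message. The following Python code is an added example, not code from the book; the host list, the extension list, the function names and the sample message are assumptions constructed for illustration.

```python
import io
import re
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# Illustrative values assumed for this example; tune them for your environment.
EXEC_EXTS = (".exe", ".scr", ".js", ".vbs", ".lnk", ".bat")
SHARE_HOSTS = ("drive.google.com", "dropbox.com", "onedrive.live.com")
URL_HOST = re.compile(r"https?://([a-z0-9.-]+)")

def triage(raw: bytes) -> list[str]:
    """Flag shared-file links, VBA macro projects and archived executables."""
    findings = []
    for part in message_from_bytes(raw, policy=policy.default).walk():
        name = part.get_filename()
        if name:
            data = part.get_payload(decode=True) or b""
            if zipfile.is_zipfile(io.BytesIO(data)):  # ZIP archives and OOXML files
                with zipfile.ZipFile(io.BytesIO(data)) as z:
                    for inner in z.namelist():
                        if inner.lower().endswith("vbaproject.bin"):
                            findings.append(f"VBA macro project in {name}")
                        elif inner.lower().endswith(EXEC_EXTS):
                            findings.append(f"executable in archive {name}: {inner}")
        elif part.get_content_type() in ("text/plain", "text/html"):
            for host in URL_HOST.findall(part.get_content().lower()):
                if any(host == h or host.endswith("." + h) for h in SHARE_HOSTS):
                    findings.append(f"file-sharing link: {host}")
    return findings

def _zip(member: str) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr(member, b"placeholder")  # harmless constructed content
    return buf.getvalue()

def build_sample() -> bytes:
    """Constructed message for the example; not a real phishing sample."""
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = "billing@example.test", "user@example.test", "Invoice"
    msg.set_content("Download: https://drive.google.com/file/d/EXAMPLE/view")
    msg.add_attachment(_zip("word/vbaProject.bin"), maintype="application",
                       subtype="octet-stream", filename="invoice.docx")
    msg.add_attachment(_zip("invoice.pdf.exe"), maintype="application",
                       subtype="zip", filename="invoice.zip")
    return msg.as_bytes()

if __name__ == "__main__":
    print("\n".join(triage(build_sample())))
```

The macro check inspects the attachment's contents rather than its extension, so a macro-enabled file renamed to `.docx` is still flagged. Legacy binary Office formats such as `.doc` are not ZIP containers and need a separate parser.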

Now that you understand why most attackers choose phishing emails as a way to achieve their goals, such as gaining initial access to the victim’s environment, let us discuss the various email threat types.