Hello, aspiring ethical hackers. In our previous blogpost, you learnt about Antivirus. In this article you will learn about Endpoint Detection and Response (EDR). Let’s begin with what is it.

What is Endpoint Detection and Response (EDR)?

Endpoint Detection and Response, also known as Endpoint detection and Threat response (EDT) is a tool used in endpoint security that can detect, contain, investigate and remediate malware, ransomware and other threats like cyber attacks on endpoint devices. This endpoint devices maybe desktop, laptop, mobile, servers and virtual machines.

Both are endpoint security solutions that protect the endpoint devices from malware and viruses. Although its functionality is similar to Antivirus, it is different from Antivirus. While Antivirus detects known malware & viruses, EDR can also detect advanced cyber threats and even actions that seem suspicious. It has a centralized management with agents installed on client devices with a centralized management on one device.

An EDR has two components. They are,

1. Endpoint data collection agent.
2. Endpoint centralized management console.

The endpoint agents are installed on the endpoint devices whose security needs to be monitored. This can include multiple devices. These agents collect data from the endpoint devices and send it to the centralized management console.

Importance of EDR

Constantly evolving threat landscape makes the role of EDR very important in cybersecurity. EDR’s not only mitigate known threats, but they also neutralize unknown threats based on their behaviors or action. Not just that, they mitigate the threat by responding with a counter action. EDR’s also play a role in automatic incident response and even in digital forensics and compliance testing.

How EDR works?

An EDR has the following stages while functioning. They are,

1. Collecting data:

This is the first stage and in this stage all the agents installed on endpoint devices collect data and send it to the management console. Analysts monitor the security of the devices from a single location.

2. Analyzing collected data:

All the data collected by endpoint agents may not be important from security point of view. So, the centralized Management console of an EDR filters the data and analyses it for any threats.

3. Detecting threats:

While analyzing the collected data, if EDR finds anything dangerous, it flags it as a threat and triggers an alert.

4. Planning response:

Not just sending an alert, it also responds to mitigate the threat on the machine it is detected.

Hello, aspiring ethical hackers. In our previous blogpost, you learnt about threat intelligence. In this article, you will learn everything you need to know about Security Information & Event Management or SIEM solutions and its role in threat intelligence.

What is SIEM?

You have learnt in threat intelligence that data & information related to security is collected, processed and analyzed to detect upcoming threats to the organization. This data not only includes external data but also data from the organization’s network itself.

A Security Information & Event Management solution’s role comes here. It collects information, stores, processes, analyzes and upgrades security related data from multiple devices from the organization. This also helps in proper incident response. SIEM can collect, aggregate, analyze data from multiple devices in a network like Firewalls, IDS, IPS, Network gateways, Honeypots, Wireless access points, Endpoint security solutions, Routers, Switches etc. If it finds anything suspicious, it can trigger an alert and even quarantine the resource.

SIEM is a combination of Security Information management (SIM) and Security Event Management (SEM) solutions. It can be considered a successor to log viewers and event management tools.

Importance of SIEM

You have just now learnt that Log analysis tools and Event viewer tools are the predecessors of SIEM solutions. Well, manually viewing and analyzing logs and events can be a process requiring efforts of huge proportions. Just imagine that with multiple devices in a network, instead of a single system. This can directly affect the security of the organization as most of the threats nowadays require immediate response.

Here’s where a SIEM solution proves resourceful. It not only simplifies and automates but also enhances the security of the organization. Some popular SIEM vendors include Splunk, IBM QRadar, LogRhythm, Microsoft Sentinel, Securonix, Exabeam, Sumologic etc.

Hello, aspiring ethical hackers. In this article, you will learn everything you need to know about Incident Response (IR). Unfortunately, unlike pen testing or ethical hacking, the role of incident response becomes important only after a cyber attack or any other cyber incident has occurred.

What is Incident Response (IR)?

In simple terms, incident response is how you or your organization respond to a cyber attack or a data breach that occurred in your organization. Obviously, any organization will want to respond to any cyber incident in such a way that the impact or damage due to that incident is minimized and contained.

So, IR is a planned and organized response of an organization to a cyber attack or incident.

Why is incident response important?

No matter how much security an organization has, there is no guarantee that a cyber incident may not occur. This cyber attack can damage the organization’s brand reputation, affect customers retention, damage intellectual property etc. A data breach can simply make a business run out of business.

IR aims to reduce this damage as quickly as possible. This requires a definite plan instead of ad hoc responses.

Stages of Incident Response

As I told you, Incident response should follow a planned and organized approach that should make the organization quickly recover from the impact of the cyber attack. Any good Incident response should have 5 steps. They are,

1.Preparation or Planning

Every organization should have a definite Incident response plan that caters to its requirements and depends on resources it wants to protect in its organization. This plan should be in written format. It should also have a dedicated incident response team that is not only aware of the incident response plan but also trained in it. This team should have the necessary tools and documentation ready in the case of a cyber attack.

2.Identification:

The next step is identifying the incident. In this era of false positives and false negatives, the incident response teams should be able to first determine what is a cyber attack to its organization. For example, let’s imagine an organization uses Windows XP machines in its organization. You know Windows XP machines are vulnerable to ms08-067.

Multiple SYN requests to SMB port of Windows XP machines of an organization may raise shackles but it is not yet an incident. But somebody exploiting the vulnerability to gain a shell or creating a new user account on that Windows XP machine can be termed as an incident.

3.Containment:

Once an incident has been identified correctly, the next step should be to limit and prevent further damage. The infected resource should be isolated and steps taken to ensure that customers or employees don’t experience any problems in accessing the resource.

Going with the same example we gave above, the infected Windows XP machine should be isolated so that the infection can be prevented from spreading to other devices on the network. In some cases, the network traffic needs to be rerouted or redirected. Once isolated, the forensics team should be informed so that it can perform digital forensics to further investigate the incident.

4.Eradication:

After the infected system or resource is isolated and the forensics team is done with creating forensic images of the infected system, the next step is the removal and restoration of systems affected by the security incident. For example, this stage involves fixing the ms08-067 vulnerability and removing the malware or payload, backdoors from the infected system. The important role of this stage is to make sure that the system cannot be exploited again.

5. Recovery

This stage involves bringing the infected system back into production environment and to make sure that another incident doesn’t occur. Before the infected system is brought back into production again, they are tested, monitored, validated and cleansed of all malware.

All of the above steps should be written in policy plan and should be documented. That’s all about Incident response. Next, learn how to prevent your organization from being hacked with threat intelligence.

Hello, aspiring ethical hackers. In our previous blogpost, you have learnt in detail about malware. In this article, you will learn about malware analysis.

What is malware analysis?

Malware analysis is the process of analyzing the code of the Virus to find out what it does, how it works, how it evades Antivirus etc. This helps in detection and prevention of the threat.

Importance of analyzing malware

Analyzing of malware helps us to understand the functionality of malware and what it does when executed, the level of damage it causes after infection etc. It will also help us to understand how malware infected our machine at first. By knowing these, better mitigation can be planned for present and future.

Types of malware analysis

There are variety of techniques used to analyze malware. They are,

1. Static analysis:

In this type of analysis, the static properties of the virus are analyzed without actually executing it. This type of analysis helps us to understand details like nature of malware, file names, IP addresses and domains, metadata etc.

2. Dynamic analysis:

In this analysis, the virus is actively executed in a sandbox. A sandbox is an isolated and secure environment in which you can safely execute code of malware. Analyzing it this way is an improvement over static analysis as we can see malware in action. This helps us to gather more information about the malware.

3. Hybrid analysis:

Some types of advanced malware have protection mechanisms to prevent anyone from analyzing the malware. For example, anti-sandbox feature is used that tells malware to stay dormant if it detects a sandbox. It is in cases like these, hybrid analysis becomes important. It combines both static and dynamic analysis to analyze the malware.

Stages in analyzing malware

Analyzing of malware has the following stages. They are,

1. Get malware sample:

Obviously, getting the malware sample is the first step if you want to analyze its code.

2. Build a lab to analyze malware:

The next step in analyzing the code of malware is creation of an isolated and safe environment without any risk of infection to the organization’s network.

3. Performing static analysis:

Next step is to get the virus sample into the malware analysis lab and perform static analysis on it. As already learnt, this helps us to understand the behavioral properties of malware.

4. Performing automated analysis:

The next step is to use a automated tool to analyze malware. This analysis can determine potential risks if malware infects a machine.

5. Manual code review:

In this stage, the code of the malware is reversed manually using debuggers, disassembly compilers and other specialized tools to understand its behavior.

Hello, aspiring ethical hackers. In our previous blogpost, you learnt about threat intelligence. In this article, you will learn about digital forensics. It plays an important role not only in investigating cyber attacks but also in solving crimes that have digital elements attached to it. This digital evidence is admissible in court proceedings. In Information security, unlike penetration testing, forensics comes after the cyber attack has already occurred.

What is digital forensics?

Digital forensics, a branch of forensic science is a process that includes identification collection, acquisition, analysis and reporting of any information or evidence from digital devices that were used as part of a crime or victims of cyber attacks.

Types of digital forensics

Digital forensics has different branches. They are,

1. Computer forensics:

Also known as cyber forensics, this branch deals with collecting digital evidence from computers.

2. Mobile forensics:

As you might have guessed by now, this branch deals with collection of digital evidence from mobile devices like smart phones, tablets etc.

3. Network forensics:

This branch deals with collection and analysis of digital evidence from network traffic.

4. Database forensics:

This branch deals with analyzing databases for digital evidence.

5. Cloud forensics:

This branch deals with collecting and analyzing digital evidence from the cloud.

Stages of digital forensics

Digital forensics has five stages. They are,

1. Identification of digital evidence:

The first stage is identifying where the digital evidence may be present after a cyber attack or cyber incident.

2. Acquisition and preservation:

After identifying where digital evidence may be present, the next step is to collect this evidence and more importantly preserve it from being contaminated. If the evidence gets contaminated, it will not be admissible in court.

3. Analysis:

In this stage, the collected and carefully preserved digital evidence is analyzed to reconstruct the events of the cyber attack or cyber crime.

4. Documentation:

After all the evidence related to the cyber crime or cyber attack has been analyzed, the next step is documenting all the evidence in a clean manner to be presented in a court.

5. Presentation:

The last stage is presenting all the documented evidence in court or to the affected and all other stakeholders for conviction and to help courts in decision making.

Next, learn how to respond in case of a cyber incident with incident response.