WEBVTT

00:07.190 --> 00:11.360
In our last episode, we talked about network symptoms and then we talked about host symptoms.

00:11.360 --> 00:14.390
It's no wonder that today we're going to talk about application symptoms.

00:14.390 --> 00:19.340
It's important to remember that applications play an important role in any device or organization.

00:19.340 --> 00:25.220
Without applications residing on the specific equipment and hardware that we utilize, we as cybersecurity

00:25.220 --> 00:27.290
professionals really wouldn't have a job.

00:27.290 --> 00:32.330
And so when we're looking at application symptoms, we need to go past the network infrastructure,

00:32.360 --> 00:39.110
past the host infrastructure, and identify how we can relate those specific applications within their

00:39.110 --> 00:44.420
confines of not only themselves, but how they play that role on the host systems as well.

00:44.480 --> 00:49.400
A lot of people like to separate applications from hosts like I just kind of mentioned, but really

00:49.400 --> 00:54.140
they're kind of combined into one and we can see the symptoms residing not only in the host machine,

00:54.140 --> 00:55.850
but also the application.

00:55.850 --> 01:00.710
Yet the application is usually where we see the most problems. Application-related symptoms can include

01:00.710 --> 01:07.430
application modification, meaning that we had a patch or we provided a security update to the normal

01:07.430 --> 01:08.330
application.

01:08.360 --> 01:10.310
Well, yes, this is a modification.

01:10.310 --> 01:15.710
It's an authorized modification, meaning that we authorized it, went through the testing process, went

01:15.710 --> 01:20.960
through and made sure that it conformed properly to not only the host machine, but to our other applications.

01:20.960 --> 01:26.120
And we went through the rigorous testing and approval process to allow that modification of that original

01:26.120 --> 01:26.720
software.

01:26.750 --> 01:31.700
Unauthorized application modification comes into play when something changes within the application

01:31.700 --> 01:34.340
that we weren't aware of or that we didn't authorize.

01:34.370 --> 01:40.070
It's not uncommon for applications to come out with their own patching or new software update, but as

01:40.070 --> 01:44.060
an organization, we need to control when those modifications take place.

01:44.060 --> 01:49.010
We don't just willy-nilly go into play and say update now, even though that's what most people do on

01:49.010 --> 01:50.210
their home computers.

01:50.240 --> 01:55.460
As the cyber security professionals, we need to make sure that the modifications taking place on our

01:55.460 --> 01:58.820
host machines with our applications play nice with one another.

01:58.940 --> 02:04.390
Unauthorized application modifications could mean that the application crashes unexpectedly, and it

02:04.390 --> 02:07.450
could mean that there's a new vulnerability introduced to our system.

02:07.540 --> 02:12.160
It can mean a variety of different things that we weren't aware of, or that we didn't properly test

02:12.160 --> 02:13.540
when it was rolled out.

02:13.570 --> 02:18.040
It could also mean that somebody went in and purposely modified that application to do something that

02:18.040 --> 02:22.930
it wasn't originally designed for, without our knowledge, without the third party knowledge, and

02:22.930 --> 02:28.060
just went in, opened different ports or changed the code in such a way that introduced a vulnerability

02:28.060 --> 02:29.080
within our system.

02:29.110 --> 02:32.950
Usually we don't have employees going through and changing the code on our applications.

02:32.950 --> 02:38.740
I know that's surprising, but what we do normally see is that employees will go on to a website and

02:38.740 --> 02:43.870
see a brand new plugin, or a new feature that they want to download.

02:43.930 --> 02:45.700
Zoom is a perfect example.

02:46.120 --> 02:51.550
It has multiple plugins out there that you could update your system with that allow the user to have

02:51.580 --> 02:54.070
better experiences with the Zoom platform.

02:54.070 --> 03:00.640
However, not all of those are necessarily secure or provided by the organization in such a manner that

03:00.640 --> 03:04.630
allows us to control them. And so a lot of organizations just don't allow for that.

03:04.660 --> 03:09.010
However, you've always got that employee that wants to upgrade to the newest plugin to update to the

03:09.010 --> 03:11.740
newest feature that that software provides.

03:11.770 --> 03:16.690
This is where the problem comes into play that we as cybersecurity specialists, need to be aware of,

03:16.690 --> 03:21.940
and that our employees aren't really going to follow our processes and procedures to the key.

03:21.970 --> 03:24.400
We utilize technology to prohibit this.

03:24.430 --> 03:28.060
We also utilize policies and procedures to stop that from happening.

03:28.060 --> 03:32.680
But it does occur, and we need to be aware of those occurrences in order to stop them and roll back

03:32.710 --> 03:34.630
that application.

03:34.660 --> 03:37.300
There's also something called privilege escalation.

03:37.330 --> 03:44.320
Privilege escalation occurs when a software process or an application exceeds its authorized permissions.

03:44.350 --> 03:49.960
Obviously, if I have a new application, I want it to just download to my machine and have minimal

03:49.990 --> 03:51.910
privileges on that device.

03:52.030 --> 03:56.440
My three-year-old, for instance, when he was a kid, he would go through and he would just start

03:56.440 --> 03:57.880
downloading apps all over the place.

03:57.880 --> 03:59.050
He would just one after another.

03:59.080 --> 04:04.840
It would be Angry Birds to this Star Wars game, to this game that was about light birds and letters.

04:04.840 --> 04:05.470
You get the point.

04:05.470 --> 04:07.930
Just all kinds of different applications.

04:07.930 --> 04:12.070
Those applications didn't play well with each other, and they would normally cause other applications

04:12.070 --> 04:15.700
that he had going on simultaneously on his tablet to crash.

04:15.730 --> 04:20.140
Now, I know I'm talking a tablet and you would be thinking to yourself, well, wait a second, a tablet

04:20.140 --> 04:21.610
in an organization?

04:21.610 --> 04:24.190
I don't think so, but stick with me on this one.

04:24.760 --> 04:30.160
Throughout those applications that he was modifying, it also allowed different privileges associated

04:30.160 --> 04:31.450
with each application.

04:31.450 --> 04:36.460
In less than six months, my three year old came up to me and he said, daddy, my tablet doesn't work

04:36.460 --> 04:36.970
anymore.

04:36.970 --> 04:42.970
When I got his tablet and I started running through it, he had managed to download over 257 different

04:42.970 --> 04:44.380
viruses onto his system.

04:44.380 --> 04:47.530
That's 257 pieces of malware in less than six months.

04:47.560 --> 04:52.240
Now, obviously, our employees aren't three-year-olds, and so there's a little bit of difference in there.

04:52.240 --> 04:57.400
But in many cases, if we let our employees just run rampant, they're going to do the same thing.

04:57.400 --> 05:02.050
We need to lock down our machines, and we need to make sure those applications don't have unauthorized

05:02.050 --> 05:02.860
privileges.

05:02.860 --> 05:08.260
When we go through as cybersecurity analysts, we need to look at processes and applications: what

05:08.260 --> 05:11.470
are they authorized to do versus what aren't they authorized to do?

05:11.500 --> 05:16.660
On my own normal mobile device, I don't authorize applications to track me.

05:16.660 --> 05:18.220
That's just something I don't allow.

05:18.250 --> 05:23.050
Your computer systems shouldn't allow the different escalations of privileges associated with those

05:23.050 --> 05:24.070
different machines.

05:24.070 --> 05:25.720
Some make sense, right?

05:25.750 --> 05:30.730
If I'm using a mapping program on my mobile device, obviously I want it to be able to locate and know

05:30.730 --> 05:33.250
where I'm at while I'm using the application.

05:33.250 --> 05:38.200
But if I'm not using the application, it shouldn't have permissions that it doesn't need, i.e. it

05:38.200 --> 05:39.430
shouldn't be able to track me.

05:39.460 --> 05:43.510
Now, I know that's just my personal devices, but think about that from an organizational point of

05:43.510 --> 05:44.080
view.

05:44.110 --> 05:49.240
What are different applications inside your work environment and what permissions do they have accessibility

05:49.240 --> 05:49.570
to?

05:49.600 --> 05:52.150
Are they able to modify other applications?

05:52.180 --> 05:56.260
Are they able to identify and reach out to command and control servers?

05:56.290 --> 06:02.650
Are they able to pull in different files from other different applications or programs on the computer

06:02.650 --> 06:03.610
that they're utilizing?

06:03.610 --> 06:08.880
All of these are dangerous permissions that we should stop whenever possible, unless the application

06:08.880 --> 06:11.700
has a legitimate use in order to proceed with them.

06:11.700 --> 06:16.710
There was an application that came out about a year and a half ago that I was privy to, and they rolled

06:16.710 --> 06:21.090
it out and it was able to pull from different cloud environments simultaneously.

06:21.120 --> 06:26.640
Now, obviously, that could be a dangerous front where I've got 6 or 7 different cloud platforms interacting

06:26.640 --> 06:31.320
in one device, and this application on this computer is able to pull from all seven of them.

06:31.320 --> 06:34.920
But that was a normal privilege that was authorized for that application.

06:34.920 --> 06:40.920
And it went through a review process as well as an authorization process; that's a privilege escalation

06:40.920 --> 06:42.030
that we approved.

06:42.060 --> 06:46.800
However, when we're talking about privilege escalation from a cyber security standpoint, it's unapproved

06:46.800 --> 06:52.590
escalation of privileges associated with either the person, the application or the device.

06:52.590 --> 06:57.630
There are different application related symptoms that come into play with each application associated

06:57.630 --> 06:58.170
with it.

06:58.170 --> 07:02.820
For instance, an antivirus program may give you something like this where it's saying, hey, there's

07:02.850 --> 07:05.640
unauthorized spyware or there's another problem on it.

07:05.640 --> 07:10.890
It wasn't that long ago, I think in 2013, where there was a particularly nasty malware that would pop

07:10.890 --> 07:16.140
up saying your Adobe Acrobat needs to be updated, and users would take this for granted and they'd

07:16.140 --> 07:17.430
say, yes, update now.

07:17.460 --> 07:20.160
However, it wouldn't go to the Adobe Acrobat web page.

07:20.160 --> 07:25.290
It would go to a fake web page that looked like Adobe Acrobat, that then downloaded malware onto

07:25.290 --> 07:29.100
their system, and it remained uncaught for about six months,

07:29.100 --> 07:35.520
if I remember correctly. This is a dangerous piece of malware that utilizes the same processes and procedures

07:35.520 --> 07:38.910
that users expect to see on their own devices.

07:38.940 --> 07:45.840
Obviously, as cybersecurity professionals, we want to mitigate or negate those pop-up windows as much

07:45.840 --> 07:50.520
as possible and have full control over those security related applications.

07:50.520 --> 07:56.460
For instance, in this one, you can see that it detected 25 critical system objects, and it's going

07:56.460 --> 07:59.610
on to ask: remind me later, or register the product?

07:59.610 --> 08:05.310
This is a known scam that comes into play with antivirus programs, where they're trying to get you

08:05.310 --> 08:09.000
to register the product in order to pay them extra money.

08:09.030 --> 08:13.590
Obviously, this isn't something we should normally see in our organization, but it does occur every

08:13.590 --> 08:14.520
once in a while.

08:14.550 --> 08:19.800
If you have users that are experiencing pop-up windows like this, this could be an indicator of compromise

08:19.800 --> 08:24.600
at an application level, and we need to do a full virus scan and malware scan in order to identify

08:24.600 --> 08:29.790
what's going on within the system, and then remove those unauthorized programs from our systems.

08:29.820 --> 08:35.610
Botnet activity really comes into play, where I've got a command and control system outside of my network,

08:35.610 --> 08:41.100
and the client has been attached with malware, meaning that the client or the host machine has been

08:41.100 --> 08:47.550
infected, and it's sending out that beacon across our network to communicate with a command and control

08:47.550 --> 08:48.180
system.

08:48.210 --> 08:53.490
Now, we talked about command and control systems in the network symptoms, and we identified how the

08:53.490 --> 08:57.600
command and control, or beaconing, could play a role as an indicator of compromise.

08:57.600 --> 09:03.300
However, within that beacon, it comes back to an application or even a client associated with it.

09:03.300 --> 09:09.810
Within botnet activity, our own systems within our organization could actually be providing

09:09.810 --> 09:15.590
malicious activity across not only our own network, but neighboring networks as well, and third party

09:15.620 --> 09:16.250
vendors.

09:16.250 --> 09:22.820
This could lead to malicious activity and denial of service activity across different applications and

09:22.820 --> 09:24.020
different systems.

09:24.020 --> 09:29.990
We could actually see some problems related to exfiltration from our system, or our data going out.

09:30.020 --> 09:35.300
Data exfiltration is something that is usually hidden within a DDoS attack, and it's not uncommon to

09:35.300 --> 09:41.930
see where our own network is being DoSed and the user or the malicious actor is trying to exfiltrate

09:41.960 --> 09:43.820
data simultaneously.

09:43.820 --> 09:49.460
While our cybersecurity staff is trying to deal with this DDoS attack, secretly they're on the back

09:49.490 --> 09:55.910
end exfiltrating data, making it to where our sensitive information, our proprietary data is then

09:55.910 --> 09:57.050
leaving our network.

09:57.050 --> 10:01.670
Both of those don't seem like they go hand in hand with one another, but it's a common tactic used

10:01.670 --> 10:03.110
by malicious actors.

10:03.110 --> 10:06.740
You need to be aware of these tactics and techniques that are used by actors, so that you can better

10:06.740 --> 10:08.300
prepare and defend against them.

10:08.300 --> 10:14.700
Botnet activity is the first point of that, seconded by data exfiltration through email or even normal

10:14.700 --> 10:15.420
traffic patterns.

10:15.450 --> 10:20.400
Remember, whenever we're undergoing an attack, you should take the idea that there isn't just one

10:20.400 --> 10:21.420
attack going on.

10:21.420 --> 10:23.670
There's usually something else associated with it.

10:23.700 --> 10:29.010
While that doesn't always happen, it is pretty indicative of normal strategies that we're seeing in common

10:29.010 --> 10:30.300
day malware attacks.

10:30.330 --> 10:32.430
There's also phishing communication.

10:32.460 --> 10:35.190
Phishing communication is pretty standard for social engineering.

10:35.190 --> 10:36.300
And we see phishing.

10:36.300 --> 10:39.270
We see phishing, we see smishing.

10:39.330 --> 10:40.920
And I feel like I should break that down.

10:40.920 --> 10:42.180
So let's go through this, right?

10:42.210 --> 10:48.360
Phishing communication is broad communication associated with emails where we're hitting the entire

10:48.360 --> 10:49.140
organization.

10:49.140 --> 10:54.360
And it's very broad in scope because it's not really identifying a key person within it.

10:54.360 --> 10:58.500
That's phishing communication with the general ideology that we're trying to get them to click on a

10:58.500 --> 11:04.740
link that would either download email or even open a secure communication between that client computer

11:04.740 --> 11:10.560
and an off network computer in order for them to invade our computer systems, usually using something

11:10.560 --> 11:12.770
like RDP or even SSH.

11:12.950 --> 11:15.090
There's also something called spear phishing.

11:15.090 --> 11:17.430
And I think you should know this from your Security+ days.

11:17.460 --> 11:22.740
Spear phishing is where we target a specific individual, commonly noted with phishing as well.

11:22.740 --> 11:27.690
But we have personal identifiers in there like their name, maybe their title, even their phone number.

11:27.780 --> 11:31.020
And we could utilize this on different applications within there.

11:31.050 --> 11:38.190
Then there's also smishing, or text message phishing, along with voice phishing or robocalls and that kind of thing.

11:38.880 --> 11:43.650
You have to remember that while those are all social engineering attacks, they very much come into

11:43.650 --> 11:49.140
play with the application related attack measures that we see from malicious actors, whether it's through

11:49.170 --> 11:52.410
phishing or even smishing, where their company phone is hit with a link.

11:52.440 --> 11:57.600
You need to understand that as an analyst, we need to be prepared for those various attack vectors

11:57.600 --> 12:01.020
when they come into play with our organization.

12:02.910 --> 12:08.910
Anomalous activity usually comes in the form of phishing attacks or even smishing or social engineering

12:08.910 --> 12:15.270
attacks, but it can also come in the form of a process or an application doing something that it shouldn't

12:15.310 --> 12:16.180
normally do.

12:16.210 --> 12:20.530
Usually we relate this to privilege escalation or some other form of attack.

12:20.560 --> 12:26.530
But when it really comes down to it, anomalous activity is an activity on our system or on our client

12:26.530 --> 12:32.470
that isn't authorized and doesn't have a known normal link to another objective.

12:32.500 --> 12:39.130
Meaning that usually a malware hasn't been involved, but somebody opened up a port in order to communicate,

12:39.130 --> 12:44.500
or we downloaded an antivirus program, and the antivirus program is picking up the viruses, but it

12:44.500 --> 12:47.200
missed one because it wasn't updated properly.

12:47.230 --> 12:51.760
Anomalous activity can be any number of things, but what it really includes is something that we haven't

12:51.760 --> 12:56.350
seen before, or it can't be directly linked to another activity that's malicious in nature.

12:56.380 --> 13:01.360
This can take the form of new accounts where an actor gets in there and he starts creating new accounts

13:01.360 --> 13:03.400
that make sense or don't make sense.

13:03.400 --> 13:08.800
For instance, when I was with AT&T, it used to be the first letter of our initial, the second

13:08.800 --> 13:12.730
letter of our initial, and then a pseudo-random number and letter combination.

13:12.730 --> 13:17.560
And that would be the user ID that we utilized for our entire career with AT&T.

13:17.590 --> 13:22.030
If we had new accounts that were popping up that didn't have that format, we knew that there was a

13:22.030 --> 13:26.920
problem and somebody had gained an entry into our system and started creating new accounts.

13:26.920 --> 13:28.870
However, that's not always the case.

13:28.870 --> 13:34.270
If a malicious actor really knows what's going on, they can duplicate our same procedure and start

13:34.270 --> 13:35.440
creating new accounts.

13:35.440 --> 13:40.930
If we see a rash of new accounts that don't make a lot of sense, that could be an indicator

13:40.960 --> 13:41.830
of compromise.

13:41.860 --> 13:49.420
We also often see service interruptions with malware, and new applications, or new policies or procedures

13:49.420 --> 13:50.260
come into play.

13:50.260 --> 13:52.480
We often see service interruptions.

13:52.480 --> 13:57.520
Usually this comes into an authorized aspect during our maintenance window, but not always.

13:57.520 --> 14:04.120
If I'm seeing a service interruption where a machine or a software within a host environment, i.e.

14:04.150 --> 14:09.520
a server or something else comparable to that is no longer available during normal regular business

14:09.520 --> 14:13.720
hours, and I can't attribute it to something, I need to investigate and find out why.

14:13.750 --> 14:19.120
Usually this is relegated to the IT department, but as a cybersecurity analyst, you should be aware

14:19.120 --> 14:21.130
that not everything is an IT problem.

14:21.130 --> 14:27.430
If we're seeing crashes in software that could be associated with an application or with another process

14:27.430 --> 14:30.670
interfering with that corresponding service.

14:30.670 --> 14:34.480
And so service interruptions can play a role within the cyber environment.

14:34.480 --> 14:39.640
This is why having a direct communication with the IT department and having a good working relationship

14:39.640 --> 14:44.530
with them really expands upon our capabilities as a cyber security workforce.

14:44.530 --> 14:48.940
And so, again, we need to make sure that we have a good working environment with our IT staff.

14:49.300 --> 14:55.000
Finally, there's application logs. Just like IPS, IDS, firewalls and anything else on our network,

14:55.030 --> 14:56.770
applications have logs too.

14:56.800 --> 14:59.350
Some logs we want to collect, some we don't.

14:59.350 --> 15:04.840
And it really kind of confines itself to what is important within our own organization.

15:04.840 --> 15:10.210
Regardless of what we collect for our SIEM environment or not, we need to make sure that we always

15:10.210 --> 15:15.250
have those application logs available to us so that we can go back if we see a problem within our network

15:15.250 --> 15:18.310
or within our applications, those logs can provide us alerts.

15:18.310 --> 15:24.010
They can provide us keys into what's going on and what's happening with that specific application

15:24.010 --> 15:26.530
and how it interferes with other applications on there.

15:26.560 --> 15:31.690
This also allows us to quickly identify if there was a legitimate process that just had a legitimate

15:31.690 --> 15:37.480
issue that our IT staff could take care of, or if there was something more nefarious going on and where

15:37.480 --> 15:39.190
our cyber team needs to get involved.

15:39.220 --> 15:44.890
Those application logs are key to identifying key features within our cybersecurity environment, and

15:44.890 --> 15:50.830
can lead us down the road to identifying what's really going on within our applications environment,

15:50.830 --> 15:52.000
as well as our network environment.

15:52.000 --> 15:55.960
Throughout this course, we identify different applications and how they intersect with our host and

15:55.960 --> 15:57.160
even network environment.

15:57.160 --> 16:03.580
We also identified how they can be utilized within a cyber scope, whether from an IT perspective or

16:03.580 --> 16:05.020
a security perspective.

16:05.020 --> 16:10.300
It's important to note for CySA, you're probably not going to see a lot of questions from the technical

16:10.300 --> 16:14.050
perspective. We're not going to ask you, here's a log of an application,

16:14.080 --> 16:16.360
what's going on with this other application?

16:16.360 --> 16:18.280
It's too narrowly defined.

16:18.280 --> 16:20.850
And CySA doesn't expect you to know that.

16:20.850 --> 16:27.300
But what they do expect you to understand is simple things like this application is now able

16:27.300 --> 16:33.720
to interact or intersect with this other application that has nothing to do with it, i.e. maybe I have

16:33.720 --> 16:38.520
an application that's associated with Word and it's intersecting or interacting with an application

16:38.520 --> 16:39.420
for maps.

16:39.420 --> 16:42.660
There's really no straight route for those two.

16:42.690 --> 16:45.600
So why are they able to feed off information from one another?

16:45.600 --> 16:52.080
And then they'll ask you, is this an authorized permission or what kind of permission should we investigate

16:52.080 --> 16:54.210
further within our strategy?

16:54.240 --> 16:59.610
Remember, most of the CySA questions are scenario based, so you should be really prepared to read

16:59.610 --> 17:04.110
through a paragraph full of information and then quickly identify what's going on.

17:04.140 --> 17:09.210
Now this is a very high level question and answer scenario for most of these questions in CySA.

17:09.210 --> 17:15.000
So again, we're not expecting you to be able to read the individual application logs, but we are expecting

17:15.000 --> 17:16.560
you to be able to read network logs.

17:16.560 --> 17:20.610
So there's that fine line, a delineator between the two, that you need to prepare for

17:20.610 --> 17:21.630
CySA.
