Unit 5: Defense and Analysis Techniques
MEMORY FORENSICS:
Memory forensics is a crucial area within cybersecurity that involves analyzing the volatile
memory (RAM) of a computer system to uncover digital evidence, detect threats, and
investigate malicious activity. Unlike traditional disk forensics, memory forensics focuses on
real-time data that exists only while the system is powered on.
Why Memory Forensics Matters in Cybersecurity
1. Malware detection: Identifies rootkits, Trojans, and fileless malware that don't leave traces
on disk.
2. Incident response: Provides insight into what was running during a breach, including
processes, network connections, and injected code.
3. Data recovery: Retrieves sensitive information such as passwords, encryption keys, and
cached data.
4. Digital investigations: Helps reconstruct attacker behavior during post-exploitation stages.
5. Uncovering Hidden Malware: Memory forensics can reveal evidence of malware that has
been disguised or is difficult to detect through other means.
6. Live Analysis: It provides a snapshot of the system's state at the time of the incident,
allowing analysts to understand what was happening in real-time.
Challenges in Memory Forensics
Data Volatility: RAM stores temporary data that disappears when the system shuts down.
It's important to capture it quickly before it's lost.
Memory Acquisition: Collecting a memory dump requires careful handling and the right
tools to avoid damaging or missing critical data.
Tool Selection: Using outdated or incompatible tools can lead to incomplete or incorrect
analysis, so choosing the right tools is essential.
Data Integrity: The memory data must remain unchanged during capture and analysis to
ensure it’s valid evidence.
Tools and Techniques:
Memory Dump Tools: Various software and tools are used to capture a memory dump,
including Volatility and others.
Memory Analysis Tools: These tools help analysts examine the memory dump for evidence
of malicious activity, such as running processes, open files, and network connections.
Reverse Engineering: In some cases, analysts may need to use reverse engineering
techniques to understand the behavior of malware or other malicious code.
Chain of Custody: Proper documentation of who collected and handled the data is necessary
to maintain trust and legal admissibility.
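A worked example of the cross-view technique that memory analysis tools use to expose hidden processes (compare the OS's own process list with a raw scan of memory for process structures). It is added here for illustration and is not part of these notes nor Volatility's code; the 28-byte block layout and the image contents are constructed assumptions, not a real operating system's structures:

```python
import struct

# Constructed toy memory image (not a real OS layout): each process block is a
# 28-byte record: 4-byte tag b'PROC', 4-byte pid, 4-byte offset of the next
# block in the active-process list (0 = end), 16-byte NUL-padded name.
TAG = b"PROC"
REC_FMT = "<4sII16s"
REC_SIZE = struct.calcsize(REC_FMT)   # 28

def make_block(pid, next_off, name):
    return struct.pack(REC_FMT, TAG, pid, next_off, name.encode().ljust(16, b"\0"))

def build_image():
    # Active list: 0x10 -> 0x40 -> 0x80. The block at 0x60 has been unlinked from
    # the list (what a DKOM rootkit does to hide) but still sits in memory.
    img = bytearray(0x100)
    img[0x10:0x10 + REC_SIZE] = make_block(4, 0x40, "System")
    img[0x40:0x40 + REC_SIZE] = make_block(612, 0x80, "lsass.exe")
    img[0x60:0x60 + REC_SIZE] = make_block(1337, 0, "hidden.exe")
    img[0x80:0x80 + REC_SIZE] = make_block(2048, 0, "explorer.exe")
    return bytes(img)

def parse_block(img, off):
    tag, pid, nxt, name = struct.unpack_from(REC_FMT, img, off)
    return pid, nxt, name.rstrip(b"\0").decode()

def walk_list(img, head):
    """'pslist' view: follow the OS's own linked list of active processes."""
    seen, off = {}, head
    while off and off not in seen:          # stop at the end or on a cycle
        pid, nxt, name = parse_block(img, off)
        seen[off] = (pid, name)
        off = nxt
    return seen

def scan_blocks(img):
    """'psscan' view: ignore the list and carve every block that looks like one."""
    found, off = {}, img.find(TAG)
    while off != -1:
        pid, _, name = parse_block(img, off)
        found[off] = (pid, name)
        off = img.find(TAG, off + 1)
    return found

def hidden_processes(img, head):
    """Cross-view: anything the scan finds but the list walk misses."""
    listed = walk_list(img, head)
    return {off: v for off, v in scan_blocks(img).items() if off not in listed}
```

Calling `hidden_processes(build_image(), 0x10)` returns only the unlinked block at 0x60; the same logic, applied to real process structures, is how rootkit-hidden processes are found in a memory dump.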
HONEYPOTS:
What Are Honeypots in Cybersecurity?
Honeypots are fake systems made to look like real computers or servers. Their job is to trick
hackers into thinking they’ve found a target, while security teams secretly watch and learn
from the attack. They help experts understand how hackers work and protect real systems
from being harmed.
How Honeypots Work
Attract Hackers: Honeypots are set up to look like valuable or weak systems, such as a server
with open ports or fake login pages, to catch a hacker’s attention.
Watch Closely: Once someone interacts with the honeypot, security teams record
everything the attacker does—like what tools they use and what they’re trying to steal or
damage.
Learn and Analyze: Experts study the hacker’s actions to understand their methods and
improve real system defenses.
Protect Real Systems: By focusing on the honeypot, hackers are distracted from the real
servers. This gives the security team time to detect and respond to threats.
Types of Honeypots:
1. Research Honeypots:
Used by experts to learn how hackers attack.
They are not part of real company systems.
2. Production Honeypots:
Used in real company networks to catch and distract hackers.
They help protect important data and systems.
Benefits of Using Honeypots:
Better Threat Awareness: They give clear insights into hacker techniques and help improve
security strategies.
Early Warning: Honeypots can alert security teams about attacks before they hit actual
systems.
Stronger Network Security: By seeing where hackers try to break in, teams can fix
weaknesses in their network.
Attack Diversion: They distract hackers from real data and systems, buying time for a proper
response.
Limitations of Honeypots:
False Alarms: Sometimes, honeypots can be triggered by harmless users or automatic scans,
leading to confusion.
Security Risk: If not properly set up, honeypots could become targets themselves and might
leak information.
Need for Skilled Experts: Building and managing honeypots needs people with good
technical knowledge and experience.
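A minimal low-interaction honeypot covering the "How Honeypots Work" steps (attract with a fake service banner, record everything sent) and the "False Alarms" limitation (a triage rule that separates port scans from real interaction). This is an added example, not code from these notes or from any honeypot product; the banner text, the port, the triage thresholds and the sample addresses are constructed assumptions:

```python
import json
import socketserver
import time

FAKE_BANNER = b"SSH-2.0-OpenSSH_7.4\r\n"   # constructed: the decoy pretends to be an SSH server

def classify(event):
    """Triage for the false-alarm problem: connect-and-close with no payload is almost
    always a scanner; a client that actually talks to the fake service is worth a look."""
    if event["bytes_received"] == 0:
        return "scan"
    if event["duration"] < 1.0 and event["bytes_received"] < 32:
        return "probe"
    return "interactive"

def make_event(src_ip, src_port, payload, started, ended):
    event = {                        # one record per connection: who, when, how long, what
        "ts": started,
        "src": f"{src_ip}:{src_port}",
        "bytes_received": len(payload),
        "duration": round(ended - started, 3),
        "payload_preview": payload[:64].decode("latin-1"),
    }
    event["verdict"] = classify(event)
    return event

class HoneypotHandler(socketserver.BaseRequestHandler):
    def handle(self):
        started = time.time()
        self.request.sendall(FAKE_BANNER)
        self.request.settimeout(5)           # give up on idle clients
        chunks = []
        try:
            while True:
                data = self.request.recv(1024)
                if not data:
                    break
                chunks.append(data)
        except OSError:                      # timeout or reset: keep what we have
            pass
        event = make_event(*self.client_address, b"".join(chunks), started, time.time())
        with open("honeypot.jsonl", "a") as log:   # append-only interaction log
            log.write(json.dumps(event) + "\n")

if __name__ == "__main__":
    # Listens on localhost for demonstration; a deployed decoy sits on an isolated segment.
    with socketserver.ThreadingTCPServer(("127.0.0.1", 2222), HoneypotHandler) as srv:
        srv.serve_forever()
```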
MALICIOUS CODE NAMING:
Malicious code naming in cybersecurity means giving names to harmful software or scripts
(like viruses, worms, or malware) based on what they do, where they come from, or who
created them. These names make it easier for cybersecurity experts to recognize, group, and
deal with these threats quickly and effectively.
Here's a more detailed look:
Common Naming Practices
1. Functionality-Based Naming:
- This type of naming is based on what the malware does.
- Examples include keyloggers, spyware, ransomware, and Trojans.
- It helps in quickly understanding the malware’s behavior.
- Such names make threat identification easier for security teams.
2. Origin-Based Naming:
- Malware names may indicate the country or group behind it.
- For example, “Bear” is linked to Russian groups, “Panda” to Chinese.
- It helps trace the possible source of the threat.
- This can aid in geopolitical analysis and targeted defenses.
3. Family-Based Naming:
- Malware with shared traits is grouped into families.
- New variants often carry the family name with slight changes.
- This helps track the evolution of malware over time.
- It also supports quicker response to known malware types.
4. Attack Method-Based Naming:
- Names are sometimes based on how the malware attacks.
- An example is Heartbleed, which exploited a data leak vulnerability.
- Such names highlight the technique or vulnerability used.
- They help researchers understand and fix specific flaws.
5. Author-Defined Naming:
- Some malware is named by its own creators or hacker groups.
- These names may be used for branding or intimidation.
- It helps attackers build a reputation in cybercrime communities.
- Such names may carry unique signatures or styles.
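Family-based naming becomes practical when you can split a vendor's detection name into its components and group different vendors' names for the same file by family. The example below does that for three common naming layouts; it is added here for illustration, is not part of these notes, and every detection name in it is made up (the regexes are assumptions about the layouts, not any vendor's official grammar):

```python
import re

# Constructed examples of three common vendor naming styles (every name in
# this example is made up for illustration; none is a real detection name):
#   Microsoft style : Type:Platform/Family.Variant!Suffix
#   CARO style      : Type.Platform.Family.Variant
#   Platform-first  : Platform/Family.Variant
PATTERNS = [
    re.compile(r"^(?P<type>[A-Za-z-]+):(?P<platform>[A-Za-z0-9]+)/(?P<family>[A-Za-z0-9_]+)"
               r"(?:\.(?P<variant>[A-Za-z0-9]+))?(?:!(?P<suffix>[A-Za-z0-9]+))?$"),
    re.compile(r"^(?P<type>[A-Za-z-]+)\.(?P<platform>[A-Za-z0-9]+)\.(?P<family>[A-Za-z0-9_]+)"
               r"(?:\.(?P<variant>[A-Za-z0-9]+))?$"),
    re.compile(r"^(?P<platform>[A-Za-z0-9]+)/(?P<family>[A-Za-z0-9_]+)"
               r"(?:\.(?P<variant>[A-Za-z0-9]+))?$"),
]

def parse_detection(name):
    """Split a vendor detection name into its naming components, or None if the
    name follows no recognised convention (e.g. a bare heuristic verdict)."""
    for pat in PATTERNS:
        m = pat.match(name.strip())
        if m:
            d = m.groupdict()
            return {
                "type": (d.get("type") or "unknown").lower(),
                "platform": d["platform"].lower(),
                "family": d["family"].lower(),
                "variant": (d.get("variant") or "").lower(),
            }
    return None

def group_by_family(detections):
    """Family-based naming in practice: several vendors, several spellings, one
    family. `detections` maps vendor -> name; returns (platform, family) -> vendors."""
    families = {}
    for vendor, name in detections.items():
        parsed = parse_detection(name)
        key = (parsed["platform"], parsed["family"]) if parsed else ("?", name)
        families.setdefault(key, []).append(vendor)
    return families

if __name__ == "__main__":
    verdicts = {                      # constructed multi-vendor verdicts for one file
        "VendorA": "Trojan:Win32/ExampleFam.B!ml",
        "VendorB": "Trojan-Downloader.Win32.ExampleFam.gen",
        "VendorC": "Win32/ExampleFam.B",
        "VendorD": "Suspicious",      # heuristic verdict, carries no family
    }
    for family, vendors in group_by_family(verdicts).items():
        print(family, "->", ", ".join(vendors))
```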
Why Naming Is Important:
Helps Identify Threats: Names let security experts quickly understand what kind of malware
they’re dealing with and how to stop it.
Makes It Easier to Track: Names help track malware over time to see how it changes or
spreads.
Supports Teamwork: Using common names helps security teams and organizations share
information more easily.
Raises Awareness: When people know the names of common threats, they’re more likely to
stay alert and take steps to protect themselves.
AUTOMATED MALICIOUS CODE ANALYSIS SYSTEM:
Security teams use special tools and techniques to quickly study malware (harmful
software). This helps them understand what the malware does, why it was created, and how
dangerous it is. These systems can do things like scan the code, run it in a safe place, and
watch what it does—all automatically.
Main Parts of Automated Malware Analysis:
1. Sandboxing: The malware is run in a virtual or fake environment that doesn’t affect the
real system. This helps experts safely watch how it behaves.
2. Static Analysis: This means looking at the malware’s code without running it. It helps find
out how it works and what signs (called IOCs) it might leave behind.
3. Dynamic Analysis: Here, the malware is actually run in a safe environment, and its
behavior is closely watched—like what files it touches or what internet connections it
makes.
4. Automated Tools:
- Malware Analysis Platforms:
These are automated tools that run malware in a secure environment and generate detailed
reports on its behavior, such as file changes, network activity, and system impact.
Example: Hybrid Analysis, VMRay.
- Disassemblers/Decompilers:
These tools convert malware's machine code into human-readable format, allowing analysts
to study its structure and logic without executing it.
Example: IDA Pro, Ghidra.
- Debuggers:
Debuggers allow step-by-step execution of malware code to observe its behavior and
identify hidden functions or malicious actions.
Example: Immunity Debugger.
- Process Monitor:
It is a tool that tracks and records all system-level activities such as file access, registry
changes, and process execution in real time.
Example: Microsoft Process Monitor.
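An example of the static-analysis step above: pulling indicators of compromise (IOCs) and a triage score out of a file without running it. This is an added example, not code from these notes or from any of the platforms listed; the byte string standing in for a sample, the API watch-list, and the scoring weights are constructed assumptions:

```python
import hashlib
import re

# Constructed stand-in for a suspicious file (a few header bytes plus embedded
# strings laid out the way a real sample carries them). It is not malware.
SAMPLE = (
    b"MZ\x90\x00" + b"\x00" * 12
    + b"kernel32.dll\0CreateRemoteThread\0WriteProcessMemory\0VirtualAllocEx\0"
    + b"http://update.example.net/load.php\0" + b"\x41\x00" * 4
    + b"203.0.113.45:8443\0"
    + b"Software\\Microsoft\\Windows\\CurrentVersion\\Run\0"
    + b"\xff\xfe\x00\x13"
)

# What a static pass looks for without running anything: API names typical of
# process injection, network endpoints, and autorun persistence locations.
INJECTION_APIS = {"CreateRemoteThread", "WriteProcessMemory", "VirtualAllocEx", "NtUnmapViewOfSection"}
STRING_RE = re.compile(rb"[\x20-\x7e]{4,}")
URL_RE = re.compile(r"https?://[\w.-]+(?:/[\w./-]*)?")
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}(?::\d{1,5})?\b")

def extract_strings(data):
    """Printable-ASCII runs of 4+ characters: the raw material of every other check."""
    return [s.decode("ascii") for s in STRING_RE.findall(data)]

def static_report(data):
    strings = extract_strings(data)
    joined = "\n".join(strings)
    return {
        "sha256": hashlib.sha256(data).hexdigest(),   # identifier to share and search on
        "is_pe": data[:2] == b"MZ",
        "urls": URL_RE.findall(joined),
        "ips": IP_RE.findall(joined),
        "injection_apis": sorted(s for s in strings if s in INJECTION_APIS),
        "persistence": [s for s in strings if "CurrentVersion\\Run" in s],
    }

def risk_score(report):
    """Crude triage score so a queue of samples can be prioritised for deeper
    (dynamic) analysis; the weights are an assumption of this example."""
    score = 3 if report["injection_apis"] else 0
    score += 2 if report["urls"] or report["ips"] else 0
    score += 2 if report["persistence"] else 0
    return score

if __name__ == "__main__":
    report = static_report(SAMPLE)
    print(report, "risk score:", risk_score(report))
```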
Benefits:
1. Faster Detection: Malware is checked quickly, so threats are found and blocked faster.
2. Better Security: Understanding malware helps improve protection systems.
3. Stronger Threat Hunting: Helps security teams find and stop hackers more easily.
4. Saves Time and Effort: Tools do most of the work, saving time for experts.
5. Finds Unknown Threats: Can detect new malware that antivirus software doesn’t know
yet.
Challenges:
1. Changing Malware: Hackers often change how malware works to avoid detection.
2. Too Complex: New malware can be very advanced and hard to analyze automatically.
3. False Alarms: Sometimes the tools give wrong alerts, which wastes time.
INTRUSION DETECTION SYSTEM:
Definition of Intrusion Detection System (IDS):
An Intrusion Detection System (IDS) is a cybersecurity tool that monitors network traffic and
system activities for suspicious behavior or known threats, and alerts security personnel
when potential intrusions or attacks are detected.
Key points:
Watching the Network: An IDS keeps an eye on all the data moving through a network and
checks for anything strange or unexpected.
Spotting Problems: It looks for signs of trouble, like someone trying to log in many times or
hackers trying to break in using known tricks.
Sending Alerts: If it finds something suspicious, it quickly tells the security team so they can
take action to stop any damage.
Types of Intrusion Detection Systems (IDS):
Network-based IDS (NIDS):
A type of IDS that monitors and analyzes network traffic to detect malicious activity. It is
typically placed at strategic points within a network to observe traffic to and from all
devices.
Host-based IDS (HIDS):
An IDS that runs on individual devices (such as servers or computers) and monitors
operating system and application activity to detect suspicious behavior on that specific host.
Detection Methods Used by IDS:
Signature-based Detection:
A method that detects threats by comparing observed activity with a database of known
attack patterns or signatures.
Anomaly-based Detection:
A technique that identifies threats by detecting deviations from normal behavior or baseline
profiles of network or system activity.
Hybrid Detection:
A detection approach that combines both signature-based and anomaly-based methods to
improve accuracy and detection capabilities.
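The three detection methods side by side on a handful of log lines: a signature rule catches a known attack string, a threshold on failed logins per source catches the "trying to log in many times" case that no signature describes, and the hybrid detector returns the union. This is an added example, not from these notes or any IDS product; the log lines, the signatures and the threshold are constructed assumptions:

```python
import re
from collections import Counter
from urllib.parse import unquote

# Constructed syslog-style lines (not from any real host); 198.51.100.23 is a
# documentation address playing the attacker.
LOG = """\
Mar 10 08:01:02 web1 sshd[2201]: Failed password for root from 198.51.100.23 port 50122 ssh2
Mar 10 08:01:03 web1 sshd[2201]: Failed password for root from 198.51.100.23 port 50123 ssh2
Mar 10 08:01:04 web1 sshd[2201]: Failed password for admin from 198.51.100.23 port 50124 ssh2
Mar 10 08:01:05 web1 sshd[2201]: Failed password for admin from 198.51.100.23 port 50125 ssh2
Mar 10 08:01:06 web1 sshd[2201]: Failed password for test from 198.51.100.23 port 50126 ssh2
Mar 10 08:02:11 web1 sshd[2210]: Accepted password for alice from 203.0.113.9 port 41000 ssh2
Mar 10 08:05:40 web1 httpd: GET /index.php?id=1%27%20OR%201%3D1-- from 198.51.100.23
Mar 10 08:06:01 web1 sshd[2215]: Accepted password for alice from 203.0.113.9 port 41002 ssh2
"""

# Signature-based: known attack patterns matched literally (the "known tricks").
SIGNATURES = {
    "sqli_or_1=1": re.compile(r"' OR 1=1", re.I),
    "path_traversal": re.compile(r"\.\./\.\./"),
}
FAILED_RE = re.compile(r"Failed password for (\S+) from (\S+)")

def signature_alerts(lines):
    alerts = []
    for line in lines:
        # Normalise URL-encoding before matching; otherwise the encoded form of the
        # same request never hits the signature.
        decoded = unquote(line)
        for name, pat in SIGNATURES.items():
            if pat.search(decoded):
                alerts.append(("signature", name, line))
    return alerts

def anomaly_alerts(lines, threshold=4):
    """Anomaly-based: no fixed pattern, just more failed logins from one source
    than the baseline allows ("someone trying to log in many times")."""
    failures = Counter(m.group(2) for m in map(FAILED_RE.search, lines) if m)
    return [("anomaly", f"{n} failed logins from {src}", src)
            for src, n in failures.items() if n >= threshold]

def hybrid_detect(text, threshold=4):
    """Hybrid: union of both methods; each catches what the other cannot."""
    lines = text.splitlines()
    return signature_alerts(lines) + anomaly_alerts(lines, threshold)

if __name__ == "__main__":
    for kind, what, where in hybrid_detect(LOG):
        print(f"[{kind}] {what}: {where}")
```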
Limitations:
IDSs are primarily for detection and alerting, not prevention. They need to be combined with
other security measures like firewalls and intrusion prevention systems (IPS) to effectively
protect a network.