• Tools
- Packet capture
o Wireshark
o tcpdump - Log analysis/correlation
o Security information and
event management (SIEM)
o Security orchestration,
automation, and response
(SOAR) - Endpoint security
o Endpoint detection and
response (EDR) - Domain name service (DNS) and
Internet Protocol (IP) reputation
o WHOIS
o AbuseIPDB - File analysis
o Strings
o VirusTotal - Sandboxing
o Joe Sandbox
o Cuckoo Sandbox
• Common techniques - Pattern recognition
o Command and control - Interpreting suspicious
commands - Email analysis
o Header
o Impersonation
o DomainKeys Identified Mail
(DKIM)
o Domain-based Message
Authentication, Reporting,
and Conformance (DMARC)
o Sender Policy Framework
(SPF)
o Embedded links - File analysis
o Hashing - User behavior analysis
o Abnormal account activity
o Impossible travel
• Programming languages/scripting - JavaScript Object Notation
(JSON) - Extensible Markup Language
(XML) - Python
- PowerShell
- Shell script
- Regular expressions