<?xml version="1.0"?>
<Module projectID="1303" moduleID="1573">
	<ModuleName>M01_L04</ModuleName>
	<AU>M01_L04</AU>
	<Title>Incident Analysis</Title>
	<Subtitle>Incident Analysis</Subtitle>
	<LinkSet>links</LinkSet>
	<CourseMapSWFPath>../M01_L04/assets/coursemap.swf</CourseMapSWFPath>
	<NavBtns>
        <NavBtn>
			<ID>courseMenuBtn</ID>
			<Label>Course menu</Label>
			<RMAText>Course menu. Select this button to access the course menu.</RMAText>
			<ClickEventName>MainMenuButtonClicked</ClickEventName>
		</NavBtn> 	
		<NavBtn>
			<ID>moduleMapBtn</ID>
			<Label>Lesson Map</Label>
			<RMAText>Lesson Map.  Select this button to access the lesson map.</RMAText>
			<ClickEventName>CourseMapButtonClicked</ClickEventName>
		</NavBtn>
		<NavBtn>
			<ID>glossaryBtn</ID>
			<Name>Glossary</Name>
<RMAText>Glossary. Select this button to open the glossary.</RMAText>
			<ClickEventName>GlossaryButtonClicked</ClickEventName>
		</NavBtn>
		<NavBtn>
			<ID>resourcesBtn</ID>
			<Label>Resources</Label>
<RMAText>Resources. Select this button to open the resources.</RMAText>
			<ClickEventName>ResourcesButtonClicked</ClickEventName>
		</NavBtn>
		<NavBtn>
			<ID>exitBtn</ID>
			<Label>Exit</Label>
			<RMAText>Exit.  Select this button to exit the course.</RMAText>
			<ClickEventName>ExitButtonClicked</ClickEventName>
		</NavBtn>
		<NavBtn>
			<ID>replayBtn</ID>
			<Label>Replay</Label>
			<RMAText>Replay. Select this button to replay the current screen.</RMAText>
			<ClickEventName>ReplayButtonClicked</ClickEventName>
		</NavBtn>
		<NavBtn>
			<ID>pauseBtn</ID>
			<Label>Pause</Label>
			<RMAText>Pause.  Select this button to pause the course.</RMAText>
			<ClickEventName>PauseButtonClicked</ClickEventName>
		</NavBtn>
		<NavBtn>
			<ID>resumeBtn</ID>
			<Label>Resume</Label>
			<RMAText>Resume. Select this button to resume the course.</RMAText>
			<ClickEventName>ResumeButtonClicked</ClickEventName>
		</NavBtn>
		<NavBtn prevBtn="true">
			<ID>previousPgBtn</ID>
			<Name>Previous Page</Name>
			<RMAText>Previous. Select this button to go to the previous screen.</RMAText>
			<ClickEventName>PreviousButtonClicked</ClickEventName>
		</NavBtn>
		<NavBtn nextBtn="true">
			<ID>nextPgBtn</ID>
			<Name>Next Page</Name>
			<RMAText>Next. Select this button to go to the next screen.</RMAText>
			<ClickEventName>NextButtonClicked</ClickEventName>
		</NavBtn>
	</NavBtns>
	<Topics>
		<Topic>
			<Title>Introduction</Title>
			<Subtitle/>
			<Pages>
				<Page>
					<Title>Objectives and Topics</Title>
					<Subtitle/>
					<Filename>disaiar04_01</Filename>
					<PageNbr>1</PageNbr>
					<ShowText>
						<Txt frameNbr="1">Welcome to the lesson on Incident Analysis. When you have completed this lesson, you will be able to identify the key components of network analysis, system analysis, malware analysis, and forensic analysis. There are seven topics in this lesson. After completing this introduction and a brief overview of the various types of analyses, you will examine each type of analysis in greater detail. </Txt>
						<Txt frameNbr="1"/>
					</ShowText>
				<Sec508Data><ContentDescription frameNbr="1">Rich Media Text Description. Course: D O D Intrusion Detection System (I D S) Analysis, Part 4: C N D Analysis: Incident Response and Analysis, Lesson 4: Incident Analysis. For each screen you will hear a description. The description is cued by an audio tone. Listen to the description, and then select the play audio narration button to continue. Screen 1 of 22. Lesson title: Incident Analysis. Topic title: Introduction. Screen title: Objectives and Topics. Four learning objectives display in support of audio. Seven topics display. The first topic is titled Introduction. The second topic is titled Analysis Overview. The third topic is titled Network/Traffic Analysis. The fourth topic is titled System/Host Analysis. The fifth topic is titled Malware/Binary Analysis. The sixth topic is titled Forensic Analysis. The seventh and final topic is the Conclusion. Text displays as follows: References to open source or freeware in this training product are for training purposes only, and should not be considered endorsements of these products. Please check with your command, service, or agency for guidance on the use of these products.</ContentDescription></Sec508Data></Page>
			</Pages>
		</Topic>
		<Topic>
			<Title>Analysis Overview</Title>
			<Subtitle/>
			<Pages>
				<Page>
					<Title>Types of Analysis</Title>
					<Subtitle/>
					<Filename>disaiar04_02</Filename>
					<PageNbr>2</PageNbr>
					<ShowText>
						<Txt frameNbr="1">As you learned in the previous lesson, the purpose of incident analysis is to understand the technical details, root causes, and potential impact of an incident. As a CND analyst, you will conduct various types of analyses to develop this understanding. The type of analysis that you conduct will depend on the nature of the incident under analysis. Most incident analysis relies on a combination of five primary types of analysis. Network or traffic analysis looks at network traffic to determine an incident's effect on network resources and identify other indications of compromise. System or host analysis attempts to acquire, preserve, and analyze system artifacts to characterize the incident and develop a course of action. A subset of system/host analysis, volatile data analysis conducts an initial triage on available data to determine whether a compromise has occurred and what level of further analysis is required. Malware or binary analysis identifies, analyzes, and characterizes suspect software artifacts to aid in incident mitigation and law enforcement activities. Finally, forensic analysis applies legal and scientific methods to the identification, collection, examination, and analysis of data related to an incident. It is important to note that these categories are somewhat arbitrary, as there are no clear lines of separation between them. For example, malware may leave traces on a system under analysis as well as in network data. Each of these types of analysis will be covered in detail later in this lesson. </Txt>
						<Txt frameNbr="1"/>
					</ShowText>
				<Sec508Data><ContentDescription frameNbr="1">Screen 2 of 22. Topic title: Analysis Overview. Screen title: Types of Analysis. Reprised image displays of C N D Analyst. Reprised image displays of network with alert visible. Five icons display to represent the following five types of analysis: network/traffic analysis, system/host analysis, volatile data analysis, malware/binary analysis, and forensic analysis. Network/traffic analysis icon is highlighted, and callout text displays reading Analyzes an incident's effect on network resources. System/host analysis icon is highlighted, and callout text displays reading Acquires, preserves, and analyzes system artifacts. Volatile data analysis icon is highlighted, and callout text displays reading Conducts an initial triage on available data. Malware/binary analysis icon is highlighted, and callout text displays reading Identifies, analyzes, and characterizes suspect software artifacts. Forensic analysis icon is highlighted, and callout text displays reading Applies scientific methods to the identification, collection, examination, and analysis of data. Text displays in support of audio.</ContentDescription></Sec508Data></Page>
				<Page>
					<Title>Levels of Analysis</Title>
					<Subtitle/>
					<Filename>disaiar04_03</Filename>
					<PageNbr>3</PageNbr>
					<ShowText>
						<Txt frameNbr="1">In addition to conducting various types of analyses, you will also conduct various levels of analysis to develop your understanding of an incident or event. The level, or depth, of analysis required often depends on the context of the analysis request or the mission of the organization. For example, some organizations may be tasked with recovering from a compromise and have a goal of determining the extent of the damage. However, this may differ greatly from analysis conducted to support a law enforcement investigation, where data preservation and chain of custody must be strictly managed. The level of incident analysis to be conducted will vary depending on a number of factors, including those listed here. Take a moment to review them. </Txt>
						<Txt frameNbr="1"/>
					</ShowText>
				<Sec508Data><ContentDescription frameNbr="1">Screen 3 of 22. Screen title: Levels of Analysis. Reprised image displays of C N D analyst. Images display of network intrusion, office building, and report labeled Damage Assessment. Images display of network intrusion and image representing law enforcement. Text displays as follows: The level of incident analysis to be conducted will vary depending on the incident category, the operational and technical impacts, any identifiable attack vectors or system weaknesses, the availability of relevant information for analysis and available resources.</ContentDescription></Sec508Data></Page>
				<Page>
					<Title>Correlation of Incident Data</Title>
					<Subtitle/>
					<Filename>disaiar04_04</Filename>
					<PageNbr>4</PageNbr>
					<ShowText>
						<Txt frameNbr="1">No matter what type of analysis you are conducting, or at what level, it is crucial that you correlate incident data between different data sources, incidents, and sites. This correlation of incident data is invaluable in identifying attacker tactics, techniques, and procedures, or TTPs, and consequently in enabling the development of new detection methodologies and enhanced security guidance. As a CND analyst, you must keep correlation in mind throughout all of your incident analysis efforts. </Txt>
						<Txt frameNbr="1"/>
					</ShowText>
				<Sec508Data><ContentDescription frameNbr="1">Screen 4 of 22. Screen title: Correlation of Incident Data. Reprised image displays of C N D analyst. Image representing incident data displays as a central hub with arrows leading out to four separate images representing data sources, incidents, and sites. Text displays in support of audio.</ContentDescription></Sec508Data></Page>
			</Pages>
		</Topic>
		<Topic>
			<Title>Network/Traffic Analysis</Title>
			<Subtitle/>
			<Pages>
				<Page>
					<Title>Overview</Title>
					<Subtitle/>
					<Filename>disaiar04_05</Filename>
					<PageNbr>5</PageNbr>
					<ShowText>
						<Txt frameNbr="1">Network analysis is the process of collecting, examining, and interpreting network traffic to identify and respond to events that violate the security policy or posture of the resources attached to the network or the network infrastructure. Analyzing an adversary's use of network resources, understanding the patterns of activity to characterize the threat, and uncovering the network interactions that occurred during an intrusion all provide valuable information that can be useful in discovering other affected or vulnerable systems. This kind of information is also helpful in the development of additional defensive measures. </Txt>
						<Txt frameNbr="1"/>
					</ShowText>
				<Sec508Data><ContentDescription frameNbr="1">Screen 5 of 22. Topic title: Network/Traffic Analysis. Screen title: Overview. Reprised image displays of C N D analyst and basic network with adversary infecting network. Text displays in support of audio.</ContentDescription></Sec508Data></Page>
				<Page>
					<Title>Approach</Title>
					<Subtitle/>
					<Filename>disaiar04_06</Filename>
					<PageNbr>6</PageNbr>
					<ShowText>
						<Txt frameNbr="1">Network analysis should be an ongoing activity, with analysts constantly monitoring the operation of the network. A fundamental precept of computer network defense is to &quot;know thy network.&quot; Because many incidents might not be detected by automated detection measures, such as an IDS, an analyst's understanding of the network provides the best chance of noticing unusual patterns associated with malicious activity. An approach to CND Analysis is described in the IDS Part 3 course. Some fundamental technological approaches to network analysis are listed here. Take a moment to review them. </Txt>
						<Txt frameNbr="1"/>
					</ShowText>
				<Sec508Data><ContentDescription frameNbr="1">Screen 6 of 22. Screen title: Approach. Reprised image displays of C N D analyst and basic network with I D S. Adversary signal is displayed penetrating network. Text displays as follows: Technical Approaches to Network Analysis. Wire speed network packet capture and examination. Pattern matching. Protocol analysis at all layers of the protocol stack. Behavioral analysis. Statistical anomaly detection. Correlation between data types. Alert data. Packet data. Vulnerability data. Statistical data. Log data. Session/flow data. Text displays as follows: For a more detailed evaluation of network analysis, refer to the CND Analysis: A Structured Approach to Intrusion Analysis module of the IDS Analysis, Part 3 course.</ContentDescription></Sec508Data></Page>
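The approaches listed above (statistical anomaly detection over session/flow data) can be demonstrated with a small script. The following is an added example, not part of the course or its job aids: it groups constructed flow records by source, destination and port and flags pairs whose inter-arrival gaps are nearly constant, the regular "check-in" pattern an implant produces that a signature IDS would not see. The flow records, the 0.1 threshold and the field layout are all assumptions made for the illustration.

```python
"""Beacon detection over flow records: flag (src, dst, port) pairs whose
connections recur at near-constant intervals. Added example, not course
material; the flow records below are constructed for illustration."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed flow records: (epoch_seconds, src_ip, dst_ip, dst_port, bytes_out).
# 10.1.1.5 checks in every 60 s; 10.1.1.7 browses at irregular times.
FLOWS = [
    (1000, "10.1.1.5", "203.0.113.9", 443, 512),
    (1060, "10.1.1.5", "203.0.113.9", 443, 520),
    (1120, "10.1.1.5", "203.0.113.9", 443, 508),
    (1180, "10.1.1.5", "203.0.113.9", 443, 515),
    (1240, "10.1.1.5", "203.0.113.9", 443, 511),
    (1003, "10.1.1.7", "198.51.100.2", 80, 4000),
    (1410, "10.1.1.7", "198.51.100.2", 80, 8700),
    (1422, "10.1.1.7", "198.51.100.2", 80, 300),
    (2900, "10.1.1.7", "198.51.100.2", 80, 150),
]


def group_by_pair(flows):
    """Map (src, dst, port) to the list of timestamps at which it was seen."""
    pairs = defaultdict(list)
    for ts, src, dst, port, _ in flows:
        pairs[(src, dst, port)].append(ts)
    return pairs


def interval_stats(timestamps):
    """Mean gap between consecutive flows and the coefficient of variation
    (stdev / mean) of those gaps; a CV near 0 means a fixed schedule."""
    ts = sorted(timestamps)
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    m = mean(gaps)
    cv = pstdev(gaps) / m if m > 0 else None
    return m, cv


def find_beacons(flows, max_cv=0.1, min_flows=4):
    """Return the pairs whose schedule is regular enough to be a beacon.
    max_cv and min_flows are tuning assumptions; jittered beacons need a
    looser max_cv and a longer observation window."""
    hits = []
    for (src, dst, port), stamps in group_by_pair(flows).items():
        if min_flows > len(stamps):
            continue
        interval, cv = interval_stats(stamps)
        if cv is not None and max_cv >= cv:
            hits.append({"src": src, "dst": dst, "port": port,
                         "flows": len(stamps),
                         "interval_s": round(interval, 1),
                         "cv": round(cv, 3)})
    return hits


if __name__ == "__main__":
    for hit in find_beacons(FLOWS):
        print(hit)
```

On the constructed data only 10.1.1.5 is reported (interval 60 s, CV 0.0). Real implants add jitter and sleep through business hours, so the threshold must be tuned against the baseline of the network being defended ("know thy network"), and any hit still has to be correlated with host data before it is called an incident.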
			</Pages>
		</Topic>
		<Topic>
			<Title>System/Host Analysis</Title>
			<Subtitle/>
			<Pages>
				<Page>
					<Title>Overview</Title>
					<Subtitle/>
					<Filename>disaiar04_07</Filename>
					<PageNbr>7</PageNbr>
					<ShowText>
						<Txt frameNbr="1">System/host analysis is the process of gathering and reviewing all information from and about the affected system or systems to further incident analysis and better understand the full scope of the incident. The system information to be analyzed typically includes logs, files, Internet history, configuration settings, records of recently logged-on users, past connections, running processes, open files, and changes to files or system settings, such as access control lists, or ACLs, registries, and permissions. </Txt>
						<Txt frameNbr="1"/>
					</ShowText>
				<Sec508Data><ContentDescription frameNbr="1">Screen 7 of 22. Topic title: System/Host Analysis. Screen title: Overview. Reprised image displays of C N D analyst and basic network showing infected system. Text displays in support of audio.</ContentDescription></Sec508Data></Page>
				<Page>
					<Title>System Analysis Toolbox</Title>
					<Subtitle/>
					<Filename>disaiar04_08</Filename>
					<PageNbr>8</PageNbr>
					<ShowText>
						<Txt frameNbr="1">If the system has been compromised, then you should exercise caution in using any programs on the suspect system that may have been modified or in trusting the validity of logs that may have been tampered with. Your CND or incident response toolbox should contain trusted copies of the appropriate operating system tools to collect data for offline analysis. The toolbox should include all tools required to collect information to analyze files and logs, processes, and connections. The analysis of files and logs examines text files, binary/executable files, and archive files. The analysis of processes results in lists of processes, including processes that have opened a socket. And the analysis of connections results in lists of open sockets or ports and lists of systems connected to the compromised system. The analyst who performs such analyses must be knowledgeable and have the necessary tools to access and examine both volatile and nonvolatile information on the affected system or systems. Let's first take a look at volatile data. </Txt>
						<Txt frameNbr="1"/>
					</ShowText>
				<Sec508Data><ContentDescription frameNbr="1">Screen 8 of 22. Screen title: System Analysis Toolbox. Reprised image displays of C N D analyst and basic network showing compromised system. Image displays of toolbox. Toolbox opens, and tools emerge in sync to audio. The first tool is files and logs. The second tool is processes. The third tool is connections. Text displays in support of audio.</ContentDescription></Sec508Data></Page>
				<Page>
					<Title>Volatile Data</Title>
					<Subtitle/>
					<Filename>disaiar04_09</Filename>
					<PageNbr>9</PageNbr>
					<ShowText>
						<Txt frameNbr="1">Volatile data is any data stored in system memory that will be permanently lost when the system loses power, is rebooted, or is shut down. Such data may include system registers, caches, and RAM. As a CND analyst, you are potentially part of an incident response team, and you should be mindful of preserving the volatile data on a compromised system. Even pulling the network cable can destroy potentially useful data. Not only must you diligently collect and preserve volatile data during incident analysis, you must also minimize the footprint left on the suspect system to maintain the integrity of the collected data. Why examine volatile data? Examination of volatile data provides insight into the state of the system, such as any currently running processes, any open sockets and ports, or the existence of any memory-resident malware. Examining volatile data can also help you to determine a logical timeline identifying the date, time, and/or cause of the incident. Volatile data can be found at both the system level and at the network level. Select Volatile System Data and Volatile Network Data to view examples of each. </Txt>
						<Txt frameNbr="1"/>
					</ShowText>
					<Popups>
						<Popup>
							<Title>Volatile Data</Title>
							<Subtitle/>
							<Filename>disaiar04_09_01</Filename>
							<PageNbr>9</PageNbr>
							<ShowText>
								<Txt frameNbr="1"> </Txt>
								<Txt frameNbr="1"/>
							</ShowText>
						<Sec508TriggerName>Volatile System Data</Sec508TriggerName><Sec508Data><ContentDescription frameNbr="1">Popup 1 of 2. Popup title: Volatile System Data. Text displays as follows: Examples. System profile. Current system date and time. Command history. Current system uptime. Running processes. Open files, startup files, and clipboard data. Logged on users. Dynamic-link libraries (D L ells) or shared libraries. Domain Name System (D N S) cache. Passwords in memory. Recent commands. Current and recently opened files.</ContentDescription></Sec508Data></Popup>
						<Popup>
							<Title>Volatile Data</Title>
							<Subtitle/>
							<Filename>disaiar04_09_02</Filename>
							<PageNbr>9</PageNbr>
							<ShowText>
								<Txt frameNbr="1"> </Txt>
								<Txt frameNbr="1"/>
							</ShowText>
						<Sec508TriggerName>Volatile Network Data</Sec508TriggerName><Sec508Data><ContentDescription frameNbr="1">Popup 2 of 2. Popup title: Volatile Network Data. Text displays as follows: Examples. Open connections. Open ports and sockets. Routing information and configuration. Network interface status and configuration. Address resolution protocol (A R P) cache. Domain Name System (D N S) cache.</ContentDescription></Sec508Data></Popup>
					</Popups>
				<Sec508Data><ContentDescription frameNbr="1">Screen 9 of 22. Screen title: Volatile Data. Reprised images display of C N D analyst and basic network showing one infected system. Text displays in support of audio. The terms Volatile System Data and Volatile Network Data become selectable as popups.</ContentDescription></Sec508Data></Page>
				<Page>
					<Title>Persistent (Nonvolatile) Data</Title>
					<Subtitle/>
					<Filename>disaiar04_10</Filename>
					<PageNbr>10</PageNbr>
					<ShowText>
						<Txt frameNbr="1">Persistent, or nonvolatile, data is data on the system's hard drives and removable storage media that will not be changed when the system is shut down, such as system logs, application logs, and file metadata. As a CND analyst, you must collect persistent data while preventing data on the suspect system from being overwritten. This collection effort often involves disk imaging, which is the process of creating an exact, bit-for-bit duplicate of the original disk. Unlike a file copy, a disk image captures not only the visible files but also hidden files, deleted data, slack space, swap files, and unallocated space. </Txt>
						<Txt frameNbr="1"/>
					</ShowText>
				<Sec508Data><ContentDescription frameNbr="1">Screen 10 of 22. Screen title: Persistent (Nonvolatile) Data. Reprised images display of C N D analyst and basic network showing one infected system. Text displays in support of audio.</ContentDescription></Sec508Data></Page>
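The imaging procedure described above can be shown in code. This is an added example, not course material and not any approved forensic tool: it copies a source in fixed-size chunks, hashes the source as it is read and the finished image as it is re-read, records the two digests with the examiner and acquisition time, and then searches the raw image for content that no longer belongs to any file. The "disk" is a constructed file; in a real acquisition the source is a block device behind a hardware write blocker, the image is written to separate media, and the examiner name and record format follow the organization's evidence procedures.

```python
"""Chunked disk imaging with source/image hash verification and a simple
collection record. Added example, not course material. The source 'disk' is
a constructed file standing in for a block device."""
import hashlib
import os
import tempfile
import time

CHUNK = 4096  # read size; real tools use larger blocks and handle read errors


def image_disk(source, dest, chunk=CHUNK):
    """Copy source to dest byte for byte. Returns (source_sha256, image_sha256, bytes)."""
    src_hash = hashlib.sha256()
    total = 0
    with open(source, "rb") as s, open(dest, "wb") as d:
        while True:
            block = s.read(chunk)
            if not block:
                break
            src_hash.update(block)
            d.write(block)
            total += len(block)
    # Re-read the finished image independently so the digest reflects what
    # actually landed on the evidence media, not just what passed through memory.
    img_hash = hashlib.sha256()
    with open(dest, "rb") as d:
        for block in iter(lambda: d.read(chunk), b""):
            img_hash.update(block)
    return src_hash.hexdigest(), img_hash.hexdigest(), total


def collection_record(source, dest, examiner):
    """Acquire the image and return the facts a chain-of-custody form needs."""
    src_h, img_h, n = image_disk(source, dest)
    return {
        "source": source, "image": dest, "bytes": n,
        "source_sha256": src_h, "image_sha256": img_h,
        "verified": src_h == img_h,
        "examiner": examiner,
        "acquired_utc": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()),
    }


def find_raw(image, needle):
    """Offset of needle in the raw image, or -1. A raw search reaches deleted
    data and slack that a directory listing of the mounted disk would not."""
    with open(image, "rb") as f:
        return f.read().find(needle)


def build_fixture():
    """Constructed 'disk': one live file, then a deleted file's remains in
    unallocated space, padded with zeros to stand in for slack."""
    d = tempfile.mkdtemp(prefix="img_")
    disk = os.path.join(d, "sda.raw")
    content = (b"LIVE:notes.txt=meeting at 0900" + b"\x00" * 30
               + b"DELETED:secret.doc=exfil plan" + b"\x00" * 40)
    with open(disk, "wb") as f:
        f.write(content)
    return disk, os.path.join(d, "sda.dd")


if __name__ == "__main__":
    src, dst = build_fixture()
    rec = collection_record(src, dst, "analyst1")
    print(rec)
    print("deleted content at image offset", find_raw(dst, b"DELETED:"))
```

Matching digests prove that the image equals what was read from the source; they do not prove the source was untouched, which is why the write blocker and the recorded acquisition time matter as much as the hash. Keep the source digest with the evidence: every later examination of a working copy is verified against it.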
				<Page>
					<Title>Other Activities</Title>
					<Subtitle/>
					<Filename>disaiar04_11</Filename>
					<PageNbr>11</PageNbr>
					<ShowText>
						<Txt frameNbr="1">While conducting the system analysis, you may need to perform additional system analysis activities, such as looking up hostnames and IP addresses, tracing hostnames and IP addresses back to their sources, searching for hidden or deleted files, checking the integrity of system binaries, checking for unauthorized processes or services, identifying potential malware, and examining other machines on the local network. Be mindful of tracing hostnames and IP addresses back to their sources. Traceroute, ping, and other IP lookup tools can notify the threat actor that someone is &quot;on to them.&quot; The malicious actor may then change tactics or perform other actions detrimental to your investigation. </Txt>
						<Txt frameNbr="1"/>
					</ShowText>
				<Sec508Data><ContentDescription frameNbr="1">Screen 11 of 22. Screen title: Other Activities. Reprised images display of C N D analyst and basic network showing one infected system. Text displays in support of audio.</ContentDescription></Sec508Data></Page>
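Two points above, the trusted-toolbox rule and the check of system binary integrity, come together in the following added example (not course material and not any fielded tool). It hashes every file in a directory of the suspect host and compares the results with a manifest of known-good digests, reporting each tool as ok, modified, missing or unexpected. The manifest, the fixture directory and its file contents are constructed here; a real manifest is generated from gold-image media, and the interpreter and this script would themselves run from the trusted toolkit, not from the suspect disk.

```python
"""Check binaries on a suspect host against a known-good hash manifest.
Added example, not course material. Manifest and fixture are constructed."""
import hashlib
import os
import tempfile


def sha256_file(path, chunk=1024 * 1024):
    """SHA-256 of a file, read in chunks so large binaries do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def verify_binaries(directory, manifest):
    """Return {name: 'ok' | 'modified' | 'missing' | 'unexpected'}.
    'unexpected' catches files the gold image never had, such as a dropper."""
    results = {}
    present = set(os.listdir(directory))
    for name, expected in manifest.items():
        if name not in present:
            results[name] = "missing"
            continue
        actual = sha256_file(os.path.join(directory, name))
        results[name] = "ok" if actual == expected else "modified"
    for name in present - set(manifest):
        results[name] = "unexpected"
    return results


def build_fixture():
    """Constructed fake /bin: one clean tool, one trojaned tool that hides a
    process name, and one extra hidden file. Manifest digests come from the
    pre-compromise versions."""
    d = tempfile.mkdtemp(prefix="suspect_bin_")
    clean_ls = b"#!/bin/sh\necho real ls\n"
    clean_ps = b"#!/bin/sh\necho real ps\n"
    trojan_ps = b"#!/bin/sh\necho real ps | grep -v implant\n"
    dropper = b"#!/bin/sh\necho dropper\n"
    for name, body in (("ls", clean_ls), ("ps", trojan_ps), (".x", dropper)):
        with open(os.path.join(d, name), "wb") as f:
            f.write(body)
    manifest = {
        "ls": hashlib.sha256(clean_ls).hexdigest(),
        "ps": hashlib.sha256(clean_ps).hexdigest(),
        "netstat": hashlib.sha256(b"#!/bin/sh\necho real netstat\n").hexdigest(),
    }
    return d, manifest


if __name__ == "__main__":
    suspect_dir, manifest = build_fixture()
    for name, status in sorted(verify_binaries(suspect_dir, manifest).items()):
        print(f"{status:10} {name}")
```

A hash comparison only sees what the kernel shows it: a kernel-level rootkit can hide files from a directory listing or serve the clean bytes to a hashing tool while running the trojaned ones. When that is suspected, compare the live view with the same directory read from the offline disk image.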
			</Pages>
		</Topic>
		<Topic>
			<Title>Malware/Binary Analysis</Title>
			<Subtitle/>
			<Pages>
				<Page>
					<Title>Overview</Title>
					<Subtitle/>
					<Filename>disaiar04_12</Filename>
					<PageNbr>12</PageNbr>
					<ShowText>
						<Txt frameNbr="1">Malware is software designed and/or deployed by adversaries without the consent or knowledge of the user in support of adversarial missions, such as gaining access to resources or information, deploying cyber strikes, or disrupting command and control operations. Malware/binary analysis is the process of analyzing and capturing the capabilities of software artifacts suspected of being malicious code. An essential step in determining the full scope of an incident, it provides basic to in-depth reviews of potentially malicious files to enhance the defensive posture within the DoD through improved prevention and identification. It also provides a means to understand the purpose and activity of malicious code and identify indicators for detection and prevention. Uncovering an adversary's tactics, techniques, and procedures, or TTPs, as well as his or her motivations, provides valuable information that can be useful in discovering other affected or vulnerable systems. This kind of information is also helpful in establishing a more concrete framework for attribution and in developing additional defensive measures. </Txt>
						<Txt frameNbr="1"/>
					</ShowText>
				<Sec508Data><ContentDescription frameNbr="1">Screen 12 of 22. Topic title: Malware/Binary Analysis. Screen title: Overview. Reprised images display of C N D analyst and basic network showing adversary penetrating network. Image displays of malware icon. Text displays in support of audio.</ContentDescription></Sec508Data></Page>
				<Page>
					<Title>Approach</Title>
					<Subtitle/>
					<Filename>disaiar04_13</Filename>
					<PageNbr>13</PageNbr>
					<ShowText>
						<Txt frameNbr="1">There are several key concerns to keep in mind in your approach to malware analysis. Of utmost importance is to handle all malware with care. Malware can be extremely destructive, can propagate quickly and efficiently, and is difficult to contain. Therefore, analysts must take all necessary precautions to ensure that the sample does not affect any other operational systems or networks. If possible, once you identify a malware sample, move it to an isolated environment for analysis. In addition, ensure that all software artifacts suspected of being malware are safely acquired, preserved, and submitted to the authorized malware catalogs for storage. Be aware of the analytical resources available to you, and consider the cost-benefit in determining the level of analysis to be conducted on a given artifact. And finally, to prevent the execution of code that may harm DoD networks or systems, conduct all malware analysis in a safe and isolated environment that is segregated from other DoD systems. This isolated environment is also known as a sandbox. </Txt>
						<Txt frameNbr="1"/>
					</ShowText>
				<Sec508Data><ContentDescription frameNbr="1">Screen 13 of 22. Screen title: Approach. Reprised images display of C N D analyst and basic network showing one infected system. Four images display to represent the following concepts: handle with care, catalog all software artifacts, manage capability effectively, and perform analysis in isolation.</ContentDescription></Sec508Data></Page>
				<Page>
					<Title>Levels of Malware Analysis</Title>
					<Subtitle/>
					<Filename>disaiar04_14</Filename>
					<PageNbr>14</PageNbr>
					<ShowText>
						<Txt frameNbr="1">Malware analysis can be performed at various levels of depth. Each successive level requires personnel to possess more sophisticated skills and have access to additional tools or systems. The first level is behavioral analysis, which involves execution of the malware in a sandbox using monitoring tools and packet capture tools to observe its interactions with the environment. The second level is surface analysis, which involves quick checks to characterize the sample and determine the basic nature and intent of the malware. The third level is run-time analysis, which involves the controlled execution of the malware sample in an isolated environment to monitor, observe, and record run-time behavior and develop an initial suggestion of adversarial intent. The fourth level is static analysis, which involves examining and interpreting the contents of the malware sample to determine adversarial intent with a high degree of confidence. And finally, as the most in-depth analysis method, reverse engineering disassembles the sample to examine the code. This is the only method that can produce a definitive understanding of a malware sample. Select each level of malware analysis to learn more about each. Select Job Aid to view a printable job aid describing the levels of malware analysis. </Txt>
						<Txt frameNbr="1"/>
					</ShowText>
					<Popups>
						<Popup>
							<Title>Levels of Malware Analysis</Title>
							<Subtitle/>
							<Filename>disaiar04_14_01</Filename>
							<PageNbr>14</PageNbr>
							<ShowText>
								<Txt frameNbr="1"> </Txt>
								<Txt frameNbr="1"/>
							</ShowText>
						<Sec508TriggerName>Behavioral Analysis</Sec508TriggerName><Sec508Data><ContentDescription frameNbr="1">Popup 1 of 5. Popup title: Behavioral Analysis. Text displays as follows: Execution of the malware in a sandbox using monitoring tools and packet capture tools to observe its interactions with the environment.</ContentDescription></Sec508Data></Popup>
						<Popup>
							<Title>Levels of Malware Analysis</Title>
							<Subtitle/>
							<Filename>disaiar04_14_02</Filename>
							<PageNbr>14</PageNbr>
							<ShowText>
								<Txt frameNbr="1"> </Txt>
								<Txt frameNbr="1"/>
							</ShowText>
						<Sec508TriggerName>Surface Analysis</Sec508TriggerName><Sec508Data><ContentDescription frameNbr="1">Popup 2 of 5. Popup title: Surface Analysis. Text displays as follows: Quick checks to characterize the sample and determine the basic nature and intent of the malware</ContentDescription></Sec508Data></Popup>
						<Popup>
							<Title>Levels of Malware Analysis</Title>
							<Subtitle/>
							<Filename>disaiar04_14_03</Filename>
							<PageNbr>14</PageNbr>
							<ShowText>
								<Txt frameNbr="1"> </Txt>
								<Txt frameNbr="1"/>
							</ShowText>
						<Sec508TriggerName>Run-time Analysis</Sec508TriggerName><Sec508Data><ContentDescription frameNbr="1">Popup 3 of 5. Popup title: Run-time Analysis. Text displays as follows: Controlled execution of the malware sample in an isolated environment to monitor, observe, and record run-time behavior and develop an initial suggestion of adversarial intent</ContentDescription></Sec508Data></Popup>
						<Popup>
							<Title>Levels of Malware Analysis</Title>
							<Subtitle/>
							<Filename>disaiar04_14_04</Filename>
							<PageNbr>14</PageNbr>
							<ShowText>
								<Txt frameNbr="1"> </Txt>
								<Txt frameNbr="1"/>
							</ShowText>
						<Sec508TriggerName>Static Analysis</Sec508TriggerName><Sec508Data><ContentDescription frameNbr="1">Popup 4 of 5. Popup title: Static Analysis. Text displays as follows: Examining and interpreting the contents of the malware sample to determine adversarial intent with a high degree of confidence</ContentDescription></Sec508Data></Popup>
						<Popup>
							<Title>Levels of Malware Analysis</Title>
							<Subtitle/>
							<Filename>disaiar04_14_05</Filename>
							<PageNbr>14</PageNbr>
							<ShowText>
								<Txt frameNbr="1"> </Txt>
								<Txt frameNbr="1"/>
							</ShowText>
						<Sec508TriggerName>Reverse Engineering</Sec508TriggerName><Sec508Data><ContentDescription frameNbr="1">Popup 5 of 5. Popup title: Reverse Engineering. Text displays as follows: The most in-depth analysis method; disassembles sample to examine the code; the only method that can produce a definitive understanding of a malware sample.</ContentDescription></Sec508Data></Popup>
					</Popups>
				<Sec508Data><ContentDescription frameNbr="1">Screen 14 of 22. Screen title: Levels of Malware Analysis. Reprised images display of C N D analyst and basic network showing one infected system. Image displays of magnifying glass examining parts of the network. Text displays in support of audio. Job Aid icon displays and becomes selectable to open a P D F version of the job aid. The following terms become selectable as popups: Behavioral Analysis, Surface Analysis, Run-time Analysis, Static Analysis, and Reverse Engineering. </ContentDescription></Sec508Data></Page>
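Of the levels listed above, surface analysis is the one an analyst can start immediately without executing anything. The following is an added example, not course material and not a job-aid tool: it takes a constructed sample (a fake PE-style header followed by embedded strings), records its hashes and file type from the magic bytes, extracts printable strings, and matches them against a short set of indicator patterns. The sample bytes, the magic table and the indicator patterns are illustrative assumptions; real triage uses far larger signature and API lists and still treats the result only as the "basic nature and intent" the course describes, not as a definitive finding.

```python
"""Surface analysis of a suspect file: hashes, type from magic bytes, printable
strings and indicator matching, with no execution. Added example, not course
material. SAMPLE is constructed and the pattern lists are illustrative."""
import hashlib
import re

PRINTABLE = re.compile(rb"[\x20-\x7e]{6,}")  # runs of 6+ printable ASCII bytes
MAGIC = {b"MZ": "pe", b"\x7fELF": "elf", b"PK\x03\x04": "zip", b"%PDF": "pdf"}
IOC_PATTERNS = {
    "url": re.compile(rb"https?://[\w./-]+"),
    "ipv4": re.compile(rb"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "registry_run_key": re.compile(rb"CurrentVersion\\Run", re.I),
    "suspicious_api": re.compile(
        rb"\b(?:VirtualAllocEx|WriteProcessMemory|CreateRemoteThread|URLDownloadToFile)\b"),
}


def file_type(data):
    """Classify by leading magic bytes; the extension on disk is not trusted."""
    for sig, name in MAGIC.items():
        if data.startswith(sig):
            return name
    return "unknown"


def strings(data, min_len=6):
    """Printable ASCII runs, as the strings utility would report them."""
    return [s.decode("ascii") for s in PRINTABLE.findall(data) if len(s) >= min_len]


def surface_report(data):
    """Hashes for catalog lookup, type, strings and any indicator hits."""
    report = {
        "size": len(data),
        "md5": hashlib.md5(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
        "type": file_type(data),
        "strings": strings(data),
        "indicators": {},
    }
    for name, pattern in IOC_PATTERNS.items():
        found = sorted({m.decode("ascii", "replace") for m in pattern.findall(data)})
        if found:
            report["indicators"][name] = found
    return report


# Constructed sample: MZ/PE-style header, a C2 URL, an IP, a Run key and
# the API names typical of process injection.
SAMPLE = (b"MZ\x90\x00" + b"\x00" * 60 + b"PE\x00\x00" + b"\x00" * 16
          + b"http://c2.example.invalid/gate.php\x00"
          + b"203.0.113.77\x00"
          + b"Software\\Microsoft\\Windows\\CurrentVersion\\Run\x00"
          + b"VirtualAllocEx\x00WriteProcessMemory\x00CreateRemoteThread\x00")

if __name__ == "__main__":
    report = surface_report(SAMPLE)
    print(report["type"], report["size"], report["sha256"])
    for name, hits in report["indicators"].items():
        print(name, hits)
```

The hashes are what you submit to the authorized malware catalog before doing anything else; an exact match may end the analysis at this level. Packed or encoded samples yield few useful strings and no indicator hits, which is itself a finding and the usual reason to move on to run-time analysis in the sandbox.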
			</Pages>
		</Topic>
		<Topic>
			<Title>Forensic Analysis</Title>
			<Subtitle/>
			<Pages>
				<Page>
					<Title>Overview</Title>
					<Subtitle/>
					<Filename>disaiar04_15</Filename>
					<PageNbr>15</PageNbr>
					<ShowText>
						<Txt frameNbr="1">Computer forensics is the discipline that combines elements of law and computer science to collect and analyze data from computer systems, networks, wireless communication devices, and storage devices in a way that is admissible as evidence in a court of law. Forensic analysis identifies and confirms compromises, infection vectors, and security violations from systems identified in standard incident reporting. It may also generate further indicators and recommendations for both intrusion detection and prevention. </Txt>
						<Txt frameNbr="1"/>
					</ShowText>
				<Sec508Data><ContentDescription frameNbr="1">Screen 15 of 22. Topic title: Forensic Analysis. Screen title: Overview. Reprised images display of C N D analyst and basic network showing one infected system. Text displays in support of audio.</ContentDescription></Sec508Data></Page>
				<Page>
					<Title>Process</Title>
					<Subtitle/>
					<Filename>disaiar04_16</Filename>
					<PageNbr>16</PageNbr>
					<ShowText>
						<Txt frameNbr="1">Forensic analysis, as a process, consists of four basic phases: collection, examination, analysis, and reporting. In the collection phase, data is identified, labeled, recorded, and acquired from all relevant sources, all the while following guidelines and procedures that preserve the integrity of the data. The examination phase involves forensically processing large amounts of collected data using a combination of automated and manual methods to assess and extract data of particular interest while also preserving its integrity. The analysis phase involves analyzing the collected data using forensically proven methods and techniques to derive information that addresses the questions driving the analysis. And finally, the results of the analysis must be reported. Although the formality of the reporting phase varies greatly depending on the situation, reporting may include describing the methods used, explaining how tools and procedures were selected, determining what other actions need to be performed, and providing recommendations for improvement to policies, guidelines, procedures, tools, and other aspects of the forensic process. </Txt>
						<Txt frameNbr="1"/>
					</ShowText>
				<Sec508Data><ContentDescription frameNbr="1">Screen 16 of 22. Screen title: Process. Reprised image displays of C N D analyst. Four phases of the forensic analysis process display. Phase 1 is titled Collection. Phase 2 is titled Examination. Phase 3 is titled Analysis. And Phase 4 is titled Reporting. Text displays in support of audio.</ContentDescription></Sec508Data></Page>
				<Page>
					<Title>What Sets Forensics Apart?</Title>
					<Subtitle/>
					<Filename>disaiar04_17</Filename>
					<PageNbr>17</PageNbr>
					<ShowText>
						<Txt frameNbr="1">So how is forensic analysis different from other types of incident analysis? You may have noticed that many of the tasks that support forensic collection and analysis are similar to, and sometimes the same as, those that support other incident analysis activities. The difference is that while other analysis activities are generally focused on gaining a technical understanding of the incident, when the same analysis activities are conducted for forensic analysis, they are focused on processing and preserving the authenticity and integrity of data in a manner that ensures the data can be admissible as evidence in a court of law. For incidents to be eligible for investigation as cyber crime, incident handlers must understand and follow proper forensic and evidence-handling procedures, even if that means doing nothing until a trained forensic analyst can begin the proper evidence collection. Data and information gathered as evidence for forensic analysis must be obtained and handled in accordance with various applicable laws, possibly spanning many jurisdictions, to ensure that the information will stand up in a court of law. Electronic data gathered from a computer for use in forensic analysis can consist of both volatile data and persistent data from the affected system or systems. The use of approved forensic tools and methods to collect and handle volatile and persistent data will help to ensure that incident handlers and first responders satisfy all legal requirements. </Txt>
						<Txt frameNbr="1"/>
					</ShowText>
				<Sec508Data><ContentDescription frameNbr="1">Screen 17 of 22. Screen title: What Sets Forensics Apart? Question text appears on screen: How is forensic analysis different? Reprised images display of C N D analyst and basic network showing one infected system. Large oval displays with the word Analysis in the center. The following words appear around Analysis in support of audio: collect, identify, gather, acquire, analyze, examine, determine response, recommend action. Text displays in support of audio.</ContentDescription></Sec508Data></Page>
			</Pages>
		</Topic>
		<Topic>
			<Title>Knowledge Check</Title>
			<Subtitle/>
			<Pages>
				<Page>
					<Title>Knowledge Check</Title>
					<Subtitle/>
					<Filename>disaiar04_18</Filename>
					<PageNbr>18</PageNbr>
					<PageType display="Sequential">Knowledge Check</PageType>
					<AttemptCountLimit>1</AttemptCountLimit>
					<DfltQuestionWidth>500</DfltQuestionWidth>
					<DfltFBWidth>425</DfltFBWidth>
					<Questions>
						<Question qType="MC">
							<Txt>Which type of analysis gathers and reviews all information from or about the affected system or systems to further incident analysis and better understand the full scope of the incident?
Question 1 of 4.</Txt>
							<Response>
								<Txt>Network analysis</Txt>
							</Response>
							<Response valid="true">
								<Txt>System/host analysis</Txt>
							</Response>
							<Response>
								<Txt>Malware/binary analysis</Txt>
							</Response>
							<Response>
								<Txt>Forensic analysis</Txt>
							</Response>
							<Feedback>
								<DfltCorrect>Correct. System/host analysis gathers and reviews all information from and about the affected system or systems to further incident analysis and better understand the full scope of the incident.</DfltCorrect>
								<DfltIncorrect>Incorrect. System/host analysis gathers and reviews all information from and about the affected system or systems to further incident analysis and better understand the full scope of the incident.</DfltIncorrect>
							</Feedback>
						</Question>
						<Question qType="MC">
							<Txt>Which type of analysis combines elements of law and computer science to collect and analyze data from computer systems, networks, wireless communication devices, and storage devices in a way that is admissible as evidence in a court of law?
Question 2 of 4.</Txt>
							<Response>
								<Txt>Network analysis</Txt>
							</Response>
							<Response>
								<Txt>System/host analysis</Txt>
							</Response>
							<Response>
								<Txt>Malware/binary analysis</Txt>
							</Response>
							<Response valid="true">
								<Txt>Forensic analysis</Txt>
							</Response>
							<Feedback>
								<DfltCorrect>Correct. Computer forensics combines elements of law and computer science to collect and analyze data from computer systems, networks, wireless communication devices, and storage devices in a way that is admissible as evidence in a court of law.</DfltCorrect>
								<DfltIncorrect>Incorrect. Computer forensics combines elements of law and computer science to collect and analyze data from computer systems, networks, wireless communication devices, and storage devices in a way that is admissible as evidence in a court of law.</DfltIncorrect>
							</Feedback>
						</Question>
						<Question qType="MC">
							<Txt>Which type of analysis collects, examines, and interprets network traffic to identify and respond to incidents affecting networked resources?
Question 3 of 4.</Txt>
							<Response valid="true">
								<Txt>Network analysis</Txt>
							</Response>
							<Response>
								<Txt>System/host analysis</Txt>
							</Response>
							<Response>
								<Txt>Malware/binary analysis</Txt>
							</Response>
							<Response>
								<Txt>Forensic analysis</Txt>
							</Response>
							<Feedback>
								<DfltCorrect>Correct. Network analysis collects, examines, and interprets network traffic to identify and respond to incidents affecting networked resources.</DfltCorrect>
								<DfltIncorrect>Incorrect. Network analysis collects, examines, and interprets network traffic to identify and respond to incidents affecting networked resources.</DfltIncorrect>
							</Feedback>
						</Question>
						<Question qType="MC">
							<Txt>Which type of analysis analyzes and captures the capabilities of software artifacts suspected of being malicious code?
Question 4 of 4.</Txt>
							<Response>
								<Txt>Network analysis</Txt>
							</Response>
							<Response>
								<Txt>System/host analysis</Txt>
							</Response>
							<Response valid="true">
								<Txt>Malware/binary analysis</Txt>
							</Response>
							<Response>
								<Txt>Forensic analysis</Txt>
							</Response>
							<Feedback>
								<DfltCorrect>Correct. Malware/binary analysis analyzes and captures the capabilities of software artifacts suspected of being malicious code.</DfltCorrect>
								<DfltIncorrect>Incorrect. Malware/binary analysis analyzes and captures the capabilities of software artifacts suspected of being malicious code.</DfltIncorrect>
							</Feedback>
						</Question>
					</Questions>
					<ShowText>
						<Txt frameNbr="1">Now check your knowledge of the various types of analysis. </Txt>
						<Txt frameNbr="1"/>
					</ShowText>
				<Sec508Data><ContentDescription frameNbr="1">Screen 18 of 22. Topic title: Knowledge Check. Screen title: Knowledge Check. Knowledge check is a series of four multiple-choice questions, each with the same four answer options. For each question, select the best answer, and then select Done. Use the keyboard to cycle through the answers.</ContentDescription></Sec508Data></Page>
				<Page>
					<Title>Knowledge Check</Title>
					<Subtitle/>
					<Filename>disaiar04_19</Filename>
					<PageNbr>19</PageNbr>
					<PageType display="Sequential">Knowledge Check</PageType>
					<AttemptCountLimit>1</AttemptCountLimit>
					<DfltQuestionWidth>500</DfltQuestionWidth>
					<DfltFBWidth>425</DfltFBWidth>
					<Questions>
						<Question qType="MC">
							<Txt>Which type of analysis involves pattern matching, protocol analysis, and statistical anomaly detection?
Question 1 of 6.</Txt>
							<Response valid="true">
								<Txt>Network/traffic analysis</Txt>
							</Response>
							<Response>
								<Txt>System/host analysis</Txt>
							</Response>
							<Response>
								<Txt>Malware/binary analysis</Txt>
							</Response>
							<Response>
								<Txt>Forensic analysis</Txt>
							</Response>
							<Feedback>
								<DfltCorrect>Correct. Pattern matching, protocol analysis, and statistical anomaly detection are all activities that may be conducted during network/traffic analysis.</DfltCorrect>
								<DfltIncorrect>Incorrect. Pattern matching, protocol analysis, and statistical anomaly detection are all activities that may be conducted during network/traffic analysis.</DfltIncorrect>
							</Feedback>
						</Question>
						<Question qType="MC">
							<Txt>Which type of analysis involves behavioral analysis, run-time analysis, and reverse engineering?
Question 2 of 6.</Txt>
							<Response>
								<Txt>Network/traffic analysis</Txt>
							</Response>
							<Response>
								<Txt>System/host analysis</Txt>
							</Response>
							<Response valid="true">
								<Txt>Malware/binary analysis</Txt>
							</Response>
							<Response>
								<Txt>Forensic analysis</Txt>
							</Response>
							<Feedback>
								<DfltCorrect>Correct. Behavioral analysis, run-time analysis, and reverse engineering are all levels of analysis conducted during malware analysis.</DfltCorrect>
								<DfltIncorrect>Incorrect. Behavioral analysis, run-time analysis, and reverse engineering are all levels of analysis conducted during malware analysis.</DfltIncorrect>
							</Feedback>
						</Question>
						<Question qType="MC">
							<Txt>Which type of analysis involves analysis of volatile and persistent (nonvolatile) data?
Question 3 of 6.</Txt>
							<Response>
								<Txt>Network/traffic analysis</Txt>
							</Response>
							<Response valid="true">
								<Txt>System/host analysis</Txt>
							</Response>
							<Response>
								<Txt>Malware/binary analysis</Txt>
							</Response>
							<Response>
								<Txt>Forensic analysis</Txt>
							</Response>
							<Feedback>
								<DfltCorrect>Correct. Volatile and persistent (nonvolatile) data are both used to support system/host analysis.</DfltCorrect>
								<DfltIncorrect>Incorrect. Volatile and persistent (nonvolatile) data are both used to support system/host analysis.</DfltIncorrect>
							</Feedback>
						</Question>
						<Question qType="MC">
							<Txt>Which type of analysis involves collection, examination, analysis, and reporting as the primary phases in its analysis process?
Question 4 of 6.</Txt>
							<Response>
								<Txt>Network/traffic analysis</Txt>
							</Response>
							<Response>
								<Txt>System/host analysis</Txt>
							</Response>
							<Response>
								<Txt>Malware/binary analysis</Txt>
							</Response>
							<Response valid="true">
								<Txt>Forensic analysis</Txt>
							</Response>
							<Feedback>
								<DfltCorrect>Correct. Collection, examination, analysis, and reporting are the four basic phases of forensic analysis.</DfltCorrect>
								<DfltIncorrect>Incorrect. Collection, examination, analysis, and reporting are the four basic phases of forensic analysis.</DfltIncorrect>
							</Feedback>
						</Question>
						<Question qType="MC">
							<Txt>Which type of analysis involves analysis of logs, files, processes, and connections?
Question 5 of 6.</Txt>
							<Response>
								<Txt>Network/traffic analysis</Txt>
							</Response>
							<Response valid="true">
								<Txt>System/host analysis</Txt>
							</Response>
							<Response>
								<Txt>Malware/binary analysis</Txt>
							</Response>
							<Response>
								<Txt>Forensic analysis</Txt>
							</Response>
							<Feedback>
								<DfltCorrect>Correct. Logs, files, processes, and connections are all analyzed as part of system/host analysis.</DfltCorrect>
								<DfltIncorrect>Incorrect. Logs, files, processes, and connections are all analyzed as part of system/host analysis.</DfltIncorrect>
							</Feedback>
						</Question>
						<Question qType="MC">
							<Txt>Which type of analysis must be conducted in isolation?
Question 6 of 6.</Txt>
							<Response>
								<Txt>Network/traffic analysis</Txt>
							</Response>
							<Response>
								<Txt>System/host analysis</Txt>
							</Response>
							<Response valid="true">
								<Txt>Malware/binary analysis</Txt>
							</Response>
							<Response>
								<Txt>Forensic analysis</Txt>
							</Response>
							<Feedback>
								<DfltCorrect>Correct. To prevent the execution of code that may harm DoD networks or systems, malware/binary analysis must always be conducted in an isolated environment (also known as a sandbox).</DfltCorrect>
								<DfltIncorrect>Incorrect. To prevent the execution of code that may harm DoD networks or systems, malware/binary analysis must always be conducted in an isolated environment (also known as a sandbox).</DfltIncorrect>
							</Feedback>
						</Question>
					</Questions>
					<ShowText>
						<Txt frameNbr="1">Now try these questions on the components of each type of analysis. </Txt>
						<Txt frameNbr="1"/>
					</ShowText>
				<Sec508Data><ContentDescription frameNbr="1">Screen 19 of 22. Screen title: Knowledge Check. Knowledge check is a series of six multiple-choice questions, each with the same four answer options. For each question, select the best answer, and then select Done. Use the keyboard to cycle through the answers. </ContentDescription></Sec508Data></Page>
				<Page>
					<Title>Knowledge Check</Title>
					<Subtitle/>
					<Filename>disaiar04_20</Filename>
					<PageNbr>20</PageNbr>
					<PageType>Knowledge Check</PageType>
					<AttemptCountLimit>1</AttemptCountLimit>
					<DfltQuestionWidth>500</DfltQuestionWidth>
					<DfltFBWidth>425</DfltFBWidth>
					<Questions>
						<Question qType="MC">
							<Txt>Surface analysis</Txt>
							<Response>
								<Txt>Network/traffic</Txt>
							</Response>
							<Response>
								<Txt>System/host</Txt>
							</Response>
							<Response valid="true">
								<Txt>Malware/binary</Txt>
							</Response>
							<Feedback>
								<DfltCorrect>Correct. Surface analysis is a level of malware/binary analysis.</DfltCorrect>
								<DfltIncorrect>Incorrect. Surface analysis is a level of malware/binary analysis.</DfltIncorrect>
							</Feedback>
						</Question>
						<Question qType="MC">
							<Txt>Correlation between data types</Txt>
							<Response valid="true">
								<Txt>Network/traffic</Txt>
							</Response>
							<Response>
								<Txt>System/host</Txt>
							</Response>
							<Response>
								<Txt>Malware/binary</Txt>
							</Response>
							<Feedback>
								<DfltCorrect>Correct. Correlation of data between data types is performed during network/traffic analysis.</DfltCorrect>
								<DfltIncorrect>Incorrect. Correlation of data between data types is performed during network/traffic analysis.</DfltIncorrect>
							</Feedback>
						</Question>
						<Question qType="MC">
							<Txt>Analysis of open sockets and ports</Txt>
							<Response>
								<Txt>Network/traffic</Txt>
							</Response>
							<Response valid="true">
								<Txt>System/host</Txt>
							</Response>
							<Response>
								<Txt>Malware/binary</Txt>
							</Response>
							<Feedback>
								<DfltCorrect>Correct. Open sockets and ports are analyzed during system/host analysis.</DfltCorrect>
								<DfltIncorrect>Incorrect. Open sockets and ports are analyzed during system/host analysis.</DfltIncorrect>
							</Feedback>
						</Question>
						<Question qType="MC">
							<Txt>Wire speed network packet capture</Txt>
							<Response valid="true">
								<Txt>Network/traffic</Txt>
							</Response>
							<Response>
								<Txt>System/host</Txt>
							</Response>
							<Response>
								<Txt>Malware/binary</Txt>
							</Response>
							<Feedback>
								<DfltCorrect>Correct. Wire speed packet capture and examination are performed during network/traffic analysis.</DfltCorrect>
								<DfltIncorrect>Incorrect. Wire speed packet capture and examination are performed during network/traffic analysis.</DfltIncorrect>
							</Feedback>
						</Question>
						<Question qType="MC">
							<Txt>Reverse engineering</Txt>
							<Response>
								<Txt>Network/traffic</Txt>
							</Response>
							<Response>
								<Txt>System/host</Txt>
							</Response>
							<Response valid="true">
								<Txt>Malware/binary</Txt>
							</Response>
							<Feedback>
								<DfltCorrect>Correct. Reverse engineering is a level of malware analysis.</DfltCorrect>
								<DfltIncorrect>Incorrect. Reverse engineering is a level of malware analysis.</DfltIncorrect>
							</Feedback>
						</Question>
						<Question qType="MC">
							<Txt>Analysis of configuration settings</Txt>
							<Response>
								<Txt>Network/traffic</Txt>
							</Response>
							<Response valid="true">
								<Txt>System/host</Txt>
							</Response>
							<Response>
								<Txt>Malware/binary</Txt>
							</Response>
							<Feedback>
								<DfltCorrect>Correct. Configuration settings are analyzed during system/host analysis.</DfltCorrect>
								<DfltIncorrect>Incorrect. Configuration settings are analyzed during system/host analysis.</DfltIncorrect>
							</Feedback>
						</Question>
					</Questions>
					<ShowText>
						<Txt frameNbr="1">Now try these. </Txt>
						<Txt frameNbr="1"/>
					</ShowText>
				<Sec508Data><ContentDescription frameNbr="1">Screen 20 of 22. Screen title: Knowledge Check. Knowledge check is a survey-style activity with six questions and three answer columns labeled Network/traffic, System/host, and Malware/binary. Select the best answer for each question, and then select Done. Use the keyboard to cycle through the answers.</ContentDescription></Sec508Data></Page>
				<Page>
					<Title>Knowledge Check</Title>
					<Subtitle/>
					<Filename>disaiar04_21</Filename>
					<PageNbr>21</PageNbr>
					<PageType display="Sequential">Knowledge Check</PageType>
					<AttemptCountLimit>1</AttemptCountLimit>
					<DfltQuestionWidth>500</DfltQuestionWidth>
					<DfltFBWidth>425</DfltFBWidth>
					<Questions>
						<Question qType="MC">
							<Txt>Which level of malware analysis involves quick checks to characterize the sample?
Question 1 of 5.</Txt>
							<Response>
								<Txt>Behavioral analysis</Txt>
							</Response>
							<Response valid="true">
								<Txt>Surface analysis</Txt>
							</Response>
							<Response>
								<Txt>Run-time analysis</Txt>
							</Response>
							<Response>
								<Txt>Static analysis</Txt>
							</Response>
							<Response>
								<Txt>Reverse engineering</Txt>
							</Response>
							<Feedback>
								<DfltCorrect>Correct. The second level of malware analysis, surface analysis, involves quick checks to characterize the sample and determine the basic nature and intent of the malware.</DfltCorrect>
								<DfltIncorrect>Incorrect. The second level of malware analysis, surface analysis, involves quick checks to characterize the sample and determine the basic nature and intent of the malware.</DfltIncorrect>
							</Feedback>
						</Question>
						<Question qType="MC">
							<Txt>Which level of malware analysis involves controlled execution of the malware sample in an isolated environment to monitor, observe, and record run-time behavior?
Question 2 of 5.</Txt>
							<Response>
								<Txt>Behavioral analysis</Txt>
							</Response>
							<Response>
								<Txt>Surface analysis</Txt>
							</Response>
							<Response valid="true">
								<Txt>Run-time analysis</Txt>
							</Response>
							<Response>
								<Txt>Static analysis</Txt>
							</Response>
							<Response>
								<Txt>Reverse engineering</Txt>
							</Response>
							<Feedback>
								<DfltCorrect>Correct. The fourth level of malware analysis, run-time analysis, involves controlled execution of the malware sample in an isolated environment to monitor, observe, and record run-time behavior. This level helps to develop an initial suggestion of adversarial intent.</DfltCorrect>
								<DfltIncorrect>Incorrect. The fourth level of malware analysis, run-time analysis, involves controlled execution of the malware sample in an isolated environment to monitor, observe, and record run-time behavior. This level helps to develop an initial suggestion of adversarial intent.</DfltIncorrect>
							</Feedback>
						</Question>
						<Question qType="MC">
							<Txt>Which level of malware analysis involves execution of the malware in a sandbox to observe its interactions with the environment?
Question 3 of 5.</Txt>
							<Response valid="true">
								<Txt>Behavioral analysis</Txt>
							</Response>
							<Response>
								<Txt>Surface analysis</Txt>
							</Response>
							<Response>
								<Txt>Run-time analysis</Txt>
							</Response>
							<Response>
								<Txt>Static analysis</Txt>
							</Response>
							<Response>
								<Txt>Reverse engineering</Txt>
							</Response>
							<Feedback>
								<DfltCorrect>Correct. The lowest level of malware analysis, behavioral analysis, involves executing the malware in a sandbox using monitoring tools and packet capture tools to observe its interactions with the environment.</DfltCorrect>
								<DfltIncorrect>Incorrect. The lowest level of malware analysis, behavioral analysis, involves executing the malware in a sandbox using monitoring tools and packet capture tools to observe its interactions with the environment.</DfltIncorrect>
							</Feedback>
						</Question>
						<Question qType="MC">
							<Txt>Which level of malware analysis involves examining and interpreting the contents of the malware sample to determine adversarial intent with a high degree of confidence?
Question 4 of 5.</Txt>
							<Response>
								<Txt>Behavioral analysis</Txt>
							</Response>
							<Response>
								<Txt>Surface analysis</Txt>
							</Response>
							<Response>
								<Txt>Run-time analysis</Txt>
							</Response>
							<Response valid="true">
								<Txt>Static analysis</Txt>
							</Response>
							<Response>
								<Txt>Reverse engineering</Txt>
							</Response>
							<Feedback>
								<DfltCorrect>Correct. The third level of malware analysis, static analysis, involves examining and interpreting the contents of the malware sample to determine adversarial intent with a high degree of confidence.</DfltCorrect>
								<DfltIncorrect>Incorrect. The third level of malware analysis, static analysis, involves examining and interpreting the contents of the malware sample to determine adversarial intent with a high degree of confidence.</DfltIncorrect>
							</Feedback>
						</Question>
						<Question qType="MC">
							<Txt>Which level of malware analysis is the most in-depth method of analysis?
Question 5 of 5.</Txt>
							<Response>
								<Txt>Behavioral analysis</Txt>
							</Response>
							<Response>
								<Txt>Surface analysis</Txt>
							</Response>
							<Response>
								<Txt>Run-time analysis</Txt>
							</Response>
							<Response>
								<Txt>Static analysis</Txt>
							</Response>
							<Response valid="true">
								<Txt>Reverse engineering</Txt>
							</Response>
							<Feedback>
								<DfltCorrect>Correct. The highest level of malware analysis, reverse engineering, is the most in-depth method of analysis. It is also the only method that can produce a definitive understanding of a malware sample.</DfltCorrect>
								<DfltIncorrect>Incorrect. The highest level of malware analysis, reverse engineering, is the most in-depth method of analysis. It is also the only method that can produce a definitive understanding of a malware sample.</DfltIncorrect>
							</Feedback>
						</Question>
					</Questions>
					<ShowText>
						<Txt frameNbr="1">Now try these questions on the levels of malware analysis. </Txt>
						<Txt frameNbr="1"/>
					</ShowText>
				<Sec508Data><ContentDescription frameNbr="1">Screen 21 of 22. Screen title: Knowledge Check. Knowledge check is a series of five multiple-choice questions, each with the same five answer options. For each question, select the best answer, and then select Done. Use the keyboard to cycle through the answers.</ContentDescription></Sec508Data></Page>
			</Pages>
		</Topic>
		<Topic>
			<Title>Conclusion</Title>
			<Subtitle/>
			<Pages>
				<Page>
					<Title>Summary and Conclusion</Title>
					<Subtitle/>
					<Filename>disaiar04_22</Filename>
					<PageNbr>22</PageNbr>
					<ShowText>
						<Txt frameNbr="1">Congratulations! You have completed the lesson on incident analysis. You should now be able to identify the key components of network analysis, system analysis, malware analysis, and forensic analysis. </Txt>
						<Txt frameNbr="1"/>
					</ShowText>
				<Sec508Data><ContentDescription frameNbr="1">Screen 22 of 22. Topic title: Conclusion. Screen title: Summary and Conclusion. Congratulations text displays. Text displays in support of audio. Objectives bullets change to checkmarks in sync with audio.</ContentDescription></Sec508Data></Page>
			</Pages>
		</Topic>
	</Topics>
</Module>
