This is a practice-oriented course that provides the basic knowledge required to perform duties as a security analyst and conducts incident analysis training through hands-on exercises. We will explore incident analysis methods from a practical perspective necessary for corporate intrusion response and analysis tasks.
According to Article 2, Paragraph 1, Item 7 of the Act on Promotion of Information and Communications Network Utilization and Information Protection, etc., an "intrusion incident" is "a situation caused by an act of attacking information and communications networks or related information systems through methods such as hacking, computer viruses, logic bombs, mail bombs, denial of service, or high-power electromagnetic waves."
An incident occurring in information asset-related systems refers to cases where abnormal operations occur in systems and applications, or phenomena unintended by the administrator (deletion, modification, leakage, etc.) are caused by an attacker.
When a cyber security incident occurs, a company must quickly identify the scope of the damage and minimize the business impact through incident recovery. If activities required for compliance with industry laws or regulations are omitted, penalties or additional enforcement items may arise according to the relevant laws or regulations. To minimize the business impact, the company's security, public relations, and legal teams focus on incident response across the entire organization. Companies conduct annual or quarterly mock drills to practice the essential activities required to respond when a security incident occurs.
Security analysts perform incident analysis when a security breach or legal issue occurs within a company or organization. Because system anomalies arise from many different factors, analysts must be able to tell which of these situations are actually security problems. In particular, when an outside intrusion or a security incident caused by an internal employee occurs, the analyst's role is to assess the damage to the system and determine the cause of the breach through incident analysis.
In order to analyze the damage caused by a corporate incident and derive countermeasures that prevent recurrence, determining the exact cause of the incident matters most. In reality, however, opportunities to experience the actual incident analysis process are rare.
The term "Big Root" is generally used to emphasize the complexity of a problem or situation: the root of the problem is large and complex, so the problem is not limited to a single cause or factor but arises from several factors that are intricately intertwined.
Incidents caused by advanced cyberattacks are also difficult to resolve through surface-level system analysis alone. These sophisticated attacks lead to recurring incidents and cause continuous damage to a company's business. To identify the root cause and intrusion vector of a security incident, corporate security teams must examine information from various systems and solutions during the analysis process.
Through this lecture, we will explain incident response procedures and learn about the types and causes of cybersecurity incidents that cause severe damage to companies. You will also learn the skills necessary to fundamentally resolve the security vulnerabilities that cause hacking incidents.
From concept to practice: the fundamentals of incident analysis
Through incident analysis training similar to real-world cases, you can improve your incident analysis capabilities.
You will acquire the basic knowledge required to perform tasks as a security analyst and practice using analysis tools.
Based on an understanding of network communications and applications, you will identify the causes of cyber security incidents.
By analyzing threat logs generated from various security devices, you can identify attackers attempting to intrude.
You will learn practical incident analysis methods required for performing corporate intrusion response and analysis tasks.
In this course, we will explore practical incident analysis methods required for performing intrusion response and analysis tasks in a corporate environment. We provide practitioners performing network-based intrusion detection log or network packet analysis with the knowledge and know-how for using analysis tools required by security analysts, and explain what results should be sought through analysis.
In particular, you will encounter various logs and analysis tools while performing security analysis tasks. For those who wish to work in intrusion detection system log analysis, web server log analysis, and network packet analysis, this course explains the basic concepts of threat analysis and practical techniques. By explaining the fundamental concepts and techniques along with the know-how I have acquired on the job, I hope to help students improve their task performance capabilities.
The information analyzed for incident analysis typically includes web logs, IDS/IPS logs, and network packet logs. We plan to conduct incident response training by analyzing logs from systems where actual security incidents occurred. Finally, we will also share insights on how to manage and develop your future career from a professional career management perspective.
To help you learn analysis efficiently, the course provides:
Intrusion Response/Analysis Information Collection Methods Required for Practical Work
Analysis tools and usage methods used by incident response/analysis practitioners
Practical know-how through incident response/analysis cases
1) Learn the analysis tools and methodological techniques used by incident response/analysis practitioners.
If you do not have much experience in incident analysis, you may feel overwhelmed about where to start an investigation when an incident occurs. Through this course, you will practice case studies by incident type so that analysts can quickly find the cause of an incident and identify attack paths. Through hands-on practice, you will learn what to focus on to find traces of a breach when analyzing security logs and how to analyze them efficiently.
✅ Learning cases for criteria to distinguish normal logs
✅ Hands-on practice using mass log analysis programs
✅ Learning types of security incidents
2) You can apply and adapt to various situations through analysis methods that are not dependent on specific hacking techniques.
Attackers attempt to infiltrate systems using various methods. By understanding the principles of exploiting vulnerabilities, rather than being dependent on specific attack tools or methods, you will be able to apply and perform analysis on a wide range of security attack attempts.
Security analysis practice for training.
IDS Log Analysis Training
A portion of the attack behavior logs detected by commercial security products is filtered and provided for practice. The attack event names, attack times, and other information are configured identically to actual incident cases.
Web Log Analysis Training
You will directly analyze the attack techniques used against the web server and the logs remaining on the target server. Through this analysis, you will identify vulnerable configurations of the web server and determine the cause of the incident.
Network Packet Analysis
Cybersecurity incident cases were reproduced under the same conditions in a lab environment, and network traffic was captured by replicating the process of attacking a system from an attacker's perspective. The captured packets are then analyzed to determine the target of the attack and the extent of the damage.
📣 Please check before taking the course!
The attacker IP and target IP in the logs used for the practice have been modified for educational purposes.
Learning Content 📚
Through various practice cases, you can practice incident analysis and learn the analysis process. Before learning through the guided analysis process, try performing the analysis yourself first, then compare your own process with the contents of the analysis guide.
Section 1 - Pre-learning
Before the hands-on practice, we will examine the methodologies required for analysis. We will learn how to analyze by distinguishing between identifying attack behaviors based on specific patterns and identifying threats by setting thresholds based on behavior. Then, we will look at how to apply these to security incident cases through examples of identifying abnormal behavior in movies.
Reference video: identifying abnormal behavior in movies
We analyze the cause of a large-scale network failure by examining intrusion detection solution events detected during a specific period. The following table shows the intrusion detection events extracted from the intrusion detection system.
Detection Item             Detection Information
Event Collection Period    3 months
Detection Signature Name   TCP_Invalid_SACK
Source IP                  10.0.0.1
Source Port                Random
Destination IP             Random
Destination Port           Random
Total                      1441 cases
The intrusion detection system signature known as TCP_Invalid_SACK is triggered by abnormal SYN and ACK packets. Generally, TCP communication involves exchanging necessary communication packets according to methods defined in the protocol. However, depending on the program used for communication or network characteristics, communication may occur in a manner that deviates from the established protocol. The TCP_Invalid_SACK signature records these occurrences.
For this reason, the signature also captures the communications of an attacker who uses a non-standard program. Of course, the detected events do not record only the attacker's communications. Among the 1,441 detected events, the number that belong to the attacker will likely be small, and it is the security analyst's job to identify those few attack-related detections through event analysis.
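As an added illustration of the threshold-based approach described in the pre-learning section (example code, not the course's own material), the following Python triages a constructed batch of TCP_Invalid_SACK events laid out like the detection table above. It groups events by destination and flags destinations hit in a tight burst, on the assumption that protocol-deviating noise from ordinary programs is spread thinly over the collection period. The timestamps, destination addresses, window and threshold are all assumptions; only the source address 10.0.0.1 comes from the page.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in the shape of the detection table: one fixed source
# (10.0.0.1, from the page), random destinations and ports, spread over the
# collection period. Timestamps and destination addresses are made up.
RAW_EVENTS = """\
2024-01-03 09:12:01,TCP_Invalid_SACK,10.0.0.1,51021,192.0.2.10,443
2024-01-19 14:02:44,TCP_Invalid_SACK,10.0.0.1,51433,192.0.2.25,80
2024-02-02 11:40:13,TCP_Invalid_SACK,10.0.0.1,52010,192.0.2.31,8080
2024-02-14 03:15:07,TCP_Invalid_SACK,10.0.0.1,53111,192.0.2.77,22
2024-02-14 03:15:09,TCP_Invalid_SACK,10.0.0.1,53112,192.0.2.77,23
2024-02-14 03:15:12,TCP_Invalid_SACK,10.0.0.1,53113,192.0.2.77,80
2024-02-14 03:15:15,TCP_Invalid_SACK,10.0.0.1,53114,192.0.2.77,443
2024-02-14 03:15:20,TCP_Invalid_SACK,10.0.0.1,53115,192.0.2.77,3389
2024-03-09 16:58:30,TCP_Invalid_SACK,10.0.0.1,54200,192.0.2.10,443
"""

def parse_events(text):
    """Turn CSV lines into (timestamp, signature, src, sport, dst, dport) tuples."""
    events = []
    for line in text.strip().splitlines():
        ts, sig, src, sport, dst, dport = line.split(",")
        events.append((datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
                       sig, src, int(sport), dst, int(dport)))
    return events

def burst_destinations(events, window=timedelta(minutes=5), min_events=3):
    """Threshold-based triage (assumed heuristic): flag any destination that
    received at least `min_events` events inside one `window`. Isolated
    events months apart are left as background noise."""
    by_dst = defaultdict(list)
    for ts, _sig, _src, _sport, dst, dport in events:
        by_dst[dst].append((ts, dport))
    flagged = {}
    for dst, hits in by_dst.items():
        hits.sort()
        for i, (start, _) in enumerate(hits):
            in_window = [p for t, p in hits[i:] if t - start <= window]
            if len(in_window) >= min_events:
                flagged[dst] = {"events": len(in_window),
                                "ports": sorted(set(in_window)),
                                "first": start}
                break
    return flagged

if __name__ == "__main__":
    for dst, info in burst_destinations(parse_events(RAW_EVENTS)).items():
        print(dst, info)
```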
We will trace the cause of the incident through the process of directly analyzing the practice log files. The results of the analysis regarding the cause of the incident are explained in the Analysis Guide section. As emphasized earlier, you will conduct incident analysis training by first analyzing the process yourself and then comparing your findings with the contents of the Analysis Guide section.
Analyze the details of an incident on a compromised system through web log analysis. Log processing is the task of removing information that is irrelevant or unnecessary so that events can be analyzed more efficiently. Web server traffic, however, is as vast as a haystack, and finding the attack traffic hidden in it, like a needle in that haystack, is by no means easy.
In the second practice session, we will look at how to clear away the haystack using web logs. Let's install Splunk, Log Parser, and Elasticsearch and practice the process of analyzing Windows web server logs.
An attacker who bypassed the file extension restrictions uploads a server-executable file (an ASP file) to the bulletin board and takes control of the system. Let's analyze this web shell attack through its network communication. Packet analysis makes breach analysis highly efficient, because you need only select the target communication or the scope of servers to be analyzed. To analyze the web shell's communication packets, we will use the filter syntax commonly used during analysis.
During the analysis process, let's extract the backdoor files executed through actual network communication and track what kind of communication occurred and what damage was caused to the server through reproduction.
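The two steps above, clearing the haystack out of a web log and then looking for the trace an uploaded ASP file leaves behind, as an added Python example (not the course's practice logs or tooling). It parses a constructed IIS W3C log excerpt using its #Fields header, drops static-asset requests, and flags executable files served from a directory that should hold only uploaded attachments. The hosts, paths, the attachment directory /board/files/ and the extension lists are assumptions.

```python
from collections import Counter

# Constructed IIS W3C log excerpt (made-up hosts, paths and times; not the
# course's practice logs). The #Fields line drives the parser.
IIS_LOG = """\
#Software: Microsoft Internet Information Services
#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip sc-status
2024-03-02 10:01:05 GET /board/list.asp page=1 198.51.100.20 200
2024-03-02 10:01:06 GET /css/site.css - 198.51.100.20 200
2024-03-02 10:01:06 GET /img/logo.png - 198.51.100.20 200
2024-03-02 10:02:11 POST /board/upload.asp - 203.0.113.9 200
2024-03-02 10:02:30 GET /board/files/photo.jpg - 198.51.100.20 200
2024-03-02 10:03:02 GET /board/files/cmd.asp - 203.0.113.9 200
2024-03-02 10:03:40 POST /board/files/cmd.asp - 203.0.113.9 200
2024-03-02 10:05:12 GET /board/view.asp id=42 198.51.100.21 200
2024-03-02 10:06:00 GET /board/files/cmd.asp - 203.0.113.9 200
"""

STATIC_EXT = (".css", ".js", ".png", ".gif", ".jpg", ".ico")  # assumed noise
EXEC_EXT = (".asp", ".aspx")          # server-side executable on IIS

def parse_iis(text):
    """Parse W3C extended log lines into dicts keyed by the #Fields names."""
    fields, entries = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            entries.append(dict(zip(fields, line.split())))
    return entries

def reduce_log(entries):
    """Clear the haystack: drop static-asset requests that carry no attack trace."""
    return [e for e in entries if not e["cs-uri-stem"].lower().endswith(STATIC_EXT)]

def find_webshell_traces(entries, upload_dirs=("/board/files/",)):
    """Flag executable files served from a directory that should only hold
    uploaded attachments, and count which clients touched them."""
    hits = [e for e in entries
            if e["cs-uri-stem"].lower().startswith(upload_dirs)
            and e["cs-uri-stem"].lower().endswith(EXEC_EXT)]
    return hits, Counter(e["c-ip"] for e in hits)

if __name__ == "__main__":
    entries = reduce_log(parse_iis(IIS_LOG))
    hits, clients = find_webshell_traces(entries)
    for e in hits:
        print(e["date"], e["time"], e["cs-method"], e["cs-uri-stem"], e["c-ip"], e["sc-status"])
    print("clients:", dict(clients))
```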
Q&A 💬
Q. What is the prior knowledge required for learning?
This course is primarily practice-oriented. It does not include basic concepts or theories regarding cybersecurity. To perform the exercises in this course, an understanding of IDS, web application configuration, and web server response codes is required. While prior knowledge is necessary, you can still perform incident analysis even if you have no prior experience with hacking.
Q. How is this different from other security courses?
The lecture content is structured around practical experience in security incident analysis techniques and know-how. Since all three incident analysis cases are adapted from real-world incidents, you can enhance your security incident analysis experience. However, please note that the forensic process in a legal sense, such as collecting disk images, will not be covered.
Q. Are there any reference notes regarding the course?
The practice sessions use open-source tools (MS Log Parser Studio, Wireshark), free trial security products, and Microsoft Excel. The practice content omits the installation process for the analysis products. Students must proceed with individual installations by referring to the installation guide links provided by each manufacturer.
The instructor of this course is ✒️ Bigroot Security
I have been active for 18 years as a CERT team incident response expert and a solution engineer for foreign security companies. I served as the PM for SOC construction and operation projects at IBM Korea. I have performed tasks in designing security infrastructure and developing construction/operation processes. At AhnLab's CERT team, I conducted security incident analysis & response for private companies and public institutions. During the 3.20 DarkSeoul campaign, I performed system inspections for domestic broadcasting stations, and during the Nate personal information leak incident, I supported the inspection of the compromised systems.
Key Experience
Security Consultant: Design/build/operate security enhancement strategies through security infrastructure consulting
Security Control Consulting: Performed SOC establishment consulting and operational tasks
Security Service Product Development: Next-generation security monitoring solution & service development
Incident Response: Numerous cases including military, public, and private sectors
I performed security incident analysis and response for private companies and public institutions as a member of the AhnLab CERT team. During the March 20 DarkSeoul campaign, I conducted system inspections for domestic broadcasting stations, and I also supported the investigation of compromised systems during the Nate personal information leak incident. I have carried out numerous digital forensic investigations into various security breaches targeting both private and public sector organizations.
At IBM Korea, I served as a PM for SOC implementation and operations projects, where I was responsible for designing security infrastructure and developing deployment and operational processes.
As a technical security solution specialist at Cisco Korea, I diagnosed customer environments and provided strategic advice on improvements, leveraging my expertise in security architecture design and threat response scenarios.
I am currently working as a solution engineer at a foreign security firm.
The lecture feels like a compilation of various lectures you've given rather than a single cohesive flow. I think it's a good lecture for beginners in security monitoring.