Dark web: Indicator of compromise
Course length: 1h 4m

In this course, you'll be looking at numerous aspects of the risk matrix, including the risks and threats involved in big data, the Internet of Things (IoT), the dark web and social media. You'll also be exploring threat intelligence, unified threat management (UTM) and security risk, and you'll see how you can use open-source intelligence (OSINT) and dark web threat intelligence to establish, improve and refine your risk treatment. All of this helps ensure that your organisation is protected from, and alert to, the constantly evolving series of information security threats.

However, before you go on to threat management, let's first review risk and see how it relates to cyber security. 


Welcome to the session on IOCs, or indicators of compromise. In this session we're going to look at data that can be found on the Internet which could indicate that your company has been compromised, but also at the places where people log in, where we could try to spot this type of activity at the beginning of an attack or an unauthorised access. So we're going to look at something very simple, like the Windows Event Viewer, and also Unix syslogs; these can give some of this information as well. Let me go in; I've brought up the Event Viewer on my machine here. This is the Windows Event Viewer, which is on all Windows machines. We have different logging systems on the machines themselves, and the Windows Event Viewer is a very useful one. It shows everything that's happening on the system: what applications have been installed, whether they're running correctly, logins. So if I choose, for example, 4672, which is an event ID here, this tells me that someone, probably myself, has successfully connected to this machine at a particular date and time. Now, if that time was two o'clock in the morning and I'm not normally authorised to be on the system at that time, it could indicate that some form of hacker has gained entry into your system. So this could be an indication, and if suddenly you have 2,000 password changes, that could also indicate a brute-force attack.

Someone is trying to launch an attack to break my passwords, which could then be flagged up to a security information and event management (SIEM) system, like Splunk, and the alerts could be logged and picked up by your Security Operations Centre, your SOC. So this is one way of analysing this type of information as it comes in. Now, we have other platforms. We have syslogs, we have Unix logs. These are different system files; some of these configuration files will log information about different activities going on, and we can set different parameters for the unusual activity we want to see. Other indicators of compromise can come in different formats: firewall logs, for example, where someone is accessing a website that is known to be used by hackers. That could be an indication. Suddenly we've got people accessing sites which they should not normally access. Log files changing, all of these fragments which, from a digital forensics perspective, could also be flagged up and give us indications. And that would be important to log. Other indicators of compromise might come from the Internet itself. Now, the Internet is made up of the surface web, the deep web and the dark web. The surface web is what you use on a daily basis; that's the 5% that we use every day. The deep web is sites which have not been indexed by search engines like Google, Google obviously not being the only one out there. Sites which require you to log in and provide a username and password tend to be on the deep web. And then the dark web is a part of the deep web.
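The log checks described above, written out as detection logic over a few constructed log lines. This is an added example, not code from the course: the Windows events and the sshd syslog lines are made up, and the thresholds (a 07:00 to 19:00 working day, 100 password resets in ten minutes, 20 failed SSH passwords in five minutes) are assumptions to tune per environment. One caveat on the event IDs: 4624 is the successful-logon event; 4672 records special privileges assigned to a new logon and normally appears next to the 4624 of an administrative logon, so the off-hours check below keys on 4624.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

WIN_FMT = "%Y-%m-%d %H:%M:%S"

# Constructed Windows Security events for this example: (timestamp, event ID, account).
# 4624 = successful logon; 4672 = special privileges assigned to a new logon
# (it normally accompanies the 4624 of an administrative logon);
# 4723/4724 = password change / password reset attempted.
WINDOWS_EVENTS = [
    ("2024-03-04 09:02:11", 4624, "alice"),
    ("2024-03-04 09:02:11", 4672, "alice"),
    ("2024-03-05 02:13:40", 4624, "alice"),   # 02:13, outside business hours
    ("2024-03-05 02:13:41", 4672, "alice"),
]
# 300 password resets in five minutes: the kind of volume the session
# flags as a possible brute-force or mass-reset attack.
WINDOWS_EVENTS += [
    ("2024-03-05 02:%02d:%02d" % (20 + i // 60, i % 60), 4724, "svc-helpdesk")
    for i in range(300)
]

# Constructed syslog lines from an OpenSSH server under password guessing,
# plus one benign key-based logon. Addresses are from the documentation ranges.
SYSLOG_LINES = [
    "Mar  5 02:30:%02d bastion sshd[4311]: Failed password for root "
    "from 203.0.113.7 port %d ssh2" % (i, 52000 + i)
    for i in range(40)
] + ["Mar  5 02:31:05 bastion sshd[4390]: Accepted publickey for deploy "
     "from 198.51.100.9 port 40112 ssh2"]

SSH_FAIL = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def off_hours_logons(events, start_hour=7, end_hour=19):
    """Successful logons (4624) outside start_hour <= hour < end_hour."""
    hits = []
    for ts, event_id, account in events:
        when = datetime.strptime(ts, WIN_FMT)
        if event_id == 4624 and not start_hour <= when.hour < end_hour:
            hits.append((ts, account))
    return hits


def first_burst(times, threshold, window):
    """Return the timestamp at which `threshold` events have occurred within a
    sliding `window`, or None if the volume never reaches it."""
    times = sorted(times)
    left = 0
    for right, t in enumerate(times):
        while t - times[left] > window:
            left += 1
        if right - left + 1 >= threshold:
            return t
    return None


def ssh_failures_by_ip(lines, year=2024):
    """Map source IP -> timestamps of failed password attempts. Syslog lines
    carry no year, so one is supplied by the caller."""
    failures = defaultdict(list)
    for line in lines:
        m = SSH_FAIL.match(line)
        if m:
            when = datetime.strptime("%d %s" % (year, m.group("ts")), "%Y %b %d %H:%M:%S")
            failures[m.group("ip")].append(when)
    return failures


def alerts(win_events=WINDOWS_EVENTS, syslog_lines=SYSLOG_LINES):
    """Run the three checks and return human-readable alert strings."""
    out = []
    for ts, account in off_hours_logons(win_events):
        out.append("off-hours logon by %s at %s" % (account, ts))
    resets = [datetime.strptime(ts, WIN_FMT) for ts, eid, _ in win_events if eid in (4723, 4724)]
    hit = first_burst(resets, threshold=100, window=timedelta(minutes=10))
    if hit:
        out.append("password-change burst: 100+ events within 10 min by %s" % hit)
    for ip, times in ssh_failures_by_ip(syslog_lines).items():
        hit = first_burst(times, threshold=20, window=timedelta(minutes=5))
        if hit:
            out.append("ssh password guessing from %s: 20+ failures within 5 min by %s" % (ip, hit))
    return out


if __name__ == "__main__":
    for line in alerts():
        print(line)
```

On real data the events come from an export (for example `Get-WinEvent` on the Security log) and from syslog shipped to the SIEM; the sliding-window count is the same logic a Splunk search or a Sigma rule expresses, and a 4672 without a preceding 4624 for the same logon is itself worth a look.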

Tor, The Onion Router, will be the most common one that people use, and that could also give you some indications. If someone has been compromised, sometimes a blackmail demand might have been put forward, or there could be indications on the web that some of your data is on the Internet. And I'm going to show you a demonstration of this using the Tor browser. So this is the Tor browser I'm using, and I've maximised the screen only for the benefit of this demonstration. Normally, when I'm doing Internet research myself using the Tor browser, I would shrink it down, because people can be tracked or located through this. I've accessed a site called Ransomware Group Sites. Now, ransomware is one of the most prevalent types of attack on the Internet; 81% of the attacks that we can see currently are related to ransomware. On this site here, which I came across, called Ransomware Group Sites, there's a whole list of ransomware groups on the dark web, and all of this contains different data relating to different companies. I've bookmarked a couple, just to show you information related to different companies. So this one here is some breach data from a company called New City Commercial Corporation, and this is breach data relating to people themselves or to companies. We've got usernames and passwords coming up in this one, and that potentially could indicate that your website has been compromised, if data like this starts appearing on the site.

Also, there's another one here I've come across. This is a whole site where lots of breach data is available to us. We've got one, Leiden University, which is in Holland, that has been hacked, and the breach data is available to us. You can get the latest information from different sites from some of this breach data. You can also get some of this information from other platforms, like the Internet Archive. So I'll just go and see if I can bring up another website where some of this breach data can be located, just to show you some more indications of compromise. So this is using the Internet Archive. Now, the Internet Archive, as I said before, is the Wayback Machine. I've actually accessed a whole lot of breach data on the Internet Archive through a different platform; I'm accessing it in the Internet Archive because someone has bookmarked the website itself. The website, while I wait for this to load, is called Snusbase. So this is Snusbase, and this is a database search engine, which indexes data relating to database breaches, and normally if you want to access this site you have to provide some form of payment. This tool is available on the surface web, and you can access some breach data through it. Now, that database of information is available in the Internet Archive, located on a different platform and in a different location. If I go in and show the breach data in a different browser, so this is the breach data here, and you can see here, this is the Wayback Machine, it contains Experian. These are all compressed, so 1GB would be equivalent to about 4GB of data. The LinkedIn database has been compromised; that's equivalent to 16GB or 20GB of data on LinkedIn. And you've got some banking sites here.
Loads of breach data is available, but some of this is historical, whereas on the dark web you're more likely to find the most recent data breach information. All of these are indicators of compromise, and either through the logs we get or through what we can find on the Internet, they can help to flag this information to us. Hopefully that's been useful for you.
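When usernames and passwords for your domain turn up on a leak site, the next question for a practitioner is whether they are still valid. The following is an added example, not part of the course, that triages a constructed email:password dump against a constructed user directory holding PBKDF2 password hashes (the hash parameters are assumptions standing in for whatever the application actually uses). A leaked password that still verifies against the stored hash is a live credential and needs an immediate reset; an address at your domain with no matching account is worth noting too, since it may be an old account or a spoofed one.

```python
import hashlib
import hmac
import os

# Constructed dump in the "email:password" format commonly seen on leak sites.
# The addresses use reserved example domains; none of this is real data.
LEAKED_LINES = """\
alice@example.com:Summer2023!
bob@example.com:hunter2
carol@example.org:letmein
mallory@example.com:Winter2024?
# junk line that should be ignored
"""

ORG_DOMAIN = "example.com"
ITERATIONS = 100_000  # assumed PBKDF2 work factor for this example


def hash_password(password, salt=None, iterations=ITERATIONS):
    """PBKDF2-HMAC-SHA256 hash; returns (salt, digest)."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, digest


def verify(password, salt, digest, iterations=ITERATIONS):
    """Constant-time comparison of a candidate password against a stored hash."""
    _, candidate = hash_password(password, salt, iterations)
    return hmac.compare_digest(candidate, digest)


# Constructed user directory with fixed salts so the example is reproducible:
# alice still uses the leaked password, bob has changed his since the leak,
# and mallory@example.com has no account at all.
USERS = {
    "alice@example.com": hash_password("Summer2023!", salt=b"\x01" * 16),
    "bob@example.com": hash_password("new-long-passphrase-2024", salt=b"\x02" * 16),
    "dave@example.com": hash_password("correct horse", salt=b"\x03" * 16),
}


def parse_dump(text):
    """Yield (email, password) from email:password lines; skip blanks,
    comments and lines without a separator. Passwords may contain ':'."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        email, password = line.split(":", 1)
        yield email.lower(), password


def triage(dump_text, users, domain):
    """Classify leaked credentials that belong to our domain:
    'live'    -> leaked password still verifies against the stored hash (reset now)
    'stale'   -> account exists but the leaked password no longer matches
    'unknown' -> address at our domain with no such account
    Credentials for other domains are ignored."""
    result = {"live": [], "stale": [], "unknown": []}
    for email, password in parse_dump(dump_text):
        if not email.endswith("@" + domain):
            continue
        if email not in users:
            result["unknown"].append(email)
            continue
        salt, digest = users[email]
        result["live" if verify(password, salt, digest) else "stale"].append(email)
    return result


if __name__ == "__main__":
    for category, emails in triage(LEAKED_LINES, USERS, ORG_DOMAIN).items():
        print(category, emails)
```

The plaintext passwords from the dump are only ever fed to the verifier and never stored; the output you keep is the list of accounts to reset, which is the actionable part of the indicator.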



About the Author

A world-leading tech and digital skills organization, we help many of the world’s leading companies to build their tech and digital capabilities via our range of world-class training courses, reskilling bootcamps, work-based learning programs, and apprenticeships. We also create bespoke solutions, blending elements to meet specific client needs.