Training

Training in phishing message analysis:

The training includes manual analysis of phishing messages, such as: header analysis, attachment analysis (at a basic level), message content analysis, hyperlink analysis, HTTP transaction analysis, deep packet inspection for HTTP and TLS protocols, analysis of social engineering techniques, analysis of errors and inconsistencies, as well as OSINT (Open Source Intelligence), analysis of various phishing examples, report writing training, and a holistic view of security from a phishing perspective.

The training takes place in a logically and network-isolated laboratory, utilizing dedicated HTTP and HTTPS web forms that simulate the leakage of credentials submitted through them.


Training in malware analysis (with or without optional Cyberwarfare workshops, i.e., Blue vs. Red Team):

The training includes manual and dynamic malware analysis using examples of simple applications as well as threats such as Stealer (data theft) and Keylogger (keystroke logging). It introduces participants to tools used in static and dynamic malware analysis, the basics of network and digital forensics related to malware, OSINT (Open Source Intelligence), and the analysis of various examples. Additionally, participants will learn report writing, a holistic perspective on security in the context of malware, and the basics of reverse engineering.

The training takes place in a logically and network-isolated laboratory, using proprietary malware such as Stealer and Keylogger, as well as publicly available Stealer malware representing one of the currently active variants used by cybercriminals.

The training may also include, fully or partially (e.g., for SOC team members), Cyberwarfare workshops, i.e., Blue vs. Red Team, enabling practical exercises in defending against malware. These workshops provide valuable feedback, helping participants improve their practical skills in cyber defense.


Training in evidence preservation (Chain of Custody):

The training is conducted by a specialist holding the ISO/IEC 27037:2012 – Lead Implementer certification (issued by Pacific Certifications and ABIS), which authorizes him to implement and manage processes related to the identification, preservation, acquisition, and storage of digital evidence in accordance with international standards of practice in digital forensics.

The training introduces participants to topics related to the chain of custody, its significance, and formal requirements. It includes an introduction to procedures, best practices, and tools used in preserving evidence.

Additional information:

The chain of custody (CoC) is a document that tracks the stages of transfer and handling of potential digital evidence. It should be initiated as soon as evidence is collected or preserved. The process is based on meticulously recording the history of an item, starting from its identification and seizure by the investigation team to its current storage location and condition.

Chain of custody documentation may consist of a single document or a set of complementary records. It provides a detailed description of procedures related to handling digital evidence and specifies individuals responsible for its storage and processing. This applies to both digital data and materials in other formats, such as paper notes.

The purpose of such documentation is to ensure full transparency of evidence access and movement at every stage of the process. In practice, the chain of custody may include various types of records, such as a log of digital data acquisition on a specific device, a record of the device’s transport, or documentation related to creating data copies or extracting data for analysis.

Key benefits of implementing a chain of custody include:

  1. Ensuring evidence integrity: Evidence remains unaltered, allowing it to be admissible in legal proceedings.
  2. Maintaining credibility in legal processes: Careful documentation and preservation of evidence enhance its value in court proceedings and audits.
  3. Reducing the risk of evidence tampering allegations: Transparency in evidence management eliminates doubts about its authenticity.
  4. Adherence to internationally accepted standards: Implementing procedures compliant with international standards, such as ISO/IEC 27037, ensures that investigative actions are objectively recognized and respected by legal entities and other stakeholders.
  5. Ensuring consistency in investigative actions: Standardized processes improve collaboration both internally and with external entities.
  6. Building trust in the organization: Professionalism in investigative actions increases the organization’s credibility in the eyes of clients, business partners, and regulatory authorities.
  7. Supporting decision-making processes: The chain of custody supports the involvement of key individuals in the organization, such as the CISO (Chief Information Security Officer – the highest-ranking Cybersecurity Specialist in the organization) and qualified and certified digital and network forensic specialists. This ensures that decisions are based on reliable data and made by individuals with appropriate expertise.

In summary, implementing a chain of custody is essential for the proper conduct of forensic analyses and the management of digital evidence. It protects the organization from legal and regulatory risks, increases the efficiency of operations, and supports building trust and transparency in security-related activities.
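As an added illustration of how the records described above can be kept verifiable, the following Python sketch (not part of the training material or any product of the provider) models one evidence item: the hash taken at acquisition, every handover, and a check that both the hash and the custody continuity hold. The item id, names and evidence bytes are constructed.

```python
import hashlib
from datetime import datetime, timezone

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

class ChainOfCustody:
    """Record for one evidence item: identification, acquisition hash, and every handover."""

    def __init__(self, item_id: str, description: str, acquired_by: str, data: bytes):
        self.item_id = item_id
        self.description = description
        # Hash taken at acquisition; every later observation must match it.
        self.reference_hash = sha256_hex(data)
        self.entries = []
        self._record("acquisition", acquired_by, acquired_by, self.reference_hash, "initial seizure")

    def _record(self, action, from_person, to_person, observed_hash, note):
        self.entries.append({
            "seq": len(self.entries) + 1,
            "time": datetime.now(timezone.utc).isoformat(timespec="seconds"),
            "action": action, "from": from_person, "to": to_person,
            "sha256": observed_hash, "note": note,
        })

    def transfer(self, from_person: str, to_person: str, data: bytes, note: str = "") -> bool:
        """Log a handover; the receiving party re-hashes the item. True if the hash still matches."""
        observed = sha256_hex(data)
        self._record("transfer", from_person, to_person, observed, note)
        return observed == self.reference_hash

    def verify(self) -> list:
        """Return a list of problems; an empty list means integrity and continuity both hold."""
        problems = []
        for e in self.entries:
            if e["sha256"] != self.reference_hash:
                problems.append(f"entry {e['seq']}: hash mismatch")
        # Each handover must start with the person who received the item in the previous entry.
        for prev, nxt in zip(self.entries, self.entries[1:]):
            if prev["to"] != nxt["from"]:
                problems.append(f"entry {nxt['seq']}: custody gap ({prev['to']} -> {nxt['from']})")
        return problems
```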


Training in forensic analysis (digital and network):

The training covers all key areas of forensic analysis, such as: digital forensics in the Windows operating system conducted on the hard drive of a workstation, analysis of network traffic generated by the workstation along with its correlation with system processes, analysis of volatile memory (RAM), the use of necessary tools for the analysis of system artifacts, and the preparation of a detailed report from the conducted forensic analysis.

The goal of forensic analysis is to identify traces of various attack vectors, such as malware, phishing, data exfiltration, system manipulation, or privilege escalation. Malware analysis enables the reconstruction of the compromise process, understanding mechanisms of persistence, data exfiltration, and activity concealment, as well as assessing the impact on the system. In the case of phishing, the aim is to identify methods of extracting confidential information, such as login credentials or financial data, and the means of their transmission, e.g., through HTTP or TLS protocols. Each of these areas is analyzed independently, allowing for a precise understanding of the nature of the incident, effective threat response, and protection of the infrastructure against future attacks.

Additional information:

Malware leaves numerous traces in the operating system, which are crucial for digital forensics. Analyzing these artifacts allows for the reconstruction of the workstation’s compromise process, identifying malware techniques, and assessing its impact on the system.

In the Windows environment, significant sources of information include system event logs, which may contain entries related to unauthorized logins, privilege escalation, or the installation of new services. Logs from applications are also important, as they may reveal unusual activity, such as unauthorized remote sessions, downloading malicious files, or data manipulation.

Registry analysis enables the detection of persistence traces, such as entries initiating automatic program launches, scheduled tasks, or unusual changes in system policy settings.

System artifacts and data within file system structures allow for the reconstruction of activities such as file creation, modification, deletion, or movement, as well as the history of application launches. Analyzing this information makes it possible to trace file system activities, which is critical for identifying malicious software operations and determining their impact on the compromised system.

Malware often uses inter-process communication (IPC) mechanisms, such as named pipes, shared memory, or COM (Component Object Model) mechanisms, which may be used to transfer data between malware components or to hijack legitimate processes. Analyzing these traces helps detect abuses in the context of process interactions.

An important aspect is dynamic analysis, e.g., of volatile memory (RAM), which reveals the presence of malicious DLLs (Dynamic-Link Libraries), code injections, or processes operating only in memory. Malware may also employ advanced hiding techniques, such as rootkits (manipulating system structures), DLL hijacking, the use of distributed components across different processes, polymorphism (where malware changes its underlying code to evade detection), and packers that alter the file's characteristics.

Comprehensive forensic analysis allows for a complete reconstruction of the events related to the workstation’s compromise, the identification of malicious actions, and an understanding of the masking techniques used by malware, which is critical for incident response and infrastructure protection.

Phishing attackers often aim to obtain sensitive information, such as usernames, passwords, credit card numbers, or other personal data. To transmit this data, they need a network mechanism, using the Internet as a medium.

Most commonly, this data leaks through the HTTP or TLS protocols. Specifically, attackers use POST requests in the HTTP protocol and Application Data records in the TLS protocol, whose presence indicates an established encrypted session between the two parties. These are the most frequently used mechanisms for data exfiltration in phishing attacks.
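As an added example of the inspection described above (written for this page, not code from the training or its laboratory), the Python below parses a form POST for credential-like fields and walks TLS record headers to count Application Data bytes without decoding the payload. The host name, form fields and record bytes are constructed samples.

```python
import re
from urllib.parse import parse_qs

TLS_TYPES = {0x14: "change_cipher_spec", 0x15: "alert", 0x16: "handshake", 0x17: "application_data"}
SENSITIVE = re.compile(r"pass|pwd|user|login|card|cvv|token", re.I)

# Constructed samples standing in for traffic captured from the lab forms (not real captures).
HTTP_POST_SAMPLE = (
    b"POST /login.php HTTP/1.1\r\nHost: forms.lab.invalid\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\nContent-Length: 33\r\n\r\n"
    b"username=jdoe&password=Winter2024"
)
TLS_SAMPLE = (
    b"\x16\x03\x01\x00\x04" + b"\x01\x00\x00\x00"   # handshake record (placeholder body)
    + b"\x17\x03\x03\x00\x06" + b"\xaa" * 6         # application_data, 6 bytes
    + b"\x17\x03\x03\x00\x03" + b"\xbb" * 3         # application_data, 3 bytes
)

def parse_http_post(raw: bytes):
    """Return path, host, form fields and sensitive field names of a form POST, else None."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    request = lines[0].split(b" ")
    if len(request) != 3 or request[0] != b"POST":
        return None
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode()] = value.strip().decode()
    fields = {}
    if headers.get("content-type", "").startswith("application/x-www-form-urlencoded"):
        fields = {k: v[0] for k, v in parse_qs(body.decode(errors="replace")).items()}
    return {"path": request[1].decode(), "host": headers.get("host", ""),
            "fields": fields, "sensitive": [k for k in fields if SENSITIVE.search(k)]}

def parse_tls_records(raw: bytes):
    """Walk TLS record headers (type, version, length); the encrypted payload is never decoded."""
    records, pos = [], 0
    while pos + 5 <= len(raw):
        length = int.from_bytes(raw[pos + 3:pos + 5], "big")
        if pos + 5 + length > len(raw):
            break  # truncated record: stop rather than misparse
        records.append((TLS_TYPES.get(raw[pos], "unknown"), (raw[pos + 1], raw[pos + 2]), length))
        pos += 5 + length
    return records

def application_data_bytes(records):
    """Bytes carried in Application Data records; a handshake-only flow carried no form data."""
    return sum(length for name, _, length in records if name == "application_data")
```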