Security Event Triage: Detecting System Anomalies
In this course on system anomaly detection, you will explore the use of CPU, RAM, GPU, fans, and power resource usage data to reveal various advanced attacker techniques and uncover events associated with hardware supply chain interdiction.
What you'll learn
Developing the skills necessary for a security analyst to properly detect and triage advanced attacker intrusion tactics and techniques requires experience and the use of advanced detection capabilities. Neither of which are easily obtained. In this course, Security Event Triage: Detecting System Anomalies, you will learn foundational knowledge required to baseline different machine performance data and triage deviations from that baseline that can indicate a stealthy adversary’s presence in your environment when all other methods have failed. First, you will learn about CPU, RAM, and Hard drive metric data and how it can be used to detect anything from botnets to the use of hard drives as microphones for side-channel espionage. Next, you will discover the techniques used for “in-browser” crypto-jacking or malware delivered crypto mining activity by monitoring browser activity and GPU usage that stands out from the established baseline for normal applications. Finally, you will look at fan speeds and power usage to identify air-gapped network hopping techniques and hardware supply chain compromise. When you are finished with this course, you will have the skills and knowledge of not only how a multitude of advanced attacker techniques are performed, but also what they look like in a realistic environment and how to identify them as part of your security analyst operations.
Table of contents
- Introduction to Basic Computer Resource Monitoring 2m
- Collecting and Normalizing Basic Telemetry Data for Security 6m
- If I Had the Bots, How Would I Know? 2m
- Detecting Post Exploitation Botnet Activity 11m
- Advanced Persistent Threats Are Worse Than Bots 3m
- Listen to My Hard Drive Yourself 2m
- Detection for Attack Techniques and What Is Next 6m
- Introduction to Fan and Power Side Channels 2m
- How Air Gap Hopping without USB Works 3m
- Demonstrating Air Gap Hopping with Fan Speeds and How to Catch It 4m
- How Could You Possibly Find Hardware Supply Chain Interdiction? 3m
- Detecting Anomalous Hardware Configurations through Power Usage Anomalies 7m
- Implications of Power and Network Correlation Anomalies 3m
About the author
Aaron M. Rosenmund is a cyber security operations subject matter expert, with a background in federal and business defensive and offensive cyber operations and system automation. Leveraging his administration and automation experience, Aaron actively contributes to multiple open and closed source security operation platform projects and continues to create tools and content to benefit the community. As an educator & cyber security researcher at Pluralsight, he is focused on advancing cyber secur... more
