3C. Analyse endpoint monitoring output obj 3.1, 3.2 Flashcards
EPP
Endpoint Protection Platform
- a single agent that performs multiple security tasks (e.g., host firewall, malware detection). Used as a means of preventing performance issues caused by running multiple security products
- Signature-based
EDR
Endpoint Detection and Response
- uses behavioural and anomaly-based analysis to provide real-time insights into a compromise
- containment and remediation
UEBA
User and Entity Behaviour Analytics
- provides an analysis process for identifying malicious activity by establishing a baseline behaviour for entities (e.g., workstation) and detecting deviations from this behaviour
Typical malware attack stages
1) Dropper/downloader
2) Maintain access
3) Strengthen access
4) Actions on Objectives
5) Concealment
Methods for performing Code Injection
1) Masquerading
- dropper replaces a genuine executable with a malicious one
2) DLL injection
- dropper forces the process to load a DLL, which then executes malicious code
3) DLL side loading
- dropper exploits a vulnerability in the program’s manifest to load a malicious DLL at runtime
4) Process Hollowing
- dropper starts a process in a suspended state, then rewrites the memory locations containing the process code with the malware code