Let's see another great use case brought by our friend Max Lewis from the DC area on the value of, in particular, UBA and also Advisor. So we have these two offenses, and we don't even know whether they are obviously related. We can see it's the same source IP; there's a B. Arnold here and there, so these two are related. So let's analyze them in chronological order without UBA or Advisor. What we see: one event here, it's actually the USB drive file writing; that's from the endpoint protection type of software. OK, let's go to the other offense and see this one. This one has 15 events. We can actually look at those events and see what the nature of those are. OK, Tor activity. Well, this is Tor browser; it's not good. Some, you know, Blue Coat site. Well now, what did Billy Arnold do? Well, if I don't have UBA I will have to perform searches and look for the stuff. But why, if I have it? Before I proceed, while we do this search, let me actually send this to Advisor and see if Advisor can provide additional information. So this can be automated; I'm doing it manually here.

So let's actually see this guy B. Arnold. Why the heck is he doing this? Boy, because I have UBA I can actually go here and search for the user B. Arnold, and actually I know, because of the link to Active Directory, that Ben Arnold is this user ID that we saw, and he is an assistant deputy director, physical security, in the DC area. By the way, this is a use case recreated from a real case scenario. So what is it that Ben has been up to? Let's actually take a look here, and UBA makes our life a lot easier. So "browse to job search": well, that's UBA flagging those things precisely because when people are about to leave, sometimes they take information along with them. So let's actually click in here and see where did he go. Well, if you have a guy from DC going to a Russian site looking for personal security jobs in Russia, that's definitely not a good thing. Let's see what else we can find in here. Take a look at these: "browse to communication", "browse to lifestyle". What is this lifestyle? Again, UBA flags those for a reason, and this is the wikiHow website: "exfiltrate data without getting caught". Not very smart, easy. Let's go to this communication website, click in here. Now this is the one that's related to the previous one that we saw. Let's look at this malicious website. You see how we see these two URLs? This is the Tor Project, and this is how the two things are related. So the guy finally learned how to actually exfiltrate data without being caught, or so he thinks, and he downloaded the Tor browser, and that's probably... we don't see much more after that: "Dormant account, user removal detected".

So UBA gave me, in a minute, without me having to do any searches in QRadar, bang, all these events. And actually I can see that in a real case we'll see all the user events and risky events chronologically happening in here, and I can click on any one of those and investigate them accordingly, right? Or I can go down here in time in a similar way and look for that particular activity. Let's actually go back. I'm going back to the offenses, but I don't need to see anything more. Obviously it seems like the guy actually removed some media here, so Ben Arnold, he's been taking information with him, he's planning to go to Russia, and that's not a good thing at all. And we're gonna look at the Advisor information in a second, but I'm interested in looking at the flow here, and the flows can tell you the amount of data being moved; you see destination bytes. So there's some significant amount of data that actually went out, not too much with this one, and I can actually look at this site that he went to in Germany. Good information.

Let's see what additional information Advisor can give us. Well, this is related to other offenses. Actually this is the same offense that I was testing this out on, but this would have been related to any other offense; we would have seen this in the graphic as we are seeing in here. But notice that this is telling us how the wikiHow .com is related to this Equation Group piece of malware. So it's not a good site to go to, not only because we are looking for bad information, but you can actually be infected with all the pieces of malware. Let's actually look at the other offense as well and see if Advisor can provide us any more detail, any other IOCs, and sure enough there are some. There are a few more here; actually the same ones we saw before. What I can do now is I can actually export those into a reference set and make QRadar even more watchful for anyone else in my organization falling victim to these attacks. So I hope that this has given you yet another reason to, at the very least, download the free UBA app and see how it can facilitate your job, instead of you doing searches; UBA can do all that for you automatically.
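The demo above walks through what UBA does for the analyst: pull every event for one user out of the offenses, order them in time, flag the risky categories (job search, "lifestyle", Tor, USB writes), sum up the outbound flow bytes, and push the destinations into a reference set so QRadar watches for them. The following Python script is an added illustration of that workflow written for this page; it is not QRadar or UBA code. The event and flow lines, the user names, the `.example` domains and the risk weights are all constructed for the example, and the scoring rule (category weights plus a bonus when job-search browsing precedes a USB write or Tor activity) is an assumption that mimics the "about to leave, takes data along" pattern the speaker describes, not UBA's actual scoring.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, Iterable, List

# Constructed sample data shaped like the demo's story (not real QRadar/UBA output).
# Event format: timestamp|user|source_ip|uba_category|destination
# The USB write comes first, as it did in the first offense; order is restored by sorting.
EVENT_LINES = [
    "2017-03-02T11:30:00|b.arnold|10.1.4.22|usb_file_write|-",
    "2017-03-02T09:12:00|b.arnold|10.1.4.22|browse_job_search|jobs-ru.example",
    "2017-03-02T11:31:00|j.doe|10.1.4.50|browse_lifestyle|recipes.example",
    "2017-03-02T10:05:00|b.arnold|10.1.4.22|browse_communication|torproject.example",
    "2017-03-02T09:40:00|b.arnold|10.1.4.22|browse_lifestyle|wikihow.example",
    "2017-03-02T12:00:00|b.arnold|10.1.4.22|account_removed|-",
    "2017-03-02T10:07:00|b.arnold|10.1.4.22|tor_activity|-",
]
# Flow format: timestamp|source_ip|destination_ip|country|destination_bytes
FLOW_LINES = [
    "2017-03-02T10:20:00|10.1.4.22|198.51.100.7|DE|4820000",
    "2017-03-02T10:25:00|10.1.4.22|198.51.100.7|DE|12000",
    "2017-03-02T11:31:00|10.1.4.50|203.0.113.9|US|900",
]

# Assumed per-category weights for the illustration; UBA's real scoring differs.
RISK_WEIGHTS = {
    "browse_job_search": 10,
    "browse_lifestyle": 15,
    "browse_communication": 20,
    "tor_activity": 30,
    "usb_file_write": 25,
    "account_removed": 5,
}
# Extra risk when job-search browsing is followed by media writes or Tor use
# (the "leaving and taking data along" sequence from the demo); assumed value.
DEPARTURE_PATTERN_BONUS = 20


@dataclass
class Event:
    ts: datetime
    user: str
    src_ip: str
    category: str
    destination: str


def parse_events(lines: Iterable[str]) -> List[Event]:
    """Parse the pipe-delimited sample lines into Event records."""
    events = []
    for line in lines:
        ts, user, src_ip, category, dest = line.split("|")
        events.append(Event(datetime.fromisoformat(ts), user, src_ip, category, dest))
    return events


def user_timeline(events: Iterable[Event], user: str) -> List[Event]:
    """Everything one user did, in chronological order (the UBA user view)."""
    return sorted((e for e in events if e.user == user), key=lambda e: e.ts)


def risk_score(timeline: List[Event]) -> int:
    """Sum the category weights, plus a bonus for the pre-departure exfil pattern."""
    score = sum(RISK_WEIGHTS.get(e.category, 0) for e in timeline)
    first_job_search = next(
        (e.ts for e in timeline if e.category == "browse_job_search"), None
    )
    if first_job_search is not None and any(
        e.category in ("usb_file_write", "tor_activity") and e.ts > first_job_search
        for e in timeline
    ):
        score += DEPARTURE_PATTERN_BONUS
    return score


def outbound_bytes(flow_lines: Iterable[str], src_ip: str) -> Dict[str, int]:
    """Destination bytes sent by one host, grouped by destination country."""
    totals: Dict[str, int] = {}
    for line in flow_lines:
        _, src, _, country, dst_bytes = line.split("|")
        if src == src_ip:
            totals[country] = totals.get(country, 0) + int(dst_bytes)
    return totals


def reference_set_entries(timeline: List[Event]) -> List[str]:
    """Destinations worth exporting to a watch list (a reference set in the demo)."""
    return sorted(
        {e.destination for e in timeline
         if e.category.startswith("browse_") and e.destination != "-"}
    )


if __name__ == "__main__":
    events = parse_events(EVENT_LINES)
    timeline = user_timeline(events, "b.arnold")
    for e in timeline:
        print(e.ts.isoformat(), e.category, e.destination)
    print("risk score:", risk_score(timeline))
    print("outbound bytes by country:", outbound_bytes(FLOW_LINES, "10.1.4.22"))
    print("reference set entries:", reference_set_entries(timeline))
```

Run as a script it prints the ordered timeline for the constructed user, the score, the per-country destination bytes and the domains to export. The sequence bonus is the part worth keeping from the demo: a single job-search visit or a single USB write is noise on its own, and it is the order of the events for one identity that makes the case.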