Kill Chain Model for Use Cases Assist in Incident Response
1. Situational Awareness
- Outbound protocols
- Outbound protocols by size
- Top destination countries
- Top destination countries by size
2. Reconnaissance
- Port scan activity
- ICMP query
3. Weaponization and Delivery
- Injection
- Cross Site Scripting
- Cross Site Request Forgery
- Failure to Restrict URL
- Downloaded binaries
- Top email subjects
- Domains mismatching
- Malicious or anomalous Office/Java/Adobe files
- Suspicious web pages (iframe + [pdf|html|js])
Kill chain phases and their meaning:
- Situational Awareness: ability to identify what is happening in the network and system landscape
- Reconnaissance: identification and selection of the target host(s) or network by active scanning
- Weaponization & Delivery: transmission/injection of the malicious payload into the target(s)
- Lateral Movement: detect, exploit and compromise other vulnerable hosts
- Data Exfiltration: steal and exfiltrate data
- Persistency: establish a foothold in the corporate network
In military strategy, a “Kill Chain” is a phase model that describes the stages of an attack; it also helps inform ways to prevent attacks.
Incident Response
4. Lateral Movement
- Remove or add account
- Remote WMI communications
- Remote Group Policy Editor
- Remote session communications (during outside working hours?)
- Antivirus terminated
5. Data Exfiltration
- Upload to cloud storage domains
- Suspicious HTTP methods (DELETE, PUT)
- Uploaded images
- FTP over non-standard port
- IRC communication
- SSH | ICMP tunneling
6. Persistency Phase
- Unusual user agents
- Outbound SSL VPN
- Outbound unknown
Advanced Persistent Threat
An “Advanced Persistent Threat” is a complex, targeted cyber attack carried out over a long period of time (i.e. “persistent”). These attacks are well funded, mostly state sponsored and carried out by professionals. The motive behind the attack is to gain access to the target system and maintain that access for a prolonged period.
Step 1: Reconnaissance
Step 2: Initial Intrusion into the Network
Step 3: Establish a Backdoor into the Network
Step 4: Obtain User Credentials
Step 5: Install Various Utilities
Step 6: Privilege Escalation / Lateral Movement / Data Exfiltration
Step 7: Maintain Persistence
Incident Response Process - Preparation
[Process phase bar: Preparation, Identification & Verification, Containment, Eradication, Recovery, Post Incident Analysis; Investigation]
- Always install software from trusted sources and verify the digital signature and MD5 hash.
- Use benchmarks for building systems on the network, including hardened systems.
- Use group policy to distribute enterprise-wide end point security measures and remove admin privileges from all end user systems and servers.
- Enable appropriate logging on all network devices.
- Leverage the SIEM to correlate data from multiple defense tool sources. Use the data to identify potential compromise (such as blocked emails, code execution in the browser, probable large data in HTML, outgoing traffic to specific IPs on unusual ports, abnormal DNS requests, drive-by malware download, AV clean-fail alert, reinfection within 5 minutes, multiple failed DNS resolution attempts, SAM file access, privileged account failure, forced password change).
- Systems that require admin privileges must be identified in the CMDB as high value targets.
- Identify and block all grey-listed domains.
- Collect detailed behavioral profiles of all the data and functions handled by each application.
- Decrypt and re-encrypt confidential traffic through applications or other encryption utilities wherever possible.
- Identify, create and constantly update a list of all IPs known to be associated with malware command and control (threat intelligence / IP reputation).
- Set up procedures for external notification by contributing to Open Source Intelligence.
Incident Response Process – Signs of Compromise
- Identification of the same email from a public domain sent to a significant number of users, C-level employees or high value targets; encrypted attachments, password-protected and zipped files used to escape the email malware filter (put the user in the reference list).
- End point alert / HIPS / host-based malware alert for local script execution for the same user: raise an incident.
- Identify unusual traffic volumes to multiple ports or IP addresses, or excessive packet loss (e.g. a connection lasting over 4 hours to an external IP).
- Examine abnormal services on known ports and abnormal ports for well-known services (e.g. SSH to port 80); verify reputation scores of the IP.
- EDR and WAF alerts for scripts, hash mismatch.
- Botnet filter alerts for traffic to blacklisted domains.
- Email / spam filter misbehavior or maintenance activity followed by suspicious activity on the network, especially related to unknown or suspicious remote destinations.
- Monitor packet flow into and out of the network for likely patterns of command and control (C&C) traffic, outbound custom encrypted communications, covert communication channels with external entities, etc.
- Threat intelligence alerts for connections or data sent to suspicious destinations outside the organization, especially those in less reputable geographic locations and at odd hours.
- Examine whether any data breach has occurred, e.g. a large HTML packet.
- Review hourly and daily reports of network usage to identify unusual occurrences and spikes in traffic.
Use Case Model – Attack Based – Kill Chain Use Cases
Columns: Category | Sub Category | SIEM Rule Source | Use Case Condition | Action | Correlate

Category: Reconnaissance
Sub Category: End point protection
SIEM Rule Source: Email gateway
Use Case Condition: Harmful attachment (binary, infected Word or PDF file, password-protected or encrypted file attached); the source of the email is an internal IP
Action: Add the email recipient machine's source IP address from the event to shortlist 1
Correlate: (none)

Category: Delivery
Sub Category: End point protection
SIEM Rule Source: AV server
Use Case Condition: All antivirus and anti-malware software events
Action: The source IP address is added to the compromised host active list
Correlate: Define a second high-level rule that cross-correlates to determine whether the host source IP address is also found on shortlist 1 (if yes, raise an incident)

Category: Host Exploitation
Sub Category: End point protection
SIEM Rule Source: Local system
Use Case Condition: Rule 1: a registry change has occurred in one of the registry start locations such as RunOnce. Rule 2: a new unknown process has been spawned
Action: Add them to shortlist 1
Correlate: (none)

Category: C&C
Sub Category: End point protection
SIEM Rule Source: Firewall / IPS
Use Case Condition: End point communicates with a known bad C&C IP address
Action: Add them to the compromised host active list
Correlate: (none)

Category: Local Compromise
Sub Category: End point protection
SIEM Rule Source: Local system
Use Case Condition: Rule 1: creation of local accounts. Rule 2: creation or escalation of privileges. Rule 3: group policy changes. Rule 4: antivirus or anti-malware software processes have been terminated
Action: Add them to shortlist 2
Correlate: Correlation rule: if an IP address exists on shortlist 2 more than once, raise an incident alert

Category: Internal Recon
Sub Category: End point protection
SIEM Rule Source: Firewall / IPS
Use Case Condition: Rule 1: peer-to-peer communication. Rule 2: beaconing of desktop network communications trying to find a way of routing to the Internet; this shows up as firewall drop events. Rule 3: multiple communications where both the source network zone and the destination network zone are desktop
Action: (none)
Correlate: Correlate rules 1-3 where the source also exists on either shortlist 1 or shortlist 2; if it does, raise this as an incident and add the IP to the compromised host asset list

Category: Lateral Movement
Sub Category: End point protection
SIEM Rule Source: Local system
Use Case Condition: Rule 1: Windows program audit events where netstat has been used; add the source IP to shortlist 2. Rule 2: Windows net logon event; add the source IP address to shortlist 2
Action: Add to shortlist 2 for any of the events detected
Correlate: Correlation rule 2: if rules 1-6 correlate with an IP address on shortlist 1, raise an incident alert and add to the compromised host asset list

Category: Establish Persistence
Sub Category: End point protection
SIEM Rule Source: Firewall (internal)
Use Case Condition: Rule 1: internal-to-internal communications between hosts in the same network zone on unknown communication channels, for example a desktop communicating with another desktop using HTTPS
Action: (none)
Correlate: (none)

Category: Data Exfiltration
Sub Category: Data protection
SIEM Rule Source: Email gateway / proxy and firewall
Use Case Condition: Rule 1: Windows program audit event where NTBackup has been used; add the source IP to shortlist 2. Rule 2: Windows events for registry access to the following registry locations, as this indicates the
Action: (none)
Correlate: Correlate multiple email sending events where attachments are being sent to a single unknown email address in the same day for a total data size of > 100 MB; add to shortlist 1
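The shortlist mechanics in the table (shortlist 1, shortlist 2, the compromised host active list, and the cross-correlations that raise an incident) can be implemented as a small stateful correlator. The code below is an added example, not the deck's own rule content; the event type names, the event fields and the sample event stream are constructed, the 100 MB exfiltration threshold and the rule-to-shortlist mapping follow the table rows, and the email recipient is assumed to have been classified as "unknown" by an upstream step.

```python
"""Shortlist correlation for the kill-chain SIEM use cases above.

Added example, not the deck's own SIEM rule content. Event type names, the
field layout and the sample events are constructed; the two shortlists, the
compromised-host list, the 100 MB exfiltration threshold and the correlation
conditions follow the table.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass, field

EXFIL_BYTES = 100 * 10**6  # "total data size of > 100mb" to one unknown recipient in a day

# Event types feeding shortlist 1 (Reconnaissance / Host Exploitation rows)
SHORTLIST1_EVENTS = {"email_harmful_attachment", "registry_run_key_change", "unknown_process_spawned"}
# Event types feeding shortlist 2 (Local Compromise / Lateral Movement / NTBackup rows)
SHORTLIST2_EVENTS = {"local_account_created", "privilege_escalation", "group_policy_change",
                     "av_process_terminated", "netstat_audit", "net_logon", "ntbackup_audit"}
LATERAL_EVENTS = {"netstat_audit", "net_logon"}
INTERNAL_RECON_EVENTS = {"peer_to_peer", "beaconing_fw_drop", "desktop_to_desktop"}


@dataclass
class State:
    shortlist1: set = field(default_factory=set)
    shortlist2: Counter = field(default_factory=Counter)  # host -> number of shortlist-2 hits
    compromised: set = field(default_factory=set)         # compromised host active list
    incidents: list = field(default_factory=list)         # (reason, host)
    exfil_bytes: dict = field(default_factory=lambda: defaultdict(int))  # (host, recipient, day) -> bytes


def process(event: dict, st: State) -> None:
    """Apply the table's shortlist and correlation logic to one normalised event."""
    kind, host = event["type"], event["host"]
    if kind in SHORTLIST1_EVENTS:
        st.shortlist1.add(host)
    elif kind in SHORTLIST2_EVENTS:
        st.shortlist2[host] += 1
        # Local Compromise: same host on shortlist 2 more than once -> incident
        if st.shortlist2[host] > 1:
            st.incidents.append(("shortlist2_repeat", host))
        # Lateral Movement: shortlist-2 activity on a host already on shortlist 1 -> incident
        if kind in LATERAL_EVENTS and host in st.shortlist1:
            st.incidents.append(("lateral_movement", host))
            st.compromised.add(host)
    elif kind == "av_detection":
        # Delivery: every AV event adds to the compromised list; cross-correlate with shortlist 1
        st.compromised.add(host)
        if host in st.shortlist1:
            st.incidents.append(("delivery_and_av", host))
    elif kind == "c2_known_bad_ip":
        st.compromised.add(host)
    elif kind in INTERNAL_RECON_EVENTS:
        # Internal Recon: only an incident when the source is already on either shortlist
        if host in st.shortlist1 or host in st.shortlist2:
            st.incidents.append(("internal_recon", host))
            st.compromised.add(host)
    elif kind == "email_sent":
        # Data Exfiltration: attachments to one unknown recipient in a day, > 100 MB in total
        key = (host, event["recipient"], event["day"])
        st.exfil_bytes[key] += event["bytes"]
        if st.exfil_bytes[key] > EXFIL_BYTES:
            st.shortlist1.add(host)


def run(events: list) -> State:
    st = State()
    for ev in events:
        process(ev, st)
    return st


# Constructed event stream (hosts identified by IP, as the table does)
SAMPLE_EVENTS = [
    {"type": "email_harmful_attachment", "host": "10.0.0.5"},
    {"type": "av_detection", "host": "10.0.0.5"},            # -> delivery_and_av
    {"type": "local_account_created", "host": "10.0.0.9"},
    {"type": "av_process_terminated", "host": "10.0.0.9"},   # -> shortlist2_repeat
    {"type": "netstat_audit", "host": "10.0.0.5"},           # -> lateral_movement
    {"type": "desktop_to_desktop", "host": "10.0.0.9"},      # -> internal_recon
    {"type": "email_sent", "host": "10.0.0.7", "recipient": "x@example.invalid",
     "bytes": 60_000_000, "day": "2024-01-01"},
    {"type": "email_sent", "host": "10.0.0.7", "recipient": "x@example.invalid",
     "bytes": 50_000_000, "day": "2024-01-01"},               # 110 MB -> shortlist 1
    {"type": "c2_known_bad_ip", "host": "10.0.0.11"},
]

if __name__ == "__main__":
    state = run(SAMPLE_EVENTS)
    print("shortlist 1:", sorted(state.shortlist1))
    print("compromised:", sorted(state.compromised))
    print("incidents:", state.incidents)
```

The order of events matters: an AV detection that arrives before the harmful-attachment event will land the host on the compromised list but not raise the cross-correlated incident, which is why real SIEM rules usually give the shortlists a time-to-live and re-evaluate on each new event rather than only at insertion time.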
Incident Response Process – Limit the Damage
- Move the infected system into a separate VLAN.
- Use packet capture utilities to replay old (or malicious) traffic to identify additionally infected systems.
- Examine the system to identify any lateral movement made within the enterprise by the attacker and perform the same checks on the affected systems.
- Identify end point IOCs (hash, registry change, running process, running service) to identify the other infected systems.
- Based on the initial investigation, do the following: block the IP address of the attacker, terminate the vulnerable/infected process, disable the user or change the user password.
- Preserve information and artifacts associated with the incident.
- Update the firewall / anti-malware blacklist to block the attacker's IPs and monitor them in detail, including the communication protocol.
- Remove sensitive data from unsecured and unnecessary locations.
- Alert related key users to possible attacks and limit system and user privileges to copy, modify and delete secondary data/information.
- Alert law enforcement and other authorities such as CERT, if required.
- Notify internal users and affected departments/system owners.
Incident Response Process – Source and Anatomy
- In case of spear phishing, verify the links clicked and the destination URL.
- Investigate the information provided or data uploaded on the phished site.
- Identify suspicious changes in listening ports, system services and drivers, startup tasks and scheduled tasks on the infected system.
- Check for new accounts with high privileges or permission changes.
- Identify DNS requests.
- Verify Host Intrusion Prevention System (HIPS) alerts for execution of scripts or malicious code.
- Use file system and memory analysis to look for malware/code-specific entities in memory (process information, running service information).
- Analyze changes in the registry for unexpected registry keys.
- Extract and identify characteristics of the adversary and compare with other affected systems; this may be achieved by using correlation rules to search for identified characteristics of attacks such as:
  - Files
  - System calls
  - Processes
  - Network
  - Ports
  - IP addresses
  - Host names
- Investigate further to identify all:
  - Active (beaconing) and passive (listening) backdoors
  - Other entry points like web servers, mail servers, VPN
Incident Response Process - Remove Cause
- Reset all affected system, user and service passwords.
- Remove backdoors by running an updated anti-malware tool; use vendor-supplied stand-alone removal tools as necessary for eradication and clean-up.
- Fix the vulnerable systems the attackers are exploiting for access with updated patches.
- Run registry cleaners and scan for memory-resident malicious code; clean up using alternate boot media.
- Develop or update antivirus and/or security device (IPS/IDS) signatures.
- Re-engineer the system or systems to prevent re-infection.
- Segment critical data into more restricted areas and implement auditing for critical data access.
- Enable block mode for sensitive data on the data loss prevention tool.
Incident Response Process – Resume Normal Operation
- Clean all traces such as infected files, binaries, infected code and data.
- Clean browsing history, registry and memory. Preferably, after taking all snapshots, reinstall from a clean image.
- Update all antivirus / anti-malware programs with new signatures and patches.
- Scan the infected system with the latest antivirus and anti-malware programs.
- Scan for suspicious items discovered on all infected and interconnected systems using the updated anti-malware used to disinfect the targeted systems.
- Perform system integrity checks for all infected systems.
- Restore all systems whose integrity has been affected by the attack from the last known good backup.
- Confirm all systems and services are restored to normal operations.
- Restore the data from the previous backup.
Incident Response Process – Post Mortem & Lessons Learned
- Perform forensics to identify the source of the attack and the motivation (e.g. state sponsors).
- Identify whether the attackers used a third party (e.g. contractor, client, joint venture) as an attack vector.
- Identify whether the attackers had insider assistance.
- Identify whether the attackers had physical access to the facilities or network.
- Collect evidence from packet captures / network information, logs, infected system browsing history and malicious code and its reverse engineering.
- Reverse-engineer binaries to help identify attack methods, communication protocols and attack servers.
- Create images of hard drives from infected hosts.
- Ensure preservation of evidence and maintain the chain of custody as required by legal authorities.
- Perform communications (internal/external user groups, public media etc.).
Example: Carbanak – A-SOC Capabilities
[Attack-flow diagram, shown twice in the original; only its labels are recoverable and their order in the diagram is not]
Actors: Attacker (using spear-phished emails; Word file with MA), Victim (Mail-Client), Malicious Web server (sends or reflects exploit code; <click>), Domain Name Server, Command & Control.
Numbered steps 1–9 in the diagram: Follow link; web-page; Install Malware; Remotely Control Malware; Contact Updater By IP Address (C&C); Lateral Movement; Screen capture / Video recording; Data upload – Screens and VR.
A-SOC monitoring points: a) Monitor DNS; b) Monitor NetFlow; c) Monitor Port & Protocol Usage; d) Monitor Web Traffic; e) Data in HTML Response – NetFlow.
IR response process
Purpose: The purpose of this document is to provide guidance to Tier 2 Triage and Tier 3 Response analysts on the approach to incident remediation.
Scope: The scope of this guidance includes 3 stages: Containment, Eradication, Recovery.
Containment: The intention of this stage is to limit the damage caused by the incident without yet removing its cause. This is typically done as the first step, as it may take additional time to understand the cause of the incident and the appropriate eradication strategy. Examples of containment include shutting down affected systems, closing firewall ports, etc.
Eradication: This stage is typically done after containment and removes the cause of the incident. Eradication can be performed before containment only if the cause of the incident is immediately clear and eradication can be performed swiftly, before additional damage is caused by the incident. Examples of eradication include deleting malicious code, removing malicious accounts, etc.
Recovery: This stage is done once the “victim” system impacted is no longer vulnerable. Examples of recovery include restoring from backup, patching servers, etc.
Attack Category: Authentication (Internal User)
Attack Sub Categories: Misc Login Succeeded, Unknown Authentication, Host Login Succeeded, Host Login Failed, Misc Login Failed, Privilege Escalation Failed, Privilege Escalation Succeeded, Mail Service Login Succeeded, Mail Service Login Failed, Auth Server Login Failed, Auth Server, Group Added, Group Changed, Group Removed, Computer Account Added, Computer Account Changed, Computer Account Removed, Remote Access Login Succeeded, Remote Access Login Failed, General Authentication Successful, Telnet Login Succeeded, Telnet Login Failed, Suspicious Password, Samba Login Succeeded, Samba Login Failed, etc.
Response Remediation Options:
1. Containment
   a. Terminate processes with any active connections to the attacker IP or port
   b. Disable the user ID in question
2. Eradication
   a. Work with the network team to physically locate the internal attacker
   b. Turn off the switch port of the internal attacker
   c. Remove user access
3. Recovery
   a. Implement a strong password policy
   b. Reconfigure the vulnerable service as applicable
   c. Restore to a previous good state from backup or recovery application
IR Response Exercise – Website Defacement
“Website defacement” refers to any unauthorized change made to the appearance of either a single web page or an entire site. In the worst case, the attacker replaces the home page with an embarrassing (or worse) message.
Web page defacement: The most straightforward and visually identifiable attack, where the web page content is changed and replaced by the perpetrators. The website data is not deleted.
Data deletion: A second stage of damage, where the website is defaced and the data and other pages are also deleted.
Install malicious software: Website defacement can be augmented by introducing malicious code into the target environment to establish a stronghold. The malicious code can then be used for further compromise such as lateral movement.
IRC bot: In more severe cases, once the attacker has established a foothold, they can install an IRC bot which can then be controlled through IRC channels.
IR Playbook Exercise – Website Defacement
Preparation
1. Create a hot cluster of servers to run the website. Build a backup site and set up routing backups. Enable detailed logging on the web server and test the site for vulnerabilities.
2. The website should be protected by a WAF, IPS, host-based IPS and anti-malware; monitor logs and alerts for unauthorized access, change of files, or privilege escalation to the system backups.
3. Deploy monitoring tools to quickly detect any abnormal behavior on your critical websites (e.g. Sucuri).
4. The home page should be access-controlled from the management IP.
5. Log all access and alert on any change to the home page file; immediately verify against a change request.
Identification & Verification – SIEM Use Cases
Columns: Monitored Element | Description | Log Source | Configuration / Threshold | Priority

Monitored element: More than 30 requests for the same web file (e.g. *.php) by the same IP address and port number, or the same user
Description: During an attack the URL targeted by the attacker changes with each request, but the actual file name targeted remains the same
Log source: Web server
Configuration / threshold: 30 requests in 5 minutes
Priority: 2

Monitored element: Home page (*.php) change
Description: Enable the home page file auditing feature, configure an alert for file change and a priority 1 log alert
Log source: Web server
Configuration / threshold: File change from auditing - 1
Priority: 1

Monitored element: DNS requests over port 80
Description: Infected hosts commonly send C&C communications masked as DNS requests over port 80, so watch in the web gateway for any DNS request observed on port 80
Log source: Web server
Configuration / threshold: Port / protocol mismatch
Priority: 1

Monitored element: High number of HEAD requests on the web server
Description: Likely indicates an attempt to discover vulnerable CGI scripts. A high number of non-standard HTTP requests indicates a possible attack or information gathering preceding an attack.
Log source: Web server
Configuration / threshold: 10 in 1 minute
Priority: 2

Monitored element: Web server not responding or responding slowly (very long HTML response time) due to a possible DoS attack
Description: The web server has not served any pages in an hour and the IDS has reported multiple DoS attack events
Log source: Web server
Configuration / threshold: Slow response / 10 seconds to open a file
Priority: 2

Monitored element: SQL injection, XSS, injection, redirects, failed attempts
Description: SQL injection, XSS and other attacks reported by the WAF
Log source: Web gateway / firewall
Configuration / threshold: (none)
Priority: 1
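Two of the thresholds in the table (more than 30 requests for the same file by one IP in 5 minutes, and 10 HEAD requests in 1 minute) can be evaluated directly over web server access logs. The script below is an added example, not part of the playbook; the Apache combined-format log lines are constructed, and the sliding-window counting is an assumption about how the SIEM evaluates the two thresholds.

```python
"""Access-log threshold checks for the defacement SIEM use cases above.

Added example, not part of the original playbook. The Apache combined-format
log lines are constructed; the sliding-window counting is an assumption about
how the SIEM evaluates "30 requests in 5 minutes" and "10 in 1 min".
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone
from posixpath import basename

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) \S+" (?P<status>\d{3}) \S+'
)


def parse(line: str):
    """Parse one combined-format line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    # The table keys on the file actually targeted, not the full URL (query strings vary per request)
    rec["file"] = basename(rec["url"].split("?", 1)[0])
    return rec


class SlidingCounter:
    """Counts events per key inside a trailing time window; timestamps must be in order per key."""

    def __init__(self, window: timedelta, threshold: int):
        self.window, self.threshold = window, threshold
        self.hits = defaultdict(deque)

    def add(self, key, ts) -> bool:
        q = self.hits[key]
        q.append(ts)
        while q and ts - q[0] > self.window:
            q.popleft()
        return len(q) == self.threshold  # fire once, when the threshold is first reached


def detect(lines: list) -> list:
    """Return (rule, ip, file, priority) alerts for an ordered list of access-log lines."""
    same_file = SlidingCounter(timedelta(minutes=5), 31)  # "more than 30 requests in 5 minutes"
    head_reqs = SlidingCounter(timedelta(minutes=1), 10)  # "10 in 1 min"
    alerts = []
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        if same_file.add((rec["ip"], rec["file"]), rec["ts"]):
            alerts.append(("same_file_flood", rec["ip"], rec["file"], 2))
        if rec["method"] == "HEAD" and head_reqs.add(rec["ip"], rec["ts"]):
            alerts.append(("head_scan", rec["ip"], None, 2))
    return alerts


def _line(ip: str, ts: datetime, method: str, url: str) -> str:
    return f'{ip} - - [{ts:%d/%b/%Y:%H:%M:%S %z}] "{method} {url} HTTP/1.1" 200 512'


# Constructed sample log: 198.51.100.0/24 is a documentation range.
_T0 = datetime(2024, 5, 1, 10, 0, tzinfo=timezone.utc)
SAMPLE_LOG = (
    [_line("198.51.100.9", _T0 + timedelta(seconds=2 * i), "GET", f"/shop/item.php?id={i}") for i in range(31)]
    + [_line("198.51.100.10", _T0 + timedelta(seconds=3 * i), "HEAD", "/") for i in range(10)]
    + [_line("198.51.100.11", _T0 + timedelta(seconds=5 * i), "GET", "/index.php") for i in range(3)]
    + ["this line is not an access-log entry"]
)

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

Keying the first rule on the file name rather than the full URL is what makes it work against the pattern the table describes (query string changes on every request, target file stays the same); the three ordinary GET requests and the malformed line produce no alert.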
SQL Injection – Identification & Verification
1. Extract the attack source IP from the SIEM / WAF using the web server (IIS/Apache) as log source
2. Notify the application owner of the attack
3. Implement a firewall rule to block the attacker IP
4. If the attack source is on the local network, remote to a machine within the same subnet as the unauthorized device
5. Ping the offending machine IP
6. Run the “arp -a” command at the command prompt to extract the MAC address
7. Block the IP/MAC (NAC) and disable the user
Containment
1. Take the infected host out of the cluster.
2. Redirect all traffic to the backup servers.
3. If the source of the attack is another system on the network, disconnect it as soon as possible.
4. Conduct site/page replication for redirection, as required.
5. Disable links to the affected page or redirect to a correct version of the page.
6. Back up all data stored on the web server for forensic purposes and evidence collection. Best practice here, if applicable, is to make a complete bit-by-bit copy of the hard disk containing the web server; this will be helpful to recover deleted files.
Investigation
1. Check files with static content (in particular, check the modification dates and hash signatures).
2. Check mash-up content providers.
3. Check links present in the web page (src, meta, css, script etc).
4. Review the database for modifications, content changes, traces of script injections, etc.
5. Review server logs and application access logs.
6. Look for evidence of data exfiltration.
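Investigation step 1 (modification dates and hash signatures of static content) and step 3 (links present in the page) can be scripted as a comparison against a known-good baseline. The script below is an added example and not part of the playbook; the site directory, its files, the tampering applied to them and the trusted host list are constructed, and the baseline is taken in a temporary directory so the script runs stand-alone.

```python
"""Static-content integrity baseline for the defacement investigation steps above.

Added example, not part of the original playbook. The site files, the
tampering applied to them and the trusted host list are constructed; the
baseline lives in a temporary directory so the script runs stand-alone.
"""
import hashlib
import re
import tempfile
from pathlib import Path

STATIC_EXT = {".html", ".htm", ".css", ".js", ".php"}
# src/href attributes on tags that pull in content (step 3: "links present in the web page")
REF_RE = re.compile(r'<(?:script|img|iframe|link)\b[^>]*?\s(?:src|href)=["\']([^"\']+)["\']', re.I)


def file_digest(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict:
    """Map each static file (relative path) to its (sha256, mtime) as the known-good reference."""
    baseline = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and p.suffix.lower() in STATIC_EXT:
            baseline[p.relative_to(root).as_posix()] = (file_digest(p), int(p.stat().st_mtime))
    return baseline


def compare(baseline: dict, current: dict) -> dict:
    """Report files added, removed, or whose content hash changed since the baseline."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(k for k in baseline.keys() & current.keys() if baseline[k][0] != current[k][0]),
    }


def external_refs(html: str, trusted_hosts: set) -> list:
    """Return absolute src/href references that point at hosts outside the trusted set."""
    findings = []
    for url in REF_RE.findall(html):
        m = re.match(r"^(?:https?:)?//([^/]+)", url)
        if m and m.group(1).lower() not in trusted_hosts:
            findings.append(url)
    return findings


def demo() -> tuple:
    """Baseline a constructed site, alter it, and return (diff, untrusted references)."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "css").mkdir()
        (root / "css" / "site.css").write_text("body { margin: 0 }")
        (root / "index.php").write_text(
            '<html><head><link href="/css/site.css"></head>'
            '<body><img src="https://www.example.invalid/logo.png">Welcome</body></html>'
        )
        baseline = build_baseline(root)
        # Constructed tampering: home page rewritten to load a script from an untrusted host, new file dropped
        (root / "index.php").write_text(
            '<html><body>Defaced<script src="https://cdn.untrusted.invalid/x.js"></script></body></html>'
        )
        (root / "unexpected.php").write_text("<?php /* constructed, unexpected file */ ?>")
        diff = compare(baseline, build_baseline(root))
        refs = external_refs((root / "index.php").read_text(), {"www.example.invalid"})
        return diff, refs


if __name__ == "__main__":
    changes, untrusted = demo()
    print("changes:", changes)
    print("untrusted references:", untrusted)
```

The comparison is driven by the content hash; the modification time is kept in the baseline only as supporting evidence, since an attacker who can write the file can also reset its timestamp. The baseline itself must be stored off the web server (and ideally signed), or a defacement can simply rewrite it too.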
Eradication
1. Patch identified vulnerabilities (including all technical and source code vulnerabilities).
2. Remove code/scripts installed by the attacker.
3. Change all user passwords if the web server provides user authentication and/or there is evidence or any reason to think that passwords may have been compromised.
4. Update patches, anti-virus and anti-malware signatures and scan the system for vulnerabilities.
5. Compare the eradication outcome against a known good backup.
Recovery
1. Full restore from a known good backup. Apply validated and verified latest database content updates on top of the known good backup if required, to compensate for any content changes between compromise and recovery.
2. Reconnect dependent systems.
3. Perform testing (sandbox test environment, user acceptance testing etc).
4. Reconnect the web server to the internal LAN/Internet, as required.
5. Confirm normal operations.