Advanced SOC Section 5 - Incident Response
Incident Lifecycle Management
Threat Management – NIST Aligned Process
(Diagram: kill-chain phases with their definitions)
- Situational Awareness: ability to identify what is happening in the network and system landscape
- Reconnaissance: identification and selection of the target host(s) or network by active scanning
- Weaponization & Delivery: transmission/injection of the malicious payload into the target(s)
- Lateral Movement: detect, exploit and compromise other vulnerable hosts
- Data Exfiltration: steal and exfiltrate data
- Persistency: establish a foothold in the corporate network
In military strategy, a “Kill Chain” is a phase model that describes the stages of an attack, which also helps inform ways to prevent attacks.
Incident Response
Kill Chain Model for Use Cases to Assist in Incident Response
Situational Awareness
- Outbound Protocols
- Outbound protocols by size
- Top destination Countries
- Top destination Countries by size
Reconnaissance
- Port scan activity
- ICMP query
Weaponization and Delivery
- Injection
- Cross Site Scripting
- Cross Site Request Forgery
- Failure to Restrict URL
- Downloaded binaries
- Top email subjects
- Domains mismatching
- Malicious or anomalous Office/Java/Adobe files
- Suspicious Web pages (iframe + [pdf|html|js])
Lateral Movement
- Remove or add account
- Remote WMI communications
- Remote Group Policy Editor
- Remote Session Communications (during outside working hours?)
- Antivirus terminated
Data Exfiltration
- Upload to cloud storage domains
- Suspicious HTTP methods (DELETE, PUT)
- Uploaded images
- FTP over non-standard port
- IRC communication
- SSH | ICMP tunneling
Persistency Phase
- Unusual User Agents
- Outbound SSL VPN
- Outbound unknown
Advanced SOC Incident Response - APT
Incident Response
Advanced Persistent Threat
An “Advanced Persistent Threat” is a complex, targeted cyber attack carried out over a long period of time (i.e. “persistent”). These attacks are well funded, mostly state sponsored and carried out by professionals. The motive behind the attack is to gain access to the target system and maintain that access for a prolonged period.
Step 1: Reconnaissance
Step 2: Initial Intrusion into the Network
Step 3: Establish a Backdoor into the Network
Step 4: Obtain User Credentials
Step 5: Install Various Utilities
Step 6: Privilege Escalation / Lateral Movement / Data Exfiltration
Step 7: Maintain Persistence
Incident Response
Incident Response Process - Preparation
(Process phases shown on each slide: Preparation; Identification & Verification; Containment; Eradication; Recovery; Post Incident Analysis; Investigation)
- Always install software from trusted sources and verify the digital signature and MD5 hash.
- Use benchmarks for building systems on the network, including hardened systems.
- Use group policy to distribute enterprise-wide endpoint security measures and remove admin privileges from all end-user systems and servers.
- Enable appropriate logging on all network devices.
- Leverage the SIEM to correlate data from multiple defense tool sources. Use the data to identify potential compromise indicators such as blocked emails, code execution in the browser, probable large data in HTML, outgoing traffic to specific IPs on unusual ports, abnormal DNS requests, drive-by malware downloads, AV clean-failed alerts, reinfection within 5 minutes, multiple failed DNS resolution attempts, SAM file access, privileged account failures and forced password changes.
- Systems that require admin privileges must be identified in the CMDB as high value targets.
- Identify and block all grey-listed domains.
- Collect detailed behavioral profiles of all the data and functions handled by each application.
- Decrypt and re-encrypt confidential traffic through applications or other encryption utilities, wherever possible.
- Identify, create and constantly update a list of all IPs known to be associated with malware command and control (Threat Intelligence / Reputation IP).
- Set up procedures for external notification through contributing to Open Source Intelligence.
Incident Response
Incident Response Process – Signs of Compromise
- Identification of the same email from a public domain sent to a significant number of users, C-level employees or high value targets; encrypted, password-protected and zipped attachments used to escape the email malware filter (put the user in the reference list).
- Endpoint / HIPS / host-based malware alerts for local script execution by the same user: raise an incident.
- Identify unusual traffic volumes to multiple ports or IP addresses, or excessive packet loss (e.g. a connection lasting over 4 hours to an external IP).
- Examine abnormal services on known ports and abnormal ports for well-known services; verify the reputation scores of the IPs (e.g. SSH to port 80).
- EDR and WAF alerts for scripts, hash mismatches.
- Botnet filter alerts for traffic to blacklisted domains.
- Email / spam filter misbehavior or maintenance activity followed by suspicious activity on the network, especially involving unknown or suspicious remote destinations.
- Monitor packet flow into and out of the network for likely patterns of Command and Control (C&C) traffic, outbound custom encrypted communications, covert communication channels with external entities, etc.
- Threat Intelligence alerts for connections / data sent to suspicious destinations outside the organization, especially those in less reputable geographic locations and at odd hours.
- Examine whether any data breach has occurred, e.g. a large HTML packet.
- Review hourly and daily reports of network usage to identify unusual occurrences and spikes in traffic.
Use Case
Use Case Model – Attack Based – Kill Chain – Use Case
(Table columns: Category | Sub Category | SIEM Rule Source | Use Case Condition | Action | Correlate)

Reconn | End point protection | Email gateway
  Condition: Harmful attachment (binary, infected Word or PDF file, password-protected or encrypted file attached) and the source of the email is an internal IP.
  Action: Add the email recipient machine's source IP address from the event to shortlist 1.

Delivery | End point protection | AV server
  Condition: All antivirus and anti-malware software events.
  Action: The source IP address is added to the compromised host active list.
  Correlate: Define a second high-level rule that cross-correlates to determine whether the host source IP address is also found on shortlist 1 (if yes, raise an incident).

Host Exploitation | End point protection | Local System
  Condition: Rule 1: A registry change has occurred in one of the registry start locations such as RunOnce. Rule 2: A new unknown process has been spawned.
  Action: Add them to shortlist 1.

C&C | End point protection | Firewall / IPS
  Condition: End point communicates with a known bad C&C IP address.
  Action: Add them to the compromised host active list.

Local Compromise | End Point protection | Local System
  Condition: Rule 1: Creation of local accounts. Rule 2: Creation or escalation of privileges. Rule 3: Group policy changes. Rule 4: Antivirus or anti-malware software processes have been terminated.
  Action: Add them to shortlist 2.
  Correlate: If an IP address exists on shortlist 2 more than once, raise an incident alert.

Internal Recon | End Point protection | Firewall / IPS
  Condition: Rule 1: Peer-to-peer communication. Rule 2: Beaconing of desktop network communications trying to find a way of routing to the Internet; this shows as firewall drop events. Rule 3: Multiple communications where both the source network zone and the destination network zone are desktop.
  Correlate: Correlate rules 1-3 where the source also exists on either shortlist 1 or shortlist 2; if it does, raise this as an incident and add the IP to the compromised host asset list.

Lateral Movement | End Point protection | Local System
  Condition: Rule 1: Windows program audit events where netstat has been used; add the source IP to shortlist 2. Rule 2: Windows net logon event; add the source IP address to shortlist 2.
  Action: Add to shortlist 2 for any of the events detected.
  Correlate: Correlation rule 2: If rules 1–6 correlate with an IP address on shortlist 1, raise an incident alert and add the IP to the compromised host asset list.

Establish Persistence | End Point protection | Firewall Internal
  Condition: Rule 1: Internal-to-internal communications between hosts in the same network zone on unknown communication channels, for example a desktop communicating with another desktop using HTTPS.

Data Exfiltration | Data Protection | Email gateway / Proxy and FW
  Condition: Rule 1: Windows program audit event where NTBackup has been used; add the source IP to shortlist 2. Rule 2: Windows events for registry access to the following registry locations, as this indicates the
  Correlate: Correlate multiple email sending events where attachments are sent to a single unknown email address in the same day for a total data size of > 100 MB; add to shortlist 1.
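As an added illustration (not code from the original deck), the shortlist logic of this table as a small Python correlator run over a constructed event stream; the event type names, field names, sample IPs and the registry autostart key set are assumptions made for the example.

```python
"""Constructed example, not code from the original deck: a minimal correlation
engine implementing the shortlist / compromised-host logic of the kill-chain
use case table over simplified event dicts. Event type and field names are
assumptions made for this example."""
from collections import Counter, defaultdict

# Registry autostart locations watched by the Host Exploitation rule (assumed set).
AUTOSTART_KEYS = {"Run", "RunOnce", "RunServices"}
EXFIL_BYTES_PER_DAY = 100 * 1024 * 1024      # "> 100 MB" per day from the table

LOCAL_COMPROMISE = {"local_account_created", "privilege_escalation",
                    "group_policy_change", "av_process_terminated"}
INTERNAL_RECON = {"p2p_traffic", "fw_drop_beacon", "desktop_to_desktop"}
LATERAL_MOVEMENT = {"netstat_used", "net_logon"}


class KillChainCorrelator:
    def __init__(self, known_bad_c2, known_mailboxes):
        self.known_bad_c2 = set(known_bad_c2)
        self.known_mailboxes = set(known_mailboxes)
        self.shortlist1 = set()              # delivery / exploitation suspects
        self.shortlist2 = Counter()          # local-compromise hits per source IP
        self.compromised = set()             # "compromised host active list"
        self.incidents = []                  # (use_case, ip), in the order raised
        self._mail_bytes = defaultdict(int)  # (sender_ip, day, recipient) -> bytes

    def _incident(self, use_case, ip):
        self.incidents.append((use_case, ip))
        self.compromised.add(ip)

    def ingest(self, ev):
        kind, src = ev["type"], ev.get("src_ip")
        if kind == "email_attachment":
            # Reconn: harmful attachment from an internal sender -> recipient on shortlist 1
            if ev.get("harmful") and ev.get("internal_sender"):
                self.shortlist1.add(ev["recipient_ip"])
        elif kind == "av_alert":
            # Delivery: any AV event -> compromised list; cross-check against shortlist 1
            self.compromised.add(src)
            if src in self.shortlist1:
                self._incident("delivery", src)
        elif kind == "registry_change":
            if ev.get("key") in AUTOSTART_KEYS:          # Host Exploitation rule 1
                self.shortlist1.add(src)
        elif kind == "new_process":
            if ev.get("unknown"):                        # Host Exploitation rule 2
                self.shortlist1.add(src)
        elif kind == "fw_connection":
            if ev.get("dst_ip") in self.known_bad_c2:    # C&C
                self.compromised.add(src)
        elif kind in LOCAL_COMPROMISE:
            # Local Compromise: count hits on shortlist 2; a repeat IP raises an incident
            self.shortlist2[src] += 1
            if self.shortlist2[src] > 1:
                self._incident("local_compromise", src)
        elif kind in INTERNAL_RECON:
            # Internal Recon rules 1-3 only matter for sources already on a shortlist
            if src in self.shortlist1 or src in self.shortlist2:
                self._incident("internal_recon", src)
        elif kind in LATERAL_MOVEMENT:
            # Lateral Movement: shortlist 2, and an incident if also on shortlist 1
            self.shortlist2[src] += 1
            if src in self.shortlist1:
                self._incident("lateral_movement", src)
        elif kind == "email_sent":
            # Data Exfiltration: > 100 MB of attachments to one unknown mailbox in a day
            if ev["recipient"] not in self.known_mailboxes:
                key = (src, ev["day"], ev["recipient"])
                self._mail_bytes[key] += ev["attachment_bytes"]
                if self._mail_bytes[key] > EXFIL_BYTES_PER_DAY:
                    self.shortlist1.add(src)


def run_demo():
    """Feed a constructed event stream and return the correlator state."""
    c = KillChainCorrelator(known_bad_c2={"203.0.113.9"},
                            known_mailboxes={"hr@corp.example"})
    mb = 1024 * 1024
    events = [
        {"type": "email_attachment", "harmful": True, "internal_sender": True,
         "recipient_ip": "10.0.0.5"},                                  # shortlist 1
        {"type": "av_alert", "src_ip": "10.0.0.5"},                    # -> delivery incident
        {"type": "local_account_created", "src_ip": "10.0.0.7"},       # shortlist 2 (1st hit)
        {"type": "av_process_terminated", "src_ip": "10.0.0.7"},       # 2nd hit -> incident
        {"type": "fw_connection", "src_ip": "10.0.0.8", "dst_ip": "203.0.113.9"},
        {"type": "desktop_to_desktop", "src_ip": "10.0.0.7"},          # on shortlist 2
        {"type": "desktop_to_desktop", "src_ip": "10.0.0.9"},          # on no list: ignored
        {"type": "email_sent", "src_ip": "10.0.0.11", "day": "day-1",
         "recipient": "drop@mail.example", "attachment_bytes": 60 * mb},
        {"type": "email_sent", "src_ip": "10.0.0.11", "day": "day-1",
         "recipient": "drop@mail.example", "attachment_bytes": 50 * mb},  # 110 MB total
    ]
    for ev in events:
        c.ingest(ev)
    return c


if __name__ == "__main__":
    state = run_demo()
    for use_case, ip in state.incidents:
        print(f"INCIDENT {use_case}: {ip}")
    print("compromised hosts:", sorted(state.compromised))
```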
Incident Response
Incident Response Process – Limit the Damage
- Move the infected system into a separate VLAN.
- Use packet capturing utilities to replay old (or malicious) traffic to identify additionally infected systems.
- Examine the system to identify any lateral movement made within the enterprise by the attacker and perform the same checks on the affected systems.
- Identify endpoint IOCs (hash, registry change, running process, running service) to identify the other infected systems.
- Based on the initial investigation, do the following: block the IP address of the attacker, terminate the vulnerable/infected process, disable the user or change the user password.
- Preserve information and artifacts associated with the incident.
- Update the firewall / anti-malware blacklist to block the attacker's IPs and monitor them in detail, including the communication protocol.
- Remove sensitive data from unsecured and unnecessary locations.
- Alert related key users to possible attacks and limit system & user privileges to copy, modify and delete secondary data/information.
- Alert law enforcement and other authorities such as the CERT, if required.
- Notify internal users and affected departments/system owners.
Incident Response
Incident Response Process – Source and Anatomy
- In case of spear phishing, verify the links clicked and the destination URL.
- Investigate the information provided or data uploaded on the phished site.
- Identify suspicious changes in listening ports, system services and drivers, startup tasks, and scheduled tasks on the infected system.
- Look for new accounts with high privileges or permission changes.
- Identify DNS requests.
- Verify Host Intrusion Prevention System (HIPS) alerts for execution of scripts or malicious code.
- Use file system and memory analysis and look for malware/code-specific entities in memory (process information, running service information).
- Analyze changes in the registry for unexpected registry keys.
- Extract and identify characteristics of the adversary shared with other affected systems; this may be achieved by using correlation rules to search for identified characteristics of attacks such as:
  - Files
  - System calls
  - Processes
  - Network
  - Ports
  - IP addresses
  - Host names
- Investigate further to identify all:
  - Active (beaconing) and passive (listening) backdoors
  - Other entry points like web servers, mail servers, VPN
Incident Response
Incident Response Process - Remove Cause
- Reset all affected system, user and service passwords.
- Remove backdoors by running an updated anti-malware tool; use vendor-supplied stand-alone removal tools (Stinger-type) as necessary for eradication and clean-up.
- Fix the vulnerable systems the attackers are exploiting for access by applying updated patches.
- Run registry cleaners and scan for memory-resident malicious code; clean up by booting from an alternate medium.
- Develop or update antivirus and/or security device (IPS/IDS) signatures.
- Re-engineer the system or systems to prevent re-infection.
- Segment critical data into more restricted areas and implement auditing for critical data access.
- Enable block mode for sensitive data on the data loss prevention tool.
Incident Response
Incident Response Process – Resume Normal Operation
- Clean all traces such as infected files, binaries, infected code and data.
- Clean browsing history, registry and memory. Preferably, after taking all snapshots, reinstall from a clean image.
- Update all antivirus / anti-malware programs with new signatures and patches.
- Scan the infected system with the latest antivirus and anti-malware programs.
- Scan all infected and interconnected systems for the suspicious items discovered, using the updated anti-malware that was used to disinfect the targeted systems.
- Perform system integrity checks for all infected systems.
- Restore all systems whose integrity was affected by the attack from the last known good backup.
- Confirm that all systems and services are restored to normal operation.
- Restore the data from the previous backup.
Incident Response
Incident Response Process – Post Mortem & Lessons Learned
- Perform forensics to identify the source of the attack and the motivation, e.g. state sponsors.
- Identify whether the attackers used a third party (e.g., contractor, client, joint venture) as an attack vector.
- Identify whether the attackers had insider assistance.
- Identify whether the attackers had physical access to the facilities or network.
- Collect evidence from packet captures / network information, logs, infected system browsing history, and malicious code and its reverse engineering.
- Reverse-engineer binaries to help identify attack methods, communication protocols, and attack servers.
- Create images of hard drives from infected hosts.
- Ensure preservation of evidence and maintain chain of custody as required by legal authorities.
- Perform communications (internal/external user groups, public media etc.).
Advanced SOC Exercise – IR Playbook
Example
Carbanak – A-SOC Capabilities
(Diagram: Carbanak attack flow, steps numbered 1-9. Labels as shown: Attacker using spearphished emails; Mail-Client; 2 Malicious Web server sends or reflects exploit code; 3 Follow link; 4 web-page + Word file with MA; Install Malware; Victim; Domain Name Server; Contact Updater by IP Address (C&C); Command & Control; Remotely Control Malware; Lateral Movement; Screen capture / Video recording; Data upload – Screens and VR.)
The second version of the diagram maps A-SOC monitoring capabilities onto the same flow:
a) Monitor DNS
b) Monitor NetFlow
c) Monitor Port & Protocol Usage
d) Monitor Web Traffic
e) Data in HTML
Response - NetFlow
Example
Carbanak – IOC
Purpose: The purpose of this document is to provide guidance to Tier 2 Triage and Tier 3 Response analysts on the approach to incident remediation.
Scope: The scope of this guidance includes 3 stages:
- Containment
- Eradication
- Recovery
Containment: The intention of this stage is to limit the damage caused by the incident without yet removing its cause. This is typically done as the first step, as it may take additional time to understand the cause of the incident and the appropriate eradication strategy. Examples of containment include shutting down affected systems, closing firewall ports, etc.
Eradication: This stage is typically done after the containment stage, and is where the cause of the incident is removed. Eradication can only be performed before containment if the incident cause is immediately clear and eradication can be performed swiftly, before additional damage is caused by the incident. Examples of eradication include deleting malicious code, removing malicious accounts, etc.
Recovery: This stage is done once the impacted “victim” system is no longer vulnerable. Examples of recovery include restoring from backup, patching servers, etc.
Incident Response
IR response process
Attack Category: Authentication (Internal User)
Attack Sub Categories: Misc Login Succeeded, Unknown Authentication, Host Login Succeeded, Host Login Failed, Misc Login Failed, Privilege Escalation Failed, Privilege Escalation Succeeded, Mail Service Login Succeeded, Mail Service Login Failed, Auth Server Login Failed, Auth Server, Group Added, Group Changed, Group Removed, Computer Account Added, Computer Account Changed, Computer Account Removed, Remote Access Login Succeeded, Remote Access Login Failed, General Authentication Successful, Telnet Login Succeeded, Telnet Login Failed, Suspicious Password, Samba Login Succeeded, Samba Login Failed, etc.
Response Remediation Options:
1. Containment
   a. Terminate processes with any active connections to the attacker IP or port
   b. Disable the user ID in question
2. Eradication
   a. Work with the network team to physically locate the internal attacker
   b. Turn off the switch port of the internal attacker
   c. Remove user access
3. Recovery
   a. Implement a strong password policy
   b. Reconfigure the vulnerable service as applicable
   c. Restore to a previous good state from backup or a recovery application
Incident Response
IR response process
“Website defacement” refers to any unauthorized change made to the appearance of either a single web page or an entire site. Worse, the hacker may replace the home page with an embarrassing (or worse) message.
- Web page defacement: the most straightforward and visually identifiable attack, where the web page content is changed and replaced by the perpetrators. The website data is not deleted.
- Data deletion: a second stage of damage where the website is defaced and the data and other pages are also deleted.
- Install malicious software: website defacement can be augmented by introducing malicious code into the target environment to establish a stronghold. The malicious code can then be used for further compromise such as lateral movement.
- IRC bot: in more severe cases, once the attacker has established a foothold, they can install an IRC bot which can then be controlled through IRC channels.
Incident Response
IR Playbook Exercise – Website Defacement
Preparation
1. Create a hot cluster of servers to run the website. Build a backup site and set up routing backups. Enable detailed logging on the web server and test the site for vulnerabilities.
2. The website should be protected by a WAF, IPS, host-based IPS and anti-malware, with logs and alerts monitored for unauthorized access, changes of files and privilege escalation to the system backups. Enable detailed logging on the web server and test the site for vulnerabilities.
3. Deploy monitoring tools to quickly detect any abnormal behavior on your critical websites (e.g. Sucuri).
4. The home page should be access-controlled from the management IP.
5. Log all access and alert on any change to the home page file; immediately verify against a change request.
Incident Response
IR Playbook Exercise – Website Defacement
Identification & Verification
SIEM Use Case
(Table columns: Monitored Element | Description | Log Source | Configuration / Threshold | Priority)
- More than 30 requests for the same web file (e.g. *.php) by the same IP address and port number, or the same user | During an attack the URL targeted by the attacker changes with each request, but the actual file name targeted with each request remains the same | Web Server | 30 requests in 5 minutes | Priority 2
- Home page (*.php) change | Enable the home page file auditing feature, configure an alert for file change and a priority 1 log alert | Web Server | File change from auditing - 1 | Priority 1
- DNS requests over port 80 | Infected hosts sending C&C communications masked as DNS requests over port 80 is common, so watch in the web gateway for any DNS request observed on port 80 | Web Server | Port / Protocol mismatch | Priority 1
- High number of HEAD requests on the web server | Likely indicating an attempt to discover vulnerable CGI scripts. A high number of non-standard HTTP requests indicates a possible attack or information gathering preceding an attack | Web Server | 10 in 1 min | Priority 2
- Web server not responding or slow response (HTML response time is huge) due to a possible DoS attack | Web server has not served any pages in an hour and the IDS has reported multiple DoS attack events | Web Server | Slow response / 10 sec to open file | Priority 2
- SQL Injection, XSS, Injection, Redirects, Failed attempts | SQL Injection, XSS and other attacks reported by the WAF | Web gateway / Firewall | – | Priority 1
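Added example, not code from the original deck: the first and fourth rows of this table (30 requests for the same file in 5 minutes; 10 HEAD requests in 1 minute) implemented as sliding-window checks over constructed Apache combined-format access log lines; the log lines, IP addresses and file names are constructed for the example.

```python
"""Constructed example, not code from the original deck: two of the SIEM use
case thresholds (same-file burst, HEAD burst) applied to Apache combined-format
access log lines. The log lines, IPs and file names are constructed below."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone
from urllib.parse import urlsplit

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+) \S+" (?P<status>\d{3}) \S+'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# rule name -> (window, threshold, priority); thresholds taken from the table
RULES = {
    "same_file_burst": (timedelta(minutes=5), 30, 2),   # >30 hits on one file per IP
    "head_burst": (timedelta(minutes=1), 10, 2),        # >10 HEAD requests per IP
}


def parse_line(line):
    """Return ip / timestamp / method / target file name, or None if unparsable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path = urlsplit(m.group("url")).path       # the query string changes, the file does not
    return {"ip": m.group("ip"),
            "ts": datetime.strptime(m.group("ts"), TS_FMT),
            "method": m.group("method"),
            "file": path.rsplit("/", 1)[-1]}


class SlidingCounter:
    """Number of events per key inside a trailing time window (events in time order per key)."""
    def __init__(self, window):
        self.window = window
        self.events = defaultdict(deque)

    def add(self, key, ts):
        q = self.events[key]
        q.append(ts)
        while ts - q[0] > self.window:         # drop events older than the window
            q.popleft()
        return len(q)


def detect(lines):
    """Return (rule, key, priority) alerts, one per key the first time it breaches."""
    counters = {name: SlidingCounter(window) for name, (window, _, _) in RULES.items()}
    fired, alerts = set(), []

    def check(rule, key, count):
        _, threshold, priority = RULES[rule]
        if count > threshold and (rule, key) not in fired:
            fired.add((rule, key))
            alerts.append((rule, key, priority))

    for raw in lines:
        ev = parse_line(raw)
        if ev is None:
            continue                           # malformed line: skip, do not break the rule
        file_key = (ev["ip"], ev["file"])
        check("same_file_burst", file_key,
              counters["same_file_burst"].add(file_key, ev["ts"]))
        if ev["method"] == "HEAD":
            check("head_burst", ev["ip"], counters["head_burst"].add(ev["ip"], ev["ts"]))
    return alerts


def constructed_log():
    """Constructed sample: one IP hammering index.php with a changing query string,
    a second IP issuing a HEAD burst, a third IP browsing normally, one junk line."""
    start = datetime(2024, 1, 1, 10, 0, 0, tzinfo=timezone.utc)

    def line(ip, offset_s, method, url):
        ts = (start + timedelta(seconds=offset_s)).strftime(TS_FMT)
        return f'{ip} - - [{ts}] "{method} {url} HTTP/1.1" 200 512'

    lines = [line("198.51.100.7", i * 6, "GET", f"/app/index.php?id={i}") for i in range(31)]
    lines += [line("198.51.100.9", 100 + i * 3, "HEAD", "/cgi-bin/test.cgi") for i in range(11)]
    lines += [line("192.0.2.20", i * 60, "GET", f"/page{i}.html") for i in range(5)]
    lines.append("not a log line")
    return lines


if __name__ == "__main__":
    for rule, key, prio in detect(constructed_log()):
        print(f"P{prio} {rule}: {key}")
```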
Response steps:
1. Extract the attack source IP from the SIEM, using the WAF or web server (IIS/Apache) as the log source
2. Notify the application owner of the attack
3. Implement a firewall rule to block the attacker IP
4. If the attack source is on the local network, remote into a machine within the same subnet as the unauthorized device
5. Ping the offending machine's IP
6. Run the “arp -a” command at the command prompt to extract the MAC address
7. Block the IP/MAC (NAC) and disable the user
(Slide: Identification & Verification – SQL Injection, diagram only)
Incident Response
IR Playbook Exercise – Website Defacement
Containment
1. Take the infected host out of the cluster.
2. Redirect all traffic to the backup servers.
3. If the source of the attack is another system on the network, disconnect it as soon as possible.
4. Conduct site/page replication for redirection, as required.
5. Disable links to the affected page or redirect to a correct version of the page.
6. Back up all data stored on the web server for forensic purposes and evidence collection. The best practice here, if applicable, is to make a complete bit-by-bit copy of the hard disk containing the web server. This will be helpful to recover deleted files.
Incident Response
IR Playbook Exercise – Website Defacement
Investigation
1. Check files with static content (in particular, check the modification dates and hash signatures).
2. Check mash-up content providers.
3. Check links present in the web page (src, meta, css, script etc.).
4. Review the database for modifications, content changes, traces of script injections, etc.
5. Review server logs and application access logs.
6. Look for evidence of data exfiltration.
Incident Response
IR Playbook Exercise – Website Defacement
Eradication
1. Patch identified vulnerabilities (including all technical and source code vulnerabilities).
2. Remove code/scripts installed by the attacker.
3. Change all user passwords if the web server provides user authentication and/or there is evidence or any reason to think that passwords may have been compromised.
4. Update patches, anti-virus and anti-malware, and scan the system for vulnerabilities.
5. Compare the eradication outcome against a known good backup.
Incident Response
IR Playbook Exercise – Website Defacement
Recovery
1. Full restore from a known good backup. Apply validated and verified latest database content updates on top of the known good backup, if required, to compensate for any content changes between compromise and recovery.
2. Reconnect dependent systems.
3. Perform testing (sandbox test environment, user acceptance testing etc.).
4. Reconnect the web server to the internal LAN/Internet, as required.
5. Confirm normal operations.
Questions, Comments and Feedback
 
Mapping the Enterprise Threat, Risk, and Security Control Landscape with Splunk
Mapping the Enterprise Threat, Risk, and Security Control Landscape with SplunkMapping the Enterprise Threat, Risk, and Security Control Landscape with Splunk
Mapping the Enterprise Threat, Risk, and Security Control Landscape with Splunk
 
NIST Cybersecurity Framework Cross Reference
NIST Cybersecurity Framework Cross ReferenceNIST Cybersecurity Framework Cross Reference
NIST Cybersecurity Framework Cross Reference
 
ISACA - China Cybersecurity Law Presentation - Kyle Lai - v3.2
ISACA - China Cybersecurity Law Presentation - Kyle Lai - v3.2ISACA - China Cybersecurity Law Presentation - Kyle Lai - v3.2
ISACA - China Cybersecurity Law Presentation - Kyle Lai - v3.2
 
Threat Based Risk Assessment
Threat Based Risk AssessmentThreat Based Risk Assessment
Threat Based Risk Assessment
 
NIST CyberSecurity Framework: An Overview
NIST CyberSecurity Framework: An OverviewNIST CyberSecurity Framework: An Overview
NIST CyberSecurity Framework: An Overview
 
QRadar, ArcSight and Splunk
QRadar, ArcSight and Splunk QRadar, ArcSight and Splunk
QRadar, ArcSight and Splunk
 
Visual Design with Data
Visual Design with DataVisual Design with Data
Visual Design with Data
 

Similar a Incident Response: Validation, Containment & Forensics

Ids 009 network attacks
Ids 009 network attacksIds 009 network attacks
Ids 009 network attacksjyoti_lakhani
 
Running Head Security Assessment Repot (SAR) .docx
Running Head  Security Assessment Repot (SAR)                    .docxRunning Head  Security Assessment Repot (SAR)                    .docx
Running Head Security Assessment Repot (SAR) .docxSUBHI7
 
Chapter_Five[1].ppt
Chapter_Five[1].pptChapter_Five[1].ppt
Chapter_Five[1].pptBachaSirata
 
firewalls.ppt
firewalls.pptfirewalls.ppt
firewalls.pptRaj Kumar
 
FireSIGHT Management Center (FMC) slides
FireSIGHT Management Center (FMC) slidesFireSIGHT Management Center (FMC) slides
FireSIGHT Management Center (FMC) slidesAmy Gerrie
 
Cyber warfare introduction
Cyber warfare introductionCyber warfare introduction
Cyber warfare introductionjagadeesh katla
 
Seucrity in a nutshell
Seucrity in a nutshellSeucrity in a nutshell
Seucrity in a nutshellYahia Kandeel
 
透视消费者.ppt
透视消费者.ppt透视消费者.ppt
透视消费者.pptwei mingyang
 
2014_protect_presentation
2014_protect_presentation2014_protect_presentation
2014_protect_presentationJeff Holland
 
Event - Internet Thailand - Total Security Perimeters
Event - Internet Thailand - Total Security PerimetersEvent - Internet Thailand - Total Security Perimeters
Event - Internet Thailand - Total Security PerimetersSomyos U.
 
Open source network forensics and advanced pcap analysis
Open source network forensics and advanced pcap analysisOpen source network forensics and advanced pcap analysis
Open source network forensics and advanced pcap analysisGTKlondike
 
How to protect your corporate from advanced attacks
How to protect your corporate from advanced attacksHow to protect your corporate from advanced attacks
How to protect your corporate from advanced attacksMicrosoft
 
Novetta Cyber Analytics
Novetta Cyber AnalyticsNovetta Cyber Analytics
Novetta Cyber AnalyticsNovetta
 
Get Real-Time Cyber Threat Protection with Risk Management and SIEM
Get Real-Time Cyber Threat Protection with Risk Management and SIEMGet Real-Time Cyber Threat Protection with Risk Management and SIEM
Get Real-Time Cyber Threat Protection with Risk Management and SIEMRapid7
 

Similar a Incident Response: Validation, Containment & Forensics (20)

Ids 009 network attacks
Ids 009 network attacksIds 009 network attacks
Ids 009 network attacks
 
Advanced Threat Protection
Advanced Threat ProtectionAdvanced Threat Protection
Advanced Threat Protection
 
Lan & Wan
Lan & WanLan & Wan
Lan & Wan
 
Lan & Wan
Lan & WanLan & Wan
Lan & Wan
 
ATP
ATPATP
ATP
 
Running Head Security Assessment Repot (SAR) .docx
Running Head  Security Assessment Repot (SAR)                    .docxRunning Head  Security Assessment Repot (SAR)                    .docx
Running Head Security Assessment Repot (SAR) .docx
 
Chapter_Five[1].ppt
Chapter_Five[1].pptChapter_Five[1].ppt
Chapter_Five[1].ppt
 
firewalls.ppt
firewalls.pptfirewalls.ppt
firewalls.ppt
 
FireSIGHT Management Center (FMC) slides
FireSIGHT Management Center (FMC) slidesFireSIGHT Management Center (FMC) slides
FireSIGHT Management Center (FMC) slides
 
Cyber warfare introduction
Cyber warfare introductionCyber warfare introduction
Cyber warfare introduction
 
Seucrity in a nutshell
Seucrity in a nutshellSeucrity in a nutshell
Seucrity in a nutshell
 
SOC-as-a-Service - comSpark 2019
SOC-as-a-Service - comSpark 2019SOC-as-a-Service - comSpark 2019
SOC-as-a-Service - comSpark 2019
 
透视消费者.ppt
透视消费者.ppt透视消费者.ppt
透视消费者.ppt
 
Security and-visibility
Security and-visibilitySecurity and-visibility
Security and-visibility
 
2014_protect_presentation
2014_protect_presentation2014_protect_presentation
2014_protect_presentation
 
Event - Internet Thailand - Total Security Perimeters
Event - Internet Thailand - Total Security PerimetersEvent - Internet Thailand - Total Security Perimeters
Event - Internet Thailand - Total Security Perimeters
 
Open source network forensics and advanced pcap analysis
Open source network forensics and advanced pcap analysisOpen source network forensics and advanced pcap analysis
Open source network forensics and advanced pcap analysis
 
How to protect your corporate from advanced attacks
How to protect your corporate from advanced attacksHow to protect your corporate from advanced attacks
How to protect your corporate from advanced attacks
 
Novetta Cyber Analytics
Novetta Cyber AnalyticsNovetta Cyber Analytics
Novetta Cyber Analytics
 
Get Real-Time Cyber Threat Protection with Risk Management and SIEM
Get Real-Time Cyber Threat Protection with Risk Management and SIEMGet Real-Time Cyber Threat Protection with Risk Management and SIEM
Get Real-Time Cyber Threat Protection with Risk Management and SIEM
 

Más de Priyanka Aash

Digital Personal Data Protection (DPDP) Practical Approach For CISOs
Digital Personal Data Protection (DPDP) Practical Approach For CISOsDigital Personal Data Protection (DPDP) Practical Approach For CISOs
Digital Personal Data Protection (DPDP) Practical Approach For CISOsPriyanka Aash
 
Verizon Breach Investigation Report (VBIR).pdf
Verizon Breach Investigation Report (VBIR).pdfVerizon Breach Investigation Report (VBIR).pdf
Verizon Breach Investigation Report (VBIR).pdfPriyanka Aash
 
Top 10 Security Risks .pptx.pdf
Top 10 Security Risks .pptx.pdfTop 10 Security Risks .pptx.pdf
Top 10 Security Risks .pptx.pdfPriyanka Aash
 
Simplifying data privacy and protection.pdf
Simplifying data privacy and protection.pdfSimplifying data privacy and protection.pdf
Simplifying data privacy and protection.pdfPriyanka Aash
 
Generative AI and Security (1).pptx.pdf
Generative AI and Security (1).pptx.pdfGenerative AI and Security (1).pptx.pdf
Generative AI and Security (1).pptx.pdfPriyanka Aash
 
EVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdf
EVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdfEVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdf
EVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdfPriyanka Aash
 
Cyber Truths_Are you Prepared version 1.1.pptx.pdf
Cyber Truths_Are you Prepared version 1.1.pptx.pdfCyber Truths_Are you Prepared version 1.1.pptx.pdf
Cyber Truths_Are you Prepared version 1.1.pptx.pdfPriyanka Aash
 
Cyber Crisis Management.pdf
Cyber Crisis Management.pdfCyber Crisis Management.pdf
Cyber Crisis Management.pdfPriyanka Aash
 
CISOPlatform journey.pptx.pdf
CISOPlatform journey.pptx.pdfCISOPlatform journey.pptx.pdf
CISOPlatform journey.pptx.pdfPriyanka Aash
 
Chennai Chapter.pptx.pdf
Chennai Chapter.pptx.pdfChennai Chapter.pptx.pdf
Chennai Chapter.pptx.pdfPriyanka Aash
 
Cloud attack vectors_Moshe.pdf
Cloud attack vectors_Moshe.pdfCloud attack vectors_Moshe.pdf
Cloud attack vectors_Moshe.pdfPriyanka Aash
 
Stories From The Web 3 Battlefield
Stories From The Web 3 BattlefieldStories From The Web 3 Battlefield
Stories From The Web 3 BattlefieldPriyanka Aash
 
Lessons Learned From Ransomware Attacks
Lessons Learned From Ransomware AttacksLessons Learned From Ransomware Attacks
Lessons Learned From Ransomware AttacksPriyanka Aash
 
Emerging New Threats And Top CISO Priorities In 2022 (Chennai)
Emerging New Threats And Top CISO Priorities In 2022 (Chennai)Emerging New Threats And Top CISO Priorities In 2022 (Chennai)
Emerging New Threats And Top CISO Priorities In 2022 (Chennai)Priyanka Aash
 
Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)
Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)
Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)Priyanka Aash
 
Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)
Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)
Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)Priyanka Aash
 
Cloud Security: Limitations of Cloud Security Groups and Flow Logs
Cloud Security: Limitations of Cloud Security Groups and Flow LogsCloud Security: Limitations of Cloud Security Groups and Flow Logs
Cloud Security: Limitations of Cloud Security Groups and Flow LogsPriyanka Aash
 
Cyber Security Governance
Cyber Security GovernanceCyber Security Governance
Cyber Security GovernancePriyanka Aash
 

Más de Priyanka Aash (20)

Digital Personal Data Protection (DPDP) Practical Approach For CISOs
Digital Personal Data Protection (DPDP) Practical Approach For CISOsDigital Personal Data Protection (DPDP) Practical Approach For CISOs
Digital Personal Data Protection (DPDP) Practical Approach For CISOs
 
Verizon Breach Investigation Report (VBIR).pdf
Verizon Breach Investigation Report (VBIR).pdfVerizon Breach Investigation Report (VBIR).pdf
Verizon Breach Investigation Report (VBIR).pdf
 
Top 10 Security Risks .pptx.pdf
Top 10 Security Risks .pptx.pdfTop 10 Security Risks .pptx.pdf
Top 10 Security Risks .pptx.pdf
 
Simplifying data privacy and protection.pdf
Simplifying data privacy and protection.pdfSimplifying data privacy and protection.pdf
Simplifying data privacy and protection.pdf
 
Generative AI and Security (1).pptx.pdf
Generative AI and Security (1).pptx.pdfGenerative AI and Security (1).pptx.pdf
Generative AI and Security (1).pptx.pdf
 
EVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdf
EVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdfEVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdf
EVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdf
 
DPDP Act 2023.pdf
DPDP Act 2023.pdfDPDP Act 2023.pdf
DPDP Act 2023.pdf
 
Cyber Truths_Are you Prepared version 1.1.pptx.pdf
Cyber Truths_Are you Prepared version 1.1.pptx.pdfCyber Truths_Are you Prepared version 1.1.pptx.pdf
Cyber Truths_Are you Prepared version 1.1.pptx.pdf
 
Cyber Crisis Management.pdf
Cyber Crisis Management.pdfCyber Crisis Management.pdf
Cyber Crisis Management.pdf
 
CISOPlatform journey.pptx.pdf
CISOPlatform journey.pptx.pdfCISOPlatform journey.pptx.pdf
CISOPlatform journey.pptx.pdf
 
Chennai Chapter.pptx.pdf
Chennai Chapter.pptx.pdfChennai Chapter.pptx.pdf
Chennai Chapter.pptx.pdf
 
Cloud attack vectors_Moshe.pdf
Cloud attack vectors_Moshe.pdfCloud attack vectors_Moshe.pdf
Cloud attack vectors_Moshe.pdf
 
Stories From The Web 3 Battlefield
Stories From The Web 3 BattlefieldStories From The Web 3 Battlefield
Stories From The Web 3 Battlefield
 
Lessons Learned From Ransomware Attacks
Lessons Learned From Ransomware AttacksLessons Learned From Ransomware Attacks
Lessons Learned From Ransomware Attacks
 
Emerging New Threats And Top CISO Priorities In 2022 (Chennai)
Emerging New Threats And Top CISO Priorities In 2022 (Chennai)Emerging New Threats And Top CISO Priorities In 2022 (Chennai)
Emerging New Threats And Top CISO Priorities In 2022 (Chennai)
 
Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)
Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)
Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)
 
Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)
Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)
Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)
 
Cloud Security: Limitations of Cloud Security Groups and Flow Logs
Cloud Security: Limitations of Cloud Security Groups and Flow LogsCloud Security: Limitations of Cloud Security Groups and Flow Logs
Cloud Security: Limitations of Cloud Security Groups and Flow Logs
 
Cyber Security Governance
Cyber Security GovernanceCyber Security Governance
Cyber Security Governance
 
Ethical Hacking
Ethical HackingEthical Hacking
Ethical Hacking
 

Último

Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...apidays
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Scriptwesley chun
 
GenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdfGenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdflior mazor
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Miguel Araújo
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...Martijn de Jong
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native ApplicationsWSO2
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processorsdebabhi2
 
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Jeffrey Haguewood
 
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...apidays
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProduct Anonymous
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc
 
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodPolkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodJuan lago vázquez
 
Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...
Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...
Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...apidays
 
Corporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxCorporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxRustici Software
 
MS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectorsMS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectorsNanddeep Nachan
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024The Digital Insurer
 
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...apidays
 
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWEREMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWERMadyBayot
 

Último (20)

Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
GenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdfGenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdf
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native Applications
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
 
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
 
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodPolkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
 
Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...
Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...
Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...
 
Corporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxCorporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptx
 
MS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectorsMS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectors
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
 
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWEREMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
 

Incident Response: Validation, Containment & Forensics

  • 1. Advanced SOC Section 5 - Incident Response
  • 2. Incident Lifecycle Management: Threat Management – NIST Aligned Process
  • 3. Incident Response: Kill Chain Model for Use Cases Assist in Incident Response
    In military strategy, a “Kill Chain” is a phase model to describe the stages of an attack, which also helps inform ways to prevent attacks.
    - Situational Awareness: ability to identify what is happening in the networks and system landscape
    - Reconnaissance: identification and selection of the target host(s) or network by active scanning
    - Weaponization & Delivery: transmission/injection of the malicious payload into the target(s)
    - Lateral Movement: detect, exploit and compromise other vulnerable hosts
    - Data Exfiltration: steal and exfiltrate data
    - Persistency: establish a foothold in the corporate network
  • 4. Incident Response: Kill Chain Model for Use Cases Assist in Incident Response
    Situational Awareness
    - Outbound Protocols
    - Outbound protocols by size
    - Top destination Countries
    - Top destination Countries by size
    Reconnaissance
    - Port scan activity
    - ICMP query
    Weaponization and Delivery
    - Injection
    - Cross Site Scripting
    - Cross Site Request Forgery
    - Failure to Restrict URL
    - Downloaded binaries
    - Top email subjects
    - Domains mismatching
    - Malicious or anomalous Office/Java/Adobe files
    - Suspicious Web pages (iframe + [pdf|html|js])
  • 5. Incident Response: Kill Chain Model for Use Cases Assist in Incident Response
    Lateral Movement
    - Remove or add account
    - Remote WMI communications
    - Remote Group Policy Editor
    - Remote Session Communications (outside working hours?)
    - Antivirus terminated
    Data Exfiltration
    - Upload on cloud storage domains
    - Suspicious HTTP Methods (Delete, Put)
    - Uploaded images
    - FTP over non standard port
    - IRC communication
    - SSH | ICMP Tunneling
    Persistency Phase
    - Unusual User Agents
    - Outbound SSL VPN
    - Outbound unknown
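The use cases on slides 4 and 5 are listed by name only. As an added example (not from the deck), the following Python turns four of them into detection logic over constructed firewall/IPS and web-proxy records, tagging each finding with its kill-chain phase: port scan activity (Reconnaissance), FTP over a non-standard port and suspicious HTTP methods (Data Exfiltration), and unusual user agents (Persistency). Field names, thresholds, the user-agent allow-list and the sample records are assumptions.

```python
"""Kill-chain use-case detectors over constructed log records.

Added example, not part of the original slide deck. Field names, thresholds
and the sample records below are assumptions chosen for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed firewall/IPS records; "app" is the application the IPS
# identified on the connection, independent of the destination port.
FW_EVENTS = [
    {"ts": f"2024-01-10T09:00:{i:02d}", "src": "10.0.1.5", "dst": "10.0.2.9",
     "dst_port": 20 + i, "app": "unknown"}
    for i in range(25)                      # 25 distinct ports in 25 seconds
] + [
    {"ts": "2024-01-10T09:05:00", "src": "10.0.1.7", "dst": "203.0.113.10",
     "dst_port": 2121, "app": "ftp"},       # FTP on a non-standard port
    {"ts": "2024-01-10T09:05:10", "src": "10.0.1.8", "dst": "203.0.113.20",
     "dst_port": 21, "app": "ftp"},         # FTP where it is expected
]

# Constructed web-proxy records.
PROXY_EVENTS = [
    {"ts": "2024-01-10T09:06:00", "src": "10.0.1.9", "method": "PUT",
     "host": "files.example.net", "ua": "Mozilla/5.0 (Windows NT 10.0)"},
    {"ts": "2024-01-10T09:06:05", "src": "10.0.1.9", "method": "GET",
     "host": "intranet.example.net", "ua": "Mozilla/5.0 (Windows NT 10.0)"},
    {"ts": "2024-01-10T09:07:00", "src": "10.0.1.11", "method": "GET",
     "host": "203.0.113.30", "ua": "updchk/0.1"},
]

# Assumed allow-list of user-agent prefixes that managed endpoints send.
KNOWN_UA_PREFIXES = ("Mozilla/", "Microsoft-CryptoAPI/", "Windows-Update-Agent")


def _ts(s):
    return datetime.fromisoformat(s)


def detect_port_scans(events, window_seconds=60, min_ports=20):
    """Reconnaissance: one source touching many distinct ports within a window."""
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)
    findings = []
    for src, evs in by_src.items():
        evs.sort(key=lambda e: _ts(e["ts"]))
        for i, first in enumerate(evs):
            limit = _ts(first["ts"]) + timedelta(seconds=window_seconds)
            ports = {e["dst_port"] for e in evs[i:] if _ts(e["ts"]) <= limit}
            if len(ports) >= min_ports:
                findings.append({"phase": "Reconnaissance",
                                 "use_case": "Port scan activity",
                                 "src": src, "ports": len(ports)})
                break                       # one finding per source is enough
    return findings


def detect_ftp_non_standard_port(events):
    """Data Exfiltration: FTP identified on a port other than 21."""
    return [{"phase": "Data Exfiltration", "use_case": "FTP over non standard port",
             "src": e["src"], "dst_port": e["dst_port"]}
            for e in events if e["app"] == "ftp" and e["dst_port"] != 21]


def detect_suspicious_http_methods(events, methods=("PUT", "DELETE")):
    """Data Exfiltration: write-style HTTP methods leaving the network."""
    return [{"phase": "Data Exfiltration", "use_case": "Suspicious HTTP Methods",
             "src": e["src"], "method": e["method"], "host": e["host"]}
            for e in events if e["method"].upper() in methods]


def detect_unusual_user_agents(events, known=KNOWN_UA_PREFIXES):
    """Persistency: a user agent no managed client is expected to send."""
    return [{"phase": "Persistency", "use_case": "Unusual User Agents",
             "src": e["src"], "ua": e["ua"]}
            for e in events if not e["ua"].startswith(known)]


def run_all(fw_events=FW_EVENTS, proxy_events=PROXY_EVENTS):
    """Run every detector and return the combined findings."""
    return (detect_port_scans(fw_events)
            + detect_ftp_non_standard_port(fw_events)
            + detect_suspicious_http_methods(proxy_events)
            + detect_unusual_user_agents(proxy_events))


if __name__ == "__main__":
    for f in run_all():
        print(f"[{f['phase']}] {f['use_case']}: {f}")
```

Each detector keeps the kill-chain phase in its finding so the SOC can see which stage a host has reached; the port-scan rule uses a sliding window per source rather than fixed minute buckets so a scan straddling a minute boundary is not missed.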
  • 6. Advanced SOC Incident Response - APT
  • 7. Incident Response: Advanced Persistent Threat
    An “Advanced Persistent Threat” is a complex and targeted cyber attack carried out over a long period of time (i.e. “persistent”). These attacks are well funded, mostly state sponsored and carried out by professionals. The motive behind the attack is to gain access to the target system and maintain that access for a prolonged period.
    Step 1: Reconnaissance
    Step 2: Initial Intrusion into the Network
    Step 3: Establish a Backdoor into the Network
    Step 4: Obtain User Credentials
    Step 5: Install Various Utilities
    Step 6: Privilege Escalation / Lateral Movement / Data Exfiltration
    Step 7: Maintain Persistence
  • 8. Incident Response Process – Preparation
    Process phases: Preparation → Identification & Verification → Containment → Eradication → Recovery → Post Incident Analysis → Investigation
    - Always install software from trusted sources and verify the digital signature and MD5 hash.
    - Use benchmarks for building systems on the network, including hardened systems.
    - Use group policy to distribute enterprise-wide end point security measures and remove admin privileges from all end user systems and servers.
    - Enable appropriate logging on all the network devices.
    - Leverage the SIEM to correlate data from multiple defense tool sources. Use the data to identify potential compromise, such as blocked emails, code execution in the browser, probable large data in HTML, outgoing traffic to specific IPs on unusual ports, abnormal DNS requests, drive-by malware download, AV clean fail alert, reinfection within 5 minutes, multiple failed DNS resolution attempts, SAM file access, privileged account failure, forced password change.
    - Systems that require admin privileges must be identified in the CMDB as high value targets.
    - Identify and block all grey-listed domains.
    - Collect detailed behavioral profiles on all the data and functions handled by each application.
    - Decrypt and re-encrypt confidential traffic through applications or other encryption utilities, wherever possible.
    - Identify, create and constantly update a list of all IPs that are known to be associated with malware command and control (Threat Intelligence / Reputation IP).
    - Set up procedures for external notification through contributing to Open Source Intelligence.
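The first preparation item, verifying a download against its published hash before installing it, is the one that is easiest to get subtly wrong. The Python below is an added example, not from the deck: it parses a manifest of the "algorithm digest filename" form, hashes the file once in a streaming pass, and compares every digest in constant time. It also carries the caveat a practitioner wants: an MD5 match alone is not accepted, because MD5 collisions are practical, so the manifest must include a SHA-256 entry. The manifest format, the file name and the installer bytes are constructed; in practice the vendor's published manifest replaces MANIFEST_TEXT.

```python
"""Verify a downloaded package against a trusted hash manifest before install.

Added example, not part of the original slide deck. The manifest format, the
file name and the bytes of the "installer" are constructed for illustration;
the vendor's published manifest stands in for MANIFEST_TEXT in practice.
"""
import hashlib
import hmac
import os
import tempfile

# Constructed manifest: "<algorithm> <hex digest> <file name>" per line.
MANIFEST_TEXT = """\
sha256  {sha256}  agent-setup.bin
md5     {md5}  agent-setup.bin
"""


def parse_manifest(text):
    """Map file name -> {algorithm: expected hex digest}; skip malformed lines."""
    expected = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        algo, digest, name = parts
        expected.setdefault(name, {})[algo.lower()] = digest.lower()
    return expected


def file_digests(path, algorithms=("sha256", "md5"), chunk=1 << 16):
    """Hash the file once, streaming, for every requested algorithm."""
    hashers = {a: hashlib.new(a) for a in algorithms}
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            for h in hashers.values():
                h.update(block)
    return {a: h.hexdigest() for a, h in hashers.items()}


def verify_file(path, expected):
    """Return (ok, details).

    Every digest in the manifest must match, and a SHA-256 entry is required:
    an MD5 match on its own is not proof of integrity, since MD5 collisions
    are practical. hmac.compare_digest keeps the comparison constant-time.
    """
    name = os.path.basename(path)
    if name not in expected:
        return False, {"reason": "file not in manifest"}
    if "sha256" not in expected[name]:
        return False, {"reason": "manifest has no SHA-256 entry"}
    actual = file_digests(path, tuple(expected[name]))
    details = {a: hmac.compare_digest(actual[a], d)
               for a, d in expected[name].items()}
    return all(details.values()), details


def demo():
    """Write a constructed installer, verify it, then verify a tampered copy."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "agent-setup.bin")
        with open(path, "wb") as fh:
            fh.write(b"constructed installer bytes\n" * 2000)
        # The manifest is built from the clean file here only to stand in for
        # the vendor-published one.
        expected = parse_manifest(MANIFEST_TEXT.format(**file_digests(path)))
        ok_clean, _ = verify_file(path, expected)
        with open(path, "ab") as fh:
            fh.write(b"\x90")                 # one appended byte: tampered download
        ok_tampered, details = verify_file(path, expected)
    return ok_clean, ok_tampered, details
```

Calling demo() returns (True, False, {...}): the clean file passes and the copy with a single appended byte fails on both digests, which is the behaviour an install gate should have before the package is ever executed.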
  • 9. Incident Response Process – Signs of Compromise
    - Identification of the same email from a public domain sent to a significant number of users, C-level employees or high value targets; encrypted attachments, password protected and zipped to escape the email malware filter (put the user in the reference list)
    - End point alert / HIPS / host based malware alerts for local script execution for the same user: raise an incident
    - Identify unusual traffic volumes to multiple ports or IP addresses, or excessive packet loss (e.g. a connection to an external IP lasting over 4 hours)
    - Examine abnormal services on known ports and abnormal ports for well-known services, and verify reputation scores of the IP (e.g. SSH to port 80)
    - EDR and WAF alerts for scripts, hash mismatch
    - Botnet filter alerts for traffic to blacklisted domains
    - Email / SPAM filter misbehavior or maintenance activity followed by suspicious activity on the network, especially related to unknown/suspicious remote destinations
    - Monitor packet flow inside and outside the network for likely patterns of Command and Control (C&C) traffic, outbound custom encrypted communications, covert communication channels with external entities, etc.
    - Threat Intelligence alerts for connections / data sent to suspicious destinations outside the organization, especially those in less reputable geographic locations and at odd hours
    - Examine whether any data breach has occurred, e.g. a large HTML packet
    - Review hourly and daily reports of network usage to identify unusual occurrences and spikes in traffic
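Three of the signs above are concrete enough to express as rules. As an added example (not from the deck), the Python below implements them over constructed email-gateway and flow records: the same public-domain sender mailing a protected attachment to many users or to a high-value target; a connection to an external IP open for more than 4 hours; and a service on the wrong well-known port (SSH on 80). The VIP list, public-domain list, internal address ranges, port baseline, thresholds and sample records are assumptions.

```python
"""Signs-of-compromise rules over constructed mail and flow records.

Added example, not part of the original slide deck. Thresholds, field names,
the VIP list, the internal ranges and the sample records are assumptions.
"""
import ipaddress
from collections import defaultdict
from datetime import datetime

HIGH_VALUE_USERS = {"ceo@example.com", "cfo@example.com"}          # assumed
PUBLIC_MAIL_DOMAINS = {"gmail.com", "outlook.com", "yahoo.com"}    # assumed
EXPECTED_APP_ON_PORT = {21: "ftp", 22: "ssh", 80: "http", 443: "ssl"}  # assumed baseline
INTERNAL_NETS = [ipaddress.ip_network(n)                           # assumed
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed email-gateway records.
MAIL_EVENTS = [
    {"sender": "invoice.team@gmail.com", "rcpt": f"user{i}@example.com",
     "subject": "Invoice 4471", "attachment": "invoice.zip", "protected": True}
    for i in range(12)
] + [
    {"sender": "invoice.team@gmail.com", "rcpt": "ceo@example.com",
     "subject": "Invoice 4471", "attachment": "invoice.zip", "protected": True},
    {"sender": "news@vendor.example", "rcpt": "user3@example.com",
     "subject": "May update", "attachment": None, "protected": False},
]

# Constructed flow records; "app" is what the IPS/NGFW identified.
FLOW_EVENTS = [
    {"src": "10.0.1.5", "dst": "203.0.113.50", "dst_port": 443, "app": "ssl",
     "start": "2024-01-10T08:00:00", "end": "2024-01-10T08:00:30"},
    {"src": "10.0.1.6", "dst": "203.0.113.51", "dst_port": 80, "app": "ssh",
     "start": "2024-01-10T02:00:00", "end": "2024-01-10T07:30:00"},
    {"src": "10.0.1.7", "dst": "10.0.2.9", "dst_port": 445, "app": "smb",
     "start": "2024-01-10T09:00:00", "end": "2024-01-10T18:00:00"},
]


def suspicious_mail_campaigns(events, min_recipients=10):
    """Same public-domain sender and subject with a protected attachment,
    fanned out to many recipients or to any high-value user."""
    groups = defaultdict(set)
    for e in events:
        domain = e["sender"].rsplit("@", 1)[-1].lower()
        if e["protected"] and domain in PUBLIC_MAIL_DOMAINS:
            groups[(e["sender"], e["subject"])].add(e["rcpt"].lower())
    findings = []
    for (sender, subject), rcpts in groups.items():
        vips = rcpts & HIGH_VALUE_USERS
        if len(rcpts) >= min_recipients or vips:
            findings.append({"sender": sender, "subject": subject,
                             "recipients": len(rcpts), "vips": sorted(vips)})
    return findings


def _is_external(ip):
    """External means outside the organisation's own address ranges."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def long_external_connections(flows, max_hours=4):
    """A connection to an external IP open for longer than max_hours."""
    out = []
    for f in flows:
        delta = datetime.fromisoformat(f["end"]) - datetime.fromisoformat(f["start"])
        hours = delta.total_seconds() / 3600
        if _is_external(f["dst"]) and hours > max_hours:
            out.append({"src": f["src"], "dst": f["dst"], "hours": round(hours, 2)})
    return out


def service_port_mismatch(flows, baseline=EXPECTED_APP_ON_PORT):
    """The application seen on a well-known port is not the one expected there."""
    return [{"src": f["src"], "dst": f["dst"], "dst_port": f["dst_port"], "app": f["app"]}
            for f in flows
            if f["dst_port"] in baseline and f["app"] != baseline[f["dst_port"]]]


if __name__ == "__main__":
    print(suspicious_mail_campaigns(MAIL_EVENTS))
    print(long_external_connections(FLOW_EVENTS))
    print(service_port_mismatch(FLOW_EVENTS))
```

The mail rule keys on sender plus subject rather than on a single message so that the recipient count reflects the whole campaign; the flow rules depend on the IPS having identified the application independently of the port, which is what makes "SSH to port 80" observable at all.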
  • 10. Use Case: Use Case Model – Attack Based – Kill Chain Use Case
    Columns: Category | Sub Category | SIEM Rule Source | Use Case Condition | Action | Correlate
    Reconn | End point protection | Email gateway | Harmful attachment (binary / infected Word or PDF file, password-protected or encrypted file attached) and the source of the email is an internal IP | Add the source IP address of the email recipient machines to shortlist 1 | -
    Delivery | End point protection | AV server | All antivirus and anti-malware software events | Source IP address is added to the compromised host active list | Define a second high-level rule that cross-correlates to determine whether the host source IP address is also found on shortlist 1 (if yes, raise an incident)
    Host Exploitation | End point protection | Local System | Rule 1: A registry change has occurred in one of the registry start locations such as RunOnce. Rule 2: A new unknown process has been spawned | Add them to shortlist 1 | -
    C&C | End point protection | Firewall / IPS | End point communicates to a known bad C&C IP address | Add them to the compromised active list | -
    Local Compromise | End point protection | Local System | Rule 1: Creation of local accounts. Rule 2: Escalation of privileges. Rule 3: Group policy changes. Rule 4: Antivirus or anti-malware software processes have been terminated | Add them to shortlist 2 | Correlation rule: if an IP address exists on shortlist 2 more than once, raise an incident alert
    Internal Recon | End point protection | Firewall / IPS | Rule 1: Peer-to-peer communication. Rule 2: Beaconing of desktop network communications trying to find a way of routing to the Internet; this shows as firewall drop events. Rule 3: Multiple communications where the source network zone is desktop and the destination network zone is desktop | - | Correlate rules 1-3 where the source also exists on either shortlist 1 or shortlist 2; if it does, raise this as an incident and add the IP to the compromised host asset list
    Lateral Movement | End point protection | Local System | Rule 1: Windows program audit events where netstat has been used; add the source IP to shortlist 2. Rule 2: Windows net logon event; add the source IP address to shortlist 2 | Add to shortlist 2 for any of the events detected | Correlation rule 2: if rules 1—6 correlate with an IP address on shortlist 1, raise an incident alert and add to the compromised host asset list
    Establish Persistence | End point protection | Firewall Internal | Rule 1: Internal-to-internal communications between hosts in the same network zone on unknown communication channels, for example a desktop communicating to another desktop using HTTPS | - | -
    Data Exfiltration | Data Protection | Email gateway / Proxy and FW | Rule 1: Windows program audit event where NTBackup has been used; add the source IP to shortlist 2. Rule 2: Windows events for registry access to the following registry locations, as this indicates the | - | Correlate multiple email sending events where attachments are being sent to a single unknown email address in the same day for a total data size of > 100 MB; add to shortlist 1
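The shortlist-and-correlate logic from the table above, as an added example that is not from the original slides: one Python pass over constructed endpoint, AV and firewall events that maintains shortlist 1, shortlist 2 and the compromised host list and raises the Delivery, Local Compromise and Internal Recon incidents the table describes. The event category names, IP addresses and single-pass ordering are assumptions; a real SIEM would key on its own field names and active lists.

```python
# Added example, not from the original slides: a minimal correlation pass for the
# shortlist model in the use-case table. Event categories, IPs and details are constructed.
from collections import Counter

# Constructed sample events: (category, source_ip, detail), in arrival order
EVENTS = [
    ("email_attachment", "10.1.1.5", "password-protected zip from an internal sender"),
    ("av_alert", "10.1.1.5", "trojan quarantined"),                # Delivery: host is on shortlist 1
    ("av_alert", "10.1.1.9", "PUA detected"),                      # no prior phish: compromised list only
    ("local_account_created", "10.1.1.7", "new local admin account"),
    ("av_process_terminated", "10.1.1.7", "AV service stopped"),   # 2nd shortlist-2 hit: incident
    ("fw_drop_internet", "10.1.1.9", "repeated drops to 203.0.113.10:8080"),
    ("desktop_to_desktop", "10.1.1.5", "445/tcp to 10.1.1.22"),    # recon from a shortlist-1 host
]

# Assumed mapping of event categories to the slide's rules
SHORTLIST1_EVENTS = {"email_attachment", "registry_run_key", "new_unknown_process"}   # Reconn / Host Exploitation
SHORTLIST2_EVENTS = {"local_account_created", "priv_escalation", "gpo_change",          # Local Compromise /
                     "av_process_terminated", "netstat_audit", "net_logon"}             # Lateral Movement
RECON_EVENTS = {"p2p_comm", "fw_drop_internet", "desktop_to_desktop"}                  # Internal Recon rules 1-3


def correlate(events):
    """Return (incidents, compromised_hosts) after one pass over the events."""
    shortlist1 = set()
    shortlist2_hits = Counter()       # IP -> number of shortlist-2 events seen
    compromised = set()
    incidents = []
    for category, ip, _detail in events:
        if category in SHORTLIST1_EVENTS:
            shortlist1.add(ip)
        elif category in SHORTLIST2_EVENTS:
            shortlist2_hits[ip] += 1
            if shortlist2_hits[ip] > 1:                 # "exists on shortlist 2 more than once"
                incidents.append(("local_compromise", ip))
        elif category == "av_alert":
            compromised.add(ip)                         # every AV event lands on the compromised list
            if ip in shortlist1:                        # second-level rule: AV hit on a phished host
                incidents.append(("delivery", ip))
        elif category == "c2_known_bad":
            compromised.add(ip)
        elif category in RECON_EVENTS:
            if ip in shortlist1 or ip in shortlist2_hits:
                incidents.append(("internal_recon", ip))
                compromised.add(ip)
    return incidents, compromised


if __name__ == "__main__":
    found, hosts = correlate(EVENTS)
    for kind, ip in found:
        print(f"INCIDENT {kind}: {ip}")
    print("compromised host list:", sorted(hosts))
```

Note that 10.1.1.9 ends up on the compromised host list through its AV event but raises no incident, because it was never on shortlist 1 or 2; that is the distinction between the lists and the incident-raising correlations.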
  • 11. Incident Response: Incident Response Process – Limit the Damage
     Take the infected system into a separate VLAN
     Use packet capturing utilities to replay old (or malicious) traffic to identify additionally infected systems
     Examine the system to identify any lateral movement made within the enterprise by the attacker, and perform the same checks on affected systems
     Identify end point IOCs (hash, registry change, running process, running service) to identify the other infected systems
     Based on the initial investigation, do the following: block the IP address of the attacker, terminate the vulnerable / infected process, disable the user or change the user password
     Preserve information and artifacts associated with the incident
     Update the firewall / anti-malware blacklist to block the attacker's IPs and monitor them in detail, including the communication protocol
     Remove sensitive data from unsecured and unnecessary locations
     Alert related key users to possible attacks and limit system and user privileges to copy, modify and delete secondary data / information
     Alert law enforcement and other authorities such as the CERT, if required
     Notify internal users and affected departments / system owners
  • 12. Incident Response: Incident Response Process – Source and Anatomy
     In case of spear phishing, verify the links clicked and the destination URL
     Investigate the information provided or data uploaded on the phishing site
     Identify suspicious changes in listening ports, system services and drivers, startup tasks and scheduled tasks on the infected system
     Look for new accounts with high privileges or permission changes
     Identify DNS requests
     Verify Host Intrusion Prevention System (HIPS) alerts for execution of scripts or malicious code
     Use file system and memory analysis and look for malware- or code-specific entities in memory (process information, running service information)
     Analyze changes in the registry for unexpected registry keys
     Extract and identify characteristics of the adversary across other affected systems; this may be achieved by using correlation rules to search for identified characteristics of attacks such as: files, system calls, processes, network, ports, IP addresses, host names
     Investigate further to identify all active (beaconing) and passive (listening) backdoors, and other entry points like web servers, mail servers and VPN
  • 13. Incident Response: Incident Response Process – Remove Cause
     Reset all affected system, user and service passwords
     Remove backdoors by running an updated anti-malware tool; use vendor-supplied stingers as necessary for eradication and clean-up
     Fix the vulnerable systems the attackers are exploiting for access, with updated patches
     Run registry cleaners, scan for memory-resident malicious code and clean up with alternate boot media
     Develop or update antivirus and/or security device (IPS/IDS) signatures
     Re-engineer the system or systems to prevent re-infection
     Segment critical data into more restricted areas and implement auditing for critical data access
     Enable block mode for sensitive data on the data loss prevention tool
  • 14. Incident Response: Incident Response Process – Resume Normal Operation
     Clean all traces such as infected files, binaries, infected code and data
     Clean browsing history, registry and memory; preferably, after taking all snapshots, reinstall from a clean image
     Update all antivirus / anti-malware programs with new signatures and patches
     Scan the infected system with the latest antivirus and anti-malware programs
     Scan for suspicious items discovered on all infected and interconnected systems using the updated anti-malware used to disinfect the targeted systems
     Perform system integrity checks for all infected systems
     Restore all systems whose integrity was affected by the attack from the last known good backup
     Confirm all systems and services are restored to normal operations
     Restore the data from the previous backup
  • 15. Incident Response: Incident Response Process – Post Mortem & Lessons Learned
     Perform forensics to identify the source of the attack and the motivation, e.g. state sponsors
     Identify whether the attackers used a third party (e.g., contractor, client, joint venture) as an attack vector
     Identify whether the attackers had insider assistance
     Identify whether the attackers had physical access to the facilities or network
     Collect evidence from packet captures / network information, logs, the infected system's browsing history, and the malicious code and its reverse engineering
     Reverse-engineer binaries to help identify attack methods, communication protocols and attack servers
     Create images of hard drives from infected hosts
     Ensure preservation of evidence and maintain chain of custody as required by legal authorities
     Perform communications (internal/external user groups, public media, etc.)
  • 16. Advanced SOC Exercise – IR Playbook
  • 17. Example Carbanak – A-SOC Capabilities (attack-flow diagram; only its labels survive): attacker uses spear-phished emails; Word file with MA delivered to the victim's mail client; follow link; malicious web server sends or reflects exploit code; web page + <click>; install malware; victim Domain Name Server; malware contacts updater by IP address (C&C); remotely control malware; lateral movement; screen capture / video recording; data upload – screens and VR.
  • 18. Example Carbanak – A-SOC Capabilities (the same diagram annotated with monitoring points): a) Monitor DNS; b) Monitor NetFlow; c) Monitor Port & Protocol Usage; d) Monitor Web Traffic; e) Data in HTML Response – NetFlow.
  • 20. Incident Response: IR response process
    Purpose: The purpose of this document is to provide guidance to Tier 2 Triage and Tier 3 Response analysts on the approach to incident remediation.
    Scope: The scope of this guidance includes three stages: Containment, Eradication and Recovery.
    Containment: The intention of this stage is to limit the damage caused by the incident without yet removing its cause. This is typically done as the first step, as it may take additional time to understand the cause of the incident and the appropriate eradication strategy. Examples of containment include shutting down affected systems, closing firewall ports, etc.
    Eradication: This stage is typically done after the containment stage, and it is where the cause of the incident is removed. Eradication can only be performed before containment if the incident cause is immediately clear and eradication can be performed swiftly, before additional damage is caused by the incident. Examples of eradication include deleting malicious code, removing malicious accounts, etc.
    Recovery: This stage is done once the impacted ("victim") system is no longer vulnerable. Examples of recovery include restoring from backup, patching servers, etc.
  • 21. Incident Response: IR response process
    Attack Category: Authentication (Internal User)
    Attack Sub Categories: Misc Login Succeeded, Unknown Authentication, Host Login Succeeded, Host Login Failed, Misc Login Failed, Privilege Escalation Failed, Privilege Escalation Succeeded, Mail Service Login Succeeded, Mail Service Login Failed, Auth Server Login Failed, Auth Server, Group Added, Group Changed, Group Removed, Computer Account Added, Computer Account Changed, Computer Account Removed, Remote Access Login Succeeded, Remote Access Login Failed, General Authentication Successful, Telnet Login Succeeded, Telnet Login Failed, Suspicious Password, Samba Login Succeeded, Samba Login Failed, etc.
    Response Remediation Options:
    1. Containment
       a. Terminate processes with any active connections to the attacker IP or port
       b. Disable the user ID in question
    2. Eradication
       a. Work with the network team to physically locate the internal attacker
       b. Turn off the switch port of the internal attacker
       c. Remove user access
    3. Recovery
       a. Implement a strong password policy
       b. Reconfigure the vulnerable service as applicable
       c. Restore to a previous good state from backup or a recovery application
  • 22. Incident Response: IR Response Exercise – Website Defacement
    "Website defacement" refers to any unauthorized change made to the appearance of either a single web page or an entire site. At its most visible, the attacker replaces the home page with an embarrassing (or worse) message.
     Web page defacement: The most straightforward and visually identifiable attack, where the web page content is changed and replaced by the perpetrators. The website data is not deleted.
     Data deletion: A second stage of damage, where the website is defaced and the data and other pages are also deleted.
     Install malicious software: Website defacement can be augmented by introducing malicious code into the target environment to establish a stronghold. The malicious code can then be used for further compromises such as lateral movement.
     IRC bot: In more severe cases, once the attacker has established a foothold, they can install an IRC bot which can then be controlled through IRC channels.
  • 23. Incident Response: IR Playbook Exercise – Website Defacement – Preparation
    1. Create a hot cluster of servers to run the website. Build a backup site and set up routing backups.
    2. The website should be protected by a WAF, IPS, host-based IPS and anti-malware, with logs and alerts monitored for unauthorized access, changes to files and privilege escalation on the system backups. Enable detailed logging on the web server and test the site for vulnerabilities.
    3. Deploy monitoring tools to quickly detect any abnormal behaviour on your critical websites (e.g. Sucuri).
    4. The home page should be access controlled from the management IP.
    5. Log all access and alert on any change to the home page file; immediately verify against a change request.
  • 24. Incident Response: IR Playbook Exercise – Website Defacement – Identification & Verification
    SIEM use cases (Monitored Element | Description | Log Source | Configuration / Threshold | Priority):
    More than 30 requests for the same web file (e.g. *.php) by the same IP address and port number, or by the same user | During an attack the URL targeted by the attacker changes with each request, but the actual file name targeted by each request remains the same | Web Server | 30 requests in 5 minutes | 2
    Home page (*.php) change | Enable the home page file auditing feature; configure an alert for file change and a priority 1 log alert | Web Server | File change from auditing - 1 | 1
    DNS requests over port 80 | Infected hosts sending C&C communications masked as DNS requests over port 80 is common, so watch in the web gateway for any DNS request observed on port 80 | Web Server | Port / protocol mismatch | 1
    High number of HEAD requests on the web server | Likely indicating an attempt to discover vulnerable CGI scripts. A high number of non-standard HTTP requests indicates a possible attack or information gathering preceding an attack | Web Server | 10 in 1 minute | 2
    Web server not responding or slow response (HTML response time is huge) due to a possible DoS attack | The web server has not served any pages in an hour and the IDS has reported multiple DoS attack events | Web Server | Slow response / 10 sec to open a file | 2
    SQL Injection, XSS, Injection, Redirects, Failed attempts | SQL Injection, XSS and other attacks reported by the WAF | Web gateway / Firewall | - | 1
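The two rate-based use cases in the table (the same file requested more than 30 times in 5 minutes by one IP, and more than 10 HEAD requests in 1 minute), as an added example that is not from the original slides, run over constructed Apache combined-format access-log lines with a sliding window per key. The log lines, timestamps and IP addresses are constructed; the DNS-over-port-80 and WAF rows need gateway data that web access logs do not carry, so they are not covered here.

```python
# Added example, not from the original slides: the two request-rate use cases from the
# table, run over constructed Apache combined-format access-log lines.
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<url>\S+) \S+" (?P<status>\d{3})')

def parse(line):
    """Return (ip, timestamp, method, path) or None; the query string is dropped
    because the attacked file stays the same while the URL changes per request."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["ip"], ts, m["method"], m["url"].split("?", 1)[0]

def rate_alerts(lines, same_file_limit=30, same_file_window=300, head_limit=10, head_window=60):
    """Sliding-window counters; an alert key is emitted once its count exceeds the limit."""
    windows = defaultdict(deque)          # key -> timestamps still inside the window
    alerts = set()
    for line in lines:                    # lines are assumed to be in time order
        rec = parse(line)
        if rec is None:
            continue
        ip, ts, method, path = rec
        checks = [(("same_file", ip, path), same_file_limit, same_file_window)]
        if method == "HEAD":
            checks.append((("head_scan", ip), head_limit, head_window))
        for key, limit, window in checks:
            q = windows[key]
            q.append(ts)
            while ts - q[0] > timedelta(seconds=window):
                q.popleft()
            if len(q) > limit:
                alerts.add(key)
    return alerts

def constructed_log():
    """Constructed traffic: a benign browser, a same-file hammering client, a HEAD scanner."""
    base = datetime(2024, 1, 15, 10, 0, 0)
    fmt = '{ip} - - [{ts}] "{m} {url} HTTP/1.1" {st} 512 "-" "Mozilla/5.0"'

    def line(ip, secs, m, url, st=200):
        ts = (base + timedelta(seconds=secs)).strftime("%d/%b/%Y:%H:%M:%S +0000")
        return fmt.format(ip=ip, ts=ts, m=m, url=url, st=st)

    lines = [line("192.0.2.5", i * 30, "GET", "/index.php") for i in range(8)]
    lines += [line("198.51.100.7", i * 6, "GET", f"/index.php?id={i}", 500) for i in range(35)]
    lines += [line("198.51.100.9", i * 4, "HEAD", f"/cgi-bin/test{i}.cgi", 404) for i in range(12)]
    return sorted(lines, key=lambda l: parse(l)[1])

if __name__ == "__main__":
    for key in sorted(rate_alerts(constructed_log())):
        print("ALERT", key)
```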
  • 25. Incident Response: IR Playbook Exercise – Website Defacement – SQL Injection – Identification & Verification
    1. Extract the attack source IP from the SIEM / WAF, using the web server (IIS/Apache) as the log source
    2. Notify the application owner of the attack
    3. Implement a firewall rule to block the attacker IP
    4. If the attack source is on the local network, remote to a machine within the same subnet as the unauthorized device
    5. Ping the offending machine's IP
    6. Run the "arp -a" command at the command prompt to extract the MAC address
    7. Block the IP/MAC (NAC) and disable the user
  • 26. Incident Response: IR Playbook Exercise – Website Defacement – Containment
    1. Take the infected host out of the cluster.
    2. Redirect all traffic to the backup servers.
    3. If the source of the attack is another system on the network, disconnect it as soon as possible.
    4. Conduct site/page replication for redirection, as required.
    5. Disable links to the affected page or redirect to a correct version of the page.
    6. Back up all data stored on the web server for forensic purposes and evidence collection. Best practice here, where applicable, is to make a complete bit-by-bit copy of the hard disk containing the web server; this helps to recover deleted files.
  • 27. Incident Response: IR Playbook Exercise – Website Defacement – Investigation
    1. Check files with static content (in particular, check the modification dates and hash signatures).
    2. Check mash-up content providers.
    3. Check links present in the web page (src, meta, css, script, etc.).
    4. Review the database for modifications, content changes, traces of script injections, etc.
    5. Review server logs and application access logs.
    6. Look for evidence of data exfiltration.
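Steps 1 and 3 of the investigation list (modification dates and hash signatures of static content; src/href links in the page), as an added example that is not from the original slides: a baseline manifest of the web root is compared against its current state, and script/iframe/img/link targets on the home page are checked against a set of trusted hosts. The web root, file contents, domains and trusted hosts are all constructed in a temporary directory; a real baseline would be taken at deployment time and stored off the web server.

```python
# Added example, not from the original slides: static-content integrity check (hash plus
# modification time per file) and a scan for external script/iframe/img/link targets.
# The web root, its files and all domains are constructed in a temporary directory.
import hashlib
import re
import tempfile
from pathlib import Path

LINK_RE = re.compile(r'<(?:script|iframe|img|link)\b[^>]*?\b(?:src|href)\s*=\s*["\']([^"\']+)["\']', re.I)
HOST_RE = re.compile(r'^(?:https?:)?//([^/]+)', re.I)

def manifest(root):
    """Map relative path -> (sha256 hex digest, mtime) for every file under root."""
    out = {}
    for p in Path(root).rglob("*"):
        if p.is_file():
            out[str(p.relative_to(root))] = (hashlib.sha256(p.read_bytes()).hexdigest(), int(p.stat().st_mtime))
    return out

def diff_manifests(baseline, current):
    """Files added, removed, or whose hash changed since the baseline was taken."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(f for f in baseline.keys() & current.keys() if baseline[f][0] != current[f][0]),
    }

def external_links(html, trusted_hosts):
    """src/href targets in script/iframe/img/link tags whose host is not in trusted_hosts."""
    hits = []
    for url in LINK_RE.findall(html):
        m = HOST_RE.match(url)                       # relative paths have no host and are skipped
        if m and m.group(1).lower() not in trusted_hosts:
            hits.append(url)
    return hits

def demo():
    """Build a constructed web root, take a baseline, simulate a defacement, report the findings."""
    with tempfile.TemporaryDirectory() as root:
        web = Path(root)
        (web / "index.php").write_text("<html><script src='/js/app.js'></script>Welcome</html>")
        (web / "about.html").write_text("<html>About us</html>")
        baseline = manifest(root)
        # constructed defacement: home page rewritten with a remote script, extra file dropped
        (web / "index.php").write_text("<html><script src='//cdn.example.net/x.js'></script>Defaced</html>")
        (web / "new_file.php").write_text("<?php /* constructed placeholder for an attacker-dropped file */ ?>")
        changes = diff_manifests(baseline, manifest(root))
        links = external_links((web / "index.php").read_text(), {"www.example.com"})
        return changes, links

if __name__ == "__main__":
    changes, links = demo()
    print("changed files:", changes)
    print("untrusted link targets on the home page:", links)
```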
  • 28. Incident Response: IR Playbook Exercise – Website Defacement – Eradication
    1. Patch identified vulnerabilities (including all technical and source code vulnerabilities).
    2. Remove code/scripts installed by the attacker.
    3. Change all user passwords if the web server provides user authentication and/or there is evidence or any reason to think that passwords may have been compromised.
    4. Update patches, anti-virus and anti-malware, and scan the system for vulnerabilities.
    5. Compare the eradication outcome against a known good backup.
  • 29. Incident Response: IR Playbook Exercise – Website Defacement – Recovery
    1. Full restore from a known good backup. Apply validated and verified latest database content updates on top of the known good backup if required, to compensate for any content changes between compromise and recovery.
    2. Reconnect dependent systems.
    3. Perform testing (sandbox test environment, user acceptance testing, etc.).
    4. Reconnect the web server to the internal LAN/Internet, as required.
    5. Confirm normal operations.