The document describes an incident response case involving the compromise of a company's network. An attacker first gained access via a spear phishing email that exploited a vulnerable version of Adobe Acrobat. They then stole VPN credentials, allowing remote access from their home system. Over several weeks, the attacker performed reconnaissance and stole sensitive engineering data by modifying file permissions. The company's implementation of a SIEM tool helped identify the attacker's activities and multiple compromised accounts. An incident response team was brought in to fully eradicate the threat and secure the network.
Slides for a college course based on "Incident Response & Computer Forensics, Third Edition" by Jason Luttgens, Matthew Pepe, and Kevin Mandia.
Teacher: Sam Bowne
Website: https://samsclass.info/121/121_F16.shtml
Ch 1: Real-World Incidents
2. Events and Incidents
• Event
  • Any observable occurrence in a system or network
• Incident
  • Violation or threat of violation of security policies, acceptable use policies, or standard security practices
3. Incident Response
• Confirm whether an incident occurred
• Rapid detection and containment
• Determine scope
• Prevent a disjointed, noncohesive response
• Determine and promote facts and actual information
• Minimize disruption to business and network operations
4. Incident Response
• Minimize damage to the compromised organization
• Restore normal operations
• Manage public perception
• Allow for legal action against perpetrators
• Educate senior management
• Enhance security posture against future incidents
5. IR Teams
• Investigation team
  • Determines what has happened and performs a damage assessment
• Remediation team
  • Removes the attacker and enhances security posture
• Public relations
6. Live Response
• Classical forensics was done post-mortem
  • On a hard disk image
• Now much analysis is performed on systems that are powered on (live)
  • Including memory analysis to see running processes, network connections, etc.
8. Initial Compromise
• Early January: SQL injection vulnerability exploited on server WEB1
  • In a DMZ belonging to a small business unit purchased by the parent organization four years prior
• Command execution on database server DB1, with privileges of the SQL Server service (local administrator)
  • Using xp_cmdshell
• Download malware and execute it on DB1
9. Escape DMZ
• Misconfiguration in DMZ firewall allowed malware to execute SQL commands on a database server intDB1
  • Located within the corporate environment
10. Recon
• Attacker spent weeks performing reconnaissance of corporate environment
  • For first week, attacker used SQL injection
  • Then the attacker implanted a backdoor
• Extracted and cracked password hash for local administrator account on intDB1
  • Now the attacker has local admin on most systems
13. Exploit Domain Controller
• Installed keylogger malware
• Obtained password hashes from multiple systems for administrator accounts
  • Including hashes from the Domain Controller
14. Mid-February
• More than 20 backdoors, spanning three distinct malware families
  • We'll call the primary backdoor family BKDOOR
• Custom malware creation kit
  • Allowed attacker to modify binaries to avoid antivirus detection
15. BKDOOR
• Full control of victim system
• File upload and download
• Tunnel Remote Desktop Protocol traffic into the environment
• Proxy network traffic between backdoors
• Encrypts command-and-control (C2) traffic with RC4 "C2 data"
• Persistence through "DLL search-order hijacking"
16. PROXY Malware Family
• Redirected connections to destination address specified in its configuration file
• Can also accept original destination address from the BKDOOR malware
17. BKDNS Malware Family
• Tunneled C2 traffic through DNS queries and responses
• A backup system, not used during this investigation
• Used on both Windows and Linux systems
18. Late March
• Attacker stole data multiple times
• Took usernames and passwords
• Network architecture and IT information
• Information about financial systems and how financial data was handled
19. Stealing Financial Data
• Outbound FTP connection to an attacker-controlled FTP server
• Also used a backdoor to send financial data to C2 server
• Compressed the data as ZIP, RAR or CAB files
21. PCI Data
• Payment Card Industry data
• Magnetic stripe has two tracks
  • Track 1 & Track 2 (similar data)
• CVV/CVV2 number used to verify physical possession of the card
  • Not all merchants collect the CVV/CVV2 number
22. Compromise JMPSRV
• Gained access with stolen domain administrator password (two-factor authentication not used)
• Transferred reconnaissance tools to JMPSRV
• Began reconnaissance of restricted financial environment
• Took password hashes from RAM on JMPSRV
23. Recon
• Next two months finding
  • Systems that processed or stored cardholder information
  • Systems with direct Internet connections
• Stole documents that described the infrastructure
24. Naming Convention
• 90 systems processed or stored financial information
  • PROC_FIN01, PROC_FIN02, STOR_FIN01, STOR_FIN02, etc.
• None connected directly to the Internet
  • Attacker sent data through JMPSRV and MAIL to get out
26. Testing Methods
• Put Sysinternals "PsSuite" on PROC_FIN01
• Used pslist to see running processes
• Dumped RAM from multiple processes
• Created a RAR archive and transferred it out
  • Trying to find processes that contained cardholder data
27. Cardharvest
• Two days later, attacker installed a custom binary named "cardharvest.exe" onto PROC_FIN01
• Searched process RAM for Track 2 data every 15 seconds
• Hashed the data to prevent duplicate collection
• Encrypted it using RC4 and a hard-coded static key
• Saved it to a local file
28. Three Months
• Over the next three months
• Attacker stole millions of cardholder data records
• From all 90 financial systems
29. Detection
• After ten months of exploitation
• A system administrator noticed that MAIL was communicating with a server in a foreign country over port 80
• Triage showed that there was a compromise
• Initiated incident response
30. Incident Response
• Team travelled to client location
• Immediate containment plan
• Comprehensive incident investigation
• Eradication event to remove all traces of the attacker
• Less than two months for complete IR
34. Initial Compromise
• In mid-May, attacker sent 100 spear-phishing emails
• Targets chosen because of business relationship to speakers at an industry conference
• Most had local administrator privileges
• None had domain administrator privileges
35. Malicious PDF
• One recipient, Bob, opened the attachment with a vulnerable version of Adobe Acrobat
• Exploit installed GHoST RAT (Remote Access Trojan)
• Attacker gained control of BOBSYS01 from the C2 server
36. VPN Compromise
• Two days later, attacker performed reconnaissance on BOBSYS01
• Bob was an engineer
  • Had VPN software that used a machine certificate, username, and password
• Obtained and cracked local administrator password hash
• Used mimikatz.exe to extract Bob's password and VPN machine certificate
37. The Attacker Obtained
• No longer needs Bob's system
• Attacker can now VPN in from any system
38. HOME3
• Less than one week later
• Attacker connected via VPN from a system named HOME3
• Used RDP but ended the session by closing the window instead of logging out
  • Caused an event to be logged in the Security event log
  • Capturing attacker's host name and IP address (from Texas)
39. Recon
• Attacker spent the next 2 weeks performing reconnaissance
• Mapped network shares and directory listings
• Installed keyloggers
• Accessed email through Outlook Web Access (OWA) with stolen credentials
40. SENS1
• Two weeks later, attacker started accessing business-critical data from a share on file server SENS1
  • Sensitive engineering data for a new product
• Access Control Lists (ACLs) restricted this data to engineers working on the project
  • But the attacker had local administrator access and modified the ACLs to gain access
41. Next Four Weeks
• Attacker sporadically stole data
• Created encrypted RAR files
• Renamed them to CAB files
• Uploaded to an attacker-controlled FTP server
• Then deleted RAR file and ran Windows defragmentation utility
  • In an attempt to cover tracks
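Renaming a RAR archive to .cab only changes the name; the archive's header bytes stay the same, so a staging directory or file-transfer log can be checked for the mismatch. The Python below is an added example for this slide, not code from the course or the book; the file names and header bytes in its samples are constructed.

```python
import os
from typing import Optional

# Well-known leading-byte signatures for the container formats named on the slides.
SIGNATURES = {
    b"Rar!\x1a\x07\x00": "rar",      # RAR 4.x archive
    b"Rar!\x1a\x07\x01\x00": "rar",  # RAR 5.x archive
    b"MSCF": "cab",                  # Microsoft Cabinet
    b"PK\x03\x04": "zip",            # ZIP local file header
}


def detect_type(head: bytes) -> Optional[str]:
    """Return the format implied by the leading bytes, or None if unknown."""
    for magic, fmt in SIGNATURES.items():
        if head.startswith(magic):
            return fmt
    return None


def check_file(name: str, head: bytes) -> dict:
    """Compare the extension a file claims with what its header says.

    'mismatch' is True when the header identifies a known archive type that
    differs from the extension (e.g. a RAR archive renamed to .cab), which is
    the condition a hunt or DLP job would alert on.
    """
    ext = os.path.splitext(name)[1].lower().lstrip(".")
    actual = detect_type(head)
    return {
        "name": name,
        "claimed": ext or None,
        "actual": actual,
        "mismatch": actual is not None and actual != ext,
    }


def check_path(path: str) -> dict:
    """Same check against a real file on disk (reads only the header)."""
    with open(path, "rb") as f:
        return check_file(os.path.basename(path), f.read(16))


def scan(samples):
    """Run check_file over (name, header) pairs and return the results."""
    return [check_file(n, d) for n, d in samples]


# Constructed samples: a RAR renamed to .cab (the slide's trick), a genuine CAB,
# a ZIP, and a text file with no recognised signature.
SAMPLES = [
    ("q3_report.cab", b"Rar!\x1a\x07\x00" + b"\x00" * 16),
    ("driver_pack.cab", b"MSCF" + b"\x00" * 16),
    ("logs.zip", b"PK\x03\x04" + b"\x00" * 16),
    ("readme.txt", b"hello world"),
]

if __name__ == "__main__":
    for r in scan(SAMPLES):
        flag = "MISMATCH" if r["mismatch"] else "ok"
        print(f"{r['name']:16} claims={str(r['claimed']):5} header={str(r['actual']):5} {flag}")
```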
42. SIEM
• Two weeks after the attacker began stealing data
• Company started evaluating a new Security Information and Event Management (SIEM) utility
  • Included VPN logs in the data sets
• SIEM showed Bob logging in from multiple systems and IP addresses simultaneously on multiple days
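The SIEM finding on this slide, one account with VPN sessions open at the same time from different source addresses, can be reproduced from raw concentrator logs. The Python below is an added example, not material from the course or the book; the log format, timestamps and IP addresses are constructed, with BOBSYS01 and HOME3 standing in for Bob's real host and the attacker's host.

```python
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Tuple

# Constructed VPN log: one connect and one disconnect line per session.
VPN_LOG = """\
2019-06-03T08:02:11Z connect user=bob src=198.51.100.23 host=BOBSYS01
2019-06-03T08:40:05Z connect user=bob src=203.0.113.77 host=HOME3
2019-06-03T12:15:42Z disconnect user=bob src=198.51.100.23 host=BOBSYS01
2019-06-03T13:01:09Z disconnect user=bob src=203.0.113.77 host=HOME3
2019-06-03T09:00:00Z connect user=mary src=198.51.100.40 host=MARYSYS01
2019-06-03T17:30:00Z disconnect user=mary src=198.51.100.40 host=MARYSYS01
2019-06-04T08:10:00Z connect user=bob src=203.0.113.77 host=HOME3
2019-06-04T08:12:00Z connect user=bob src=198.51.100.23 host=BOBSYS01
2019-06-04T11:00:00Z disconnect user=bob src=203.0.113.77 host=HOME3
2019-06-04T11:05:00Z disconnect user=bob src=198.51.100.23 host=BOBSYS01
"""

Session = Tuple[datetime, datetime, str, str]  # (start, end, src_ip, host)


def parse_line(line: str):
    """Split 'timestamp action key=value ...' into its parts."""
    ts, action, *kv = line.split()
    fields = dict(p.split("=", 1) for p in kv)
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), action, fields


def build_sessions(log: str) -> Dict[str, List[Session]]:
    """Pair connect/disconnect events into sessions per user.
    Sessions still open at the end of the log are closed at the last timestamp."""
    open_sessions: Dict[Tuple[str, str, str], datetime] = {}
    sessions: Dict[str, List[Session]] = defaultdict(list)
    last_ts = None
    for line in log.splitlines():
        ts, action, f = parse_line(line)
        last_ts = ts
        key = (f["user"], f["src"], f["host"])
        if action == "connect":
            open_sessions[key] = ts
        elif action == "disconnect" and key in open_sessions:
            sessions[f["user"]].append((open_sessions.pop(key), ts, f["src"], f["host"]))
    for (user, src, host), start in open_sessions.items():
        sessions[user].append((start, last_ts, src, host))
    return sessions


def concurrent_logins(sessions: Dict[str, List[Session]]):
    """Return (user, day, src_a, src_b) for each pair of a user's sessions that
    overlap in time and come from two different source IPs."""
    findings = []
    for user, sess in sessions.items():
        sess = sorted(sess)
        for i in range(len(sess)):
            for j in range(i + 1, len(sess)):
                a, b = sess[i], sess[j]
                if b[0] < a[1] and a[2] != b[2]:
                    findings.append((user, b[0].date().isoformat(), a[2], b[2]))
    return findings


def users_flagged_on_multiple_days(findings, min_days: int = 2) -> List[str]:
    """Users with concurrent-login findings on at least min_days distinct days."""
    days = defaultdict(set)
    for user, day, _, _ in findings:
        days[user].add(day)
    return sorted(u for u, d in days.items() if len(d) >= min_days)


if __name__ == "__main__":
    found = concurrent_logins(build_sessions(VPN_LOG))
    for f in found:
        print("concurrent VPN sessions: user=%s day=%s from %s and %s" % f)
    print("repeat offenders:", users_flagged_on_multiple_days(found))
```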
43. Chasing Attacker
• Security staff disabled Bob's account
• Attacker started using another account, Mary's
• SIEM quickly discovered malicious use of Mary's account
• Initiated incident response and called IR specialists in
44. Real IR
• Identify IP addresses attacker used to VPN from
• GHoST RAT was sending beacons to one of those same IPs
  • This led to discovery of compromise on BOBSYS01
• Comprehensive eradication event performed two weeks after IR initiated
45. OWA Access
• Two days after the eradication event
• SIEM detected one of attacker's IP addresses attempting access to OWA, with multiple user accounts
• Even though company had changed all passwords during the eradication event, not all users had actually changed their passwords
• A second enterprise-level password change disabled all accounts that failed to change passwords within 24 hours