SlideShare a Scribd company logo
Incident Handling Process (HTB) 1
Incident Handling Process (HTB)
introduction
Incident handling is a clearly defined set of procedures to manage and respond to
security incidents in a computer or network environment.
types of incidents
intrusion incidents
those caused by malicious insiders
availability issues
loss of intellectual property
An event is an action occurring in a system or network. Examples of events are:
A user sending an email
A mouse click
A firewall allowing a connection request
An incident is an event with a negative consequence.
Data theft
Funds theft
Unauthorized access to data
Installation and usage of malware and remote access tools
Cyber Kill Chain (attack lifecycle)
(7) different stages
1. recon (information gathering)
Passive (Linkden / insta / job ads / partners / documentations)
Active (poking and scaning web apps , IP addresses..etc)
identify the present antivirus or EDR technology in the target organization.
2. weaponize (developing the malware to be used for initial access)
embed it into some type of exploit or deliverable payload
Incident Handling Process (HTB) 2
This malware is crafted to be extremely lightweight and undetectable by the
antivirus and detection tools.
3. delivery (delivering the exploit/payload to the victim)
Traditional approaches are phishing emails (contain a malicious attachment or a
link to a web page)
The web page can either contain an exploit or hosting the malicious payload
to avoid sending it through email scanning tools.
the web page can also mimic a legit website
social engineering pretext
there are cases where physical interaction is utilized to deliver the payload via
USB tokens and similar storage tools, that are purposely left around.
4. exploitation (when an exploit or a delivered payload is triggered)
the attacker typically attempts to execute code on the target system in order to
gain access or control
5. installation (the initial stager is executed and is running on the compromised
machine.)
Some common techniques
Droppers: a small piece of code that is designed to install malware on the
system and execute it. it may be delivered through email attachments,
malicious websites, or social engineering tactics.
Backdoors: a type of malware that is designed to provide the attacker with
ongoing access to the compromised system. (may be installed during the
exploitation stage or delivered through a dropper.)
Rootkits: a type of malware that is designed to hide its presence on a
compromised system. (used in the installation stage to evade detection by
antivirus software)
6. command and control (the attacker establishes a remote access capability to the
compromised machine.)
advanced groups will utilize separate tools in order to ensure that multiple variants
of their malware live in a compromised network, and if one of them gets
discovered and contained, they still have the means to return to the environment.
7. action (objective of the attack)
exfiltrating confidential data
obtain the highest level of access possible
deploy ransomware
Incident Handling Process (HTB) 3
….etc
It is important to understand that adversaries won't operate in a linear
manner (like the cyber kill chain shows). Some previous cyber kill
chain stages will be repeated over and over again. If we take, for
example, the installation stage of a successful compromise, the
logical next step for an adversary going forward is to initiate
the recon stage again to identify additional targets and find
vulnerabilities to exploit, so that he moves deeper into the network
and eventually achieves the attack's objective(s).
Our objective is to stop an attacker from progressing further up the kill chain, ideally in
one of the earliest stages.
Incident Handling Process Overview
incident handling process defines a capability for organizations to prepare, detect, and
respond to malicious events
the process is not linear but cyclic.
Incident handling has two main activities:
investigating
Discover the initial 'patient zero' victim and create an (ongoing if still active)
incident timeline
Determine what tools and malware the adversary used
Document the compromised systems and what the adversary has done
Incident Handling Process (HTB) 4
recovering
creating and implementing a recovery plan
a report is issued that details the cause and cost of the incident.
Additionally, "lessons learned" activities are performed
Stages of the Incident Handling Process
1. Preparation
we have two separate objectives
1. the establishment of incident handling capability within the organization.
2. the ability to protect against and prevent IT security incidents by implementing
appropriate protective measures, such as:
a. endpoint and server hardening
b. active directory tiering
c. multi-factor authentication
d. privileged access management
Preparation Prerequisites
we need to ensure that we have:
1. Skilled incident handling team members
2. Trained workforce (through security awareness activities)
3. Clear policies and documentation
roles and Contact info of incident handling team members and all other teams
Incident response policy, plan, and procedures
Network diagrams
Baselines of systems and networks, out of a golden image and a clean state
environment
Organization-wide asset management database
User accounts with excessive privileges
Ability to acquire hardware, software, or an external resource without a complete
procurement process
Forensic/Investigative cheat sheets
4. Tools (software and hardware)
Incident Handling Process (HTB) 5
These include, but are not limited to:
Additional forensic workstation for each incident handling team member to
preserve disk images and log files, perform data analysis, and investigate without
any restrictions
(malware will be tested here, so tools such as antivirus should be disabled)
Digital forensic image acquisition and analysis tools
Memory capture and analysis tools (volatility)
Live response capture and analysis
Log analysis tools
Network capture and analysis tools
Network cables and switches
Write blockers
Hard drives for forensic imaging
Power cables
Screwdrivers, tweezers, and other relevant tools to repair or disassemble
hardware devices if needed
Indicator of Compromise (IOC) creator and the ability to search for IOCs across
the organization
An Indicator of Compromise (IOC) is a piece of evidence or artifact that
suggests the presence of a security incident or compromise.
It can be a file hash, IP address, domain name, URL, file name, registry
key, network traffic pattern, or behavioral anomaly.
IOCs are used to identify and detect malicious activities or intrusions in
investigations.
Chain of custody forms
Encryption software
Ticket tracking system
a software application or platform that helps organizations manage and track
various types of requests, issues, or incidents reported by users or customers
Secure facility for storage and investigation
Incident handling system independent of your organization's infrastructure
Many of the tools mentioned above will be part of what is known as a jump bag -
always ready with the necessary tools to be picked up and leave immediately.
Incident Handling Process (HTB) 6
communications about an incident should be conducted through channels that are
not part of the organization's systems
assume that adversaries have control over everything and can read
communication channels such as email.
Some of the highly recommended protective measures in
Preparation
DMARC (email protection against phishing)
to reject emails that 'pretend' to originate from your organization.
testing is mandatory; otherwise you risk blocking legitimate emails with no ability to
recover them.
Endpoint Hardening (& EDR)
Endpoint devices (workstations, laptops, etc.) are the entry points for most of the
attacks that we are facing on a daily basis
There are a few widely recognized endpoint hardening standards such as CIS and
Microsoft baselines and these should be the building blocks for your organization's
hardening baselines.
Some highly important actions
Disable LLMNR/NetBIOS
Implement LAPS and remove administrative privileges from regular users
Disable or configure PowerShell in "ConstrainedLanguage" mode
Enable Attack Surface Reduction (ASR) rules if using Microsoft Defender
Implement whitelisting.
Consider at least blocking execution from user-writable folders (Downloads,
Desktop, AppData, etc.).
These are the locations where exploits and malicious payloads will initially find
themselves.
Remember to also block script types such as .hta, .vbs, .cmd, .bat, .js, and
similar. Please pay attention to LOLBin files while implementing whitelisting. they
are used in the wild as initial access to bypass whitelisting.
Utilize host-based firewalls. As a bare minimum, block workstation-to-workstation
communication and block outbound traffic to LOLBins
Outbound traffic refers to traffic that originates from inside your
own network.
Incident Handling Process (HTB) 7
Inbound traffic refers to any traffic coming to your network
Deploy an EDR product. At this point in time, AMSI provides great visibility into
obfuscated scripts for antimalware products to inspect the content before it gets
executed. It is highly recommended that you only choose products that integrate with
AMSI.
Network Protection
Business-critical systems must be isolated
connections should be allowed only as the business requires
Internal resources should really not be facing the Internet directly (unless placed in a
DMZ)
consider IDS/IPS systems (Their power really shines when SSL/TLS interception is
performed to identify malicious traffic based on content)
SSL/TLS interception :
1. Decryption and Inspection of the packets
2. Re-encryption and Forwarding
ensure that only organization-approved devices can get on the network.
Solutions such as 802.1x (IEEE Standard for port-based network access
control) can be utilized to reduce the risk of bring your own device (BYOD) or
malicious devices connecting to the corporate network
If you are a cloud-only company using, for example, Azure/Azure AD, then you can
achieve similar protection with Conditional Access policies (allow access to
organization resources only if you are connecting from a company-managed
device)
Privilege Identity Management / MFA / Passwords
common mistake is that admin users either have a weak (but often complex) password
"Password1!". It contains an upper-case, lower-case, digit, and a special character,
but regardless of that, it is easy to guess. or a shared password with their regular user
account (which can be obtained via multiple attack vectors such as keylogging)
Multi-factor authentication (MFA) is another identity-protecting solution that should
be implemented at least for any type of administrative access to ALL applications and
devices.
Vulnerability Scanning
Perform continuous vulnerability scans of your environment and remediate at least the
"high" and "critical" vulnerabilities discovered.
User Awareness Training
Incident Handling Process (HTB) 8
Training users to recognize suspicious behavior and report it when discovered
Periodic "surprise" testing should also be part of this training, including, for example,
monthly phishing emails, dropped USB sticks in the office building, etc.
Active Directory Security Assessment
The best way to detect security misconfigurations or exposed critical vulnerabilities is
by looking for them from the perspective of an attacker.
Purple Team Exercises
Purple team exercises are essentially security assessments by a red team that either
continuously or eventually inform the blue team about their actions, findings, any
visibility/security shortcomings, etc.
Such exercises will help in identifying vulnerabilities in an organization while testing the
blue team's defensive capability in terms of logging, monitoring, detection, and
responsiveness.
2. Detection & Analysis Stage
this phase involves all aspects of detecting an incident, such as utilizing sensors, logs,
and trained personnel. It also includes information and knowledge sharing, utilizing
context-based threat intelligence.
Segmentation of the architecture and having a clear understanding of and visibility
within the network are also important factors.
Threats are introduced to the organization via an infinite amount of attack vectors, and
their detection can come from sources such as:
An employee that notices abnormal behavior
An alert from one of our tools (EDR, IDS, Firewall, SIEM, etc.)
Threat hunting activities
A third-party notification informing us that they discovered signs of our
organization being compromised
It is highly recommended to create levels of detection by logically categorizing our
network as follows.
Detection at the network perimeter (using FWs, internet-facing network
IDS/IPS, DMZ, etc.)
Detection at the internal network level (using local FWs, host IDS/IPS, etc.)
Detection at the endpoint level (using antivirus systems, endpoint detection &
response systems, etc.)
Detection at the application level (using application logs, service logs, etc.)
Incident Handling Process (HTB) 9
Incident Severity & Extent Questions
→ When handling a security incident, we should also try to answer the following questions
to get an idea of the incident's severity and exent:
1. What is the exploitation impact?
2. What are the exploitation requirements?
3. Can any business-critical systems be affected by the incident?
4. Are there any suggested remediation steps?
5. How many systems have been impacted?
6. Is the exploit being used in the wild?
7. Does the exploit have any worm-like capabilities?
→ As you can imagine, high-impact incidents will be handled promptly, and incidents with a
high number of impacted systems will have to be escalated.
Incident Confidentiality & Communication
→ all of the information gathered should be kept on a need-to-know basis, unless
applicable laws or a management decision instruct us otherwise. There are multiple
reasons for this.
→ The adversary may be, for example, an employee of the company, or if a breach has
occurred, the communication to internal and external parties should be handled by the
appointed person in accordance with the legal department.
Initial Investigation
we should aim to collect as much information as possible at this stage about the following:
Date/Time when the incident was reported. Additionally, who detected the incident
and/or who reported it?
How was the incident detected?
What was the incident? Phishing? System unavailability? etc.
Assemble a list of impacted systems (if relevant)
Document who has accessed the impacted systems and what actions have been
taken. Make a note of whether this is an ongoing incident or the suspicious activity
has been stopped
Physical location, operating systems, IP addresses and hostnames, system
owner, system's purpose, current state of the system
(If malware is involved) List of IP addresses, time and date of detection, type of
malware, systems impacted, export of malicious files with forensic information on them
(such as hashes, copies of the files, etc.)
Incident Handling Process (HTB) 10
→ With the initially gathered information, we can start building an incident timeline.
→ This timeline will keep us organized throughout the event and provide an overall picture
of what happened.
→ the timeline should contain the information described in the following columns:
Date
Time of the
event
hostname event description data source
09/09/2021 13:31 CET SQLServer01
Hacker tool 'Mimikatz'
was detected
Antivirus
Software
The Investigation
The investigation starts based on the initially gathered information that contain what
we know about the incident so far
we will begin a 3-step cyclic process that will iterate over and over again as the
investigation evolves
1. Creation and usage of indicators of compromise (IOC)
An Indicator of Compromise (IOC) is a piece of evidence or artifact that suggests
the presence of a security incident or compromise. It can be a file hash, IP
address, domain name, URL, file name, registry key, network traffic pattern, or
behavioral anomaly. IOCs are used to identify and detect malicious activities or
intrusions in cybersecurity investigations.
a widely used standard for IOCs is Yara
there are free tools that can be utilized, such as Mandiant's IOC Editor
To leverage IOCs, we will have to deploy an IOC-obtaining/IOC-searching tool
A common approach is to utilize WMI or PowerShell for IOC-related
operations in Windows environments.
we need to ensure that only connection protocols and tools that don't cache
credentials upon a successful login are utilized (such as WinRM).
When "PsExec" is used with explicit credentials, those credentials are cached
on the remote machine. (don’t use)
2. Identification of new leads and impacted systems
After searching for IOCs, you expect to have some hits that reveal other systems
with the same signs of compromise.
3. Data collection and analysis from the new leads and impacted systems
we will want to collect and preserve the state of those systems for further analysis
there are multiple approaches to how and what data to collect (Depending on the
system)
Incident Handling Process (HTB) 11
1. live response on a system as it is running (most common)
2. shut down a system and then perform any analysis on it
a. not easy as much of the artifacts will only live within the RAM memory of
the machine, which will be lost if the machine is turned off
→ Once the data has been collected, it is time to analyze it. This is often the most time-
consuming process during an incident. Malware analysis and disk forensics are the
most common examination types.
→ during the data collection process, you should keep track of the chain of custody to
ensure that the examined data is court-admissible if legal action is to be taken against an
adversary.
3. Containment, Eradication, & Recovery Stage
→ prevent the incident from causing more damage. (When the investigation is
complete and we have understood the type of incident and the impact on the
business)
Containment
we take action to prevent the spread of the incident.
Incident Handling Process (HTB) 12
containment actions are coordinated and executed across all systems
simultaneously. Otherwise, we risk notifying attackers that we are after them
We divide the actions into short-term containment and long-term containment .
short-term containment
The actions here contain the damage and provide time to develop a more concrete
remediation strategy.
Some of these actions can include, placing a system in a separate/isolated VLAN,
pulling the network cable out of the system(s)
long-term containment
we focus on persistent actions and changes.
changing user passwords, applying firewall rules, inserting a host intrusion
detection system, applying a system patch, and shutting down systems.
Eradication
Once the incident is contained, eradication is necessary to eliminate both the root
cause of the incident and what is left of it to ensure that the adversary is out of the
systems and network.
Some of the activities in this stage include removing the detected malware from
systems, rebuilding some systems, and restoring others from backup.
Additional system-hardening activities are often performed during the eradication
stage
Recovery
we bring systems back to normal operation.
When everything is verified, these systems are brought into the production
environment.
All restored systems will be subject to heavy logging and monitoring after an
incident, as compromised systems tend to be targets again if the adversary regains
access to the environment in a short period of time.
Typical suspicious events to monitor for are:
Unusual logons
Unusual processes
Changes to the registry in locations that are usually Falmodified by malware
4. Post-Incident Activity
Incident Handling Process (HTB) 13
In this stage, our objective is to document the incident and improve our capabilities
based on lessons learned from it.
Reporting
→ A complete report will contain answers to questions such as:
What and when happened?
Performance of the team dealing with the incident in regard to plans, playbooks,
policies, and procedures
Did the business provide the necessary information and respond promptly to aid in
handling the incident in an efficient manner? What can be improved?
What actions have been implemented to contain and eradicate the incident?
What preventive measures should be put in place to prevent similar incidents in the
future?
What tools and resources are needed to detect and analyze similar incidents in the
future?

More Related Content

Similar to Incident handling is a clearly defined set of procedures to manage and respond to security incidents in a computer or network environment.

APT - Project
APT - Project APT - Project
APT - Project
Dev Lavaniya
 
HackInBo2k16 - Threat Intelligence and Malware Analysis
HackInBo2k16 - Threat Intelligence and Malware AnalysisHackInBo2k16 - Threat Intelligence and Malware Analysis
HackInBo2k16 - Threat Intelligence and Malware Analysis
Antonio Parata
 
Advanced Threats in the Enterprise: Finding an Evil in the Haystack
Advanced Threats in the Enterprise: Finding an Evil in the HaystackAdvanced Threats in the Enterprise: Finding an Evil in the Haystack
Advanced Threats in the Enterprise: Finding an Evil in the Haystack
EMC
 
Practical Incident Response - Work Guide
Practical Incident Response - Work GuidePractical Incident Response - Work Guide
Practical Incident Response - Work Guide
Eduardo Chavarro
 
Data security
Data securityData security
Data security
Soumen Mondal
 
46 102-112
46 102-11246 102-112
46 102-112
idescitation
 
Certified Ethical Hacking
Certified Ethical HackingCertified Ethical Hacking
Certified Ethical Hacking
Jennifer Wood
 
A trust system based on multi level virus detection
A trust system based on multi level virus detectionA trust system based on multi level virus detection
A trust system based on multi level virus detection
UltraUploader
 
Deep Learning based Threat / Intrusion detection system
Deep Learning based Threat / Intrusion detection systemDeep Learning based Threat / Intrusion detection system
Deep Learning based Threat / Intrusion detection system
Affine Analytics
 
Attackers May Depend On Social Engineering To Gain...
Attackers May Depend On Social Engineering To Gain...Attackers May Depend On Social Engineering To Gain...
Attackers May Depend On Social Engineering To Gain...
Tiffany Sandoval
 
ITPG Secure on WannaCry
ITPG Secure on WannaCryITPG Secure on WannaCry
(Training) Malware - To the Realm of Malicious Code
(Training) Malware - To the Realm of Malicious Code(Training) Malware - To the Realm of Malicious Code
(Training) Malware - To the Realm of Malicious Code
Satria Ady Pradana
 
It kamus virus security glossary
It kamus virus   security glossaryIt kamus virus   security glossary
It kamus virus security glossary
Fathoni Mahardika II
 
Introduction To Ethical Hacking
Introduction To Ethical HackingIntroduction To Ethical Hacking
Introduction To Ethical Hacking
Raghav Bisht
 
IRJET- Zombie - Venomous File: Analysis using Legitimate Signature for Securi...
IRJET- Zombie - Venomous File: Analysis using Legitimate Signature for Securi...IRJET- Zombie - Venomous File: Analysis using Legitimate Signature for Securi...
IRJET- Zombie - Venomous File: Analysis using Legitimate Signature for Securi...
IRJET Journal
 
A Comprehensive Review On Intrusion Detection System And Techniques
A Comprehensive Review On Intrusion Detection System And TechniquesA Comprehensive Review On Intrusion Detection System And Techniques
A Comprehensive Review On Intrusion Detection System And Techniques
Kelly Taylor
 
Ch09 Performing Vulnerability Assessments
Ch09 Performing Vulnerability AssessmentsCh09 Performing Vulnerability Assessments
Ch09 Performing Vulnerability Assessments
Information Technology
 
Survey on classification techniques for intrusion detection
Survey on classification techniques for intrusion detectionSurvey on classification techniques for intrusion detection
Survey on classification techniques for intrusion detection
csandit
 
Apt zero day malware
Apt zero day malwareApt zero day malware
Apt zero day malware
aspiretss
 
Nt2580 Unit 7 Chapter 12
Nt2580 Unit 7 Chapter 12Nt2580 Unit 7 Chapter 12
Nt2580 Unit 7 Chapter 12
Laura Arrigo
 

Similar to Incident handling is a clearly defined set of procedures to manage and respond to security incidents in a computer or network environment. (20)

APT - Project
APT - Project APT - Project
APT - Project
 
HackInBo2k16 - Threat Intelligence and Malware Analysis
HackInBo2k16 - Threat Intelligence and Malware AnalysisHackInBo2k16 - Threat Intelligence and Malware Analysis
HackInBo2k16 - Threat Intelligence and Malware Analysis
 
Advanced Threats in the Enterprise: Finding an Evil in the Haystack
Advanced Threats in the Enterprise: Finding an Evil in the HaystackAdvanced Threats in the Enterprise: Finding an Evil in the Haystack
Advanced Threats in the Enterprise: Finding an Evil in the Haystack
 
Practical Incident Response - Work Guide
Practical Incident Response - Work GuidePractical Incident Response - Work Guide
Practical Incident Response - Work Guide
 
Data security
Data securityData security
Data security
 
46 102-112
46 102-11246 102-112
46 102-112
 
Certified Ethical Hacking
Certified Ethical HackingCertified Ethical Hacking
Certified Ethical Hacking
 
A trust system based on multi level virus detection
A trust system based on multi level virus detectionA trust system based on multi level virus detection
A trust system based on multi level virus detection
 
Deep Learning based Threat / Intrusion detection system
Deep Learning based Threat / Intrusion detection systemDeep Learning based Threat / Intrusion detection system
Deep Learning based Threat / Intrusion detection system
 
Attackers May Depend On Social Engineering To Gain...
Attackers May Depend On Social Engineering To Gain...Attackers May Depend On Social Engineering To Gain...
Attackers May Depend On Social Engineering To Gain...
 
ITPG Secure on WannaCry
ITPG Secure on WannaCryITPG Secure on WannaCry
ITPG Secure on WannaCry
 
(Training) Malware - To the Realm of Malicious Code
(Training) Malware - To the Realm of Malicious Code(Training) Malware - To the Realm of Malicious Code
(Training) Malware - To the Realm of Malicious Code
 
It kamus virus security glossary
It kamus virus   security glossaryIt kamus virus   security glossary
It kamus virus security glossary
 
Introduction To Ethical Hacking
Introduction To Ethical HackingIntroduction To Ethical Hacking
Introduction To Ethical Hacking
 
IRJET- Zombie - Venomous File: Analysis using Legitimate Signature for Securi...
IRJET- Zombie - Venomous File: Analysis using Legitimate Signature for Securi...IRJET- Zombie - Venomous File: Analysis using Legitimate Signature for Securi...
IRJET- Zombie - Venomous File: Analysis using Legitimate Signature for Securi...
 
A Comprehensive Review On Intrusion Detection System And Techniques
A Comprehensive Review On Intrusion Detection System And TechniquesA Comprehensive Review On Intrusion Detection System And Techniques
A Comprehensive Review On Intrusion Detection System And Techniques
 
Ch09 Performing Vulnerability Assessments
Ch09 Performing Vulnerability AssessmentsCh09 Performing Vulnerability Assessments
Ch09 Performing Vulnerability Assessments
 
Survey on classification techniques for intrusion detection
Survey on classification techniques for intrusion detectionSurvey on classification techniques for intrusion detection
Survey on classification techniques for intrusion detection
 
Apt zero day malware
Apt zero day malwareApt zero day malware
Apt zero day malware
 
Nt2580 Unit 7 Chapter 12
Nt2580 Unit 7 Chapter 12Nt2580 Unit 7 Chapter 12
Nt2580 Unit 7 Chapter 12
 

More from Varun Mithran

HVAC design for health care facilities is all about providing a safer environ...
HVAC design for health care facilities is all about providing a safer environ...HVAC design for health care facilities is all about providing a safer environ...
HVAC design for health care facilities is all about providing a safer environ...
Varun Mithran
 
JWT stands for JSON Web Token. It's a compact, URL-safe means of representing...
JWT stands for JSON Web Token. It's a compact, URL-safe means of representing...JWT stands for JSON Web Token. It's a compact, URL-safe means of representing...
JWT stands for JSON Web Token. It's a compact, URL-safe means of representing...
Varun Mithran
 
SARS-CoV-2 is the virus responsible for the COVID-19 pandemic that started in...
SARS-CoV-2 is the virus responsible for the COVID-19 pandemic that started in...SARS-CoV-2 is the virus responsible for the COVID-19 pandemic that started in...
SARS-CoV-2 is the virus responsible for the COVID-19 pandemic that started in...
Varun Mithran
 
Cross-site request forgery (also known as CSRF) is a web vulnerability that a...
Cross-site request forgery (also known as CSRF) is a web vulnerability that a...Cross-site request forgery (also known as CSRF) is a web vulnerability that a...
Cross-site request forgery (also known as CSRF) is a web vulnerability that a...
Varun Mithran
 
Coronavirus genomes and subgenomes encode six ORFs
Coronavirus genomes and subgenomes encode six ORFsCoronavirus genomes and subgenomes encode six ORFs
Coronavirus genomes and subgenomes encode six ORFs
Varun Mithran
 
Bug Bounty Blueprint : A Beginner's Guide
Bug Bounty Blueprint : A Beginner's GuideBug Bounty Blueprint : A Beginner's Guide
Bug Bounty Blueprint : A Beginner's Guide
Varun Mithran
 
There are three main types of ducting used within domestic ventilation system...
There are three main types of ducting used within domestic ventilation system...There are three main types of ducting used within domestic ventilation system...
There are three main types of ducting used within domestic ventilation system...
Varun Mithran
 
SOC Analyst Guide For Beginners SOC analysts work as members of a managed sec...
SOC Analyst Guide For Beginners SOC analysts work as members of a managed sec...SOC Analyst Guide For Beginners SOC analysts work as members of a managed sec...
SOC Analyst Guide For Beginners SOC analysts work as members of a managed sec...
Varun Mithran
 
Subdomain enumeration is a crucial phase in cybersecurity, particularly durin...
Subdomain enumeration is a crucial phase in cybersecurity, particularly durin...Subdomain enumeration is a crucial phase in cybersecurity, particularly durin...
Subdomain enumeration is a crucial phase in cybersecurity, particularly durin...
Varun Mithran
 
TOP 100 Vulnerabilities Step-by-Step Guide Handbook
TOP 100 Vulnerabilities Step-by-Step Guide HandbookTOP 100 Vulnerabilities Step-by-Step Guide Handbook
TOP 100 Vulnerabilities Step-by-Step Guide Handbook
Varun Mithran
 
BASIC ECG RTHYM - STEMI- SVT -A FIB- SINUS BRADYCARDIA -TACHYCARDIA
BASIC ECG RTHYM - STEMI- SVT -A FIB- SINUS BRADYCARDIA -TACHYCARDIABASIC ECG RTHYM - STEMI- SVT -A FIB- SINUS BRADYCARDIA -TACHYCARDIA
BASIC ECG RTHYM - STEMI- SVT -A FIB- SINUS BRADYCARDIA -TACHYCARDIA
Varun Mithran
 
BASIC ECG RTHYM RAJI.pptx ACLS PREPARATION
BASIC ECG RTHYM RAJI.pptx ACLS PREPARATIONBASIC ECG RTHYM RAJI.pptx ACLS PREPARATION
BASIC ECG RTHYM RAJI.pptx ACLS PREPARATION
Varun Mithran
 
Apply now for "Raspberry Pi for beginners" video course as Self learning
Apply now for "Raspberry Pi for beginners" video course as  Self learning  Apply now for "Raspberry Pi for beginners" video course as  Self learning
Apply now for "Raspberry Pi for beginners" video course as Self learning
Varun Mithran
 

More from Varun Mithran (13)

HVAC design for health care facilities is all about providing a safer environ...
HVAC design for health care facilities is all about providing a safer environ...HVAC design for health care facilities is all about providing a safer environ...
HVAC design for health care facilities is all about providing a safer environ...
 
JWT stands for JSON Web Token. It's a compact, URL-safe means of representing...
JWT stands for JSON Web Token. It's a compact, URL-safe means of representing...JWT stands for JSON Web Token. It's a compact, URL-safe means of representing...
JWT stands for JSON Web Token. It's a compact, URL-safe means of representing...
 
SARS-CoV-2 is the virus responsible for the COVID-19 pandemic that started in...
SARS-CoV-2 is the virus responsible for the COVID-19 pandemic that started in...SARS-CoV-2 is the virus responsible for the COVID-19 pandemic that started in...
SARS-CoV-2 is the virus responsible for the COVID-19 pandemic that started in...
 
Cross-site request forgery (also known as CSRF) is a web vulnerability that a...
Cross-site request forgery (also known as CSRF) is a web vulnerability that a...Cross-site request forgery (also known as CSRF) is a web vulnerability that a...
Cross-site request forgery (also known as CSRF) is a web vulnerability that a...
 
Coronavirus genomes and subgenomes encode six ORFs
Coronavirus genomes and subgenomes encode six ORFsCoronavirus genomes and subgenomes encode six ORFs
Coronavirus genomes and subgenomes encode six ORFs
 
Bug Bounty Blueprint : A Beginner's Guide
Bug Bounty Blueprint : A Beginner's GuideBug Bounty Blueprint : A Beginner's Guide
Bug Bounty Blueprint : A Beginner's Guide
 
There are three main types of ducting used within domestic ventilation system...
There are three main types of ducting used within domestic ventilation system...There are three main types of ducting used within domestic ventilation system...
There are three main types of ducting used within domestic ventilation system...
 
SOC Analyst Guide For Beginners SOC analysts work as members of a managed sec...
SOC Analyst Guide For Beginners SOC analysts work as members of a managed sec...SOC Analyst Guide For Beginners SOC analysts work as members of a managed sec...
SOC Analyst Guide For Beginners SOC analysts work as members of a managed sec...
 
Subdomain enumeration is a crucial phase in cybersecurity, particularly durin...
Subdomain enumeration is a crucial phase in cybersecurity, particularly durin...Subdomain enumeration is a crucial phase in cybersecurity, particularly durin...
Subdomain enumeration is a crucial phase in cybersecurity, particularly durin...
 
TOP 100 Vulnerabilities Step-by-Step Guide Handbook
TOP 100 Vulnerabilities Step-by-Step Guide HandbookTOP 100 Vulnerabilities Step-by-Step Guide Handbook
TOP 100 Vulnerabilities Step-by-Step Guide Handbook
 
BASIC ECG RTHYM - STEMI- SVT -A FIB- SINUS BRADYCARDIA -TACHYCARDIA
BASIC ECG RTHYM - STEMI- SVT -A FIB- SINUS BRADYCARDIA -TACHYCARDIABASIC ECG RTHYM - STEMI- SVT -A FIB- SINUS BRADYCARDIA -TACHYCARDIA
BASIC ECG RTHYM - STEMI- SVT -A FIB- SINUS BRADYCARDIA -TACHYCARDIA
 
BASIC ECG RTHYM RAJI.pptx ACLS PREPARATION
BASIC ECG RTHYM RAJI.pptx ACLS PREPARATIONBASIC ECG RTHYM RAJI.pptx ACLS PREPARATION
BASIC ECG RTHYM RAJI.pptx ACLS PREPARATION
 
Apply now for "Raspberry Pi for beginners" video course as Self learning
Apply now for "Raspberry Pi for beginners" video course as  Self learning  Apply now for "Raspberry Pi for beginners" video course as  Self learning
Apply now for "Raspberry Pi for beginners" video course as Self learning
 

Recently uploaded

Safelyio Toolbox Talk Softwate & App (How To Digitize Safety Meetings)
Safelyio Toolbox Talk Softwate & App (How To Digitize Safety Meetings)Safelyio Toolbox Talk Softwate & App (How To Digitize Safety Meetings)
Safelyio Toolbox Talk Softwate & App (How To Digitize Safety Meetings)
safelyiotech
 
All you need to know about Spring Boot and GraalVM
All you need to know about Spring Boot and GraalVMAll you need to know about Spring Boot and GraalVM
All you need to know about Spring Boot and GraalVM
Alina Yurenko
 
一比一原版(UMN毕业证)明尼苏达大学毕业证如何办理
一比一原版(UMN毕业证)明尼苏达大学毕业证如何办理一比一原版(UMN毕业证)明尼苏达大学毕业证如何办理
一比一原版(UMN毕业证)明尼苏达大学毕业证如何办理
dakas1
 
Orca: Nocode Graphical Editor for Container Orchestration
Orca: Nocode Graphical Editor for Container OrchestrationOrca: Nocode Graphical Editor for Container Orchestration
Orca: Nocode Graphical Editor for Container Orchestration
Pedro J. Molina
 
The Comprehensive Guide to Validating Audio-Visual Performances.pdf
The Comprehensive Guide to Validating Audio-Visual Performances.pdfThe Comprehensive Guide to Validating Audio-Visual Performances.pdf
The Comprehensive Guide to Validating Audio-Visual Performances.pdf
kalichargn70th171
 
Alluxio Webinar | 10x Faster Trino Queries on Your Data Platform
Alluxio Webinar | 10x Faster Trino Queries on Your Data PlatformAlluxio Webinar | 10x Faster Trino Queries on Your Data Platform
Alluxio Webinar | 10x Faster Trino Queries on Your Data Platform
Alluxio, Inc.
 
Superpower Your Apache Kafka Applications Development with Complementary Open...
Superpower Your Apache Kafka Applications Development with Complementary Open...Superpower Your Apache Kafka Applications Development with Complementary Open...
Superpower Your Apache Kafka Applications Development with Complementary Open...
Paul Brebner
 
14 th Edition of International conference on computer vision
14 th Edition of International conference on computer vision14 th Edition of International conference on computer vision
14 th Edition of International conference on computer vision
ShulagnaSarkar2
 
J-Spring 2024 - Going serverless with Quarkus, GraalVM native images and AWS ...
J-Spring 2024 - Going serverless with Quarkus, GraalVM native images and AWS ...J-Spring 2024 - Going serverless with Quarkus, GraalVM native images and AWS ...
J-Spring 2024 - Going serverless with Quarkus, GraalVM native images and AWS ...
Bert Jan Schrijver
 
Unlock the Secrets to Effortless Video Creation with Invideo: Your Ultimate G...
Unlock the Secrets to Effortless Video Creation with Invideo: Your Ultimate G...Unlock the Secrets to Effortless Video Creation with Invideo: Your Ultimate G...
Unlock the Secrets to Effortless Video Creation with Invideo: Your Ultimate G...
The Third Creative Media
 
Everything You Need to Know About X-Sign: The eSign Functionality of XfilesPr...
Everything You Need to Know About X-Sign: The eSign Functionality of XfilesPr...Everything You Need to Know About X-Sign: The eSign Functionality of XfilesPr...
Everything You Need to Know About X-Sign: The eSign Functionality of XfilesPr...
XfilesPro
 
Kubernetes at Scale: Going Multi-Cluster with Istio
Kubernetes at Scale:  Going Multi-Cluster  with IstioKubernetes at Scale:  Going Multi-Cluster  with Istio
Kubernetes at Scale: Going Multi-Cluster with Istio
Severalnines
 
Operational ease MuleSoft and Salesforce Service Cloud Solution v1.0.pptx
Operational ease MuleSoft and Salesforce Service Cloud Solution v1.0.pptxOperational ease MuleSoft and Salesforce Service Cloud Solution v1.0.pptx
Operational ease MuleSoft and Salesforce Service Cloud Solution v1.0.pptx
sandeepmenon62
 
Migration From CH 1.0 to CH 2.0 and Mule 4.6 & Java 17 Upgrade.pptx
Migration From CH 1.0 to CH 2.0 and  Mule 4.6 & Java 17 Upgrade.pptxMigration From CH 1.0 to CH 2.0 and  Mule 4.6 & Java 17 Upgrade.pptx
Migration From CH 1.0 to CH 2.0 and Mule 4.6 & Java 17 Upgrade.pptx
ervikas4
 
如何办理(hull学位证书)英国赫尔大学毕业证硕士文凭原版一模一样
如何办理(hull学位证书)英国赫尔大学毕业证硕士文凭原版一模一样如何办理(hull学位证书)英国赫尔大学毕业证硕士文凭原版一模一样
如何办理(hull学位证书)英国赫尔大学毕业证硕士文凭原版一模一样
gapen1
 
DECODING JAVA THREAD DUMPS: MASTER THE ART OF ANALYSIS
DECODING JAVA THREAD DUMPS: MASTER THE ART OF ANALYSISDECODING JAVA THREAD DUMPS: MASTER THE ART OF ANALYSIS
DECODING JAVA THREAD DUMPS: MASTER THE ART OF ANALYSIS
Tier1 app
 
What’s New in Odoo 17 – A Complete Roadmap
What’s New in Odoo 17 – A Complete RoadmapWhat’s New in Odoo 17 – A Complete Roadmap
What’s New in Odoo 17 – A Complete Roadmap
Envertis Software Solutions
 
TMU毕业证书精仿办理
TMU毕业证书精仿办理TMU毕业证书精仿办理
TMU毕业证书精仿办理
aeeva
 
The Rising Future of CPaaS in the Middle East 2024
The Rising Future of CPaaS in the Middle East 2024The Rising Future of CPaaS in the Middle East 2024
The Rising Future of CPaaS in the Middle East 2024
Yara Milbes
 
Liberarsi dai framework con i Web Component.pptx
Liberarsi dai framework con i Web Component.pptxLiberarsi dai framework con i Web Component.pptx
Liberarsi dai framework con i Web Component.pptx
Massimo Artizzu
 

Recently uploaded (20)

Safelyio Toolbox Talk Softwate & App (How To Digitize Safety Meetings)
Safelyio Toolbox Talk Softwate & App (How To Digitize Safety Meetings)Safelyio Toolbox Talk Softwate & App (How To Digitize Safety Meetings)
Safelyio Toolbox Talk Softwate & App (How To Digitize Safety Meetings)
 
All you need to know about Spring Boot and GraalVM
All you need to know about Spring Boot and GraalVMAll you need to know about Spring Boot and GraalVM
All you need to know about Spring Boot and GraalVM
 
一比一原版(UMN毕业证)明尼苏达大学毕业证如何办理
一比一原版(UMN毕业证)明尼苏达大学毕业证如何办理一比一原版(UMN毕业证)明尼苏达大学毕业证如何办理
一比一原版(UMN毕业证)明尼苏达大学毕业证如何办理
 
Orca: Nocode Graphical Editor for Container Orchestration
Orca: Nocode Graphical Editor for Container OrchestrationOrca: Nocode Graphical Editor for Container Orchestration
Orca: Nocode Graphical Editor for Container Orchestration
 
The Comprehensive Guide to Validating Audio-Visual Performances.pdf
The Comprehensive Guide to Validating Audio-Visual Performances.pdfThe Comprehensive Guide to Validating Audio-Visual Performances.pdf
The Comprehensive Guide to Validating Audio-Visual Performances.pdf
 
Alluxio Webinar | 10x Faster Trino Queries on Your Data Platform
Alluxio Webinar | 10x Faster Trino Queries on Your Data PlatformAlluxio Webinar | 10x Faster Trino Queries on Your Data Platform
Alluxio Webinar | 10x Faster Trino Queries on Your Data Platform
 
Superpower Your Apache Kafka Applications Development with Complementary Open...
Superpower Your Apache Kafka Applications Development with Complementary Open...Superpower Your Apache Kafka Applications Development with Complementary Open...
Superpower Your Apache Kafka Applications Development with Complementary Open...
 
14 th Edition of International conference on computer vision
14 th Edition of International conference on computer vision14 th Edition of International conference on computer vision
14 th Edition of International conference on computer vision
 
J-Spring 2024 - Going serverless with Quarkus, GraalVM native images and AWS ...
J-Spring 2024 - Going serverless with Quarkus, GraalVM native images and AWS ...J-Spring 2024 - Going serverless with Quarkus, GraalVM native images and AWS ...
J-Spring 2024 - Going serverless with Quarkus, GraalVM native images and AWS ...
 
Unlock the Secrets to Effortless Video Creation with Invideo: Your Ultimate G...
Unlock the Secrets to Effortless Video Creation with Invideo: Your Ultimate G...Unlock the Secrets to Effortless Video Creation with Invideo: Your Ultimate G...
Unlock the Secrets to Effortless Video Creation with Invideo: Your Ultimate G...
 
Everything You Need to Know About X-Sign: The eSign Functionality of XfilesPr...
Everything You Need to Know About X-Sign: The eSign Functionality of XfilesPr...Everything You Need to Know About X-Sign: The eSign Functionality of XfilesPr...
Everything You Need to Know About X-Sign: The eSign Functionality of XfilesPr...
 
Kubernetes at Scale: Going Multi-Cluster with Istio
Kubernetes at Scale:  Going Multi-Cluster  with IstioKubernetes at Scale:  Going Multi-Cluster  with Istio
Kubernetes at Scale: Going Multi-Cluster with Istio
 
Operational ease MuleSoft and Salesforce Service Cloud Solution v1.0.pptx
Operational ease MuleSoft and Salesforce Service Cloud Solution v1.0.pptxOperational ease MuleSoft and Salesforce Service Cloud Solution v1.0.pptx
Operational ease MuleSoft and Salesforce Service Cloud Solution v1.0.pptx
 
Migration From CH 1.0 to CH 2.0 and Mule 4.6 & Java 17 Upgrade.pptx
Migration From CH 1.0 to CH 2.0 and  Mule 4.6 & Java 17 Upgrade.pptxMigration From CH 1.0 to CH 2.0 and  Mule 4.6 & Java 17 Upgrade.pptx
Migration From CH 1.0 to CH 2.0 and Mule 4.6 & Java 17 Upgrade.pptx
 
如何办理(hull学位证书)英国赫尔大学毕业证硕士文凭原版一模一样
如何办理(hull学位证书)英国赫尔大学毕业证硕士文凭原版一模一样如何办理(hull学位证书)英国赫尔大学毕业证硕士文凭原版一模一样
如何办理(hull学位证书)英国赫尔大学毕业证硕士文凭原版一模一样
 
DECODING JAVA THREAD DUMPS: MASTER THE ART OF ANALYSIS
DECODING JAVA THREAD DUMPS: MASTER THE ART OF ANALYSISDECODING JAVA THREAD DUMPS: MASTER THE ART OF ANALYSIS
DECODING JAVA THREAD DUMPS: MASTER THE ART OF ANALYSIS
 
What’s New in Odoo 17 – A Complete Roadmap
What’s New in Odoo 17 – A Complete RoadmapWhat’s New in Odoo 17 – A Complete Roadmap
What’s New in Odoo 17 – A Complete Roadmap
 
TMU毕业证书精仿办理
TMU毕业证书精仿办理TMU毕业证书精仿办理
TMU毕业证书精仿办理
 
The Rising Future of CPaaS in the Middle East 2024
The Rising Future of CPaaS in the Middle East 2024The Rising Future of CPaaS in the Middle East 2024
The Rising Future of CPaaS in the Middle East 2024
 
Liberarsi dai framework con i Web Component.pptx
Liberarsi dai framework con i Web Component.pptxLiberarsi dai framework con i Web Component.pptx
Liberarsi dai framework con i Web Component.pptx
 

Incident handling is a clearly defined set of procedures to manage and respond to security incidents in a computer or network environment.

  • 1. Incident Handling Process (HTB) 1 Incident Handling Process (HTB) introduction Incident handling is a clearly defined set of procedures to manage and respond to security incidents in a computer or network environment. types of incidents intrusion incidents those caused by malicious insiders availability issues loss of intellectual property An event is an action occurring in a system or network. Examples of events are: A user sending an email A mouse click A firewall allowing a connection request An incident is an event with a negative consequence. Data theft Funds theft Unauthorized access to data Installation and usage of malware and remote access tools Cyber Kill Chain (attack lifecycle) (7) different stages 1. recon (information gathering) Passive (Linkden / insta / job ads / partners / documentations) Active (poking and scaning web apps , IP addresses..etc) identify the present antivirus or EDR technology in the target organization. 2. weaponize (developing the malware to be used for initial access) embed it into some type of exploit or deliverable payload
  • 2. Incident Handling Process (HTB) 2 This malware is crafted to be extremely lightweight and undetectable by the antivirus and detection tools. 3. delivery (delivering the exploit/payload to the victim) Traditional approaches are phishing emails (contain a malicious attachment or a link to a web page) The web page can either contain an exploit or hosting the malicious payload to avoid sending it through email scanning tools. the web page can also mimic a legit website social engineering pretext there are cases where physical interaction is utilized to deliver the payload via USB tokens and similar storage tools, that are purposely left around. 4. exploitation (when an exploit or a delivered payload is triggered) the attacker typically attempts to execute code on the target system in order to gain access or control 5. installation (the initial stager is executed and is running on the compromised machine.) Some common techniques Droppers: a small piece of code that is designed to install malware on the system and execute it. it may be delivered through email attachments, malicious websites, or social engineering tactics. Backdoors: a type of malware that is designed to provide the attacker with ongoing access to the compromised system. (may be installed during the exploitation stage or delivered through a dropper.) Rootkits: a type of malware that is designed to hide its presence on a compromised system. (used in the installation stage to evade detection by antivirus software) 6. command and control (the attacker establishes a remote access capability to the compromised machine.) advanced groups will utilize separate tools in order to ensure that multiple variants of their malware live in a compromised network, and if one of them gets discovered and contained, they still have the means to return to the environment. 7. action (objective of the attack) exfiltrating confidential data obtain the highest level of access possible deploy ransomware
  • 3. Incident Handling Process (HTB) 3 ….etc It is important to understand that adversaries won't operate in a linear manner (like the cyber kill chain shows). Some previous cyber kill chain stages will be repeated over and over again. If we take, for example, the installation stage of a successful compromise, the logical next step for an adversary going forward is to initiate the recon stage again to identify additional targets and find vulnerabilities to exploit, so that he moves deeper into the network and eventually achieves the attack's objective(s). Our objective is to stop an attacker from progressing further up the kill chain, ideally in one of the earliest stages. Incident Handling Process Overview incident handling process defines a capability for organizations to prepare, detect, and respond to malicious events the process is not linear but cyclic. Incident handling has two main activities: investigating Discover the initial 'patient zero' victim and create an (ongoing if still active) incident timeline Determine what tools and malware the adversary used Document the compromised systems and what the adversary has done
  • 4. Incident Handling Process (HTB) 4 recovering creating and implementing a recovery plan a report is issued that details the cause and cost of the incident. Additionally, "lessons learned" activities are performed Stages of the Incident Handling Process 1. Preparation we have two separate objectives 1. the establishment of incident handling capability within the organization. 2. the ability to protect against and prevent IT security incidents by implementing appropriate protective measures, such as: a. endpoint and server hardening b. active directory tiering c. multi-factor authentication d. privileged access management Preparation Prerequisites we need to ensure that we have: 1. Skilled incident handling team members 2. Trained workforce (through security awareness activities) 3. Clear policies and documentation roles and Contact info of incident handling team members and all other teams Incident response policy, plan, and procedures Network diagrams Baselines of systems and networks, out of a golden image and a clean state environment Organization-wide asset management database User accounts with excessive privileges Ability to acquire hardware, software, or an external resource without a complete procurement process Forensic/Investigative cheat sheets 4. Tools (software and hardware)
  • 5. Incident Handling Process (HTB) 5 These include, but are not limited to: Additional forensic workstation for each incident handling team member to preserve disk images and log files, perform data analysis, and investigate without any restrictions (malware will be tested here, so tools such as antivirus should be disabled) Digital forensic image acquisition and analysis tools Memory capture and analysis tools (volatility) Live response capture and analysis Log analysis tools Network capture and analysis tools Network cables and switches Write blockers Hard drives for forensic imaging Power cables Screwdrivers, tweezers, and other relevant tools to repair or disassemble hardware devices if needed Indicator of Compromise (IOC) creator and the ability to search for IOCs across the organization An Indicator of Compromise (IOC) is a piece of evidence or artifact that suggests the presence of a security incident or compromise. It can be a file hash, IP address, domain name, URL, file name, registry key, network traffic pattern, or behavioral anomaly. IOCs are used to identify and detect malicious activities or intrusions in investigations. Chain of custody forms Encryption software Ticket tracking system a software application or platform that helps organizations manage and track various types of requests, issues, or incidents reported by users or customers Secure facility for storage and investigation Incident handling system independent of your organization's infrastructure Many of the tools mentioned above will be part of what is known as a jump bag - always ready with the necessary tools to be picked up and leave immediately.
  • 6. Incident Handling Process (HTB) 6 communications about an incident should be conducted through channels that are not part of the organization's systems assume that adversaries have control over everything and can read communication channels such as email. Some of the highly recommended protective measures in Preparation DMARC (email protection against phishing) to reject emails that 'pretend' to originate from your organization. testing is mandatory; otherwise you risk blocking legitimate emails with no ability to recover them. Endpoint Hardening (& EDR) Endpoint devices (workstations, laptops, etc.) are the entry points for most of the attacks that we are facing on a daily basis There are a few widely recognized endpoint hardening standards such as CIS and Microsoft baselines and these should be the building blocks for your organization's hardening baselines. Some highly important actions Disable LLMNR/NetBIOS Implement LAPS and remove administrative privileges from regular users Disable or configure PowerShell in "ConstrainedLanguage" mode Enable Attack Surface Reduction (ASR) rules if using Microsoft Defender Implement whitelisting. Consider at least blocking execution from user-writable folders (Downloads, Desktop, AppData, etc.). These are the locations where exploits and malicious payloads will initially find themselves. Remember to also block script types such as .hta, .vbs, .cmd, .bat, .js, and similar. Please pay attention to LOLBin files while implementing whitelisting. they are used in the wild as initial access to bypass whitelisting. Utilize host-based firewalls. As a bare minimum, block workstation-to-workstation communication and block outbound traffic to LOLBins Outbound traffic refers to traffic that originates from inside your own network.
  • 7. Incident Handling Process (HTB) 7 Inbound traffic refers to any traffic coming to your network Deploy an EDR product. At this point in time, AMSI provides great visibility into obfuscated scripts for antimalware products to inspect the content before it gets executed. It is highly recommended that you only choose products that integrate with AMSI. Network Protection Business-critical systems must be isolated connections should be allowed only as the business requires Internal resources should really not be facing the Internet directly (unless placed in a DMZ) consider IDS/IPS systems (Their power really shines when SSL/TLS interception is performed to identify malicious traffic based on content) SSL/TLS interception : 1. Decryption and Inspection of the packets 2. Re-encryption and Forwarding ensure that only organization-approved devices can get on the network. Solutions such as 802.1x (IEEE Standard for port-based network access control) can be utilized to reduce the risk of bring your own device (BYOD) or malicious devices connecting to the corporate network If you are a cloud-only company using, for example, Azure/Azure AD, then you can achieve similar protection with Conditional Access policies (allow access to organization resources only if you are connecting from a company-managed device) Privilege Identity Management / MFA / Passwords common mistake is that admin users either have a weak (but often complex) password "Password1!". It contains an upper-case, lower-case, digit, and a special character, but regardless of that, it is easy to guess. or a shared password with their regular user account (which can be obtained via multiple attack vectors such as keylogging) Multi-factor authentication (MFA) is another identity-protecting solution that should be implemented at least for any type of administrative access to ALL applications and devices. Vulnerability Scanning Perform continuous vulnerability scans of your environment and remediate at least the "high" and "critical" vulnerabilities discovered. User Awareness Training
  • 8. Incident Handling Process (HTB) 8 Training users to recognize suspicious behavior and report it when discovered Periodic "surprise" testing should also be part of this training, including, for example, monthly phishing emails, dropped USB sticks in the office building, etc. Active Directory Security Assessment The best way to detect security misconfigurations or exposed critical vulnerabilities is by looking for them from the perspective of an attacker. Purple Team Exercises Purple team exercises are essentially security assessments by a red team that either continuously or eventually inform the blue team about their actions, findings, any visibility/security shortcomings, etc. Such exercises will help in identifying vulnerabilities in an organization while testing the blue team's defensive capability in terms of logging, monitoring, detection, and responsiveness. 2. Detection & Analysis Stage this phase involves all aspects of detecting an incident, such as utilizing sensors, logs, and trained personnel. It also includes information and knowledge sharing, utilizing context-based threat intelligence. Segmentation of the architecture and having a clear understanding of and visibility within the network are also important factors. Threats are introduced to the organization via an infinite amount of attack vectors, and their detection can come from sources such as: An employee that notices abnormal behavior An alert from one of our tools (EDR, IDS, Firewall, SIEM, etc.) Threat hunting activities A third-party notification informing us that they discovered signs of our organization being compromised It is highly recommended to create levels of detection by logically categorizing our network as follows. Detection at the network perimeter (using FWs, internet-facing network IDS/IPS, DMZ, etc.) Detection at the internal network level (using local FWs, host IDS/IPS, etc.) Detection at the endpoint level (using antivirus systems, endpoint detection & response systems, etc.) Detection at the application level (using application logs, service logs, etc.)
  • 9. Incident Handling Process (HTB) 9 Incident Severity & Extent Questions → When handling a security incident, we should also try to answer the following questions to get an idea of the incident's severity and exent: 1. What is the exploitation impact? 2. What are the exploitation requirements? 3. Can any business-critical systems be affected by the incident? 4. Are there any suggested remediation steps? 5. How many systems have been impacted? 6. Is the exploit being used in the wild? 7. Does the exploit have any worm-like capabilities? → As you can imagine, high-impact incidents will be handled promptly, and incidents with a high number of impacted systems will have to be escalated. Incident Confidentiality & Communication → all of the information gathered should be kept on a need-to-know basis, unless applicable laws or a management decision instruct us otherwise. There are multiple reasons for this. → The adversary may be, for example, an employee of the company, or if a breach has occurred, the communication to internal and external parties should be handled by the appointed person in accordance with the legal department. Initial Investigation we should aim to collect as much information as possible at this stage about the following: Date/Time when the incident was reported. Additionally, who detected the incident and/or who reported it? How was the incident detected? What was the incident? Phishing? System unavailability? etc. Assemble a list of impacted systems (if relevant) Document who has accessed the impacted systems and what actions have been taken. Make a note of whether this is an ongoing incident or the suspicious activity has been stopped Physical location, operating systems, IP addresses and hostnames, system owner, system's purpose, current state of the system (If malware is involved) List of IP addresses, time and date of detection, type of malware, systems impacted, export of malicious files with forensic information on them (such as hashes, copies of the files, etc.)
  • 10. Incident Handling Process (HTB) 10 → With the initially gathered information, we can start building an incident timeline. → This timeline will keep us organized throughout the event and provide an overall picture of what happened. → the timeline should contain the information described in the following columns: Date Time of the event hostname event description data source 09/09/2021 13:31 CET SQLServer01 Hacker tool 'Mimikatz' was detected Antivirus Software The Investigation The investigation starts based on the initially gathered information that contain what we know about the incident so far we will begin a 3-step cyclic process that will iterate over and over again as the investigation evolves 1. Creation and usage of indicators of compromise (IOC) An Indicator of Compromise (IOC) is a piece of evidence or artifact that suggests the presence of a security incident or compromise. It can be a file hash, IP address, domain name, URL, file name, registry key, network traffic pattern, or behavioral anomaly. IOCs are used to identify and detect malicious activities or intrusions in cybersecurity investigations. a widely used standard for IOCs is Yara there are free tools that can be utilized, such as Mandiant's IOC Editor To leverage IOCs, we will have to deploy an IOC-obtaining/IOC-searching tool A common approach is to utilize WMI or PowerShell for IOC-related operations in Windows environments. we need to ensure that only connection protocols and tools that don't cache credentials upon a successful login are utilized (such as WinRM). When "PsExec" is used with explicit credentials, those credentials are cached on the remote machine. (don’t use) 2. Identification of new leads and impacted systems After searching for IOCs, you expect to have some hits that reveal other systems with the same signs of compromise. 3. Data collection and analysis from the new leads and impacted systems we will want to collect and preserve the state of those systems for further analysis there are multiple approaches to how and what data to collect (Depending on the system)
  • 11. Incident Handling Process (HTB) 11 1. live response on a system as it is running (most common) 2. shut down a system and then perform any analysis on it a. not easy as much of the artifacts will only live within the RAM memory of the machine, which will be lost if the machine is turned off → Once the data has been collected, it is time to analyze it. This is often the most time- consuming process during an incident. Malware analysis and disk forensics are the most common examination types. → during the data collection process, you should keep track of the chain of custody to ensure that the examined data is court-admissible if legal action is to be taken against an adversary. 3. Containment, Eradication, & Recovery Stage → prevent the incident from causing more damage. (When the investigation is complete and we have understood the type of incident and the impact on the business) Containment we take action to prevent the spread of the incident.
  • 12. Incident Handling Process (HTB) 12 containment actions are coordinated and executed across all systems simultaneously. Otherwise, we risk notifying attackers that we are after them We divide the actions into short-term containment and long-term containment . short-term containment The actions here contain the damage and provide time to develop a more concrete remediation strategy. Some of these actions can include, placing a system in a separate/isolated VLAN, pulling the network cable out of the system(s) long-term containment we focus on persistent actions and changes. changing user passwords, applying firewall rules, inserting a host intrusion detection system, applying a system patch, and shutting down systems. Eradication Once the incident is contained, eradication is necessary to eliminate both the root cause of the incident and what is left of it to ensure that the adversary is out of the systems and network. Some of the activities in this stage include removing the detected malware from systems, rebuilding some systems, and restoring others from backup. Additional system-hardening activities are often performed during the eradication stage Recovery we bring systems back to normal operation. When everything is verified, these systems are brought into the production environment. All restored systems will be subject to heavy logging and monitoring after an incident, as compromised systems tend to be targets again if the adversary regains access to the environment in a short period of time. Typical suspicious events to monitor for are: Unusual logons Unusual processes Changes to the registry in locations that are usually Falmodified by malware 4. Post-Incident Activity
  • 13. Incident Handling Process (HTB) 13 In this stage, our objective is to document the incident and improve our capabilities based on lessons learned from it. Reporting → A complete report will contain answers to questions such as: What and when happened? Performance of the team dealing with the incident in regard to plans, playbooks, policies, and procedures Did the business provide the necessary information and respond promptly to aid in handling the incident in an efficient manner? What can be improved? What actions have been implemented to contain and eradicate the incident? What preventive measures should be put in place to prevent similar incidents in the future? What tools and resources are needed to detect and analyze similar incidents in the future?