Kill Chain Model for Use Cases Assist in Incident Response
1- Situational Awareness
Outbound Protocols
Outbound protocols by size
Top destination Countries
Top destination Countries by size
2- Reconnaissance
Port scan activity
ICMP query
3- Weaponization and Delivery
Injection
Cross Site Scripting
Cross Site Request Forgery
Failure to Restrict URL
Downloaded binaries
Top email subjects
Domains mismatching
Malicious or anomalous Office/Java/Adobe files
Suspicious Web pages (iframe + [pdf|html|js])
The project title for this task force is “Cyber Security Maturity Model for Organizations”. Some of the key things that you are going to learn from this presentation are:
User organizations will learn how to easily adopt a cyber security maturity assessment model based on widely accepted frameworks such as NIST CSF and ISO 27001:2013
Readers will learn about the core information security domains and how to plan security activities around those core domains
Readers will learn how to prioritize the security budget and draw out the security control implementation roadmap for their organization
Readers will learn to apply a risk-informed approach to information security for their organizations, which can be used to educate about and sell security to their CEOs and board members.
Security Incident and Event Management (SIEM) - Managed and Hosted Solutions ... (Sirius)
SIEM technology has been around for years and continues to enjoy broad market adoption. Companies continue to rely on SIEM capabilities to handle proactive security monitoring, detection and response, and regulatory compliance. However, with today’s staggering volume of cyber-security threats and the number of security devices, network infrastructures and system logs, IT security staff can become quickly overwhelmed.
Gartner projects that by 2020:
-- 50% of new SIEM implementations will be delivered via SIEM as a service.
-- 60% of all advanced security analytics will be delivered from the cloud as part of SIEM-as-a-service offerings.
The IBM Security Intelligence Platform, also known as QRadar®, integrates SIEM, log management, anomaly detection, vulnerability management, risk management and incident forensics into a unified, highly scalable, real-time solution that provides superior threat detection, greater ease of use, and lower total cost of ownership compared with competitive products.
These slides guide you through the tools and techniques one can use for footprinting websites or people. Have a look at the tools and techniques covered.
Building a Next-Generation Security Operations Center (SOC) (Sqrrl)
So, you need to build a Security Operations Center (SOC)? What does that mean? What does the modern SOC need to do? Learn from Dr. Terry Brugger, who has been doing information security work for over 15 years, including building out a SOC for a large Federal agency and consulting for numerous large enterprises on their security operations.
Watch the presentation with audio here: http://info.sqrrl.com/sqrrl-october-webinar-next-generation-soc
Introduction to Risk Management via the NIST Cyber Security Framework (PECB)
The cyber security profession has successfully established explicit guidance for practitioners to implement effective cyber security programs via the NIST Cyber Security Framework (CSF). The CSF provides both a roadmap and a measuring stick for effective cyber security. Application of the CSF within cyber is nothing new, but the resurgence of Enterprise Security Risk Management and Security Convergence highlights opportunities for expanded application to cyber, physical, and personnel security risks. The NIST CSF can help practitioners build a cross-pollinated understanding of holistic risk.
Main points covered:
• Understand the purpose, value, and application of the NIST CSF in familiar non-technical terms.
• Understand how the Functions and Categories of the NIST CSF (the CSF “Core”) and an organization's “current” and “target” profiles are relevant and valuable in a variety of sectors and environments.
• Understand how an organization’s physical and cyber security resources and stakeholders can align with the NIST CSF as a tool to achieve holistic security risk management.
Presenters:
David Feeney, CPP, PMP has 17 years of security industry experience assisting organizations with risk management matters specific to physical, personnel, and cyber security. He has 9 years of experience with service providers and 8 years of experience within enterprise security organizations. David has worked with industry leaders in the energy, technology, healthcare, and real estate sectors. Areas of specialization include Security Operations Center design and management, Security Systems design and implementation, and Enterprise Risk Management. David holds leadership positions in ASIS International and is also a member of the InfraGard FBI program. David holds Certified Protection Professional (CPP) and Project Management Professional (PMP) certifications.
Andrea LeStarge, MS has over ten years of experience in program management, risk analysis and curriculum development. Being specialized in Homeland Security, Andrea leverages her experience in formerly managing projects to support various Federal Government entities in identifying, detecting and responding to man-made, natural and cyber incidents. She has an established track record in recognizing security gaps and corrective risk mitigation options, while effectively communicating findings to stakeholders, private sector owners and operators, and first-responder personnel within tactical, operational and strategic levels. Overall, Andrea encompasses analytical tradecraft and demonstrates consistent, repeatable and defensible methodologies pertaining to risk and the elements of threat, vulnerability and consequence.
Recorded webinar: https://youtu.be/hxpuYtMQgf0
Talking about the Next-Gen Security Operations Center for IDNIC+APJII as a representative of IDSECCONF. A people-centric SOC requires a lot of investment in people, in terms of both quantity and quality; unfortunately, (good) IT security people are getting rare these days. Organisations need to put more of their investment into technology, as in Industry 4.0, machines are getting more advanced at supporting humans with continuous and repetitive tasks.
Moving from a “traditional” to a next-gen SOC requires a proper plan; that is what this talk was about.
The Cybersecurity Risk Management Framework Strategy for Defense Platform Systems course prepares command leadership to implement the National Institute of Standards and Technology’s (NIST) cybersecurity Risk Management Framework (RMF) from a Platform Information Technology (PIT) perspective.
This one-day workshop reviews the five functions of cybersecurity that leadership must consider when making decisions about program resources and requirements.
Cybersecurity for Critical National Infrastructure (Dr David Probert)
Presentation focuses on National Cybersecurity Strategies, Models and Plans. These include the well-known UN/ITU (International Telecommunication Union) Strategy Guidelines, which were updated this year. The talk includes the author's security missions to Armenia and Georgia as well as industrial ICS/SCADA security and the critical information sectors. We briefly review national cybersecurity legislation as well as standards and cyber skills requirements. We wrap up with a cyber "Shopping List", Business Action Plan & Conceptual RoadMap. This presentation was given on the 6th November 2018 at the 38th East-West Security Conference in Nice, France! Enjoy!
SIEM is an abbreviation of “Security Information and Event Management”. It comprises two parts:
Security Information Management
Security Event Management
NYC Workshop: Improving the Business Value of your Service Management Program (Navvia)
David Mainville, CEO of Navvia, led this interactive workshop and discussed:
- What’s wrong with today's Service Management programs?
- Positioning and selling the value of your Service Management program in Business Terms
- Identifying opportunities for improvement by soliciting feedback directly from your users
- Getting everyone on the same page by designing, documenting and communicating what needs to be done
- Continually improving your value to the Business
For more great content please visit: http://navvia.com/resources/
Measuring method complexity of the case management modeling and notation (CMMN) (Mike Marin)
Compares modeling notation between CMMN, BPMN, EPC, and UML Activity Diagrams using the meta-model based method complexity approach introduced by Rossi and Brinkkemper
Black Hat 2014: Don’t be a Target: Everything You Know About Vulnerability Pr... (Skybox Security)
Presented at Black Hat 2014.
Heartbleed. Target. Adobe … businesses are under siege by cybercriminals looking for financial gain and political actors looking for trade secrets. It’s a wildly uneven match where a motivated attacker can find exploitable attack vectors in minutes and maintain unabated access for months, while the security team continues to rely on time-honored methodology to fix vulnerabilities in order of severity.
But severity-based vulnerability management misses the mark completely, as it overlooks the fact that risk exposure is the real concern. This workshop will focus on identifying critical vulnerabilities so they can be fixed as quickly as possible to ensure a reduction in risk and shrink the attack surface over time.
In this deep dive session on vulnerability analysis and prioritization, we’ll cover:
- Calculating risk exposure: Risk = Impact * Likelihood * Time
- The data you need to be collecting about assets and vulnerabilities
- Prioritizing vulnerabilities using simple 2 factor relationships
- Asset-to-vulnerability correlation to augment the accuracy and freshness of active scan data
- Techniques to drive down the risk exposure time
Mapping the Enterprise Threat, Risk, and Security Control Landscape with Splunk (Andrew Gerber)
As threats evolve, it is essential to move beyond looking at events toward developing behavioral analysis capabilities. Knowing not only the components but also the rhythms of your environment becomes crucial to enable earlier detection of attackers. This session will review the threat and risk landscape today, recommend approaches to bolster your security control monitoring, apply situational awareness and kill chain techniques, and walk through the construction of two specific use cases. They are 1) detecting compromised accounts via remote access behavior analysis and 2) detecting malicious activity (attacker or insider) by detecting and tracing network jumpers from corporate to guest networks. The session will discuss the design approach and searches used in these two use cases so that you can build other use cases to improve your security capability and posture.
Consider a logical cross reference or grouping for Cybersecurity Framework subcategories. This could make an assessment easier and more meaningful.
The Cybersecurity Framework identifies categories and subcategories of practice, processes, and activities to be used in a cyber security assessment. But, categories often house unrelated subcategories and subcategories are dependent on other subcategories across various categories.
An overview of how to structure a threat based assessment of risk that is relevant to the business and which clearly ties risk mitigation to the threats being mitigated in a way that business leaders can easily understand.
An immersive workshop at General Assembly, SF. I typically teach this workshop at General Assembly, San Francisco. To see a list of my upcoming classes, visit https://generalassemb.ly/instructors/seth-familian/4813
I also teach this workshop as a private lunch-and-learn or half-day immersive session for corporate clients. To learn more about pricing and availability, please contact me at http://familian1.com
Running Head Security Assessment Report (SAR) .docx (SUBHI7)
Security Assessment Report (SAR)
CHOICE OF ORGANIZATION IS UNIVERSITY OF MARYLAND MEDICAL CENTER (UMMC) OR A FICTITIOUS ORGANIZATION (BE CREATIVE)
Introduction
· Research into OPM security breach.
· What prompts this assessment exercise in our choice of organization? “but we have a bit of an emergency. There's been a security breach at the Office of Personnel Management. need to make sure it doesn't happen again.”
· What were the hackers able to do? The OPM OIG report found that the hackers were able to gain access through compromised credentials.
· How could it have been averted? a) The security breach could have been prevented if the Office of Personnel Management, or OPM, had abided by previous auditing reports and security findings; b) access to the databases could have been prevented by implementing various encryption schemes; and c) the breach could have been identified after running regularly scheduled scans of the systems.
Organization
· Describe the background of your organization, including the purpose, organizational structure,
· Diagram of the network system that includes LAN, WAN, and systems (use the OPM systems model of LAN-side networks, the intra-network, and WAN-side networks, the internet).
· Identify the boundaries that separate the inner networks from the outside networks.
· Include a description of how these platforms are implemented in your organization: common computing platforms, cloud computing, distributed computing, centralized computing, secure programming fundamentals (cite references).
Threats Identification
Start Reading: Impact of Threats
The main threats to information system (IS) security are physical events such as natural disasters, employees and consultants, suppliers and vendors, e-mail attachments and viruses, and intruders.
Physical events such as fires, earthquakes, and hurricanes can cause damage to IT systems. The cost of this damage is not restricted to the costs of repairs or new hardware and software. Even a seemingly simple incident such as a short circuit can have a ripple effect and cost thousands of dollars in lost earnings.
Employees and consultants: In terms of severity of impact, employees and consultants working within the organization can cause the worst damage. Insiders have the most detailed knowledge of how the information systems are being used. They know what data is valuable and how to get it without leaving tracks.
Suppliers and vendors: Organizations cannot avoid exchanging information with vendors, suppliers, business partners, and customers. However, the granting of access rights to any IS or network, if not done at the proper level—that is, at the least level of privilege—can leave the IS or ne ...
A brief introduction to cyber war and its methods, which may be called "cyber warfare introduction". I have good knowledge of this domain and I practically follow this method. In this presentation I explain 50% of the reference, and it will be completed in my next upload. Please give your feedback if you have any suggestions to help me. Thank you.
Despite best efforts and substantial financial investment, costly breaches continue to happen at an alarming rate. The common approach to securing assets by purchasing sophisticated, layered security technologies is not working. These technologies are necessary, but not enough. A best practice model to minimize risk combines technology with continuous monitoring by security experts in a SOC. This session presents a model for effectively monitoring hybrid, multi-cloud environments. It covers the basic architecture of a modern SOC and proposes a pragmatic approach to providing complete visibility into all potential attack surfaces.
Open source network forensics and advanced pcap analysis (GTKlondike)
Speaker: GTKlondike
There is a lot of information freely available on the internet to get network administrators and security professionals started with network analysis tools such as Wireshark. However, there is a well-defined limit on how in depth the topic is covered. This intermediate-level talk aims to bridge the gap between a basic understanding of protocol analyzers (i.e. Wireshark and tcpdump) and practical real-world usage. Things that will be covered include: network file carving, statistical flow analysis, GeoIP, exfiltration, limitations of Wireshark, and other network-based attacks. It is assumed the audience has working knowledge of protocol analysis tools (i.e. Wireshark and tcpdump), the OSI and TCP/IP models, and major protocols (i.e. DNS, HTTP(S), TCP, UDP, DHCP, ARP, IP, etc.).
Bio
GTKlondike is a local hacker/independent security researcher who has a passion for network security, both attack and defense. He has several years' experience working as a network infrastructure and security consultant, mainly dealing with switching, routing, firewalls, and servers. Currently attending graduate school, he is constantly studying and learning new techniques to better defend or bypass network security mechanisms.
How to protect your corporate from advanced attacks (Microsoft)
Cybersecurity is a top priority for CSOs/CISOs, and the budget allocated, especially in a large organization, is growing. The complexity and sophistication of cyber threats are increasing. What are these current threats, and how can Microsoft help your organization in its efforts to eliminate cyber threats?
Despite billions spent on enterprise cyber security, breaches from advanced attacks, costing millions, are occurring on a daily basis.
Our Solution: Complete Near Real-time Network Security Visibility and Awareness: If security analysts could see everything occurring on their network in real-time, breaches would occur but there would never be catastrophic damage – breach reaction would be almost instantaneous. Novetta Cyber Analytics is a linchpin enterprise security solution that enables security analysts, for the first time, to see a complete, near real-time, uncorrupted picture of their entire network. Security analysts then ask and receive answers to subtle questions – at the speed of thought – to enable detection, triage and response to breaches as they occur.
The Benefits: Increase events-responded-to an estimated 30X over.
Substantially reduce or eliminate damage from breaches.
Create a dramatically more effective and efficient security team.
Maximize current security infrastructure investment.
Be far more confident that your network is actually secure.
OUR DIFFERENTIATORS:
Understands the truth of what is happening on your network.
Detects advanced attacks that have breached perimeter defenses.
Develops a complete, near real-time understanding of suspicious behaviour.
Develops a battleground understanding of your entire security situation.
Augments current security solutions.
Proven speed, scale and effectiveness on the largest, most attacked networks on earth.
Get Real-Time Cyber Threat Protection with Risk Management and SIEM (Rapid7)
The 2012 Verizon Data Breach Investigations Report quantified the sharp increase in cyber threats, noting that 68% were due to malware, up 20% from 2011. What is most concerning is that 85% of breaches took weeks or more to discover. Despite the focus on threat prevention, breaches will happen. In this environment the ability to identify risk, protect vulnerable assets and manage threats become critical. Learn how these combined solutions can help your organization identify behavioral anomalies, internal and external threats, and prevent breaches based on accurate enterprise security intelligence.
To download a free Nexpose demo, click here: http://www.rapid7.com/products/nexpose/compare-downloads.jsp
Digital Personal Data Protection (DPDP) Practical Approach For CISOs (Priyanka Aash)
Key Discussion Pointers:
1. Introduction to Data Privacy
- What is data privacy
- Privacy laws around the globe
- DPDPA Journey
2. Understanding the New Indian DPDPA 2023
- Objectives
- Principles of DPDPA
- Applicability
- Rights & Duties of Individuals
- Principals
- Legal implications/penalties
3. A practical approach to DPDPA compliance
- Personal data Inventory
- DPIA
- Risk treatment
It covers popular IaaS/PaaS attack vectors, lists them, and maps them to other relevant projects such as STRIDE & MITRE. Security professionals can better understand which common attack vectors are utilized in attacks, see examples from previous events, and learn where they should focus their controls and security efforts.
Discuss Security Incidents & Business Use Cases, Understanding Web 3 Pros and Web 3 Cons. Prevention mechanisms, and how to make sure that it doesn’t happen to you?
Emerging New Threats And Top CISO Priorities in 2022 (Bangalore) (Priyanka Aash)
Round Table Discussion On "Emerging New Threats And Top CISO Priorities In 2022"_ Bangalore
Date - 28 September, 2022. Decision Makers of different organizations joined this discussion and spoke on New Threats & Top CISO Priorities
Cloud Security: Limitations of Cloud Security Groups and Flow Logs (Priyanka Aash)
Cloud Security Groups are the firewalls of the cloud. They are built in and provide basic access control functionality as part of the shared responsibility model. However, Cloud Security Groups do not provide the same protection or functionality that enterprises have come to expect from on-premises deployments. In this talk we will discuss the top cloud risks in 2020, why perimeters are a concept of the past, and how, in a world with no perimeters, Cloud Security Groups, the "Cloud Firewalls", fit in. We will practically explore Cloud Security Group limitations across different cloud setups, from a single vNet to multi-cloud.
Most organizations have good enterprise-level security policies that define their approach to maintaining, improving, and securing their information and information systems. However, once the policies are signed by senior leadership and distributed throughout the organization, significant cybersecurity governance challenges remain. In this workshop I will explain how to transform organizational security to strengthen defenses and integrate cybersecurity with the overall approach toward security governance, risk management and compliance.
The Internet is home to seemingly infinite amounts of confidential and personal information. As a result of this mass storage of information, systems need to be constantly updated and enforced to prevent hackers from retrieving such valuable and sensitive data. This increasing number of cyber-attacks has led to the increasing importance of Ethical Hacking. The ethical hacker's job is to scan for vulnerabilities and to find potential threats on a computer or network. An ethical hacker finds the weaknesses or loopholes in a computer, web application or network and reports them to the organization. It requires a thorough knowledge of networks, web servers, computer viruses, SQL (Structured Query Language), cryptography, penetration testing, attacks, etc. In this session, you will learn all about ethical hacking. You will understand what ethical hacking is, cyber-attacks and tools, and see some hands-on demos. This session will also guide you through the various ethical hacking certifications available today.
Essentials of Automations: Optimizing FME Workflows with ParametersSafe Software
Are you looking to streamline your workflows and boost your projects’ efficiency? Do you find yourself searching for ways to add flexibility and control over your FME workflows? If so, you’re in the right place.
Join us for an insightful dive into the world of FME parameters, a critical element in optimizing workflow efficiency. This webinar marks the beginning of our three-part “Essentials of Automation” series. This first webinar is designed to equip you with the knowledge and skills to utilize parameters effectively: enhancing the flexibility, maintainability, and user control of your FME projects.
Here’s what you’ll gain:
- Essentials of FME Parameters: Understand the pivotal role of parameters, including Reader/Writer, Transformer, User, and FME Flow categories. Discover how they are the key to unlocking automation and optimization within your workflows.
- Practical Applications in FME Form: Delve into key user parameter types including choice, connections, and file URLs. Allow users to control how a workflow runs, making your workflows more reusable. Learn to import values and deliver the best user experience for your workflows while enhancing accuracy.
- Optimization Strategies in FME Flow: Explore the creation and strategic deployment of parameters in FME Flow, including the use of deployment and geometry parameters, to maximize workflow efficiency.
- Pro Tips for Success: Gain insights on parameterizing connections and leveraging new features like Conditional Visibility for clarity and simplicity.
We’ll wrap up with a glimpse into future webinars, followed by a Q&A session to address your specific questions surrounding this topic.
Don’t miss this opportunity to elevate your FME expertise and drive your projects to new heights of efficiency.
UiPath Test Automation using UiPath Test Suite series, part 4DianaGray10
Welcome to UiPath Test Automation using UiPath Test Suite series part 4. In this session, we will cover Test Manager overview along with SAP heatmap.
The UiPath Test Manager overview with SAP heatmap webinar offers a concise yet comprehensive exploration of the role of a Test Manager within SAP environments, coupled with the utilization of heatmaps for effective testing strategies.
Participants will gain insights into the responsibilities, challenges, and best practices associated with test management in SAP projects. Additionally, the webinar delves into the significance of heatmaps as a visual aid for identifying testing priorities, areas of risk, and resource allocation within SAP landscapes. Through this session, attendees can expect to enhance their understanding of test management principles while learning practical approaches to optimize testing processes in SAP environments using heatmap visualization techniques
What will you get from this session?
1. Insights into SAP testing best practices
2. Heatmap utilization for testing
3. Optimization of testing processes
4. Demo
Topics covered:
Execution from the test manager
Orchestrator execution result
Defect reporting
SAP heatmap example with demo
Speaker:
Deepak Rai, Automation Practice Lead, Boundaryless Group and UiPath MVP
Key Trends Shaping the Future of Infrastructure.pdfCheryl Hung
Keynote at DIGIT West Expo, Glasgow on 29 May 2024.
Cheryl Hung, ochery.com
Sr Director, Infrastructure Ecosystem, Arm.
The key trends across hardware, cloud and open-source; exploring how these areas are likely to mature and develop over the short and long-term, and then considering how organisations can position themselves to adapt and thrive.
3. Incident Response: Kill Chain Model for Use Cases Assist in Incident Response
In military strategy, a "Kill Chain" is a phase model that describes the stages of an attack, which also helps inform ways to prevent attacks. The phases used in this deck:
- Situational Awareness: ability to identify what is happening in the network and system landscape
- Reconnaissance: identification and selection of the target host(s) or network by active scanning
- Weaponization & Delivery: transmission/injection of the malicious payload into the target(s)
- Lateral Movement: detect, exploit and compromise other vulnerable hosts
- Data Exfiltration: steal and exfiltrate data
- Persistency: establish a foothold in the corporate network
4. Kill Chain Model for Use Cases Assist in Incident Response
Situational Awareness
- Outbound Protocols
- Outbound protocols by size
- Top destination Countries
- Top destination Countries by size
Reconnaissance
- Port scan activity
- ICMP query
Weaponization and Delivery
- Injection
- Cross Site Scripting
- Cross Site Request Forgery
- Failure to Restrict URL
- Downloaded binaries
- Top email subjects
- Domains mismatching
- Malicious or anomalous Office/Java/Adobe files
- Suspicious Web pages (iframe + [pdf|html|js])
5. Kill Chain Model for Use Cases Assist in Incident Response
Lateral Movement
- Remove or add account
- Remote WMI communications
- Remote Group Policy Editor
- Remote Session Communications (during outside working hours?)
- Antivirus terminated
Data Exfiltration
- Upload on cloud storage domains
- Suspicious HTTP Methods (Delete, Put)
- Uploaded images
- FTP over non standard port
- IRC communication
- SSH | ICMP Tunneling
Persistency Phase
- Unusual User Agents
- Outbound SSL VPN
- Outbound unknown
7. Advanced Persistent Threat
An "Advanced Persistent Threat" is a complex and targeted cyber attack carried out over a long period of time (i.e. "persistent"). These attacks are well funded, mostly state sponsored and carried out by professionals. The motive behind the attack is to gain access to the target system and maintain that access for prolonged periods.
Step 1: Reconnaissance
Step 2: Initial Intrusion into the Network
Step 3: Establish a Backdoor into the Network
Step 4: Obtain User Credentials
Step 5: Install Various Utilities
Step 6: Privilege Escalation / Lateral Movement / Data Exfiltration
Step 7: Maintain Persistence
8. Incident Response Process - Preparation
Process phases: Preparation | Identification & Verification | Containment | Eradication | Recovery | Post Incident Analysis | Investigation
- Always install software from trusted sources and verify the digital signature and MD5 hash.
- Use benchmarks for building systems on the network, including hardened systems.
- Use group policy to distribute enterprise-wide end point security measures and remove admin privileges from all end user systems and servers.
- Enable appropriate logging on all the network devices.
- Leverage SIEM to correlate data from multiple defense tool sources. Use the data to identify potential compromise (such as blocked emails, code execution in the browser, probable large data in HTML, outgoing traffic to specific IPs on unusual ports, abnormal DNS requests, drive-by malware download, AV clean fail alert, reinfection within 5 minutes, multiple failed DNS resolution attempts, SAM file access, privileged account failures, forced password change).
- Systems that require admin privileges must be identified in the CMDB as high value targets.
- Identify and block all grey-listed domains.
- Collect detailed behavioral profiles on all the data and functions handled by each application.
- Decrypt and re-encrypt confidential traffic through applications or other encryption utilities, wherever possible.
- Identify, create and constantly update a list of all IPs that are known to be associated with malware command and control (Threat Intelligence / Reputation IP).
- Set up procedures for external notification through contributing to Open Source Intelligence.
9. Incident Response Process – Signs of Compromise
- Identification of the same email from a public domain to a significant number of users, C-level employees or high value targets; encrypted, password protected and zipped attachments used to escape the email malware filter (put the user in the reference list).
- End point alert / HIPS / host-based malware alerts for local script execution for the same user: raise an incident.
- Identify unusual traffic volumes to multiple ports or IP addresses, or excessive packet loss (connection over 4 hours to an external IP).
- Examine abnormal services on known ports and abnormal ports for well-known services; verify reputation scores of the IP (e.g. SSH to port 80).
- EDR and WAF alerts for scripts, hash mismatch.
- Botnet filter alerts for traffic to blacklisted domains.
- Email / SPAM filter misbehavior or maintenance activity followed by suspicious activity on the network, especially related to unknown/suspicious remote destinations.
- Monitor packet flow inside and outside the network for likely patterns of Command and Control (C&C) traffic, outbound custom encrypted communications, covert communication channels with external entities, etc.
- Threat Intelligence alerts for connections / data sent to suspicious destinations outside the organization, especially those belonging to less reputed geographic locations and at odd hours.
- Examine if any data breach has occurred, such as a large HTML packet.
- Review hourly and daily reports of network usage to identify unusual occurrences and spikes in traffic.
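Two of the signs listed above (a connection to an external IP lasting over 4 hours, and a well-known service appearing on the wrong port such as SSH to port 80) are mechanical enough to check against flow records. The following Python is an added example, not code from the deck: the flow records, the "internal" address ranges (RFC 1918) and the port-to-protocol baseline are all constructed for illustration; a real deployment would take the baseline from policy and the flows from the SIEM or NetFlow collector. The same port/protocol check covers the "DNS requests over port 80" use case from the website defacement playbook later in the deck.

```python
"""Triage of flow records for two signs of compromise from the slide:
a connection to an external IP lasting over 4 hours, and a service
running on the wrong port (e.g. SSH to port 80, DNS over port 80).
Added example; all data below is constructed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed baseline: application protocol expected on a destination port.
EXPECTED_APP = {22: "ssh", 25: "smtp", 53: "dns", 80: "http", 443: "tls"}
LONG_CONNECTION_SECONDS = 4 * 3600  # "connection over 4 hours" from the slide

# RFC 1918 ranges treated as internal (assumption for this example).
INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dst_port: int
    app: str          # application protocol as identified by the sensor (DPI)
    duration_s: int
    bytes_out: int


def is_external(ip: str) -> bool:
    addr = ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def long_external_connections(flows):
    """Flows to non-RFC1918 destinations that stayed open longer than 4 hours."""
    return [f for f in flows
            if is_external(f.dst) and f.duration_s > LONG_CONNECTION_SECONDS]


def port_protocol_mismatches(flows):
    """Flows where the identified application does not match the well-known port."""
    return [f for f in flows
            if f.dst_port in EXPECTED_APP and f.app != EXPECTED_APP[f.dst_port]]


def triage(flows):
    """Return (rule, src, dst, dst_port) findings, long connections first."""
    findings = [("long_external_connection", f.src, f.dst, f.dst_port)
                for f in long_external_connections(flows)]
    findings += [(f"port_protocol_mismatch:{f.app}_on_{f.dst_port}", f.src, f.dst, f.dst_port)
                 for f in port_protocol_mismatches(flows)]
    return findings


# Constructed sample flows (addresses from documentation ranges).
SAMPLE_FLOWS = [
    Flow("10.0.1.15", "198.51.100.7", 443, "tls", 5 * 3600, 120_000),  # 5 h to external host
    Flow("10.0.1.20", "10.0.2.5", 445, "smb", 6 * 3600, 9_000),         # long, but internal
    Flow("10.0.1.22", "203.0.113.9", 80, "ssh", 120, 3_000),            # SSH on port 80
    Flow("10.0.1.31", "203.0.113.44", 80, "dns", 30, 900),              # DNS masked on port 80
    Flow("10.0.1.40", "198.51.100.10", 443, "tls", 600, 4_000),         # benign
    Flow("10.0.1.41", "198.51.100.11", 22, "ssh", 60, 2_000),           # benign
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_FLOWS):
        print(*finding)
```

Duration and port/protocol checks catch only what the sensor can label; the slide's remaining signs (reputation scores, odd-hour transfers) would be additional rules fed from threat intelligence rather than from the flow record itself.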
10. Use Case Model – Attack Based – Kill Chain – Use Case
Columns: Category | Sub Category | SIEM Rule Source | Use Case Condition | Action | Correlate

Reconn
- Sub Category: End point protection
- SIEM Rule Source: Email gateway
- Use Case Condition: Harmful attachment (binary, infected Word or PDF file, password protected or encrypted file attached) where the source of the email is an internal IP
- Action: Add the email recipient machines' source IP address from the event to shortlist 1.

Delivery
- Sub Category: End point protection
- SIEM Rule Source: AV server
- Use Case Condition: All antivirus and anti-malware software events
- Action: The source IP address is added to the compromised host active list
- Correlate: Define a second high-level rule that cross-correlates to determine if the host source IP address is also found on shortlist 1 (if yes, raise an incident).

Host Exploitation
- Sub Category: End point protection
- SIEM Rule Source: Local System
- Use Case Condition: Rule 1: A registry change has occurred in one of the registry start locations such as RunOnce. Rule 2: A new unknown process has been spawned.
- Action: Add them to shortlist 1

C&C
- Sub Category: End point protection
- SIEM Rule Source: Firewall / IPS
- Use Case Condition: End point communicates to a known bad C&C IP address
- Action: Add them to the compromised active list

Local Compromise
- Sub Category: End Point protection
- SIEM Rule Source: Local System
- Use Case Condition: Rule 1: Creation of local accounts. Rule 2: Creation or escalation of privileges. Rule 3: Group policy changes. Rule 4: Antivirus or anti-malware software processes have been terminated.
- Action: Add them to shortlist 2
- Correlate: If an IP address exists on shortlist 2 more than once, raise an incident alert.

Internal Recon
- Sub Category: End Point protection
- SIEM Rule Source: Firewall / IPS
- Use Case Condition: Rule 1: Peer to peer communication. Rule 2: Beaconing of desktop network communications trying to find a way of routing to the Internet; this would show as firewall drop events. Rule 3: Multiple communications where the source network zone is desktop and the destination network zone is desktop.
- Correlate: Correlate rules 1-3 where the source also exists on either shortlist 1 or shortlist 2; if it does, raise this as an incident and add the IP to the compromised host asset list.

Lateral Movement
- Sub Category: End Point protection
- SIEM Rule Source: Local System
- Use Case Condition: Rule 1: Windows program audit events where netstat has been used; add the source IP to shortlist 2. Rule 2: Windows net logon event; add the source IP address to shortlist 2.
- Action: Add to shortlist 2 for any of the events detected
- Correlate: Correlation rule 2: If rules 1-6 correlate with an IP address on shortlist 1, raise an incident alert and add the IP to the compromised host asset list.

Establish Persistence
- Sub Category: End Point protection
- SIEM Rule Source: Firewall Internal
- Use Case Condition: Rule 1: Internal to internal communications between hosts in the same network zone on unknown communication channels, for example a desktop communicating to another desktop using HTTPS.

Data Exfiltration
- Sub Category: Data Protection
- SIEM Rule Source: Email gateway / Proxy and FW
- Use Case Condition: Rule 1: Windows program audit event where NTBackup has been used; add the source IP to shortlist 2. Rule 2: Windows events for registry access to the following registry locations as this indicates the
- Correlate: Correlate multiple email sending events where attachments are being sent to a single unknown email address in the same day for a total data size of > 100 MB; add to shortlist 1.
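The table's rules share one mechanism: low-confidence events put a host on a shortlist, and an incident is raised only when a second, independent rule lands on the same host. The Python below is an added example of that mechanism and is not code from the deck or from any SIEM product. Event field names (`source`, `type`, `host`, `recipient_ips`, `sender_internal`) and the sample event stream are constructed; the shortlist names and incident conditions follow the table rows for Reconn, Delivery, Host Exploitation, C&C, Local Compromise and Internal Recon.

```python
"""Shortlist-based correlation of the kill chain use cases in the table.
Added example; event schema and sample stream are constructed."""
from collections import Counter
from dataclasses import dataclass, field

# Event types mapped onto the table's rules (constructed names).
HOST_EXPLOIT_TYPES = {"registry_autorun_change", "unknown_process_spawned"}     # -> shortlist 1
SHORTLIST2_TYPES = {"local_account_created", "privilege_escalation",
                    "group_policy_change", "av_process_terminated"}              # -> shortlist 2
INTERNAL_RECON_TYPES = {"peer_to_peer", "beaconing_firewall_drop", "desktop_to_desktop"}


@dataclass
class Correlator:
    shortlist1: set = field(default_factory=set)        # Reconn / Host Exploitation hits
    shortlist2: Counter = field(default_factory=Counter)  # Local Compromise hits, counted per IP
    compromised: set = field(default_factory=set)       # "compromised host active list"
    incidents: list = field(default_factory=list)       # (rule, ip) pairs raised

    def raise_incident(self, rule: str, ip: str) -> None:
        self.incidents.append((rule, ip))

    def ingest(self, ev: dict) -> None:
        src, kind = ev["source"], ev["type"]
        if src == "email_gateway" and kind == "harmful_attachment":
            # Reconn: only internally sourced mail puts recipients on shortlist 1.
            if ev["sender_internal"]:
                self.shortlist1.update(ev["recipient_ips"])
        elif src == "av_server":
            # Delivery: any AV event marks the host; incident if also on shortlist 1.
            ip = ev["host"]
            self.compromised.add(ip)
            if ip in self.shortlist1:
                self.raise_incident("delivery_av_event_on_shortlist1", ip)
        elif src == "local_system" and kind in HOST_EXPLOIT_TYPES:
            self.shortlist1.add(ev["host"])
        elif src == "local_system" and kind in SHORTLIST2_TYPES:
            # Local Compromise: second appearance on shortlist 2 raises an incident.
            ip = ev["host"]
            self.shortlist2[ip] += 1
            if self.shortlist2[ip] > 1:
                self.raise_incident("local_compromise_repeat_shortlist2", ip)
        elif src == "firewall_ips" and kind == "known_bad_c2":
            self.compromised.add(ev["host"])
        elif src == "firewall_ips" and kind in INTERNAL_RECON_TYPES:
            # Internal Recon: only meaningful when the source is already shortlisted.
            ip = ev["host"]
            if ip in self.shortlist1 or ip in self.shortlist2:
                self.raise_incident("internal_recon_on_shortlisted_host", ip)
                self.compromised.add(ip)


# Constructed event stream, in arrival order.
SAMPLE_EVENTS = [
    {"source": "email_gateway", "type": "harmful_attachment", "sender_internal": True,
     "recipient_ips": ["10.0.1.15", "10.0.1.16"]},
    {"source": "email_gateway", "type": "harmful_attachment", "sender_internal": False,
     "recipient_ips": ["10.0.1.50"]},                      # external sender: ignored
    {"source": "av_server", "type": "malware_detected", "host": "10.0.1.15"},   # incident 1
    {"source": "av_server", "type": "malware_detected", "host": "10.0.1.99"},   # not shortlisted
    {"source": "local_system", "type": "local_account_created", "host": "10.0.1.30"},
    {"source": "local_system", "type": "av_process_terminated", "host": "10.0.1.30"},  # incident 2
    {"source": "firewall_ips", "type": "desktop_to_desktop", "host": "10.0.1.16"},     # incident 3
    {"source": "firewall_ips", "type": "desktop_to_desktop", "host": "10.0.1.77"},     # no shortlist hit
    {"source": "local_system", "type": "unknown_process_spawned", "host": "10.0.1.44"},
]


def run_sample() -> Correlator:
    c = Correlator()
    for ev in SAMPLE_EVENTS:
        c.ingest(ev)
    return c


if __name__ == "__main__":
    result = run_sample()
    for rule, ip in result.incidents:
        print(f"INCIDENT {rule} {ip}")
    print("compromised hosts:", sorted(result.compromised))
```

Note that a lone AV detection on 10.0.1.99 only populates the compromised list without an incident, exactly as the Delivery row specifies; the incident needs the shortlist 1 hit. In production the shortlists would also need an expiry, which the table leaves unstated.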
11. Incident Response Process – Limit the Damage
- Take the infected system into a separate VLAN.
- Use packet capturing utilities to replay old (or malicious) traffic to identify additionally infected systems.
- Examine the system to identify any lateral movement made within the enterprise by the attacker, and perform the same checks on affected systems.
- Identify end point IOCs (hash, registry change, running process, running service) to identify the other infected systems.
- Based on the initial investigation, do the following: block the IP address of the attacker, terminate the vulnerable/infected process, disable or change the user password.
- Preserve information and artifacts associated with the incident.
- Update the firewall / anti-malware blacklist to block the attackers' IPs and monitor them in detail, including the communication protocol.
- Remove sensitive data from unsecured and unnecessary locations.
- Alert related key users on possible attacks and limit system & user privileges to copy, modify and delete secondary data/information.
- Alert law enforcement and other authorities such as CERT, if required.
- Notify internal users and affected departments/system owners.
12. Incident Response Process – Source and Anatomy
- In case of spear phishing, verify the links clicked and the destination URL.
- Investigate the information provided or data uploaded on the phished site.
- Identify suspicious changes in listening ports, system services and drivers, startup tasks, and scheduled tasks on the infected system.
- Identify new accounts with high privileges or permission changes.
- Identify DNS requests.
- Verify Host Intrusion Prevention System (HIPS) alerts for execution of scripts or malicious code.
- Use file system and memory analysis and look for malware/code specific entities in memory (process information, running service information).
- Analyze changes in the registry for unexpected registry keys.
- Extract and identify characteristics of the adversary across other affected systems; this may be achieved by using correlation rules to search for identified characteristics of attacks such as: files, system calls, processes, network, ports, IP addresses, host names.
- Investigate further to identify all active (beaconing) and passive (listening) backdoors, and other entry points like web servers, mail servers, VPN.
13. Incident Response Process - Remove Cause
- Reset all affected system, user and service passwords.
- Remove backdoors by running an updated anti-malware tool; use vendor-supplied removal tools (e.g. Stinger) as necessary for eradication and clean up.
- Fix the vulnerable systems being exploited for access with updated patches.
- Run registry cleaners and scan for memory-resident malicious code; clean up with alternate boot media.
- Develop or update antivirus and/or security device (IPS/IDS) signatures.
- Re-engineer the system or systems to prevent re-infection.
- Segment critical data into more restricted areas and implement auditing for critical data access.
- Enable block mode for sensitive data on the data loss prevention tool.
14. Incident Response Process – Resume Normal Operation
- Clean all traces like infected files, binaries, infected code and data.
- Clean browsing history, registry and memory. Preferably, after taking all snapshots, reinstall from a clean image.
- Update all antivirus / anti-malware programs with new signatures and patches.
- Scan the infected system with the latest antivirus and anti-malware programs.
- Scan for suspicious items discovered on all infected and interconnected systems using the updated anti-malware used to disinfect the targeted systems.
- Perform system integrity checks for all the infected systems.
- Restore all systems whose integrity has been affected due to the attack from the last known good backup.
- Confirm that all systems and services are restored to normal operations.
- Restore the data from the previous backup.
15. Incident Response Process – Post Mortem & Lessons Learned
- Perform forensics to identify the source of the attack and the motivation, such as state sponsors.
- Identify if the attackers used a third party (e.g., contractor, client, joint venture) as an attack vector.
- Identify if the attackers had insider assistance.
- Identify if the attackers had physical access to the facilities or network.
- Collect evidence from packet captures / network information, logs, and infected system browsing history, and from malicious code and its reverse engineering.
- Reverse-engineer binaries to help identify attack methods, communication protocols, and attack servers.
- Create images of hard drives from infected hosts.
- Ensure preservation of evidence and maintain chain of custody as required by legal authorities.
- Perform communications (internal/external user groups, public media etc.).
17. Example: Carbanak – A-SOC Capabilities
[Diagram: Carbanak attack flow with nine numbered steps. Labels on the diagram: Attacker using spearphished emails; Word file with MA; Mail-Client; Victim; Domain Name Server; Malicious Web server sends or reflects exploit code; Follow link; web-page + <click>; Install Malware; Command & Control; Remotely Control Malware; Contact Updater by IP Address (C&C); Lateral Movement; Screen capture / Video recording; Data upload – Screens and VR.]
18. Example: Carbanak – A-SOC Capabilities
[Same diagram, overlaid with the A-SOC monitoring points: a) Monitor DNS; b) Monitor NetFlow; c) Monitor Port & Protocol Usage; d) Monitor Web Traffic; e) Data in HTML; Response - NetFlow.]
20. Incident Response: IR response process
Purpose: The purpose of this document is to provide guidance to Tier 2 Triage and Tier 3 Response analysts on the approach to incident remediation.
Scope: The scope of this guidance includes 3 stages: Containment, Eradication, Recovery.
Containment: The intention of this stage is to limit the damage caused by the incident without yet removing the cause of the incident. This is typically done as the first step, as it may take additional time to understand the cause of the incident and the appropriate eradication strategy. Examples of containment may include shutting down affected systems, closing firewall ports etc.
Eradication: This stage is typically done after the containment stage; here the cause of the incident is removed. Eradication can only be performed before containment if the incident cause is immediately clear and eradication can be performed swiftly before additional damage is caused by the incident. Examples of eradication include deleting malicious code, removing malicious accounts etc.
Recovery: This stage is done once the "victim" system impacted is no longer vulnerable. Examples of recovery include restoring from backup, patching servers etc.
21. Incident Response: IR response process
Attack Category: Authentication (Internal User)
Attack Sub Categories: Misc Login Succeeded, Unknown Authentication, Host Login Succeeded, Host Login Failed, Misc Login Failed, Privilege Escalation Failed, Privilege Escalation Succeeded, Mail Service Login Succeeded, Mail Service Login Failed, Auth Server Login Failed, Auth Server, Group Added, Group Changed, Group Removed, Computer Account Added, Computer Account Changed, Computer Account Removed, Remote Access Login Succeeded, Remote Access Login Failed, General Authentication Successful, Telnet Login Succeeded, Telnet Login Failed, Suspicious Password, Samba Login Succeeded, Samba Login Failed, etc.
Response Remediation Options:
1. Containment
   a. Terminate processes with any active connections to the attacker IP or port
   b. Disable the user id in question
2. Eradication
   a. Work with the network team to physically locate the internal attacker
   b. Turn off the switch port of the internal attacker
   c. Remove user access
3. Recovery
   a. Implement a strong password policy
   b. Reconfigure the vulnerable service as applicable
   c. Restore to a previous good state from backup or a recovery application
22. IR Response Exercise – Website Defacement
"Website defacement" refers to any unauthorized changes made to the appearance of either a single webpage or an entire site. Worse, the hacker may replace the home page with an embarrassing (or worse) message.
Web page Defacement: The most straightforward and visually identifiable attack, where the web page content is changed and replaced by the perpetrators. The website data is not deleted.
Data Deletion: This is a second stage of damage where the website is defaced and the data and other pages are also deleted.
Install Malicious Software: Website defacement can be augmented by introducing malicious code into the target environment to establish a stronghold. The malicious code can then be used for further compromises such as lateral movement.
IRC bot: In more severe cases, once the attacker has established a foothold, they can install an IRC bot which can then be controlled through IRC channels.
23. IR Playbook Exercise – Website Defacement
Preparation
1. Create a hot cluster of servers to run the website. Build a backup site and set up routing backups. Enable detailed logging on the web server and test the site for vulnerabilities.
2. The website should be protected by a WAF, IPS, host-based IPS and anti-malware; monitor logs and alerts for unauthorized access / change of files / privilege escalation to the system backups.
3. Deploy monitoring tools to quickly detect any abnormal behavior on your critical websites (e.g. Sucuri).
4. The home page should be access controlled from the Management IP.
5. Log all access and alert on any change to the home page file; immediately verify against a change request.
24. IR Playbook Exercise – Website Defacement
Identification & Verification: SIEM Use Case
Columns: Monitored Element | Description | Log Source | Configuration / Threshold | Priority

More than 30 requests for the same web file (e.g. *.php) by the same IP address and port number, or by the same user
- Description: During the attack the URL targeted by the attacker changes with each request, but the actual file name targeted by each request remains the same
- Log Source: Web Server
- Configuration / Threshold: 30 requests in 5 minutes
- Priority: 2

Home page (*.php) change
- Description: Enable the home page file auditing feature; configure an alert for file change and a priority 1 log alert
- Log Source: Web Server
- Configuration / Threshold: File change from auditing - 1
- Priority: 1

DNS requests over port 80
- Description: Infected hosts sending C&C communications masked as DNS requests over port 80 is common, so watch in the web gateway for any DNS request observed on port 80
- Log Source: Web Server
- Configuration / Threshold: Port / Protocol mismatch
- Priority: 1

High number of HEAD requests on the web server
- Description: Likely indicating an attempt to discover vulnerable CGI scripts. A high number of non-standard HTTP requests indicates a possible attack, or information gathering preceding an attack.
- Log Source: Web Server
- Configuration / Threshold: 10 in 1 min
- Priority: 2

Web server not responding or slow response (HTML response time is huge) due to a possible DoS attack
- Description: The web server has not served any pages in an hour and the IDS has reported multiple DoS attack events
- Log Source: Web Server
- Configuration / Threshold: Slow response / 10 sec to open file
- Priority: 2

SQL Injection, XSS, Injection, Redirects, Failed attempts
- Description: SQL Injection, XSS and other attacks reported by the WAF
- Log Source: Web gateway / Firewall
- Priority: 1
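The two threshold rows above that run on web server logs alone (30 requests for the same file in 5 minutes, and 10 HEAD requests in 1 minute) can be tested against an access log with a sliding window. The Python below is an added example, not code from the deck: it parses Apache combined-format lines, keys the first rule on the file name (the table's point is that the URL query changes while the file stays the same), and emits alerts with the table's priority 2. The log lines are constructed inline; thresholds and window sizes are taken from the table.

```python
"""Sliding-window detection of two web server use cases from the table:
same file requested 30 times in 5 minutes by one IP, and 10 HEAD requests
in 1 minute from one IP. Added example; the access log is constructed."""
import re
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from urllib.parse import urlsplit

# Apache combined log format: ip ident user [ts] "METHOD url proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)')

SAME_FILE_THRESHOLD, SAME_FILE_WINDOW_S = 30, 300   # "30 requests in 5 minutes"
HEAD_THRESHOLD, HEAD_WINDOW_S = 10, 60                # "10 in 1 min"


@dataclass(frozen=True)
class Request:
    ip: str
    ts: datetime
    method: str
    url: str


def parse_line(line: str):
    m = LOG_RE.match(line)
    if not m:
        return None  # unparseable lines are skipped, not trusted
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return Request(m["ip"], ts, m["method"], m["url"])


def target_file(url: str) -> str:
    """File name component of the path, ignoring the query string."""
    path = urlsplit(url).path
    return path.rsplit("/", 1)[-1] or "/"


def sliding_burst(events, threshold, window_s):
    """events: (timestamp, key) pairs. Returns {key: first time threshold was reached}."""
    windows, hits = defaultdict(deque), {}
    for ts, key in sorted(events):
        q = windows[key]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_s:   # drop timestamps outside the window
            q.popleft()
        if len(q) >= threshold and key not in hits:
            hits[key] = ts
    return hits


def detect(lines):
    """Return (rule, ip, file_or_None, priority) alerts for a list of log lines."""
    reqs = [r for r in map(parse_line, lines) if r]
    same_file = sliding_burst([(r.ts, (r.ip, target_file(r.url))) for r in reqs],
                              SAME_FILE_THRESHOLD, SAME_FILE_WINDOW_S)
    heads = sliding_burst([(r.ts, (r.ip,)) for r in reqs if r.method == "HEAD"],
                          HEAD_THRESHOLD, HEAD_WINDOW_S)
    alerts = [("same_file_burst", ip, f, 2) for (ip, f) in same_file]
    alerts += [("head_burst", ip, None, 2) for (ip,) in heads]
    return alerts


def build_sample_log():
    """Constructed access log: one same-file burst, one HEAD burst, some normal traffic."""
    base = datetime(2024, 5, 1, 10, 0, 0, tzinfo=timezone.utc)
    fmt = '{ip} - - [{ts}] "{m} {url} HTTP/1.1" 200 512 "-" "Mozilla/5.0"'

    def line(ip, seconds, method, url):
        ts = (base + timedelta(seconds=seconds)).strftime("%d/%b/%Y:%H:%M:%S %z")
        return fmt.format(ip=ip, ts=ts, m=method, url=url)

    lines = [line("203.0.113.5", i * 8, "GET", f"/index.php?id={i}") for i in range(31)]
    lines += [line("198.51.100.9", 100 + i * 3, "HEAD", f"/cgi-bin/tool{i}.cgi") for i in range(10)]
    lines += [line("192.0.2.10", i * 60, "GET", p) for i, p in enumerate(["/", "/about.php", "/contact.php"])]
    return lines


if __name__ == "__main__":
    for alert in detect(build_sample_log()):
        print(*alert)
```

Keying on the file name rather than the full URL is what makes the first rule work against a changing query string; the table's "same user" variant would swap the IP in the key for the authenticated user from the log's third field.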
25. IR Playbook Exercise – Website Defacement: SQL Injection
Identification & Verification
1. Extract the attack source IP from the SIEM, with the WAF or web server (IIS/Apache) as log source
2. Notify the application owner of the attack
3. Implement a firewall rule to block the attacker IP
4. If the attack source is on the local network, remote to a machine within the same subnet as the unauthorized device
5. Ping the offending machine IP
6. Run the "arp -a" command at the command prompt to extract the MAC address
7. Block the IP/MAC (NAC) and disable the user
26. IR Playbook Exercise – Website Defacement
Containment
1. Take the infected host out of the cluster.
2. Redirect all traffic to the backup servers.
3. If the source of the attack is another system on the network, disconnect it as soon as possible.
4. Conduct site/page replication for redirection, as required.
5. Disable links to the affected page or redirect to a correct version of the page.
6. Back up all data stored on the web server for forensic purposes and evidence collection. The best practice here, if applicable, is to make a complete bit-by-bit copy of the hard disk containing the web server. This will be helpful to recover deleted files.
27. IR Playbook Exercise – Website Defacement
Investigation
1. Check files with static content (in particular, check the modification dates and hash signatures).
2. Check mash-up content providers.
3. Check links present in the web page (src, meta, css, script etc.).
4. Review the database for modifications, content changes, traces of script injections, etc.
5. Review server logs and application access logs.
6. Look for evidence of data exfiltration.
28. IR Playbook Exercise – Website Defacement
Eradication
1. Patch identified vulnerabilities (including all technical and source code vulnerabilities).
2. Remove code/scripts installed by the attacker.
3. Change all user passwords if the web server provides user authentication and/or there is evidence or any reason to think that passwords may have been compromised.
4. Update patches and anti-virus/anti-malware, and scan the system for vulnerabilities.
5. Compare the eradication outcome against a known good backup.
29. IR Playbook Exercise – Website Defacement
Recovery
1. Full restore from a known good backup. Apply validated and verified latest database content updates on top of the known good backup if required, to compensate for any content changes between compromise and recovery.
2. Reconnect dependent systems.
3. Perform testing (sandbox test environment, user acceptance testing etc.).
4. Reconnect the web server to the internal LAN/Internet, as required.
5. Confirm normal operations.