Advanced SOC Section 5 - Incident Response
Incident Lifecycle Management
Threat Management – NIST Aligned Process
- Situational Awareness: ability to identify what is happening in the network and system landscape
- Reconnaissance: identification and selection of the target host(s) or network by active scanning
- Weaponization & Delivery: transmission/injection of the malicious payload into the target(s)
- Lateral Movement: detect, exploit and compromise other vulnerable hosts
- Data Exfiltration: steal and exfiltrate data
- Persistency: establish a foothold in the corporate network
In military strategy, a “Kill Chain” is a phase model that describes the stages of an attack, which also helps inform ways to prevent attacks.
Incident Response
Kill Chain Model – Use Cases to Assist Incident Response
Situational Awareness
- Outbound protocols
- Outbound protocols by size
- Top destination countries
- Top destination countries by size
Reconnaissance
- Port scan activity
- ICMP queries
Weaponization and Delivery
- Injection
- Cross Site Scripting
- Cross Site Request Forgery
- Failure to Restrict URL Access
- Downloaded binaries
- Top email subjects
- Domain mismatches
- Malicious or anomalous Office/Java/Adobe files
- Suspicious web pages (iframe + [pdf|html|js])
Lateral Movement
- Account removed or added
- Remote WMI communications
- Remote Group Policy Editor
- Remote session communications (during outside working hours?)
- Antivirus terminated
Data Exfiltration
- Upload to cloud storage domains
- Suspicious HTTP methods (DELETE, PUT)
- Uploaded images
- FTP over a non-standard port
- IRC communication
- SSH | ICMP tunneling
Persistency
- Unusual User Agents
- Outbound SSL VPN
- Outbound unknown
Advanced SOC Incident Response - APT
Incident Response
Advanced Persistent Threat
An “Advanced Persistent Threat” is a complex and targeted cyber attack carried out over a long period of time (i.e. “persistent”). These attacks are well funded, mostly state sponsored and carried out by professionals. The motive behind the attack is to gain access to the target system and maintain that access for a prolonged period.
Step 1: Reconnaissance
Step 2: Initial Intrusion into the Network
Step 3: Establish a Backdoor into the Network
Step 4: Obtain User Credentials
Step 5: Install Various Utilities
Step 6: Privilege Escalation / Lateral Movement / Data Exfiltration
Step 7: Maintain Persistence
Incident Response
Incident Response Process - Preparation
Process phases: Preparation, Identification & Verification, Containment, Investigation, Eradication, Recovery, Post Incident Analysis.
- Always install software from trusted sources and verify the digital signature and MD5 hash.
- Use benchmarks for building systems on the network, including hardened systems.
- Use group policy to distribute enterprise-wide end point security measures and remove admin privileges from all end user systems and servers.
- Enable appropriate logging on all network devices.
- Leverage SIEM to correlate data from multiple defense tool sources. Use the data to identify potential compromise, such as blocked emails, code execution in the browser, probable large data in HTML, outgoing traffic to specific IPs on unusual ports, abnormal DNS requests, drive-by malware downloads, AV clean-fail alerts, reinfection within 5 minutes, multiple failed DNS resolution attempts, SAM file access, privileged account failures and forced password changes.
- Systems that require admin privileges must be identified in the CMDB as high value targets.
- Identify and block all grey-listed domains.
- Collect detailed behavioral profiles of all the data and functions handled by each application.
- Decrypt and re-encrypt confidential traffic through applications or other encryption utilities, wherever possible.
- Identify, create and constantly update a list of all IPs known to be associated with malware command and control (Threat Intelligence / Reputation IP).
- Set up procedures for external notification, including contributing to Open Source Intelligence.
Incident Response
Incident Response Process – Signs of Compromise
- Identification of the same email from a public domain sent to a significant number of users, C-level employees or high value targets; encrypted, password-protected and zipped attachments used to escape the email malware filter (put the user in the reference list).
- End point / HIPS / host-based malware alerts for local script execution for the same user: raise an incident.
- Identify unusual traffic volumes to multiple ports or IP addresses, or excessive packet loss (e.g. a connection over 4 hours to an external IP).
- Examine abnormal services on known ports and abnormal ports for well-known services (e.g. SSH to port 80); verify the reputation scores of the IPs.
- EDR and WAF alerts for scripts and hash mismatches.
- Botnet filter alerts for traffic to blacklisted domains.
- Email / SPAM filter misbehavior or maintenance activity followed by suspicious activity on the network, especially related to unknown or suspicious remote destinations.
- Monitor packet flow inside and outside the network for likely patterns of Command and Control (C&C) traffic, outbound custom encrypted communications, covert communication channels with external entities, etc.
- Threat Intelligence alerts for connections / data sent to suspicious destinations outside the organization, especially those in poorly reputed geographic locations and at odd hours.
- Examine whether any data breach has occurred, e.g. a large HTML packet.
- Review hourly and daily reports of network usage to identify unusual occurrences and spikes in traffic.
Use Case
Use Case Model – Attack Based – Kill Chain Use Case
Columns: Category / Sub Category / SIEM Rule Source / Use Case Condition / Action / Correlate

Category: Reconn
Sub Category: End point protection
SIEM Rule Source: Email gateway
Use Case Condition: Harmful attachment (binary, infected Word or PDF file, password-protected or encrypted file attached) and the source of the email is an internal IP
Action: Add the email recipient machine's source IP address from the event to shortlist 1.

Category: Delivery
Sub Category: End point protection
SIEM Rule Source: AV server
Use Case Condition: All antivirus and anti-malware software events
Action: The source IP address is added to the compromised host active list.
Correlate: Define a second high-level rule that cross-correlates to determine whether the host source IP address is also found on shortlist 1 (if yes, raise an incident).

Category: Host Exploitation
Sub Category: End point protection
SIEM Rule Source: Local System
Use Case Condition: Rule 1: a registry change has occurred in one of the registry start locations such as RunOnce. Rule 2: a new unknown process has been spawned.
Action: Add them to shortlist 1.

Category: C&C
Sub Category: End point protection
SIEM Rule Source: Firewall / IPS
Use Case Condition: End point communicates with a known bad C&C IP address
Action: Add them to the compromised host active list.

Category: Local Compromise
Sub Category: End point protection
SIEM Rule Source: Local System
Use Case Condition: Rule 1: creation of local accounts. Rule 2: creation or escalation of privileges. Rule 3: group policy changes. Rule 4: antivirus or anti-malware software processes have been terminated.
Action: Add them to shortlist 2.
Correlate: If an IP address exists on shortlist 2 more than once, raise an incident alert.

Category: Internal Recon
Sub Category: End point protection
SIEM Rule Source: Firewall / IPS
Use Case Condition: Rule 1: peer-to-peer communication. Rule 2: beaconing of desktop network communications trying to find a way of routing to the Internet; this shows up as firewall drop events. Rule 3: multiple communications where both the source network zone and the destination network zone are desktop.
Correlate: Correlate rules 1-3 where the source also exists on either shortlist 1 or shortlist 2; if it does, raise this as an incident and add the IP to the compromised host asset list.

Category: Lateral Movement
Sub Category: End point protection
SIEM Rule Source: Local System
Use Case Condition: Rule 1: Windows program audit events where netstat has been used; add the source IP to shortlist 2. Rule 2: Windows net logon event; add the source IP address to shortlist 2.
Action: Add to shortlist 2 for any of the events detected.
Correlate: Correlation rule 2: if rules 1–6 correlate with an IP address on shortlist 1, raise an incident alert and add the IP to the compromised host asset list.

Category: Establish Persistence
Sub Category: End point protection
SIEM Rule Source: Firewall Internal
Use Case Condition: Rule 1: internal-to-internal communications between hosts in the same network zone on unknown communication channels, for example a desktop communicating with another desktop using HTTPS.

Category: Data Exfiltration
Sub Category: Data Protection
SIEM Rule Source: Email gateway / Proxy and FW
Use Case Condition: Rule 1: Windows program audit event where NTBackup has been used; add the source IP to shortlist 2. Rule 2: Windows events for registry access to the following registry locations, as this indicates the
Correlate: Correlate multiple email sending events where attachments are being sent to a single unknown email address in the same day for a total data size of > 100 MB; add to shortlist 1.
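The shortlist mechanics of the table above, worked through as a small correlation engine. This is an added example, not code from the original slides: the rule names, event layout and sample events are constructed, and it implements the Delivery, Local Compromise, Internal Recon and Lateral Movement correlations as the table states them.

```python
"""Kill-chain shortlist correlation modelled on the use-case table above.

Added example, not from the original slides: rule names, event layout and the
sample events are constructed; the shortlist/correlation logic follows the table.
"""
from collections import Counter
from dataclasses import dataclass, field

# Rule hits that put a source IP on shortlist 1 (Reconn, Host Exploitation rows).
SHORTLIST1_RULES = {"email_harmful_attachment", "registry_run_key_change",
                    "unknown_process_spawned"}
# Rule hits that put a source IP on shortlist 2 (Local Compromise, Lateral
# Movement and Data Exfiltration rule 1).
SHORTLIST2_RULES = {"local_account_created", "privilege_escalation",
                    "group_policy_change", "av_process_terminated",
                    "netstat_used", "net_logon", "ntbackup_used"}
# Rule hits that go straight onto the compromised host active list (Delivery, C&C).
COMPROMISED_RULES = {"av_alert", "known_bad_c2_ip"}
# Internal Recon rules 1-3; only escalated when the host is already shortlisted.
INTERNAL_RECON_RULES = {"peer_to_peer", "firewall_drop_beaconing", "desktop_to_desktop"}


@dataclass
class CorrelationState:
    shortlist1: set = field(default_factory=set)
    shortlist2: Counter = field(default_factory=Counter)  # hit count per IP
    compromised: set = field(default_factory=set)
    incidents: list = field(default_factory=list)         # (ip, reason), in order raised


def process_event(state, event):
    """Apply one SIEM event ({"src_ip": ..., "rule": ...}) to the running state."""
    ip, rule = event["src_ip"], event["rule"]
    if rule in SHORTLIST1_RULES:
        state.shortlist1.add(ip)
    elif rule in SHORTLIST2_RULES:
        state.shortlist2[ip] += 1
        # Local Compromise correlation: the same IP on shortlist 2 more than once.
        if state.shortlist2[ip] == 2:
            state.incidents.append((ip, "shortlist 2 hit more than once"))
        # Lateral Movement correlation rule 2: shortlist 2 activity on a host
        # that is already on shortlist 1.
        if ip in state.shortlist1:
            state.incidents.append((ip, f"{rule} on host already on shortlist 1"))
            state.compromised.add(ip)
    elif rule in COMPROMISED_RULES:
        state.compromised.add(ip)
        # Delivery cross-correlation: AV event for a host already on shortlist 1.
        if rule == "av_alert" and ip in state.shortlist1:
            state.incidents.append((ip, "AV event on host already on shortlist 1"))
    elif rule in INTERNAL_RECON_RULES:
        if ip in state.shortlist1 or ip in state.shortlist2:
            state.compromised.add(ip)
            state.incidents.append((ip, f"internal recon ({rule}) from shortlisted host"))
    return state


def correlate(events):
    """Run a sequence of events through the engine and return the final state."""
    state = CorrelationState()
    for event in events:
        process_event(state, event)
    return state


# Constructed sample event stream (private RFC 1918 addresses, not real hosts).
SAMPLE_EVENTS = [
    {"src_ip": "10.0.0.5", "rule": "email_harmful_attachment"},  # Reconn -> shortlist 1
    {"src_ip": "10.0.0.5", "rule": "av_alert"},                  # Delivery -> incident
    {"src_ip": "10.0.0.9", "rule": "local_account_created"},     # Local Compromise -> shortlist 2
    {"src_ip": "10.0.0.9", "rule": "av_process_terminated"},     # second hit -> incident
    {"src_ip": "10.0.0.9", "rule": "peer_to_peer"},              # Internal Recon -> incident
    {"src_ip": "10.0.0.20", "rule": "netstat_used"},             # Lateral Movement -> shortlist 2
    {"src_ip": "10.0.0.20", "rule": "desktop_to_desktop"},       # Internal Recon -> incident
    {"src_ip": "10.0.0.5", "rule": "net_logon"},                 # shortlist 2 hit on shortlist 1 host
    {"src_ip": "10.0.0.30", "rule": "peer_to_peer"},             # never shortlisted -> nothing
]

if __name__ == "__main__":
    final = correlate(SAMPLE_EVENTS)
    for ip, reason in final.incidents:
        print(f"INCIDENT {ip}: {reason}")
    print("compromised hosts:", sorted(final.compromised))
```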
Incident Response
Incident Response Process – Limit the Damage
- Move the infected system into a separate VLAN.
- Use packet capturing utilities to replay old (or malicious) traffic to identify additional infected systems.
- Examine the system to identify any lateral movement made within the enterprise by the attacker and perform the same checks on the affected systems.
- Identify end point IOCs (hash, registry change, running process, running service) to identify the other infected systems.
- Based on the initial investigation, do the following: block the attacker's IP address, terminate the vulnerable/infected process, disable the user or change the user password.
- Preserve information and artifacts associated with the incident.
- Update the firewall / anti-malware blacklist to block the attacker's IPs and monitor them in detail, including the communication protocol.
- Remove sensitive data from unsecured and unnecessary locations.
- Alert related key users about possible attacks and limit system and user privileges to copy, modify and delete secondary data/information.
- Alert law enforcement and other authorities such as the CERT, if required.
- Notify internal users and affected departments/system owners.
Incident Response
Incident Response Process – Source and Anatomy
- In case of spear phishing, verify the links clicked and the destination URL.
- Investigate the information provided or data uploaded on the phishing site.
- Identify suspicious changes in listening ports, system services and drivers, startup tasks and scheduled tasks on the infected system.
- Look for new accounts with high privileges or permission changes.
- Identify DNS requests.
- Verify Host Intrusion Prevention System (HIPS) alerts for execution of scripts or malicious code.
- Use file system and memory analysis and look for malware/code-specific entities in memory (process information, running service information).
- Analyze changes in the registry for unexpected registry keys.
- Extract and identify characteristics of the adversary across the other affected systems; this may be achieved by using correlation rules to search for identified characteristics of the attack such as:
  - Files
  - System calls
  - Processes
  - Network
  - Ports
  - IP addresses
  - Host names
- Investigate further to identify all:
  - Active (beaconing) and passive (listening) backdoors
  - Other entry points like web servers, mail servers, VPN
Incident Response
Incident Response Process - Remove Cause
- Reset all affected system, user and service passwords.
- Remove backdoors by running an updated anti-malware tool; use vendor-supplied stinger (standalone removal) tools as necessary for eradication and clean-up.
- Patch the vulnerable systems the attackers are exploiting for access.
- Run registry cleaners, scan for memory-resident malicious code and clean up using alternate boot media.
- Develop or update antivirus and/or security device (IPS/IDS) signatures.
- Re-engineer the system or systems to prevent re-infection.
- Segment critical data into more restricted areas and implement auditing for critical data access.
- Enable block mode for sensitive data on the data loss prevention tool.
Incident Response
Incident Response Process – Resume Normal Operation
- Clean all traces such as infected files, binaries, infected code and data.
- Clean browsing history, registry and memory. Preferably, after taking all snapshots, reinstall from a clean image.
- Update all antivirus / anti-malware programs with new signatures and patches.
- Scan the infected system with the latest antivirus and anti-malware programs.
- Scan for suspicious items discovered on all infected and interconnected systems using the updated anti-malware used to disinfect the targeted systems.
- Perform system integrity checks on all infected systems.
- Restore all systems whose integrity has been affected by the attack from the last known good backup.
- Confirm that all systems and services have been restored to normal operations.
- Restore the data from the previous backup.
Incident Response
Incident Response Process – Post Mortem & Lessons Learned
- Perform forensics to identify the source of the attack and its motivation, such as state sponsorship.
- Identify whether the attackers used a third party (e.g. contractor, client, joint venture) as an attack vector.
- Identify whether the attackers had insider assistance.
- Identify whether the attackers had physical access to the facilities or network.
- Collect evidence from packet captures / network information, logs, the infected system's browsing history, and the malicious code and its reverse engineering.
- Reverse-engineer binaries to help identify attack methods, communication protocols and attack servers.
- Create images of hard drives from infected hosts.
- Ensure preservation of evidence and maintain chain of custody as required by legal authorities.
- Perform communications (internal/external user groups, public media, etc.).
Advanced SOC Exercise – IR Playbook
Example
Carbanak – A-SOC Capabilities
[Figure: Carbanak attack flow diagram, shown twice in the original, the second time annotated with A-SOC monitoring capabilities. Labelled elements: Attacker using spearphished emails; Mail-Client; Word file with MA; Follow link; web-page + <click>; Malicious web server sends or reflects exploit code; Install Malware; Victim; Domain Name Server; Contact Updater by IP address (C&C); Command & Control; Remotely Control Malware; Lateral Movement; Screen capture / Video recording; Data upload – Screens and VR. The steps are numbered 1 to 9 in the diagram.]
A-SOC capabilities mapped onto the diagram:
a) Monitor DNS
b) Monitor NetFlow
c) Monitor Port & Protocol Usage
d) Monitor Web Traffic
e) Data in HTML
Response – NetFlow
Example
Carbanak – IOC
Purpose: The purpose of this document is to provide guidance to Tier 2 Triage and Tier 3 Response analysts on the approach to incident remediation.
Scope: The scope of this guidance includes 3 stages:
- Containment
- Eradication
- Recovery
Containment: The intention of this stage is to limit the damage caused by the incident without yet removing its cause. This is typically done as the first step, since it may take additional time to understand the cause of the incident and the appropriate eradication strategy. Examples of containment include shutting down affected systems, closing firewall ports, etc.
Eradication: This stage is typically done after the containment stage; here the cause of the incident is removed. Eradication can only be performed before containment if the cause is immediately clear and eradication can be carried out swiftly, before additional damage is caused by the incident. Examples of eradication include deleting malicious code, removing malicious accounts, etc.
Recovery: This stage is done once the impacted “victim” system is no longer vulnerable. Examples of recovery include restoring from backup, patching servers, etc.
Incident Response
IR response process
Attack Category: Authentication (Internal User)
Attack Sub Categories: Misc Login Succeeded, Unknown Authentication, Host Login Succeeded, Host Login Failed, Misc Login Failed, Privilege Escalation Failed, Privilege Escalation Succeeded, Mail Service Login Succeeded, Mail Service Login Failed, Auth Server Login Failed, Auth Server, Group Added, Group Changed, Group Removed, Computer Account Added, Computer Account Changed, Computer Account Removed, Remote Access Login Succeeded, Remote Access Login Failed, General Authentication Successful, Telnet Login Succeeded, Telnet Login Failed, Suspicious Password, Samba Login Succeeded, Samba Login Failed, etc.
Response Remediation Options:
1. Containment
   a. Terminate processes with any active connections to the attacker IP or port
   b. Disable the user ID in question
2. Eradication
   a. Work with the network team to physically locate the internal attacker
   b. Turn off the switch port of the internal attacker
   c. Remove user access
3. Recovery
   a. Implement a strong password policy
   b. Reconfigure the vulnerable service as applicable
   c. Restore to a previous good state from backup or a recovery application
Incident Response
IR response process
“Website defacement" refers to any unauthorized changes made to the appearance of either a single webpage, or an
entire site. Worse, the hacker will replace the home page with an embarrassing (or worse) message.
 Web page Defacement: The most straight forward and visually identifiable attack where the web page content is changed and
replaced by the perpetrators. The website data is not deleted.
 Data Deletion: This is a second stage of damage where the website is defaced and also the data and other pages are deleted.
 Install Malicious Software: Website defacement can be augmented by introducing a malicious code in the target environment to
establish stronghold. The malicious code can then be used for further compromises such as lateral movement.
 IRC bot: In more severe case, once the attacker has established a foothold, they can install an IRC bot which can then be controlled
through IRC channels.
Incident Response
IR Response Exercise – Website Defacement
Incident Response
IR Playbook Exercise – Website Defacement
Preparation
1. Create a hot cluster of servers to run the website. Build a backup site and set up routing backups. Enable detailed logging on the web server and test the site for vulnerabilities.
2. The website should be protected by a WAF, IPS, host-based IPS and anti-malware, with logs and alerts monitored for unauthorized access, change of files and privilege escalation to the system backups.
3. Deploy monitoring tools to quickly detect any abnormal behavior on your critical websites (e.g. Sucuri).
4. The home page should be access controlled from the management IP.
5. Log all access and alert on any change to the home page file; immediately verify against a change request.
Incident Response
IR Playbook Exercise – Website Defacement
Identification & Verification
SIEM Use Case
Columns: Monitored Element / Description / Log Source / Configuration / Threshold / Priority

Monitored Element: More than 30 requests for the same web file (e.g. *.php) by the same IP address and port number, or the same user
Description: During an attack the URL targeted by the attacker changes with each request, but the actual file name targeted with each request remains the same.
Log Source: Web Server
Configuration / Threshold: 30 requests in 5 minutes
Priority: 2

Monitored Element: Home page (*.php) change
Description: Enable the home page file auditing feature, configure an alert for file change and a priority 1 log alert.
Log Source: Web Server
Configuration / Threshold: File change from auditing - 1
Priority: 1

Monitored Element: DNS requests over port 80
Description: Infected hosts sending C&C communications masked as DNS requests over port 80 is common, so watch in the web gateway for any DNS request observed on port 80.
Log Source: Web Server
Configuration / Threshold: Port / Protocol mismatch
Priority: 1

Monitored Element: High number of HEAD requests on the web server
Description: Likely indicating an attempt to discover vulnerable CGI scripts. A high number of non-standard HTTP requests indicates a possible attack or information gathering preceding an attack.
Log Source: Web Server
Configuration / Threshold: 10 in 1 min
Priority: 2

Monitored Element: Web server not responding or responding slowly (HTML response time is huge) due to a possible DoS attack
Description: The web server has not served any pages in an hour and the IDS has reported multiple DoS attack events.
Log Source: Web Server
Configuration / Threshold: Slow response / 10 sec to open a file
Priority: 2

Monitored Element: SQL Injection, XSS, Injection, Redirects, Failed attempts
Description: SQL Injection, XSS and other attacks reported by the WAF
Log Source: Web gateway / Firewall
Priority: 1
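Two of the thresholds above (30 requests for the same file in 5 minutes, 10 HEAD requests in 1 minute) implemented as a sliding-window detector over web server log lines. This is an added example, not code from the original slides; the Apache-format log entries, the IP addresses and the alert tuple layout are constructed for illustration.

```python
"""Threshold detection for the web-defacement SIEM use cases above.

Added example, not code from the original slides. The log lines are constructed
Apache common-log entries (documentation-range IPs); the thresholds are the
ones in the use-case table.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone
from urllib.parse import urlsplit

# Apache common log format: ip ident user [ts] "METHOD url PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" (?P<status>\d{3}) \S+$'
)


def parse_line(line):
    """Parse one log line into a dict, or None if it does not match the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    # The table's point: the URL changes per request while the file targeted stays
    # the same, so key on the path with the query string stripped.
    return {"ip": m["ip"], "ts": ts, "method": m["method"],
            "path": urlsplit(m["url"]).path, "status": int(m["status"])}


class SlidingWindowCounter:
    """Counts events per key inside a trailing time window and reports the first
    moment the threshold is reached (one alert per key). Assumes timestamps for
    a given key arrive in order, as they do when reading a log file top to bottom."""

    def __init__(self, window, threshold):
        self.window, self.threshold = window, threshold
        self.hits = defaultdict(deque)
        self.alerted = set()

    def add(self, key, ts):
        q = self.hits[key]
        q.append(ts)
        while q and ts - q[0] > self.window:   # drop hits older than the window
            q.popleft()
        if len(q) >= self.threshold and key not in self.alerted:
            self.alerted.add(key)
            return True
        return False


def detect(lines):
    """Return alerts as (rule, ip, path, priority) tuples, in the order raised."""
    same_file = SlidingWindowCounter(timedelta(minutes=5), 30)  # 30 requests / 5 min, priority 2
    head_scan = SlidingWindowCounter(timedelta(minutes=1), 10)  # 10 HEAD requests / 1 min, priority 2
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        if same_file.add((ev["ip"], ev["path"]), ev["ts"]):
            alerts.append(("same-file-hammering", ev["ip"], ev["path"], 2))
        if ev["method"] == "HEAD" and head_scan.add(ev["ip"], ev["ts"]):
            alerts.append(("head-request-burst", ev["ip"], None, 2))
    return alerts


def _line(ip, ts, method, url):
    return f'{ip} - - [{ts:%d/%b/%Y:%H:%M:%S %z}] "{method} {url} HTTP/1.1" 200 512'


# Constructed sample log: one attacker, one scanner, one legitimate user.
_T0 = datetime(2023, 10, 10, 13, 55, 0, tzinfo=timezone.utc)
SAMPLE_LOG = []
for i in range(31):   # 31 hits on index.php with a changing query string in ~4 minutes
    SAMPLE_LOG.append(_line("203.0.113.7", _T0 + timedelta(seconds=8 * i), "GET", f"/index.php?id={i}"))
for i in range(10):   # 10 HEAD requests within 30 seconds
    SAMPLE_LOG.append(_line("198.51.100.4", _T0 + timedelta(seconds=3 * i), "HEAD", f"/cgi-bin/test{i}.cgi"))
for i in range(5):    # 5 ordinary page views spread over an hour
    SAMPLE_LOG.append(_line("192.0.2.10", _T0 + timedelta(minutes=12 * i), "GET", "/index.php?page=home"))

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```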
Incident Response
IR Playbook Exercise – Website Defacement
SQL Injection – Identification & Verification
1. Extract the attack source IP from the SIEM / WAF as log source (IIS/Apache)
2. Notify the application owner of the attack
3. Implement a firewall rule to block the attacker IP
4. If the attack source is on the local network, remote to a machine within the same subnet as the unauthorized device
5. Ping the offending machine IP
6. Run the "arp -a" command at the command prompt to extract the MAC address
7. Block the IP/MAC (NAC) and disable the user
Incident Response
IR Playbook Exercise – Website Defacement
Containment
1. Take the infected host out of the cluster.
2. Redirect all traffic to the backup servers.
3. If the source of the attack is another system on the network, disconnect it as soon as possible.
4. Conduct site/page replication for redirection, as required.
5. Disable links to the affected page or redirect to a correct version of the page.
6. Back up all data stored on the web server for forensic purposes and evidence collection. The best practice here, if applicable, is to make a complete bit-by-bit copy of the hard disk containing the web server. This will be helpful in recovering deleted files.
Incident Response
IR Playbook Exercise – Website Defacement
Investigation
1. Check files with static content (in particular, check the modification dates and hash signatures).
2. Check mash-up content providers.
3. Check links present in the web page (src, meta, css, script, etc.).
4. Review the database for modifications, content changes, traces of script injection, etc.
5. Review server logs and application access logs.
6. Look for evidence of data exfiltration.
Incident Response
IR Playbook Exercise – Website Defacement
Eradication
1. Patch identified vulnerabilities (including all technical and source code vulnerabilities).
2. Remove code/scripts installed by the attacker.
3. Change all user passwords if the web server provides user authentication and/or there is evidence or any reason to think that passwords may have been compromised.
4. Update patches, anti-virus and anti-malware signatures and scan the system for vulnerabilities.
5. Compare the eradication outcome against a known good backup.
Incident Response
IR Playbook Exercise – Website Defacement
Recovery
1. Full restore from a known good backup. Apply validated and verified latest database content updates on top of the known good backup if required, to compensate for any content changes between compromise and recovery.
2. Reconnect dependent systems.
3. Perform testing (sandbox test environment, user acceptance testing, etc.).
4. Reconnect the web server to the internal LAN/Internet, as required.
5. Confirm normal operations.
Questions, Comments and Feedback
ISACA - China Cybersecurity Law Presentation - Kyle Lai - v3.2ISACA - China Cybersecurity Law Presentation - Kyle Lai - v3.2
ISACA - China Cybersecurity Law Presentation - Kyle Lai - v3.2
Kyle Lai
 
Threat Based Risk Assessment
Threat Based Risk AssessmentThreat Based Risk Assessment
Threat Based Risk Assessment
Michael Lines
 
NIST CyberSecurity Framework: An Overview
NIST CyberSecurity Framework: An OverviewNIST CyberSecurity Framework: An Overview
NIST CyberSecurity Framework: An Overview
Tandhy Simanjuntak
 
QRadar, ArcSight and Splunk
QRadar, ArcSight and Splunk QRadar, ArcSight and Splunk
QRadar, ArcSight and Splunk
M sharifi
 
Visual Design with Data
Visual Design with DataVisual Design with Data
Visual Design with Data
Seth Familian
 

Viewers also liked (12)

ETIS Information Security Benchmark Successful Practices in telco security
ETIS Information Security Benchmark Successful Practices in telco securityETIS Information Security Benchmark Successful Practices in telco security
ETIS Information Security Benchmark Successful Practices in telco security
 
NYC Workshop: Improving the Business Value of your Service Management Program
NYC Workshop: Improving the Business Value of your Service Management ProgramNYC Workshop: Improving the Business Value of your Service Management Program
NYC Workshop: Improving the Business Value of your Service Management Program
 
Measuring method complexity of the case management modeling and notation (CMMN)
Measuring method complexity of the case management modeling and notation (CMMN)Measuring method complexity of the case management modeling and notation (CMMN)
Measuring method complexity of the case management modeling and notation (CMMN)
 
Black Hat 2014: Don’t be a Target: Everything You Know About Vulnerability Pr...
Black Hat 2014: Don’t be a Target: Everything You Know About Vulnerability Pr...Black Hat 2014: Don’t be a Target: Everything You Know About Vulnerability Pr...
Black Hat 2014: Don’t be a Target: Everything You Know About Vulnerability Pr...
 
IT Solutions Provider in Kosovo uses Bandwidth monitoring, NetFlow Analyzer
IT Solutions Provider in Kosovo uses Bandwidth monitoring, NetFlow AnalyzerIT Solutions Provider in Kosovo uses Bandwidth monitoring, NetFlow Analyzer
IT Solutions Provider in Kosovo uses Bandwidth monitoring, NetFlow Analyzer
 
Mapping the Enterprise Threat, Risk, and Security Control Landscape with Splunk
Mapping the Enterprise Threat, Risk, and Security Control Landscape with SplunkMapping the Enterprise Threat, Risk, and Security Control Landscape with Splunk
Mapping the Enterprise Threat, Risk, and Security Control Landscape with Splunk
 
NIST Cybersecurity Framework Cross Reference
NIST Cybersecurity Framework Cross ReferenceNIST Cybersecurity Framework Cross Reference
NIST Cybersecurity Framework Cross Reference
 
ISACA - China Cybersecurity Law Presentation - Kyle Lai - v3.2
ISACA - China Cybersecurity Law Presentation - Kyle Lai - v3.2ISACA - China Cybersecurity Law Presentation - Kyle Lai - v3.2
ISACA - China Cybersecurity Law Presentation - Kyle Lai - v3.2
 
Threat Based Risk Assessment
Threat Based Risk AssessmentThreat Based Risk Assessment
Threat Based Risk Assessment
 
NIST CyberSecurity Framework: An Overview
NIST CyberSecurity Framework: An OverviewNIST CyberSecurity Framework: An Overview
NIST CyberSecurity Framework: An Overview
 
QRadar, ArcSight and Splunk
QRadar, ArcSight and Splunk QRadar, ArcSight and Splunk
QRadar, ArcSight and Splunk
 
Visual Design with Data
Visual Design with DataVisual Design with Data
Visual Design with Data
 

Similar to Incident Response: Validation, Containment & Forensics

Ids 009 network attacks
Ids 009 network attacksIds 009 network attacks
Ids 009 network attacks
jyoti_lakhani
 
Advanced Threat Protection
Advanced Threat ProtectionAdvanced Threat Protection
Advanced Threat Protection
Lan & Wan Solutions
 
Lan & Wan
Lan & WanLan & Wan
Lan & Wan
Lan & WanLan & Wan
ATP
ATPATP
Running Head Security Assessment Repot (SAR) .docx
Running Head  Security Assessment Repot (SAR)                    .docxRunning Head  Security Assessment Repot (SAR)                    .docx
Running Head Security Assessment Repot (SAR) .docx
SUBHI7
 
Chapter_Five[1].ppt
Chapter_Five[1].pptChapter_Five[1].ppt
Chapter_Five[1].ppt
BachaSirata
 
firewalls.ppt
firewalls.pptfirewalls.ppt
firewalls.ppt
Raj Kumar
 
FireSIGHT Management Center (FMC) slides
FireSIGHT Management Center (FMC) slidesFireSIGHT Management Center (FMC) slides
FireSIGHT Management Center (FMC) slides
Amy Gerrie
 
Cyber warfare introduction
Cyber warfare introductionCyber warfare introduction
Cyber warfare introduction
jagadeesh katla
 
Seucrity in a nutshell
Seucrity in a nutshellSeucrity in a nutshell
Seucrity in a nutshell
Yahia Kandeel
 
SOC-as-a-Service - comSpark 2019
SOC-as-a-Service - comSpark 2019SOC-as-a-Service - comSpark 2019
SOC-as-a-Service - comSpark 2019
Advanced Technology Consulting (ATC)
 
透视消费者.ppt
透视消费者.ppt透视消费者.ppt
透视消费者.ppt
wei mingyang
 
Security and-visibility
Security and-visibilitySecurity and-visibility
Security and-visibility
edwardstudyemai
 
2014_protect_presentation
2014_protect_presentation2014_protect_presentation
2014_protect_presentation
Jeff Holland
 
Event - Internet Thailand - Total Security Perimeters
Event - Internet Thailand - Total Security PerimetersEvent - Internet Thailand - Total Security Perimeters
Event - Internet Thailand - Total Security Perimeters
Somyos U.
 
Open source network forensics and advanced pcap analysis
Open source network forensics and advanced pcap analysisOpen source network forensics and advanced pcap analysis
Open source network forensics and advanced pcap analysis
GTKlondike
 
How to protect your corporate from advanced attacks
How to protect your corporate from advanced attacksHow to protect your corporate from advanced attacks
How to protect your corporate from advanced attacks
Microsoft
 
Novetta Cyber Analytics
Novetta Cyber AnalyticsNovetta Cyber Analytics
Novetta Cyber Analytics
Novetta
 
Get Real-Time Cyber Threat Protection with Risk Management and SIEM
Get Real-Time Cyber Threat Protection with Risk Management and SIEMGet Real-Time Cyber Threat Protection with Risk Management and SIEM
Get Real-Time Cyber Threat Protection with Risk Management and SIEM
Rapid7
 

Similar to Incident Response: Validation, Containment & Forensics (20)

Ids 009 network attacks
Ids 009 network attacksIds 009 network attacks
Ids 009 network attacks
 
Advanced Threat Protection
Advanced Threat ProtectionAdvanced Threat Protection
Advanced Threat Protection
 
Lan & Wan
Lan & WanLan & Wan
Lan & Wan
 
Lan & Wan
Lan & WanLan & Wan
Lan & Wan
 
ATP
ATPATP
ATP
 
Running Head Security Assessment Repot (SAR) .docx
Running Head  Security Assessment Repot (SAR)                    .docxRunning Head  Security Assessment Repot (SAR)                    .docx
Running Head Security Assessment Repot (SAR) .docx
 
Chapter_Five[1].ppt
Chapter_Five[1].pptChapter_Five[1].ppt
Chapter_Five[1].ppt
 
firewalls.ppt
firewalls.pptfirewalls.ppt
firewalls.ppt
 
FireSIGHT Management Center (FMC) slides
FireSIGHT Management Center (FMC) slidesFireSIGHT Management Center (FMC) slides
FireSIGHT Management Center (FMC) slides
 
Cyber warfare introduction
Cyber warfare introductionCyber warfare introduction
Cyber warfare introduction
 
Seucrity in a nutshell
Seucrity in a nutshellSeucrity in a nutshell
Seucrity in a nutshell
 
SOC-as-a-Service - comSpark 2019
SOC-as-a-Service - comSpark 2019SOC-as-a-Service - comSpark 2019
SOC-as-a-Service - comSpark 2019
 
透视消费者.ppt
透视消费者.ppt透视消费者.ppt
透视消费者.ppt
 
Security and-visibility
Security and-visibilitySecurity and-visibility
Security and-visibility
 
2014_protect_presentation
2014_protect_presentation2014_protect_presentation
2014_protect_presentation
 
Event - Internet Thailand - Total Security Perimeters
Event - Internet Thailand - Total Security PerimetersEvent - Internet Thailand - Total Security Perimeters
Event - Internet Thailand - Total Security Perimeters
 
Open source network forensics and advanced pcap analysis
Open source network forensics and advanced pcap analysisOpen source network forensics and advanced pcap analysis
Open source network forensics and advanced pcap analysis
 
How to protect your corporate from advanced attacks
How to protect your corporate from advanced attacksHow to protect your corporate from advanced attacks
How to protect your corporate from advanced attacks
 
Novetta Cyber Analytics
Novetta Cyber AnalyticsNovetta Cyber Analytics
Novetta Cyber Analytics
 
Get Real-Time Cyber Threat Protection with Risk Management and SIEM
Get Real-Time Cyber Threat Protection with Risk Management and SIEMGet Real-Time Cyber Threat Protection with Risk Management and SIEM
Get Real-Time Cyber Threat Protection with Risk Management and SIEM
 

More from Priyanka Aash

Keynote : Presentation on SASE Technology
Keynote : Presentation on SASE TechnologyKeynote : Presentation on SASE Technology
Keynote : Presentation on SASE Technology
Priyanka Aash
 
Keynote : AI & Future Of Offensive Security
Keynote : AI & Future Of Offensive SecurityKeynote : AI & Future Of Offensive Security
Keynote : AI & Future Of Offensive Security
Priyanka Aash
 
Redefining Cybersecurity with AI Capabilities
Redefining Cybersecurity with AI CapabilitiesRedefining Cybersecurity with AI Capabilities
Redefining Cybersecurity with AI Capabilities
Priyanka Aash
 
Demystifying Neural Networks And Building Cybersecurity Applications
Demystifying Neural Networks And Building Cybersecurity ApplicationsDemystifying Neural Networks And Building Cybersecurity Applications
Demystifying Neural Networks And Building Cybersecurity Applications
Priyanka Aash
 
Finetuning GenAI For Hacking and Defending
Finetuning GenAI For Hacking and DefendingFinetuning GenAI For Hacking and Defending
Finetuning GenAI For Hacking and Defending
Priyanka Aash
 
(CISOPlatform Summit & SACON 2024) Kids Cyber Security .pdf
(CISOPlatform Summit & SACON 2024) Kids Cyber Security .pdf(CISOPlatform Summit & SACON 2024) Kids Cyber Security .pdf
(CISOPlatform Summit & SACON 2024) Kids Cyber Security .pdf
Priyanka Aash
 
(CISOPlatform Summit & SACON 2024) Regulation & Response In Banks.pdf
(CISOPlatform Summit & SACON 2024) Regulation & Response In Banks.pdf(CISOPlatform Summit & SACON 2024) Regulation & Response In Banks.pdf
(CISOPlatform Summit & SACON 2024) Regulation & Response In Banks.pdf
Priyanka Aash
 
(CISOPlatform Summit & SACON 2024) Cyber Insurance & Risk Quantification.pdf
(CISOPlatform Summit & SACON 2024) Cyber Insurance & Risk Quantification.pdf(CISOPlatform Summit & SACON 2024) Cyber Insurance & Risk Quantification.pdf
(CISOPlatform Summit & SACON 2024) Cyber Insurance & Risk Quantification.pdf
Priyanka Aash
 
(CISOPlatform Summit & SACON 2024) Workshop _ Most Dangerous Attack Technique...
(CISOPlatform Summit & SACON 2024) Workshop _ Most Dangerous Attack Technique...(CISOPlatform Summit & SACON 2024) Workshop _ Most Dangerous Attack Technique...
(CISOPlatform Summit & SACON 2024) Workshop _ Most Dangerous Attack Technique...
Priyanka Aash
 
(CISOPlatform Summit & SACON 2024) Keynote _ Power Digital Identities With AI...
(CISOPlatform Summit & SACON 2024) Keynote _ Power Digital Identities With AI...(CISOPlatform Summit & SACON 2024) Keynote _ Power Digital Identities With AI...
(CISOPlatform Summit & SACON 2024) Keynote _ Power Digital Identities With AI...
Priyanka Aash
 
(CISOPlatform Summit & SACON 2024) Digital Personal Data Protection Act.pdf
(CISOPlatform Summit & SACON 2024) Digital Personal Data Protection Act.pdf(CISOPlatform Summit & SACON 2024) Digital Personal Data Protection Act.pdf
(CISOPlatform Summit & SACON 2024) Digital Personal Data Protection Act.pdf
Priyanka Aash
 
(CISOPlatform Summit & SACON 2024) Gen AI & Deepfake In Overall Security.pdf
(CISOPlatform Summit & SACON 2024) Gen AI & Deepfake In Overall Security.pdf(CISOPlatform Summit & SACON 2024) Gen AI & Deepfake In Overall Security.pdf
(CISOPlatform Summit & SACON 2024) Gen AI & Deepfake In Overall Security.pdf
Priyanka Aash
 
(CISOPlatform Summit & SACON 2024) Incident Response .pdf
(CISOPlatform Summit & SACON 2024) Incident Response .pdf(CISOPlatform Summit & SACON 2024) Incident Response .pdf
(CISOPlatform Summit & SACON 2024) Incident Response .pdf
Priyanka Aash
 
(CISOPlatform Summit & SACON 2024) GRC.pdf
(CISOPlatform Summit & SACON 2024) GRC.pdf(CISOPlatform Summit & SACON 2024) GRC.pdf
(CISOPlatform Summit & SACON 2024) GRC.pdf
Priyanka Aash
 
(CISOPlatform Summit & SACON 2024) Orientation by CISO Platform_ Using CISO P...
(CISOPlatform Summit & SACON 2024) Orientation by CISO Platform_ Using CISO P...(CISOPlatform Summit & SACON 2024) Orientation by CISO Platform_ Using CISO P...
(CISOPlatform Summit & SACON 2024) Orientation by CISO Platform_ Using CISO P...
Priyanka Aash
 
Digital Personal Data Protection (DPDP) Practical Approach For CISOs
Digital Personal Data Protection (DPDP) Practical Approach For CISOsDigital Personal Data Protection (DPDP) Practical Approach For CISOs
Digital Personal Data Protection (DPDP) Practical Approach For CISOs
Priyanka Aash
 
Verizon Breach Investigation Report (VBIR).pdf
Verizon Breach Investigation Report (VBIR).pdfVerizon Breach Investigation Report (VBIR).pdf
Verizon Breach Investigation Report (VBIR).pdf
Priyanka Aash
 
Top 10 Security Risks .pptx.pdf
Top 10 Security Risks .pptx.pdfTop 10 Security Risks .pptx.pdf
Top 10 Security Risks .pptx.pdf
Priyanka Aash
 
Simplifying data privacy and protection.pdf
Simplifying data privacy and protection.pdfSimplifying data privacy and protection.pdf
Simplifying data privacy and protection.pdf
Priyanka Aash
 
Generative AI and Security (1).pptx.pdf
Generative AI and Security (1).pptx.pdfGenerative AI and Security (1).pptx.pdf
Generative AI and Security (1).pptx.pdf
Priyanka Aash
 

More from Priyanka Aash (20)

Keynote : Presentation on SASE Technology
Keynote : Presentation on SASE TechnologyKeynote : Presentation on SASE Technology
Keynote : Presentation on SASE Technology
 
Keynote : AI & Future Of Offensive Security
Keynote : AI & Future Of Offensive SecurityKeynote : AI & Future Of Offensive Security
Keynote : AI & Future Of Offensive Security
 
Redefining Cybersecurity with AI Capabilities
Redefining Cybersecurity with AI CapabilitiesRedefining Cybersecurity with AI Capabilities
Redefining Cybersecurity with AI Capabilities
 
Demystifying Neural Networks And Building Cybersecurity Applications
Demystifying Neural Networks And Building Cybersecurity ApplicationsDemystifying Neural Networks And Building Cybersecurity Applications
Demystifying Neural Networks And Building Cybersecurity Applications
 
Finetuning GenAI For Hacking and Defending
Finetuning GenAI For Hacking and DefendingFinetuning GenAI For Hacking and Defending
Finetuning GenAI For Hacking and Defending
 
(CISOPlatform Summit & SACON 2024) Kids Cyber Security .pdf
(CISOPlatform Summit & SACON 2024) Kids Cyber Security .pdf(CISOPlatform Summit & SACON 2024) Kids Cyber Security .pdf
(CISOPlatform Summit & SACON 2024) Kids Cyber Security .pdf
 
(CISOPlatform Summit & SACON 2024) Regulation & Response In Banks.pdf
(CISOPlatform Summit & SACON 2024) Regulation & Response In Banks.pdf(CISOPlatform Summit & SACON 2024) Regulation & Response In Banks.pdf
(CISOPlatform Summit & SACON 2024) Regulation & Response In Banks.pdf
 
(CISOPlatform Summit & SACON 2024) Cyber Insurance & Risk Quantification.pdf
(CISOPlatform Summit & SACON 2024) Cyber Insurance & Risk Quantification.pdf(CISOPlatform Summit & SACON 2024) Cyber Insurance & Risk Quantification.pdf
(CISOPlatform Summit & SACON 2024) Cyber Insurance & Risk Quantification.pdf
 
(CISOPlatform Summit & SACON 2024) Workshop _ Most Dangerous Attack Technique...
(CISOPlatform Summit & SACON 2024) Workshop _ Most Dangerous Attack Technique...(CISOPlatform Summit & SACON 2024) Workshop _ Most Dangerous Attack Technique...
(CISOPlatform Summit & SACON 2024) Workshop _ Most Dangerous Attack Technique...
 
(CISOPlatform Summit & SACON 2024) Keynote _ Power Digital Identities With AI...
(CISOPlatform Summit & SACON 2024) Keynote _ Power Digital Identities With AI...(CISOPlatform Summit & SACON 2024) Keynote _ Power Digital Identities With AI...
(CISOPlatform Summit & SACON 2024) Keynote _ Power Digital Identities With AI...
 
(CISOPlatform Summit & SACON 2024) Digital Personal Data Protection Act.pdf
(CISOPlatform Summit & SACON 2024) Digital Personal Data Protection Act.pdf(CISOPlatform Summit & SACON 2024) Digital Personal Data Protection Act.pdf
(CISOPlatform Summit & SACON 2024) Digital Personal Data Protection Act.pdf
 
(CISOPlatform Summit & SACON 2024) Gen AI & Deepfake In Overall Security.pdf
(CISOPlatform Summit & SACON 2024) Gen AI & Deepfake In Overall Security.pdf(CISOPlatform Summit & SACON 2024) Gen AI & Deepfake In Overall Security.pdf
(CISOPlatform Summit & SACON 2024) Gen AI & Deepfake In Overall Security.pdf
 
(CISOPlatform Summit & SACON 2024) Incident Response .pdf
(CISOPlatform Summit & SACON 2024) Incident Response .pdf(CISOPlatform Summit & SACON 2024) Incident Response .pdf
(CISOPlatform Summit & SACON 2024) Incident Response .pdf
 
(CISOPlatform Summit & SACON 2024) GRC.pdf
(CISOPlatform Summit & SACON 2024) GRC.pdf(CISOPlatform Summit & SACON 2024) GRC.pdf
(CISOPlatform Summit & SACON 2024) GRC.pdf
 
(CISOPlatform Summit & SACON 2024) Orientation by CISO Platform_ Using CISO P...
(CISOPlatform Summit & SACON 2024) Orientation by CISO Platform_ Using CISO P...(CISOPlatform Summit & SACON 2024) Orientation by CISO Platform_ Using CISO P...
(CISOPlatform Summit & SACON 2024) Orientation by CISO Platform_ Using CISO P...
 
Digital Personal Data Protection (DPDP) Practical Approach For CISOs
Digital Personal Data Protection (DPDP) Practical Approach For CISOsDigital Personal Data Protection (DPDP) Practical Approach For CISOs
Digital Personal Data Protection (DPDP) Practical Approach For CISOs
 
Verizon Breach Investigation Report (VBIR).pdf
Verizon Breach Investigation Report (VBIR).pdfVerizon Breach Investigation Report (VBIR).pdf
Verizon Breach Investigation Report (VBIR).pdf
 
Top 10 Security Risks .pptx.pdf
Top 10 Security Risks .pptx.pdfTop 10 Security Risks .pptx.pdf
Top 10 Security Risks .pptx.pdf
 
Simplifying data privacy and protection.pdf
Simplifying data privacy and protection.pdfSimplifying data privacy and protection.pdf
Simplifying data privacy and protection.pdf
 
Generative AI and Security (1).pptx.pdf
Generative AI and Security (1).pptx.pdfGenerative AI and Security (1).pptx.pdf
Generative AI and Security (1).pptx.pdf
 

Recently uploaded

Vulnerability Management: A Comprehensive Overview
Vulnerability Management: A Comprehensive OverviewVulnerability Management: A Comprehensive Overview
Vulnerability Management: A Comprehensive Overview
Steven Carlson
 
Types of Weaving loom machine & it's technology
Types of Weaving loom machine & it's technologyTypes of Weaving loom machine & it's technology
Types of Weaving loom machine & it's technology
ldtexsolbl
 
Sonkoloniya documentation - ONEprojukti.pdf
Sonkoloniya documentation - ONEprojukti.pdfSonkoloniya documentation - ONEprojukti.pdf
Sonkoloniya documentation - ONEprojukti.pdf
SubhamMandal40
 
Acumatica vs. Sage Intacct vs. NetSuite _ NOW CFO.pdf
Acumatica vs. Sage Intacct vs. NetSuite _ NOW CFO.pdfAcumatica vs. Sage Intacct vs. NetSuite _ NOW CFO.pdf
Acumatica vs. Sage Intacct vs. NetSuite _ NOW CFO.pdf
BrainSell Technologies
 
Girls Call Churchgate 9910780858 Provide Best And Top Girl Service And No1 in...
Girls Call Churchgate 9910780858 Provide Best And Top Girl Service And No1 in...Girls Call Churchgate 9910780858 Provide Best And Top Girl Service And No1 in...
Girls Call Churchgate 9910780858 Provide Best And Top Girl Service And No1 in...
maigasapphire
 
Vertex AI Agent Builder - GDG Alicante - Julio 2024
Vertex AI Agent Builder - GDG Alicante - Julio 2024Vertex AI Agent Builder - GDG Alicante - Julio 2024
Vertex AI Agent Builder - GDG Alicante - Julio 2024
Nicolás Lopéz
 
High Profile Girls call Service Pune 000XX00000 Provide Best And Top Girl Ser...
High Profile Girls call Service Pune 000XX00000 Provide Best And Top Girl Ser...High Profile Girls call Service Pune 000XX00000 Provide Best And Top Girl Ser...
High Profile Girls call Service Pune 000XX00000 Provide Best And Top Girl Ser...
bhumivarma35300
 
Premium Girls Call Mumbai 9920725232 Unlimited Short Providing Girls Service ...
Premium Girls Call Mumbai 9920725232 Unlimited Short Providing Girls Service ...Premium Girls Call Mumbai 9920725232 Unlimited Short Providing Girls Service ...
Premium Girls Call Mumbai 9920725232 Unlimited Short Providing Girls Service ...
shanihomely
 
Google I/O Extended Harare Merged Slides
Google I/O Extended Harare Merged SlidesGoogle I/O Extended Harare Merged Slides
Google I/O Extended Harare Merged Slides
Google Developer Group - Harare
 
Use Cases & Benefits of RPA in Manufacturing in 2024.pptx
Use Cases & Benefits of RPA in Manufacturing in 2024.pptxUse Cases & Benefits of RPA in Manufacturing in 2024.pptx
Use Cases & Benefits of RPA in Manufacturing in 2024.pptx
SynapseIndia
 
Semantic-Aware Code Model: Elevating the Future of Software Development
Semantic-Aware Code Model: Elevating the Future of Software DevelopmentSemantic-Aware Code Model: Elevating the Future of Software Development
Semantic-Aware Code Model: Elevating the Future of Software Development
Baishakhi Ray
 
leewayhertz.com-AI agents for healthcare Applications benefits and implementa...
leewayhertz.com-AI agents for healthcare Applications benefits and implementa...leewayhertz.com-AI agents for healthcare Applications benefits and implementa...
leewayhertz.com-AI agents for healthcare Applications benefits and implementa...
alexjohnson7307
 
IPLOOK Remote-Sensing Satellite Solution
IPLOOK Remote-Sensing Satellite SolutionIPLOOK Remote-Sensing Satellite Solution
IPLOOK Remote-Sensing Satellite Solution
IPLOOK Networks
 
Evolution of iPaaS - simplify IT workloads to provide a unified view of data...
Evolution of iPaaS - simplify IT workloads to provide a unified view of  data...Evolution of iPaaS - simplify IT workloads to provide a unified view of  data...
Evolution of iPaaS - simplify IT workloads to provide a unified view of data...
Torry Harris
 
Uncharted Together- Navigating AI's New Frontiers in Libraries
Uncharted Together- Navigating AI's New Frontiers in LibrariesUncharted Together- Navigating AI's New Frontiers in Libraries
Uncharted Together- Navigating AI's New Frontiers in Libraries
Brian Pichman
 
Girls call Kolkata 👀 XXXXXXXXXXX 👀 Rs.9.5 K Cash Payment With Room Delivery
Girls call Kolkata 👀 XXXXXXXXXXX 👀 Rs.9.5 K Cash Payment With Room Delivery Girls call Kolkata 👀 XXXXXXXXXXX 👀 Rs.9.5 K Cash Payment With Room Delivery
Girls call Kolkata 👀 XXXXXXXXXXX 👀 Rs.9.5 K Cash Payment With Room Delivery
sunilverma7884
 
BLOCKCHAIN TECHNOLOGY - Advantages and Disadvantages
BLOCKCHAIN TECHNOLOGY - Advantages and DisadvantagesBLOCKCHAIN TECHNOLOGY - Advantages and Disadvantages
BLOCKCHAIN TECHNOLOGY - Advantages and Disadvantages
SAI KAILASH R
 
Integrating Kafka with MuleSoft 4 and usecase
Integrating Kafka with MuleSoft 4 and usecaseIntegrating Kafka with MuleSoft 4 and usecase
Integrating Kafka with MuleSoft 4 and usecase
shyamraj55
 
Computer HARDWARE presenattion by CWD students class 10
Computer HARDWARE presenattion by CWD students class 10Computer HARDWARE presenattion by CWD students class 10
Computer HARDWARE presenattion by CWD students class 10
ankush9927
 
Mastering OnlyFans Clone App Development: Key Strategies for Success
Mastering OnlyFans Clone App Development: Key Strategies for SuccessMastering OnlyFans Clone App Development: Key Strategies for Success
Mastering OnlyFans Clone App Development: Key Strategies for Success
David Wilson
 

Recently uploaded (20)

Vulnerability Management: A Comprehensive Overview
Vulnerability Management: A Comprehensive OverviewVulnerability Management: A Comprehensive Overview
Vulnerability Management: A Comprehensive Overview
 
Types of Weaving loom machine & it's technology
Types of Weaving loom machine & it's technologyTypes of Weaving loom machine & it's technology
Types of Weaving loom machine & it's technology
 
Sonkoloniya documentation - ONEprojukti.pdf
Sonkoloniya documentation - ONEprojukti.pdfSonkoloniya documentation - ONEprojukti.pdf
Sonkoloniya documentation - ONEprojukti.pdf
 
Acumatica vs. Sage Intacct vs. NetSuite _ NOW CFO.pdf
Acumatica vs. Sage Intacct vs. NetSuite _ NOW CFO.pdfAcumatica vs. Sage Intacct vs. NetSuite _ NOW CFO.pdf
Acumatica vs. Sage Intacct vs. NetSuite _ NOW CFO.pdf
 
Girls Call Churchgate 9910780858 Provide Best And Top Girl Service And No1 in...
Girls Call Churchgate 9910780858 Provide Best And Top Girl Service And No1 in...Girls Call Churchgate 9910780858 Provide Best And Top Girl Service And No1 in...
Girls Call Churchgate 9910780858 Provide Best And Top Girl Service And No1 in...
 
Vertex AI Agent Builder - GDG Alicante - Julio 2024
Vertex AI Agent Builder - GDG Alicante - Julio 2024Vertex AI Agent Builder - GDG Alicante - Julio 2024
Vertex AI Agent Builder - GDG Alicante - Julio 2024
 
High Profile Girls call Service Pune 000XX00000 Provide Best And Top Girl Ser...
High Profile Girls call Service Pune 000XX00000 Provide Best And Top Girl Ser...High Profile Girls call Service Pune 000XX00000 Provide Best And Top Girl Ser...
High Profile Girls call Service Pune 000XX00000 Provide Best And Top Girl Ser...
 
Premium Girls Call Mumbai 9920725232 Unlimited Short Providing Girls Service ...
Premium Girls Call Mumbai 9920725232 Unlimited Short Providing Girls Service ...Premium Girls Call Mumbai 9920725232 Unlimited Short Providing Girls Service ...
Premium Girls Call Mumbai 9920725232 Unlimited Short Providing Girls Service ...
 
Google I/O Extended Harare Merged Slides
Google I/O Extended Harare Merged SlidesGoogle I/O Extended Harare Merged Slides
Google I/O Extended Harare Merged Slides
 
Use Cases & Benefits of RPA in Manufacturing in 2024.pptx
Use Cases & Benefits of RPA in Manufacturing in 2024.pptxUse Cases & Benefits of RPA in Manufacturing in 2024.pptx
Use Cases & Benefits of RPA in Manufacturing in 2024.pptx
 
Semantic-Aware Code Model: Elevating the Future of Software Development
Semantic-Aware Code Model: Elevating the Future of Software DevelopmentSemantic-Aware Code Model: Elevating the Future of Software Development
Semantic-Aware Code Model: Elevating the Future of Software Development
 
leewayhertz.com-AI agents for healthcare Applications benefits and implementa...
leewayhertz.com-AI agents for healthcare Applications benefits and implementa...leewayhertz.com-AI agents for healthcare Applications benefits and implementa...
leewayhertz.com-AI agents for healthcare Applications benefits and implementa...
 
IPLOOK Remote-Sensing Satellite Solution
IPLOOK Remote-Sensing Satellite SolutionIPLOOK Remote-Sensing Satellite Solution
IPLOOK Remote-Sensing Satellite Solution
 
Evolution of iPaaS - simplify IT workloads to provide a unified view of data...
Evolution of iPaaS - simplify IT workloads to provide a unified view of  data...Evolution of iPaaS - simplify IT workloads to provide a unified view of  data...
Evolution of iPaaS - simplify IT workloads to provide a unified view of data...
 
Uncharted Together- Navigating AI's New Frontiers in Libraries
Uncharted Together- Navigating AI's New Frontiers in LibrariesUncharted Together- Navigating AI's New Frontiers in Libraries
Uncharted Together- Navigating AI's New Frontiers in Libraries
 
Girls call Kolkata 👀 XXXXXXXXXXX 👀 Rs.9.5 K Cash Payment With Room Delivery
Girls call Kolkata 👀 XXXXXXXXXXX 👀 Rs.9.5 K Cash Payment With Room Delivery Girls call Kolkata 👀 XXXXXXXXXXX 👀 Rs.9.5 K Cash Payment With Room Delivery
Girls call Kolkata 👀 XXXXXXXXXXX 👀 Rs.9.5 K Cash Payment With Room Delivery
 
BLOCKCHAIN TECHNOLOGY - Advantages and Disadvantages
BLOCKCHAIN TECHNOLOGY - Advantages and DisadvantagesBLOCKCHAIN TECHNOLOGY - Advantages and Disadvantages
BLOCKCHAIN TECHNOLOGY - Advantages and Disadvantages
 
Integrating Kafka with MuleSoft 4 and usecase
Integrating Kafka with MuleSoft 4 and usecaseIntegrating Kafka with MuleSoft 4 and usecase
Integrating Kafka with MuleSoft 4 and usecase
 
Computer HARDWARE presenattion by CWD students class 10
Computer HARDWARE presenattion by CWD students class 10Computer HARDWARE presenattion by CWD students class 10
Computer HARDWARE presenattion by CWD students class 10
 
Mastering OnlyFans Clone App Development: Key Strategies for Success
Mastering OnlyFans Clone App Development: Key Strategies for SuccessMastering OnlyFans Clone App Development: Key Strategies for Success
Mastering OnlyFans Clone App Development: Key Strategies for Success
 

Incident Response: Validation, Containment & Forensics

  • 1. Advanced SOC Section 5 - Incident Response
  • 2. 10 Incident Lifecycle Management Threat Management – NIST Aligned Process
  • 3. Situational Awareness Ability to identify what is happening in the networks and system landscape Reconnaissance Weaponization & Delivery Lateral Movement Data Exfiltration Persistency Identification and selection of the target/s host or network by active scanning Transmission/Inject of the malicious payload in to the target/s Detect, exploit and compromise other vulnerable hosts Steal and exhilarate data Establish a foothold in the corporate network  In military strategy, a “Kill Chain” is a phase model to describe the stages of an attack, which also helps inform ways to prevent attacks. 11 Incident Response Kill Chain Model for Use Cases Assist in Incident Response
  • 4. 12 Incident Response Kill Chain Model for Use Cases Assist in Incident Response Situational Awareness - Outbound Protocols - Outbound protocols by size - Top destination Countries - Top destination Countries by size Reconnaissance - Port scan activity - ICMP query Weaponization and Delivery - Injection - Cross Site Scripting - Cross Site Request Forgery - Failure to Restrict URL - Downloaded binaries - Top email subjects - Domains mismatching - Malicious or anomalous Office/Java/Adobe files - Suspicious Web pages (iframe + [pdf|html|js])
  • 5. Incident Response – Kill Chain Model for Use Cases Assists in Incident Response (continued)
    Lateral Movement
    - Remove or add account
    - Remote WMI communications
    - Remote Group Policy Editor
    - Remote session communications (outside working hours?)
    - Antivirus terminated
    Data Exfiltration
    - Upload to cloud storage domains
    - Suspicious HTTP methods (DELETE, PUT)
    - Uploaded images
    - FTP over non-standard port
    - IRC communication
    - SSH | ICMP tunneling
    Persistency Phase
    - Unusual User Agents
    - Outbound SSL VPN
    - Outbound unknown
  • 6. Advanced SOC Incident Response - APT
  • 7. Incident Response – Advanced Persistent Threat
    An “Advanced Persistent Threat” is a complex, targeted cyber attack carried out over a long period of time (i.e. “persistent”). These attacks are well funded, mostly state sponsored and carried out by professionals. The motive behind the attack is to gain access to the target system and maintain that access for a prolonged period.
    - Step 1: Reconnaissance
    - Step 2: Initial intrusion into the network
    - Step 3: Establish a backdoor into the network
    - Step 4: Obtain user credentials
    - Step 5: Install various utilities
    - Step 6: Privilege escalation / lateral movement / data exfiltration
    - Step 7: Maintain persistence
  • 8. Incident Response Process – Preparation
    (Process phases: Preparation | Identification & Verification | Containment | Eradication | Recovery | Post Incident Analysis | Investigation)
    - Always install software from trusted sources and verify the digital signature and MD5 hash.
    - Use benchmarks for building systems on the network, including hardened systems.
    - Use group policy to distribute enterprise-wide end point security measures and remove admin privileges from all end user systems and servers.
    - Enable appropriate logging on all network devices.
    - Leverage the SIEM to correlate data from multiple defense tool sources. Use the data to identify potential compromise, such as blocked emails, code execution in the browser, probable large data in HTML, outgoing traffic to specific IPs on unusual ports, abnormal DNS requests, drive-by malware download, AV clean-fail alert, reinfection within 5 minutes, multiple failed DNS resolution attempts, SAM file access, privileged account failure, forced password change.
    - Systems that require admin privileges must be identified in the CMDB as high value targets.
    - Identify and block all grey-listed domains.
    - Collect detailed behavioral profiles on all the data and functions handled by each application.
    - Decrypt and re-encrypt confidential traffic through applications or other encryption utilities, wherever possible.
    - Identify, create and constantly update a list of all IPs known to be associated with malware command and control (Threat Intelligence / Reputation IP).
    - Set up procedures for external notification by contributing to Open Source Intelligence.
  • 9. Incident Response Process – Signs of Compromise
    - Identification of the same email from a public domain to a significant number of users, C-level employees or high value targets; encrypted, password-protected and zipped attachments crafted to escape the email malware filter (put the user in the reference list).
    - End point alert / HIPS / host-based malware alerts for local script execution for the same user: raise an incident.
    - Identify unusual traffic volumes to multiple ports or IP addresses, or excessive packet loss (connection over 4 hours to an external IP).
    - Examine abnormal services on known ports and abnormal ports for well-known services; verify the reputation score of the IP (e.g. SSH to port 80).
    - EDR and WAF alerts for scripts, hash mismatch.
    - Botnet filter alerts for traffic to blacklisted domains.
    - Email / SPAM filter misbehavior or maintenance activity followed by suspicious activity on the network, especially involving unknown/suspicious remote destinations.
    - Monitor packet flow into and out of the network for likely patterns of Command and Control (C&C) traffic, outbound custom encrypted communications, covert communication channels with external entities, etc.
    - Threat Intelligence alerts for connections / data sent to suspicious destinations outside the organization, especially those in less reputable geographic locations and at odd hours.
    - Examine whether any data breach has occurred, e.g. a large HTML packet.
    - Review hourly and daily reports of network usage to identify unusual occurrences and spikes in traffic.
  • 10. Use Case Model – Attack Based (Kill Chain) – Use Case 17 B
    Columns: Category | Sub Category | SIEM Rule Source | Use Case Condition | Action | Correlate
    Reconn | End point protection | Email gateway
      Condition: Harmful attachment (binary / infected Word or PDF file, password-protected or encrypted file attached) where the source of the email is an internal IP.
      Action: Add the source IP addresses of the email recipient machines to shortlist 1.
    Delivery | End point protection | AV server
      Condition: All antivirus and anti-malware software events.
      Action: The source IP address is added to the compromised-host active list.
      Correlate: Define a second high-level rule that cross-correlates to determine whether the host source IP address is also found on shortlist 1 (if yes, raise an incident).
    Host Exploitation | End point protection | Local system
      Condition: Rule 1: A registry change has occurred in one of the registry start locations such as RunOnce. Rule 2: A new unknown process has been spawned.
      Action: Add them to shortlist 1.
    C&C | End point protection | Firewall / IPS
      Condition: End point communicates with a known bad C&C IP address.
      Action: Add them to the compromised active list.
    Local Compromise | End point protection | Local system
      Condition: Rule 1: Creation of local accounts. Rule 2: Escalation of privileges. Rule 3: Group policy changes. Rule 4: Antivirus or anti-malware software processes have been terminated.
      Action: Add them to shortlist 2.
      Correlate: If an IP address exists on shortlist 2 more than once, raise an incident alert.
    Internal Recon | End point protection | Firewall / IPS
      Condition: Rule 1: Peer-to-peer communication. Rule 2: Beaconing of desktop network communications trying to find a route to the Internet; this shows as firewall drop events. Rule 3: Multiple communications where the source network zone is desktop and the destination network zone is desktop.
      Correlate: Correlate rules 1-3 where the source also exists on shortlist 1 or shortlist 2; if it does, raise an incident and add the IP to the compromised-host asset list.
    Lateral Movement | End point protection | Local system
      Condition: Rule 1: Windows program audit events where netstat has been used; add the source IP to shortlist 2. Rule 2: Windows net logon event; add the source IP address to shortlist 2.
      Action: Add to shortlist 2 for any of the events detected.
      Correlate: Correlation rule 2: If rules 1-6 correlate with an IP address on shortlist 1, raise an incident alert and add the IP to the compromised-host asset list.
    Establish Persistence | End point protection | Firewall internal
      Condition: Rule 1: Internal-to-internal communications between hosts in the same network zone on unknown communication channels, for example a desktop communicating with another desktop using HTTPS.
    Data Exfiltration | Data protection | Email gateway / proxy and FW
      Condition: Rule 1: Windows program audit event where NTbackup has been used; add the source IP to shortlist 2. Rule 2: Windows events for registry access to the following registry locations as this indicates the …
      Correlate: Correlate multiple email sending events where attachments are sent to a single unknown email address in the same day for a total data size of > 100 MB. Add to shortlist 1.
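The shortlist logic of the table above, as an added example that is not part of the deck: pass 1 applies the Action column (feeding shortlist 1, shortlist 2 or the compromised-host list), pass 2 applies the Correlate column and raises incidents. The rule names and the sample events are constructed for illustration.

```python
"""Two-pass shortlist correlation modelled on the use-case table.

Pass 1 routes each event to shortlist 1, shortlist 2 or the compromised-host
list as the table's Action column says; pass 2 applies the Correlate column.
Rule names and the events below are constructed, not real telemetry.
"""
from collections import Counter

# Action column: which (log source, rule) pairs feed which list.
SHORTLIST_1 = {("email_gateway", "harmful_attachment_from_internal"),
               ("local_system", "registry_run_location_changed"),
               ("local_system", "unknown_process_spawned")}
SHORTLIST_2 = {("local_system", "local_account_created"),
               ("local_system", "privilege_escalation"),
               ("local_system", "group_policy_changed"),
               ("local_system", "av_process_terminated")}
COMPROMISED = {("firewall_ips", "known_c2_destination"), ("av_server", "av_event")}
INTERNAL_RECON = {("firewall_ips", "peer_to_peer"),
                  ("firewall_ips", "desktop_beaconing_dropped"),
                  ("firewall_ips", "desktop_to_desktop")}


def correlate(events):
    """events: iterable of dicts with 'source', 'rule' and 'ip'.
    Returns the populated lists and the incidents raised, all sorted."""
    shortlist1, shortlist2, compromised = set(), Counter(), set()
    av_hosts, recon_hosts = set(), set()
    for ev in events:                          # pass 1: populate the lists
        key, ip = (ev["source"], ev["rule"]), ev["ip"]
        if key in SHORTLIST_1:
            shortlist1.add(ip)
        elif key in SHORTLIST_2:
            shortlist2[ip] += 1                # counted: "more than once" matters
        elif key in COMPROMISED:
            compromised.add(ip)
            if key[0] == "av_server":
                av_hosts.add(ip)
        elif key in INTERNAL_RECON:
            recon_hosts.add(ip)
    incidents = []                             # pass 2: Correlate column
    # Delivery: AV event on a host that is also on shortlist 1.
    incidents += [("delivery", ip) for ip in sorted(av_hosts & shortlist1)]
    # Local Compromise: an IP that landed on shortlist 2 more than once.
    incidents += [("local_compromise", ip)
                  for ip, n in sorted(shortlist2.items()) if n > 1]
    # Internal Recon: recon source also on shortlist 1 or 2 -> incident + compromised list.
    for ip in sorted(recon_hosts & (shortlist1 | set(shortlist2))):
        incidents.append(("internal_recon", ip))
        compromised.add(ip)
    return {"shortlist1": sorted(shortlist1), "shortlist2": sorted(shortlist2),
            "compromised": sorted(compromised), "incidents": incidents}


# Constructed sample telemetry (documentation-range addresses, not real hosts).
SAMPLE_EVENTS = [
    {"source": "email_gateway", "rule": "harmful_attachment_from_internal", "ip": "10.0.0.5"},
    {"source": "av_server", "rule": "av_event", "ip": "10.0.0.5"},
    {"source": "local_system", "rule": "local_account_created", "ip": "10.0.0.7"},
    {"source": "local_system", "rule": "av_process_terminated", "ip": "10.0.0.7"},
    {"source": "local_system", "rule": "group_policy_changed", "ip": "10.0.0.9"},
    {"source": "firewall_ips", "rule": "peer_to_peer", "ip": "10.0.0.9"},
    {"source": "firewall_ips", "rule": "known_c2_destination", "ip": "10.0.0.11"},
    {"source": "av_server", "rule": "av_event", "ip": "10.0.0.13"},
]

if __name__ == "__main__":
    for incident in correlate(SAMPLE_EVENTS)["incidents"]:
        print("INCIDENT", *incident)
```

The lone AV event for 10.0.0.13 lands on the compromised list but raises no incident, exactly as the Delivery row's Action/Correlate split prescribes.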
  • 11. Incident Response Process – Limit the Damage (Containment)
    - Move the infected system into a separate VLAN.
    - Use packet capturing utilities to replay old (or malicious) traffic to identify additionally infected systems.
    - Examine the system to identify any lateral movement made within the enterprise by the attacker, and perform the same checks on the affected systems.
    - Identify end point IOCs (hash, registry change, running process, running service) to find the other infected systems.
    - Based on the initial investigation, do the following: block the attacker's IP address, terminate vulnerable/infected processes, disable the user or change the user's password.
    - Preserve information and artifacts associated with the incident.
    - Update the firewall / anti-malware blacklist to block the attacker's IPs and monitor them in detail, including the communication protocol.
    - Remove sensitive data from unsecured and unnecessary locations.
    - Alert related key users to possible attacks and limit system and user privileges to copy, modify and delete secondary data/information.
    - Alert law enforcement and other authorities such as CERT, if required.
    - Notify internal users and affected departments / system owners.
  • 12. Incident Response Process – Source and Anatomy (Investigation)
    - In case of spear phishing, verify the links clicked and the destination URL.
    - Investigate the information provided or data uploaded on the phishing site.
    - Identify suspicious changes in listening ports, system services and drivers, startup tasks and scheduled tasks on the infected system.
    - Look for new accounts with high privileges or permission changes.
    - Identify DNS requests.
    - Verify Host Intrusion Prevention System (HIPS) alerts for execution of scripts or malicious code.
    - Use file system and memory analysis and look for malware/code-specific entities in memory (process information, running service information).
    - Analyze changes in the registry for unexpected registry keys.
    - Extract and identify characteristics of the adversary across other affected systems; this may be achieved by using correlation rules to search for identified characteristics of the attack such as:
      - Files
      - System calls
      - Processes
      - Network
      - Ports
      - IP addresses
      - Host names
    - Investigate further to identify all:
      - Active (beaconing) and passive (listening) backdoors
      - Other entry points such as web servers, mail servers, VPN
  • 13. Incident Response Process – Remove Cause (Eradication)
    - Reset all affected system, user and service passwords.
    - Remove backdoors by running updated anti-malware tools; use vendor-supplied removal tools as necessary for eradication and clean-up.
    - Patch the vulnerable systems the attackers are exploiting for access.
    - Run registry cleaners and scan for memory-resident malicious code; clean up using alternate boot media.
    - Develop or update antivirus and/or security device (IPS/IDS) signatures.
    - Re-engineer the system or systems to prevent re-infection.
    - Segment critical data into more restricted areas and implement auditing for critical data access.
    - Enable block mode for sensitive data on the data loss prevention tool.
  • 14. Incident Response Process – Resume Normal Operation (Recovery)
    - Clean all traces such as infected files, binaries, infected code and data.
    - Clean browsing history, registry and memory. Preferably, after taking all snapshots, reinstall from a clean image.
    - Update all antivirus / anti-malware programs with new signatures and patches.
    - Scan the infected system with the latest antivirus and anti-malware programs.
    - Scan for suspicious items discovered on all infected and interconnected systems using the updated anti-malware that was used to disinfect the targeted systems.
    - Perform system integrity checks for all infected systems.
    - Restore all systems whose integrity was affected by the attack from the last known good backup.
    - Confirm all systems and services are restored to normal operations.
    - Restore the data from the previous backup.
  • 15. Incident Response Process – Post Mortem & Lessons Learned
    - Perform forensics to identify the source of the attack and the motivation (e.g. state sponsors).
    - Identify whether the attackers used a third party (e.g., contractor, client, joint venture) as an attack vector.
    - Identify whether the attackers had insider assistance.
    - Identify whether the attackers had physical access to the facilities or network.
    - Collect evidence from packet captures / network information, logs, the infected system's browsing history, and the malicious code and its reverse engineering.
    - Reverse-engineer binaries to help identify attack methods, communication protocols and attack servers.
    - Create images of hard drives from infected hosts.
    - Ensure preservation of evidence and maintain chain of custody as required by legal authorities.
    - Perform communications (internal/external user groups, public media, etc.).
  • 16. Advanced SOC Exercise – IR Playbook
  • 17. Example Carbanak – A-SOC Capabilities. Attack-flow diagram (element labels recovered from the slide; step numbering not recoverable): attacker uses spear-phished emails carrying a Word file with MA; victim follows the link / clicks; malicious web server sends or reflects exploit code; malware is installed via the mail client; malware contacts the updater by IP address (C&C); attacker remotely controls the malware; lateral movement; screen capture / video recording; data upload of screens and video recordings.
  • 18. Example Carbanak – A-SOC Capabilities. The same diagram with the SOC monitoring points overlaid: a) Monitor DNS; b) Monitor NetFlow; c) Monitor Port & Protocol Usage; d) Monitor Web Traffic; e) Data in HTML Response – NetFlow.
  • 20. Incident Response – IR response process
    Purpose: The purpose of this document is to provide guidance to Tier 2 Triage and Tier 3 Response analysts on the approach to incident remediation.
    Scope: The scope of this guidance includes 3 stages:
    - Containment
    - Eradication
    - Recovery
    Containment: The intention of this stage is to limit the damage caused by the incident without yet removing its cause. This is typically done as the first step, as it may take additional time to understand the cause of the incident and the appropriate eradication strategy. Examples of containment include shutting down affected systems, closing firewall ports, etc.
    Eradication: This stage is typically done after the containment stage; here the cause of the incident is removed. Eradication can only be performed before containment if the incident cause is immediately clear and eradication can be performed swiftly, before additional damage is caused by the incident. Examples of eradication include deleting malicious code, removing malicious accounts, etc.
    Recovery: This stage is done once the impacted (“victim”) system is no longer vulnerable. Examples of recovery include restoring from backup, patching servers, etc.
  • 21. Incident Response – IR response process – Attack Category: Authentication (Internal User)
    Attack Sub Categories: Misc Login Succeeded, Unknown Authentication, Host Login Succeeded, Host Login Failed, Misc Login Failed, Privilege Escalation Failed, Privilege Escalation Succeeded, Mail Service Login Succeeded, Mail Service Login Failed, Auth Server Login Failed, Auth Server, Group Added, Group Changed, Group Removed, Computer Account Added, Computer Account Changed, Computer Account Removed, Remote Access Login Succeeded, Remote Access Login Failed, General Authentication Successful, Telnet Login Succeeded, Telnet Login Failed, Suspicious Password, Samba Login Succeeded, Samba Login Failed, etc.
    Response Remediation Options:
    1. Containment
       a. Terminate processes with any active connections to the attacker IP or port
       b. Disable the user ID in question
    2. Eradication
       a. Work with the network team to physically locate the internal attacker
       b. Turn off the switch port of the internal attacker
       c. Remove user access
    3. Recovery
       a. Implement a strong password policy
       b. Reconfigure the vulnerable service as applicable
       c. Restore to the previous good state from backup or a recovery application
  • 22. Incident Response – IR Response Exercise – Website Defacement
    “Website defacement” refers to any unauthorized change made to the appearance of either a single web page or an entire site. Often the attacker replaces the home page with an embarrassing (or worse) message.
    - Web page defacement: the most straightforward and visually identifiable attack, where the web page content is changed and replaced by the perpetrators. The website data is not deleted.
    - Data deletion: a second stage of damage, where the website is defaced and the data and other pages are also deleted.
    - Install malicious software: website defacement can be augmented by introducing malicious code into the target environment to establish a stronghold. The malicious code can then be used for further compromise, such as lateral movement.
    - IRC bot: in more severe cases, once the attacker has established a foothold, they can install an IRC bot which can then be controlled through IRC channels.
  • 23. Incident Response – IR Playbook Exercise – Website Defacement – Preparation
    1. Create a hot cluster of servers to run the website. Build a backup site and set up routing to the backups.
    2. The website should be protected by a WAF, IPS, host-based IPS and anti-malware; monitor logs and alerts for unauthorized access, change of files, or privilege escalation to the system backups. Enable detailed logging on the web server and test the site for vulnerabilities.
    3. Deploy monitoring tools to quickly detect any abnormal behavior on your critical websites (e.g. Sucuri).
    4. The home page should be access controlled from the management IP.
    5. Log all access and alert on any change to the home page file; immediately verify against a change request.
  • 24. Incident Response – IR Playbook Exercise – Website Defacement – Identification & Verification (SIEM use cases)
    Columns: Monitored Element | Description | Log Source | Configuration / Threshold | Priority
    - More than 30 requests for the same web file (e.g. *.php) by the same IP address and port number, or by the same user | During an attack the URL targeted by the attacker changes with each request, but the actual file name targeted remains the same | Web server | 30 requests in 5 minutes | Priority 2
    - Home page (*.php) change | Enable the home page file auditing feature; configure an alert on file change and a priority 1 log alert | Web server | File change from auditing - 1 | Priority 1
    - DNS requests over port 80 | Infected hosts commonly send C&C communications masked as DNS requests over port 80, so watch the web gateway for any DNS request observed on port 80 | Web server | Port / protocol mismatch | Priority 1
    - High number of HEAD requests on the web server | Likely indicates an attempt to discover vulnerable CGI scripts; a high number of non-standard HTTP requests indicates a possible attack or information gathering preceding an attack | Web server | 10 in 1 minute | Priority 2
    - Web server not responding or slow response (HTML response time is huge) due to a possible DoS attack | The web server has not served any pages in an hour and the IDS has reported multiple DoS attack events | Web server | Slow response / 10 seconds to open a file | Priority 2
    - SQL injection, XSS, injection, redirects, failed attempts | SQL injection, XSS and other attacks reported by the WAF | Web gateway / firewall | – | Priority 1
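The first and fourth use cases in the table (30 requests for one file in 5 minutes despite a changing URL; 10 HEAD requests in 1 minute), as an added example rather than a rule from the deck: a sliding-window detector run over constructed Apache combined-format log lines. The thresholds follow the Configuration / Threshold column; the addresses, paths and timestamps are constructed.

```python
"""Sliding-window detections for two SIEM use cases from the table,
run over constructed Apache combined-format access log lines."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone
from urllib.parse import urlsplit

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" (?P<status>\d{3})')


def parse(line):
    """Return ip, timestamp, method and file path (query string dropped), or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {"ip": m["ip"], "method": m["method"],
            "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
            # the attacker varies the URL per request but the file name stays the same
            "path": urlsplit(m["url"]).path}


def detect(lines, same_file=(30, 300), head=(10, 60)):
    """Return (priority, rule, ip, path) alerts. Thresholds are (count, seconds):
    30 requests for one file in 5 minutes, 10 HEAD requests in 1 minute."""
    windows = defaultdict(deque)      # (rule, key) -> timestamps still inside the window
    alerted, alerts = set(), []
    for ev in filter(None, map(parse, lines)):
        checks = [("same_file_burst", (ev["ip"], ev["path"]), same_file)]
        if ev["method"] == "HEAD":
            checks.append(("head_burst", (ev["ip"], None), head))
        for rule, key, (limit, seconds) in checks:
            win = windows[(rule, key)]
            win.append(ev["ts"])
            while ev["ts"] - win[0] > timedelta(seconds=seconds):
                win.popleft()         # drop requests that fell out of the window
            if len(win) >= limit and (rule, key) not in alerted:
                alerted.add((rule, key))   # one alert per offending source
                alerts.append((2, rule, key[0], key[1]))
    return alerts


def _line(ip, second, method, url):
    """Build one constructed combined-format line at T0 + second."""
    ts = datetime(2024, 1, 15, 10, 0, tzinfo=timezone.utc) + timedelta(seconds=second)
    return f'{ip} - - [{ts.strftime("%d/%b/%Y:%H:%M:%S %z")}] "{method} {url} HTTP/1.1" 200 512'


# Constructed sample log (documentation-range addresses, not real traffic).
SAMPLE_LOG = (
    [_line("203.0.113.9", i * 8, "GET", f"/index.php?id={i}") for i in range(31)]        # 31 hits on one file
    + [_line("198.51.100.4", 100 + i * 5, "HEAD", f"/cgi-bin/t{i}.cgi") for i in range(10)]  # HEAD probing
    + [_line("192.0.2.7", i * 60, "GET", f"/page{i}.php") for i in range(5)]              # benign browsing
)

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```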
  • 25. Incident Response – IR Playbook Exercise – Website Defacement / SQL Injection – Identification & Verification
    1. Extract the attack source IP from the SIEM, using the WAF or web server (IIS/Apache) as log source
    2. Notify the application owner of the attack
    3. Implement a firewall rule to block the attacker IP
    4. If the attack source is on the local network, remote into a machine within the same subnet as the unauthorized device
    5. Ping the offending machine's IP
    6. Run the “arp -a” command at the command prompt to extract the MAC address
    7. Block the IP/MAC (NAC) and disable the user
  • 26. Incident Response – IR Playbook Exercise – Website Defacement – Containment
    1. Take the infected host out of the cluster.
    2. Redirect all traffic to the backup servers.
    3. If the source of the attack is another system on the network, disconnect it as soon as possible.
    4. Conduct site/page replication for redirection, as required.
    5. Disable links to the affected page or redirect to a correct version of the page.
    6. Back up all data stored on the web server for forensic purposes and evidence collection. Best practice here, if applicable, is to make a complete bit-by-bit copy of the hard disk containing the web server; this will help to recover deleted files.
  • 27. Incident Response – IR Playbook Exercise – Website Defacement – Investigation
    1. Check files with static content (in particular, check the modification dates and hash signatures).
    2. Check mash-up content providers.
    3. Check links present in the web page (src, meta, css, script, etc.).
    4. Review the database for modifications, content changes, traces of script injection, etc.
    5. Review server logs and application access logs.
    6. Look for evidence of data exfiltration.
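Step 1 above (and the home-page change alert in the Preparation slide), as an added example that is not from the deck: baseline the SHA-256 and modification time of every file under the web root, then diff a later snapshot to list modified, added and deleted files. The web root and its files are constructed in a temporary directory.

```python
"""Integrity check for static web content: hash every file under the web root,
keep the result as a JSON baseline, and diff a later snapshot against it.
The web root used here is constructed in a temporary directory."""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(webroot):
    """relative path -> sha256 and UTC modification time for every regular file."""
    snap = {}
    for dirpath, _, names in os.walk(webroot):
        for name in names:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, webroot).replace(os.sep, "/")
            mtime = datetime.fromtimestamp(os.stat(full).st_mtime, timezone.utc)
            snap[rel] = {"sha256": sha256_file(full), "mtime": mtime.isoformat()}
    return snap


def compare(baseline, current):
    """Diff two snapshots. The hash decides 'modified'; an attacker can reset
    the mtime, so the date is reported as context rather than used as the test."""
    modified = sorted(p for p in baseline if p in current
                      and baseline[p]["sha256"] != current[p]["sha256"])
    return {"modified": modified,
            "added": sorted(set(current) - set(baseline)),
            "deleted": sorted(set(baseline) - set(current)),
            "mtimes": {p: current[p]["mtime"] for p in modified}}


def _write(root, rel, text):
    full = os.path.join(root, *rel.split("/"))
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "w") as f:
        f.write(text)


def demo():
    """Constructed web root: take a baseline, simulate a defacement, diff."""
    root = tempfile.mkdtemp()
    _write(root, "index.php", "<?php echo 'welcome'; ?>")
    _write(root, "css/site.css", "body { color: #000; }")
    _write(root, "js/app.js", "console.log('ok');")
    baseline = json.loads(json.dumps(snapshot(root)))   # round-trip through JSON as a stored baseline would
    _write(root, "index.php", "<h1>defaced</h1>")          # home page replaced
    _write(root, "uploads/x.txt", "unexpected new file")   # file dropped by the intruder
    os.remove(os.path.join(root, "js", "app.js"))          # content deleted
    return compare(baseline, snapshot(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```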
  • 28. Incident Response – IR Playbook Exercise – Website Defacement – Eradication
    1. Patch identified vulnerabilities (including all technical and source code vulnerabilities).
    2. Remove code/scripts installed by the attacker.
    3. Change all user passwords if the web server provides user authentication and/or there is evidence or any reason to think that passwords may have been compromised.
    4. Update patches, anti-virus and anti-malware, and scan the system for vulnerabilities.
    5. Compare the eradication outcome against a known good backup.
  • 29. Incident Response – IR Playbook Exercise – Website Defacement – Recovery
    1. Full restore from a known good backup. Apply validated and verified latest database content updates on top of the known good backup if required, to compensate for any content changes between compromise and recovery.
    2. Reconnect dependent systems.
    3. Perform testing (sandbox test environment, user acceptance testing, etc.).
    4. Reconnect the web server to the internal LAN/Internet, as required.
    5. Confirm normal operations.