Cyber Security Incident Response Process Complete Guideline
Before starting with incident response, let's understand where incident response stands in the SOC process.
Once an alert is serious, or an event becomes a critical incident, incident response is activated to manage it.
The incident response team is responsible for driving the incident and mitigating the impact through to resolution and root cause analysis, including digital forensics and post-incident activity.
What is Cyber Incident Response?
Cyber security incident response is an organized, strategic approach to detecting and managing cyber attacks and data breaches. It helps minimize damage, recovery time and cost.
Step 1: Preparation
Step 2: Detection and Analysis
Step 3: Containment, Eradication and Recovery
Step 4: Post-Incident Activity
Preparation:
Preparation is the key to effective incident response. Even the best incident response team cannot effectively address an incident without predetermined guidelines. In order to successfully address security events, these features should be included in an incident response plan:
Develop and Document IR Policies: Establish policies, procedures, and agreements for incident response management.
Define Communication Guidelines: Create communication standards and guidelines to enable seamless communication during and after an incident.
Incorporate Threat Intelligence Feeds: Perform ongoing collection, analysis, and synchronization of your threat intelligence feeds.
Conduct Cyber Hunting Exercises: Conduct operational threat hunting exercises to find incidents occurring within your environment. This allows for more proactive incident response.
Assess Your Threat Detection Capability: Assess your current threat detection capability and update risk assessment and improvement programs.
Preparation also includes the plan, the procedures, the SOPs (Standard Operating Procedures, including real-world scenarios with resolution steps), the communication protocol and the escalation matrix.
Detection and Analysis:
The focus of this phase is to monitor security events in order to detect, alert, and report on potential security incidents.
Monitor security events in your environment using firewalls, intrusion prevention systems and data loss prevention tools.
Detect potential security incidents by correlating alerts within a SIEM solution.
Triage and analysis, including (a) endpoint analysis, (b) binary analysis and (c) log/event analysis.
This phase also includes system response, digital forensics, memory analysis and malware analysis.
Containment, Eradication and Recovery:
Containment means stopping the spread: isolate the affected system immediately.
Start recovery by applying a temporary/ad hoc fix, then test the permanent fix before deploying it into production.
Post-Incident Activity:
After recovery, start collecting all the artifacts and the chronology of the incident:
1. How was the issue identified (i.e. through the SIEM solution, an IDS alert, etc.)?
2. What time did the incident occur, and how was it reported?
3. What time was the issue resolved?
4. What steps were taken?
5. Update the SOP based on the case.
6. Track and follow up on actions.
A few things to keep in mind: cyber security incident response communication must be restricted and confidential unless it is a genuine case; otherwise it could impact the company's reputation.
Real-time example: One Saturday at 5 PM, one of my team members who was on shift called me and said that one of the web applications was not accessible; on the front page of that application he could see that the attacker had pasted some sample records from the database, with a red banner at the top of the web page (the attacker wrote: "I have access to your database, pay $20,000 USD through Bitcoin to get the access back").
The database was sitting in the DMZ (Demilitarized Zone). In most organizations the database sits in the DMZ zone, in the chain Web Server - Application Server - Database. If anyone touches the database it triggers an automated alert; however, the analyst on shift had not monitored it.
Start investigating:
First, we verified whether the data the attacker had posted at the top of the page was real or not, by running a SELECT query against the database.
We checked when the database backup was last taken, in case we had to restore it.
We sent out the initial communication within a restricted, limited group. Keep in mind that a cyber incident cannot be disclosed unless there is a large customer-base or regulatory impact; disclosure could impact the company's reputation.
We engaged all the participants required for this investigation: the network team, the fraud management team, the application owner, the crisis management team and other required teams.
The application owner said there had been no changes to this web application in the last 1-2 months.
The network team highlighted that there had been some changes the last time the firewall was changed from a SonicWall TZ350 to a FortiGate 60F (both firewall brands). That was a clue for us at that point in time.
During that change, the WAF (Web Application Firewall) configuration rule had been blacklisted with upper-case characters only, and the attacker submitted malicious code using a mix of lower- and upper-case characters.
The malicious code was something like: (msfvenom -f "malicious code", an arbitrary listening port, and the SQL statement was a mix of lower- and upper-case letters, -UnIOn all-; 'Union is a SQL function').
If an attacker submits malicious code through the WAF (Web Application Firewall), it should throw a "MOD_SECURITY" error; however, because of this incorrect blacklisting the attacker successfully gained access to the database.
"It was a WAF bypass SQL injection attack on the database."
Finally, we put controls/configuration changes in place at the WAF level with the help of the network team, tested those changes before deploying them into production, and on the other side updated the SOP based on the incident.
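A check for the case-sensitivity gap described in this incident, as an added example (not the original WAF rule or the page's code): the blacklist keywords and the sample query strings are constructed, and the two matchers stand in for the broken and the corrected rule.

```python
import re
from urllib.parse import unquote_plus

# Assumed blacklist keywords, written in upper case only, as in the misconfigured rule.
BLACKLIST = ["UNION", "SELECT", "OR 1=1"]

def naive_rule_blocks(raw_query, keywords=BLACKLIST):
    """Case-sensitive substring match on the raw query string: the gap the attacker used."""
    return any(k in raw_query for k in keywords)

def normalize(raw_query):
    """URL-decode, strip inline SQL comments, collapse whitespace and lower-case before matching."""
    text = unquote_plus(raw_query)
    text = re.sub(r"/\*.*?\*/", " ", text)   # '/**/' is a common separator used to split keywords
    text = re.sub(r"\s+", " ", text)
    return text.lower()

def normalized_rule_blocks(raw_query, keywords=BLACKLIST):
    """Case-insensitive match on the normalized query: the corrected rule."""
    text = normalize(raw_query)
    return any(k.lower() in text for k in keywords)

# Constructed sample query strings, each labelled with whether the WAF should block it.
SAMPLES = [
    ("q=laptop", False),
    ("q=1' UNION ALL SELECT name FROM users--", True),   # upper case: both rules catch it
    ("q=1' UnIOn aLl SeLeCt name FROM users--", True),   # mixed case: the naive rule misses it
    ("q=1'%20UnIOn/**/aLl%20SeLeCt%20name%20FROM%20users--", True),  # URL-encoded plus comment
    ("q=credit union branch", False),                   # legitimate text containing a keyword
]

def evaluate(rule, samples=SAMPLES):
    """Return (missed_attacks, false_positives) for a rule over the labelled samples."""
    missed = [q for q, malicious in samples if malicious and not rule(q)]
    false_positives = [q for q, malicious in samples if not malicious and rule(q)]
    return missed, false_positives

if __name__ == "__main__":
    for rule in (naive_rule_blocks, normalized_rule_blocks):
        missed, fps = evaluate(rule)
        print(f"{rule.__name__}: missed={len(missed)} false_positives={len(fps)}")
```

Normalizing before matching closes the case gap, but keyword blacklists still produce false positives (the "credit union" sample), which is why parameterized queries in the application, covered under SQL Injection on this page, remain the primary fix and the WAF rule a backstop.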
The incident response team's responsibility is to drive the issue technically through to resolution and to perform root cause analysis, triage, reporting, communication and post-incident activity.
In most organizations, however, the SOC (Security Operations Centre) team and the incident response team work hand in hand to resolve the issue.
Digital Forensics
Digital forensics helps recover data when an attack does occur and also helps identify the culprit behind the crime.
Tools for digital forensics: there are many free and paid tools available on the market for performing digital forensics, such as EnCase, FTK Imager and Autopsy. Autopsy is currently one of the most popular digital forensics tools, but many other tools are available.
There are different types of digital forensics :
Computer Forensics
Database Forensics
Network Forensics
Mobile Forensics
Forensic Data Analysis
Example - How to perform digital forensics?
To perform digital forensics, first we have to collect the data. This illustration is based on the Autopsy tool (version 4.19).
a) Install Autopsy and click New Case.
b) Select the location where you want to save the case data; it is better to store it somewhere other than the C: drive of your computer.
c) Select the data source to collect the data. It is good to collect the data in the following sequence (most volatile first):
Memory Data
Running Processes
Open Files
Network configuration
Operating System details
There are many functions visible in the left-side panel of the Autopsy tool; which ones you use depends on your case and the investigation you are doing.
Once we have collected the data, we can start investigating. A few things to consider during the investigation:
a) Recent activity: try to correlate it with your case. What time did the issue happen? Who modified the file? etc.
b) In Autopsy you can see "Deleted files" and their hashes (SHA and MD5), which are very important for checking file integrity.
Chain of custody: one of the most important concepts in digital forensics. For example, for any case going to legal/court proceedings, the chain of custody captures all the artifacts/evidence in chronological order. (To present a legal case in court, digital forensics should be performed with a licensed tool, and it is good if the person who investigated the case is ECIH certified; however, this depends on the case.)
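How evidence hashes and a chronological chain of custody fit together, as an added example (not Autopsy's own record format; the evidence bytes, handler names and timestamps are constructed): each record carries the MD5/SHA-256 of the evidence plus a digest of the previous record, so both a modified file and a modified record are detected.

```python
import hashlib
import json
from datetime import datetime, timezone

def hash_evidence(data, algorithms=("md5", "sha256")):
    """Return {algorithm: hexdigest} for an evidence blob (for real disk images, hash in chunks)."""
    return {alg: hashlib.new(alg, data).hexdigest() for alg in algorithms}

def entry_digest(entry):
    """Digest of one record with stable key order, so the next record can commit to it."""
    return hashlib.sha256(json.dumps(entry, sort_keys=True).encode()).hexdigest()

def append_entry(chain, evidence_id, data, action, handler, when=None):
    """Add a custody record: who did what, when, the evidence hashes, and the previous record's digest."""
    entry = {
        "evidence_id": evidence_id,
        "action": action,            # e.g. acquired, transferred, analysed, returned
        "handler": handler,
        "timestamp": (when or datetime.now(timezone.utc)).isoformat(),
        "hashes": hash_evidence(data),
        "prev": entry_digest(chain[-1]) if chain else None,
    }
    chain.append(entry)
    return entry

def verify_chain(chain, current_data):
    """True only if the records link correctly, every record carries the same evidence
    hashes, and the evidence as it exists now still matches those hashes."""
    if not chain:
        return False
    for i, entry in enumerate(chain):
        expected_prev = entry_digest(chain[i - 1]) if i else None
        if entry["prev"] != expected_prev or entry["hashes"] != chain[0]["hashes"]:
            return False
    return hash_evidence(current_data) == chain[0]["hashes"]

# Constructed evidence (a short log extract), not from any real case.
EVIDENCE = b"constructed sample log extract: database access at 17:02 from the web tier\n"

def build_sample_chain():
    """Two constructed custody records for the same evidence item."""
    chain = []
    t0 = datetime(2024, 1, 6, 17, 30, tzinfo=timezone.utc)
    append_entry(chain, "EV-001", EVIDENCE, "acquired", "analyst A", t0)
    append_entry(chain, "EV-001", EVIDENCE, "transferred", "forensics lead B", t0.replace(hour=18))
    return chain

if __name__ == "__main__":
    chain = build_sample_chain()
    print(json.dumps(chain, indent=2))
    print("chain valid:", verify_chain(chain, EVIDENCE))
```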
A few important points related to digital forensics:
If new data overwrites old data, the old data is no longer recoverable.
Can deleted data be recovered? Yes, it is possible to recover data by forensics even if the contents have been deleted or wiped using the most sophisticated technology available on the market.
Determining whether a file has changed: the stochastic forensics method can be used to identify this.
Various kinds of techniques are used in computer forensics investigations, such as:
Stochastic forensics: a method of forensically reconstructing digital activities that leave insufficient digital artifacts, by analyzing the emerging patterns that result from the stochastic nature of modern-day computers.
Steganography: steganography is the technique of hiding secret information inside or on top of something, which can be anything from an image to any other type of file; reverse steganography is the forensic technique of detecting such hidden data.
Cross-drive analysis: cross-drive analysis (CDA) is a technique that allows an investigator to quickly identify and correlate information from multiple data sources or across multiple drives.
Live analysis: it is used to examine computers from within the running OS using various forensic tools. This approach is useful when the investigator is dealing with encrypted files, and it shows which TCP and UDP ports are open, what services are currently in use and running, etc.
Deleted files recovery: a technique used to recover deleted files. The deleted data can be recovered or carved out using forensic tools such as CrashPlan, OnTrack EasyRecovery, Wise Data Recovery, etc.
SOC analysts and incident responders should also be aware of networking concepts and the TCP/IP model.
Cyber Threat Intelligence (CTI)
Cyber threat intelligence is knowledge-, skill- and experience-based information concerning the occurrence and assessment of both cyber and physical threats and threat actors, intended to help mitigate potential attacks and harmful events occurring in cyberspace.
Integrating threat intelligence into your existing security processes improves decision making for the incident response team.
One of the best uses for threat intelligence is to gather data and perform analysis that will help your organization create a simple metric for evaluating vulnerabilities.
A good threat intelligence solution should gather its data from both open and closed sources on the internet, which helps us identify the threat actors.
Threat intelligence provides reports on active threats by industry and sector, which helps organizations make strategic decisions to reduce risk.
What is Malware? (Malicious + Software = Malware)
Malware is software intentionally designed to cause damage or gain access to a computer, network, server, client, etc. Malware can:
Slow down your system
Create annoying pop-ups
Install other applications
Steal sensitive data
Delete/encrypt files
Stop services and shut down systems
Common infection vectors:
External storage device
Direct access to the target computer
Phishing
Attachment
Drive-by download
Malvertising
APT Malware:
Specific target (identified via reconnaissance)
Uses zero-day vulnerabilities and exploits
Very sophisticated skills
Commodity Malware:
No specific target
e.g. WannaCry
Well-known vulnerabilities / average skills
Different types of malware:
Virus
Trojan
Worm
Ransomware
Spyware
Adware
Botnets
Rootkits
Keylogger
Scareware
Malware is any software used to gain unauthorized access to IT systems in order to steal data, disrupt system services or damage IT networks in any way. Ransomware is a type of malware identified by specified data or systems being held captive by attackers until a form of payment or ransom is provided.
One of the most common executable file formats in the Windows environment is PE.
PE stands for Portable Executable.
All .exe and .dll files are PE files.
It contains the information the operating system needs to run the executable.
The PE file format includes the DOS header, DOS stub, PE header, section table, etc.
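Walking those headers in order, as an added example (not the page's code): the parser reads the DOS header, follows e_lfanew to the PE signature, decodes the COFF header and lists the section table, flagging sections whose raw data runs past the end of the file, a common sign of a truncated or tampered sample. The PE image it parses is constructed in build_sample_pe and is not a real binary.

```python
import struct

MACHINE_NAMES = {0x14C: "x86", 0x8664: "x64", 0x1C0: "ARM", 0xAA64: "ARM64"}

def parse_pe(data):
    """Walk DOS header -> e_lfanew -> PE signature -> COFF header -> section table."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("no MZ DOS header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]        # offset of the PE header
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found at e_lfanew")
    (machine, n_sections, timestamp, _symtab, _nsyms,
     opt_size, characteristics) = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    opt_magic = struct.unpack_from("<H", data, e_lfanew + 24)[0] if opt_size >= 2 else 0
    sec_table = e_lfanew + 24 + opt_size                       # section table follows the optional header
    sections = []
    for i in range(n_sections):
        name, vsize, vaddr, raw_size, raw_ptr = struct.unpack_from("<8sIIII", data, sec_table + 40 * i)
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "virtual_address": vaddr, "virtual_size": vsize,
            "raw_offset": raw_ptr, "raw_size": raw_size,
            "truncated": raw_ptr + raw_size > len(data),       # raw data past EOF: truncated/tampered
        })
    return {
        "machine": MACHINE_NAMES.get(machine, hex(machine)),
        "pe32_plus": opt_magic == 0x20B,                       # 0x10B = PE32, 0x20B = PE32+ (64-bit)
        "timestamp": timestamp,
        "is_dll": bool(characteristics & 0x2000),              # IMAGE_FILE_DLL
        "sections": sections,
    }

def build_sample_pe():
    """Construct a minimal PE image for demonstration only (header fields, no real code)."""
    def section(name, vsize, vaddr, raw_size, raw_ptr, flags):
        return struct.pack("<8sIIIIIIHHI", name, vsize, vaddr, raw_size, raw_ptr, 0, 0, 0, 0, flags)
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x80)                    # e_lfanew: PE header at 0x80
    stub = bytes(0x80 - 0x40)                                  # DOS stub placeholder
    coff = struct.pack("<HHIIIHH", 0x8664, 2, 0x65432100, 0, 0, 0xF0, 0x0022)
    opt = struct.pack("<H", 0x20B) + bytes(0xF0 - 2)           # PE32+ optional header, rest zeroed
    text = section(b".text", 0x1000, 0x1000, 0x200, 0x200, 0x60000020)
    data = section(b".data", 0x100, 0x2000, 0x200, 0x400, 0xC0000040)
    image = bytes(dos) + stub + b"PE\0\0" + coff + opt + text + data
    return image + bytes(0x600 - len(image))                   # pad so both sections fit in the file

if __name__ == "__main__":
    info = parse_pe(build_sample_pe())
    print(info["machine"], "PE32+" if info["pe32_plus"] else "PE32", [s["name"] for s in info["sections"]])
```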
Obfuscation Techniques
Obfuscation makes a process harder to understand.
A few components of it:
Packers
Polymorphic malware and metamorphic malware
Dead code insertion
Subroutine reordering
Practical example of packet capture for malware analysis using Wireshark:
o Open Wireshark
o Select the interface (source) from which you want to capture the data
o Click on Capture Options
o There are two file formats for captured network traffic: pcap and pcapng
o Save the file in some location; it is good to store data somewhere other than the C: drive
o There are different options, e.g. collect only the first 64 MB, etc.
o The data here was collected as pcap with a complete dump
o This file can be used later for further analysis
Wireshark - Malware Traffic Analysis:
Start by collecting all the IOCs (Indicators of Compromise), listed below:
IP address
Domain name
User agent
Host name
File hashes (SHA)
Specific patterns
Open the capture file in Wireshark.
Arrange the Wireshark screen to make analysis easier.
Go to Statistics > Protocol Hierarchy and select IPv4 (UDP and TCP protocols).
UDP mainly carries machine-related traffic (e.g. DHCP, DNS, etc.).
TCP is more focused on application (HTTP) related information.
Based on the HTTP requests, right-click and export the files.
Once you have the files, they could have a .jar, .exe or .swf extension.
Use a tool to get the file hashes (Hash Tool is one of them).
Submit those hashes to VirusTotal (a free tool) to identify whether the file is malicious.
Search for those hashes in Wireshark and look up the other necessary details.
Find the IP address / host name linked with those hashes.
Collect all the IOCs and map them to the MAC address to identify which machine is affected.
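The last step of this procedure, mapping an IOC back to a machine, done directly on the pcap format the capture was saved in, as an added example (not Wireshark's code): parse_pcap reads the classic pcap global header and per-packet records, pulls source MAC and IPv4 addresses from each Ethernet frame, and affected_hosts maps each source MAC to the IOC IPs it contacted. The capture and the IOC IP are constructed.

```python
import struct
from collections import defaultdict

def ipv4_frame(src_mac, dst_mac, src_ip, dst_ip, proto):
    """Build Ethernet + minimal IPv4 header (no payload) for the constructed capture."""
    mac = lambda s: bytes.fromhex(s.replace(":", ""))
    ip = lambda s: bytes(int(o) for o in s.split("."))
    eth = mac(dst_mac) + mac(src_mac) + b"\x08\x00"                     # EtherType 0x0800 = IPv4
    ipv4 = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, proto, 0, ip(src_ip), ip(dst_ip))
    return eth + ipv4

def build_sample_pcap():
    """Constructed classic pcap (magic 0xa1b2c3d4, link type 1 = Ethernet), not a real capture."""
    gw = "00:11:22:33:44:55"
    frames = [
        ipv4_frame("08:00:27:aa:bb:01", gw, "10.0.0.11", "93.184.216.34", 6),  # ordinary web traffic
        ipv4_frame("08:00:27:aa:bb:02", gw, "10.0.0.12", "203.0.113.45", 6),   # contact with IOC IP
        ipv4_frame("08:00:27:aa:bb:02", gw, "10.0.0.12", "10.0.0.1", 17),      # DNS (UDP) to gateway
    ]
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1700000000 + i, 0, len(frame), len(frame)) + frame
    return out

def parse_pcap(data):
    """Return one record per IPv4-over-Ethernet frame: source MAC, source/destination IP, protocol."""
    magic = struct.unpack_from("<I", data, 0)[0]
    if magic == 0xA1B2C3D4:
        end = "<"
    elif magic == 0xD4C3B2A1:
        end = ">"
    else:
        raise ValueError("not a classic pcap file (pcapng uses a different block format)")
    if struct.unpack_from(end + "I", data, 20)[0] != 1:
        raise ValueError("only the Ethernet link type (1) is handled here")
    off, records = 24, []
    while off + 16 <= len(data):
        _ts, _us, incl_len, _orig = struct.unpack_from(end + "IIII", data, off)
        frame = data[off + 16: off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue                                                   # skip ARP, IPv6, etc.
        records.append({
            "src_mac": frame[6:12].hex(":"),
            "src_ip": ".".join(map(str, frame[26:30])),
            "dst_ip": ".".join(map(str, frame[30:34])),
            "proto": frame[23],                                        # 6 = TCP, 17 = UDP
        })
    return records

def affected_hosts(records, ioc_ips):
    """Map source MAC -> set of IOC IPs it talked to. Only meaningful for a capture taken on the
    victim's own segment: past a router the source MAC belongs to the router, not the host."""
    hits = defaultdict(set)
    for r in records:
        if r["dst_ip"] in ioc_ips:
            hits[r["src_mac"]].add(r["dst_ip"])
    return dict(hits)

if __name__ == "__main__":
    print(affected_hosts(parse_pcap(build_sample_pcap()), {"203.0.113.45"}))
```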
Most Common Types Of Cyber Attacks
Ransomware
Phishing
SQL Injection
DoS and DDoS Attacks
Cross-Site Scripting (XSS)
Man-in-the-Middle (MitM)
Cryptojacking
Password Attack
Insider Threat
DNS Tunneling
Ransomware
Ransomware is malware that encrypts a victim’s computer files, making them inaccessible, and demands a ransom be paid to restore access. This type of attack is usually carried out using a Trojan that masquerades as a legitimate file or program to trick the victim into downloading and executing it. Once executed, the ransomware encrypts files on the local computer and any connected network drives. The victim is then presented with a ransom demand, which typically requests payment in Bitcoin or another cryptocurrency.
Best practices that can help prevent ransomware attacks:
Backup data regularly and keep backups offline. Then, in the event of an attack, backups can be used to restore encrypted files.
Educate employees about avoiding suspicious emails and links.
Use reputable security software, and keep it up to date.
Restrict user permissions. Users should only have access to the data and systems they need to do their jobs.
Phishing
Phishing is a social engineering attack that tricks victims into revealing sensitive information, such as login credentials or credit card numbers. Phishing attacks are typically carried out using email or instant messages. The attacker will send an email or message that appears to be from a legitimate source, such as a bank or website. The message will often include a link to a fake website that looks legitimate. When the victim enters their login credentials or other sensitive information, the attacker can use it to access accounts or commit fraud.
Organizations can protect themselves from phishing attacks by implementing security awareness training for employees. This type of training can educate employees about how to spot phishing emails and what to do if they receive one. Additionally, organizations can use email filtering to block phishing emails from reaching employees.
SQL Injection
SQL injection is an attack that allows attackers to execute malicious SQL queries against a database. The attacker inserts malicious code into an input field, such as a login form; the database then executes that. This can allow the attacker to access sensitive data, such as customer records or credit card numbers. Additionally, SQL injection can modify data in the database or delete it entirely.
Organizations can protect themselves from SQL injection attacks by using parameterized queries. This type of query defines each input field as a parameter, preventing malicious code execution. Additionally, organizations can use web application firewalls (WAFs) to detect and block SQL injection attempts.
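The difference between string concatenation and placeholder binding, as an added example (the in-memory tables and the mixed-case payload are constructed; this is not code from the incident above): the same input is executed as SQL by the concatenated query and treated as plain data by the parameterized one.

```python
import sqlite3

def setup_db():
    """Constructed in-memory database: a public products table and a sensitive customers table."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE products(name TEXT);
        INSERT INTO products VALUES ('laptop'), ('monitor');
        CREATE TABLE customers(card TEXT);
        INSERT INTO customers VALUES ('4111-xxxx-xxxx-1111');
    """)
    return con

def search_vulnerable(con, term):
    """String concatenation: the user's input becomes part of the SQL text."""
    sql = "SELECT name FROM products WHERE name = '" + term + "'"
    return [row[0] for row in con.execute(sql)]

def search_parameterized(con, term):
    """Placeholder binding: the driver passes the input as a value, never as SQL."""
    sql = "SELECT name FROM products WHERE name = ?"
    return [row[0] for row in con.execute(sql, (term,))]

# Constructed mixed-case payload of the kind described in the incident on this page.
PAYLOAD = "x' UnIOn AlL SeLeCt card FROM customers --"

if __name__ == "__main__":
    con = setup_db()
    print("vulnerable:    ", search_vulnerable(con, PAYLOAD))
    print("parameterized: ", search_parameterized(con, PAYLOAD))
```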
DoS and DDoS Attacks
A denial-of-service (DoS) attack is an attack that prevents users from accessing a system or service. A distributed denial-of-service (DDoS) attack is a type of DoS attack that comes from multiple sources. DoS and DDoS attacks are typically carried out by flooding the target system with traffic, overwhelming it, and preventing legitimate users from accessing it. These types of attacks can be carried out using botnets and networks of infected computers that an attacker can control.
Organizations can protect themselves from DoS and DDoS attacks by implementing rate-limiting. This type of protection limits the amount of traffic sent to a system, making it more difficult for attackers to overwhelm it. Additionally, organizations can use firewalls and intrusion detection/prevention systems (IDS/IPS) to block malicious traffic.
Malware
Malware is a type of malicious software that can be used to damage or disable computers, networks, and systems. For example, malware can steal sensitive data, such as login credentials or credit card numbers. Additionally, malware can be used to hijack computers and use them to carry out attacks, such as DDoS attacks. There are many different types of malware, including viruses, worms, Trojans, and rootkits.
Organizations can protect themselves from malware attacks by using security software, such as antivirus and anti-malware programs. These programs can detect and remove malware from computers and networks. Additionally, organizations should keep their operating systems and software up-to-date, as this can help prevent malware from being able to exploit vulnerabilities.
Man-in-the-Middle Attacks
A man-in-the-middle (MITM) attack is a type of attack where the attacker intercepts communication between two parties. The attacker can then eavesdrop on the conversation or even modify the exchanged data. MITM attacks can be carried out using various methods, such as ARP spoofing and DNS poisoning.
Organizations can protect themselves from MITM attacks by using encryption. This type of protection makes it more difficult for attackers to eavesdrop on communications. Additionally, organizations can use firewalls and intrusion detection/prevention systems (IDS/IPS) to detect and block MITM attacks.
Password Attacks (Brute Force Attacks)
A password attack is a type of attack that attempts to guess or brute force a password. Password guessing can be done using common passwords, such as "password" or "123456". Additionally, attackers can use brute force methods to try every possible combination of characters until the correct password is guessed. Password attacks can also be carried out using phishing emails or malware.
Organizations can protect themselves from password attacks by implementing strong password policies. These policies should require employees to use complex passwords that are not easily guessed. Additionally, organizations can use two-factor authentication (2FA), which requires a second form of verification, such as a one-time code in addition to the password.
Insider Threats
An insider threat is a type of attack that comes from within an organization. Insider threats can be carried out by malicious insiders, such as disgruntled employees, or by careless insiders, such as employees who accidentally leak data. Insider threats can be difficult to detect and prevent because the attackers already have access to the organization's systems and data.
Organizations can protect themselves from insider threats by using security software, such as activity monitoring and data loss prevention (DLP) programs. These programs can help organizations detect and prevent malicious or accidental data leaks. Additionally, organizations should provide employees with security training to educate them on proper security procedures.
AI (Artificial Intelligence) will bring a revolution in cyber incident response
Artificial intelligence can be used to automate tasks related to incident response, such as gathering information, identifying affected systems and notifying stakeholders. This can help speed up the response to incidents and minimize the damage caused.
How AI (Artificial Intelligence) and Machine Learning (ML) could transform the incident response process
Microsoft Security Copilot (OpenAI GPT-4)
Details of the malware with its location
(e.g. backup from path C\program data\users\abc.exe)
Attack path details
Isolate affected devices
Revoke access of compromised accounts
Restore original policies/systems