por Dustin Cerda hace 5 años
984
Ver más
NETBIOS
●Name Registration 137 (TCP/UDP)
-Uses UDP Primarily for name resolution
●Datagram connectionless (UDP 138)
-Primarily used for Mailslots
●Connection-Oriented (TCP 139)
-Netbios over TCP
Get local NETBIOS Names
nbtstat
nbtstat –n
Hostname vs NETBIOS names
Netbios names = 16 characters with 15 visible, cannot be a part of domain and can use “_”
Domain names = 255 characters, can be static or manually assigned, and can use “-” instead of “_”
Examines Malware while it is running.
Examines malware without executing it.
Name/Hash check for existing information online.
OSINT framework focused on gathering information from free tools or
resources.-https://osintframework.com/
IDA is a Windows, Linux or Mac OS X hosted multi-processor disassembler and debugger that offers so many features it is hard to describe them all.
Purpose
Bot herder can utilize the botnet to accomplish a task such as:
Methodology
Individual machine infected and part of the botnet.
Person in control of the botnet.
Multiple machines infected and controlled by a bot herder.
Blocks access to a resource, requires payment from victim (Top threat currently).
Paid for ads to infect users device.
Monitors behavior of user.
Remote administration/Command and control of a botnet.
Records keyboard usage.
Malicious program that provides remote command and control.
Multiple infection/transmission methods used together.
-Blended threats are bundles of malicious programs that combine the functionality of different types of malware such as Trojans, worms, and backdoors.
A blended threat often involves an infection chain that begins with a user visiting a website and then diverted to a malicious URL. After this, social engineering lures will lead the user to download a malicious file which will continue to download additional malicious files.
By using multiple methods and techniques, cybercriminals are able to quickly and surreptitiously spread threats.
Layered security platforms that provide in-depth defense and continuous monitoring are best used against blended threats.
-
https://www.trendmicro.com/vinfo/us/security/definition/blended-threat
-
.
-https://www.owasp.org/index.php/Unsafe_Mobile_Code
Hidden within legitimate program, not usually self-replicating.
Does not require user interaction. (Self Replicating)
A computer worm is a type of malware that spreads copies of itself from computer to computer. A worm can replicate itself without any human interaction, and it does not need to attach itself to a software program in order to cause damage.
-
https://us.norton.com/internetsecurity-malware-what-is-a-computer-worm.html
Request user interaction in to replicate and spread.
**Need access to all processes in order to function**
Race Condition-Two threads trying to access the same resource.
Deadlock-When two threads depend on each other (Example: thread depends on thread b value)
Thread is being created.
Finished execution, heading for deallocation in most cases.
Ready for execution, but paging needed to bring back in memory.
Period of inactivity while waiting for an event.
Thread currently running on a processor.
Next thread to run, only one per processor per system.
Selected to run, but not yet executed. Optimization for scheduling database.
Waiting for Execution, in priority pool.
Object Manager-An object consists of a standard header and object-specific attributes. Because all objects have the same structure, there is a single object manager in Windows that maintains all objects.
The object header includes items such as the object name, so that other processes can reference the object by name, and a security descriptor, so that the object manager can control which processes access the system resource.
The tasks that the object manager performs include the following:
https://docs.microsoft.com/en-us/windows/win32/sysinfo/object-manager
Paging is a memory management scheme by which a computer stores and retrieves data from secondary storage[a] for use in main memory.
During the "Waiting" Page file/Swap space is given.
Loads BCD
4. EFI boot manager give OS boot menu
5. Winload.efi
Extensible Firmware Interface, executes files for the firmware of the computer.
6. Request EFI system partition
Formatted as FAT
Up to 1GB in size
The Hivelist
\REGISTRY\MACHINE\HARDWARE-Recreated every time the system starts.
\REGISTRY\USER\Security ID number
-Specifies location of files that store the current user profile.
-Specifies location of files that store the HKLM\SECURITY key.
-Specifies location of files that store the HKU\.DEFAULT key.
-Specifies location of ifles that sotre the HKLM\SYSTEM key.
- Specifies location of files that store the HKLM\SOFTWARE key.
- Specifies location of files that store the HKLM\SAM key.
Query
Create
Modify
Delete
REG_DWORD .32 bit integar
Max 7FFF, FFFF or 2,147,483,647
REG_LINK
Symbolic links- A link that will take you to the actual location of the data
REG_SZ.String
REG_QWORD
64 bit integer. Max 7FFF,FFFF,FFFF,FFFF or 9,223,372,036,854,775,807
REG_MULTI_SZ
Multi-String values- Multiple strings that are terminated with "\0". Example: "abc\0def\0"
REG_BINARY.Binary Data
Keys contain other keys (AKA Sub-keys) and/or a collection of property/value pairs. Keys are a container object, much like a folder.
Values store data. Values are non-container objects, much like a file.
Registry Hive is a group of keys, subkeys, and values in the registry that has a set of supporting files that contain backups of its data.
https://support.microsoft.com/en-us/help/256986/windows-registry-information-for-advanced-users
HKU/HKLM available via remote tools
HKCC-Current Config
Current hardware profile, information that is gathered at runtime.
HKLM-Local Machine
System related information, Security Account Manager (SAM), Critical boot/kernel functions, 3rd party software, hardware, BCD.dat. Contains all hardware profiles.
HKCR-Classes Root
Files association and COM objects, backward compatibility, and file extension information.
HKU-Users
All accounts on machine, the root key containing the ntuser.dat hives for ALL users.
HKCU-Current User
Individual user settings
Random reads & writes during app use
Application Startup
Licensing data, installed component, software settings/config.
Reads per-user preferences and settings.
Kernel Boot Process
Loads device drivers and system element config.
Initial Boot Process (Pre-Kernel)
List of boot device drivers to load before kernel.
Contains System-wide/Per-User Settings
Config and control mechanism for WinOS
Hierarchical Database/Critical System Config
Additional Notes for Processes
If a process or some type of action can not start right away, the process will be held by scheduler until resources become available.
(Each State has additional notes)
Termination of a process due to a halt or abort.
Process can't execute until some events occurs (I/O reads).
Process ready to execute when given the opportunity (CPU Time).
Process currently being executed (one or more threads executings). **Amount of threads able to run depends on number of CPU cores**
●Virtualization is technology that allows you to create multiple simulated environments or dedicated resources from a single, physical hardware system. Software called a HYPERVISOR connects directly to that hardware and allows you to split 1 system into separate, distinct, and secure environments known as VIRTUAL MACHINES (VMs).
Two Components of Virtualization
Situational Awareness
Most important Awareness
Printers and netstat might require additional setup.
Windows 7 has two different types of pre-boot processes.
First 512 bytes sector on HD, reads & loads volume boot record.
3. VBR
Loads bootmgr into memory.
4. Bootmgr
Read Boot Configuration Datbase (BCD)
(Reference)
Boot menu and memtest
Calls/starts Winload.exe
Calls winresume
5. Winload
Loads NTOSKRNL.exe
Loads dependencies
Loads device drivers
1. POST
2. MBR
Loads boot code.
3. Bootcode
Instructions that are run by a computer to start-up. Searches partition table for boot sector and loads NT Loader (NTLDR).
4. NTLDR
Boot manager and system loader (NTFS or FAT). Loads a specific file called boot.ini.
5. NTOSKRL
Starts system, prepares multiple layers of the kernel space. Starts SMSS.exe
6. SMSS.exe
Launches winlogon.exe and Client/Server Run-Time Subsystem (CSRSS), user mode is kicked off. It also launches Win32 and WinLogin
7. Winlogin
Starts Local Security Authority Subsystem Service (LSASS) enforces security policies on the machine, Loads Microsoft Standard GINA DLL (MSGINA) implements the authentication policy, Starts Security Configuration Management (SCM), starts logonui.exe which implements graphical user interface.
GPRESULT-query GPO through command line.
-Resultant Set of Policy (RSOP) can be accessed using GPRESULT query, additional information can be found in below link.
DC Tools
DSQUERY
-query the directory according to specific criteria.
DSMOD
-modify existing objects in the directory.
DSGET
-display the selected properties of a specific object in the directory.
DSADD
-add specific types of objects to the directory.
Node Types
Computer
Computer node object relate to policies that affect the computer system, ie. startup scripts, firewall configuration, Name Resolution Policy.
User
User nodes relate to user policies and are relevant to only the currently logged on user.
Physical
Member Servers
Domain Controllers
In Active Directory, You have multiple Domain Controllers which are equal peers.
Each DC in the Active Directory domain contains a copy of the AD database and synchronizes changes with all other DCs by multi-master replication.
Replication occurs frequently and on a pull basis instead of a push one.
A server requests updates from a fellow domain controller.
If information on one DC changes (e.g. a user changes their password), it sends signal to the other domain controllers to begin a pull replication of the data to ensure they are all up to date.
Servers not serving as DCs, but in the Active Directory domain, are called ‘member servers.’
Active Directory requires at least one Domain Controller, but you can install as many as you want (and it’s recommended you install at least two domain controllers in case one fails).
Sites
An Active Directory site object represents a collection of IP subnets, usually constituting a physical Local Area Network (LAN).
Multiple sites are connected for replication by site links.
Typically, sites are used for:
Physical Location Determination: Enables clients to find local resources such as printers, shares, or domain controllers.
Replication: You can optimize replication between domain controllers by creating links.
By default, Active Directory uses automatic site coverage, though you can purposefully setup sites and resources.
Logical
Tree and Forest
Trees
A tree is a grouping or hierarchical arrangement of one or more domains.
Trees are created by adding one or child domains to a parent domain.
In a tree, all domains share the same contiguous namespace and naming structure.
By adding domains to a tree, you can retain the security configuration through the tree (domain), and allow for administration to be delegated to a single OU or a single domain.
The tree structure easily accommodates organizational changes.
Forest
Are at the top of the Active Directory Structure.
A forest holds all objects, organizational units (OUs), domains, and attributes in its hierarchy
A forest is a grouping or hierarchical arrangement of one or more separate, completely independent domain trees.
Under a forest are one or more trees which hold domains, OUs, objects, and attributes.
Forests have the following characteristics:
All domains in a forest share a common schema.
All domains in a forest share a common global catalog.
All domains in a forest are linked by implicit two-way transitive trust.
Trees in a forest have different naming structures, according to their domains.
Domains in a forest operate independently, but the forest enables communication across the entire organization.
Organizational Units
An Organizational Unit (OU) is a container which gives a domain hierarchy and structure.
It is used for ease of administration and to create an AD structure in the company’s geographic or organizational terms.
An OU can contain OUs, allowing for the creating of a multi-level structure
Domains
A domain is a collection of computers and their associated security groups that are managed as a single entity.
The domain is the core unit of logical structure in Active Directory It can be used to store millions of objects (these objects are considered vital to the network)
Microsoft recommends:
using as few domains as possible
relying on Organizational Units (OUs) for structure
Domains can contain multiple nested OUs.
Signed and Encrypted LDAP Traffic
By default, Active Directory tools in Windows Server operating systems sign and encrypt all LDAP traffic.
Signing LDAP traffic guarantees that the packaged data comes from a known source and that it has not been tampered with.
Interoperability with Directory Services
Active Directory is based on standard directory access protocols, including LDAP version 3, and the Name Service Provider Interface (NSPI), and can interoperate with other directory services employing these protocols.
Because the LDAP directory access protocol is an industry-standard directory service protocol, programs can be developed using LDAP to share Active Directory information with other directory services that also support LDAP.
The NSPI protocol, which is used by Microsoft Exchange Server 4 and 5.x clients, is supported by Active Directory to provide compatibility with the Exchange directory.
Directory-enabled Applications and Infrastructure
Features within Active Directory make it easier to configure and manage applications and other directory-enabled network components.
Active Directory provides a powerful development environment through Active Directory Service Interface (ADSI).
Security Integration
Active Directory is integrated with the Windows Server operating system security since server version 2000.
Access control can be defined for each object in the directory and on each property of each object.
Security policies can be applied locally, or to a specified site, domain, or organizational unit.
Flexible, Secure Authentication and Authorization
Active Directory authentication and authorization services provide protection for data while minimizing barriers to doing business over the Internet.
Active Directory supports multiple authentication protocols, such as the Kerberos version 5 protocol, Secure Sockets Layer (SSL) version 3, and Transport Layer Security (TLS) using X.509 version 3 certificates.
Active Directory provides security groups that span domains.
Replication of Information
Active Directory provides multi-master replication technology to ensure information availability, fault tolerance, load balancing, and other performance benefits.
Multi-master replication allows you to update the directory at any domain controller and replicates directory changes to any other domain controller.
Because multiple domain controllers are employed, replication continues, even if any single domain controller stops working.
Policy-Based Adminsitration
In Active Directory, policies are used to define the permitted actions and settings for users and computers across a given domain, or organizational unit.
Policy-based management simplifies tasks such as operating system updates, application installation, user profiles, and desktop-system lock down.
Client Configuration Management
Active Directory provides new technologies for managing client configuration issues, such as user mobility and hard disk failures, with a minimum of administration and user downtime.
Integration with DNS
Integration with DNS
Active Directory uses DNS, an Internet standard service that translates easily readable host names to numeric Internet Protocol (IP) addresses.
Although separate and implemented differently for different purposes, Active Directory and DNS have the same hierarchical structure.
Active Directory clients use DNS to locate domain controllers
Primary DNS zones are stored in Active Directory, enabling replication to other Active Directory Domain Controllers.
Scalability, Extensibility, Manageability
Scalability
Active Directory enables you to scale the directory to meet business and network requirements through the configuration of domains and trees and the placement of domain controllers.
Active Directory allows millions of objects per domain and uses indexing technology and advanced replication techniques to speed performance.
Extensibility
The structure of the Active Directory database (the schema) can be expanded to allow customized types of information.
Manageability
In contrast to the flat domain model used in Windows NT, Active Directory is based on hierarchical organizational structures.
These organizational structures make it easier to control administrative privileges and other security settings, and to make it easier to locate network resources, such as files and printers.
Centralized Data Storage
All data in Active Directory resides in a single, distributed data repository, allowing users easy access to the information from any location
A single distributed data store requires less administration and duplication and improves the availability and organization of the data.
The Active Directory domain relies on a global catalog database which contains a global listing of all objects in the forest.
The Global Catalog is held on DCs configured as global catalog servers.
The Global Catalog contains a subset of information – such as a user’s first name and last name – and the distinguished name of the object so your client can contact the proper domain controller if you need more information.
The distinguished name is the full address of an object in the directory.
For example, a printer in the OU CTB in the Ft_Gordon.mil domain might have a distinguished name of:
CN=AcctLaser1,OU=CTB,DC=Ft_Gordon,DC=mil
Listing of all objects in forest
The Active Directory schema defines objects that can be stored in Active Directory.
The schema is a list of definitions that determine the kinds of objects and types of information about those objects that can be stored in Active Directory.
Because the schema definitions themselves are stored as objects, they can be administered in the same manner as the rest of the objects in Active Directory.
The schema is defined by two types of objects:
Schema Attribute Object
Schema Class Object
Logon
Credential Providers
In a domain logon
In a local logon
Domain Accounts
Local Account SIDs
Built-In User Accounts
S-1-5-21-547793982-3027706357-987482306-1003
-500-Admin Account
-501-Guest Account
-1000 - Beginning of User Accounts
S-1-5-21-547793982-3027706357-987482306-1003
-psgetsid
-WMIC useraccount list brief
Locate SID in Registry
CLI
req query HKU
reg query "hklm\software\microsoft\windowsnt\currentversion\profilelist\{SID}"
WMIC
wmic useraccount get name, sid, fullname
wmic useraccount where sid={sid} get name
wmic useracount where name={name} get sid
Powershell
get-childitem Registry::\HKEY_USERS -ErrorAction SilentlyContinue
get-childitem 'HKLM:\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\ProfileList|'
(Ksecdd.sys) - implements Advanced Local Procedure Call (ALPC) interfaces which kernel components use to communicate with user-mode LSASS.
Secures channel to domain controller and passes logon.
Obtains different logon credentials, smartcard, user/pass, biometrics.
Provides user interface to authenticate to system.
Winlogon.exe - Grabs secure attention sequence (SAS), manages interactive logon, creates first process.
DLLs that run through LSASS that verify user account credentials and respond to LSASS which generates a token.
Loaded into LSASS (Ntdsa.dll) - Contains a database with information about domain objects.
Local users and groups along with passwords (encrypted).
Loaded into LSASS (samsrv.dll) - manages users and groups on local machine.
Registry area under HKLM\Security that stores security policy settings.
Local system security policy, user authentication, sending security audit messages to Event Log. Loads Local Security Authority service (LSA, lsasrv.dll).
Defines access token structure, performs object security access checks, generate security audit messages.
Additional details on mailslots:
https://docs.microsoft.com/en-us/windows/win32/ipc/mailslots
A Socket is on endpoint of a two-way communication link between two programs running on a network. Endpoint consists of an IP address and a port number.
-Enable access to the underlying transport provider.
-Can manipulate the underlying transport, so they can be used for malicious purposes that pose a security threat. Therefore, only members of the Administrators group can create sockets of type SOCK_RAW on Windows 2000 and later.
-IP Address & Port
-Enable processes to use UDP to communicate.
-A datagram socket supports a bidirectional flow of messages.
-A process on a datagram socket might receive messages in a different order from the sending sequence.
-A process on a datagrame socket might receive duplicate messages.
-Messages that are sent over a datagram socket might be dropped.
-Enable processes to communicate using TCP.
-A stream socket provides a bidirectional, reliable, sequenced, and unduplicated flow of data with no record boundaries.
-After the connection is established, data can be read from and written to these sockets as a byte stream.
Steps:
C:\Windows\System32\Drivers\etc\hosts
ipconfig /flushdns
7-Steps of RPC
https://www.geeksforgeeks.org/operating-system-remote-procedure-call-rpc/
https://www.ques10.com/p/2133/explain-rpc-implementation-mechanism-1/
When Making an RPC
Primary remote file-access protocol on Windows Clients and Servers.
SMB 1.0 - used in Windows 2000, Windows XP, Windows Server 2003 and Windows Server 2002 R2
SMB 2.0 – integrated into Windows Vista and Windows Server 2008
-Increased the scale of file sharing, performance and uses HMACSHA-257 instead of MD5.
SMB 2.1 – used on Windows 7 and Windows Server 2008 R2
-Improved file leasing, ensured large MTU support
SMB 3.0 – used on Windows 8 and Windows server 2012
-Increased performance and scaling, has more features for back-up, security and management.
-Uses AES-128-CCM based signing algorithm
SMB 3.02 – Used in Windows 8.1 and Windows Server 2012 R2
-Implemented option to disable CIFS/SMB1 support when it is unnecessary
SMB 3.1.1 – Introduced with Windows 10 and Windows Server 2016
-Supports AES-128-GCM encryption in addition to AES-128-CCM, also uses SHA-512 hash for integrity checks.
-Makes secure negotiation mandatory when connecting to SMB 2.x or higher
http://www.tech-faq.com/osi-model.html
Maintain a record of access to secure objects.
At startup (or config changes), LSASS sends the system audit policy to the Security Reference Monitor (SRM).
When an object is accessed, SRM generates auditing messages and sends them to LSASS.
LSASS sends the event log messages on the Event Logger.
Configure for Anomalous Activity
Command Prompt
auditpol /get /category:*
-auditpol /resourceSACL /type:File /view
-auditpol /resourceSACL /type:Key /view
Local Security Policy
-Advanced Audit Policy Configuration Setting
Policy Settings
Global Audit Policy-SACL
Global policy to setup auditing on a ll objects of one type:
File system objects
Registry keys
Object-Access ACE
Audit settings defined on a per object basis.
Auditing settings are contained.
Event Logs
View/Analyze Event Logs-GUI
-Reads in C:\Windows\System32\Winevt folder.
-Locations are configurable.
Command Line Interface
-wevtutil el - show all logs
-wevtutil gli security -get securitg log info
-wevtutil qe security /c:3 -get last 3 events from security log
Powershell
-get-eventlog -logname system -newest 10
CustomLog
Contains events logged by applications that create a custom log. Enables an application to control the size of log or attach ACLs for security purposes.
System
Contains events logged by system components, failure of a driver or other system components to load during startup.
Security
Contains events such as valid and invalid logon attempts, creating, opening, or deleting files or other objects.
Applicatoin
Contains events logged by applications.
Monitors traffic across the wire.
-Inline or passive
-Network Firewalls
-IDS/IPS
-Web/Applicatoin Proxy
-VPN Concentrator
Heuristic Based Detection
Device/software develops a baseline of the system, then looks for anomalous activity.
Has potential to catch zero day attack.
Larger number of false positvies
Signature Based Detection
Device/Software maintains a database of previously identified attack signatures.
Compares activities and binaries to this database to determine a match.
Only catching known signatures.
Signatures require continuous updating.
Small changes to a binary could bypass signature.
Runs local, only concerned with that machine.
Some install as a service, newer versions are cloud based.
System Firewalls
Process monitoring, kernel calls.
Directory monitoring
System Setting / Registry monitoring
Log monitoring
Authentication, Authorization, Accounting (AAA)
Application Whitelisting.
Limits privileges of user run applications, even when run as Administrator, to prevent the modification of system files, resources, or settings.
Requesting elevated privileges require explicit acknowledgement from user.
Each process is given a privilege level.
Higher integrity level can send messages to lower level integrity.
Lower can only read from higher
Can be bypassed by signed and trusted applications with the UIaccess manifest setting.
Critical files that are protected and installed by the OS, vistit link for all extensions.
https://docs.microsoft.com/en-us/windows/win32/wfp/protected-file-list
sfc /verifyfile=c \windows\system32\winhttp.all-full path to single file.
sfc /scannow-all sytsem files
https://msdn.microsoft.com/en-us/library/windows/desktop/aa379563(v=vs.85).aspx
Security Identifiers (SID's) for owner
https://msdn.microsoft.com/en-us/library/windows/desktop/aa379571(v=vs.85).aspx
System Access Control List (SACL)
Specifies the types of access attempts that generate audit records for the object.
https://msdn.microsoft.com/en-us/library/windows/desktop/aa374872(v=vs.85).aspx
Discretionary Access Control List (DACL)
Specifies the access rights (read, write, execute, delete) allowed or denied to particular users or groups.
https://msdn.microsoft.com/en-us/library/windows/desktop/aa374872(v=vs.85).aspx
netsh advfirewall-to create.
wf.msi fo -gui
Work/Domain
Most trusted.
Public
Private
Get-NetFirewallRule | Select Name, Enabled, Direction, Description | Format-list
wmic /namespace:\\Root\StandardCimv2 path MSFT_NetFirewallRule WHERE 'DisplayName LIKE "%ICMP%"' get DisplayName, Enabled, Profiles
netsh advfirewall ?
netsh advfirewall show currentprofile
wf.msc
●Volatility is a measure of how perishable electronically stored data is (when electrical power is turned off or fails).
●Order of volatility is important when making decisions about how to respond to a potentially compromised system. A system shutdown is sometimes the worst option forensically, since it may mean the loss of transient (volatile) data held in RAM. Understanding what data is lost at a system shutdown, and what data is lost when drives are replaced or reformatted, will help guide the steps taken to forensically investigate a potentially compromised device.
Consolidate Info
Crawl System for Malicious Items
Targeted Analysis
Trace Indicators to Source
Search for Indicators of Compromise/Symptoms
Cursory Review of Baseline Info
Gather Baseline Info
Archival Media
Physical Config, Network Topology
Remote Logging/Monitoring Data
Disk/Other Storage Media
Temporary File System
Routing Table, ARP Cache, Process Table, Kernel Statistics, Memory
Registers, Cache
Continually Monitor
Update SOP, AAR
Lessons Learned
Return network to Normal
Remove VLANs
Clean (and monitor)
Key Rotation
Reimage
Know what needs to be removed
Where Security personnel determine the priority, scope, and root cause of an incident.
●Attribution
●Avenue of Approach
●Indicators of Compromise
●Vulnerability Assessment
●Forensic Analysis (Static & Dynamic)[4]
●Static Analysis - Static analysis examines malware without actually running it.
■Strings - Seeing what DLLs, functions, headers might be revealed in the strings output.
■OSINT (Open Source Research), Hash the file and check the hash to see if there is anything online about it.
■Running the binary through antivirus tools to verify maliciousness
■Disassemble the binary using a tool such as IDA (Pro)
●Dynamic Analysis - Watching the malware while it is running
○Typically takes place after static analysis techniques have been exhausted
○Binary is run using a sandbox that records all activity and changes caused by the malware
○Monitor all activity using ProcMon, Task Manager, Procexep
○Look for network traffic using TCPView and Wireshark, fake responses using a tool like Fakenet
○Check for registry and file changes with tools like RegShot and sigcheck
○View the programs execution in a debugger such as Ollydbg or WinDbg
Forensic Analysis
Vulnerability Assessment
Indicators of Compromise (IOCs)
Avenue of Approach
Attribution
Limit the damage caused to systems and prevent any further damage from occurring.
This includes short and long term containment activities.
●Cordon and Clear (VLANs)
●Remove from Network, when Feasible
●Quarantine
●Sandbox
●Patch / Hotfix
Add Firewalls
Add Firewalls
Patch/Hotfix
Sandbox
Quarantine
Remove from Network
Cordon & Clear (VLANs)
Incident
Unusual Logons
High Traffic Volumes
External devices
Unsual User Privilege
Unknown User Accounts
Unknown Connections
Unusual Activity/Config Outside Baseline
Event
This step happens before an incident occurs. Ensure you have the appropriate response plans, policies, call trees and other documents in place and that you have identified and trained the members of your incident response team, including external entities. Ensure that tools and procedures for incident response have been selected and documented. Ideas:
●Have a packing list for every team member so everyone brings everything they need. (Don’t want to not have to call back or make impact purchases while on a IR mission.)
●Ensure all tools are updated (don’t want to show up to a site and have to update your tools on a compromised network)
●Training (team members know what tools they use and their job roles)
●Documentation (Team knows the TTPs that they will be using during the IR)
●Standard Operating Procedures (review SOPs that you will use while on an incident)
●Network Diagrams (if you are able to get Network Diagrams from the sites you might go to.)
●Policies & Procedures (Know these of places that you may go to)
●What are some external entities that might be part of an incident response team (S-6, S-3, SJA, CI, etc.)
●One important preparation item is to enable NTP or another method to keep host clocks synchronized, so that events can be correlated, and forensic analysis uses a consistent time.
Enable NTP
Network Time Protocol (NTP) server.
Incident Response Team
Network Diagrams
Documentation
Policies & Procedures
SOP
Training
Update Tools
Packing List