Incident Response

Lesson 4 of 40

Demonstrating: Investigating and Escalating

Goals

To introduce tools, analytic techniques, and escalation processes which the student will use in this training.

Objectives

After completing this demonstration, you should be able to:

  • Review an alert and associated data in SIEM.
  • Practice managing incident escalation.
  • Identify malware indicators using ENDPOINT THREAT DETECTION TOOL.
  • Document investigative steps.
  • Discuss potential remediation steps for an incident.

Introduction

As part of your orientation, you review the first incident in the shift log with the shift supervisor in order to gain familiarity with the tools and processes of the secops team. The first incident is:

  • Incident 001: Event analyst escalated an alert of a host beaconing to a suspicious domain.

Part 1: Escalation 

This part of the exercise demonstrates the escalation from the Tier 1 to the Tier 2 analyst. In some cases, a Tier 1 analyst would perform the initial investigation steps. 

Follow these steps to complete the initial investigation:

  1. From your lab environment, open SIEM.
  2. Select Unified → Investigation → Navigate.
    1. The investigation device list appears.
  3. Double-click Concentrator in the device list. SIEM displays all captured data.
  4. Investigate the ‘beaconing to suspicious domains’ alert which is listed in the Alerts section.
    1. SIEM displays all data for this alert.
  5. Collect data about this alert. 
    1. Your instructor will demonstrate how to export the files, logs and PCAP associated with this incident.
  6. From your desktop, open Notepad++.
  7. Document your findings.
  8. What do you conclude?

Hints

Identify this data using SIEM:

  • The source IP address of the machine
  • The domain names
  • Source country for the suspicious domain names
  • The country of the domain names
  • The service type
  • Session data for the service type
  • File names

Part 2: Investigation

This part of the exercise focuses on the activities of the Incident Analyst after hand-off from the Event (Tier 1) analyst.

From your lab environment, open the ENDPOINT THREAT DETECTION TOOL VM. 

  • Review the report. 
  • Note that the score for salesrep1-pc is high. 
  • Open Notepad++.
  • Add to the documentation of this incident.
  • Escalate to the malware analyst.

Part 3: Escalation

The malware analyst escalates back to you. Review the malware analyst's report: the analyst confirms the malware and its behaviour.

Part 4: Investigation

Now that you know the malware details:

  • Look for more information in ENDPOINT THREAT DETECTION TOOL.
  • Add it to the report.

Part 5: Close

We will not close the incident at this point.

SOLUTION

Part 1: Escalation

Answers to the investigation questions:

  • The source IP address of the machine
    • 10.101.240.178
  • The domain names
    • televisionhunters.ru
    • radiolovers.ru
  • Source country for the suspicious domain names
    • Russian Federation
  • The service type 
    • HTTP
  • File names
    • build.exe
    • file.php
  • Session data for the service type
    • GET request: build.exe
    • PUT request: file.php
  • Conclusion: this HTTP activity suggests malware is present on 10.101.240.178. The host beacons to 213.183.58.186, sends a file (file.php) to that IP address, which possibly contains information about the host, and gets the file build.exe from 213.183.58.186.
  • Action: escalate to the Tier 2 analyst.
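As an added example, not part of the course material and not the SIEM's own export or API, the following Python script works through the Part 1 hint list programmatically: it parses a small HTTP session export, pulls out the source IP, domains, destination country, service and file names with their request methods (the same indicators the solution lists), and then tests the host/destination pair for timer-driven beaconing by measuring how regular the gaps between sessions are. The '|'-separated export layout, the timestamps, the second host 10.101.240.55, the destination 203.0.113.10 and the `max_cv` threshold are all constructed assumptions for this example; the IP, domain and file values for the suspicious host mirror the lesson's solution.

```python
"""Added example: reproduce the Part 1 indicator checklist from an HTTP session
export and test the destination for beacon-like (regular-interval) contact.

The export format below is constructed for this example; it is not the
SIEM's real export layout.
"""
from datetime import datetime, timezone
from statistics import mean, pstdev

# Constructed sample export: one HTTP session per line, '|'-separated. The
# host, domain, IP and file values mirror the lesson's solution; the
# timestamps, the second host (10.101.240.55) and 203.0.113.10 are made up.
SESSION_EXPORT = """\
time|src_ip|dst_ip|service|method|host|path|dst_country
2024-01-15T09:00:01Z|10.101.240.178|213.183.58.186|HTTP|PUT|televisionhunters.ru|/upload/file.php|Russian Federation
2024-01-15T09:05:02Z|10.101.240.178|213.183.58.186|HTTP|GET|radiolovers.ru|/dl/build.exe|Russian Federation
2024-01-15T09:10:00Z|10.101.240.178|213.183.58.186|HTTP|PUT|televisionhunters.ru|/upload/file.php|Russian Federation
2024-01-15T09:15:03Z|10.101.240.178|213.183.58.186|HTTP|PUT|televisionhunters.ru|/upload/file.php|Russian Federation
2024-01-15T09:20:01Z|10.101.240.178|213.183.58.186|HTTP|PUT|televisionhunters.ru|/upload/file.php|Russian Federation
2024-01-15T09:03:40Z|10.101.240.55|203.0.113.10|HTTP|GET|intranet.example|/index.html|United States
2024-01-15T11:47:12Z|10.101.240.55|203.0.113.10|HTTP|GET|intranet.example|/news|United States
"""


def parse_export(text):
    """Turn the '|'-separated export into a list of dicts with UTC datetimes."""
    lines = [ln for ln in text.strip().splitlines() if ln.strip()]
    header = lines[0].split("|")
    rows = []
    for line in lines[1:]:
        rec = dict(zip(header, line.split("|")))
        rec["time"] = datetime.strptime(rec["time"], "%Y-%m-%dT%H:%M:%SZ").replace(
            tzinfo=timezone.utc)
        rows.append(rec)
    return rows


def collect_indicators(rows, src_ip):
    """Answer the Part 1 hint list (domains, country, service, files, methods)
    for one source host."""
    sess = [r for r in rows if r["src_ip"] == src_ip]
    files = {}
    for r in sess:
        name = r["path"].rsplit("/", 1)[-1]        # file name = last path segment
        files.setdefault(name, set()).add(r["method"])
    return {
        "src_ip": src_ip,
        "dst_ips": sorted({r["dst_ip"] for r in sess}),
        "domains": sorted({r["host"] for r in sess}),
        "countries": sorted({r["dst_country"] for r in sess}),
        "services": sorted({r["service"] for r in sess}),
        "files": {n: sorted(m) for n, m in sorted(files.items())},
    }


def beacon_score(rows, src_ip, dst_ip):
    """Regularity of contact for one src/dst pair: (sessions, mean gap in
    seconds, coefficient of variation of the gaps). A CV near 0 means the gaps
    are nearly identical, i.e. timer-driven. None if fewer than 3 sessions."""
    times = sorted(r["time"] for r in rows
                   if r["src_ip"] == src_ip and r["dst_ip"] == dst_ip)
    if len(times) < 3:
        return None
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    avg = mean(gaps)
    cv = pstdev(gaps) / avg if avg else float("inf")
    return len(times), avg, cv


def is_beaconing(rows, src_ip, dst_ip, max_cv=0.1):
    """Heuristic: flag the pair when the gaps vary by at most max_cv (10%).
    The threshold is an assumption for this example, not a tool setting."""
    score = beacon_score(rows, src_ip, dst_ip)
    return score is not None and score[2] <= max_cv


def incident_note(ind, score):
    """Render the findings as text for the shift log / Notepad++ documentation."""
    lines = [
        f"Source host: {ind['src_ip']}",
        f"Destination IPs: {', '.join(ind['dst_ips'])} ({', '.join(ind['countries'])})",
        f"Domains: {', '.join(ind['domains'])}",
        f"Service: {', '.join(ind['services'])}",
    ]
    lines += [f"File: {n} ({'/'.join(m)})" for n, m in ind["files"].items()]
    if score:
        n, avg, cv = score
        lines.append(f"Beacon check: {n} sessions, mean gap {avg:.0f}s, gap CV {cv:.3f}")
    return "\n".join(lines)


if __name__ == "__main__":
    rows = parse_export(SESSION_EXPORT)
    ind = collect_indicators(rows, "10.101.240.178")
    score = beacon_score(rows, "10.101.240.178", "213.183.58.186")
    print(incident_note(ind, score))
    print("Beaconing:", is_beaconing(rows, "10.101.240.178", "213.183.58.186"))
```

Run against the constructed export, the note lists 213.183.58.186 (Russian Federation), both .ru domains, HTTP, file.php via PUT and build.exe via GET, and the beacon check reports five sessions about 300 seconds apart with a gap CV well under 0.1, which is the pattern the solution describes as beaconing. The benign host has only two sessions to its destination, so no regularity judgement is made. The CV threshold is a tunable heuristic: implants that add jitter to their sleep interval push the CV up, so treat a low CV as one supporting indicator alongside the destination reputation and the file transfers, not as proof on its own.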