Back to Course

Incident Response

0% Complete
0/71 Steps
  1. Incident Response
    Incident Reporting
  2. Incident Response Use Cases
    Lab Setup
  3. Role Playing - Shift Manager
  4. Demonstrating: Investigating and Escalating
  5. Report from Malware Analyst
  6. Exercise 1.1: Exploring Suspicious Executable Detected using SIEM
  7. Exercise 1.2: Investigating Multiple Failed Logins using SIEM
  8. Exercise 3: Mitigating Risk
  9. Exercise 4.1: Asking the Right Questions
  10. Scenario 4.1: Asking the Right Questions
  11. Scenario 4.2: Suspicious or Malicious?
  12. Exercise 4.2: Reviewing the Shift Log
  13. Exercise 4.3: Investigating an Unauthorized Login Attempt
  14. Exercise 4.4: Investigating Firewall Traffic
  15. Exercise 4.5: Reviewing the Security Operations Mailbox
  16. Exercise 5.1: Reviewing New Intelligence
  17. Exercise 5.2: Assessing Threat Severity
  18. Exercise 6: Recommending Remediation
  19. Exercise 7: Conducting a Post-Incident Review
  20. Exercise 8: Communicating with Operations and Senior Management
  21. Business Continuity
    Business Continuity Plan Development
    8 Topics
  22. BCP Invocation Process
    2 Topics
  23. Emergency Procedures
    7 Topics
  24. Crisis Management Team
    10 Topics
  25. BCP Seating Plan
  26. Overview
  27. Disaster Recovery
    Scope of Critical Services
  28. Network Services
  29. Application Hosting Service
  30. File Hosting Services
  31. Call Centre and Voice Recording Services
  32. Regulatory Links
  33. Thin Client Environment
  34. Voice System (Non-Service Desk)
  35. Printing Services
  36. Recovery Time Objective (RTO) & Recovery Point Objective
  37. Single Point of Failure
  38. Redundancy Requirements
  39. Alternate Locations
  40. Contact Protocol
    4 Topics
Lesson 6 of 40
In Progress

Exercise 1.1: Exploring Suspicious Executable Detected using SIEM

Goals

To investigate suspicious activity using SIEM.

Objectives

After completing this exercise, you should be able to:

  • Investigate an alert in SIEM.
  • Document findings.
  • Make an assessment based on your investigation.

Introduction

The next entry in the shift log is:

•     Incident (inc02): Alert on suspicious executable detected 

Metasploit is a penetration testing tool used by both security professionals and hackers. Activity of this nature may or may not present a security threat.

Instructions

Follow these steps to complete this exercise: 

  1. From your lab environment, open SIEM.
  2. Select Unifiedà Investigation.
  3. The investigation device list appears.
  4. Choose Concentrator by double-clicking on it.
  5. Investigate the ‘hacker tool activity’ alert which is listed in the Alerts section.
  6. List the affected IP addresses:
  7. Identify the user account involved in this alert:
  8. Classify the suspicious activity:
  9. Which service is exploited?
  10. What do you conclude after investigating this alert?

Solution

List the affected IP addresses:

  • Source IP Addresses:
  • 192.168.5.10
  • 172.15.2.11
  • Destination IP addresses:
  • 192.168.5.189
  • 64.53.52.12
  • 192.168.5.172

Identify the user account involved in this alert? –            metasploit

Classify the suspicious activity: –           Account escalation

Which service is exploited?

–    SMB

What do you conclude after investigating this alert?

–    Nothing suspicious

Any recommendations?