Incident Response
Lesson 6 of 40
Exercise 1.1: Exploring Suspicious Executable Detected using SIEM
Goals
To investigate suspicious activity using SIEM.
Objectives
After completing this exercise, you should be able to:
- Investigate an alert in SIEM.
- Document findings.
- Make an assessment based on your investigation.
Introduction
The next entry in the shift log is:
• Incident (inc02): Alert on suspicious executable detected
Metasploit is a penetration testing tool used by both security professionals and hackers. Activity of this nature may or may not present a security threat.
Instructions
Follow these steps to complete this exercise:
- From your lab environment, open SIEM.
- Select Unified → Investigation.
- The investigation device list appears.
- Choose Concentrator by double-clicking on it.
- Investigate the ‘hacker tool activity’ alert which is listed in the Alerts section.
- List the affected IP addresses:
- Identify the user account involved in this alert:
- Classify the suspicious activity:
- Which service is exploited?
- What do you conclude after investigating this alert?
Solution
- List the affected IP addresses:
  - Source IP addresses:
    - 192.168.5.10
    - 172.15.2.11
  - Destination IP addresses:
    - 192.168.5.189
    - 64.53.52.12
    - 192.168.5.172
- Identify the user account involved in this alert: – metasploit
- Classify the suspicious activity: – Account escalation
- Which service is exploited? – SMB
- What do you conclude after investigating this alert? – Nothing suspicious
- Any recommendations?
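As an added example that is not part of the course material, the following Python script carries out the documentation steps of this exercise over a constructed set of alert events: it collects the source and destination addresses, accounts and services tied to one alert name, counts how many hosts each source touched, and flags any address that falls outside RFC 1918 private space. The event field names and the sample events are assumptions, not an export from the lab SIEM.

```python
import ipaddress

# Constructed sample events (assumption: a flat dict per event; these are not
# real SIEM records). The first three mirror the values in the exercise solution.
SAMPLE_EVENTS = [
    {"alert": "hacker tool activity", "src_ip": "192.168.5.10",
     "dst_ip": "192.168.5.189", "user": "metasploit", "service": "smb"},
    {"alert": "hacker tool activity", "src_ip": "192.168.5.10",
     "dst_ip": "192.168.5.172", "user": "metasploit", "service": "smb"},
    {"alert": "hacker tool activity", "src_ip": "172.15.2.11",
     "dst_ip": "64.53.52.12", "user": "metasploit", "service": "smb"},
    # Unrelated noise event, to show the filter by alert name works.
    {"alert": "failed login", "src_ip": "10.0.0.5",
     "dst_ip": "192.168.5.189", "user": "jsmith", "service": "rdp"},
]


def is_private(ip):
    """True for RFC 1918 / other private ranges (note: 172.15.x is NOT private;
    the private block is 172.16.0.0/12)."""
    return ipaddress.ip_address(ip).is_private


def summarize_alert(events, alert_name):
    """Collect the fields an analyst documents for one alert: affected IPs,
    accounts, services, fan-out per source, and addresses outside private space."""
    hits = [e for e in events if e["alert"] == alert_name]
    src = sorted({e["src_ip"] for e in hits})
    dst = sorted({e["dst_ip"] for e in hits})
    return {
        "event_count": len(hits),
        "source_ips": src,
        "destination_ips": dst,
        "accounts": sorted({e["user"] for e in hits}),
        "services": sorted({e["service"] for e in hits}),
        # How many distinct hosts each source reached: a quick lateral-movement signal.
        "hosts_per_source": {s: len({e["dst_ip"] for e in hits if e["src_ip"] == s})
                             for s in src},
        # Anything not in private space crossed a network boundary and needs a note.
        "external_sources": [ip for ip in src if not is_private(ip)],
        "external_destinations": [ip for ip in dst if not is_private(ip)],
    }


if __name__ == "__main__":
    for key, value in summarize_alert(SAMPLE_EVENTS, "hacker tool activity").items():
        print(f"{key}: {value}")
```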