Lesson 1, Topic 1
Communication with a Known Bad
- Review the relevant events in the SIEM and collect the following information:
a) Destination IP address of the outbound connections
b) Time and date of offence
c) Geo location of the external hosts
d) Search the correlation and basic events to collect the information that is required
e) IP address and the host name on the internal asset involved
f) Any additional information about the host involved (asset name, criticality, owner, etc.)
g) The requested URL on the proxy servers
h) The username associated with the network connection if available
- Evaluate the external IP address reputation and analyze the events and network traffic if available:
a) Investigate the malicious IP address and URL using the available information sources (X-Force Exchange, IP Void, etc.) to see if it is/has been associated with malicious/unauthorized activity. (Please be careful not to go directly to any sites thought to be malicious)
a. Where is the data coming from and where is it going?
b. Is it associated with known malicious activity or indicators of compromise (e.g., malware, malicious IPs/domains, etc.)?
c. What type of site/IP/hostname is it? Is it an official affiliated vendor, group, association, etc?
d. Does it appear to be a legitimate site/IP/hostname?
e. Are there professional relationships in place? Are they in the same division or industry?
b) Verify the reliability of the information about the malicious IPs or URLs
c) Check internal references for authorized exceptions (e.g., CMDB Tool, CSIRT team)
NOTE: It is recommended to search the following websites to get more information about the malware and the level of risk:
- Search for any possible related incident in the ticketing system or the SIEM solution
a) Destination IP address
b) Requested URL
c) Hostname and IP address of the internal hosts
If relevant incidents are found, create a master incident ticket and link all the existing tickets to the master ticket.
- Categorize the incident as Malicious Code and assign the incident to the appropriate team based on the document “SOC Tier 1 – Security Threat Monitoring Process/Procedure”.
NOTE: Below is the list of available options for the incident types:
Web Application Attack
Unauthorized System Activity
Unauthorized Network Activity
Suspicious System Activity
Suspicious Network Activity
Probes and Scans
Denial of Service
Communication with Malicious Network
- Collect as much information as possible about the malicious communication:
a) Services and processes that are used for the communication with the known bad destination network
b) Ports and network protocols that are used for the communication with the malicious network (Firewall logs or packet sniffing tools can be used if no information is publicly available)
c) Requested IP addresses and URLs for the communication with the known bad network
d) DNS Queries for the communication with the malicious network
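The collection steps above (destination IPs, times, internal host, user, requested URL, ports/protocols and DNS queries) can be scripted against an exported event set. The following is an added example, not part of the original runbook; it assumes a simplified constructed "key=value" export format and a constructed known-bad indicator list, and groups the collected data points per internal host that matched an indicator.

```python
import re
from collections import defaultdict

# Constructed sample events in a simplified "key=value" SIEM export format (not real logs).
SAMPLE_EVENTS = """\
ts=2024-03-04T10:15:02Z type=firewall src=10.20.30.40 dst=203.0.113.17 dport=443 proto=tcp action=allow
ts=2024-03-04T10:15:03Z type=proxy src=10.20.30.40 user=jdoe url=https://updates.example-bad.test/beacon dst=203.0.113.17
ts=2024-03-04T10:15:01Z type=dns src=10.20.30.40 query=updates.example-bad.test answer=203.0.113.17
ts=2024-03-04T10:16:40Z type=firewall src=10.20.30.41 dst=198.51.100.9 dport=80 proto=tcp action=allow
ts=2024-03-04T10:17:00Z type=firewall src=10.20.30.40 dst=203.0.113.17 dport=8443 proto=tcp action=allow
"""

# Constructed known-bad indicators (placeholders standing in for a threat-intel feed).
KNOWN_BAD_IPS = {"203.0.113.17"}
KNOWN_BAD_DOMAINS = {"updates.example-bad.test"}

def parse_event(line):
    """Turn one 'key=value ...' line into a dict."""
    return dict(re.findall(r"(\w+)=(\S+)", line))

def triage(events_text, bad_ips, bad_domains):
    """Group events by internal host and collect the runbook's data points
    (destination IPs, ports/protocols, URLs, DNS queries, users, first/last seen)
    for hosts that communicated with a known-bad destination."""
    per_host = defaultdict(lambda: {"dst_ips": set(), "ports": set(), "urls": set(),
                                    "dns": set(), "users": set(), "times": [], "bad": False})
    for line in events_text.splitlines():
        ev = parse_event(line)
        if "src" not in ev:
            continue
        h = per_host[ev["src"]]
        h["times"].append(ev["ts"])
        if "dst" in ev:
            h["dst_ips"].add(ev["dst"])
            h["bad"] |= ev["dst"] in bad_ips
        if "dport" in ev:
            h["ports"].add(f'{ev["proto"]}/{ev["dport"]}')
        if "url" in ev:
            h["urls"].add(ev["url"])
        if "user" in ev:
            h["users"].add(ev["user"])
        if "query" in ev:
            h["dns"].add(ev["query"])
            h["bad"] |= ev["query"] in bad_domains
    # Keep only hosts with a known-bad match; sorted times give first/last seen.
    hits = {host: d for host, d in per_host.items() if d["bad"]}
    for d in hits.values():
        d["times"].sort()
        d["first_seen"], d["last_seen"] = d["times"][0], d["times"][-1]
    return hits

if __name__ == "__main__":
    for host, d in triage(SAMPLE_EVENTS, KNOWN_BAD_IPS, KNOWN_BAD_DOMAINS).items():
        print(host, d)
```

The host that never matched an indicator (10.20.30.41) is dropped from the output, so the result maps directly onto the ticket fields the runbook asks for.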
- Prioritize the incidents based on the instructions provided in the document “Security Incident Management Process”.
- If there is any evidence that the communication was initiated by malware, change the type of the incident to Malicious Code and follow the instructions in the Malicious Code runbook.
- Consider possible short-term containment actions:
a) Prevent communication with the Malicious Network: Blocking the malicious communication to any external host is an effective way to contain any type of security threat. Below are some recommended mechanisms to achieve this goal:
a. Apply filters to firewalls or router ACLs to block IP addresses that are associated with the network communication
b. Apply filters to the proxy solution to block the URLs that are associated with the network communication
c. Isolate the internal host and run antivirus / malware health checks
- If the exfiltration was user-initiated, fully document the case and escalate to the CSIRT and HR/legal teams.
- Conduct further network and host forensics as required
- If internal users or admins made any unauthorized changes to the protective technology, ensure that all user accounts associated with that person are disabled.
- Take the following actions if applicable:
a) Review the firewall policies to ensure they are following the best practices
b) Review the security policies on the IPS
c) Review the security policies of the proxy servers
d) Revisit the network configuration on the host
- If the incident is left open for an extended period (e.g., 7+ days), ensure at least one follow-up notification is sent, and if the responsible parties are still unresponsive, escalate to management for action.
- Work with the Threat Intelligence team to refine existing rules or develop new signatures/rules to detect activity, as necessary.
- Look for artifacts indicating that the attacker has come back:
a) Unusual network communication
b) Unusual processes
c) Accounts used by the attackers, and simultaneous logins
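One of the post-incident checks above, simultaneous logins for the same account, can be automated over session records. This is an added example, not part of the original runbook; it assumes constructed session records (user, source IP, login time, logout time) and flags overlapping sessions of one account from two different source addresses, while ignoring re-authentication from the same address.

```python
from datetime import datetime

# Constructed sample authentication sessions (not real logs): user, source IP, login, logout.
SAMPLE_SESSIONS = [
    ("jdoe", "10.20.30.40", "2024-03-05T08:00:00", "2024-03-05T12:00:00"),
    ("jdoe", "10.20.30.77", "2024-03-05T09:30:00", "2024-03-05T09:45:00"),  # overlaps from another host
    ("jdoe", "10.20.30.40", "2024-03-05T13:00:00", "2024-03-05T17:00:00"),
    ("asmith", "10.20.30.50", "2024-03-05T08:05:00", "2024-03-05T08:50:00"),
    ("asmith", "10.20.30.50", "2024-03-05T08:10:00", "2024-03-05T08:20:00"),  # same host: not flagged
]

def _t(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S")

def simultaneous_logins(sessions):
    """Return (user, ip_a, ip_b, overlap_start) tuples for sessions of the same
    account that overlap in time and come from two different source addresses."""
    by_user = {}
    for user, ip, start, end in sessions:
        by_user.setdefault(user, []).append((_t(start), _t(end), ip))
    findings = []
    for user, sess in by_user.items():
        sess.sort()  # by start time
        for i in range(len(sess)):
            s1, e1, ip1 = sess[i]
            for j in range(i + 1, len(sess)):
                s2, e2, ip2 = sess[j]
                if s2 >= e1:  # sorted by start, so no later session can overlap sess[i]
                    break
                if ip1 != ip2:
                    findings.append((user, ip1, ip2, max(s1, s2).isoformat()))
    return findings

if __name__ == "__main__":
    for f in simultaneous_logins(SAMPLE_SESSIONS):
        print("simultaneous login:", f)
```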
- Put together a report detailing what happened, why it happened, what could have prevented it, and what you’ll be doing to prevent it from happening again.
- Meet with management to go over the report and get their approval for the changes needed to prevent similar incidents in the future.