Lesson 1, Topic 24
Suspicious System Activity
- Review the relevant events in SEIM and collect the following information:
a) IP address and the host name on the internal asset involved
b) Time and date of offence
c) The username that is associated to the suspicious activity
d) Any additional information about the host involved (asset name, criticality, owner, etc.)
e) Type of the activity and systems or users that are affected
f) Identify whether the activity is initiate from an external or internal machine
- If the activity is initiate from an external machine, evaluate the external IP address reputation and analyze the events and network traffic if available:
a) Investigate the malicious IP address and URL using the available information sources (X-Force Exchange, IP Void, etc.) to see if it is/has been associated with malicious/unauthorized activity. (Please be careful not to go directly to any sites thought to be malicious)
a. Where is the data coming from and where is it going?
b. Is it associated with known malicious activity or indicators of compromise (e.g., malware, malicious IPs/domains, etc.)?
c. What type of site/IP/hostname is it? Is it an official affiliated vendor, group, association, etc?
d. Does it appear to be a legitimate site/IP/hostname?
e. Are there professional relationships in place? Are they in the same division or industry?
b) Verify the reliability of the information about the malicious IPs or URLs
c) Check internal references for authorized exceptions (e.g., CMDB Tool, CSIRT team)
NOTE: It is the recommended to search the following websites to get more information about the malware and level of risk:
- Search for any possible related incident in the ticketing system or the SIEM solution
b) Hostname and IP address of the internal hosts
c) Type of activity (e.g., user creation, configuration changes, etc.)
In case of finding relevant incidents, create a master incident ticket and link all the existing tickets with the master ticket
- Categorize the incident as Suspicious System Activity and assign the incident to the appropriate team based on the document “SOC Tier 1 – Security Threat Monitoring Process/Procedure”.
NOTE: Below is the list of available options for the incident types:
Web Application Attack
Unauthorized System Activity
Unauthorized Network Activity
Suspicious System Activity
Suspicious Network Activity
Probes and Scans
Denial of Service
Communication with Malicious Network
- Collect as much information as possible about the suspicious activity:
a) Users that are associated to the suspicious activity
b) Changes that are made to the systems and the impact on the day-to-day operation
c) Type of assets that are affected
- Prioritize the incidents based on the instructions provided in the document “Security Incident Management Process”.
- Identify the severity of the incident based on the following scenarios, and assign the incident to the appropriate team based on the document “SOC Tier 2 – Security Incident Triage Process/Procedure”
Any type of changes that is done on workstations and the associated user accounts
Any type of changes that is done on servers and the associated user accounts
Any type of changes that is done on critical servers and the associated user accounts
- Inform the system admins about the incident and investigate the reason for the change:
a) Approved changed by management
b) Informally approved by management by the change management process is not followed properly
c) Unapproved changed with low impact
d) Unapproved changed with medium impact
e) Unapproved changed with high impact
- For unapproved changes with medium/high impact, disable the accounts that are used to initiate the changes
- Considering reverting the changes on the systems if possible
- Conduct further network and host forensics as required
- If there is, any evidence that shows the activity is initiated by malware, change the type of the incident to Malicious Code and follow the instructions in the Malicious Code runbook.
- If the activity is done through a compromised account, change the type of the incident to Unauthorized Access and follow the instructions in the Unauthorized Access runbook.
- If the activity has low impact and is initiated by a legitimate user without following the organization policies, notify the related mangers to ensure those employees will follow the company change policies and will not proceed with any changes without a proper approval.
- If the activity has medium/high impact and is initiated by a legitimate user without following the organization policies, engage the system admins to revert the changes. Also notify the related mangers to ensure those employees will follow the company change policies and will not proceed with any changes without a proper approval.
- If the activity has low impact and is initiated by an illegal user, investigate the possible motivation behind the activity and if required, inform the related mangers about the incident for further investigation
- If the activity has medium/high impact and is initiated by an illegal user, engage the system admins to revert the changes. Also investigate the possible motivation behind the activity and escalate to CSIRT and HR/legal teams.
- If the exfiltration was user initiated, fully document the case and escalate to CSIRT and HR/legal teams.
- If the incident is left open for an extended period (e.g., 7+ days) Ensure at least one follow-up notification is sent and If they are still unresponsive, escalate to management for action
- Work with the Threat Intelligence team to refine existing rules or develop new signatures/rules to detect activity, as necessary.
- Look for artifacts to come back:
a) Unusual changes on systems
b) Unusual authentication activity
- Put together a report detailing what happened, why it happened, what could have prevented it, and what you’ll be doing to prevent it from happening again.
- Meet with management to go over the report and get their approval for the changes needed to prevent similar incidents in the future.