

  1. Review the relevant events in the SIEM and collect the following information:
    a) IP address and host name of the internal asset involved
    b) Time and date of the offence
    c) The username associated with the suspicious activity
    d) Any additional information about the host involved (asset name, criticality, owner, etc.)
    e) Type of activity and the systems or users that are affected
    f) Whether the activity was initiated from an external or an internal machine
  2. If the activity was initiated from an external machine, evaluate the reputation of the external IP address and analyze the events and network traffic, if available:
    a) Investigate the malicious IP address and URL using the available information sources (X-Force Exchange, IP Void, etc.) to see if it is, or has been, associated with malicious or unauthorized activity. (Be careful not to browse directly to any site thought to be malicious.)
       a. Where is the data coming from and where is it going?
       b. Is it associated with known malicious activity or indicators of compromise (e.g., malware, malicious IPs/domains, etc.)?
       c. What type of site/IP/hostname is it? Is it an official affiliated vendor, group, association, etc.?
       d. Does it appear to be a legitimate site/IP/hostname?
       e. Are there professional relationships in place? Are they in the same division or industry?
    b) Verify the reliability of the information about the malicious IPs or URLs
    c) Check internal references for authorized exceptions (e.g., CMDB Tool, CSIRT team)
    NOTE: It is recommended to search the following websites to get more information about the malware and the level of risk:
    • https://exchange.xforce.ibmcloud.com/
    • https://www.mcafee.com/threat-intelligence/ip/spam-senders.aspx
    • http://ipremoval.sms.symantec.com/lookup/
    • https://ers.trendmicro.com/reputations
  3. Search the ticketing system and the SIEM solution for any possibly related incidents, using the following attributes:
    a) username
    b) Destination IP address
    c) Requested URL
    d) Hostname and IP address of the internal hosts
    e) Type of communication (e.g., large file transfer, SSH, VPN)
    If relevant incidents are found, create a master incident ticket and link all the existing tickets to the master ticket.
  4. Categorize the incident as Unauthorized Network Activity and assign the incident to the appropriate team based on the document “SOC Tier 1 – Security Threat Monitoring Process/Procedure”.
    NOTE: Below is the list of available options for the incident types:
     • Malicious Code
     • Web Application Attack
     • Unauthorized Access
     • Unauthorized System Activity
     • Unauthorized Network Activity
     • Suspicious System Activity
     • Suspicious Network Activity
     • Probes and Scans
     • Denial of Service
     • Policy Violation
     • Device Misconfiguration
     • Device Malfunctioning
     • Communication with Malicious Network
  5. Collect as much information as possible about the suspicious activity:
    a) Users that are associated with the suspicious activity
    b) Type of suspicious network communication and the impact on the day-to-day operation
    c) Type of assets that are affected
  6. Prioritize the incidents based on the instructions provided in the document “Security Incident Management Process”.
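A small triage helper for steps 1 to 3 above, added here as an example; it is not part of the course's runbook. The internal address ranges, the authorized-exception list and the SIEM events are constructed, and the reputation lookups of step 2a are deliberately left to the analyst rather than automated.

```python
"""Triage helper for runbook steps 1 to 3 (added example; all data below is constructed)."""
import ipaddress
# Constructed: address space the SOC treats as internal (the RFC 1918 ranges here)
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Constructed: authorized exceptions recorded by the CMDB/CSIRT team (step 2c)
AUTHORIZED_EXCEPTIONS = {"203.0.113.10"}  # documentation-range placeholder, not a real peer
# Constructed SIEM events in the shape an offense/correlation rule might emit
FIELDS = ("time", "src", "dst", "user", "host", "activity")
EVENTS = [dict(zip(FIELDS, row)) for row in (
    ("2024-03-01T02:14Z", "10.20.30.40", "198.51.100.25", "jdoe", "WS-FIN-017", "large file transfer"),
    ("2024-03-01T02:20Z", "10.20.30.40", "198.51.100.25", "jdoe", "WS-FIN-017", "SSH"),
    ("2024-03-01T03:05Z", "198.51.100.77", "10.20.30.41", "svc-backup", "SRV-BKP-02", "VPN"),
    ("2024-03-01T03:10Z", "10.20.30.42", "203.0.113.10", "asmith", "WS-ENG-003", "SSH"),
)]

def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)

def triage(event):
    """Step 1: pull out the fields the runbook asks for and decide the direction (1f)."""
    src_internal = is_internal(event["src"])
    external_ip = event["dst"] if src_internal else event["src"]
    return {
        "internal_ip": event["src"] if src_internal else event["dst"],
        "host": event["host"], "time": event["time"], "user": event["user"],
        "activity": event["activity"], "external_ip": external_ip,
        "direction": "internal-initiated" if src_internal else "external-initiated",
        # Step 2c: a documented exception is flagged before any reputation lookup is made
        "authorized_exception": external_ip in AUTHORIZED_EXCEPTIONS,
    }

def group_related(findings):
    """Step 3: link findings sharing a username or external IP; returns index lists, one per master ticket."""
    parent = list(range(len(findings)))  # union-find over finding indexes
    def find(i):
        while parent[i] != i:
            i = parent[i]
        return i
    seen = {}  # (attribute, value) -> index of the first finding carrying it
    for i, f in enumerate(findings):
        for key in (("user", f["user"]), ("external_ip", f["external_ip"])):
            if key in seen:
                parent[find(i)] = find(seen[key])
            else:
                seen[key] = i
    groups = {}
    for i in range(len(findings)):
        groups.setdefault(find(i), []).append(i)
    return sorted(groups.values())
```

Run `group_related([triage(e) for e in EVENTS])` to see the first two events land under one master ticket while the external-initiated VPN event and the authorized-exception event each stand alone.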


  1. If there is any evidence that the communication was initiated by malware, change the incident type to Malicious Code and follow the instructions in the Malicious Code runbook.
  2. Consider possible short-term containment actions:
    a) Apply filters to firewalls or router ACLs to block IP addresses that are associated with the network communication
    b) Apply filters to the proxy solution to block the URLs that are associated to the network communication
    c) Isolate the internal host and run antivirus / malware health checks
  3. If the exfiltration was user-initiated, fully document the case and escalate to the CSIRT and HR/legal teams.
  4. Conduct further network and host forensics as required.


  1. If there are any unauthorized changes on the protective technology by the internal users or admins, ensure all the user accounts that are associated with the person are disabled.
  2. Take the following actions if applicable:
    a) Review the firewall policies to ensure they are following the best practices
    b) Review the security policies on the IPS
    c) Review the security policies of the proxy servers
  3. Revisit the network configuration on the host
  4. If the incident is left open for an extended period (e.g., 7+ days), ensure at least one follow-up notification is sent to the assigned team, and if they are still unresponsive, escalate to management for action.


  1. Work with the Threat Intelligence team to refine existing rules or develop new signatures/rules to detect activity, as necessary.
  2. Monitor for the activity returning, watching for:
    a) Unusual network communication
    b) Unusual processes
    c) Accounts used by the attackers, and simultaneous logins

Lessons Learned

  1. Put together a report detailing what happened, why it happened, what could have prevented it, and what you’ll be doing to prevent it from happening again.
  2. Meet with management to go over the report and get their approval for the changes needed to prevent similar incidents in the future.