Hands on/Interview prep


Incident Response Process

1. Preparation
2. Detection and Analysis (Identification)
3. Containment
4. Eradication
5. Recovery
6. Document/Lessons learned

RDP (Remote Desktop Protocol)

Port 3389. Remote Desktop Protocol is a proprietary protocol developed by Microsoft which provides a user with a graphical interface to connect to another computer over a network connection.

What port is used for DNS lookup?

53

MITRE ATT&CK Framework

A framework that provides explicit pseudo-code examples for detecting or mitigating a given threat within a network and ties specific behaviors back to individual actors.

Runbook vs Playbook

A playbook provides a checklist of steps to follow for incidents; a runbook tells us what kind of tools the organization has available. The playbook is more general.

What is the difference between a threat, a vulnerability, and a risk

A risk is the potential for loss or damage. A threat is someone with the potential to cause harm. A vulnerability is a weakness that can be exploited by threat actors.

What is a switch?

A switch, in the context of networking, is a high-speed device that receives incoming data packets and redirects them to their destination on a local area network (LAN). A switch determines the source and destination addresses of each packet and forwards data only to specific devices, while hubs transmit the packets to every port except the one that received the traffic. Unfortunately, with a hub, everyone sees every packet, which is why hubs have pretty much died in the market. Switching is much better because you can segment a network either logically (through VLANs or mapping) or physically (connecting switches back to a core).

SQL Injection

A type of malformed input that takes advantage of a conditional logic statement that evaluates true, adding a request for data that is against the security policy.

What is a Watering Hole Attack?

A watering hole attack is a method in which the attacker seeks to compromise a specific group of end users by infecting websites that members of that group are known to visit. The attacks have been adopted by criminals, APT groups and nation states alike, and the numbers are rising. The goal is to infect a victim's computer and gain access to the network. Cybersecurity professionals don't see this as the end of spear phishing, because watering hole attacks are still targeted attacks, but they cast a wider net and trap more victims than the attacker's original objective.

What is active directory

Active Directory authorizes and authenticates all users and computers in a Windows domain network, ensuring the security of the computer and software. Through Active Directory various functions can be managed, like creating admin users or connecting to printers or external hard drives.

What is IP addressing

Addresses used to identify a packet's source and destination host computer. Addressing rules also organize addresses into groups, which greatly assists the routing process.

Pony Trojan

Also known as Pony Stealer, Pony Loader, FareIT. Pony is more than just code for cryptocurrency or credential theft. It's actually a botnet controller that targets Windows machines. Once a computer is infected, Pony runs in the background collecting information about the system, its network activity and the users that are connected to it.

What is an IP address

An IP address is a number identifying a computer or another device on the Internet. It is similar to a mailing address, which identifies where postal mail comes from and where it should be delivered. IP addresses uniquely identify the source and destination of data transmitted with the Internet Protocol.

HTTPS (Hypertext Transfer Protocol Secure)

An encrypted version of HTTP. It uses port 443.

Symmetric Encryption

An encryption method whereby the same key is used to encode and to decode the message. Encryption is faster but more vulnerable. It is used for bulk data transfer.

What type of encryption method is used for an SSL handshake?

Asymmetric Cryptography

Certificates

Certificates are an important part of asymmetric encryption. Certificates include public keys along with details about the owner of the certificate and the CA (Certificate Authority) that issued the certificate. Certificate owners share their public key by sharing a copy of their certificate.

Cryptographic protocols

Changes plain text to cipher text

CIA Triad

Confidentiality (level of secrecy): The information should be accessible and readable for only authorized personnel.
Integrity: What is sent is what is received (modification). Integrity ensures that data is not corrupted or modified by unauthorized personnel.
Availability: People who should have access will have access when they need it. Hardware maintenance, regular upgrading, data backups, data recovery and network bottlenecks should be taken care of. Least Privilege as well.

What would you do if you found 1000 alerts at once

DDoS attack perhaps. Quickly scan what is going on, what type of threat this is, false positive or true positive.

What is an ETC

Editable Text Configuration: /etc is a folder which contains all your system configuration files. Then why the name etc?

What security solutions uses threat intelligence

Every prevention/detection system uses TI feeds. AV solutions use them to check malicious hashes. Firewalls use TI to check blacklisted IPs.

What sources can Qradar process data from

Firewalls, user directories, proxies, applications, routers. Syslog port 514 has to be open and reachable from your network and cloud devices; they all go through this port to the SIEM tool.

Walk us through a SIEM alert you encountered recently?

First off, the alerts fire into the SIEM.
- Alert details are used to determine the risk level of the event
- Triages are acquired and queries are run to collect more details about the event
- Conversations are held with stakeholders to help determine the impact of the incident, and make sure all groups are responding appropriately
- Infected systems are quarantined to make sure they can't infect other assets
- The incident is documented in a ticketing system to aid future investigations

Why do you want to make a career in cybersecurity

Growing up I always had a passion for helping people. I would volunteer a lot, and I majored in Criminal Justice, but my focus was on social work. After working at a homeless shelter for a while, I soon heard from a friend about cybersecurity. After doing some research within the field, I realized this was another way to protect someone. Furthermore, it would give me the feeling of a private investigator, without having the risk of working in the law.

What are HTTP methods? List all HTTP methods that you know, and explain them.

HTTP methods supported by REST: the primary or most commonly used HTTP methods are POST, GET, PUT, PATCH, and DELETE. These methods correspond to create, read, update, and delete (or CRUD) operations, respectively.

What are the differences between HTTP, HTTPS, SSL, and TLS?

HTTP stands for Hypertext Transfer Protocol. It is an application layer protocol used to communicate between two machines, and is mostly used in client-server models. HTTPS stands for HTTP over SSL, often called HTTP over SSL or HTTP over TLS. HTTPS increases the privacy and integrity of the data that is communicated over the internet. SSL stands for Secure Sockets Layer. SSL is a cryptographic protocol that provides authentication and data encryption in network communication. TLS stands for Transport Layer Security. It is the successor to SSL. It provides a secure version of SSL.

Hypertext Transfer Protocol (HTTP)

HTTP uses port 80 for unencrypted web communications.

Why is TI important?

Helps keep companies informed of the advanced threats, exploits, and zero day threats that they are most vulnerable to and how to take action against them.

Walk me through your day to day activities at your current job (CyberNow).

I am part of the incident response/SOC team at CyberNow and I work on three major areas on a day to day basis: Monitoring & Incident Response, Phishing Analysis, and Vulnerability scanning. I use FireEye HX in the SOC for Endpoint Detection and Response to detect, identify and contain threats on endpoints. I monitor alerts and respond accordingly. We monitor the events on QRadar/Splunk. QRadar is mainly used for correlations and Splunk for log collection. I monitor the offenses and assign individual offenses to myself, conduct IR processes on them and document everything using the Hive. I would say that the offenses that I see mostly are firewall denies, authentication failures, brute force attempts, connection to a known malware site, traffic from an untrusted network, and potential data loss.

Why are you applying to this position?

I did some research on the company and I feel as though it has a lot of upside to grow and have an impact in the environment. I am looking for that opportunity that is a good fit and I feel as though this position checks all the boxes.

Walk me through your resume

I graduated from Stockton University with a Bachelor's in Criminal Justice. I taught poetry at a homeless shelter, as well as working as a Pharmacy Technician. From there I started to get interested in cybersecurity. It felt like a natural flow, as I sort of felt like a private investigator while looking at some of these threats. So I got my CompTIA Security+ certification. I currently work as a Cybersecurity Analyst at CyberNowLabs. I work in a SOC environment with about ten other analysts. We utilize SIEM tools like QRadar and Splunk, as well as EDR tools like CrowdStrike and SentinelOne.

Tell me about your home lab

I have a little home lab where I have VirtualBox with virtual Kali Linux, Metasploitable and Windows environments. This allows me to download malware in a safe area to protect my host machine. I can download malware in my virtual Windows machine and detonate it with NetworkMiner, Process Hacker and Regshot running, so that I can observe what the malware does and document it. I can also attack my Metasploitable machine with my Kali box to see what it looks like when an attacker does the same. It helps me to understand the attacks better.

Proofpoint

I have used Proofpoint to maintain email security. I would analyze email headers and terminate any threats. My instructor and contact was Jack Johnson; he was excellent, and Proofpoint was one of the top security systems and gave me a great experience.

How do you keep up to date ?

I listen to various podcasts that cover cybersecurity news. My favorite one is Security Now with Steven Gibson. I also like to browse various cybersecurity forums on social media platforms like Reddit.

Why are you leaving your current job?

I would love to have the opportunity to improve as a cybersecurity analyst and continue to face bigger challenges, and attack types. I feel as though this company will be a better fit, and will give me better opportunity to grow into a tier 2 analyst.

What are the top 5 SIEM alerts you face

I would say that the number of offenses that I see mostly are firewall denies, authentication failures, brute force attempts, connection to a known malware site, traffic from an untrusted network, and potential data loss.

Qradar

IBM's SIEM log management, analytics, and compliance reporting platform. We used Splunk and QRadar. It helps to identify suspected attacks and policy breaches. I spent most of my time on this solution and Splunk.

What is ICMP?

ICMP is Internet Control Message Protocol. It provides messaging and communication for protocols within the TCP/IP stack. It works on the Network Layer in the OSI model. This is also the protocol that manages error messages that are used by network tools such as PING.

Name some common Indicators of compromise obtained from threat intelligence

IP addresses, URLs, and domain names: An example would be malware targeting an internal host that is communicating with a known threat actor.
Email addresses, subjects, links and attachments: A phishing attempt where a link initiates a malicious command.
Registry keys, filenames, file hashes and DLLs: An attack from an external host that has been flagged for nefarious behavior and has already been infected.

IPv4 vs IPv6

IPv4: 32-bit number; 4 billion addresses; four sets of numbers marked off by periods.
IPv6: 128-bit addresses, able to handle up to 1 quadrillion addresses; almost unlimited number of addresses.

What would you do if you get 1000 alerts

If I were working and I saw 1000 alerts all at the same time, the first thing I would do is stay calm and analyze the situation like any other alert. I can use the play book for guidance based on the type of alert however, I would initially want to know what the alert is. Is this a repeat alert? Then I can begin to dive into the investigation. I would investigate as far as I could take it. The end goal being able to determine the nature of the alert. True positive, true positive non-issue, or false positive. If I can determine the nature of the alert then I would take the appropriate steps from there such as completing the ticket and closing out the alerts. If there needs to be an escalation then I would take those steps to involve other members of the team. If it is a false positive alert I can take the appropriate information and partner with the engineer so that we can see if this is an opportunity to tune these alerts out. Especially if it is a repeat alert.

What is an IOA

Indicators of attack. Focuses more on the why and the intent of an actor. Unlike indicators of compromise used by legacy endpoint detection solutions, IOAs focus on detecting the intent of what an attacker is trying to accomplish.

What is an IOC

Indicators of compromise. An IOC is an attribute associated with an attack. Attributes associated with an attack might include: IP address, URL, email, file hash, etc. IOCs also provide actionable threat intelligence that can be shared within the community to further improve an organization's incident response and remediation strategies.

How TI can be integrated with SIEM

Integrated by using lists. These lists should be updated regularly to get the latest IOCs.

Examples of how you have consumed TI

Integrating TI feeds with the SIEM
Using ipvoid, URLvoid, VirusTotal, urlscan.io during analysis of any alert
Ad-hoc reports for the latest attacks (using their IOCs)

IMAP

Internet Message Access Protocol uses port 143 for a similar purpose.

What is the LDAP default port in Active Directory?

LDAP, port 389, is the directory service protocol that is used to query and update AD. LDAP naming paths are used to access AD objects and include the following: Distinguished Names and Relative Distinguished Names.

What is the difference between LDAP and Active directory

LDAP is the protocol and Active Directory is the service.

How would you prevent Bruteforce attacks

MFA and account lockout.

How would you strengthen user authentication?

Mention two-factor authentication or non-repudiation and how you would implement it. Authentication, the process of proving that someone is who he claims to be, is one of the most important components of your security infrastructure. To be effective, authentication works together with identification and authorization (access control). To make authentication stronger, you can combine methods, often referred to as multi-factor or non-repudiation. The most common type is two-factor authentication, such as using a PIN code as well as a SecurID token to log on to your network. The example of two-factor authentication with which you are probably most familiar is your ATM card: you insert your card (something you have) into the ATM machine and enter your PIN (something you know) to access your account and perform transactions.

Tell me about yourself

My name is Hamid Mohammad. I would like to thank you for the opportunity. I am looking forward to merging my Criminal Justice knowledge with my experience in cybersecurity. After watching my friend Sarah do well in this field, and realizing how central this industry is to everyday life, I decided I wanted to help. I studied and got my CompTIA Security+ certification and now I work in incident response in a SOC environment for CyberNowLabs. I work on a team with 10 other analysts that field offenses, threats and notables in QRadar, CrowdStrike, and Proofpoint. I utilize the incident response process to investigate and document threats to the CNL network. I look forward to growing as an analyst and am currently studying for my CEH and AWS exams.

How would you handle patch management?

Patch management is the process of managing a network of computers by regularly deploying all missing patches to keep computers up to date. It typically includes evaluating and testing patches before deploying them.
- Leaving software and operating systems unpatched puts your organization at risk of serious security breaches.
- Soon after a security update is released, cybercriminals are already on the move, looking to exploit any unpatched systems.
Steps:
- Vulnerability scanning
- Patching schedule (off-hours patching)
- Testing and monitoring

Qradar correlates information

Point in time, offending users, origins, targets, vulnerabilities, asset information, known threats.

POP

Post Office Protocol allows clients to retrieve mail on port 110.

What is a SIEM?

SIEM software collects and aggregates log data generated throughout the organization's technology infrastructure, from host systems and applications to network and security devices such as firewalls and antivirus filters. The software then identifies and categorizes incidents and events and analyzes them. The software delivers on two main objectives, which are to:
● provide reports on security-related incidents and events, such as successful and failed logins, malware activity and other possible malicious activities, and
● send alerts if the analysis shows that an activity runs against predetermined rulesets and thus indicates a potential security issue.
Splunk, IBM QRadar and McAfee are top SIEM providers. It basically collects logs and security-related information from security devices and customer endpoints and runs AI and analytics to bring forward correlated and user-actionable (human readable) information.

Name a few commercial threat intelligence feeds

SOC Radar was the one we used the most. Others: IBM X-Force Exchange, CrowdStrike, Anomali ThreatStream, Palo Alto Networks AutoFocus, FireEye iSIGHT Threat Intelligence, Recorded Future.

Secure Shell (SSH) Protocol

SSH uses port 22 for encrypted administrative connections to servers.

What is SSL/TLS?

Secure Socket Layer (SSL) and Transport Layer Security (TLS) are both cryptographic protocols providing communication security over a network; for example, a client connecting to a web server. TLS is the continuation of SSL.

SMTP

Simple Mail Transfer Protocol uses port 25 to exchange email between servers.

What are TAXII and STIX

Structured Threat Information Expression (STIX) is a language and serialization format used to exchange cyber threat intelligence (CTI); STIX is a structured language for cyber threat intelligence. TAXII is Trusted Automated Exchange of Indicator Information, a free and open transport mechanism that standardizes the automated exchange of cyber threat information. Example: hailataxii.com

Confirmed vs Unconfirmed

System infected: confirmed. System not infected: unconfirmed.

Explain the three-way handshake

TCP is a connection-oriented protocol, so systems must go through a handshaking process to create a connection before transmitting data.
1. The system sends a packet with the SYN flag set. This indicates that it would like to open a connection to the destination system.
2. The destination system receives this packet and replies with another packet that does two things. It acknowledges the original connection request and then asks to open a reciprocal connection in the other direction. This packet is known as the SYN/ACK packet.
3. The original system receives the SYN/ACK packet and sends a final ACK to the destination system, completing the reciprocal connection.
Once the three-packet sequence completes, the connection is open, and the systems may begin exchanging data.

What is a DMZ and what is in it?

The DMZ functions as a small, isolated network positioned between the Internet and the private network and, if its design is effective, allows the organization extra time to detect and address breaches before they penetrate further into the internal networks. Any service that is being provided to users on the external network can be placed in the DMZ. The most common of these services are:
● Web servers
● Mail servers
● FTP servers
● VoIP servers

Data Link Layer (2)

The Data Link Layer provides node-to-node data transfer (between two directly connected nodes); it also handles error correction from the physical layer. Two sublayers exist here as well: the Media Access Control (MAC) layer and the Logical Link Control (LLC) layer. In the networking world, most switches operate here.

What is the OSI model?

The OSI model uses layers to help give a visual description of what is going on with a particular networking system. One way to remember the OSI model is with the phrase "Please Do Not Throw Sausage Pizza Away":
1. Physical
2. Data Link
3. Network
4. Transport
5. Session
6. Presentation
7. Application

Presentation Layer

The Presentation Layer represents the preparation or translation of application format to network format, or from network format to application format. In other words, the layer "presents" data for the application or the network. A good example of this is encryption and decryption of data for secure transmission; this happens at Layer 6.

Which security tools do you currently use

The SIEM tools I use are QRadar and Splunk. The EDR tools I use are CrowdStrike Falcon and SentinelOne. For phishing alerts and emails I use Proofpoint. When ticketing and drawing conclusions from my investigations I use Jira and Resilient.

What are HTTP status codes?

The Status-Code element in a server response is a 3-digit integer where the first digit of the Status-Code defines the class of response.

Session Layer

The fifth layer in the OSI model. This layer establishes and maintains communication between two nodes on the network. It can be considered the "traffic cop" for network communications. When two devices, computers or servers need to "speak" with one another, a session needs to be created, and this is done at the Session Layer. Functions at this layer involve setup, coordination (how long a system should wait for a response, for example) and termination between the applications at each end of the session.

Can you tell me about your day to day responsibilities at Cyber Now Labs

The first task of the day is receiving a hand-over of activity and information from the analysts on the previous shift, especially as we are in a 24/7 security operations center. I get a briefing on the current events: ongoing incidents or things that are suspicious that need monitoring, and any related tickets that have been opened to track such activities. Then I check my email and see if there is anything urgent or time sensitive that needs handling. Then I review the latest alerts and sort by relevancy and urgency. I create new trouble tickets for alerts that signal an incident and require Tier 2 / Incident Response review. I continuously monitor the alert queue, triage security alerts, monitor the health of security sensors and endpoints, and collect the data and context necessary to initiate Tier 2 work.

Transport Layer

The fourth layer of the OSI model. In this layer protocols ensure that data are transferred from point A to point B reliably and without errors. This layer's services include flow control, acknowledgment, error correction, segmentation, reassembly, and sequencing. It deals with the coordination of the data transfer between end systems and hosts: how much data to send, at what rate, where it goes, etc. The best-known example of the Transport Layer is the Transmission Control Protocol (TCP), which is built on top of the Internet Protocol (IP), commonly known as TCP/IP. TCP and UDP port numbers work at Layer 4, while IP addresses work at Layer 3, the Network Layer.

How would you handle a compromised endpoint?

The goal is to handle the situation in a way that limits damage and reduces recovery time and costs. I would use the SANS Incident Handler steps I am trained in. Preparation is key. According to the SANS Institute, there are six key phases of an incident response plan:
1. Preparation: Preparing users and IT staff to handle potential incidents should they arise.
2. Identification: Determining whether an event qualifies as a security incident.
3. Containment: Limiting the damage of the incident and isolating affected systems to prevent further damage.
4. Eradication: Finding the root cause of the incident and removing affected systems from the production environment.
5. Recovery: Permitting affected systems back into the production environment and ensuring no threat remains.
6. Lessons learned: Completing incident documentation, performing analysis to learn from the incident and potentially improving future response efforts.

Application Layer

The one at the top; it's what most users see. In the OSI model, this is the layer that is the "closest to the end user." Applications that work at Layer 7 are the ones that users interact with directly. Web browsers (Google Chrome, Firefox, Safari) and applications such as Skype, Outlook and Office are examples of Layer 7 applications.

Physical Layer (Layer 1)

The Physical Layer represents the electrical and physical representation of the system. This can include everything from the cable type and radio frequency link (as in an 802.11 wireless system) to the layout of pins, voltages and other physical requirements. When a network problem occurs, many networking pros go right to the physical layer to check that all of the cables are properly connected and that the power plug hasn't been pulled from the router, switch or computer, for example.

Threat Intelligence

The process of investigating and collecting information about emerging threats and threat sources.

Network Layer

The third layer in the OSI model. Protocols in this layer translate network addresses into their physical counterparts and decide how to route data (forward packets) from the sender to the receiver.

What is the difference between threat hunting and threat detection?

Threat detection is a reactive approach: it uses traditional preventive technologies and monitoring tools to detect malicious activity. Threat detection leads to mitigation. Threat hunting is a proactive approach: it detects slow and stealthy attacks that would otherwise go unnoticed by preventive technologies. Threat hunting leads to threat detection and incident response.

What is the difference between authentication and authorization

To be effective, authentication works together with identification and authorization (access control). Identification, such as a username, determines whether a user is known to the system. Authorization determines whether the user is allowed to access the requested resource or data.

TCP vs UDP

Transmission Control Protocol is connection-oriented, which means it establishes connections between two systems before transferring data. It is reliable, as it acknowledges the receipt of every packet. It guarantees delivery, and failed packets are retransmitted. Some examples are email and websites (HTTPS, SSH). It is responsible for most internet traffic. User Datagram Protocol, on the other hand, is connectionless. It is faster, but doesn't guarantee delivery as it doesn't perform acknowledgements. It is used for voice and video, where guaranteed delivery is not as essential.

What is TCP/IP

Transmission Control Protocol/Internet Protocol. It is designed as a model to offer a highly reliable, end-to-end byte stream over an unreliable internetwork. The TCP/IP model helps you to determine how a specific computer should be connected to the internet and how you can transmit data between them. It helps you to create a virtual network when multiple computer networks are connected together.

Where do you install threat intelligence in the network?

Trick question. TI is not installed on prem; it is a subscription-based service offered by many vendors.

Baseline

True positive, false positive, something to compare the anomaly with.

What is US-Cert

United States Computer Emergency Readiness Team
+ Each agency must designate a primary and secondary POC with US-CERT and report all incidents consistent with the agency's incident response policy.
+ Serves as "trusted introducer" to broker relationships between organizations.

Asymmetric encryption

Used in public key encryption, in which the key to encrypt data is different from the key to decrypt. Encryption is slow due to high computation. Often used for securely exchanging secret keys. SLOWER but MORE SECURE. Uses a public key for encryption and a private key for decryption.

FTP (File Transfer Protocol)

Uses port 21 to transfer data between systems.

What is the difference between antivirus and EDR

With EDR you can manage all computers from one location: visibility, enterprise data search, containment, data acquisition, triage.

What is your salary expectation

Well, based on my understanding and my skillset, and the rate that analysts make in this area, I have a pretty good idea and that window is 60-80k a year. I am in the process of an interview in Michigan and I can tell you it's going to be $40 an hour; if I can solidify a job here in local Virginia I would be happy.

Qradar helps us answer the following questions

What is being attacked?
What is the security impact?
Who is attacking?
Where should the investigation be focused?
When are the attacks taking place?
How is the attack penetrating the system?
Is the suspected attack or policy breach real or a false alarm?

How do you handle a phishing case

What type of phishing case is it? Malscan, impersonation. If they show a URL, talk about how you will analyze the purpose of that URL. What website is being posted, what is the intention? I hover over it and analyze what shows up in the bottom left. I love using urlscan.io: I will submit that link there and it will tell me if it is not hosting a legitimate domain and what is suspicious about it. Now I need to make sure how many other people received that email to determine my scope of how many users I am dealing with. I used Proofpoint, which is a security solution that helps us with this. I will request a domain block on our network.

What Kali tools are you currently using?

Wireshark for pcap analysis, Nmap.

How does threat intelligence work

Works in 2 ways. A few TI feeds let you download the IOC database on prem (like integrating into SIEM lists), so it is integrated into your SIEM solution. OR you get a subscription like SOC Radar, where every time you need to check the reputation of a file, URL, or IP address, the security solution makes a quick lightweight query to the TI server, gets the response and takes appropriate action. A few other TI sources work on a subscription basis, queried every time.

What are some open source threat intelligence sources

abuse.ch, VirusTotal, urlscan.io, ipvoid, urlvoid, OSINT, threatfeeds.io, autoshun.org, malwaredomainlist.com, ransom-db.com, genesis.market

What are the TCP/IP model layers?

Application, Transport, Internet, Network Access

Mimikatz

One of the tools to gather credential data from Windows systems. Mimikatz is now well known for extracting plaintext passwords, hashes, PIN codes, and Kerberos tickets from memory.

What ports do Windows systems use?

Ports 137, 138 and 139 for network communications using the NetBIOS protocol.

The following are a few examples of common incidents that can have a negative impact on businesses:

● A distributed denial of service (DDoS) attack against critical cloud services.
● A malware or ransomware infection that has encrypted critical business files across the corporate network.
● A successful phishing attempt that has led to the exposure of personally identifiable information (PII) of customers.
● An unencrypted laptop known to have sensitive customer records that has gone missing.

Walk me through the incident response process

● Preparation: Planning in advance how to handle and prevent security incidents.
● Identification (Detection and Analysis): Encompasses everything from monitoring potential attack vectors, to looking for signs of an incident, to prioritization.
● Containment, Eradication, and Recovery: Developing a containment strategy, identifying and mitigating the hosts and systems under attack, and having a plan for recovery.
● Post-Incident Activity: Reviewing lessons learned and having a plan for evidence retention.
SEE PAGE 17 CHANGE THIS

What sorts of anomalies would you look for to identify a compromised system?

● Unusual Outbound Network Traffic
● Anomalies in Privileged User Account Activity
● Geographical Irregularities
● Log-In Red Flags
● Increases in Database Read Volume
● HTML Response Sizes
● Large Numbers of Requests for the Same File
● Mismatched Port-Application Traffic
● Suspicious Registry or System File Changes
● Unusual DNS Requests
● Unexpected Patching of Systems
● Mobile Device Profile Changes
● Bundles of Data in the Wrong Place
● Web Traffic with Unhuman Behavior
● Signs of DDoS Activity

How to prevent a zero-day attack

● Update all applications and software as soon as security patches are released.
● Implement a Web Application Firewall (WAF) to protect your website. It helps to identify possible website attacks with much accuracy.
● Install an Internet Security suite that is loaded with a smart antivirus, sandboxing techniques, default-deny protection, and heuristic file behavioral analysis.
