Menu
Incident Response Forensics
Threat Hunting is a proactive method. It's a way of looking for adversaries actively, identifying known malware, performing anomaly detections, and utilizing the threat intelligence information.
Incident Response is reactive, and the process starts after the team received an alert or notification. Majority of the organization starts from reactive (IR) and slowly moves to the Threat Hunting as they mature. Threat Intelligence plays a crucial role in the success of the IR and TH Programs in any organization. In this series, I'll talk about couple of ways folks use to obtain password in Unix System starting with basic methods and will dive deeper subsequently. Users often make mistake to type password in the shell instead of the password prompt. One of the easiest way to find it is to do it via searching the .bash_history of all the users. Many developer accidentally add AWS access key and secret in the code as a variable. Assume it has been compromised and follow the steps below:
Six Steps of Incident Response are as follows:
The Incident management should also focus on understanding the motivation of the adversaries. Lets talk about the each step in detail below: Preparation - Organizations should not only focus on the development of an incident response capability but also think of the ways to respond to the incidents. Prevention is better than cure - Companies should focus on the ways to prevent and incident. Logging and retaining the right data is the key. This will help the security operations team to respond to the incident in a much faster way. * Another key aspect is to have a centralized database and use some sort of SIEM with it for free text search to enable your analyst to search quickly and report finding to the incident commander. * To respond better to Incidents, Organization does prepare cybersecurity plans, performs tabletop exercises, hires retainers and purchase cyber insurance, etc. Identification - Majority of the companies rely on the employees or law enforcement agencies to notify about the abnormal activity (Third Party). Having a good detection plan is critical for the organization to succeed. Usually, detection teams write/develop alerts based on the data EDR tools, and threat intel feeds. The adversaries are smart enough, and they know your detection methods very well. An advanced intruder will drop malware on only a few machines and move laterally to gain access to other machines and maintain persistence there. As a knee-jerk response, the majority of the organization will move to eradication without scoping the incident well. To identify the right Indicator of compromise must be granular like IP address, Hostname, Command, and Control (C2), FQDN, etc. Calculated Data is also critical like Hash Value on a file. Think about it - Will you trust an IP or a Computed Malicious hash more? In the majority of the cases, you'll not be able to find the IOC just based on granular and calculated data. You'll need to come up with behavior. User Behavior Analytics can play a crucial role in identifying an intruder. * Make sure you "Scope" the incident very well before moving forward else you'll end up month fighting the same intruder. Containment - To Scope an Incident in the right way, you'll need the information about the actions taken by the intruder. Things like malware type, how they are moving laterally, how they are maintaining persistence etc. Develop the intelligence about the intruder before moving to remediation. * Tools like Joe Sandbox, VirusTotal, Yara can help you in developing the intelligence as well. Eradication/Remediation - This is time to mitigate the incident, totally depends on the type of adversary you are fighting. You may need to block some IP, Sinkhole domains, change passwords etc. Recovery/Actions - There are several things that the security team will learn during the incident. Recovery is things like improving the authentication, or adding another layer of Authorization, Add additional logging, purchasing/implementing new tools for visibility etc. Follow up / Post Incident Review - Follow up needed to make sure the incident is completely mitigated and adversary is removed completely. May be you can have your red team perform the similar attack to see if there are any open loopholes. Key Point: The adversaries are smart and they know about majority of the tools and methods out there in the market. To be successful against them move towards the intelligence driven incident response. It's critical to understand the motive of the intruder. You should ask this question multiple times during an investigation. What is he/she trying to get? student_number = []
student_name ["mark","rob","Jessica"] Index is used to access elements in a list for example: student_name[0] == "Mark" student_name[1] == "rob" student_name[-1]="Jessica" Replacing an element in list Student_name[0] ="James" student_name ["James","rob","Jessica"] Add element to a list: student_name.append("mark") student_name ["James","rob","Jessica","mark"] Checking element in list: "mark" in student_name == True number = 5
if number == 5: print("Number is 5") else: print("Number is Not 5") Truthy and Falsy Value: Eg; Any number other than 0 has truthy value Eg: Empty string is falsy value python_book = True if not python_book: print("This will not execute") Multiple If Conditions: number = 3 python_book = True if number = =3 and python_book: print("This will work") if number == 17 or python_book: print("This will work too") Ternary if Statements a = 1 b =2 "bigger" if a > b else "smaller" Note: This can be super helpful in list comprehension. Numbers
Integer = Number Float = Decimal Number Code Example: Integer: answer = 42 Float: pi = 3.14159 Complex Number (Python 3): Easy TypeCast int(pi) == 3 float(answer) == 42.0 String: Python 2: ASCII Python 3: Unicode String Can be defined using: 'Jello World' = "Jello World" = """Jello World """ Example: "hello.capatalize() == "Hello" "hello".replace("e" , "a") == "Hallo" "hello".isalpha() == True "123".isdigit()== True #Useful when converting to Int Advanced "Some, csv, values".split(",") = ["some","csv","values"] String Format name = "PythonGo" Machine = 'BAL" "Great meeting you {0}. I am {1}".format(name,machine) Python 3.6 String Interpolation: f"Great meeting you {name}. I am {machine} Boolean and None: python_book = True java_book = False Used often with If Statement Note - Both Start with Capital Letter T and Capital F int(python_book) == 1 int(java_book)==0 ste(python_book) == "True" aliens_found= None |
Archives
April 2020
Categories |