SANS ISC: Internet Storm Center
Stay on Track During IR

Published: 2016-08-24
Last Updated: 2016-08-24 12:23:45 UTC
by Tom Webb (Version: 1)

When responding to incidents, it is easy to go down a rabbit hole that will not answer the questions we are always after: How did the attacker get in? What information was on the system? What information was accessed?

To streamline analysis, we need to determine which data sources are most useful for each incident classification. Pulling those into a methodology chosen per investigation gives the SOPs more flexibility: rather than copying the same collection steps into several procedure documents (not all of which will get updated), each methodology links to the one process document for that data source.

You can also chart out where specific items come from (e.g. determining the logged-in username for a computer), much like the SANS forensics poster shows where to find evidence of user activity. In the chart below, P marks a primary source and S a secondary source for that incident classification.

Incident class   | FW Log | IDS | HID | BRO | DHCP | NAC | Full Packet | SMTP Logs | DNS | AD | DLP
-----------------|--------|-----|-----|-----|------|-----|-------------|-----------|-----|----|----
Phish            |        |     |  S  |  P  |      |     |      P      |     P     |  S  |    |
Web Shell        |   S    |  S  |  S  |  P  |      |     |      P      |           |     |    |
C&C              |   S    |  S  |     |  P  |      |     |      P      |           |  P  |    |
Data Exfil       |   S    |     |  P  |  S  |      |     |      P      |           |     |    |
Logged-in user   |        |     |  S  |     |      |  P  |             |           |     |  P |

(P = primary source, S = secondary source. The DHCP and DLP columns carry no marks in the original chart.)
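One way to make the chart usable from a methodology, as an added example that is not part of the diary or of any SANS tooling: keep the chart as data, validate it (every classification has at least one primary source, every source links to exactly one procedure document), and generate a prioritized collection checklist for an incident that may span several classifications. The matrix below is transcribed from the chart above; the procedure file paths and the function names are hypothetical and stand in for whatever SOP repository you link to.

```python
"""Incident class -> data source matrix as data, plus a checklist generator.

Added example, not code from the ISC diary.  The matrix is transcribed from
the diary's chart; the procedure paths are hypothetical placeholders.
"""
from typing import Dict, Iterable, List, Tuple

PRIMARY, SECONDARY = "P", "S"   # codes used in the chart

# Rows: incident classification.  Columns: data source -> P or S.
SOURCE_MATRIX: Dict[str, Dict[str, str]] = {
    "Phish":          {"HID": "S", "BRO": "P", "Full Packet": "P",
                       "SMTP Logs": "P", "DNS": "S"},
    "Web Shell":      {"FW Log": "S", "IDS": "S", "HID": "S", "BRO": "P",
                       "Full Packet": "P"},
    "C&C":            {"FW Log": "S", "IDS": "S", "BRO": "P",
                       "Full Packet": "P", "DNS": "P"},
    "Data Exfil":     {"FW Log": "S", "HID": "P", "BRO": "S",
                       "Full Packet": "P"},
    "Logged-in user": {"HID": "S", "NAC": "P", "AD": "P"},
}

# One procedure document per data source, in the chart's column order.  Every
# methodology links here rather than carrying its own copy of the steps.
# (Hypothetical paths; substitute your own SOP repository.)
PROCEDURES: Dict[str, str] = {
    "FW Log":      "procedures/firewall-log-export.md",
    "IDS":         "procedures/ids-alert-pull.md",
    "HID":         "procedures/host-ids-triage.md",
    "BRO":         "procedures/bro-log-query.md",
    "DHCP":        "procedures/dhcp-lease-lookup.md",
    "NAC":         "procedures/nac-session-lookup.md",
    "Full Packet": "procedures/pcap-carve.md",
    "SMTP Logs":   "procedures/smtp-log-search.md",
    "DNS":         "procedures/dns-log-search.md",
    "AD":          "procedures/ad-logon-events.md",
    "DLP":         "procedures/dlp-incident-pull.md",
}


def validate_matrix(matrix: Dict[str, Dict[str, str]],
                    procedures: Dict[str, str]) -> List[str]:
    """Catch chart mistakes before they reach an SOP.

    Flags a classification with no primary source, a code other than P/S,
    and a source that has no linked procedure document.
    """
    problems: List[str] = []
    for incident, sources in matrix.items():
        if PRIMARY not in sources.values():
            problems.append(f"{incident}: no primary source")
        for source, code in sources.items():
            if code not in (PRIMARY, SECONDARY):
                problems.append(f"{incident}/{source}: bad code {code!r}")
            if source not in procedures:
                problems.append(f"{incident}/{source}: no linked procedure")
    return problems


def collection_plan(incident_types: Iterable[str],
                    matrix: Dict[str, Dict[str, str]] = SOURCE_MATRIX,
                    procedures: Dict[str, str] = PROCEDURES,
                    ) -> List[Tuple[str, str, str]]:
    """Ordered (code, source, procedure) list for one or more classifications.

    An incident often spans classes (a phish that became C&C).  Sources are
    merged so that a source rated P by any class stays P.  Primary sources are
    listed first; within a tier the chart's column order is kept.
    """
    merged: Dict[str, str] = {}
    for incident in incident_types:
        for source, code in matrix[incident].items():
            if code == PRIMARY or merged.get(source) != PRIMARY:
                merged[source] = code
    columns = list(procedures)
    ranked = sorted(merged.items(),
                    key=lambda kv: (kv[1] != PRIMARY, columns.index(kv[0])))
    return [(code, source, procedures[source]) for source, code in ranked]


def render_checklist(incident_types: Iterable[str]) -> str:
    """Plain-text checklist suitable for pasting into a case note."""
    types = list(incident_types)
    lines = [f"Collection plan for: {', '.join(types)}"]
    for code, source, proc in collection_plan(types):
        tier = "PRIMARY  " if code == PRIMARY else "secondary"
        lines.append(f"  [ ] {tier}  {source:<12} -> {proc}")
    return "\n".join(lines)


if __name__ == "__main__":
    assert not validate_matrix(SOURCE_MATRIX, PROCEDURES)
    print(render_checklist(["Phish", "C&C"]))
```

Running it for a phish that turned into C&C lists BRO, full packet, SMTP and DNS as primary (DNS is upgraded from the phish row's S because the C&C row rates it P), then the firewall, IDS and host IDS sources as secondary, each with the single procedure document it links to. The validation step is the part worth keeping in a CI job: a new classification row that forgets a primary source, or that names a source nobody has written a procedure for, fails before it reaches an analyst.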

Does anyone else use a similar process or have a better one? Leave a comment.


--

Tom Webb

@twsecblog
