Responding to Cyberattacks

Question 1

An alert was generated that an anomalous logon occurred to one of our servers. What are the questions that should be asked?

Answer 1

• Whose account was used?
• Where did the logon occur from?
• Where was that account being used before the logon?
• Has there been any other potentially anomalous activity seen with that account?

Question 2

What are some of the common cybersecurity incidents that incident response teams need to react to? (7)

Answer 2

• Data Breaches
• Ransomware Attacks
• Phishing and Spear-Phishing Attacks
• DDoS (Distributed Denial of Service) Attacks
• Advanced Persistent Threats (APTs)
• Insider Threats
• Malware Infections

Question 3

What are the different kinds of data breaches?

Answer 3

• ongoing discovered data exfiltration where sensitive data is continuously uploaded to attacker’s server
• misconfigured cloud server that contains sensitive information and that is accidentally publicly available
• credential compromise where attacker gains access to user credentials, either through phishing, keylogging, or credential stuffing, and uses them to access sensitive systems or data
• an insider threat where current or former employee misuses their access to steal or expose sensitive information
• 3rd party or data sharing data breach where data is exposed due to a breach at a third-party vendor or through mishandling of data sharing
• lost or stolen devices where devices containing sensitive data (laptops, mobile devices, external storage) are lost or stolen
• exploitation of vulnerabilities in web or software applications, leading to unauthorized data access

Question 4

You receive an alert that claims that a user station is uploading a lot of data to an unknown IP address. How do you approach this?

Answer 4

1. check the destination IP address to determine the reputation and also threat intelligence and threat feeds that you have subscription for
2. check the application protocol and port used to transfer the data and also the process used to generate this data, if available
3. review the user’s historical data transfer patterns to determine if the current activity is an anomaly (UEBA)
4. check if there are other related SIEM alerts or events that could be correlated with this activity (login attempts, unusual after-hours activity)
5. if available, check if there are any session logs that could indicate the volume of transfered data and the duration of the session
6. with this data, contact the customer to find out more about the host uploading the data
7. do a packet capture, if available, connect to the host, and look for the process that generates this traffic if this was not included in the log
8. block the IP address and investigate in parallel if there are similar patterns from other hosts in the network and make sure that the data didn’t start to get uploaded elswhere, as IP addres is easy to change
9. engage the forensics team and determine how did the intrusion happened in the first place in order to successfully eradicate the threat

Question 5

You are investigating a potential memory-based malware on a Windows system. This type of malware resides in memory and typically leaves no traces on the hard drive. What specific tools and commands would you use to analyze and identify this kind of malware? Describe your approach in detail.”

Answer 5

• Preserve System State
  
  • ensure that the system is not restarted or shut down to preserve the contents of the memory
• Memory Dump
  
  • perform a memory dump to capture the contents of the system’s RAM
• Analysis with Volatility
  
  • use the tool to dentify suspicious processes, network connections, or unusual patterns in memory
• Further Analysis
  
  • use threat intelligence databases for known malware signatures or behaviors
• Documentation
  
  • keep a detailed record of your findings, including the commands used and the output, for further investigation and reporting

Question 6

What tools can you use to dump the content of the memory in Windows?

Answer 6

1. Windows Memory Diagnostic
2. Sysinternals tool livekd

Question 7

How would you use livekd command to create a memory dump file?

Answer 7

livekd -m c:\memory.dmp