Incident Response For Common Attack Types
- Brute Forcing
Details:
An attacker tries to guess a password by submitting many candidate passwords against one account (or a few common passwords against many accounts)
Threat Indicators:
Many login failures in a short period of time, for one account or from one source IP across many accounts
Where To Investigate:
• Active Directory logs
• Application logs
• Operating system logs
• Contact user
Possible Actions:
If the activity is not legitimate, disable the targeted account, block the attacking source, and investigate (a successful login right after the burst of failures means the guess may have worked)
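The indicator above ("many failures in a short period") is easy to turn into detection logic. The following is an added example, not code from the original post: it reads authentication log lines in a constructed format (not any real product's format), counts failures per source IP inside a sliding time window, and upgrades the alert when the same source later logs in successfully, which is the case the "Possible Actions" entry cares about. The log format, threshold, window and sample lines are all assumptions of this example.

```python
"""Brute-force detection over authentication log lines (added example)."""
from collections import defaultdict, deque
from datetime import datetime, timedelta
import re

# Constructed log format for this example (not a real product's format):
#   "<ISO timestamp> <FAIL|OK> user=<account> src=<source IP>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<result>FAIL|OK) user=(?P<user>\S+) src=(?P<src>\S+)$"
)

# Constructed sample: 203.0.113.7 fails five times in eight seconds and then
# succeeds; 198.51.100.2 fails twice, 25 minutes apart (a user mistyping).
SAMPLE_LOG = """\
2024-05-01T09:00:01 FAIL user=alice src=203.0.113.7
2024-05-01T09:00:03 FAIL user=alice src=203.0.113.7
2024-05-01T09:00:04 FAIL user=alice src=203.0.113.7
2024-05-01T09:00:06 FAIL user=alice src=203.0.113.7
2024-05-01T09:00:08 FAIL user=alice src=203.0.113.7
2024-05-01T09:00:09 OK user=alice src=203.0.113.7
2024-05-01T09:05:00 FAIL user=bob src=198.51.100.2
2024-05-01T09:30:00 FAIL user=bob src=198.51.100.2
2024-05-01T10:00:00 OK user=carol src=192.0.2.10
"""


def parse_events(log_text):
    """Yield (timestamp, result, user, src) for each well-formed line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:  # lines that do not match the expected format are skipped
            yield datetime.fromisoformat(m["ts"]), m["result"], m["user"], m["src"]


def detect_brute_force(log_text, threshold=5, window=timedelta(minutes=1)):
    """Return one alert per source IP that reaches `threshold` failed logins
    inside a sliding `window`.

    The alert starts with status 'burst'. If the same source later logs in
    successfully, the status becomes 'success_after_burst': the guess may
    have worked, so that account is the one to disable and investigate first.
    """
    recent_failures = defaultdict(deque)  # src -> failure timestamps in window
    targeted_users = defaultdict(set)     # src -> accounts it failed against
    alerts = {}                           # src -> alert (one per source)

    for ts, result, user, src in parse_events(log_text):
        if result == "FAIL":
            q = recent_failures[src]
            q.append(ts)
            while q and ts - q[0] > window:  # drop failures older than window
                q.popleft()
            targeted_users[src].add(user)
            if len(q) >= threshold and src not in alerts:
                alerts[src] = {
                    "src": src,
                    "failures": len(q),
                    "users": sorted(targeted_users[src]),
                    "first": q[0],
                    "last": ts,
                    "status": "burst",
                }
        elif src in alerts and alerts[src]["status"] == "burst":
            alerts[src]["status"] = "success_after_burst"
            alerts[src]["compromised_user"] = user

    return list(alerts.values())


if __name__ == "__main__":
    for alert in detect_brute_force(SAMPLE_LOG):
        print(alert)
```

Run against the sample, only 203.0.113.7 is reported: five failures within the one-minute window followed by a success. The two failures from 198.51.100.2 are 25 minutes apart, so they never coexist in the window and produce no alert, which is the behaviour you want for a user who mistyped a password.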
- Botnets
Details:
Attackers are using the victim server to perform DDoS attacks or other malicious activities
Threat Indicators:
• Connection to suspicious IPs
• Abnormal high volume of network traffic
Where To Investigate:
• Network traffic
• OS logs (new processes)
• Contact server owner
• Contact support team
Possible Actions:
If confirmed:
• Isolate the server
• Remove malicious processes
• Patch the vulnerability used for the infection
- Ransomware
Details:
A type of malware that encrypts files and demands a ransom (a money payment) from the victim in exchange for decrypting them
Threat Indicators:
• Anti-Virus alerts
• Connection to suspicious IPs
Where To Investigate:
• AV logs
• OS logs
• Account logs
• Network traffic
Possible Actions:
• Request AV checks
• Isolate the machine
- Data Exfiltration
Details:
The attacker (or rogue employee) exfiltrates data to external sources
Threat Indicators:
• Abnormal high network traffic
• Connections to cloud-storage services (Dropbox, Google Cloud)
• Unusual USB storage devices
Where To Investigate:
• Network traffic
• Proxy logs
• OS logs
Possible Actions:
• If employee: Contact manager, perform full forensics
• If external threat: Isolate the machine, disconnect from network
- Compromised Account
Details:
Attackers gain access to an account (via social engineering or any other method)
Threat Indicators:
• Off-hours account logins
• Account group changes
• Abnormal high network traffic
Where To Investigate:
• Active Directory logs
• OS logs
• Network traffic
• Contact user for clarifications
Possible Actions:
If confirmed:
• Disable account
• Reset the password
• Forensic investigations
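The two account-level indicators listed above (off-hours logins and group changes) become much stronger when they occur together for the same account within a short time. The following is an added example, not code from the original post: it reads logon and group-membership events in a constructed format (not Active Directory's or any real product's format), flags each indicator, and escalates an account only when a group change follows an off-hours logon, or when the group is privileged. The event format, business-hours policy, privileged-group list and sample events are assumptions of this example.

```python
"""Compromised-account triage over logon and group events (added example)."""
from collections import defaultdict
from datetime import datetime, time, timedelta
import re

# Constructed event format for this example (not a real product's format):
#   "<ISO timestamp> user=<account> action=logon src=<ip>"
#   "<ISO timestamp> user=<account> action=group_add group=<group name>"
EVENT_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>logon|group_add)"
    r"(?: src=(?P<src>\S+))?(?: group=(?P<group>.+))?$"
)

# Assumed policy for the example: business hours are 08:00-18:00 on weekdays,
# and these groups are treated as privileged.
BUSINESS_START, BUSINESS_END = time(8, 0), time(18, 0)
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins"}

# Constructed sample (2024-05-06 is a Monday, 2024-05-04 a Saturday).
SAMPLE_EVENTS = """\
2024-05-06T09:12:00 user=alice action=logon src=10.0.0.5
2024-05-06T02:47:00 user=bob action=logon src=10.0.0.9
2024-05-06T03:02:00 user=bob action=group_add group=Domain Admins
2024-05-04T11:00:00 user=carol action=logon src=10.0.0.7
2024-05-06T15:00:00 user=dave action=group_add group=Helpdesk
"""


def is_off_hours(ts):
    """True on weekends or outside the assumed business hours."""
    return ts.weekday() >= 5 or not (BUSINESS_START <= ts.time() < BUSINESS_END)


def assess_accounts(event_text, correlation_window=timedelta(hours=2)):
    """Return {user: {"indicators": [...], "verdict": ...}} for every user
    with at least one indicator.

    'escalate': a group change follows an off-hours logon within
    `correlation_window`, or the group is privileged -> disable the account,
    reset the password, start forensics.
    'review': a single weaker indicator -> contact the user for clarification.
    """
    per_user = defaultdict(list)
    for line in event_text.splitlines():
        m = EVENT_RE.match(line.strip())
        if m:  # lines that do not match the expected format are skipped
            per_user[m["user"]].append(
                (datetime.fromisoformat(m["ts"]), m["action"], m["src"], m["group"])
            )

    findings = {}
    for user, events in per_user.items():
        events.sort(key=lambda e: e[0])  # chronological: correlate backwards only
        indicators, off_hours_logons, escalate = [], [], False
        for ts, action, src, group in events:
            if action == "logon" and is_off_hours(ts):
                off_hours_logons.append(ts)
                indicators.append(f"off-hours logon at {ts.isoformat()} from {src}")
            elif action == "group_add":
                privileged = group in PRIVILEGED_GROUPS
                indicators.append(
                    f"added to {'privileged ' if privileged else ''}group '{group}' "
                    f"at {ts.isoformat()}"
                )
                recent = any(
                    timedelta(0) <= ts - t <= correlation_window
                    for t in off_hours_logons
                )
                if recent:
                    indicators.append("group change shortly after an off-hours logon")
                if recent or privileged:
                    escalate = True
        if indicators:
            findings[user] = {
                "indicators": indicators,
                "verdict": "escalate" if escalate else "review",
            }
    return findings


if __name__ == "__main__":
    for user, finding in assess_accounts(SAMPLE_EVENTS).items():
        print(user, finding["verdict"], *finding["indicators"], sep="\n  ")
```

On the sample, bob is escalated (a 02:47 logon followed fifteen minutes later by an add to "Domain Admins"), carol and dave each get a single indicator and a "review" verdict (a weekend logon, and a weekday add to a non-privileged group), and alice produces nothing. Tune the business-hours window per user or per team before relying on the off-hours rule; shift workers will otherwise generate constant noise.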
- Denial Of Service (DoS/DDoS)
Details:
The attacker disrupts a system either by exploiting a DoS vulnerability (a single request or small number of requests that crash or stall the service) or by generating a high volume of traffic that exhausts its capacity
Threat Indicators:
Abnormal high network traffic in public facing servers
Where To Investigate:
• Network traffic
• Firewall logs
• OS logs
Possible Actions:
• If DoS due to vulnerabilities: Contact the patching team for remediation
• If DDoS due to network traffic: Contact network support or the ISP