
Hafiz Muhammad Attaullah

Incident Response For Common Attack Types

  1. Brute Forcing

Details:
An attacker tries to guess a password by submitting many candidate passwords against one account (or one common password against many accounts, a "password spray")
Threat Indicators:
• Multiple login failures for one account, or from one source, in a short period of time
• A burst of failures followed by a successful login from the same source
Where To Investigate:
• Active Directory logs
• Application logs
• Operating system logs
• Contact user
Possible Actions:
If the activity is not legitimate, block the attacking source and disable the account; if a success followed the failures, treat the account as compromised and reset the password before re-enabling it
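The indicator above is what a SIEM rule or a short triage script evaluates over authentication logs. The following is an added example, not code from the original post: it applies a sliding-window failure count per account/source pair to a constructed, simplified log and also records whether a successful login followed the burst, since that changes the action from "block the source" to "disable the account". The log format, thresholds and sample lines are all assumptions.

```python
"""Sliding-window detector for the brute-force indicator above.

Added example, not code from the original post. The log format is a constructed
simplification (assumption):
    <epoch> <FAIL|OK> user=<name> src=<ip>
Real sources (Windows 4625/4624, Linux auth.log, application logs) need their
own parser; only the windowing and correlation below carry over.
"""
from collections import defaultdict, deque

# Constructed sample: six failures for 'alice' from one source inside 40 s, then a
# success from the same source (the guess worked), plus benign noise for 'bob'.
SAMPLE_LOG = """\
1700000000 FAIL user=alice src=203.0.113.7
1700000005 FAIL user=alice src=203.0.113.7
1700000009 FAIL user=alice src=203.0.113.7
1700000015 FAIL user=alice src=203.0.113.7
1700000022 FAIL user=alice src=203.0.113.7
1700000031 FAIL user=alice src=203.0.113.7
1700000040 OK user=alice src=203.0.113.7
1700000100 FAIL user=bob src=198.51.100.2
1700001000 OK user=bob src=198.51.100.2
"""


def parse_line(line):
    """Split one constructed log line into (epoch, result, user, src)."""
    ts, result, user_kv, src_kv = line.split()
    return int(ts), result, user_kv.split("=", 1)[1], src_kv.split("=", 1)[1]


def detect_bruteforce(log_text, threshold=5, window=60):
    """Return {(user, src): finding} for every pair that reached `threshold`
    failures within any `window`-second span. A finding also records whether a
    successful login followed the burst within the same window, which escalates
    the response from 'block the source' to 'disable the account'."""
    recent = defaultdict(deque)   # (user, src) -> failure timestamps still in window
    findings = {}
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ts, result, user, src = parse_line(raw)
        key = (user, src)
        q = recent[key]
        if result == "FAIL":
            q.append(ts)
            while q and ts - q[0] > window:      # drop failures older than the window
                q.popleft()
            if len(q) >= threshold:
                f = findings.setdefault(
                    key, {"first_fail": q[0], "failures": 0, "success_after": False})
                f["failures"] = max(f["failures"], len(q))
                f["last_fail"] = ts
        elif result == "OK":
            f = findings.get(key)
            if f is not None and ts - f["last_fail"] <= window:
                f["success_after"] = True        # success right after a flagged burst
            q.clear()                            # a genuine login resets the count
    return findings


if __name__ == "__main__":
    for (user, src), f in detect_bruteforce(SAMPLE_LOG).items():
        action = "disable account + block source" if f["success_after"] else "block source"
        print(f"{user} from {src}: {f['failures']} failures -> {action}")
```

Tune `threshold` and `window` to the environment: lockout policies and MFA re-prompts produce legitimate failure bursts, and a password spray shows few failures per account but many accounts per source, so the same window is worth keying on the source alone as well as on the pair.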

  2. Botnets

Details:
Attackers have infected the victim server and use it to launch DDoS attacks or perform other malicious activities
Threat Indicators:
• Connection to suspicious IPs
• Abnormal high volume of network traffic
Where To Investigate:
• Network traffic
• OS logs (new processes)
• Contact server owner
• Contact support team
Possible Actions:
If confirmed:
• Isolate the server
• Remove malicious processes
• Patch the vulnerability utilized for infection

  3. Ransomware

Details:
A type of malware that encrypts files and demands a ransom (a payment) from the victim in exchange for the decryption key
Threat Indicators:
• Anti-Virus alerts
• Connection to suspicious IPs
• Mass file modifications or renames (new file extensions, ransom notes dropped in folders)
Where To Investigate:
• AV logs
• OS logs
• Account logs
• Network traffic
Possible Actions:
• Isolate the machine first (take it off the network and shared drives before it reaches more hosts)
• Request AV checks
• Identify the entry point and check other hosts and file shares the affected account could reach

  4. Data Exfiltration

Details:
The attacker (or a rogue employee) sends data to external destinations
Threat Indicators:
• Abnormally high outbound network traffic
• Connections to cloud-storage services (Dropbox, Google Cloud)
• Unusual USB storage devices
Where To Investigate:
• Network traffic
• Proxy logs
• OS logs
Possible Actions:
• If an employee: contact the manager, preserve evidence and perform full forensics
• If an external threat: isolate the machine and disconnect it from the network
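The two network indicators above (high outbound volume, uploads to cloud storage) can be triaged from proxy logs before anyone is contacted. Below is an added example, not code from the original post, that aggregates outbound bytes per user from a constructed proxy log, compares each user against the median of their peers, and separately totals uploads to a list of cloud-storage hostnames. The log format, the hostname list, the thresholds and the sample lines are assumptions.

```python
"""Proxy-log triage for the exfiltration indicators above.

Added example, not code from the original post. Log format is a constructed
simplification (assumption):
    <epoch> <client_ip> <user> <method> <host> <bytes_out> <bytes_in>
Squid, Zscaler and Blue Coat formats differ; adapt parse_line() and keep the rest.
"""
from collections import defaultdict
from statistics import median

# Hostnames treated as cloud storage (assumption; extend for your environment).
CLOUD_STORAGE_SUFFIXES = (
    "dropbox.com", "dropboxapi.com", "dropboxusercontent.com",
    "drive.google.com", "storage.googleapis.com",
)

# Constructed sample: 'alice' pushes ~1.2 GB to Dropbox; 'carol' makes a small
# upload to Google Drive; 'bob' and 'dave' are ordinary browsing.
SAMPLE_PROXY_LOG = """\
1700000000 10.0.0.5 alice GET www.example.com 812 52311
1700000010 10.0.0.5 alice POST content.dropboxapi.com 734003200 1204
1700000020 10.0.0.5 alice POST content.dropboxapi.com 512345678 1198
1700000030 10.0.0.7 bob GET intranet.corp.example 640 22010
1700000040 10.0.0.7 bob POST mail.corp.example 48210 9000
1700000050 10.0.0.9 carol GET drive.google.com 1200 88000
1700000060 10.0.0.9 carol POST drive.google.com 2048000 4100
1700000070 10.0.0.11 dave GET www.example.com 700 15000
"""


def parse_line(line):
    """Parse one constructed proxy-log line into a dict."""
    ts, client, user, method, host, out_b, in_b = line.split()
    return {"ts": int(ts), "client": client, "user": user, "method": method,
            "host": host, "bytes_out": int(out_b), "bytes_in": int(in_b)}


def is_cloud_storage(host):
    """Exact or subdomain match against CLOUD_STORAGE_SUFFIXES."""
    host = host.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in CLOUD_STORAGE_SUFFIXES)


def triage(log_text, ratio=10.0, min_upload=50_000_000):
    """Return {user: finding}. A user is flagged when total outbound bytes exceed
    `ratio` times the median user (volume far above peers) and/or when uploads
    (POST/PUT) to cloud-storage hosts reach `min_upload` bytes. Both reasons are
    reported because they are distinct indicators."""
    out_by_user = defaultdict(int)
    cloud_by_user = defaultdict(int)
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        r = parse_line(raw)
        out_by_user[r["user"]] += r["bytes_out"]
        if r["method"] in ("POST", "PUT") and is_cloud_storage(r["host"]):
            cloud_by_user[r["user"]] += r["bytes_out"]

    baseline = median(out_by_user.values()) if out_by_user else 0
    findings = {}
    for user, total in out_by_user.items():
        reasons = []
        if baseline > 0 and total > ratio * baseline:
            reasons.append(f"outbound {total} B is {total / baseline:.0f}x the median user")
        if cloud_by_user[user] >= min_upload:
            reasons.append(f"{cloud_by_user[user]} B uploaded to cloud storage")
        if reasons:
            findings[user] = {"bytes_out": total, "cloud_upload": cloud_by_user[user],
                              "reasons": reasons}
    return findings


if __name__ == "__main__":
    for user, f in triage(SAMPLE_PROXY_LOG).items():
        print(user, "->", "; ".join(f["reasons"]))
```

The median is used rather than the mean so that one exfiltrating user does not inflate the baseline and hide themselves. In production the baseline should be each user's own history over days, not the peers in a single window, and TLS-inspected proxies are needed to see the upload direction at all; without them `bytes_out` is the only signal.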

  5. Compromised Account

Details:
An attacker gains access to a legitimate account (via social engineering, phishing, credential theft or any other method)
Threat Indicators:
• Off-hours account logins
• Account group changes (especially additions to privileged groups)
• Abnormally high network traffic
Where To Investigate:
• Active Directory logs
• OS logs
• Network traffic
• Contact the user for clarification
Possible Actions:
If confirmed:
• Disable the account
• Reset the password and revoke active sessions and tokens
• Review what the account did and changed while compromised
• Forensic investigation
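Two of the indicators above become much stronger when they occur together: an off-hours login by itself is usually a user working late, but an off-hours login followed by the same account being added to a group is rarely benign. The following is an added example, not code from the original post, that correlates the two over constructed, pre-normalised events. The event shape, business hours and exempt-account list are assumptions.

```python
"""Correlates two indicators listed above for a compromised account: off-hours
logins and account group changes.

Added example, not code from the original post. Events are constructed dicts in a
simplified, normalised shape (assumption), roughly what a SIEM yields from Windows
4624 (logon) and 4728/4732 (member added to group) events after field extraction.
Timestamps are ISO-8601 in the account holder's local time zone (assumption).
"""
from datetime import datetime, timedelta

BUSINESS_HOURS = (8, 19)      # 08:00-18:59 local, Monday to Friday (assumption)
ON_CALL_EXEMPT = {"oncall"}   # accounts expected to log in at night (assumption)

# Constructed sample: 'jdoe' logs in at 03:14 and is added to Domain Admins six
# minutes later by their own account; 'asmith' and 'oncall' are benign.
EVENTS = [
    {"time": "2024-03-12T03:14:00", "type": "LOGON", "user": "jdoe", "src": "203.0.113.50"},
    {"time": "2024-03-12T03:20:00", "type": "GROUP_ADD", "user": "jdoe",
     "group": "Domain Admins", "actor": "jdoe"},
    {"time": "2024-03-12T09:05:00", "type": "LOGON", "user": "asmith", "src": "10.0.0.21"},
    {"time": "2024-03-12T11:30:00", "type": "GROUP_ADD", "user": "asmith",
     "group": "Finance-RO", "actor": "helpdesk1"},
    {"time": "2024-03-12T22:45:00", "type": "LOGON", "user": "oncall", "src": "10.0.0.9"},
]


def is_off_hours(ts, business_hours=BUSINESS_HOURS):
    """True on weekends or outside [start, end) local hours."""
    start, end = business_hours
    return ts.weekday() >= 5 or not (start <= ts.hour < end)


def correlate(events, window_minutes=60):
    """Return findings in time order. An off-hours logon alone is LOW; the same
    account gaining a group membership within `window_minutes` of that logon is
    HIGH and justifies disabling the account before the user is reached."""
    findings = []
    last_off_hours_logon = {}  # user -> datetime of most recent off-hours logon
    for ev in sorted(events, key=lambda e: e["time"]):
        ts = datetime.fromisoformat(ev["time"])
        user = ev["user"]
        if ev["type"] == "LOGON":
            if is_off_hours(ts) and user not in ON_CALL_EXEMPT:
                last_off_hours_logon[user] = ts
                findings.append({"user": user, "severity": "LOW",
                                 "reason": f"off-hours logon from {ev['src']}"})
        elif ev["type"] == "GROUP_ADD":
            prior = last_off_hours_logon.get(user)
            if prior is not None and ts - prior <= timedelta(minutes=window_minutes):
                minutes = int((ts - prior).total_seconds() // 60)
                findings.append({"user": user, "severity": "HIGH",
                                 "reason": (f"added to '{ev['group']}' by {ev['actor']} "
                                            f"{minutes} min after off-hours logon")})
    return findings


if __name__ == "__main__":
    for f in correlate(EVENTS):
        print(f["severity"], f["user"], f["reason"])
```

The exempt list and business hours are the parts that need local tuning; a global company needs per-user time zones, and the `actor` field is worth a rule of its own when it equals the target account.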

  6. Denial Of Service (DoS/DDoS)

Details:
The attacker makes a system unavailable either by exploiting a DoS vulnerability in it or by flooding it with a high volume of traffic (DDoS when the traffic comes from many sources)
Threat Indicators:
• Abnormally high network traffic to public-facing servers, often with service degradation or outage
Where To Investigate:
• Network traffic
• Firewall logs
• OS logs
Possible Actions:
• If DoS due to a vulnerability: contact the patching team for remediation
• If DDoS due to traffic volume: contact network support or the ISP for upstream filtering
