Skip to content

Incident Handling Process

  1. Preparation
    • Covers The readiness of an organization of an attack
    • Documenting requirements
    • Defining Policies
    • Incorporating controls to monitor like EDR/SIEM/IDS/IPS
    • Hiring / Training staff
  2. Detection and Analysis
    • Detecting an incident
    • Analysis process of the incident
    • Alerts from Security controls like SIEM/EDR investigating the alert to find the root cause
    • Hunting for the unknown threat
  3. Containment, Eradication, and Recovery
    • Actions needed to prevent the incident from spreading
    • Securing the network from the attack
    • Isolating the infected host
    • clearing the network from the infected traces
    • gaining control back from the attack
  4. Post-incident Activity / Lessons Learnt
    • identifying the loopholes in the security posture that led to the intrusion
    • Improving so that the attack does not happen again
    • Indetifying weaknessess that lead to the attack
    • Adding detection rules so that similar breach does not happen again
    • Training staff

Cyber Kill Chain

  • Reconaissance
  • Weaponization
  • Delivery
  • Exploitation
  • Installation
  • Command and Control
  • Actions on Objectives

Interesting log sources

  • Wineventlog
    • contains windows events logs
  • winregistry
    • contains logs related to the registry creation/modification/ deletion
  • XmlWinEventLog
    • contains stsmon event logs
    • important log source from an investigation point of view
  • Fortigate_utm
    • contains Fortinet Firewall logs
  • iis
    • contains IIS web server logs
  • Nessus:scan
    • contains results from the Nessus vulnerability scanner
  • Suricata
    • Contains the details of the alerts from the Suricata IDS.
    • This log source shows which alert was triggered and what caused the alert to get triggered— a very important log source for the Investigation.
  • stream:http
    • contains the network flow related to http traffic
  • stream: DNS
    • contains the network flow related to DNS traffic
  • stream:icmp
    • contains the network flow related to icmp traffic

Reconnaissance Phase

  • an attempt to discover and collect info about a target
  • knowledge about the system in use
  • the web app
  • employees or location
  • To identify IP address

sample searches

  • query
    • index=botsv1 imreallynotbatman.com

  • explanation

    • looking for event logs in the index "botsv1" which contain the term imreallynotbatman.com

  • query

    • index=botsv1 imreallynotbatman.com sourcetype=stream:http
  • explanation
    • this