Upload File

incident response tools - users.cs.jmu.edu

23
Incident Response Tools James Madison University Dept. of Computer Science June 13, 2015 1 Introduction Being successfully attacked is inevitable. A determined hacker WILL be able to penetrate your network. The attacker, if they want to re-enter your network, will have to leave a backdoor somewhere. This means they will likely re-add guest accounts, disable firewall ports, and re-enable services that you had previously disabled (in the Windows Security Exercise...like FTP) to provide a means for them to access your computer easily. In this chapter, we will briefly re-examine things talked about in the Windows Security Exercise that are relevant after an incident and then we will cover new tools that will help you investigate an incident. All tools necessary are available on the Desktop of your IR Tools snapshot. 2 Services Knowing what services are running on your windows machine is very important, especially after being attacked. Having extra services running that are not necessary may add vulnerabilities to your machine and may allow an attacker to re-enter your network. The more services that are running on a machine means the more services you must protect and secure. By default, many software packages install many extra side services you do not want to be running, and as good network administrator you must be aware of these.

Upload: others

Post on 11-May-2022

2 views

Category:

Documents


0 download

Report

TRANSCRIPT

Page 1: Incident Response Tools - users.cs.jmu.edu

IncidentResponseTools

JamesMadisonUniversityDept.ofComputerScience

June13,2015

1Introduction

Beingsuccessfullyattackedisinevitable.AdeterminedhackerWILLbeabletopenetrateyournetwork.

Theattacker,iftheywanttore-enteryournetwork,willhavetoleaveabackdoorsomewhere.Thismeanstheywilllikelyre-addguestaccounts,disablefirewallports,andre-enableservicesthatyouhadpreviouslydisabled(intheWindowsSecurityExercise...likeFTP)toprovideameansforthemtoaccessyourcomputereasily.

Inthischapter,wewillbrieflyre-examinethingstalkedaboutintheWindowsSecurityExercisethatarerelevantafteranincidentandthenwewillcovernewtoolsthatwillhelpyouinvestigateanincident.

AlltoolsnecessaryareavailableontheDesktopofyourIRToolssnapshot.

2Services

Knowingwhatservicesarerunningonyourwindowsmachineisveryimportant,especiallyafterbeingattacked.Havingextraservicesrunningthatarenotnecessarymayaddvulnerabilitiestoyourmachineandmayallowanattackertore-enteryournetwork.Themoreservicesthatarerunningonamachinemeansthemoreservicesyoumustprotectandsecure.Bydefault,manysoftwarepackagesinstallmanyextrasideservicesyoudonotwanttoberunning,andasgoodnetworkadministratoryoumustbeawareofthese.

Page 2: Incident Response Tools - users.cs.jmu.edu

2.1WhatServicesarerunning?

AllMicrosoftWindowsServerEditionshaveaGraphicalUserInterfacestohelpmanagethemachine’sservices.TheGUItomanagewhatservicesarerunningcanbeaccessedintheStartMenuunderAdministrativeToolsbyclickingonServices.Figure1showshowtoaccesstheservicesGUIfromthestartmenu.

Figure1:ClickonServicestomanagewhatservicesarerunning

Bydefault,thelistofthingsonthislistislargeanddifficulttosortthroughbutwewillonlybelookingatafewchoicethings.Bydefault,WindowsFirewallisDisabled.Thisisaveryimportantservice.Anattacker,wantingtoregainaccesstoyoursystemlater,mayhavedisabledWindowsFirewall.Toturnitbackondoubleclickonit,change”Disabled”to”Automatic”,andthenPress”Start”.Figure2showshowtodothis.

Page 3: Incident Response Tools - users.cs.jmu.edu

Figure2:ChangeSetuptypetoAutomatictoturnthefirewallon.

YoumayalsonoticethattheFileTransferProtocolmaybeenabled.Itisveryimportantthatthisprotocol,andTelnet,aredisabledandtheyshouldalwaysstaydisabled.Theseprotocolsareusedsoremoteuserscanauthenticateanduseyourcomputer.RemoteAuthenticationisastandardpractice,butFTPandTelnetdonotdoitsecurely.IfyouseeSSHorVerySecurityFileTransferProtocoltheseservicesareokaytouse.Afteranattackerentersyoursystemtheymayre-enableFTPorTelnetinordertoaccessyourmachinelater.Theymaythinkthatthe

Page 4: Incident Response Tools - users.cs.jmu.edu

systemadministratormaynotnoticesincetheywerelikelydisabledtobeginwith.Thisiswhyitissoimportanttocheckandre-disabletheseservicesiftheyhavebeenenabled.

3Firewalls

AllWindowsdistributionscomewithabuiltinhostbasedfirewallthatyoucanconfigure.Intherealworldmanycompaniesbuyexpensivemachinesthatservesolelyasafirewall.EventhoughtheWindowsFirewallisnotexpensiveanddedicatedhardwareitisagreatlineofdefensetokeepattackersfromaccessingportsonyourcomputerthatmayhaveavulnerability.Itwillalsoprotectyourcomputerfromattacksthatoriginatefrominsideyournetwork.Itisveryeasytounderstandhowafirewallworks.Peopleconnecttoyourcomputerthroughportsandafirewallblocksports.Aneasywaytothinkaboutportsisalotoftinymailboxes.Anytimesomeonewantstocommunicatewithyourservertheyputmailinaparticularmailbox.Eachportisforadifferentpurpose.Afirewallwillblockthesemailboxessonobodycanputanythinginthem.Thisdecreasesthesurfaceareaahackercouldattackyouwith.

Page 5: Incident Response Tools - users.cs.jmu.edu

Figure3:ChangeSetuptypetoAutomatictoturnthefirewallon.

TousetheWindowsFirewallyoumustfirstenableit.WindowsFirewallcanbefoundintheControlPanel.AfterclickingonWindowsFirewallyoushouldseeauserinterfaceliketheoneinFigure3.ChangeWindowsFirewallfromofftoonandthenclicktheAdvancedtabatthetopoftheinterface.

Page 6: Incident Response Tools - users.cs.jmu.edu

Figure4:ClickSettingsandcheckAllowincomingechorequest.

Intheadvancedtab,clickSettingswithintheICMPsettings.WhentheICMPSettingsuserinterfacepopsupselectAllowincomingechorequestsandthenOk.Thisallowsothercomputerstopingyourcomputer.Pingisspecialanddoesnotuseaport,butyourfirewallisstillabletoblockit.NextclickontheExceptionstabatthetopoftheWindowsFirewall.TheseinstructionsarereflectedinFigure4

ClickontheAddPortbuttonintheExceptionstabtoaddexceptionstotheFirewall.BydefaultWindowsFirewallwillblockallportsandyouwillonlyopentheonesyouneed.Thisismucheasierthanleavingallopenandblockingtheonesyoudon’twantbecausetherearemorethansixty-fivethousandports.YourcomputerwillberunningaWebserverandwebserversgenerallyuseport80tocommunicatewithcomputersthatrequestwebpages.Figure5showsyouhowtounblockport80.AfterpressingOkinWindowsFirewall,yourFirewallchangeswilltakeaffectandyourfirewallwillbeactive.Youshouldalsodothesamewithport

Page 7: Incident Response Tools - users.cs.jmu.edu

23whichisTelnet(wewillgointowhylater,yesTelnetisinsecureandingeneralshouldnotbeused,butwehaveaveryspecificreason).

Figure5:MakesuretoselectTCPafterhittingpressingAddPort.

4CommandLineTools

Thecommandlineisapowerfultoolthatcanhelpadefendergetimportantinformationquicklyandeasily.Thereisalittlebitofalearningcurvewhenusingthecommandline,andalmostnobodyknowseverycommandthereis,butlearninghowtouseafewbasiccommandsisquickandeasy.Toopenthecommandline,clicktoopentheStartmenuandclickCommandPrompt,orpressWindowsKey+Randtypecmd.exe.Inthesetutorialswewillonlyscratchthesurfaceofthethingsthesecommandscando.Ifyouwanttolearnmoreaboutaparticularcommand,youcandosobytypingcommandhelpintotheterminal,where”command”isthecommandyouwantmoreinformationon.

4.1netstat

Page 8: Incident Response Tools - users.cs.jmu.edu

Netstatisapowerfulcommandlinetoolthatlistsimportantnetworkinginformationaboutyourcomputer.Themainusesfornetstatistoshowopennetworkconnections.Toreadcomprehensivedocumentationaboutnetstatyoucanreadhttps://technet.microsoft.com/en-us/library/bb490947.aspx.Netstatwillshowwhoandwhatiscurrentlyconnectedtoyourcomputer.Thisisanextremelyimportantthingtoknow.Ifanattackerwastohackyourcomputer,theywouldhavetocommunicatewithyourcomputeroverthenetworkinordertointeractwithit.Usingnetstatyoucouldseeifahackeriscurrentlyconnectedtoyourcomputerandtakestepstokickhimout.Inthecommandlinewindowtypenetstat-an.The-anisusedtospecifyexactlywhatinformationyouwanttoshow.-ameansnetstatwillshowallactiveconnections.-nmeansnetstatwillshowallportsyourcomputerislisteningforactiveconnectionson.Aftertypingnetstat–anandhittingenteryourterminalshouldlooksimilartothecommandlinewindowinFigure6.

Figure6:Outputfromanetstat-ancommand

Thisshowsyouwhatitlookslikewhentherearenoactiveconnectionsbutwhatwillitlooklikewhenyoudohaveanactiveconnection?Inordertotestthisandseehownetstatchanges,openawebbrowserandentergoogle.comintotheURLbarandhitenter.Re-enternetstat-anintotheterminalandviewhowtheoutput

Page 9: Incident Response Tools - users.cs.jmu.edu

changes.Therearenowconnectionsconnectingtoaforeignaddressthatyoucansee.ThisisbecauseyourcomputerestablishesaconnectionwithGoogleinordertocommunicateandaskGoogletosendyoutheirwebpage.Openanewwebpageandseehownetstatchanges.Itmaysometimesbedifficulttoidentifygoodversusbadconnectionsonyourcomputer.Generallyaconnectiontoaportthatyoushouldnotneedisbad.Anexampleofthiswouldbeawebserverthatonlyneedstoallowconnectionstoport80.Connectionsyouseetoport80aremorethanlikelygood,butifnetstatshowsaconnectiononport21,22,or23toaremoteaddressthenitishighlylikelythatyourcomputerhasbeencompromised.Alsocheckforyourcomputerconnectingtoforeignaddressonhighnumberports.

4.2ipconfig

ipconfigisacommandlineprogramthatcanbeusedtoshowthenetworkinginformationofyourcomputer.ItwillshowthingslikeyourIPaddress,physicaladdress,andDNSserver.

Figure7:Outputfromipconfig/allcommand

Page 10: Incident Response Tools - users.cs.jmu.edu

Thistoolisnotagreattooltokeephackersoutofyourcomputer.Itismoreatooltousewhenyoufirstsitdownonyourcomputer.ItmaybeusefultonoteyourIPaddress,DNSServer,gateway,andphysicaladdress.Thesevaluesarenotstaticandyoumaynoticethemchange,butifyounoticethesethingschangingoftenitmaybeasignanattackerhasplayedwithyournetworkingconfiguration.

5SysInternals

Sysinternalsisasuiteoffreetoolsthathelpusersbetterunderstandwhatishappeningonthecomputer.Theyareallavailable,alongwithtutorialsanddocumentation,athttp://technet.microsoft.com/enus/sysinternals/.Inthisdocumentwewilldemonstrateafewofthebesttoolsinthesuite.IfyouwishtodownloadallSysinternalstools,youcanathttp://download.sysinternals.com/files/SysinternalsSuite.zip,butalltoolsarealreadyinstalledtoyourdesktopintheSysinternalsfolder.Whatiscoveredinthistutorialisbynomeanscomprehensive.TheSysinternalssuitehassomanyusesandeventhetoolswecoverhavemanyusesbeyondthescopeofthistutorial.Ifyouhaveextratimetryloadingupatoolthatsoundsinterestingandseewhatyoucanfigureout.

5.1TCPView

TCPViewisaprogramwrittenbyMicrosoftthathelpsyouseenetworkinginformationforyourcomputer.Itisverysimilartonetstatbutinagraphicalform.Itcanbedownloadedfromhttp://download.sysinternals.com/files/TCPView.zip.Torunitdoubleclickon’tcpview.exe’intheSysinternalsfolder.Thegraphicaluserinterfacewillshowcurrent,activeTCPconnections.Ifanattackeriscommunicatingwithyourcomputeryoumayseeasuspiciousconnection.AnexampleofthiswouldbesomethinglikeNotepad.exeusingaTCPporttocommunicatewitharemotehost.Notepadshouldneverbecommunicatingoverthenetwork.

Page 11: Incident Response Tools - users.cs.jmu.edu

Figure8:TCPViewofadefaultWindows2003Installation.

AsyoucanseeWindowshasavarietyofservicesthatuseTCP.ThemajorityofthesedonothaveaRemoteAddress.Thismeansthatsomeprocessesonyourcomputerarecommunicating,usingTCP,withotherprocessesonyourcomputer.Thisisastandardpracticeand,forthemostpart,youwillonlyneedtobeconcernedwithsuspiciousprocessesconnectingtosuspiciousremoteaddresses.IfyoudonoticeasuspiciousTCPconnectionyoucaneasilyrightclickontheprocessesandclickonEndProcess.Itmaybeobviousthatthistoolisverysimilartonetstat.Ifyouareinahurryyoumightsavetimebyusingnetstat,butTCPViewismorepowerfulandhasgreaterfunctionalitybeyondmonitoring.YoucaneasilyseetheprocessassociatedwitheachTCPconnectionwhichisveryhelpful.

5.2ProcessMonitor

ProcessMonitor,calledprocmon.exeinSysinternals,isaprogramthatcanbeusedtoshowwhatresourceseachprocessesisusing.Manyprocessesrequiretheusageofdifferentresourcesthatarestoredonyourcomputer.ProcessMonitorwillhelpyouunderstandwhichresourceseachprocessisusing.ForthemostpartProcessMonitorisanadvancedtooltousethattakesalotoftechnicalknowledgetounderstandwhatisreallybeingshown,butknowingaboutthistoolisimportant.

Page 12: Incident Response Tools - users.cs.jmu.edu

Figure9showsausageforProcessMonitorthatdoesnotrequiredeeptechnicalknowledge.UsingtheProcessTree,foundintools,youcaneasilyseehoweachprocesswascreated,andbywhatprocesses.Thisisextremelyuseful.

Figure9:ProcessTreeexample.Seehowprocesseswerespawned.

UsingProcessTree,youcanlookforsuspiciouschildprocesses(processescreatedbyothers).Forexample,Firefox.exeshouldnotbespawningNotepad.exe.Processesthathavenothingtodowitheachothershouldnotbespawningeachother.IfyouseethisyoushouldinvestigatetheprocessesusingTCPViewasyoumayhavebeencompromised.Spendsometimelookingattheprocesstreeandnotinghowoneprocessmyspawnmanyothers.OpenaprogramandseehowtheProcessTreechanges.

5.3Autoruns

Onethinganattackerwilllikelydoafterhackingacomputerisaddinginamechanismtogetbackintothecomputerwhenitisturnedoffandon.Thismeanstheattackerhastosetthecomputertorunacertainprogramonstartup,

Page 13: Incident Response Tools - users.cs.jmu.edu

otherwiseonceyouturnacomputeroffalloftheattacker’sworkisgone.TodothistheywilladdafiletoanautorundirectoryortotheRegistry.Usually,whenapplicationswishtorunatstartup,theywillbeaddedinmsconfigtotheautoruntab.Checkingthisautoruntabisagoodstartbutisnotenough.AnattackerwhoknowsWindowsinternalswillknowtherearemanyplacestheycanputcodethattheywanttoberunatstart-up.In-fact,therearesomanyplacesitwouldtaketoolongtodothismanually.AutorunsisanapplicationthatcanbeusedtoshowALLprogramsthatwillrunatstart-up.Figure10showshowtoviewallAutorunprograms.Openautoruns.exeandselecttheEverythingtab.

Figure10:Showallprocessesthatareautorun.

InthisEverythingtabyoushouldseealotofthingsthatrunatstartupthatarerequiredforthecomputertoworkproperly.TheyarepartoftheWindowsOperatingSystem.LiketheotherSysinternalstools,youshouldbelookingforsuspiciousprogramsthatauto-run.SuspiciousprogramswouldincludeServicesthatarebeingstartedthatyouknowyoushouldnotberequired.IfanFTPServerisstartedwhenyoudonotneedFTP(youshouldneverneedFTP),orifastrange

Page 14: Incident Response Tools - users.cs.jmu.edu

looking.exeisstarted,youneedtoinvestigatethisandpossiblyremoveit.ChecktoseeifitislisteningforincomingconnectionswithnetstatandcheckTCPViewtoseeiftheprocesshasaremoteconnectiontoit.Nothingiscurrentlyhiddeninanautorundirectory.Thereisnothingforyoutoremovewiththistool,buttherearemanythingsthatrunatstartup.Takealookaroundatthem.Allthefunctionalitythatyourcomputerhasisaccomplishedwithprogramsthatrunatstartup.Itmaybeagoodideatofamiliarizeyourselfwithwhatanormalset-uplookslike,andthenlookforthingsthatareoutofplacewhenthetimecomes.

5.4RootkitRevealer

Sometimeshackerwillusesophisticatedsoftwaretohidetheirpresenceonthemachine.Forexample,thesoftwaremaychangethenetstatcommandoutputtofilteroutthehacker’sconnectiontoyourcomputer.Anyonewhousesthenetstatcommandwillseeregularoutputfromthecommand,butthehacker’sconnectionwillbemysteriouslymissing.ProgramsthatdothisarecalledRootkits.Theyareextremelydangerousandcanbedifficulttofind.InSysinternalsRootkitRevealer.execanbeusedtohelplocatethese.

Page 15: Incident Response Tools - users.cs.jmu.edu

Figure11:Showallprocessesthatareautorun.

Figure11showshowtostartascanandtellyourcomputertobeginlookingforrootkits.RootkitRevealerworksbyaskingforthesameinformationfromalotofdifferentplacesandtryingtofinddiscrepancies.Forexample,itmayaskforopenTCPconnections.Todothis,Rootkitrevealermayusenetstat,butalsoasktheunderlyingoperatingsystem.Ifthereisadiscrepancyintheinformationthatisreturned,RootkitRevealerwillalertyouandlookfortherootcause.RootkitRevealer,ifitfindsawell-knownrootkit,willalsoeasilyallowyoutoremoveit.Rootkitsareextremelypowerfultoolsandhavegottenextremelyadvancedandeasytouseinthelastfewyears.RootkitRevealermayhelp,butasadefenderyoureallydonotwanttobeinapositionwhereyouhavetoremovearootkit.IfRootkitRevealerdoesn’thelp,youmayhaveadifficultroadaheadofyou.Rememberthat,althoughthisisapowerfultoolandwilldoagoodjobdetectingrootkits,itisnotfoolproof.Thereisalwaysachanceofafalsepositivewhenscanning.

Page 16: Incident Response Tools - users.cs.jmu.edu

6EventViewer

TheEventviewerisusedtoviewlogsastheyaregeneratedonyourcomputer.Yourcomputer,bydefault,logsmanythings,likesuccessfulloginstoyourcomputer.Whatthecomputerlogscanbechangedtologmoreinformationortologlessinformation.Thisisatradeoff.Themorethingsyoulog,themoresystemresourcesyoumustdedicatetologging(processingpower,writingtodisk,andspace).Logtoolittleandyouareunabletodeterminewhathappenedifsomeonehacksyourcomputer.Thisisanimportanttradeoff.YoucanaccesstheEventViewerintheComputerManagementwindowinAdministrativeTools.Tochangeexactlywhatislogged,youmustaccesstheLocalSecurityPolicies,inAdministrativeTools.

6.1ChangeWhatIsLogged

Bydefault,Windowsdoesnotlogenough.Wewouldatleastliketoseefailedloginattemptsinsteadofonlysuccessful.Tomakewindowslogthese:

Page 17: Incident Response Tools - users.cs.jmu.edu

Figure12:Howtoaddfailedloginattempts.Remembertopress’apply’

YoucanviewtheseattemptsandseemuchmoreinformationintheeventviewerlikeinFigure13.DoubleclickingeventsintheEventViewerwillprovideyouwithmoreinformation.UsingtheEventViewer,youmaybeabletonoticeifyouhavebeencompromised.Forexample,ifyounoticemanyunsuccessfulloginattemptsatonecertaintime,followedbyasuccessfulattempt,itwouldbeagoodideathatyoushouldlookfurtherintotheincidentandresetthatuser’spassword.

Page 18: Incident Response Tools - users.cs.jmu.edu

Figure13:Howtoaddfailedloginattempts.Remembertopress’apply’

7ValhallaHoneypots

Honeypotsaretrapsthatdefenderssetontheirnetworkinordertoattracthackersandallowdefenderstoeasilyidentifywhoismaliciousontheirnetwork.Theconceptisstraightforward.AdefendercreatesaVirtualMachineorarealmachineandputsitontheirnetwork.Thedefendermakesitlooklikethismachineisveryoldandvulnerabletoattacks(lowhangingfruit).Hackersarelazy,solowhangingfruitisverydesirable.Sincearegularuseronthenetworkwillneverhaveaneedtoaccessthehoneypot,anycomputerthatcontactsthehoneypotislikelycompromised.Therearedifferentlevelsofinteractionthatahoneypotcanhave.Alowinteractionhoneypotwillfoolvulnerabilityscannersbutahackerwillneverbeabletohackor’log-in’.HighinteractionHoneypotswillfoolvulnerabilityscannersbutwillalsogivetheattacktheillusionthattheycanlog-inorhackthecomputer.ThereisalotofsoftwareouttherethatallowsyoutoeasilysetupahoneypotonaWindowsmachine.WewillbeusingsoftwarecalledValhallatocreatehoneypots.Valhallaiscapableofcreatinglow-interactionandhigh-interactionhoneypots.TouseValhalla,opentheValhalladirectoryonthedesktopanddoubleclickthe.exefile.Next,clicktheServerConfigbuttonontheleftside.

Page 19: Incident Response Tools - users.cs.jmu.edu

Figure14:ValhallaServerConfigGUI

AfteropeningtheServerConfigGUI,presstheOptionsbuttonforWebServer,FTPServer,andTELNETServer.SelecttheEnablebuttonsyouseeinFigure15andtheNoLoginrequiredbutton.

Page 20: Incident Response Tools - users.cs.jmu.edu

Figure15:ValhallaServerConfigGUI

AfterclickingtheEnablebuttonsyoucanXoutofthewindowsandclick"Monitoring".

Figure17:Valhallamonitoring.

Page 21: Incident Response Tools - users.cs.jmu.edu

NowtotestthiswecanruntheTELNETclientfromtheCommandPrompt.WithintheCommandPrompt,type"telnet127.0.0.1"(asshowninfigure16)andhitENTER.

Figure16:TelnetcommandwithinCommandPrompt

ThiswillnowestablishaconnectionwithyourHoneypot,whichcanbeseenwithintheValhallamonitoringwindow.Ifyoutypecommands(noneofwhichshouldworkordomuch)theywillalsobeloggedbytheHoneypot.

Figure19:Thehoneypotatwork.

Page 22: Incident Response Tools - users.cs.jmu.edu

AbovewastheTELNETpartoftheHoneypot,butwhataboutWEB?Stoppingthemonitoring,gobacktotheWEBclientportionofServerConfigandgototheOptions.MakesuretheFolderis"c:\inetpub\wwwroot"andtheIndexPageis"index.html"asshowninfigure20.

Figure20:WEBClientOptions

PressStart,clickRun,andtypecmd.exeandhitEnter.ThiswillcauseaCommandPrompttoopen.Next,typeecho”TextWebpage”>C:\inetpub\wwwroot\index.html.Thiswillcreateanewfile,calledindex.html,thatcontains”TextWebpage”.

AfterthisyoucanXoutoftheValhallaconfigurationwindowsandclick"Monitoring".

ThepointofthisisthatyouconfiguredValhallatohaveaWebserverhoneypot.ThispagewillbesenttoanyonewhotriestoaccessyourcomputeronPort80,becausewebserversalwaysrunonPort80.Totestthis,openupawebbrowser,andintheURLbartype"http://localhost".

8Conclusion

Respondingtoanincidentcanbedifficult.Piecingtogetherwhathappenedcanbeextremelychallenginganditispossiblethatyoumayneverhaveacompletepictureofwhathappened.Thistutorialwasshowedbasicre-hardeningand

Page 23: Incident Response Tools - users.cs.jmu.edu

incidentresponsetools,butthereisstillmuchtolearninthefuture.Therewasnothingtoremoveinthisexercisebecauseitisaverygoodideatoseewhatanon-compromisedcomputerlookslike,beforeyoutrytodecidewhetheradifferentcomputeriscompromised.Moreadvancedincidentresponsetechniqueswillalldifferdependingonwhatyouwishtodofollowingtheincident.Ifyouwishtobuildacaseandpresschargesagainsttheindividualsresponsible,yourcourseofactionwillbeverydifferentthanifyouonlywantyourcomputertobesafefromoutsiders.


Incident response cloud

MayDay-conf 2019-Oct Cluj...OSQuery–Endpoint Visibility Incident Management & Response TheHive–Security Incident Response Platform Cyphon.io–Incident Response Platform Offers:

Data Breach IncIDent response plan toolkIt · Incident Response Team 3 Incident Response Contact Sheet 4 Suspecting or Detecting an Incident 5 Incident Response Discovery Form 6 Incident

Improving Incident Response Incident Response Agenda Why Incident Response is Important Threats, Numbers, Traditional Response What is an Incident

Incident Response CD-ROMINCLUDESindex-of.co.uk/Hacking-Coleccion/Incident Response... · Incident Response Wiley Technology Publishing Timely. Practical. Reliable. Your in-depth guide

Establishing an Incident Response Plan...Computer Forensics. AGENDA • Incident Response Landscape • Incident Response Considerations • NIST Framework • Elements of an IR Plan

Lesson 11 Basics of Incident Response. UTSA IS 3523 ID and Incident Response Overview Hacker Lexicon Incident Response

California-Joint Cyber Incident Response Guide Cyber Incident...Feb 27, 2018  · Incident Response Lifecycle A security incident response capability will be developed and implemented

Cybersecurity Incident Response · 2017-04-11 · • Review the incident response phases • Discuss incident response team (IRT), meetings, tools, and documentation • Explain

INCIDENT RESPONSE ACTIVITY - ICS-CERT · 2017-01-09 · INCIDENT RESPONSE ACTIVITY. INDUSTRIAL CONTROL SYSTEMS. CYBER EMERGENCY RESPONSE TEAM. INCIDENT RESPONSE ACTIVITY. SITUATIONAL

Lesson 6 Basics of Incident Response. UTSA IS 6353 Security Incident Response Overview Hacker Lexicon Incident Response

Incident Response Plan - Spearstonespearstone.com/resources/Breach_Response_Plan_by_AICPA.pdf · 4 Table of Contents Incident Response Plan 6 Incident Response Team 6 Incident Response

Business Resilience & Incident Response Are You Ready? · Resilience & Incident Response ... Business Resilience & Incident Response ... Business Resilience & Incident Response Are

CrowdStrike Services CROWDSTRIKE INCIDENT RESPONSE AND PROACTIVE …€¦ · CrowdStrike Incident Response & Proactive Services. 01 AM I BREACHED? INCIDENT RESPONSE The CrowdStrike

Enterprise Incident Response - Cisco · Enterprise Incident Response: ... Case Study 2: Removable Media. ... • Full-scope incident response, analysis, and investigation

Incident Response Incident Response Process Forensics

Critical Incident Response Overview and Critical Incident ... · following standard emergency response under ... It is recommended that the following “Critical Incident Response

Exam information - Universitetet i oslo · Incident response is a reaction to unexpected events. Incident response shall reduce negative consequences of an incident. As incident response

Pollution Incident Response Management Plan Boral … · Pollution Incident Response Management Plan Boral Cement ... pollution incident response management plan. ... matter in the

POLLUTION INCIDENT RESPONSE MANAGEMENT PLAN FOR …danielsinternational.com.au/.../pollution-incident-response-plan.pdf · CONFIDENTIAL & PROPRIETARY | POLLUTION INCIDENT RESPONSE

1. Incident Response System Modelling...2 1. Incident Response System Modelling The Incident Response (IR) subsystem is responsible for handling any incident message and providing

TRAUMATIC INCIDENT RESPONSE PROGRAM …Traumatic Incident Response Program Manual March 2014 2 SECU State Employees' Credit Union TIR Traumatic Incident Response TIRC Traumatic Incident

Anti Incident Response

Be Prepared: Incident Response and Business Continuity ... · Incident Response and Business Continuity —What These Are Incident response management Ensure proper management response

Communication Strategies for Incident Response - · PDF fileEffective incident response requires more than notification technologies. Real-time collaboration among incident response

RSA Incident Response: Emerging Threat Profile€¦ · RSA Incident Response incident response RSA Incident Response: Emerging Threat Profile . Shell_Crew . January 2014

Cyber incident response - KPMG · the incident response programme. Incident response programme development • Assistance in creation of an incident response programme, process design

Lesson 5 Introduction to Incident Response. UTSA IS 6353 Incident Response Overview Hacker Lexicon Incident Response

Incident Totals Incident Type Response per District

Incident Response Preparedness: Best Practices - lba.org Crocker - Incident Response - Are... · Sr. Incident Response Consultant, Incident Response & Digital Forensics . SecureWorks

Incident Response Policy & Process...Incident Response Policy & Process Policy Document iCIMS – Information Security INCIDENT RESPONSE POLICY & PROCESS Policy Document Version 1.6,

How to Response Against Web Security Incident...Agenda Incident Response Life Cycle Recap Incident Response Web Hacking PlayBook Incident Response Step for Web Hacking Security Incident

Incident response

LCG Incident Response

Digital Forensics, Incident Response, and Cloud Computing · Digital Forensics, Incident Response, and Cloud ... •Cloud-ready incident response and forensics: ... forensics-incident-response-summit-jesse-kornblum-computer