incidentresponse - All Articles - CISO Platform (feed updated 2024-03-28T20:12:57Z) https://www.cisoplatform.com/profiles/blogs/feed/tag/incidentresponse
Incident Response Process - Signs Of Compromise
https://www.cisoplatform.com/profiles/blogs/incident-response-process-signs-of-compromise
Published 2017-09-19T10:50:38.000Z by pritha (https://www.cisoplatform.com/members/pritha)
<div><p>Here are some indicators which will help you detect a compromise:</p>
<ul>
<li>Identification of the same email sent from a public domain to a significant number of users, C-level employees or other high-value targets; encrypted, password-protected or zipped attachments used to escape the email malware filter (put the user in the reference list)</li>
<li>Endpoint / HIPS / host-based malware alerts for local script execution by the same user; raise an incident</li>
<li>Identify unusual traffic volumes to multiple ports or IP addresses, or excessive packet loss (e.g. a connection to an external IP lasting over 4 hours)</li>
<li>Examine abnormal services on known ports and abnormal ports for well-known services, and verify the reputation scores of the IPs involved (e.g. SSH to port 80)</li>
<li>EDR and WAF alerts for scripts and hash mismatches</li>
<li>Botnet filter alerts for traffic to blacklisted domains</li>
<li>Email / spam filter misbehaviour or maintenance activity followed by suspicious activity on the network, especially involving unknown or suspicious remote destinations</li>
<li>Monitor packet flow into and out of the network for likely patterns of Command and Control (C&amp;C) traffic, outbound custom encrypted communications, covert communication channels with external entities, etc.</li>
<li>Threat intelligence alerts for connections or data sent to suspicious destinations outside the organization, especially those in less reputable geographic locations and at odd hours</li>
<li>Examine whether any data breach has occurred, e.g. unusually large HTML packets</li>
<li>Review hourly and daily reports of network usage to identify unusual occurrences and spikes in traffic</li>
</ul>
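<p>Three of the network indicators above (a connection to an external IP lasting over 4 hours, a well-known port carrying the wrong service such as SSH on port 80, and external connections at odd hours) can be checked mechanically against flow records. The following is an added example, not code from the original post; the flow records, the 10.0.0.0/8 internal range, the port-to-application table and the 00:00-05:59 "odd hours" window are all constructed assumptions.</p>

```python
import ipaddress
from datetime import datetime, timedelta

# Constructed flow records (not from the original post), one per connection:
# start time (ISO), source IP, destination IP, destination port, detected application, duration (s).
FLOWS = [
    ("2017-09-18T10:05:00", "10.1.2.15", "10.1.9.40",     22,  "ssh",  120),    # internal, benign
    ("2017-09-18T11:30:00", "10.1.2.15", "203.0.113.7",   443, "tls",  15000),  # >4h to external IP
    ("2017-09-18T14:12:00", "10.1.2.18", "198.51.100.23", 80,  "ssh",  300),    # SSH on port 80
    ("2017-09-18T03:20:00", "10.1.2.22", "203.0.113.99",  443, "tls",  60),     # external at odd hours
    ("2017-09-18T09:00:00", "10.1.2.22", "192.0.2.10",    80,  "http", 45),     # external, benign
]

INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]   # assumption: the organisation's address space
EXPECTED_APP = {22: "ssh", 80: "http", 443: "tls"}    # application expected on each well-known port
LONG_CONNECTION = timedelta(hours=4)                   # threshold quoted in the post
ODD_HOURS = range(0, 6)                                # assumption: 00:00-05:59 counts as odd hours

def is_external(ip):
    """True when the address falls outside every internal network."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)

def flag_flow(start, src, dst, dport, app, dur_s):
    """Return the names of the indicators a single flow triggers (empty list if none)."""
    reasons = []
    external = is_external(dst)
    if external and timedelta(seconds=dur_s) > LONG_CONNECTION:
        reasons.append("long_external_connection")
    if dport in EXPECTED_APP and EXPECTED_APP[dport] != app:
        reasons.append("service_port_mismatch")
    if external and datetime.fromisoformat(start).hour in ODD_HOURS:
        reasons.append("odd_hours_external")
    return reasons

def triage(flows):
    """Map 'src -> dst:port' to its indicators for every flow that triggers at least one."""
    findings = {}
    for start, src, dst, dport, app, dur_s in flows:
        reasons = flag_flow(start, src, dst, dport, app, dur_s)
        if reasons:
            findings[f"{src} -> {dst}:{dport}"] = reasons
    return findings

if __name__ == "__main__":
    for conn, reasons in triage(FLOWS).items():
        print(conn, ", ".join(reasons))
```

<p>Each flagged flow is a candidate for the incident queue, not a confirmed compromise; the reputation check the post asks for would be applied to the flagged destination IPs before raising an incident.</p>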
<p><span>This was presented at </span><a href="https://www.sacon.io/?utm_source=CP&utm_medium=BlogPPT&utm_campaign=IRNISTKillChain_Sacon_Bang_2017" target="_blank">SACON - The Security Architecture Conference</a><span> - largest security architecture conference in the region. You can find the full presentation <a href="http://www.cisoplatform.com/profiles/blogs/incident-response-validation-containment-forensics" target="_blank">here</a>. SACON International 2017 will be hosting a Cyber Security Workshop by Dr. Phil Polstra (Author Of 'Linux Forensic').</span></p>
<p><span class="font-size-4"><strong>Dr. Phil Polstra (Author of 'Linux Forensic' & many more books) will be conducting Linux and Windows Forensic Workshop at SACON 2017. Check workshop agenda <a href="https://www.sacon.io/?#lp-pom-block-1401" target="_blank">here</a></strong></span></p>
</div>