Posts

Showing posts with the label Investigation

Phishing Mail Investigation

Phishing investigation

Phishing is a cybercrime in which a target or targets are contacted by email, telephone or text message by someone posing as a legitimate institution to lure individuals into providing sensitive data such as personally identifiable information, banking and credit card details, and passwords.

In a SIEM investigation, phishing mails are reported to us by:
1. Customers
2. Employees, or
3. An alert raised in the SIEM tool

The investigation proceeds as follows. First we ask the employee or customer to send us the saved email. Once we receive the mail, we save it, go to its properties and copy the complete Internet Header information. Then we open the Header Analyzer in the MxToolbox threat intelligence tool and paste the header there.

In the Header Analyzer, the following points need to be checked:
1. SPF (Sender Policy Framework): find the original sender IP address, then check the reputation of this IP from various Thr...

Brute force attack investigation

Responsibility Index

Phase: Responsibility
Identification: L1 Analyst - GSOC Monitoring Team
Investigation: L2 Analyst - includes individuals from Network Team/GSOC
Containment: L2 Analyst - includes individuals from Network Team/Server Team
Remediation: L2 Analyst - includes Network Team/Server Team/GSOC
Recovery: L2 Analyst - includes Network Team/Server Team/GSOC

Brute Force attack Procedure

Identification Stage
Stage: Source Identification
A Brute Force incident is reported by the Network Team as an incident, or the alert is raised by the SIEM.

Investigating Stage
Stage: Actions by Respective Team
Investigation: the security team checks the alert. If a Brute Force attack is identified and an alert is generated via the SIEM, the parameters below are considered for the investigation:
- Source addresses of the attempts
- Firewall action
- Destination on which the brute force attem...

Email Proxy – Phishing Email detected

Alert Analysis & Remediation Runbook
Use Case: Email Proxy – Phishing Email detected: Incident Analysis

Document History: Version, Date of Submission, Primary Author(s), Reviewed By, Purpose of Revision, Status (Draft/Review/Approved)

Table of Contents
Objective
Incident Analysis Steps
1. Identify the context
2. Identify Domain\IP and attachment details
3. Identify overall endpoint security status
4. Identify possible source of this behaviour
5. Identify infection radius
Objective of Response
Incident Response Steps
1. Block identified blacklisted URLs and IPs at the firewall; block the suspicious email domain at the email gateway
2. Isolate the system
3. Identify the location of attachments and the processes generated, and terminate them
4. Initiate a full review and remediation of the endpoint security
5. Identify other impacted systems and perform remediation
6. Implement a plan to mitigate similar incidents in future
Obje...