Posts

Ransomware variant detected

Alert Analysis & Remediation Runbook
Use Case: AV – Malware detected but not cleaned

Document History: Version | Date of Submission | Primary Author(s) | Reviewed By | Purpose of Revision | Status (Draft/Review/Approved)

Table of Contents
Objective
Incident Analysis Steps
1. Identify the context

Objective: Determine whether this malware can cause damage on this endpoint or on other endpoints in the network.

ANALYSIS
Below are the steps to perform when analysing a triggered alert.

Incident Analysis Steps
1. Identify the context
Identify the IP address/host name of the asset.
Identify the AD user name/email ID associated with it, if it is an endpoint.
Identify malware details
Check the malware name that triggered the alert.
Identify the criticality of the malware per the AV category (ransomware, worm, Trojan, etc.).
Check the file's hash value at https://www.virustotal.com and identify the criticality (also check how other AV engines classify this hash).
Identify the file path where it...
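The analysis steps above (asset and user context, detected name and AV category, hash reputation at VirusTotal and how other engines classify the same hash) can be turned into a first-pass triage script. The following is an added example written for this page, not code from the runbook. It assumes the AV alert arrives as a dictionary with the field names used in ALERT, and that the reputation data has the shape of a VirusTotal v3 GET /files/{hash} response (data.attributes.last_analysis_stats and last_analysis_results); both the alert and the VirusTotal response are constructed so the script runs offline, and the priority rules and category ranking are this example's own assumptions.

```python
"""Added example: first-pass triage of an 'AV - malware detected but not cleaned' alert.
Not the runbook's code. Field names, category ranking and priority rules are assumptions."""
import hashlib
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

SHA256_RE = re.compile(r"^[0-9a-f]{64}$")

# Runbook step: criticality by AV category. The ranking itself is this example's assumption.
CATEGORY_CRITICALITY = {"ransomware": "critical", "worm": "high", "trojan": "high", "pua": "low"}

# Tokens commonly found in AV detection names, mapped to the runbook's categories (assumption).
NAME_TOKENS = {"ransom": "ransomware", "worm": "worm", "trojan": "trojan",
               "troj": "trojan", "pua": "pua", "pup": "pua"}


def normalise_hash(value: str) -> str:
    """Lower-case and validate a SHA-256 before using it as a lookup key."""
    h = value.strip().lower()
    if not SHA256_RE.match(h):
        raise ValueError(f"not a SHA-256: {value!r}")
    return h


def sha256_of(data: bytes) -> str:
    """Hash the quarantined file yourself when the alert did not carry a hash."""
    return hashlib.sha256(data).hexdigest()


def classify_category(threat_name: str) -> str:
    """Derive the runbook category (ransomware/worm/trojan/...) from the AV detection name."""
    name = threat_name.lower()
    for token, category in NAME_TOKENS.items():
        if token in name:
            return category
    return "unknown"


def summarise_vt(resp: dict) -> Tuple[int, int, List[str]]:
    """Detection ratio plus the engines that call the sample ransomware.
    Denominator follows the usual VT reading: engines that actually rendered a verdict
    (malicious + suspicious + undetected + harmless), not timeouts or unsupported types."""
    attrs = resp["data"]["attributes"]
    stats = attrs.get("last_analysis_stats", {})
    malicious = stats.get("malicious", 0)
    total = malicious + stats.get("suspicious", 0) + stats.get("undetected", 0) + stats.get("harmless", 0)
    ransom_engines = [engine for engine, r in attrs.get("last_analysis_results", {}).items()
                      if r.get("category") == "malicious" and "ransom" in (r.get("result") or "").lower()]
    return malicious, total, ransom_engines


@dataclass
class Triage:
    host: str
    ip: str
    user: str
    threat_name: str
    category: str
    category_criticality: str
    sha256: str
    file_path: str
    vt_malicious: int
    vt_total: int
    vt_ransomware_engines: List[str] = field(default_factory=list)
    still_on_disk: bool = False   # 'detected but not cleaned' means the file may still be present
    priority: str = "P4"


def prioritise(t: Triage) -> str:
    """Priority rules (assumption): AV says ransomware, or several engines agree it is
    ransomware -> P1; high-criticality category or majority of engines flag it -> P2;
    any engine flags it -> P3; otherwise P4 (review as a possible false positive)."""
    ratio = t.vt_malicious / t.vt_total if t.vt_total else 0.0
    if t.category_criticality == "critical" or (t.vt_ransomware_engines and t.vt_malicious >= 5):
        return "P1"
    if t.category_criticality == "high" or ratio >= 0.5:
        return "P2"
    if t.vt_malicious > 0:
        return "P3"
    return "P4"


def triage(alert: dict, vt_resp: Optional[dict]) -> Triage:
    sha = normalise_hash(alert["sha256"])
    if vt_resp is not None and normalise_hash(vt_resp["data"]["id"]) != sha:
        raise ValueError("VirusTotal response is for a different hash")
    category = classify_category(alert["threat_name"])
    malicious, total, ransom_engines = summarise_vt(vt_resp) if vt_resp else (0, 0, [])
    t = Triage(host=alert["host"], ip=alert["ip"], user=alert["user"],
               threat_name=alert["threat_name"], category=category,
               category_criticality=CATEGORY_CRITICALITY.get(category, "unknown"),
               sha256=sha, file_path=alert["file_path"],
               vt_malicious=malicious, vt_total=total, vt_ransomware_engines=ransom_engines,
               still_on_disk=alert.get("action") != "cleaned")
    t.priority = prioritise(t)
    return t


# Constructed sample data (not real malware, not a real alert).
SAMPLE_FILE = b"constructed placeholder bytes, not real malware"
SAMPLE_SHA = sha256_of(SAMPLE_FILE)

ALERT = {
    "host": "WS-FIN-042", "ip": "10.20.30.44", "user": "CORP\\j.doe",
    "threat_name": "Ransom.Win32.Generic", "action": "detected_not_cleaned",
    "file_path": r"C:\Users\j.doe\AppData\Local\Temp\inv0ice.exe",
    "sha256": SAMPLE_SHA.upper(),   # AV consoles often emit upper-case hashes
}

VT_RESPONSE = {  # constructed, shaped like a VT v3 /files/{hash} reply; results abbreviated
    "data": {"id": SAMPLE_SHA, "type": "file", "attributes": {
        "last_analysis_stats": {"malicious": 41, "suspicious": 2, "undetected": 27, "harmless": 0,
                                "timeout": 0, "type-unsupported": 3, "failure": 0},
        "last_analysis_results": {
            "EngineA": {"category": "malicious", "result": "Ransom.Win32.Generic"},
            "EngineB": {"category": "malicious", "result": "Trojan.Generic"},
            "EngineC": {"category": "undetected", "result": None},
        }}}}

if __name__ == "__main__":
    t = triage(ALERT, VT_RESPONSE)
    print(f"{t.priority}: {t.threat_name} ({t.category}) on {t.host}/{t.ip} as {t.user}")
    print(f"  VT {t.vt_malicious}/{t.vt_total} malicious; ransomware per {t.vt_ransomware_engines}")
    print(f"  {t.file_path} still on disk: {t.still_on_disk}")
```

A live lookup would replace VT_RESPONSE with the JSON from GET https://www.virustotal.com/api/v3/files/<sha256> sent with an x-apikey header; the hash is validated and lower-cased first so that an upper-case hash from the AV console and the lower-case id in the reply compare equal, and the script refuses a reply whose id does not match the alert's hash.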

Email Proxy – Phishing Email detected

Alert Analysis & Remediation Runbook
Use Case: Email Proxy – Phishing Email detected - Incident Analysis

Document History: Version | Date of Submission | Primary Author(s) | Reviewed By | Purpose of Revision | Status (Draft/Review/Approved)

Table of Contents
Objective
Incident Analysis Steps
1. Identify the context
2. Identify domain/IP and attachment details
3. Identify overall endpoint security status
4. Identify the possible source of this behaviour
5. Identify the infection radius
Objective of Response
Incident Response Steps
1. Block identified blacklisted URLs and IPs at the firewall; block the suspicious email domain at the email gateway
2. Isolate the system
3. Identify the location of the attachments and the processes they generated, and terminate them
4. Initiate a full review and remediation of the endpoint security
5. Identify other impacted systems and perform remediation
6. Implement a plan to mitigate similar incidents in future
Obje...