Time
58 minutes
Difficulty
Beginner
CEU/CPE
1

Video Transcription

00:17
Welcome to Module Four,
00:19
Sensato's Security Operations Center: Introduction to Case and Incident Management. I'm John Gomez,
00:24
and this is the last module.
00:28
Before we get into it, I want to really take a moment to say, hey,
00:32
you've done great. I applaud you for sticking it out. Hopefully you've learned a good amount of information to develop a foundational set of skills. I really, truly hope that you find value in what we've presented to you.
00:44
And this module, I think, is going to give you a chance to apply pretty much everything that we covered in the first three modules
00:51
using some real-world cases. It should be a lot of fun.
00:54
Now,
00:56
basically, in this module what we're doing is creating some tabletop simulations. And these are mini tabletops; we do these as part of our organization. We have a lot of tabletops we do for clients and others, and we call them Cybersecurity Tactical Simulations, or CATS. They're a lot of fun.
01:15
You should enjoy them.
01:17
Um, and basically, for each one, we're gonna kind of give you some alerts. You're gonna have a chance to then figure out what those alerts mean to you. I'm gonna give you some guidance on the diagnosis and things you should be considering and asking. And then I'll give you some review of what you should have thought about and what you should have done.
01:37
One hint is you can pause the video as often as you wish, right? So I'm gonna move through these kind of quickly just to get through them. But you should pause them after each alert, after each piece of information is given to you, and think about what you would do. Think about it; you know, you can use your notes. You can review the previous modules,
01:53
learn to apply the tools. That's why I created this module, so you'd have a little bit
01:57
of an opportunity to start applying the tools and techniques and thinking that I have covered in the last few modules. And one thing is, look, a lot of these things are gonna be judgment calls, so you know, you may think something should be different than what I'm telling you it is, which is fine.
02:15
You know, what I'm really after is that you understand how to apply the tools
02:19
and not that we totally agree on everything, but that you understand the spirit of what the tools are supposed to be doing and the techniques and tactics that we reviewed. So with that, let's get into it.
02:32
Case one.
02:34
So
02:35
in case one, you're gonna get an alert. And that first alert comes to you on Monday at
02:39
9:05. And you receive that alert stating that IP address 192.168.121.93
02:49
is communicating with an IP address in another country.
02:53
Okay, at this point you don't know whose that other IP address is. It's just in another country.
02:58
You do not have any reason to have any IP addresses in the organization communicating with that other country.
03:05
And so that's all the alert, all the information you have.
03:10
It's now Monday at 9:11
03:13
and you get a second alert. This alert tells you that the same IP address, 192.168.121.93,
03:21
is employing malware
03:23
that has been associated with command and control tactics.
03:27
So this IP address is somehow or another using malware to establish command and control.
03:37
Monday at 9:15.
03:38
Four minutes later, you get another alert. This time you're being told that the same IP address is employing tactics indicative of a reverse shell with an IP in another country.
03:54
This IP address is asset level four. Now is a good time to stop the video
04:00
and think about what all this means and what you would do.
04:05
Okay, so let's talk about the diagnosis.
04:10
Is this an issue or an incident?
04:14
What would you do based on the information you were presented? Just this information.
04:21
What triage would you have performed? What type of an investigation would you have launched?
04:29
So let's review. This actually was an issue at this point and not an incident.
04:34
Yeah,
04:35
and you should have investigated the source IP to determine the type of asset,
04:41
right? You knew the asset value, but hopefully you thought about, hey, I need to figure out what type of asset this is. I know it's an asset value four, but what is this thing?
04:50
And you should have spoken to the owner of the asset, whoever's responsible for managing that.
04:56
Now in this case,
04:58
the asset was actually a medical device
05:00
and it was being remotely supported. So what happened here is the person who owned this asset, who was responsible for it,
05:08
actually signed the remote support agreement. And the vendor did use malware
05:15
to actually set up a reverse shell to bypass security and IT networking
05:19
so that they could remotely support their devices.
05:23
And that did get flagged as alerts. So it was a very real command and control reverse shell session.
05:29
But
05:30
the situation here was that it was actually legitimate.
05:33
Unfortunately, nobody ever told the IT team and IT security team that this was going on, so these alerts got raised. So this would probably have been an issue,
05:43
although it would have been a very high-level issue. It would have been triaged to be high in terms of a priority. It should have been immediately investigated. And so what I just wanted to illustrate to you with this case, which is a very real case that occurred in our security operations center, is that just because you're seeing things happen like this, just because this is what the screen is telling you,
06:02
doesn't mean you should take immediate action all the time. You've got to get good
06:06
at that kind of deciphering and looking for the clues.
06:10
It doesn't mean you don't have urgency. It just means that you should probably have not shut down this IP, blacklisted it, shut down the device. In this case, you would have been shutting down a medical device. Hopefully, you know, this kind of illustrates: look a little deeper, okay?
06:26
And yeah, you know, not all the information was there for you, but it's not always gonna be there for you in the real world.
06:30
You really have to think twice before you just start turning things off or blacklisting or raising an incident. So
06:39
there you go. First case.
06:43
Second case.
06:45
Saturday, 20:32. You receive an alert that IP address 192.168.130.31 is sending passwords in clear text to an IP address outside of your organization. You do not know what
06:59
the other IP address is at this point, nor does it matter right now. You just know this IP address is sending passwords in clear text
07:06
outside of your organization.
07:09
Clear violation of security protocols and privacy best practices.
07:15
21:49 on Sunday, you get the same alert.
07:20
On Monday at 19:12, same alert
07:24
for the same IPs.
07:27
And Tuesday at 20:12,
07:29
the same alert.
07:31
This asset is an asset level three.
07:34
Again, now is a good time to stop the video
07:39
and think about what you would do.
07:43
So let's talk about the diagnosis.
07:46
Is this an issue or an incident?
07:49
What would you do based on the information you're presented here?
07:55
What triage level would you declare, and what priority?
08:00
Let's review this. This is actually a priority of low and a triage level of concerning. Why?
08:05
Well, there's no information here that this is an attack. So we've got clear text passwords. Yeah, it violated the problem... it violated whatever policies or protocols or best practices the organization had in place.
08:18
But other than that,
08:20
there's not anything else here based on this information.
08:24
So
08:24
one of the things I was hoping you'd do is get a little emotional and think there's something else going on, or this should be a medium or moderate or high in terms of triage categories and priorities.
08:35
But right now this is just possibly a configuration issue that warrants further investigation. It's an asset level three, and so honestly,
08:43
just an issue.
08:48
Case three.
08:50
Thursday, 16:23. Your help desk calls you to advise that several users over the past two hours have been reporting the following:
08:58
their machines are running very slow.
09:00
Each user was advised by the help desk to reboot their machine,
09:03
and after rebooting, the machine appears to be running normally.
09:09
It's Thursday, 19:11.
09:11
You receive an alert that several servers in your environment are experiencing file integrity issues.
09:16
An investigation by you shows that the files are owned by the users who rebooted their machines.
09:24
So the files on the servers
09:26
are now somehow... they have an integrity issue for the exact users that the help desk told you rebooted their machines after running very slowly.
09:37
Now 20:01 on Thursday,
09:41
and the help desk calls you back to tell you that there are more machines that users are reporting running very slowly.
09:50
Okay, diagnosis:
09:52
issue or incident?
09:56
What questions should you be asking the help desk?
10:00
What is your initial triage level?
10:05
What was your triage level after the server alert
10:07
at 19:11 on Thursday?
10:11
What do you do after the second help desk call?
10:16
So this is an issue, which these things happen a lot,
10:20
that evolves to an incident.
10:22
Okay, so you started: this is an issue. Users rebooting their machines, help desk calls, users saying, hey, we're seeing this kind of behavior, we rebooted.
10:31
You know, you probably should have asked the help desk what the users were doing before, you know, before they called you and said the machines were slow.
10:39
So, you know, a little bit of investigation there needs to take place. You definitely have to kind of watch it. You probably wanted a minimal, or moderate-minimal,
10:48
um, kind of
10:50
triage category that moved to moderate, if not severe. But this eventually moves to an incident when you start realizing that, hey, you know, there are file integrity issues going on here, and we've got users whose machines have been rebooted, and then the help desk calls and tells you that, hey, there are more machines.
11:09
At that point in time, you probably want to start escalating this out
11:13
and taking more and more action. So the idea here is things can escalate. You've got to not just get so focused on one thing, that whole concept of don't get singular.
11:22
Keep looking for other pieces of information. Keep investigating. Keep driving things forward. Don't let the case get stagnant, and learn how to tie pieces of information together.
11:37
OK, case number four.
11:39
Sunday, 06:59. You receive a call from a database administrator that they can't access their user account because someone has already logged in with their account.
11:50
Because obviously there's a policy in place that allows only one person to log into an account at a time.
11:56
What would you be wanting to know? What would you do?
12:01
Sunday, 7:11. You confirm that the DBA account is being used from an IP address outside of your organization and not known to your organization.
12:11
So basically the IP address that is logged in with this DBA account
12:16
is coming from an IP address outside of your organization and does not have the rights or the authority to be logging in under that account. What do you do?
12:28
And you also confirmed that this DBA account is an admin-level account.
12:35
So
12:37
what do we have, issue or incident?
12:41
What triage level would you declare?
12:45
What steps would you take?
12:48
This is an active incident. You have a situation here where you have a compromised account. Somebody's gotten the DBA's user ID and password. It's an admin-level account. The person is actively logged in from outside of the organization. So there's been a breach.
13:05
This triage level should be critical.
13:07
You should consider disconnecting the attacker, blacklisting their IP and changing the admin account.
13:13
Now, that should all occur if you have the proper authority as part of your incident response to do those things. If you don't, you obviously would have to follow whatever
13:24
protocols are in place for your organization.
13:28
You should also close the case and begin forensics,
13:31
now, assuming you have responsibility for forensics,
13:37
after assurance that this is the only compromised account.
13:39
So what I think I want you to take away is you don't close the case just because you saw this incident. You may want to make sure that, okay, nobody else's accounts have been compromised. And then forensics will kick in and help you determine what other systems this account actually was involved with. But most importantly, you should also be keeping in mind:
13:58
are there other incidents or other indicators of compromise
14:03
that you need to be aware of? That could lead to further and further incidents that you discover.
14:09
So that's the fourth case.
14:11
What are the key takeaways here? Well,
14:13
there's much more to case management than simply what we see in the movies, right? It takes a lot of analytics, takes a lot of patience. It takes attention to detail, and it takes the ability to remain calm and not let your emotions get in the way. Your attention to detail and ability to communicate are gonna be extremely critical to your success.
14:33
You know, we've already talked a lot about emotions getting in the way.
14:37
So your emotional state: staying calm, staying in control. If you get freaked out, if you're getting anxious, everyone around you is gonna say, wow, if the security analyst, the security team, is getting freaked out, this must be really bad.
14:50
So no matter how bad something is, how crazy stressed out, how many things are going on, you've got to stay calm. And case management relies on you staying calm and thinking about what you're going to be doing and how you're going to be dealing with these issues. Then the ability to perform triage. We talked a lot about triage. I've given you a couple of different approaches to triage.
15:09
It really is a critical skill set,
15:13
right? So on top of that is your ability to investigate things accurately and quickly within your skill set.
15:24
So congratulations. Look, you've completed these four modules. There's a lot more to learn.
15:28
I'm really, really proud of you. I hope you're proud of yourself. You've taken a big step to create a foundation. I told you at the beginning of this, in module one, that this is an abbreviated introduction. There's so much more.
15:39
But I'm hoping, really hoping, that I've given you some value, that you walk away from this understanding some terms and some techniques and the ability to incorporate some tactics into your day to day.
15:52
And so, um, look, you know, if you have feedback, there's things we can do to help you,
15:58
please reach out.
16:00
Let us know what we could do
16:03
to do better. Um,
16:04
most of all, I wish you tremendous success
16:08
and that you achieve all of your objectives
16:12
throughout your journey in life.

Incident Response by Sensato

This course will be an introduction to Security Operation Center case and incident management. This is an abbreviated course that we are providing to those who are looking to become a SOC analyst. You will be able to see how you should respond to incidents and manage cases within the Security Operation Centers or organizations.

Instructed By

Sensato
Instructor