welcome to Module four
since Otto's security Operations Center. Introduction to case and incident management on John Gomez.
And this is it Last Montreuil.
Before we get into it, I want to really take a moment to say, Hey,
you've done great. I applaud you for sticking it out. Hopefully you've learned a good amount of information to develop a foundational set of skills. Really, truly hope that you find value in what we've presented to you.
And this module, I think, is going to give you a chance to apply pretty much everything that we cover in the 1st 3 modules.
Using some real world cases should be a lot of fun.
take basically in this module, what we're doing is creating some tabletop simulations. And so these air, many tabletops we do actually is part of our organization. We have a lot of tabletops we doing for clients and others, and we call him cybersecurity Tactical Simulations or C A. T. S. But they're a lot of fun.
You should enjoy them.
Um, and basically, for each one, we're gonna kind of give you some alerts. You're gonna have a chance to then figure out what those alerts mean to you, you're gonna have to give you some guidance on the diagnosis and things you should be considering and asking. And then I'll give you some of review of what you should have thought about Andi. What you should have done
One hint is you can pause the video as often as you wish, right, So I'm gonna move through these kind of quickly just to get through them. But you should pause them after each alert. After each piece of information is given to you and think about what you would do think about, you know, you can use your notes. You can review the previous modules,
learn to apply the tools. That's why I created this module. So you'd have a little bit
of an opportunity to start applying the tools and techniques into thinking that I have that covered in the last few modules. And one thing is, look, a lot of these things are gonna be judgment calls, so you know, you may think something should be different than what I'm telling you. It is which is fine.
You know, what I'm really after is that you understand how to apply the tools
and not that we totally agree on everything. But you understand the spirit of what the tools are supposed to be doing and the techniques and tactics that way reviewed. So with that, let's get into it.
in case one, you're gonna get an alert. And that first alert comes to you on Monday at nine
05 And you receive that alert stating that I p address 1 90 to 1 68 1 2193
is communicating with an I P address in another country.
Okay, at this point, you don't know who that other I P addresses. It's just in another country.
You do not have any reason have any I p addresses in the organization communicating with that other country.
And so that's all the alert, all the information you have.
It's now Monday at 9 11
and you get a second lor. This alert tells you that for the same I p address 1 90 to 1 68 1 2193
that it simply employing malware
that has been associated with command and control tactics.
So this I p address is somehow another using now where to establish command control.
Monday at 9 15
Four minutes later, you get another alert. This time you're being told that the same I P address is employing tactics indicative of a reverse shell with an i p in another country.
This I p address is asset level. For now is a good time to stop the video
and think about what all this means and what you would do.
Okay, so let's talk about the diagnosis.
Is this an issue or an incident?
What would you do based on the information you were presented? Just this information.
What triage would you have performed? What type of an investigation would you have launched?
So let's review this actually was an issue at this point and not an incident.
and you should have investigated the source i p to determine the type of asset,
right? You knew the asset value, but hopefully you thought about Hey, I need to figure out what type of asset is this. I know it's an asset value for, but what is this thing?
And you should have spoken to the owner of the asset. Whoever's responsible for managing that
now in this case,
the asset was actually a medical device
and it was being remotely supported. So what happened here is the person who owned this asset, who was responsible for it
actually inside the remote support agreement. And the vendor did use malware
to actually set up a reverse shot to bypass security and I t networking
so that they could remotely support their devices.
And that did get flagged as alerts. So it was a very riel command of control reverse cell session.
the situation here was that it was actually legitimate.
Unfortunately, nobody ever told the I t team in i t security team that this was going on, so these alerts got raised, so this would probably would have been an issue,
although it would have been a very high level issue. It would have been triaged to be high in terms of a priority. Should have been immediately investigated. And so I just wanted to illustrate to you with this case is a very real case that occurred in our security operations center. That just because you're seeing things happen like this, just because this is what the screen is telling you
doesn't mean you should take immediate action all the time. You got to get good.
That kind of deciphering and looking for the clues
doesn't mean you don't have urgency. Just means that you should probably have not shut down this. I p blacklisted it. Shut down the device. In this case, you have been shutting down a medical device hoping that, you know, this kind of illustrates. See, they look a little deeper, okay?
And yeah, you know, not all the information was there for you, but it's not always gonna be there for you in the real world.
You really had to think twice before you just start turning things off our blacklisting or raising an incident. So
there you go. First case,
Saturday, 2032. You receive an alert that I p address 1 90 to 1 68 1 30 31 is sending passwords in clear text to an I P address outside of your organization. You do not know what
the other I P addresses at this point, nor doesn't matter right now. You just know this I p address is sending passwords in clear text
outside of your organization.
Clear violation of security protocols and privacy. Best practices
2149 on Sunday. You get the same alert
on Monday at 1912. Same alert
for the same eyepiece
and at Tuesday at 2012
the same alert.
This asset is an asset level three
again. Now is a good time to stop the video
and think about what you would do.
So let's talk about the diagnosis.
Is this an issue or an incident?
What would you do based on the information you're presented here,
what triage level would you declare and what priority?
Let's review this. This is actually a priority low in triage level of Concerning Why?
Well, there's no information here that this is an attack, so we've got clear text passports. Yeah, it violated the problem. It violated whatever policies, air protocols or best practices the organization they have in place.
But other than that,
there's not anything else here based on this information.
one of things I was hoping you do is get a little emotional and think there's something else going on, or this should be a medium or moderate or high in terms of triage categories and priorities.
But right now this is just possibly a configuration issue warrants further investigation. It's an asset level three and so honestly.
Thursday, 16 23. Your help desk calls you to advise that several users over the past two hours have been reporting the following.
Your machines are running very slow.
Each user was advised by the help desk to reboot their machine,
and after rebooting the machine appears to be running normally.
It's Thursday, 1911.
You receive an alert that several servers in your environment are experiencing file integrity issues.
An investigation by you shows that the files are owned by the users who rebooted their machines.
So the files on the servers
are now somehow being. They have an integrity issue for the exact users at the help desk. Told you, rebooted their machines after being running very slowly
now 2001 on Thursday
and helped us calls you back to tell you that there are more machines that users reporting running very slowly.
issue or incident?
What questions should you be asking? The help desk.
What is your initial triage level?
Was your triage level after the server alert
at 1911 on Thursday?
What do you do after the second help desk. All
So this is an issue which these things happen a lot
that evolves to an incident.
Okay, so you started. This is an issue. Users rebooting the machines helped us calls, uses. Hey, we're seeing these kind of behavior. We rebooted,
you know, you probably should have asked to help. That's what we're user's doing before you asked him, you know, before they called you and said the machines were slow.
So, you know, a little bit of investigation there needs to take place. You definitely have to kind of watch it. You probably wanted a minimal or modern minimal,
um, kind of
try a triage category that moved to to moderate, if not severe. But this eventually moves to an incident. When you start realizing that, Hey, you know the final integrity issues going on here, and we've got users whose machines have been re booted on. Then when they help does calls and tells you that Hey, there's more machines in Mom.
At that point time, you probably want to start escalating this out
and taking more and more action. So the idea here is things can escalate. You gotta not just get so focused on one thing that whole concept of don't get singular
keep looking for other pieces of information. Keep investigating. Keep driving things forward. Don't let the case get stagnant and learn how to tie pieces of information together.
OK, Case number four
Sunday 06 59 You receive a call from a database administrator that they can't access their user account because someone has already logged in with their count
case of Obviously, there's a policy in place that allows only one person to log into an account at a time.
What would you be wanting to know? What would you D'oh!
Sunday 7 11 You confirm that the D B account is being used from an I P address outside of your organization and not known to your organization.
So basically the I P address that is logged in with this d. B. A account
is coming from an I P address outside of your organization and does not have the rights or the authority to be logging in under that account, what do you do?
And you also confirmed that this d B A account is an admin level account.
what do we have issue or incident?
What triage level would you declare?
What steps would you take?
This is an active incident. You have a situation here where you have a compromised account. Somebody's gotten D d. A's user ID and password. It's an admin level account. The person is actively logged in from outside of the organization. So there's been a breach.
This triage level should be critical.
You should consider disconnecting the attacker, blacklisting their I p and changing the admin account.
Now that should all of occur if you have the proper authority as part of your incident response to do those things. If you don't, you obviously would have to follow whatever
protocols are in place for your organization.
You should also close the case and begin forensics
now, after a short now, assuming you you have responsibility for forensics
after assurance that this is the only compromised account.
So I think I want you to take away is you don't close the case. Just because you saw this incident may want to make sure that Okay, nobody else's accounts have been compromised. And then forensics will kick in and help you determine what other systems this account actually was involved with. But most importantly, you should be also keeping in mind.
Are there other incidents or other indicators of compromise
that you need to be aware of? That could lead to further and further incidents that you discover.
So that's the fourth case.
What are the key takeaways here? Well,
there's much more to case management in simply what we see in the movies, right? It takes a lot of analytics, takes a lot of patience. It takes attention to detail, and it takes you through the ability to remain calm and not let your emotions get in the way. Your attention to detail, Nobility communicator gonna be extremely critical to your success.
You know, we've already talked a lot about emotions getting in the way.
So your emotional state staying calm, staying in control If you get freaked out, If you got getting anxious, everyone around you is gonna say, Wow, if the security analyst security teams getting freaked out, this must be really bad.
So no matter how bad something is, how crazy stressed out how many things were going on, you got to stay calm and case management relies on you staying calm and thinking about what you're going to be doing and how you're going to be dealing with these issues. Then the ability to perform triage we talked a lot about triage have given you a couple of different approaches to triage.
Really is a critical skill set,
right? So in top of that is your ability to investigate things accurately and quickly within your skill set.
So congratulations. Look, you've completed these four modules. There's a lot more to learn.
I'm really, really proud of you. I hope you're proud of yourself. You've taken a big step to create a foundation. I told you the beginning of this and module one that this is an abbreviated introduction. There's so much more.
But I'm hoping, really hoping that I've given you some value, that you walk away from this understanding some terms and some techniques and our ability to incorporate some tactics into your day to day.
And so, um, look, you know, if you have feedback, there's things we can do for help you
please reach out.
Let us know what we could do dio
to do better. Um,
most of all wish you tremendous success
and that you achieve all of your objectives
throughout your journey in life