| Phase | Attack activity | Detection use case | Data source | Detection method |
|---|---|---|---|---|
| | OOB vulnerability scan | Vulnerability scan | Internet - Firewalls and IDS/IPS | |
| | Vulnerability scan from outside | Vulnerability scan on critical assets | Internet - Firewalls and IDS/IPS, Server HIDS/HIPS | Using criticality context to identify the port scan on vulnerable ports |
| | Communication traffic that is from an unusual geo location source | Communication traffic observed from an unusual geo location source | Internet - Firewalls and IPS/IDS, VPN devices | Can use data from FW, IPS & IDS and use GeoIP enrichment to identify any communication to or from unusual geo locations |
| | Communication traffic that is known to be from bad or blacklisted source host addresses | Communication traffic observed from bad or blacklisted source host addresses | Firewalls, IPS/IDS, VPN | Can use data from FW, IPS & IDS and use threat intelligence to identify any communication to or from unusual geo locations |
| | Slow scans: slow horizontal scan | | Internet - Firewalls and IDS/IPS | Using logs and packets with threat intelligence to detect any beaconing traffic |
| | Slow scans: slow vertical scan | | Internet - Firewalls and IDS/IPS | Using logs and packets with threat intelligence to detect any beaconing traffic |
| | Slow scans: slow box scan (combination of horizontal and vertical scan) | | Internet - Firewalls and IDS/IPS | Using logs and packets with threat intelligence to detect any beaconing traffic |
| Initial Compromise | Spear phishing | Malware downloaded | AV | Using packet capture to analyse the downloaded file for malicious content |
| Initial Compromise | Weaponized document | Malware downloaded | AV | Using packet capture to analyse the downloaded file for malicious content |
| Initial Compromise | Watering hole attack | Malware downloaded | Proxy | Using packet capture to analyse the downloaded file for malicious content |
| Initial Compromise | System exploit | C&C communication attempts | Proxy/Firewall threat feed | Using threat intelligence to identify known CnC communication attempts |
| Establish Foothold | Install backdoor malware | Malware has been installed | AV | The installation of the package can be identified by system logs, but the actual endpoint forensics can be achieved from the endpoint solution ECAT. Without endpoint forensics we cannot confirm whether the installed software is malicious unless threat feeds already have the data |
| Move Laterally | Use of psexec, scheduled tasks (at command), WMI | Capture scheduled tasks with task name `At<number>g`, event IDs 602 and 4698 | Windows OS | Using event IDs; can be achieved from Windows system event logs |
| Move Laterally | Use of psexec, scheduled tasks (at command), WMI | psexec: monitor event log service install 4697 with service name `psexesvc` | Windows OS | Using event IDs; can be achieved from Windows system event logs |
| Move Laterally | Use of valid credentials over SMB or RDP | Anomaly detection using event logs | User behavior analysis | Internal communication monitoring for user behaviour changes such as multiple login failures and frequent successful logins |
| Move Laterally | Desktop to desktop communication observed | | SEPM/HIDS (personal firewall) | Internal communication monitoring for user behaviour changes such as multiple login failures and frequent successful logins |
| Maintain Presence | Backdoor malware installed | Malware has been installed | Application whitelisting, AV, anti-malware solution | The installation of the package can be identified by system logs, but the actual endpoint forensics can be achieved from the endpoint solution ECAT. Without endpoint forensics we cannot confirm whether the installed software is malicious unless threat feeds already have the data |
| Maintain Presence | VPN access | Detailed analysis of host check failure alerts | VPN device | Trend report on host checker status of VPN clients |
| Maintain Presence | VPN access | Anomaly detection for VPN users (user profiling) | User behavior analysis | Baselining of VPN users' access requests to monitor any behavioural changes or deviations |
| | Executable detected in http/https traffic | | NIDS/NIPS | Using packet capture files; detected as a non-standard service over a standard protocol |
| | Password encoded zip or RAR files detected | Outbound file transfer detected | NIDS, proxy DLP | Using packet capture to identify zip and RAR files |
| | File transfer over FTP (whitelist for FTP allowed IPs) | | Firewalls | Whitelisting of key listed FTP sites |
| | SMB: connection established over SMB ports (139, 445) towards known bad IP | | Firewalls - threat feed | Using threat intelligence and SMB ports to identify threats and SMB traffic within the internal network |
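The "Move Laterally" rows above pair two Windows event IDs with specific indicators: 4698 (scheduled task created) with `at`-style task names, and 4697 (service installed) with the service name `psexesvc`. The following is an added example, not part of the original document, that runs that detection logic over constructed sample events; the field names (`event_id`, `task_name`, `service_name`) are assumptions about how a SIEM would normalise the events, and legacy event ID 602 from the table is treated like 4698.

```python
import re
from collections import defaultdict

# Constructed sample events (not from the page), shaped like normalised
# Windows Security log records. Field names are assumptions.
SAMPLE_EVENTS = [
    {"host": "WS01", "event_id": 4698, "user": "jdoe", "task_name": "\\At1"},
    {"host": "WS01", "event_id": 4697, "user": "jdoe", "service_name": "PSEXESVC"},
    {"host": "WS02", "event_id": 4698, "user": "SYSTEM",
     "task_name": "\\Microsoft\\Windows\\Defrag\\ScheduledDefrag"},
    {"host": "WS03", "event_id": 4697, "user": "admin", "service_name": "Spooler"},
    {"host": "WS04", "event_id": 602, "user": "svc", "task_name": "At7"},
    {"host": "WS05", "event_id": 4624, "user": "jdoe"},
]

# Task names created by the legacy `at` command look like "At1", "At2", ...
# (optionally with a leading backslash in newer log formats).
AT_TASK = re.compile(r"^\\?At\d+$", re.IGNORECASE)
TASK_CREATED_IDS = {602, 4698}   # 602 is the pre-Vista equivalent of 4698
SERVICE_INSTALLED_ID = 4697


def classify(event):
    """Return a finding label for one event, or None if it is benign."""
    eid = event.get("event_id")
    if eid in TASK_CREATED_IDS and AT_TASK.match(event.get("task_name", "")):
        return "at-command scheduled task"
    if eid == SERVICE_INSTALLED_ID and \
            event.get("service_name", "").upper() == "PSEXESVC":
        return "psexec service install"
    return None


def detect_lateral_movement(events):
    """Apply classify() to every event and collect the findings."""
    findings = []
    for ev in events:
        label = classify(ev)
        if label:
            findings.append({"host": ev["host"], "user": ev["user"], "finding": label})
    return findings


def hosts_with_both(findings):
    """Hosts showing both indicators: a higher-confidence lateral-movement signal."""
    per_host = defaultdict(set)
    for f in findings:
        per_host[f["host"]].add(f["finding"])
    return sorted(h for h, labels in per_host.items() if len(labels) == 2)
```

Correlating both indicators per host (the last function) is what separates a routine `at` job from a likely psexec push and lets an analyst prioritise the alert.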