3. Thanks for the heads-up. Let me handle this; I will get back to you if anything
is required.
-----------------------------------------------------------------------------------
REVIEW:
4. Let me review this ticket. I see that proper checks are done for the incident.
Hmm, EDR and threat intel data are pointing towards a ransomware attack.
6. Now that I have isolated the laptop, ((let me raise a child ticket assigning it
to the Local Desktop team to rebuild the image of the laptop)).
ScreenShot: Containment
-----------------------------------------------------------------------------------
THREAT HUNT:
7. ((So the containment is complete, and now I will have to do a THREAT HUNT by
diving deeper to understand how the infection spread to the laptop.))
8. I see on the ticket that the infected process is outlook.exe. Hmm, which clearly
indicates that the THREAT VECTOR was EMAIL, and the infection could be through a
phishing email.
Screenshot: outlook.exe
9. Let me call the Exchange team to check for any email where the recipient email
address is that of the user using the infected laptop and with the malicious .DOC
file attachment.
Screenshot: email address & DOC File
-----------------------------------------------------------------------------------
10. So the Exchange team just confirmed the presence of the email with the
malicious .DOC file attachment, and they also shared 1. the subject line of the
particular email, 2. the sender email address and 3. the sender IP address.
(Screenshot: Subject Line, Email Address, Sender IP Address)
11. Now let me check with the Exchange team whether similar emails were received by
other users in the organisation... Yes, they just confirmed that there are similar
emails received by other users inside the organisation.
(Screenshot: Similar Emails)
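An added example, not part of the original walkthrough, showing the threat-hunt pivot of steps 9 to 11 as a script over constructed message-trace records: find the email delivered to the infected user that carries a .DOC attachment, pull its subject line, sender address and sender IP, then search for other internal recipients matching those indicators. The record fields, addresses and IP values are assumed sample data.

```python
"""Threat-hunt pivot (steps 9-11): seed email -> indicators -> other recipients."""
from dataclasses import dataclass


@dataclass(frozen=True)
class MailRecord:
    recipient: str
    sender: str
    sender_ip: str
    subject: str
    attachments: tuple  # attachment file names


# Constructed sample message-trace records (not real data).
TRACE = [
    MailRecord("alice@example.com", "news@example.com", "203.0.113.9", "Weekly update", ("update.pdf",)),
    MailRecord("victim@example.com", "invoice@bad-sender.example", "198.51.100.7", "Invoice overdue", ("invoice.doc",)),
    MailRecord("bob@example.com", "invoice@bad-sender.example", "198.51.100.7", "Invoice overdue", ("invoice.doc",)),
    MailRecord("carol@example.com", "hr@example.com", "203.0.113.9", "Invoice overdue", ("policy.docx",)),
    MailRecord("dave@example.com", "invoice@bad-sender.example", "198.51.100.7", "Invoice overdue", ("invoice.doc",)),
]


def has_doc_attachment(rec):
    # Only legacy .doc, as in the ticket; .docx does not match.
    return any(name.lower().endswith(".doc") for name in rec.attachments)


def find_seed_email(trace, infected_user):
    """Step 9: the email to the infected user carrying a .doc attachment."""
    hits = [r for r in trace if r.recipient.lower() == infected_user.lower() and has_doc_attachment(r)]
    return hits[0] if hits else None


def extract_indicators(rec):
    """Step 10: subject line, sender address and sender IP from the seed email."""
    return {"subject": rec.subject, "sender": rec.sender, "sender_ip": rec.sender_ip}


def find_similar_emails(trace, ioc, exclude_recipient):
    """Step 11: other recipients matching the sender or sender IP with a .doc file.
    Matching on sender OR IP also catches a changed sender address from the same source."""
    return sorted(
        r.recipient for r in trace
        if r.recipient.lower() != exclude_recipient.lower()
        and (r.sender == ioc["sender"] or r.sender_ip == ioc["sender_ip"])
        and has_doc_attachment(r)
    )


def hunt(trace, infected_user):
    """Run the full pivot; returns (indicators, other_recipients) or None if no seed email."""
    seed = find_seed_email(trace, infected_user)
    if seed is None:
        return None
    ioc = extract_indicators(seed)
    return ioc, find_similar_emails(trace, ioc, infected_user)


if __name__ == "__main__":
    print(hunt(TRACE, "victim@example.com"))
```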
-----------------------------------------------------------------------------------
So all this while you saw the incident response stages, which run in the reverse
direction of how the actual incident unfolded, and every stage is mapped to the
Cyber Kill Chain process.
-----------------------------------------------------------------------------------
1. Mark all hash values derived from VirusTotal for prevention on the EDR, so that
any similar malicious attempts from a different source IP address will be blocked
in the future.
2. Check and make sure all machines have AV agents installed on them and that the
AV updates are pushed periodically without fail.
3. The Exchange team should purge all similar phishing emails on O365, to make sure
that the infection doesn't spread.
- and block future email from the malicious sender email address on the Exchange
server.
- and also, if required, block the sender IP address on the perimeter firewall.