Incident Response

Installation
This is where the remote access Trojan or backdoor is installed on the system, allowing access into the system. Installing malware requires the end-user to unknowingly enable the malicious code. One way to counter this is to deploy a HIPS (Host-based Intrusion Prevention System) to alert or block on common installation paths. The defender needs to understand endpoint process auditing in order to discover abnormal file creations, and should examine the compile time of the malware to determine whether it is old or new.

Command & Control
In this stage the command and control channel is blocked, so attackers cannot issue any commands. Usually compromised hosts must beacon outbound to an Internet controller server to establish a Command & Control (C2) channel. Once the C2 channel is established the attackers have "hands on the keyboard" access inside the target environment. The attackers' goal is to establish control over as many workstations as possible “in an effort to ‘exfiltrate’ data without setting off any anomalies or other monitoring applications based upon content, quantity, frequency, etc. Hence, the reason it is essential to have the proper tools in place that can identify, track, observe, stop and destroy these campaigns within your arsenal of capabilities.” [Pro]

Actions on Target
Defenders must detect this stage as early as possible and deploy the necessary tools to collect forensic evidence. Once this stage is detected the prepared action plan must be initiated. This plan should include a comprehensive communication plan, detailing the evidence to be sent to the highest ranking official or governing Board, the deployment of end-point security tools to block data loss, and preparation for briefing a CIRT Team.

The BYOD policy walks a thin line between protecting the company and invading the employee's privacy. The best way to avoid any legal issues is to have employees sign a document stating that they consent to monitoring when using the device on the company network. Giving notice and asking for permission to monitor is the most effective way to maintain the security posture of the company while respecting the privacy of the employees. This will help prevent information from spilling and reduce the risk of other malicious attempts to attack the device or network.

Tracking Suspicious Behavior
“Suspicious network activity can refer to a number of different behaviors that involve abnormal access patterns, database activities, file changes, and other out-of-the-ordinary actions that can indicate an attack or data breach.” [Jac18] Auditing user accounts is an effective way to find suspicious activity on the network. Suspicious activity can include:

Account abuse: the abuse of privileged accounts is a likely sign of an insider threat. Indicators include accessing sensitive information without need, sharing account access, and modified audit trails.
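Beacon detection over outbound connection logs, as an added example that is not part of the paper: it scores each (source host, destination, port) flow by how regular its connection intervals are, which is how the periodic C2 beaconing described under Command & Control and the "abnormal access patterns" mentioned under Tracking Suspicious Behavior appear in network logs. The log lines are constructed, and the minimum connection count and jitter threshold are assumed tuning values.

```python
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample of outbound connection records (not from the paper):
# timestamp, source host, destination IP, destination port.
# 203.0.113.5 is contacted every ~5 minutes; 198.51.100.20 is ordinary browsing.
SAMPLE_LOG = """\
2024-03-01T10:00:00 ws-017 203.0.113.5 443
2024-03-01T10:00:07 ws-017 198.51.100.20 443
2024-03-01T10:05:01 ws-017 203.0.113.5 443
2024-03-01T10:09:59 ws-017 203.0.113.5 443
2024-03-01T10:11:30 ws-017 198.51.100.20 80
2024-03-01T10:15:00 ws-017 203.0.113.5 443
2024-03-01T10:20:02 ws-017 203.0.113.5 443
2024-03-01T10:24:58 ws-017 203.0.113.5 443
2024-03-01T10:30:00 ws-017 203.0.113.5 443
2024-03-01T10:42:13 ws-017 198.51.100.20 443
"""


def parse_log(text):
    """Group connection timestamps by (src, dst, port) flow."""
    flows = defaultdict(list)
    for line in text.splitlines():
        ts, src, dst, port = line.split()
        flows[(src, dst, int(port))].append(datetime.fromisoformat(ts))
    return flows


def beacon_candidates(flows, min_connections=5, max_jitter=0.1):
    """Return (flow, mean_gap_seconds, jitter) for flows whose gaps are
    nearly constant. Jitter is the coefficient of variation (stdev / mean)
    of the inter-connection gaps: human browsing is bursty (high jitter),
    a scheduled beacon is not. Thresholds are assumed starting points."""
    findings = []
    for key, times in flows.items():
        if len(times) < min_connections:
            continue  # too few samples to judge periodicity
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        jitter = statistics.pstdev(gaps) / mean if mean else float("inf")
        if jitter <= max_jitter:
            findings.append((key, round(mean), round(jitter, 3)))
    return findings
```

Real deployments would also whitelist known update and telemetry services, which beacon just as regularly.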