

Incident Response

Installation
This is where the remote access Trojan or backdoor is installed on the system, giving the attacker access to it. Installing malware requires the end user to unknowingly enable the malicious code. One way to counter this is to deploy a HIPS (Host-based Intrusion Prevention System) to alert or block on common installation paths. The defender needs to understand endpoint process auditing in order to discover abnormal file creations, and to check the compile time of the malware to determine whether it is old or new.

Command & Control
In this stage, the defender blocks the command and control channel so that attackers cannot issue any commands. Usually, compromised hosts must beacon outbound to an Internet controller server to establish a Command & Control (C2) channel. Once the C2 channel is established, the attackers have "hands on the keyboard" access inside the target environment. The attackers' goal is to establish control over as many workstations as possible "in an effort to 'exfiltrate' data without setting off any anomalies or other monitoring applications based upon content, quantity, frequency, etc. Hence, the reason it is essential to have the proper tools in place that can identify, track, observe, stop and destroy these campaigns within your arsenal of capabilities." [Pro]

Actions on Target
Defenders must detect this stage as early as possible and deploy the necessary tools to collect forensic evidence. Once this stage is detected, the prepared action plan must be initiated. This plan should include a comprehensive communication plan detailing the evidence to be sent to the highest-ranking official or governing board, the deployment of endpoint security tools to block data loss, and preparation for briefing a CIRT team.

The BYOD policy walks a thin line between protecting the company and invading the employee's privacy. The best way to avoid legal issues is to have employees sign a document stating that they consent to monitoring when using the device on the company network. Giving notice and asking for permission to monitor is the most effective way to maintain the security posture of the company while respecting the privacy of employees. This helps prevent information from spilling and reduces the risk of other malicious attempts to attack the device or network.

Tracking Suspicious Behavior
"Suspicious network activity can refer to a number of different behaviors that involve abnormal access patterns, database activities, file changes, and other out-of-the-ordinary actions that can indicate an attack or data breach." [Jac18] Auditing user accounts is an effective way to find suspicious activity on the network. Suspicious activity can include:

Account abuse: the abuse of privileged accounts is among the most likely indicators of an insider threat; signs include accessing sensitive information without need, sharing account access, and modified audit trails.
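The Installation-stage advice above, reading a binary's compile time and comparing it with the file creation time seen in endpoint auditing, as an added example that is not part of the original paper. It parses the COFF TimeDateStamp of a PE image and labels the sample as old, new, or carrying an implausible (zeroed or future-dated) timestamp; the PE header bytes and the first-seen/now dates are constructed for the demonstration, and the 30-day "fresh" window is an assumed threshold.

```python
import struct
from datetime import datetime, timedelta, timezone

EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)


def pe_compile_time(data: bytes) -> datetime:
    """Read the COFF TimeDateStamp (the linker's build time) from a PE image."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("no MZ signature: not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature at e_lfanew")
    # COFF header layout: Machine(2) NumberOfSections(2) TimeDateStamp(4) ...
    ts = struct.unpack_from("<I", data, e_lfanew + 8)[0]
    return EPOCH + timedelta(seconds=ts)


def classify_compile_time(compiled: datetime, first_seen: datetime,
                          now: datetime, fresh_days: int = 30) -> str:
    """Label a sample as old, new, or carrying an implausible (likely stomped) timestamp.
    first_seen is the file creation time recorded by endpoint auditing."""
    if compiled == EPOCH:
        return "zeroed"            # zero stamp: common linker/packer artefact, no dating value
    if compiled > now + timedelta(days=1):
        return "future-dated"      # cannot be genuine; treat the timestamp as altered
    if compiled > first_seen + timedelta(days=1):
        return "after-first-seen"  # built after it landed on the host: inconsistent
    if first_seen - compiled <= timedelta(days=fresh_days):
        return "new"               # built shortly before it appeared: fresh tooling
    return "old"


def build_min_pe(ts: int) -> bytes:
    """Constructed sample: DOS stub, PE signature and COFF header only (not loadable)."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew points right after the stub
    coff = struct.pack("<HHIIIHH", 0x14C, 1, ts, 0, 0, 0, 0x0102)
    return bytes(dos) + b"PE\0\0" + coff


if __name__ == "__main__":
    first_seen = datetime(2024, 3, 10, tzinfo=timezone.utc)  # constructed audit record
    now = datetime(2024, 3, 12, tzinfo=timezone.utc)
    for label, ts in [("fresh", 1709856000), ("stomped", 0), ("forged", 2000000000)]:
        built = pe_compile_time(build_min_pe(ts))
        print(label, built.isoformat(), classify_compile_time(built, first_seen, now))
```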
