Two scenarios are provided. Candidates may answer either one or both, addressing all of the points raised in the scenario they choose.
Scenario 1:
An environment has been hit by a zero-day attack: users find a text (Notepad) file containing the attacker's contact details and instructions for regaining access, and 60% of the estate/users are impacted. Every endpoint had AV and EDR tools installed, yet the machines were still infected. The environment had the required network security controls, firewalls and log monitoring in place, but nothing was detected in the SIEM. The backup strategy in use is snapshot backups stored on the same network and in the same domain as the affected systems.
Using threat hunting techniques, can we establish how the hacker could have infiltrated and,
Scenario 2:
When looking at any security team, one thing you might notice is that there is a tool for everything. And we do mean everything: ticketing, threat intelligence, security investigations, malware analysis, detection, incident response, advanced persistent threats, security monitoring; the list goes on.
Every organization wants the best of the best to build its defenses. This often leaves security teams and security operations centers with a stack of uncooperative tools that do not communicate with one another, whose full value remains untapped, and which can interrupt or even cancel each other out. The team becomes paralyzed by the sheer number of alerts these tools generate, losing time that could be spent on contextualized investigation and response.
Alert fatigue is often cited as a common challenge in SOCs, and with good reason. Nobody likes alerts, because whether it is a fire alarm, a car alarm, or an alarm for any other kind of emergency, it signals that a real threat is present. But after hearing alerts time and time again, all we hear is the boy who cried wolf. We downplay them because we have spent so much of our limited time combing through them, only for them to turn out to be false positives. In SOC terms, this leads to real threats being missed, often with devastating consequences.
There is a solution: connect the tools that security teams run so that they communicate with each other, and do away with the tedious, time-consuming manual hand-offs that carry a high potential for human error. Streamlining how the tools are used keeps security professionals from losing any more of their limited time to alert triage.
Scenario 1:
Q1. Using threat hunting techniques, can we establish how a hacker could have infiltrated?
(a) Threat hunting is hypothesis-driven and retrospective. Since the SIEM raised nothing, we cannot wait for alerts; instead we query the telemetry the EDR has already collected (for example, Carbon Black Response process, network and registry events) for the behaviour an intrusion must leave behind: the process that first wrote the note to disk, its parent-process chain, the account and logon type it ran under, and the earliest host on which the same binary appeared. Walking that chain back from the note to the first infected host identifies the initial entry point (a phishing attachment, an exposed remote-access service, or an exploited public-facing application).
(b) Each hunting hypothesis is framed from the attacker's point of view (how did they get in, how did they execute, how did they move to 60% of the estate) and turned into a concrete query or EDR watchlist. Because every endpoint had AV and EDR yet was still infected, the hunt should specifically look for tampering with those tools on the infected hosts, and should compare infected hosts against the 40% that were not, since the difference between the two groups often points straight at the entry path. Queries that find the attacker become persistent detections for the future.
Q2. How do we find what the IOCs are?
There are two main sources of IOCs in this scenario:
a. Configuration changes in the registry. Look for altered keys and values that disable the firewall or antivirus (for example, the Windows Defender DisableAntiSpyware and DisableRealtimeMonitoring policy values, or the firewall profile's EnableFirewall value), and for new Run/RunOnce or service entries that give the malware persistence. The process that made each change, and the time it was made, are IOCs in their own right.
b. Suspicious activity by the malware in the file system of the infected environment. A burst of file reads, writes and renames from a single process (typically with a new extension appended), the note dropped into many directories, and new executables in user-writable paths such as %TEMP%, %APPDATA% or C:\Users\Public all indicate IOCs. From these we extract the atomic indicators (file hashes, file names, the contact details and any addresses in the note, and the destinations the process connected to) and sweep the rest of the estate for them.
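The two IOC sources above (registry tampering and mass file writes) can be hunted across EDR or Sysmon-style telemetry with a short script. The following is an added example, not code from the original answer; the field names (host, time, event_id, image, target, details) are an assumption modelled on Sysmon Event ID 13 (registry value set) and Event ID 11 (file create), and the sample events are constructed, not real logs.

```python
"""Hunt for endpoint IOCs in EDR/Sysmon-style telemetry.

Added example, not code from the original page. The records below are
constructed; the field names are an assumption modelled on Sysmon
Event ID 13 (registry value set) and Event ID 11 (file create).
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Registry values that should never be set this way on a managed estate.
# The "details" string is the format Sysmon uses to report DWORD values.
TAMPER_VALUES = {
    r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware":
        "DWORD (0x00000001)",
    r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring":
        "DWORD (0x00000001)",
    r"HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall":
        "DWORD (0x00000000)",
}


def registry_iocs(events):
    """Return (host, image, key) for each registry write that disabled AV or the firewall."""
    hits = []
    for e in events:
        if e["event_id"] != 13:
            continue
        if TAMPER_VALUES.get(e["target"]) == e["details"]:
            hits.append((e["host"], e["image"], e["target"]))
    return hits


def file_write_bursts(events, window_s=60, threshold=20):
    """Return (host, image, count) where one process created >= threshold files
    inside any window_s-second window: the mass-write pattern of an encryptor."""
    times_by_proc = defaultdict(list)
    for e in events:
        if e["event_id"] == 11:
            times_by_proc[(e["host"], e["image"])].append(e["time"])
    bursts = []
    for (host, image), times in times_by_proc.items():
        times.sort()
        left, best = 0, 0
        for right, t in enumerate(times):          # sliding window over sorted times
            while (t - times[left]).total_seconds() > window_s:
                left += 1
            best = max(best, right - left + 1)
        if best >= threshold:
            bursts.append((host, image, best))
    return bursts


def hunt(events):
    """Run both checks; a host that appears in both lists is the pivot point for Q1."""
    reg = registry_iocs(events)
    bursts = file_write_bursts(events)
    both = {h for h, _, _ in reg} & {h for h, _, _ in bursts}
    return {"registry": reg, "bursts": bursts, "both": sorted(both)}


# ---- constructed sample telemetry (not real logs) ----
T0 = datetime(2024, 3, 1, 2, 14, 0)


def ev(host, secs, event_id, image, target, details=None):
    return {"host": host, "time": T0 + timedelta(seconds=secs), "event_id": event_id,
            "image": image, "target": target, "details": details}


BAD = r"C:\Users\Public\svchost.exe"   # svchost outside System32 is itself suspicious
WORD = r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
SAMPLE_EVENTS = [
    ev("WS-0417", 0, 13, BAD,
       r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware", "DWORD (0x00000001)"),
    ev("WS-0417", 2, 13, BAD,
       r"HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall",
       "DWORD (0x00000000)"),
    # benign: Group Policy re-enabling protection writes the same key with value 0
    ev("WS-0099", 5, 13, r"C:\Windows\System32\svchost.exe",
       r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware", "DWORD (0x00000000)"),
]
# 30 files renamed to a new extension within 30 seconds on the tampered host
SAMPLE_EVENTS += [ev("WS-0417", 10 + i, 11, BAD, rf"C:\Users\alice\Documents\file{i}.docx.locked")
                  for i in range(30)]
# a user saving three documents over ten minutes: normal, must not be flagged
SAMPLE_EVENTS += [ev("WS-0099", 300 * i, 11, WORD, rf"C:\Users\bob\Documents\report{i}.docx")
                  for i in range(3)]

if __name__ == "__main__":
    for name, result in hunt(SAMPLE_EVENTS).items():
        print(name, result)
```

The benign WS-0099 record shows why the check matches on the value written, not merely on the key touched: Group Policy legitimately writes the same policy keys. The file-burst threshold and window are tuning knobs; start from what the unaffected 40% of hosts look like and set them just above that.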
Q3. How do you identify whether any data exfiltration has happened?
Start with swells in database read volume: look for massive database activity, such as full-table dumps, that produced unusually large result sets or large traffic volumes compared with the account's normal daily pattern. A swell on its own proves only that someone read far more than usual, so confirm the network side of the same window: outbound byte counts per host and per destination from proxy, firewall and flow logs, new or rarely seen destinations (including cloud storage and DNS tunnelling), and archive tools (rar, 7z) run shortly before the upload. A database read spike matched by a large outbound transfer from the same host to an unfamiliar destination is strong evidence that the attacker took data, not just encrypted it.
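The swell test described above can be run over both the database audit summary and the network side with the same baseline function. The following is an added example, not code from the original answer; the flow-log line format ('<date> <host> <dst_ip>:<port> <bytes_out>') is an assumption standing in for a proxy/firewall/netflow export, and both data sets are constructed.

```python
"""Spot volume swells that point at data exfiltration.

Added example, not code from the original page. The flow-log format and the
rows-read-per-account table below are constructed stand-ins for real
firewall/proxy exports and database audit logs.
"""
from collections import defaultdict
from statistics import median


def baseline_swells(series, min_ratio=5.0, min_history=5):
    """series: entity -> daily values in time order.
    Flags an entity whose latest day exceeds min_ratio x the median of its own
    earlier days. Returns entity -> (baseline, latest, ratio)."""
    flagged = {}
    for entity, values in series.items():
        if len(values) <= min_history:
            continue                       # too little history to call a baseline
        history, latest = values[:-1], values[-1]
        base = max(median(history), 1)     # median resists a single earlier spike
        if latest > min_ratio * base:
            flagged[entity] = (base, latest, round(latest / base, 1))
    return flagged


def parse_flow_log(text):
    """Aggregate flow lines into host -> {date: bytes_out}."""
    totals = defaultdict(lambda: defaultdict(int))
    for line in text.strip().splitlines():
        date, host, _dst, nbytes = line.split()
        totals[host][date] += int(nbytes)
    return totals


def exfil_candidates(text, **kw):
    """Per-host daily outbound totals, then the swell test."""
    totals = parse_flow_log(text)
    series = {h: [days[d] for d in sorted(days)] for h, days in totals.items()}
    return baseline_swells(series, **kw)


def top_destination(text, host, date):
    """Where did the bytes go on the swell day? Returns (dst, bytes)."""
    by_dst = defaultdict(int)
    for line in text.strip().splitlines():
        d, h, dst, nbytes = line.split()
        if h == host and d == date:
            by_dst[dst] += int(nbytes)
    return max(by_dst.items(), key=lambda kv: kv[1])


# ---- constructed sample data ----
DATES = [f"2024-02-{d:02d}" for d in range(23, 30)] + ["2024-03-01"]
_lines = []
for day in DATES[:-1]:                                   # seven quiet days
    _lines += [f"{day} WS-0417 192.0.2.10:443 21000000",
               f"{day} WS-0099 192.0.2.10:443 19000000",
               f"{day} SQL-01 192.0.2.10:443 3000000"]
_lines += [f"{DATES[-1]} WS-0417 192.0.2.10:443 22000000",      # usual SaaS traffic
           f"{DATES[-1]} WS-0417 203.0.113.9:443 4200000000",   # 4.2 GB to an unknown host
           f"{DATES[-1]} WS-0099 192.0.2.10:443 20000000",
           f"{DATES[-1]} SQL-01 192.0.2.10:443 3100000"]
FLOW_LOG = "\n".join(_lines)

# rows read per database account per day (constructed audit-log summary)
DB_ROWS_READ = {
    "app_svc": [120_000, 118_000, 131_000, 125_000, 119_000, 127_000, 122_000, 130_000],
    "bkp_ro":  [90_000, 91_000, 88_000, 93_000, 90_000, 89_000, 92_000, 48_000_000],
}

if __name__ == "__main__":
    for host, (base, latest, ratio) in exfil_candidates(FLOW_LOG).items():
        print(f"{host}: {latest} B out vs baseline {base} B ({ratio}x) ->",
              top_destination(FLOW_LOG, host, DATES[-1]))
    print("db read swells:", baseline_swells(DB_ROWS_READ))
```

The read-only backup account bkp_ro pulling 48 million rows, and WS-0417 pushing 4.2 GB to 203.0.113.9 on the same day, is the kind of paired signal that turns a suspicion into a finding; the per-destination breakdown is what you hand to the network team to block and to legal for the notification decision. Port 443 alone is not evidence of normality: the volume and the unfamiliar destination are what matter.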
Q4. Approach to restricting further propagation of the malicious code in the estate, and immediate corrective actions.
(a) Contain first: isolate infected hosts from the network using the EDR's quarantine/network-isolation feature (the agents are already installed on every endpoint), and segment or block the lateral-movement paths the hunt identified, typically SMB/admin shares and RDP between workstations. Disable the accounts the malware ran under and reset their credentials.
(b) Push the IOCs found in Q2 (file hashes, file names, registry changes, destination addresses) as blocks to the EDR, AV, firewall and proxy so that the same binary cannot execute or call home on the 40% of hosts not yet affected, and keep sweeping those hosts for the indicators.
(c) Because the snapshot backups live on the same network and in the same domain, they are within the attacker's reach: immediately copy the latest clean snapshots to storage the domain cannot write to, and protect the backup system's credentials, before anything else is touched. Reviewing application code before release (white-box review and static-analysis tools such as Veracode) is a preventive control for the software supply chain, not a containment step; it belongs in the longer-term hardening plan rather than the immediate response.
Q5. What will the incident response and recovery strategy be?
(a) Incident response follows the standard phases: detection and reporting (monitor security events to detect, alert on and report potential incidents; here the gap is that the SIEM saw nothing, so the detections built during the hunt must be added to it), analysis (the timeline and entry point from Q1), containment (Q4), eradication (rebuild infected hosts from a known-good image rather than cleaning them, and rotate all credentials that could have been exposed, including the domain's krbtgt account if domain compromise is suspected), and lessons learned.
(b) Recovery has to account for the backup design: snapshots on the same network and domain may themselves be encrypted or tampered with, so verify each snapshot's integrity and restore only from one that predates the first infection time established in Q1, restoring into a clean, isolated segment and scanning for the IOCs before reconnecting. Going forward, keep at least one backup copy offline or on immutable storage, under separate credentials outside the production domain, and test restores regularly so that the recovery point and recovery time are known before the next incident.