Getting back to basics, IR 101 - Ep 013

Recorded May 2020

TOPIC: Getting back to basics, IR 101

OUR SPONSORS:

sqs-block-image-figure

intrinsic

">

sqs-block-image-link

" href="https://www.log-md.com/" target="_blank">

NEWS-WORTHY:Best EDR Security Services In 2020 for Endpoint Protection

• https://www.softwaretestinghelp.com/edr-security-services/

How to Avoid Spam—Using Disposable Contact Information

• https://www.wired.com/story/avoid-spam-disposable-email-burner-phone-number/

Shiny new Azure login attracts shiny new phishing attacks

• https://nakedsecurity.sophos.com/2020/05/18/shiny-new-azure-login-attracts-shiny-new-phishing-attacks/

Upgrading from EDR to MDR is Critical but Easier than You Think

• https://securityboulevard.com/2020/05/upgrading-from-edr-to-mdr-is-critical-but-easier-than-you-think/

The ransomware that attacks you from inside a virtual machine

• https://nakedsecurity.sophos.com/2020/05/22/the-ransomware-that-attacks-you-from-inside-a-virtual-machine/

SITE-WORTHY:Malware Archaeology - Cheat Sheets

• https://www.MalwareArchaeology.com/cheat-sheets

TOOL-WORTHY:LOG-MD - The Log anD Malicious Discovery tool

• “LOG-MD -a” will give you how you compare against the cheat sheets

• https://www.LOG-MD.com

MALWARE OF THE MONTH:

Qakbot

• Typical delivery via a Office doc or URL

• Created a folder in C:\Users

Key Detection points

• Enable better logging AutoRuns - Uses Run key and Scheduled Task

• WMIPrvSe launch binary in C:\Users

• Binary in root of \Username directory C:\Users\<username>\<random long filename>.exe

• C:\Users\<username>\AppData\Roaming\Microsoft\<random_foldername> Syswow64\Explorer.exe used Parent of Explorer.exe is NEVER a binary in C:\Users

• Process injection of Syswow64\Explorer.exe

• Ping 127.0.0.1

• Scheduled Task created by a binary in C:\Users

• Syswow64\Explorer,exe opening all the browsers

• Binary in C:\User calling out to foreign country

PREVENTION

• Block Office macros

• Don’t allow uncategorized websites

• EDR Software

• Whitelisting C:\Users

TOPIC OF THE DAY:

Getting back to basics, IR 101

What is getting back to basics - IR 101

• This will likely be multiple episodes

• We will start with Windows

Why is this important?

1. WHEN you have an incident, data we, and you need will be available

2. This is probably the #1 finding and recommendation we have made to organizations we have been involved with over the years

3. Security tools fail, so other data you collect can help discover what happened where, when, and how

What is the problem we are wanting our listeners to solve? 

1. To be better prepared in the event of an incident to speed up investigations

2. Give your SOC, IT, or Security people the data they need to investigate events

3. Make log management data better if you are collecting all the things

4. And of course… help your IR Consultancy do a better job FASTER

Other Articles:

-------------------

CIS Benchmarks

• https://www.cisecurity.org/cis-benchmarks/

DerbyCon talk on EDR

• https://www.irongeek.com/i.php?page=videos/derbycon7/t416-edr-etdr-next-gen-av-is-all-the-rage-so-why-am-i-enraged-michael-gough

DerbyCon talk on Winnti

• https://www.irongeek.com/i.php?page=videos/derbycon5/teach-me01-a-deep-look-into-a-chinese-advanced-attack-understand-it-learn-from-it-and-how-to-detect-and-defend-against-attacks-like-this-michael-gough