We covered responding to a cyber incident using Splunk to analyze the related events and uncover the attack artifacts. This was part of the TryHackMe room Incident Handling with Splunk.
Description
Learn to use Splunk for incident handling through interactive scenarios.
Highlights
Incident Handling Life Cycle
1. Preparation
The preparation phase covers the readiness of an organization against an attack. That means documenting the requirements, defining the policies, and deploying the security controls used for monitoring, such as EDR, SIEM, IDS and IPS. It also includes hiring and training the staff.
2. Detection and Analysis
The detection phase covers everything related to detecting an incident and analyzing it. This phase covers receiving alerts from the security controls, such as the SIEM or EDR, and investigating each alert to find the root cause. This phase also covers hunting for unknown threats within the organization.
3. Containment, Eradication, and Recovery
This phase covers the actions needed to stop the incident from spreading and to secure the network. It involves the steps taken to prevent the attack from spreading across the network, isolating the infected hosts, clearing the traces of the infection from the network, and regaining control from the attacker.
4. Post-Incident Activity / Lessons Learnt
This phase includes identifying the loopholes in the organization’s security posture that led to the intrusion and fixing them so that the same attack does not succeed next time. The steps involve identifying the weaknesses that led to the attack, adding detection rules so that a similar breach does not happen again, and, most importantly, training the staff if required.
Scenario
A big corporate organization, Wayne Enterprises, has recently faced a cyber-attack in which the attackers broke into their network, found their way to their web server, and successfully defaced their website http://www.imreallynotbatman.com. Their website is now showing the trademark of the attackers with the message YOUR SITE HAS BEEN DEFACED, as shown below.
They have requested “US” to join them as a Security Analyst and help them investigate this cyber attack and find the root cause and all the attackers’ activities within their network.
Room Answers
What is the CMS our web server is using?
What is the IP address of the server imreallynotbatman.com?
What was the URI which got multiple brute force attempts?
What was the correct password for admin access to the content management system running imreallynotbatman.com?
How many unique passwords were attempted in the brute force attempt?
Looking at the logs, which user executed the program 3791.exe on the server?
Search the hash on VirusTotal. What other name is associated with this file 3791.exe?
The Fortigate firewall (‘fortigate_utm’) detected an SQL injection attempt from the attacker’s IP 40.80.148.42. What is the name of the rule that was triggered during the SQL injection attempt?
Based on the data gathered from this attack and common open-source intelligence sources for domain names, what is the email address that is most likely associated with the P01s0n1vy APT group?
What is the name of the Malware associated with the Poison Ivy Infrastructure?
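Several of the questions above (the URI that received multiple brute-force attempts, the number of unique passwords tried, the password that finally worked) come down to one aggregation over web-server form-post events: group POSTs by source and URI, count attempts, count distinct passwords, and look for a success signal. The following Python is an added example of that detection logic and is not code from the room or from Splunk; it runs over constructed sample events whose field names (src_ip, uri, method, form_password, status) are assumptions for this example, not the room's actual Splunk field names, and it treats a 302/303 redirect after a POST as the login-success signal, which is also an assumption. In Splunk the same aggregation is the shape of a `stats count dc(form_password) by src_ip uri` search.

```python
"""Brute-force login detection over web-server POST events (added example).

Constructed sample data and assumed field names; not the room's dataset or
Splunk's own field extractions.
"""
from collections import defaultdict


def build_sample_events():
    """Constructed events: one source hammers a login URI with several
    guesses (one guess repeated), then gets a redirect; a second source
    makes one ordinary POST and one GET. All values are made up."""
    events = []
    guesses = ["pass01", "pass02", "pass03", "pass02", "pass04", "pass05", "pass06"]
    for guess in guesses:
        events.append({"src_ip": "203.0.113.5", "uri": "/admin/login",
                       "method": "POST", "form_password": guess, "status": 200})
    # Assumed success signal: the POST that is answered with a redirect.
    events.append({"src_ip": "203.0.113.5", "uri": "/admin/login",
                   "method": "POST", "form_password": "pass07", "status": 303})
    events.append({"src_ip": "198.51.100.9", "uri": "/admin/login",
                   "method": "POST", "form_password": "mypw", "status": 200})
    events.append({"src_ip": "198.51.100.9", "uri": "/index.php",
                   "method": "GET", "form_password": None, "status": 200})
    return events


def aggregate_login_attempts(events):
    """Group POSTs by (src_ip, uri): count attempts, collect distinct
    passwords, and remember the first password answered with a redirect.
    Mirrors `stats count dc(form_password) by src_ip uri` in Splunk."""
    buckets = defaultdict(lambda: {"attempts": 0, "passwords": set(), "success": None})
    for event in events:
        if event["method"] != "POST":
            continue  # only form submissions count as login attempts
        bucket = buckets[(event["src_ip"], event["uri"])]
        bucket["attempts"] += 1
        bucket["passwords"].add(event["form_password"])
        if event["status"] in (302, 303) and bucket["success"] is None:
            bucket["success"] = event["form_password"]
    return buckets


def find_brute_force(events, threshold=5):
    """Return one finding per (src_ip, uri) pair whose POST count reaches
    the threshold; each finding carries the figures an analyst would report."""
    findings = []
    for (src_ip, uri), bucket in aggregate_login_attempts(events).items():
        if bucket["attempts"] >= threshold:
            findings.append({
                "src_ip": src_ip,
                "uri": uri,
                "attempts": bucket["attempts"],
                "unique_passwords": len(bucket["passwords"]),
                "successful_password": bucket["success"],
            })
    return findings


if __name__ == "__main__":
    for finding in find_brute_force(build_sample_events()):
        print(finding)
```

A production version of this rule would also bucket by time (the `bin _time` step in Splunk) so that a handful of failed logins spread over a month does not trip the threshold, and would confirm the success signal against the application's own authentication log rather than trusting the HTTP status alone.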