Incident Response and Kill Chain Analysis

ElektraEmber

HDD-drive
User
Registered
26.02.2024
Messages
49
Reactions
16
Hi, I want to learn about incident response and understand all stages of the kill chain, including how defenders can prevent an attack at every step. Someone shared some SANS courses, but I cannot afford them. Where else can I learn and practice so that I remember it?

Any good free resources where you learned are welcome :)
The incident response protocol really isn't universal. There are different steps depending on what tools are in use, the nature of the incident, etc. Let's go over a few scenarios:
Scenario 1: You send a phishing email to one or more of the employees with the intention of gaining initial access or credentials. If your email contains spam signatures, suspicious URLs (domain attributes like age and trust are analyzed too), easily identifiable malware, or you trip any rule they have in place, this may create an alert for the SOC to triage. The SOC will then analyze the email and its contents including headers. If they determine it is malicious, they will block the sender company-wide, they may ask the recipients if they clicked on anything or downloaded anything and if they did will inspect their computers, and will definitely issue an alert to employees to look out for phishing emails (if they're competent).

Scenario 2: You already have access to the environment. During post exploitation, you trigger an alert. Let's say you created a suspicious parent-child process relation (for example: Microsoft Word spawning cmd.exe). This will likely generate an alert if they have an EDR or similar tool in use. They will get an alert usually containing the following information - Computer/Host/IP, Process ID, Process name, Severity, and the rule that was triggered. They then will either remote into the machine or physically inspect it, or use built-in tools in the EDR for the next steps:
They will quarantine/block the process/file. They may or may not get a memory dump for analysis. They will further investigate where the compromise/alert came from to determine the initial access point, whether it was via phishing, VPN creds, RDP, etc. This will involve going through the various logs for those applications/services/the OS. Once they determine that, they will respond according to what the entrance method was. If it was VPN creds they'll revoke those creds and may or may not issue a company-wide password reset order. If it was phishing they'll do something similar to scenario 1 but with some more analysis. If they use a managed service provider or managed detection and response provider, they will be the most likely ones to do the extra steps to get more info for analysis.

Scenario 3: You completed a successful attack, but it was discovered after the fact. They will mostly do the same thing as scenario 2. If you did damage like ransomware, the response will depend on a lot more factors like what fallbacks they have, how much money it's costing them etc.

Keep in mind again, that this depends on so much. If the blue team is not competent they won't be able to effectively defend the network even with all the tools in the world. They may have an overly sensitive EDR configuration and get fatigued from seeing so many of the same alerts pop up over and over that they just turn it down or straight up ignore certain alerts. Many, many things factor into how those people are going to respond.

To learn, go where the blue teamers/SOCs go to learn. So much valuable information in the cybersecurity space is shared on forums, social media, even podcasts that people in the industry run. Twitter, Reddit, and LinkedIn are good places to start. Many tools defenders use will have their own subreddit or even a dedicated forum. YouTube has a lot of very good conference talks to take a look at too. Look into documentation for various tools that defenders use: EDRs, logging tools, SIEMs, etc. So all in all, look for:
- blue team/SOC/defense-tools podcasts/forums/subreddits. (very important)
- Documentation on the software commonly used (Elastic is a great source for EDR-related documentation. Also very important).

This is one of the reasons reconnaissance is so important. Stalk the hell out of whatever defenders/employees you want to learn about on LinkedIn and their other socials. See if they post about what EDR/defense tools/software they use so you can better target your attack :)

Cheers!
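Scenario 2 in the reply above describes the kind of EDR alert a SOC receives when a suspicious parent-child process relation fires (Microsoft Word spawning cmd.exe). The block below is an added example, not code from the reply or from any EDR product: a small detection rule run over constructed process-creation telemetry in JSON lines. The field names are modelled loosely on Sysmon Event ID 1 (ProcessCreate), and the parent/child lists, severity labels and command-line escalators are assumptions chosen for illustration.

```python
"""
Toy EDR-style rule: Office application spawning a command interpreter.
Emits an alert with the same fields the reply says a SOC sees
(host, process ID, process name, severity, triggered rule).
"""
import json
from typing import Optional

# Assumed rule parameters (not from any product's ruleset).
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
# Command-line fragments that raise severity when seen together with the parent/child match.
ESCALATORS = ("-enc", "-encodedcommand", "-w hidden", "-windowstyle hidden")

# Constructed sample telemetry (JSON lines); hostnames, PIDs and paths are made up.
# Backslashes are JSON-escaped inside this raw string.
SAMPLE_LOG = r"""
{"Computer": "WS-042", "ProcessId": 4812, "Image": "C:\\Windows\\System32\\cmd.exe", "ParentImage": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE", "CommandLine": "cmd.exe /c whoami"}
{"Computer": "WS-042", "ProcessId": 4820, "Image": "C:\\Windows\\splwow64.exe", "ParentImage": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE", "CommandLine": "splwow64.exe"}
{"Computer": "WS-017", "ProcessId": 1337, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "powershell.exe"}
{"Computer": "WS-017", "ProcessId": 2210, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "ParentImage": "C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE", "CommandLine": "powershell.exe -nop -w hidden -enc AAAA"}
not-json-garbage-line
"""


def basename(path: str) -> str:
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def evaluate(event: dict) -> Optional[dict]:
    """Return an alert dict if the event matches the rule, else None."""
    parent = basename(event.get("ParentImage", ""))
    child = basename(event.get("Image", ""))
    if parent not in OFFICE_APPS or child not in SHELLS:
        return None  # e.g. Word spawning the print helper is not interesting
    cmd = event.get("CommandLine", "").lower()
    severity = "critical" if any(tok in cmd for tok in ESCALATORS) else "high"
    return {
        "host": event.get("Computer"),
        "pid": event.get("ProcessId"),
        "process": child,
        "parent": parent,
        "severity": severity,
        "rule": "office_app_spawned_shell",
    }


def parse_events(text: str) -> list:
    """Parse JSON lines; malformed telemetry is skipped rather than aborting triage."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return events


def triage(text: str) -> list:
    """Run the rule over every parsed event and collect the alerts in log order."""
    return [alert for alert in map(evaluate, parse_events(text)) if alert is not None]


if __name__ == "__main__":
    for alert in triage(SAMPLE_LOG):
        print(alert)
```

On the sample above, two events alert: cmd.exe under WINWORD.EXE on WS-042 (high) and powershell.exe under EXCEL.EXE on WS-017 (critical, because of the hidden-window and encoded-command flags). Word spawning splwow64.exe and Explorer spawning PowerShell produce nothing, which is the point of keying the rule on specific child processes rather than on "anything Word spawns": a rule that is too broad is exactly what produces the alert fatigue the reply mentions later.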