DEV Community

Hafiz Muhammad Attaullah

Incident Response For Common Attack Types

  1. Brute Forcing

Details:
An attacker tries to guess a password by attempting many different passwords against an account
Threat Indicators:
Multiple login failures in a short period of time
Where To Investigate:
• Active Directory logs
• Application logs
• Operating system logs
• Contact user
Possible Actions:
If not a legitimate action, disable the account and investigate/block the attacker
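The brute-forcing indicator above (many login failures for one account in a short window) is easy to turn into detection logic. This is an added example, not code from the original post: it runs a sliding window over constructed authentication log lines in a hypothetical `timestamp EVENT user=... src=...` format, raises one alert per (user, source) pair that crosses the threshold, and marks whether a successful login followed the burst, which is the case where the post's action (disable the account, investigate) is most urgent.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines in a hypothetical format; not from any real system.
SAMPLE_LOG = """\
2024-03-01T09:00:01Z LOGIN_FAILURE user=alice src=10.0.0.5
2024-03-01T09:00:03Z LOGIN_FAILURE user=alice src=10.0.0.5
2024-03-01T09:00:04Z LOGIN_FAILURE user=alice src=10.0.0.5
2024-03-01T09:00:06Z LOGIN_FAILURE user=alice src=10.0.0.5
2024-03-01T09:00:08Z LOGIN_FAILURE user=alice src=10.0.0.5
2024-03-01T09:00:09Z LOGIN_SUCCESS user=alice src=10.0.0.5
2024-03-01T09:05:00Z LOGIN_FAILURE user=bob src=10.0.0.9
2024-03-01T09:30:00Z LOGIN_FAILURE user=bob src=10.0.0.9
2024-03-01T10:00:00Z LOGIN_FAILURE user=bob src=10.0.0.9
"""


def parse_line(line):
    """Split one log line into (timestamp, event, user, src)."""
    ts, event, *kv = line.split()
    fields = dict(pair.split("=", 1) for pair in kv)
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), event, fields["user"], fields["src"]


def detect_brute_force(log_text, threshold=5, window=timedelta(minutes=1)):
    """Alert when `threshold` failures for one (user, src) fall inside `window`.

    Returns a list of alert dicts; `success_after` is True when a LOGIN_SUCCESS
    for the same (user, src) is seen after the alert fired (likely compromise).
    """
    failures = defaultdict(list)   # (user, src) -> failure timestamps inside the window
    alerts = {}                    # (user, src) -> alert dict (one alert per burst)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, event, user, src = parse_line(line)
        key = (user, src)
        if event == "LOGIN_FAILURE":
            hits = failures[key]
            hits.append(ts)
            # Drop failures that fell out of the sliding window ending at ts.
            while ts - hits[0] > window:
                hits.pop(0)
            if len(hits) >= threshold and key not in alerts:
                alerts[key] = {"user": user, "src": src, "failures": len(hits),
                               "first": hits[0], "last": ts, "success_after": False}
        elif event == "LOGIN_SUCCESS" and key in alerts:
            alerts[key]["success_after"] = True
    return list(alerts.values())
```

With the sample above, alice trips the threshold and then logs in successfully, while bob's three failures spread over an hour never fall inside one window and produce no alert.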

  2. Botnets

Details:
Attackers are using the victim server to perform DDoS attacks or other malicious activities
Threat Indicators:
• Connection to suspicious IPs
• Abnormal high volume of network traffic
Where To Investigate:
• Network traffic
• OS logs (new processes)
• Contact server owner
• Contact support team
Possible Actions:
If confirmed:
• Isolate the server
• Remove malicious processes
• Patch the vulnerability utilized for infection

  3. Ransomware

Details:
A type of malware that encrypts files and requests a ransom (money payment) from the user to decrypt the files
Threat Indicators:
• Anti-Virus alerts
• Connection to suspicious IPs
Where To Investigate:
• AV logs
• OS logs
• Account logs
• Network traffic
Possible Actions:
• Request AV checks
• Isolate the machine

  4. Data Exfiltration

Details:
The attacker (or rogue employee) exfiltrates data to external sources
Threat Indicators:
• Abnormal high network traffic
• Connection to cloud-storage solutions (Dropbox, Google Cloud)
• Unusual USB sticks
Where To Investigate:
• Network traffic
• Proxy logs
• OS logs
Possible Actions:
• If employee: Contact manager, perform full forensics
• If external threat: Isolate the machine, disconnect from network

  5. Compromised Account

Details:
Attackers get access to one account (via social engineering or any other method)
Threat Indicators:
• Off-hours account logins
• Account group changes
• Abnormal high network traffic
Where To Investigate:
• Active Directory logs
• OS logs
• Network traffic
• Contact user for clarifications
Possible Actions:
If confirmed:
• Disable account
• Password changes
• Forensic investigations

  6. Denial Of Service (DoS/DDoS)

Details:
An attacker disrupts a system either by exploiting DoS vulnerabilities or by generating a high volume of traffic
Threat Indicators:
Abnormal high network traffic in public facing servers
Where To Investigate:
• Network traffic
• Firewall logs
• OS logs
Possible Actions:
• If DoS due to vulnerabilities: Contact the patching team for remediation
• If DDoS due to network traffic: Contact network support or the ISP
