After reading Kaspersky's incident response guide

Posted by fierce at 2020-03-28

A few days ago, Kaspersky released a security incident response guide (see the link in the original post for details). Having read it through, my impression is that it is a very basic process introduction with fairly complete supporting material, suitable for network administrators and first-line security incident responders. Naturally, the document also carries a good deal of Kaspersky's own product promotion. In substance it is practical material, consisting mainly of the following parts:

1. Terms and definitions. The basic concepts used in the document are explained in plain, non-academic language.

2. Introduction to Lockheed Martin's kill chain. You cannot design a defense without knowing the attack, so the reader gets an overview of the attacker's basic playbook.

3. Recommended basic incident response steps: preparation, identification, containment (isolation), eradication (removal), recovery and lessons learned (reflection).

4. A detailed walkthrough of response handling based on a fictitious incident.

5. Recommended tools: IOC collection, forensic processing, analysis and cleanup.

In fact, what struck me most is the role of IOCs. The term IOC appears more than 50 times in the document. Essentially the whole incident response process is driven by IOCs as its starting point; in other words, incident response is driven by threat intelligence. Nowadays everyone is talking about the new trends in security, and a conference talk that does not mention machine learning or artificial intelligence is almost embarrassing; without ML/AI backing, a security startup can hardly attract investment. Yet in practice IOCs, the lowest-level form of threat intelligence, are the most effective way for organizations with weak security capabilities to find security incidents. There is more than one such source, and the 360 Threat Intelligence Center is one that provides accurate and effective IOC threat intelligence with rich context. Only a year or two ago, threat intelligence slogans were everywhere at security exhibitions; at this year's Black Hat they were basically gone and everyone was talking about machine learning and anomaly detection, yet almost every detection product integrates ingestible threat intelligence, which quietly took effect once nobody was talking about it anymore.

Overall, Kaspersky's guide is standard in content but not rich in detail; it is a primer, and building real working capability requires more reading and practice. However, the section on incident triggers is genuinely valuable, so a rough translation follows for peers who lack the time to read the original document.

Incident triggers

An incident trigger is an event whose appearance indicates real harm in the network. When such an event occurs, the incident response team should be aware that attack activity is under way in the network. In this sense, incident triggers differ from ordinary network activity events.

Incident triggers generated by the antivirus system

The antivirus management system collects event information from endpoints. When an endpoint detects a threat, it reports the event to the management system. But not every such event is an incident trigger. For example, malicious code that is detected and then successfully removed is not an event that needs a response.

Alert events are generated only when:

A connection to a known C&C server is made

Removal of malicious code failed

Malicious code is repeatedly detected on the same computer

The protection level is reduced because of an error or failure of the antivirus system

Suspicious activity that can serve as an incident trigger

Some abnormal signs can also serve as incident triggers. Their appearance requires the security team to step in and investigate. Here are some examples:

Unknown software that starts automatically with the operating system

An unknown service in the system service list

Executables run from directories from which the operating system would normally not start programs, such as system cache and temporary directories

A library loaded from a directory that is unlikely to hold library files, for example a system library loaded from a software installation directory

Unexpected user privilege escalation

Tools that are legitimate but very likely to be used by attackers, such as mimikatz, Windows Credentials Editor and various remote control tools

The following suspicious network behaviors can also serve as incident triggers:

An unexpected surge in DNS or ICMP traffic

Communication with domain names that frequently change their IP addresses, which may indicate that an attacker is using fast-flux DNS to hide the C&C server behind compromised machines acting as proxies

Communication with URLs contained in Kaspersky Lab's threat intelligence data, such as landing pages classified as belonging to a malicious exploit kit

Communication with IP addresses contained in Kaspersky's threat intelligence data, for example IPs classified as scan sources or used to perform DDoS attacks

Interaction with domain names whose WHOIS information is suspicious
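The fast-flux and threat-intelligence checks from the network list above, as an added Python example that is not part of the original post or of Kaspersky's guide. The resolver log lines, the IOC list and the thresholds (at least four distinct IPs, TTL at most 300 seconds, addresses spread over more than one /24) are constructed assumptions.

```python
import re
from collections import defaultdict
# Constructed DNS resolver log lines (one A-record query and answer per line)
# using documentation address ranges. Not real traffic from any network.
DNS_LOG = """\
2020-03-27T10:00:01 client=10.0.0.5 qname=mail.example.com ttl=3600 answer=192.0.2.10
2020-03-27T10:00:05 client=10.0.0.5 qname=cdn-sync.example.net ttl=60 answer=203.0.113.11
2020-03-27T10:01:10 client=10.0.0.5 qname=cdn-sync.example.net ttl=60 answer=203.0.113.52
2020-03-27T10:02:15 client=10.0.0.5 qname=cdn-sync.example.net ttl=60 answer=198.51.100.7
2020-03-27T10:03:20 client=10.0.0.5 qname=cdn-sync.example.net ttl=60 answer=198.51.100.91
2020-03-27T10:04:25 client=10.0.0.5 qname=cdn-sync.example.net ttl=60 answer=203.0.113.140
2020-03-27T10:05:30 client=10.0.0.9 qname=static.example.org ttl=30 answer=192.0.2.21
2020-03-27T10:06:30 client=10.0.0.9 qname=static.example.org ttl=30 answer=192.0.2.22
2020-03-27T10:07:30 client=10.0.0.9 qname=static.example.org ttl=30 answer=192.0.2.23
2020-03-27T10:08:30 client=10.0.0.9 qname=static.example.org ttl=30 answer=192.0.2.24
"""
# Constructed threat-intelligence IOC list standing in for a vendor feed.
IOC_IPS = {"198.51.100.91"}
LINE = re.compile(r"^(\S+) client=(\S+) qname=(\S+) ttl=(\d+) answer=(\S+)$")

def parse(log):
    """Turn log lines into dicts; lines that do not match the format are skipped."""
    records = []
    for line in log.splitlines():
        m = LINE.match(line)
        if m:
            ts, client, qname, ttl, answer = m.groups()
            records.append({"ts": ts, "client": client, "qname": qname.lower(), "ttl": int(ttl), "answer": answer})
    return records

def fast_flux_candidates(records, min_ips=4, max_ttl=300):
    """Domains whose answers churn through many distinct IPs with short TTLs
    and spread over more than one /24: one load-balanced block is ordinary,
    addresses scattered across unrelated networks are worth a look."""
    ips, ttls = defaultdict(set), defaultdict(list)
    for r in records:
        ips[r["qname"]].add(r["answer"])
        ttls[r["qname"]].append(r["ttl"])
    hits = {}
    for name, addrs in ips.items():
        subnets = {a.rsplit(".", 1)[0] for a in addrs}  # /24 prefix of each answer
        if len(addrs) >= min_ips and max(ttls[name]) <= max_ttl and len(subnets) > 1:
            hits[name] = sorted(addrs)
    return hits

def ioc_matches(records, ioc_ips):
    """(client, qname, answer) for every resolution that landed on a listed IP."""
    return [(r["client"], r["qname"], r["answer"]) for r in records if r["answer"] in ioc_ips]
```

The static.example.org entries show the edge case: many short-TTL answers inside a single /24 are not reported, since that pattern is ordinary CDN behaviour.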

The abnormal signs listed above can also serve as starting points for threat hunting, and experienced attack and defense analysts can list many more scenarios. At this year's Black Hat, Splunk presented two ways of finding unknown attacks by searching for unusual host behavior. They are actually very simple: search the process logs produced by Microsoft's Sysmon for rare process chains and rare executable paths. The 360 Threat Intelligence Center's internal threat hunting has used similar ideas to find targeted attacks in practice.
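The rare-chain and rare-path search just described, applied to the host triggers listed earlier (programs started from temp or cache directories), as an added Python example that is neither Splunk's nor Kaspersky's code. The Sysmon process-creation records, the directory list and the rarity threshold are constructed assumptions.

```python
import ntpath
import re
from collections import Counter

# Constructed Sysmon Event ID 1 (process creation) records reduced to the
# fields the checks need. Not real telemetry from any environment.
SAMPLE_EVENTS = [
    {"host": "WS01", "parent": r"C:\Windows\explorer.exe", "image": r"C:\Program Files\Microsoft Office\WINWORD.EXE"},
    {"host": "WS02", "parent": r"C:\Windows\explorer.exe", "image": r"C:\Program Files\Microsoft Office\WINWORD.EXE"},
    {"host": "WS03", "parent": r"C:\Windows\explorer.exe", "image": r"C:\Program Files\Microsoft Office\WINWORD.EXE"},
    {"host": "WS01", "parent": r"C:\Windows\System32\services.exe", "image": r"C:\Windows\System32\svchost.exe"},
    {"host": "WS02", "parent": r"C:\Windows\System32\services.exe", "image": r"C:\Windows\System32\svchost.exe"},
    {"host": "WS03", "parent": r"C:\Windows\System32\services.exe", "image": r"C:\Windows\System32\svchost.exe"},
    {"host": "WS02", "parent": r"C:\Program Files\Microsoft Office\WINWORD.EXE", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"host": "WS02", "parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "image": r"C:\Users\bob\AppData\Local\Temp\upd.exe"},
]

# Directories the OS would not normally start a program from: user and system
# temp directories and the browser cache (an assumed list; extend as needed).
UNUSUAL_DIRS = re.compile(r"\\(AppData\\Local\\Temp|Windows\\Temp|INetCache)\\", re.I)

def unusual_path(image):
    """True if the executable was started from a temp or cache directory."""
    return bool(UNUSUAL_DIRS.search(image))

def chain(event):
    """(parent file name, child file name), lower-cased, for counting."""
    return (ntpath.basename(event["parent"]).lower(), ntpath.basename(event["image"]).lower())

def triage(events, rare_below=2):
    """Return (host, image, reason) for events an analyst should look at:
    a parent->child chain seen fewer than rare_below times across the whole
    dataset, or an executable started from an unusual directory."""
    counts = Counter(chain(e) for e in events)
    findings = []
    for e in events:
        parent, child = chain(e)
        if counts[(parent, child)] < rare_below:
            findings.append((e["host"], e["image"], "rare process chain %s -> %s" % (parent, child)))
        if unusual_path(e["image"]):
            findings.append((e["host"], e["image"], "executable started from temp/cache directory"))
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(*finding)
```

On the sample data the three common chains are silent and only the two one-off events on WS02 surface, the second of them for both reasons.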