Can you identify biases in each other?

Cliff spends time searching Usenet for news about hackers that might be related. He comes into contact with Bob at the University of Toronto. Bob tells Cliff that attackers from the German Chaos Computer Club broke into his network through CERN, and that they had also been in the Fermilab computers. They went by the aliases Hagbard and Pengo. It turns out these same usernames were observed during a Stanford breach.

Open Source Intelligence and the Diamond Model

Cliff's examination of Usenet threads related to the breach he was investigating is an example of open source intelligence (OSINT) investigation. The power of collective intelligence is vast, and it is something many security practitioners rely on when conducting investigations. I discussed sources of OSINT and demonstrated pivoting based on indicators from a real investigation. I also discussed the Diamond Model as a method of assimilating and characterizing collected information to form a clear picture of the events that have transpired.

The Original Diamond Model of Intrusion Analysis paper:
Diamond Model meets Star Wars from ThreatConnect:

Sign up for an Alienvault OTX account and familiarize yourself with the interface. Read a few of the blog posts and explore the available information. Find one of the file hashes from and search for it on VirusTotal. Search for an IP and domain on Alienvault OTX and see if you can find related malicious infrastructure.

Cliff discovers additional victims of the attackers. These include the Ballistic Research Laboratory and TRW, a company developing US Keyhole spy satellites. Meanwhile, the Bundespost gets back in touch and shares that the source of the call is a VAX computer at the University of Bremen. They discovered an account that appears to be compromised and are going to monitor it for the next time the attacker comes back.

Cliff's boss comes in and tells him that it is time to end the investigation. Cliff fails to convince him otherwise and begins a plan to change the passwords of all 1200 users on the network. Fortunately, the FBI got involved and convinced his boss to keep the investigation open a little while longer. Not long after this, Cliff hears that the DOE is filing a complaint against LBL for not reporting the incident when it happened. Of course, Cliff did do that! He has it recorded in his log book.

When Cliff believes the investigation is over, he starts to think about the incident response process. The standard incident response model is called PICERL: Preparation, Identification, Containment, Eradication, Recovery, and Lessons Learned. While the PICERL model didn't exist in Cliff's time, he was actually thinking about the transition from identification to containment. I briefly provided an overview of this process as an introduction to incident response.

Incident Handlers Handbook white paper:
Incident Response Process white paper:
NERC Incident Response Planning presentation:
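The indicator pivoting and the Diamond Model described in the OSINT section above can be shown on a small data structure. What follows is an added example written for this page; it is not code from the original post, from the Diamond Model paper or from ThreatConnect. The DiamondEvent class, the event() helper and the pivot() function are my own assumptions, and the sample events are constructed only from facts the chapter summaries state (the two aliases, the sites named as victims, CERN as the path in, the Bremen VAX as the call source and the compromised account). The pivot walks from one indicator to every event that shares it, then follows the indicators those events expose, so that an analyst can see both what is linked and which Diamond vertices are still empty.

```python
from collections import defaultdict
from dataclasses import dataclass

# The four Diamond Model vertices (Caltagirone, Pendergast and Betz).
VERTICES = ("adversary", "capability", "infrastructure", "victim")


@dataclass(frozen=True)
class DiamondEvent:
    """One intrusion event: each vertex holds the indicators observed for it."""
    event_id: str
    adversary: frozenset
    capability: frozenset
    infrastructure: frozenset
    victim: frozenset
    source: str  # where the information came from (OSINT, a peer, a carrier)

    def indicators(self):
        """Yield (vertex, value) pairs for every indicator on this event."""
        for vertex in VERTICES:
            for value in getattr(self, vertex):
                yield (vertex, value)

    def empty_vertices(self):
        """Vertices with no indicator yet: the gaps an analyst still has to fill."""
        return [v for v in VERTICES if not getattr(self, v)]


def event(event_id, source, adversary=(), capability=(), infrastructure=(), victim=()):
    """Hypothetical convenience constructor; turns any iterable into a frozenset."""
    return DiamondEvent(event_id, frozenset(adversary), frozenset(capability),
                        frozenset(infrastructure), frozenset(victim), source)


# Constructed sample data, built only from what the book-club summary states.
EVENTS = [
    event("toronto-cern", "Bob at the University of Toronto (via Usenet)",
          adversary={"Hagbard", "Pengo"}, infrastructure={"CERN"},
          victim={"University of Toronto", "Fermilab"}),
    event("stanford", "Stanford breach (Usenet thread)",
          adversary={"Hagbard", "Pengo"}, victim={"Stanford"}),
    event("lbl-trace", "Bundespost trace plus LBL monitoring",
          capability={"compromised account"},
          infrastructure={"University of Bremen VAX"},
          victim={"LBL", "Ballistic Research Laboratory", "TRW"}),
]


def build_index(events):
    """Map every (vertex, indicator) pair to the ids of the events that carry it."""
    index = defaultdict(set)
    for ev in events:
        for key in ev.indicators():
            index[key].add(ev.event_id)
    return index


def pivot(events, vertex, value, max_hops=2):
    """Breadth-first pivot from one indicator.

    Hop 1 collects every event sharing the starting indicator; each later hop
    follows every indicator exposed by the events found so far. Returns the
    event ids reached per hop and the full set of indicators touched."""
    by_id = {ev.event_id: ev for ev in events}
    index = build_index(events)
    frontier = {(vertex, value)}
    touched = set(frontier)
    reached, hops = set(), []
    for _ in range(max_hops):
        new_events = set()
        for key in frontier:
            new_events |= index.get(key, set()) - reached
        if not new_events:
            break  # nothing on this hop shares an indicator: the graph is exhausted
        reached |= new_events
        frontier = set()
        for event_id in new_events:
            for key in by_id[event_id].indicators():
                if key not in touched:
                    touched.add(key)
                    frontier.add(key)
        hops.append(sorted(new_events))
    return hops, touched


if __name__ == "__main__":
    hops, touched = pivot(EVENTS, "adversary", "Hagbard")
    for n, ids in enumerate(hops, start=1):
        print(f"hop {n}: {ids}")
    print("indicators touched:", sorted(touched))
    for ev in EVENTS:
        print(ev.event_id, "still missing:", ev.empty_vertices())
```

Pivoting on the alias Hagbard links the Toronto/CERN/Fermilab report and the Stanford breach in one hop, but never reaches the LBL trace, because that event has no adversary indicator yet; empty_vertices() makes that gap explicit, which is exactly the state Cliff was in before the Bundespost trace resolved.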