ISE 620 Module 5 Lab
SNHU
Unauthorized Activities: Courses of Action
ATTACK STEP: Targeting
Objective: Decide who to attack
ATTACK ACTION:
- Utilize a scanning tool to scan a network for open ports on the firewall.
- Scan the public-facing Microsoft Windows servers to identify vulnerabilities and possible victim hosts.
DEFENSIVE COUNTERMEASURE: Identify suspicious external connections to a public-facing Microsoft Windows server.
DEFENSIVE STEP (IR PROCESS): Identification
DETECTION POINT: The firewall connection logs will disclose the connections to suspicious, unknown or anonymous IP addresses.
INDICATOR(S) OF ATTACK: Connections to IP addresses that have been reported as abused or malicious in any reliable and reputable database, such as www.abuseipdb.com.
ANNOTATION:
Vulnerability scanners are vital tools available to security practitioners as well as attackers, and both parties use them to achieve important goals. Security practitioners use vulnerability scanners to locate open vulnerabilities in their systems or network; the results help them patch the identified vulnerabilities and make other changes as necessary.
Attackers use vulnerability scanning tools to locate the victims they intend to attack and to identify the key exploits these victims might be susceptible to.
Many modern firewalls and security appliances, such as advanced Security Incident and Event Management (SIEM) platforms, can monitor network traffic and detect vulnerabilities and other suspicious connections. Security practitioners can establish rules in modern firewalls that drop the connection when a malicious connection is detected. It is still necessary to evaluate every event, even if the connection has been dropped, because the collected information gives detailed insight for redesigning future security decisions.
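The detection point above (firewall connection logs correlated with an IP reputation source such as AbuseIPDB) worked through as an added example; this is not code from the lab. The log format, the internal address ranges and the reputation scores are all constructed for illustration, and dropped connections are deliberately kept in the output because the annotation says they still need review.

```python
import ipaddress
import re

# Constructed sample of firewall connection log lines (not from any real device).
FIREWALL_LOG = """\
2024-03-02T10:15:01Z ALLOW TCP 10.0.5.12:51234 -> 203.0.113.77:443
2024-03-02T10:15:04Z ALLOW TCP 10.0.5.12:51240 -> 192.0.2.10:22
2024-03-02T10:15:09Z DROP TCP 198.51.100.5:44120 -> 10.0.5.12:3389
2024-03-02T10:16:30Z ALLOW TCP 10.0.5.12:51301 -> 10.0.7.3:445
"""
# Constructed stand-in for a locally cached reputation feed (e.g. AbuseIPDB confidence scores).
REPUTATION = {"192.0.2.10": 100, "198.51.100.5": 85}
# Address ranges the organisation treats as internal (assumed for this example).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>ALLOW|DROP) (?P<proto>\w+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def parse_log(log):
    """Turn each well-formed log line into a dict; malformed lines are skipped."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def external_peer(event):
    """Return the endpoint outside INTERNAL_NETS, or None for purely internal traffic."""
    for key in ("src", "dst"):
        addr = ipaddress.ip_address(event[key])
        if not any(addr in net for net in INTERNAL_NETS):
            return event[key]
    return None


def flag_suspicious(events, reputation, min_score=50):
    """Alert on every connection whose external peer has a bad reputation score.
    DROPped connections are kept on purpose: each event still needs review."""
    alerts = []
    for ev in events:
        peer = external_peer(ev)
        if peer is None:
            continue
        score = reputation.get(peer, 0)
        if score >= min_score:
            alerts.append({"ts": ev["ts"], "peer": peer, "score": score, "action": ev["action"]})
    return alerts
```

Feeding the constructed log through `flag_suspicious(parse_log(FIREWALL_LOG), REPUTATION)` yields two alerts: the allowed SSH connection to 192.0.2.10 and the dropped inbound RDP attempt from 198.51.100.5.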
ATTACK STEP: Targeting
Objective: Decide what to attack
ATTACK ACTION: Gain remote administrative access to at least one vulnerable server in a potential target network.
DEFENSIVE COUNTERMEASURE: Identify suspicious group membership changes for the guest user account.
DEFENSIVE STEP (IR PROCESS): Identification
DETECTION POINT: Windows Event logs that show unauthorized alterations or changes made to a Windows group or user.
INDICATOR(S) OF ATTACK: The guest user account appears in a privileged user group without prior security team approval or coordination.
ANNOTATION:
Security practitioners need to know the network quite well, including what constitutes normal behavior. Since every network is unique, activity within these networks differs drastically depending on the size of the organization and the industry in which it operates. Security practitioners must take the time to build and maintain a proper understanding of normal traffic within the network environment. This understanding of normal traffic helps security practitioners identify anomalous activity within the network, such as when a new account is created or an improper permission is granted.
It is vital to develop and use a distinctive naming convention that helps security practitioners identify anomalous activity effectively. For instance, instead of using a standard First Initial and Last Name username convention (i.e. TJones), it can be varied so that it is less predictable (i.e. JonesT, Trevor_Jones, etc.). Such an approach enables security practitioners to identify when an unauthorized account has been created. It also gives them another indicator for identifying failed login attempts (an individual who knows the naming convention vs. an individual who only knows an employee's name but does not know the naming convention).
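An added example (not part of the lab) of the two checks this row and its annotation describe: the Guest account appearing in a privileged group without an approval record, and a newly created account that does not follow the organisation's naming convention. The Windows Security event IDs used are real (4732/4728/4756 for a member added to a local/global/universal group, 4720 for account creation), but the event records, the approval list and the JonesT-style naming pattern are constructed assumptions.

```python
import re

# Privileged groups to watch, and the Security log event IDs for membership additions
# (4732 local group, 4728 global group, 4756 universal group) and account creation (4720).
PRIVILEGED_GROUPS = {"Administrators", "Remote Desktop Users", "Backup Operators"}
MEMBER_ADDED = {4732, 4728, 4756}
ACCOUNT_CREATED = 4720

# Constructed, simplified event records (not real exported Windows events).
EVENTS = [
    {"id": 4732, "host": "WEB01", "subject": "CORP\\tjones", "member": "CORP\\Guest", "group": "Administrators"},
    {"id": 4732, "host": "WEB01", "subject": "CORP\\itops", "member": "CORP\\svc_backup", "group": "Backup Operators"},
    {"id": 4728, "host": "DC01", "subject": "CORP\\itops", "member": "CORP\\Guest", "group": "Domain Users"},
    {"id": 4624, "host": "WEB01", "subject": "CORP\\Guest"},
    {"id": 4720, "host": "DC01", "subject": "CORP\\itops", "member": "CORP\\JonesT"},
    {"id": 4720, "host": "DC01", "subject": "CORP\\tjones", "member": "CORP\\tjones2"},
]
# Changes the security team approved in advance as (member, group, host). Constructed.
APPROVED = {("CORP\\svc_backup", "Backup Operators", "WEB01")}
# Assumed organisational convention: last name followed by first initial, e.g. JonesT.
NAMING_RE = re.compile(r"^[A-Z][a-z]+[A-Z]$")


def account_name(sam):
    """Strip the DOMAIN\\ prefix from a SAM-style account name."""
    return sam.split("\\", 1)[-1]


def unapproved_privileged_additions(events, approved):
    """Membership additions to a privileged group that have no matching approval record."""
    hits = []
    for ev in events:
        if ev["id"] not in MEMBER_ADDED or ev["group"] not in PRIVILEGED_GROUPS:
            continue
        if (ev["member"], ev["group"], ev["host"]) in approved:
            continue
        hits.append(ev)
    return hits


def guest_in_privileged_group(events, approved):
    """The row's specific indicator: the Guest account landing in a privileged group."""
    return [ev for ev in unapproved_privileged_additions(events, approved)
            if account_name(ev["member"]).lower() == "guest"]


def nonconforming_new_accounts(events, pattern=NAMING_RE):
    """Newly created accounts whose names do not follow the convention; an account in the
    'obvious' FirstInitialLastName style is the kind of creation the annotation wants noticed."""
    return [ev["member"] for ev in events
            if ev["id"] == ACCOUNT_CREATED and not pattern.match(account_name(ev["member"]))]
```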
ATTACK STEP: Access & Escalation
Objective: Solidify your foothold
ATTACK ACTION:
- Ensure flexible remote access to a compromised target system in the network you wish to attack.
- Use the system task scheduler to establish periodic, remote "check-ins" between a compromised target system and your network.
DEFENSIVE COUNTERMEASURE:
- Separate the system from the network in order to prevent the infection from spreading to other hosts.
- Harden the network security by defining firewall rules that allow connections (both inbound and outbound) only for approved and critical business applications.
- Remove unauthorized tasks from the Windows Task Scheduler on the affected host.
- Run a malware and virus scan on the infected host to detect any traces of the malware infection.
DEFENSIVE STEP (IR PROCESS): Identification
DETECTION POINT:
- Firewall connection logs.
- The list of scheduled tasks.
INDICATOR(S) OF ATTACK:
- Logs show connections to malicious or suspicious IP addresses.
- Unauthorized tasks are found in the scheduled tasks.
- An unauthorized program is found in the Windows Startup folder.
ANNOTATION:
Even if an infected system has been isolated from the network, it is extremely important to harden the overall security of the network. This is necessary to ensure that the infection has not already spread beyond the single detected machine.
Hardening the network's security with firewall rules can play a vital role in preventing or stopping malware from connecting "home" to its Command and Control (C&C) server to download additional malicious components or receive further commands. Stopping such a connection provides extra time to analyze an infected machine without worrying that it will make more external connections or receive more files or commands.
It is necessary to remove any unauthorized scheduled tasks or programs on the infected machine. It is equally important to preserve any information that might be useful to the investigation for determining the exact source or cause of the infection, as well as for safeguarding the network going forward.
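The attack action in this row (a scheduled task producing periodic "check-ins" to the attacker's network) leaves a recognisable trace in the firewall connection logs that the detection point names: outbound connections to one external address at an almost constant interval. The following is an added example, not code from the lab, that finds such pairs by measuring how regular the gaps between connections are; the log lines and the thresholds (at least four connections, coefficient of variation of the intervals no more than 0.1) are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed outbound connection log: timestamp, source host, destination:port.
# The first pair fires every ~10 minutes like a scheduled task; the second is ordinary irregular traffic.
OUTBOUND_LOG = """\
2024-03-02T01:00:00Z 10.0.5.12 198.51.100.20:443
2024-03-02T01:10:01Z 10.0.5.12 198.51.100.20:443
2024-03-02T01:20:00Z 10.0.5.12 198.51.100.20:443
2024-03-02T01:29:59Z 10.0.5.12 198.51.100.20:443
2024-03-02T01:40:00Z 10.0.5.12 198.51.100.20:443
2024-03-02T01:03:12Z 10.0.5.12 203.0.113.9:443
2024-03-02T01:04:05Z 10.0.5.12 203.0.113.9:443
2024-03-02T01:31:47Z 10.0.5.12 203.0.113.9:443
2024-03-02T01:32:00Z 10.0.5.12 203.0.113.9:443
2024-03-02T01:55:30Z 10.0.5.12 203.0.113.9:443
"""


def parse_times(log):
    """Group connection timestamps by (source, destination) pair."""
    series = defaultdict(list)
    for line in log.splitlines():
        ts, src, dst = line.split()
        series[(src, dst)].append(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"))
    return series


def find_beacons(log, min_hits=4, max_cv=0.1):
    """Flag (src, dst) pairs whose inter-connection intervals are nearly constant.
    cv is the population standard deviation of the gaps divided by their mean; a task that
    fires on a fixed period gives a cv close to 0, while human-driven traffic scatters widely."""
    hits = []
    for (src, dst), times in parse_times(log).items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            hits.append({"src": src, "dst": dst, "count": len(times),
                         "period_s": round(avg), "cv": round(cv, 3)})
    return hits
```

Approved business applications also check in on schedules, so a flagged pair is matched against the allowed-application firewall rules from the countermeasure column before it is treated as an indicator.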