IHR Module 2 Lecture 6-8

Incident Response and research Fundamentals

INCIDENT HANDLING AND RESPONSE

(HC-08)

Dr Bishwajeet Pandey, SMIEEE


CSE Research Coordinator-Jain University, India

PhD (Gran Sasso Science Institute, L'Aquila, Italy)


Visiting Professor at
UCSI UNIVERSITY-Malaysia
L.N. Gumilyov Eurasian National University-Kazakhstan
ABOUT MYSELF

• PhD from Gran Sasso Science Institute, Italy


• PhD Supervisor Prof Paolo Prinetto from Politecnico Di Torino, World Rank 13 in
Electrical Engineering
• MTech from Indian Institute of Information Technology, Gwalior
• Visited 41 Countries Across The Globe
• Written 200+ research papers with 193 researchers from 63 universities
• Scopus Profile: https://www.scopus.com/authid/detail.uri?authorId=57203239026
• Google Scholar: https://scholar.google.com/citations?user=UZ_8yAMAAAAJ&hl=hi
• IBM Certified Solution Designer
• EC-Council Certified Ethical Hacker
• AWS Certified Cloud Practitioner
• Qualified GATE 4 times
• Email [email protected], [email protected]
MY SCOPUS PROFILE
MY GOOGLE SCHOLAR PROFILE
IHR Syllabus
Host Monitoring

Discover Unknown and Unauthorized Devices on the Network


• Rogue wireless access points, old systems that were supposed to be
decommissioned, and devices that were plugged into the network but
weren't approved are all examples of things you'll find when you
begin discovering assets on a computer network.
• Additionally, software inventories will help you prevent software
license issues, identify out-of-date applications, and see unauthorized
applications running that are creating risk to your IT environment.
Host Monitoring

• Scan a single host — scans a single host for 1000 well-known ports. These ports are the ones used by popular services like SQL, SNTP, apache, and others.
> nmap scanme.nmap.org
Host Monitoring

● Port scanning is one of the most fundamental features of Nmap. We can scan for ports in several ways.

● Using the -p param to scan for a single port
> nmap -p 973 192.164.0.1

● If you specify the type of port, you can scan for information about a particular type of connection, for example for a TCP connection. (The port list must not contain spaces; otherwise nmap treats the second number as a target.)
> nmap -p T:7777,973 192.164.0.1
Host Monitoring

● A range of ports can be scanned by separating them with a hyphen.
> nmap -p 22-176 192.164.0.1

● We can also use the --top-ports flag to specify the top n ports to scan.
> nmap --top-ports 10 scanme.nmap.org
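The asset-discovery idea from the earlier slides (finding rogue or unapproved devices) can be automated on top of these scans: run Nmap with greppable output (-oG), parse the host and port lines, and compare the result with an approved inventory so that unknown hosts and unexpected open ports are flagged for follow-up. The Python script below is an added example, not code from the lecture; the scan output embedded in it is constructed to imitate the -oG format, and the APPROVED inventory is an assumption.

```python
"""Host inventory from Nmap greppable output, diffed against an approved asset list.
Added example, not from the lecture: the scan output below is constructed to imitate
the -oG format, and the APPROVED inventory is an assumption."""
import ipaddress
import re
from typing import Dict, List, Set, Tuple

# Constructed sample of `nmap -oG - 192.0.2.0/29` output (documentation address range).
SAMPLE_GREPPABLE = """\
# Nmap 7.94 scan initiated as: nmap -oG - 192.0.2.0/29
Host: 192.0.2.1 (gw.example.internal)\tStatus: Up
Host: 192.0.2.1 (gw.example.internal)\tPorts: 22/open/tcp//ssh///, 443/open/tcp//https///\tIgnored State: closed (998)
Host: 192.0.2.5 ()\tStatus: Up
Host: 192.0.2.5 ()\tPorts: 23/open/tcp//telnet///, 80/open/tcp//http///\tIgnored State: closed (998)
Host: 192.0.2.6 (db.example.internal)\tStatus: Up
Host: 192.0.2.6 (db.example.internal)\tPorts: 3306/open/tcp//mysql///, 22/open/tcp//ssh///\tIgnored State: closed (998)
# Nmap done -- 8 IP addresses (3 hosts up) scanned
"""

# Assumed approved inventory: ip -> ports that are expected to be open on it.
APPROVED: Dict[str, Set[int]] = {
    "192.0.2.1": {22, 443},
    "192.0.2.6": {22},
}

HOST_RE = re.compile(r"^Host:\s+(\S+)\s+\(([^)]*)\)\t(.*)$")
# -oG port fields are port/state/proto/owner/service/rpc/version/; only open ports are kept.
PORT_RE = re.compile(r"(\d+)/open/(tcp|udp)//([^/]*)/")


def parse_greppable(text: str) -> Dict[str, Dict[str, object]]:
    """Return {ip: {"hostname": str, "ports": {port: service}}} for hosts reported up."""
    inventory: Dict[str, Dict[str, object]] = {}
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue  # comment lines
        ip, hostname, rest = m.groups()
        if rest.startswith("Status: Down"):
            continue
        entry = inventory.setdefault(ip, {"hostname": hostname, "ports": {}})
        if rest.startswith("Ports:"):
            for port, _proto, service in PORT_RE.findall(rest):
                entry["ports"][int(port)] = service
    return inventory


def audit(inventory: Dict[str, Dict[str, object]],
          approved: Dict[str, Set[int]]) -> List[Tuple[str, str]]:
    """Findings: hosts absent from the approved list, and approved hosts exposing unlisted ports."""
    findings: List[Tuple[str, str]] = []
    for ip, entry in sorted(inventory.items(), key=lambda kv: ipaddress.ip_address(kv[0])):
        ports: Dict[int, str] = entry["ports"]  # type: ignore[assignment]
        if ip not in approved:
            listed = ",".join(str(p) for p in sorted(ports)) or "none"
            findings.append((ip, f"unknown host (open ports: {listed})"))
            continue
        for port in sorted(set(ports) - approved[ip]):
            findings.append((ip, f"unexpected open port {port}/{ports[port] or '?'}"))
    return findings


if __name__ == "__main__":
    for ip, finding in audit(parse_greppable(SAMPLE_GREPPABLE), APPROVED):
        print(f"{ip:15} {finding}")
```

With real scans, feed `nmap -oG - <range>` output into parse_greppable and keep the approved list under change control; a host that appears with no hostname and an open telnet port, as the constructed 192.0.2.5 does here, is exactly the kind of unapproved device the slides describe.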
Host Monitoring

• nmap -sT scanme.nmap.org

TCP Connect Scan using NMAP & Wireshark

• When a port is open
• nmap -p 80 -sT scanme.nmap.org
TCP Connect Scan using NMAP & Wireshark

• When a port is closed
• nmap -p 81 -sT scanme.nmap.org
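What the two commands above do at the socket level is a full TCP connect: an open port completes the three-way handshake, a closed port answers with RST (which the operating system reports as a refused connection), and a filtered port never answers. The Python script below is an added example, not code from the lecture; it reproduces the -sT behaviour against 127.0.0.1 only, using a listener it creates itself, and compares the observed states with an expected baseline the way a host-monitoring check would.

```python
"""TCP connect probe (what nmap -sT does per port) checked against a port baseline.
Added example, not from the lecture; the demo runs only against 127.0.0.1."""
import socket
from typing import List, Set, Tuple


def tcp_connect_probe(host: str, port: int, timeout: float = 1.0) -> str:
    """'open' if connect() completes the handshake, 'closed' if the peer sends RST
    (ECONNREFUSED), 'filtered' if nothing answers before the timeout."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open"
    except ConnectionRefusedError:
        return "closed"
    except OSError:  # includes socket.timeout / TimeoutError
        return "filtered"
    finally:
        s.close()


def baseline_check(host: str, expected_open: Set[int],
                   ports: List[int]) -> List[Tuple[int, str, str]]:
    """(port, observed state, 'ok' | 'DEVIATION') for each port against the baseline."""
    results = []
    for port in ports:
        state = tcp_connect_probe(host, port)
        expected = "open" if port in expected_open else "closed"
        results.append((port, state, "ok" if state == expected else "DEVIATION"))
    return results


def demo() -> dict:
    """Constructed scenario: one listening socket stands in for an approved service;
    a second ephemeral port is bound and released so it is known to be closed."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(5)
    open_port = listener.getsockname()[1]
    tmp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tmp.bind(("127.0.0.1", 0))
    closed_port = tmp.getsockname()[1]
    tmp.close()  # nothing listens here any more, so connect() will be refused
    try:
        results = baseline_check("127.0.0.1", {open_port}, [open_port, closed_port])
    finally:
        listener.close()
    return {"open_port": open_port, "closed_port": closed_port, "results": results}


if __name__ == "__main__":
    for port, state, verdict in demo()["results"]:
        print(f"127.0.0.1:{port:<5} {state:<8} {verdict}")
```

In Wireshark the open case shows SYN, SYN/ACK, ACK and then the client's FIN or RST; the closed case shows SYN followed by RST/ACK, which is what the ConnectionRefusedError branch maps to.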
Network Monitoring

Use Network Traffic to Determine Tool Coverage

• One of the biggest weaknesses of endpoint protection tools such as anti-virus and Advanced Endpoint Protection is that lack of 100% coverage can still lead to compromise in the environment, through a pivot from an unprotected machine.

• Lack of coverage also leads to a blind spot in your network. One of the most effective ways to determine whether or not you have 100% of devices covered is to look at network traffic at your network's perimeter (where it connects to the Internet or other networks) and evaluate traffic behavior.
Network Monitoring

Use Network Traffic to Determine Tool Coverage

• For example, if a computer has an endpoint protection tool that creates network traffic to the Internet as the tool checks in, you'll see it in the network traffic.
• If you see a computer running the target operating system (one that should have 100% coverage) sending traffic to the Internet but not sending traffic to the check-in site for the endpoint protection tool, that indicates the host is not covered and should be something that alerts your security analysts and IT team to fix.
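The check-in heuristic above can be run over flow records exported at the perimeter. The Python script below is an added example, not code from the lecture: the flow export, the asset inventory and the check-in address 203.0.113.10 are all constructed. It reports in-scope hosts that reached the Internet without ever contacting the check-in address (uncovered) separately from hosts that produced no external traffic at all, because silence at the perimeter says nothing about whether the agent is installed.

```python
"""Endpoint-protection coverage inferred from perimeter flow records.
Added example, not from the lecture; flows, inventory and check-in address are constructed."""
import csv
import io
import ipaddress
from typing import Dict, List, Set

# Constructed perimeter flow export (one row per outbound connection seen at the edge).
FLOWS_CSV = """\
ts,src_ip,dst_ip,dst_port
2024-03-01T08:00:01,10.0.1.10,203.0.113.10,443
2024-03-01T08:00:05,10.0.1.10,198.51.100.7,443
2024-03-01T08:01:10,10.0.1.11,198.51.100.7,443
2024-03-01T08:01:12,10.0.1.11,198.51.100.23,80
2024-03-01T08:02:00,10.0.1.12,10.0.2.5,445
2024-03-01T08:03:30,10.0.1.20,203.0.113.10,443
2024-03-01T08:03:31,10.0.1.20,198.51.100.7,443
"""

# Assumed asset inventory (ip -> OS) and the policy that every Windows host runs the tool.
INVENTORY: Dict[str, str] = {
    "10.0.1.10": "windows",
    "10.0.1.11": "windows",
    "10.0.1.12": "windows",
    "10.0.1.20": "linux",
    "10.0.1.30": "windows",
}
COVERED_OS: Set[str] = {"windows"}
# Assumed check-in address of the endpoint protection tool (placeholder from a documentation range).
EPP_CHECKIN_IPS: Set[str] = {"203.0.113.10"}

INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_external(ip: str) -> bool:
    """Anything outside the RFC 1918 ranges counts as 'the Internet' for this check."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def coverage_report(flows_csv: str, inventory: Dict[str, str],
                    covered_os: Set[str], checkin_ips: Set[str]) -> Dict[str, List[str]]:
    """uncovered: in-scope hosts that reached the Internet but never the check-in address.
    unobserved: in-scope hosts with no external traffic at all (coverage unknown)."""
    reached_internet: Set[str] = set()
    checked_in: Set[str] = set()
    for row in csv.DictReader(io.StringIO(flows_csv)):
        src, dst = row["src_ip"], row["dst_ip"]
        if dst in checkin_ips:
            checked_in.add(src)
        elif is_external(dst):
            reached_internet.add(src)
    uncovered: List[str] = []
    unobserved: List[str] = []
    for host, os_name in sorted(inventory.items()):
        if os_name not in covered_os or host in checked_in:
            continue
        (uncovered if host in reached_internet else unobserved).append(host)
    return {"uncovered": uncovered, "unobserved": unobserved}


if __name__ == "__main__":
    report = coverage_report(FLOWS_CSV, INVENTORY, COVERED_OS, EPP_CHECKIN_IPS)
    print("not covered   :", report["uncovered"])
    print("never observed:", report["unobserved"])
```

The split matters operationally: the uncovered list is an alert for the IT team, while the unobserved list is a work item for whoever owns the inventory (the host may be off, isolated, or wrongly recorded as in scope).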
Network Monitoring
Application Monitoring

Hardware and Software Inventories Should be Related


• Understanding which physical devices are running a specific type of
operating system, as well as understanding which applications (by version)
are running on these devices is important to know if you are investigating
suspicious activity.
• There are many benefits to having this information available, including
eliminating false positives, understanding a given device's role (e.g.
database server or web server), and understanding what type of data can be
found on the device (e.g. file servers contain data, database servers contain
data, etc.).
Application Monitoring

• Forensic applications can identify the deleted files that still exist or display the artifact that proves they once did exist.

• Deleted files may affect the culpability of a suspect by demonstrating willful actions to hide his or her transgressions.
Application Monitoring

• nmap -sV scanme.nmap.org

• Nmap can provide information about the underlying operating system using TCP/IP fingerprinting.

• OS detection is not always accurate, but it goes a long way towards helping a pen tester get closer to their target.
Application Monitoring

● The http-enum.nse script enumerates directories used by popular web applications and servers.
● Here's an example of how to use the http-enum.nse script:
nmap --script=http-enum <target>
Exploit in OPENSSH from exploit-db
Exploit in Apache from exploit-db
Application Monitoring

• The mysql-info.nse script enumerates features of MySQL.
• Here's an example of how to use the mysql-info.nse script:
• nmap -p 3306 --script=mysql-info <target>
• Note: 5432 for PostgreSQL, script is pgsql-brute
Monitoring and incident management: a winning combination

• Monitoring systems gather and log a wide range of performance data on a diverse range of targets — from applications to user experience, networks, servers, and more.

• Usually, monitoring is conducted under runtime conditions, but synthetic monitoring can also be used to simulate loads and test the resilience of web services.
Monitoring and incident management: a winning combination

• Incident management systems use monitoring system outputs (and other relevant inputs) in order to quickly detect, prioritize, diagnose, and resolve performance issues that are disrupting normal service operation.

• The monitoring system output may be the log data itself, an event-triggered alert indicating that a performance threshold has been breached, or both.
Monitoring and incident management: a winning combination

• Closely coupling monitoring and incident management systems creates a synergy that is far more powerful than either process alone.

• Monitoring and incident management systems complement each other to achieve proactive, real-time incident responses that accelerate business outcomes.
Promiscuous mode

• Promiscuous mode is a type of computer networking operational mode in which all network data packets can be accessed and viewed by all network adapters operating in this mode.

• It is a network security, monitoring and administration technique that enables access to entire network data packets by any configured network adapter on a host system.

• Promiscuous mode is used to monitor (sniff) network traffic.

Promiscuous mode

• Typically, promiscuous mode is used and implemented by a snoop program that captures all network traffic visible on all configured network adapters on a system.

• Because of its ability to access all network traffic on a segment, promiscuous mode is also considered unsafe.

• For example, on a system with multiple VMs, each host has the ability to see network packets destined for other VMs on that system.
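Because promiscuous mode is "considered unsafe", a defender wants to know when an adapter on one of their hosts has been switched into it. The Python script below is an added example, not code from the lecture: on Linux it reads each interface's flag word from sysfs and tests the IFF_PROMISC bit, and it also parses the kernel's "entered/left promiscuous mode" messages. The flag values and log lines embedded in it are constructed.

```python
"""Spotting adapters in promiscuous mode on a Linux host.
Added example, not from the lecture; SAMPLE_FLAGS and SAMPLE_KMSG are constructed."""
import re
from pathlib import Path
from typing import Dict, List, Tuple

IFF_UP = 0x1         # flag bits from <linux/if.h>
IFF_PROMISC = 0x100


def is_promiscuous(flags: int) -> bool:
    return bool(flags & IFF_PROMISC)


def read_sysfs_flags(sys_net: str = "/sys/class/net") -> Dict[str, int]:
    """Interface name -> flag word read from sysfs (hex text such as 0x1103). Empty off Linux."""
    result: Dict[str, int] = {}
    root = Path(sys_net)
    if not root.is_dir():
        return result
    for iface in root.iterdir():
        try:
            result[iface.name] = int((iface / "flags").read_text().strip(), 16)
        except (OSError, ValueError):
            continue  # entries without a readable flags file
    return result


def promiscuous_interfaces(flags: Dict[str, int]) -> List[str]:
    return sorted(name for name, word in flags.items() if is_promiscuous(word))


KMSG_RE = re.compile(r"device (\S+) (entered|left) promiscuous mode")


def promisc_events(kernel_log: str) -> List[Tuple[str, str]]:
    """(interface, 'entered' | 'left') for each kernel message, in log order."""
    return [(m.group(1), m.group(2)) for m in KMSG_RE.finditer(kernel_log)]


def currently_promisc_from_log(kernel_log: str) -> List[str]:
    """Replay the enter/leave messages to find interfaces still in promiscuous mode."""
    state: Dict[str, bool] = {}
    for iface, action in promisc_events(kernel_log):
        state[iface] = action == "entered"
    return sorted(iface for iface, on in state.items() if on)


# Constructed flag words (eth0 carries IFF_PROMISC) and constructed dmesg lines.
SAMPLE_FLAGS = {"lo": 0x9, "eth0": 0x1103, "eth1": 0x1003}
SAMPLE_KMSG = """\
[  120.410] device eth0 entered promiscuous mode
[  121.020] device eth1 entered promiscuous mode
[  300.770] device eth1 left promiscuous mode
"""

if __name__ == "__main__":
    print("from constructed flags:", promiscuous_interfaces(SAMPLE_FLAGS))
    print("from constructed dmesg:", currently_promisc_from_log(SAMPLE_KMSG))
    print("live sysfs on this host:", promiscuous_interfaces(read_sysfs_flags()))
```

One caveat for the flag check: the sysfs flag word (like the PROMISC flag shown by `ip link`) reflects promiscuity requested through the interface flags, whereas capture tools that request it through a packet-socket membership raise the kernel's promiscuity counter without that flag appearing. The kernel still logs "entered promiscuous mode" in both cases, so ship those kernel messages to your log collector and alert on them rather than relying on the flag alone.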
Snooping

• Snooping is a broad term that can include casual observance of an email that appears on another person's computer screen or watching what someone else is typing.

• More sophisticated snooping uses software to remotely monitor activity on a computer or as communications data traverses a network.

• For example: TeamViewer, AnyDesk


Segment
Paranoid Mode

• Paranoid mode is an enhanced protection mode.

• When this mode is activated, the guard starts scanning all the files being opened, created or modified on hard disks, removable media and network disks.
Paranoid Mode

• Report Paranoia is a Nessus scan setting that allows a user to specify whether we should only report vulnerabilities with a high level of confidence, or be a little more paranoid and flag a system if there is a possibility that it is or could be vulnerable.

• It can lead to potential false positives but can give a larger view of their cyber exposure.
Paranoid Mode

9+ cybersecurity tips for the mildly paranoid

• Don’t get phished
• Turn on two-factor authentication
• Only use secure web browsers
• Use strong passwords
• Install a modern operating system
• Install security updates and patches
• Use a security program
• Use encrypted messaging software
• Install a camera cover on your computer and phone
• Use a landline
• Unplug and turn off your devices
Health and Safety Issues

From a health and safety context, cyberattacks can be grouped into three distinct areas, as follows.

• Attacks on Industrial Automation Control Systems (IACS) resulting in physical risks.
• Attacks resulting in the loss, unauthorised access to, destruction, or other unintended use of electronic information and data.
• Attacks resulting in the disruption of operations caused by the loss or interruption of electronic systems and networks such as Building Management Systems.
Health and Safety Issues

Attacks on IACS

• Industrial Automation Control Systems can include electrical, control and instrumentation systems, emergency shutdown systems, and fire and gas systems. All have safety critical applications.

• In early 2017, the HSE published Cyber Security for Industrial Automation and Control Systems. Aimed at major hazard workplaces, the publication recognises that threats can originate not only from system networks but also software upgrades, maintenance activities and unauthorised access.
Health and Safety Issues

Attacks on sensitive data


• A cyberattack could have serious repercussions even in organisations that are not
major hazard industries. Health and safety management systems can create
considerable volumes of documentation containing sensitive business-related
information as well as personal data relating to employees or other persons.
• Personal data can include information on accident/incident reporting forms,
occupational health reports, etc. With ever-increasing use of online reporting systems
and outsourced occupational health services, the potential for cyberattack is clear.

Health and Safety Issues

Attacks on sensitive data


• In addition to the above, other consequences of the loss of general health and safety information
could include the following.

• Resources may have to be invested to ensure that lost documentation and information is replaced
(eg risk assessments having to be undertaken again).

• Defence against prosecution or civil litigation may be weakened due to an inability to provide
evidence of previous good health and safety management where documentation is permanently
lost.

• Lost historical data that could assist in identifying and developing future risk control measures
would leave a knowledge gap
Health and Safety Issues

Attacks on sensitive data


• Failure to protect sensitive health and safety data and its subsequent loss or theft could incur investigation and prosecution by the Information Commissioner’s Office. Fines can be imposed up to €20 million or 4% of an organisation’s turnover.

• There may also be data relating to health and safety that is commercially sensitive that the organisation may wish to keep out of the public domain.
Health and Safety Issues

Attacks on BMS

• The third area that can have health and safety implications can be described as operational.
Building Management Systems (BMS), either standalone or integrated, can form part of many
health and safety risk control systems. These systems control several environmental factors (eg
ventilation, lighting, power, fire and security systems, etc).

• As an example, many organisations now use automated access control systems as a security
measure to protect employees and prevent unauthorised access to certain premises. A cyberattack
has the potential to override such systems, putting employees at risk from those gaining
unauthorised access.
Health and Safety Issues

• Oldsmar Sheriff Bob Gualtieri, in the press statement, mentioned that the
hacker tried to manipulate the sodium hydroxide concentration in the water.

• “Sodium hydroxide, also known as lye, is the main ingredient in liquid drain
cleaners. It’s also used to control water acidity and remove metals from
drinking water in the water treatment plant.“

• “The hacker changed the sodium hydroxide from about 100 parts per million
to 11,100 parts per million. This is a significant and potentially dangerous
increase.”
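The "event-triggered alert indicating that a performance threshold has been breached" from the monitoring slides, applied to the Oldsmar case: a historian of setpoint writes is checked against a safe range and a maximum step change, so that the jump from 100 ppm to 11,100 ppm raises an alert on the first out-of-range sample regardless of which console issued it. The Python script below is an added example, not code from the lecture; the historian records, the safe range (50 to 500 ppm) and the 25% step limit are constructed assumptions, not real plant values.

```python
"""Threshold and step-change alerting over a setpoint history.
Added example, not from the lecture. Records and limits are constructed."""
import csv
import io
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed historian export: one row per setpoint write to the dosing controller.
HISTORIAN_CSV = """\
ts,tag,value,source
2021-02-05T13:00:00,naoh_ppm,100,scheduler
2021-02-05T13:05:00,naoh_ppm,105,scheduler
2021-02-05T13:30:00,naoh_ppm,11100,remote_hmi
2021-02-05T13:30:30,naoh_ppm,11100,remote_hmi
2021-02-05T13:35:00,naoh_ppm,100,operator_console
"""


@dataclass(frozen=True)
class Limits:
    low: float            # lowest acceptable setpoint
    high: float           # highest acceptable setpoint
    max_step_pct: float   # largest change allowed relative to the previous value


# Assumed safe envelope for the sodium hydroxide dose; not real plant values.
LIMITS: Dict[str, Limits] = {"naoh_ppm": Limits(low=50.0, high=500.0, max_step_pct=25.0)}

Alert = Tuple[str, str, str, str]  # (timestamp, tag, kind, detail)


def evaluate(csv_text: str, limits: Dict[str, Limits]) -> List[Alert]:
    """Emit one 'range' alert per excursion outside [low, high] (not one per sample,
    so a held bad value does not flood the queue) and a 'step' alert for every write
    whose change from the previous value exceeds max_step_pct."""
    previous: Dict[str, float] = {}
    in_excursion: Dict[str, bool] = {}
    alerts: List[Alert] = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        tag, value, ts = row["tag"], float(row["value"]), row["ts"]
        lim = limits.get(tag)
        if lim is None:
            continue  # tag without a configured envelope
        where = f"value={value:g} source={row['source']}"
        out_of_range = not (lim.low <= value <= lim.high)
        if out_of_range and not in_excursion.get(tag, False):
            alerts.append((ts, tag, "range", f"outside {lim.low:g}-{lim.high:g}; {where}"))
        in_excursion[tag] = out_of_range
        if tag in previous and previous[tag] > 0:
            step_pct = abs(value - previous[tag]) / previous[tag] * 100
            if step_pct > lim.max_step_pct:
                alerts.append((ts, tag, "step",
                               f"{step_pct:.0f}% change exceeds {lim.max_step_pct:g}%; {where}"))
        previous[tag] = value
    return alerts


if __name__ == "__main__":
    for alert in evaluate(HISTORIAN_CSV, LIMITS):
        print(" | ".join(alert))
```

The step check fires again on the correction back to 100 ppm, which is intended: a large swing in either direction is something the operator and the incident team should see, while the range check stays quiet until the value leaves the envelope again.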
Securing crime scene

• Securing the crime scene: first responders should ensure the safety of all the people at the crime scene as well as protect the integrity of the evidence.

• Upon arriving at the location, the first responders should move to the scene of the incident, identify the victim devices, networks and so on, and mark a perimeter.
Securing crime scene: BEST PRACTICES

• Follow the standard procedures and policies of the legal authority while securing the scene
• Make sure that the scene is safe for the responders
• Determine the type of the incident
• Establish a security perimeter to check
Securing crime scene: BEST PRACTICES

• Secure all electronic devices, including personal or portable devices
• Identify any information that’s related to the offence
• Remove all persons from the crime scene or the area containing evidence
• Protect and preserve the evidence that’s in danger of being easily lost
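Protecting evidence that is easily lost includes being able to prove later that what was collected has not changed since it was secured. The Python script below is an added example, not code from the lecture: it builds a SHA-256 manifest over an evidence directory at collection time and verifies it afterwards, reporting files that are intact, modified, missing, or added after sealing. The files it hashes are constructed in a temporary directory, and the collector name is a placeholder.

```python
"""Evidence integrity manifest: hash at collection, verify later.
Added example, not from the lecture; the evidence files are constructed in a temp dir."""
import hashlib
import tempfile
from datetime import datetime, timezone
from pathlib import Path
from typing import Dict


def sha256_file(path: Path, chunk: int = 1 << 20) -> str:
    """Stream the file so large images do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(evidence_dir: Path, collector: str, note: str = "") -> Dict:
    """Record hash and size of every file under evidence_dir plus who sealed it and when."""
    items = {}
    for p in sorted(evidence_dir.rglob("*")):
        if p.is_file():
            rel = str(p.relative_to(evidence_dir))
            items[rel] = {"sha256": sha256_file(p), "size": p.stat().st_size}
    return {
        "collected_at": datetime.now(timezone.utc).isoformat(),
        "collector": collector,
        "note": note,
        "items": items,
    }


def verify_manifest(evidence_dir: Path, manifest: Dict) -> Dict[str, str]:
    """relative path -> 'ok' | 'modified' | 'missing', plus 'unlisted' for files not sealed."""
    status: Dict[str, str] = {}
    for rel, meta in manifest["items"].items():
        p = evidence_dir / rel
        if not p.is_file():
            status[rel] = "missing"
        elif sha256_file(p) != meta["sha256"]:
            status[rel] = "modified"
        else:
            status[rel] = "ok"
    for p in evidence_dir.rglob("*"):
        if p.is_file():
            status.setdefault(str(p.relative_to(evidence_dir)), "unlisted")
    return status


def demo() -> Dict[str, str]:
    """Constructed scenario: three acquired files are sealed; afterwards one is altered,
    one is deleted and one new file appears. Verification must surface all three."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "pager_memory.bin").write_bytes(b"\x00\x01\x02constructed-sample")
        (root / "callerid_log.txt").write_text("constructed caller-id dump\n")
        (root / "sim.dump").write_bytes(b"\xff" * 16)
        manifest = build_manifest(root, collector="first responder (placeholder)")
        (root / "callerid_log.txt").write_text("tampered\n")
        (root / "sim.dump").unlink()
        (root / "notes.txt").write_text("added after sealing\n")
        return verify_manifest(root, manifest)


if __name__ == "__main__":
    for rel, state in sorted(demo().items()):
        print(f"{state:<9} {rel}")
```

Store the manifest outside the evidence directory (and ideally sign or print it) so that the record of the hashes cannot be altered along with the files it describes.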
Securing crime scene: BEST PRACTICES

• Do not permit any person to access the scene or electronic devices
• Decline any offer of help or technical assistance
• Locate and help the victim
• Protect perishable data (e.g., pagers and caller ID boxes) physically and electronically
Collecting incident Information

Adhering to department policies and applicable laws, the first responders should collect the following information regarding the victim devices and connected systems:

• Actual holders or users of any electronic devices at the crime scene
• Web mail and social networking website account information
• Usernames and Internet service providers
• Passwords needed to access the system, software, or data
Collecting incident Information

• Purpose of using the system
• Automated applications in use
• Any offsite data storage
• Unique security schemes or destructive devices
• Documents describing the installation of hardware or software on the system
Collecting incident Information

The forensic team must conduct preliminary interviews to collect more evidence. As part of their preliminary investigation, the first responders should perform the following steps to collect information at the crime scene:

• Identify the persons at the crime scene, conduct individual interviews, and note everyone’s physical position and his or her reason for being there
• As part of the investigation process, determine if the incident was a criminal act, a violation of policies, or an accident
