Step by Step To Analyse Alerts

Uploaded by siminthomas54

STEP BY STEP TO ANALYSE ALERTS (MALWARE ATTACK & PHISHING ATTACK)
BY IZZMIER IZZUDDIN

Scenario 1: Detection and Analysis of a Malware Attack

Background

A company's Security Information and Event Management (SIEM) system detects suspicious
activity on one of its servers. The SOC analysts are alerted to investigate the potential
malware attack.

Detection Phase

1. Initial Alert

• SIEM Alert: The SIEM generates an alert indicating unusual outbound traffic from a
server (Server A) to an unfamiliar external IP address.
• Alert Details: The alert includes the following details:
o Source IP: 192.168.1.10 (Server A)
o Destination IP: 203.0.113.45
o Protocol: TCP
o Port: 443 (HTTPS)
o Timestamp: 10:15 AM

2. Alert Triage

• Priority Assessment: The SOC analyst assesses the priority based on the nature of
the alert and the criticality of Server A.
• Contextual Information: The analyst gathers additional information:
o Server A hosts critical business applications.
o The destination IP is not recognized in the company’s whitelist.
o The traffic volume is higher than normal for HTTPS connections.

Analysis Phase

3. Investigation

• Log Review: The analyst reviews logs from the SIEM and other sources (e.g.,
firewall, IDS/IPS):
o Firewall Logs: Confirm unusual outbound traffic to 203.0.113.45.
o Web Proxy Logs: Show HTTP requests to suspicious domains prior to the
HTTPS traffic.
o Endpoint Logs: Indicate a recent download of an unknown executable file.
• Threat Intelligence: The analyst cross-references the destination IP and domains
with threat intelligence databases:
o The IP and domains are associated with known malware distribution.
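To make steps 2 and 3 concrete, here is an added example (not tooling from the playbook) that merges constructed firewall, web proxy and endpoint records for Server A into one timeline and applies the triage checks: allowlist lookup, HTTPS volume against a baseline, and a threat-intelligence match. The allowlist, threat-intel set, URL, file path and the 3x-baseline threshold are assumptions; only the IPs and port come from the scenario.

```python
"""Correlate Scenario 1 across log sources (added example, not the playbook's own tooling)."""
from datetime import datetime

ALLOWLIST = {"198.51.100.7"}          # hypothetical approved external IPs
THREAT_INTEL_IPS = {"203.0.113.45"}   # hypothetical TI feed hit, mirrors the scenario

# Constructed samples shaped like the playbook's findings for Server A (192.168.1.10)
FIREWALL = [  # (timestamp, src, dst, dst_port, bytes_out)
    ("2024-01-01 10:15:00", "192.168.1.10", "203.0.113.45", 443, 52_000_000),
    ("2024-01-01 10:16:00", "192.168.1.10", "198.51.100.7", 443, 20_000),
]
PROXY = [  # (timestamp, src, url): the HTTP request seen before the HTTPS traffic
    ("2024-01-01 10:05:00", "192.168.1.10", "http://updates.invalid/dl/update.bin"),
]
ENDPOINT = [  # (timestamp, host, action, path): the unknown executable download
    ("2024-01-01 10:07:00", "192.168.1.10", "file_created", "C:\\Temp\\update.exe"),
]


def build_timeline(host):
    """Merge the three sources into one chronological list for the host."""
    events = [(ts, "firewall", f"{dst}:{port} bytes_out={n}")
              for ts, src, dst, port, n in FIREWALL if src == host]
    events += [(ts, "proxy", url) for ts, src, url in PROXY if src == host]
    events += [(ts, "endpoint", f"{act} {path}")
               for ts, src, act, path in ENDPOINT if src == host]
    return sorted(events, key=lambda e: datetime.strptime(e[0], "%Y-%m-%d %H:%M:%S"))


def triage(host, baseline_https_bytes):
    """Apply step 2's checks to the host's outbound flows: allowlist, volume, TI."""
    findings = {"unapproved_dst": [], "ti_hits": [], "high_volume": []}
    for _ts, src, dst, port, n in FIREWALL:
        if src != host:
            continue
        if dst not in ALLOWLIST:
            findings["unapproved_dst"].append(dst)
        if dst in THREAT_INTEL_IPS:
            findings["ti_hits"].append(dst)
        # Hypothetical threshold: flag HTTPS flows more than 3x the usual volume
        if port == 443 and n > 3 * baseline_https_bytes:
            findings["high_volume"].append(dst)
    # Escalate on a TI match, or on an unapproved destination with abnormal volume
    findings["escalate"] = bool(findings["ti_hits"]) or bool(
        set(findings["unapproved_dst"]) & set(findings["high_volume"]))
    return findings
```

Running `build_timeline("192.168.1.10")` orders the events proxy, endpoint, firewall, which is the download-then-beacon sequence the investigation step reconstructs.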

4. Malware Identification

• File Analysis: The analyst retrieves the suspicious executable file from Server A for
analysis:
o Sandbox Analysis: Executes the file in a controlled environment to observe
behaviour.
o Signature-Based Detection: Uses antivirus tools to identify known malware
signatures.
o Behavioural Analysis: Monitors for indicators of compromise (IOCs) such as
unusual file modifications and network connections.
• Findings: The file is identified as part of a Remote Access Trojan (RAT) used to
exfiltrate data and establish a backdoor.

Containment Phase

5. Immediate Actions

• Isolation: The SOC team isolates Server A from the network to prevent further data
exfiltration.
• Blocking IP: Adds firewall rules to block outbound traffic to the suspicious IP
addresses and domains.

Eradication Phase

6. Malware Removal

• System Scan: Runs comprehensive antivirus and anti-malware scans to identify and
remove the RAT and any associated files.
• Manual Inspection: Conducts manual inspection of system files and the registry to
ensure complete removal.

Recovery Phase

7. System Restoration

• Reimage Server: Reimage Server A from a clean backup to ensure no remnants of
the malware remain.
• Patch and Update: Apply the latest security patches and updates to Server A.
• User Notification: Inform affected users of the incident and any actions they need to
take (e.g., password changes).

Post-Incident Activity

8. Root Cause Analysis

• Entry Point Identification: Determines that the malware was introduced through a
phishing email that led to the download of the RAT.
• Security Gaps: Identifies gaps in email filtering and user training.

9. Lessons Learned

• Security Awareness: Enhances user training programs to recognize phishing
attempts.
• Email Filtering: Implements advanced email filtering solutions to detect and block
malicious attachments and links.
• SIEM Tuning: Adjusts SIEM rules to detect similar patterns of behaviour earlier.

10. Documentation and Reporting

• Incident Report: Compiles a detailed report of the incident, including detection,
analysis, response actions, and lessons learned.
• Playbook Update: Updates the SOC playbook to reflect new detection techniques
and response procedures based on the incident.

Scenario 2: Detection and Analysis of a Phishing Attack

Background

An organization's SIEM system detects multiple failed login attempts followed by a
successful login from an unusual location. The SOC analysts are alerted to investigate
potential account compromise due to phishing.

Detection Phase

1. Initial Alert

• SIEM Alert: The SIEM generates an alert indicating multiple failed login attempts
followed by a successful login.
• Alert Details: The alert includes the following details:
o User: izzmier
o Source IP: 45.76.200.15 (unusual location)
o Timestamp: 2:30 AM
o Number of Failed Attempts: 5
o Successful Login: Yes

2. Alert Triage

• Priority Assessment: The SOC analyst assesses the priority based on the unusual
login time and location.
• Contextual Information: The analyst gathers additional information:
o User izzmier typically logs in from the corporate office or through the
corporate VPN.
o The source IP is geolocated to a foreign country where the user has never
logged in from.

Analysis Phase

3. Investigation

• Log Review: The analyst reviews logs from the SIEM and other sources (e.g., VPN
logs, email logs):
o VPN Logs: No corresponding VPN login activity from the source IP.
o Email Logs: Identifies a phishing email received by user izzmier two days
prior, containing a link to a fake login page.
• Threat Intelligence: The analyst checks the source IP against threat intelligence
databases:
o The IP is associated with known malicious activity, including previous
phishing campaigns.
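The detection and triage logic behind steps 1 to 3, as an added example (not the playbook's own tooling): it scans a constructed authentication log for a user and source IP that accumulate at least five failures followed by a success inside a short window, then enriches the alert with the contextual checks from step 2 (corporate office/VPN ranges, threat-intelligence match, login hour). The network ranges, business hours, window and the threat-intel set are assumptions; the user name, source IP, failure count and login time mirror the scenario.

```python
"""Detect Scenario 2's pattern in auth logs (added example, not the playbook's own tooling)."""
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Hypothetical office and VPN address ranges; hypothetical TI feed hit mirroring the scenario
CORPORATE_NETS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.1.0/24")]
THREAT_INTEL_IPS = {"45.76.200.15"}

# Constructed sample auth log: "timestamp user src_ip result"
AUTH_LOG = """\
2024-01-01 02:21:10 izzmier 45.76.200.15 FAIL
2024-01-01 02:22:40 izzmier 45.76.200.15 FAIL
2024-01-01 02:24:05 izzmier 45.76.200.15 FAIL
2024-01-01 02:26:30 izzmier 45.76.200.15 FAIL
2024-01-01 02:28:55 izzmier 45.76.200.15 FAIL
2024-01-01 02:30:00 izzmier 45.76.200.15 SUCCESS
2024-01-01 09:01:00 alice 192.168.1.25 FAIL
2024-01-01 09:01:20 alice 192.168.1.25 SUCCESS
"""


def parse(line):
    date, clock, user, ip, result = line.split()
    return datetime.strptime(f"{date} {clock}", "%Y-%m-%d %H:%M:%S"), user, ip, result


def failed_then_success(log, min_failures=5, window=timedelta(minutes=15)):
    """Alert when a (user, ip) pair logs >= min_failures FAILs then a SUCCESS inside window."""
    fails, alerts = defaultdict(list), []
    for ts, user, ip, result in map(parse, log.strip().splitlines()):
        key = (user, ip)
        if result == "FAIL":
            fails[key].append(ts)
        elif result == "SUCCESS":
            recent = [t for t in fails.pop(key, []) if ts - t <= window]
            if len(recent) >= min_failures:
                alerts.append({"user": user, "src_ip": ip, "timestamp": ts,
                               "failed_attempts": len(recent)})
    return alerts


def enrich(alert):
    """Add the triage context from step 2: source location, TI match, login hour."""
    ip = ipaddress.ip_address(alert["src_ip"])
    alert["corporate_source"] = any(ip in net for net in CORPORATE_NETS)
    alert["ti_hit"] = alert["src_ip"] in THREAT_INTEL_IPS
    alert["off_hours"] = not 8 <= alert["timestamp"].hour < 18   # hypothetical business hours
    alert["priority"] = ("high" if not alert["corporate_source"]
                         and (alert["ti_hit"] or alert["off_hours"]) else "medium")
    return alert
```

Alice's single typo-then-success at 09:01 from an office address stays below the threshold, so only the izzmier login raises a high-priority alert.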

4. Phishing Confirmation

• Email Analysis: The analyst retrieves the phishing email and examines it:
o Link Inspection: Analyses the URL in the email and confirms it directs to a
phishing site mimicking the organization’s login page.
o Phishing Site: Verifies the phishing site is designed to harvest credentials.
• User Contact: Contacts user izzmier to confirm if they have interacted with the email
or noticed any unusual activity:
o User confirms they clicked the link and entered their credentials.

Containment Phase

5. Immediate Actions

• Account Lockdown: The SOC team immediately locks user izzmier’s account to
prevent further unauthorized access.
• Password Reset: Forces a password reset and ensures the user sets a new, strong
password.

Eradication Phase

6. Phishing Site Takedown

• Report Phishing Site: Reports the phishing site to the web hosting provider and
relevant authorities to get it taken down.

Recovery Phase

7. User Education

• User Training: Provides user izzmier with additional training on recognizing
phishing attempts and safe email practices.
• System Monitoring: Increases monitoring on user izzmier's account and related
systems to detect any further suspicious activity.

Post-Incident Activity

8. Root Cause Analysis

• Phishing Campaign Analysis: Investigates the phishing campaign to determine its
scope and identify other potential targets within the organization.
• Security Gaps: Identifies gaps in email filtering and the need for enhanced user
awareness training.

9. Lessons Learned

• Email Filtering: Implements advanced email filtering solutions to detect and block
phishing emails more effectively.
• User Awareness Campaign: Launches an organization-wide awareness campaign to
educate users about phishing threats and response strategies.

10. Documentation and Reporting

• Incident Report: Compiles a detailed report of the incident, including detection,
analysis, response actions, and lessons learned.
• Playbook Update: Updates the SOC playbook to include specific procedures for
detecting and responding to phishing attacks.