Step by Step To Analyse Alerts (Malware Attack & Phishing Attack)
By Izzmier Izzuddin
Scenario 1: Detection and Analysis of a Malware Attack
Background
A company's Security Information and Event Management (SIEM) system detects suspicious
activity on one of its servers. The SOC analysts are alerted to investigate the potential
malware attack.
Detection Phase
1. Initial Alert
• SIEM Alert: The SIEM generates an alert indicating unusual outbound traffic from a
server (Server A) to an unfamiliar external IP address.
• Alert Details: The alert includes the following details:
o Source IP: 192.168.1.10 (Server A)
o Destination IP: 203.0.113.45
o Protocol: TCP
o Port: 443 (HTTPS)
o Timestamp: 10:15 AM
2. Alert Triage
• Priority Assessment: The SOC analyst assesses the priority based on the nature of
the alert and the criticality of Server A.
• Contextual Information: The analyst gathers additional information:
o Server A hosts critical business applications.
o The destination IP is not recognized in the company’s whitelist.
o The traffic volume is higher than normal for HTTPS connections.
Analysis Phase
3. Investigation
• Log Review: The analyst reviews logs from the SIEM and other sources (e.g.,
firewall, IDS/IPS):
o Firewall Logs: Confirm unusual outbound traffic to 203.0.113.45.
o Web Proxy Logs: Show HTTP requests to suspicious domains prior to the
HTTPS traffic.
o Endpoint Logs: Indicate a recent download of an unknown executable file.
• Threat Intelligence: The analyst cross-references the destination IP and domains
with threat intelligence databases:
o The IP and domains are associated with known malware distribution.
4. Malware Identification
• File Analysis: The analyst retrieves the suspicious executable file from Server A for
analysis:
o Sandbox Analysis: Executes the file in a controlled environment to observe
behaviour.
o Signature-Based Detection: Uses antivirus tools to identify known malware
signatures.
o Behavioural Analysis: Monitors for indicators of compromise (IOCs) such as
unusual file modifications and network connections.
• Findings: The file is identified as part of a Remote Access Trojan (RAT) used to
exfiltrate data and establish a backdoor.
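The triage and correlation steps above (critical asset, whitelist miss, volume above baseline, threat-intel hit, then pulling the firewall, proxy and endpoint evidence for the host) as an added Python example; it is not part of the original document. The alert values mirror the scenario, while the whitelist, baseline, threat-intel entry and log lines are constructed assumptions.

```python
from ipaddress import ip_address, ip_network

# Constructed alert mirroring the Scenario 1 SIEM alert (sample values, not real telemetry).
ALERT = {"src_ip": "192.168.1.10", "dst_ip": "203.0.113.45", "proto": "TCP",
         "port": 443, "timestamp": "10:15", "bytes_out": 850_000_000}

# Assumed context the analyst gathers during triage (all constructed for this example).
CRITICAL_ASSETS = {"192.168.1.10": "Server A (critical business applications)"}
APPROVED_DESTINATIONS = [ip_network("198.51.100.0/24")]        # hypothetical whitelist
HTTPS_BASELINE_BYTES = 50_000_000                             # hypothetical normal volume
THREAT_INTEL = {"203.0.113.45": "known malware distribution"}  # constructed TI hit

# Constructed log lines from the three sources named in the Investigation step.
LOGS = [
    "firewall  10:15 ALLOW 192.168.1.10 -> 203.0.113.45:443 tcp",
    "webproxy  10:02 GET http://updates-cdn.example/setup.php 192.168.1.10",
    "endpoint  10:05 FILE_CREATE C:\\Users\\Public\\svc_update.exe 192.168.1.10",
]

def triage(alert, whitelist, baseline, critical, intel):
    """Return (priority, reasons) reproducing the analyst's triage checks."""
    reasons = []
    dst = ip_address(alert["dst_ip"])
    if alert["src_ip"] in critical:
        reasons.append(f"source is {critical[alert['src_ip']]}")
    if not any(dst in net for net in whitelist):
        reasons.append("destination not in whitelist")
    if alert["bytes_out"] > baseline * 2:
        reasons.append(f"outbound volume {alert['bytes_out'] / baseline:.0f}x baseline")
    if alert["dst_ip"] in intel:
        reasons.append(f"threat intel: {intel[alert['dst_ip']]}")
    priority = "high" if len(reasons) >= 3 else "medium" if reasons else "low"
    return priority, reasons

def correlate(logs, host_ip, dst_ip):
    """Collect the evidence chain for one host: the egress plus the proxy and endpoint
    events that precede it, grouped by log source."""
    chain = {"firewall": [], "webproxy": [], "endpoint": []}
    for line in logs:
        source, _, rest = line.partition(" ")
        # Firewall lines must name the suspicious destination; other sources only the host.
        if host_ip in rest and (source != "firewall" or dst_ip in rest):
            chain[source].append(rest.strip())
    return chain

if __name__ == "__main__":
    print(triage(ALERT, APPROVED_DESTINATIONS, HTTPS_BASELINE_BYTES, CRITICAL_ASSETS, THREAT_INTEL))
    print(correlate(LOGS, ALERT["src_ip"], ALERT["dst_ip"]))
```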
Containment Phase
5. Immediate Actions
• Isolation: The SOC team isolates Server A from the network to prevent further data
exfiltration.
• Blocking IP: Adds firewall rules to block outbound traffic to the suspicious IP
addresses and domains.
Eradication Phase
6. Malware Removal
• System Scan: Runs comprehensive antivirus and anti-malware scans to identify and
remove the RAT and any associated files.
• Manual Inspection: Conducts manual inspection of system files and registries to
ensure complete removal.
Recovery Phase
7. System Restoration
Post-Incident Activity
• Entry Point Identification: Determines that the malware was introduced through a
phishing email that led to the download of the RAT.
• Security Gaps: Identifies gaps in email filtering and user training.
9. Lessons Learned
Scenario 2: Detection and Analysis of a Phishing Attack
Background
Detection Phase
1. Initial Alert
• SIEM Alert: The SIEM generates an alert indicating multiple failed login attempts
followed by a successful login.
• Alert Details: The alert includes the following details:
o User: izzmier
o Source IP: 45.76.200.15 (unusual location)
o Timestamp: 2:30 AM
o Number of Failed Attempts: 5
o Successful Login: Yes
2. Alert Triage
• Priority Assessment: The SOC analyst assesses the priority based on the unusual
login time and location.
• Contextual Information: The analyst gathers additional information:
o User izzmier typically logs in from the corporate office or through the
corporate VPN.
o The source IP is geolocated to a foreign country where the user has never
logged in from.
Analysis Phase
3. Investigation
• Log Review: The analyst reviews logs from the SIEM and other sources (e.g., VPN
logs, email logs):
o VPN Logs: No corresponding VPN login activity from the source IP.
o Email Logs: Identifies a phishing email received by user izzmier two days
prior, containing a link to a fake login page.
• Threat Intelligence: The analyst checks the source IP against threat intelligence
databases:
o The IP is associated with known malicious activity, including previous
phishing campaigns.
4. Phishing Confirmation
• Email Analysis: The analyst retrieves the phishing email and examines it:
o Link Inspection: Analyses the URL in the email and confirms it directs to a
phishing site mimicking the organization’s login page.
o Phishing Site: Verifies the phishing site is designed to harvest credentials.
• User Contact: Contacts user izzmier to confirm if they have interacted with the email
or noticed any unusual activity:
o User confirms they clicked the link and entered their credentials.
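The detection and triage logic for Scenario 2 (five failures followed by a success from one source, then the contextual checks on usual networks, VPN logs and login time) as an added Python example; it is not part of the original document. The event timestamps, the user alice, the corporate network ranges and the VPN source list are constructed assumptions.

```python
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed authentication events modelled on the Scenario 2 alert (not real logs).
AUTH_EVENTS = [
    "2024-05-01T02:26:10 izzmier 45.76.200.15 FAIL",
    "2024-05-01T02:26:42 izzmier 45.76.200.15 FAIL",
    "2024-05-01T02:27:15 izzmier 45.76.200.15 FAIL",
    "2024-05-01T02:27:50 izzmier 45.76.200.15 FAIL",
    "2024-05-01T02:28:30 izzmier 45.76.200.15 FAIL",
    "2024-05-01T02:30:00 izzmier 45.76.200.15 SUCCESS",
    "2024-05-01T08:05:00 alice 10.20.0.7 FAIL",
    "2024-05-01T08:05:20 alice 10.20.0.7 SUCCESS",
]
# Assumed context (constructed): corporate networks per user and source IPs seen in VPN logs.
KNOWN_NETWORKS = {"izzmier": [ip_network("10.20.0.0/16")], "alice": [ip_network("10.20.0.0/16")]}
VPN_SOURCE_IPS = {"198.51.100.23"}   # 45.76.200.15 has no VPN session, as in the scenario

def failed_then_success(events, threshold=5, window=timedelta(minutes=10)):
    """Flag (user, ip) pairs with >= threshold failures followed by a success inside window."""
    findings, failures = [], {}
    for line in events:
        ts, user, ip, outcome = line.split()
        when = datetime.fromisoformat(ts)
        key = (user, ip)
        # Keep only failures that are still inside the sliding window.
        recent = [t for t in failures.get(key, []) if when - t <= window]
        if outcome == "FAIL":
            failures[key] = recent + [when]
        elif len(recent) >= threshold:
            findings.append({"user": user, "ip": ip, "failures": len(recent), "success": ts})
            failures[key] = []
    return findings

def triage(finding, known_networks, vpn_ips):
    """Add the contextual checks the analyst performs before escalating."""
    src = ip_address(finding["ip"])
    reasons = []
    if not any(src in net for net in known_networks.get(finding["user"], [])):
        reasons.append("source outside the user's usual networks")
    if finding["ip"] not in vpn_ips:
        reasons.append("no corresponding VPN session for the source IP")
    hour = datetime.fromisoformat(finding["success"]).hour
    if hour < 6 or hour > 20:
        reasons.append(f"login at {hour:02d}:00 is outside business hours")
    return {**finding, "reasons": reasons, "escalate": len(reasons) >= 2}

if __name__ == "__main__":
    for f in failed_then_success(AUTH_EVENTS):
        print(triage(f, KNOWN_NETWORKS, VPN_SOURCE_IPS))
```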
Containment Phase
5. Immediate Actions
• Account Lockdown: The SOC team immediately locks user izzmier’s account to
prevent further unauthorized access.
• Password Reset: Forces a password reset and ensures the user sets a new, strong
password.
Eradication Phase
• Report Phishing Site: Reports the phishing site to the web hosting provider and
relevant authorities to get it taken down.
Recovery Phase
7. User Education
Post-Incident Activity
9. Lessons Learned
• Email Filtering: Implements advanced email filtering solutions to detect and block
phishing emails more effectively.
• User Awareness Campaign: Launches an organization-wide awareness campaign to
educate users about phishing threats and response strategies.