×

Home Top Podcaster Networks By Language By Country By Category About Us Contact Us Faqs Features News & Blogs Privacy Policy Terms Of Use

☰

Search

Home > The Incident Response Podcast > Getting back to basics, IR 101 - Episode 013


	Podcast:		The Incident Response Podcast
	Episode:		Getting back to basics, IR 101 - Episode 013
	Category:		Technology
	Duration:		00:50:36
	Publish Date:		2020-06-03 15:22:42
	Description:		Recorded May 2020 TOPIC: Getting back to basics, IR 101 OUR SPONSORS: NEWS-WORTHY: Best EDR Security Services In 2020 for Endpoint Protection https://www.softwaretestinghelp.com/edr-security-services/ How to Avoid Spam—Using Disposable Contact Information https://www.wired.com/story/avoid-spam-disposable-email-burner-phone-number/ Shiny new Azure login attracts shiny new phishing attacks https://nakedsecurity.sophos.com/2020/05/18/shiny-new-azure-login-attracts-shiny-new-phishing-attacks/ Upgrading from EDR to MDR is Critical but Easier than You Think https://securityboulevard.com/2020/05/upgrading-from-edr-to-mdr-is-critical-but-easier-than-you-think/ The ransomware that attacks you from inside a virtual machine https://nakedsecurity.sophos.com/2020/05/22/the-ransomware-that-attacks-you-from-inside-a-virtual-machine/ SITE-WORTHY: Malware Archaeology - Cheat Sheets https://www.MalwareArchaeology.com/cheat-sheets TOOL-WORTHY: LOG-MD - The Log anD Malicious Discovery tool “LOG-MD -a” will give you how you compare against the cheat sheets https://www.LOG-MD.com MALWARE OF THE MONTH: Qakbot Typical delivery via a Office doc or URL Created a folder in C:\Users Key Detection points Enable better logging AutoRuns - Uses Run key and Scheduled Task WMIPrvSe launch binary in C:\Users Binary in root of \Username directory C:\Users\\.exe C:\Users\\AppData\Roaming\Microsoft\ Syswow64\Explorer.exe used Parent of Explorer.exe is NEVER a binary in C:\Users Process injection of Syswow64\Explorer.exe Ping 127.0.0.1 Scheduled Task created by a binary in C:\Users Syswow64\Explorer,exe opening all the browsers Binary in C:\User calling out to foreign country PREVENTION Block Office macros Don’t allow uncategorized websites EDR Software Whitelisting C:\Users TOPIC OF THE DAY: Getting back to basics, IR 101 What is getting back to basics - IR 101 This will likely be multiple episodes We will start with Windows Why is this important? WHEN you have an incident, data we, and you need will be available This is probably the #1 finding and recommendation we have made to organizations we have been involved with over the years Security tools fail, so other data you collect can help discover what happened where, when, and how What is the problem we are wanting our listeners to solve? To be better prepared in the event of an incident to speed up investigations Give your SOC, IT, or Security people the data they need to investigate events Make log management data better if you are collecting all the things And of course… help your IR Consultancy do a better job FASTER Other Articles: ------------------- CIS Benchmarks https://www.cisecurity.org/cis-benchmarks/ DerbyCon talk on EDR https://www.irongeek.com/i.php?page=videos/derbycon7/t416-edr-etdr-next-gen-av-is-all-the-rage-so-why-am-i-enraged-michael-gough DerbyCon talk on Winnti https://www.irongeek.com/i.php?page=videos/derbycon5/teach-me01-a-deep-look-into-a-chinese-advanced-attack-understand-it-learn-from-it-and-how-to-detect-and-defend-against-attacks-like-this-michael-gough
	Total Play:		0