Cyber Security Incident Response & Recovery (CS4684)
JD Fulp, CSIH, CISSP, ISSEP, ISSAP, Naval Postgraduate School
Slide 11
Step-2: -sS → ______________________________
Slide 12
The Incident: Step-by-Step
Step-2
Attacker uses ______ (tool) to scan the DMZ, looking for systems with ports ____ or ____ open. She finds two, and also learns the names of three systems in the DMZ. What are those systems and names? (previous 2 slides)
Ardala FTPs to her “drop site” to save the two password files (Step-6) and also to download: Server.c for use in a ________ attack, and Datapipe for use in _______-_______________
Slide 20
The Incident: Step-by-Step
Step-6
Or more simply… (diagram; port labels 53 and 3389)
Slide 25
The Incident: Step-by-Step
Step-10
(diagram; port labels 3389 and 3389)
Slide 26
The Incident: Step-by-Step
Step-11
(diagram; port labels 3389, 53 and 3389)
Attacker runs _______________ (program) through this relay network to brute-force crack usernames & passwords on systems running Microsoft Terminal Services
27
TSgrinder
running
Step-‐11
from
172.27.20.105
to
172.27.20.3
(but
forwarded
via
Datapipe
all
the
way
to
10.10.10.3
Slide 28
The Incident: Step-by-Step
Step-12
Attacker discovers the admin password on 10.10.10.3, then connects, via her pivot-point system, to the RDP (Terminal Service) running on the target machine
(diagram; port labels 53 and 3389)
Slide 29
Step-13
Slide 30
The Incident: Step-14
Slide 32
Research
Sample Google result for “Port 6723”, this one from http://www.auditmypc.com/tcp-port-6723.asp
Slide 35
Research
Informative mstream overview for the inquisitive Incident Analyst at → http://www.giac.org/paper/gcih/132/mstream-ddos-plain-simple/100598
Slide 36
Initial Incident Lead(s)?
Discussion: Assuming you’re an incident handler for CHM; which of the above I&W or AS&W will you have investigative access to? What would you “search for” among your millions of logged packets?
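One defender-side answer to the discussion question, as an added example that is not part of the slides: two searches an incident handler could run over connection logs, one for the Step-2 scan fan-out against DMZ ports 53 and 3389 and one for the Step-11 volume of TCP/3389 connections that a brute-force tool produces. The log line format, the thresholds and the sample lines are my assumptions; the IP addresses follow the scenario on the slides.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

WATCHED_PORTS = {53, 3389}  # the DMZ ports the scenario's attacker looks for
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d+)$")  # assumed format: "timestamp src dst dport"

def constructed_log():
    """Constructed sample connection log (not from the slides); IPs follow the scenario."""
    base = datetime(2013, 3, 4, 10, 0, 0)
    lines = []
    for i, host in enumerate(range(2, 7)):  # Step-2: one source probes five DMZ hosts within seconds
        for port in (53, 3389):
            lines.append(f"{(base + timedelta(seconds=i)).isoformat()} 172.27.20.105 172.27.20.{host} {port}")
    for i in range(25):  # Step-11 as an internal sensor sees it: the relay host, not the attacker, is the source
        lines.append(f"{(base + timedelta(minutes=30, seconds=5 * i)).isoformat()} 172.27.20.3 10.10.10.3 3389")
    lines.append(f"{(base + timedelta(minutes=5)).isoformat()} 172.27.20.3 172.27.20.2 53")  # benign DNS lookup
    lines.append(f"{(base + timedelta(minutes=40)).isoformat()} 10.10.10.50 10.10.10.3 3389")  # benign RDP session
    return "\n".join(lines)

def parse(log):
    """Return (timestamp, src, dst, dport) tuples in time order, skipping malformed lines."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append((datetime.fromisoformat(m.group(1)), m.group(2), m.group(3), int(m.group(4))))
    return sorted(events)

def find_scanners(events, min_hosts=3, window=timedelta(minutes=1)):
    """Step-2 indicator: sources that reach >= min_hosts distinct hosts on 53/3389 inside `window`."""
    probes = defaultdict(list)
    for ts, src, dst, port in events:
        if port in WATCHED_PORTS:
            probes[src].append((ts, dst))
    return {src for src, seen in probes.items()
            if any(len({d for t, d in seen[i:] if t - t0 <= window}) >= min_hosts
                   for i, (t0, _) in enumerate(seen))}

def find_rdp_bruteforce(events, threshold=20, window=timedelta(minutes=5)):
    """Step-11 indicator: (src, dst) pairs with >= threshold TCP/3389 connections inside `window`."""
    times = defaultdict(list)
    for ts, src, dst, port in events:
        if port == 3389:
            times[(src, dst)].append(ts)  # already time-ordered because `events` is sorted
    return {pair for pair, ts_list in times.items()
            if any(ts_list[i + threshold - 1] - ts_list[i] <= window
                   for i in range(len(ts_list) - threshold + 1))}
```

Because the relay forwards the traffic, the internal sensor records the pivot host 172.27.20.3, not 172.27.20.105, as the source of the 3389 connections, so the second search keys on per-pair connection volume rather than on the attacker's address.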
Slide 37
Delivery Vectors Involved (Table D-A-1 of CJCSM 6510.01B)
Slide 38
Finished