Life-cycle of a security incident: from detection to response

Uploading a dangerous payload

Demo time: exploit the RCE

  • go offline: shut down the system until the developers fix the issue;
  • stay online: mitigate the risk while keeping the system running.

Mitigate the risk of keeping the system online

  • collect the logs;
  • find the IIS log directory;
  • send the logs to a central log collector: configure a local agent that monitors the IIS logs in real time and forwards them to the central collector, which also keeps a secure copy of the log files (that copy is useful for forensic activities as well);
  • analyse logs while the problem is happening;
  • find attack patterns.

Write your own detection rule

  • identify the fields unique to the pattern: starting from the log analysis, we look for fields in the logs that are unique to the requests made while the attack happens;
  • minimise the false positives: the rule has to be accurate so that the number of false positives stays low and security analysts work only on real events;
  • schedule a search for the pattern: no one can identify the pattern by hand, so the detection phase has to be automated;
  • create an alert: when the event occurs an action is executed, in our case a script that opens a ticket on our service desk platform.
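As an added example (not code from the talk), the rule below implements these steps in Python over IIS W3C log entries: it parses the `#Fields` directive, correlates an upload with a later request for a server-side script in the upload directory from the same client, and collapses repeats into a single alert. The upload endpoint, the upload directory, the extension list and the log excerpt are all constructed assumptions for the demo.

```python
"""Detection rule for an upload-then-execute pattern in IIS W3C logs (added example).
Field names follow the IIS #Fields directive; endpoint, directory and extensions are assumptions."""
from collections import defaultdict
from posixpath import splitext

# Constructed IIS log excerpt (W3C extended format) used as sample input.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query c-ip cs(User-Agent) sc-status
2023-05-01 10:00:01 10.0.0.5 POST /upload.aspx - 198.51.100.7 Mozilla/5.0 200
2023-05-01 10:00:02 10.0.0.5 GET /uploads/report.pdf - 198.51.100.7 Mozilla/5.0 200
2023-05-01 10:00:09 10.0.0.5 POST /upload.aspx - 203.0.113.9 curl/7.88 200
2023-05-01 10:00:10 10.0.0.5 GET /uploads/shell.aspx - 203.0.113.9 curl/7.88 200
2023-05-01 10:00:11 10.0.0.5 GET /uploads/shell.aspx - 203.0.113.9 curl/7.88 200
"""

UPLOAD_ENDPOINT = "/upload.aspx"                        # assumed upload handler
UPLOAD_DIR = "/uploads/"                                # assumed directory where uploads are served
SERVER_SIDE_EXT = {".aspx", ".asp", ".ashx", ".asmx"}   # extensions IIS hands to a script engine


def parse_w3c(text):
    """Yield one dict per log entry, keyed by the names in the #Fields directive."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#"):
            yield dict(zip(fields, line.split()))


def detect_upload_then_execute(text):
    """Alert when a client POSTs to the upload endpoint and later successfully requests a
    server-side script under the upload directory. Requiring both steps from the same
    client, and collapsing repeated hits into one alert, keeps false positives down."""
    uploaded_from = set()
    hits = defaultdict(int)
    for e in parse_w3c(text):
        client, path = e["c-ip"], e["cs-uri-stem"]
        if e["cs-method"] == "POST" and path == UPLOAD_ENDPOINT:
            uploaded_from.add(client)
        elif (client in uploaded_from and path.startswith(UPLOAD_DIR)
              and splitext(path)[1].lower() in SERVER_SIDE_EXT and e["sc-status"] == "200"):
            hits[(client, path)] += 1
    return [{"client": c, "path": p, "requests": n} for (c, p), n in hits.items()]


if __name__ == "__main__":
    for alert in detect_upload_then_execute(SAMPLE_LOG):
        print("ALERT:", alert)   # the scheduled rule would open a service-desk ticket here
```

The legitimate PDF upload from the first client produces no alert, while the two requests for the uploaded script from the second client produce exactly one.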

Respond to the incident

Final remarks

Codemotion