The document outlines the incident investigation process using IBM Security QRadar, detailing the roles and responsibilities of an incident response specialist. It emphasizes the importance of following a structured process for effective incident management, including preparation, detection, containment, eradication, recovery, and post-incident activities. Additionally, it highlights the use of SOAR platforms to automate responses and streamline investigations.

Incident Investigation with IBM Security QRadar

The Incident Response Process

Ricardo Reimao, OSCP, CISSP
Cybersecurity Consultant
Investigating threats and responding to incidents

QRadar Courses
IBM Security QRadar: Functions and Capabilities
Monitor and Detect (SOC Analyst)
Incident Response
Admin and Engineer
Threat Hunting
Responsibilities of an Incident Response Specialist
Understand the scope and impact of an attack
Collect indicators of compromise (IoCs)
Review cases and declare incidents
Determine impacted assets and impacted data
Eradicate and contain the threat
Help create a recovery plan
QRadar and Incident Investigation
QRadar centralizes security data in one place
Correlate data to identify threats
- Logs, network traffic, vulnerabilities, etc.
Access historical data and previous cases
Set up detection rules
Course Overview
The incident response process
Gathering initial information
Communications
Attacker and victim analysis
Containment, eradication and recovery
Finding IoCs
Two major incidents
Scenario: The Globomantics QRadar
You just got hired by Globomantics
You will work as an incident response (IR) specialist
There are two major incidents to investigate
You are responsible for:
- Investigating offenses raised by the SOC
- Determining the scope of the threats
- Collecting indicators of compromise (IoCs)
- Creating containment and eradication plans
The Incident Response Process
The Importance of Following a Process
During real incidents, the stress might lead to mistakes
The process ensures that best practices are followed
Ensures consistency across investigations
Ensures that the case can be investigated by multiple specialists
Process Overview
Preparation
Detection and analysis
Containment, eradication and recovery
Post-incident activities
Based on the National Institute of Standards and Technology (NIST) process:
Computer Security Incident Handling Guide (NIST 800-61)
https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-61r2.pdf
Preparation
Define an incident response plan
Define roles and responsibilities
Create support documentation
- Templates, procedures, etc.
Rehearse processes and simulate incidents
Courses focused on preparation
Detection and Analysis
Main topic of this course
Confirm the incident
Understand the impact and scope
Analyze the targets and attackers
Collect indicators of compromise (IoCs)
Create an incident timeline
Communicate with stakeholders
Containment, Eradication and Recovery
Decide on the containment goals
- Restore business
- Preserve evidence
- etc.
Contain the threat
- Isolate machines, block traffic, etc.
Eradicate the threat
- Remove malware, remove backdoors, delete accounts, fix vulnerabilities, etc.
Recover from the incident
- Restore from backups, re-image devices, system hardening, etc.
Post-incident Activities
In-depth review of the incident
Understand the point of entry and harden the environment
Implement detection mechanisms
Perform a lessons-learned analysis
Incident Notes and Timeline
The Importance of Notes and Documentation
Large amounts of data during an incident
Stress factor during real incidents
Take notes right away
Document everything you find and every step of your investigation
Reporting the case to stakeholders or even law enforcement
Main Information to Note
Impacted servers
Attacker information
Indicators of Compromise (IoCs)
Investigation steps
To-do tasks
...any other information
Collecting Evidence
In case you need to report the incident
- Especially for law enforcement
Ensure you are not tampering with the evidence
Most common evidence:
- Logs, network traffic, malicious software, compromised accounts, etc.
Incident Timeline

Timestamp           Action
2023-06-30 @ 09:50  User (robertf) received an email containing malware
2023-06-30 @ 12:18  Ransomware started to run and files started to be encrypted
2023-06-30 @ 14:23  User (robertf) called IT support regarding ransomware on his laptop
2023-06-30 @ 14:56  Incident escalated to the IR team (Lead: Ricardo)
2023-06-30 @ 16:15  The machine was isolated and re-imaged. Investigating the scope
2023-06-30 @ 17:10  A few other users received the same email, but none of them opened it.
                    Created an email filtering rule and new detection rules.
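As an added example (not part of the slides), a small Python helper that keeps an incident timeline in the notation used above, sorts notes that were written out of order, rejects malformed entries instead of dropping them, and derives the response metrics (time to detect, escalate and contain) a stakeholder report usually asks for. The sample entries are constructed from the timeline above, and the keyword milestones used to locate events are an assumption.

```python
import re
from dataclasses import dataclass
from datetime import datetime

# Constructed sample input: the timeline entries above in the slides' own "YYYY-MM-DD @ HH:MM action" notation, deliberately out of order.
TIMELINE_NOTES = """
2023-06-30 @ 14:56 Incident escalated to the IR team (Lead: Ricardo)
2023-06-30 @ 09:50 User (robertf) received an email containing malware
2023-06-30 @ 12:18 Ransomware started to run and files started to be encrypted
2023-06-30 @ 14:23 User (robertf) called IT support regarding ransomware on his laptop
2023-06-30 @ 16:15 The machine was isolated and re-imaged. Investigating the scope
2023-06-30 @ 17:10 Few other users received the same email, but none of them opened it
"""
LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}) @ (\d{2}:\d{2})\s+(\S.*)$")

@dataclass(frozen=True)
class Event:
    when: datetime
    action: str

def parse_timeline(text: str) -> list[Event]:
    """Parse note lines into chronologically sorted Events. A malformed line raises
    ValueError rather than being dropped silently, since a missing entry skews every metric."""
    events = []
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        m = LINE_RE.match(line.strip())
        if m is None:
            raise ValueError(f"line {n}: expected 'YYYY-MM-DD @ HH:MM action', got {line!r}")
        events.append(Event(datetime.strptime(f"{m[1]} {m[2]}", "%Y-%m-%d %H:%M"), m[3]))
    return sorted(events, key=lambda e: e.when)

def first_matching(events: list[Event], needle: str) -> Event:
    # Earliest event whose action mentions the (assumed) milestone keyword, case-insensitively.
    for e in events:
        if needle.lower() in e.action.lower():
            return e
    raise ValueError(f"no timeline entry mentions {needle!r}")

def minutes_between(events: list[Event], start: str, end: str) -> int:
    # Whole minutes from the first event mentioning `start` to the first mentioning `end`.
    delta = first_matching(events, end).when - first_matching(events, start).when
    return int(delta.total_seconds() // 60)

def ir_metrics(events: list[Event]) -> dict[str, int]:
    """Response metrics in minutes for the stakeholder report, keyed on milestone wording."""
    return {
        "time_to_detect": minutes_between(events, "received an email", "called IT support"),
        "time_to_escalate": minutes_between(events, "called IT support", "escalated to the IR team"),
        "time_to_contain": minutes_between(events, "started to run", "isolated"),
    }
```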
Working with SOAR Platforms
What Are SOAR Platforms?
Security Orchestration, Automation and Response (SOAR)
A platform that collects data from QRadar (and other tools) so you can automate some responses
Allows you to review data and automate tasks across multiple security platforms
- SIEM, IPS, DLP, firewall, vulnerability scanner, etc.
Common in large companies with several security tools
Main SOAR Platforms
IBM Security SOAR
Splunk SOAR
Swimlane
Siemplify
FortiSOAR
20+ other vendors

Investigating Incidents Using SOAR
All data is in one place
Some of the remediation actions might already be automated
- Example: Blocking IPs on the firewall
Investigating the case and reviewing remediation actions

Summary
The role of an IR specialist
The IR process phases
- Preparation
- Detection and analysis
- Containment, eradication and recovery
- Post-incident activities
The importance of notes and timelines
How to work with SOAR platforms
Next up: Incident Investigations
