Certified Cybersecurity Technician - Module 19 - Incident Response - Lab (EC-Council) (Z-Library)

Author: EC-Council

Other

No Description

📄 File Format: PDF
💾 File Size: 2.1 MB
Views: 55
Downloads: 0

📄 Text Preview (First 20 pages)


📄 Page 1
Copyrights @ 2022 EC-Council International Ltd.
Certified Cybersecurity Technician

CERTIFIED CYBERSECURITY TECHNICIAN
CHAPTER 19: INCIDENT RESPONSE
📄 Page 2
INDEX

Chapter 19: Incident Response
Exercise 1: Conduct Security Checks using buck-security on Linux ..... 05
Exercise 2: Analysis and Validation of Malware Incident ..... 12
Exercise 3: Implement Policies using Group Policy Management Console ..... 26
📄 Page 3
SCENARIO

Information security incidents have sharply increased in recent years, owing to the adoption of digital technologies and the frequent innovation of new technologies. In this environment, organizations are at risk of huge losses in data, trust, profits, systems, devices, and human resources. Therefore, it is crucial for organizations to be prepared to battle—if not completely prevent—these incidents. Understanding the concept of incident response (IR) will help in handling security breaches effectively and minimizing the damage due to a cybersecurity attack. Hence, a security professional must understand the complete process of incident handling and response (IH&R) that must be implemented to face, fight, and prevent different types of information-based attacks.

OBJECTIVE

The objective of this lab is to provide expert knowledge on the incident response process. It includes the following tasks:
• Conducting security checks on Linux using the buck-security tool
• Analyzing and validating a malware incident
• Implementing policies using Group Policy Management Console

OVERVIEW OF INCIDENT RESPONSE

Incident response (IR) is the process of taking organized and careful steps when reacting to a security incident. It involves a sequence of steps that begins with identifying and reporting an incident. IR is a systematic approach adopted to handle security incidents with minimal damage, recovery time, and cost. In the process of responding to an incident, security professionals can acquire information such as the network vulnerability that allowed the attack, the individual(s) who initiated the attack, and the types of devices and files that were affected. IR processes differ from organization to organization according to their business and operating environment.
📄 Page 4
LAB TASKS

A cybersecurity professional or a security professional uses numerous tools and techniques to perform incident response. The recommended labs that will assist in learning the IR process include the following:

Note: Turn on the PfSense Firewall virtual machine and keep it running throughout the lab exercises.

01 Conduct Security Checks using buck-security on Linux
02 Analysis and Validation of Malware Incident
03 Implement Policies using Group Policy Management Console
📄 Page 5
EXERCISE 1: CONDUCT SECURITY CHECKS USING BUCK-SECURITY ON LINUX

Windows OS tracks various events, activities, and functions through logs.

LAB SCENARIO

Once a security incident has been reported, the IH&R team must perform incident triage. As part of incident triage, security professionals assess the details and correlate indicators with logs and other system files to validate the incident and determine the impacted systems, networks, devices, and applications. To classify an incident's severity, security professionals must perform incident analysis and validation: analyze the indicators of a reported issue and verify whether it is an information security incident or an error in hardware or software components. If the reported incident is an information security incident, the security professionals must perform further analysis to identify any security loopholes that led to the incident. A security professional must be able to perform security scanning using automated tools to detect security vulnerabilities in operating systems such as Linux and Windows that led to the security incident.

OBJECTIVE

This lab demonstrates how to conduct security checks using buck-security on the Linux operating system to learn the security status of the system.

OVERVIEW OF BUCK-SECURITY

The buck-security tool is a collection of security checks for Linux. It was designed for Debian and Ubuntu servers, but it can be useful for any Linux system. The buck-security tool allows security professionals to identify the security status of a system. It provides an overview of the system's security status within a couple of minutes.
📄 Page 6
Note: Ensure that the PfSense Firewall virtual machine is running.

1. Turn on the Attacker Machine-2 virtual machine.
2. On the login page, the attacker username will be selected by default. Enter toor in the Password field and press Enter to log in to the machine.
Note: If a Parrot Updater pop-up appears at the top-right corner of the Desktop, ignore and close it.
Note: If a Question pop-up window appears asking you to update the machine, click No to close the window.
3. Click the MATE Terminal icon at the top of the Desktop window to open a Terminal window.
4. A Parrot Terminal window appears. In the terminal window, type sudo su and press Enter to run the programs as the root user.
📄 Page 7
5. In the [sudo] password for attacker field, type toor as the password and press Enter.
Note: The password that you type will not be visible.
6. Now, type cd and press Enter to jump to the root user's home directory.
7. Type chmod -R 755 buck-security-master and press Enter to give adequate permissions to the tool folder.
📄 Page 8
8. Type cd buck-security-master and press Enter.
📄 Page 9
9. Type ./buck-security and press Enter. This command will run a security scan on the Linux machine and check for vulnerabilities in the machine.
10. The result displays the issues found in the security measures as security WARNING messages, as shown in the screenshot below.
📄 Page 10
11. Scroll down to view the complete result. Observe the section [3] CHECK firewall: Check firewall policies. This section shows the complete settings of the firewall on the Linux machine. Similarly, observe the other security warning messages along with the corresponding security issues.
📄 Page 11
12. These security issues and vulnerabilities can be further analyzed and mitigated to enhance the overall security infrastructure of an organization's network.
13. This concludes the demonstration showing how to conduct security checks on a Linux system.
14. Close all open windows.
15. Turn off the Attacker Machine-2 virtual machine.
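The scan in steps 9 to 11 prints WARNING lines for weak settings such as permissive firewall policies. As an added example, not code from the lab or from the buck-security project, the Python script below performs three checks of the same kind on a directory of your choice and on text in the layout of `iptables -L` output. The function names, the sample firewall output and the WARNING wording are my own choices and not the tool's.

```python
"""Added example: buck-security-style checks written for this page.

This is not the buck-security tool's code. It performs three checks of the
kind the lab's scan reports on: world-writable files, setuid/setgid files,
and permissive default firewall policies. The firewall check parses text in
the layout of `iptables -L` output; SAMPLE_IPTABLES below is constructed,
not captured from the lab machine.
"""
import os
import re
import stat
import sys
from typing import Dict, Iterator, List, Tuple

# Constructed sample in the layout of `iptables -L` (not from the lab machine).
SAMPLE_IPTABLES = """\
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ssh

Chain FORWARD (policy DROP)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
"""

# Matches chain header lines such as "Chain INPUT (policy ACCEPT)".
CHAIN_RE = re.compile(r"^Chain (\S+) \(policy (\S+)\)")


def _regular_files(root: str) -> Iterator[Tuple[str, os.stat_result]]:
    """Yield (path, lstat result) for each regular file below root; symlinks are not followed."""
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue  # vanished or unreadable entry: skip it rather than abort the scan
            if stat.S_ISREG(st.st_mode):
                yield path, st


def find_world_writable(root: str) -> List[str]:
    """Regular files that any local user can modify."""
    return sorted(p for p, st in _regular_files(root) if st.st_mode & stat.S_IWOTH)


def find_setuid_setgid(root: str) -> List[str]:
    """Regular files that run with their owner's or group's privileges."""
    bits = stat.S_ISUID | stat.S_ISGID
    return sorted(p for p, st in _regular_files(root) if st.st_mode & bits)


def permissive_chains(iptables_output: str) -> Dict[str, str]:
    """Map chain name to policy for chains whose default policy is neither DROP nor REJECT."""
    found: Dict[str, str] = {}
    for line in iptables_output.splitlines():
        m = CHAIN_RE.match(line)
        if m and m.group(2) not in ("DROP", "REJECT"):
            found[m.group(1)] = m.group(2)
    return found


def run_checks(root: str, iptables_output: str = SAMPLE_IPTABLES) -> List[str]:
    """Run every check and return WARNING lines in the spirit of the lab's scan output."""
    warnings: List[str] = []
    for path in find_world_writable(root):
        warnings.append(f"WARNING: world-writable file: {path}")
    for path in find_setuid_setgid(root):
        warnings.append(f"WARNING: setuid/setgid file: {path}")
    for chain, policy in permissive_chains(iptables_output).items():
        warnings.append(f"WARNING: firewall chain {chain} default policy is {policy}")
    return warnings


if __name__ == "__main__":
    # Usage: python checks.py [directory]; defaults to /usr/local/bin.
    target = sys.argv[1] if len(sys.argv) > 1 else "/usr/local/bin"
    for line in run_checks(target) or ["OK: no warnings"]:
        print(line)
```

On a live system, replace SAMPLE_IPTABLES with the real output of `iptables -L` (which needs root, as in step 4) so the firewall check reflects the machine rather than the constructed sample. Every warning is a lead for step 12, not a verdict: a setuid binary or an ACCEPT policy may be intentional, and the point of the check is that each one is known and justified.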
📄 Page 12
EXERCISE 2: ANALYSIS AND VALIDATION OF MALWARE INCIDENT

The analysis of compromised systems, networks, databases, files, and other devices is important to validate a security incident.

LAB SCENARIO

Modern attackers use sophisticated malware techniques as cyber weapons to steal sensitive data. Malware such as viruses, trojans, worms, spyware, and rootkits allow an attacker to breach security defences and subsequently attack the target systems. Malware can cause the target, whether an individual, a group of people, or an organization, to suffer intellectual and financial losses. Moreover, malware spreads from one system to another with ease and stealth. Thus, security professionals must find and fix existing infections and thwart future attacks. This can be achieved by performing malware analysis.

OBJECTIVE

This lab demonstrates how to analyze and validate a malware incident, through the following:
• Analyzing viruses using an open-source malware analysis tool called VirusTotal
• Identifying suspicious files through packaging and obfuscation methods using PE

OVERVIEW OF INCIDENT ANALYSIS AND VALIDATION

Incident responders must analyze the indicators of a reported issue to verify whether it is an information security incident or an error in the hardware or software components. The IH&R team should ideally evaluate each indicator to determine whether the incident is legitimate. They must find the different sources of indicators, examine the security solutions, verify the system and device logs, and identify the incident and its vectors. An accurate indicator does not necessarily mean that an incident has occurred. Not all incidents are security incidents; some incidents, such as a web server crash or the modification of sensitive files, could have been caused by human error.

The incident analysis will help determine whether the IH&R team needs to handle the incident, register the issue and take further action, or pass it to other teams for processing.
📄 Page 13
Note: Ensure that the PfSense Firewall virtual machine is running.

1. Turn on the Admin Machine-1 virtual machine.
2. Log in with the credentials Admin and admin@123.
Note: If a Networks prompt appears once you have logged in to the machine, click Yes.
3. Open any web browser (in this lab task, Mozilla Firefox), place the mouse cursor in the address field, type https://www.virustotal.com/#/home/upload and press Enter. The VirusTotal home page will appear. Click Choose file.
📄 Page 14
4. When the Open window appears, navigate to Z:\CCT-Tools\CCT Module 19 Incident Response\Malware, select the wikiworm.exe application, and click Open.
📄 Page 15
5. VirusTotal will automatically compute the file's hashes and other signatures, compare them with well-known threat indicators from various sources, and subsequently produce a malware infection score. View the result of the malware analysis of wikiworm.exe.
6. The VirusTotal score is 57/71, and all the results are shown in detail under the Detection tab.
Note: The VirusTotal score may vary when you perform this lab.
📄 Page 16
7. Click on the Details tab to extract more details about the IoCs of the malware, such as MD5, SHA-1, Authentihash, Imphash, SSDeep, TRiD and File size.
📄 Page 17
8. Click on the Relations tab to view the relations of the malware using Contacted URLs, Contacted Domains, Execution Parents and Graph Summary.
📄 Page 18
📄 Page 19
9. Click on the Community tab to view details such as HybridAnalysis and the number of votes by community members under the Voting Details section.
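Steps 5 to 7 rely on VirusTotal to hash the file and compare the digests with known threat indicators. As an added example, not code from the lab or from VirusTotal, the Python below does the local side of that triage: it computes the MD5 and SHA-1 listed on the Details tab (with SHA-256 added), looks them up in a watchlist, confirms the PE signature, and applies a Shannon-entropy heuristic for the packing the lab's second objective mentions. SAMPLE_FILE and WATCHLIST are constructed for this example, and the 7.0 bits/byte packing threshold is my own choice, not a figure from the page.

```python
"""Added example: local triage of a suspicious file, written for this page.

This is not the lab's code nor VirusTotal's. It reproduces a few of the
indicators the Details tab shows (MD5, SHA-1, with SHA-256 added), compares
them against a watchlist, confirms the PE signature, and uses Shannon entropy
as a packing heuristic. SAMPLE_FILE and WATCHLIST are constructed; Imphash and
SSDeep need third-party libraries and are not computed here.
"""
import hashlib
import math
from collections import Counter
from typing import Dict, List

# Constructed stand-in for a file's bytes: "MZ" at offset 0, the e_lfanew field
# at offset 0x3C pointing to "PE\0\0" at offset 0x40, then filler. Not a program.
SAMPLE_FILE = (
    b"MZ" + b"\x00" * 58
    + (0x40).to_bytes(4, "little")
    + b"PE\x00\x00"
    + b"A" * 60
)


def hashes(data: bytes) -> Dict[str, str]:
    """Hex digests keyed by algorithm name, as a VirusTotal report lists them."""
    return {name: hashlib.new(name, data).hexdigest() for name in ("md5", "sha1", "sha256")}


# Constructed watchlist: digest -> label. Here it lists the sample itself.
WATCHLIST: Dict[str, str] = {hashes(SAMPLE_FILE)["sha256"]: "constructed sample marked as known-bad"}


def is_pe(data: bytes) -> bool:
    """True when the DOS header and the PE signature it points to are both present."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    pe_offset = int.from_bytes(data[0x3C:0x40], "little")
    return data[pe_offset:pe_offset + 4] == b"PE\x00\x00"


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for one repeated value, 8.0 for a uniform spread.
    Packed or encrypted payloads sit near the top of that range."""
    if not data:
        return 0.0
    total = len(data)
    return -sum((c / total) * math.log2(c / total) for c in Counter(data).values())


def triage(data: bytes, watchlist: Dict[str, str], packed_threshold: float = 7.0) -> List[str]:
    """Return human-readable findings for the incident record."""
    findings: List[str] = []
    for algo, digest in hashes(data).items():
        if digest in watchlist:
            findings.append(f"{algo} {digest} matches watchlist: {watchlist[digest]}")
    findings.append("PE signature present" if is_pe(data) else "not a PE file")
    ent = shannon_entropy(data)
    verdict = "possibly packed" if ent >= packed_threshold else "not indicative of packing"
    findings.append(f"entropy {ent:.2f} bits/byte: {verdict}")
    return findings


if __name__ == "__main__":
    for line in triage(SAMPLE_FILE, WATCHLIST):
        print(line)
```

Hashing locally lets the hash alone be submitted or searched, which avoids uploading a file that may contain the organization's own data; a watchlist hit or a high entropy reading is then corroborated against the Detection and Relations tabs rather than treated as a final verdict.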
📄 Page 20
