Scenario:

Bank of the People allows employees to bring their devices to work and use them in the corporate network. They have a Microsoft identity management system for authentication and authorization. A few employees have noticed in the last few days that the onscreen keyboards they use have become slow. Others report that their emails from g mail seem to include an increased number of phishing attacks.

Offer a procedure you recommend to address each. Use at least one non-standard (additional) procedure and explain why is it appropriate.

Initial Compromise

Pivot and Escalation

Command and Control (C2) and Exfiltration

Persistence

Make an estimation and explain what you think happened at each phase. Make a recommendation as to what needs to change in standard procedures as a result of the incident.

Backdoors: \& Breaches INITIAL COMPROMISE Backdoors Backdoors Backdoors 8Breaches 8Breaches PERSISTENCE PROCEDURES :stablished Procedures: Jther Procedures: MEMORY ANALYSIS Incident Response Team pulls the memory from the suspect system and reviews it for possible malicious activity. ENDPOINT ANALYSIS This is where the Defenders use their SANS IR MANEMENT (SIEM) LOG ANALYS the right things? Do youregularly emulate at the to bring in the Hele Desk... and pray. NETWORK THREAT HUNTING - + ar Network Team is on thair game. They cen further harm. USER AND ENTITY BEHAVIOR ANALYTICS (UEBA) It's like logging, but it actually works. UEBA looks for multiple concurrent logins, impossible logins based an geagraphy, unusual. 3. lyi CYBER DECEPTION The attackers go after one of your deception technologies. This could be a Word Web Bug, Honey Account, or a full honeypot. TOOLS CanaryTokens HoneyBadger Active Defense Harbinger Distribution MITRE Shield https://shield.mitre.org/ https://www.activecountermeasures.com/free-tools/adhd/