Module 9 Lab

School: Bellevue College
Course: 430
Subject: Information Systems
Date: Dec 6, 2023
Type: docx
Pages: 15

CYBR 440 - Incident Detection and Response
Module 9 Lab – Incident Tracking

In this ninth lab, we will learn how to use automated incident tracking systems to document what happens during an incident. Depending on the incident, incident responders often have to produce a written report for external audiences such as executives, legal, and third parties, while using automated tools for the more technical side of incident tracking. We will use two popular open-source tools for incident tracking in this lab. The first is an eGRC (governance, risk, and compliance) tool that is primarily used for compliance management but includes integrated incident tracking. The second is an incident tracking and response platform built specifically for incident responders; it integrates threat intelligence and malware analysis capabilities so that research and tracking are seamless.

You will be required to submit the following graded items as part of this lab:
Answer all questions listed in BOLD
Provide screenshots when asked

Accessing the Lab

This lab is hosted in the university IS Lab and requires special instructions to access it. If you are not familiar with accessing the IS Lab, please see the document in this course that walks you through accessing the Cybersecurity Desktop. You can access the Cybersecurity Desktop through the web or using VMware's Horizon client. Use the native Horizon client when possible, as it provides better performance. The web client can be accessed at https://workspace.bellevue.edu . Make sure you log in to this interface with your Bellevue student ID and password.

After accessing workspace.bellevue.edu and selecting the IS Lab desktop, open a browser and navigate to https://10.98.100.11 . The first time you access this site, you will see a certificate warning in the browser: the lab portal presents a certificate that your browser does not trust. This is expected inside the lab, but clicking through such warnings is not something to carry over to production systems. Click Advanced and then Proceed to 10.98.100.11 (Unsafe). Next, you should see the following remote access page.
After reaching Bellevue Bank and Trust's Remote Management Portal, log in using the following information:

Username: analyst# - Where # is the number provided to you by your instructor
Password: An@lyst#!! - Where # is the number provided to you by your instructor

After logging in, you should see the following page:

You should have three available connections: RDP Kali #, RDP Workstation#, and SSH Kali #. These are the three analyst tools you will use throughout this course.
You will be using the Windows 10 RDP Workstation# connection for this lab. It is best to open each new RDP or SSH connection in a new tab.

Part 1 - Incident Tracking with Eramba eGRC

In this first part of the lab, we will use Eramba, an eGRC tool, to track an incident from start to finish. You will be using the Bellevue Bank and Trust case study for this lab.

1. After accessing your analyst Windows 10 desktop, open a browser and navigate to https://eramba.bbtrust.com . You can also click the shortcut link on your analyst desktop. Log in using the username analyst# and password An@lyst#!!, where # is your analyst number.

2. After logging in, hover over the second-to-bottom icon on the left side of the screen, labeled Security Options, and then click Security Incidents.
3. At the top of the screen, click Actions, and then + Add.

4. On the first tab of this screen, fill out the following information based on your case study:
   a. Title - Your choice
   b. Type - Incident
   c. Description - A good description of the incident
   d. Tags - Phishing, Ransomware
   e. Open Date - The date the incident started (see the case study), September 16th, 2021
   f. Automatically Close Incident - Leave disabled
   g. Close Date - Leave blank for now
   h. Status - Ongoing

5. On the Risk Profile tab, fill in the following information:
   a. Related Risk Assets - Select Widespread Ransomware Attack Against Multiple Systems
   b. Related Third-Party Risks - Leave blank
   c. Related Business Risks - Leave blank

6. On the Incident Stakeholder tab, fill in the following information:
   a. Owner - Select Bruce Edwards
   b. Reporter - Type the name Jordan Brands
   c. Victim - List the names of the victims:
      i. Charles Sullivan
      ii. Sarah Kopsa
      iii. Michelle Michelson

7. On the Incident Profile tab, fill in the following information:
   a. Affected Compensating Controls - Select Backups, Malware Cleanup/Reimage
   b. Affected Assets - Because the users are already linked to assets, this field should already be filled in with the affected assets. If not, select the following assets:
      i. VDI15A22
      ii. lincolnbackoffice15
      iii. l55cm2
      iv. cio1
      v. mgr257
      vi. bankshare01
      vii. Bank Share 01 Data
   c. Affected Third-Parties - Leave blank

8. Click Save at the bottom of the Add Item (Security Incident) page. You should see a new incident appear on the Security Incidents page with Ongoing and Lifecycle Incomplete status.

9. On the Security Incidents page, click the down arrow next to the number 7 in the Stages column and then click Show. You will see the seven stages of incident response.

10. Click the hamburger menu next to the Preparation stage and click Comments and Attachments. In the comment box, describe what you think the CSIRT team in this case study did to be ready for this incident. They have a reasonably mature team, so there should be plenty to describe. Although we do not have one available here, a written playbook for phishing and ransomware could be attached at this point. Click Add Comment, and then Close when you finish.

11. Click the hamburger menu next to Preparation and click Edit. Change the Status to Completed and then click Save.
12. Click the hamburger menu next to the Detection stage and click Comments & Attachments. Add a description of how the incident was detected. Make sure you include plenty of detail. Click Add Comment and then Save.

13. Click the hamburger menu next to the Detection stage, click Edit, change the Status to Complete, and then click Save.

14. Click the hamburger menu next to the Analysis stage and click Comments & Attachments. Add a description of the analysis completed to determine that an incident or attack was taking place. Make sure you include plenty of detail. Click Add Comment and then Save.

15. Click the hamburger menu next to the Analysis stage, click Edit, change the Status to Complete, and then click Save.

16. Click the hamburger menu next to the Containment stage and click Comments & Attachments. Add a description of what the CSIRT team did to contain the incident. Make sure you include plenty of detail. Click Add Comment and then Save.

17. Click the hamburger menu next to the Containment stage, click Edit, change the Status to Complete, and then click Save.

18. Click the hamburger menu next to the Eradication stage and click Comments & Attachments. Add a description of what the CSIRT team did to eradicate the ransomware. Make sure you include plenty of detail. Click Add Comment and then Save.

19. Click the hamburger menu next to the Eradication stage, click Edit, change the Status to Complete, and then click Save.

20. Click the hamburger menu next to the Recovery stage and click Comments & Attachments. Add a description of what the CSIRT team did to recover from the incident. Make sure you include plenty of detail. Click Add Comment and then Save.

21. Click the hamburger menu next to the Recovery stage, click Edit, change the Status to Complete, and then click Save.
22. Click the hamburger menu next to the Post-Incident Activity stage and click Comments & Attachments. Add a description of what the CSIRT team and the organization can do better to prevent and respond to a similar incident in the future. Make sure you include plenty of detail. Click Add Comment and then Save.

23. Click the hamburger menu next to the Post-Incident Activity stage, click Edit, change the Status to Complete, and then click Save.

24. Click the Security Incident tab at the very top of the page, next to Stages, to return to the Security Incidents page.

25. Click the hamburger menu next to your security incident and click Edit. On the General tab, scroll down to the Closure Date and select a closure date of September 21st, 2021. Change the Status to Closed. Click Save.

Take a screenshot of your closed case and paste it below.

Type the name/title you gave your case below.

Part 2 - Incident Tracking with TheHive IR Platform

In this second part of the lab, we will use a platform that has been purpose-built for incident responders. Through its integrations with MISP and Cortex, TheHive lets you add malicious files and potential indicators of compromise, and it will automatically query services such as threat intelligence feeds, VirusTotal, Any.Run, and AbuseIPDB to check for malicious indicators.
1. Open Chrome and navigate to https://thehive.bbtrust.com or click the shortcut on your analyst desktop for TheHive. Log in using the name analyst#@bbtrust.com and the password An@lyst#!!.

2. At the top of the screen, click + New Case.

3. On the Create a new case page, fill in the following information:
   a. Title - A unique title for your case based on the case study
   b. Date - The date the incident began, 16 September 2021
   c. Severity - High
   d. TLP - Amber
   e. PAP - Amber
   f. Tags - Phishing, Ransomware
   g. Description - A good description of the event based on the case study
   h. Click + Create Case
4. Now that the case is created, we can begin adding tasks. First, click the Tasks tab, then click Add Task. For the Task group and Task title, add the following values, and be sure to click the green checkmark on the right after adding each pair:
   a. Task group: Preparation, Task title: Prepare for phishing and ransomware, write playbook and deploy controls.
   b. Task group: Detection, Task title: Monitor controls and take reports to detect incidents.
   c. Task group: Analysis, Task title: Add observables to security incident tracking and perform analysis.
   d. Task group: Containment, Task title: Keep malware from spreading, add observables to anti-malware and firewalls.
   e. Task group: Eradication, Task title: Remove malware by imaging systems, remove malware with other tools.
   f. Task group: Recovery, Task title: Restore encrypted files from backup.
   g. Task group: Post-Incident Activity, Task title: Conduct after-action meeting, write incident and after-action report. Conduct continuous improvement activities.

   Note: It is a good idea to align your task groups with the top-level stages of an incident response framework.

5. Go through each task on the Tasks page and change the Assignee for each task to your Analyst #, for example Analyst One if you are analyst1.

6. Start with the Preparation task and click play. This opens the task so you can add information. Click + Add new task log and type a description of the preparation you believe was done for the incident in the case study. Click Add log.

7. Go back to the Tasks tab and click the close button (the gray circle with a checkmark where the play button used to be).

8. Next, go to the Detection task and click the start (play) icon. Click + Add new task log. Add a detailed description of how the incident in the case study was detected and click Add log. Return to the Tasks tab and close this task.

9. For the Analysis task, click start. Then, instead of adding a new task log, click the Observables tab at the top of the case.
10. Click + Add Observable. You will repeat this process four times, once for each observable type: domain names (fqdn), hashes, IP addresses, and email addresses. Fill out the following information for each observable type:
   a. Type (fqdn, hash, mail, or ip).
   b. In the Value field, enter every observable of that type, one per line.
   c. Keep One observable per line checked.
   d. TLP - Amber
   e. Is IOC - True
   f. Tags - Ransomware, Phishing
   g. Description - Provide a good description of the IOCs, i.e., where they came from, who reported them, etc.

   A note on copying and pasting: you can copy and paste from your own computer into your analyst workstation to make things easier (especially with the hashes). Copy the text you want to paste into the remote workstation. Then click on the remote analyst workstation and press CTRL+SHIFT+ALT. This brings up the following dialog.

   Paste the text into this box and then close it by pressing CTRL+SHIFT+ALT again. You can now paste the text into a window on the analyst workstation.

11. At this point, we will use the integration with Cortex to automatically fetch threat intelligence and other information from web services such as AbuseIPDB, OTX, and VirusTotal. Note that there are over 100 different integrations, with platforms such as Threat Grid, DomainTools, Any.Run, Cuckoo, and other IR tools. Because of the throttling limit on VirusTotal, make sure that you run three or fewer analyzers at a time. Start by selecting three observables that have not yet been analyzed by ticking the checkbox next to each observable.

12. Next, locate the drop-down button labeled X selected observables, click it, then click Run analyzers on the menu that appears. The analyzer dialog will offer one, two, or three options. Select all the available options, then click Run selected analyzers. After the analyzers run, inspect the observables they ran against and confirm that you have all the results and no errors. If you receive errors, try rerunning the analyzers. VirusTotal is rate limited because the lab uses the free API, so running too many analyses at once can cause failures. Also, note that there are no analyzers configured for email addresses, so you will not be able to run
13. After all of the observables have been successfully analyzed, spend a few minutes clicking on the color-coded results from VirusTotal, OTX, and AbuseIPDB wherever more than 0 records are shown. The information is presented as JSON, but it often contains very useful detail. Make sure you take notes on the results.

14. Return to the Tasks tab. Click the highlighted title of the Analysis task and then click + Add new task log. Describe what you found in the analysis, including information from the case study, then click Add log. Return to the Tasks tab and close the Analysis task.
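Steps 10 through 13 are a manual version of something responders usually script once the IOC list grows: sort a pasted list into TheHive's observable types, submit each as an IOC at the right TLP, keep analyzer runs under the VirusTotal free-tier limit, and read the Cortex verdicts that TheHive colour-codes. The Python below is an added example written for this lab page; it is not code from the handout, from TheHive, or from Cortex. The request body field names for POST /api/case/{caseId}/artifact, the analyzer names, and the report layout are assumptions to check against your own instance, and every IOC value and report in it is constructed (reserved documentation addresses and names, the MD5 of an empty file). It runs offline and only builds the requests and plans the batches; nothing is sent.

```python
"""Bulk observable handling for a TheHive case (added example, not from the
lab, TheHive or Cortex). Field names, analyzer names and report layout are
assumptions to verify against your instance; all sample data is constructed."""
import ipaddress
import re
from typing import Iterable

TLP_AMBER = 2  # TheHive TLP numbering: white=0, green=1, amber=2, red=3

_HEX = re.compile(r"^[0-9a-fA-F]+$")
_MAIL = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
_FQDN = re.compile(
    r"^(?=.{1,253}$)([a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$", re.I)

# Analyzers the lab runs per dataType (names assumed). mail has none, as the
# handout notes, so mail observables generate no analyzer jobs.
ANALYZERS = {
    "ip": ["VirusTotal_GetReport_3_0", "OTXQuery_2_0", "AbuseIPDB_1_0"],
    "fqdn": ["VirusTotal_GetReport_3_0", "OTXQuery_2_0"],
    "hash": ["VirusTotal_GetReport_3_0", "OTXQuery_2_0"],
    "mail": [],
}


def classify(value: str) -> str:
    """Map one IOC string to the TheHive dataType used in the lab: ip, hash,
    mail or fqdn. Anything else raises, so a typo never lands under the wrong
    type (the UI form only accepts one type per submission)."""
    v = value.strip()
    try:
        ipaddress.ip_address(v)
        return "ip"
    except ValueError:
        pass
    if _HEX.match(v) and len(v) in (32, 40, 64):  # md5 / sha1 / sha256
        return "hash"
    if _MAIL.match(v):                             # checked before fqdn: has '@'
        return "mail"
    if _FQDN.match(v):
        return "fqdn"
    raise ValueError(f"unrecognised observable: {value!r}")


def build_observables(values: Iterable[str], description: str,
                      tags=("Ransomware", "Phishing")) -> list[dict]:
    """Turn a pasted, one-per-line IOC list into request bodies for
    POST /api/case/{caseId}/artifact (field names assumed). Blank lines and
    duplicates are dropped; each body carries TLP Amber, ioc=True and tags."""
    seen, payloads = set(), []
    for raw in values:
        v = raw.strip()
        if not v or v in seen:
            continue
        seen.add(v)
        payloads.append({"dataType": classify(v), "data": v, "tlp": TLP_AMBER,
                         "ioc": True, "tags": list(tags), "message": description})
    return payloads


def plan_runs(payloads: list[dict], max_per_batch: int = 3) -> list[list[tuple[str, str]]]:
    """Expand observables into (value, analyzer) jobs and cut them into batches
    of at most max_per_batch, mirroring the lab's 'three or fewer analyzers at
    a time' rule for the rate-limited VirusTotal free API."""
    jobs = [(p["data"], a) for p in payloads for a in ANALYZERS[p["dataType"]]]
    return [jobs[i:i + max_per_batch] for i in range(0, len(jobs), max_per_batch)]


def verdicts(report: dict) -> list[tuple[str, str, str]]:
    """Reduce a Cortex analyzer report to (namespace, level, value) triples.
    'level' (info/safe/suspicious/malicious) is what TheHive colour-codes on
    the Observables tab; the rest of the JSON sits under report['full']."""
    return [(t["namespace"], t["level"], t["value"])
            for t in report.get("summary", {}).get("taxonomies", [])]


def worst_level(reports: Iterable[dict]) -> str:
    """Highest severity across several reports, for a one-line triage note."""
    order = ["info", "safe", "suspicious", "malicious"]
    return max((lvl for r in reports for _, lvl, _ in verdicts(r)),
               key=order.index, default="info")


# Constructed sample input: reserved documentation values, not real IOCs.
SAMPLE_IOCS = """
198.51.100.23
update-check.example.net
d41d8cd98f00b204e9800998ecf8427e
billing@example.com
198.51.100.23
"""

# Constructed report shaped like a Cortex VirusTotal result.
SAMPLE_REPORT = {"success": True, "full": {}, "summary": {"taxonomies": [
    {"namespace": "VT", "predicate": "GetReport", "value": "12/70", "level": "malicious"}]}}

if __name__ == "__main__":
    obs = build_observables(SAMPLE_IOCS.splitlines(),
                            "IOCs from the phishing e-mail reported to the helpdesk")
    for o in obs:
        print(f"{o['dataType']:5} {o['data']}")
    for n, batch in enumerate(plan_runs(obs), 1):
        print(f"batch {n}: {batch}")
    print(verdicts(SAMPLE_REPORT), worst_level([SAMPLE_REPORT]))
```

Run it with python3 and you get four observables (the duplicate IP is dropped), seven analyzer jobs split into batches of 3, 3 and 1, and a single malicious VT verdict. To actually submit, post each body from build_observables to the case's artifact endpoint with your analyst API key in an Authorization: Bearer header, and wait for each batch from plan_runs to finish before sending the next; retrying a failed VirusTotal job immediately only spends more of the same quota.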
15. Now go to the Containment task and click the start (play) icon. Click + Add new task log. Add a detailed description of how the incident in the case study was contained and click Add log. Return to the Tasks tab and close this task.

16. Repeat these actions with the Eradication task: click the start (play) icon, click + Add new task log, add a detailed description of how the malware in the case study was eradicated, and click Add log. Return to the Tasks tab and close this task.

17. Repeat these actions with the Recovery task: click the start (play) icon, click + Add new task log, add a detailed description of how the organization in the case study recovered, and click Add log. Return to the Tasks tab and close this task.

18. Repeat these actions with the Post-Incident Activity task: click the start (play) icon, click + Add new task log, add a detailed description of what could be improved to better prevent and respond to an incident of this nature in the future, and click Add log. Return to the Tasks tab and close this task.

19. Although we would often add TTPs and other information as part of incident tracking, we will not do so in this case, as we have covered the core functionality. When you are ready, click the Close button at the top of the case. Mark the status as True Positive, mark the Impact as Yes, then provide an executive summary of the case in the Summary text box. Click Close case.
20. To view the case again after closing it (you will need to copy and paste some information into this lab), return to the main TheHive page by clicking TheHive in the upper left-hand corner of the page. First, clear all filters by clicking the red X next to the listed filters, then click the title of the case you worked on.

Next, answer the following questions and provide the following screenshots.

Paste a screenshot of the closed tasks from the Tasks tab in the incident case you created.

Paste a screenshot of the Observables tab, the first page that shows the short color-coded summary reports. Make sure the screenshot shows an OTX, AIPDB, or VT result with > 0 records.

What benefits do you see in using TheHive, which is built specifically for incident responders, rather than other tools such as Eramba or IT service ticketing systems?