Chapter 7: Case Studies



Instead of presenting many lightweight case studies with similar scenarios and remediations, three primary case studies have been handpicked, each showcasing a different attack vector and the appropriate resolution. Due to confidentiality and sensitivity concerns, one of the case studies is kept anonymous, but the attacks are depicted as accurately as possible.

© Rithik Chatterjee 2021. R. Chatterjee, Red Hat and IT Security, https://doi.org/10.1007/978-1-4842-6434-8_7

Case Study 1: Anonymous

Context

An employee of AZ1 Inc. brought a personal laptop onto the company premises. Unknown to the employee, the laptop was infected with the Poison Ivy trojan. Once it joined the company network through a wireless access point, the laptop was assigned an IP address by DHCP. The infected system then established a connection over the internet to its command and control server (anony.mous.xyz.com). The threat actor issued a command that made the system scan the local network to discover all available services. The user noticed a performance dip on the system but casually ignored it, probably already in a Friday weekend vibe, and left the system connected, intending to scrutinize it on Monday. The scan discovered an FTP service on the private network that permitted anonymous access. The threat actor, still in control of the compromised system, was able to log in to the FTP server, compress all the data stored there and transfer it to the control server through a VPN tunnel. Over the weekend, the NOC (Network Operations Center) eventually noticed a very large volume of data crossing an encrypted channel. Both the source and destination addresses were identified, but without the decryption keys the NOC could not decrypt the traffic or analyze its content. The source was clearly an IP address on the private corporate network; the destination, however, remained unidentified because it did not appear in the list of known malicious sites, which was hardly surprising since the list was more than four months out of date. The help desk opened a work ticket so that local desktop services could investigate. Meanwhile, the user found that the compromised system remained unstable even after a reboot, and a second ticket was opened once the user reported the issue to the help desk. On further analysis, the technician matched the IP address of the system to the unknown traffic investigated earlier. On inspecting the machine physically, the technician established that it was not an official corporate system and therefore did not carry the required security software. A quick scan with a boot-time tool flagged a Poison Ivy signature as the culprit. The system was immediately seized for an in-depth forensic investigation and the pending tickets were closed. Through an exhaustive analysis of the system by the forensics team, the threat was confirmed to
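The detection gap in this case study, where the NOC saw bulk data on an encrypted channel but could not classify the destination because it was missing from a blocklist that was months out of date, can be closed with a volume-based rule that alerts on any large outbound transfer and treats an unlisted external destination as "unknown", not as clean. The following Python script is an added illustration and is not code from the book; the flow records, addresses, byte counts, blocklist and the 1 GB threshold are all constructed.

```python
import ipaddress
from collections import defaultdict

# Constructed flow records (src, dst, bytes_out); addresses and volumes are
# invented for illustration and are not taken from the case study.
FLOWS = [
    ("10.20.4.57", "10.20.1.5", 1_200_000),          # pull from the internal FTP server
    ("10.20.4.57", "203.0.113.77", 9_600_000_000),   # bulk upload to an unlisted external host
    ("10.20.4.12", "198.51.100.9", 45_000),          # ordinary browsing-sized flow
    ("10.20.4.57", "203.0.113.77", 2_100_000_000),   # the upload continues
    ("10.20.4.80", "192.0.2.33", 1_500_000_000),     # destination that IS on the blocklist
]

# A stale blocklist, as in the case study: the real control server is absent.
BLOCKLIST = {"192.0.2.33"}

INTERNAL = ipaddress.ip_network("10.0.0.0/8")   # assumed corporate address space
THRESHOLD = 1_000_000_000                        # 1 GB outbound per (src, dst) pair


def summarize_outbound(flows):
    """Aggregate bytes per (internal src, external dst) pair; internal-only flows are ignored."""
    totals = defaultdict(int)
    for src, dst, nbytes in flows:
        if ipaddress.ip_address(src) in INTERNAL and ipaddress.ip_address(dst) not in INTERNAL:
            totals[(src, dst)] += nbytes
    return dict(totals)


def flag_exfil(flows, threshold=THRESHOLD, blocklist=BLOCKLIST):
    """Return alerts for every pair whose outbound volume reaches the threshold.

    The verdict is decided by volume alone, so a destination that a stale
    blocklist does not know about is still alerted as 'unknown-external';
    the blocklist only enriches the alert, it never suppresses it.
    """
    alerts = []
    for (src, dst), total in summarize_outbound(flows).items():
        if total >= threshold:
            reputation = "listed-malicious" if dst in blocklist else "unknown-external"
            alerts.append({"src": src, "dst": dst, "bytes": total, "dst_reputation": reputation})
    return sorted(alerts, key=lambda a: a["bytes"], reverse=True)


if __name__ == "__main__":
    for alert in flag_exfil(FLOWS):
        print(f"{alert['src']} -> {alert['dst']}: {alert['bytes']:,} bytes ({alert['dst_reputation']})")
```

In the constructed data the unlisted host 203.0.113.77 is the top alert, which is exactly the case the outdated blocklist in the case study would have let through.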