Questions tagged [incident-analysis]

Analyzing what caused an event to be flagged as an incident

When an incident is triggered it is helpful to know what caused it, even if the event turns out to be routine and nothing malicious.

35 questions
87
votes
2 answers

How did someone log in to my Gmail account from Kenya?

While on holiday in France in May I received an email from Google "New sign-in". Your Google Account was just used to sign in: Nairobi, Kenya. Tuesday, 26 May 2015 22:10 (East Africa Time). I hastily changed my password. I've never been to…
Colonel Panic
59
votes
1 answer

What's the Impact of the CloudFlare Reverse Proxy Bug? ("#CloudBleed")

In Project Zero #1139, it was disclosed that CloudFlare had a bug which disclosed uninitialized memory, leaking private data sent through them via SSL. What's the real impact?
20
votes
7 answers

Prevent a bot accessing login page with multiple IPs and massive list of username/passwords

For the second time my website seems to be the target of a large automated attack. It seems complex enough and very well executed. I have the following systems in place: Captcha on 3rd failed login from IP Account lock for 30 min after 5 failed…
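Added example (not code from the question above or from any answer to it): the controls the asker lists are keyed on the source IP, so an attacker who spreads attempts across many IPs and many usernames never reaches the per-IP captcha or lock threshold. The script below shows the gap concretely: it replays constructed login-log lines through the per-IP rule (which catches nothing) and then through an aggregate check over a sliding time window (failure volume, distinct IPs, distinct usernames), which is what a distributed credential-stuffing run looks like. The log layout (timestamp, OK/FAIL, username, IP) and the thresholds are assumptions for this example, not any product's format or defaults.

```python
"""Per-IP login throttling vs. an aggregate view of failed logins.

Added example; the log lines are constructed here and the field layout
(ISO-8601 timestamp, OK|FAIL, username, source IP) is an assumption.
"""
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

TS_FMT = "%Y-%m-%dT%H:%M:%SZ"


@dataclass(frozen=True)
class LoginEvent:
    ts: datetime
    ok: bool
    user: str
    ip: str


def build_sample_log() -> str:
    """Constructed sample: 12 attacker IPs each try two different usernames once
    (24 failures in under half a minute), plus one legitimate user who mistypes
    her password once and then logs in. No attacker IP fails more than twice."""
    t0 = datetime(2015, 7, 2, 23, 58, 0, tzinfo=timezone.utc)
    lines = []
    for i in range(12):
        ip = f"198.51.100.{10 + i}"
        for j in range(2):
            ts = t0 + timedelta(seconds=2 * i + j)
            lines.append(f"{ts:{TS_FMT}} FAIL user{2 * i + j:02d} {ip}")
    lines.append(f"{t0 + timedelta(seconds=30):{TS_FMT}} FAIL alice 203.0.113.7")
    lines.append(f"{t0 + timedelta(seconds=35):{TS_FMT}} OK alice 203.0.113.7")
    return "\n".join(lines) + "\n"


def parse_log(text: str) -> list[LoginEvent]:
    """Parse 'TIMESTAMP RESULT USER IP' lines; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[1] not in ("OK", "FAIL"):
            continue
        ts = datetime.strptime(parts[0], TS_FMT).replace(tzinfo=timezone.utc)
        events.append(LoginEvent(ts, parts[1] == "OK", parts[2], parts[3]))
    return events


def ips_caught_by_per_ip_rule(events: list[LoginEvent], threshold: int = 3) -> set[str]:
    """IPs the per-IP control (captcha at the 3rd failure from one IP) would challenge."""
    failures = Counter(e.ip for e in events if not e.ok)
    return {ip for ip, n in failures.items() if n >= threshold}


def peak_failure_window(events: list[LoginEvent], window: timedelta = timedelta(seconds=60)) -> dict:
    """Slide a window over failures in time order and return the busiest one,
    with how many distinct IPs and usernames contributed to it."""
    fails = sorted((e for e in events if not e.ok), key=lambda e: e.ts)
    best = {"failures": 0, "distinct_ips": 0, "distinct_users": 0, "start": None, "end": None}
    start = 0
    for end, ev in enumerate(fails):
        while ev.ts - fails[start].ts > window:
            start += 1
        win = fails[start:end + 1]
        if len(win) > best["failures"]:
            best = {
                "failures": len(win),
                "distinct_ips": len({e.ip for e in win}),
                "distinct_users": len({e.user for e in win}),
                "start": win[0].ts,
                "end": win[-1].ts,
            }
    return best


def is_distributed_attack(stats: dict, min_failures: int = 20, min_ips: int = 10, min_users: int = 10) -> bool:
    """Many failures from many IPs against many accounts in one window is the
    signature per-IP thresholds miss. Thresholds are assumptions; tune to your
    site's normal failure rate."""
    return (stats["failures"] >= min_failures
            and stats["distinct_ips"] >= min_ips
            and stats["distinct_users"] >= min_users)


if __name__ == "__main__":
    evs = parse_log(build_sample_log())
    print("per-IP rule would challenge:", ips_caught_by_per_ip_rule(evs) or "nothing")
    peak = peak_failure_window(evs)
    print("busiest 60s window:", peak)
    print("distributed attack:", is_distributed_attack(peak))
```

The aggregate check is the alerting side; the matching control on the request path is a site-wide failure budget (slow down or challenge all logins once the global failure rate spikes) rather than a lower per-IP limit, which the attacker sidesteps by adding IPs.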
18
votes
3 answers

What is the difference between "Incident", "Attack" and "event"?

In the Computer and network security incident taxonomy what are the differences between "Incident", "Attack" and "event"? Where does "threat" fit with them?
Mohammad
9
votes
2 answers

What exactly does "Nation-State" code look like?

Juniper Networks has discovered unauthorized code that appears to be planted by a nation-state attacker in their firewalls. A similar claim was made about Stuxnet, Duqu, Flame, Gauss, and probably others that these were probably all written by…
Corey Ogburn
6
votes
1 answer

What is the most valuable information when handling an IT security event/incident?

I'm currently looking into reporting processes in information security and I was wondering what kind of information should be reported when an IT security event or incident occurs. The definitions of those would be (taken from ISO/IEC…
Tom K.
5
votes
2 answers

Is there any way to analyze memory dynamically?

I do malware analysis by using memory forensics to gather more useful information, but as far as I know the result of memory acquisition is just one memory dump for a specific time (a snapshot). So, is there any way or solution to acquire or analyze…
Pandora
4
votes
0 answers

attack on Unix procmail analysis

2 days ago I received the following E-mail (this is its original format not the one of any mailer, but where sensitive information is replaced by ••field_name••): From qqqqqq@freemail.net Thu Jul 2 23:59:07 2015 Return-Path:…
dan
4
votes
5 answers

Incident response and recovery from a security breach with unknown attack vector

Security breaches, hacks, “cyber” attacks or server compromises happen quite frequently, unfortunately, such as Quora in December 2018, Facebook in September 2018, Equifax in September 2017, Exactis in June 2018, MyFitnessPal in March 2018, and…
caw
4
votes
3 answers

Need some recommendations on good IR hands-on training

Does anyone know if there is any good hands-on training for incident response and digital forensics, or certification I need to take in order to gain more hands-on experience? Thanks and any helpful information is appreciated.
3
votes
2 answers

Malware Author's Mindset

I'm studying common malware characteristics, and I'm having a bit of difficulty understanding the design choices the malware authors make. Many of said choices seem to revolve around making life difficult for a human analyst to pick apart the…
3
votes
3 answers

BlackHole Toolkit v2 JAVA Payload Stage Code Execution - What does this activity mean?! I cannot get hold of the owner of the server to check

An analyst came across this alert - BlackHole Toolkit v2 JAVA Payload Stage Code Execution from the Checkpoint IPS coming from a server, the event is recorded as a blocked outgoing connection attempt - and to everyone's surprise has been triggering…
2
votes
2 answers

Suspicious calls to testgvbgjbhjb.com

Over the last few days, one of our endpoints has been calling testgvbgjbhjb.com; the calls came from Google Chrome. I used TCPView to find suspicious connections and checked whether there is any unknown extension. The owner of the domain made it resolve to 127.0.0.1…
F.Rahamim
2
votes
1 answer

Bizarre series of web errors from vulnerability scanner OpenVAS - is this malicious?

A short series of errors just came in from Elmah. They are very peculiar, and I'm unsure as to what they represent and whether they might be malicious. It amounted to a series of 16 sequential calls to a non-existent web address. In each case the…
2
votes
1 answer

Accounts being accessed from X country

So recently I've been getting emails that X account has been accessed from Y country with an IP address that I obviously don't own. An example would be my Steam account which recently got accessed from India (but got foiled, hooray 2FA). The problem…