[go: up one dir, main page]

DEV Community

a.infosecflavour
a.infosecflavour

Posted on

IR Playbooks TryHackMe

Hello! πŸ‘‹

TryHackMe just launched a new πŸ”΅roomπŸ”΅. It's very well structured and the practical exercise is very easy to follow.

Honestly, the experience with Servidae: Log Analysis in ELK room helped me in successfully completing the task from IR Playbooks βœ….

About the room

The room reviews the difference between an Incident Response Process and an Incident Response Playbook. The difference is the granularity. Basically,

playbooks are processes that define in detail what granular steps need to be taken for each different type of alert that we receive.

There are few types of playbooks, for example: phishing, malware, account compromise, policy violation, ransomware.

Incident Response Process and Playbooks

The room focuses on the NIST framework for Incident Response:

Step 1: Preparation
Step 2: Detection and Analysis
Step 3: Containment, Eradication and Recovery
Step 4: Post-Incident Activity

There is also SANS incident response framework, which is built upon 6 steps:

Step 1: Preparation
Step 2: Identification
Step 3: Containment
Step 4: Eradication
Step 5: Recovery
Step 6: Lessons learned.

The NIST framework emphasizes planning and preparedness, while the SANS framework provides more detailed guidance on technical implementation.

Practical approach

There are 7 questions. The answers for these can be retrieved from the VM, VirusTotal and the earlier presented theory.

The details shared in the Scenario are extremely helpful: basically, the world revolves around them πŸ˜‰.

In order to begin the investigation, we need to press the hamburger button πŸ” and select Discovery:

discovery.

We need to select a timeframe (that's on the right side of the app)

timeframe.

After selecting the desired and helpful timeframe, we select the necessary columns: process_name, DestinationIp, SourceIp, SourcePort, DestinationPort. Time column is there by default. We cannot remove it. ⏳

For adding a column, selection is made by clicking on the "+":
column selection

You can search for the field names. Once added on the dashboard, they do not appear in the search field anymore.

To filter the data, you can use the Kibana Query Language (KQL). I decided to search after the source port.

KQL.

Then, we shall look after the Hash of the process, by refining filters. We shall add the Hashes field to check where there is hash associated with the identified process. Also, I refined my KQL query, searching for the process_name.

I searched for the SHA1 hash in the first appearance of the process that was associated to Hashes column. According to VirusTotal, the process is not dangerous. Is it a False Positive then πŸ€”?

hash

The Detection and Analysis step for the Malware Playbook emphasizes the following:

  • On VirusTotal, check if the process is marked as safe, distributed by a known vendor, or if it is signed by that vendor. Important Note: Do not upload the binary to VirusTotal or any other third-party platform without consulting your management.

  • If the process is clean but was used to execute a file (such as an MS Word file, PDF file, or PowerShell script), analyse the executed file using VirusTotal, Hybrid Analysis, or other similar platforms.

  • Check the parent process of the process that triggered the alert. Using the above steps, see if the parent process is clean or malicious.

Therefore, let's look for the parent process.
Expanding the document, its name will be discovered in the _raw field or parent_process_exec field.

If you want to find out more about the WanaCry ransomware, I recommend you to read this article.

Because this is a True Positive incident, it needs to be escalated to L2 so the Containment process put into practice.

Final Opinion

From my point of view, this room explains clearly the Incident Response Process and Playbooks. It covers theory, examples and practice in a detailed and at the same time easy to understand manner. We explored the difference between the presence and the essence- even though via VirusTotal we found the process not malicious, exploring deeper we actually hovered over a ransomware. Moreover, a little search on Google will reveal a lot of details about the identified process.
What do you think so far?

Top comments (0)