Detection & Analysis Stage (Part 1)

Overview

• This stage focuses on detecting security incidents using various tools, sensors, logs, and trained personnel.

• Includes sharing information and utilizing context-based threat intelligence.

• Network segmentation and visibility are critical.

Sources of Threat Detection

Threats can be detected through:

1. Employees noticing abnormal behavior.

2. Alerts from security tools (EDR, IDS, Firewall, SIEM, etc.).

3. Threat hunting activities.

4. Third-party notifications about a compromise.

Levels of Detection

To enhance detection, organizations categorize their networks into different levels:

1. Network Perimeter: Firewalls, network intrusion detection/prevention systems, DMZ.

2. Internal Network: Local firewalls, host intrusion detection/prevention systems.

3. Endpoint Level: Antivirus systems, endpoint detection & response systems.

4. Application Level: Application logs, service logs.

---

Initial Investigation

When a security incident is detected:

• Conduct an initial investigation before calling an organization-wide incident response.

• Gather key information:

  • Date/Time of the incident.

  • Who detected it and how it was detected.

  • Type of incident (e.g., phishing, system unavailability).

  • Impacted systems and actions taken.

  • Physical location, OS, IP addresses, hostnames, and system state.

  • If malware is involved: List of affected systems, type of malware, forensic data (hashes, files, etc.).

• Understanding the impacted systems helps in making appropriate response decisions.

Building an Incident Timeline

• A chronological event log that organizes information for analysis.

• Example format:

Date	Time	Hostname	Event Description	Data Source
09/09/2021	13:31 CET	SQLServer01	Hacker tool 'Mimikatz' detected	Antivirus Software

• Helps identify attacker behavior, network connections, downloads, and activity origins.

---

Incident Severity & Extent

Key questions to determine severity:

1. What is the exploitation impact?

2. What are the exploitation requirements?

3. Are business-critical systems affected?

4. Suggested remediation steps?

5. How many systems are impacted?

6. Is the exploit actively being used in the wild?

7. Does the exploit have worm-like capabilities?

• High-impact incidents require immediate escalation.

---

Incident Confidentiality & Communication

• Incident details should remain confidential unless disclosure is legally required.

• Communication should be handled by authorized personnel in coordination with legal teams.

• Initial expectations and goals should be defined:

  • Type of incident.

  • Available evidence sources.

  • Time estimation for investigation.

  • Probability of identifying the adversary.

• Keep stakeholders and management updated as the investigation progresses.

---

Quiz: Detection & Analysis Stage (Part 1)

1. Which of the following is NOT a source of threat detection?

   • A) Firewall alerts

   • B) Threat hunting activities

   • C) A customer complaint about service delays

   • D) Employee reporting suspicious activity

2. What is the purpose of network segmentation in threat detection?

   • A) It improves network speed.

   • B) It isolates sensitive data and increases visibility.

   • C) It eliminates the need for endpoint security.

   • D) It makes external attacks impossible.

3. When conducting an initial investigation, which piece of information is the least relevant?

   • A) The color of the affected device

   • B) The system owner and its purpose

   • C) The IP address and hostname

   • D) The actions taken on the impacted system

4. What does an incident timeline primarily focus on?

   • A) System performance benchmarks

   • B) Attacker behavior and event sequence

   • C) Employee activity logs

   • D) Network bandwidth usage

5. Why should incident information be kept confidential?

   • A) To protect the adversary's identity

   • B) To prevent leaks that could benefit the attacker

   • C) To avoid informing law enforcement

   • D) To ensure all employees are aware of the breach

6. What is an important factor when determining incident severity?

   • A) Number of impacted systems

   • B) The number of employees in the company

   • C) The software licensing cost

   • D) The length of time since the last security audit

7. What is the role of a firewall in threat detection?

   • A) Prevents phishing attacks

   • B) Blocks unauthorized access at the network perimeter

   • C) Detects anomalies in email attachments

   • D) Tracks user login times

8. If malware is involved in an incident, what information should be collected?

   • A) The number of employees who received an email about it

   • B) The type of malware and forensic details (hashes, files, etc.)

   • C) The software update history of the affected system

   • D) The cost of the affected device

9. Why is context important when analyzing security incidents?

   • A) It helps prioritize responses based on potential impact

   • B) It speeds up hardware replacement

   • C) It guarantees all incidents have the same resolution process

   • D) It eliminates the need for log analysis

10. What should be included in an incident report?

• A) The favorite color of the affected user

• B) The date, time, hostname, and event description

• C) The last software update date

• D) The marketing budget for cybersecurity awareness

Answers:

1. C

2. B

3. A

4. B

5. B

6. A

7. B

8. A

9. A

10. B