Common Recommendations for Security Incidents – SSIM: (Part 1)

Created: 22 Mar 2012 • Updated: 22 Mar 2012 | 1 comment
SG Raj

Here are some common recommendations / best practices to be followed in an organisation for security incidents triggered by the SIEM (SSIM), depending on the rule that fired:

1) IP Spoofing:

  • Check for any misconfiguration.
  • Deny private addresses.
  • Apply anti-spoof filters.
  • Filter Invalid source addresses.
  • Filter as close to the packet origin as possible.
  • Check whether it is blind or non-blind spoofing and take action accordingly.
  • Avoid source-address-based authentication where possible; implement cryptographic authentication system-wide.
  • Implement ingress and egress filtering on the border routers, and an ACL (access control list) that blocks private IP addresses on the downstream interface.
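The ingress/egress anti-spoof rule from the list above, as an added example (not part of the original post) that assumes a site prefix of 10.20.0.0/16 and two interfaces named "outside" and "inside":

```python
import ipaddress

# Constructed assumption: the site's own address space.
INTERNAL_NET = ipaddress.ip_network("10.20.0.0/16")

# Ranges that must never appear as a source on the outside interface:
# RFC 1918 private space, loopback, link-local and "this network".
BOGON_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16", "0.0.0.0/8",
)]


def anti_spoof_verdict(iface: str, src: str) -> str:
    """Return 'permit' or 'deny' for a packet seen on iface with source src.

    Ingress filter (outside interface): deny sources that claim to be inside
    our own network or that fall in private/bogon space.
    Egress filter (inside interface): deny sources that are not ours, so a
    compromised internal host cannot send traffic with someone else's address.
    """
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return "deny"  # an unparseable source address is never valid
    if iface == "outside":
        if addr in INTERNAL_NET or any(addr in net for net in BOGON_NETS):
            return "deny"
        return "permit"
    if iface == "inside":
        return "permit" if addr in INTERNAL_NET else "deny"
    return "deny"  # unknown interface: fail closed


def filter_packets(packets):
    """Apply the verdict to (iface, src) pairs; returns (iface, src, verdict) triples."""
    return [(iface, src, anti_spoof_verdict(iface, src)) for iface, src in packets]


if __name__ == "__main__":
    # Constructed sample traffic.
    sample = [
        ("outside", "203.0.113.7"),   # genuine external source: permit
        ("outside", "10.20.5.9"),     # claims to be internal but arrives from outside: deny
        ("outside", "192.168.1.1"),   # private address arriving from the internet: deny
        ("inside", "10.20.7.3"),      # our own host going out: permit
        ("inside", "198.51.100.4"),   # internal host using an outside address: deny
    ]
    for iface, src, verdict in filter_packets(sample):
        print(f"{iface:8} {src:16} {verdict}")
```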


2) Malicious Code Outbreak:

  • Scan the machine with the latest AV signatures.
  • Disable AutoPlay to prevent the automatic launching of executable files on network and removable drives.
  • Isolate infected computers quickly to prevent further compromising of the network.
  • Apply operating system updates to fix vulnerabilities. The patch from Microsoft Security Bulletin MS08-067 should be installed.
  • Enable file sharing protection.
  • Follow best practices for instant messaging.
  • Follow best practices for browsing the Web.
  • Follow best practices for email.


3) Port Scan Detector:

  • Check for any application installed on the source machine that is trying to connect to the destination IP on the specified port.
  • Check whether it is due to scheduled scan activity.
  • Check whether the traffic is authorized.
  • Check whether any rule is configured on the firewall for this traffic.
  • Inspect received TCP and UDP packets and keep statistics on how many destination ports each source IP address sends such packets to. If the count reaches the predefined limit within the period, drop subsequent packets from that source IP address, log the event and, depending on the configuration and if the source is found suspicious, add the source IP address to the blacklist.
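The counting logic of the last bullet, as an added example that is not part of the original post: it keeps a sliding window of distinct destination ports per source, blacklists a source that reaches the limit, and drops what follows. The event format and the sample traffic are constructed for the example.

```python
from collections import defaultdict, deque


def detect_port_scans(events, max_ports=10, window=60):
    """Count distinct destination ports per source inside a sliding time window.

    events: iterable of (timestamp_seconds, src_ip, dst_ip, dst_port) tuples,
            assumed sorted by timestamp (constructed format for this example).
    Returns (blacklist, dropped, log): sources that reached max_ports distinct
    destination ports within `window` seconds, the number of later packets from
    those sources that would be dropped, and one log line per detection.
    """
    recent = defaultdict(deque)   # src -> deque of (ts, dst_port) still in window
    blacklist = set()
    dropped = 0
    log = []
    for ts, src, dst, port in events:
        if src in blacklist:
            dropped += 1          # everything after the threshold is dropped
            continue
        q = recent[src]
        q.append((ts, port))
        while q and q[0][0] < ts - window:   # expire entries outside the window
            q.popleft()
        distinct = {p for _, p in q}
        if len(distinct) >= max_ports:
            blacklist.add(src)
            log.append(f"t={ts} portscan from {src} -> {dst}: "
                       f"{len(distinct)} ports in {window}s")
    return blacklist, dropped, log


def sample_events():
    """Constructed traffic: one source sweeps 12 ports on a host within 12 s;
    another talks only to ports 22 and 80, which is ordinary client traffic."""
    scan = [(t, "198.51.100.9", "10.20.3.4", 20 + t) for t in range(12)]
    normal = [(t, "10.20.1.5", "10.20.3.4", 80 if t % 2 else 22) for t in range(12)]
    return sorted(scan + normal)


if __name__ == "__main__":
    bl, dropped, log = detect_port_scans(sample_events())
    print("blacklisted:", bl, "dropped:", dropped)
    print("\n".join(log))
```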


4) Scan followed by Exploit:

  • Attempts to access unused services should be investigated.
  • Repeated attempts to access unused ports in a short time could indicate a port sweep or an attacker probing for a vulnerability. Ensure that this user cannot access the system, or block this host from future activity on the network.
  • Check for any signs of compromise.
  • Check for the latest patches and hotfixes at OS and application level.
  • Check whether it is authorized activity.


5) Spyware Outbreak:

  • Check for the data status ID in events.
  • Isolate infected computers quickly to prevent further compromising of the network.
  • Update and run the most current AV signature update on the network.
  • Disable AutoPlay to prevent the automatic launching of executable files on network and removable drives.
  • Avoid visiting compromised web sites, which can cause infection if certain browser vulnerabilities are not patched.


6) SQL Injection:

  • Check the web server for SQL injection vulnerabilities.
  • Apply the latest patches and update the server.
  • Check for any signs of compromise.
  • Verify whether the activity is authorized.
  • Check this server, its databases and its logs for any signs of intrusion or possible compromise.
  • Additionally, develop a multi-layer defense by sanitizing all user input, minimizing the use of dynamic SQL, limiting user accounts, and presenting sanitized error messages, among other measures; this will greatly reduce exposure to these attacks in the future.
  • Check whether it is due to any scheduled activity.


7) SQL Slammer Exploit Attempt:

  • Ensure the target hosts are properly patched against this threat, and consider blocking inbound traffic of this nature at the firewall to prevent it from entering the network.
  • If source IP spoofing is suspected, ensure that proper ingress filtering is implemented on the network.
  • To avoid such attacks, configure perimeter devices to block ingress UDP traffic to the affected port from untrusted hosts. Where possible, also block egress UDP traffic from the network to that destination port.
  • Scan the hosts with updated AV and apply the latest patches.


8) Suspicious Traffic:

  • Check the rules configured on the firewall and validate the traffic on the server.
  • Check whether it is due to scheduled scan activity.
  • Check the source for unauthorized software installed for peer-to-peer activity.
  • Scan the source with updated anti-virus and apply the latest patches. These malware programs may cause physical damage to the network hosts or storage media, up to and including deletion of data on network and local drives.


9) Trojan Connection:

  • Isolate infected computers quickly to prevent further compromising of the network.
  • Update and run the most current AV signature update on your network.
  • It is further recommended to ensure that patches have been applied to both internally and externally facing systems.
  • Disable AutoPlay to prevent the automatic launching of executable files on network and removable drives.
  • Check for any suspicious activity originating from this IP.
  • Check whether this traffic is authorized.


10) SMTP Scanning:

  • Consider blocking outbound SMTP traffic except from authorized SMTP servers.
  • Ensure patches have been applied to both internally and externally facing systems.
  • Update and run the most current AV signature update on the network.
  • If this is legitimate traffic, i.e. from authorized SMTP servers, then provide the details.

Comments (1)

Prasad Prabhu:

Do you have any recommendations for Windows-related security incidents?

Please share it, as it would be useful.
