Posts

Showing posts with the label Incident Response

The next-gen future of EDR: XDR (Extended Detection and Response)

What is XDR (Extended Detection and Response)?

We all know the prominence of EDR solutions. However, the latest technology to enter the space is extended detection and response (XDR), which is the result of evolution from endpoint detection and response (EDR). XDR can be considered the upgraded EDR, but with capabilities unified with other security tools as well, to provide combined security analysis visibility, highly efficient detection, and vastly improved correlation, investigation, and response.

Background and reason for developing XDR:

EDR served as the baby steps on the journey towards XDR. In every way, EDR solutions did help to provide effective endpoint detection and response, integrating a number of threat detection solutions. However, in the bigger picture, the question still remained about the security team's challenges around the best possible way to leverage combined capabilities across analytics platforms and security information and event management (SIEM)

DarkSide ransomware on the Colonial Pipeline network

We all know about the recent ransomware attack on Colonial Pipeline. With regard to this, let us try to understand exactly what happened.

About the firm: The largest refined products pipeline in the US, it is involved in transporting over 100 million gallons of fuel across its corridors. The recent ransomware attack against Colonial Pipeline's networks led to an emergency declaration in 17 states and the District of Columbia across 5,500 miles of fuel pipeline.

Let's understand DarkSide ransomware

DarkSide is a relatively new ransomware strain that made its first appearance in August 2020. It follows the RaaS (ransomware-as-a-service) model and a double extortion trend:
1. Threat actors encrypt the user's data.
2. They exfiltrate the data and threaten to make it public if the ransom demand is not paid.
Their ransom demand ranges between $200,000 and $2,000,000.

Let's now understand the attack vector:
1. Downloading the rans

A leaf out of digital forensics adventures - Part 1

What is digital forensics? A specialized branch of forensic science that works to recover and investigate digital devices in the world of cybercrime. The aim of this work is to identify, preserve, analyze, and document digital evidence in order to present it to the relevant law authorities as and when required.

Who is a digital forensics investigator? A person with the mindset to discover evidence and trace back the storyline to solve the case. The work can range from discovering:
• How attackers gained access to the network, or the point of breach
• Lateral movement on the network, or discovery of affected systems
• Information stolen or backdoors planted (corporate espionage)
• Recovering data that attackers attempted to delete, damage or manipulate

Let's now analyze the different phases across a digital forensics investigation:

Phases:
1. First-line incident response
The focal point right after a suspected breach or security incident is known as the first response. These ini

Incident response handling for ransomware

Welcome readers back to my blog. Today we will have a run-through of performing incident response on ransomware breaches. Ransomware, as we all know, is becoming an increasing menace the world over; many firms keep getting compromised one way or another by this specialized attack. The most critical factor in incident response is how effectively firms tackle such incidents.

TL;DR:
• Validate the attack
• Gather the incident response team
• Analyze the incident and perform a thorough investigation
• Contain the incident
• Eradicate the malware and its traces
• Perform post-incident analysis and monitoring
• Perform a post mortem analysis and prepare the lessons learned

In this part, let's focus mainly on the validation, analysis and containment phases.

Let's take a look, as a refresher, at how best to handle such incidents (and also others similar in nature):

1. Initial triage
   a. Start with the aim of limiting the infection; measures include switching

Researching the difference between SIEM and SOAR

A great matter of debate and confusion I have always seen is the line of difference between SOAR and SIEM, along with the question of whether, if you have one, you still need the other, or both in conjunction. To bring clarity, let us analyze the details and the concept behind both, one by one:

1. Understanding SIEM
SIEM is the abbreviation for security information and event management, the technology platforms used to collect and store security data. Simple examples of sources include firewalls, intrusion detection/prevention systems, etc. SIEM aggregates and correlates all of this gathered data and helps analyze it with focused analytics and machine learning software.

2. Understanding SOAR
SOAR, on the other hand, is the collective technology for security orchestration, automation and response, intended to instill in security operations the pillars of efficiency and consisten

Network forensics overview

Introduction

Network forensics, in a nutshell, is the combined activity of capturing, recording, and analyzing network packets in order to determine the source of attacks.

Steps of network forensic examinations
• Identification
• Preservation
• Collection
• Examination
• Analysis
• Presentation
• Incident Response

Types of analysis performed at the network level:

• Data-link and physical layer (Ethernet)
Methods rely on eavesdropping on bitstreams at the Ethernet layer of the OSI model. Monitoring tools or network sniffers such as Wireshark or tcpdump are used. These capture traffic data from a network card interface configured in promiscuous mode.

• Transport and network layer (TCP/IP)
The network layer provides router information from the routing table present, as well as log evidence. These help a great deal in providing information on compromised packets, identifying sources