Alert Notification
Action: Receive an alert from the SIEM system indicating potential unauthorized access.
Details:
- Regularly monitor SIEM alert channels for real-time notifications.
- Prioritize alerts based on defined severity levels, ensuring immediate attention to critical incidents.
Example: Receive an alert indicating multiple failed login attempts on a critical server during non-business hours. SIEM Dashboard Analysis
Action: Consult the SIEM dashboard to get an initial overview of related logs and events.
Details:
- Utilize the SIEM interface to visually interpret logs and events.
- Explore specific dashboards dedicated to authentication, access, and intrusion detection to identify anomalies or patterns.
Example: Navigate through the SIEM dashboard to observe a spike in failed login attempts and access requests from an unusual location.
Data Sources Analysis
Action: Analyze relevant data sources, such as logs from authentication servers, firewalls, and intrusion detection systems.
Details:
- Dive into logs to extract detailed information about user activities, including login/logout events.
- Scrutinize authentication logs for unauthorized login attempts, looking for patterns or anomalies.
- Examine firewall logs for unusual network traffic patterns that may indicate unauthorized access.
Example: Review authentication logs and identify repeated failed login attempts for a specific user account.
Correlation Analysis
Action: Use SIEM correlation rules to identify patterns or anomalies in the data.
Details:
- Establish correlation rules based on known attack patterns and historical data.
- Correlate events across multiple data sources, piecing together a comprehensive timeline of the potential threat.
Example: Correlate failed login attempts with firewall logs to identify if there’s a coordinated effort to gain unauthorized access.
User and Entity Behavior Analytics (UEBA)
Action: Leverage UEBA features in the SIEM to identify abnormal user behavior.
Details:
- Set baselines for normal user behavior using historical data and machine learning.
- Detect deviations such as unusual login times or access from uncommon locations, indicating potential malicious activity.
Example: UEBA highlights a user logging in from a geographical location not associated with their usual activity.
IP Geolocation Analysis
Action: Investigate the geolocation of IP addresses associated with the alert.
Details:
- Utilize geolocation databases to determine the physical location of IP addresses.
- Cross-reference with known locations of authorized users to identify potentially suspicious access.
Example: Identify an IP address associated with the alert originating from a country where the organization doesn’t have operations.
Threat Intelligence Integration
Action: Integrate threat intelligence feeds to check if the IP address or user credentials are associated with known malicious entities.
Details:
- Cross-reference IP addresses and user credentials with threat intelligence databases containing indicators of compromise (IoCs).
- Identify any matches with recent cyber threats, enhancing the context of the potential unauthorized access.
Example: Discover that the IP address in question is linked to a recent phishing campaign reported in threat intelligence feeds.
Alert Validation
Action: Cross-verify the alert with other security tools and logs to ensure its accuracy.
Details:
- Validate the alert by cross-referencing with firewall logs, antivirus alerts, and endpoint detection logs.
- Check for consistency in the alert context across various sources, ensuring a comprehensive and accurate understanding.
Example: Confirm the alert by checking endpoint logs, which also show suspicious activities matching the SIEM alert.
Isolation and Containment
Action: If unauthorized access is confirmed, isolate the affected system or user to prevent further damage.
Details:
- Isolate the affected system by disconnecting it from the network, preventing potential lateral movement.
- Change compromised user account credentials and implement account-level containment measures to restrict unauthorized access.
Example: Isolate the compromised server and change the credentials of the affected user account to prevent further unauthorized access.
Incident Response Plan
Action: Follow the incident response plan to coordinate with the incident response team.
Details:
- Activate the incident response team promptly, ensuring key personnel are informed of the ongoing incident.
- Execute predefined steps outlined in the incident response plan for incident containment, eradication, and recovery.
Example: Initiate the incident response plan, involving key team members to contain and eradicate the potential threat, followed by recovery procedures.
Conclusion
In navigating a potential unauthorized access incident, each step is meticulously designed for a comprehensive response. Real-time monitoring and detailed analysis of logs provide a nuanced understanding of the situation. The integration of threat intelligence, collaboration with the incident response team, and decisive actions based on the incident response plan collectively ensure a swift and effective response. Continuous learning from each incident enhances the organization’s overall resilience against evolving cybersecurity threats.