Resource Downloads
Google Slides | Microsoft PowerPoint | PDF Presentation
Injection
You get a report from your MDR software that there have been a high number of failed logins to several servers coming from the internal VPN IP address.
Discussion Prompts
- How do you determine if this is a confirmed security incident or some kind of anomaly?
- How do you identify what systems, data, people, and operational processes are potentially involved?
- What real or potential risk(s) does your organization face?
- What short-term containment options do you have?
- Can you contain it without destroying evidence?
- What is the operational impact of the incident and your containment strategy?
Check Your Work
- Review logs for failed logins.
- Review past and current active VPN connections.
- Review VPN access rights.
- Can all VPN accounts access everything?
- If a suspicious login is found, review the logs of that user’s activity.
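The first three checks above (failed-login logs, VPN connection history, and tying the two together) can be worked through in a few lines of code. The script below is an added example for this exercise, not material from the original scenario or from any MDR product: the auth-log and VPN-session formats, the pool address 10.8.0.5, the hostnames and usernames are all constructed, and the thresholds (5 failures across at least 2 hosts) are assumptions to adjust for your environment. The point it demonstrates is the one that makes this scenario tricky: a VPN concentrator hands out pool addresses, so "the internal VPN IP" is not a person until you match the timestamp of each failure against the VPN session that held that address at the time.

```python
"""Correlate failed logins from a VPN pool address with VPN session records.

Constructed sample data; formats are assumptions, not any vendor's log schema.
"""
from collections import defaultdict
from datetime import datetime

# Constructed server auth log: "timestamp host EVENT source_ip target_user"
AUTH_LOG = """\
2024-05-01T02:10:01 fileserver01 LOGIN_FAILED 10.8.0.5 administrator
2024-05-01T02:10:02 fileserver01 LOGIN_FAILED 10.8.0.5 admin
2024-05-01T02:10:03 dbserver01 LOGIN_FAILED 10.8.0.5 sa
2024-05-01T02:10:04 dbserver01 LOGIN_FAILED 10.8.0.5 administrator
2024-05-01T02:10:05 appserver02 LOGIN_FAILED 10.8.0.5 backup
2024-05-01T02:10:06 appserver02 LOGIN_FAILED 10.8.0.5 svc_deploy
2024-05-01T02:10:07 fileserver01 LOGIN_FAILED 10.8.0.5 root
2024-05-01T09:15:00 fileserver01 LOGIN_FAILED 10.1.4.22 jsmith
2024-05-01T09:15:20 fileserver01 LOGIN_OK 10.1.4.22 jsmith
"""

# Constructed VPN concentrator session log: "vpn_user assigned_ip start end"
# Note the pool address 10.8.0.5 is reused by two different users on the same day.
VPN_SESSIONS = """\
mlee 10.8.0.5 2024-05-01T01:55:00 2024-05-01T02:30:00
dgarcia 10.8.0.5 2024-05-01T03:00:00 2024-05-01T04:10:00
jsmith 10.8.0.7 2024-05-01T08:00:00 2024-05-01T17:00:00
"""


def parse_auth_log(text):
    """Parse the constructed auth-log format into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, event, src, user = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "host": host,
                       "event": event, "src": src, "user": user})
    return events


def parse_vpn_sessions(text):
    """Parse the constructed VPN session format into a list of session dicts."""
    sessions = []
    for line in text.splitlines():
        if not line.strip():
            continue
        user, ip, start, end = line.split()
        sessions.append({"user": user, "ip": ip,
                         "start": datetime.fromisoformat(start),
                         "end": datetime.fromisoformat(end)})
    return sessions


def failure_summary(events, min_failures=5, min_hosts=2):
    """Group failed logins by source IP and keep sources that spray many hosts.

    Thresholds are assumptions; one user fat-fingering one server never trips them.
    """
    by_src = defaultdict(lambda: {"count": 0, "hosts": set(), "users": set()})
    for e in events:
        if e["event"] != "LOGIN_FAILED":
            continue
        s = by_src[e["src"]]
        s["count"] += 1
        s["hosts"].add(e["host"])
        s["users"].add(e["user"])
    return {src: s for src, s in by_src.items()
            if s["count"] >= min_failures and len(s["hosts"]) >= min_hosts}


def vpn_user_for(src_ip, ts, sessions):
    """Return the VPN user who held src_ip at time ts, or None if no session covers it.

    A None here is itself a finding: either the session log has a gap or the
    address was used outside any recorded VPN session.
    """
    if isinstance(ts, str):
        ts = datetime.fromisoformat(ts)
    for s in sessions:
        if s["ip"] == src_ip and s["start"] <= ts <= s["end"]:
            return s["user"]
    return None


def attribute_suspicious_sources(events, sessions, **thresholds):
    """For each flagged source IP, list the hosts hit, accounts tried and VPN users behind it."""
    report = {}
    for src, s in failure_summary(events, **thresholds).items():
        holders = {vpn_user_for(src, e["ts"], sessions)
                   for e in events if e["src"] == src and e["event"] == "LOGIN_FAILED"}
        report[src] = {
            "failures": s["count"],
            "hosts": sorted(s["hosts"]),
            "attempted_accounts": sorted(s["users"]),
            "vpn_users": sorted(u for u in holders if u),
            "unattributed": None in holders,  # some failures fall outside any session
        }
    return report


if __name__ == "__main__":
    evts = parse_auth_log(AUTH_LOG)
    sess = parse_vpn_sessions(VPN_SESSIONS)
    for src, info in attribute_suspicious_sources(evts, sess).items():
        print(src, info)
```

Running it reports 10.8.0.5 with 7 failures across three servers, a list of privileged account names being tried, and mlee as the only VPN user holding that address during the burst; the 10.1.4.22 failure followed by a success is a normal user mistyping a password and is not flagged. That attribution is what lets you answer the "what systems, data, people" prompt and pick a containment step (disable that VPN account, preserve the concentrator's session log) that does not destroy the evidence.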