Resource Downloads
Google Slides | Microsoft PowerPoint | PDF Presentation
Injection
MISecure Operations Center calls and informs you that you have a vulnerable server exposed to the internet, and it might have been hacked. It appears that the server was misconfigured with SSH (22) and RDP (3389) enabled.
Discussion Prompts
- How do you determine if this is a confirmed security incident or some kind of anomaly?
- How do you identify what systems, data, people, and operational processes are potentially involved?
- What real or potential risk(s) does your organization face?
- What short-term containment options do you have?
- Can you contain it without destroying evidence?
- What is the operational impact of the incident and your containment strategy?
Check Your Work
- Are you able to identify a machine quickly and scan it yourself for vulnerabilities?
- Can you review log files for anomalous or malicious activity?
- Can you determine whether there was lateral movement?
- Did this server interact abnormally with others?
- Can you quickly remove the server from the internet?
- Do you have standard configurations for servers?
- Do you review your externally facing machines for vulnerabilities and compromises?
- Are you subscribed to the free CISA Cyber Hygiene scanning service?
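As an added illustration of the "review log files" check for the exposed-SSH scenario above (example code written for this page, not part of the original exercise materials), the script below triages sshd authentication log lines: it flags a source address that crosses a failed-login threshold and, more importantly, a successful login from an address that had prior failures. The log lines, hostnames and addresses are constructed samples; the threshold of five is an assumed tuning value.

```python
import re
from collections import defaultdict

# Constructed sample sshd log lines (not from any real server): a burst of
# failed logins from one address, then a successful password login from the
# same address, then an unrelated key-based login from a different address.
SAMPLE_AUTH_LOG = """\
Mar  3 02:14:01 web01 sshd[2211]: Failed password for invalid user admin from 203.0.113.45 port 51022 ssh2
Mar  3 02:14:03 web01 sshd[2213]: Failed password for invalid user admin from 203.0.113.45 port 51030 ssh2
Mar  3 02:14:05 web01 sshd[2215]: Failed password for root from 203.0.113.45 port 51041 ssh2
Mar  3 02:14:07 web01 sshd[2217]: Failed password for root from 203.0.113.45 port 51050 ssh2
Mar  3 02:14:09 web01 sshd[2219]: Failed password for root from 203.0.113.45 port 51063 ssh2
Mar  3 02:14:12 web01 sshd[2221]: Accepted password for root from 203.0.113.45 port 51070 ssh2
Mar  3 08:30:44 web01 sshd[3100]: Accepted publickey for deploy from 192.0.2.10 port 40012 ssh2
"""

FAILED_RE = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\S+) port \d+")
ACCEPTED_RE = re.compile(r"Accepted (\w+) for (\S+) from (\S+) port \d+")


def triage_ssh_log(text, fail_threshold=5):
    """Return a list of (finding, source_ip, user) tuples.

    'brute_force'            - source reached fail_threshold failed logins
    'success_after_failures' - a login succeeded from a source with earlier failures
    'password_login'         - a password (not key) login with no prior failures
    """
    failures = defaultdict(int)   # failed attempts per source address
    findings = []
    for line in text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            user, src = m.groups()
            failures[src] += 1
            if failures[src] == fail_threshold:   # report once per source
                findings.append(("brute_force", src, user))
            continue
        m = ACCEPTED_RE.search(line)
        if m:
            method, user, src = m.groups()
            if failures[src] > 0:
                findings.append(("success_after_failures", src, user))
            elif method == "password":
                findings.append(("password_login", src, user))
    return findings


if __name__ == "__main__":
    for finding in triage_ssh_log(SAMPLE_AUTH_LOG):
        print(*finding)
```

A "success_after_failures" hit is the finding that turns "possibly scanned" into "possibly compromised" and should drive the containment and lateral-movement questions above.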