130n@calvinlai.com
  • About Calvin Lai (fkclai)
  • My Work
  • Cyber Security
    • Cyber Security Centre (CSC)
      • Why we need a CSC
      • CSC Team Structure: Roles, Functions, and Tools
        • Key Function & Role
        • Tools & Platforms
        • People
        • Outsource Strategy
      • HRMC Executive Paper
  • Detection and Response
    • Playbook: Threat Prioritization & Automated Response Strategies
      • Scenario: Detecting and Mitigating a Ransomware Attack
      • Scenario: DC Sync Attack Detected and Mitigated
      • Scenario: Pass-the-Hash (PtH) Attack Detected and Contained
      • Scenario: Phishing Campaign with Malware / Credential Theft Detected and Mitigated
  • Application Architecture
    • Comparison of MVC , N-tier and Microservice Architecture
  • Application Security
    • OAuth, SAML, and OpenID Connect: Key Differences and Use Cases
    • Secure Coding Principles
    • HTTP Header Security Principles
    • Mitigating Broken Object Level Authorization (BOLA)
    • Spring Boot Validation
    • Output Encoding in JavaServer Faces (JSF)
    • Session Management Security Issues
    • Common API Security Problems
      • Broken Authentication
      • Excessive Data Exposure
      • Lack of Resources & Rate Limiting
      • Broken Function Level Authorization
      • Unsafe Consumption of APIs
    • JAVA Exception Handling
    • File Upload Validation
    • OAuth 2.0 Security
      • Insecure Storage of Access Tokens
    • Microservice Security
      • Sample Coding Demo
        • Service Implementation
        • Client Interaction
      • Security Solution for Microservices Architecture
    • Modifying and Protecting Java Class Files
      • Modify a Class File Inside a WAR File
      • Direct Bytecode Editing
        • Steps to Directly Edit a Java Class File
          • Update: Java Bytecode Editing Tools
      • Techniques to Protect Java Class Files
        • Runtime Decryption in WebLogic
    • JAVA Program
      • Secure, Concurrent Web Access Using Java and Tor
      • Creating a Maven Java project in Visual Studio Code
  • Exploit/CVE PoC
    • ZeroLogon Exploit
    • Remote Retrieved Chrome saved Encrypted Password
    • Twitter Control an RCE attack
  • Hacking Report (HTB)
    • Hits & Summary
      • Tools & Cheat Sheet
    • Windows Machine
      • Love 10.10.10.239
      • Blackfield 10.10.10.192
      • Remote 10.10.10.180
      • Sauna 10.10.10.175
      • Forest 10.10.10.161
      • Sniper
      • Json
      • Heist
      • Blue
      • Legacy
      • Resolute
      • Cascade
    • Linux Machine
      • Photobomb 10.10.11.182
      • Pandora 10.10.11.136
      • BountyHunter 10.10.11.100
      • CAP 10.10.10.245
      • Spectra 10.10.10.229
      • Ready 10.10.10.220
      • Doctor 10.10.10.209
      • Bucket 10.10.10.212
      • Blunder 10.10.10.191
      • Registry 10.10.10.159
      • Magic
      • Tabby
  • Penetration Testing
    • Web Application PenTest
    • Network/System PenTest
    • Mobile Penetration Test
      • Certificate Pinning
        • Certificate Pinning Bypass (Android)
          • Root a Android Device
          • Setup Proxy Tool - Burp Suite
      • Checklist
  • Threat Intelligence
    • Advanced Persistent Threat (APT) groups
      • North Korean APT Groups
      • Chinese APT Groups
      • Russian APT Groups
      • Other APT
  • Red Team (Windows)
    • 01 Reconnaissance
    • 02 Privileges Escalation
    • 03 Lateral Movement
    • 04 AD Attacks
      • DCSync
    • 05 Bypass-Evasion
    • 06 Kerberos Attack
    • 99 Basic Command
  • Exploitation Guide
    • 01 Reconnaissance
    • 02 Port Enumeration
    • 03 Web Enumeration
    • 04 Windows Enum & Exploit
      • Windows Credential Dumping
        • Credential Dumping: SAM
        • Credential Dumping: DCSync
      • Kerberos Attack
      • RDP
    • 05 File Enumeration
    • 06 Reverse Shell Cheat Sheet
      • Windows Reverse Shell
      • Linux Reverse Shell
    • 07 SQL Injection
    • 08 BruteForce
    • 09 XSS Bypass Checklist
    • 10 Spring Boot
    • 11 WPA
    • 12 Payload list
  • Vuln Hub (Writeup)
    • MrRobot
    • CYBERRY
    • MATRIX 1
    • Node-1
    • DPwwn-1
    • DC7
    • AiWeb-2
    • AiWeb-1
    • BrainPan
  • CTF (Writeup & Tips)
    • CTF Tools & Tips
    • Hacker One
    • CTF Learn
    • P.W.N. University - CTF 2018
    • HITCON
    • Pwnable
      • 01 Start
  • Useful Command/Tools
    • Kali
    • Windows
    • Linux
  • Offensive Security Lab & Exam
    • Lab
    • Tools for an Offensive Certification
      • Strategy for an Offensive Exam Certification
        • CVEs
        • Privilege Escalation
        • Commands
        • Impacket
  • ISO 27001
    • Disclaimer
    • What is ISO 27001
      • Implementation
    • Documentation
    • Common Mistake
    • Q&A
      • Can internal audit to replace the risk assessment
      • Is it sufficient for only the IT department head to support the ISO 27001 program
      • Does the Business Continuity Plan (BCP) and a Disaster Recovery Plan (DRP) are the same?
    • ISO 27001 Controls and Domains
      • 1. Information Security Policies
      • 2. Organization of Information Security
      • 3. Human Resource Security
      • 4. Asset Management
      • 5. Access Control
      • 6. Cryptographic Controls
      • 7. Physical and Environmental Security
      • 8: Operational Security
      • 9. Communications Security
      • 10. System Acquisition, Development, and Maintenance
      • 11. Supplier Relationships
      • 12: Information Security Incident Management
      • 13. Information Security Aspects of Business Continuity Management
      • 14. Compliance
Powered by GitBook
On this page
  • 🚨 Critical Priority (Immediate Response Required)
  • ⚠️ High Priority (Urgent Investigation Required)
  • 📌 Medium Priority (Security Review Needed)
  • 🛠 Low Priority (Routine Monitoring & Alerts)

Was this helpful?

  1. Detection and Response

Playbook: Threat Prioritization & Automated Response Strategies

🚨 Critical Priority (Immediate Response Required)

High-Severity Cyberattacks & Active Threats

  • Ransomware Attack Detected – Mass file encryption & extortion attempts.

    • 🚀 Response: Endpoint isolation, process termination, backup verification, & forensic analysis.

  • DC Sync Attack – Credential theft via Active Directory replication abuse.

    • 🚀 Response: Block unauthorized replication requests, revoke permissions, and investigate compromised accounts.

  • Pass-the-Hash (PtH) / Token Abuse – NTLM authentication misuse for lateral movement.

    • 🚀 Response: Disable compromised credentials, block unauthorized NTLM authentication attempts, enforce MFA.

  • Phishing Campaign with Malware / Credential Theft – Leading to system compromise.

    • 🚀 Response: Email quarantine, endpoint scanning, user credential reset, phishing simulation training.

  • Remote Code Execution (RCE) Exploit Detected – Unpatched system targeted in attack.

    • 🚀 Response: Patch immediately, isolate affected systems, investigate attacker actions, check exploit databases.

  • Data Exfiltration via DNS Tunneling or Cloud Storage Misconfigurations.

    • 🚀 Response: Block suspicious DNS queries, audit cloud permissions, investigate unauthorized data transfers.

  • Privileged Account Compromise – Enabling unauthorized transactions or system modifications.

    • 🚀 Response: Immediate privilege revocation, forensic investigation, identity validation, monitor privilege escalation attempts.

  • Web Shell Installation on Public-Facing Servers – Persistence threat detected.

    • 🚀 Response: Remove web shell, analyze attacker access patterns, audit server configurations, monitor for follow-up attacks.

  • Malware Beaconing to Command-and-Control (C2) Infrastructure.

    • 🚀 Response: Terminate beaconing process, block malicious domains/IPs, check other endpoints for infection.

  • Active Directory Privilege Escalation & Lateral Movement – Stolen credentials used to compromise domain infrastructure.

    • 🚀 Response: Audit privilege escalation paths, monitor Kerberos ticket abuse, investigate unauthorized admin access.


⚠️ High Priority (Urgent Investigation Required)

Potential Security Breaches & Exploit Attempts

  • Impossible Travel Logins & Geo-Based Authentication Anomalies.

    • 🚀 Response: Validate user identity, enforce MFA, block high-risk sessions.

  • Suspicious MFA Failure Attempts – Focused attack on sensitive accounts.

    • 🚀 Response: Investigate affected accounts, restrict privilege escalation paths, enforce MFA resets.

  • Privilege Escalation Attempt on Domain Controllers or Admin Accounts.

    • 🚀 Response: Audit account changes, track NTLM/Kerberos authentication patterns, block escalation.

  • Unauthorized API Access / Token Abuse – Financial or authentication service breach.

    • 🚀 Response: Disable misused API keys, enforce OAuth access control, review security logs for unusual API activity.

  • Web Application Firewall (WAF) Alerts – SQL Injection or Cross-Site Scripting (XSS) Attempt.

    • 🚀 Response: Investigate affected applications, patch vulnerabilities, enhance web security monitoring.

  • User Login Anomalies – Multiple failed login attempts in a short time.

    • 🚀 Response: Review credential stuffing indicators, monitor account lockout events, enforce CAPTCHA/MFA.

  • Exploit Code Publicly Available for Active Vulnerability.

    • 🚀 Response: Cross-reference CVE databases, confirm exploit attempts, validate immediate patch availability.

  • Unusual Kerberos Ticket Granting Ticket (TGT) Activity – Possible credential forgery attack.

    • 🚀 Response: Investigate forged tickets, enforce strict Kerberos authentication policies, scan for compromised admin accounts.

  • Abnormal Network Traffic Spikes – Possible DDoS attack or flooding attempt.

    • 🚀 Response: Rate-limit traffic, investigate attacker IP sources, alert ISP for mitigation.

  • Automated Credential Stuffing Attack – Repeated brute-force login attempts detected.

    • 🚀 Response: Apply account lockout policies, block attacker IP ranges, enforce CAPTCHA-based authentication.


📌 Medium Priority (Security Review Needed)

Insider Threats, Policy Violations & Suspicious Activity

  • Insider Threat – Privileged User Abusing Access for Data Theft.

    • 🚀 Response: Audit data access logs, monitor user behavior deviations, implement least privilege enforcement.

  • Unauthorized Email Forwarding Rules Created – Possible data leakage attempt.

    • 🚀 Response: Review email security settings, disable suspicious forwarding, train employees on phishing detection.

  • Excessive Failed Login Attempts Across Multiple Employee Accounts.

    • 🚀 Response: Investigate potential phishing campaigns or brute-force credential attacks.

  • Suspicious PowerShell or Bash Script Execution on Critical Servers.

    • 🚀 Response: Scan for unauthorized scripts, block execution of known malicious script patterns, enforce script-signing policies.

  • Weak TLS Configuration Detected – Outdated encryption standards in use.

    • 🚀 Response: Upgrade TLS settings, enforce strong cipher suites, ensure encryption compliance with industry standards.


🛠 Low Priority (Routine Monitoring & Alerts)

Security Hygiene, Configuration Issues & General Threat Awareness

  • Unoptimized Security Policies Affecting Cloud-Based Access Controls.

    • 🚀 Response: Review IAM permissions, enforce zero-trust access policies.

  • Use of Outdated Third-Party Libraries with Known Vulnerabilities.

    • 🚀 Response: Identify vulnerable dependencies, enforce automated patching cycles.

  • Improper Session Timeout Leading to Unintended Account Access.

    • 🚀 Response: Modify session timeout settings, restrict unauthenticated idle time.

  • Excessive Failed File Access Attempts Without Privileges.

    • 🚀 Response: Investigate unauthorized access attempts, restrict access permissions.

  • Debug Logs Containing Non-Sensitive System Information.

    • 🚀 Response: Ensure debug logs do not expose system internals to external actors.


PreviousDetection and ResponseNextScenario: Detecting and Mitigating a Ransomware Attack

Last updated 28 days ago

Was this helpful?