Brute Force / Password Attack Play Book

Identification
Start -> Event -> Brute Force / Password Attack Identified?
- No: Update Case
- Yes: Incident Ticket Created -> IR Action

Containment (IR Action)
- Disable the targeted user account
- Block any suspicious connections or any suspicious IOC
- Monitor and investigate for unexpected successful logins
- Investigate the websites visited by the user and add any suspicious website in block mode

Eradication & Remediation (IR Action)
- Change the impacted user's account credentials
- Mitigate all detected vulnerabilities in the network, especially in the public-facing service
- Implement Multi-Factor Authentication
- Change the user's email address so that it is not similar to the user ID
- Conduct security awareness for the end users

Restoration (Restore Action)
- Enable the user account
- Continuous monitoring of the target machine and user account activities until confirming no suspicious activity detected
Resolve / Case Close -> End
Author: Muhammad Waleed Khaliq


https://www.linkedin.com/in/waleedkhaliq
XSS - Cross Site Scripting Attack Play Book

Identification
Start -> Event -> Cross Site Scripting Identified?
- No: Update Case
- Yes: Incident Ticket Created -> IR Action

Containment (IR Action)
- Disable the targeted service
- Block any suspicious connections or any suspicious IOC
- Disable Java and JavaScript
- Investigate any suspicious activity in the targeted service or any change in the network
- Block any suspicious script file detected on the web application server
- Disable any discovered abnormal accounts
- Run YARA rules if required

Eradication & Remediation (IR Action)
- Remove any suspicious and unnecessary applications and executable files from the target web application
- Install the latest OS updates and patches
- Update the installed software such as Flash Player, Java, browser, etc.
- Mitigate all detected vulnerabilities in the impacted web application and in the public-facing service
- Scan the user machine with the latest AV definitions

Restoration (Restore Action)
- Ensure that the impacted services are reachable again.
- Ensure that your infrastructure performance is back to your baseline performance.
- Continuous monitoring of the target machine and user account activities until confirming no suspicious activity detected
Resolve / Case Close -> End


DoS and DDoS Attack Play Book

Identification
Start -> Event -> DDoS / DoS traffic Identified?
- No: Update Case
- Yes: Incident Ticket Created -> IR Action

Containment (IR Action)
- Terminate unwanted connections from routers or perimeter firewalls
- Switch to alternate sites or networks using DNS or another mechanism.
- Blackhole DDoS traffic targeting the original IP addresses
- If the bottleneck is a particular feature of an application, temporarily disable that feature
- Attempt to throttle or block DDoS traffic as close to the network’s “cloud” as possible via a router, firewall, load balancer, specialized device, etc.
- If the bottleneck is at the ISP’s side, only the ISP can take efficient actions. In that case, work closely with your ISP and make sure you share information efficiently

Eradication & Remediation (IR Action)
- Contact your ISP and make sure that it enforces remediation measures. For information, here are some of the possible measures:
  - Filtering (if possible at Tier 1 or Tier 2 level)
  - Traffic-scrubbing / Sinkhole / Clean-pipe
  - Blackhole Routing

Restoration (Restore Action)
- Ensure that your infrastructure performance is back to your baseline performance.
- Switch traffic back to your original network
- Ensure that the impacted services are reachable again.
- Restart stopped services
Case Close -> End


Malware Outbreak Play Book

Identification
Start -> Event -> Malware Identified?
- No: Update Case
- Yes: Incident Ticket Created -> IR Action

Containment (IR Action)
- Disable the targeted user account
- Isolate the target machine from the network
- Block the detected IOCs such as file hashes, IPs, URLs, applications, etc.
- Disable USB access

Eradication & Remediation (IR Action)
- Remove suspicious applications and files from the target machine
- Install the latest OS updates and patches
- Scan the target machine using the latest antivirus signatures
- Rebuild the target machine OS if required
- Security awareness has to be performed for the end users

Restoration (Restore Action)
- Enable the user account
- Connect the machine to the network
- Keep monitoring the target machine and user account for some time until confirming no suspicious activity detected
Case Close -> End


Password or Credential Attack Play Book

Identification
Start -> Event -> Password / Credential Attack Identified?
- No: Update Case
- Yes: Incident Ticket Created -> IR Action

Containment (IR Action)
- Disable the targeted user account
- Block any suspicious connections or any suspicious detected IOC
- Investigate any suspicious activity by the user or any change in the network
- Investigate any suspicious websites browsed by the user and add them in block mode
- Investigate for unexpected successful logins
- Investigate for unexpected phishing email

Eradication & Remediation (IR Action)
- Change the email address so that it is not similar to the user ID and reset the impacted account password
- Remove any suspicious and unnecessary applications and executable files from the target machine
- Install the latest OS updates and patches
- Remove any suspicious and unnecessary plug-ins
- Scan the target machine using the latest antivirus update
- Security awareness has to be performed for the end users
- Close all detected vulnerabilities in the network, especially in the public-facing service
- Enable two-factor authentication

Restoration (Restore Action)
- Enable the impacted user account
- Connect the machine to the network
- Keep monitoring the target machine and user account for some time until confirming no suspicious activity detected
Case Close -> End
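The "investigate for unexpected successful logins" step of this playbook and of the Brute Force / Password Attack playbook above, as an added example that is not part of the original playbooks: a small Python checker that flags a successful login preceded by a burst of failures from the same source for the same user. The log line format, the sample events, the failure threshold and the time window are all assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication events (not from the playbook); the format is assumed.
SAMPLE_LOG = """\
2024-03-01T09:00:01 FAIL user=alice src=203.0.113.7
2024-03-01T09:00:02 FAIL user=alice src=203.0.113.7
2024-03-01T09:00:03 FAIL user=alice src=203.0.113.7
2024-03-01T09:00:04 FAIL user=alice src=203.0.113.7
2024-03-01T09:00:05 FAIL user=alice src=203.0.113.7
2024-03-01T09:00:09 OK   user=alice src=203.0.113.7
2024-03-01T09:05:00 FAIL user=bob   src=198.51.100.4
2024-03-01T09:30:00 OK   user=bob   src=198.51.100.4
"""

LINE_RE = re.compile(r"^(\S+)\s+(FAIL|OK)\s+user=(\S+)\s+src=(\S+)$")

def parse_events(text):
    """Parse log lines into (timestamp, result, user, src) tuples, oldest first."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not match the assumed format
        ts, result, user, src = m.groups()
        events.append((datetime.fromisoformat(ts), result, user, src))
    return sorted(events, key=lambda e: e[0])

def find_suspicious_logins(events, threshold=5, window=timedelta(minutes=10)):
    """Return (user, src, failures, success_time) for every successful login that
    follows at least `threshold` failures for the same user and source within `window`."""
    failures = defaultdict(list)  # (user, src) -> timestamps of recent failures
    hits = []
    for ts, result, user, src in events:
        key = (user, src)
        # keep only failures that are still inside the sliding window
        failures[key] = [t for t in failures[key] if ts - t <= window]
        if result == "FAIL":
            failures[key].append(ts)
        elif len(failures[key]) >= threshold:
            hits.append((user, src, len(failures[key]), ts))
            failures[key].clear()
    return hits

if __name__ == "__main__":
    for user, src, n, ts in find_suspicious_logins(parse_events(SAMPLE_LOG)):
        print(f"ALERT: {user} from {src}: {n} failures followed by success at {ts}")
```

A single failure followed by a login much later (the second user in the sample) stays below the threshold, so only the burst-then-success pattern is reported.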



Phishing and Spear Phishing Attack Play Book

Identification
Start -> Event / User Reported -> Check Domain / IP / URL reputation, check email header, check attachment -> Phishing email Identified?
- No: Update Case
- Yes: Incident Ticket Created -> IR Action

Containment (IR Action)
- Disable the targeted user account
- Isolate the target machine from the network
- Block the sender email / IP / sender domain / URL
- Investigate the behavior of this attack to decide the eradication actions

Eradication & Remediation (IR Action)
- Delete the target sender's emails from the users' mailboxes
- Change the impacted users’ account password
- Scan the target machine using the latest antivirus signatures
- Remove any suspicious file or application
- Conduct security awareness for the end users

Restoration (Restore Action)
- Enable the user account
- Connect the machine to the network
- Continuous monitoring of the target machine and user account activities until confirming no suspicious activity detected
Case Close -> End
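The header, reputation and attachment checks of the Identification stage above, as an added example that is not part of the playbook: a Python triage function that pulls the sender domain, a Reply-To mismatch, the relay IPs from Received headers and the attachment hashes out of a constructed sample message, and lists the domains and IPs to look up against reputation feeds. Every address, domain, IP and file name in the sample is a placeholder.

```python
import email
import hashlib
import re
from email import policy
# Constructed sample message (not from the playbook); every name and address is a placeholder.
RAW_MESSAGE = b"""\
Received: from relay.example.net (relay.example.net [198.51.100.25]) by mx.example.com
From: "IT Helpdesk" <helpdesk@examp1e.net>
Reply-To: reply-box@example.org
To: alice@example.com
Subject: Password expiry notice
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: application/octet-stream; name="invoice.pdf.exe"
Content-Disposition: attachment; filename="invoice.pdf.exe"

placeholder attachment bytes
--b1--
"""

def _domain(msg, header):
    hdr = msg.get(header)
    return hdr.addresses[0].domain.lower() if hdr and hdr.addresses else ""

def triage_message(raw):
    """Pull out the header, sender and attachment facts the playbook says to check."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    from_domain = _domain(msg, "From")
    reply_domain = _domain(msg, "Reply-To") or from_domain
    # relay IPs in Received headers are the candidates for IP reputation lookup
    received_ips = []
    for hdr in msg.get_all("Received", []):
        received_ips += re.findall(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", str(hdr))
    attachments = []
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        data = part.get_payload(decode=True) or b""
        attachments.append({
            "name": name,
            "sha256": hashlib.sha256(data).hexdigest(),  # for hash reputation / IOC blocking
            "double_extension": name.count(".") > 1 and name.endswith((".exe", ".scr", ".js")),
        })
    return {
        "from_domain": from_domain,
        "reply_to_mismatch": reply_domain != from_domain,  # common spear-phishing tell
        "received_ips": received_ips,
        "attachments": attachments,
        "to_check": sorted({from_domain, reply_domain} | set(received_ips)),
    }
```

The returned "to_check" list is what an analyst would feed to the domain / IP reputation lookup, and the attachment hashes go to the file reputation check and, if confirmed, into the IOC block list of the Containment stage.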



Privilege Elevation Attack Play Book

Identification
Start -> Event -> Privilege Elevation Identified?
- No: Update Case
- Yes: Incident Ticket Created -> IR Action

Containment (IR Action)
- Disable the targeted user account
- Block any suspicious connections or any suspicious IOC
- Investigate the user's suspicious activities, such as a new scheduled task or a newly installed application
- Investigate any suspicious website visited by the user and add the suspicious website to the blocklist
- Investigate whether the user has received any phishing email

Eradication & Remediation (IR Action)
- Change the impacted user's account credentials
- Mitigate all detected vulnerabilities in the network, especially in the public-facing service
- Change the user's email address so that it is not similar to the user ID
- Conduct security awareness for the end users
- Scan the user machine with the latest AV definitions

Restoration (Restore Action)
- Enable the user account
- Continuous monitoring of the target machine and user account activities until confirming no suspicious activity detected
Resolve / Case Close -> End



SQL Injection Attack Play Book

Identification
Start -> Event -> SQL Injection Detected?
- No: Update Case
- Yes: Incident Ticket Created -> IR Action

Containment (IR Action)
- Disable the impacted service
- Disable any discovered abnormal accounts
- Block the malicious connection or IOCs
- Investigate any suspicious activity or modification at the application level and the database level
- Investigate for any SQL or database vulnerability

Eradication & Remediation (IR Action)
- Perform thorough input validation
- Use parameterized stored procedures for database access to ensure that input strings are not treated as executable statements. If you cannot use stored procedures, use SQL parameters when you build SQL commands
- Install the latest OS updates and patches and close all detected vulnerabilities
- Use least-privileged accounts to connect to the database.
- Update the installed software on the application server, such as Flash Player, Java, browser, etc.
- Scan the targeted machine with the latest AV signatures

Restoration (Restore Action)
- Restore the impacted service
- Keep monitoring the impacted service for some time until confirming no suspicious activity detected
- Conduct VAPT on the service
Case Close / Resolve -> End
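The input-validation and SQL-parameter steps of the Eradication & Remediation stage above, as an added example that is not from the playbook: the string-built query the playbook warns against beside its parameterized equivalent, plus an allow-list validator, run against a constructed in-memory SQLite table. The table, the usernames, the username policy and the probe input are all assumptions.

```python
import re
import sqlite3

USERNAME_RE = re.compile(r"^[a-z0-9_]{1,32}$")  # allow-list; the username policy is assumed

def is_valid_username(value):
    """The 'thorough input validation' step: reject anything outside the allow-list."""
    return bool(USERNAME_RE.match(value))

def make_db():
    """Constructed in-memory demo database (not from the playbook)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "alice@example.com"), ("bob", "bob@example.com")])
    return conn

def lookup_vulnerable(conn, username):
    # The pattern the playbook warns against: input is concatenated into the
    # statement, so the input string can change the meaning of the query.
    sql = "SELECT username FROM users WHERE username = '" + username + "'"
    return [row[0] for row in conn.execute(sql)]

def lookup_parameterized(conn, username):
    # The 'SQL parameters' step: a bound parameter is always a literal value,
    # never executable SQL, whatever characters the input contains.
    sql = "SELECT username FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(sql, (username,))]

def lookup_hardened(conn, username):
    # Validation and parameterization together: invalid input never reaches the database.
    if not is_valid_username(username):
        return []
    return lookup_parameterized(conn, username)

if __name__ == "__main__":
    conn = make_db()
    probe = "x' OR '1'='1"  # constructed input that is not a real username
    print(lookup_vulnerable(conn, probe))     # every user is returned
    print(lookup_parameterized(conn, probe))  # [] : treated as a literal, no such user
    print(lookup_hardened(conn, probe))       # [] : rejected before any query runs
```

The same contrast applies to a least-privileged database account: even if the concatenated query were reached, an account limited to SELECT on the one table could not modify data.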
