
vulnerability Scan on website

(@forensic1zn)
Eminent Member
Joined: 14 years ago
Posts: 22
Topic starter  

Hi Guys,

I have been tasked to investigate a matter whereby a company's CSIRT team identified that a vulnerability scan was conducted from my org.

We managed to trace it back to a specific computer. The computer was imaged, including a RAM dump. RAM appears clear, with no malware running in memory.

A short while ago the 3rd party contacted us again indicating they are still seeing activity on their side, this time from a different PC.

It should be noted that the 3rd party website is used by us for legitimate work as well.

Currently we are routing all traffic through a single proxy to eliminate the rest of our org's proxies.

Please assist in helping me establish what is causing all this traffic to this website, or any ideas/areas that I can check.

Thanks


(@Anonymous 6593)
Guest
Joined: 17 years ago
Posts: 1158
 

We managed to trace it back to a specific computer. The computer was imaged, including a RAM dump. RAM appears clear, with no malware running in memory.

How long between the observation and the image? What was it doing at the time of the scan – did you get a timeline? Interviewed the users who were logged in and active at the time? Did the two relevant systems have the same user logged in at the time by any chance?

A short while ago the 3rd party contacted us again indicating they are still seeing activity on their side, this time from a different PC.

It should be noted that the 3rd party website is used by us for legitimate work as well.

And had those computers been used for such work?

What *exactly* are they seeing? A full synscan from 1-65535? A distinctive nmap 'ping'? What ports are involved? Or … what else? A webapp vulnerability scan? sqlmap injection tests? Burpsuite fuzzing attempts? Dirbuster? Can the scanner software be identified?

You don't need to answer – but start to build up hypotheses about what may be happening, and look for ways of testing them. Doesn't matter how many bad hypotheses you invent as long as you keep testing and eliminating them, one by one.

And start to think about incident response handling: do it in-house, or should you be calling in external help?
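Since all traffic to the site now goes through a single proxy, one way to test the "which internal host is generating scan-like traffic, and with what tool" hypothesis is to profile the proxy log per client: distinct paths requested, share of 4xx responses, time span and user-agents. This is an added example, not code from the thread; the log format, the host partner.example, the sample lines and the thresholds are constructed assumptions, so adapt the regex to your proxy's real format and tune the thresholds against your own baseline of legitimate use.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit
# Constructed sample proxy log (not real data): epoch client method url status "user-agent".
SAMPLE_LOG = """\
1700000000 10.1.1.5 GET http://partner.example/login 200 "Mozilla/5.0"
1700000001 10.1.1.5 GET http://partner.example/app/report 200 "Mozilla/5.0"
1700000002 10.1.1.9 GET http://partner.example/admin/ 404 "ScannerUA/1.0"
1700000002 10.1.1.9 GET http://partner.example/old/ 404 "ScannerUA/1.0"
1700000003 10.1.1.9 GET http://partner.example/test/ 403 "ScannerUA/1.0"
1700000003 10.1.1.9 GET http://partner.example/dev/ 404 "ScannerUA/1.0"
1700000004 10.1.1.9 GET http://partner.example/backup/ 404 "ScannerUA/1.0"
"""
LINE_RE = re.compile(r'^(\d+) (\S+) (\S+) (\S+) (\d{3}) "([^"]*)"$')
FIELDS = ("ts", "client", "method", "url", "status", "ua")

def parse_log(text):
    """Parse lines into dicts; malformed lines are skipped rather than fatal."""
    records = []
    for m in filter(None, map(LINE_RE.match, text.splitlines())):
        r = dict(zip(FIELDS, m.groups()))
        r["ts"], r["status"] = int(r["ts"]), int(r["status"])
        records.append(r)
    return records

def profile_clients(records, target_host):
    """Per internal client talking to target_host: requests, distinct paths, 4xx count, UAs, times."""
    stats = defaultdict(lambda: {"requests": 0, "paths": set(), "errors": 0,
                                 "agents": set(), "times": []})
    for r in records:
        u = urlsplit(r["url"])
        if u.hostname != target_host:
            continue  # traffic to other sites is not relevant to this question
        s = stats[r["client"]]
        s["requests"] += 1
        s["paths"].add(u.path)
        s["errors"] += int(400 <= r["status"] < 500)  # enumeration mostly yields 403/404
        s["agents"].add(r["ua"])  # helps identify the scanner software, if it is honest
        s["times"].append(r["ts"])
    return stats

def suspicious_clients(stats, min_paths=5, min_error_ratio=0.5):
    """Flag clients that look like enumeration, not normal use (thresholds are assumptions)."""
    flagged = []
    for client, s in stats.items():
        ratio = s["errors"] / s["requests"]
        if len(s["paths"]) >= min_paths and ratio >= min_error_ratio:
            span = max(s["times"]) - min(s["times"])  # seconds between first and last hit
            flagged.append((client, len(s["paths"]), round(ratio, 2), span, sorted(s["agents"])))
    return flagged
```

A flagged client plus its time span gives you the host and the window to pull user logon records and build the timeline the reply asks about.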

