(10) Unusual DNS, IoCs, And Evidence Flashcards
When monitoring for unusual DNS traffic, what should security professionals focus on?
Abnormal volumes of DNS queries, particularly queries for unusual domain names.
Queries for unusual domain names, often randomly generated or machine-generated host names such as jku845.com.
Large numbers of DNS query failures, which can indicate the use of automatically generated DNS names embedded in malware.
Describe how Indicators of Compromise (IoCs) need to be used to help detect an issue on a system.
IoCs often need to be combined in order to determine that there is an issue and where the issue is coming from. IoCs rarely occur in isolation.
When it comes to forensic evidence, describe preservation and chain of custody.
Preservation is about taking the data into custody and keeping it secure in a documented way.
Chain of custody is about documenting how the data travels and changes hands throughout the entire investigation. A proper chain of custody helps ensure, and demonstrate, that the evidence has not been modified.
In terms of evidence, describe a legal hold and validating data integrity.
A legal hold is about preserving data in case it may be needed in a legal case of some kind. Organizations may proactively place legal holds on their own data if they think a lawsuit is coming.
Validating data integrity is very important because it confirms that the data has not been inadvertently changed or deleted. Hashing is often used to support preservation, since a hash verifies that the copy of the data being used is the original and not an altered copy.