(11) Isolation, Removal, Identifying Attackers Flashcards
What does it mean to isolate a system that is undergoing an attack? What does it mean to isolate the attacker?
Isolation is about completely removing a system from the internal network so that the attacker cannot affect other systems. This type of method can be risky because it can allow the attacker to attack other systems on the Internet. Caution is needed with this approach.
Isolating the attacker means to put the affected system in a sandbox and let the attack continue, but the files involved with this particular machine won’t normally have anything of value inside it
What is removal as a response strategy to an ongoing attack?
Removal completely disconnects the affected system from the network so that it cannot cause any more damage. It is similar to unplugging a system.
Why is removal of a system not foolproof?
Removal of a system isn’t foolproof because the attacker can put a script in place to ping a well known server every so often such as 8.8.8.8 which is Google’s public DNS server. If the script doesn’t get replies back after a few times, such as if the defender removed the isolated system from the network, it can cause the malware to encrypt everything on the system or wipe out any and all evidence that the attack took place.
What type of information should incident responders keep when gathering evidence?
incident responders should keep a detailed log of the following information:
-Identifying information (MAC Addresses, IP Addresses, location, etc.)
-Name, title, phone number, etc. of everyone who collected or handled evidence during the investigation
-Time and data of each time evidence was handled
-Locations where the evidence was stored
Note: If the evidence was not handled properly, the court may not accept it
When it comes to incident response, should the attacker be identified?
The attacker could be identified but incident responders need to weigh the business benefit of doing so, because the main goal of incident response is to stop the attack and get systems back up and running.
If the org must know the name of the attackers, they can and probably should involve law enforcement
What are the eradication and recovery phases of the process?
Eradication is about removing any trace of the original attack and sanitizing systems/hardening them so that the same issue doesn’t happen again
Recovery is about restoring full system functionality, similar to sanitizing, mentioned above
Root cause analysis needs to be conducted as well to figure out why the issue happened so that it can be prevented in the future
What is the remediation process?
Remediation is about restoring full system functionality and updating any and all affected or unaffected systems so that the same attack can’t compromise other systems as well. Root cause analysis needs to be heavily considered so that the same vulnerability is not taken advantage of somewhere else on the network
The patch status of all affected, then unaffected systems should be considered too so that these types of issues are not exploited as well
During the recovery effort after a cybersecurity incident, security professionals may need to remove certain systems off of a network completely and replace them. What are the three activities that NIST SP 800-88 mentions as what can be done in these cases?
The three activities are as follows:
-Clear (applies logical techniques to sanitize data using normal read and write commands)
-Purge (Uses physical or logical techniques that cause data to be unrecoverable using state of the art techniques)
-Destroy (completely destroys the data through crushing, incinerating, or pulverizing of the hardware)
Note: After any of the above techniques, the complete destruction of data needs to be validated to make sure that it was in fact deleted permanently
