17 - Preventing and Responding to Incidents Flashcards
What is an Incident?
Any event that has a negative effect on the CIA of an organization’s assets.
In terms of computer security, any adverse event which compromises some aspect of computer or network security.
What are the steps of Incident Response?
- Detection: This includes IDS/IPS, AV, SIEM, reporting by users.
- Response: After severity is determined, the appropriate team is called for assessing damage, collecting evidence, reporting the incident, and recovery procedures. The quicker the response, the better the odds that damage is limited.
- Mitigation: Containing or isolating the incident so it doesn’t spread while investigation is ongoing.
- Reporting: Informing the necessary parties depending on the severity and scope of the incident. Sometimes this is a legal requirement.
- Recovery: Return the system to a fully functional state.
- Remediation: Confirm what allowed the incident to occur and take steps to prevent it from happening again (includes root cause analysis).
- Lessons Learned: Recommended changes to prevent future incidents and assist in better detections.
What are some basic Preventive Measures?
- Keep systems and apps up-to-date
- Remove/disable unneeded services and protocols
- Use IDS and IPS systems
- Use up-to-date AV
- Use firewalls
- Implement configuration and system management processes
What are some Common Attack Methods?
- Botnets: A multitude of infected machines that are controlled by attackers (botherder). These botnets can launch attacks, send spam/phishing emails, or be rented out to other criminals.
- Prevention: Keep systems up-to-date with AV, security controls, and patching. Educate users on secure practices.
- Denial-of-Service Attacks: Any attack that prevents a system from processing or responding to legitimate traffic or requests for resources and objects (flooding of packets or exploiting vulnerabilities).
- Distributed Denial-of-Service Attacks: When multiple systems attack a single system at the same time.
- Distributed Reflective Denial-of-Service Attacks: The victim isn’t attacked directly, but via an intermediary so that the attacks are “reflected” back to the victim.
- SYN Flood Attack: Disrupts the TCP 3-way handshake by sending a flood of SYN packets, leaving the responding server waiting for the ACK packet and reserving resources for it. This is done hundreds or thousands of times until the victim is overwhelmed and unable to respond to legitimate requests.
- Prevention: Use SYN cookies to track sessions, which use very few resources. Limit the amount of time to wait for an ACK packet. Use FW, IPS, and IDS systems to check for these attacks.
- Smurf and Fraggle Attacks:
- Smurf: Sends a Ping request (ICMP packets) to all systems on a network, spoofing the source of the ping as the victim. Everyone replies and floods the victim with traffic.
- Prevention: Routers, firewalls, and even some servers today prevent Ping requests.
- Fraggle: Same as a Smurf but will use UDP packets on ports 7 and 19 to get responses from the network.
- Ping Flood: Botnets will flood a victim with ping requests, using up all its resources trying to respond.
- Prevention: Block ICMP (Ping requests) on the network.
- Ping of Death: Uses an oversized Ping packet (over 64 KB) in order to crash the system or cause a Buffer Overflow.
- Prevention: Most patched systems prevent this issue.
- Teardrop: Attackers fragment traffic in such a way that receiving systems cannot reassemble it, causing resources to be consumed and the system to crash.
- Prevention: Most patched systems can prevent this issue.
- Land Attacks: When an attacker sends spoofed SYN packets with the receiver’s IP address as both the source and destination, which causes the receiver to constantly respond to itself until it freezes.
- Prevention: Filter packets that have identical source and destination IPs.
- Malicious Code (malware): Any script or program that performs an unwanted, unauthorized, or unknown activity on a user’s system. Ex. Trojans, viruses, worms, macros, logic bombs. Can be distributed by email, external storage, drive-by download (downloaded and installed without the user’s knowledge), etc.
- Zero-Day Exploits: Vulnerabilities not yet discovered or fixed by the vendor that attackers can take advantage of on unpatched systems.
- Prevention: Robust patch management system, turn off unneeded services and protocols, use network security controls such as firewalls and IPS/IDS systems for detection.
- Man-in-the-Middle: When an attacker gains a position between two communicating endpoints. It can either be a sniffing attack, where the attacker is just monitoring the traffic as it goes by, or one where the attacker impersonates one of the endpoints and receives and forwards all communication. This attack requires some sophistication and skill on the attacker’s part.
- Prevention: Patched systems and the use of a VPN to secure the communication channel from outsiders.
- Sabotage: A criminal act of destruction or disruption to an organization by a trusted employee. Generally done by disgruntled employees.
- Prevention: Swift termination processes that include account disabling, activity audits, good communication among employees and managers, and fair practices of employee recognition and compensation.
- Espionage: Malicious act of gathering important data from an organization with the intent of selling it or giving it to another entity. Attackers could be employees who are disgruntled, blackmailed, or purposely placed in the organization for this purpose.
- Prevention: Monitor activity and access, screen new candidates, and protect data properly.
What is an Intrusion Detection/Prevention System? How does it work and how is it implemented?
An Intrusion Detection System automates the inspection of logs and real-time system events to detect malicious activity and system failures. Once a detection occurs, alarms are triggered, and activity can also be prevented if the system is an IPS (an IPS can do everything an IDS can as well as take additional steps to prevent/stop activity). An IPS needs to be placed inline with traffic to be most effective and proactive.
An IDPS detects activity by one of 2 methods:
- Knowledge-Based: Matches patterns or signatures found in its database of known malicious attacks. (Only effective against known attacks)
- Behavior-Based: Checks for anomalies against baseline activity for attack detection. Can detect newer attacks that do not yet have signatures. Can also raise more false alarms as it is learning and building a baseline.
Responses can be categorized into 2 buckets:
- Passive Response: Notifications are sent and event is logged/reported
- Active Response: Modifies the environment to block/stop the activity in addition to logging and notifying on the event.
Implementations:
- Host-Based: Monitors a single host or system (can get more granular).
- Network-Based: Monitors a network by measuring traffic patterns
What are some Preventative Measures/controls admins use to thwart attackers?
- Honeypots: Individual computers created as a trap for intruders that look and act like real systems but do not hold any real data. Generally set up with vulnerabilities to attract attackers and keep them away from real systems.
- Honeynets: Two or more honeypots used together to simulate a network.
- Pseudo Flaws: False vulnerabilities that are intentionally planted in a system to attract intruders.
- Padded Cells: A simulated environment that offers fake data to retain an intruder’s interest, similar to a honeypot.
- Warning Banners: Informs users (and intruders) about security guidelines and monitoring their activities while on a system.
- Anti-Malware: Protects against malicious code as long as it is up-to-date.
- Whitelisting/Blacklisting: Whitelisting identifies a list of authorized applications that are OK to run on a system. Blacklisting identifies a list of applications that are not authorized to run on a system.
- Firewalls: Provides protection to a network by filtering traffic by IPs, ports, protocols, etc.
- Sandboxing: Provides a boundary for applications and prevents the application from interacting with other applications.
- Third-Party Security Services: Outsourcing security services to a 3rd party.
- Pen Testing: Mimics an actual attack in order to identify what techniques attackers use to circumvent security. (Requires written approval)
What are the different log types?
- Security Logs: Records access to resources.
- System Logs: Records system events (Starts, Stops, etc)
- Application Logs: Records info in specific apps
- Firewall Logs: Can record events related to any traffic that reaches a firewall.
- Proxy Logs: Records details such as what sites specific users visit and how much time they spend on these sites.
- Change Logs: Records change requests, approvals, and actual changes.
What is Logging?
The process of recording information about events to a log file or database.
What are some ways organizations protect logs?
- Storing on a SIEM
- Backups
- Restrict Access
What are some benefits of monitoring logs, etc. in your network?
- Audit Trails: Provides a record of activity. (Passive deterrence)
- Accountability: Ensures subjects can be held accountable for their actions and activities.
- Investigations: Audit trails give investigators the ability to reconstruct events long after they have occurred.
- Ensure time stamps are consistent across the organization.
- Problem Identification
What are some techniques for monitoring (the process of reviewing information logs looking for something specific)?
- Log Analysis: Detailed and systematic form of monitoring in which the logged information is analyzed for trends and patterns as well as abnormal, policy-violating activities.
- SIEM (Security Information and Event Management): A centralized application to automate monitoring of systems on a network. They provide real-time analysis of events occurring throughout the organization. They generally use agents on the remote systems that will report any known events.
- Sampling (Data Extraction): The process of extracting specific elements from a large collection of data to construct a meaningful summary.
- Clipping Levels: Selects events that exceed a specified threshold
- CCTV Footage
- Keystroke Monitoring: The act of recording keystrokes a user performs on a physical keyboard.
- Traffic and Trend Analysis: Examines the flow of packets (network flow monitoring)
What is Egress Monitoring? And what are some components of it?
- The monitoring of outgoing traffic to prevent data exfiltration, the unauthorized transfer of data outside the organization.
- Data Loss Prevention: Systems that attempt to detect and block data exfil. Looks for keywords and patterns.
- Network-based: Placed on the edge of network to scan all data leaving the organization.
- Endpoint-based: Scans files stored on a system or sent to external systems.
- Steganography: Embedding a message within a file such as a picture. Can be detected by comparing file hashes.
- Watermarking: The practice of embedding an image or pattern in paper that isn’t perceivable. Often used to thwart counterfeiting attempts.
What are some audits used to assess effectiveness?
- Auditing: Methodical examination or review of an environment to ensure compliance with regulations and to detect abnormalities.
- Auditors: Responsible for testing and verifying that processes and procedures are in place to implement security policies or regulations.
- Inspection Audits:
- Access Review Audits: Ensures that object access and account management practices support the security policy.
- User Entitlement Audits: Ensures users only have the privileges they need to perform their job and no more.
- Audits of Privileged Groups:
- High-Level Admin Groups: Review who is a member of such a group and how often they use it.
- Dual Admin Accounts: Where admins have 2 accounts: one for day-to-day activity and the other for admin work with high privileges.
What are security audits and reviews?
Helps ensure that an organization has implemented security controls properly. Common items that are checked are:
- Patch Management
- Vulnerability Management
- Config Management
- Change Management
What is included in reporting the audit results?
- Contents:
- The purpose
- The scope
- The results found
- Protecting Audit Results:
- Assigned a classification label and only authorized personnel should see it
- Distributing Audit Reports:
- Sent to its assigned recipients with receipt of delivery. Depending on the findings, the report may be escalated up higher management.
- Using External Auditors:
- Sometimes required. They often possess a level of objectivity and a fresh perspective that an internal audit cannot provide.
- Interim Report: While the full audit is being completed, sometimes an interim report is delivered about findings that need immediate resolution.
- Exit Conference: Auditors present their findings before they leave the premises/close out their audit. Once they close out, a final audit report will be sent.