4.0 Operations and Incident Response Flashcards
a command-line utility that you can use to trace the path that an Internet Protocol (IP) packet takes to its destination.
Linux: traceroute domainname
Windows: tracert domainname
Command that lets an Internet server administrator or any computer user enter a host name (for example, “whatis.com”) and find out the corresponding IP address or domain name system (DNS) record
Linux: dig domainname
Windows: nslookup domainname
Command that displays all current TCP/IP network configuration values and refreshes Dynamic Host Configuration Protocol (DHCP) and Domain Name System (DNS) settings
Linux: ifconfig
Windows: ipconfig
program that scans the network a computer is connected to and outputs a list of ports, device names, operating systems, and several other identifiers that help the user understand the details behind their connection status
nmap
command that can be used to send large volumes of TCP traffic at a target while spoofing the source IP address, making it appear random or even originating from a specific user-defined source
HPing
command that is a networking tool used for troubleshooting and configuration, and that can also serve as a monitoring tool for connections over the network. Both incoming and outgoing connections, routing tables, listening ports, and usage statistics are common uses for this command
netstat
a back-end tool that allows for port scanning and port listening
netcat
analyzing a business network to discover IP addresses and identify relevant information associated with those IP addresses and devices.
IP Scanner
command allows you to make manual entries into the network routing tables.
route
Example
route add -net 192.56.76.0 netmask 255.255.255.0 dev eth0
a command-line tool that lets you transmit HTTP requests and receive responses from the command line or a shell script
curl
Linux tool that acts as a wrapper for a variety of search engines and is used to find email accounts, subdomain names, virtual hosts, open ports / banners, and employee names related to a domain from different public sources
TheHarvester
automated scanner that can be used during a penetration test to enumerate and scan for vulnerabilities
Sn1per
automated tool developed in the Python language, which performs port scanning on the target host
Scanless
multithreaded Perl script to list DNS information of a domain and to discover non-contiguous IP blocks.
Dnsenum
an open-source network vulnerability scanner that uses the Common Vulnerabilities and Exposures architecture for easy cross-linking between compliant security tools
Nessus
a tool that is used to launch malware in a secure and isolated environment; the idea is that the sandbox fools the malware into thinking it has infected a genuine host
Cuckoo sandbox
Linux command used to change the access mode of a file
Chmod
a Linux command that prints the first lines of one or more files (or piped data) to standard output
Head
a Linux command which prints the last few lines (10 lines by default) of a given file, then terminates.
Tail
a Linux command used to search text files for lines matching a regular expression
grep
provides an interface to the syslog subroutine, which writes entries to the system log
logger
a tool for replaying network traffic from files saved with tcpdump or other tools which write pcap(3) files
TCPreplay
packet analyzer that is launched from the command line. It can be used to analyze network traffic by intercepting and displaying packets that are being created or received by the computer it’s running on. It runs on Linux
TCPDump
the basic purpose of this Linux command is to transfer data from one drive to another while also making sure that the data itself is not changed
dd
used for forensics, data recovery, low-level data processing, and IT security. It allows the user to view files in hexadecimal format
winHex
a tool for creating disk images and is absolutely free to use. It was developed by The Access Data Group. It is a tool that helps to preview data and for imaging
FTK Imager
are supported software packages that contain reliable exploit modules and other useful features, such as agents used for successful repositioning
Exploitation frameworks
recovers passwords using various techniques. The process can involve comparing a list of words to guess passwords or the use of an algorithm to repeatedly guess the password
password crackers
the process of irreversibly removing or destroying data stored on a memory device (hard drives, flash memory / SSDs, mobile devices, CDs, and DVDs, etc.) or in hard copy form
Data sanitization
A plan that has a set of instructions or procedures to detect, respond to, and limit the consequences of malicious cyber attacks against an organization’s information systems
incident response plans
This is a process for identifying an attack, understanding its severity and prioritizing it, investigating and mitigating the attack, restoring operations, and taking action to ensure it won’t recur
incident response process
Incident Response Process technique that does the following
These are things you would do before an attack happens
- communication, who gets contacted, what are the phone numbers, etc
- resources: documentation, diagrams, base-lines
- incident mitigation software
- policies to follow
IRP Preparation
Incident Response Process technique that does the following
This step in the IRP is figuring out the type of attack
- buffer overflows
- anti-virus can identify
- host-based monitors detect configuration changes: something is going to happen or is already underway
- network traffic flow deviates
IRP Identification
This is an incident response process technique for making sure the attack doesn’t get out of hand
Techniques you would use
- don’t leave it alone
- sandbox
- isolation can sometimes be problematic because some malware will delete itself and other data once it detects it doesn’t have an internet connection
IRP Containment
Incident Response Process technique that does the following
- remove malware
- disable breached user accounts
- fix vulnerabilities
IRP Eradication
Incident response process technique that has:
- different ways to detect incidents, due to the large amount of data
- security incidents are normally complex
IRP Detection
Incident Response Process technique that refers to the aftermath:
- have it soon after the attack
- what happened?
- evaluate how incident plans worked
- did the precursors help?
IRP Lesson Learned
Incident Response process technique to get back to working operation
- can take months
- a phased approach
- start with high-value parts
IRP Recovery
a set of data matrices and an assessment tool developed by this corporation to help organizations understand their security readiness and uncover vulnerabilities in their defenses.
MITRE ATT&CK
analysis is an approach employed by several information security professionals to authenticate and track cyber threats.
Diamond Model of Intrusion Analysis
a way to understand the sequence of events involved in an external attack on an organization’s IT environment.
Cyber Kill chain
Planning effort within individual agencies to ensure they can continue to perform their mission essential functions during a wide range of emergencies
continuity of operations planning
signaling protocol that enables the Voice Over Internet Protocol (VoIP) by defining the messages sent between endpoints and managing the actual elements of a call
Session Initiation Protocol
a protocol that computer systems use to send event data logs to a central location for storage
syslog/rsyslog/syslog-ng
Linux command for querying and displaying logs from journald, systemd’s logging service
journalctl
open source log collection and centralization tool that offers log processing features, including log enrichment (parsing, filtering, and conversion) and log forwarding
NXLog
standard for monitoring network flow data that allows you to monitor IP network traffic information as data packets enter or exit an interface.
Netflow
provides a more comprehensive picture of network traffic, because it includes the full packet header, from which any field can be extracted
SFlow
works with Cisco equipment; to do so, it collects data packets from across the network
IPFix
used to monitor data traffic and analyze captured signals as they travel across communication channels
Protocol analyzer output
automate, control, and secure administrative policies on laptops, smartphones, tablets, or any other device connected to an organization’s network.
Mobile Device Management
SOAR technique consists of a series of conditional steps to perform actions, such as data enrichment, threat containment, and sending notifications, automatically as part of the incident response or security operations process.
SOAR Runbook
SOAR technique designed to help SOC teams respond to known threats because security breaches are not typically the result of unknown threats
SOAR Playbook
the process by which organizations preserve potentially relevant information when litigation is pending or reasonably anticipated
Legal Hold
the sequence or order in which the digital evidence is collected.
order of volatility
A piece of evidence, such as text or a reference to a resource, that is submitted to support a response to a question.
Artifacts
entitles your organization to review your vendor’s work product and reporting which may include self-assessments, third-party audits and other, official documents detailing the sufficiency of internal systems and controls
right-to-audit clauses
any government or governmental unit which has authority to regulate the sale or use of a Co-Development Product in any territory
Regulatory/jurisdiction
A mathematical value created using a cryptographic algorithm that is assigned to data and later used to test the data to verify that the data has not changed
checksum
form of digital investigation that attempts to find evidence in email, business communications and other data that could be used in litigation or criminal proceedings
e-discovery
What are the six steps in the incident response process?
Preparation
Detection
Analysis
Containment
Eradication
Recovery
Lessons Learned
A standard model that describes malicious activity and enables intrusion analysis, threat hunting, and threat detection.
Diamond Model Intrusion Analysis
Name the four elements of the Diamond Model of Intrusion Analysis
Adversary, Capability, Infrastructure and Victim