9. INCIDENT RESPONSE - DONE Flashcards
There are four phases of the IR lifecycle:
preparation; detection and analysis; containment, eradication, and recovery; and post-incident activity.
Describe the preparation phase
In the preparation phase, a company establishes its computer security IR capability and creates a computer security incident response team (CSIRT) so that the company is properly equipped and ready to respond to incidents.
The following are the required elements listed in the CSA Guidance for this phase:
*Process to handle the incidents
*Handler communications and facilities
*Incident analysis of hardware and software
*Internal documentation (port lists, asset lists, network diagrams, current baselines of network traffic)
*Training identification
*Evaluation of infrastructure by proactive scanning and network monitoring, vulnerability assessments, and performing risk assessments
*Subscription to third-party threat intelligence services
Know your assets and your weaknesses and have knowledgeable people both internally (CSIRT) and externally (third-party threat intelligence services), and you will be well prepared.
Describe the detection and analysis phase
This phase is all about the telemetry (logging, monitoring, metrics, alerts, and other messages) you get from systems and other IT components. As you just learned, there’s a difference between ITIL (an organization that focuses on continuous improvement of IT service management) incident response and computer security incident response. Here’s an area that highlights the different approaches. Simply looking at CPU usage and other generic telemetry is insufficient to detect attacks. The CSIRT needs security-specific detection and analysis tools.
The following tasks are recommended as part of the CSA Guidance:
*Form a system of alerts, including endpoint protection, network security monitoring, host monitoring, account creation, privilege escalation, other indicators of compromise, SIEM, security analytics (baseline and anomaly detection), and user behavior analytics.
*Validate alerts (reducing false positives) and escalation.
*Estimate the scope of an incident.
*Assign an incident manager who will coordinate further actions.
*Designate a person who will communicate the incident containment and recovery status to senior management.
*Build a timeline of the attack.
*Determine the extent of the potential data loss.
*Set up notification and coordination activities.
Describe the containment, eradication, and recovery phase
First, you must contain the attack by taking systems offline. Consider data loss versus service availability. Ensure that systems don’t destroy themselves upon detection. Next, eradication and recovery involve cleaning up compromised devices and restoring systems to normal operation. Confirm that systems are functioning properly. Deploy controls to prevent similar incidents. Finally, document the incident and gather evidence (chain of custody).
Describe the post-incident activity phase
These post-incident meetings are meant to help everyone learn about possible IR process improvements; unfortunately, they always seem to wind up being a blame game. Rather than casting blame, ask the following questions:
*What could have been done better?
*Could the attack have been detected sooner?
*What additional data would have been helpful to isolate the attack faster?
*Does the IR process need to change? If so, how?
What are some key questions you should ask about your cloud provider’s IR support in the preparation phase?
*Who is responsible for IR and in which scenarios? In other words, how are responsibilities allocated between the CSP and its customers?
*What are the points of contact? If an incident occurs, does the CSP know who to contact, can your organization call someone at the CSP, do they offer e-mail support, or do they provide access to a discussion forum? Is a contact available 24×7 or just during business hours?
*How long does the CSP have to respond to you after an incident occurs? Is it ten minutes? Ten hours? Ten days?
*What are the CSP’s escalation procedures?
*Is out-of-band communication possible if networks are down?
*How do hand-offs work between the customer IR team and that of the provider?
*Does the customer have access to data and logs to support IR? Which data and logs are included?
*Are logs available in a format that your IR team can easily access using their own tools, or do you require access to the provider’s tools to access them?
*Under what circumstances does the CSP alert customers of an ongoing incident? What are their SLA requirements for such notification?
*Does the CSP have a dedicated IR team?
What are a few suggestions to ensure that you and your CSP have solid opportunities for communication in the event of an incident?
*Make sure that you have an open access channel to engage with the provider, and also that the provider is able to contact you in the event of a problem.
*Avoid listing a particular employee as a main contact. What if the provider is trying to advise you of an incident, but the contact listed with the provider is no longer with your company? Make sure the contact’s e-mail address is monitored and that notifications are integrated into your IR processes.
Testing is also vital to preparing for an incident. If possible, review and test your IR processes with your providers annually or when significant changes are made. Most providers want to have happy clients, and they would much rather work with you to make sure you’re ready for an incident than have an upset client on their hands. Your processes will have to change, and the provider may be able to make recommendations on what they have seen from other customers in the past and how you can improve your processes.
Test, test, test. Testing must be performed at least annually or when significant changes are made. Again, consult your provider and make sure they become part of your tests to the greatest extent possible.
What is the cloud jump kit?
The cloud jump kit is a collection of tools required to perform investigation of remote locations (such as cloud services). This is the set of “virtual tools for a virtual world,” if you will.
The jump kit will enable you to get information about activities in the cloud platform itself (metastructure) and activities from the systems you’re running in the cloud environment (applistructure). This can be performed in many ways, ranging from API calls for metastructure information to using free open source software (FOSS) and commercial off-the-shelf (COTS) software to perform actions such as accessing memory on a running server.
Regarding architecture and how it works with IR in the cloud:
*Know where your systems and data are stored. The CSA Guidance calls out “Application Stack Maps” as a means to factor in geographic differences in monitoring and data capture. An Application Stack Map essentially identifies all the components of an application (such as instances used, databases, and other services it interacts with).
*Know where your log files are stored. Do investigators have access to them?
*Know how you are isolating your workloads. Rather than dealing with an incident that scales from one system to hundreds, implementing a tight blast radius as part of your architecture can go a very long way in IR. This will reduce how far an incident can spread and make it easier to analyze and contain it.
*Leverage immutable workloads. You can get back up and running very quickly by moving workloads from a compromised instance to a known good instance. This will also allow for a greater detective capability with file integrity monitoring and configuration management because no changes should be made to running instances in an immutable model.
*Perform threat modelling and tabletop exercises to determine the most effective means of containment for different types of incidents on different components of the cloud stack.
What is the difference between the CCM and CAIQ?
For the exam, remember that the CCM states the control and the responsible party, whereas the CAIQ provides questions you can ask in plain language.
What is automated IR workflow?
You should be able to have automatic event-driven security in place that will kick off automated responses to incidents in the cloud environment. Did a security group change? Why wait for an engineer to get around to investigating it when you can automatically change it back to what it’s supposed to be?
Other data feeds the provider generally offers may be more focused on performance metrics.
How is that perceived?
Although not ideal from a security perspective, as “low and slow” attacks are crafted to be as quiet as possible (that is, not causing CPU spikes or abnormal amounts of network traffic that may cause an alert), these data feeds may still be useful in detecting a security incident.
What is an example of how managing the applistructure (when it is the responsibility of the consumer) is the same in a cloud environment as it is in a traditional data centre?
External threat intelligence remains applicable in a cloud environment, just as it is in a traditional data centre environment, to assist with identifying indicators of a compromise of a system and to gain information on adversaries.
If a provider doesn’t offer full logging of APIs (IaaS and PaaS are more likely to offer full logging than SaaS), how would you identify configuration changes?
The console may be a means to identify any environment or configuration changes. If the provider doesn’t appear to offer full logging of APIs, talk with them, because they may have internal log data that could be useful if a serious incident occurs.
Without logging, there is no detection. Without detection, there is no ability to respond. Make sure your logging has as much visibility into your environment as possible.