9. INCIDENT RESPONSE - DONE Flashcards

1
Q

There are four phases of the IR lifecycle:

A

preparation; detection and analysis; containment, eradication, and recovery; and post-incident activity.

2
Q

Describe the preparation phase

A

In the preparation phase, a company establishes its computer security IR capability and creates a computer security incident response team (CSIRT) so that the company is properly equipped and ready to respond to incidents.

The following are the required elements listed in the CSA Guidance for this phase:
*Process to handle the incidents
*Handler communications and facilities
*Incident analysis of hardware and software
*Internal documentation (port lists, asset lists, network diagrams, current baselines of network traffic)
*Training identification
*Evaluation of infrastructure by proactive scanning and network monitoring, vulnerability assessments, and performing risk assessments
*Subscription to third-party threat intelligence services

Know your assets and your weaknesses and have knowledgeable people both internally (CSIRT) and externally (third-party threat intelligence services), and you will be well prepared.

3
Q

Describe the detection and analysis phase

A

This phase is all about the telemetry (logging, monitoring, metrics, alerts, and other messages) you get from systems and other IT components. As you just learned, there’s a difference between ITIL (an organization that focuses on continuous improvement of IT service management) incident response and computer security incident response. Here’s an area that highlights the different approaches. Simply looking at CPU usage and other generic telemetry is insufficient to detect attacks. The CSIRT needs security-specific detection and analysis tools.

“The following tasks are recommended as part of the CSA Guidance:
*Form a system of alerts, including endpoint protection, network security monitoring, host monitoring, account creation, privilege escalation, other indicators of compromise, SIEM, security analytics (baseline and anomaly detection), and user behavior analytics.
*Validate alerts (reducing false positives) and escalation.
*Estimate the scope of an incident.
*Assign an incident manager who will coordinate further actions.
*Designate a person who will communicate the incident containment and recovery status to senior management.
*Build a timeline of the attack.
*Determine the extent of the potential data loss.
*Set up notification and coordination activities.”

4
Q

Describe the containment, eradication and recovery phase

A

First, you must contain the attack by taking systems offline. Consider data loss versus service availability. Ensure that systems don’t destroy themselves upon detection. Next, eradication and recovery involve cleaning up compromised devices and restoring systems to normal operation. Confirm that systems are functioning properly. Deploy controls to prevent similar incidents. Finally, document the incident and gather evidence (chain of custody).

5
Q

Describe the post-incident activity phase

A

These post-incident meetings are meant to help everyone learn about possible IR process improvements; unfortunately, they always seem to wind up being a blame game. Rather than casting blame, ask the following questions:
*What could have been done better?
*Could the attack have been detected sooner?
*What additional data would have been helpful to isolate the attack faster?
*Does the IR process need to change? If so, how?

6
Q

What are some key questions you should ask about your cloud provider’s IR support in the preparation phase?

A

*Who is responsible for IR and in which scenarios? In other words, how are responsibilities allocated between the CSP and its customers?
*What are the points of contact? If an incident occurs, does the CSP know who to contact, can your organization call someone at the CSP, do they offer e-mail support, or do they provide access to a discussion forum? Is a contact available 24×7 or just during business hours?
*How long does the CSP have to respond to you after an incident occurs? Is it ten minutes? Ten hours? Ten days?
*What are the CSP’s escalation procedures?
*Is out-of-band communication possible if networks are down?
*How do hand-offs work between the customer IR team and that of the provider?
*Does the customer have access to data and logs to support IR? Which data and logs are included?
*Are logs available in a format that your IR team can easily access using their own tools, or do you require access to the provider’s tools to access them?
*Under what circumstances does the CSP alert customers of an ongoing incident? What are their SLA requirements for such notification?
*Does the CSP have a dedicated IR team?

7
Q

What are a few suggestions to ensure that you and your CSP have solid opportunities for communication in the event of an incident?

A

*Make sure that you have an open access channel to engage with the provider, and also that the provider is able to contact you in the event of a problem.
*Avoid listing a particular employee as a main contact. What if the provider is trying to advise you of an incident, but the contact listed with the provider is no longer with your company? Make sure the contact’s e-mail address is monitored and that notifications are integrated into your IR processes.

8
Q
A

Testing is also vital to preparing for an incident. If possible, review and test your IR processes with your providers annually or when significant changes are made. Most providers want to have happy clients, and they would much rather work with you to make sure you’re ready for an incident than have an upset client on their hands. Your processes will have to change, and the provider may be able to make recommendations on what they have seen from other customers in the past and how you can improve your processes.

Test, test, test. Testing must be performed at least annually or when significant changes are made. Again, consult your provider and make sure they become part of your tests to the greatest extent possible.

9
Q

What is the cloud jump kit?

A

The cloud jump kit is a collection of tools required to perform investigation of remote locations (such as cloud services). This is the set of “virtual tools for a virtual world,” if you will.

The jump kit will enable you to get information about activities in the cloud platform itself (metastructure) and activities from the systems you’re running in the cloud environment (applistructure). This can be performed in many ways, ranging from API calls for metastructure information to using free open source software (FOSS) and commercial off-the-shelf (COTS) software to perform actions such as accessing memory on a running server.

10
Q

Regarding architecture and how it works with IR in the cloud:

A

*Know where your systems and data are stored. The CSA Guidance calls out “Application Stack Maps” as a means to factor in geographic differences in monitoring and data capture. An Application Stack Map essentially identifies all the components of an application (such as instances used, databases, and other services it interacts with).
*Know where your log files are stored. Do investigators have access to them?
*Know how you are isolating your workloads. Rather than dealing with an incident that scales from one system to hundreds, implementing a tight blast radius as part of your architecture can go a very long way in IR. This will reduce how far an incident can spread and make it easier to analyze and contain it.
*Leverage immutable workloads. You can get back up and running very quickly by moving workloads from a compromised instance to a known good instance. This will also allow for a greater detective capability with file integrity monitoring and configuration management because no changes should be made to running instances in an immutable model.
*Perform threat modelling and tabletop exercises to determine the most effective means of containment for different types of incidents on different components of the cloud stack.

11
Q

What is the difference between the CCM and CAIQ?

A

For the exam, remember that the CCM states the control and the responsible party, whereas the CAIQ provides questions you can ask in plain language.

12
Q

What is automated IR workflow?

A

You should be able to have automatic event-driven security in place that will kick off automated responses to incidents in the cloud environment. Did a security group change? Why wait for an engineer to get around to investigating it when you can automatically change it back to what it’s supposed to be?

13
Q

“Other data feeds the provider generally offers may be more focused on performance metrics.”
How is that perceived?

A

Although not ideal from a security perspective, because “low and slow” attacks that are crafted to be as quiet as possible (that is, not causing CPU spikes or abnormal amounts of network traffic that may cause an alert) will not show up in them, these data feeds may still be useful in detecting a security incident.

14
Q

What is an example of how managing the applistructure (when it is the responsibility of the consumer) is the same in a cloud environment as it is in a traditional data centre?

A

External threat intelligence remains applicable in a cloud environment, just as it is in a traditional data centre environment, to assist with identifying indicators of a compromise of a system and to gain information on adversaries.

15
Q

If a provider doesn’t offer full logging of APIs (IaaS and PaaS are more likely to offer full logging than SaaS), how would you identify configuration changes?

A

The console may be a means to identify any environment or configuration changes. If the provider doesn’t appear to offer full logging of APIs, talk with them, because they may have internal log data that could be useful if a serious incident occurs.

“Without logging, there is no detection. Without detection, there is no ability to respond. Make sure your logging has as much visibility into your environment as possible.”

16
Q

How are Windows and Linux logs collected?

A

“The best practice is to get system logs off of the instance as quickly as possible and into a centralized logging system. Your provider may have the means to collect operating system log data from individual instances, but you should determine whether an agent is required and whether you are willing and able to install the provider’s agents on your systems.”

17
Q

What is the limitation of network log collection?

A

“any network logs will likely be limited in comparison to what can be seen in a traditional data centre under your control. You may be able to obtain flow logs, but you won’t be able to do a full packet capture of all network traffic in the environment. This is a natural consequence of SDN and micro segmentation (aka hypersegregation).”

18
Q

How will you collect logs from PaaS and serverless applications?

A

When dealing with PaaS and serverless applications, you’re going to need to add custom application-level logging, because the platform that your application is running on belongs to the provider, and you won’t necessarily have access to any of the log data generated by systems under their control. The CSA Guidance refers to this as “instrumenting the technology stack.”

Use the automation capabilities of the cloud environment to your advantage. Implementing continuous and serverless monitoring may help you detect potential issues much more quickly than what is possible in a traditional data centre.

19
Q

How will you perform forensics in an IaaS cloud environment?

A

“You have an incredible opportunity to streamline forensics in an IaaS environment, from the metastructure through to the applistructure, but you have to architect for it. You will want to leverage imaging and snapshots to take advantage of bit-level copies of data accessible for forensics activities at the applistructure layer. You can architect an isolated blast zone for forensics activities and copy images and snapshots to this environment, where they will be fully isolated.”

20
Q

How will you perform forensics in a cloud environment from an applistructure perspective?

A

From the applistructure perspective, you likely have access to tools today that enable you to perform some forensic activities in your existing environment. It all boils down to collecting data from a remote machine, and you can do this with virtual machines in either a cloud-based or a traditional data centre.

21
Q

How will you perform forensics in a cloud environment from a metastructure perspective?

A

The main thing to keep in mind, for both real life and the exam, is that your forensic activities need to support appropriate chain-of-custody requirements, and this applies to all forensic activities by the customer and the provider. Accordingly, it’s important that you work with your legal team to ensure that this critical component of forensics is being properly addressed.

22
Q

“Following are some recommended automated actions from the CSA Guidance that can support investigations in a cloud environment:”

A

*Snapshot the storage of the virtual machine.
*Capture any metadata at the time of the alert, so the analysis can happen based on what the infrastructure looked like at the time of the incident.
*If supported by the provider, “pausing” an instance will save the volatile memory.
Other capabilities of the cloud platform that may be leveraged to determine the extent of a potential compromise include the following:
*Analyze network flows to check whether isolation held up. API calls may be available to snapshot the network and virtual firewall ruleset, which could give you an accurate picture of the entire stack at the time of the incident.
*Examine configuration data to check whether other similar instances were potentially exposed in the same attack.
*Review data access logs (for cloud-based storage, if available) and management plane logs to see if the incident affected or crossed into the cloud platform.
*Remember that serverless and PaaS-based architectures will require additional correlation across the cloud platform and any self-generated application logs.

Of course, most of this capability is exclusively that of IaaS. For PaaS and SaaS service models, you will be much more reliant on your provider to perform many of the activities associated with response, because these models will likely be more restrictive in the IR capabilities exposed to customers.

23
Q

What is your first action during the containment, eradication, and recovery phase?

A

Your first action when responding to an incident is ensuring that the attacker is no longer in the cloud management plane to begin with. To ensure that you have complete visibility, this requires accessing the management plane with the master (root) credentials. (Remember that this account is locked away and only to be used in the case of an emergency. This is the time to use it!) Using the master account may unmask activities that are hidden from view when you’re using a limited-privilege administrator account.

Items such as software-defined infrastructure, auto-scaling groups, and automated API calls to change virtual network or machine configurations can all be leveraged to enhance your recovery times. Again, though, these can be performed only once you are certain the attacker no longer has access to the management plane.

24
Q

How can virtual firewalls be leveraged during the containment, eradication, and recovery phase?

A

Through the use of virtual firewalls, there’s no longer a need to remove an instance from the network prior to performing an investigation. An instance can be locked down very quickly by changing the virtual firewall ruleset to allow access only from an investigator’s system. By using this approach, nothing changes at the applistructure layer, and the chain of custody remains valid as a result. This isolation technique should be leveraged whenever possible. Isolate the system using virtual firewall changes, build a fresh replacement from a trusted image, and then kick off your investigation of the compromised machine.

25
Q

From a post-incident perspective, what may happen in a cloud environment?

A

This is where you might realize that your IR team didn’t quite have the knowledge of a cloud environment that both your leadership and the team itself thought they had. This will most likely include data collection sources and methods.
From a governance perspective, you may need to re-evaluate SLAs, actual response times, data availability, and other items that were found to be suboptimal. It may be hard to change an SLA with a provider, but this is a great time to come to them with experience under your belt and try to renegotiate.

26
Q

What is a resume-generating event?

A

If you have an incident in a cloud environment and you realize only at that time that you are lacking virtual tools and knowledge of them, this is most likely a resume-generating event.

27
Q

According to the CSA Guidance, what are the most important aspects of incident response for cloud-based resources, and when must they be addressed?

A

The CSA Guidance states that “SLAs and setting expectations around what the customer does versus what the provider does are the most important aspects of incident response for cloud-based resources.” You need to do these things before you can work on the tools and training of individuals.

28
Q

Which area of incident response is most impacted by the automation of activities?

A

The correct answer is containment, eradication, and recovery. Although tools supplied by the cloud provider can greatly enhance detection as well, the tools available to you in a cloud environment have the most impact on containment, eradication, and recovery efforts.

29
Q

What is the purpose of an “Application Stack Map”?

A

The best answer is that an Application Stack Map can be implemented to understand where data is going to reside. On top of knowing where your data can reside, it will help address geographic differences in monitoring and data capture.