CH31 Incident Response and Forensics Flashcards
What are Incident Response Procedures?
A set of procedures that an investigator follows when examining a computer security incident.
These incident response procedures are part of your organization’s overall Incident Management Program – a program consisting of the monitoring and detection of security events on a computer network and the execution of proper responses to those security events.
What are the six basic steps of the Incident Response Procedures?
- Preparation – You need to be prepared before the incident occurs. Ensure that the organization has a well-planned incident response procedure.
- Identification – Process of recognizing whether an event that occurs should be classified as an incident.
- Containment – focused on isolating the incident.
- Eradication – Remove the threat or attack
- Recovery – Focused on data restoration, system repair, and re-enabling any servers or networks taken offline during the incident response.
- Lessons learned
For the exam: Know these six steps and know the right order. Ex: What is the third step of an incident response? You’ve just done X, Y, and Z action. Which step are you in? Rearrange the blocks to put them in order from one to six.
What is a CSIRT?
CSIRT = Computer Security Incident Response Team (aka the Incident Response Team).
Key people available to respond to any incident that meets the severity and priority thresholds set out by your incident response plan.
Your CSIRT should be the single point of contact for security incidents and may be part of the SOC or an independent team.
Who is the Incident Response Manager?
The team lead.
Oversees and prioritizes actions during the detection, analysis, and containment of an incident. Responsible for conveying information about the response and recovery efforts to the executives and management within your organization.
Who is the Security Analyst?
Assigned to work directly on the affected network and to play detective in order to determine what has happened up to this point.
Who is the Triage Analyst?
A security analyst who is assigned to work on the network during the incident response. The triage analyst helps filter out false positives by properly configuring intrusion detection and protection systems, and performs ongoing monitoring and analysis to detect any new or potential intrusions.
Who is the Forensic Analyst?
A security analyst who is more focused on the detective work, trying to piece together what has already occurred on the network.
Who is the Threat Researcher?
Provides threat intelligence and overall context during the incident response.
Who is Cross-Functional Support?
People from the management or executive team, someone from human resources, an attorney or lawyer, and technical experts.
What is Out-of-band communication?
Signals sent between two parties or two devices via a path or method different from that of the primary communication between those two parties or devices.
What are the sources of investigative data?
Security Information and Event Monitoring (SIEM)
Log files
Syslog / rsyslog / syslog-ng
journalctl
nxlog
netflow
sflow
Internet Protocol Flow Information Export (IPfix)
Metadata
For the exam: understand what sources are available to you and pick the right one based on a given scenario.
What is Security Information and Event Monitoring (SIEM)?
A combination of different data sources into one tool that provides real-time analysis of security alerts generated by applications and network hardware.
Great for incident response.
- Sensor – the actual endpoint that is being monitored. A sensor can feed its data up into the SIEM.
- Sensitivity – focused on how much or how little you are going to be logging.
- Trends – check the trends in our network to see any odd events happening.
- Alert – we can set up certain alerts that fire based on certain parameters.
- Correlation – provides us with a good picture across all the devices.
What are the different log files available for investigative data?
Network,
System,
Application,
Security,
web,
DNS,
Authentication,
Dump Files,
VoIP log files.
What are Syslog / rsyslog / syslog-ng for investigative data?
Three variations of syslog that permit the logging of data from different types of systems in a central repository.
What is journalctl for investigative data?
A Linux command-line utility used for querying and displaying logs from journald, the systemd logging service on Linux.
What is nxlog in regards to investigative data?
A multi-platform log management tool that helps to easily identify security risks and policy breaches, or analyze operational problems in server logs, operating system logs, and application logs.
nxlog is a cross-platform, open-source tool that is similar to rsyslog or syslog-ng. rsyslog and syslog-ng only work on Linux and Unix systems, but nxlog is cross-platform.
What is netflow in regards to investigative data?
A network protocol system created by Cisco that collects active IP network traffic as it flows in or out of an interface, including its point of origin, destination, volume, and paths on the network.
What is sflow in regards to investigative data?
“Sampled flow”. It provides a means for exporting truncated packets together with interface counters for the purpose of network monitoring.
What is Internet Protocol Flow Information Export (IPfix) in regards to investigative data?
A universal standard for exporting Internet Protocol flow information from routers, probes, and other devices. It is used by mediation systems, accounting/billing systems, and network management systems to facilitate services such as measurement, accounting, and billing by defining how IP flow information is to be formatted and transferred from an exporter to a collector. It is used as the back end of service management.
What is Metadata in regards to investigative data?
Data that describes other data by providing an underlying definition or description; it summarizes basic information about data, which makes finding and working with particular instances of data easier.
What are the 4 main areas of forensic procedures?
- Identification – Ensure the scene is safe, secure the scene to prevent evidence contamination, and identify the scope of evidence to be collected.
- Collection – Ensure authorization to collect evidence is obtained, and then document and prove the integrity of evidence as it is collected.
- Analysis – Create a copy of the evidence for analysis and use repeatable methods and tools during analysis.
- Reporting – Create a report of the methods and tools used in the investigation and present detailed findings and conclusions based on the analysis.
What is Legal Hold?
A process designed to preserve all relevant information when litigation is reasonably expected to occur. A computer or server could be seized as evidence.
What are some things to do as part of data collection and evidence collection effort?
- Capture and hash system images – use a tool like FTK Imager to make an exact copy of that server’s hard drive.
- Analyze data with forensic tools like FTK (the Forensic Toolkit) or EnCase.
- Capture Screenshots
- Review network traffic and logs
- Capture Video
- Consider Order of Volatility
- Take statements
- Review licensing and documentation
- Track man-hours and expenses
FTK and EnCase are popular forensic tools.
What is Data Acquisition?
The method and tools used to create a forensically sound copy of data from a source device, such as system memory or a hard disk. Bring your own device (BYOD) policies complicate data acquisition, since you may not be able to legally search or seize the device.