CH31 Incident Response and Forensics Flashcards
What are Incident Response Procedures?
A set of procedures that an investigator follows when examining a computer security incident.
These incident response procedures are part of your organization’s overall Incident Management Program, a program consisting of the monitoring and detection of security events on a computer network and the execution of proper responses to those events.
What are the six basic steps of the Incident Response Procedures?
- Preparation – You need to be prepared before the incident occurs. Ensure that the organization has a well-planned incident response procedure.
- Identification – Process of recognizing whether an event that occurs should be classified as an incident.
- Containment – Focused on isolating the incident.
- Eradication – Remove the threat or attack.
- Recovery – Focused on data restoration, system repair, and re-enabling any servers or networks taken offline during the incident response.
- Lessons learned
For the exam: know these six steps and know the right order. Example questions: What is the third step of an incident response? You’ve just done X, Y, and Z; which step are you in? Rearrange the blocks to put them in order from one to six.
What is a CSIRT?
CSIRT = Computer Security Incident Response Team (aka the Incident Response Team).
The key people available to respond to any incident that meets the severity and priority thresholds set out by your incident response plan.
Your CSIRT should be the single point of contact for security incidents and may be a part of the SOC or an independent team.
Who is the Incident Response Manager?
The team lead.
Oversees and prioritizes actions during the detection, analysis, and containment of an incident. Responsible for conveying information about the response and recovery efforts to the executives and management within your organization.
Who is the Security Analyst?
Assigned to work directly on the affected network and to play detective in order to determine what has happened up to this point.
Who is the Triage Analyst?
A security analyst who is assigned to work on the network during the incident response. They help filter out false positives by properly configuring intrusion detection and prevention systems, and perform ongoing monitoring and analysis to detect any new or potential intrusions.
Who is the Forensic Analyst?
A security analyst who is more focused on the detective work, trying to piece together what has already occurred on the network.
Who is the Threat Researcher?
Provides threat intelligence and overall context during the incident response.
What is Cross-functional Support?
People from the management or executive team, someone from human resources, an attorney or lawyer, and technical experts.
What is Out-of-band communication?
Signals sent between two parties or two devices via a path or method different from that of the primary communication channel between those parties or devices.
What are the sources of investigative data?
Security Information and Event Monitoring (SIEM)
Log File
Syslog / rsyslog / syslog-ng
journalctl
nxlog
netflow
sflow
Internet Protocol Flow Information Export (IPFIX)
Metadata
For the exam: understand what sources are available to you and pick the right one based on a given scenario.
What is Security Information and Event Monitoring (SIEM)?
Security Information and Event Monitoring (SIEM) – a combination of different data sources into one tool that provides real-time analysis of security alerts generated by applications and network hardware.
Great for incident response.
- Sensor – The actual endpoint that is being monitored; the sensor feeds its data up into the SIEM.
- Sensitivity – Focused on how much or how little you are going to be logging.
- Trends – Check the trends in the network to spot any odd events happening.
- Alert – Alerts can be set up to fire based on certain parameters.
- Correlation – Provides a good picture across all the devices.
What are the different log files available for investigative data?
Network,
System,
Application,
Security,
Web,
DNS,
Authentication,
Dump Files,
VoIP log files.
What are Syslog / rsyslog / syslog-ng for investigative data?
These are three variations of syslog that permit the logging of data from different types of systems in a central repository.
What is journalctl for investigative data?
a Linux command-line utility used for querying and displaying logs from journald, the systemd logging service on Linux.
What is nxlog in regards to investigative data?
A multi-platform log management tool that helps to easily identify security risks and policy breaches, or analyze operational problems, in server logs, operating system logs, and application logs.
nxlog is a cross-platform, open-source tool that is similar to rsyslog or syslog-ng. rsyslog and syslog-ng only work on Linux and Unix systems, but nxlog is cross-platform.
What is netflow in regards to investigative data?
netflow – a network protocol system created by Cisco that collects active IP network traffic as it flows in or out of an interface, including its point of origin, destination, volume, and paths on the network.
What is sflow in regards to investigative data?
Short for “sampled flow”. It provides a means for exporting truncated packets together with interface counters for the purpose of network monitoring.
What is Internet Protocol Flow Information Export (IPFIX) in regards to investigative data?
A universal standard for exporting Internet Protocol flow information from routers, probes, and other devices. It defines how IP flow information is to be formatted and transferred from an exporter to a collector, and is used by mediation systems, accounting/billing systems, and network management systems to facilitate services such as measurement, accounting, and billing. It is used on the back end of service management.
What is Metadata in regards to investigative data?
Data that describes other data: it provides an underlying definition or description and summarizes basic information about the data, which makes finding and working with particular instances of that data easier.
What are the 4 main areas of forensic procedures?
- Identification – Ensure the scene is safe, secure the scene to prevent evidence contamination, and identify the scope of evidence to be collected.
- Collection – Ensure authorization to collect evidence is obtained, and then document and prove the integrity of evidence as it is collected.
- Analysis – Create a copy of the evidence for analysis and use repeatable methods and tools during analysis.
- Reporting – Create a report of the methods and tools used in the investigation and present detailed findings and conclusions based on the analysis.
What is Legal Hold?
A process designed to preserve all relevant information when litigation is reasonably expected to occur. A computer or server could be seized as evidence.
What are some things to do as part of data collection and evidence collection effort?
- Capture and hash system images – use a tool like FTK Imager to make an exact copy of that server’s hard drive.
- Analyze data with forensic tools like FTK, the Forensic Toolkit, or EnCase.
- Capture Screenshots
- Review network traffic and logs
- Capture Video
- Consider Order of Volatility
- Take statements
- Review licensing and documentation
- Track man-hours and expenses
FTK and EnCase are popular forensic tools.
What is Data Acquisition?
The method and tools used to create a forensically sound copy of data from a source device, such as system memory or a hard disk. Bring your own device (BYOD) policies complicate data acquisition, since you may not be able to legally search or seize the device.
What is the order of volatility when collecting evidence?
Analysts should always follow the order of volatility when collecting evidence: short-lived, highly volatile items come first.
1. CPU registers and cache memory
2. Contents of system memory (RAM), routing tables, ARP cache, process table, temporary swap files
3. Data on persistent mass storage (HDD/SSD/flash drive)
4. Remote logging and monitoring data
5. Physical configuration and network topology
6. Archival media (backup tapes, offsite storage)
What is tracert/traceroute used for?
A network diagnostic command for displaying possible routes and measuring transit delays of packets across an Internet Protocol network.
What is nslookup/dig used for?
Utilities used to determine the IP address associated with a domain name, obtain the mail server settings for a domain, and look up other DNS information.
What is ipconfig / ifconfig used for?
A utility that displays all the network configuration of the currently connected network devices and can modify the DHCP and DNS settings.
What is nmap used for?
An open-source network scanner that is used to discover hosts and services on a computer network by sending packets and analyzing their responses.
Be able to look at the output from nmap, read it, and pick out the open and closed ports, or some basic vulnerabilities, based on those nmap scans.
What is ping/pathping used for?
A utility used to determine if a host is reachable on an Internet Protocol network.
What is hping used for?
An open-source packet generator and analyzer for the TCP/IP protocol that is used for security auditing and testing of firewalls and networks.
What is netstat used for?
A utility that displays network connections for Transmission Control Protocol, routing tables, and a number of network interface and network protocol statistics.
What is netcat used for?
A utility for reading from and writing to network connections using TCP or UDP; it is a dependable back end that can be used directly or easily driven by other programs and scripts.
You can use netcat for banner grabbing (a technique used to gain information about a computer system on a network and the services running on its open ports).
You can use netcat to connect to a web server; you’ll get a text-based response back and be able to read the code that the web server is sending back to you.
You can use netcat to open a shell connection and remotely control a machine.
What is arp used for?
A utility for viewing and modifying the local Address Resolution Protocol (ARP) cache on a given host or server (the mapping between IP addresses and MAC addresses).
What is route used for?
A utility that is used to view and manipulate the IP routing table on a host or server.
What is curl used for?
A command-line tool to transfer data to or from a server using any of the supported protocols (HTTP, FTP, IMAP, POP3, SCP, SFTP, SMTP, TFTP, TELNET, LDAP, or FILE).
What is theHarvester used for?
A Python script that is used to gather emails, subdomains, hosts, employee names, open ports, and banners from different public sources like search engines, PGP key servers, and the SHODAN database.
What is sn1per used for?
An automated scanner that can be used during a penetration test to enumerate and scan for vulnerabilities across a network.
What is scanless used for?
A utility that is used to create an exploitation website that can perform open port scans in a stealthier manner.
What is dnsenum used for?
A utility that is used for DNS enumeration to locate all DNS servers and DNS entries for a given organization.
What is Nessus used for?
A proprietary vulnerability scanner that can remotely scan a computer or network for vulnerabilities.