Chapter 14 - Monitoring and Incident Response Flashcards
Incident
An Incident is a violation, or an imminent threat of violation, of the organization's security policies, acceptable use policies, or standard security practices.
Event
An Event is any observable occurrence in a system or network. There are many events, and only a few of them turn out to be incidents.
What are the six steps of the incident response cycle?
- Preparation
- Detection
- Containment
- Eradication
- Recovery
- Lessons Learned
Tabletop Exercise
Tabletop Exercises are used to talk through processes. Team members are given a scenario and are asked how they would respond, what issues might arise, and what they would need in order to accomplish the tasks assigned to them in the incident response (IR) plan.
Simulation
Simulation exercises will simulate incidents and test responders on individual functions or elements of the incident response plan. They can also be done at full scale, involving the entire organization in the exercise.
Account Lockout (IoC)
Account Lockout is often caused by brute-force login attempts, or by an attacker trying guessed or stolen passwords that are no longer valid. A burst of lockouts across many accounts at the same time is a much stronger indicator than a single user locking themselves out.
Concurrent Session Usage (IoC)
Concurrent Session Usage is when a user is connected from more than one system or device at once, specifically when the second device is in an unexpected or uncommon location.
Resource Consumption (IoC)
Resource Consumption, like filling up a disk or using more bandwidth than usual for uploads or downloads, can be an indicator of compromise.
Out-of-Cycle Logging (IoC)
Out-of-Cycle Logging occurs when an event that normally happens at a set time or on a regular schedule is logged at an unusual time. This might be a worker logging in at 2 AM or a cleanup process running outside its scheduled window.
Missing Logs (IoC)
Missing Logs may indicate that an attacker has wiped the logs to hide their actions. This is one reason that many organizations centralize their log collection, forwarding logs in near real time to a protected system: a gap in the forwarded stream is then itself visible, even if the local copy is gone.
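The five indicators above can all be checked mechanically once logs are parsed. The following is an added example (not code from the flashcards or any vendor tool) that runs four simple detections over a constructed auth/cron log: repeated failures that would trigger a lockout, the same user accepted from two different addresses within a short window, a successful login outside working hours, and a periodic log source that goes silent. The log lines, host names, addresses, thresholds and working hours are all assumptions chosen for the example; the ATT&CK technique IDs attached to each finding (T1110 Brute Force, T1078 Valid Accounts, T1070 Indicator Removal) are real.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not captured from any real system).
SAMPLE_LOG = """\
2024-03-04 02:05:00 host1 sshd: Accepted password for carol from 10.0.0.8
2024-03-04 09:12:01 host1 sshd: Failed password for alice from 203.0.113.9
2024-03-04 09:12:03 host1 sshd: Failed password for alice from 203.0.113.9
2024-03-04 09:12:05 host1 sshd: Failed password for alice from 203.0.113.9
2024-03-04 09:12:07 host1 sshd: Failed password for alice from 203.0.113.9
2024-03-04 09:12:09 host1 sshd: Failed password for alice from 203.0.113.9
2024-03-04 09:30:00 host1 sshd: Accepted password for bob from 10.0.0.5
2024-03-04 09:31:00 host1 sshd: Accepted password for bob from 198.51.100.77
2024-03-04 10:00:00 host1 cron: heartbeat
2024-03-04 10:05:00 host1 cron: heartbeat
2024-03-04 10:25:00 host1 cron: heartbeat
"""

LINE_RE = re.compile(r"^(\S+ \S+) (\S+) (\S+): (.*)$")
AUTH_RE = re.compile(r"^(Accepted|Failed) password for (\S+) from (\S+)$")


def parse(text):
    """Turn each line into a dict; lines that do not match the format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, host, source, msg = m.groups()
        ev = {"ts": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
              "host": host, "source": source, "msg": msg}
        a = AUTH_RE.match(msg)
        if a:
            ev["result"], ev["user"], ev["src"] = a.groups()
        events.append(ev)
    return events


def brute_force(events, threshold=5, window=timedelta(minutes=5)):
    """Account lockout / brute force: `threshold` failures for one (user, source) inside `window`.
    Fires once, when the threshold is crossed, rather than on every further failure."""
    findings, fails = [], defaultdict(list)
    for ev in events:
        if ev.get("result") != "Failed":
            continue
        key = (ev["user"], ev["src"])
        fails[key] = [t for t in fails[key] if ev["ts"] - t <= window] + [ev["ts"]]
        if len(fails[key]) == threshold:
            findings.append({"ioc": "account_lockout", "attack": "T1110",
                             "detail": f"{ev['user']} from {ev['src']}"})
    return findings


def concurrent_sessions(events, window=timedelta(minutes=10)):
    """Same user accepted from two different source addresses within `window`."""
    findings, seen = [], defaultdict(list)
    for ev in events:
        if ev.get("result") != "Accepted":
            continue
        recent = [(t, s) for t, s in seen[ev["user"]] if ev["ts"] - t <= window]
        for _, src in recent:
            if src != ev["src"]:
                findings.append({"ioc": "concurrent_session", "attack": "T1078",
                                 "detail": f"{ev['user']} from {src} and {ev['src']}"})
                break
        seen[ev["user"]] = recent + [(ev["ts"], ev["src"])]
    return findings


def out_of_cycle(events, start_hour=7, end_hour=19):
    """Successful logins outside the assumed working hours (07:00-19:00)."""
    return [{"ioc": "out_of_cycle", "attack": "T1078",
             "detail": f"{ev['user']} at {ev['ts']:%H:%M}"}
            for ev in events
            if ev.get("result") == "Accepted" and not start_hour <= ev["ts"].hour < end_hour]


def missing_logs(events, source="cron", expected=timedelta(minutes=5)):
    """A source that normally logs every `expected` interval but stays silent for more than twice that."""
    stamps = [ev["ts"] for ev in events if ev["source"] == source]
    return [{"ioc": "missing_logs", "attack": "T1070",
             "detail": f"{source} silent {a:%H:%M}-{b:%H:%M}"}
            for a, b in zip(stamps, stamps[1:]) if b - a > 2 * expected]


def analyze(text):
    events = parse(text)
    return (brute_force(events) + concurrent_sessions(events)
            + out_of_cycle(events) + missing_logs(events))


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"{f['ioc']:20} {f['attack']:8} {f['detail']}")
```

Run against the sample it reports one finding of each kind. The thresholds and windows are the knobs that alert tuning later adjusts; note that `brute_force` keys on (user, source) so a slow, distributed attack spread across many addresses would need a second detection keyed on user alone.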
MITRE’s ATT&CK (Adversarial Tactics, Techniques, and Common Knowledge)
The ATT&CK knowledge base matrices include detailed descriptions, definitions, and examples covering the complete threat life cycle, from reconnaissance through initial access, execution, persistence, privilege escalation, and on to impact. Entries are organized into tactics (the adversary's goal) and techniques (how that goal is achieved), each with a stable identifier such as T1110 (Brute Force), which lets detections and incident reports refer to the same behavior consistently.
System Monitoring
System Monitoring is typically done via system logs as well as through central management tools, including those found in cloud services.
Application Monitoring
Application Monitoring may involve application logs, application management interfaces, and performance monitoring tools. This can vary significantly based on what the application provides.
Infrastructure Monitoring
Infrastructure Monitoring includes monitoring SNMP traps and syslog messages generated by infrastructure devices such as routers, switches, and firewalls.
Security Information and Event Management (SIEM)
SIEM devices and software have broad security capabilities, which are typically based on the ability to collect and aggregate log data from a variety of sources and then to perform correlation and analysis activities with that data.
Alert Tuning
Alert Tuning is the process of modifying alerts so that they only fire on important events. It often involves setting thresholds, removing noise by identifying false alarms and normal behaviors, and checking that the tuning is not so broad that it also silences actual issues and malicious activity.
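The last clause is the part that goes wrong in practice: a suppression written as "ignore port-scan alerts" to silence an authorized scanner also hides a real attacker's scan. The following added example (not from the flashcards or any SIEM product) applies a tuning configuration to a constructed batch of alerts and then replays a set of known-malicious "canary" alerts through the same configuration, so an overly broad suppression is caught before it reaches production. The alert fields, addresses, rule names and the idea of canary alerts are assumptions for the example.

```python
from dataclasses import dataclass, field

# Constructed alerts as a SIEM might emit them before tuning (not real data).
ALERTS = [
    {"id": 1, "rule": "port_scan", "src": "10.0.0.50", "dst": "10.0.0.21"},           # authorized scanner
    {"id": 2, "rule": "port_scan", "src": "203.0.113.9", "dst": "10.0.0.21"},         # unknown external host
    {"id": 3, "rule": "failed_login", "user": "alice", "src": "10.0.0.5", "count": 2},   # typo-level noise
    {"id": 4, "rule": "failed_login", "user": "alice", "src": "203.0.113.9", "count": 40},
    {"id": 5, "rule": "large_transfer", "src": "10.0.0.9", "dst": "10.0.0.200", "bytes": 50_000_000_000},  # nightly backup
    {"id": 6, "rule": "large_transfer", "src": "10.0.0.5", "dst": "198.51.100.77", "bytes": 8_000_000_000},
]


@dataclass
class Suppression:
    rule: str
    match: dict        # every listed field must equal the alert's value; {} means "all alerts of this rule"
    reason: str        # tuning decisions should be documented, not just applied


@dataclass
class Tuning:
    thresholds: dict = field(default_factory=dict)    # rule -> minimum count before alerting
    suppressions: list = field(default_factory=list)


def matches(supp, alert):
    return alert["rule"] == supp.rule and all(alert.get(k) == v for k, v in supp.match.items())


def apply_tuning(alerts, tuning):
    """Return (kept, dropped); each dropped entry carries the reason it was dropped."""
    kept, dropped = [], []
    for a in alerts:
        if a.get("count", 1) < tuning.thresholds.get(a["rule"], 1):
            dropped.append((a, "below threshold"))
            continue
        supp = next((s for s in tuning.suppressions if matches(s, a)), None)
        if supp:
            dropped.append((a, supp.reason))
            continue
        kept.append(a)
    return kept, dropped


def validate_tuning(tuning, canaries):
    """Replay known-malicious alerts through the tuning; any that vanish show it is too broad."""
    kept, _ = apply_tuning(canaries, tuning)
    return [c for c in canaries if c not in kept]


# Scoped suppressions: each names the specific source (and destination) it excuses.
GOOD = Tuning(thresholds={"failed_login": 5}, suppressions=[
    Suppression("port_scan", {"src": "10.0.0.50"}, "authorized vulnerability scanner"),
    Suppression("large_transfer", {"src": "10.0.0.9", "dst": "10.0.0.200"}, "nightly backup job"),
])

# Overly broad: the empty match silences every port_scan alert, whoever the source is.
BROAD = Tuning(thresholds={"failed_login": 5}, suppressions=[
    Suppression("port_scan", {}, "too much scan noise"),
    Suppression("large_transfer", {"src": "10.0.0.9", "dst": "10.0.0.200"}, "nightly backup job"),
])

# Constructed alerts that must always survive tuning (real attacker behavior seen in past incidents).
CANARIES = [
    {"id": "c1", "rule": "port_scan", "src": "203.0.113.9", "dst": "10.0.0.21"},
    {"id": "c2", "rule": "failed_login", "user": "admin", "src": "203.0.113.9", "count": 40},
    {"id": "c3", "rule": "large_transfer", "src": "10.0.0.5", "dst": "198.51.100.77", "bytes": 8_000_000_000},
]


if __name__ == "__main__":
    kept, dropped = apply_tuning(ALERTS, GOOD)
    print("kept:", [a["id"] for a in kept])
    for a, why in dropped:
        print(f"dropped {a['id']}: {why}")
    print("GOOD loses canaries:", [c["id"] for c in validate_tuning(GOOD, CANARIES)])
    print("BROAD loses canaries:", [c["id"] for c in validate_tuning(BROAD, CANARIES)])
```

With the scoped configuration, alerts 1, 3 and 5 are dropped for documented reasons and 2, 4 and 6 remain; the broad configuration passes the same noise test but loses canary c1, which is exactly the check a tuning change should fail.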
Firewall Logs
Firewall Logs provide information about blocked and allowed traffic. More advanced firewalls such as NGFW or UTM devices can also log application-layer details, IDS/IPS detections, and events from the other security services they provide.
Application Logs
Application Logs for Windows include information like installer information for applications, errors generated by applications, license checks, and any other logs that applications generate and send to the application log. Web servers and other devices also generate logs like those from Apache and Internet Information Services (IIS), which track requests to the web server and related events.
OS-Specific Security Logs
OS-Specific Security Logs for Windows systems (the Security event log) store information about successful and failed logons (Event IDs 4624 and 4625), account lockouts (Event ID 4740), and other authentication and audit information.
IDS/IPS Logs
IDS/IPS Logs provide insight into attack traffic that was detected or, in the case of IPS, blocked.
Network Logs
Network Logs can include logs for routers and switches with configuration changes, traffic information, network flows, and data captured by packet analyzers like Wireshark.
Syslog
Syslog is the standard logging protocol and service used by Linux and Unix systems and by most network devices. Clients send messages, traditionally over UDP port 514 and increasingly over TCP or TLS for reliable and encrypted delivery, to collectors that store, correlate, and forward the logs.
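A collector's first job is decoding the message header, in particular the `<PRI>` prefix, which packs facility and severity into one number (PRI = facility * 8 + severity). The parser below is an added example, not the flashcards' material or any syslog daemon's code. It handles the older BSD-style format (RFC 3164) and the current RFC 5424 format with a single structured-data element, and offers a severity filter of the kind a collector uses to decide what to alert on. The first sample line is RFC 3164's own example message; the other three are constructed, as are the host names, addresses, and the assumed year supplied for RFC 3164 timestamps (which carry none).

```python
import re
from datetime import datetime

FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
              "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7"]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# Sample lines: the first is the example message from RFC 3164, the rest are constructed.
SAMPLE_LINES = [
    "<34>Oct 11 22:14:15 mymachine su: 'su root' failed for lonvick on /dev/pts/8",
    "<13>Mar  4 09:12:01 host1 sshd[2201]: Failed password for alice from 203.0.113.9 port 4242 ssh2",
    "<165>1 2024-03-04T09:12:03Z host1 sshd 2201 - - Accepted password for bob from 10.0.0.5",
    "<190>1 2024-03-04T09:12:04Z fw1 filterlog - - - block in on em0: 203.0.113.9 -> 10.0.0.5 tcp/22",
]

# BSD style (RFC 3164): <PRI>Mmm dd hh:mm:ss HOST TAG[PID]: MSG
RFC3164_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<app>[^:\[ ]+)(?:\[(?P<pid>\d+)\])?: ?(?P<msg>.*)$")
# RFC 5424: <PRI>1 TIMESTAMP HOST APP PROCID MSGID SD MSG  (one SD element or "-")
RFC5424_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>1 (?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) (?P<pid>\S+) "
    r"(?P<msgid>\S+) (?P<sd>-|\[[^\]]*\])(?: (?P<msg>.*))?$")


def decode_pri(pri):
    """PRI = facility * 8 + severity; facilities 0-23 and severities 0-7 give 0..191."""
    if not 0 <= pri <= 191:
        raise ValueError(f"PRI out of range: {pri}")
    return FACILITIES[pri >> 3], SEVERITIES[pri & 7]


def parse_syslog(line, year=2024):
    """Parse one message in either format. `year` is an assumption the caller supplies,
    because RFC 3164 timestamps have no year field."""
    m = RFC5424_RE.match(line)
    if m:
        version = 1
        when = None if m["ts"] == "-" else datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
    else:
        m = RFC3164_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised syslog line: {line!r}")
        version = 0
        # collapse the double space in day-of-month (e.g. "Mar  4") before parsing
        when = datetime.strptime(f"{year} {' '.join(m['ts'].split())}", "%Y %b %d %H:%M:%S")
    facility, severity = decode_pri(int(m["pri"]))
    return {"version": version, "facility": facility, "severity": severity, "time": when,
            "host": m["host"], "app": m["app"],
            "pid": None if m["pid"] in (None, "-") else m["pid"],
            "msg": m["msg"] or ""}


def at_least(records, level="err"):
    """Keep records at the given severity or worse (lower severity number = more severe)."""
    cut = SEVERITIES.index(level)
    return [r for r in records if SEVERITIES.index(r["severity"]) <= cut]


if __name__ == "__main__":
    for rec in (parse_syslog(line) for line in SAMPLE_LINES):
        print(f"v{rec['version']} {rec['facility']:8} {rec['severity']:8} {rec['host']:10} "
              f"{rec['app']}{'[' + rec['pid'] + ']' if rec['pid'] else ''}: {rec['msg']}")
```

Two points the parser makes concrete: severity alone is a poor alerting key (the `<13>` failed-password line is only "notice", while the `su` failure is "crit"), and RFC 3164 messages are ambiguous about the year, so a collector that ingests them around New Year must handle the rollover itself.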
Metadata
Metadata is data about other data – in the case of systems and services, Metadata is created as part of files, embedded in documents, used to define structured data, and included in transactions and network communications.
Reporting
Reporting on log information is part of the overall log management process, including identifying trends and providing visibility into changes in the logs that may indicate issues or require management oversight.
Archiving
Archiving involves moving logs to a long term storage area when they must be retained but are not in active use. Organizations often pick a time frame like 30, 60, 90, or 180 days for log retention before archiving or deletion.
Security Orchestration, Automation, and Response (SOAR)
SOAR platforms integrate an organization's security tools so that analysts can quickly assess the attack surface, the state of systems, and where issues may exist. They also allow playbook-driven automation of response, remediation, and restoration workflows.
Root Cause Analysis (RCA)
Root Cause Analysis can be performed once issues have been mitigated and the organization is on the path to recovery. This process focuses on identifying the underlying cause for an issue or compromise, identifying how to fix the problems that allowed the event or incident to occur, and ensuring that any systemic issues that led to the problem are also addressed.