Chapter 14 - Monitoring and Incident Response

Question 1

Incident

Answer 1

An Incident is a violation of the organization’s policies and procedures or security practices.

Question 2

Event

Answer 2

An Event is an observable occurrence, meaning that there are many events, few of which are likely to be incidents.

Question 3

What are the six steps of the incident response cycle?

Answer 3

1. Preparation
2. Detection
3. Containment
4. Eradication
5. Recovery
6. Lessons Learned

Question 4

Tabletop Exercise

Answer 4

Tabletop Exercises are used to talk through processes. Team members are given a scenario and are asked questions about how they would respond, what issues might arise, and what they would need to do to accomplish the tasks they are assigned in the (Incident Response) IR plan.

Question 5

Simulation

Answer 5

Simulation exercises will simulate incidents and test responders on individual functions or elements of the incident response plan. They can also be done at full scale, involving the entire organization in the exercise.

Question 6

Account Lockout (IoC)

Answer 6

Account Lockout is often due to brute-force login attempts or incorrect passwords used by an attacker.

Question 7

Concurrent Session Usage (IoC)

Answer 7

Concurrent Session Usage is when a user is connected from more than one system or device at once, specifically when the second device is in an unexpected or uncommon location.

Question 8

Resource Consumption (IoC)

Answer 8

Resource Consumption, like filling up a disk or using more bandwidth than usual for uploads or downloads, can be an indicator of compromise.

Question 9

Out-of-Cycle Logging (IoC)

Answer 9

Out-of-Cycle Logging occurs when an event that happens at the same time or on a set cycle occurs at an unusual time. This might be a worker logging in at 2AM or a cleanup process being activated at an unusual time.

Question 10

Missing Logs (IoC)

Answer 10

Missing Logs may indicate that an attacker has wiped the logs to attempt to hide their actions. This is one reason that many organizations centralize their log collection on a protected system.

Question 11

MITRE’s ATT&CK (Adversarial Tactics, Techniques, and Common Knowledge)

Answer 11

The ATT&CK knowledgebase matrices include detailed descriptions, definitions, and examples for the complete threat life cycle from reconnaissance through execution, persistence, privilege escalation, and impact.

Question 12

System Monitoring

Answer 12

System Monitoring is typically done via system logs as well as through central management tools, including those found in cloud services.

Question 13

Application Monitoring

Answer 13

Application Monitoring may involve application logs, application management interfaces, and performance monitoring tools. This can vary significantly based on what the application provides.

Question 14

Infrastructure Monitoring

Answer 14

Infrastructure Monitoring includes monitoring SNMP and syslog entries created by infrastructure devices.

Question 15

Security Information and Event Management (SIEM)

Answer 15

SIEM devices and software have broad security capabilities, which are typically based on the ability to collect and aggregate log data from a variety of sources and then to perform correlation and analysis activities with that data.

Question 16

Alert Tuning

Answer 16

Alert Tuning is the process of modifying alerts to only alarm on important events. Alert Tuning often involves setting thresholds, removing noise by identifying false alarms and normal behaviors, and ensuring that tuning is not overly broad so that it ignores actual issues and malicious activity.

Question 17

Firewall Logs

Answer 17

Firewall Logs, which can provide information about blocked and allowed traffic, and with more advanced firewalls like NGFW or UTM, devices can also provide application-layer details or IDS/IPS functionality along with other security service-related log information.

Question 18

Application Logs

Answer 18

Application Logs for Windows include information like installer information for applications, errors generated by applications, license checks, and any other logs that applications generate and send to the application log. Web servers and other devices also generate logs like those from Apache and Internet Information Services (IIS), which track requests to the web server and related events.

Question 19

OS-Specific Security Logs

Answer 19

OS-Specific Security Logs for Windows systems store information about failed and successful logins, as well as other authentication log information.

Question 20

IDS/IPS Logs

Answer 20

IDS/IPS Logs provide insight into attack traffic that was detected or, in the case of IPS, blocked.

Question 21

Network Logs

Answer 21

Network Logs can include logs for routers and switches with configuration changes, traffic information, network flows, and data captured by packet analyzers like Wireshark.

Question 22

Syslog

Answer 22

Syslog, the Linux logging service, works with clients sending messages to servers that collect and store the logs.

Question 23

Metadata

Answer 23

Metadata is data about other data – in the case of systems and services, Metadata is created as part of files, embedded in documents, used to define structured data, and included in transactions and network communications.

Question 24

Reporting

Answer 24

Reporting on log information is part of the overall log management process, including identifying trends and providing visibility into changes in the logs that may indicate issues or require management oversight.

Question 25

Archiving

Answer 25

Archiving involves moving logs to a long term storage area when they must be retained but are not in active use. Organizations often pick a time frame like 30, 60, 90, or 180 days for log retention before archiving or deletion.

Question 26

Security Orchestration, Automation, and Response (SOAR)

Answer 26

SOAR platforms allow you to quickly assess the attack surface of an organization, the state of systems, and where issues may exist. They also allow automation of remediation and restoration workflows.

Question 27

Root Cause Analysis (RCA)

Answer 27

Root Cause Analysis can be performed once issues have been mitigated and the organization is on the path to recovery. This process focuses on identifying the underlying cause for an issue or compromise, identifying how to fix the problems that allowed the event or incident to occur, and ensuring that any systemic issues that led to the problem are also addressed.