Chapter 4 - Operations and Incident Response Flashcards
tracert (Windows)
Determines the route a packet takes to a destination by mapping the route
Time to Live (TTL) is counted in hops
traceroute (POSIX)
Determines the route a packet takes to a destination by mapping the route
Time to Live (TTL) is counted in hops
nslookup
Lookup information from DNS servers
Examples: canonical names, IP addresses, cache timers, etc.
Deprecated - use dig instead
dig
Lookup information from DNS servers
More advanced domain information - use instead of nslookup
Examples: canonical names, IP addresses, cache timers, etc.
ipconfig
Displays all current Windows TCP/IP network configuration values and refreshes Dynamic Host Configuration Protocol and Domain Name System settings
ifconfig
View and change the configuration of the network interfaces on your system for Linux
Network Mapper (nmap)
Find and learn more about network devices by doing port scans, operating system scans, service scans, and running additional scripts
ping
Tests reachability and can determine the round-trip time
Uses Internet Control Message Protocol (ICMP)
Primary troubleshooting tool
pathping
Combines ping and traceroute and is divided into two phases
Phase 1: runs a traceroute to build a map
Phase 2: Measures the round-trip time and packet loss at each hop
hping
Open-source packet generator and analyzer for the TCP/IP protocol
Used for security auditing and testing of firewalls and networks
Network Statistics (netstat)
Generates displays that show network status and protocol statistics used in many different operating systems
IP Scanners
Searching the network for IP addresses - locate active devices and avoid doing work on an IP address that isn’t there
Address Resolution Protocol (arp)
Determines a MAC address based on an IP address
Need the hardware address to communicate
arp -a
Is able to view the local ARP table
route
View a device's routing table to find out which way packets will go
Client URL (curl)
Can retrieve data using a URL such as web pages, FTP, emails, databases, etc.
Grab the raw data by searching, parsing, and automating
theHarvester
Gathers OSINT by scraping information from different web pages like Google and Bing
Examples: list of people from LinkedIn, a list of email contacts, etc.
sn1per
Combines many recon tools into a single framework
Examples: dnsenum, metasploit, nmap, theHarvester, etc.
scanless
Runs port scans from a different host by using a port scan proxy
dnsenum
Viewing host information (names) from DNS servers
Nessus
Industry leading in vulnerability scanning
Identifying known vulnerabilities before they can be exploited
Can provide a checklist of issues and filter out false positives
Cuckoo
A sandbox for testing malware or a suspicious file in a safe environment
Can track and trace API calls, network traffic, memory analysis
netstat -a
Show all active connections
netstat -b
Show binaries
netstat -n
Do not resolve names
netcat
“Read” and “write” to the network
Can open a port and send or receive some traffic
Listen on a port number, transfer data, scan ports and send data to a port
Can become a back door and run a shell from a remote device
head
Being able to view the first part of a file (the head or beginning)
head [OPTION] … [FILE] …
Can use -n to specify number of lines
head -n 5 syslog - first 5 lines of file
tail
Being able to view the last part of a file (the tail or end)
tail [OPTION] … [FILE] …
Can use -n to specify number of lines
tail -n 5 syslog - last 5 lines of file
Concatenate (cat)
Link together in a series
Copy a file/ files to the screen - cat file1.txt file2.txt
Copy a file/ files to another file - cat file1.txt file2.txt > both.txt
grep
Find text in a file - search through many files at a time
grep PATTERN [FILE]
Change Mode (chmod)
Change mode of a file system object - r: read, w: write, x: execute
Set for the file owner - u: owner, g: group, o: others, a: all
logger
Add entries to the system log (syslog)
logger “This information is added to syslog”
Useful for including information in a local or remote syslog file
Secure Shell (SSH)
Encrypted console communication - tcp/22
Windows PowerShell
Command line for system administrators
.ps1 file extension
Python
General-purpose scripting language
.py file extension
OpenSSL
A toolkit and crypto library for SSL/ TLS
Creates X.509 certificates and manages existing ones
Message digest
Encryption and decryption
Tcpreplay
A suite of replay utilities
Test security devices
Test and tune IP Flow/ NetFlow devices
Evaluate the performance of security devices
Tcpdump
Captures packets from the command line and can display them or write them to a file
Wireshark
Analyze packets by viewing traffic patterns, identifying unknown traffic, and verifying packet filtering and security controls
Gather frames on the network
dd
Used to create disk images and destroy data by overwriting the contents of a file or a disk
Memdump
Copy information in system memory to the standard output stream
Can be copied to another host across the network
WinHex
A universal hexadecimal editor for Windows 10 that can edit disks, files, and RAM
FTK imager
Allows you to perform memory capture or registry capture on a live device, to recover passwords or other data stored in memory on the active device
Autopsy
Allows you to perform digital forensics on hard drives and smartphones by viewing and recovering data from storage devices
Exploitation Frameworks
A pre-built toolkit used to find and exploit vulnerabilities; more tools can be added as new vulnerabilities are found
Metasploit
Password Crackers
Finding passwords either online or offline by brute forcing a hash file
Data Sanitization
Completely removing data making sure no data can be recovered and no useable information remains
Incident Response Lifecycle
Preparation
Detection and analysis
Containment, eradication, and recovery
Post-incident activity
Incident Response Process: Preparation
Make sure to have good communication, updated software and hardware, incident analysis resources, incident mitigation software, and the policies needed to handle an incident
Incident Response Process: Identification
There can be many precursors to an incident as well as some indicators - attack attempt, anti-virus identifies malware, a configuration change, traffic flows deviate from the norm
Incident Response Process: Containment/ Isolation
Can use sandboxes to isolate an OS and help you run the malware to analyze it
Incident Response Process: Eradication
Cannot wait - remove the threat and restore affected systems to their previous state as quickly as possible, ideally while minimizing data loss
Incident Response Process: Recovery
Restore backups, rebuild from scratch, replace compromised files, and tighten down the perimeter/ security
Incident Response Process: Lessons Learned
Learn what happened and improve on it for next time
Have a meeting as soon as possible
Tabletop Exercise
Logistics of a disaster can be determined through analysis with key players of an organization so you do not physically have to go through a disaster
Walkthrough Exercises
Testing processes and procedures before an event by walking through each step, involving all the groups, and referring to actual response materials
Simulation Exercises
Test with an actual simulated event
MITRE ATT&CK
A guideline for classifying and describing cyberattacks and intrusions
The Diamond Model of Intrusion Analysis
An adversary deploys a capability over some infrastructure against a victim - used when an intrusion occurs
Defines an event as the central element necessary for four key aspects of malicious activity to occur
Adversary, victim, infrastructure, and capability
Cyber Kill Chain
A military concept that describes seven phases of a cyber attack
Reconnaissance, weaponization, delivery, exploit, installation, command and control, and actions on objectives
Stakeholder Management
Keeping a good ongoing relationship with customers of IT
Exercises for future disasters should involve customers and communication
Communication Plan
Getting your contact list together so everyone is in the loop during a disaster
Corporate, internal non-IT, external contacts
Disaster Recovery Plan
A comprehensive plan that is made and initiated after a disaster takes place
Keeps the organization up and running
Business Continuity Plan
A comprehensive plan that is made and initiated during a disaster
Continuity of Operations Planning (COOP)
Alternative ways to keep the business up and running after a disaster if it disrupts the organization from operating under the norm
Examples: paper receipts, manual transactions, phone calls
Incident Response Team
A specialized group that is trained and tested to deal with any type of organizational emergency
IT security management, Compliance officers, technical staff, and user community
Retention Policies
How long a business needs to keep a piece of information (record), where it’s stored, and how to dispose of the record when it’s time
Vulnerability Scan Output
The process of discovering, analyzing, and reporting on security flaws and vulnerabilities
Lack of security controls, misconfigurations, and real vulnerabilities
False Positives
A vulnerability is identified that doesn’t really exist
False Negatives
A vulnerability exists, but you didn’t detect it
SIEM - Sensors
Operating systems, infrastructure devices
SIEM - Sensitivity
Easy to be overwhelmed with data, some of which is unnecessary
Informational, warning, urgent
SIEM - Trends
Identify changes over time
Easily view constant attack metrics
SIEM - Alerts
Real-time information
Identify a security event
SIEM - Correlation
Link diverse data types
View data in different ways
Network Log Files
Physical network devices: switches, routers, APs, VPNs
Network changes: routing updates, authentication issues
System Log Files
Operating system information and may also include security events
Application Log Files
Specific to the application
Windows, Linux, MacOS
Security Log Files
Detailed security related events: traffic flows, exploit attempts
Security devices: IPS, firewall
Web Log Files
Web server access and access errors
Exploit attempts
Server activity
DNS Log Files
DNS queries and requests to servers
Authentication Log Files
Know who logged in and correlate with other events like file transfers
Dump Files
A snapshot that shows the process that was executing and modules that were loaded for an app at a point in time
VoIP and Call Managers Logs
View inbound and outbound call information
Session Initiation Protocol (SIP) Traffic Logs
Call setup and management
Inbound and outbound calls
Alert on unusual numbers or country codes
syslog
Standard for message logging
Diverse systems create a consolidated log
rsyslog
Rocket-fast System for log processing
syslog-ng
A popular syslog daemon with additional filtering and storage options
journalctl
Provides a method for querying and displaying system logs that are stored in a binary format
NXLog
Collection from many diverse log types
Bandwidth Monitors
Shows the percentage of network use over time
Metadata
Data that describes other data sources
Metadata - Email
Header details, sending servers, destination address
Metadata - Mobile
Type of phone, GPS location
Metadata - Web
Operating system, browser type, IP address
Metadata - File
Name, address, phone number, title
Netflow
Gathering traffic statistics from all traffic flows/ packets
Shared communication between devices
Sampled Flow (sFlow)
Designed to perform flow-export by random sampling of packets and time-based sampling of network interfaces, and not by considering every packet
IP Flow Information Export (IPFIX)
Newer NetFlow-based standard
Templates used to describe data
Protocol Analyzer Output
Solves complex application issues by viewing detailed traffic information - helps identify unknown traffic, verify packet filtering and security controls, and view a plain-language description of application data
Endpoint Security
The end user device
Recognize and react to any malicious activity
Application Approved List
Application does not run or execute on device/ endpoint unless it’s approved
Application Blocklist/ Deny List
List of applications that cannot be run on endpoint/ device
Quarantine
If an application is not on an allow or deny list, the system can place it in a safe area where it is not allowed to run until it has been further investigated
Firewall Rules
Managing application flows and blocking dangerous applications
Mobile Device Management
Enabling or disabling phone and tablet functionality regardless of physical location
Data Loss Prevention
Block transfer of personally identifiable information (PII) or sensitive data
Examples: credit card #’s, social security #’s, etc.
Content Filter/ URL Filter
Limit access to untrusted websites and block known malicious sites
Large blocklists are used to share suspicious URLs
Update or Revoke Certificates
Manage device certificates to verify trust
Revoking a certificate effectively removes access
Isolation
Isolate compromised device from everything else in order to prevent the spread of malicious software
Containment
Limit interaction with the host operating system and other applications by running each application in its own sandbox
Segmentation
Separate the network to prevent unauthorized movement and limit the scope of a breach
Security Orchestration, Automation, and Response (SOAR)
Integrate third party tools and data sources to make the security teams more effective
Runbooks
A linear checklist or a step-by-step approach to automation
Examples: reset a password, create a website certificate, back up application data
Playbooks
Conditional steps to follow; a broad process
Examples: investigate a data breach, recover from ransomware
Documentation/ Evidence - Legal Hold
A legal technique to preserve relevant information
Often stored in a separate repository for electronically stored information (ESI)
Documentation/ Evidence - Video
A moving record of the event that gathers information external to the computer and network
Documentation/ Evidence - Admissibility
Not all data can be used in the court of law
Must make sure data is legally authorized and collected correctly
Documentation/ Evidence - Chain of Custody
Documentation that shows integrity of data
Documentation/ Evidence - Time Stamps
Gives an electronic document a ‘certain date’ with probative value
Allows associating the document with a legally certain date and time that can be enforced against third parties
Documentation/ Evidence - Time Offset
Record the time offset from the operating system
Documentation/ Evidence - Tags
A physical tag that can be put on the evidence that provides a detailed description of everything about it
Documentation/ Evidence - Reports
Document the findings for internal use, legal proceedings, etc.
Summary and overview of the security event
Detailed explanation of data acquisition
Documentation/ Evidence - Event Logs
Documents important operating system and application events that can be exported or stored for future reference
Documentation/ Evidence - Interviews
Can ask what others saw and can document what they say - they might have different information
Acquisition - Order of Volatility
Some data remains on a system for a long period of time, while other data is only stored for a few minutes - the most volatile data is collected first
Acquisition - Disk
Copy everything onto a storage device
Acquisition - Random-access Memory
Difficult to gather because the information changes constantly, but important
Memory dump
Acquisition - Swap/ Pagefile
A place to store RAM when memory is depleted and can also contain portions of an application
Acquisition - OS
Can help gain information and data for a security event
Users, open ports, processes running, device list
Acquisition - Device
Capture data by using an existing backup file or image over USB
Calls, contact info, messages, email, images and video
Acquisition - Firmware
Rootkits and exploited hardware devices
Investigate how the firmware functions
Acquisition - Snapshot
A point-in-time system image
Incremental updates from each snapshot
Contains all files and information about a VM
Acquisition - Cache
Store data for use later
Can speed up the performance of an application or OS
Acquisition - Network
Gather information about and from the network
Network connections, packet captures
Acquisition - Artifacts
Digital items left behind
Log info, flash memory, cache files, recycle bin, bookmarks
Right-to-audit Clauses
An agreement on how data can be accessed - data sharing and outsourcing
Permission to know where the data is being held, how the data is managed over the internet, and what security features are being used to protect the data
Regulatory/ Jurisdiction
Data in a different jurisdiction may be bound by very different regulations
Data Breach Notification Laws
If consumer data is breached, the consumer must be informed
Type of data breached, who gets notified, and how quickly
Integrity - Hashing
Cryptographic integrity verification
A digital “fingerprint”
Integrity - Checksums
Makes sure information sent from one side to another has shown up without any corruption
Integrity - Provenance
Original documentation of the source of the data
Data handling and blockchain technology
Preservation
Handling evidence by isolating, protecting, and copying the data
Electronic Discovery (E-discovery)
Collect, prepare, review, interpret, and produce electronic documents/ data
Data Recovery
Extract missing data without affecting the integrity of the data
Deleted files, hidden data, hardware/ software corruption, storage device damaged
Non-repudiation
Proof of data integrity and the origin of the data
The data is unchanged and really did come from the sender
MAC and digital signature
Strategic Intelligence
A focus on key threat activity for a domain
Internal threat reports, 3rd party data sources, and other data inputs
Counterintelligence (CI)
Preventing hostile intelligence operations
Discover and disrupt foreign intelligence threats