CISSP Domain 7 Flashcards
Incident management steps
Detect
Response - Severity of incident (CIRT)
Mitigate
Reporting
Recovery
Remediation
Lessons learned
Primary goals of effective incident management
Limit effect or scope of an incident
Recovery
Effective incident and configuration management
Remediation
Perform RCA
Botnets
Multiple bots in a network form a botnet and will do whatever the attackers instruct them to do
C&C
DoS
So many data packets are sent to a server that the system slows down
DDoS
When multiple systems attack a single system at the same time
DRDoS
Manipulates traffic or a network device so that attacks are reflected back to the victim from other sources
SYN flood
Doesn't complete the three-way handshake
Doesn't send the final ACK, hence the server gets flooded with half-open connections
Smurf attack
Floods victim with ICMP echo packets instead of TCP SYN packets
Attacker sends an echo request as a broadcast to all systems on the network, spoofing the source IP address (the victim's)
All these systems respond with echo replies to the spoofed IP address
Fraggle attack
Same as a Smurf attack but uses UDP instead of ICMP
Ping flood
Floods the victim with ping requests
Ping of death
Oversized ping packets
Teardrop
Sends fragmented data packets that the receiving system finds too difficult to reassemble
Land attack
Sends spoofed SYN packets to a victim using the victim's IP address as both the source and destination IP address
2 types of MitM
Sniffing traffic between two parties
Store-and-forward proxy mechanism by sitting in between the two parties
Types of IDS
Knowledge based - signature based; the IDS can have sensors or agents to monitor key devices
Behaviour based - creates a baseline to detect abnormal behaviour
IDS response
Passive response - notification can be sent to admins by email or text message
Dashboard-type alerts
Active response - modifies the environment, e.g. using a firewall
IDS types
Host based
Network based
NIPS
Blocks an attack after it starts
Honeypot and Honeynet
Enticement or decoy
Don't let it become entrapment
Honeynet - two or more networked honeypots used together
Hosted on VMs for easy re-creation
Firewall blocks the traffic
Router configured to block broadcasts
Private IP addresses
Sandboxing
Provides a security boundary for apps and prevents them from interacting with other apps
Goal of logging and monitoring
To prevent incidents and provide an effective response when they occur
Common log types - Security
Security logs: Record access to resources such as files, folders, printers
System logs
When a system or service starts or stops
Application logs
Application developer chooses what to record in the app logs
What type of control are audit trails?
Deterrent
SIEM - Sampling
Data reduction that uses precise mathematical functions to extract meaningful information from a large volume of data
Clipping levels
Non-statistical sampling - at the discretion of the owner - discretionary sampling
Predefined threshold for the event
Rollover logging
Admins set a maximum log size, then the oldest entries are overwritten
SOAR
Automated response to some incidents
SOAR - Incident response methods
Playbook - What needs to be done if an incident occurs
Runbook - playbook data put into an automated tool
Example: an IDS implementing it
SOAR technologies will automatically deal with false positives based on the runbook
Difference between ML and AI?
Reinforcement learning (plays against itself) vs zero knowledge of the game
A separate algorithm outside of the AI system enforces the rules
Behaviour-based systems use ML to learn from false positives
AI starts without a baseline, creates its own baseline based on traffic, then looks for anomalies
Threat intelligence
Gathering data on potential threats
Kill chain
Reconnaissance
Weaponization
Delivery
Exploitation
Installation
C&C
Actions on objectives
MITRE ATT&CK
Knowledge base of TTPs used by attackers in various attacks
Threat feeds
Steady stream of raw data related to current and potential threats
Suspicious domains
Known malware hashes
Code shared on internet sites
IP addresses linked to malicious activity
Threat hunting
Actively searching for cyber threats in networks, basically looking for IoCs
False negatives
When there is an attack but the IDS doesn't detect it and raise an alert
Ingress and egress monitoring
Monitoring incoming traffic
Monitoring outgoing traffic
Fault tolerance
The primary goal of fault tolerance is to eliminate SPOFs
Ability of a system to suffer a fault but continue to operate
Achieved by a RAID array or additional components in a failover clustered configuration
SPOF
Component whose failure can cause the entire system to fail
System resilience
Ability of a system to maintain an acceptable level of service during an adverse event
In some cases, the ability of a system to return to its previous state after an adverse event
High availability
Use of redundant technology components to allow a system to quickly recover from a failure after experiencing a brief disruption
Load balancing and failover servers
Load balancing
Primary responsibility is to balance network traffic so the system can handle more load
But it can also sense a failure and stop sending traffic to the failed server
UPS and generator
Goal of a UPS is to provide power for 15-30 minutes so that you can logically shut down the system
Generator provides power for a longer period
Fail open vs fail secure state
Fail open - grants all access
Fail secure - blocks all access
Choice should be based on whether security or availability is the priority
Two elements of recovery process
- Failure preparation: Systems resilience, fault tolerance, reliable back-up solution
- System recovery: Restoration of all affected files and services actively in use on the system at the time of the failure or crash
Type of recovery
Manual
Automatic
Automated recovery without undue loss: Specific objects are protected to prevent their loss
Additionally, you can rebuild data from transaction logs
Function recovery: Specific functions are recovered
QoS
Protects the availability of the data network under load
Bandwidth: Network capacity to carry loads
Jitter: Variation in latency between packets
Latency: Time taken for a packet to travel from source to destination
Packet loss: Packets lost between source and destination
Interference: Noise, corruption of packets
One of the goals of the DRP
Restoration of work groups to the point they can resume their activities in their usual work locations
Alternate processing sites
Cold site: The facility is there but nothing more; it might take a week or two to get it running
Hot site: Expensive, but can be up and running quickly
Warm site: Might take 12 hours; some critical components are there
“ No lockout policy”
Mobile site: Any operating location; it can be deployed on a fly-away basis
Best for workgroups
Mutual assistance agreement
Two organisations assist each other in the event of a disaster
Concerns:
- Same geography
- Confidentiality
- Refusal to support
Electronic vaulting
Bulk transfer of data to a remote site
Stored in backup vaults off-site
Remote Journaling
Backup of DB transaction logs that occurred since the previous bulk transfer
Remote mirroring
A live DB is maintained at the backup site
The remote server receives a copy of database modifications at the same time as the production server
Important point when it comes to checklist
Arrange checklist tasks in order of priority, with the most important task first
Backups and off site storage
Full backup - complete copy of the data contained in the protected device
Incremental backup - stores only the files modified since the last full backup, run at the end of the day
Differential backup - stores all data/files modified since the last full backup
Difference between incremental and differential back-up
Time to restore data in the event of an emergency
Full + differential - the 2 most recent backup files, one of each
Full + incremental - the most recent full plus all incrementals since that full backup
Differential backups take longer to create but less time to restore compared to incremental
Software escrow agreement
Tool to protect against the failure of a software developer to provide support for its products, e.g. the developer going out of business and no tech support being available
Recovery Vs Restoration
Recovery: Bringing business operations and processes back to a working state
Restoration: Bringing the business facility and environment back to a workable state
Salvage team
To restore the company to full capabilities so it can resume its normal work
Structured walk-through
Structured walk-through - Scenario based; in a large conference room, participants role-play a disaster scenario, then refer to their copies of the plan and discuss the response to it
May involve interruption of non-critical business activities
Simulation test
A scenario is presented and the team is asked to develop a response
Then the response is tested
Parallel test
Relocation of personnel to the alternate recovery site and implementation of site activation
Full interruption test
Shutting down operations at the primary site and shifting them to the recovery site
Redundant
Copy or duplicate
RAID 0
Performance and data striping
RAID 1, 1-0 , 3 , 5, 6
Availability by mirroring - 2 disks
1-0 - Striping and mirroring
RAID 3 - Parity bit (on a dedicated disk) to reconstruct data if any one of multiple disks fails
RAID 5 - Parity and data distributed across all disks
RAID 6 - 2 parity disks; if 2 disks fail you can still recover the data
Configuration management
Baselining for all systems
Recovery team
Used to get critical functions running at the alternate site
Salvage team
Used to return the primary site to normal
Waterfall
Very linear, each phase leads to the next
Once a phase is done, you can't go back
Administrative investigations
Policy violations internal to organization
Criminal investigations
Conducted by law enforcement
Beyond a reasonable doubt
Civil investigation
Internal employees and outside consultants on behalf of legal teams
Regulatory investigations
Conducted by government agencies when individuals have violated administrative law
E-discovery and steps
To preserve evidence and share information with adversaries in the proceedings
Info governance
Identification
Preservation
Collection
Processing
Review
Analysis
Production
Presentation
Admissible evidence and requirements
Relevant - to a fact in the case
Material (related) to the case
Competent (obtained legally)
Types of evidence and evidence rules
- Real evidence - object evidence
- Documentary evidence - Written items
  - Best evidence rule
  - Parol evidence rule - a written agreement supersedes any verbal agreement
If documentary evidence follows the above 2 rules plus the 3 admissibility requirements, it can be admitted to court
- Testimonial evidence: Testimony of witnesses, direct or expert opinion
- Demonstrative evidence: Evidence used to support testimonial evidence
Media analysis - Always work on a copy
Identification and extraction of info from storage media
a. Magnetic media b. Optical media
Use a write blocker to avoid tampering with the data when the media is disconnected and connected to a physical workstation
In-memory analysis
When gathering contents from memory, the analyst should use trusted tools to create a memory dump file
Compute cryptographic hash values to prove authenticity
Network analysis
Use SPAN port - Generate copy of packet dump
Software analysis
Software code - looking for logic bombs, backdoors
Hardware/ Embedded device
Contents of hardware
Investigating process
Gathering evidence
1. Voluntary surrender
2. Subpoena
3. Plain view doctrine
4. Search warrant
5. Exigent circumstances
Calling in law enforcement
Conducting the investigation
Interviewing the individuals
Data integrity and data retention
Reporting and documenting investigations
APT
Advanced technical skills and resources; act on behalf of nation states or organised crime
Script kiddies
For the thrill, attackers may download freely available scripts from the internet to compromise systems