Course 6 - Sound the Alarm: Detection and Response Flashcards
To recall, the five core functions of the NIST CSF are: identify, protect, detect, respond, and recover.
The NIST incident response lifecycle is another NIST framework with additional substeps dedicated to incident response. It begins with preparation. Next, detection and analysis, and then containment, eradication and recovery, and finally post-incident activity.
According to NIST, an incident is “an occurrence that actually or imminently jeopardizes, without lawful authority, the confidentiality, integrity, or availability of information or an information system; or constitutes a violation or imminent threat of violation of law, security policies, security procedures, or acceptable use policies.”
An event is an observable occurrence on a network, system, or device.
The five W’s of an incident:
who triggered the incident,
what happened,
when the incident took place,
where the incident took place,
why the incident occurred.
Computer security incident response teams, or CSIRTs, are a specialized group of security professionals that are trained in incident management and response.
Depending on the organization, a CSIRT can also be referred to as an Incident Handling Team (IHT) or a Security Incident Response Team (SIRT).
National Institute of Standards and Technology (NIST) Incident Response Lifecycle
Preparation
Detection and Analysis
Containment, Eradication, and Recovery
Post-incident activity
A computer security incident response team (CSIRT) is a specialized group of security professionals that are trained in incident management and response. During incident response, teams can encounter a variety of different challenges. For incident response to be effective and efficient, there must be clear command, control, and communication of the situation to achieve the desired goal.
Command refers to having the appropriate leadership and direction to oversee the response.
Control refers to the ability to manage technical aspects during incident response, like coordinating resources and assigning tasks.
Communication refers to the ability to keep stakeholders informed.
An incident response plan is a…
…document that outlines the procedures to take in each step of incident response
An ______________ is an application that monitors system and network activity, and produces alerts on possible intrusions.
intrusion detection system
___________ have all the same capabilities as an IDS, but they can do more. They monitor system activity for intrusions and take action to stop it.
Intrusion prevention systems (IPS)
Many tools have the ability to perform the function of both IDS and IPS. Some popular tools are:
Snort
Zeek
Kismet
Sagan
Suricata
A SIEM is a tool that collects and analyzes log data to monitor critical activities in an organization. A SIEM provides security professionals with a high-level overview of what goes on in their networks.
Security orchestration, automation, and response, or SOAR, is a collection of applications, tools, and workflows that uses automation to respond to security events.
While SIEM tools collect, analyze, and report on security events for security analysts to review, SOAR automates analysis and response to security events and incidents. SOAR can also be used to track and manage cases. Multiple incidents can form a case, and SOAR offers a way to view all of these incidents in one centralized place.
A form of documentation used in incident response
Incident handler’s journal:
A document that outlines the procedures to take in each step of incident response
Incident response plan:
A framework for incident response consisting of four phases: Preparation; Detection and Analysis; Containment, Eradication, and Recovery; and Post-incident activity
National Institute of Standards and Technology (NIST) Incident Response Lifecycle:
A manual that provides details about any operational action
Playbook:
An application that collects and analyzes log data to monitor critical activities in an organization
Security information and event management (SIEM):
An organizational unit dedicated to monitoring networks, systems, and devices for security threats or attacks
Security operations center (SOC):
A collection of applications, tools, and workflows that uses automation to respond to security events
Security orchestration, automation, and response (SOAR):
A state where there is no detection of malicious activity
True negative:
An alert that correctly detects the presence of an attack
True positive:
Organizations may deploy a network operations center (NOC), which is an organizational unit that monitors the performance of a network and responds to any network disruption, such as a network outage. While a SOC is focused on maintaining the security of an organization through detection and response, a NOC is responsible for maintaining network performance, availability, and uptime.
As part of an organization’s security policy, all assets should be cataloged in an asset inventory. The appropriate security controls should also be applied to protect these assets from unauthorized access.
First, there’s the header, which includes information like the type of network protocol and port being used. Imagine this as being the name and mailing address located on an envelope.
The header also contains the packet’s source and destination IP address. We’ll explore more information contained in the header in a later section.
Next, there’s the payload, which contains the actual data that’s being delivered. This is like the content of a letter inside of an envelope.
And there’s the footer, which signifies the end of the packet.
Security analysts monitor networks to identify any signs of potential security incidents known as indicators of compromise (IoC) and protect networks from threats or attacks. To do this, they must understand the environment that network communications travel through so that they can identify deviations in network traffic.
Network protocol analyzers, also known as packet sniffers, are tools designed to capture and analyze data traffic within a network. They can be used to analyze network communications manually in detail. Examples include tools such as tcpdump and Wireshark, which can be used by security professionals to record network communications through packet captures. Packet captures can then be investigated to identify potentially malicious activity.
Payload
The payload component directly follows the header and contains the actual data being delivered. Think back to the example of uploading an image to a website; the payload of this packet would be the image itself.
Footer
The footer, also known as the trailer, is located at the end of a packet. The Ethernet protocol uses footers to provide error-checking information to determine if data has been corrupted. In addition, Ethernet network packets that are analyzed might not display footer information due to network configurations.
Note: Most protocols, such as the Internet Protocol (IP), do not use footers.
Network protocol analyzers (packet sniffers) are tools designed to capture and analyze data traffic within a network. Examples of network protocol analyzers include tcpdump, Wireshark, and TShark.
How network protocol analyzers work
Network protocol analyzers use both software and hardware capabilities to capture network traffic and display it for security analysts to examine and analyze. Here’s how:
First, packets must be collected from the network via the Network Interface Card (NIC), which is hardware that connects computers to a network, like a router. NICs receive and transmit network traffic, but by default they only listen to network traffic that’s addressed to them. To capture all network traffic that is sent over the network, a NIC must be switched to a mode that has access to all visible network data packets. In wireless interfaces this is often referred to as monitoring mode, and in other systems it may be called promiscuous mode. This mode enables the NIC to have access to all visible network data packets, but it won’t help analysts access all packets across a network. A network protocol analyzer must be positioned in an appropriate network segment to access all traffic between different hosts.
The network protocol analyzer collects the network traffic in raw binary format. Binary format consists of 0s and 1s and is not as easy for humans to interpret. The network protocol analyzer takes the binary and converts it so that it’s displayed in a human-readable format, so analysts can easily read and understand the information.
Note: Using network protocol analyzers to intercept and examine private network communications without permission is considered illegal in many places.
Packet capture (pcap) files can come in many formats depending on the packet capture library that’s used. Each format has different uses, and network tools may use or support specific packet capture file formats by default. You should be familiar with the following libraries and formats:
Libpcap is a packet capture library designed to be used by Unix-like systems, like Linux and macOS. Tools like tcpdump use Libpcap as the default packet capture file format.
WinPcap is an open-source packet capture library designed for devices running Windows operating systems. It’s considered an older file format and isn’t predominantly used.
Npcap is a library designed by the developers of the port scanning tool Nmap that is commonly used in Windows operating systems.
PCAPng is a modern file format that can simultaneously capture packets and store data. Its ability to do both explains the “ng,” which stands for “next generation.”
Pro tip: Analyzing your home network can be a good way to practice using these tools.
The internet layer accepts and delivers packets for the network. It’s also the layer where the Internet Protocol operates as the foundation for all communications on the internet. It’s responsible for making sure packets reach their destinations.
The Internet Protocol operates like a mail courier delivering an envelope. Instead of using the delivery information found on the envelope, the Internet Protocol uses the information found in a packet header, like IP addresses. It then determines the best available route for packets to take, so that data can be sent and received between hosts.
There are two different versions of the Internet Protocol: IPv4, which is considered to be the foundation of internet communications, and IPv6, which is the most recent version of the Internet Protocol. Remember, different protocols use different headers. So IPv4 and IPv6 headers differ, but they contain similar fields with different names. IPv4 is still the most widely used.
Let’s start with the Version field, which specifies which version of IP is being used, either IPv4 or IPv6. Referring back to our mail analogy, the Version field is like the different classes of mail, like priority, express, or regular.
Next, IHL stands for Internet Header Length. This field specifies the length of the IP header plus any options.
The next field, ToS, stands for Type of Service. This field tells us if certain packets should be treated with different care. For example, think of ToS like a fragile sticker on a mailed package.
Next is the Total Length field, which identifies the length of the entire packet, including the headers and the data. This can be compared to the dimensions and weight of an envelope.
The next three fields, Identification, Flags, and Fragment Offset, deal with information related to fragmentation. Fragmentation is when an IP packet gets broken up into chunks, which then get transmitted over the wire and reassembled when they arrive at their destination. These three fields specify if fragmentation has been used and how to reassemble the broken packets in the correct order. This is similar to how mail can travel through multiple routes like mailboxes, processing facilities, airplanes, and mail trucks before it reaches its destination.
The TTL field stands for Time to Live. Like its name suggests, this field determines how long a packet can live before it gets dropped. Without this field, packets could loop through routers endlessly. TTL is similar to how tracking information provides details about an envelope’s expected delivery date.
The Protocol field specifies the protocol used by providing a value which corresponds to a protocol. For example, TCP is represented by 6. This is similar to including the number of a house in a postal address.