Course 6 - Sound the Alarm: Detection and Response Flashcards
To recall, the five core functions of the NIST CSF are:
identify, protect, detect, respond, and recover.
The NIST incident response lifecycle is another NIST framework with additional substeps dedicated to incident response. It begins with preparation. Next, detection and analysis, and then containment, eradication and recovery, and finally post-incident activity.
According to NIST, an incident is “an occurrence that actually or imminently jeopardizes, without lawful authority, the confidentiality, integrity, or availability of information or an information system; or constitutes a violation or imminent threat of violation of law, security policies, security procedures, or acceptable use policies.”
An event is an observable occurrence on a network, system, or device.
The five W’s of an incident: who triggered the incident, what happened, when the incident took place, where the incident took place, and why the incident occurred.
Computer security incident response teams, or CSIRTs, are a specialized group of security professionals that are trained in incident management and response.
Depending on the organization, a CSIRT can also be referred to as an Incident Handling Team (IHT) or a Security Incident Response Team (SIRT).
National Institute of Standards and Technology (NIST) Incident Response Lifecycle
Preparation
Detection and Analysis
Containment, Eradication, and Recovery
Post-incident activity
During incident response, a CSIRT can encounter a variety of different challenges. For incident response to be effective and efficient, there must be clear command, control, and communication of the situation to achieve the desired goal.
Command refers to having the appropriate leadership and direction to oversee the response.
Control refers to the ability to manage technical aspects during incident response, like coordinating resources and assigning tasks.
Communication refers to the ability to keep stakeholders informed.
An incident response plan is a…
…document that outlines the procedures to take in each step of incident response
An ______________ is an application that monitors system and network activity, and produces alerts on possible intrusions.
intrusion detection system
___________ have all the same capabilities as an IDS, but they can do more. They monitor system activity for intrusions and take action to stop it.
Intrusion prevention systems, or IPS,
Many tools can perform the function of an IDS, an IPS, or both (Snort and Suricata can run in either detection or inline prevention mode; Zeek is a traffic analysis framework used for detection). Some popular tools are:
Snort
Zeek
Kismet
Sagan
Suricata
SIEM is a tool that collects and analyzes log data to monitor critical activities in an organization. SIEM provides security professionals with a high-level overview of what goes on in their networks.
Security orchestration, automation, and response, or SOAR, is a collection of applications, tools, and workflows that uses automation to respond to security events.
While SIEM tools collect, analyze, and report on security events for security analysts to review, SOAR automates analysis and response to security events and incidents. SOAR can also be used to track and manage cases. Multiple incidents can form a case, and SOAR offers a way to view all of these incidents in one centralized place.
Incident handler’s journal: A form of documentation used in incident response
Incident response plan: A document that outlines the procedures to take in each step of incident response
National Institute of Standards and Technology (NIST) Incident Response Lifecycle: A framework for incident response consisting of four phases: Preparation; Detection and Analysis; Containment, Eradication, and Recovery; and Post-incident activity
Playbook: A manual that provides details about any operational action
Security information and event management (SIEM): An application that collects and analyzes log data to monitor critical activities in an organization
Security operations center (SOC): An organizational unit dedicated to monitoring networks, systems, and devices for security threats or attacks
Security orchestration, automation, and response (SOAR): A collection of applications, tools, and workflows that uses automation to respond to security events
True negative: A state where there is no detection of malicious activity
True positive: An alert that correctly detects the presence of an attack
Organizations may deploy a network operations center (NOC), which is an organizational unit that monitors the performance of a network and responds to any network disruption, such as a network outage. While a SOC is focused on maintaining the security of an organization through detection and response, a NOC is responsible for maintaining network performance, availability, and uptime.
As part of an organization’s security policy, all assets should be cataloged in an asset inventory. The appropriate security controls should also be applied to protect these assets from unauthorized access.
A packet has three components. First is the header, which includes information like the type of network protocol and port being used. Imagine this as being the name and mailing address located on an envelope.
The header also contains the packet’s source and destination IP address. We’ll explore more information contained in the header in a later section.
next, there’s the payload, which contains the actual data that’s being delivered. This is like the content of a letter inside of an envelope.
And there’s the footer, which signifies the end of the packet.
Security analysts monitor networks to identify any signs of potential security incidents known as indicators of compromise (IoC) and protect networks from threats or attacks. To do this, they must understand the environment that network communications travel through so that they can identify deviations in network traffic.
Network protocol analyzers, also known as packet sniffers, are tools designed to capture and analyze data traffic within a network. They can be used to analyze network communications manually in detail. Examples include tools such as tcpdump and Wireshark, which can be used by security professionals to record network communications through packet captures. Packet captures can then be investigated to identify potentially malicious activity.
Payload
The payload component directly follows the header and contains the actual data being delivered. Think back to the example of uploading an image to a website; the payload of this packet would be the image itself.
Footer
The footer, also known as the trailer, is located at the end of a packet. The Ethernet protocol uses a footer, the frame check sequence (FCS), to carry error-checking information that lets the receiver determine if the frame was corrupted in transit. Captured Ethernet frames usually won’t show a footer, because the NIC checks and strips the FCS before handing the frame to the capture software.
Note: Most protocols, such as the Internet Protocol (IP), do not use footers.
Network protocol analyzers (packet sniffers) are tools designed to capture and analyze data traffic within a network. Examples of network protocol analyzers include tcpdump, Wireshark, and TShark.
How network protocol analyzers work
Network protocol analyzers use both software and hardware capabilities to capture network traffic and display it for security analysts to examine and analyze. Here’s how:
First, packets must be collected from the network via the Network Interface Card (NIC), the hardware that connects a computer to a network. NICs receive and transmit network traffic, but by default they only pass up frames addressed to them (plus broadcast and subscribed multicast traffic). To capture all traffic visible on the link, a wired NIC must be switched to promiscuous mode; on wireless interfaces the equivalent is monitor mode, which captures raw 802.11 frames without associating to an access point. Either mode only exposes traffic that actually reaches that interface, so it won’t help analysts access all packets across a network. A network protocol analyzer must be positioned in an appropriate network segment (for example, on a switch mirror/SPAN port or behind a network tap) to access traffic between different hosts.
The network protocol analyzer collects the network traffic in raw binary format. Binary format consists of 0s and 1s and is not as easy for humans to interpret. The network protocol analyzer takes the binary and converts it so that it’s displayed in a human-readable format, so analysts can easily read and understand the information.
Note: Using network protocol analyzers to intercept and examine private network communications without permission is considered illegal in many places.
Pcap files come in several formats depending on the packet capture library used. Each format has different uses, and network tools may use or support specific packet capture file formats by default. You should be familiar with the following libraries and formats:
Libpcap is a packet capture library designed for Unix-like systems, like Linux and macOS. Tools like tcpdump use libpcap and write captures in its classic pcap file format by default.
WinPcap is an open-source packet capture library designed for devices running Windows operating systems. It is no longer maintained and has largely been replaced by Npcap.
Npcap is a packet capture library for Windows developed by the Nmap Project (the makers of the Nmap port scanner); it is the library Wireshark now uses on Windows.
PCAPng is a modern capture file format that can store packets from multiple interfaces together with metadata such as interface descriptions, capture comments, and name resolution data in the same file. The “ng” stands for “next generation.” Wireshark writes PCAPng by default, while tcpdump writes classic pcap.
Pro tip: Analyzing your home network can be a good way to practice using these tools.
The internet layer accepts and delivers packets for the network. It’s also the layer where the Internet Protocol operates as the foundation for all communications on the internet. It’s responsible for making sure packets reach their destinations.
The Internet Protocol operates like a mail courier delivering an envelope. Instead of using the delivery information found on the envelope, the Internet Protocol uses the information found in a packet header, like IP addresses. It then determines the best available route for packets to take, so that data can be sent and received between hosts.
There are two different versions of the Internet Protocol: IPv4, which is considered to be the foundation of internet communications, and IPv6, which is the most recent version of the Internet Protocol. Remember, different protocols use different headers. So IPv4 and IPv6 headers differ, but they contain similar fields with different names. IPv4 is still the most widely used
Let’s start with the Version field, which specifies which version of IP is being used, either IPv4 or IPv6. Referring back to our mail analogy, the Version field is like the different classes of mail, like priority, express, or regular.
Next, IHL stands for Internet Header Length. This field specifies the length of the IP header plus any options, measured in 32-bit words; the minimum value is 5, for a 20-byte header with no options.
The next field, ToS, stands for Type of Service. This field tells us if certain packets should be treated with different care. For example, think of ToS like a fragile sticker on a mailed package.
Next is the Total Length field, which identifies the length of the entire packet, including the header and the data. This can be compared to the dimensions and weight of an envelope.
The next three fields, Identification, Flags, and Fragment Offset, deal with information related to fragmentation. Fragmentation is when an IP packet gets broken up into chunks, which then get transmitted over the wire and reassembled when they arrive at their destination. These three fields specify if fragmentation has been used and how to reassemble the broken packets in the correct order. This is similar to how mail can travel through multiple routes like mailboxes, processing facilities, airplanes, and mail trucks before it reaches its destination.
The TTL field stands for Time to Live. Like its name suggests, this field determines how long a packet can live before it gets dropped. Without this field, packets could loop through routers endlessly. TTL is similar to how tracking information provides details about an envelope’s expected delivery date.
The Protocol field specifies the protocol carried in the packet’s data portion by providing a number assigned by IANA. For example, TCP is represented by 6, UDP by 17, and ICMP by 1. This is similar to including the number of a house in a postal address.
The Header Checksum stores a value called a checksum, which is used to determine if any errors have occurred in the header.
The Source Address specifies the source IP address and the Destination Address specifies the destination IP address. This is just like the sender and receiver’s contact information found on an envelope.
The Options field is not required and is commonly used for network troubleshooting rather than common traffic. If it’s used, the header length increases. It’s like purchasing postal insurance for an envelope.
Finally, at the end of the packet header is where the packet’s data resides, like the text in an email message.
IPv4
IPv4 is the most commonly used version of IP. There are thirteen fields in the header:
Version: This field indicates the IP version. For an IPv4 header, the value is 4.
Internet Header Length (IHL): This field specifies the length of the IPv4 header including any Options.
Type of Service (ToS): This field provides information about packet priority for delivery.
Total Length: This field specifies the total length of the entire IP packet including the header and the data.
Identification: Packets that are too large to send are fragmented into smaller pieces. This field specifies a unique identifier for fragments of an original IP packet so that they can be reassembled once they reach their destination.
Flags: This field provides information about packet fragmentation including whether the original packet has been fragmented and if there are more fragments in transit.
Fragment Offset: This field is used to identify the correct sequence of fragments.
Time to Live (TTL): This field limits how long a packet can be circulated in a network, preventing packets from being forwarded by routers indefinitely.
Protocol: This field specifies the protocol used for the data portion of the packet.
Header Checksum: This field specifies a checksum value which is used for error-checking the header.
Source Address: This field specifies the source address of the sender.
Destination Address: This field specifies the destination address of the receiver.
Options: This field is optional and can be used to apply security options to a packet.
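To make the capture formats and the thirteen header fields above concrete, here is an added example (not course code) that parses a classic libpcap file record by record, decodes each IPv4 header field, and recomputes the Header Checksum to flag corrupted headers. The capture bytes are constructed in build_sample_pcap(); the MAC addresses and the IP addresses (RFC 1918 10.0.0.0/8 and the TEST-NET-2 range 198.51.100.0/24) are made up, so it runs offline.

```python
"""Decode a classic libpcap (.pcap) file down to the IPv4 header fields.

Added example for these notes, not course code. The capture is constructed in
build_sample_pcap(); all MAC and IP addresses in it are made up."""
import ipaddress
import struct

PCAP_MAGIC = 0xA1B2C3D4      # classic pcap, microsecond timestamps
LINKTYPE_ETHERNET = 1
ETHERTYPE_IPV4 = 0x0800
IP_PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}   # IANA protocol numbers


def ipv4_checksum(header: bytes) -> int:
    """RFC 791 header checksum: one's complement of the one's-complement sum of
    the header's 16-bit words, with the checksum field itself treated as zero."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:                     # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def parse_ipv4_header(data: bytes) -> dict:
    """Return the 13 IPv4 header fields listed above plus a checksum verdict."""
    if len(data) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, tos, total_len, ident, flags_frag, ttl, proto, cksum = struct.unpack("!BBHHHBBH", data[:12])
    version, ihl = ver_ihl >> 4, (ver_ihl & 0x0F) * 4     # IHL counts 32-bit words
    if version != 4 or ihl < 20 or len(data) < ihl:
        raise ValueError("not a valid IPv4 header")
    zeroed = data[:10] + b"\x00\x00" + data[12:ihl]       # checksum field zeroed for recomputation
    return {
        "version": version,
        "ihl": ihl,
        "tos": tos,
        "total_length": total_len,
        "identification": ident,
        "flags": flags_frag >> 13,                        # 3 bits: 0b010 = DF, 0b001 = MF
        "fragment_offset": (flags_frag & 0x1FFF) * 8,     # stored in 8-byte units
        "ttl": ttl,
        "protocol": IP_PROTO_NAMES.get(proto, str(proto)),
        "checksum_ok": ipv4_checksum(zeroed) == cksum,
        "src": str(ipaddress.IPv4Address(data[12:16])),
        "dst": str(ipaddress.IPv4Address(data[16:20])),
        "options": data[20:ihl],                          # empty unless IHL > 5
    }


def parse_pcap(blob: bytes) -> list:
    """Walk the 24-byte global header and 16-byte record headers, decoding every IPv4 frame."""
    magic, _major, _minor, _tz, _sigfigs, _snaplen, linktype = struct.unpack("<IHHiIII", blob[:24])
    if magic != PCAP_MAGIC:
        raise ValueError("unsupported magic: big-endian, nanosecond or PCAPng file")
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError(f"unsupported link type {linktype}")
    packets, offset = [], 24
    while offset + 16 <= len(blob):
        ts_sec, ts_usec, incl_len, orig_len = struct.unpack("<IIII", blob[offset:offset + 16])
        frame = blob[offset + 16:offset + 16 + incl_len]
        offset += 16 + incl_len
        # Ethernet II: 6-byte dst MAC, 6-byte src MAC, 2-byte EtherType; the FCS footer is not captured.
        if len(frame) < 14 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
            continue                                      # skip ARP, IPv6, etc.
        pkt = parse_ipv4_header(frame[14:])
        pkt["timestamp"] = ts_sec + ts_usec / 1e6
        pkt["truncated"] = incl_len < orig_len            # snaplen cut the frame short
        packets.append(pkt)
    return packets


def build_ipv4_packet(src: str, dst: str, proto: int, payload: bytes, corrupt: bool = False) -> bytes:
    """Constructed IPv4 packet (TTL 64, DF set); corrupt=True flips every checksum bit."""
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1C46, 0x4000, 64, proto, 0,
                         ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    cksum = ipv4_checksum(header) ^ (0xFFFF if corrupt else 0)
    return header[:10] + struct.pack("!H", cksum) + header[12:] + payload


def build_sample_pcap() -> bytes:
    """Constructed capture: a TCP packet, a UDP packet with a bad checksum, and an ARP frame."""
    def eth(ethertype: int, body: bytes) -> bytes:   # locally administered (made-up) MACs
        return bytes.fromhex("021122334455" "02aabbccddee") + struct.pack("!H", ethertype) + body
    frames = [
        eth(ETHERTYPE_IPV4, build_ipv4_packet("10.0.0.5", "198.51.100.7", 6, b"GET / HTTP/1.1\r\n")),
        eth(ETHERTYPE_IPV4, build_ipv4_packet("10.0.0.5", "10.0.0.1", 17, b"\x00" * 8, corrupt=True)),
        eth(0x0806, b"\x00" * 28),
    ]
    out = bytearray(struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET))
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1_700_000_000 + i, 0, len(frame), len(frame)) + frame
    return bytes(out)


if __name__ == "__main__":
    for p in parse_pcap(build_sample_pcap()):
        print(f'{p["src"]} -> {p["dst"]} {p["protocol"]} len={p["total_length"]} '
              f'ttl={p["ttl"]} checksum_ok={p["checksum_ok"]}')
```

Running it prints two lines (the ARP frame is skipped because its EtherType is not IPv4); the second shows checksum_ok=False because its checksum was deliberately corrupted. Reading the real file on disk is just open(path, "rb").read() passed to parse_pcap; the magic check is what tells you the file is PCAPng or big-endian rather than classic pcap.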
Tcpdump is a popular network protocol analyzer. It’s pre-installed on many Linux distributions and can be installed on most Unix-like operating systems, like macOS. You can easily capture and monitor network traffic such as TCP, IP, ICMP, and many more. Capturing from a live interface requires elevated privileges, which is why tcpdump is usually run with sudo.
Tcpdump is a command-line network protocol analyzer. Recall that a command-line interface (CLI) is a text-based user interface that uses commands to interact with the computer.
Sudo: A command that temporarily grants elevated permissions to specific users
Wireshark: An open-source network protocol analyzer
tcpdump: A command-line network protocol analyzer
Chain of custody is the process of documenting evidence possession and control during an incident lifecycle.
Playbooks can be non-automated, automated, or semi-automated. Non-automated playbooks require a person to perform each step. Automated playbooks automate tasks in incident response processes. For example, tasks such as categorizing the severity of the incident or gathering evidence can be done using an automated playbook. Automated playbooks can help lower the time to resolution during an incident. SOAR and SIEM tools can be configured to automate playbooks.
Finally, semi-automated playbooks combine a person’s action with automation. Tedious, error-prone, or time-consuming tasks can be automated, while analysts can prioritize their time with other tasks. Semi-automated playbooks can help increase productivity and decrease time to resolution.
Containment is the act of limiting and preventing additional damage caused by an incident. Organizations outline their containment strategies in incident response plans. Containment strategies detail the actions that security teams should take after an incident has been detected. Different containment strategies are used for various incident types.
Eradication involves the complete removal of the incident elements from all affected systems. For example, eradication actions include performing vulnerability tests and applying patches to vulnerabilities related to the threat.
Recovery is the process of returning affected systems back to normal operations. An incident can disrupt key business operations and services. During recovery, any services that were impacted by the incident are brought back to normal operation. Recovery actions include: reimaging affected systems, resetting passwords, and adjusting network configurations like firewall rules.
Similar to an incident response plan, a business continuity plan (BCP) is a document that outlines the procedures to sustain business operations during and after a significant disruption. A BCP helps organizations ensure that critical business functions can resume or can be quickly restored when an incident occurs.
Site resilience
Resilience is the ability to prepare for, respond to, and recover from disruptions. Organizations can design their systems to be resilient so that they can continue delivering services despite facing disruptions. An example is site resilience, which is used to ensure the availability of networks, data centers, or other infrastructure when a disruption happens. There are three types of recovery sites used for site resilience:
Hot sites: A fully operational facility that is a duplicate of an organization’s primary environment. Hot sites can be activated immediately when an organization’s primary site experiences failure or disruption.
Warm sites: A facility that contains an updated and configured copy of the primary environment. Unlike hot sites, warm sites are not fully operational and available for immediate use, but they can quickly be made operational when a failure or disruption occurs.
Cold sites: A backup facility equipped with some of the necessary infrastructure required to operate an organization’s site. When a disruption or failure occurs, cold sites might not be ready for immediate use and might need additional work to be operational.
Containment, Eradication and Recovery phase of the NIST Incident Response Lifecycle
Terms and definitions from Course 6, Module 3
Analysis: The investigation and validation of alerts
Broken chain of custody: Inconsistencies in the collection and logging of evidence in the chain of custody
Business continuity plan (BCP): A document that outlines the procedures to sustain business operations during and after a significant disruption
Chain of custody: The process of documenting evidence possession and control during an incident lifecycle
Containment: The act of limiting and preventing additional damage caused by an incident
Crowdsourcing: The practice of gathering information using public input and collaboration
Detection: The prompt discovery of security events
Documentation: Any form of recorded content that is used for a specific purpose
Eradication: The complete removal of the incident elements from all affected systems
Final report: Documentation that provides a comprehensive review of an incident
Honeypot: A system or resource created as a decoy vulnerable to attacks with the purpose of attracting potential intruders
Incident response plan: A document that outlines the procedures to take in each step of incident response
Indicators of attack (IoA): The series of observed events that indicate a real-time incident
Indicators of compromise (IoC): Observable evidence that suggests signs of a potential security incident
Intrusion detection system (IDS): An application that monitors system activity and alerts on possible intrusions
Lessons learned meeting: A meeting that includes all involved parties after a major incident
Open-source intelligence (OSINT): The collection and analysis of information from publicly available sources to generate usable intelligence
Playbook: A manual that provides details about any operational action
Post-incident activity: The process of reviewing an incident to identify areas for improvement during incident handling
Recovery: The process of returning affected systems back to normal operations
Resilience: The ability to prepare for, respond to, and recover from disruptions
Standards: References that inform how to set policies
Threat hunting: The proactive search for threats on a network
Threat intelligence: Evidence-based threat information that provides context about existing or emerging threats
Triage: The prioritizing of incidents according to their level of importance or urgency
VirusTotal: A service that allows anyone to analyze suspicious files, domains, URLs, and IP addresses for malicious content
Telemetry is the collection and transmission of data for analysis.
An endpoint is any device connected on a network, such as a laptop, tablet, desktop computer, or a smartphone. Endpoints are entry points into a network, which makes them key targets for malicious actors looking to gain unauthorized access into a system.
A network-based intrusion detection system (NIDS) collects and analyzes network traffic and network data.
Signature analysis is a detection method used to find events of interest. A signature specifies a set of rules that an IDS refers to when it monitors activity. If the activity matches the rules in the signature, the IDS logs it and sends out an alert. For example, a signature can be written to generate an alert if a failed login on a system happens three times in a row, which suggests a possible password attack.
Typically, the action is the first item specified in a signature. It determines what the sensor does when the rule criteria are met. Actions differ across NIDS rule languages, but common ones are alert (log and raise an alert), pass (stop inspecting the packet against further rules), and, in inline IPS mode, drop or reject (discard the packet, with reject also sending a TCP reset or ICMP error back to the sender).
The header defines the signature’s network traffic. These include information such as source and destination IP addresses, source and destination ports, protocols, and traffic direction.
The first word specifies the signature’s ACTION. For this signature, the action is alert. This means that the signature generates an alert when all of the conditions are met. The next part of the signature is the HEADER. It specifies the protocol http. The source address is $HOME_NET, a variable that stands for the organization’s internal address ranges, and the source port is any. The arrow (->) indicates the direction of traffic: coming from the home network and going to the destination $EXTERNAL_NET (everything not in $HOME_NET) on any destination port.
The last part of the signature includes the RULE OPTIONS. They’re enclosed in parentheses and separated by semicolons. There are many options listed here, but we’ll focus on the message, flow, and content options. The msg option sets the message “GET on wire” that is shown once the alert is triggered. The flow option matches on the state and direction of the network flow. Here, it’s established, meaning the TCP connection has been successfully set up, so the signature ignores unanswered SYNs and other half-open traffic. The content option inspects the content of a packet. Here, between the quotation marks, the text GET is specified. GET is an HTTP request method used to retrieve data from a server. This means the signature will match when the inspected buffer contains the text GET, indicating a request.
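The signature just described, as an added example that is not course material or Suricata’s own code: a small Python evaluator that splits a Suricata-style rule into its action, header, and rule options, then applies it to constructed flow records. RULE is reconstructed from the description above (the sid and rev values and the http_method modifier are assumptions), $HOME_NET is assumed to be 10.0.0.0/8, and the four FlowRecord entries are invented to exercise each part of the rule.

```python
"""Parse a Suricata-style signature into action, header and rule options and
evaluate it against flow records.

Added example for these notes, not Suricata's code. RULE is reconstructed from
the signature described above (sid, rev and http_method are assumptions);
$HOME_NET is assumed to be 10.0.0.0/8; SAMPLE_FLOWS is made up."""
import ipaddress
import re
from dataclasses import dataclass

RULE = ('alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"GET on wire"; '
        'flow:established,to_server; content:"GET"; http_method; sid:12345; rev:3;)')

HOME_NET = [ipaddress.ip_network("10.0.0.0/8")]   # assumed; a real sensor reads this from suricata.yaml

# ACTION PROTO SRC SPORT DIRECTION DST DPORT (OPTIONS)
HEADER_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<direction>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<options>.*)\)\s*$")
# keyword[:value]; a quoted value may itself contain semicolons
OPTION_RE = re.compile(r'(\w+)(?::((?:"[^"]*"|[^;])*))?;')


@dataclass
class FlowRecord:
    """One request as a NIDS reconstructs it from a TCP flow (constructed data)."""
    proto: str           # detected application protocol, e.g. "http"
    src: str
    sport: int
    dst: str
    dport: int
    established: bool    # TCP handshake completed
    to_server: bool      # this message travels client -> server
    method: str          # HTTP method buffer, inspected by the http_method modifier
    payload: bytes       # raw request bytes, the default content buffer


def parse_rule(text: str) -> dict:
    m = HEADER_RE.match(text)
    if not m:
        raise ValueError("malformed rule")
    options = [(k, v.strip().strip('"') if v else None) for k, v in OPTION_RE.findall(m["options"])]
    header = {k: m[k] for k in ("proto", "src", "sport", "direction", "dst", "dport")}
    return {"action": m["action"], "header": header, "options": options}


def addr_matches(group: str, ip: str) -> bool:
    """Resolve any / $HOME_NET / $EXTERNAL_NET / a CIDR (negation and lists not handled)."""
    addr = ipaddress.ip_address(ip)
    if group == "any":
        return True
    home = any(addr in net for net in HOME_NET)
    if group == "$HOME_NET":
        return home
    if group == "$EXTERNAL_NET":
        return not home
    return addr in ipaddress.ip_network(group, strict=False)


def port_matches(spec: str, port: int) -> bool:
    return spec == "any" or int(spec) == port


def matches(rule: dict, rec: FlowRecord) -> bool:
    h = rule["header"]
    if h["proto"] != rec.proto:
        return False
    forward = (addr_matches(h["src"], rec.src) and port_matches(h["sport"], rec.sport)
               and addr_matches(h["dst"], rec.dst) and port_matches(h["dport"], rec.dport))
    backward = (addr_matches(h["src"], rec.dst) and port_matches(h["sport"], rec.dport)
                and addr_matches(h["dst"], rec.src) and port_matches(h["dport"], rec.sport))
    if not (forward or (h["direction"] == "<>" and backward)):
        return False
    opts = rule["options"]
    for i, (key, value) in enumerate(opts):
        if key == "flow":
            flags = value.split(",")
            if (("established" in flags and not rec.established)
                    or ("to_server" in flags and not rec.to_server)
                    or ("to_client" in flags and rec.to_server)):
                return False
        elif key == "content":
            # An http_method modifier directly after content restricts it to the method buffer.
            modifier = opts[i + 1][0] if i + 1 < len(opts) else None
            haystack = rec.method.encode() if modifier == "http_method" else rec.payload
            if value.encode() not in haystack:
                return False
    return True


def evaluate(rule_text: str, records: list) -> list:
    """Return one '<action> [sid] <msg> src:port -> dst:port' line per matching record."""
    rule = parse_rule(rule_text)
    opts = dict(rule["options"])
    return [f'{rule["action"]} [{opts["sid"]}] {opts["msg"]} {r.src}:{r.sport} -> {r.dst}:{r.dport}'
            for r in records if matches(rule, r)]


SAMPLE_FLOWS = [  # constructed events
    FlowRecord("http", "10.0.0.5", 51000, "198.51.100.7", 80, True, True, "GET", b"GET /index.html HTTP/1.1\r\n\r\n"),
    FlowRecord("http", "10.0.0.5", 51001, "198.51.100.7", 80, True, True, "POST", b"POST /search HTTP/1.1\r\n\r\nq=GET+started"),
    FlowRecord("http", "198.51.100.9", 40000, "10.0.0.20", 80, True, True, "GET", b"GET /admin HTTP/1.1\r\n\r\n"),
    FlowRecord("http", "10.0.0.5", 51002, "198.51.100.7", 80, False, True, "GET", b"GET / HTTP/1.1\r\n\r\n"),
]

if __name__ == "__main__":
    print("\n".join(evaluate(RULE, SAMPLE_FLOWS)))
```

Only the first record fires. The POST contains the bytes GET in its body, but the http_method modifier scopes the content match to the method buffer, so it does not match; the inbound GET fails the header because its source is not in $HOME_NET and the rule direction is ->; the last GET fails flow:established. Those three non-matches are exactly the distinctions the header, flow, and content options encode.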
Alert logs contain information that’s relevant to security investigations. Usually this is the output of signatures which have triggered an alert. For example, a signature that detects suspicious traffic across the network generates an alert log that captures details of that traffic.
While network telemetry logs contain information about network traffic flows, network telemetry is not always security relevant; it simply records what’s happening on a network, such as a connection being made to a specific port. Both of these log types provide information to build a story during an investigation.
Anomaly-based analysis: A detection method that identifies abnormal behavior
Array: A data type that stores data in a comma-separated ordered list
Common Event Format (CEF): A log format that uses key-value pairs to structure data and identify fields and their corresponding values
Configuration file: A file used to configure the settings of an application
Endpoint: Any device connected on a network
Endpoint detection and response (EDR): An application that monitors an endpoint for malicious activity
False positive: An alert that incorrectly detects the presence of a threat
Host-based intrusion detection system (HIDS): An application that monitors the activity of the host on which it’s installed
Intrusion detection systems (IDS): An application that monitors system activity and alerts on possible intrusions
Key-value pair: A set of data that represents two linked items: a key, and its corresponding value
Log: A record of events that occur within an organization’s systems
Log analysis: The process of examining logs to identify events of interest
Log management: The process of collecting, storing, analyzing, and disposing of log data
Logging: The recording of events occurring on computer systems and networks
Network-based intrusion detection system (NIDS): An application that collects and monitors network traffic and network data
Object: A data type that stores data in a comma-separated list of key-value pairs
Search Processing Language (SPL): Splunk’s query language
Security information and event management (SIEM): An application that collects and analyzes log data to monitor critical activities in an organization
Signature: A pattern that is associated with malicious activity
Signature analysis: A detection method used to find events of interest
Suricata: An open-source intrusion detection system, intrusion prevention system, and network analysis tool
Telemetry: The collection and transmission of data for analysis
Wildcard: A special character that can be substituted with any other character
YARA-L: A computer language used to create rules for searching through ingested log data
Zero-day: An exploit that was previously unknown