Course 6 - Sound the Alarm: Detection and Response

Question 1

To recall, the five core functions of the NIST CSF are:

Answer 1

identify, protect, detect, respond, and recover.

Question 2

The NIST incident response lifecycle is another NIST framework with additional substeps dedicated to incident response. It begins with preparation. Next, detection and analysis, and then containment, eradication and recovery, and finally post-incident activity.

Question 3

According to NIST, an incident is “an occurrence that actually or imminently jeopardizes, without lawful authority, the confidentiality, integrity, or availability of information or an information system; or constitutes a violation or imminent threat of violation of law, security policies, security procedures, or acceptable use policies.”

Question 4

An event is an observable occurrence on a network, system, or device.

Question 5

five W’s of an incident: who triggered the incident, what happened, when the incident took place, where the incident took place, and why the incident occurred.

Answer 5

who triggered the incident,

what happened,

when the incident took place,

where the incident took place,

why the incident occurred.

Question 6

Computer security incident response teams, or CSIRTs, are a specialized group of security professionals that are trained in incident management and response.

Question 7

Depending on the organization, a CSIRT can also be referred to as an Incident Handling Team, or IHT, or Security Incident Response Team, SIRT.

Question 8

Question 9

National Institute of Standards and Technology (NIST) Incident Response Lifecycle

Answer 9

Preparation

Detection and Analysis

Containment, Eradication, and Recovery

Post-incident activity

Question 10

A computer security incident response team (CSIRT) is a specialized group of security professionals that are trained in incident management and response. During incident response, teams can encounter a variety of different challenges. For incident response to be effective and efficient, there must be clear command, control, and communication of the situation to achieve the desired goal.

Command refers to having the appropriate leadership and direction to oversee the response.

Control refers to the ability to manage technical aspects during incident response, like coordinating resources and assigning tasks.

Communication refers to the ability to keep stakeholders informed.

Question 11

Question 12

Question 13

Question 14

Question 15

Question 16

Question 17

Question 18

Question 19

Question 20

An incident response plan is a…

Answer 20

…document that outlines the procedures to take in each step of incident response

Question 21

Question 22

An ______________ is an application that monitors system and network activity, and produces alerts on possible intrusions.

Answer 22

intrusion detection system

Question 23

___________ have all the same capabilities as an IDS, but they can do more. They monitor system activity for intrusions and take action to stop it.

Answer 23

Intrusion prevention systems, or IPS,

Question 24

Many tools have the ability to perform the function of both IDS and IPS. Some popular tools are….

Answer 24

Snort
Zeek
Kismet
Sagan
Suricata

Question 25

Question 26

Question 27

Question 28

SIEM is a tool that collects and analyzes log data to monitor critical activities in an organization. SIEM provides security professionals with a high-level overview of what goes on in their networks.

Question 29

Question 30

Security orchestration, automation, and response, or SOAR, is a collection of applications, tools, and workflows that uses automation to respond to security events.

While SIEM tools collect, analyze, and report on security events for security analysts to review, SOAR automates analysis and response to security events and incidents. SOAR can also be used to track and manage cases. Multiple incidents can form a case, and SOAR offers a way to view all of these incidents in one centralized place.

Question 31

Question 32

A form of documentation used in incident response

Answer 32

Incident handler’s journal:

Question 33

A document that outlines the procedures to take in each step of incident response

Answer 33

Incident response plan:

Question 34

A framework for incident response consisting of four phases: Preparation; Detection and Analysis; Containment, Eradication, and Recovery; and Post-incident activity

Answer 34

National Institute of Standards and Technology (NIST) Incident Response Lifecycle:

Question 35

A manual that provides details about any operational action

Answer 35

Playbook:

Question 36

An application that collects and analyzes log data to monitor critical activities in an organization

Answer 36

Security information and event management (SIEM):

Question 37

An organizational unit dedicated to monitoring networks, systems, and devices for security threats or attacks

Answer 37

Security operations center (SOC):

Question 38

A collection of applications, tools, and workflows that uses automation to respond to security events

Answer 38

Security orchestration, automation, and response (SOAR):

Question 39

A state where there is no detection of malicious activity

Answer 39

True negative:

Question 40

An alert that correctly detects the presence of an attack

Answer 40

True positive

Question 41

Question 42

Question 43

Organizations may deploy a network operations center (NOC), which is an organizational unit that monitors the performance of a network and responds to any network disruption, such as a network outage. While a SOC is focused on maintaining the security of an organization through detection and response, a NOC is responsible for maintaining network performance, availability, and uptime.

Question 43

As part of an organization’s security policy, all assets should be cataloged in an asset inventory. The appropriate security controls should also be applied to protect these assets from unauthorized access.

Question 43

header, which includes information like the type of network protocol and port being used. Imagine this as being the name and mailing address located on an envelope.

The header also contains the packet’s source and destination IP address. We’ll explore more information contained in the header in a later section.

next, there’s the payload, which contains the actual data that’s being delivered. This is like the content of a letter inside of an envelope.

And there’s the footer, which signifies the end of the packet.

Question 43

Security analysts monitor networks to identify any signs of potential security incidents known as indicators of compromise (IoC) and protect networks from threats or attacks. To do this, they must understand the environment that network communications travel through so that they can identify deviations in network traffic.

Question 43

Network protocol analyzers, also known as packet sniffers, are tools designed to capture and analyze data traffic within a network. They can be used to analyze network communications manually in detail. Examples include tools such as tcpdump and Wireshark, which can be used by security professionals to record network communications through packet captures. Packet captures can then be investigated to identify potentially malicious activity.

Question 43

Question 44

Question 45

Question 46

Payload
The payload component directly follows the header and contains the actual data being delivered. Think back to the example of uploading an image to a website; the payload of this packet would be the image itself.

Question 47

Footer
The footer, also known as the trailer, is located at the end of a packet. The Ethernet protocol uses footers to provide error-checking information to determine if data has been corrupted. In addition, Ethernet network packets that are analyzed might not display footer information due to network configurations.

Note: Most protocols, such as the Internet Protocol (IP), do not use footers.

Question 48

Network protocol analyzers (packet sniffers) are tools designed to capture and analyze data traffic within a network. Examples of network protocol analyzers include tcpdump, Wireshark, and TShark.

Question 49

How network protocol analyzers work
Network protocol analyzers use both software and hardware capabilities to capture network traffic and display it for security analysts to examine and analyze. Here’s how:

First, packets must be collected from the network via the Network Interface Card (NIC), which is hardware that connects computers to a network, like a router. NICs receive and transmit network traffic, but by default they only listen to network traffic that’s addressed to them. To capture all network traffic that is sent over the network, a NIC must be switched to a mode that has access to all visible network data packets. In wireless interfaces this is often referred to as monitoring mode, and in other systems it may be called promiscuous mode. This mode enables the NIC to have access to all visible network data packets, but it won’t help analysts access all packets across a network. A network protocol analyzer must be positioned in an appropriate network segment to access all traffic between different hosts.

The network protocol analyzer collects the network traffic in raw binary format. Binary format consists of 0s and 1s and is not as easy for humans to interpret. The network protocol analyzer takes the binary and converts it so that it’s displayed in a human-readable format, so analysts can easily read and understand the information.

Question 50

Note: Using network protocol analyzers to intercept and examine private network communications without permission is considered illegal in many places.

P-cap files can come in many formats depending on the packet capture library that’s used. Each format has different uses and network tools may use or support specific packet capture file formats by default. You should be familiar with the following libraries and formats:

Libpcap is a packet capture library designed to be used by Unix-like systems, like Linux and MacOS®. Tools like tcpdump use Libpcap as the default packet capture file format.

WinPcap is an open-source packet capture library designed for devices running Windows operating systems. It’s considered an older file format and isn’t predominantly used.

Npcap is a library designed by the port scanning tool Nmap that is commonly used in Windows operating systems.

PCAPng is a modern file format that can simultaneously capture packets and store data. Its ability to do both explains the “ng,” which stands for “next generation.”

Pro tip: Analyzing your home network can be a good way to practice using these tools.

Question 51

The internet layer accepts and delivers packets for the network. It’s also the layer where the Internet Protocol operates as the foundation for all communications on the internet. It’s responsible for making sure packets reach their destinations.

The Internet Protocol operates like a mail courier delivering an envelope. Instead of using the delivery information found on the envelope, the Internet Protocol uses the information found in a packet header, like IP addresses. It then determines the best available route for packets to take, so that data can be sent and received between hosts.

Question 52

There are two different versions of the Internet Protocol: IPv4, which is considered to be the foundation of internet communications, and IPv6, which is the most recent version of the Internet Protocol. Remember, different protocols use different headers. So IPv4 and IPv6 headers differ, but they contain similar fields with different names. IPv4 is still the most widely used

Question 53

The next field, ToS stands for Type of Service. This field tells us if certain packets should be treated with different care. For example, think of ToS like a fragile sticker on a mailed package.

Question 54

Next, IHL stands for Internet Header Length. This field specifies the length of the IP header plus any options

Question 55

Next is the Total Length field, which identifies the length of the entire packet, including the headers and the data. This can be compared to the dimensions and weight of an envelope.

Question 56

Let’s start with the Version field, which specifies which version of IP is being used, either IPv4 or IPv6. Referring back to our mail analogy, the Version field is like the different classes of mail, like priority, express, or regular.

Question 57

The next three fields, Identification, Flags, and Fragment Offset, deal with information related to fragmentation. Fragmentation is when an IP packet gets broken up into chunks, which then get transmitted over the wire and reassembled when they arrive at their destination. These three fields specify if fragmentation has been used and how to reassemble the broken packets in the correct order. This is similar to how mail can travel through multiple routes like mailboxes, processing facilities, airplanes, and mail trucks before it reaches its destination.

Question 58

The TTL field stands for Time to Live. Like its name suggests, this field determines how long a packet can live before it gets dropped. Without this field, packets could loop through routers endlessly. TTL is similar to how tracking information provides details about an envelope’s expected delivery date.

Question 59

The Protocol field specifies the protocol used by providing a value which corresponds to a protocol. For example, TCP is represented by 6. This is similar to including the number of a house in a postal address.

Question 60

The Header Checksum stores a value called a checksum, which is used to determine if any errors have occurred in the header.

Question 61

The Source Address specifies the source IP address and the Destination Address specifies the destination IP address. This is just like the sender and receiver’s contact information found on an envelope.

Question 62

The Options field is not required and is commonly used for network troubleshooting rather than common traffic. If it’s used, the header length increases. It’s like purchasing postal insurance for an envelope.

Question 63

Finally, at the end of the packet header is where the packet’s data resides, like the text in an email message.

Question 64

IPv4
IPv4 is the most commonly used version of IP. There are thirteen fields in the header:

Version: This field indicates the IP version. For an IPv4 header, IPv4 is used.

Internet Header Length (IHL): This field specifies the length of the IPv4 header including any Options.

Type of Service (ToS): This field provides information about packet priority for delivery.

Total Length: This field specifies the total length of the entire IP packet including the header and the data.

Identification: Packets that are too large to send are fragmented into smaller pieces. This field specifies a unique identifier for fragments of an original IP packet so that they can be reassembled once they reach their destination.

Flags: This field provides information about packet fragmentation including whether the original packet has been fragmented and if there are more fragments in transit.

Fragment Offset: This field is used to identify the correct sequence of fragments.

Time to Live (TTL): This field limits how long a packet can be circulated in a network, preventing packets from being forwarded by routers indefinitely.

Protocol: This field specifies the protocol used for the data portion of the packet.

Header Checksum: This field specifies a checksum value which is used for error-checking the header.

Source Address: This field specifies the source address of the sender.

Destination Address: This field specifies the destination address of the receiver.

Options: This field is optional and can be used to apply security options to a packet.

Question 65

Question 66

Question 67

Question 68

Question 69

Question 70

Question 71

Question 72

Question 73

Question 74

Tcpdump is a popular network analyzer. It’s pre-installed on many Linux distributions and can be installed on most Unix-like operating systems, like macOS. You can easily capture and monitor network traffic such as TCP, IP, ICMP, and many more.

Question 75

Tcpdump is a command-line network protocol analyzer. Recall that a command-line interface (CLI) is a text-based user interface that uses commands to interact with the computer.

Question 76

Question 77

Question 78

Question 79

Question 80

Question 81

Question 82

Question 83

Question 84

Question 85

Question 86

Question 87

Question 88

Question 89

Question 90

A command that temporarily grants elevated permissions to specific users

Answer 90

Sudo:

Question 91

An open-source network protocol analyzer

Answer 91

Wireshark:

Question 92

A command-line network protocol analyzer

Answer 92

tcpdump:

Question 93

Question 94

Question 95

Question 96

Question 97

Question 98

Chain of custody is the process of documenting evidence possession and control during an incident lifecycle.

Question 99

Question 100

Question 101

Automated playbooks automate tasks in incident response processes. For example, tasks such as categorizing the severity of the incident or gathering evidence can be done using an automated playbook. Automated playbooks can help lower the time to resolution during an incident. SOAR and SIEM tools can be configured to automate playbooks.

Finally, semi-automated playbooks combine a person’s action with automation. Tedious, error-prone, or time-consuming tasks can be automated, while analysts can prioritize their time with other tasks. Semi-automated playbooks can help increase productivity and decrease time to resolution.

Question 102

Question 103

Question 104

Question 105

Containment is the act of limiting and preventing additional damage caused by an incident. Organizations outline their containment strategies in incident response plans. Containment strategies detail the actions that security teams should take after an incident has been detected. Different containment strategies are used for various incident types.

Question 106

Eradication involves the complete removal of the incident elements from all affected systems. For example, eradication actions include performing vulnerability tests and applying patches to vulnerabilities related to the threat.

Question 107

Recovery is the process of returning affected systems back to normal operations. An incident can disrupt key business operations and services. During recovery, any services that were impacted by the incident are brought back to normal operation. Recovery actions include: reimaging affected systems, resetting passwords, and adjusting network configurations like firewall rules.

Question 108

Similar to an incident response plan, a business continuity plan (BCP) is a document that outlines the procedures to sustain business operations during and after a significant disruption. A BCP helps organizations ensure that critical business functions can resume or can be quickly restored when an incident occurs.

Question 109

Site resilience
Resilience is the ability to prepare for, respond to, and recover from disruptions. Organizations can design their systems to be resilient so that they can continue delivering services despite facing disruptions. An example is site resilience, which is used to ensure the availability of networks, data centers, or other infrastructure when a disruption happens. There are three types of recovery sites used for site resilience:

Hot sites: A fully operational facility that is a duplicate of an organization’s primary environment. Hot sites can be activated immediately when an organization’s primary site experiences failure or disruption.

Warm sites: A facility that contains a fully updated and configured version of the hot site. Unlike hot sites, warm sites are not fully operational and available for immediate use but can quickly be made operational when a failure or disruption occurs.

Cold sites: A backup facility equipped with some of the necessary infrastructure required to operate an organization’s site. When a disruption or failure occurs, cold sites might not be ready for immediate use and might need additional work to be operational.

Question 110

Question 111

Containment, Eradication and Recovery phase of the NIST Incident Response Lifecycle

Question 112

Question 113

Question 114

Terms and definitions from Course 6, Module 3
Analysis: The investigation and validation of alerts

Broken chain of custody: Inconsistencies in the collection and logging of evidence in the chain of custody

Business continuity plan (BCP): A document that outlines the procedures to sustain business operations during and after a significant disruption

Chain of custody: The process of documenting evidence possession and control during an incident lifecycle

Containment: The act of limiting and preventing additional damage caused by an incident

Crowdsourcing: The practice of gathering information using public input and collaboration

Detection: The prompt discovery of security events

Documentation: Any form of recorded content that is used for a specific purpose

Eradication: The complete removal of the incident elements from all affected systems

Final report: Documentation that provides a comprehensive review of an incident

Honeypot: A system or resource created as a decoy vulnerable to attacks with the purpose of attracting potential intruders

Incident response plan: A document that outlines the procedures to take in each step of incident response

Indicators of attack (IoA): The series of observed events that indicate a real-time incident

Indicators of compromise (IoC): Observable evidence that suggests signs of a potential security incident

Intrusion detection system (IDS): An application that monitors system activity and alerts on possible intrusions

Lessons learned meeting: A meeting that includes all involved parties after a major incident

Open-source intelligence (OSINT): The collection and analysis of information from publicly available sources to generate usable intelligence

Playbook: A manual that provides details about any operational action

Post-incident activity: The process of reviewing an incident to identify areas for improvement during incident handling

Recovery: The process of returning affected systems back to normal operations

Resilience: The ability to prepare for, respond to, and recover from disruptions

Standards: References that inform how to set policies

Threat hunting: The proactive search for threats on a network

Threat intelligence: Evidence-based threat information that provides context about existing or emerging threats

Triage: The prioritizing of incidents according to their level of importance or urgency

VirusTotal: A service that allows anyone to analyze suspicious files, domains, URLs, and IP addresses for malicious content

Question 115

Question 116

Question 117

Question 118

Question 119

Question 120

Question 121

Question 122

Question 123

Question 124

Telemetry is the collection and transmission of data for analysis.

Question 125

An endpoint is any device connected on a network, such as a laptop, tablet, desktop computer, or a smartphone. Endpoints are entry points into a network, which makes them key targets for malicious actors looking to gain unauthorized access into a system.

Question 126

network-based intrusion detection system collects and analyzes network traffic and network data.

Question 127

Signature analysis is a detection method used to find events of interest. A signature specifies a set of rules that an IDS refers to when it monitors activity. If the activity matches the rules in the signature, the IDS logs it and sends out an alert. For example, a signature can be written to generate an alert if a failed login on a system happens three times in a row, which suggests a possible password attack.

Question 128

Question 129

Question 130

Question 131

Question 132

Question 133

Question 134

Typically, the action is the first item specified in a signature. This determines the action to take if the rule criteria matches are met. Actions differ across NIDS rule languages, but some common actions are: alert, pass, or reject.

Question 135

The header defines the signature’s network traffic. These include information such as source and destination IP addresses, source and destination ports, protocols, and traffic direction.

Question 136

Question 137

Question 138

Question 139

The first word specifies the signature’s ACTION. For this signature, the action is alert. This means that the signature generates an alert when all of the conditions are met. The next part of the signature is the HEADER. It specifies the protocol http. The source IP address is HOME_NET and source port is defined as ANY. The arrow indicates the direction of traffic coming from the home network and going to the destination IP address EXTERNAL_NET and ANY destination port.

Question 140

The last part of the signature includes the RULE OPTIONS. They’re enclosed in parentheses and separated by semicolons. There’s many options listed here, but we’ll focus on the message, flow, and content options. The message option will show the message “GET on wire” once the alert is triggered. The flow option is used to match on direction of network traffic flow. Here, it’s established. This means that a connection has been successfully made. The content option inspects the content of a packet. Here, between the quotation marks, the text GET is specified. GET is an HTTP request that’s used to retrieve and request data from a server. This means the signature will match if a network packet contains the text GET, indicating a request.

Question 141

Alert logs contain information that’s relevant to security investigations. Usually this is the output of signatures which have triggered an alert. For example, a signature that detects suspicious traffic across the network generates an alert log that captures details of that traffic.

Question 142

While network telemetry logs contain information about network traffic flows, network telemetry is not always security relevant, it’s simply recording what’s happening on a network, such as a connection being made to a specific port. Both of these log types provide information to build a story during an investigation.

Question 143

Question 144

Question 145

Question 146

Question 147

Question 148

Question 149

Question 150

Question 151

Question 152

Question 153

Question 154

Question 155

Anomaly-based analysis: A detection method that identifies abnormal behavior

Array: A data type that stores data in a comma-separated ordered list

Common Event Format (CEF): A log format that uses key-value pairs to structure data and identify fields and their corresponding values

Configuration file: A file used to configure the settings of an application

Endpoint: Any device connected on a network

Endpoint detection and response (EDR): An application that monitors an endpoint for malicious activity

False positive: An alert that incorrectly detects the presence of a threat

Host-based intrusion detection system (HIDS): An application that monitors the activity of the host on which it’s installed

Intrusion detection systems (IDS): An application that monitors system activity and alerts on possible intrusions

Key-value pair: A set of data that represents two linked items: a key, and its corresponding value

Log: A record of events that occur within an organization’s systems

Log analysis: The process of examining logs to identify events of interest

Log management: The process of collecting, storing, analyzing, and disposing of log data

Logging: The recording of events occurring on computer systems and networks

Network-based intrusion detection system (NIDS): An application that collects and monitors network traffic and network data

Object: A data type that stores data in a comma-separated list of key-value pairs

Search Processing Language (SPL): Splunk’s query language

Security information and event management (SIEM): An application that collects and analyzes log data to monitor critical activities in an organization

Signature: A pattern that is associated with malicious activity

Signature analysis: A detection method used to find events interest

Suricata: An open-source intrusion detection system, intrusion prevention system, and network analysis tool

Telemetry: The collection and transmission of data for analysis

Wildcard: A special character that can be substituted with any other character

YARA-L: A computer language used to create rules for searching through ingested log data

Zero-day: An exploit that was previously unknown

Question 156