Domain 7 - Security Operations Flashcards
Describe the proper process during an Incident Scene.
- ID the Scene
- Protect the environment
- ID evidence and potential sources of evidence
- Collect evidence
- Hash the collected evidence and minimize the degree of contamination
Locard's Exchange Principle
Every contact leaves a trace: perpetrators leave something behind at the scene and take something away with them.
What are the important factors within Evidence?
Sufficient, reliable, relevant, permissible, preserved and identifiable
Sufficient
persuasive enough to convince one of its validity
Reliable
consistent with fact, evidence has not been tampered with or modified
Relevant
The relationship to the findings must be reasonable and sensible: proof of the crime, documentation of events, proof of the acts and methods used, proof of motive, identification of the acts
Permissible
Evidence must be obtained lawfully; avoid unlawful search and seizure, secret recording, privacy violations, forced confessions and any other unlawful means of obtaining evidence
Preserved and identifiable
Preserved through controlled collection and reconstruction; identifiable through labeling and recording
Identification
Labeling, recording serial numbers, etc. Evidence must be preserved and identifiable.
Evidence handling activities: collection, documentation, classification, comparison, reconstruction
EVIDENCE LIFECYCLE
- Discovery
- Protection
- Recording
- Collection and identification
- Analysis
- Storage, preservation, transportation
- Present in court
- Return to owner
Establishing that evidence is trustworthy: witnesses who can attest to its trustworthiness, a description of the procedures used, collection by normal business methods, and the precautions taken against errors and their correction
Best Evidence
- Primary evidence: used at trial because it is the most reliable.
- Original documents: used to document things such as contracts.
- NOTE: no copies!
- Note: oral testimony is not best evidence, though it may provide interpretation of documents, etc.
Secondary Evidence
- Not as strong as best evidence.
- A copy (secondary evidence) is not permitted if the original (best evidence) is available; e.g., copies of documents.
- Oral evidence such as witness testimony.
Direct Evidence
- Can prove a fact by itself and does not need any type of backup.
- Testimony from a witness about something they perceived with one of their five senses.
- Oral testimony is a type of secondary evidence, so under the best evidence rule a case usually cannot stand on it alone; but as direct evidence it needs no other evidence to substantiate the fact the witness perceived.
Conclusive evidence
–Irrefutable and cannot be contradicted
–Requires no other corroboration
Circumstantial evidence
–Used to help assume another fact
–Cannot stand on its own to directly prove a fact
Corroborative Evidence
Supports or substantiates other evidence presented in a case
Hearsay Evidence
Testimony about something a witness heard another person say. Computer-generated records (anything printed or displayed) are also second-hand and therefore hearsay. Exception: audit trails and other business records are admissible when the documents were created in the normal course of business (the business records exception).
Interviewing
Gathers facts and determines the substance of the case.
Interrogation
- An evidence-gathering method whose ultimate goal is to obtain a confession.
The Process (interview/interrogation)
- Prepare questions and topics, put the witness at ease, summarize the information
- Follow an interview/interrogation plan
- Have one person as lead and 1-2 others involved as well
- Never interrogate or interview alone
Opinion Rule
Requires ordinary (lay) witnesses to testify only about the facts of the case; their opinions cannot be used as evidence.
Expert Witnesses
- Used to educate the jury; an expert's opinion can be used as evidence.
Six principles (the IOCE principles) to guide digital evidence technicians as they perform media analysis, network analysis, and software analysis in the pursuit of forensically recovered evidence:
1. When dealing with digital evidence, all of the general forensic and procedural principles must be applied.
2. Upon seizing digital evidence, actions taken should not change that evidence.
3. When it is necessary for a person to access original digital evidence, that person should be trained for the purpose.
4. All activity relating to the seizure, access, storage, or transfer of digital evidence must be fully documented, preserved, and available for review.
5. An individual is responsible for all actions taken with respect to digital evidence while the digital evidence is in their possession.
6. Any agency that is responsible for seizing, accessing, storing, or transferring digital evidence is responsible for compliance with these principles.
Media analysis
A branch of computer forensic analysis that involves the identification and extraction of information from storage media, which may include:
- Magnetic media (e.g., hard disks, tapes)
- Optical media (e.g., CDs, DVDs, Blu-ray discs)
- Memory (e.g., RAM, solid state storage)
Techniques used for media analysis include the recovery of deleted files from unallocated sectors of the physical disk, the live analysis of storage media connected to a running computer system (especially useful when examining encrypted media), and the static analysis of forensic images of storage media.
Network Analysis
Forensic investigators are also often interested in the activity that took place over the network during a security incident. Network forensic analysis therefore usually depends on either prior knowledge that an incident is underway or on preexisting security controls that log network activity, such as:
- Intrusion detection and prevention system logs
- Network flow data captured by a flow monitoring system
- Packet captures deliberately collected during an incident
- Logs from firewalls and other network security devices
The task of the network forensic analyst is to collect and correlate information from these disparate sources and produce as comprehensive a picture of network activity as possible.
Software Analysis
Forensic analysts may also be called on to conduct forensic reviews of applications or of the activity that takes place within a running application. In some cases, when malicious insiders are suspected, the forensic analyst may be asked to review software code, looking for back doors, logic bombs, or other security vulnerabilities. In other cases, forensic analysts may be asked to review and interpret the log files from application or database servers, seeking signs of malicious activity such as SQL injection attacks, privilege escalations, or other application attacks.
Hardware/ Embedded Device Analysis
Forensic analysts often must review the contents of hardware and embedded devices, including personal computers and smartphones.
Admissible Evidence
- The evidence must be relevant to determining a fact.
- The fact that the evidence seeks to determine must be material (that is, related) to the case.
- The evidence must be competent, meaning it must have been obtained legally. Evidence that results from an illegal search would be inadmissible because it is not competent.
Five rules of evidence
- Be authentic; evidence tied back to scene
- Be accurate; maintain authenticity and veracity
- Be complete; all evidence collected, for & against view
- Be convincing; clear & easy to understand for jury
- Be admissible; be able to be used in court
Forensic Disk Controller
A hardware device that intercepts and modifies or discards commands sent to the storage device. Its functions:
- Write blocking: intercepts write commands sent to the device and prevents them from modifying data on the device
- Returns the data requested by a read operation
- Returns access-significant information from the device
- Reports errors from the device to the forensic host
Logs taken in the normal course of business
Admissible as business records (an exception to the hearsay rule).
MOM
means, opportunity and motive
Victimology
Why certain people are victims of crime and how lifestyle affects the chances that a certain person will fall victim to a crime.
Types of Investigations
- Operational
- Criminal
- Civil
- eDiscovery
What is a very important step when investigating a hard drive?
Work from a forensic image acquired through a write blocker (or with the file system mounted read-only). Even computing message digests over files on a writable mount can update file timestamps (e.g., access times) and contaminate the evidence; hash the image itself and verify that hash again after analysis.
Slack space on a disk should be inspected for hidden data and should be included in a disk image (a logical copy of the files does not capture it).
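The two cards above in working form, as an added example that is not part of the original flashcards: the image is hashed through a read-only descriptor before and after analysis, and the file slack of a file on a 512-byte-cluster volume is carved for remnants of deleted data. The volume, the file sizes, the cluster size and the remnant text are all constructed for the example; the card number is a well-known test number, not a real account.

```python
"""Added example (not from the flashcards): hash a disk image through a
read-only descriptor, carve the file slack of one file, and re-hash to show
the analysis left the image unchanged.  The image is a constructed
512-byte-cluster volume, not real evidence."""
import hashlib
import os
import re
import tempfile

CLUSTER_SIZE = 512          # assumed cluster size of the constructed volume
FILE_LOGICAL_SIZE = 700     # the one live file on the volume, starting at cluster 0
CARD_RE = re.compile(rb"\b\d{4}-\d{4}-\d{4}-\d{4}\b")


def build_sample_image() -> bytes:
    """Constructed 4-cluster volume. A deleted file's remnant still sits in
    cluster 1; a newer 700-byte file was written over clusters 0-1, so the
    tail of the remnant survives in the new file's slack (bytes 700-1023)."""
    image = bytearray(CLUSTER_SIZE * 4)
    remnant = b"OLD PAYROLL: acct=4111-1111-1111-1111 owner=jdoe " * 8   # 392 bytes
    image[CLUSTER_SIZE:CLUSTER_SIZE + len(remnant)] = remnant
    current = (b"Quarterly report, nothing to see here. " * 18)[:FILE_LOGICAL_SIZE]
    image[0:FILE_LOGICAL_SIZE] = current
    return bytes(image)


def sha256_file(path: str) -> str:
    """Chunked SHA-256 over a descriptor opened O_RDONLY: the evidence file is
    never opened for writing, and only its content (not metadata) is hashed."""
    digest = hashlib.sha256()
    fd = os.open(path, os.O_RDONLY)
    with os.fdopen(fd, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def file_slack(image: bytes, start_cluster: int, logical_size: int,
               cluster_size: int = CLUSTER_SIZE) -> bytes:
    """Bytes between a file's logical end and the end of its last allocated
    cluster. A logical file copy never includes them; a raw image does."""
    allocated = -(-logical_size // cluster_size) * cluster_size   # round up to whole clusters
    base = start_cluster * cluster_size
    return image[base + logical_size: base + allocated]


def carve_card_numbers(blob: bytes) -> list:
    """Simple carving: card-number-shaped strings found in arbitrary bytes."""
    return [m.decode("ascii") for m in CARD_RE.findall(blob)]


def analyze_image(image: bytes) -> dict:
    """Write the constructed image to a temp file (standing in for a raw dd
    acquisition), hash it, carve the slack, then hash again to prove the
    analysis did not alter the evidence."""
    with tempfile.NamedTemporaryFile(delete=False, suffix=".dd") as tmp:
        tmp.write(image)
        path = tmp.name
    try:
        acquisition_hash = sha256_file(path)    # recorded in the chain-of-custody log
        with open(path, "rb") as fh:
            data = fh.read()
        slack = file_slack(data, start_cluster=0, logical_size=FILE_LOGICAL_SIZE)
        findings = carve_card_numbers(slack)
        verification_hash = sha256_file(path)   # must match before findings are reported
    finally:
        os.unlink(path)
    return {
        "acquisition_hash": acquisition_hash,
        "verification_hash": verification_hash,
        "integrity_ok": acquisition_hash == verification_hash,
        "slack_bytes": len(slack),
        "card_numbers": findings,
    }


if __name__ == "__main__":
    print(analyze_image(build_sample_image()))
```

The 324 bytes of slack (1024 allocated minus 700 logical) still contain four complete copies of the deleted payroll record's card number, which a copy of the live file would never have shown; the matching before and after hashes are what the chain-of-custody record needs.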
Common Law
USA, UK, Australia, Canada (judge-made precedent)
Civil Law
Continental Europe, South America (codified statutes)
Islamic (Sharia) and other religious law
Middle East, parts of Africa, Indonesia
United States 3 Branches for Laws
Legislative: writing laws (statutory laws).
Executive: enforces laws (administrative laws)
Judicial: interprets laws (creates common law out of court decisions)
What are the 3 categories of law?
Criminal law
Civil law
Administrative/Regulatory law
Criminal law
Applies to individuals who violate government laws. Punishment is mostly imprisonment.
Civil law
Wrongs against an individual or organization that result in damage or loss.
Punishment can include financial penalties. AKA tort law (I'll sue you!). A jury decides liability.
Administrative/Regulatory law
How industries, organizations and officers have to act. Wrongs can be penalized with imprisonment or financial penalties.
Uniform Computer Information Transactions Act (UCITA)
A model (uniform) state law, not a federal statute, adopted only in Maryland and Virginia, that provides a common framework for the conduct of computer-related business transactions.
UCITA contains provisions that address software licensing.
The terms of UCITA give legal backing to the previously questionable practices of shrink-wrap licensing and click-wrap licensing by giving them status as legally binding contracts.
Computer Crime Laws -3 types of harm
- unauthorized intrusion,
- unauthorized alteration or destruction
- malicious code
Admissible evidence
relevant, sufficient, reliable, does not have to be tangible
Hearsay
Second-hand evidence; generally not admissible in court (subject to exceptions such as business records)
Enticement
The legal act of luring an intruder who has already decided to commit a crime, e.g., with a honeypot
Entrapment
The illegal act of inducing a crime; the individual had no intent of committing the crime at first
Federal Sentencing Guidelines
Provide judges and courts with guidance on sentencing; organizations that have programs for the prevention, detection and reporting of offenses are treated more leniently
SIEM
Security information and event management
Automates much of the routine work of log review. Provides real-time collection, correlation and analysis of events occurring on systems throughout an organization, but does not necessarily inspect outgoing traffic (that is the role of DLP).
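What "automating log review" means in practice, as an added example that is not part of the original flashcards: log lines from two sources (an sshd syslog format and a Windows-style logon record) are normalized to one schema, then a correlation rule counts failed logins per user and source inside a time window and escalates when a success follows. All log lines, hostnames, usernames and addresses are constructed for the example.

```python
"""Added example (not from the flashcards): a miniature SIEM correlation
rule run over constructed log lines from two sources."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (made-up hosts, users and addresses).
SAMPLE_LOGS = [
    "2024-03-01T10:00:01Z sshd[101]: Failed password for alice from 10.0.0.5 port 5001 ssh2",
    "2024-03-01T10:00:03Z sshd[101]: Failed password for alice from 10.0.0.5 port 5002 ssh2",
    "2024-03-01T10:00:05Z sshd[101]: Failed password for alice from 10.0.0.5 port 5003 ssh2",
    "2024-03-01T10:00:06Z sshd[101]: Failed password for alice from 10.0.0.5 port 5004 ssh2",
    "2024-03-01T10:00:09Z sshd[101]: Accepted password for alice from 10.0.0.5 port 5005 ssh2",
    "2024-03-01T10:00:20Z winlogon: EventID=4625 user=bob src=10.0.0.7 outcome=failure",
    "2024-03-01T10:00:21Z winlogon: EventID=4624 user=bob src=10.0.0.7 outcome=success",
    "2024-03-01T10:05:00Z sshd[102]: Failed password for root from 203.0.113.9 port 6001 ssh2",
    "2024-03-01T10:05:01Z sshd[102]: Failed password for root from 203.0.113.9 port 6002 ssh2",
    "2024-03-01T10:05:02Z sshd[102]: Failed password for root from 203.0.113.9 port 6003 ssh2",
]

SSHD_RE = re.compile(r"^(?P<ts>\S+) sshd\[\d+\]: (?P<outcome>Failed|Accepted) password "
                     r"for (?P<user>\S+) from (?P<src>\S+)")
WIN_RE = re.compile(r"^(?P<ts>\S+) winlogon: EventID=(?P<eid>\d+) user=(?P<user>\S+) src=(?P<src>\S+)")


def _ts(text: str) -> datetime:
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ")


def normalize(line: str):
    """Map a raw line from either source onto one event schema; lines that
    match neither parser are dropped (a production SIEM would count them)."""
    m = SSHD_RE.match(line)
    if m:
        outcome = "success" if m["outcome"] == "Accepted" else "failure"
        return {"ts": _ts(m["ts"]), "user": m["user"], "src": m["src"],
                "outcome": outcome, "source": "sshd"}
    m = WIN_RE.match(line)
    if m:
        outcome = "success" if m["eid"] == "4624" else "failure"   # 4624 logon, 4625 failed logon
        return {"ts": _ts(m["ts"]), "user": m["user"], "src": m["src"],
                "outcome": outcome, "source": "windows"}
    return None


def _alert(rule: str, ev: dict, failures: int) -> dict:
    return {"rule": rule, "user": ev["user"], "src": ev["src"],
            "failures": failures, "ts": ev["ts"].isoformat()}


def correlate(lines, threshold: int = 3, window: timedelta = timedelta(seconds=60)) -> list:
    """Rule: `threshold` failures for one (user, src) inside `window` raise
    brute_force_attempt; a success while that many failures are still in the
    window raises brute_force_success. A success resets the counter."""
    events = sorted((e for e in map(normalize, lines) if e), key=lambda e: e["ts"])
    recent_failures = defaultdict(list)      # (user, src) -> failure timestamps in window
    alerts = []
    for ev in events:
        key = (ev["user"], ev["src"])
        hits = [t for t in recent_failures[key] if ev["ts"] - t <= window]
        if ev["outcome"] == "failure":
            hits.append(ev["ts"])
            if len(hits) == threshold:       # fire once, when the threshold is crossed
                alerts.append(_alert("brute_force_attempt", ev, len(hits)))
        else:
            if len(hits) >= threshold:
                alerts.append(_alert("brute_force_success", ev, len(hits)))
            hits = []
        recent_failures[key] = hits
    return alerts


if __name__ == "__main__":
    for a in correlate(SAMPLE_LOGS):
        print(a)
```

Run against the sample, the rule fires an attempt alert for alice on her third failure, escalates to a success alert when her login is accepted, and fires an attempt alert for the root guessing from 203.0.113.9; bob's single failure followed by success never crosses the threshold. The normalization step is the part that does the real work: without a common schema the sshd and Windows events could not be counted together.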
Intrusion Detection and Prevention
An intrusion occurs when an attacker is able to bypass or thwart security mechanisms and gain access to an organization’s resources. Intrusion detection is a specific form of monitoring that monitors recorded information and real-time events to detect abnormal activity indicating a potential incident or intrusion.
IDS
Intrusion Detection System
automates the inspection of logs and real-time system events to detect intrusion attempts and system failures. IDSs are an effective method of detecting many DoS and DDoS attacks. They can recognize attacks that come from external connections, such as an attack from the Internet, and attacks that spread internally such as a malicious worm. Once they detect a suspicious event, they respond by sending alerts or raising alarms. In some cases, they can modify the environment to stop an attack. A primary goal of an IDS is to provide a means for a timely and accurate response to intrusions. An IDS is intended as part of a defense-in-depth security plan. It will work with, and complement, other security mechanisms such as firewalls, but it does not replace them.
IPS
Intrusion Prevention System
Includes all the capabilities of an IDS but can also take additional steps to stop or prevent intrusions. If desired, administrators can disable these extra features of an IPS, essentially causing it to function as an IDS.
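The IDS/IPS distinction in code, as an added example that is not part of the original flashcards: one sensor class inspects packet records with a content signature check and a rate-based SYN-flood check; in "ids" mode it only alerts, in "ips" mode it drops the offending packet and, for the flood, shuns the source, which is exactly the extra step an administrator can switch off to get IDS behaviour back. The packet records, signatures, thresholds and addresses are constructed for the example and are not taken from any product.

```python
"""Added example (not from the flashcards): a sensor that runs as an IDS
(inspect and alert) or an IPS (inspect and drop)."""
from collections import defaultdict, deque

SIGNATURES = {                      # assumed content signatures for the example
    "sqli-tautology": b"' OR 1=1",
    "lfi-etc-passwd": b"/etc/passwd",
}
SYN_THRESHOLD = 5                   # more than this many SYNs from one source ...
SYN_WINDOW = 1.0                    # ... inside this many seconds is a flood


class Sensor:
    def __init__(self, mode: str = "ids"):
        if mode not in ("ids", "ips"):
            raise ValueError("mode must be 'ids' or 'ips'")
        self.mode = mode
        self.syn_times = defaultdict(deque)   # src -> timestamps of recent SYNs
        self.blocked = set()                  # sources the IPS has shunned
        self.alerts = []

    def inspect(self, pkt: dict) -> str:
        """Return 'pass', 'alert' (IDS) or 'drop' (IPS) for one packet record."""
        if self.mode == "ips" and pkt["src"] in self.blocked:
            return "drop"                     # shunned source: no further inspection
        reasons = [name for name, sig in SIGNATURES.items() if sig in pkt.get("payload", b"")]
        if pkt.get("flags") == "S":           # bare SYN: count it against the source
            times = self.syn_times[pkt["src"]]
            times.append(pkt["ts"])
            while times and pkt["ts"] - times[0] > SYN_WINDOW:
                times.popleft()               # slide the window
            if len(times) > SYN_THRESHOLD:
                reasons.append("syn-flood")
        if not reasons:
            return "pass"
        self.alerts.append({"ts": pkt["ts"], "src": pkt["src"], "dst": pkt["dst"], "reasons": reasons})
        if self.mode == "ids":
            return "alert"                    # detection only: traffic is not touched
        if "syn-flood" in reasons:
            self.blocked.add(pkt["src"])      # rate attack: block the source, not just one packet
        return "drop"


def make_traffic() -> list:
    """Constructed packet records: a SYN flood, a normal request, an injection attempt."""
    def syn(i):
        return {"ts": 100.0 + 0.05 * i, "src": "198.51.100.4", "dst": "10.0.0.20",
                "dport": 443, "flags": "S"}
    pkts = [syn(i) for i in range(8)]                           # 8 SYNs within 0.35 s
    pkts.append({"ts": 101.0, "src": "10.0.0.8", "dst": "10.0.0.20", "dport": 80,
                 "flags": "PA", "payload": b"GET /index.html HTTP/1.1"})
    pkts.append({"ts": 101.2, "src": "10.0.0.9", "dst": "10.0.0.20", "dport": 80,
                 "flags": "PA", "payload": b"GET /login?user=admin' OR 1=1-- HTTP/1.1"})
    return pkts


def run(mode: str, packets: list):
    """Feed the packets through one sensor; return per-packet actions and the alerts raised."""
    sensor = Sensor(mode)
    return [sensor.inspect(p) for p in packets], sensor.alerts


if __name__ == "__main__":
    for mode in ("ids", "ips"):
        actions, alerts = run(mode, make_traffic())
        print(mode, actions, len(alerts), "alerts")
```

In IDS mode the sixth SYN crosses the threshold and every later packet from that source is alerted on but still forwarded; in IPS mode the same packet is dropped, the source is shunned, and the injection request is dropped on its signature match. Note that the IPS shun is the feature that can also cause self-inflicted outages if a threshold is set too low, which is why the flashcard says administrators may disable the prevention features.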
Data Loss Prevention (DLP)
PROTECT SENSITIVE INFORMATION
Data loss prevention systems attempt to detect and block data exfiltration attempts. These systems have the capability of scanning data looking for keywords and data patterns
Network-based DLP
Scans all outgoing data looking for specific data. Administrators place it at the edge of the network to scan all data leaving the organization. If a user sends out a file containing restricted data, the DLP system detects it and prevents it from leaving the organization, then sends an alert, such as an email to an administrator.
Endpoint-based DLP
Can scan files stored on a system as well as files sent to external devices, such as printers. For example, an organization endpoint-based DLP can prevent users from copying sensitive data to USB flash drives or sending sensitive data to a printer.
3 states of information
- data at rest (storage)
- data in transit (the network)
- data in use / being processed (on the endpoint; must be decrypted to be processed)
DLP can also look for sensitive information stored (at rest) on hard drives.
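The keyword and pattern scanning described in the DLP cards, as an added example that is not part of the original flashcards: one scanner recognizes card numbers (validated with the Luhn checksum so order numbers do not trip it), SSN-shaped values and classification keywords; it is then used once as a network DLP deciding whether an outbound message may leave, and once as an endpoint DLP checking files about to be copied to a removable device. The patterns, messages and file names are constructed for the example; the card number is a well-known test number and the SSN is a long-retired sample value, neither belonging to anyone.

```python
"""Added example (not from the flashcards): a DLP content scanner used as a
network DLP (block/allow an outbound message) and as an endpoint DLP
(screen files headed for a USB device)."""
import re

SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
PAN_RE = re.compile(r"\b(?:\d[ -]?){15}\d\b")         # 16 digits, optional space/dash separators
KEYWORD_RE = re.compile(r"\b(?:CONFIDENTIAL|INTERNAL ONLY)\b", re.IGNORECASE)


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: separates real card numbers from other 16-digit values."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                 # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(value: str) -> str:
    """Keep only the last four digits in alerts so the alert is not itself a leak."""
    digits = re.sub(r"\D", "", value)
    return "*" * (len(digits) - 4) + digits[-4:]


def scan(text: str) -> list:
    """Return (type, masked value) findings for sensitive content in text."""
    findings = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if luhn_ok(digits):            # pattern match alone is not enough
            findings.append(("card_number", mask(digits)))
    for m in SSN_RE.finditer(text):
        findings.append(("ssn", mask(m.group())))
    for m in KEYWORD_RE.finditer(text):
        findings.append(("keyword", m.group().upper()))
    return findings


def network_dlp(message: str) -> dict:
    """Network DLP at the egress point: block if anything matched and flag an
    alert for the administrator; otherwise let the message leave."""
    findings = scan(message)
    return {"action": "block" if findings else "allow",
            "findings": findings, "alert": bool(findings)}


def endpoint_dlp(files: dict) -> dict:
    """Endpoint DLP: given {filename: content} about to be copied to removable
    media or sent to a printer, report the files that must not go."""
    report = {}
    for name, body in files.items():
        findings = scan(body)
        if findings:
            report[name] = findings
    return report


if __name__ == "__main__":
    # Constructed sample traffic and files.
    print(network_dlp("Hi, my card is 4111 1111 1111 1111 exp 12/26, please charge it."))
    print(network_dlp("Order 1234567812345678 has shipped."))
    print(endpoint_dlp({"report.txt": "Quarterly figures attached.",
                        "customers.csv": "name,card\nA. Smith,4111111111111111"}))
```

The second message is allowed even though it carries a 16-digit number, because the Luhn check fails; without that check a DLP rule on card numbers produces a steady stream of false positives on order and tracking numbers, and operators start ignoring its alerts.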
Configuration item (CI)
Component whose state is recorded
Version
Recorded state of the CI
Configuration
collection of component CI’s that make another CI
Building
assembling a version of a CI using component CI’s
Build list
Set of versions of component CIs used to build a CI
Software library
Controlled area accessible only to approved users
Recovery procedures
system should restart in secure mode
maintenance mode
Startup should occur in maintenance mode that permits access only by privileged users from privileged terminals
Fault-tolerant
continues to function despite failure
Fail safe (fail secure) system
Program execution is terminated and the system is protected from compromise when a hardware or software failure occurs. (For physical doors "fail safe" means the opposite of "fail secure"; see the door cards below.)
Fail Closed/secure
most conservative from a security perspective
Fail Hard
The system halts on failure (e.g., a BSOD) so that a human can see why it failed
Fail soft or resilient system
Selected non-critical processing is terminated when a failure occurs so that the system continues in a degraded mode (possibly after a reboot)
FAIL SAFE (doors)
doors UNLOCK: people can get out, human safety first
FAIL SECURE (doors)
doors LOCK: asset protection first
Trusted Path
Protects data between users and a security component. A channel established under strict standards that allows necessary communication to occur without exposing the TCB to security vulnerabilities. A trusted path also protects system users (sometimes known as subjects) from compromise as a result of a TCB interchange.
The only correct way to cross a security boundary.
Events
Anything that happens; can be documented, verified and analyzed.
Security Incident
An event or series of events that adversely impacts the ability of an organization to do business; a suspected attack.
Security intrusion
Evidence that an attacker attempted or gained access.
Lifecycle - Response Capability
Policy, procedures, and a team.