Enterprise Incident Response Flashcards

Question 1

Q

What percentage of organizations took more than 90 days to detect the intrusion?

Question 2

Q

What is the median number of days attackers were present on a victim network before detection?

Question 3

Q

What is APT?

Answer

A

Advanced Persistent Threat

Question 4

Q

How do most organizations find out about intrusions?

Answer

A

Third party notifications. In many cases, law enforcement.

Question 5

Q

What are the steps of incident handling?

Answer

A

Preparation
Identification
Containment
Eradication
Recovery
Lessons learned

Question 6

Q

What is the first step of incident response?

Answer

A

Identification of all the systems compromised.

Question 7

Q

What percentage of compromised systems have malware installed? Implication?

Answer

A

54%

Just because a system doesn’t have malware installed doesn’t mean it isn’t compromised,

Question 8

Q

What is the difference between remediation and recovery?

Answer

A

Remediation actions are required to be completed in a very short time, often a weekend, and are intended to mitigate the current incident. Recovery is to move the enterprise back to day to day business.

Question 9

Q

TTP?

Answer

A

Tactics, Techniques, and Procedures

Question 10

Q

Kill chain?

Answer

A

Aka Attack Progression.

Reconnaissance
Weaponization
Delivery
Compromise/exploit
C2
Exfiltration

Question 11

Q

How is persistence in APT demonstrated?

Answer

A

Maintaining a presence on the network and repeated attempts to gain access to areas where presence is not established.

Question 12

Q

Why has there been a switch to remotely examining systems rather than imaging?

Answer

A

This has happened because in an Enterprise environment it’s often more important to identify the scope of the intrusion than to preserve every last bit of evidence.

Question 13

Q

What is rip.pl

Answer

A

RegRipper, an automated HIVE parser for SAM, SECURITY, SYSTEM, SOFTWARE, and NTUSER.DAT HIVES. Also works on restore point registries.

Question 14

Q

What does pffexport do?

Answer

A

Pffexport accesses PFF (Personal Folder File) and OFF (Offline Folder File) formats.

Question 15

Q

pffexport options

Answer

A

Page 23, book 1.

Question 16

Q

Where are compromised images stored on the SIFT workstation?

Answer

A

/cases. Each case should have a separate subdirectory under /cases.

Question 17

Q

Where are filesystem mount points on the SIFT workstation?

Question 18

Q

How should the SIFT workstation be networked?

Answer

A

SANS recommends it be placed on the air-gapped Host Only network

Question 19

Q

What is IR?

Answer

A

Incident Response

Question 20

Q

What are the 6 steps of Incident Response handling?

Answer

A

Preparation
Identification
Containment and Intelligence Gathering
Remediation
Recovery
Follow Up

Question 21

Q

Where should incident detects come from? Where do they?

Answer

A

They should be found by the security team, but often they’re from a third party, often law enforcement.

Question 22

Q

What is the first critical step of incident response?

Answer

A

Identifying all the compromised systems.

Question 23

Q

Why is it critical to identify all compromised systems?

Answer

A

Intruders install malware on 54% of the systems they compromise.

Question 24

Q

How often is malware installed on a compromised system?

Answer

A

54% of the time.

Question 25

Q

What is the benefit of intelligence gathering during a compromise?

Answer

A

Learning how the intruders are gaining access to systems may help identify traits of compromised systems. Those traits can be used to identify other compromised systems that hadn’t yet been detected.

Question 26

Q

What is the difference between remediation and recovery?

Answer

A

Remediation includes the short term actions required to mitigate the current incident. Recovery is the return to day-to-day operations.

Question 27

Q

What might happen in the follow up stage of IR?

Answer

A

Verification that the mitigation is complete and effective. Possible additional monitoring or scanning.

Question 28

Q

What is the difference between digital forensics and enterprise forensics?

Answer

A

Digital forensics is the deep dive on specific systems looking at all processes, all timeline activity, all file system analysis. Enterprise forensics takes a broader view typically targeted at identifying systems that might be of interest. Enterprise forensics would look for select processes, specific timeline activity, and specific filesystem artifacts.

Question 29

Q

What is a vulnerability?

Answer

A

Not well defined on p.40.

Question 30

Q

What is impact?

Answer

A

Impact is the consequence of exploiting a vulnerability. The damage to confidentiality, integrity, or availability as a result. Often a property of the organization and often difficult to change.

Question 31

Q

What is a threat?

Answer

A

Not well defined on p.40.

Question 32

Q

What are the three components of a threat?

Answer

A

Intent, Opportunity, and Capability

Question 33

Q

What is Intent with regards to threat?

Answer

A

The goal the adversary is trying to accomplish. At a high level, often data theft. Often defined by the industry.

Question 34

Q

What is Opportunity with regards to a threat?

Answer

A

Timing and knowledge of the target space. Often paired with vulnerability.

Question 35

Q

What is Capability with regards to a threat?

Answer

A

The ability of adversaries to achieve their goal. Includes skills and resources (financial, human, technical).

Question 36

Q

What is CND?

Answer

A

p41. Might be Computer Network Defense.

Question 37

Q

What is TTP?

Answer

A

Tactics, Techniques, and Procedures (p44)

Question 38

Q

Why might you not block the IP an adversary is known to use?

Answer

A

You can instead monitor activity from the IP and watch for new attack signatures. Using those might enable detecting future attacks even if the adversary changes IPs.

Question 39

Q

What is the key to security intelligence?

Answer

A

Mapping intent to impact. If the goal is data theft, you probably don’t have to worry about DDoS.

Question 40

Q

What is “the kill chain”?

Answer

A

The attack progression. p.43.

Question 41

Q

What are the different types of indicators (of what?)

Answer

A

Atomic, Behavioral Computed

Question 42

Q

Describe an atomic indicator

Answer

A

Pieces of data, like an IP address, email address, string, FQDN, that indicates adversary activity.

Question 43

Q

What is a behavioral indicator?

Answer

A

A combination of other indicators that form a profile. These can include other behaviors, like “targets sales force”. Broadly, how does the adversary do their job.

Question 44

Q

What is a computed indicator?

Answer

A

Computed indicators include hashes and complex IDS signatures.

Question 45

Q

What are the stages of the kill chain?

Answer

A

Reconnaissance
Weaponization
Delivery
Compromise / Exploit
C2
Exfiltration

Question 46

Q

Describe the reconnaissance portion of the kill chain.

Answer

A

Recon consists of passive research such as examining web sites, reading PDFs, learning about the organization. Often indistinguishable from normal activity.

Question 47

Q

Describe the weaponization portion of the kill chain.

Answer

A

The act of placing malicious payload in a delivery vehicle, such as a trojan in a document.

Question 48

Q

Describe the delivery phase of the kill chain.

Answer

A

Straightforward. The payload is delivered to the target. For example, though email, HTTP, etc.

Question 49

Q

Describe the compromise or exploit phase of the kill chain.

Answer

A

Either a multi-phase or straightforward attack that might have software, hardware, and/or human components (aka social engineering). This typically provokes the classic incident response. Compromise doesn’t guarantee that C2 is established.

Question 50

Q

Describe the C2 phase of the kill chain.

Answer

A

Command and Control (C2) is the period following the compromise where the adversary has control over the system. C2 may be established after compromise, but not always. For example, if an adversary inserts malware that isn’t compatible with the system, or if you’ve studied the adversary and have mitigated the attack that would have established C2.

This also includes lateral movement inside the organization, file system enumeration, additional tool dropping.

Question 51

Q

Describe the exfiltration phase of the kill chain.

Answer

A

Exfiltration is the phase where data is takenby the adversary. This doesn’t include data taken for the purpose of furthering the attack. Such data movement happens during the C2 phase. Exfiltration removes the actual target data.

Question 52

Q

How is the P in APT manifested?

Answer

A

In two ways: maintaining a presence on the network and making repeated attempts to gain access to areas that are not yet compromised.

Question 53

Q

Why is it important to reconstruct the entire kill chain?

Answer

A

Failure to reconstruct the entire kill chain may result in detections only at the compromise stage, which leaves the organization continually vulnerable to intrusions.

Question 54

Q

What is an “Indicator of compromise”?

Answer

A

A combination of boolean expressions that can be used to identify general characteristics of malware. These can be host or network based.

Question 55

Q

How do you identify indicators of compromise?

Answer

A

Through malware reverse engineering and application footprinting.

Question 56

Q

What is IOC?

Answer

A

Indicator of Compromise

Question 57

Q

What is Cybox?

Answer

A

A Mitre project: Cyber Observable eXpression. A standardized schema for the specification, capture, characterization, and communications of events or stateful properties that are observable in the operational domain.

Question 58

Q

What is STIX?

Answer

A

Structured Threat Information eXpression. Also by Mitre. Community driven effort to define and develop a standardized language t represent structured cyber threat information.

Question 59

Q

CRITS?

Question 60

Q

YARA?

Question 61

Q

OpenIOC?

Answer

A

Originally for MANDIANT’s products, now standardized and open sourced.

Question 62

Q

Describe IOC Editor

Answer

A

Part of OpenIOC, this GUI editor edits XML documents that capture attributes of malicious files, registry changes, memory artifacts, etc. Also supports detailed descriptions of attributes.

Question 63

Q

Add content on psexec.

Question 64

Q

How has the default “image anything” policy changed?

Answer

A

It’s become more triage oriented, using remote and automated tools to identify indicators of compromise. Once found, those systems can be examined in more depth.

Answer 59

A

Provides a connector to raw disk and memory only.

Answer 60

A

Contains code to perform system analysis in addition or instead of a connector to raw disk and memory.

Answer 61

A

Good for targeted analysis, file querying, quick artifact examination, and it’s cheap.

Answer 62

A

Great for targeted or deep analysis, registry, file querying and scanning, quick or deep artifact analysis, and memory analysis.

Answer 63

A

Poor for file carving, stream extraction, memory analysis since the data has to traverse the network for local processing.

Answer 64

A

Often a resource hog. Usually have to scan when the systems aren’t being utilized. Expensive, and requires a separate controller.

Answer 65

A

No. Compromise a system and add an account. It’s compromised, but no malware present.

Answer 66

A

Unusual OS artifacts that wouldn’t normally be present.

Answer 67

A

A command line access tool (shell) in Windows.

Answer 68

A

A file compressor with difficult to crack encryption.

Answer 69

A

Evidence of compromise, possible privilege escalation or persistence.

Answer 70

A

PsExec: remote execution
PsLoggedOn: interactive logon enumeration
ProcDump: dumping of credentials within lsass.exe address space

Answer 71

A

They’re all used for remote execution

Answer 72

A

It’s used for mapping drives and enumerating groups, such as “Domain Admins”. Suggests possible attempts at lateral movement in the network.

Answer 73

A

Adding persistence such as run keys or services.

Answer 74

A

It shows shares on remote systems such as C$, Temp$, etc.

Answer 75

A

Malware can exist on a system, but it can’t hide inactive forever. To do what it is intended for, it must run.

See http://jessekornblum.com/publications/ijde06.html

Answer 76

A

Malware acive
Malware exists, but not active
No malware, but the system is compromised.

Answer 77

A

A system that’s compromised, but no malware is present. There’s little to look for.

Answer 78

A

svchost.exe. It’s running 5-6 times on most systems, and it’s hard to identify a good one from a bad one.

Answer 79

A

svchost. exe
iexplore. exe
iprinp. dll
winzf32. dll

Answer 80

A

Process injection, service persistence

Answer 81

A

Wireless Zero Configuration Service
RIP Listener Service
Background Intelligent Transfer Service

Answer 82

A

executables, libraries, PDFs, ZIPs, and other document types.

Answer 83

A

Attempts to hide can make the system unstable or result in detection anyway.

Answer 84

A

Frequent compilation, packing, armoring.

Answer 85

A

It’s proven too easy to steal certificates (Adobe, Opera). Stuxnet was signed code.

Answer 86

A

It spreads and hides easier on networks. It can remain hidden longer without arousing suspicion. Often espionage malware is hidden.

Answer 87

A

According to McAfee, 4.5% of malware is signed. Malware discovered in the last year: 6%. This has been stable over the past several years. 6.6% in 2012.

Answer 88

A

Slower development and release. Rapid devleopment and release is needed to thwart AV.

Need “a plethora of signing certs” to avoid burning all their active malware when certs are revoked.

Answer 89

A

Nation states.

Answer 90

A

Don’t focus on big name companies that are more likely to stay on top of certificates and revocations, like Microsoft, Apple, Google.

Answer 91

A

No. Only about half of compromised systems have malware.

Answer 92

A

p103 needs more examination.

Answer 93

A

Auto Start Execution Points. These are places in Windows that automatically run programs. There are over 50.

Answer 94

A

NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Run
NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\RunOnce
\Software\Microsoft\Windows\CurrentVersion\Run
\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
\Software\Microsoft\Windows\CurrentVersion\Runonce

Answer 95

A

A registry key, an ASEP, that should only contain a reference to userinit.exe. It runs logon scripts, reestablishes network connections, and starts explorer.exe.

Answer 96

A

The Windows user interface.

Answer 97

A

A program that is automatically started in Windows. It runs logon scripts, reestablishes network connections, and starts explorer.exe.

Answer 98

A

Placing a program in %AppData%\Roaming\Microsoft\Windows\Start Menu\Programs\Startup. Shortcuts placed here start upon user logon.

Answer 99

A

It’s a generic service host process.

Answer 100

A

Registry keys under HKLM\System\CurrentControlSet\Servces provide parameters for each service.

Answer 101

A

Services often start before antivirus, making it easier to avoid detection. Also, a typical Windows system may have > 100 services registered, making it easier to hide in plain sight.

Answer 102

A

Similar to service creation as a malware persistence method, but different in that it finds a service already set to auto start that is unimportant, or one that isn’t typically started at boot. Not as common as service creation due to its complexity.

Answer 103

A

Sysinternals autoruns

Answer 104

A

A windows method of scheduling a task to run later.

Answer 105

A

Files named at*.job (at1.job and up) in the \Windows\Tasks and \Windows\System32\Tasks folders

Answer 106

A

At ran as SYSTEM regardless of the user’s privileges.

Answer 107

A

An upgraded at.exe, a windows tool for scheduling tasks for later execution.

Answer 108

A

On the remote system where the task actually runs, not the one it was scheduled from.

Answer 109

A

Sysinternals autoruns.

Answer 110

A

jobparser.py. jobparse.pl also does this.

Answer 111

A

Newly created Scheduled Tasks. It contains the user and task name, but not a lot more (look into what).

Answer 112

A

106: Scheduled Task Created
140: Scheduled Task Updated
141: Scheduled Task Deleted

Answer 113

A

Turn Object access auditing on and look in the Security log for:

4698: Scheduled Task Created
4699: Scheduled Task Deleted
4700: Scheduled Task Enabled
4701: Scheduled TAsk Diabled
4702: Scheduled Task Updated

Answer 114

A

Search order hijacking: place a malicious DLL in the search path before the legitimate one. Search path starts at CWD and ends at c:\Windows\System32. Exception: DLLs listed in the KnownDLLs registry key.

Answer 115

A

Abusing the fact that some old DLLs are still loaded (or attempted) by applications even though they aren’t needed, and sometimes not present on the system.

Answer 116

A

Windows Management Instrumentation

Answer 117

A

A feature that permits monitoring for specific events, and when triggered, alert event consumers that can run scripts or execute code. Requires admin privs, but can be used to create a backdoor.

Answer 118

A

SYSTEM in XP and LOCAL_SERVICE in Win7+.

Answer 119

A

Managed Object Format file.

Answer 120

A

A MOF (managed object format) file can be used to register new classes into the WMI repository.

Answer 121

A

A PowerShell cmdlet for identifying and removing suspicious WMI entries.

Answer 122

A

Auto-start locations
Service creation / replacement
Service failure recovery
Scheduled tasks
DLL hijacking
WMI Event Consumers

Answer 123

A

The autoruns tool from Sysinternals.

Answer 124

A

The command line version of the Sysinternals too, Autoruns.

Answer 125

A

It has to be run on a live system.

Answer 126

A

Autorunsc.exe has to be run on a live system. Autorunner works on a forensic image.

Answer 127

A

ntoskrnl.exe

Answer 128

A

http://digital-forensics.sans.org/media/poster_2014_find_evil.pdf

Answer 129

A

Hide in plain sight or use code injection or rootkit methods to appear legitimate.

Answer 130

A

Suspicious DLLS executed through rundll32.exe, implemented as services with svchost.exe, or injected into legitimate processes.

Answer 131

A

Mandiant Redline.

Answer 132

A

Didier Stevens’ Authenticode Tools or Sysinternals’ sigcheck.exe.

Answer 133

A

Hiding from normal analysis techniques.

Answer 134

A

Memory analysis.

Answer 135

A

Software debugging.

Answer 136

A

It has few legitimate uses; notably software debugging. There may be no others.

Answer 137

A

Software which can use any of a broad category of methods intended to subvert the operating system to hide activities and data.

Answer 138

A

GMER

Rootkit Revealer

Answer 139

A

By comparing the state of the system according to the OS compared to the state determined by the tool.

Answer 140

A

It doesn’t rely on the compromised OS, so artifacts like unlinked but still running processes and suspicious function hooks may be found.

Answer 141

A

They require skill to create a reliable exploit across various Windows versions.

Answer 142

A

Mandiant Redline and Volatility

Answer 143

A

A generic service host process. It’s typical to see 5 or more running on a Windows system.

Answer 144

A

HKLM\SYSTEM\CurrentControlSet\Services

Answer 145

A

queryex
qc
qprivs
qtriggerinfo

Answer 146

A

Look for unusual OS-based artifacts that wouldn’t exist on a typical workstation or server in the organization.

Answer 147

A

Prefetch, shimcache, userassist registry keys, and jump file lists.

Answer 148

A

It provides command line access to a Windows system.

Answer 149

A

Rar.exe is a hard-to-crack archiving tool. Rar files may suggest a compromise or evidence of exfiltration.

Answer 150

A

Privilege escalation and persistence.

Answer 151

A

They are evidence of remote execution, interactive logon enumeration, and dumping of lsass.exe address space respectively.

Answer 152

A

Remote execution.

Answer 153

A

Mapping drives (useful for lateral movement and enumerating groups like Domain Admins)

Answer 154

A

Adding persistence such as run keys or services

Answer 155

A

It records shares on remote systems such as C$, Temp$, etc.

Answer 156

A

They can be related to odd application executions.

Answer 157

A

Started with the wrong parent processes
Image executable in the wrong path
Misspelled processes
Processes that are running under the wrong account (incorrect SID)
Processes with unusual boot times (minutes or hours after boot if it should be seconds)
Unusual command-line arguments
Packed executables

Answer 158

A

Image Path: N/A
Parent Process: None
Number of Instances: One
User Account: Local System
Start Time: Boot
Description: Responsible for most kernel-mode threads.  Modules run under system are mostly drivers (.sys), but include several important DLLs and the kernel executable, ntoskrnl.exe.

Answer 159

A

Image Path: %SystemRoot%\System32\smss.exe
Parent Process: System
Number of Instances: One master and another child per session. Children exit after creating their session
User Account: Local System
Start Time: Within seconds of boot for the master
Description: Responsible for creating new sessions. Exits after starting csrss.exe and wininit.exe or winlogon.exe.

Answer 160

A

Image Path: %SystemRoot%\System32\csrss.exe
Parent Process: smss.exe. Analysis tools usually can’t provide this.
Number of Instances: 2+
User Account: Local System
Start Time: Within seconds of boot for first 2, later as other sessions are created.
Description: Client/Server Run-Time Subsystem: the user mode process for the Windows subsystem. Manages processes and threads, imports DLLs that provide the Windows API, shuts down the GUI during system shutdown.

*Searching the address space for csrss.exe processes is particularly useful when analyzing the memory of compromised hosts (why?).

Answer 161

A

Image Path: %SystemRoot%\System32\services.exe
Parent Process: wininit.exe.
Number of Instances: 1
User Account: Local System
Start Time: Within seconds of boot
Description: Implements the Unified Background Process Manager (UBPM), which is responsible for services and scheduled tasks. Also implements the Service Control Manager (SCM) which handles loadin gof services and device drivers marked for auto-start. Also sets the Last Known Good control set to the value of the CurrentControlSet once a user has successfully logged in.

Answer 162

A

Image Path: %SystemRoot%\System32\svchost.exe
Parent Process: services.exe.
Number of Instances: 5+
User Account: Varies, but typically Local System, Network Service or Local Service.
Start Time: Within seconds of boot, unless services are started later.
Description: Generic Windows host process. Used for running service DLLs. -k parameter used for grouping similar services. (List them p133).

Answer 163

A

It’s ubiquitous, so easy to hide.

Answer 164

A

Either as camoflage (misspelling, putting an executable in an incorrect directory), or directly to start illegitimate services.

Answer 165

A

Image Path: %SystemRoot%\System32\svchost.exe
Parent Process: wininit.exe.
Number of Instances: 1
User Account: Local System
Start Time: Within seconds of boot
Description: Local Session Manager handles terminal services including RDP and additional local sessions via Fast User Switching. Communicates with smss.exe to start new sessions. Should never have child processes.

Answer 166

A

Image Path: %SystemRoot%\explorer.exe
Parent Process: userinit.exe. Analysis tools usually can’t provide this.
Number of Instances: 1 per interactively logged in user.
User Account: the logged on user
Start Time: When the user logs in
Description: Provides access to files, file browser, user interface to desktop, start menu, task bar, control panel, application launching via file extension and shortcut files.

Answer 167

A

Image Path: \ProgramFiles\Internet Explorer\iexplore.exe
Parent Process: explorer.exe
Number of Instances:0 to many
User Account: the logged on user
Start Time: When the user starts it. Can be started automatically via the -embedding switch, which causes a different parent process.
Description: Web browser. Subprocess for each tab (several reasons, including enhanced security). Tabs run with low integrity to make it more difficult to modify sensitive areas of the registry or filesystem.

Answer 168

A

Hiding in plain sight by naming their executable iexplore.exe and putting it in another directory or misspelling as iexplorer.exe.

Answer 169

A

Image Path: %SystemRoot%\System32\winlogon.exe
Parent Process: smss.exe which exits, so analysis tools usually don’t provide it.
Number of Instances: 1 or more
User Account: Local System
Start Time: Within seconds of boot for the first instance (Session 1). Additional as new sessions are created through RDP or Fast User Switching.
Description: Handles interactive user logons and logoffs. Launches LoginUI.exe, which accepts the username and password. Credentials verified by lsass.exe, then loads the user’s NTUSER.DAT into NKCU and starts the shell (explorer.exe) via userinit.exe.

Answer 170

A

Image Path: %SystemRoot%\System32\lsass.exe
Parent Process: wininit.exe
Number of Instances: 1
User Account: Local System
Start Time: Within seconds of boot
Description: Local Security Authentication Subsystem Server. Responsible for authenticating users by calling an appropriate security service provider (SSP) authenication package specified in HKLM\SYSTEM\CurrentControlSet\Control\Lsa. Typically kerberos SSP for domain accounts or MSV1_0 SSP for local. Generates an access token for the user that specifies security rights and constraints for the user and processes. Should never have child processes.

Answer 171

A

Image Path: %SystemRoot%\System32\taskhost.exe
Parent Process: services.exe
Number of Instances: Multiple
User Account: . One or more owned by logged in users and/or local service accounts
Start Time: Vary greatly
Description: Generic host process for Windows Tasks. Tasks are handled through Universal Background Process Manager (UBPM). Runs in a continuous loop listining for trigger events, such as: definied schedule, user logon, system startup idle CPU, Windows log event, workstation lock or unlock.

Answer 172

A

Image Path: %SystemRoot%\System32\wininit.exe
Parent Process: smss.exe, which exits so analysis tools usuall can’t provide it.
Number of Instances: 1
User Account: . Local System
Start Time: Within seconds of boot
Description: Starts key background processes within Session 0. Starts the Service Control Manager (SCM, services.exe), Local Security Authority processes (lsass.exe), and the Local Session Manager (lsm.exe).

Answer 173

A

Small hub or switch
CAT5
Crossover cable
Enterprise scanning capability (F-Response, GRR, Mandiant MIR)
Live resonse tools
Memory and Drive Analysis and/or Acquisition Tools
Sysinternals tools + scripts
Drive Adapters (SATA/IDE/SCSI) or
SATA/IDE Hardware write-blocker
Large Capacity Target media

Brainscape's Knowledge GenomeTM

Enterprise Incident Response Flashcards

Brainscape's Knowledge Genome^TM