Incident Handling Process Flashcards

1
Q

Incident Handling

A
  • well-defined course of action whenever a computer or network security incident occurs
  • only events with negative consequences are considered security incidents
  • such events can be:
    • system crashes
    • packet floods
    • unauthorized use of system privileges
    • unauthorized access to sensitive data
    • execution of destructive malware
2
Q

Cyber Kill Chain

A
  1. Reconnaissance
  2. Weaponization
  3. Delivery
  4. Exploitation
  5. Installation
  6. Command and Control
  7. Actions on Objectives
3
Q

NIST: Incident Handling Process

A

aka Incident Response Lifecycle

  1. Preparation
  2. Detection and Analysis
  3. Containment, Eradication, and Recovery
  4. Post-incident Activity
4
Q

Preparation Phase Components

A
  • Employees
  • Documentation
  • Defensive Measures
5
Q

Preparation Phase: Employees

A
  • skilled response team
  • IT security training
  • security awareness/social engineering exercises
6
Q

Preparation Phase: Documentation

A
  • well-defined policies
  • well-defined response procedures
  • breach/incident communication plan
  • maintaining chain of custody actions
7
Q

Preparation Phase: Defensive Measures

A
  • A/V, (H)IDS, DLP, EDR, Security Patches
  • SIEM, UTM, Threat Intelligence
  • NSM, Central Logging, Honeypots
  • Incident Handling Starter Kit:
    • Data acquisition software
    • Read-only diagnostic software
    • Bootable Linux environment
    • HDs, Ethernet TAP, cables, laptop
8
Q

Detection and Analysis Phase Components

A
  • Means of detection
  • Information and knowledge sharing
  • Context-aware threat intelligence
  • Segmentation of the architecture
  • Good understanding/visibility of your network
  • Establish baselines
9
Q

How do you start to establish “levels of detection”?

A
  • logically categorize your network
10
Q

What are the “levels of detection”?

A
  • Network perimeter
  • Host perimeter
  • Host-level
  • Application-level
11
Q

Network Perimeter?

A
  • Firewalls
  • Internet-facing NIDS
  • IPS
  • DMZ
  • Example: analyze packet capture in Wireshark [Statistics > IPv4 Statistics > Destinations and Ports]
12
Q

Host Perimeter?

A
  • Occurs whenever we analyze data a host receives from the network or sends out to the network
  • Local firewalls or HIPS systems can assist such detection activities
  • Example: checking a host's network and Internet connections [netstat -naob]
13
Q

What should you consider whenever performing detection activities at the host or network perimeter levels?

A
  1. Utilize packet destinations (network perimeter) and identified ports (network and host perimeter) to identify the services running on the respective host
  2. Are the identified services actually running and part of your organization?
  3. If not, check for port abuse
     Example: We see a packet trying to reach port 21 of a host, or we see a host listening on port 21. Is there legitimate FTP traffic, or is this malicious activity?
14
Q

Host-level

A
  • Detection at the host level occurs whenever we analyze data residing in the host
  • A/Vs and EDR solutions
15
Q

Application-level

A
  • Application logs
  • Web application logs, service logs, etc. can provide insight into user operations and inputs
  • Example: abnormal activity in IIS logs [/CMS/SiteContent/Mock/shelly.asp running for 18,600 seconds; could indicate a web shell]
16
Q

What should you consider before calling an event an incident?

A
  • Could this be user oversight?
  • Scrutinize all evidence
  • Base your decision on prior knowledge of the normal behavior
17
Q

When handling an incident, what questions should be asked?

A
  • Are there any crown jewels that can be affected?
  • What are the minimum requirements for effective exploitation? [privileged position on the LAN; valid credentials; just an Internet connection]
  • Is this being actively exploited in the wild?
  • Is there a proposed remediation strategy?
  • Is there threat intel/evidence that suggests increased spreading capabilities?
18
Q

Containment

A
  • preventing an incident from getting worse (i.e. preventing the intruder from getting any deeper)
  • divided into 2 sub-phases: short-term and long-term containment
19
Q

Short-term containment

A
  • render the intrusion ineffective without altering the machine’s hard drive (needs to be imaged for forensic activities)
  • to do so:
    • disable network connectivity
    • place the machine in a separate/isolated VLAN
    • Change DNS
    • isolate the machine through router and firewall configurations
20
Q

Canary Token

A
  • generates documents that call back to a designated email or webhook URL the moment they are accessed, mentioning the source IP address and other information
21
Q

Long-term containment

A
  • make sure the intruder is locked out of the affected host and network
22
Q

Data Acquisition

A
  • to preserve the evidence, you’re NOT supposed to work on the original machine when investigating, and you’re also NOT supposed to analyze and work on the first image you take.
  • the original image is usually verified and then saved alongside the other parameters to protect it from tampering, while the work is done on copies of the original image
23
Q

Order of Volatility

A
  1. Registers
  2. CPU caches
  3. RAM
  4. HDD
  5. External and secondary storage devices
24
Q

What are the two types of data acquisition?

A
  • static acquisition
  • dynamic acquisition
25
Q

Static acquisition

A
  • acquisition of data that is not volatile
26
Q

Dynamic acquisition

A
  • acquisition of data that is volatile
  • usually performed while the system is still powered on
  • since running processes use RAM, it is very likely to find stored passwords, messages, domain names, and IP addresses belonging to those processes
27
Q

Definition of Volatility

A
  • data affected by restart of the computer
28
Q

What are the 2 acquisition approaches?

A
  • from disk drive to image file (imaging)
  • from disk drive to disk drive (cloning)
29
Q

Write Blocker

A
  • used when copying data from a disk drive to an image file
  • ensures that the data acquisition process is performed w/o the risk of losing or altering data (blocks writes to the hard disk)
30
Q

What are the three parts of Incident Classification

A
  • type
  • impact
  • extent
31
Q

Eradication

A
  • eliminating intruder artifacts, understanding the root cause/attack vectors/TTPs, utilizing backups, and improving defenses
  • identify root cause (use information from the Detection and Analysis and Containment procedures)
  • isolate the intrusion
32
Q

Eliminating Attacker Residuals

A
  • remove malware such as backdoors, rootkits, malicious kernel-mode drivers, etc.
  • In the case of a rootkit, zero the drive out, reformat and rebuild the system from trusted install media
  • thoroughly analyze logs to identify credential reuse through RDP, SSH, VNC, etc.
33
Q

Improving Defenses

A
  • configuring additional router and firewall rules
  • obscuring the affected system’s position
  • null routing
  • establishing effective system hardening, patching, and vulnerability assessment procedures
34
Q

Recovery

A
  • restoring and monitoring to make sure nothing evaded detection
  • contains 3 aspects:
    • process system recovery: making sure the system has everything required; QA testing
    • restore operations: deciding when to allow system back into production
    • monitoring: monitoring the restored system
35
Q

Things to watch for when Monitoring a system after Restoring

A
  • critically analyze logs and events for signs of reinfection or recompromise
  • changes to registry keys and values
  • abnormal processes via wmic
  • abnormal user accounts via wmic
36
Q

Incident Handling Forms

A
  • Incident contact list
  • Incident detection
  • Incident casualties
  • Incident containment
  • Incident eradication
37
Q

Incident Contact List

A

This form should contain the contact details of the organization’s:

  • CISO
  • SPOC of the incident handling or CSIRT team
  • Legal department
  • Public relations
  • ISP SPOC
  • Local cybercrime unit
38
Q

Incident Detection form

A
  • The first person that detected the incident
  • Incident’s summary:
    • Type of incident
    • Incident location
    • Incident detection details
39
Q

Incident Casualties form

A
  • Location of the affected system
  • Date and time incident handlers arrived
  • Affected system details
    • hardware vendor
    • serial number
    • network connectivity details (hostname, IP, MAC)
40
Q

Incident Containment form

A
  • Isolation activities per affected system
    • Was the affected system isolated?
    • Date and time of isolation
    • How the system was isolated
  • Backup activities per affected system
    • Handler who performed the restoration
    • Backup details
41
Q

Incident Eradication form

A
  • Handler performing the investigation
  • Was the incident’s root cause discovered
    • Incident root cause analysis
  • Actions taken to ensure the incident’s root cause was remediated and the possibility of a new incident eliminated
42
Q

Windows Cheat Sheet: User Accounts

A
  • Identify curious looking accounts in the Administrators group
    • use lusrmgr.msc for GUI access
  • Commands
    • net user
    • net localgroup administrators
43
Q

Windows Cheat Sheet: Processes

A
  • Identify abnormal processes
    • use taskmgr.exe for GUI access
  • Related commands:
    • tasklist
    • wmic process list full/brief
    • wmic process where processid=[pid] get commandline
    • wmic process list brief | find "cmd.exe"
44
Q

Windows Cheat Sheet: Services

A
  • services.msc for GUI access
  • net start
  • sc query | more
  • tasklist /svc
45
Q

Windows Cheat Sheet: Scheduled Tasks

A
  • Start > Programs > Accessories > System Tools > Scheduled Tasks
    • schtasks
46
Q

Windows Cheat Sheet: Startup Items

A
  • Identify users’ autostart folders
    • dir /s /b "C:\Documents and Settings\[username]\Start Menu"
    • dir /s /b "C:\Users\[username]\Start Menu"
47
Q

Windows Cheat Sheet: Auto-start Reg Key Entries

A
  • Check registry keys for malicious autorun configurations
  • Sysinternals Autoruns tool for this
    • HKLM\Software\Microsoft\Windows\CurrentVersion\Run
    • HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
    • HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
    • reg query [reg key]
48
Q

Windows Cheat Sheet: Listening and Active TCP and UDP ports

A
  • Identify abnormal listening and active TCP and UDP ports
    • netstat -nao 10
49
Q

Windows Cheat Sheet: File Shares

A
  • net view \\127.0.0.1
50
Q

Windows Cheat Sheet: Files

A
  • Identify major decreases in free space
    • Use File Explorer: "size:>5M"
51
Q

Windows Cheat Sheet: Firewall Settings

A

– netsh advfirewall show currentprofile

52
Q

Windows Cheat Sheet: Systems connected to the machine

A
  • nbtstat -S
53
Q

Windows Cheat Sheet: Open sessions

A
  • net session
54
Q

Windows Cheat Sheet: Sessions with other systems

A
  • net use
55
Q

Windows Cheat Sheet: Log Entries

A
  • Event Viewer
    • wevtutil qe security
56
Q

Linux Cheat Sheet: User Accounts

A
  • Look for curious looking accounts in /etc/passwd
    • passwd -S [username]
    • grep :0: /etc/passwd (display UID/GID 0 accounts)
    • find / -nouser -print (attacker-created temporary users)
57
Q

Linux Cheat Sheet: Log Entries

A
  • Identify curious looking log entries
58
Q

Linux Cheat Sheet: Resources

A
  • identify deviation from normal resource utilization
    • uptime (cpu load)
    • free (memory utilization)
59
Q

Linux Cheat Sheet: Running Processes

A
  • ps aux
    • lsof -p [pid]
60
Q

Linux Cheat Sheet: Services

A

– service –status-all

61
Q

Linux Cheat Sheet: Scheduled Tasks

A
  • crontab -l -u [account]
  • cat /etc/crontab
  • ls /etc/cron.*
62
Q

Linux Cheat Sheet: Listening and active TCP/UDP ports

A
  • lsof -i
  • netstat -nap
63
Q

Linux Cheat Sheet: ARP

A
  • Identify abnormal MAC mappings
    • arp -a
64
Q

Linux Cheat Sheet: Files

A
  • find / -uid 0 -perm -4000 -print (abnormal SUID root binaries)
  • find /home/ -type f -size +512k -exec ls -lh {} \; (overly large files)