Incident Response Flashcards

1
Q

What is NIST SP800-61 used for?

A

It is NIST's Computer Security Incident Handling Guide.
When you think of incident response frameworks, think "NIST" and remember this exact number.

It describes the entire lifecycle of handling a security incident.
The phases are:
Preparation
Detection & Analysis
Containment, Eradication & Recovery
Post-Incident Activity
The lifecycle loops: what you learn in post-incident activity feeds back into preparation for the next incident.
2
Q

What is an incident precursor?

A

A precursor is a sign that an incident may occur in the future.
Examples: web server log entries showing that a vulnerability scanner is being run against you, or a public exploit announcement for a vulnerability in software you use.
It could also be a threat from a particular group stating that it intends to attack your organization.

3
Q

What is an incident indicator?

A

An indicator is a sign that an incident may have occurred or is occurring right now. Unlike a precursor, it is not a warning of something that might happen; something is actually happening.

For example, an IDS/IPS alert that a buffer overflow was attempted (and whether it succeeded).
A host-based integrity monitor reporting that a critical operating system or configuration file has been changed.
A large deviation in network traffic flows from the normal baseline can be an indicator as well.
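Two of the indicator sources named above, a host-based integrity check on critical files and a traffic-flow baseline, as an added example (not from the original flashcards). The monitored file names, the 3-sigma threshold and the byte counts are constructed assumptions.

```python
"""Indicator checks: a file-integrity baseline for critical files and a
per-host traffic-volume baseline. Added example; paths, thresholds and
traffic samples are constructed assumptions."""
import hashlib
import os
import statistics
import tempfile


def sha256_of(path):
    """Hash a file in chunks so large files need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(paths):
    """Record the known-good digest of each monitored file (do this while the host is trusted)."""
    return {p: sha256_of(p) for p in paths}


def check_integrity(baseline):
    """Return (path, reason) for every monitored file whose current digest differs
    from the baseline or that has disappeared. A non-empty list is an indicator."""
    changed = []
    for path, known in baseline.items():
        if not os.path.exists(path):
            changed.append((path, "missing"))
        elif sha256_of(path) != known:
            changed.append((path, "modified"))
    return changed


def traffic_anomalies(history, current, z_threshold=3.0):
    """Flag hosts whose current byte count exceeds their historical mean by more
    than z_threshold population standard deviations. Returns {host: z-score}."""
    flagged = {}
    for host, samples in history.items():
        mean = statistics.mean(samples)
        stdev = statistics.pstdev(samples)
        value = current.get(host, 0)
        if stdev == 0:
            # A perfectly flat history: any change at all is out of the ordinary.
            z = float("inf") if value != mean else 0.0
        else:
            z = (value - mean) / stdev
        if z > z_threshold:
            flagged[host] = round(z, 2)
    return flagged


def demo():
    """Constructed input: a temp directory standing in for critical OS files,
    plus five days of constructed outbound byte counts for two hosts."""
    with tempfile.TemporaryDirectory() as d:
        hosts = os.path.join(d, "hosts")
        sshd = os.path.join(d, "sshd_config")
        with open(hosts, "w") as f:
            f.write("127.0.0.1 localhost\n")
        with open(sshd, "w") as f:
            f.write("PermitRootLogin no\n")
        baseline = build_baseline([hosts, sshd])
        # After the baseline, the SSH daemon config is weakened: an indicator.
        with open(sshd, "a") as f:
            f.write("PermitRootLogin yes\n")
        fim_hits = check_integrity(baseline)
    history = {"10.0.0.5": [1_000, 1_200, 900, 1_100, 1_050],
               "10.0.0.9": [5_000, 5_500, 4_800, 5_200, 5_100]}
    current = {"10.0.0.5": 1_150, "10.0.0.9": 60_000}  # 10.0.0.9 suddenly sends ~12x its norm
    return fim_hits, traffic_anomalies(history, current)


if __name__ == "__main__":
    print(demo())
```

A real integrity monitor stores the baseline off-host (or signs it), since an attacker who can modify `sshd_config` can usually modify a local hash database too.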

4
Q

At what stage of the NIST incident response process would you move a piece of malware to a sandbox?

A

Containment, which is part of the NIST "containment, eradication, and recovery" phase. Moving the malware to a sandbox isolates it from production systems while still letting you analyze its behavior.
NIST cautions that deliberately letting an attack run in order to gather more evidence (delayed containment) is risky, because the attacker can keep causing damage in the meantime.

5
Q

What is reconstitution?

A

This is a principle of the recovery process: making sure that every system that might have been touched by the malware or the security incident is cleaned and restored to a trusted state.

This may take a very long time.
Start with quick, high-value security changes such as patches and firewall policy changes.
Later phases involve much heavier lifting, such as infrastructure changes and large-scale security rollouts.

6
Q

During the lessons learned phase of incident response what is the most important part?

A

Documenting everything that happened, then identifying what worked well and what did not, so you can change and improve the plan for next time.

7
Q

What is a tabletop exercise?

A

This is part of incident response planning.
It means talking through a simulated disaster.

It is called a tabletop exercise because you get all of the key players on the incident response team together (around a table) to talk through a simulated disaster and find holes in the plan, without needing to stage a large-scale simulation of an incident.
Performing a full-scale disaster drill can be costly and time consuming, but many of the logistics can be worked out through discussion and analysis without physically going through a disaster or drill.

8
Q

What is a walkthrough in regards to incident response?

A

This is one step above a tabletop exercise.

It involves virtually everyone in the incident response process, and you go through every process and procedure to see how it would work if you actually performed it. Not just talking about it.

You can find actual faults or missing steps, check that all of the software you need is up to date and working properly, and so on.

9
Q

In an incident response plan what is a simulation?

A

This is a test using a simulated event.
An example is an intentional phishing test to see how many people click the link.
It could also simulate a data breach, a password reset request, etc.
This is also a great way to test your technical controls: did the phishing message get past the mail filter?
You will also end up with a list of everyone who clicked the link, provided credentials, etc.
Those users can be sent to anti-phishing training.

10
Q

What are stakeholders?

A

Stakeholders are the people who will be directly affected by a security incident.
Without stakeholders, IT would have no one to serve.
They can be internal or external customers.
It is important to involve them in the incident response process.

11
Q

What is a communication plan?

A

This is the part of incident response planning that makes sure everyone can reach the necessary parties when an incident happens.
In short: getting your contact list together ahead of time.
Not just IT; you will need to reach HR, your PR team, your legal department, etc.
You may also need to contact the owner of the data, law enforcement, and, if you work for a US federal agency, US-CERT (now part of CISA).

12
Q

What are a couple of pieces that may be found in a disaster recovery plan?

A

Recovery location (hot, warm, or cold sites)
Data recovery method
Application restoration
IT team and employee availability

13
Q

What is continuity of operations planning? (COOP)

A

This is a plan that gives you an alternate way of continuing business during a disaster.
It must be documented and tested before an actual disaster happens.
There need to be alternatives in place for when your computer systems are offline or some other large outage has occurred.
For example:
Writing down transactions manually on paper.
Using paper receipts.
Phone calls for transaction approvals.
Etc.

14
Q

What is a retention policy?

A

These are policies about where you store your data, how much of it you store, and for how long.

One purpose is keeping backups for a set period to support disaster recovery or recovery from any other loss of data.
Retention may also be required for regulatory compliance, for example a regulation your company must follow that requires data to be kept (and backed up) for a minimum amount of time.
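The "how much, for how long" part of a retention policy is usually enforced by an automated pruning rule over backup snapshots. The following is an added example (not from the original flashcards) of a grandfather-father-son style rule; the policy values (7 daily, 4 weekly, 12 monthly) and the snapshot dates are constructed assumptions.

```python
"""Enforces a retention policy over dated backup snapshots. Added example;
the policy values and snapshot dates are constructed assumptions."""
from datetime import date, timedelta


def apply_retention(snapshot_dates, today, keep_daily=7, keep_weekly=4, keep_monthly=12):
    """Decide which dated snapshots to keep.

    - every snapshot from the last keep_daily days is kept
    - the newest snapshot in each of the last keep_weekly ISO weeks is kept
    - the newest snapshot in each of the last keep_monthly calendar months is kept
    Everything else becomes eligible for deletion.
    Returns (keep, delete) as sorted lists of dates.
    """
    snaps = sorted(set(snapshot_dates))
    keep = set()

    # Daily tier: a rolling window of raw snapshots.
    daily_cutoff = today - timedelta(days=keep_daily)
    keep.update(d for d in snaps if d > daily_cutoff)

    # Weekly tier: one representative per ISO week.
    weekly_cutoff = today - timedelta(weeks=keep_weekly)
    newest_per_week = {}
    for d in snaps:
        if d > weekly_cutoff:
            key = d.isocalendar()[:2]  # (ISO year, ISO week)
            newest_per_week[key] = max(d, newest_per_week.get(key, d))
    keep.update(newest_per_week.values())

    # Monthly tier: one representative per calendar month, counted in whole months.
    newest_per_month = {}
    for d in snaps:
        months_old = (today.year - d.year) * 12 + (today.month - d.month)
        if 0 <= months_old < keep_monthly:
            key = (d.year, d.month)
            newest_per_month[key] = max(d, newest_per_month.get(key, d))
    keep.update(newest_per_month.values())

    delete = [d for d in snaps if d not in keep]
    return sorted(keep), delete


def demo():
    """Constructed snapshot set: daily backups for May and June 2024, month-end
    backups for January through April 2024, and three older ones from 2023."""
    today = date(2024, 6, 30)
    snaps = [date(2024, 5, 1) + timedelta(days=i) for i in range(61)]
    snaps += [date(2024, 1, 31), date(2024, 2, 29), date(2024, 3, 31), date(2024, 4, 30),
              date(2023, 5, 31), date(2023, 6, 30), date(2023, 7, 15)]
    return apply_retention(snaps, today)


if __name__ == "__main__":
    keep, delete = demo()
    print(f"keep {len(keep)}, delete {len(delete)}")
```

Where a regulation sets a minimum retention period, treat it as a floor that the policy values may not go below, and make sure anything under a legal hold is excluded from the `delete` list before it is acted on.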

15
Q

What is the MITRE ATT&CK framework?

A

This comes from the MITRE Corporation.
It is a knowledge base of adversary tactics and techniques, built from real-world observations, that helps you describe and anticipate what an attacker does.
It shows specific points of intrusion, ways of moving around a network, and possible mitigations and detections to block similar attacks in the future.

It is a huge framework.
The Enterprise matrix tactics, from left to right, are: reconnaissance, resource development, initial access, execution, persistence, privilege escalation, defense evasion, credential access, discovery, lateral movement, collection, command and control, exfiltration, and impact.
No need to memorize all of these, but try to remember them roughly.

16
Q

What is the Diamond Model of Intrusion Analysis?

A

Designed by the intelligence community and, as the name says, shaped like a diamond.

It is meant to help analysts understand intrusions that have happened on their networks.
It applies scientific principles to intrusion analysis: measurement, testability, and repeatability.

The four vertices of the model are Adversary, Capability, Infrastructure, and Victim. An intrusion event is described by filling in these four vertices, and the edges between them show how the vertices are connected, for example an adversary using a capability over infrastructure against a victim. Analysts pivot along those edges (from a known piece of infrastructure to the capabilities and victims that share it, and so on) to understand the scope of an intrusion and how it happened.
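Pivoting across the four vertices is the analytic the model is built for, so here is an added example (not from the original flashcards) that indexes constructed intrusion events by each vertex and walks the edges from a single known fact, a command-and-control address, to everything linked to it. The event values, host names and the group label "tracked-group-7" are constructed assumptions.

```python
"""Diamond Model pivoting over a set of intrusion events. Added example;
all event data is constructed."""
from collections import defaultdict, namedtuple

Event = namedtuple("Event", "adversary capability infrastructure victim timestamp")

VERTICES = ("adversary", "capability", "infrastructure", "victim")


class DiamondIndex:
    def __init__(self, events):
        self.events = list(events)
        # One inverted index per vertex: value -> set of event positions.
        self.index = {v: defaultdict(set) for v in VERTICES}
        for i, e in enumerate(self.events):
            for v in VERTICES:
                val = getattr(e, v)
                if val is not None:  # an unknown vertex (e.g. unattributed adversary) must not link events
                    self.index[v][val].add(i)

    def pivot(self, vertex, value):
        """Events sharing `value` at `vertex`, plus the distinct values they carry
        on the other three vertices."""
        hits = [self.events[i] for i in sorted(self.index[vertex].get(value, ()))]
        related = {v: sorted({getattr(e, v) for e in hits} - {None})
                   for v in VERTICES if v != vertex}
        return hits, related

    def cluster(self, vertex, value):
        """Transitive closure of pivot(): every vertex value linked directly or
        indirectly to the starting value. This is the activity group around one clue."""
        seen = {v: set() for v in VERTICES}
        frontier = [(vertex, value)]
        while frontier:
            v, val = frontier.pop()
            if val in seen[v]:
                continue
            seen[v].add(val)
            _, related = self.pivot(v, val)
            for rv, vals in related.items():
                frontier.extend((rv, x) for x in vals)
        return {v: sorted(s) for v, s in seen.items()}


def demo():
    """Constructed events: a phishing document and a RAT sharing one C2 address,
    the same RAT later seen on a second address, and one unrelated cryptominer."""
    events = [
        Event(None, "phish-doc.macro", "203.0.113.10", "hr-ws-01", "2024-03-01"),
        Event(None, "rat.v2", "203.0.113.10", "fin-ws-07", "2024-03-02"),
        Event("tracked-group-7", "rat.v2", "198.51.100.44", "fin-srv-02", "2024-03-05"),
        Event(None, "cryptominer", "192.0.2.77", "dev-ws-12", "2024-03-03"),
    ]
    return DiamondIndex(events)


if __name__ == "__main__":
    idx = demo()
    print(idx.cluster("infrastructure", "203.0.113.10"))
```

Note how the unattributed events carry `None` for the adversary vertex and are deliberately not indexed on it; if "unknown" were treated as a value, every unattributed event on the network would collapse into one cluster.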

17
Q

What is the Cyber Kill Chain model?

A

Lockheed Martin's 7-step model of the stages an attacker goes through while an attack is happening. The idea is that breaking the chain at any step stops the attack, and the earlier you detect it the less damage is done.

Reconnaissance -> Weaponization -> Delivery -> Exploitation -> Installation -> Command and Control -> Actions on Objectives
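Because the phases are ordered, alerts tagged with a phase can be laid out per victim host to see how far the attacker got and which earlier phases produced no alert at all. That gap list is what a detection engineer works from. The following is an added example (not from the original flashcards); the alert records and host names are constructed.

```python
"""Per-host kill chain reconstruction from phase-tagged alerts. Added
example; alerts are constructed."""
PHASES = ["Reconnaissance", "Weaponization", "Delivery", "Exploitation",
          "Installation", "Command and Control", "Actions on Objectives"]
RANK = {p: i for i, p in enumerate(PHASES)}


def chain_by_host(alerts):
    """alerts: iterable of (timestamp, host, phase).

    Returns {host: {"observed": phases seen in chain order,
                    "first_detected": earliest phase with an alert,
                    "furthest": latest phase reached,
                    "gaps": phases before `furthest` that raised no alert}}.
    Weaponization happens on the attacker's side and is rarely visible to a
    defender, so it is never reported as a gap.
    """
    by_host = {}
    for ts, host, phase in alerts:
        if phase not in RANK:
            raise ValueError(f"unknown kill chain phase {phase!r} at {ts}")
        by_host.setdefault(host, set()).add(phase)

    report = {}
    for host, phases in by_host.items():
        observed = sorted(phases, key=RANK.get)
        furthest = observed[-1]
        gaps = [p for p in PHASES[:RANK[furthest]]
                if p not in phases and p != "Weaponization"]
        report[host] = {"observed": observed, "first_detected": observed[0],
                        "furthest": furthest, "gaps": gaps}
    return report


def demo():
    """Constructed alerts: on fin-ws-07 the mail gateway flagged an attachment,
    then a C2 beacon and an exfiltration alert fired; on hr-ws-01 only
    delivery and exploitation were seen."""
    alerts = [
        ("2024-03-02T08:01", "fin-ws-07", "Delivery"),
        ("2024-03-02T08:40", "fin-ws-07", "Command and Control"),
        ("2024-03-03T17:12", "fin-ws-07", "Actions on Objectives"),
        ("2024-03-01T09:15", "hr-ws-01", "Delivery"),
        ("2024-03-01T09:16", "hr-ws-01", "Exploitation"),
    ]
    return chain_by_host(alerts)


if __name__ == "__main__":
    for host, r in demo().items():
        print(host, r)
```

For fin-ws-07 the report shows exploitation and installation happening with no alert between delivery and the C2 beacon, which is exactly where new detections would shorten the chain next time.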